Find notable cyber news and cases, enriched with sources, timelines, and signals.

US Department of Defense (DoD) Cybersecurity Maturity Model Certification (CMMC) Phase II Suspended the Phase II requirements pending review and announced a 60-day program review

Public Sector Action
First reported
Last updated
Happening score
H score 67
1 unique sources, 1 articles

Summary

Hide ▲

The US Department of Defense suspended CMMC Phase II requirements pending review, delaying a planned November 10, 2026 compliance step for defense contractors and subcontractors handling FCI and CUI. The pause affects the move from self-attestations to independent assessments by C3PAOs, which had been intended to verify compliance with NIST SP 800-171. The review could reshape cybersecurity obligations across the defense industrial base and slow the rollout of stricter certification enforcement.

Related Happenings

Pentagon suspends CMMC phase two for 60-day review

Public Sector Action
H score24 First: 14.07.2026 09:37 Last: 14.07.2026 09:37 Sources 1

About this happening: The **Pentagon** suspended **CMMC phase two** and opened a **60-day review**, delaying new certification requirements for **defense contractors** and **subcontractors**. The pause...

DoD final CMMC rule and ISACA credentialing rollout

Public Sector Action
H score25 First: 17.12.2025 16:05 Last: 17.12.2025 16:05 Sources 1

About this happening: The **US Department of Defense** published the **final CMMC rule**, starting a **three-year rollout** of cybersecurity requirements across **DoD contracts**. The change matters be...

Timeline

  1. 14.07.2026 18:28 2 articles · 3h ago

    DoD suspends CMMC Phase II and launches 60-day review

    Legal Policy Action Update

    The US Department of Defense suspended CMMC Phase II requirements pending a review of the program, pausing the planned November 10, 2026 shift to mandatory independent assessments for defense contractors handling federal contract information (FCI) and controlled unclassified information (CUI). During the interim, the DoD said it will enforce cybersecurity compliance with NIST SP 800-171 Rev 2 through self-assessments and select government-led assessments while a CMMC Reform Task Force conducts a 60-day review.

    Show sources
  2. 14.07.2026 18:28 1 articles · 3h ago

    Experts urge contractors to keep CMMC compliance efforts after the delay

    Industry Or Public Sector Update

    Dave Schroeder of the University of Wisconsin Madison said the pause likely reflects not enough contractors being ready for CMMC Phase II by Nov 10, and Nelina Varenas warned that defense contractors should not treat the delay as a reason to abandon compliance efforts because CMMC Level 1 self-assessment requirements remain in place. The guidance framed the suspension as additional time to strengthen cybersecurity practices before any future enforcement resumes.

    Show sources