The Department of Defense has announced an immediate suspension of the planned CMMC Phase II rollout, which was scheduled to begin on November 10, 2026. Phase II would have introduced mandatory third-party assessments (C3PAO audits) for many contractors handling Controlled Unclassified Information (CUI). Instead, the DoD has launched a 60-day review of the entire CMMC program to evaluate potential reforms and reduce barriers for small and medium-sized defense contractors.

CMMC Update: Phase II Paused, But Compliance Is Not

Before anyone celebrates, there is one critical point to understand:

Cybersecurity requirements have not gone away.

The DoD has made it clear that existing obligations under NIST SP 800-171, DFARS 252.204-7012, and current CMMC Phase I self-assessment requirements remain in effect. Contractors are still required to protect federal data, maintain security controls, and demonstrate compliance when required.

What This Means for Defense Contractors

  • CMMC Phase II third-party certification requirements are temporarily suspended.
  • Phase I self-assessments remain in force.
  • NIST 800-171 and DFARS cybersecurity requirements remain unchanged.
  • The DoD will continue reviewing the program and is expected to issue recommendations within 60 days.

Our Recommendation

At Fairoaks IT, we advise defense contractors not to pause their compliance efforts. Whether the government ultimately modifies, streamlines, or reinstates CMMC certification requirements, organizations that have already invested in cybersecurity maturity will be in the strongest position to win contracts, protect sensitive information, and rapidly adapt to future requirements.

As a Managed Services Provider specializing in CMMC, NIST 800-171, DFARS compliance, enclave design, SSP development, POA&M management, and ongoing Compliance-as-a-Service (CaaS), we're helping clients stay focused on the controls that matter—not just the certification process.

Bottom line: The certification timeline may have changed, but the expectation to secure CUI and protect federal data has not. Now is the time to strengthen your cybersecurity program—not put it on hold.

Have questions about how the CMMC suspension affects your organization? Contact Fairoaks IT to review your compliance roadmap and ensure you're prepared for whatever comes next.