top of page

NEWS | Pentagon Suspends CMMC Phase II Requirements for Small Business Defense Contractors

  • Writer: NSBA
    NSBA
  • 1 hour ago
  • 2 min read

Small businesses pursuing Department of Defense contracts received welcome news this week as the Pentagon announced it is suspending implementation of Cybersecurity Maturity Model Certification (CMMC) Phase II, which had been scheduled to take effect on November 10, 2026, with the pause providing temporary relief for thousands of small firms preparing for more rigorous cybersecurity certification requirements while the Department reevaluates the program.


JULY 14, 2026 | The Department of Defense (DoD, DoW) has established a CMMC Reform Task Force, which will conduct a comprehensive review of the certification framework and deliver recommendations within the next 60 days. During that review, Phase II implementation will remain on hold.


The suspension follows months of outreach between the Department and the small-business community, including NSBA and our Small Business Technology Council (SBTC).


In October 2025, the Department of Defense Office of Small Business Programs (OSBP) distributed a survey seeking feedback from small businesses on their readiness to comply with upcoming CMMC requirements. The survey asked companies how they were preparing for implementation and what challenges they anticipated as the program expanded.


According to the Department, stakeholder feedback played a significant role in the decision to pause Phase II implementation and reassess whether the current framework appropriately balances cybersecurity objectives with the realities facing small businesses.


While the announcement delays the next phase of CMMC implementation, it does not eliminate the program.


Small businesses should understand that the suspension is not a rescission of CMMC. Existing cybersecurity obligations remain in place, and contractors should continue preparing to safeguard sensitive federal information while monitoring additional guidance from the Department.


The Pentagon indicated the review is intended to evaluate whether the certification program can better protect national security, while reducing unnecessary compliance burdens that may discourage participation by innovative small businesses.


Many small defense contractors have expressed concerns about the cost and administrative complexity associated with obtaining third-party cybersecurity certification. Certification expenses, limited availability of assessors, and uncertainty surrounding implementation timelines have all raised questions about whether smaller firms could continue competing effectively for Department of Defense contracts.


NSBA has consistently supported cybersecurity measures that protect sensitive government information while recognizing that compliance requirements must remain practical and achievable for small businesses. A strong defense industrial base depends on maintaining participation from innovative small firms across manufacturing, technology, engineering, and professional services.

The Pentagon's decision creates an opportunity to evaluate whether the program can achieve its cybersecurity objectives without unnecessarily reducing competition among qualified small contractors.


Looking ahead, the CMMC Reform Task Force is expected to complete its review and submit recommendations within the next 60 days, after which the Department will determine the future of Phase II implementation.


In the meantime, small businesses should continue complying with existing cybersecurity requirements, stay informed about future Department guidance, and be prepared for potential changes to the certification framework.


NSBA will continue monitoring developments and keeping members informed as the Department's review progresses.


Small businesses pursuing Department of Defense contracts received welcome news this week as the Pentagon announced it is suspending implementation of Cybersecurity Maturity Model Certification (CMMC) Phase II, which had been scheduled to take effect on November 10, 2026, with the pause providing temporary relief for thousands of small firms preparing for more rigorous cybersecurity certification requirements while the Department reevaluates the program.



nsba white.png
  • X
  • LinkedIn
  • Facebook

CYBERSECURITY REMINDER | NSBA will ONLY email you with details specific to our org., our Leadership Council, or other NSBA programs.  We will never ask for passwords or gift cards, and we urge you to delete and report solicitations of the sort.

Stay cyber aware, and keep your small business safe.

bottom of page