
BLUF – On July 13, 2026, the U.S. Department of War (DoW) effectively suspended the majority of the Cybersecurity Maturity Model Certification (CMMC) Program (32 CFR Part 170) and initiated a 60-day review. (The official announcement with details is here.) Here’s what you need to know:
The DoW announcement, titled “Forging the Arsenal of Freedom,” does four things at once.
The stated rationale is economic: the Small Business Administration reported that compliance costs were pushing innovative companies out of the Defense Industrial Base (DIB), delaying capabilities to the warfighter. Fair enough. But the more interesting story is in the language the Department chose to explain itself.
(Note: CMMC is a DoW acquisition requirement under 32 CFR Part 170 and DFARS clause 252.204-7021 — it was never a government-wide mandate. This suspension changes nothing on civilian agency contracts, though the same compliance-versus-risk debate is unfolding there through the proposed FAR CUI rule.)
This isn’t the DoW’s first pause on CMMC.
In late 2020, the Department suspended the entire program and launched an 18-month review. For a year and a half, the industry debated the outcome with zero information from DoW. Opinions ranged from “implement as-is” to “scrap it entirely.” The result was neither. The Department streamlined the framework — five levels collapsed to three — and re-launched with a narrower scope.
That history is instructional. The DoW doesn’t tend to kill programs outright and it doesn’t tend to preserve them untouched. It redesigns. If you’re placing bets on the outcome of this 60-day review, the 2020-2021 precedent suggests the answer will land somewhere between “business as usual” and “gone forever.” Plan accordingly.
The announcement doesn’t say the DIB needs less security. It says the Department wants to replace “bureaucratic compliance” with “scalable, resilient cybersecurity measures” and to focus on tangible cyber hygiene rather than administrative overhead. DoW CIO Kirsten Davies paired the suspension with a direct reaffirmation that cybersecurity and operational resilience remain critical priorities.
If that vocabulary sounds familiar, it should.
It’s the same pivot codified across federal cyber policy over the past year. BOD 26-04 replaced calendar-driven, Common Vulnerability Scoring System (CVSS)-based patching with stakeholder-specific vulnerability categorization built on actual exploitation risk. OMB-26-14 rebuilt federal logging around required outcomes instead of checkbox maturity tiers. Now the DIB’s certification regime is getting the same scrutiny.
This has been argued for years: compliance-based telemetry validates that controls exist. Risk-based telemetry validates that controls work.
A third-party certification is a point-in-time attestation of existence. It tells an authorizing official that on assessment day, the paperwork and the technical configuration matched. It says very little about whether those controls held up on day 90, under an adversary who read the same framework you did.
We have empirical evidence for this gap on the civilian side. GAO-24-106291 found that most of the CFO Act agencies reviewed were rated as not effective by their Inspectors General, agencies that were, by any compliance measure, doing the paperwork. Existence and effectiveness are different questions. CMMC, as designed, answered the first one at considerable cost. The reform question is whether the replacement can answer the second one at a cost the DIB can bear.
Let’s be honest about the trade being made here.
Suspending Phase II removes the independent verification layer and nothing replaces it yet. A pause is not a plan.
Self-assessment is attestation, not evidence. The gap between self-reported SPRS scores and what independent assessments later found has been an open industry conversation for years; it’s a big part of why third-party assessments existed in the first place. Take the assessor away and keep the self-assessment and for the duration of this interim period, the Department is largely trusting the DIB to grade its own homework on the honor system. Adversaries face no such pause.
That’s not fear-mongering. It’s the trade the Department has openly made: near-term verification rigor in exchange for supply-chain breadth and a shot at a better model.
And here’s the part that should sharpen your focus: the legal obligations haven’t paused alongside the certification. If you suffer a breach while handling Controlled Unclassified Information (CUI), your liability under DFARS 252.204-7012 is exactly what it was last week. The DoW can still conduct direct audits during the suspension period.
We have empirical evidence for this gap on the civilian side. GAO-24-106291 found that most of the CFO Act agencies reviewed were rated as not effective by their Inspectors General, agencies that were, by any compliance measure, doing the paperwork. Existence and effectiveness are different questions. CMMC, as designed, answered the first one at considerable cost. The reform question is whether the replacement can answer the second one at a cost the DIB can bear.
The certification requirement is on hold. The consequences of a security failure are not.
The trade only pays off if the task force fills the gap with something stronger than the checklist it replaced.
The worst outcome of the next 60 days would be a cheaper checklist. The opportunity is to move DIB assurance from artifacts to evidence. Three design principles would get there:
Done right, this isn’t deregulation. It’s the difference between asking “Did you certify?” and asking “Can you operate under attack?” Zero Trust is not the destination. Operational resilience is. The announcement also reinforces that shift by placing resilience (not compliance) at the center of the conversation.
Cybersecurity is the art and science of maintaining operations. CMMC was never the point. A defense supply chain that can take a punch and keep delivering is the point.
The Phase II suspension is a bet that the Department can get there with less friction and more evidence. Whether that bet pays off is being decided in the next 60 days and the DIB has a seat at that table.
The organizations that will navigate this transition with confidence are the ones treating the interim period as an investment window, not a vacation. They’re building evidence of effectiveness now, because they understand what’s coming next.
GuidePoint Security is a CMMC Registered Provider Organization (RPO) and works with defense contractors and federal agencies on these types of transitions, from compliance posture to demonstrable security capability. If your organization needs to understand what this interim period means for your contracts, your SPRS posture or your security roadmap, start with an honest gap assessment of where controls exist on paper versus where they demonstrably work.
Federal Chief Information Security Officer (CISO)
GuidePoint Security
Timothy Amerson is currently the Federal Chief Information Security Officer (CISO) at GuidePoint Security. While also serving as the the President of the Board of Directors for The KEY (Keep Elevating Yourself) Community Non-Profit. He brings more than 30+ years of distinguished service in federal cybersecurity leadership. Most recently, he served as the CISO and Associate Commissioner at the Social Security Administration (SSA), where he was recognized as a 2023, 2024 and 2025 Top 100 Information Security Professional; 2024 FedScoop Top 50 Federal Leader Nominee; 2025 CyberScoop Government Leaders, FedScoop Top 50 Federal Leader Nominee and Finalist US Forces in Business Lifetime Achievement Award.
Practice Director, Compliance
GuidePoint Security
Dan Mengel, Practice Director at GuidePoint Security, began his career in the security industry in 2000. He has delivered high-quality consulting services, directly and by leading others, in the areas of information security program architecture, security policy development and security vulnerability, risk and compliance assessments. He has developed sales and delivery processes and documentation templates for all of these engagement types. Dan is currently leading GuidePoint’s Compliance team in delivering assessment and advisory services for multiple information security standards. He also has significant prior experience designing and integrating security technology solutions from Cisco, Check Point, Websense, RSA and others.