DoD Suspends CMMC Phase 2 and Launches 60-Day Reform Review

The U.S. Department of Defense (DoD) has announced that it is suspending implementation of Cybersecurity Maturity Model Certification (CMMC) Phase 2 while conducting a 60-day review of the program. Although this announcement has created uncertainty for many federal contractors, it should not be interpreted as a signal that cybersecurity requirements are going away. Instead, the DoD is evaluating how to streamline and improve the CMMC program while continuing to protect sensitive government information.
For small and medium-sized government contractors, now is the time to remain focused on cybersecurity readiness rather than delaying compliance efforts.
What Is Changing?
Phase 2 of the CMMC program was expected to expand the number of contractors required to obtain third-party cybersecurity certifications before being awarded certain DoD contracts. Under the announced pause, the DoD will review the certification framework, implementation process, and associated costs to determine whether reforms are necessary.
The review is expected to focus on reducing unnecessary administrative burdens while maintaining appropriate safeguards for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
What This Means for Contractors
While the certification timeline may shift, the underlying cybersecurity obligations have not been suspended. Contractors should remember that:
Existing cybersecurity requirements under DFARS clauses remain in effect.
Contractors handling Controlled Unclassified Information (CUI) are still expected to implement the security controls outlined in NIST SP 800-171.
Future DoD solicitations may continue to include cybersecurity requirements even if formal CMMC certification dates change.
Waiting until the review concludes could leave contractors scrambling if implementation resumes with little notice.
Recommended Actions
Government contractors should use this period to strengthen their cybersecurity posture by:
Reviewing compliance with NIST SP 800-171 security controls.
Identifying and remediating gaps in cybersecurity policies and technical safeguards.
Updating the organization's System Security Plan (SSP) and Plan of Action & Milestones (POA&M).
Maintaining documentation that demonstrates ongoing cybersecurity efforts.
Monitoring DoD announcements regarding the outcome of the reform review.
Organizations that continue preparing now will likely be in a much stronger position regardless of how the final CMMC framework evolves.
HR's Role in Cybersecurity Compliance
Although CMMC is often viewed as an IT initiative, Human Resources plays an important supporting role. HR departments should ensure that:
Cybersecurity awareness training is provided to employees.
New hire onboarding includes required security policies and acceptable use acknowledgments.
Employee terminations include timely removal of system access.
Personnel responsible for handling sensitive information understand their cybersecurity responsibilities.
Security-related policies remain current and are consistently enforced.
Strong administrative controls complement technical safeguards and help demonstrate an organization's commitment to protecting sensitive information.
Looking Ahead
The DoD's 60-day reform review introduces some short-term uncertainty, but the long-term direction is clear: cybersecurity will remain a critical requirement for companies doing business with the federal government. Contractors that continue investing in compliance, documentation, and employee awareness will be better positioned to compete for future contracts while reducing operational and security risks.
How C2 Essentials Can Help
Navigating federal contractor compliance requires more than understanding HR regulations. C2 Essentials partners with government contractors to support policy development, employee training, onboarding and offboarding procedures, documentation practices, and other administrative controls that complement your organization's cybersecurity compliance efforts. While technical cybersecurity implementation should be managed by qualified IT and security professionals, C2 Essentials helps ensure your workforce practices support your overall compliance strategy and readiness for future federal requirements.

