TL;DR
The War Department announced the suspension of the Cybersecurity Maturity Model Certification (CMMC (Cybersecurity Maturity Model Certification)) phase two requirements, which had been initially scheduled to take effect in November, and launched a comprehensive review of the entire CMMC program. This change immediately alters the compliance trajectory for contractors pursuing or relying on phase two certification for War Department work. Affected firms should expect near-term uncertainty on solicitation language, assessment requirements, and award evaluations tied to CMMC phase two. Contractors with active bids, proposals, or compliance programs tied to CMMC phase two need to inventory impacted opportunities and prepare for revised guidance following the Department’s review. Short-term implications include paused enforcement of the phase two requirement and a heightened need for real-time monitoring of policy updates that will follow the review.
Key Points
- What happened: The War Department suspended the CMMC phase two requirements and launched a comprehensive review of the entire CMMC program.
- Who is affected: NAICS codes listed in segmentation (541512, 541330, 541519, 541511, 541513, 334111, 334118, 336411, 336412, 336413, 336414, 336415, 336419, 541715, 541714, 541713, 541712, 541711, 561210, 561990); agencies in segmentation (DOD; Department of the Army; Department of the Navy; Department of the Air Force; Defense Logistics Agency; Defense Information Systems Agency; Missile Defense Agency; Defense Advanced Research Projects Agency); market segments and compliance surfaces listed in segmentation; contract vehicles listed in segmentation.
- Timeline: Suspension of phase two requirements that had been initially scheduled to take effect in November; comprehensive review launched. Further timeline details TBD pending source review.
- What contractors should do NOW: Inventory active and pipeline opportunities that reference CMMC phase two; flag proposals and awards that rely on phase two for compliance or evaluation; notify capture, proposal, security, and executive teams; enable continuous monitoring for follow-on guidance; update bid/no‑bid decisions and compliance workstreams pending the review outcome.
Who Is Affected
Organizations across the Defense and Defense Industrial Base market segments that provide cybersecurity, IT services, systems integration, cloud and managed security services, professional services, and aerospace and defense manufacturing are affected. Specific items from segmentation:
- NAICS codes: 541512, 541330, 541519, 541511, 541513, 334111, 334118, 336411, 336412, 336413, 336414, 336415, 336419, 541715, 541714, 541713, 541712, 541711, 561210, 561990
- Agencies: DOD; Department of the Army; Department of the Navy; Department of the Air Force; Defense Logistics Agency; Defense Information Systems Agency; Missile Defense Agency; Defense Advanced Research Projects Agency
- Contract vehicles: OASIS+; SEWP; GSA (General Services Administration) IT Schedule 70; STARS III; ITES-3S; CIO-SP4; Alliant 2; 8(a) STARS III
- Compliance regimes / surfaces: CMMC; NIST 800-171 (NIST Special Publication 800-171); NIST 800-172; DFARS (Defense Federal Acquisition Regulation Supplement) 252.204-7012; DFARS 252.204-7019; DFARS 252.204-7020; DFARS 252.204-7021; FAR (Federal Acquisition Regulation) 52.204-21
Frequently Asked Questions
Q: Has the War Department removed CMMC entirely?
A: The Summary states the War Department suspended CMMC phase two requirements and launched a comprehensive review of the entire CMMC program. Whether CMMC in other forms remains or is revised is pending source review.
A: The Summary reports suspension of phase two requirements and a program review; specific treatment of existing contracts (awards, contract clauses, or enforcement actions) is pending source review.
Q: What should contractors with active proposals that cite CMMC phase two do right now?
A: Contractors should inventory and flag affected proposals, notify internal capture/proposal/compliance leads, and prepare to update compliance claims pending guidance from the War Department. Specific contract-level actions or deadlines are pending source review.
Definitions
- Cybersecurity Maturity Model Certification (CMMC): A Departmental program intended to certify contractors’ cybersecurity practices. (As used in the Title and Summary.)
- phase two requirements: The phase of the CMMC program referenced in the Summary that had been scheduled to take effect in November and is now suspended pending review.
Intelligence Response
- Cabrillo Signals War Room — Already detected this event and delivered this briefing. Continuously monitors regulatory changes, contract vehicles, and policy shifts.
- Cabrillo Signals Match Engine — Automatically rescores opportunity pipelines when events like this shift the competitive landscape.
- Cabrillo Signals Intelligence Hub — Tracks affected agencies, NAICS codes, and contract vehicles. Saved searches alert when follow-on solicitations appear on SAM.gov (System for Award Management).
- Proposal Studio (Proposal OS) — AI-powered proposal automation with compliance matrices, win theme library, and bid/no-bid decision engine.
- Proposal Studio Workflow Tracker — 9-gate capture management with automated compliance routing and audit-ready documentation.
Which Cabrillo products to leverage now
- Use Cabrillo Signals War Room and Cabrillo Signals Intelligence Hub to monitor official War Department guidance and to surface changes tied to the listed agencies and vehicles.
- Use Cabrillo Signals Match Engine to re‑score and reprioritize opportunity pipelines where CMMC phase two drove competitive advantage or bid/no‑bid decisions.
- Use Proposal Studio (Proposal OS) and Proposal Studio Workflow Tracker to flag and re-audit proposals that referenced phase two requirements and to document bid/no‑bid and capture decisions.
Notify who in the organization
- Capture Lead — immediate impact on pipeline and bid/no‑bid decisions.
- Proposal Manager — needs to re-audit proposal claims and compliance matrices.
- CISO / Security & Compliance Lead — to evaluate posture, evidence, and assessment timelines.
- Chief Growth Officer / BD Lead — to reassess go-to-market and pursuit prioritization.
First 48-hour response playbook
- Hour 0–4: Confirm detection and distribute this briefing to capture, proposal, security, and executive teams. Create an incident flag on all active opportunities that reference CMMC phase two.
- Hour 4–12: Run Cabrillo Signals Match Engine to rescore the pipeline and identify highest-risk opportunities. Start targeted saved searches in Cabrillo Signals Intelligence Hub for follow-on War Department notices.
- Hour 12–24: Convene short review with Capture Lead, Proposal Manager, and CISO to triage active proposals; use Proposal Studio to mark proposals requiring compliance rework and to capture audit trails.
- Hour 24–48: Implement revised bid/no‑bid decisions and update internal stakeholders. Continue daily War Room monitoring and schedule weekly cadence until the War Department publishes review outcomes.
Additional resources
- Primary hub: CMMC Compliance Guide (/insights/cmmc-compliance-guide)
- Related guides: CUI (Controlled Unclassified Information)-Safe CRM Guide (/insights/cui-safe-crm-guide), Compliant AI Proposal Guide (/insights/compliant-ai-proposal-guide)