War Department Changes Cybersecurity Maturity Model Certification Requirements
The War Department has announced the suspension of the Cybersecurity Maturity Model Certification (CMMC) phase two requirements initially scheduled to take effect in November and launched a comprehensive review of the entire CMMC program.…
Cabrillo Club
Editorial Team · July 14, 2026 · 4 min read
Cabrillo Club Insights
War Department Changes Cybersecurity Maturity Model Certification Requirements
Also in this intelligence package
Overview
The War Department has announced the suspension of the Cybersecurity Maturity Model Certification (CMMC (Cybersecurity Maturity Model Certification)) phase two requirements that had been initially scheduled to take effect in November, and it has launched a comprehensive review of the entire CMMC program. For contractors this is a critical development: requirements you or your primes were preparing to meet may be paused, re-scoped, or reissued after the review. Action is needed now to avoid both unnecessary spending on changed requirements and gaps that could expose CUI (Controlled Unclassified Information) or put you out of compliance under existing contract clauses. Maintain current protections and evidence while you monitor for official War Department guidance and any follow-on direction affecting solicitations and contract language. Use this pause to update your risk assessments, confirm current DFARS (Defense Federal Acquisition Regulation Supplement)/FAR (Federal Acquisition Regulation) applicability on active contracts, and prepare flexible capture and compliance plans that can adapt when updated CMMC guidance is published.
Immediate Actions (This Week)
- [ ] Monitor War Department official channels and Cabrillo Signals War Room for the formal suspension notice, any clarifying guidance, and timelines for the review.
- [ ] Identify active and near-term solicitations or contracts that referenced CMMC phase two or CMMC generally; flag them for immediate legal/contracts review.
- [ ] Notify capture, proposals, security, and legal teams of the suspension so bid/no-bid criteria and proposal assumptions are paused pending guidance.
- [ ] Do not reduce current cybersecurity controls or evidence collection — maintain NIST 800-171 (NIST Special Publication 800-171) and related protections where contract clauses (DFARS, FAR) still apply.
- [ ] Compile an inventory of where CUI is processed/stored and which contracts mention CMMC or related clauses so you can rapidly assess impact once updated guidance is released.
Short-Term Actions (30 Days)
- [ ] Perform a focused gap analysis against NIST 800-171 (and NIST 800-172 where applicable) to document current posture and remediation status; capture evidence for auditability.
- [ ] Update your opportunity pipeline and capture plans in case the War Department issues revised requirements or timelines — ensure primes/subcontractors are informed and aligned.
Long-Term Actions (90+ Days)
- [ ] Maintain a flexible compliance roadmap that can accommodate revised CMMC requirements after the War Department review; prioritize controls and documentation that provide the greatest continuity.
- [ ] Run tabletop exercises and update incident response and supplier management processes to reflect potential changes in certification, reporting, and contract clause expectations.
Compliance Checklist
- [ ] CMMC — Monitor the War Department review and maintain readiness; preserve documentation of current control implementation and any prior certification activity.
- [ ] NIST SP 800-171 (NIST Special Publication 800-171) — Continue implementing and documenting controls; ensure artifacts and evidence are current and audit-ready.
- [ ] NIST SP 800-172 — Evaluate applicability for enhanced protections and maintain documentation where relevant.
- [ ] DFARS 252.204-7012, 252.204-7019, 252.204-7020, 252.204-7021 — Identify which active contracts include these clauses and ensure you remain compliant with their requirements.
- [ ] FAR 52.204-21 — Ensure required practices for federal contractor safeguarding are maintained and evidence is available.
Resources
- War Department announcement — monitor official War Department channels for the full statement and follow-up guidance.
- CMMC Compliance Guide (/insights/cmmc-compliance-guide) (primary hub for tracking CMMC changes and contractor obligations)
- Related guidance and planning:
- CUI-Safe CRM Guide (/insights/cui-safe-crm-guide)
- Compliant AI Proposal Guide (/insights/compliant-ai-proposal-guide)
How Cabrillo Club Automates This
- Cabrillo Signals War Room — The War Room already detected this event and delivered this briefing within minutes. It continuously monitors War Department and related sources for announcements, program notices, and policy shifts so you get immediate alerts when the suspension and review were posted and when follow-on guidance appears. Use War Room alerts to drive your immediate actions without manual source monitoring.
- Cabrillo Signals Match Engine — When the CMMC phase two suspension and program review change the competitive or compliance landscape, the Match Engine automatically rescales opportunity scores across your pipeline. It updates match scores, keyword relevance (e.g., CMMC/CUI), and agency alignment in real time so capture and BD teams see which opportunities gained or lost viability under the new posture.
- Cabrillo Signals Intelligence Hub — The Intelligence Hub tracks affected agencies, contract vehicles, and NAICS profiles. Configure saved searches and alerts to watch for follow-on solicitations or amendments on SAM.gov (System for Award Management) and other sources that match this event’s profile; the Hub will surface new solicitations, amendments, or policy documents so you can react quickly.
- Proposal Studio (Proposal OS) — Proposal Studio generates compliance matrices, first-draft technical approaches, and win-theme content tailored to the current compliance posture. If guidance changes, Proposal OS can re-run bid/no-bid logic and regenerate drafts that reflect the latest assumptions about CMMC and NIST requirements, using your past performance library as context.
- Proposal Studio Workflow Tracker — The Workflow Tracker enforces a 9-gate capture process that routes compliance reviews to contracts and legal, tracks supplier certifications, and compiles audit-ready documentation packages. When the War Department publishes updates, the Workflow Tracker can re-prioritize compliance gates and notify reviewers to revalidate assumptions and evidence.
Call to action: log into your Cabrillo Signals War Room and Intelligence Hub to confirm your saved searches and pipeline rescoring are active, and open Proposal Studio to update bid assumptions so your teams are ready for the War Department’s next steps.
---
Stop missing federal opportunities
Signals matches SAM.gov opportunities to your NAICS codes, tracks regulatory changes, and alerts you before competitors.
Start Free Trialor try our free Intelligence Dashboard→

Cabrillo Club
Editorial Team
Cabrillo Club is a defense technology company building AI-powered tools for government contractors. Our editorial team combines deep expertise in CMMC compliance, federal acquisition, and secure AI infrastructure to produce actionable guidance for the defense industrial base.