War Department Changes Cybersecurity Maturity Model Certification Requirements
The War Department announced the suspension of CMMC phase two requirements that had been initially scheduled to take effect in November, and launched a comprehensive review of the entire CMMC program.…
Cabrillo Club
Editorial Team · July 14, 2026 · 6 min read
Cabrillo Club Insights
War Department Changes Cybersecurity Maturity Model Certification Requirements
Also in this intelligence package
Executive Summary
The War Department announced the suspension of Cybersecurity Maturity Model Certification (CMMC (Cybersecurity Maturity Model Certification)) phase two requirements that had been initially scheduled to take effect in November, and has launched a comprehensive review of the entire CMMC program. This is a critical, program-level shift that directly affects contractors working across the Defense and defense-adjacent market segments that were planning near-term investments, proposals, or flow-down changes tied to CMMC Phase 2 acceptance or enforcement.
Segments most affected (per the event Tags) include Cybersecurity, IT Services, Defense, Defense Industrial Base, Aerospace and Defense Manufacturing, Systems Integration, Cloud Services, and Managed Security Services. Contractors in these segments should pay attention now because the suspension creates both short-term bid/proposal uncertainty and medium-term regulatory uncertainty while the review proceeds. Firms that were about to rely on Phase 2 milestones or that had restructured capacity, pricing, or subcontracting based on Phase 2 rules need to reassess near-term plans, preserve evidence of compliance under existing regimes, and prepare to respond quickly once the review issues new guidance.
Impact Matrix
Cybersecurity
- Risk Level: Critical
- Opportunity: Contractors providing cybersecurity compliance, assessment, and remediation services may see demand for advisory and gap-assessment work during the review. Relevant NAICS (from Tags): 541512, 541519, 541511, 541513, 541330, 541715, 541714, 541713, 541712, 541711. Relevant vehicles (from Tags): OASIS+, SEWP, GSA (General Services Administration) IT Schedule 70, STARS III, ITES-3S, CIO-SP4, Alliant 2, 8(a) STARS III.
- Timeline: Phase two requirements were initially scheduled to take effect in November (suspended) and the War Department has launched a comprehensive review of the CMMC program.
- Action Required: Preserve current compliance posture under existing regimes (e.g., maintain NIST-based controls), document audits/gap assessments, pause irreversible investments built only to meet Phase 2 timelines, and monitor War Department and listed agencies for revised guidance.
- Competitive Edge: Offer rapid CMMC-gap-to-remediation packages tied to existing compliance frameworks (NIST 800-171 (NIST Special Publication 800-171) / NIST 800-172 referenced in Tags) so customers can quickly align to either the pre-review status or any revised outcomes.
IT Services
- Risk Level: High
- Opportunity: Short-term uncertainty may open windows for contract amendments, advisory work, and transition projects as primes and agencies reassess compliance flow-downs. Relevant NAICS (from Tags): 541512, 541511, 541513, 541519, 541330. Relevant vehicles (from Tags): GSA IT Schedule 70, OASIS+, SEWP, STARS III, ITES-3S, CIO-SP4, Alliant 2, 8(a) STARS III.
- Timeline: Phase two requirements were initially scheduled to take effect in November (suspended); comprehensive review underway.
- Action Required: Re-evaluate proposal assumptions tied to CMMC Phase 2, protect margin and schedule assumptions that depended on Phase 2 enforcement, and keep contemporaneous evidence of existing NIST/DFARS (Defense Federal Acquisition Regulation Supplement) compliance posture.
- Competitive Edge: Emphasize demonstrable controls and documentation that satisfy DFARS/FAR (Federal Acquisition Regulation)/NIST expectations (see compliance surfaces in Tags) so evaluators can rely on verifiable security posture irrespective of CMMC phase status.
Defense
- Risk Level: High
- Opportunity: Contractors across DoD (Department of Defense) and its components named in Tags may bid on transitional work, compliance consulting, and request-for-information responses as the War Department and listed agencies coordinate the review. Relevant agencies (from Tags): DOD, Department of the Army, Department of the Navy, Department of the Air Force, Defense Logistics Agency, Defense Information Systems Agency, Missile Defense Agency, Defense Advanced Research Projects Agency.
- Timeline: Phase two requirements were initially scheduled to take effect in November (suspended); comprehensive review launched.
- Action Required: Coordinate with primes and program offices to understand contract-specific flow-down expectations, maintain readiness to reintroduce CMMC-based compliance if the review restores requirements, and document current good-faith compliance actions.
- Competitive Edge: Develop position papers and readiness packages for program offices that demonstrate minimal operational disruption if new CMMC outcomes are reinstated, while offering interim compliance assurance services.
Defense Industrial Base
- Risk Level: High
- Opportunity: Suppliers in the defense industrial base can capture work to document current compliance, pursue remediation contracts, and support primes reworking supply-chain requirements. Relevant NAICS (from Tags): 334111, 334118, 336411, 336412, 336413, 336414, 336415, 336419, plus service NAICS listed above.
- Timeline: Phase two requirements were initially scheduled to take effect in November (suspended); comprehensive review launched.
- Action Required: Continue to meet existing contract clauses and compliance expectations (see compliance surfaces in Tags), preserve audit trails, and limit disruptive supply-chain changes based solely on the previously scheduled Phase 2 date.
- Competitive Edge: Provide turnkey supplier-assessment and prioritized remediation offerings that let primes quickly validate subcontractor posture regardless of the final CMMC outcome.
Aerospace and Defense Manufacturing
- Risk Level: High
- Opportunity: Manufacturing contractors can offer compliance validation, evidence-collection services, and secure engineering support while agencies reassess CMMC implementation timelines. Relevant NAICS (from Tags): 334111, 334118, 336411, 336412, 336413, 336414, 336415, 336419.
- Timeline: Phase two requirements were initially scheduled to take effect in November (suspended); comprehensive review launched.
- Action Required: Maintain documented compliance consistent with NIST and DFARS clauses cited in Tags, avoid major process or contractual changes tied solely to the suspended phase, and prepare to bid on remediation or advisory work.
- Competitive Edge: Bundle operational security controls with manufacturing process controls to demonstrate end-to-end security posture attractive to primes and program offices.
Professional Services
- Risk Level: Medium
- Opportunity: Consulting, legal, program-management, and proposal-support firms can advise clients on how to adjust to the suspension, prepare comments for the review, and update pricing assumptions. Relevant NAICS (from Tags): 541330, 561210, 561990, 541711–541715 series.
- Timeline: Phase two requirements were initially scheduled to take effect in November (suspended); comprehensive review launched.
- Action Required: Update proposal templates and risk matrices, provide clients near-term transition guidance, and monitor War Department communications for requested input to the review.
- Competitive Edge: Package rapid-impact recommendations and rule-change readiness playbooks for primes and subcontractors to minimize bid disruption.
Systems Integration
- Risk Level: High
- Opportunity: Systems integrators can capture rework, testing, and verification work as program offices reassess CMMC enforcement and as primes reconcile flow-downs. Relevant NAICS (from Tags): 541512, 541511, 541513, 541519.
- Timeline: Phase two requirements were initially scheduled to take effect in November (suspended); comprehensive review launched.
- Action Required: Retain staff/contractors trained on the compliance frameworks listed in Tags, maintain evidence of control implementations, and be ready to update system baselines to match any revised requirements.
- Competitive Edge: Provide modular compliance integration services that can be scaled up or down depending on the review’s outcomes.
Cloud Services
- Risk Level: High
- Opportunity: Cloud providers and integrators may be asked for assessments, enablement of required controls, and temporary architectures to meet transitional needs. Relevant vehicles (from Tags): SEWP, GSA IT Schedule 70; relevant compliance regimes: NIST 800-171, NIST 800-172 (from Tags).
- Timeline: Phase two requirements were initially scheduled to take effect in November (suspended); comprehensive review launched.
- Action Required: Continue to align cloud offerings to existing government security expectations referenced in Tags, document control implementations, and liaise with agency stakeholders named in Tags to clarify interim expectations.
- Competitive Edge: Offer validated, evidence-rich cloud configurations aligned to NIST controls so customers can demonstrate compliance regardless of CMMC phase decisions.
Managed Security Services
- Risk Level: Critical
- Opportunity: Demand for managed detection, monitoring, and compliance-as-a-service may increase as contractors seek to demonstrate ongoing security posture during the program review. Relevant NAICS (from Tags): 541512, 541519, 541511, 541513; relevant compliance surfaces: CMMC, NIST 800-171, NIST 800-172, DFARS clauses, FAR 52.204-21 (from Tags).
- Timeline: Phase two requirements were initially scheduled to take effect in November (suspended); comprehensive review launched.
- Action Required: Maintain continuous monitoring and logging capabilities, preserve evidence packages, and be prepared to provide short-notice attestations or transition support to primes and subcontractors.
- Competitive Edge: Differentiate by offering compliance-ready MSSP services that map monitored controls to the listed compliance surfaces so customers can show continuity of security posture.
Cross-Segment Implications
- Program-level suspension of CMMC Phase 2 creates cascading uncertainty across suppliers, primes, and program offices named in Tags (DOD and listed components). Primes may delay flow-down enforcement, causing downstream revenue timing and compliance-cost unpredictability for IT Services, Systems Integration, Managed Security Services, and Defense Industrial Base firms.
- Contractors focused on cybersecurity and managed services will be called on to both preserve current control sets (per NIST/DFARS/FAR references in Tags) and to provide rapid assessment/remediation services; this increases demand for cross-segment offerings (e.g., MSSP + professional services + systems integration).
- Cloud Services and Aerospace/Defense Manufacturing firms may need to coordinate tightly with IT and cybersecurity providers to maintain evidence and architectures that satisfy existing contract clauses while awaiting the review outcome.
- Agencies and contract vehicles listed in Tags (e.g., OASIS+, SEWP, GSA IT Schedule 70, STARS III, etc.) may see short-term changes in procurement timing or require clarifying guidance; contractors should watch those vehicles and the named agencies for updated direction.
Stop missing federal opportunities
Signals matches SAM.gov opportunities to your NAICS codes, tracks regulatory changes, and alerts you before competitors.
Start Free Trialor try our free Intelligence Dashboard→

Cabrillo Club
Editorial Team
Cabrillo Club is a defense technology company building AI-powered tools for government contractors. Our editorial team combines deep expertise in CMMC compliance, federal acquisition, and secure AI infrastructure to produce actionable guidance for the defense industrial base.