On July 13, 2026, the Department of War suspended the Phase II requirements of the Cybersecurity Maturity Model Certification and opened a 60-day review of the program. If you lead an aerospace or defense manufacturing business, your inbox has probably already filled up with opinions and theoretical outcomes. Some of them will tell you that CMMC is dead. Let me offer a more useful read, informed by years on both sides of this equation, inside the Office of the Secretary of Defense and out here in industry.
CMMC Phase II is paused. Your obligation to protect defense information is not.
Those are two very different statements, and the gap between them is where a lot of companies are about to make expensive mistakes.
What actually happened
The Department suspended the transition to Phase II, along with pending and future CMMC implementation milestones, and stood up a reform task force to deliver recommendations within 60 days. The stated reason is worth sitting with. Citing data that includes reporting from the Small Business Administration, the Department concluded that compliance costs were pushing innovative companies out of the Defense Industrial Base. You can see the apparent challenge. The cost of proving you are secure is becoming a bigger barrier than the threat itself. The review is meant to fix that balance by prioritizing speed to capability, lowering barriers for small and non-traditional businesses, and favoring scalable, resilient security over administrative overhead.
Here is the part the headlines tend to skip. Phase I self-assessments remain firmly in place. During the interim, the Department will continue to enforce cybersecurity compliance to the NIST SP 800-171 Rev 2 standard through self-assessments and select government-led assessments. Every contractor and subcontractor remains obligated to safeguard covered defense information under DFARS clause 252.204-7012. While the certification process is under review, the attention to cybersecurity compliance remains unchanged.
Why I think this is the right call
A level playing field is good for the mission. The strength of the American defense industrial base has never come only from its largest players, but from a diverse supply chain. It also includes the small shop with a better process, the non-traditional supplier with a smarter design, the mid-tier manufacturer that can move fast. When compliance overhead grows faster than actual security measures, the breadth of innovation we have access to gets squeezed. Our defense should have access to what it needs, not a portion of what’s available.
What defense manufacturers should do now
Do not confuse a pause with a pass. If you slow your security and modernization program because Phase II slipped, you are optimizing for the wrong thing. Consider what has not changed:
- The threat has not changed. Adversaries are not observing a 60-day pause.
- Your primes have not changed. They still evaluate the cybersecurity maturity of their suppliers, and that scrutiny is often tougher than any certification deadline.
- Your obligations have not changed. NIST SP 800-171 Rev 2 and DFARS 252.204-7012 still apply, and are still being assessed.
- The direction of travel has not changed. Whatever the task force recommends, it will still expect you to protect sensitive information. A scalable framework is still necessary.
The companies that will come out of this review ahead are the ones that treated security as an operating capability rather than a certificate to be earned once and filed away. A modernized, secure digital foundation helps protect your intellectual property, safeguards Controlled Unclassified Information, strengthens your resilience, and can position you for whatever framework emerges. That case was strong before last week. It is exactly as strong today.
Where Infor stands
We support an evaluation that makes the defense industrial base more secure and more open at the same time. It’s the same philosophy we apply to our portfolio. We believe the signals are clear: keep building on a secure foundation, keep meeting the obligations that remain, and be ready to adapt when the guidance lands. We will be tracking the review closely, and we will keep you informed as it develops.
Paused is not abandoned. Build like you know the difference.
If you’re interested in learning more about Infor GovCloud solutions, schedule a meeting.
*Source: Department of War press release, Forging the Arsenal of Freedom: Department of War Suspends CMMC Phase II Requirements
Alex Plitsas
Vice President, Global Industry Principal for Aerospace & Defense, Infor
Alex Plitsas is Vice President and Global Industry Principal for Aerospace & Defense at Infor, where he leads industry strategy and advises aerospace, defense, and complex industrial manufacturers on digital transformation, supply chain modernization, compliance, and operational scale. Drawing on experience across manufacturing, defense, finance, and government, he works with organizations navigating evolving regulatory requirements, production constraints, cybersecurity demands, and global supply chain disruption. Over the course of his private-sector career, he has supported transformation initiatives for more than one hundred aerospace and defense companies.