On July 13, 2026, the U.S. Small Business Administration (SBA) Office of Advocacy announced that working with industry partners, including PilieroMazza, the SBA had worked to convince the U.S. Department of War (DoW) to suspend the Cybersecurity Maturity Model Certification (CMMC) program’s Phase II requirements and conduct a comprehensive review of the costs and regulatory requirements associated therewith. The suspension and investigation of CMMC Phase II marks a pivotal moment for small business contractors with concerns about the costly red tape associated with the program.

The CMMC program, launched via final rulemaking in 2024, was created to protect Controlled Unclassified Information and Federal Contract Information in the federal space by imposing three tiers of cybersecurity requirements and certifications onto contractors. Since its launch, CMMC has remained a point of contention for small business contractors, subject to its rules within the U.S. Defense Industrial Base. 

In an email circulating the press release, SBA shared that this decision was made as a result of “many round tables and conversations” in which PilieroMazza, through Cy Alba, participated and worked with SBA.  It was SBA ongoing work with DoW and small business stakeholders, who were particularly wary of the costs and requirements associated with the CMMC framework that lead to this great outcome for small contractors. Originally planned to go into effect in November 2026, CMMC Phase II would require more than 120,000 small business contractors to undergo a self-assessment or third-party assessment, based on their underlying contract, which SBA estimated could amount to nearly “$593,800 per CMMC certification for small firms requiring third party assessment, and about $388,600 for firms eligible for self assessment.” In short, compliance with CMMC Phase II, as it was written, would have cost small businesses hundreds of thousands of dollars in assessment costs and significant time spent pursuing certifications. 

SBA noted that due to the looming bureaucratic burden and costs associated with CMMC Phase II, several small business concerns considered leaving the defense industrial base. To avoid losing business with quality and reliable small business defense contractors, DoW responded by halting CMMC Phase II and launching a review into the program to recalibrate the program and assess next best steps. SBA’s Administrator, Kelly Loeffler, summed up the DoW decision by saying that “cybersecurity cannot come at the cost of bureaucracy that shuts out the very companies our warfighters depend on.”

Small businesses and federal contractors that routinely work with the DoW are advised to keep an eye out for further developments and changes to CMMC Phase II.

If you have further questions, do not hesitate to reach out to Cy Alba or anyone in PilieroMazza’s Government Contracts Group.