CMMC Phase 2 is Suspended: Why Smart Contractors Will Press On

|By Michael Diab

On July 13, 2026, the Pentagon announced the immediate suspension of Cybersecurity Maturity Model Certification (CMMC) Phase 2, the stage that was scheduled to require third-party certification starting November 10. Alongside it, the department opened a 60-day, top-to-bottom review of the entire program and left open the possibility of reshaping it.

Key Takeaways

  • On July 13, 2026, the Department of War suspended CMMC Phase 2, the third-party certification requirement set to take effect November 10, 2026, and opened a 60-day review of the program.
  • The suspension halts the certification mechanism, not your obligation to protect Controlled Unclassified Information (CUI). DFARS clause 252.204-7012 and NIST SP 800-171 remain fully in force.
  • Phase 1 self-assessments, an accurate Supplier Performance Risk System (SPRS) score, government-led DIBCAC assessments, prime contractor flow-downs, and False Claims Act exposure all still apply.
  • The security work you've already done still satisfies live requirements today and positions you for whatever the review produces.
  • Watch the 60-day window: the CMMC Reform Task Force is targeting a report by mid-September, and the public RFI is open for responses through August 14, 2026. The program may return in a modified form.

If you run technology or compliance for a defense contractor, you've seen the headlines by now. But the CMMC suspension confuses the part of the program that was suspended with the obligation sitting underneath it, and the difference between those two things is the whole story.

So if the news left you wondering whether a year of preparation just went to waste, the short answer is no. Here's the accurate, measured version of what happened and what it means for you.

CMMC certification was suspended but the underlying requirement hasn't stopped

CMMC compliance was never the obligation itself. It was the mechanism built to verify an obligation that already existed, which is your duty to protect Controlled Unclassified Information (CUI).

What the Pentagon suspended is the verification step: the requirement to pass an assessment by a Certified Third-Party Assessment Organization (C3PAO) before a contract is awarded. The department pointed to a real, practical problem. More than 100,000 defense businesses still needed a third-party assessment, and only around 100 assessors were available to conduct them. In a release lauding the DOW’s decision, the Small Business Administration cited the “costly bureaucratic burdens on the small contractors.”

So the department took the following actions:

  • Suspend third-party certification.
  • Make a plan to establish a CMMC Reform Task Force.
  • Asked for industry feedback through a public Request for Information, with responses due August 14. The task force will report back within 60 days. You can access it here.

What the DOW did not do, and what a memo legally cannot do, is repeal your responsibility to secure data. According to DOW CIO Kirsten Davies, "Robust cybersecurity and operational resilience remain critical to protecting American innovation and supporting warfighter readiness.” The department framed the move as cutting red tape, rather than removing the need for sound cybersecurity practices. The action does not eliminate the legal requirement for industry partners to protect federal data.

What changed...and what stayed exactly the same

What the suspension changed

Change

What it means for you

Third-party (C3PAO) certification is suspended

Level 2 and Level 3 certification is no longer a gate for contract award during the review.

Phase 2 and later milestones are frozen

New and renewing solicitations can require only CMMC Level 1 (Self) or Level 2 (Self), not C3PAO Level 2 or DIBCAC Level 3. Phase 2 language already in contracts is being amended by the government.

A 60-day review is underway

A CMMC Reform Task Force will recommend a path forward by roughly mid-September. An RFI is open through August 14, 2026.


What did not change

Requirement

Status

DFARS clause 252.204-7012

Fully in effect: Safeguard CUI, report incidents, flow requirements down to subcontractors.

NIST SP 800-171 (Rev 2)

Still the security standard for handling CUI. The 110 controls remain the benchmark.

Phase 1 self-assessments

Still required, including Level 1 and Level 2 self-assessments where applicable.

SPRS score

Must be kept current and accurate (arguably more important now, not less)

Government-led (DIBCAC) assessments

Continue during the interim. These aren't conducted by an assessor you choose.

Prime contractor flow-downs

May still bind you. A prime's contractual language doesn't dissolve because the federal timeline shifted.

False Claims Act exposure

The DOJ's Civil Cyber-Fraud Initiative still pursues organizations that misrepresent their posture. No breach required.

 

Related reading: CMMC 2.0 Compliance: What DOW Contractors Must Know and our CMMC compliance guide for GovCons

Side by side and the picture is clear: the paperwork gate moved, but the road behind it is unchanged.

Why protecting CUI still matters

It’s not that regulatory calendars aren’t important – they still are. But they’re also a construct of the federal government. Your threat environment doesn’t operate on any kind of timeline. The nation-state actors probing the defense industrial base for weak links aren't standing down for a 60-day review. The sensitive data on your systems is no less valuable to them this week than it was last week.

The nation-state actors probing the defense industrial base for weak links aren't standing down for a 60-day review. The sensitive data on your systems is no less valuable to them this week than it was last week.

To put this into the proper perspective, remember that protecting CUI was never about earning a certificate, even if that was a major focus for defense contractors. It was about not becoming a soft entry point into a supply chain. That responsibility is yours whether or not a C3PAO ever comes calling.

Keep building your cybersecurity foundation

If you pause your program for 60 days and the requirement returns in a similar form (something which is entirely possible since CMMC is codified in federal regulation and unwinding it would take a formal rulemaking process) you haven't saved any effort. Now you're simply 60 days behind, facing the same work with less runway. Meanwhile, the assessor shortage that helped trigger this suspension hasn't been solved. If certification resumes and everyone who stopped work rushes back at once, the line only gets longer.

The work you've done (your System Security Plan (SSP), your implemented controls, your evidence, your documented processes) satisfies obligations that are still live today. It also positions you for whatever framework emerges from the review.

Put another way: there is no version of the future in which a mature, well-documented security program turns out to be the wrong thing for you to have.

What to do now

Don’t overhaul your roadmap. Just make a few deliberate decisions rather than reactive ones:

  • Don't dismantle anything. Your controls, SSP, and evidence still serve obligations that remain in effect.
  • Keep your SPRS score current and defensible. Government-led assessments continue, and self-attestation now carries more weight.
  • Pause before you cancel a scheduled C3PAO assessment. The right call depends on your contracts, your primes, your assessor, and how far along you are. Talk it through before you forfeit a deposit or a spot in line.
  • Check your flow-downs. A prime's contractual requirements may still bind you regardless of the federal timeline. When in doubt, confirm the specific obligation with your contract counsel.
  • Watch the 60-day window. The task force is targeting mid-September. What it recommends will shape your next steps, and it's worth following in real time rather than after the fact.

What comes next

The obligation underneath obtaining CMMC compliance isn’t going anywhere. Look at the suspension as an opportunity to do this right, to make sure your security foundation is solid rather than assembled in a rush against a deadline.

Whatever framework comes out of the next 60 days, the companies that use this window to strengthen their posture will be the ones ready for it. Beyond being a sound compliance strategy, it's also good business, and it's the right thing to do for your mission.

If you’re not sure what the suspension means for your specific contracts, in-flight assessment, or your overall cybersecurity roadmap, talk to Ntiva’s GovCon team or explore our Governance, Risk & Compliance services. We can help you adjust deliberately instead of reactively.

Back to blog

About the author

Michael Diab

Michael Diab is Ntiva's Director of Regulatory & Compliance, where he supports the company's GovCon practice and its CMMC readiness and compliance-as-a-service work for regulated clients. He’s helped take Ntiva through its own CMMC Level 2 certification via an accredited C3PAO and advises defense contractors from firsthand, auditor-tested experience.

18-ContentGroup

Explore Our Latest
Resources and Articles

08-FeaturedBlogPosts