On July 13, 2026, the Pentagon announced the immediate suspension of Cybersecurity Maturity Model Certification (CMMC) Phase 2, the stage that was scheduled to require third-party certification starting November 10. Alongside it, the department opened a 60-day, top-to-bottom review of the entire program and left open the possibility of reshaping it.
If you run technology or compliance for a defense contractor, you've seen the headlines by now. But the CMMC suspension confuses the part of the program that was suspended with the obligation sitting underneath it, and the difference between those two things is the whole story.
So if the news left you wondering whether a year of preparation just went to waste, the short answer is no. Here's the accurate, measured version of what happened and what it means for you.
CMMC compliance was never the obligation itself. It was the mechanism built to verify an obligation that already existed, which is your duty to protect Controlled Unclassified Information (CUI).
What the Pentagon suspended is the verification step: the requirement to pass an assessment by a Certified Third-Party Assessment Organization (C3PAO) before a contract is awarded. The department pointed to a real, practical problem. More than 100,000 defense businesses still needed a third-party assessment, and only around 100 assessors were available to conduct them. In a release lauding the DOW’s decision, the Small Business Administration cited the “costly bureaucratic burdens on the small contractors.”
So the department took the following actions:
What the DOW did not do, and what a memo legally cannot do, is repeal your responsibility to secure data. According to DOW CIO Kirsten Davies, "Robust cybersecurity and operational resilience remain critical to protecting American innovation and supporting warfighter readiness.” The department framed the move as cutting red tape, rather than removing the need for sound cybersecurity practices. The action does not eliminate the legal requirement for industry partners to protect federal data.
|
Change |
What it means for you |
|
Third-party (C3PAO) certification is suspended |
Level 2 and Level 3 certification is no longer a gate for contract award during the review. |
|
Phase 2 and later milestones are frozen |
New and renewing solicitations can require only CMMC Level 1 (Self) or Level 2 (Self), not C3PAO Level 2 or DIBCAC Level 3. Phase 2 language already in contracts is being amended by the government. |
|
A 60-day review is underway |
A CMMC Reform Task Force will recommend a path forward by roughly mid-September. An RFI is open through August 14, 2026. |
|
Requirement |
Status |
|
DFARS clause 252.204-7012 |
Fully in effect: Safeguard CUI, report incidents, flow requirements down to subcontractors. |
|
NIST SP 800-171 (Rev 2) |
Still the security standard for handling CUI. The 110 controls remain the benchmark. |
|
Phase 1 self-assessments |
Still required, including Level 1 and Level 2 self-assessments where applicable. |
|
SPRS score |
Must be kept current and accurate (arguably more important now, not less) |
|
Government-led (DIBCAC) assessments |
Continue during the interim. These aren't conducted by an assessor you choose. |
|
Prime contractor flow-downs |
May still bind you. A prime's contractual language doesn't dissolve because the federal timeline shifted. |
|
False Claims Act exposure |
The DOJ's Civil Cyber-Fraud Initiative still pursues organizations that misrepresent their posture. No breach required. |
Related reading: CMMC 2.0 Compliance: What DOW Contractors Must Know and our CMMC compliance guide for GovCons
Side by side and the picture is clear: the paperwork gate moved, but the road behind it is unchanged.
It’s not that regulatory calendars aren’t important – they still are. But they’re also a construct of the federal government. Your threat environment doesn’t operate on any kind of timeline. The nation-state actors probing the defense industrial base for weak links aren't standing down for a 60-day review. The sensitive data on your systems is no less valuable to them this week than it was last week.
The nation-state actors probing the defense industrial base for weak links aren't standing down for a 60-day review. The sensitive data on your systems is no less valuable to them this week than it was last week.
To put this into the proper perspective, remember that protecting CUI was never about earning a certificate, even if that was a major focus for defense contractors. It was about not becoming a soft entry point into a supply chain. That responsibility is yours whether or not a C3PAO ever comes calling.
If you pause your program for 60 days and the requirement returns in a similar form (something which is entirely possible since CMMC is codified in federal regulation and unwinding it would take a formal rulemaking process) you haven't saved any effort. Now you're simply 60 days behind, facing the same work with less runway. Meanwhile, the assessor shortage that helped trigger this suspension hasn't been solved. If certification resumes and everyone who stopped work rushes back at once, the line only gets longer.
The work you've done (your System Security Plan (SSP), your implemented controls, your evidence, your documented processes) satisfies obligations that are still live today. It also positions you for whatever framework emerges from the review.
Put another way: there is no version of the future in which a mature, well-documented security program turns out to be the wrong thing for you to have.
Don’t overhaul your roadmap. Just make a few deliberate decisions rather than reactive ones:
The obligation underneath obtaining CMMC compliance isn’t going anywhere. Look at the suspension as an opportunity to do this right, to make sure your security foundation is solid rather than assembled in a rush against a deadline.
Whatever framework comes out of the next 60 days, the companies that use this window to strengthen their posture will be the ones ready for it. Beyond being a sound compliance strategy, it's also good business, and it's the right thing to do for your mission.
If you’re not sure what the suspension means for your specific contracts, in-flight assessment, or your overall cybersecurity roadmap, talk to Ntiva’s GovCon team or explore our Governance, Risk & Compliance services. We can help you adjust deliberately instead of reactively.