On July 13, 2026, the Department of War announced the immediate suspension of CMMC Phase 2 requirements, which were scheduled to take effect on November 10, 2026. Phase 2 was the milestone that would have made Level 2 certification by a third-party assessor a condition of award for applicable contracts.
The announcement was specific about what is stopping. Third-party certification assessments are suspended. Pending CMMC implementation milestones are suspended. Program managers have been directed to amend active solicitations that contain Phase 2 requirements. A CMMC Reform Task Force will review the program and deliver recommendations to the DoW CIO within 60 days, informed by a public Request for Information that is open now.
The announcement was equally specific about what is not stopping, and that part received far less attention. We'll get to it in a moment, because it's the part that determines what you should actually do.
If your first reaction was relief, that's understandable. The certification requirement carried real costs, and for many organizations the November deadline had become a source of genuine pressure. But before anyone stands down their compliance program, it's worth reading what the Department actually said, rather than what the headlines implied.
Four things survived the announcement intact, and together they matter more than what was suspended.
DFARS 252.204-7012 remains in your contracts. The announcement states this explicitly: all defense contractors and subcontractors remain contractually obligated to safeguard covered defense information. That clause requires implementation of NIST SP 800-171. It has been in contracts since 2017, and nothing that happened this week touched it.
NIST SP 800-171 remains the standard. During the review period, the Department will enforce compliance with 800-171 Rev 2 through self-assessments and select government-led assessments. The 110 controls did not go anywhere. What changed is who checks.
Phase 1 remains in effect. Self-assessment requirements that took effect in November 2025 continue. If your contracts require a Level 1 or Level 2 self-assessment, they still do.
Your SPRS score and annual affirmation remain required. An executive at your company still signs an annual affirmation of compliance, posted in SPRS, visible to the government and to the primes you work with. That affirmation is a certification to the federal government. A false or unsupported one carries False Claims Act exposure, and the Department of Justice has already pursued and settled cases against defense contractors and universities over exactly this kind of misrepresentation.
Put plainly: the certificate was suspended. The obligation was not.
It's tempting to read this announcement as the beginning of the end for CMMC. The history suggests otherwise.
CMMC has been through this before. The original CMMC 1.0 was paused in 2021 for a comprehensive review, and what emerged months later was CMMC 2.0, streamlined but very much alive. The program has now survived two administrations, because the problem it exists to solve, the sustained theft of defense technical data from contractor networks, has not gone anywhere.
The structure of this week's action points the same direction. A 60-day task force with a public RFI is the machinery of reform, not repeal. The RFI questions ask industry which controls deliver real security value, which create overhead without value, and how self-attestation can be strengthened. Those are the questions you ask when you intend to keep a program and make it cheaper, not when you intend to end it.
There's also a legal reality. The requirements live in codified regulation. Unwinding them entirely would take formal rulemaking measured in years, not a 60-day study. Suspension by policy memo is what's available quickly, and it's what was used.
Our expectation, and it's only an expectation until the task force reports: the verification regime changes, likely toward self-attestation as the default with government-led spot assessments as the check, possibly with a slimmed emphasis on the controls that measurably reduce risk. The underlying requirement to protect federal data persists in every scenario we consider plausible.
Here's the part that deserves more attention than it's getting.
Under the certification model, verification was scheduled. You knew your assessment date, you prepared for it, and you had months of runway. Under the model the Department just described, verification arrives two ways, and neither comes with a preparation window.
The first is a government-led assessment. The Department has said it will conduct select assessments during the interim period, and DIBCAC has been building capacity for exactly this. A spot assessment evaluates the same controls a C3PAO would have, with less notice and no commercial relationship softening the encounter.
The second is legal. In a self-attestation regime, the annual affirmation carries the enforcement weight. The Department of Justice's Civil Cyber-Fraud Initiative has demonstrated that it will treat unsupported cybersecurity attestations as false claims. Whistleblowers inside your own organization can initiate those cases.
This is the paradox of the suspension. For an organization that was treating CMMC as a checkbox, the pressure just dropped. For an organization thinking clearly about risk, the pressure arguably went up, because you can prepare for a scheduled assessment, but you can only already be ready for an unscheduled one.
And there's a third channel that doesn't depend on the government at all: your primes. Flow-down obligations under 7012 are unchanged, which means prime contractors still carry liability for their supply chains, now with less independent verification available to them. We expect primes to respond by tightening their own supplier verification, not loosening it. If you sub to a major prime, your compliance requirements may effectively be set in their supply chain office rather than the Pentagon for the next year.
Our guidance to our own clients this week, shared here in full:
Do not dismantle or pause what you've built. Companies that stand down now will rebuild under pressure when the replacement regime lands or when a prime demands proof, likely at greater cost and on someone else's timeline. The work you've done implementing controls, maintaining your SSP, and keeping evidence current is precisely what protects you in the environment the Department just created.
Verify your SPRS score is accurate and supported. If your posted score would not survive scrutiny, fixing that is now your single most important compliance task, because the score and the affirmation behind it are what the government and your primes are relying on.
Check your specific contracts and flow-downs before changing plans. Some contracts and some primes may still require third-party certification. The suspension directed program managers to amend solicitations, but that takes time, and private flow-down requirements are set by primes, not the Department.
If you were scheduled for a C3PAO assessment, don't cancel reflexively. Talk to your assessor and your contracting officer first. Depending on your contracts and your primes, holding your place may be the smarter move, particularly if some form of third-party assessment returns for prioritized programs.
Consider responding to the RFI. The Department is asking industry which requirements create value and which create overhead. Responses are due August 14. If you've lived this program's costs firsthand, this is the rare moment when that experience can shape what comes next. We're submitting a response ourselves.
This suspension removed a deadline, not an obligation. The 110 controls are still in your contracts. Your affirmation still carries legal weight. The government just told you it will check compliance on its own schedule instead of yours, and your primes still have every incentive to check it on theirs.
The organizations at risk in this new environment are not the ones that were slow to schedule a C3PAO. They're the ones whose self-attestation doesn't match reality, because there is no longer a scheduled, commercial assessment standing between that gap and a government assessor or a False Claims Act complaint.
We've said since the day we founded this firm that compliance is a continuous state, not a certificate. This week, the Department of War restructured its entire program around that premise. Whatever emerges from the 60-day review, the organizations that treat compliance as an ongoing operational discipline will be ready for it. The ones that treated it as an event now have no event to prepare for, and no excuse.
Take our 3-minute Readiness Check and get an instant gap summary based on your environment.
Start Readiness Check →An independent firm focused exclusively on CMMC compliance for defense contractors and the DIB.