" /> CMMC Phase 2 Suspended: What Still Applies (Updated July 2026)
July 14, 2026

CMMC Phase II Suspended: Every Question Defense Contractors Are Asking (July 2026)

Published July 14, 2026 · ITSecOps analysis · Primary source: official Department of War release, July 13, 2026

On July 13, 2026, the U.S. Department of War (formerly DoD) suspended CMMC Phase II requirements — including the November 10, 2026 third-party certification milestone — effective immediately, pending a 60-day program review. Phase 1 self-assessments, SPRS scores, and DFARS 252.204-7012 safeguarding obligations remain fully in force.

If you sell to the Department of War or sit anywhere in a defense supply chain, this is the biggest CMMC development since enforcement began in November 2025. Below are direct answers to the questions contractors are asking right now, with links to official sources so you can verify everything yourself. For a contract-by-contract breakdown, see our companion CMMC suspension scenario guide for DFARS 7012/7019/7021, CUI, ITAR and EAR organizations.

What happened

What exactly did the Department of War announce on July 13, 2026?

The DoW suspended the transition to CMMC Phase II requirements, plus pending and future CMMC implementation milestones across its solicitations and contracts, and launched a 60-day top-to-bottom review of the program. A new cross-functional CMMC Reform Task Force will synthesize industry feedback from a public Request for Information (RFI) and deliver recommendations to the DoW CIO within 60 days. All Phase 1 self-assessment requirements stay in place, and during the interim the Department will enforce NIST SP 800-171 Rev 2 through self-assessments and select government-led assessments. Sources: DoW press release; DoW CIO — Brilliant Basics.

Is CMMC cancelled?

No. CMMC is suspended at Phase II, not cancelled — Phase 1 self-assessment requirements remain in force. That said, at the announcement briefing DoW officials notably declined to rule out deeper restructuring, or even cancellation, after the review (DefenseScoop). The prudent read: treat this as a pause of the certification mechanism, not a repeal of the underlying security standard. NIST SP 800-171 remains the contractual baseline either way.

Why did the DoW suspend Phase II?

Cost and capacity math. Per DoW CIO Kirsten A. Davies, SBA data suggested future CMMC phases could cost small and mid-sized businesses more than $7 billion annually, with individual compliance bills approaching $600,000 — while more than 100,000 DIB companies would need third-party assessments from only roughly 100 approved assessment organizations. In her words: “the math just simply doesn’t math.” A March 2026 GAO report (GAO-26-107955) had already warned the requirements could push small businesses out of the defense industrial base. The SBA publicly endorsed the suspension.

Deadlines and assessments

Does the November 10, 2026 deadline still apply?

No. The November 10, 2026 Phase II milestone — C3PAO Level 2 certification as a condition of award — is suspended while the 60-day review runs. It may return in its current form, return with new dates, or be replaced by a different verification model; that is exactly what the Reform Task Force is deciding. The report is due to the DoW CIO around mid-September 2026. Watch dowcio.war.gov and DoW press releases rather than relying on secondhand summaries — including this one.

Should we pause our CMMC assessment?

You can defer the C3PAO certification transaction; you should not pause the security program behind it. Separate the two things people mean by “assessment”: (1) the formal third-party certification assessment — that requirement is suspended, so scheduling one is now optional; (2) your NIST SP 800-171 self-assessment and implementation work — still contractually required under DFARS 7012/7019/7020, and now the primary enforcement mechanism. If you were weeks away from a C3PAO assessment and are ready, going ahead still has upside (see next question). If you were early in remediation, redirect budget from assessment fees to actually closing gaps — that spend is valuable under every possible outcome of the review.

We have a C3PAO assessment booked — should we cancel it?

Do not cancel reflexively. Check three things first: your contract with the C3PAO, your primes’ expectations, and your readiness. Reasons to proceed anyway: a CMMC Level 2 certificate remains a valid, marketable credential; primes may still require it contractually; and if Phase II resumes, the roughly 100-assessor bottleneck means the queue will be brutal — being already certified beats re-joining the line. Reasonable alternatives: convert the engagement into a mock assessment or gap review, or defer with a written reschedule option. Ask your key primes in writing what they expect before you decide.

We already passed our C3PAO assessment. Was that money wasted?

No. DoW CIO Davies addressed this directly: contractors who invested in uplifting their cyber posture “have contributed to national security… that is not money that is spent in vain.” Practically: your certification differentiates you in prime supplier selection today, your certificate stays relevant if the requirement returns, and the security controls reduce real breach risk regardless of policy. Certified contractors are now a scarce, verified population — lean into that in your positioning.

Do we still need an SPRS score?

Yes. A current (within three years) NIST SP 800-171 Basic self-assessment score posted in SPRS is still required under DFARS 252.204-7019 to be considered for award, and Phase 1 affirmation requirements continue. Nothing in the announcement touches self-assessment obligations — the interim enforcement model leans on them harder. If your score is stale or optimistic, fix that now: an accurate score is your best protection (see the False Claims Act question below). You can rebuild your score control-by-control with our free SPRS score calculator.

Your contract clauses: DFARS 7012, 7019, 7021

Does DFARS 252.204-7012 still apply?

Yes, fully. The DoW release states explicitly that all defense contractors and subcontractors “remain contractually obligated to safeguard covered defense information in accordance with DFARS clause 252.204-7012.” That means: implement NIST SP 800-171 as adequate security, report cyber incidents to DIBNet within 72 hours, meet FedRAMP Moderate (or equivalent) requirements for clouds that touch covered defense information, and flow the clause down to subcontractors. Clause text: 252.204-7012 at acquisition.gov.

What happens to DFARS 7019, 7020 and 7021?

7019 and 7020 (self-assessment, SPRS posting, government assessment access) are unaffected and continue. 7021 — the CMMC clause — is what the suspension bites: expect it not to drive new certification milestones while the review runs. The Department says it is suspending “pending and future CMMC implementation milestones across the Department of War solicitations and contracts.” For a contract you already hold that contains 252.204-7021: do not assume relief — the clause in your signed contract stays binding until modified. Ask your Contracting Officer, in writing, how the suspension applies, and keep the response in your compliance file.

Can prime contractors still require CMMC certification?

Yes. Primes can contractually require certification, a specific SPRS score, or NIST 800-171 evidence from subcontractors regardless of federal milestones. Many primes spent two years building certified-supplier pipelines and may hold that line to de-risk their own supply chains. The federal suspension does not rewrite your commercial agreements. If a prime’s flow-down requires certification, your options are to comply, renegotiate, or lose the work — so ask each key prime for their post-suspension position in writing this month.

The next 60 days — and after

What is the CMMC Reform Task Force?

A cross-department team — CIO, Acquisition and Sustainment, Research and Engineering, security, legal, legislative and public affairs — that will review the entire program and report to the DoW CIO within 60 days. It will be the central hub for industry feedback gathered through a public RFI on compliance challenges. Its mandate, per the release: recommend “realistic, scalable security measures” that prioritize speed to capability and lower barriers for small and non-traditional businesses.

What should we expect after the 60-day review?

A report with recommendations around mid-September 2026 — then, likely, rulemaking. Plausible outcomes span a wide range: Phase II resumes with new dates; certification thresholds get narrowed (for example, third-party assessment only for higher-risk data or larger awards); verification shifts toward government-led or automated models; or the program is restructured more fundamentally. Two anchors for planning: (1) formal changes to 32 CFR Part 170 and DFARS require rulemaking, which takes months, not weeks; (2) every scenario on the table keeps NIST SP 800-171 Rev 2 as the substantive standard. Build to the standard, stay flexible on the mechanism.

Does the suspension change anything for ITAR or EAR data?

No. ITAR (22 CFR 120-130) and EAR (15 CFR 730-774) are export control law, administered by the State and Commerce Departments — they were never part of CMMC and are untouched by this announcement. If your environment decisions (US-persons-only access, GCC High or equivalent sovereign hosting, NOFORN handling) were driven by ITAR/EAR or by CUI-Specified dissemination controls, none of that changes. Only the DoW certification-verification layer is paused. Details per data type in our scenario guide.

Does this affect CMMC Phase 3 (November 2027)?

Effectively yes — the suspension covers “pending and future CMMC implementation milestones,” which includes the Phase 3 Level 3 (DIBCAC) timeline. Whether Phase 3 returns on schedule, slips, or is redesigned depends entirely on the task force outcome.

Is False Claims Act risk gone now?

No — if anything, self-assessment accuracy matters more, because self-assessment is now the primary enforcement mechanism. The DOJ Civil Cyber-Fraud Initiative continues to pursue contractors over misrepresented cybersecurity compliance, and a defense contractor settled FCA cybersecurity allegations as recently as June 2026. An inflated SPRS score or false annual affirmation is a legal liability with or without CMMC Phase II. Score yourself honestly, document your evidence, and keep POA&Ms real.

What should we do in the next 60 days?

Keep building, verify your paperwork, and get every assumption in writing. Our recommended sequence:

  1. Do not dismantle anything. Every credible outcome keeps NIST SP 800-171 as the baseline.
  2. Verify your SPRS score is current and defensible — recheck it control-by-control with the free SPRS calculator and fix the affirmation trail.
  3. Write to your Contracting Officer about any awarded contract containing 252.204-7021.
  4. Write to your primes and ask whether they still expect certification from subcontractors.
  5. Keep closing POA&M items — remediation spend is valuable under every scenario.
  6. Reassess (don’t reflexively cancel) any booked C3PAO engagement — consider converting it to a mock assessment.
  7. Respond to the DoW RFI when it publishes — this is the DIB’s chance to shape what replaces Phase II; bring real cost data.
  8. Re-run your budget scenarios with our CMMC cost & roadmap planner and the CMMC Cost Index 2026.
  9. Monitor official channelsdowcio.war.gov and war.gov releases — for the RFI and the task force report.

Official references

Free CMMC tools while you wait out the review

Disclaimer. ITSecOps is an independent cybersecurity and compliance consultancy. We are not affiliated with, endorsed by, or authorized to speak for the U.S. Department of War, the DoW CIO, the Cyber AB, or any government agency, and this article is not legal advice. It reflects our professional interpretation of publicly available information as of July 14, 2026 — a fast-moving situation that may have changed by the time you read this. For authoritative guidance, always rely on official government channels (war.gov, dowcio.war.gov, acquisition.gov) and direct all contract-specific questions to your Contracting Officer.

Your next move

The suspension ends. Your obligations don’t.

In 15 minutes we’ll tell you exactly where you stand — your likely SPRS score, your top exposures, and what to fix while the review window is open. Fixed fee. No sales theater. When the requirement returns, you’ll be the supplier your primes don’t have to worry about.

Show me where we stand →Join the live CMMC briefing

15-minute scoping call · Fixed fee · No obligation — you leave knowing your real position.