Published July 14, 2026 · Companion to our CMMC Phase II suspension Q&A · Primary source: official DoW release
The July 13, 2026 CMMC Phase II suspension pauses third-party certification — it does not pause a single safeguarding obligation. What you should actually do next depends on which clauses sit in your contracts and which data sits in your systems. Find your scenario below.
Requirement status at a glance (after July 13, 2026)
| Requirement | Status |
|---|---|
| CMMC Level 2 C3PAO certification as a condition of award (Phase II, Nov 10, 2026) | Suspended pending 60-day review |
| Future CMMC milestones, incl. Phase 3 Level 3 DIBCAC (Nov 2027) | Suspended / paused pending review |
| Phase 1 self-assessments and affirmations (CMMC Level 1 / Level 2 self) | In force |
| DFARS 252.204-7012 — safeguard CUI, 72-hour incident reporting, cloud equivalency, flow-down | In force |
| DFARS 252.204-7019/7020 — current NIST 800-171 self-assessment score in SPRS | In force |
| NIST SP 800-171 Rev 2 implementation | In force — interim enforcement standard (self + select government-led assessments) |
| DFARS 252.204-7021 in contracts you already hold | Ask your Contracting Officer — signed clauses bind until modified |
| Prime flow-down demands (certification, SPRS thresholds) | Unchanged — commercial terms, not federal milestones |
| ITAR (22 CFR 120-130) and EAR (15 CFR 730-774) | Unaffected — separate export control law |
| False Claims Act exposure for inaccurate self-attestation | Unchanged, arguably sharper focus on self-assessments |
Scenario 1: Your contracts include DFARS 252.204-7012 (you handle CUI)
Bottom line: nothing about your day-to-day obligations changed on July 13.
What changed: only the future requirement to prove compliance via a C3PAO certificate. What didn’t: the release explicitly reaffirms that contractors and subcontractors “remain contractually obligated to safeguard covered defense information in accordance with DFARS clause 252.204-7012” — NIST SP 800-171 security requirements, 72-hour incident reporting to DIBNet, FedRAMP Moderate (or equivalent) for clouds handling covered defense information, and flow-down to subs. Do now: keep implementing; treat your System Security Plan and POA&M as living documents — under interim enforcement they are the first thing a government-led (DIBCAC) assessment will ask for.
Scenario 2: You have DFARS 252.204-7019/7020 and an SPRS score on file
Bottom line: your SPRS score just became your primary compliance credential — make sure it is current and true.
What changed: nothing in these clauses. What didn’t: you still need a Basic self-assessment score no older than three years posted in SPRS to be eligible for award, and 7020 still gives the government the right to assess you. Do now: re-derive your score control-by-control (our free SPRS calculator uses the official DoD weights, including the MFA/FIPS conditional rules) and correct SPRS if reality has drifted. Under-documented “compliant” claims are exactly what select government-led assessments and False Claims Act reviews target.
Scenario 3: A contract you already hold contains DFARS 252.204-7021
Bottom line: do not self-grant relief — a clause in a signed contract binds until the government modifies it.
What changed: the DoW is suspending pending and future CMMC implementation milestones across solicitations and contracts, so certification-driven option exercises and new insertions should stop. What didn’t: your existing contract text. Do now: send your Contracting Officer a short written request: does the suspension modify the 252.204-7021 requirement in contract number X, and will a modification issue? File the answer. If you are mid-performance with a certification milestone approaching, that letter is your protection either way.
Scenario 4: You only handle FCI (CMMC Level 1)
Bottom line: your world is unchanged — Level 1 was always a self-assessment, and Phase 1 stays in force.
Do now: keep your annual Level 1 self-assessment and affirmation current against the 15 basic safeguarding requirements of FAR 52.204-21. Beware of scope drift: if a new contract or drawing package brings CUI into your environment, you move up to the 110-control NIST SP 800-171 world regardless of what happens to CMMC — check data classification before you bid, not after.
Scenario 5: You handle CUI Basic
Bottom line: protect it exactly as before — CUI obligations come from 32 CFR Part 2002 and DFARS 7012, not from CMMC.
What changed: the verification layer only. What didn’t: NIST SP 800-171 remains the required control set for CUI in nonfederal systems; the NARA CUI Registry still governs categories and markings. Do now: use the review window to fix the expensive foundations properly — scoping, enclave design, cloud selection — instead of racing a certification date. A commercial cloud or a FedRAMP Moderate equivalent platform is typically sufficient for CUI Basic; you likely do not need GCC High unless export control or CUI-Specified rules say so. Our cost & roadmap planner models exactly this decision.
Scenario 6: You handle CUI-Specified or export-controlled CUI
Bottom line: your stricter handling rules come from the underlying law and the specifying authority — the suspension changes nothing.
What didn’t change: CUI-Specified categories carry dissemination and handling controls (NOFORN, US-persons restrictions, specific safeguarding) defined by their governing statutes and regulations, layered on top of NIST SP 800-171. Architecture decisions those rules forced — sovereign hosting, access segregation by nationality, GCC High-class environments — remain necessary. Do now: re-verify your data inventory maps each CUI category to its handling requirements; that mapping, not a CMMC certificate, is what an incident or audit will test.
Scenario 7: You are an ITAR-registered organization
Bottom line: ITAR is State Department export control law (22 CFR 120-130) — CMMC never created your obligations and its suspension never removes them.
What didn’t change: DDTC registration, licensing, US-persons access restrictions on technical data, and penalties for unauthorized exports — all fully intact. If ITAR technical data is also CUI in a DoW contract context, DFARS 7012 safeguarding continues too. Do now: nothing new — but do not let anyone in your organization interpret “CMMC is suspended” as “we can relax data controls.” An ITAR violation is a criminal exposure; CMMC was only ever the verification wrapper.
Scenario 8: Your data is EAR-controlled
Bottom line: same story as ITAR — the EAR (15 CFR 730-774, Commerce/BIS) is untouched.
Do now: keep your export classification (ECCN vs EAR99), license determinations, and deemed-export controls exactly as they are. If EAR-controlled technology is also CUI under your defense contracts, NIST SP 800-171 safeguarding under DFARS 7012 continues. Use the pause to close the common gap we see: cloud tenants where foreign-national admin access was never actually restricted to match the export posture.
Scenario 9: Your C3PAO assessment is booked in the next 90 days
Bottom line: you have three defensible options — proceed, convert, or defer. Choose based on primes, readiness and cash, not headlines.
Proceed if you are genuinely ready and your primes value the certificate: you gain a scarce credential and skip the future queue (100,000+ companies, ~100 assessment organizations — the backlog math returns the moment any certification requirement does). Convert the engagement to a mock assessment or gap review if you want validation without the certification stakes. Defer in writing, with a reschedule clause, if budget is tight. Before deciding, ask your top primes one question in writing: “Will you require CMMC certification from subcontractors during the suspension?”
Scenario 10: You haven’t started NIST SP 800-171 implementation
Bottom line: this is a reprieve on the deadline, not on the requirement — and it is the cheapest moment you will ever have to start.
Why start now: DFARS 7012/7019 already apply to you if you hold (or want) CUI-bearing contracts; self-assessment is now the primary enforcement mechanism; consultant and platform pricing will soften during the pause and spike the moment a new deadline lands. Do now: scope your CUI footprint, decide enclave vs enterprise (enclaves typically cut cost 40-60% — modeled in our CMMC Cost Index 2026), get an honest baseline score from the SPRS calculator, and sequence remediation over the next two quarters instead of a panic sprint.
Scenario 11: You are a non-US supplier handling CUI
Bottom line: your obligations flow through your prime’s contract — DFARS 7012 flow-down and NIST SP 800-171 still apply to you, suspension or not.
What changed: pressure to obtain a C3PAO certificate on the November timeline is off for now. What didn’t: flow-down safeguarding, incident reporting through your prime, and any export control constraints (ITAR/EAR do not stop at the border — they follow the data). Do now: confirm in writing what your prime expects during the suspension, and keep implementing — international suppliers who can evidence 800-171 compliance are exactly who primes keep when they de-risk supply chains. This is our specialty: see CMMC for contractors outside the US.
Scenario 12: Your prime still demands certification
Bottom line: they are allowed to — flow-down and supplier-selection criteria are commercial terms the federal suspension does not rewrite.
Do now: get their requirement and timeline in writing, then negotiate from the middle ground: offer a current SPRS score with evidence, a third-party mock-assessment report, or a committed certification date contingent on the task force outcome. Most primes’ real need is defensible assurance, not the certificate itself — give them an evidence package and many will flex.
What everyone should do next (regardless of scenario)
- Keep your NIST SP 800-171 program running — every scenario above still requires it.
- Verify your SPRS score is current, accurate and evidenced.
- Get written positions from your Contracting Officer (awarded 7021 contracts) and your primes (flow-down expectations).
- Respond to the DoW RFI when it publishes at dowcio.war.gov/brilliantbasics — bring real cost data.
- Recheck around mid-September 2026 for the Reform Task Force report, and plan for rulemaking lead time after that.
Free tools for the review window
- SPRS Score Calculator — all 110 controls, official DoD weights, instant score.
- CMMC Cost & Roadmap Planner — enclave vs enterprise, cloud tiering by data type (FCI / CUI Basic / CUI-Specified / ITAR / EAR).
- CMMC Cost Index 2026 — modeled costs for 8 contractor profiles.
- Full Q&A on the suspension — deadlines, task force, what to expect after 60 days.
Disclaimer. ITSecOps is an independent cybersecurity and compliance consultancy. We are not affiliated with, endorsed by, or authorized to speak for the U.S. Department of War, the DoW CIO, the Cyber AB, the U.S. State or Commerce Departments, or any government agency, and nothing here is legal advice. This guide reflects our professional interpretation of publicly available information as of July 14, 2026 and may be outdated by later official action. For authoritative guidance, rely only on official channels (war.gov, dowcio.war.gov, acquisition.gov, archives.gov/cui) and direct contract-specific questions to your Contracting Officer or legal counsel.
Your next move
The suspension ends. Your obligations don’t.
In 15 minutes we’ll tell you exactly where you stand — your likely SPRS score, your top exposures, and what to fix while the review window is open. Fixed fee. No sales theater. When the requirement returns, you’ll be the supplier your primes don’t have to worry about.
Show me where we stand →Join the live CMMC briefing
15-minute scoping call · Fixed fee · No obligation — you leave knowing your real position.