Department of War press release announcing the suspension of CMMC Phase II requirements

For nearly two years, defense contractors were told a hard deadline was coming: get third-party certified, or lose your shot at Pentagon work. On July 13, 2026, the government pulled that deadline, with no advance warning, and told everyone to stand by for a rewrite.

The requirement is called CMMC, short for Cybersecurity Maturity Model Certification, the Defense Department's program for verifying that contractors handling sensitive government information actually protect it. The version that just got suspended, known as Phase 2, would have required many contractors to pass an outside security audit before they could win or keep certain contracts. That audit requirement was scheduled to start November 10, 2026. It no longer is.

One thing to make clear: this was not a new law. Congress did not vote on anything. It was a policy memo, signed July 10, 2026 by the Department of War's Chief Information Officer, Kirsten Davies, suspending the requirement administratively. That distinction matters. A memo can be reversed, narrowed, or replaced by another memo. A law can't. So whatever comes next can move fast, in either direction.

What is CMMC, in plain terms?

CMMC exists because defense contractors and their subcontractors routinely handle sensitive government information on their own computer systems, and the government wanted proof, not just a promise, that those systems are actually secured. The program has three tiers, and which one applies to you depends on what kind of information you handle:

LevelWho it's forWhat it covers
Level 1 Contractors handling basic Federal Contract Information, the routine, non-public details of a government contract Basic cyber hygiene: things like using passwords and controlling who can access systems
Level 2 Contractors handling Controlled Unclassified Information, sensitive government data that isn't classified but still needs protection 110 specific security requirements drawn from a federal cybersecurity standard called NIST SP 800-171
Level 3 Contractors on higher-risk or especially sensitive work Advanced protections on top of everything in Level 2

Most of the attention, and most of the cost, falls on Level 2, because that's where most contractors handling sensitive information land. Under the original three-phase rollout, Level 1 and Level 2 companies first had to check their own work through a self-assessment. Phase 2 was the next step up: for many Level 2 contracts, a company would no longer be able to grade its own homework. It would need an outside auditor, called a C3PAO (short for CMMC Third-Party Assessment Organization), to inspect its systems, paperwork, and evidence and certify that it actually met the requirements before the government would award the contract.

That third-party audit requirement is the piece that just got suspended.

What actually happened on July 13

The Department of War, the Pentagon's current name for what was long called the Department of Defense, suspended the move to Phase 2 effective immediately. That suspension also covers everything that was supposed to follow: the Phase 3 and Phase 4 milestones planned for 2027 and beyond, which would have extended third-party auditing further across the program.

Alongside the suspension, the CIO stood up a group called the CMMC Reform Task Force to review the entire program from top to bottom. That task force has 60 days to deliver its findings. The Department also opened a public comment period, called a Request for Information, asking companies to weigh in on what the requirements should cost, how burdensome they've been, and which of the 110 security requirements actually reduce risk. Those comments are due August 14, 2026.

Department leadership was direct about why. Officials said the compliance costs and paperwork burden of third-party certification were pushing smaller companies out of the defense supply chain, at a time the Department says it can't afford to lose them. Reporting on the announcement also surfaced a simple math problem behind the decision: roughly 100,000 companies in the defense industrial base would have needed a third-party audit, and there were only around 100 accredited organizations able to perform one. There was never enough capacity to get everyone certified on time.

What's suspended, and what isn't

StatusRequirement
SuspendedPhase 2 (Level 2 C3PAO third-party certification as a condition of award), plus the planned Phase 3 and Phase 4 milestones
Still in effectPhase 1 self-assessment requirements for applicable Level 1 and Level 2 contracts, in place since November 2025
Still in effectThe underlying DFARS 252.204-7012 obligation to safeguard covered defense information, regardless of CMMC status
Still in effectAnnual compliance affirmation and NIST SP 800-171 Rev 2 cyber hygiene expectations, enforced through self-assessment and select government-led assessments

One more term worth defining: DFARS stands for Defense Federal Acquisition Regulation Supplement, the set of rules that govern defense contracts. Clause 252.204-7012 within it is what actually obligates contractors to protect sensitive government information. CMMC is how the government checks whether that obligation is being met. Suspending CMMC's third-party check doesn't touch the underlying rule.

The misconception this creates: "CMMC is dead"

It isn't. What got suspended is one specific verification mechanism: the requirement that an outside C3PAO assessor sign off on Level 2 compliance before contract award. What did not go away is the underlying obligation to protect Controlled Unclassified Information, which lives in that DFARS clause and applies whether or not a third party ever audits you.

The Department was explicit that this is not a cybersecurity rollback. Leadership framed it as removing the assessment bottleneck and the compliance cost, not the security requirement itself. Self-assessment against NIST SP 800-171 Rev 2 remains, and the Department said it will still run select government-led assessments during the review period.

So the honest read is: the audit requirement paused, not the security requirement.

What this means if you were on a CMMC timeline

If you were preparing for a C3PAO assessment ahead of the November 10, 2026 deadline, here is what to do with that work, not throw it away:

  • Do not stop your readiness program. Everything you built toward Level 2, your scope, your System Security Plan (a document explaining exactly how your security controls work in practice), and your evidence, still supports your Phase 1 self-assessment and your safeguarding obligations.
  • Watch your active solicitations and contracts for amendments. Some program offices had already written Phase 2 requirements into current solicitations, and those need to be formally modified.
  • Decide whether to weigh in on the Request for Information before August 14, 2026. Contractors who already invested in readiness have a direct stake in what replaces the current framework.
  • Do not treat this as a reason to get sloppy on your self-assessment score in the Supplier Performance Risk System (SPRS), the database where contractors report their compliance status. That obligation is unaffected, and enforcement of false claims under existing contracts is, if anything, getting more attention, not less.
  • Expect the task force's 60-day report to reshape, not eliminate, third-party assessment. Leadership has not ruled out ending CMMC entirely, but has also not signaled that outside verification disappears for good.

What Amomitto does now for a CMMC-track client

The suspension changes the deadline pressure. It doesn't change the underlying work, because self-assessment, SPRS scoring, and DFARS 7012 safeguarding obligations are all still live. A first-week engagement still starts in the same place:

Day 1: Contract and data reality check

We review contract language, current SPRS status, and what CUI or FCI the company actually handles, updated for the fact that a C3PAO requirement is no longer the forcing function it was assumed to be.

Day 2: Scope and asset mapping

Scope still drives everything. Where CUI lives and moves doesn't change because an audit requirement paused.

Day 3: Gap assessment against Level 2

We still assess against the full 110 NIST SP 800-171 requirements, because that's what self-assessment and any future government-led assessment will be measured against.

Day 4: Remediation roadmap

Priorities shift slightly. With C3PAO certification no longer an imminent gate, remediation gets sequenced around self-assessment accuracy and real risk reduction rather than assessor-readiness deadlines.

Day 5: Evidence plan and operating cadence

Evidence still needs to exist and hold up, because select government-led assessments remain on the table during the review period, and because an honest SPRS score requires it.

So what should you do now?

  • Confirm what your active contracts and solicitations actually require after this suspension, not what they required in June.
  • Ask primes whether they're amending flow-down requirements in light of the suspension.
  • Keep your Phase 1 self-assessment current and your SPRS submission accurate.
  • Maintain your DFARS 252.204-7012 safeguarding obligations regardless of CMMC's status.
  • Decide whether to submit RFI feedback before August 14, 2026.
  • Keep your scoping, SSP, and evidence work moving. None of it becomes wasted effort.

The short version: CMMC Phase 2 didn't get easier. It got paused, under review, and administratively reversible. That's a different problem than the one everyone was planning for in June.

FAQ: CMMC Phase 2 suspension

Did Congress pass a law suspending CMMC Phase 2?

No. The suspension came from a Department of War CIO memo dated July 10, 2026, announced publicly on July 13, 2026. It is an administrative action, not legislation, which means it can be changed again the same way it was made.

Is CMMC Level 2 self-assessment still required?

Yes. Phase 1 self-assessment requirements, in effect since November 2025, remain in place and unaffected by this suspension.

Do I still need to protect CUI if C3PAO certification is suspended?

Yes. The DFARS 252.204-7012 obligation to safeguard covered defense information applies regardless of where CMMC's certification requirement stands.

What happens after the 60-day review?

The CMMC Reform Task Force is due to deliver findings and recommendations within 60 days of the announcement, informed by a public Request for Information with comments due August 14, 2026. Department leadership has not ruled out ending third-party certification altogether, but has also not confirmed it will disappear.

Should I stop my CMMC readiness work?

No. Scoping, your System Security Plan, and your evidence library all still support your Phase 1 self-assessment and your DFARS 7012 obligations, and would carry over directly if a revised third-party framework replaces the suspended one.

Can Amomitto help with what changed?

Yes. Amomitto helps organizations reassess scope, self-assessment accuracy, and evidence readiness in light of the suspension, and can help evaluate whether submitting RFI feedback makes sense before the August 14 deadline.

Don't let "suspended" turn into "forgotten"

The Phase 2 audit requirement is paused. Your underlying safeguarding obligations are not. The companies that get caught off guard next will be the ones that read "suspended" as "cancelled" and stopped paying attention.

In a CMMC readiness consultation, we help you sort out what actually changed for your contracts, what your self-assessment and SPRS status require right now, and whether it's worth weighing in before the Department finalizes what comes next.

CMMC didn't get easier. It got quieter. Don't mistake the pause for the all-clear.

If you're sitting on a Level 2 program that was built for a November deadline, that work isn't wasted — but it does need a second look now that the finish line moved. Book a CMMC readiness consultation with Amomitto and we'll walk through what your contracts actually require today, whether your self-assessment and SPRS score would hold up to scrutiny, and whether it's worth putting your name on the RFI before the window closes.

Schedule your CMMC readiness consultation →