Site icon RSI Security

CMMC Phase 2 Paused: What It Means for Defense Contractors and What to Do Now

On July 13, 2026, the Department of Defense, operating under the secondary designation “Department of War”, announced the immediate suspension of CMMC Phase 2 requirements, which had been scheduled to take effect on November 10, 2026. The announcement also suspends all pending and future CMMC implementation milestones, including Phases 3 and 4.

A 60-day CMMC Reform Task Force has been established to conduct a top-to-bottom review of the entire program, with a final report due to DoD Chief Information Officer Kirsten Davies within 60 days, placing that deadline around mid-September 2026.

Here is what the suspension actually covers, what it explicitly does not cover, and what defense contractors should be doing right now.

What the Suspension Actually Covers

The DoD has suspended the transition to Phase 2 requirements, which would have introduced mandatory third-party C3PAO certification requirements into applicable DoD solicitations and contracts starting November 10, 2026. Phases 3 and 4 are also suspended as “pending and future implementation milestones.”

A July 14 clarifying memo added a critical operational detail: any active solicitations and contracts that already include CMMC Level 2 C3PAO or CMMC Level 3 DIBCAC assessment requirements must be amended to remove those requirements. Contracting officers have been directed to amend solicitations “as soon as practicable” and to amend existing contracts “prior to the exercise of the next option period or during the next scheduled administrative modification.”

During the review period, the DoD will enforce cybersecurity compliance through self-assessments and select government-led assessments, focusing on what it describes as “tangible cyber hygiene rather than administrative overhead.”

One boundary is worth stating up front. What is suspended is the Department’s mandatory incorporation of Level 2 (C3PAO) and Level 3 (DIBCAC) requirements into solicitations and contracts. It is not a prohibition on third-party assessment as such. Program offices retain the ability to impose additional cybersecurity protections consistent with law and regulation, and the Department did not explicitly address the case-by-case discretion Phase 1 already granted to require C3PAO assessments. “No one can ask me for a C3PAO assessment anymore” is not what this memo says.

What the Suspension Does Not Cover

This is the part every defense contractor needs to read carefully, because the most dangerous misreading of this announcement is treating it as a general reprieve from cybersecurity obligations.
The suspension does not eliminate the legal requirement to protect federal data. The suspension does not suspend NIST SP 800-171 Revision 2. The suspension does not eliminate DFARS 252.204-7012. The suspension does not eliminate System Security Plan requirements or Plans of Action and Milestones. The suspension does not suspend the obligation to accurately represent cybersecurity posture through SPRS self-assessments.

The suspension does not bind your prime, or, entirely, the program office.

The memo directs the government’s own contracting workforce. It does not reach up or down the supply chain on its own.

Primes can still require CMMC certification of their subcontractors. A prime’s flow-down obligations are a matter of the prime’s contract with its subs, its own risk posture, and its judgment about what the Department will require when the review concludes. Nothing in this suspension voids an existing subcontract term requiring CMMC Level 2 certification, and nothing prevents a prime from continuing to require it in new subcontracts. Primes that have built supplier qualification programs around CMMC have every incentive to keep them intact – dismantling and rebuilding a supply chain qualification framework costs more than maintaining one through a 60-day review. If you are a subcontractor, your operative question is not what the Department requires. It is what your prime requires. Ask them, and get the answer in writing.

Program offices retain discretion. Requiring activities may still impose additional cybersecurity protections as commensurate with law and regulation, and sensitive programs can be expected to continue setting stricter terms. Treat “the government can no longer require this” as a claim to verify with your contracting officer – not a position to assert to them.

And critically: the Department of Justice’s Civil Cyber-Fraud Initiative continues to pursue organizations that knowingly misrepresent their cybersecurity posture. In June 2026, Alabama defense contractor LOGZONE Inc. agreed to pay $507,144 to resolve False Claims Act allegations that it knowingly failed to comply with cybersecurity requirements in two Navy contracts, a case that turned on a self-assessment: LOGZONE had self-reported a perfect score of 110, while an independent DIBCAC audit found its actual score was negative 170. An inflated SPRS score or inaccurate annual affirmation carries exactly the same legal exposure it carried before the Phase II suspension. Phase 1 self-assessments remain in force. The underlying security obligations remain contractually binding.

Source: U.S. Department of Justice, “Alabama Defense Contractor Agrees to Pay $507,144 to Resolve False Claims Act Liability Relating to Cybersecurity Violations,” June 18, 2026 (justice.gov).

The DoD’s own statement put this directly: “The suspension of CMMC Phase 2 requirements does not eliminate the requirement for companies to protect federal data.”

Why the DoD Made This Decision

The official rationale centers on three specific, named problems that the program’s own data surfaced.

Prohibitive compliance costs drove the primary concern. SBA data suggested future CMMC phases could cost small and mid-sized businesses more than $7 billion annually, with individual compliance bills approaching $600,000.

Severe assessor capacity shortages made the November timeline structurally unworkable. DoD CIO Kirsten Davies put the math plainly at the announcement briefing: “We’re seeing that there’s over 100,000 DIB businesses still that needed a third-party assessment conducted and somewhere in the neighborhood of 100, maybe a little over 100 assessors that are available for that. So the math just simply doesn’t math for small to medium-sized businesses to even get compliant by the former transition date.”

The precise figure is roughly 100 authorized C3PAOs — the assessment organizations — against a Defense Industrial Base of more than 100,000 companies. (There are far more individual Certified CMMC Assessors working within those firms, but the organizational bottleneck is what set the ceiling on assessment throughput.) However the capacity is counted, the conclusion holds: the infrastructure could not process the volume by November 10, 2026.

And the market effects were already measurable. Small Business Administration reports showed CMMC compliance was forcing innovative companies out of the defense industrial base, which would delay delivery of critical capabilities to warfighters.

The suspension also reflects a broader strategic tension. Davies’ memo suggests that the CMMC program, as currently planned, conflicts with Defense Secretary Hegseth’s Acquisition Transformation System initiative’s focus on reducing compliance barriers for small and medium-sized businesses and making it easier for commercial and nontraditional companies to work with the DoD.

What Comes Next: The 60-Day Reform Task Force

The DoD has posted a public Request for Information alongside the suspension announcement. The Reform Task Force is specifically seeking industry feedback on cost drivers, administrative burdens, which NIST SP 800-171 Revision 2 security controls deliver meaningful risk reduction, how companies are already using commercial cybersecurity tools and managed services, and how the department might recognize those existing investments in a revised compliance framework. Responses to the RFI are due August 14, 2026.

The outcome of this review is genuinely uncertain. DoD officials notably did not rule out the department completely cancelling the CMMC program altogether at the end of this pause and review period. The most likely outcomes range from a restructured CMMC that maintains the underlying NIST SP 800-171 Revision 2 baseline while replacing or modifying the third-party verification mechanism, to a significantly delayed reimplementation with a more scalable assessment model, to a more fundamental program redesign. A complete cancellation is possible but would be the most disruptive outcome given that CMMC completed the federal rulemaking process and is now part of the DoD’s regulatory framework.

CMMC itself is no longer merely a proposed framework, it completed the federal rulemaking process and became part of the Department’s regulatory framework. Today’s announcement changes implementation. It does not erase the underlying cybersecurity expectations that defense contractors have spent years preparing to satisfy.

Industry Reaction: Divided, but Converging on One Point

The announcement has drawn both relief and criticism across the defense industrial base.
For smaller contractors who were facing genuine cost barriers and couldn’t access the limited pool of C3PAOs, the suspension is a real reprieve, more time to prepare, and the possibility of a more scalable future assessment model.

For contractors who had already invested heavily in CMMC readiness, completed gap assessments, built SSPs, booked C3PAO slots, spent real money on remediation, the announcement is complicated. That investment was not wasted. The underlying cybersecurity requirements have not changed, and organizations that have used this period to strengthen their cybersecurity programs will be significantly better positioned regardless of how the department ultimately reforms CMMC.

The converging message from practitioners across both sides of the debate: do not interpret this as a reason to stop preparing.

What Defense Contractors Should Do Right Now

The immediate priorities have shifted, but they haven’t disappeared.

Do not stop your readiness work. NIST SP 800-171 Revision 2 remains your contractual baseline. DFARS 252.204-7012 remains in effect. Your SPRS score needs to reflect your actual security posture. The security problem CMMC was designed to solve has not been suspended, only the third-party verification mechanism for it has been paused.

Audit your contract stack in both directions. Active solicitations and contracts containing Level 2 (C3PAO) or Level 3 (DIBCAC) requirements are being amended. Contact your contracting officer to understand the timeline for your specific contract, and do not assume the change has reached you until you have seen the modification. Then look the other way. If you are a subcontractor, review your subcontract terms and ask your prime, in writing, whether their CMMC flow-down requirements are changing. If you are a prime, decide now what you are telling your suppliers, because they are about to ask.

Submit feedback to the RFI before August 14. This is a genuine opportunity to shape what the reformed program looks like. If you have specific, documented views on which controls deliver real security value versus administrative overhead, what assessment models would be more workable for your organization, or what cost drivers need to be addressed, the Reform Task Force wants that input. The RFI is available on SAM.gov.

Hold your C3PAO slot if you have one. Do not assume a cancelled Phase 2 means you can release your assessment booking. The program is under review, not cancelled. If your C3PAO slot falls before mid-September, before the reform recommendations are delivered, having an assessment complete puts you in the strongest possible position regardless of which direction the program evolves.

Maintain your SPRS score accurately. Self-assessment is now the primary enforcement mechanism during the review period. The False Claims Act exposure for inaccurate affirmations is unchanged. Score yourself honestly, document your evidence, and keep your POA&Ms current and realistic.

Watch for the 60-day report. The Reform Task Force delivers its recommendations around mid-September 2026. That report will be the most important CMMC document published since the Final Rule, it will define what the reformed program actually looks like, what the new timelines are, and what assessment models replace the suspended Phase 2 structure.

RSI Security’s Position

RSI Security is an authorized C3PAO. We help defense contractors build assessment-ready security programs — with readiness and independent assessment kept properly separate, as CMMC independence rules require. And we’re watching this situation closely.

Our view, consistent with what the most credible voices across the industry are saying: this is a pause of the certification mechanism, not a reprieve from the security obligation. The contractors who respond to this news by stopping their readiness work will be the ones scrambling again when the reformed program is announced, and the reformed timeline may be shorter and more compressed than the original Phase 2 rollout was.

The contractors who use this window to close real security gaps, maintain accurate SPRS scores, and build the documentation and control maturity that any assessment model will eventually require, those organizations will be better positioned at the end of the 60-day review regardless of what the task force recommends.

Partnership Beyond the Assessment means we’re in this with our clients for the duration, not just for the deadline that was just suspended. If you have questions about what this means for your specific readiness situation, your active contracts, or your existing C3PAO engagement, schedule a consultation with our CMMC team today.

Frequently Asked Questions

Is CMMC Phase 2 cancelled or just paused?

Paused, not cancelled. The Department of Defense has suspended Phase 2 implementation and launched a 60-day reform review, but CMMC completed the federal rulemaking process and is part of DoD’s regulatory framework. The November 10, 2026 third-party certification deadline is suspended; the underlying security requirements are not. The reform task force will deliver recommendations around mid-September 2026, after which the program’s direction will become clearer.

Do I still need to comply with NIST SP 800-171 Revision 2?

Yes, fully. NIST SP 800-171 Revision 2, DFARS 252.204-7012, System Security Plan requirements, SPRS self-assessments, and POA&M obligations are all unchanged by the Phase 2 suspension. Phase 1 self-assessment requirements remain in force. The suspension covers only the transition to Phase 2’s mandatory third-party C3PAO certification, not the underlying cybersecurity obligations.

My prime requires CMMC Level 2 certification in our subcontract. Does the suspension remove that?

No. The suspension directs DoD program offices and contracting officers. It does not modify subcontract terms between a prime and its suppliers. Whether your prime relaxes its flow-down requirement is your prime’s decision, and many will not, supplier qualification programs built around CMMC are expensive to dismantle and rebuild for a 60-day review. Ask your prime directly and get the answer in writing.

Can a program office still require a third-party assessment?

The Department has suspended the mandatory incorporation of Level 2 (C3PAO) and Level 3 (DIBCAC) requirements into solicitations and contracts. It did not prohibit requiring activities from imposing additional cybersecurity protections consistent with law and regulation, and it did not explicitly address the case-by-case C3PAO discretion that existed under Phase 1. Verify with your contracting officer rather than assuming.

Should I cancel my C3PAO assessment booking?

Not necessarily. If your assessment is scheduled before mid-September 2026, before the reform recommendations are delivered, completing it puts you in the strongest possible position regardless of how the program evolves. If your booking was scheduled for late 2026 specifically to meet the November deadline, it’s worth a conversation with your C3PAO about options given the suspension, but don’t assume cancellation is the right call.

What is the CMMC Reform Task Force and when does it report?

The CMMC Reform Task Force is a DoD body established by CIO Kirsten Davies to conduct a comprehensive review of the CMMC program, synthesize industry feedback from a public RFI (responses due August 14), and deliver final recommendations within 60 days of the July 13 suspension announcement, placing the report deadline around mid-September 2026.

What does the suspension mean for contracts that already include CMMC Level 2 or Level 3 requirements?

Active solicitations and contracts that already include Level 2 C3PAO or Level 3 DIBCAC assessment requirements are being amended to remove those requirements. Contracting officers have been directed to amend solicitations as soon as practicable and to amend existing contracts prior to the next option period or next scheduled administrative modification. Contact your contracting officer to understand the status of your specific contract.

Exit mobile version