CMMC Phase 2 Suspended: What This Means for Your Compliance Program

Posted By: Jerrod Weaver News, Industry, NFFS, Technical,

On July 13, 2026, the Department of War announced the immediate suspension of Phase 2 of the Cybersecurity Maturity Model Certification program. Phase 2 had been scheduled to begin November 10, 2026, and would have expanded the use of third-party CMMC assessments in Department solicitations and contracts.

The Department has also placed later CMMC implementation milestones on hold while a newly established CMMC Reform Task Force conducts a 60-day review of the program. The review will consider how CMMC can better support the Department’s Acquisition Transformation System priorities, including reducing barriers for small and midsized businesses, increasing competition and moving capabilities into production more quickly.

For manufacturers that have spent considerable time and money preparing for CMMC certification, this is a significant development. However, it is important to understand what has—and has not—changed.

CMMC has not been eliminated, and defense contractors have not been relieved of their cybersecurity responsibilities.

What Has Been Suspended

During the suspension, Department program managers may not require a CMMC Level 2 certification assessment conducted by a Certified Third-Party Assessment Organization, commonly referred to as a C3PAO. They also may not require a CMMC Level 3 assessment conducted by the Defense Industrial Base Cybersecurity Assessment Center.

For new procurement requirements, the Department may currently require only:

  • CMMC Level 1 self-assessments; or
  • CMMC Level 2 self-assessments.

Active solicitations containing Level 2 C3PAO or Level 3 assessment requirements are expected to be amended. For existing contracts containing those requirements, contracting officers have been directed to remove them through a contract modification before the next option period or during the next scheduled administrative modification.

Companies should not assume that a requirement has been removed until they receive and review the applicable solicitation amendment or contract modification.

What Has Not Changed

The suspension does not eliminate the obligation to protect Federal Contract Information or Controlled Unclassified Information.

Companies handling Federal Contract Information must continue to comply with the basic safeguarding requirements contained in FAR 52.204-21.

Companies handling Controlled Unclassified Information must continue to comply with applicable contract requirements, including DFARS 252.204-7012 and the security controls contained in NIST Special Publication 800-171 Revision 2. The Department has stated that it will continue enforcing these requirements through contractor self-assessments and selected government-led assessments.

Current Phase 1 self-assessment requirements also remain in effect. Depending on the information handled and the terms of the contract, these requirements may include:

  • Completing the appropriate CMMC Level 1 or Level 2 self-assessment;
  • Maintaining an accurate System Security Plan;
  • Documenting any remaining deficiencies in a Plan of Action and Milestones;
  • Maintaining a current and supportable assessment score in the Supplier Performance Risk System; and
  • Reporting cyber incidents and preserving relevant information when required by contract.

Prime contractors may also continue imposing cybersecurity requirements through their subcontracts and supplier agreements. A government announcement does not automatically rewrite a private subcontract. Suppliers should review the language in their agreements and discuss any uncertainty with the prime contractor or qualified contract counsel.

Do Not Treat the Suspension as Permission to Stop

The most important advice for companies already working toward CMMC is straightforward: Do not dismantle your compliance program.

The technical safeguards, policies, procedures and documentation developed for CMMC also support obligations that remain in effect today. Access controls, multifactor authentication, security awareness training, incident response procedures, system monitoring and protection of Controlled Unclassified Information are not simply certification exercises. They are fundamental cybersecurity practices that help protect the company, its customers and the defense supply chain.

The Department’s concern appears to be with the cost and administrative structure of the current certification process—not with the underlying need to secure defense information. The CMMC Reform Task Force has specifically been directed to recommend more realistic and scalable security measures. The program may therefore return in a revised form after the review. 

Companies that abandon their programs now may find themselves rebuilding the same capabilities later, potentially under a shorter implementation schedule.

What Companies Pursuing CMMC Should Do Now

Companies actively preparing for certification should continue improving their cybersecurity controls but may have an opportunity to reconsider the timing of certain certification expenses.

  1. Continue implementing the applicable NIST SP 800-171 controls. Correct real security weaknesses, maintain your System Security Plan and retain evidence showing that controls are operating as described.
  2. Review your SPRS score. Make sure the score is current, accurate and supported by documentation. A self-assessment is not simply an estimate of where the company hopes to be. It is a formal representation of the controls implemented within the assessed environment.
  3. Review your contracts, subcontracts and pending solicitations. Identify whether a CMMC certification requirement comes directly from the government or through a prime contractor. Do not rely solely on the general suspension announcement when making a contract-specific decision.
  4. Speak with your C3PAO or cybersecurity consultant before canceling an assessment already scheduled or underway. Companies should consider assessment deposits, contractual commitments, customer expectations and the amount of work already completed. An independent readiness review may still provide value, even when an official certification is no longer immediately required.
  5. Finally, avoid making major program changes until the Department completes its review and issues additional guidance. The current announcement describes a suspension and reform process—not a permanent withdrawal of cybersecurity requirements.

A Pause in Certification, Not Cybersecurity

The Department of War has made clear that it intends to reduce excessive compliance costs and make it easier for small, midsized and nontraditional companies to participate in the defense industrial base. That objective will be welcomed by many manufacturers that have struggled with the cost, complexity and uncertainty surrounding CMMC.

However, the underlying requirement to protect government information remains firmly in place.

For now, companies should continue building a practical and defensible cybersecurity program, maintain accurate self-assessment records and carefully review their contractual requirements. The certification process may change, but the need to protect defense information—and the business systems that support defense production—has not.