CMMC Phase II Suspended: What Defense Contractors Must Know 

Department of War suspends CMMC Phase II requirements for defense contractors, July 2026

Table of Contents

More than 100,000 small defense businesses needed a third-party cybersecurity assessment by November 2026. Only about 100 approved assessors existed to perform them. That gap just forced one of the biggest compliance reversals in recent defense contracting history. 

On July 13, 2026, the Department of War announced the immediate suspension of CMMC Phase II requirements. The same day, Under Secretary of War for Acquisition and Sustainment Michael P. Duffey signed implementation memo 26-P-1023, which tells program offices exactly how to apply the pause. The Cybersecurity Maturity Model Certification (CMMC) is the framework that verifies how defense contractors protect sensitive government data. Phase II would have required most contractors handling that data to pass a formal third-party audit before winning new contracts. 

If you hold a defense contract or plan to bid on one, this CMMC Phase II suspension changes your timeline but not your obligations. This guide breaks down what the memo actually orders, why the Department acted, what rules still apply, and what you should do during the 60-day review. 

What the Department of War Announced

The Department suspended the November 10, 2026, transition to CMMC Phase 2. Phase 2 would have required contractors handling Controlled Unclassified Information (CUI) to pass an assessment from a Certified Third-Party Assessor Organization (C3PAO) before receiving contract awards. 

The Duffey memo ties the decision to Executive Order 14265, signed in April 2025, and to Pillar 3 of the Acquisition Transformation Strategy: maximizing acquisition flexibility through reduced regulations and processes. Department of War Chief Information Officer Kirsten A. Davies launched a CMMC Reform Task Force the same day. That task force must report on the program’s future within 60 days, and further guidance will follow at the end of that review. 

Only Self-Assessments Are Allowed in New Solicitations

Here is the operative rule from Attachment 1 of the memo. During the suspension, program managers and requiring activities may only include CMMC Level 1 (Self) or CMMC Level 2 (Self) assessments in procurement documents. They may not designate CMMC Level 2 (C3PAO) or Level 3 (DIBCAC) assessments at all. In plain terms: no new Department of War solicitation can demand a third-party or government-led CMMC certification while the review runs. 

Relief Extends to Contracts You Already Hold

This part received far less attention than the headline, and it matters most to working contractors. The memo not only pauses future requirements, but it also orders active ones removed. 

If an open solicitation included a Level 2 (C3PAO) or Level 3 (DIBCAC) requirement, program offices must initiate amendments, and contracting officers must issue them as soon as practicable. For existing contracts that already contain these requirements, contracting officers are directed to strike them through a modification before the next option period or at the next scheduled administrative change. If you bid on or hold one of these contracts, watch for that paperwork and confirm your contracting officer acts on it. 

Waivers Are Frozen Too

One more detail from the memo: no CMMC waivers will be granted during the review. Since no solicitation can require a third-party assessment anyway, there is nothing to waive. Contractors with pending waiver requests should expect them to sit until the review concludes. 

Why the Pentagon Hit Pause

The numbers tell the story. The Small Business Administration (SBA) estimates compliance costs of roughly $593,800 per certification for small firms needing a third-party assessment, and about $388,600 for firms eligible to self-assess. Davies told reporters that future phases could cost small and medium businesses more than $7 billion each year. 

The assessor shortage made the math worse. With over 100,000 businesses needing assessments and only around 100 approved assessors, most companies had no realistic path to certification before the deadline. Davies put it bluntly: “The math just simply doesn’t math.” 

Government watchdogs saw this coming. A March 2026 Government Accountability Office report warned that CMMC costs could push small businesses out of the defense industrial base entirely. SBA Administrator Kelly Loeffler said her agency heard the same message directly from small contractors during a nationwide manufacturing tour. Losing those suppliers would slow the delivery of critical capabilities and weaken competition across the defense supply chain. 

What Still Applies During the Suspension

The suspension pauses the certification mechanism, not the security requirements behind it. The memo itself spells out what stays active. 

DFARS 252.204-7012 Remains in Effect

Attachment 1 states it directly: the cybersecurity requirements in DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, remain in effect. DFARS stands for the Defense Federal Acquisition Regulation Supplement, the procurement rulebook specific to defense contracts. Your duty to protect covered defense information and report cyber incidents did not change on July 13. 

Self-Assessment Duties Continue at Both Levels

CMMC Level 1 still applies to contractors handling Federal Contract Information (FCI). It checks compliance with the basic safeguarding rules in FAR clause 52.204-21. CMMC Level 2 (Self) still applies to contractors handling CUI and aligns with NIST SP 800-171 Revision 2, the National Institute of Standards and Technology publication that lists 110 security controls. The Department will also run select government-led assessments during the interim, so an accurate score matters. 

Legal and Commercial Pressure Has Not Gone Anywhere

When you submit a self-assessment score, you certify it as accurate. An inflated score can trigger liability under the False Claims Act, the law the government uses to pursue contractors who misrepresent compliance. Self-assessment now carries more weight, not less, because the government relies on your word instead of an auditor’s. The memo also lets program offices require additional cybersecurity protections where law and regulation allow, and prime contractors can still demand compliance from their subcontractors as a condition of teaming. 

What Defense Contractors Should Do Next

The 60-day review creates a window, not a vacation. Use it well. 

  • Step 1: Check your active solicitations and contracts. If any include a C3PAO or DIBCAC requirement, confirm the amendment or modification removing it. Ask your contracting officer about timing before you spend another dollar on certification prep. 
  • Step 2: Keep your self-assessment current. Score your systems against NIST SP 800-171 honestly and document the results. This satisfies the active requirements and protects you in a government-led assessment. 
  • Step 3: Close your known gaps. Work through your remediation items now, while no certification deadline is looming. Companies that finish this work will move fastest when new rules arrive. 
  • Step 4: Respond to the RFI by August 14, 2026. The Department posted a Request for Information on SAM.gov asking contractors about cost drivers, burdensome requirements, and which security controls actually reduce risk. This is your chance to shape the replacement framework. 
  • Step 5: Talk to your primes. Ask whether their flow-down requirements change during the suspension, and get the answer in writing. 

Mistakes to Avoid During the Review Period

The most expensive mistake is treating the suspension as permission to stop. Contractors who abandon their security programs now face a double penalty later: rushed spending when new requirements land, plus exposure if a breach or a government assessment happens in the meantime. 

The second mistake is walking away from money already spent. Davies addressed this directly, calling every dollar spent on security “a wise dollar spent.” Your investment still protects your data, your contracts, and your eligibility. A third mistake is staying silent. If compliance costs hurt your business, the RFI is the place to say so with specifics. 

How CyberX Gov Solutions Can Help

Regulatory swings like this one reward contractors who stay ready while others stall. CyberX Gov Solutions works with small businesses and subcontractors at exactly this stage. 

Through the Get Fed Ready™ program, our team helps you build a solid federal foundation: readiness assessments, SAM.gov registration support, compliance guidance, and opportunity identification. The suspension also means amended solicitations and fresh bidding room in some markets, and our proposal development team can help you turn that opening into submitted, compliant bids. We track shifts like the CMMC review so our clients respond early instead of scrambling late. 

Conclusion

The CMMC Phase II suspension gives defense contractors breathing room, not an exit. Third-party certification requirements are coming out of solicitations and contracts while the Reform Task Force studies the program. Your duty to protect federal data under DFARS 252.204-7012, FAR 52.204-21, and NIST SP 800-171 continues without interruption. 

Treat the next 60 days as preparation time. Verify your contract paperwork, keep your self-assessment accurate, close security gaps, and tell the Department what a workable framework looks like through the RFI. Contractors who do this will hold an advantage, whatever the task force recommends. 

If you want help positioning your business in the federal marketplace while the rules settle, CyberX Gov Solutions can help.

Schedule a free consultation at cyberxgovsolutions.com/schedule-a-meeting/ and get a clear plan for your next move. 

Frequently Asked Questions

Is CMMC cancelled?

No. The Department of War suspended the Phase 2 transition and later milestones while a task force reviews the program for 60 days. Self-assessment requirements remain in force, and further guidance will follow when the review ends. 

What happens to my contract that already requires a C3PAO assessment?

Memo 26-P-1023 directs contracting officers to remove Level 2 (C3PAO) and Level 3 (DIBCAC) requirements from existing contracts through a modification before the next option period or next administrative change. Active solicitations must be amended as soon as practicable. Confirm the change with your contracting officer in writing. 

Can I still get a CMMC waiver during the suspension?

No. The memo states that no waivers will be granted during the program review. Since solicitations cannot include third-party assessment requirements right now, waivers are unnecessary during this period. 

Do I still need to worry about cybersecurity if I only handle FCI, not CUI?

Yes. Contractors with Federal Contract Information remain subject to CMMC Level 1 self-assessment, which checks the basic safeguarding requirements in FAR 52.204-21. The suspension did not remove that obligation. 

How do I submit feedback on CMMC reform?

The Department posted a Request for Information on SAM.gov on July 13, 2026, with responses due August 14, 2026. Any defense contractor can respond with specifics on compliance costs, administrative burden, and which controls deliver real security value. 

Should I cancel a C3PAO assessment I already scheduled?

That is a business decision, not a requirement. A completed or mock assessment still validates your self-assessment score and positions you well if certification requirements return after the review. Weigh the cost against your contract pipeline before cancelling.