Skip to content
"VC3 has made it easier than ever before for our local government to serve our citizens by providing us with modern web tools and a team
of talented and courteous professionals.
City of Valdosta, GA

Find All the Resources You Need

Our resources & insights includes case studies, client testimonials, guides, checklists, blog articles and more!

 

6 min read

CMMC Phase II Is Suspended—What Defense Contractors Need to Know

CMMC Phase II Suspension

On July 13, 2026, the Department of War announced the suspension of CMMC Phase II pending a 60-day review by a newly formed CMMC Reform Task Force.

If you're a defense contractor, you've likely seen the headlines. However, what you may not have seen is a clear explanation of what this actually means for your compliance obligations—and what it doesn't.

The short answer? The audit requirement is paused. The underlying security requirements are not.

What Is CMMC Phase II, and Why Was It Suspended?

Phase II of CMMC (which originally was to take effect on November 10, 2026) requires defense contractors to pass an independent assessment conducted by a Certified Third-Party Assessment Organization (C3PAO) before obtaining or retaining certain DoW contracts. C3PAOs serve as independent verifiers that confirm a contractor actually implemented the required cybersecurity controls, rather than simply claiming they did.

One key problem was math. An estimated 100,000 or more contractors in the Defense Industrial Base (DIB) would require assessment under Phase II. The available pool of C3PAOs is estimated at fewer than 200. That mismatch was creating a bottleneck that threatened to push compliant, capable companies out of the DIB simply because they couldn't get an assessment scheduled in time and not because they lacked the right security controls.

The suspension is the DoW's acknowledgment that the mechanism for demonstrating compliance wasn't scalable—but not an acknowledgment that the compliance requirements themselves were wrong.

Does CMMC Phase I Still Apply?

Yes, and this point cannot be overstated.

CMMC Phase I took effect on November 10, 2025 and requires applicable defense contractors to complete a CMMC self-assessment. That means documenting your compliance posture through:

  • A SPRS score
  • A System Security Plan (SSP)
  • A Plan of Action and Milestones (POA&M) (where applicable)

Phase I requirements remain fully in effect during the Phase II suspension period. The DoW was explicit: "All Phase I self-assessment requirements remain firmly in place."

If your organization has not completed these Phase I requirements, the suspension of Phase II does not give you a pass.

What Hasn't Changed About Your CMMC Requirements?

The suspension of Phase II does not modify or eliminate any of the following obligations:

  • DFARS 252.204-7012: Includes safeguarding and cyber incident-reporting requirements. This is the clause that mandates NIST SP 800-171 (the 110 controls that form the core of CMMC requirements).
  • FAR 52.204-21: Establishes basic safeguarding requirements for Federal Contract Information (FCI).
  • NIST SP 800-171 Rev. 2: Establishes the security requirements for protecting CUI.
  • Maintaining an accurate SPRS score, a current SSP, and a POA&M where gaps exist.

DoW Chief Information Officer Kirsten A. Davies was direct on this point: "This action does not eliminate the requirement for companies to protect federal data. All defense contractors and subcontractors remain contractually obligated to safeguard covered defense information in accordance with DFARS clause 252.204-7012."

A Word on SPRS Scores and Legal Risk

With third-party assessments suspended, your self-attestation is now the entire compliance record. There is no C3PAO review standing between an inflated score and a government inquiry.

An inaccurate or overstated SPRS score is a False Claims Act exposure. That risk is functionally higher now, not lower, precisely because no independent check exists. If your posted score wouldn't survive a government-led assessment today, the right move is to fix your score or fix your gaps. This is the single most important action contractors can take during this 60-day period.

If Your Customer Is a Prime Contractor, Their Timeline Is Your Timeline

The federal suspension governs DoW solicitations and contracts. It does not govern what your prime contractor customers require of their supply chain.

Major primes have their own supplier security programs, and they are not likely to unwind those programs during a 60-day federal review. If you've been working toward CMMC compliance because a prime required it, get their current expectations in writing before your next award cycle. Don't assume the federal pause changed anything downstream.

What Is the 60-Day CMMC Phase II Review Expected to Focus On?

Based on available guidance, the Reform Task Force is expected to evaluate how organizations demonstrate compliance and not whether the underlying security requirements should be reduced. The DoW's stated goal is to create a more scalable, less administratively burdensome approach across the DIB while preserving the actual security posture those requirements are designed to produce.

This suggests the review is more likely to result in changes to the assessment model than to the control requirements themselves.

The DoW has also released a Request for Information (RFI) seeking direct feedback from the DIB community. The deadline for responses is August 14, 2026. The questions in the RFI suggest the DoW is considering whether all 110 controls should remain mandatory, which means the outcome could materially affect future compliance costs. Organizations that submit feedback have a rare opportunity to influence the outcome.

What Should You Do Right Now About the 60-Day CMMC Phase II Suspension?

1. Keep implementing, and don't pause. The suspension removed the audit bottleneck but not the requirements. Continue closing POA&M gaps and maintaining your SSP. Organizations that pause now risk re-entering the compliance pipeline behind everyone else when third-party assessments return in some form.

2. Pressure-test your SPRS score. With self-attestation now the entire enforcement surface, this is the highest priority action on your list. If your score wouldn't survive scrutiny, fix the gaps or fix the score before it becomes a legal matter rather than a compliance project.

3. Respond to the RFI by August 14. The DoW is asking for input. Small and mid-size contractors rarely get a direct voice in federal rulemaking. This is one of those rare moments to make your voice heard.

4. Watch your contracts for amendments. Modifications removing Phase II language will begin arriving. Read them carefully. Some may substitute other assurance requirements. Confirm what your specific contracts require before assuming the self-assessment path applies to you.

5. Ask your prime customers directly. Don't assume a federal pause changed their supplier requirements. Get it in writing.

6. Mark mid-September. The Task Force reports within 60 days. Be ready to act upon whatever comes out of that review.

7. Don't let your guard down on cybersecurity. Nation state actors targeting the DIB are indifferent to DoW rulemaking calendars. The threat environment has not paused. Organizations that interpret this suspension as a reason to slow down their security investments are exposed in a way that has nothing to do with CMMC.

What’s the Bottom Line About the CMMC Phase II Suspension?

The CMMC Phase II suspension is a meaningful development, but it’s not a reprieve from the obligations that have always mattered most. DFARS 252.204-7012 and NIST SP 800-171 are contract terms, not CMMC artifacts, and they remain fully in force today.

Organizations that use this period to complete their self-assessments, close documented gaps, and build a defensible compliance posture will be well-positioned regardless of what the Task Force recommends.

Organizations that treat the suspension as a reason to delay will find themselves behind—whether that's in an assessment queue, a prime contractor's supplier review, or a DOJ inquiry.

The 60 days ahead are an opportunity. Use them wisely.

Have questions about how the CMMC Phase II suspension affects your organization? Reach out to us today to discuss your specific situation and compliance obligations.

Let's talk about how VC3 can help you AIM higher.