Is CMMC Still Required After the Suspension? What Contractors Must Do Now
Is CMMC still required after the suspension? Yes. CMMC remains required wherever a solicitation, contract, or prime flow-down calls for a CMMC status.
On July 13, 2026, the Department suspended CMMC Phase II — the scheduled expansion of third-party assessment requirements set to begin November 10, 2026 — and suspended the pending and future milestones behind it. But it paused a verification mechanism, not the security obligation. The underlying DFARS duties, the NIST controls, and your existing CMMC level remain active where your contract says they do.
Then the qualifier that decides your next move: if an active solicitation or an existing contract still lists Level 2 (C3PAO) or Level 3, don't treat the announcement as an automatic contract change. The Department directed contracting officers to issue the amendment or modification — it did not tell you to strike the clause out yourself. Look for the paperwork first.
Here's the part almost nobody is saying out loud, and the reason we read every source ourselves before writing this: the suspension didn't lower your risk so much as move it. For a contractor with a gap, the most dangerous response this week is to exhale, freeze remediation, and keep affirming a compliant score. We'll show you exactly where the risk went — with the DFARS clauses and a real Department of Justice settlement to back it up — and it's not where most vendors are pointing.
The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor's level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.
The 20-second version: what paused, what didn't
| Requirement or pathway | Status after July 13, 2026 | What it means today |
|---|---|---|
| CMMC Level 1 (Self) — 15 basic safeguards for Federal Contract Information (FCI) | Active where required | Keep your annual self-assessment and affirmation current |
| CMMC Level 2 (Self) — 110 NIST SP 800-171 Rev. 2 requirements for Controlled Unclassified Information (CUI) | Active where required | Keep implementing, keep your evidence, keep affirming |
| New Level 2 (C3PAO) — third-party assessment | Suspended | No new government requirement for a certificate right now |
| New Level 3 (DIBCAC) — government assessment of the most sensitive CUI | Suspended | Pending/future milestone, paused until further notice |
| DFARS 252.204-7012 — safeguard covered defense information; report incidents | In effect where included | Untouched by the suspension |
| NIST SP 800-171 Revision 2 — the Level 2 control set | Still the assessment basis | Revision 3 has not replaced it for CMMC |
| NIST SP 800-171 DoD Assessment score in SPRS (DFARS 252.204-7019/-7020) | Still required where clauses apply | Verify your current summary score is posted |
| CMMC status + annual affirmation (32 CFR Part 170; DFARS 252.204-7021) | Still required for your status | Affirm after assessment and annually thereafter |
| Government-led (DCMA/DIBCAC) assessments | Still happening | The government's own auditors were not removed |
| A new Phase II date | Not announced | Don't assume a replacement deadline |
What exactly did the Department suspend on July 13, 2026?
The Department suspended the November 2026 Phase II transition — the scheduled expansion of third-party (C3PAO) assessment requirements across applicable procurements — along with all pending and later CMMC milestones. Phase I self-assessment requirements, in place since November 10, 2025, remain firmly in place.
A C3PAO (CMMC Third-Party Assessment Organization) is a private firm authorized or accredited to perform CMMC Level 2 certification assessments. DIBCAC(the Defense Industrial Base Cybersecurity Assessment Center, part of DCMA — the Defense Contract Management Agency) is the government's assessment team; it would have run Level 3. Phase II was not the first moment a C3PAO requirement could appear in a contract — it was the scheduled expansion of that requirement across applicable procurements. During Phase I (beginning November 10, 2025), requiring activities could already include Level 2 (C3PAO) in select procurements. Now that discretion is paused.
The Department's official July 13 release on war.gov states directly: “All Phase I self-assessment requirements remain firmly in place,” and “this action does not eliminate the requirement for companies to protect federal data. All defense contractors and subcontractors remain contractually obligated to safeguard covered defense information in accordance with DFARS clause 252.204-7012.” During the interim, the released procedures also confirm that CMMC waiver processing is suspended during the review.
The action was carried out by two documents cleared for public release under case number 26-P-1023: a policy memorandum from the Department CIO, Kirsten A. Davies, and implementation procedures from Under Secretary for Acquisition and Sustainment Michael Duffey. The stated rationale is cost and capacity. Officials cited Small Business Administration data suggesting future CMMC phases could cost small and mid-sized firms billions of dollars a year, and Davies pointed to delays in building sufficient C3PAO assessment capacity.
A quick note on the name
If “Department of War” threw you: Executive Order 14347 (signed September 5, 2025) authorized “Department of War” and “Secretary of War” as an additional secondary title for official correspondence, public communications, ceremonial contexts, and non-statutory documents. The order is explicit that statutory references to the Department of Defense and Secretary of Defense “shall remain controlling until changed subsequently by the law.” That's why current official communications may use either name, and why this report uses both.
What the suspension did not do
- Amend 32 CFR Part 170 (the CMMC Program rule, effective December 16, 2024) or the DFARS clause text (DFARS 252.204-7021).
- Suspend DFARS 252.204-7012.
- Replace NIST SP 800-171 Revision 2 with Revision 3 for CMMC purposes.
- End Level 1 or Level 2 self-assessments.
- Eliminate government-led assessments.
- Announce a replacement Phase II date.
- Announce reimbursement for money already spent on assessment prep.
The former schedule, for context
| Former milestone | Was scheduled for | Status now |
|---|---|---|
| Phase I — Level 1 (Self) and Level 2 (Self) | November 10, 2025 through November 9, 2026 | Self-assessment designations continue |
| Phase II — expansion of Level 2 (C3PAO) | November 10, 2026 | Transition suspended |
| Phase III — Level 3 (DIBCAC) | November 10, 2027 | Pending milestone suspended |
| Phase IV — full incorporation | November 10, 2028 | Pending milestone suspended |
| Replacement schedule | — | Not announced |
Is CMMC dead, or just paused? Suspended versus repealed
CMMC is not dead. The July 13 action was a policy decision and implementation procedures — not a rule change. It did not amend 32 CFR Part 170 (the CMMC Program rule) or the CMMC contract clause, DFARS 252.204-7021, both of which remain in force. As of July 15, 2026, CMMC is paused, not repealed.
Within hours of the announcement, “CMMC is dead” was everywhere. It's wrong, and the error is always the same: it confuses the certification mechanism with the security requirement. The Department paused the third-party verification step. It did not — and by memorandum alone, could not — erase the duty to protect covered defense information. That duty predates CMMC and outlives this pause.
It helps to see the layers that actually govern you. The Defense Compliance Report calls this the CMMC authority stack:
| Layer | What it is | What the July 13 action did to it |
|---|---|---|
| Codified authority | 32 CFR Part 170 (CMMC Program rule) and DFARS 252.204-7021 (contract clause) | Unchanged; still in force |
| Implementation direction | The July 13 release and CIO/Under Secretary procedures (case 26-P-1023) | New layer — directs how the Department applies the rule during the review |
| Binding procurement instrument | Your solicitation, amendment, contract, modification, or subcontract flow-down | Unchanged until the specific document is amended or modified |
The top layer is codified regulation. A memorandum can change how the middle layer is implemented; it cannot rewrite the top. What 's on hold is the Department's use of its discretion to designate the higher assessment levels — not the regulation itself.
The accreditation body reads it the same way. In its July 15, 2026 statement, the Cyber AB — the official, non-governmental accreditation body for CMMC — said only Phase II implementationwas suspended and that the rest of the ecosystem (C3PAO Level 2 certification assessments, training, exams, Registered Practitioner support, and DIBCAC's oversight of C3PAOs) remains operational. Its own characterization was “a pause, not a stop.”
Could it still be canceled? Possibly. When reporters pressed, Davies and Duffey pointedly declined to rule out ending the program at the end of the review. The official written release does not state the review's outcome. So the honest status is: suspended today, genuinely uncertain tomorrow, and still codified underneath. Plan against the rule that exists — not the outcome you're hoping for.
Is CMMC still required after the suspension — and which requirements still apply?
During the suspension, Level 1 (Self) and Level 2 (Self) remain the permitted CMMC designations. Applicable contractors must also keep meeting the underlying FAR/DFARS safeguards, maintain a current NIST assessment and SPRS score where the assessment clauses apply, affirm their CMMC status where they hold one, and cooperate with government-led assessments. The third-party assessment is what paused — not the work underneath it.
Several separate obligations get collapsed into one word, “CMMC.” They aren't the same, and only one was touched. Below is our SPRS record crosswalk — the three (really four) records contractors blur together, with the trigger, the owner, and the primary authority for each.
| Record | What triggers it | Who submits it | Where it lives | Primary authority |
|---|---|---|---|---|
| NIST SP 800-171 DoD Assessment summary score (Basic self-assessment, or government Medium/High) | DFARS 252.204-7019/-7020 in the solicitation/contract | You (Basic) or the government (Medium/High) | SPRS | DFARS 252.204-7019, -7020 |
| CMMC self-assessment result / status | Contract specifies Level 1 (Self) or Level 2 (Self) | You | SPRS | 32 CFR Part 170; DFARS 252.204-7021 |
| CMMC certification result / status (C3PAO) | Contract specifies Level 2 (C3PAO) | The C3PAO transmits the result; your status posts to SPRS | SPRS | 32 CFR Part 170; DFARS 252.204-7021 |
| CMMC affirmation of continuous compliance | You hold a CMMC status | Your named Affirming Official | SPRS | 32 CFR Part 170 |
Now the specifics.
Level 1 (Self) — for FCI. If a solicitation, contract, or flow-down requires CMMC for an in-scope system that handles Federal Contract Information (FCI) — non-public information you handle in performing a contract, but not CUI — Level 1 (Self) is the applicable path: 15 requirements, an annual self-assessment, and an annual affirmation. There is no reason to buy a C3PAO assessment for a Level 1 requirement.
Level 2 (Self) — for CUI. If an applicable solicitation, contract, or flow-down requires Level 2 for an in-scope system that processes, stores, or transmits Controlled Unclassified Information (CUI), Level 2 uses all 110 NIST SP 800-171 Revision 2 requirements across 14 control families, on a three-year assessment cycle, with annual affirmations, a current System Security Plan (SSP), and maintained evidence. The procurement states whether the required status is Level 2 (Self) or Level 2 (C3PAO). One confirmed carve-out: CMMC does not apply to acquisitions exclusively for commercially available off-the-shelf (COTS) items.
Level 3 (DIBCAC) — for the most sensitive CUI. Level 3 requires a Final Level 2 (C3PAO) status for the same scope, plus a selected subset of enhanced requirements from NIST SP 800-172, assessed by the government. New Level 3 designations are among the milestones now paused.
DFARS 252.204-7012 — for everyone with the clause. This is the safeguarding-and-incident-reporting clause. It was not suspended, and it operates independently of CMMC. Its NIST implementation provision required covered systems subject to the clause to implement the specified requirements no later than December 31, 2017.
Government-led assessments — still live.The pause covers new Level 3 (DIBCAC) designations, but it does not stop the government from conducting a NIST SP 800-171 Assessment where DFARS 252.204-7020 applies. Under that clause, DoD (for example, DCMA) conducts Medium and High Assessments and posts the summary score to SPRS. The Department's own release confirmed “select government-led assessments” continue.
Revision 2 vs. Revision 3 — don't get ahead of the rule. NIST withdrew Revision 2 from its active publication catalog on May 14, 2024 and superseded it with Revision 3. That did not automatically amend the CMMC Program rule or the applicable DFARS requirements: 32 CFR Part 170 still incorporates the February 2020 Revision 2 publication with its January 2021 updates, and current Department guidance still assesses CMMC against Revision 2. If your team is implementing Rev. 3 controls, good — but you still have to account for any gaps against the Rev. 2 assessment basis.
The right CMMC provider isn't the same for every contractor — the category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist.
Use the Find My CMMC Path tool →For how the three levels differ in full, see our CMMC levels explainer. (RPO/RP = Registered Provider Organization / Registered Practitioner; MSSP = Managed Security Service Provider; GRC = governance, risk, and compliance platform; CUI enclave = a segmented, hardened environment that isolates CUI to shrink your assessment scope.)
What does the suspension mean for your exact solicitation or contract?
The practical answer depends on which document you're holding — an active solicitation, an existing contract, an upcoming option, or a subcontract flow-down — because the Department directed a different written action for each. Find the governing document and its assessment type before you change scope, spending, or any compliance representation.
Below is our CMMC Suspension Contract Action Matrix — built by mapping the Department's implementation procedures against the situations contractors are actually in, then adding the columns nobody else combines: the written artifact that controls your situation, and the least-regret action that follows. Find your row.
| Your situation | Status after July 13 | What still applies | The document that controls it | Least-regret next action |
|---|---|---|---|---|
| FCI only; solicitation says Level 1 (Self) | Level 1 self-assessment remains an allowed designation | FAR basic safeguards; current Level 1 status; annual assessment & affirmation | Solicitation, contract, FCI determination | Keep the Level 1 baseline current. Don't buy a C3PAO assessment. |
| CUI; solicitation says Level 2 (Self) | Level 2 self-assessment remains an allowed designation | NIST 800-171 Rev. 2; applicable DFARS duties; SSP; SPRS score & affirmation | Solicitation, contract clauses, SSP, SPRS record | Continue remediation and evidence work. Verify self-assessment and affirmation are current. |
| Active solicitation still says Level 2 (C3PAO) | Requirement is to be amended out | Separately applicable safeguarding and NIST assessment duties continue | The written solicitation amendment — not the announcement | Ask the contracting officer when the amendment issues. |
| Active solicitation still says Level 3 (DIBCAC) | New Level 3 designations paused; solicitation to be amended | Any separately applicable security requirements | Written solicitation amendment | Get written clarification before pricing or representing compliance. |
| Existing contract contains Level 2 (C3PAO) or Level 3 | To be removed by modification before next option or scheduled administrative mod | Current contract safeguards until the document changes | Signed contract modification | Don't self-delete the clause. Request written timing and instructions. |
| Prime still demands a certificate from you (sub) | Government's new-designation policy changed; the prime's flow-down may not have | FCI/CUI safeguarding; valid flow-down duties | Subcontract, purchase order, revised prime direction | Ask the prime to state data type, level, assessment type, evidence, and effective date in writing. |
| C3PAO assessment booked, but no current document requires it | New C3PAO designations paused; no universal rule on voluntary assessments | Your underlying security program may still be necessary | Engagement agreement; target solicitations; written customer demands | Separate the assessment's strategic value from the old November deadline. Read your cancellation terms first. |
| C3PAO assessment already in progress | The suspension materials give no universal stop-work or refund rule | Existing agreement, security work, customer commitments | Assessment contract; current stage; customer requirements | Get written options and costs from the C3PAO. Neither finishing nor cancelling is automatically correct. |
| You hold a Final or Conditional Level 2 (C3PAO) status | No announced automatic revocation; new government requirements for that status paused | Status-maintenance duties; annual affirmation | Certificate of CMMC Status; annual affirmation; target solicitations | Keep your status and affirmation accurate. Don't promise it will (or won't) be required after reform. |
| Contract has DFARS 252.204-7012 but no separate CMMC or NIST assessment clause | Safeguarding duties were not suspended | Safeguarding and incident reporting | Contract clauses | Continue the work. Check separately for 252.204-7019, -7020, -7021. |
| No FCI, no CUI, no applicable safeguarding clause | CMMC may not apply — but the documents decide | Any other contractual security provisions | Solicitation, contract, data-flow analysis | Confirm scope before spending. Don't assign yourself a level from a generic checklist. |
The concept under this whole table — document-controlled relief. An announcement explains policy. A solicitation amendment, a contract modification, or a revised subcontract changes the instrument you're actually bound by. The Department told its contracting officers to change those documents. It did not tell you to reinterpret or edit your own contract on the strength of a news release. If your paperwork and the policy disagree, the safe move is to get the paperwork corrected — and, where the stakes are real, to run it past a CMMC Registered Practitioner or a qualified federal-contracts attorney. This report is educational research, not legal advice.
Before you decide anything, have these open in front of you: your solicitation and all amendments; your contract and all modifications; any option notice; your prime flow-down or supplier letter; the DFARS clauses in the contract; the listed CMMC level and assessment type; your CAGE code(s); and your current SPRS record.
Not sure what your document actually requires now? Map it in two minutes.
The Defense Compliance Report's Find My CMMC Path tool walks through your document type, FCI vs. CUI scope, the assessment type written in your contract, and your timeline, then points you to the provider category to evaluate first — and flags what to verify before you spend. It's free, it takes about two minutes, and it accounts for the post-suspension picture on this page.
Find My CMMC Path →What if your solicitation or contract still says Level 2 (C3PAO) or Level 3?
For an active solicitation, the Department directed the requiring activity to amend the requirement and the contracting officer to issue that amendment as soon as practicable. For an existing contract, contracting officers were directed to remove the requirement by modification before the next option period or scheduled administrative modification. Until that written change appears, ask — don't assume, and don't self-delete.
If it's an active solicitation: look for a numbered amendment. Check whether the required status shifted to Level 2 (Self), and whether proposal dates or representations changed with it. Do not rely on a vendor email or a LinkedIn post summarizing the news — rely on the amendment.
If it's an existing contract: look for a signed modification, and watch the timing around your next option. Confirm whether any deliverables, representations, or status requirements changed. Keep performing every unrelated cybersecurity clause in the meantime.
Because the fastest way to resolve this is to ask the right person the right way, here's a neutral message you can adapt and send today.
“We're reviewing the July 13, 2026 CMMC Phase II suspension procedures against [solicitation/contract number]. Please confirm in writing: (1) whether the current Level 2 (C3PAO) or Level 3 requirement will be removed; (2) whether Level 2 (Self) will replace it; (3) when the amendment or modification will issue; (4) whether proposal, award, or option dates are changing; and (5) what CMMC status or evidence will be required after the change.”
Bring in counsel or an RP/RPO when your documents conflict, when a proposal or option is imminent, when a prime refuses to revise a flow-down, when cancellation or reliance costs are material, when you've already submitted a representation, or when you genuinely aren't sure whether your information is FCI or CUI.
→ Tracking the official actions as they happen? See our CMMC Reform Review tracker — dated government actions and source links, no predictions.
Does the CMMC suspension reduce your False Claims Act risk?
No. The third-party C3PAO audit paused; the liability didn't. Pausing new Level 2 (C3PAO) designations did not suspend the False Claims Act or the underlying contract duties. An inaccurate NIST assessment score or CMMC affirmation can create False Claims Act exposure when someone knowingly — including through deliberate ignorance or reckless disregard — makes a false statement material to a government payment or decision.
Under the Phase II model that was coming, an independent third-party assessor would have reviewed your Level 2 implementation before certifying it. Removing that step doesn't lower the bar — it shifts the reliance onto your own self-attestation. During the suspension, the accuracy of your self-reported SPRS score and your annual affirmation carries the weight, and the government's own auditors are still in the field.
This isn't theoretical, and it isn't old news. On June 18, 2026 — weeks before the suspension — the Justice Department announced that LOGZONE Inc., a Huntsville, Alabama defense contractor, agreed to pay $507,144to resolve False Claims Act allegations tied to two Navy contracts. According to the DOJ's own release, from May 2021 to March 2025 the company allegedly failed to implement certain NIST SP 800-171 controls; against a perfect score of 110 reflected in the record, a government assessment scored its environment at −170, at the low end of the possible range of −203 to 110. (The claims were resolved as allegations only, with no determination of liability.)
Read that timeline again. The conduct predates CMMC Phase II entirely. The contracts incorporated DFARS 252.204-7012, -7019, and -7020 — the exact obligations the Department just told you to keep meeting — and the damaging score came from a government assessment under 7020, the kind that did not pause.
| Record or representation | Governing source | Accuracy duty | What LOGZONE shows | What it does not establish |
|---|---|---|---|---|
| NIST SP 800-171 assessment score in SPRS | DFARS 252.204-7019/-7020 | Post a current, accurate summary score | A posted score can be tested by a government assessment years later | That every imperfect score is a violation |
| CMMC / self-attested compliance representation | 32 CFR Part 170; DFARS 252.204-7021 | Represent your status accurately | Misrepresenting posture can support FCA allegations | That liability is automatic without scienter and materiality |
| Payment claims on the contract | False Claims Act (31 U.S.C. § 3729) | Don't knowingly submit false claims | A $507,144 settlement resolved the allegations | A fixed penalty formula for any inaccuracy |
The False Claims Act reaches a knowingly false claim, or a knowingly false record or statement material to a false claim. “Knowingly” includes actual knowledge, deliberate ignorance, and reckless disregard. Treble damages are a statutory consequence of a violation — not an automatic result of an inaccurate score. The amount of any settlement or judgment turns on the actual facts: the claims, the damages, scienter, materiality, cooperation, and more.
The suspension removed the November 10 audit-deadline pressure, giving you a window to close real gaps and correct an inaccurate score before a government assessment does it for you. Correcting a score yourself is a far stronger position than having DIBCAC find the gap during a Medium or High Assessment. The audit deadline that was forcing expensive evidence-packaging and audit-choreography spend is gone. What's left is the work that actually protects your data and defends you: closing genuine Rev. 2 gaps, keeping an honest SSP, maintaining evidence.
If your SPRS score and your real controls don't match, closing that gap is the priority now — not waiting on the review.
The right help depends on the gap: an RPO or MSSP to build and run controls, a GRC platform to organize evidence, or a CUI enclave to shrink your scope. Match the fix to the finding before you request quotes.
Do I still need a C3PAO assessment? And should I cancel one I've booked?
No requiring activity should be adding a new Level 2 (C3PAO) designation during the suspension, so you shouldn't buy an assessment merely because the old November 10 milestone was looming. A voluntary or customer-driven assessment can still hold real strategic value — but that's now a business decision to justify against actual opportunities, contract language, cost, and cancellation terms, not a deadline to beat.
When the answer is probably “not yet”: no current solicitation or contract requires a C3PAO; the only urgency was the former November date; your scope and SSP aren't mature; you haven't signed the engagement; leadership is reacting to vendor-manufactured deadline pressure. Keep the security readiness work; hold the assessment purchase.
When the answer is “verify before you decide”: a live solicitation still contains C3PAO language; a prime has a written, customer-backed requirement; you're already mid-assessment; a teaming arrangement values an existing certificate; your cancellation costs are substantial; or leadership wants independent assurance for reasons beyond contract eligibility.
| Your situation | Continue now | Hold now | Verify before deciding |
|---|---|---|---|
| Assessment not contracted; no current C3PAO requirement | Security readiness | The formal assessment purchase | Which target solicitations actually require it |
| Deposit paid; work not started | Readiness and evidence | Additional nonrefundable spend | Cancellation terms and real customer need |
| Assessment in progress | Accurate cooperation and evidence | Optional add-ons | Cost to finish vs. cost to stop |
| Final or Conditional status already held | Status accuracy and affirmation | Assumed future-value claims | Current solicitations and later official guidance |
| Prime demands a certificate | Underlying security work | Blind acceptance or refusal | The written flow-down and its customer basis |
One structural point that survives the suspension: readiness and assessment must stay independent. Under the Cyber AB's rules, a C3PAO and every member of its assessment team may not participate in a Level 2 certification assessment if they served as a consultant preparing that organization for any CMMC assessment within the previous three years; other conflicts must be disclosed and mitigated. If you're deciding who to bring in first, our who-to-hire-first guide walks the sequence.
The least-regret strategy isn't “keep spending” and it isn't “cancel everything.” It's this: preserve the controls and evidence that protect your current contracts, and require a fresh, document-based justification for every dollar of formal-assessment spend.
Want a self-serve next step? Download the CMMC Readiness Checklist— the controls and evidence that still matter, organized to the 14 control families. Free, and there's no better use of this window.
CMMC Readiness Checklist →Should you stop your NIST 800-171 and SPRS work — or pause spending?
Do not stop the safeguarding, documentation, remediation, self-assessment, or evidence work tied to your current contracts. Do revalidate any spending that existed solely to obtain a third-party certificate on the suspended schedule — especially before you sign a new, nonrefundable engagement.
Here's the clean sort. Print it, hand it to your team, run every open invoice through it.
| Stop assuming | Keep doing | Verify before spending |
|---|---|---|
| November 10, 2026 is still the live C3PAO date | Protecting FCI and CUI | Whether a current document requires a C3PAO |
| "Suspended" means all cyber duties vanished | Closing real Rev. 2 gaps | Amendment or modification status on your contract |
| The announcement changed your contract | Maintaining your SSP and evidence | Your prime's actual flow-down |
| A compliance platform alone proves compliance | Keeping your assessment score and affirmation honest | Cancellation and refund terms |
| Every contractor needs a provider immediately | Incident-response and reporting readiness | Whether an enclave still solves a real scope problem |
| All prior spend was wasted | Monitoring official changes | Whether a formal assessment has independent commercial value |
The work that almost always keeps its value: CUI inventory and data-flow mapping, scope reduction, identity and access controls, multifactor authentication, configuration management, incident response, an accurate SSP, evidence discipline, and supplier/external-service-provider governance. That's not compliance theater — that's the security your contracts require and your customers expect, with or without an assessor in the room. (For where the real money goes, see our CMMC Level 2 cost breakdown.)
The work that now needs a new business case: C3PAO deposits and scheduling fees, assessment-only consulting, rush premiums, and any long-term platform or migration you bought onlybecause of the old date. Be honest with yourself here — some assessment-specific spend may simply not carry the same procurement value right now. Reprice it; don't pretend.
What does the CMMC suspension mean for primes and subcontractors?
The suspension changes which CMMC assessment types the Department is directing into new procurements. It does not automatically erase FCI/CUI safeguarding duties or every existing subcontract obligation. Primes and subs should replace vague “go get certified” demands with written, procurement-specific instructions that name the data type, level, assessment type, evidence, and effective date.
If you're a prime, give your suppliers a clarification they can act on. Copy this template:
Post-Suspension Supplier Clarification
- Data type: FCI, CUI, both, or neither.
- Required CMMC level.
- Assessment type: Level 1 (Self), Level 2 (Self), or Level 2 (C3PAO).
- Contractual or customer basis for the requirement.
- Evidence requested.
- Effective date.
That five-minute email prevents a hundred confused supplier calls.
If you're a sub, ask the questions that separate a real obligation from a nervous preference: Is this a formal subcontract clause or a supplier-readiness ask? Has the prime received an amendment or modification? Is Level 2 (Self) now acceptable? Which system or CAGE code is in scope? Is the evidence needed before proposal, before subcontract award, or before you touch data?
And keep one distinction sharp: government procurement policy, a prime's own contractual duties, and a prime's private supplier standards are not the same thing. A prime can maintain a commercial security bar the government isn't currently mandating. The July 13 directives do not themselves amend your subcontract — so don't assume the suspension frees you from a flow-down without reading the flow-down and, if needed, revising it through the applicable contracting parties.
Could CMMC return after the review?
The Department announced a review by a new CMMC Reform Task Force but did not announce its outcome or a replacement date. Possible results range from a reformed, scaled-down framework to — officials declined to rule it out — ending the program. Nothing is settled. Plan against the rule that's still in force, and watch the dated milestones.
What's known: a CMMC Reform Task Force, led by the Department CIO, is conducting a top-to-bottom review. It's drawing on a public Request for Information (RFI), and it is charged with delivering a final report to the CIO within 60 days of the July 13 announcement (roughly mid-September 2026). Per the RFI as reported by multiple government-contracts law firms, comments are due 12:00 PM ET on Friday, August 14, 2026. Separately, the Cyber AB has scheduled a CMMC Town Hall for July 28, 2026 at 6:00 p.m. ET to address the pause and review.
What's not known: whether third-party assessments return in the same form; whether thresholds, scope, or frequency change; whether a new schedule appears; how existing certificates are treated; whether costs or provider roles shift; or whether new rulemaking will be required for specific reforms.
A word on the cost argument: the Department cited SBA figures suggesting future phases could cost small and mid-sized firms billions of dollars a year. But some of the sharpest voices in the ecosystem push back: they argue that most of the eye-watering per-firm cost estimates reflect NIST 800-171 implementation — which the Department explicitly told you to keep doing — rather than the C3PAO assessment itself, which industry estimates put in the tens of thousands of dollars every three years for most companies outside Level 3. Dropping the C3PAO requirement does not save a contractor the six-figure cost of actually being secure, because that cost was never mostly the audit.
| Possible procedural outcome | What to watch for |
|---|---|
| Phase I continues longer | Continued self-assessment and SPRS guidance |
| A revised third-party model | New eligibility, scope, or frequency language |
| A new phased schedule | A formal memo, Federal Register action, or acquisition guidance |
| Broader government-led verification | Changes to assessment and enforcement guidance |
| A rule amendment | Proposed or final rulemaking on 32 CFR Part 170 |
→ We record each signed memo, official FAQ, and rule change as it actually happens — no predictions — in the CMMC Reform Review tracker.
What should defense contractors do after the CMMC suspension?
Pull your controlling documents, identify the required level and assessment type, look for a written amendment or modification, and keep your applicable safeguards and self-assessment records current. Do not cancel an assessment, sign a new one, or change a compliance representation on the strength of the announcement alone. Then write the decision down.
Your next 48 hours, in order:
- Pull every controlling document — solicitation, amendments, contract, modifications, option notices, and subcontract flow-downs.
- Find the listed assessment type — Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3.
- Confirm FCI vs. CUI — from your contract and data flows, not a generic quiz.
- Check for a written change — an amendment or modification, not just an announcement.
- Preserve current security work — safeguards, evidence, incident readiness, an accurate self-assessment, and your SPRS/affirmation status.
- Sort every open invoice into Continue, Hold, or Verify — separating operating security from formal certification.
- Document the decision— the source you checked, the date, who's responsible, the open question, and your next review date.
That last step is the one contractors skip and later wish they hadn't. When the Task Force reports and your leadership asks “why did we keep spending / why did we stop,” a dated record of what you verified and why is worth more than any vendor's reassurance. Copy this worksheet and fill one out per procurement:
CMMC Suspension 48-Hour Review Worksheet
| Procurement / contract ID | ___________________________________________ |
| Document type (new solicitation / active solicitation / existing contract / option / subcontract) | ___________________________________________ |
| FCI, CUI, both, or neither | ___________________________________________ |
| Listed CMMC level | ___________________________________________ |
| Listed assessment type (Self / C3PAO / Level 3) | ___________________________________________ |
| Written amendment or modification number (if any) | ___________________________________________ |
| Current SPRS score / affirmation status | ___________________________________________ |
| Open provider or C3PAO commitments | ___________________________________________ |
| Decision — Continue / Hold / Verify | ___________________________________________ |
| Source checked and date | ___________________________________________ |
| Decision owner | ___________________________________________ |
| Next review date | ___________________________________________ |
Turn the suspension into a documented next step — without guessing, and without oversharing.
Tell us your level, scope, and timeline, and we'll match you with source-checked CMMC provider options — or tell you if the answer is “no provider yet.”
Get matched with source-checked provider options →What The Defense Compliance Report verified
We don't ask you to take any of the above on faith. Here's what we checked, on what date, and — just as important — what we did not claim.
Verified July 15, 2026:
- The July 13, 2026 Phase II suspension, read directly from the Department's official release (war.gov).
- The permitted designations (Level 1/2 Self) and the prohibition on new Level 2 (C3PAO) / Level 3 designations, and the amendment/modification instructions, from the Department CIO/Under Secretary procedures (public-release case 26-P-1023).
- The suspension of CMMC waiver processing during the review.
- That NIST SP 800-171 Revision 2 remains the CMMC assessment basis, and Revision 3 has not replaced it for CMMC.
- Phase I assessment cadence and the annual-affirmation requirement.
- That DFARS 252.204-7012 remains in effect, and that DFARS 252.204-7019 and -7020 are current in the DFARS as of the change dated May 7, 2026.
- That government-led (DCMA/DIBCAC) assessments continue.
- The current text of 32 CFR Part 170 in the eCFR (unamended by this action).
- The “additional secondary title” status of “Department of War” under Executive Order 14347 (90 FR 43893).
- The Cyber AB's July 15, 2026 statement, read via its official release.
- The LOGZONE settlement — $507,144, a −170 government assessment score, the −203 to 110 range, two Navy contracts, and the “allegations only” disclaimer — from the DOJ's June 18, 2026 announcement.
What we did not claim:
- A predicted replacement date, or a predicted outcome of the review.
- Any automatic cancellation, refund, or reimbursement right for prior assessment spend.
- Automatic revocation — or guaranteed future value — of an existing CMMC status.
- A legal interpretation of your specific contract.
- A universal “cancel it” or “keep it” verdict on a booked C3PAO assessment.
Who, how, and why. This report was produced by The Defense Compliance Report Editorial Team through primary-source review and current-status verification, checked against an internal claim record before publication. Our research approach is documented at Methodology and Editorial Standards; we correct errors promptly and log them at Corrections.
Frequently asked questions
- Was CMMC canceled?
- No. Only Phase II implementation was suspended on July 13, 2026. The program rule (32 CFR Part 170) and the CMMC contract clause were not amended, and the Cyber AB says the rest of the program remains operational. Officials declined to rule out ending CMMC after the review, but as of July 15, 2026 it is paused, not canceled.
- Is November 10, 2026 still the CMMC Phase II deadline?
- No. The scheduled expansion of third-party (C3PAO) requirements on that date is suspended, and no replacement date has been announced.
- Is CMMC Level 2 still required?
- Level 2 (Self) can still be required where a solicitation, contract, or flow-down specifies it, along with the 110 NIST SP 800-171 Rev. 2 requirements underneath it. New Level 2 (C3PAO) designations are suspended during the review.
- Do I still need a C3PAO assessment?
- Not merely because of the former November 10 milestone. Check your actual written requirements, any amendment, real customer demand, and your existing engagement terms before deciding.
- Is NIST SP 800-171 Revision 2 still required?
- Yes, where applicable. It remains the CMMC Level 2 assessment basis; 32 CFR Part 170 still incorporates the February 2020 Rev. 2 publication with its January 2021 updates, even though NIST superseded Rev. 2 with Rev. 3 in its own catalog in 2024.
- Do I still need a NIST 800-171 DoD Assessment score in SPRS?
- Yes, where DFARS 252.204-7019/-7020 or applicable contract language requires it. Those clauses — not DFARS 252.204-7012 alone — establish the current-assessment and SPRS-summary-score mechanics.
- What is the difference between a NIST assessment score, a CMMC status, and a CMMC affirmation?
- They are three separate SPRS records. The NIST SP 800-171 DoD Assessment summary score comes from DFARS 252.204-7019/-7020. The CMMC status (self or C3PAO) comes from 32 CFR Part 170 and DFARS 252.204-7021. The annual affirmation of continuous compliance is entered after a CMMC assessment and annually thereafter. Which ones you owe depends on the clauses in your contract.
- How long does a Conditional CMMC Status last?
- A Conditional Level 2 (C3PAO) Status generally expires after 180 days unless the associated Plan of Action and Milestones (POA&M) is closed through a C3PAO closeout assessment. A Final status is generally current for up to three years, subject to an affirmation not older than one year and continued compliance.
- Can DIBCAC still assess us?
- Yes. New Level 3 (DIBCAC) designations are suspended, but the government can still conduct Medium and High NIST SP 800-171 Assessments where DFARS 252.204-7020 applies — the LOGZONE case above involved exactly such a government assessment.
- What if my solicitation still says C3PAO?
- Look for the written amendment and ask the contracting officer for timing. Do not silently disregard the existing language.
- What if my existing contract still says C3PAO?
- Look for a signed contract modification, particularly before your next option or scheduled administrative modification.
- Can my prime still require a certificate?
- Possibly. Get the requirement and its customer basis in writing. Government implementation policy and a prime's contractual or commercial supplier requirements are not the same thing, and the July 13 directives do not themselves amend your subcontract.
- Should I cancel my scheduled C3PAO assessment?
- Not automatically. Review actual contract demand, your cancellation terms, the stage of work, and the business value of finishing versus stopping.
- Are completed CMMC certificates invalid now?
- The materials we reviewed do not state that an existing CMMC status is automatically revoked, and they do not guarantee how it will be treated after reform. Keep your status and affirmation accurate and monitor official guidance.
- How long must I keep CMMC assessment evidence?
- Under 32 CFR Part 170, assessment records are generally retained for six years from the CMMC Status Date, and Level 2 (C3PAO) evidence carries specific handling requirements. Keep your evidence intact through the review.
- Did the suspension eliminate cyber-incident reporting?
- No. DFARS 252.204-7012 remains in effect where your contract includes it.
- When will Phase II resume?
- No replacement date has been announced. Track official actions in our CMMC Reform Review tracker.
Need help deciding what type of CMMC provider you need?
Tell us your level, scope, and timeline, and we'll match you with source-checked CMMC provider options. We map your situation to the right provider category — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — so you evaluate the right kind of help before you request quotes.
Sources
Primary authorities
- U.S. Department of War, “Forging the Arsenal of Freedom: Department of War Suspends CMMC Phase II Requirements,” July 13, 2026 — war.gov
- Department CIO policy memorandum and Under Secretary (Acquisition & Sustainment) implementation procedures, public-release case 26-P-1023, July 2026.
- 32 CFR Part 170 (CMMC Program rule; effective December 16, 2024) — eCFR / Federal Register.
- DFARS 252.204-7012, 252.204-7019, 252.204-7020, and 252.204-7021; DFARS Subpart 204.75 — Acquisition.gov (current as of the DFARS change dated May 7, 2026).
- NIST SP 800-171 Revision 2 (110 requirements across 14 control families) and NIST SP 800-172 — NIST Computer Security Resource Center.
- Executive Order 14347, “Restoring the United States Department of War,” 90 FR 43893 (September 10, 2025) — Federal Register.
- False Claims Act, 31 U.S.C. § 3729 — U.S. Code.
- U.S. Department of Justice, “Alabama Defense Contractor Agrees to Pay $507,144 to Resolve False Claims Act Liability Relating to Cybersecurity Violations,” June 18, 2026 (Press Release 26-676) — justice.gov.
Accreditation-body materials
- The Cyber AB, “Statement on the Department of War's Suspension of CMMC Phase II Requirements,” July 15, 2026; Cyber AB Code of Professional Conduct v2.0 and CMMC Assessment Process (CAP) v2.0.
Attributed industry and legal commentary (not regulatory evidence)
- Federal News Network; DefenseScoop; Breaking Defense; National Defense Magazine (Redspin and CyberSheath statements); law-firm client alerts (Crowell & Moring; Sheppard Mullin; Jenner & Block; Dentons; Akin Gump).