The Defense Compliance ReportCMMC 2.0 & the Defense Industrial Base
Updated July 15, 2026 — CMMC Phase II suspended July 13, 2026. Level 1 and Level 2 self-assessment pathways remain active where required. No replacement Phase II date has been announced.

Is CMMC Still Required After the Suspension? What Contractors Must Do Now

By The Defense Compliance Report Editorial Team — an independent trade publication on CMMC 2.0 and DIB compliance.

·

The Defense Compliance Report is not affiliated with the Cyber AB, the Department of Defense (also referred to as the Department of War), DCMA DIBCAC, NIST, or any U.S. government agency.

Is CMMC still required after the suspension? Yes. CMMC remains required wherever a solicitation, contract, or prime flow-down calls for a CMMC status.

On July 13, 2026, the Department suspended CMMC Phase II — the scheduled expansion of third-party assessment requirements set to begin November 10, 2026 — and suspended the pending and future milestones behind it. But it paused a verification mechanism, not the security obligation. The underlying DFARS duties, the NIST controls, and your existing CMMC level remain active where your contract says they do.

Then the qualifier that decides your next move: if an active solicitation or an existing contract still lists Level 2 (C3PAO) or Level 3, don't treat the announcement as an automatic contract change. The Department directed contracting officers to issue the amendment or modification — it did not tell you to strike the clause out yourself. Look for the paperwork first.

Here's the part almost nobody is saying out loud, and the reason we read every source ourselves before writing this: the suspension didn't lower your risk so much as move it. For a contractor with a gap, the most dangerous response this week is to exhale, freeze remediation, and keep affirming a compliant score. We'll show you exactly where the risk went — with the DFARS clauses and a real Department of Justice settlement to back it up — and it's not where most vendors are pointing.

The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor's level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.

The 20-second version: what paused, what didn't

CMMC requirements status after the July 13, 2026 suspension
Requirement or pathwayStatus after July 13, 2026What it means today
CMMC Level 1 (Self) — 15 basic safeguards for Federal Contract Information (FCI)Active where requiredKeep your annual self-assessment and affirmation current
CMMC Level 2 (Self) — 110 NIST SP 800-171 Rev. 2 requirements for Controlled Unclassified Information (CUI)Active where requiredKeep implementing, keep your evidence, keep affirming
New Level 2 (C3PAO) — third-party assessmentSuspendedNo new government requirement for a certificate right now
New Level 3 (DIBCAC) — government assessment of the most sensitive CUISuspendedPending/future milestone, paused until further notice
DFARS 252.204-7012 — safeguard covered defense information; report incidentsIn effect where includedUntouched by the suspension
NIST SP 800-171 Revision 2 — the Level 2 control setStill the assessment basisRevision 3 has not replaced it for CMMC
NIST SP 800-171 DoD Assessment score in SPRS (DFARS 252.204-7019/-7020)Still required where clauses applyVerify your current summary score is posted
CMMC status + annual affirmation (32 CFR Part 170; DFARS 252.204-7021)Still required for your statusAffirm after assessment and annually thereafter
Government-led (DCMA/DIBCAC) assessmentsStill happeningThe government's own auditors were not removed
A new Phase II dateNot announcedDon't assume a replacement deadline

Primary sources: Department of War release, July 13, 2026 (war.gov); Department CIO policy memorandum and Under Secretary (Acquisition & Sustainment) implementation procedures, public-release case 26-P-1023; 32 CFR Part 170 (eCFR); DFARS 252.204-7012, -7019, -7020, and -7021 (Acquisition.gov, current as of the DFARS change dated May 7, 2026). Full links at the end.


What exactly did the Department suspend on July 13, 2026?

The Department suspended the November 2026 Phase II transition — the scheduled expansion of third-party (C3PAO) assessment requirements across applicable procurements — along with all pending and later CMMC milestones. Phase I self-assessment requirements, in place since November 10, 2025, remain firmly in place.

A C3PAO (CMMC Third-Party Assessment Organization) is a private firm authorized or accredited to perform CMMC Level 2 certification assessments. DIBCAC(the Defense Industrial Base Cybersecurity Assessment Center, part of DCMA — the Defense Contract Management Agency) is the government's assessment team; it would have run Level 3. Phase II was not the first moment a C3PAO requirement could appear in a contract — it was the scheduled expansion of that requirement across applicable procurements. During Phase I (beginning November 10, 2025), requiring activities could already include Level 2 (C3PAO) in select procurements. Now that discretion is paused.

The Department's official July 13 release on war.gov states directly: “All Phase I self-assessment requirements remain firmly in place,” and “this action does not eliminate the requirement for companies to protect federal data. All defense contractors and subcontractors remain contractually obligated to safeguard covered defense information in accordance with DFARS clause 252.204-7012.” During the interim, the released procedures also confirm that CMMC waiver processing is suspended during the review.

The action was carried out by two documents cleared for public release under case number 26-P-1023: a policy memorandum from the Department CIO, Kirsten A. Davies, and implementation procedures from Under Secretary for Acquisition and Sustainment Michael Duffey. The stated rationale is cost and capacity. Officials cited Small Business Administration data suggesting future CMMC phases could cost small and mid-sized firms billions of dollars a year, and Davies pointed to delays in building sufficient C3PAO assessment capacity.

A quick note on the name

If “Department of War” threw you: Executive Order 14347 (signed September 5, 2025) authorized “Department of War” and “Secretary of War” as an additional secondary title for official correspondence, public communications, ceremonial contexts, and non-statutory documents. The order is explicit that statutory references to the Department of Defense and Secretary of Defense “shall remain controlling until changed subsequently by the law.” That's why current official communications may use either name, and why this report uses both.

What the suspension did not do

The former schedule, for context

Former CMMC phased implementation schedule and current status
Former milestoneWas scheduled forStatus now
Phase I — Level 1 (Self) and Level 2 (Self)November 10, 2025 through November 9, 2026Self-assessment designations continue
Phase II — expansion of Level 2 (C3PAO)November 10, 2026Transition suspended
Phase III — Level 3 (DIBCAC)November 10, 2027Pending milestone suspended
Phase IV — full incorporationNovember 10, 2028Pending milestone suspended
Replacement scheduleNot announced

Is CMMC dead, or just paused? Suspended versus repealed

CMMC is not dead. The July 13 action was a policy decision and implementation procedures — not a rule change. It did not amend 32 CFR Part 170 (the CMMC Program rule) or the CMMC contract clause, DFARS 252.204-7021, both of which remain in force. As of July 15, 2026, CMMC is paused, not repealed.

Within hours of the announcement, “CMMC is dead” was everywhere. It's wrong, and the error is always the same: it confuses the certification mechanism with the security requirement. The Department paused the third-party verification step. It did not — and by memorandum alone, could not — erase the duty to protect covered defense information. That duty predates CMMC and outlives this pause.

It helps to see the layers that actually govern you. The Defense Compliance Report calls this the CMMC authority stack:

CMMC authority stack: what each layer is and what July 13 did to it
LayerWhat it isWhat the July 13 action did to it
Codified authority32 CFR Part 170 (CMMC Program rule) and DFARS 252.204-7021 (contract clause)Unchanged; still in force
Implementation directionThe July 13 release and CIO/Under Secretary procedures (case 26-P-1023)New layer — directs how the Department applies the rule during the review
Binding procurement instrumentYour solicitation, amendment, contract, modification, or subcontract flow-downUnchanged until the specific document is amended or modified

The top layer is codified regulation. A memorandum can change how the middle layer is implemented; it cannot rewrite the top. What 's on hold is the Department's use of its discretion to designate the higher assessment levels — not the regulation itself.

The accreditation body reads it the same way. In its July 15, 2026 statement, the Cyber AB — the official, non-governmental accreditation body for CMMC — said only Phase II implementationwas suspended and that the rest of the ecosystem (C3PAO Level 2 certification assessments, training, exams, Registered Practitioner support, and DIBCAC's oversight of C3PAOs) remains operational. Its own characterization was “a pause, not a stop.”

Could it still be canceled? Possibly. When reporters pressed, Davies and Duffey pointedly declined to rule out ending the program at the end of the review. The official written release does not state the review's outcome. So the honest status is: suspended today, genuinely uncertain tomorrow, and still codified underneath. Plan against the rule that exists — not the outcome you're hoping for.


Is CMMC still required after the suspension — and which requirements still apply?

During the suspension, Level 1 (Self) and Level 2 (Self) remain the permitted CMMC designations. Applicable contractors must also keep meeting the underlying FAR/DFARS safeguards, maintain a current NIST assessment and SPRS score where the assessment clauses apply, affirm their CMMC status where they hold one, and cooperate with government-led assessments. The third-party assessment is what paused — not the work underneath it.

Several separate obligations get collapsed into one word, “CMMC.” They aren't the same, and only one was touched. Below is our SPRS record crosswalk — the three (really four) records contractors blur together, with the trigger, the owner, and the primary authority for each.

SPRS records crosswalk: what triggers each, who submits it, and the governing authority
RecordWhat triggers itWho submits itWhere it livesPrimary authority
NIST SP 800-171 DoD Assessment summary score (Basic self-assessment, or government Medium/High)DFARS 252.204-7019/-7020 in the solicitation/contractYou (Basic) or the government (Medium/High)SPRSDFARS 252.204-7019, -7020
CMMC self-assessment result / statusContract specifies Level 1 (Self) or Level 2 (Self)YouSPRS32 CFR Part 170; DFARS 252.204-7021
CMMC certification result / status (C3PAO)Contract specifies Level 2 (C3PAO)The C3PAO transmits the result; your status posts to SPRSSPRS32 CFR Part 170; DFARS 252.204-7021
CMMC affirmation of continuous complianceYou hold a CMMC statusYour named Affirming OfficialSPRS32 CFR Part 170

Notice what this means: DFARS 252.204-7012 by itself does not create your SPRS score or your CMMC affirmation. Those come from the assessment clauses (7019/7020) and the CMMC clause (7021).

Now the specifics.

Level 1 (Self) — for FCI. If a solicitation, contract, or flow-down requires CMMC for an in-scope system that handles Federal Contract Information (FCI) — non-public information you handle in performing a contract, but not CUI — Level 1 (Self) is the applicable path: 15 requirements, an annual self-assessment, and an annual affirmation. There is no reason to buy a C3PAO assessment for a Level 1 requirement.

Level 2 (Self) — for CUI. If an applicable solicitation, contract, or flow-down requires Level 2 for an in-scope system that processes, stores, or transmits Controlled Unclassified Information (CUI), Level 2 uses all 110 NIST SP 800-171 Revision 2 requirements across 14 control families, on a three-year assessment cycle, with annual affirmations, a current System Security Plan (SSP), and maintained evidence. The procurement states whether the required status is Level 2 (Self) or Level 2 (C3PAO). One confirmed carve-out: CMMC does not apply to acquisitions exclusively for commercially available off-the-shelf (COTS) items.

Level 3 (DIBCAC) — for the most sensitive CUI. Level 3 requires a Final Level 2 (C3PAO) status for the same scope, plus a selected subset of enhanced requirements from NIST SP 800-172, assessed by the government. New Level 3 designations are among the milestones now paused.

DFARS 252.204-7012 — for everyone with the clause. This is the safeguarding-and-incident-reporting clause. It was not suspended, and it operates independently of CMMC. Its NIST implementation provision required covered systems subject to the clause to implement the specified requirements no later than December 31, 2017.

Government-led assessments — still live.The pause covers new Level 3 (DIBCAC) designations, but it does not stop the government from conducting a NIST SP 800-171 Assessment where DFARS 252.204-7020 applies. Under that clause, DoD (for example, DCMA) conducts Medium and High Assessments and posts the summary score to SPRS. The Department's own release confirmed “select government-led assessments” continue.

Revision 2 vs. Revision 3 — don't get ahead of the rule. NIST withdrew Revision 2 from its active publication catalog on May 14, 2024 and superseded it with Revision 3. That did not automatically amend the CMMC Program rule or the applicable DFARS requirements: 32 CFR Part 170 still incorporates the February 2020 Revision 2 publication with its January 2021 updates, and current Department guidance still assesses CMMC against Revision 2. If your team is implementing Rev. 3 controls, good — but you still have to account for any gaps against the Rev. 2 assessment basis.

The right CMMC provider isn't the same for every contractor — the category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist.

Use the Find My CMMC Path tool →

Free · ~2 minutes · do not submit CUI, drawings, or sensitive contract details. Provider matching, if you choose it, may generate referral compensation when disclosed.

For how the three levels differ in full, see our CMMC levels explainer. (RPO/RP = Registered Provider Organization / Registered Practitioner; MSSP = Managed Security Service Provider; GRC = governance, risk, and compliance platform; CUI enclave = a segmented, hardened environment that isolates CUI to shrink your assessment scope.)


What does the suspension mean for your exact solicitation or contract?

The practical answer depends on which document you're holding — an active solicitation, an existing contract, an upcoming option, or a subcontract flow-down — because the Department directed a different written action for each. Find the governing document and its assessment type before you change scope, spending, or any compliance representation.

Below is our CMMC Suspension Contract Action Matrix — built by mapping the Department's implementation procedures against the situations contractors are actually in, then adding the columns nobody else combines: the written artifact that controls your situation, and the least-regret action that follows. Find your row.

CMMC Suspension Contract Action Matrix: situation, status, ongoing duties, controlling document, and least-regret action
Your situationStatus after July 13What still appliesThe document that controls itLeast-regret next action
FCI only; solicitation says Level 1 (Self)Level 1 self-assessment remains an allowed designationFAR basic safeguards; current Level 1 status; annual assessment & affirmationSolicitation, contract, FCI determinationKeep the Level 1 baseline current. Don't buy a C3PAO assessment.
CUI; solicitation says Level 2 (Self)Level 2 self-assessment remains an allowed designationNIST 800-171 Rev. 2; applicable DFARS duties; SSP; SPRS score & affirmationSolicitation, contract clauses, SSP, SPRS recordContinue remediation and evidence work. Verify self-assessment and affirmation are current.
Active solicitation still says Level 2 (C3PAO)Requirement is to be amended outSeparately applicable safeguarding and NIST assessment duties continueThe written solicitation amendment — not the announcementAsk the contracting officer when the amendment issues.
Active solicitation still says Level 3 (DIBCAC)New Level 3 designations paused; solicitation to be amendedAny separately applicable security requirementsWritten solicitation amendmentGet written clarification before pricing or representing compliance.
Existing contract contains Level 2 (C3PAO) or Level 3To be removed by modification before next option or scheduled administrative modCurrent contract safeguards until the document changesSigned contract modificationDon't self-delete the clause. Request written timing and instructions.
Prime still demands a certificate from you (sub)Government's new-designation policy changed; the prime's flow-down may not haveFCI/CUI safeguarding; valid flow-down dutiesSubcontract, purchase order, revised prime directionAsk the prime to state data type, level, assessment type, evidence, and effective date in writing.
C3PAO assessment booked, but no current document requires itNew C3PAO designations paused; no universal rule on voluntary assessmentsYour underlying security program may still be necessaryEngagement agreement; target solicitations; written customer demandsSeparate the assessment's strategic value from the old November deadline. Read your cancellation terms first.
C3PAO assessment already in progressThe suspension materials give no universal stop-work or refund ruleExisting agreement, security work, customer commitmentsAssessment contract; current stage; customer requirementsGet written options and costs from the C3PAO. Neither finishing nor cancelling is automatically correct.
You hold a Final or Conditional Level 2 (C3PAO) statusNo announced automatic revocation; new government requirements for that status pausedStatus-maintenance duties; annual affirmationCertificate of CMMC Status; annual affirmation; target solicitationsKeep your status and affirmation accurate. Don't promise it will (or won't) be required after reform.
Contract has DFARS 252.204-7012 but no separate CMMC or NIST assessment clauseSafeguarding duties were not suspendedSafeguarding and incident reportingContract clausesContinue the work. Check separately for 252.204-7019, -7020, -7021.
No FCI, no CUI, no applicable safeguarding clauseCMMC may not apply — but the documents decideAny other contractual security provisionsSolicitation, contract, data-flow analysisConfirm scope before spending. Don't assign yourself a level from a generic checklist.

The concept under this whole table — document-controlled relief. An announcement explains policy. A solicitation amendment, a contract modification, or a revised subcontract changes the instrument you're actually bound by. The Department told its contracting officers to change those documents. It did not tell you to reinterpret or edit your own contract on the strength of a news release. If your paperwork and the policy disagree, the safe move is to get the paperwork corrected — and, where the stakes are real, to run it past a CMMC Registered Practitioner or a qualified federal-contracts attorney. This report is educational research, not legal advice.

Before you decide anything, have these open in front of you: your solicitation and all amendments; your contract and all modifications; any option notice; your prime flow-down or supplier letter; the DFARS clauses in the contract; the listed CMMC level and assessment type; your CAGE code(s); and your current SPRS record.

Not sure what your document actually requires now? Map it in two minutes.

The Defense Compliance Report's Find My CMMC Path tool walks through your document type, FCI vs. CUI scope, the assessment type written in your contract, and your timeline, then points you to the provider category to evaluate first — and flags what to verify before you spend. It's free, it takes about two minutes, and it accounts for the post-suspension picture on this page.

Find My CMMC Path →

Do not submit CUI, drawings, contract numbers, or sensitive program details. The tool is educational triage, not compliance advice. Provider matching, if you choose it, may generate referral compensation when disclosed; it does not control the tool's category logic or this report's analysis. See how your information is handled before you share anything: privacy and data use.


What if your solicitation or contract still says Level 2 (C3PAO) or Level 3?

For an active solicitation, the Department directed the requiring activity to amend the requirement and the contracting officer to issue that amendment as soon as practicable. For an existing contract, contracting officers were directed to remove the requirement by modification before the next option period or scheduled administrative modification. Until that written change appears, ask — don't assume, and don't self-delete.

If it's an active solicitation: look for a numbered amendment. Check whether the required status shifted to Level 2 (Self), and whether proposal dates or representations changed with it. Do not rely on a vendor email or a LinkedIn post summarizing the news — rely on the amendment.

If it's an existing contract: look for a signed modification, and watch the timing around your next option. Confirm whether any deliverables, representations, or status requirements changed. Keep performing every unrelated cybersecurity clause in the meantime.

Because the fastest way to resolve this is to ask the right person the right way, here's a neutral message you can adapt and send today.

“We're reviewing the July 13, 2026 CMMC Phase II suspension procedures against [solicitation/contract number]. Please confirm in writing: (1) whether the current Level 2 (C3PAO) or Level 3 requirement will be removed; (2) whether Level 2 (Self) will replace it; (3) when the amendment or modification will issue; (4) whether proposal, award, or option dates are changing; and (5) what CMMC status or evidence will be required after the change.”

One safety note: do not paste CUI, drawings, or controlled technical details into any web form or shared channel.

Bring in counsel or an RP/RPO when your documents conflict, when a proposal or option is imminent, when a prime refuses to revise a flow-down, when cancellation or reliance costs are material, when you've already submitted a representation, or when you genuinely aren't sure whether your information is FCI or CUI.

→ Tracking the official actions as they happen? See our CMMC Reform Review tracker — dated government actions and source links, no predictions.


Does the CMMC suspension reduce your False Claims Act risk?

No. The third-party C3PAO audit paused; the liability didn't. Pausing new Level 2 (C3PAO) designations did not suspend the False Claims Act or the underlying contract duties. An inaccurate NIST assessment score or CMMC affirmation can create False Claims Act exposure when someone knowingly — including through deliberate ignorance or reckless disregard — makes a false statement material to a government payment or decision.

Under the Phase II model that was coming, an independent third-party assessor would have reviewed your Level 2 implementation before certifying it. Removing that step doesn't lower the bar — it shifts the reliance onto your own self-attestation. During the suspension, the accuracy of your self-reported SPRS score and your annual affirmation carries the weight, and the government's own auditors are still in the field.

This isn't theoretical, and it isn't old news. On June 18, 2026 — weeks before the suspension — the Justice Department announced that LOGZONE Inc., a Huntsville, Alabama defense contractor, agreed to pay $507,144to resolve False Claims Act allegations tied to two Navy contracts. According to the DOJ's own release, from May 2021 to March 2025 the company allegedly failed to implement certain NIST SP 800-171 controls; against a perfect score of 110 reflected in the record, a government assessment scored its environment at −170, at the low end of the possible range of −203 to 110. (The claims were resolved as allegations only, with no determination of liability.)

Read that timeline again. The conduct predates CMMC Phase II entirely. The contracts incorporated DFARS 252.204-7012, -7019, and -7020 — the exact obligations the Department just told you to keep meeting — and the damaging score came from a government assessment under 7020, the kind that did not pause.

FCA crosswalk: what each record is, accuracy duty, what LOGZONE shows, and what it does not establish
Record or representationGoverning sourceAccuracy dutyWhat LOGZONE showsWhat it does not establish
NIST SP 800-171 assessment score in SPRSDFARS 252.204-7019/-7020Post a current, accurate summary scoreA posted score can be tested by a government assessment years laterThat every imperfect score is a violation
CMMC / self-attested compliance representation32 CFR Part 170; DFARS 252.204-7021Represent your status accuratelyMisrepresenting posture can support FCA allegationsThat liability is automatic without scienter and materiality
Payment claims on the contractFalse Claims Act (31 U.S.C. § 3729)Don't knowingly submit false claimsA $507,144 settlement resolved the allegationsA fixed penalty formula for any inaccuracy

The False Claims Act reaches a knowingly false claim, or a knowingly false record or statement material to a false claim. “Knowingly” includes actual knowledge, deliberate ignorance, and reckless disregard. Treble damages are a statutory consequence of a violation — not an automatic result of an inaccurate score. The amount of any settlement or judgment turns on the actual facts: the claims, the damages, scienter, materiality, cooperation, and more.

The suspension removed the November 10 audit-deadline pressure, giving you a window to close real gaps and correct an inaccurate score before a government assessment does it for you. Correcting a score yourself is a far stronger position than having DIBCAC find the gap during a Medium or High Assessment. The audit deadline that was forcing expensive evidence-packaging and audit-choreography spend is gone. What's left is the work that actually protects your data and defends you: closing genuine Rev. 2 gaps, keeping an honest SSP, maintaining evidence.

If your SPRS score and your real controls don't match, closing that gap is the priority now — not waiting on the review.

The right help depends on the gap: an RPO or MSSP to build and run controls, a GRC platform to organize evidence, or a CUI enclave to shrink your scope. Match the fix to the finding before you request quotes.

Independent, category-first guidance. Provider matching, if you choose it, may generate referral compensation when disclosed; it does not control our category guidance or regulatory analysis. Do not submit CUI or sensitive contract details.


Do I still need a C3PAO assessment? And should I cancel one I've booked?

No requiring activity should be adding a new Level 2 (C3PAO) designation during the suspension, so you shouldn't buy an assessment merely because the old November 10 milestone was looming. A voluntary or customer-driven assessment can still hold real strategic value — but that's now a business decision to justify against actual opportunities, contract language, cost, and cancellation terms, not a deadline to beat.

When the answer is probably “not yet”: no current solicitation or contract requires a C3PAO; the only urgency was the former November date; your scope and SSP aren't mature; you haven't signed the engagement; leadership is reacting to vendor-manufactured deadline pressure. Keep the security readiness work; hold the assessment purchase.

When the answer is “verify before you decide”: a live solicitation still contains C3PAO language; a prime has a written, customer-backed requirement; you're already mid-assessment; a teaming arrangement values an existing certificate; your cancellation costs are substantial; or leadership wants independent assurance for reasons beyond contract eligibility.

C3PAO assessment decision matrix: what to continue, hold, or verify for each situation
Your situationContinue nowHold nowVerify before deciding
Assessment not contracted; no current C3PAO requirementSecurity readinessThe formal assessment purchaseWhich target solicitations actually require it
Deposit paid; work not startedReadiness and evidenceAdditional nonrefundable spendCancellation terms and real customer need
Assessment in progressAccurate cooperation and evidenceOptional add-onsCost to finish vs. cost to stop
Final or Conditional status already heldStatus accuracy and affirmationAssumed future-value claimsCurrent solicitations and later official guidance
Prime demands a certificateUnderlying security workBlind acceptance or refusalThe written flow-down and its customer basis

One structural point that survives the suspension: readiness and assessment must stay independent. Under the Cyber AB's rules, a C3PAO and every member of its assessment team may not participate in a Level 2 certification assessment if they served as a consultant preparing that organization for any CMMC assessment within the previous three years; other conflicts must be disclosed and mitigated. If you're deciding who to bring in first, our who-to-hire-first guide walks the sequence.

The least-regret strategy isn't “keep spending” and it isn't “cancel everything.” It's this: preserve the controls and evidence that protect your current contracts, and require a fresh, document-based justification for every dollar of formal-assessment spend.

Want a self-serve next step? Download the CMMC Readiness Checklist— the controls and evidence that still matter, organized to the 14 control families. Free, and there's no better use of this window.

CMMC Readiness Checklist →

Should you stop your NIST 800-171 and SPRS work — or pause spending?

Do not stop the safeguarding, documentation, remediation, self-assessment, or evidence work tied to your current contracts. Do revalidate any spending that existed solely to obtain a third-party certificate on the suspended schedule — especially before you sign a new, nonrefundable engagement.

Here's the clean sort. Print it, hand it to your team, run every open invoice through it.

Post-suspension spending sort: what to stop assuming, keep doing, and verify before spending
Stop assumingKeep doingVerify before spending
November 10, 2026 is still the live C3PAO dateProtecting FCI and CUIWhether a current document requires a C3PAO
"Suspended" means all cyber duties vanishedClosing real Rev. 2 gapsAmendment or modification status on your contract
The announcement changed your contractMaintaining your SSP and evidenceYour prime's actual flow-down
A compliance platform alone proves complianceKeeping your assessment score and affirmation honestCancellation and refund terms
Every contractor needs a provider immediatelyIncident-response and reporting readinessWhether an enclave still solves a real scope problem
All prior spend was wastedMonitoring official changesWhether a formal assessment has independent commercial value

The work that almost always keeps its value: CUI inventory and data-flow mapping, scope reduction, identity and access controls, multifactor authentication, configuration management, incident response, an accurate SSP, evidence discipline, and supplier/external-service-provider governance. That's not compliance theater — that's the security your contracts require and your customers expect, with or without an assessor in the room. (For where the real money goes, see our CMMC Level 2 cost breakdown.)

The work that now needs a new business case: C3PAO deposits and scheduling fees, assessment-only consulting, rush premiums, and any long-term platform or migration you bought onlybecause of the old date. Be honest with yourself here — some assessment-specific spend may simply not carry the same procurement value right now. Reprice it; don't pretend.


What does the CMMC suspension mean for primes and subcontractors?

The suspension changes which CMMC assessment types the Department is directing into new procurements. It does not automatically erase FCI/CUI safeguarding duties or every existing subcontract obligation. Primes and subs should replace vague “go get certified” demands with written, procurement-specific instructions that name the data type, level, assessment type, evidence, and effective date.

If you're a prime, give your suppliers a clarification they can act on. Copy this template:

Post-Suspension Supplier Clarification

  1. Data type: FCI, CUI, both, or neither.
  2. Required CMMC level.
  3. Assessment type: Level 1 (Self), Level 2 (Self), or Level 2 (C3PAO).
  4. Contractual or customer basis for the requirement.
  5. Evidence requested.
  6. Effective date.

That five-minute email prevents a hundred confused supplier calls.

If you're a sub, ask the questions that separate a real obligation from a nervous preference: Is this a formal subcontract clause or a supplier-readiness ask? Has the prime received an amendment or modification? Is Level 2 (Self) now acceptable? Which system or CAGE code is in scope? Is the evidence needed before proposal, before subcontract award, or before you touch data?

And keep one distinction sharp: government procurement policy, a prime's own contractual duties, and a prime's private supplier standards are not the same thing. A prime can maintain a commercial security bar the government isn't currently mandating. The July 13 directives do not themselves amend your subcontract — so don't assume the suspension frees you from a flow-down without reading the flow-down and, if needed, revising it through the applicable contracting parties.


Could CMMC return after the review?

The Department announced a review by a new CMMC Reform Task Force but did not announce its outcome or a replacement date. Possible results range from a reformed, scaled-down framework to — officials declined to rule it out — ending the program. Nothing is settled. Plan against the rule that's still in force, and watch the dated milestones.

What's known: a CMMC Reform Task Force, led by the Department CIO, is conducting a top-to-bottom review. It's drawing on a public Request for Information (RFI), and it is charged with delivering a final report to the CIO within 60 days of the July 13 announcement (roughly mid-September 2026). Per the RFI as reported by multiple government-contracts law firms, comments are due 12:00 PM ET on Friday, August 14, 2026. Separately, the Cyber AB has scheduled a CMMC Town Hall for July 28, 2026 at 6:00 p.m. ET to address the pause and review.

What's not known: whether third-party assessments return in the same form; whether thresholds, scope, or frequency change; whether a new schedule appears; how existing certificates are treated; whether costs or provider roles shift; or whether new rulemaking will be required for specific reforms.

A word on the cost argument: the Department cited SBA figures suggesting future phases could cost small and mid-sized firms billions of dollars a year. But some of the sharpest voices in the ecosystem push back: they argue that most of the eye-watering per-firm cost estimates reflect NIST 800-171 implementation — which the Department explicitly told you to keep doing — rather than the C3PAO assessment itself, which industry estimates put in the tens of thousands of dollars every three years for most companies outside Level 3. Dropping the C3PAO requirement does not save a contractor the six-figure cost of actually being secure, because that cost was never mostly the audit.

Possible CMMC reform procedural outcomes and what to watch for each
Possible procedural outcomeWhat to watch for
Phase I continues longerContinued self-assessment and SPRS guidance
A revised third-party modelNew eligibility, scope, or frequency language
A new phased scheduleA formal memo, Federal Register action, or acquisition guidance
Broader government-led verificationChanges to assessment and enforcement guidance
A rule amendmentProposed or final rulemaking on 32 CFR Part 170

We record each signed memo, official FAQ, and rule change as it actually happens — no predictions — in the CMMC Reform Review tracker.


What should defense contractors do after the CMMC suspension?

Pull your controlling documents, identify the required level and assessment type, look for a written amendment or modification, and keep your applicable safeguards and self-assessment records current. Do not cancel an assessment, sign a new one, or change a compliance representation on the strength of the announcement alone. Then write the decision down.

Your next 48 hours, in order:

  1. Pull every controlling document — solicitation, amendments, contract, modifications, option notices, and subcontract flow-downs.
  2. Find the listed assessment type — Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3.
  3. Confirm FCI vs. CUI — from your contract and data flows, not a generic quiz.
  4. Check for a written change — an amendment or modification, not just an announcement.
  5. Preserve current security work — safeguards, evidence, incident readiness, an accurate self-assessment, and your SPRS/affirmation status.
  6. Sort every open invoice into Continue, Hold, or Verify — separating operating security from formal certification.
  7. Document the decision— the source you checked, the date, who's responsible, the open question, and your next review date.

That last step is the one contractors skip and later wish they hadn't. When the Task Force reports and your leadership asks “why did we keep spending / why did we stop,” a dated record of what you verified and why is worth more than any vendor's reassurance. Copy this worksheet and fill one out per procurement:

CMMC Suspension 48-Hour Review Worksheet

CMMC Suspension 48-Hour Review Worksheet fields
Procurement / contract ID___________________________________________
Document type (new solicitation / active solicitation / existing contract / option / subcontract)___________________________________________
FCI, CUI, both, or neither___________________________________________
Listed CMMC level___________________________________________
Listed assessment type (Self / C3PAO / Level 3)___________________________________________
Written amendment or modification number (if any)___________________________________________
Current SPRS score / affirmation status___________________________________________
Open provider or C3PAO commitments___________________________________________
Decision — Continue / Hold / Verify___________________________________________
Source checked and date___________________________________________
Decision owner___________________________________________
Next review date___________________________________________

Turn the suspension into a documented next step — without guessing, and without oversharing.

Tell us your level, scope, and timeline, and we'll match you with source-checked CMMC provider options — or tell you if the answer is “no provider yet.”

Get matched with source-checked provider options →

Do not submit CUI, drawings, controlled technical information, or contract files. Provider matching may generate referral or lead-routing compensation when disclosed; it does not control this report's regulatory analysis or category guidance. Prefer to explore on your own first? Find My CMMC Path.


What The Defense Compliance Report verified

We don't ask you to take any of the above on faith. Here's what we checked, on what date, and — just as important — what we did not claim.

Verified July 15, 2026:

What we did not claim:

Who, how, and why. This report was produced by The Defense Compliance Report Editorial Team through primary-source review and current-status verification, checked against an internal claim record before publication. Our research approach is documented at Methodology and Editorial Standards; we correct errors promptly and log them at Corrections.

Disclosure: The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance. We may receive compensation for qualified introductions, sponsorships, or partner referrals when disclosed. Compensation does not control our regulatory analysis, provider-category recommendations, or Cyber AB status verification.

This report is educational research, not legal, contractual, or compliance advice. CMMC requirements vary by contract, scope, and CUI handling. Confirm scope and applicability with a CMMC Registered Practitioner (RP/RPO) or a qualified federal-contracts attorney before making compliance decisions.


Frequently asked questions

Was CMMC canceled?
No. Only Phase II implementation was suspended on July 13, 2026. The program rule (32 CFR Part 170) and the CMMC contract clause were not amended, and the Cyber AB says the rest of the program remains operational. Officials declined to rule out ending CMMC after the review, but as of July 15, 2026 it is paused, not canceled.
Is November 10, 2026 still the CMMC Phase II deadline?
No. The scheduled expansion of third-party (C3PAO) requirements on that date is suspended, and no replacement date has been announced.
Is CMMC Level 2 still required?
Level 2 (Self) can still be required where a solicitation, contract, or flow-down specifies it, along with the 110 NIST SP 800-171 Rev. 2 requirements underneath it. New Level 2 (C3PAO) designations are suspended during the review.
Do I still need a C3PAO assessment?
Not merely because of the former November 10 milestone. Check your actual written requirements, any amendment, real customer demand, and your existing engagement terms before deciding.
Is NIST SP 800-171 Revision 2 still required?
Yes, where applicable. It remains the CMMC Level 2 assessment basis; 32 CFR Part 170 still incorporates the February 2020 Rev. 2 publication with its January 2021 updates, even though NIST superseded Rev. 2 with Rev. 3 in its own catalog in 2024.
Do I still need a NIST 800-171 DoD Assessment score in SPRS?
Yes, where DFARS 252.204-7019/-7020 or applicable contract language requires it. Those clauses — not DFARS 252.204-7012 alone — establish the current-assessment and SPRS-summary-score mechanics.
What is the difference between a NIST assessment score, a CMMC status, and a CMMC affirmation?
They are three separate SPRS records. The NIST SP 800-171 DoD Assessment summary score comes from DFARS 252.204-7019/-7020. The CMMC status (self or C3PAO) comes from 32 CFR Part 170 and DFARS 252.204-7021. The annual affirmation of continuous compliance is entered after a CMMC assessment and annually thereafter. Which ones you owe depends on the clauses in your contract.
How long does a Conditional CMMC Status last?
A Conditional Level 2 (C3PAO) Status generally expires after 180 days unless the associated Plan of Action and Milestones (POA&M) is closed through a C3PAO closeout assessment. A Final status is generally current for up to three years, subject to an affirmation not older than one year and continued compliance.
Can DIBCAC still assess us?
Yes. New Level 3 (DIBCAC) designations are suspended, but the government can still conduct Medium and High NIST SP 800-171 Assessments where DFARS 252.204-7020 applies — the LOGZONE case above involved exactly such a government assessment.
What if my solicitation still says C3PAO?
Look for the written amendment and ask the contracting officer for timing. Do not silently disregard the existing language.
What if my existing contract still says C3PAO?
Look for a signed contract modification, particularly before your next option or scheduled administrative modification.
Can my prime still require a certificate?
Possibly. Get the requirement and its customer basis in writing. Government implementation policy and a prime's contractual or commercial supplier requirements are not the same thing, and the July 13 directives do not themselves amend your subcontract.
Should I cancel my scheduled C3PAO assessment?
Not automatically. Review actual contract demand, your cancellation terms, the stage of work, and the business value of finishing versus stopping.
Are completed CMMC certificates invalid now?
The materials we reviewed do not state that an existing CMMC status is automatically revoked, and they do not guarantee how it will be treated after reform. Keep your status and affirmation accurate and monitor official guidance.
How long must I keep CMMC assessment evidence?
Under 32 CFR Part 170, assessment records are generally retained for six years from the CMMC Status Date, and Level 2 (C3PAO) evidence carries specific handling requirements. Keep your evidence intact through the review.
Did the suspension eliminate cyber-incident reporting?
No. DFARS 252.204-7012 remains in effect where your contract includes it.
When will Phase II resume?
No replacement date has been announced. Track official actions in our CMMC Reform Review tracker.

Need help deciding what type of CMMC provider you need?

Tell us your level, scope, and timeline, and we'll match you with source-checked CMMC provider options. We map your situation to the right provider category — a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave — so you evaluate the right kind of help before you request quotes.

Do not submit CUI, drawings, controlled technical information, contract files, or other sensitive data. Provider matching may generate referral, sponsorship, or partner compensation when disclosed. It does not influence our regulatory analysis or category guidance.


Sources

Primary authorities

  • U.S. Department of War, “Forging the Arsenal of Freedom: Department of War Suspends CMMC Phase II Requirements,” July 13, 2026 — war.gov
  • Department CIO policy memorandum and Under Secretary (Acquisition & Sustainment) implementation procedures, public-release case 26-P-1023, July 2026.
  • 32 CFR Part 170 (CMMC Program rule; effective December 16, 2024) — eCFR / Federal Register.
  • DFARS 252.204-7012, 252.204-7019, 252.204-7020, and 252.204-7021; DFARS Subpart 204.75 — Acquisition.gov (current as of the DFARS change dated May 7, 2026).
  • NIST SP 800-171 Revision 2 (110 requirements across 14 control families) and NIST SP 800-172 — NIST Computer Security Resource Center.
  • Executive Order 14347, “Restoring the United States Department of War,” 90 FR 43893 (September 10, 2025) — Federal Register.
  • False Claims Act, 31 U.S.C. § 3729 — U.S. Code.
  • U.S. Department of Justice, “Alabama Defense Contractor Agrees to Pay $507,144 to Resolve False Claims Act Liability Relating to Cybersecurity Violations,” June 18, 2026 (Press Release 26-676) — justice.gov.

Accreditation-body materials

  • The Cyber AB, “Statement on the Department of War's Suspension of CMMC Phase II Requirements,” July 15, 2026; Cyber AB Code of Professional Conduct v2.0 and CMMC Assessment Process (CAP) v2.0.

Attributed industry and legal commentary (not regulatory evidence)

  • Federal News Network; DefenseScoop; Breaking Defense; National Defense Magazine (Redspin and CyberSheath statements); law-firm client alerts (Crowell & Moring; Sheppard Mullin; Jenner & Block; Dentons; Akin Gump).

Last verified: . This is a developing regulatory story. We re-verify this report against war.gov, the Federal Register, Acquisition.gov, and the Cyber AB on a weekly cadence until the CMMC Reform Task Force delivers its report or the Department publishes further guidance, then at each subsequent milestone.