On July 13, 2026, the Department of War announced the immediate suspension of the Cybersecurity Maturity Model Certification (CMMC) Phase II requirements, the very requirements that were scheduled to take effect on November 10, 2026. For thousands of defense contractors who have spent the last two years budgeting for a third-party assessment, the headline reads like a reprieve. Read the fine print, and it is something more complicated, and more important.
The obligation to protect controlled unclassified information did not go away. The DFARS clause that has carried that obligation since 2017 is untouched. The self-assessment requirement is still in force. What changed is the enforcement mechanism, not the security expectation. Contractors who treat this as permission to stand down are misreading the announcement, and setting themselves up for a painful reversal when the review concludes.
We work with defense industrial base companies every day on exactly this problem, and this post lays out precisely what happened, what did not change, why the pause occurred, and the practical steps we recommend during the interim. If you would rather talk it through, our team offers a CMMC readiness assessment that tells you where you actually stand today.
What the Department of War actually changed
The announcement, published under the title "Forging the Arsenal of Freedom," does four concrete things:
- Phase II is suspended, effective immediately. The transition to Phase II, which would have introduced independent third-party assessments by a C3PAO for Level 2 contracts, is halted. The November 10, 2026 deadline for those assessments is off the calendar for now.
- Pending and future implementation milestones are paused. The suspension is not limited to Phase II. The Department also paused the later Phase III and Phase IV implementation milestones across its solicitations and contracts until further notice.
- Phase I stays firmly in place. All Phase I self-assessment requirements remain active. Nothing about the self-attestation obligation was rolled back.
- A comprehensive review begins. The Chief Information Officer is standing up a CMMC Reform Task Force to conduct a top-to-bottom review of the certification program, with a final report due within 60 days.
In the words of Department of War Chief Information Officer Kirsten A. Davies, quoted in the release: "In support of Secretary Pete Hegseth's directive to reduce compliance barriers for small and medium sized businesses, we are today suspending the CMMC Phase II requirements and initiating a 60-day study of the future of this program. strong cybersecurity and operational resilience remain critical to protecting American innovation and supporting warfighter readiness."
You can read the primary source directly on the Department of War newsroom: the official CMMC Phase II suspension release. We always recommend reading the government's own words before acting on a headline.
What did not change, and why it matters more than the headline
This is the part that gets lost in the celebration. The suspension pauses the certification and assessment machinery. It does not pause the legal duty to secure federal data. Three obligations survive the announcement intact.
DFARS 252.204-7012 is still binding. Every defense contractor and subcontractor whose contract carries this clause remains contractually obligated to safeguard covered defense information and to report cyber incidents. The release is explicit that this action "does not eliminate the requirement for companies to protect federal data." If your contract already includes the clause, your duty is unchanged. Our overview of NIST and DFARS compliance obligations walks through what the clause actually requires.
NIST SP 800-171 is still the standard. During the interim period, the Department stated it will enforce cybersecurity compliance with the NIST SP 800-171 Rev 2 standard through self-assessments and select government-led assessments, focusing on tangible cyber hygiene rather than administrative overhead. That means the 110 security controls you were already expected to implement are still the baseline. A credible NIST 800-171 self-assessment remains the price of admission to defense work.
Your SPRS score still speaks for you. The Supplier Performance Risk System score you submit is a representation to the government. Submitting an inflated self-assessment score does not become safe because Phase II paused. The Department of Justice Civil Cyber-Fraud Initiative has repeatedly used the False Claims Act against contractors who misrepresented their security posture. A generous self-score you cannot defend is a liability whether or not a C3PAO ever knocks on your door.
The suspension removes the assessor. It does not remove the standard, the clause, or the consequences of a false attestation.
Why the pause happened
The reasons the Department gave are practical, not philosophical. Two forces drove the decision.
The first is capacity. In a companion news story, CIO Davies acknowledged that the number of authorized assessors is simply not large enough to conduct all the evaluations needed before the November deadline. The certified third-party assessment ecosystem never scaled to the volume the rule assumed. Tens of thousands of contractors chasing a few hundred assessors was always going to bottleneck, and the Department chose to relieve the pressure rather than enforce a deadline the market could not meet.
The second is policy. The move aligns with Secretary of War Pete Hegseth's Acquisition Transformation System, which prioritizes speed to capability and aims to lower barriers for small, medium, and non-traditional businesses. Michael Duffey, Under Secretary of War for Acquisition and Sustainment, framed it bluntly in the release: "We cannot expect our industries to build at the speed of relevance if they are drowning in peacetime paperwork and administrative bureaucracy." The Small Business Administration publicly commended the decision, citing months of engagement with small contractors who warned that compliance costs were pushing firms out of the defense industrial base entirely.
The review itself is structured and time-boxed. The Department has launched a public Request for Information on SAM.gov to gather feedback on compliance cost drivers and administrative burdens. Responses are due by August 14, 2026, and the CMMC Reform Task Force must deliver its final report within 60 days, which puts the decision point in mid-September 2026. This is a genuine reassessment, not a quiet cancellation. Contractors running multi-year compliance roadmaps across all four phases should expect those roadmaps to change.
Which CMMC level applies to you
Some of the confusion around this announcement comes from contractors who are not sure which tier they fall into. The suspension hits the tiers differently, so it is worth being precise about the CMMC certification levels.
Level 1 covers federal contract information and is met with an annual self-assessment. That obligation is untouched, and it was never part of Phase II. Level 2 covers controlled unclassified information and maps to the 110 controls of NIST SP 800-171. Level 2 is where the third-party C3PAO assessment would have applied under Phase II, and it is that assessment, not the underlying 800-171 requirement, that is now paused. Level 3, which layers on the enhanced requirements for the highest-priority programs, was always the furthest out and is paused along with the later milestones. In short, if you handle controlled unclassified information, your security bar did not move even though your assessment date did.
The interim compliance baseline, in plain terms
If you are a contractor asking "what am I actually held to right now," the answer is clear. You are held to a real, defensible NIST SP 800-171 Rev 2 self-assessment. That is more than a checklist exercise. A self-assessment that will survive a government-led review has four moving parts:
- A System Security Plan (SSP) that documents how each of the 110 controls is implemented across your environment. A missing or generic SSP is the single most common finding we see.
- A Plan of Action and Milestones (POA&M) for every control not yet fully met, with realistic remediation dates. An honest POA&M is defensible. A perfect score with no plan is not.
- An accurate SPRS score derived from the actual state of your controls, submitted and kept current.
- Evidence. Screenshots, configurations, policies, and logs that prove the control is real and operating, not aspirational.
Worth noting for planning: NIST has published Revision 3 of SP 800-171, and the reform review is happening against that backdrop. The interim enforcement standard the Department named is Rev 2, so that is what governs your self-assessment today, but the Task Force review makes the future revision landscape one to watch closely.
For contractors handling the most sensitive programs, the higher bar of NIST 800-172 enhanced security requirements may still flow down through prime contracts regardless of the CMMC timeline. Requirements do not disappear just because the certification wrapper paused.
Why the smart move is to keep going
It is tempting to shelve the compliance program and reclaim the budget. We advise against it, for reasons that are strategic, not just cautious.
The clause is already in your contracts. Suspension of Phase II does not strip DFARS 252.204-7012 or existing 800-171 requirements out of contracts and solicitations you have already signed. Your obligations are contractual and current.
Primes will keep flowing requirements down. Large prime contractors manage their own supply-chain risk. Many will continue to require 800-171 evidence and strong SPRS scores from subcontractors no matter what the certification calendar does, because their own exposure has not changed.
Reinstatement is the likely outcome. The Department did not say cybersecurity no longer matters. It said the current mechanism is too costly and slow. The most probable result of a 60-day review is a recalibrated program, not the disappearance of independent assessment. Contractors who keep their house in order will glide through whatever comes next. Contractors who stand down will be scrambling again in the fall.
Security is a competitive advantage, not a tax. A defensible security posture wins work, shortens prime due-diligence cycles, and lowers your cyber-insurance premiums. It also protects you from the ransomware and data-theft events that do not wait for a rulemaking to conclude. If you are weighing frameworks, our comparison of CMMC versus ISO 27001 can help you see where your investment carries beyond defense contracting.
A practical 60-day action plan
Use the pause the way the Department intends, to get real work done without a deadline breathing down your neck. Here is the sequence we run with our defense clients:
- Confirm your contractual reality. Pull every active contract and solicitation and confirm which carry DFARS 252.204-7012 and 800-171 flow-downs. Your obligations start here, not with the news cycle.
- Run an honest gap assessment. Score yourself against all 110 controls as they actually operate today, not as you hope they operate. This is the foundation for everything else.
- Rebuild or refresh your SSP and POA&M. Make them accurate and current. These are the documents a government-led assessment will ask for first.
- Correct your SPRS score. If your submitted score no longer matches reality, fix it now, while there is no assessment pressure and no penalty for candor.
- Close the cheap, high-impact gaps. Multifactor authentication, encryption of covered data at rest and in transit, logging, and access reviews deliver outsized risk reduction for modest cost.
- Respond to the RFI if it affects you. Small contractors have a real window to shape the reformed program before August 14, 2026. Your voice counts more now than it will after the Task Force reports.
- Book a professional review. An outside cybersecurity risk assessment catches the blind spots an internal self-score misses, and gives you evidence you can hand to a prime or an auditor.
How Petronella Technology Group can help
Petronella Technology Group, Inc. has spent years helping regulated and defense-contractor businesses build cybersecurity programs that hold up under scrutiny. We do not sell fear, and we do not sell shelfware. We build defensible, documented, working security.
For defense contractors navigating this suspension, our services map directly to the interim baseline: a gap assessment against NIST 800-171, SSP and POA&M development, SPRS score validation, remediation of the controls that matter most, and ongoing managed compliance so you are never scrambling before a deadline again. Our full CMMC compliance guide lays out the program end to end, and our managed cybersecurity services keep it running after the paperwork is done. Contractors modernizing their operations can also explore how we apply AI for defense contractors to reduce the manual burden of continuous compliance.
The companies that come out of this reform period strongest will be the ones who used the pause to get genuinely secure, not the ones who used it to stop.
Frequently asked questions
Is CMMC cancelled?
No. CMMC is not cancelled. The Department of War suspended Phase II and paused later implementation milestones while a 60-day review runs. Phase I self-assessment requirements remain in place, and the program could return in a modified form after the CMMC Reform Task Force reports in mid-September 2026.
Do I still need to comply with NIST 800-171?
Yes. The Department named NIST SP 800-171 Rev 2 as the interim enforcement standard, applied through self-assessments and select government-led assessments. If your contract carries the 800-171 requirement, you are still obligated to meet it.
Should I stop preparing for my C3PAO assessment?
We advise against stopping. The third-party assessment requirement is paused, not eliminated, and the most likely outcome of the review is a recalibrated program rather than a permanent end to independent assessment. The work you do now, on your SSP, POA&M, and controls, carries directly into whatever comes next.
What is DFARS 252.204-7012?
It is the Defense Federal Acquisition Regulation Supplement clause that requires contractors to safeguard covered defense information and to report cyber incidents. It predates CMMC, it is unaffected by this suspension, and it remains fully binding on every contractor whose agreement includes it.
Does this affect subcontractors?
Yes, but not by removing obligations. Prime contractors flow cybersecurity requirements down to their subcontractors to manage their own supply-chain risk, and many will continue to require 800-171 evidence regardless of the CMMC calendar. Subcontractors should assume their flow-down obligations are unchanged.
When will the review be finished?
The public Request for Information closes on August 14, 2026, and the CMMC Reform Task Force must deliver its final report within 60 days of the announcement, placing the decision point around mid-September 2026. Expect updated guidance to follow that report.
Talk to a CMMC Registered Practitioner
The suspension is a window, not a finish line. The contractors who use it well will be ready for whatever the reformed program requires, and secure in the meantime. If you want a clear, honest picture of where you stand and what to fix first, call Penny, our AI assistant, at 919-348-4912, or start with a CMMC readiness assessment from Petronella Technology Group, Inc. We will help you turn a confusing headline into a concrete plan.