CMMC Program Update · Department of War · 07.13.2026

CMMC Phase II is paused.
Your contracts are not.

The Department of War suspended third-party (C3PAO) assessment requirements while a Reform Task Force conducts a 60-day review. But DFARS 252.204‑7012, NIST SP 800-171, SPRS scores, and your self-assessments are all still in force — and your primes haven't paused anything. Find out exactly where you stand.

58
Days remaining in the DoW's 60-day CMMC review
Requirements Status Register

One thing was suspended.
Everything else stands.

The pause has a narrow, defined scope: the mandatory third-party assessment mechanism. The underlying obligations in your contracts didn't move.

Reference
Requirement
Status
L2 (C3PAO)
Third-party Level 2 assessments as a condition of awardPaused pending the 60-day review — not canceled. Was scheduled for Nov 10, 2026; being removed from active solicitations
Paused
252.204‑7012
DFARS safeguarding & incident reportingStill a binding clause in your existing contracts
In Force
SP 800-171 R2
NIST security controls for CUIThe interim enforcement standard during the review
In Force
L1 / L2 (Self)
Phase I self-assessmentsCan still be required in new awards
In Force
SPRS / Affirm
SPRS score submissions & annual affirmationsSigned by your Affirming Official — now carrying more enforcement weight
In Force
Flow-downs
Prime contractor certification requirementsNothing stops a prime from requiring Level 2 certification before sharing CUI
In Force
Why this isn't a reprieve

The pause moved your risk. It didn't remove it.

With third-party verification on hold, the government's enforcement weight shifts to your self-attestation. An inaccurate SPRS score or annual affirmation now carries more exposure — including under the False Claims Act — not less.

Contractors who keep maturing their programs through these 60 days will be ready whether the Task Force resumes, modifies, or restructures CMMC. Contractors who stop and guess wrong will be scrambling — possibly on short notice.

"We are not reducing cybersecurity through this measure."
— DoW Chief Information Officer, July 13, 2026 announcement
The 60-Day Window

What smart contractors are doing right now

Verify

Pressure-test your SPRS score

Self-attestation is now the primary verification mechanism. Make sure your score reflects reality and would survive scrutiny.

Close

Finish gaps without a deadline

Remediate POA&M items, complete your System Security Plan, and mature documentation while the clock is stopped.

Confirm

Talk to your primes

Certification flow-downs are contractual, not regulatory. Find out whether yours still apply — many will.

Speak

Respond to the RFI by Aug 14

The Task Force is taking industry feedback directly. If compliance costs have burdened your business, say so.

CMMCReady Discovery Meeting

Find out where you stand.

30 minutes with our team. No pressure, no doom-selling — just a clear read on your obligations under the pause.

  • Your contractual obligations today
  • Your SPRS posture & attestation risk
  • What to prioritize during the review
Frequently Asked Questions

The CMMC pause, answered straight.

Is CMMC canceled?
No. The Department of War suspended Phase II — the mandatory third-party assessment requirement — pending a 60-day review by a CMMC Reform Task Force. The program itself is codified in federal regulation (32 CFR Part 170) and can't simply be erased without formal rulemaking. Officials haven't ruled out major changes after the review, but as of today CMMC still exists and Phase I requirements are still in effect.
Do we still have to comply with NIST SP 800-171?
Yes. If DFARS 252.204‑7012 is in your contracts — and it is for virtually every contractor handling covered defense information — implementing NIST SP 800-171 remains a binding contractual obligation. The Department has stated it will continue enforcing this standard during the review through self-assessments and select government-led assessments.
We had a C3PAO assessment scheduled. Should we cancel it?
In most cases, no. C3PAOs are still conducting assessments and Level 2 certifications are still being issued. If your primes require certification — or you want to be first in line when requirements resume in whatever form — completing the assessment protects the investment you've already made. Talk it through with your assessor and your primes before making a call.
Can new contracts still include CMMC requirements?
Level 1 and Level 2 self-assessment requirements can still appear in new solicitations and awards. What contracting officers can no longer include — and are being directed to remove from active solicitations and contracts — are Level 2 (C3PAO) and Level 3 (DIBCAC) third-party assessment requirements.
Will our prime contractor still require certification?
Possibly, yes. Flow-down requirements are contractual, not regulatory — nothing in the suspension prevents a prime from requiring Level 2 certification before sharing CUI with a subcontractor. Several major primes spent the past year telling their supply chains to get certified. Ask your primes directly rather than assuming the pause applies to you.
Did our compliance risk actually go down?
In one important way it went up. With third-party verification paused, the government leans harder on your self-attestation — your SPRS score and the annual affirmation signed by your Affirming Official. An inaccurate score or affirmation carries False Claims Act exposure, and the Department of Justice has continued pursuing enforcement actions against contractors that misrepresent their compliance.
What happens after the 60 days?
The Task Force delivers a report with recommendations — expected around mid-September 2026. From there the Department could resume the current framework, modify it, or restructure the program. Nobody outside the Pentagon knows which. What's certain is that protecting FCI and CUI remains a national priority, and contractors who keep maturing their programs will be ready for any of the three outcomes.
How do we make our voice heard?
The Department is collecting industry feedback through a public Request for Information, due August 14, 2026. If compliance costs or assessor availability have been a burden for your business, this is the mechanism to say so directly. We're happy to point you to the submission — ask us in a Discovery Meeting.