CMMC Phase II Is Paused. Your Cybersecurity Obligations Are Not.
The Department of War suspended third-party assessment requirements while a Reform Task Force reviews the program. Here's what actually changed, what didn't, and what smart contractors are doing with the window.
On July 13, the Department of War announced an immediate suspension of CMMC Phase II — the requirement that defense contractors handling Controlled Unclassified Information (CUI) pass a third-party (C3PAO) assessment as a condition of contract award, which was scheduled to take effect November 10, 2026.
A newly formed CMMC Reform Task Force will now conduct a 60-day, top-to-bottom review of the program, with industry feedback due through a public Request for Information by August 14.
If you saw the headline and thought "we're off the hook" — we need to talk.
Key Takeaways
- The Department of War paused CMMC Phase II (third-party C3PAO assessments) on July 13, 2026, pending a 60-day Reform Task Force review. Phases III and IV are paused as well.
- CMMC is not canceled. Phase I self-assessments, SPRS scores, and annual affirmations remain required.
- DFARS 252.204‑7012 and NIST SP 800-171 remain binding contractual obligations and the interim enforcement standard.
- Prime contractors can still require Level 2 certification from subcontractors — flow-downs are contractual, not regulatory.
- Industry feedback is due through a public RFI by August 14, 2026.
What Changed
One thing: the mandatory third-party assessment requirement is on hold. Contracting officers have been directed to remove CMMC Level 2 (C3PAO) and Level 3 (DIBCAC) requirements from active solicitations and contracts while the review is underway.
What Did NOT Change
Almost everything else:
Phase I Is Still In Effect
CMMC Level 1 and Level 2 self-assessments can still appear in new awards, and your SPRS score submissions and annual affirmations — signed by your Affirming Official — are still required.
DFARS 252.204‑7012 Is Still In Your Contracts
The legal requirement to safeguard covered defense information and implement NIST SP 800-171 hasn't moved an inch. This is a pause on one verification mechanism, not a reduction in standards.
False Claims Act Exposure Hasn't Gone Anywhere
With less third-party verification in the picture, the government leans harder on your self-attestation. An inaccurate SPRS score is now a bigger risk, not a smaller one.
Your Primes Haven't Paused Anything
Nothing in the suspension prevents a prime from requiring Level 2 certification before sharing CUI with you. Those flow-down requirements are contractual, not regulatory.
The Dates That Matter Now
What Happens After 60 Days?
Honestly: nobody outside the Pentagon knows. The Task Force could recommend resuming the current framework, modifying it, or restructuring the program entirely. What we do know is that protecting FCI and CUI remains a stated national priority, NIST SP 800-171 remains the enforcement baseline during the review, and the contractors who keep maturing their programs will be ready for whichever direction this goes.
What You Should Do Right Now
Keep Protecting CUI to the NIST SP 800-171 Standard
It's still your contractual obligation, and it's the interim enforcement standard during the review.
Verify Your SPRS Score Is Accurate and Current
Self-attestation is now the primary verification mechanism. Make sure yours would survive scrutiny.
Keep Closing Gaps
If you're mid-readiness, this is a gift: time to finish documentation, remediate POA&M items, and mature your program without a deadline breathing down your neck.
Talk to Your Primes
Find out whether they'll still require third-party certification in flow-downs. Many will.
Consider Responding to the RFI
Small and mid-sized contractors have until August 14 to tell the Department directly what a workable program looks like.
Frequently Asked Questions
Is CMMC canceled?
Do we still have to comply with NIST SP 800-171?
Should we cancel our scheduled C3PAO assessment?
Will our prime still require certification?
Did our compliance risk actually go down?
Find Out Where You Stand
A 30-minute Discovery Meeting with our team — a clear read on what the pause means for your contracts, and what to do about it.
- Your obligations today
- Your SPRS posture & attestation risk
- What to prioritize during the review