CMMC Program Update

CMMC Phase II Is Paused. Your Cybersecurity Obligations Are Not.

The Department of War suspended third-party assessment requirements while a Reform Task Force reviews the program. Here's what actually changed, what didn't, and what smart contractors are doing with the window.

60 Days
Length of the Task Force review
Nov 10, 2026
Original Phase II effective date, now suspended
Aug 14, 2026
Deadline for industry RFI feedback
Published July 15, 2026 Simpatico Systems CMMC & Compliance 6 Min Read

On July 13, the Department of War announced an immediate suspension of CMMC Phase II — the requirement that defense contractors handling Controlled Unclassified Information (CUI) pass a third-party (C3PAO) assessment as a condition of contract award, which was scheduled to take effect November 10, 2026.

A newly formed CMMC Reform Task Force will now conduct a 60-day, top-to-bottom review of the program, with industry feedback due through a public Request for Information by August 14.

If you saw the headline and thought "we're off the hook" — we need to talk.

Key Takeaways

  • The Department of War paused CMMC Phase II (third-party C3PAO assessments) on July 13, 2026, pending a 60-day Reform Task Force review. Phases III and IV are paused as well.
  • CMMC is not canceled. Phase I self-assessments, SPRS scores, and annual affirmations remain required.
  • DFARS 252.204‑7012 and NIST SP 800-171 remain binding contractual obligations and the interim enforcement standard.
  • Prime contractors can still require Level 2 certification from subcontractors — flow-downs are contractual, not regulatory.
  • Industry feedback is due through a public RFI by August 14, 2026.

What Changed

One thing: the mandatory third-party assessment requirement is on hold. Contracting officers have been directed to remove CMMC Level 2 (C3PAO) and Level 3 (DIBCAC) requirements from active solicitations and contracts while the review is underway.

What Did NOT Change

Almost everything else:

Phase I Is Still In Effect

CMMC Level 1 and Level 2 self-assessments can still appear in new awards, and your SPRS score submissions and annual affirmations — signed by your Affirming Official — are still required.

DFARS 252.204‑7012 Is Still In Your Contracts

The legal requirement to safeguard covered defense information and implement NIST SP 800-171 hasn't moved an inch. This is a pause on one verification mechanism, not a reduction in standards.

False Claims Act Exposure Hasn't Gone Anywhere

With less third-party verification in the picture, the government leans harder on your self-attestation. An inaccurate SPRS score is now a bigger risk, not a smaller one.

Your Primes Haven't Paused Anything

Nothing in the suspension prevents a prime from requiring Level 2 certification before sharing CUI with you. Those flow-down requirements are contractual, not regulatory.

The Dates That Matter Now

Jul 13
Suspension announced
Aug 14
RFI responses due
~Sep 11
Task Force report expected
Nov 10
Original Phase II date, suspended

What Happens After 60 Days?

Honestly: nobody outside the Pentagon knows. The Task Force could recommend resuming the current framework, modifying it, or restructuring the program entirely. What we do know is that protecting FCI and CUI remains a stated national priority, NIST SP 800-171 remains the enforcement baseline during the review, and the contractors who keep maturing their programs will be ready for whichever direction this goes.

"We are not reducing cybersecurity through this measure."
— DoW Chief Information Officer, July 13, 2026 announcement

What You Should Do Right Now

Keep Protecting CUI to the NIST SP 800-171 Standard

It's still your contractual obligation, and it's the interim enforcement standard during the review.

Verify Your SPRS Score Is Accurate and Current

Self-attestation is now the primary verification mechanism. Make sure yours would survive scrutiny.

Keep Closing Gaps

If you're mid-readiness, this is a gift: time to finish documentation, remediate POA&M items, and mature your program without a deadline breathing down your neck.

Talk to Your Primes

Find out whether they'll still require third-party certification in flow-downs. Many will.

Consider Responding to the RFI

Small and mid-sized contractors have until August 14 to tell the Department directly what a workable program looks like.

Frequently Asked Questions

Is CMMC canceled?
No. The suspension applies to Phase II — the mandatory third-party assessment requirement — pending the Task Force's 60-day review. The program is codified in federal regulation and can't be erased without formal rulemaking. Phase I requirements remain in effect.
Do we still have to comply with NIST SP 800-171?
Yes. DFARS 252.204‑7012 remains a binding clause in your contracts, and the Department will continue enforcing NIST SP 800-171 during the review through self-assessments and select government-led assessments.
Should we cancel our scheduled C3PAO assessment?
In most cases, no. C3PAOs are still conducting assessments and Level 2 certifications are still being issued. If your primes require certification, completing the assessment protects the investment you've already made.
Will our prime still require certification?
Possibly, yes. Flow-downs are contractual, not regulatory — nothing in the suspension prevents a prime from requiring Level 2 certification before sharing CUI with a subcontractor. Ask your primes directly.
Did our compliance risk actually go down?
In one important way it went up. With third-party verification paused, enforcement weight shifts to your self-attestation — your SPRS score and annual affirmation — which carries False Claims Act exposure if inaccurate.

Find Out Where You Stand

A 30-minute Discovery Meeting with our team — a clear read on what the pause means for your contracts, and what to do about it.

  • Your obligations today
  • Your SPRS posture & attestation risk
  • What to prioritize during the review
30 minutes · No pressure · No obligation