What the CMMC Phase II Suspension Means for Defense Contractors

On July 13, 2026, the Department of War announced the immediate suspension of CMMC Phase II, the requirements that had been scheduled to take effect on November 10, 2026. The suspension was formalized in a memo signed on July 10 and made public three days later. The announcement prompted a wide range of interpretations across the Defense Industrial Base about what the suspension actually changes for contractors. 

The most accurate answer comes from the regulation itself rather than the surrounding commentary: the Department suspended a certification mechanism. It did not suspend the underlying requirement to protect federal information. Understanding that distinction is the key to determining what, if anything, should change in an organization’s compliance program and CMMC certification plans. 

What is the CMMC Phase II suspension?

The July 13 release establishes five key facts. 

Phase II is suspended; Phase I is not. All Phase I self-assessment requirements remain in effect, including annual self-assessments, SPRS score submissions, and affirmations. 

The suspension extends beyond Phase II. Department officials confirmed that pending and future CMMC implementation milestones are suspended across Department of War solicitations and contracts, including Phase III (November 2027) and full implementation (2028). 

NIST SP 800-171 Revision 2 remains the enforced standard during the interim period, applied through self-assessments and select government-led assessments. 

DFARS 252.204-7012 is unchanged. The release states explicitly that the action does not eliminate the requirement to protect federal data. Contractors and subcontractors remain contractually obligated to safeguard covered defense information.

A formal review process has been established. The Department CIO is forming a CMMC Reform Task Force to conduct a comprehensive review of the program, informed by a public Request for Information on compliance challenges. The Task Force must deliver its final report to the CIO within 60 days, placing the deadline in mid-September 2026. 

Key dates

  • July 10, 2026 â€” Suspension memo signed. 
  • July 13, 2026 â€” Public announcement and press briefing. 
  • August 14, 2026 â€” RFI responses due. This is the only fixed deadline during the interim period. 
  • Mid-September 2026 (estimated) â€” CMMC Reform Task Force reports to the Department CIO.
  • November 10, 2026 â€” The former Phase II effective date. This date is suspended and should not be treated as an active deadline. 
  • Ongoing â€” Annual self-assessments and affirmations continue on each organization’s existing schedule throughout the review period. 

Why did the Department of War suspend CMMC Phase II?

The Department cited compliance cost and small-business attrition from the Defense Industrial Base as the primary drivers behind the suspension, along with a practical constraint in the assessment ecosystem: roughly 100 authorized C3PAOs against more than 100,000 companies expected to need assessment. The Department’s Chief Information Officer summarized the rationale directly, stating that “the math just simply doesn’t math” for small and medium businesses to reach compliance by the original transition date. 

Officials also emphasized that the suspension addresses process rather than security expectations: “We are not reducing cybersecurity through this measure. We are reducing the red tape.” The decision was framed within the Secretary’s Acquisition Transformation System priorities, which emphasize speed to capability and lower barriers to entry for contractors. 

What the suspension does not change

The obligation to protect Controlled Unclassified Information (CUI) did not originate with CMMC. DFARS 252.204-7012 has required covered contractors to implement NIST SP 800-171 since 2017. CMMC was developed to answer a narrower question: how does the government verify that contractors have implemented the controls they attested to? That verification requirement existed because self-reported SPRS scores had, in many cases, outpaced what government-led assessments later found.

Because CMMC did not create the underlying duty to protect CUI, suspending the CMMC verification process does not remove that duty. It shifts responsibility back to each organization’s own attestation.

Self-assessments carry the same weight they did before the announcement. Because Phase I remains in effect, SPRS scores and annual affirmations are subject to the same accuracy expectations as before July 13. If a score no longer reflects an organization’s environment, updating it remains the same task it was prior to the suspension.

Open questions during the interim period

Several aspects of the suspension have not yet been addressed in official guidance: 

  • Will CMMC return in its current form, a modified form, or under a different validation model? 
  • How will contracts that already contain CMMC clauses be administered? 
    • The written release addresses pending and future milestones but does not specify treatment of existing contract clauses. At the July 13 press briefing, Department officials stated that program managers and contracting officers have been directed to amend or modify active solicitations and contracts containing the suspended Phase II requirements. Until a modification is issued, the requirement currently in a contract continues to govern. Organizations with a CMMC requirement in an awarded contract should direct questions to their Contracting Officer. 
  • Will NIST SP 800-171 Revision 3 be introduced during or after the review? 
    • The interim standard is explicitly Revision 2. 
  • What scalable security measures will the Task Force recommend as an alternative to the current model? 
  • How might requirements be structured differently across segments of the Defense Industrial Base? 

Organizations should continue the following practices regardless of the suspension: 

  • Continue implementing NIST SP 800-171 Revision 2. It remains the interim standard, and a mature implementation supports every plausible outcome of the Task Force review. 
  • Maintain an accurate self-assessment. SPRS scores should reflect current conditions and be supported by objective evidence. 
  • Continue remediating identified gaps, particularly in access control, multifactor authentication, asset inventory, vulnerability management, incident response, logging and monitoring, configuration management, and encryption of CUI at rest and in transit. 
  • Maintain visibility into the CUI environment, including system boundaries, data flows, asset categorization, and external service provider relationships. This work applies regardless of which certification framework is ultimately adopted. 
  • Consult the Contracting Officer regarding any CMMC requirement already present in an awarded contract. 
  • Submit a response to the RFI. The Department is soliciting industry input on compliance cost drivers, administrative burden, and which NIST SP 800-171 controls provide meaningful risk reduction. Responses are due August 14, 2026, and will inform the Task Force’s recommendations.

Organizations should avoid the following during this period: 

  • Halting NIST SP 800-171 implementation, since it remains the enforced standard. 
  • Suspending remediation of known gaps. A deadline change does not change the underlying risk. 
  • Assuming that CUI protection requirements have been relaxed. They have not. 
  • Reducing cybersecurity investment based on a program review that has not yet concluded. 
  • Allowing an SPRS score to remain outdated. 
  • Making material business decisions based solely on press coverage or third-party commentary. 

Next steps by certification status 

The appropriate response to the suspension depends on where an organization currently stands in the CMMC process. 

Organizations that are already assessed and compliant should maintain their current affirmation and keep their environment aligned with the evidence supporting it. Existing validation is likely to satisfy requirements under most future versions of the program. 

Organizations that have not yet started should treat the suspension as an opportunity rather than a reprieve. The DFARS 252.204-7012 obligation to implement NIST SP 800-171 predates CMMC and remains fully in force. The interim period provides additional time to scope the CUI environment and begin remediation before formal milestones resume. 

Organizations with a scheduled or in-progress assessment should continue rather than pause. The security requirements behind the assessment have not changed, and stopping now typically costs an organization more than it saves.

For organizations earlier in the assessment process, the recommended path is to proceed on the current plan. The requirements driving the assessment have not gone away, and continuing now avoids the cost of stopping and restarting once the Task Force reports and milestones resume. Every control implemented supports NIST SP 800-171, which sits underneath each version of the program under consideration.

For organizations closer to completion, the recommended path is to finish. The most difficult phases of preparation are already behind an organization at this stage. Certifications that have already been issued remain valid, and demonstrated capability continues to position an organization ahead of competitors. The 2021 transition from CMMC 1.0 to CMMC 2.0 illustrates the pattern: organizations that kept their assessments moving carried the full value of that work into the new program.

Organizations with a certification currently in process should weigh this alongside their own internal expertise and resource constraints: the assessment team and institutional knowledge mobilized for the engagement are not easily reassembled later, and DFARS 252.204-7012 obligations and False Claims Act exposure apply to the organization’s attestation regardless of what the Task Force ultimately recommends.

The right choice still depends on contractual obligations, customer expectations, and available resources, and should be evaluated on an individual basis. For most organizations already underway, however, continuing is the lower-risk and lower-cost path.

Historical context 

Third-party verification was not the Department’s first approach, and it was not introduced to raise the security bar. It was introduced because the honor system that preceded it did not hold up. From 2017 onward, contractors were required to self-attest to their implementation of NIST SP 800-171 under DFARS 252.204-7012, with no independent check on the accuracy of that attestation. When the government did examine contractor environments directly, actual implementation regularly fell short of what SPRS scores claimed. That gap between attestation and reality, not a desire for a new standard, is what made independent, third-party assessment necessary in the first place. CMMC exists to confirm that a control environment matches the score reported for it, and that underlying problem is unrelated to whether a Phase II milestone is active. 

This is not the first time the Department has suspended and revised a CMMC framework. In 2021, the Department suspended CMMC 1.0 and reworked it into CMMC 2.0. The verification model changed, but the underlying DFARS 252.204-7012 obligation and NIST SP 800-171 standard remained in place throughout the transition. Organizations that continued building their security programs during that period entered CMMC 2.0 without losing the value of their prior work. 

Frequently asked questions

Is the CMMC Phase II suspension the same as CMMC being cancelled? 

No. The Department suspended the Phase II third-party assessment mandate pending a 60-day review; it did not cancel the program or eliminate the underlying security requirements. Phase I self-assessments remain fully in place, and NIST SP 800-171 Revision 2 continues to be enforced during the interim period. 

Do defense contractors still have to comply with NIST SP 800-171? 

Yes. DFARS 252.204-7012 has required NIST SP 800-171 implementation since 2017 and is unchanged by the suspension. The release states explicitly that the action does not eliminate the requirement to protect federal data. 

Does an issued CMMC certification still count? 

Yes. Nothing in the July 13 announcement revoked or invalidated certifications that have already been issued. A completed C3PAO assessment remains independent evidence that an environment met all 110 NIST SP 800-171 requirements. 

What happens to a certification that is awaiting results? 

The announcement does not address certifications that were in process at the time of the suspension, and issuance mechanics for those assessments remained unconfirmed as of this writing. Organizations in this position should confirm status directly with their C3PAO. 

What happens if an awarded contract already contains a CMMC clause? 

The clause continues to govern until a modification is issued. Department officials stated at the July 13 briefing that program managers and contracting officers have been directed to amend or modify active solicitations and contracts containingthe suspended Phase II requirements, but until that modification arrives, the existing contract terms apply. 

Do prime contractor flow-down requirements still apply? 

Yes. Flow-down requirements are contract terms between a prime and its suppliers, and they do not change because a Department milestone was suspended. DFARS 252.204-7012 flow-down obligations remain in effect regardless of the CMMC Phase II suspension. 

Is NIST SP 800-171 Revision 3 coming? 

The interim standard is explicitly Revision 2. Whether Revision 3 is introduced during or after the Task Force review is an open question that the July 13 announcement did not address. 

Why did some CMMC guidance pages go offline after the announcement? 

Several Department CIO CMMC pages and guidance documents were removed from public view around the time of the announcement, which contributed to speculation that the program had been eliminated entirely. The Department has not explained the removals. The written release and an organization’s own contract terms remain the authoritative record, not the availability of a webpage. 

Relevant resources 

News release: Department of War Suspends CMMC Phase II Requirements 

Department of War Chief Information Officer website 

Key takeaways 

The July 13 announcement changes how the Department verifies contractor cybersecurity. It does not change the underlying requirement to protect CUI. Phase I remains in effect, DFARS 252.204-7012 remains in effect, and NIST SP 800-171 Revision 2 remains the enforced standard. The CMMC Reform Task Force is required to report to the Department CIO within 60 days. 

Organizations should continue implementing their compliance programs as planned, keep self-assessments accurate, and submit RFI responses before the August 14 deadline. A-LIGN is monitoring the CMMC Reform Task Force and will publish updates as substantive guidance is released. 

How A-LIGN can help 

A-LIGN supports organizations across every stage of the CMMC process, from initial scoping and readiness assessments to full Level 2 certification. Our federal assessment team can help evaluate how the Phase II suspension affects a scheduled or in-progress engagement, and can advise on maintaining an accurate self-assessment during the interim period. 

Organizations with questions about scheduled assessments, contractual obligations, or interim readiness strategy are encouraged to contact A-LIGN directly