Author: Beau Dickie, Chief Information Security Officer
On July 13, 2026, the Department of Defense (DoD), recently adapted to Department of War (DoW), announced a significant shift for the defense industrial base. CMMC Phase 2, originally scheduled to take effect on November 10, 2026, has been suspended indefinitely. All future implementation phases are now frozen pending a 60-day review.
If you handle government contracts or work with Controlled Unclassified Information (CUI), you're probably wondering what this means for your compliance roadmap, your budget, and your ability to win future contracts.
We tackled exactly these questions during our recent webinar. I joined several compliance experts to break down what this suspension means in practical terms and to answer the questions defense contractors are asking right now. If you missed the session, you can watch the full recording here to get the complete analysis and hear directly from the panel.
But here's what I want you to understand right now: this suspension is not permission to stand down.
What Actually Happened
Because this situation is changing quickly, contractors should verify current guidance against the DoD CIO memorandum, the acquisition implementation memorandum, active solicitation amendments, contract modifications, and counsel or their contracting officer before making binding compliance decisions.
The DoD suspended the mandatory third-party certification requirements that would have gone into effect this November. Under Phase 2, organizations handling CUI would have been required to obtain CMMC Level 2 certification from an authorized third-party assessment organization (C3PAO) as a condition of contract award.
That requirement is now on hold.
The decision came after the Small Business Administration reported that future CMMC phases could cost small and midsize defense contractors more than $7 billion annually. The DoD also cited severe shortages in third-party assessment capacity, with industry reporting more than 100,000 companies potentially needing assessments and roughly 100 authorized C3PAOs available to conduct them. The math, as officials put it, simply did not work.
The DoD has established a CMMC Reform Task Force that will report back within 60 days. Officials have declined to rule out ending the program entirely, though they've emphasized that cybersecurity remains a "critical non-negotiable priority."
What This Does NOT Mean
Here's where the confusion starts, and it's critical to get this part right.
The suspension does not eliminate your cybersecurity obligations. It does not repeal the CMMC rule. It does not change the DFARS clauses in your contracts. And it absolutely does not mean you can stop protecting Controlled Unclassified Information.
Phase 1 self-assessment requirements remain in full effect. If your contract includes DFARS 252.204-7012 and you handle CUI, you are still required toimplement the 110 security requirements in NIST SP 800-171. If your contract includes a CMMC Level 1 or Level 2 self-assessment requirement under DFARS 252.204-7021, that self-assessment requirement also remains in place. You are still required to maintain accurate assessment information in SPRS where applicable, and you are still subject to enforcement action if you misrepresent your compliance status.
The Department of Justice's Civil Cyber-Fraud Initiative has not been suspended. False certifications can still result in False Claims Act liability, and that risk has not gone away.
Why You Should Not Hit the Brakes
I've already heard from contractors who are wondering whether they should stop their remediation work, defer investments in cybersecurity infrastructure, or delay planned assessments. I understand the temptation, especially if you've been staring down a six-figure compliance bill.
But here's why that's a mistake.
First, your contractual obligations have not changed. If you're handling Federal Contract Information, CUI, or covered defense information, the safeguarding requirements in your existing contracts still control. FAR 52.204-21 applies basic safeguarding requirements to Federal Contract Information, while DFARS 252.204-7012 and NIST SP 800-171 obligations apply when covered defense information or CUI is in scope. Those requirements are enforceable today, regardless of what happens with CMMC Phase 2.
Second, the review period is short. The task force has 60 days to report back. The public comment window closes on August 14, 2026. That means we could see new guidance, a revised framework, or a policy shift by late summer or early fall. If third-party assessments resume in any form, contractors who stayedthe course will be ready. Those who stopped will be scrambling.
If you've already obtained a CMMC Level 2 certification, that status has not been automatically invalidated by the suspension. Contractors should confirm how the certification is reflected in SPRS, how long it remains current, and whether a customer or contracting officer treats it as relevant for a specific procurement. In a competitive bid environment, having that work completed can still give you an edge over contractors who have not validated their implementation. It also strengthens your position in due diligence if you're pursuing acquisitions or partnerships.
Finally, cyber threats have not been suspended. Nation-state actors, ransomware groups, and supply chain attackers are not taking a break because the DoD is reviewing its certification program. If you're handling sensitive data, the obligation to protect it is both contractual and operational. A breach doesn't care about policy reviews.
What You Should Do Right Now
If you're a defense contractor, here's my practical guidance.
Before changing your compliance plan, review the exact clauses in your prime contract, subcontract, and any current solicitation. The CMMC announcement affects the rollout of third-party assessment requirements, but your enforceable obligations still come from the contract language, incorporated clauses, flow-downs, and any subsequent amendments or modifications.
Continue your remediation efforts. If you're working toward NIST SP 800-171 compliance, keep going. Close the gaps you've identified. Document your controls. Maintain evidence of implementation. This work will serve you regardless of what the final CMMC framework looks like.
Stay current on self-assessment requirements. Make sure your SPRS score and supporting documentation are accurate, current, and aligned with the assessment methodology that applies to your contract. If you have not completed a required self-assessment, do it now. Self-attestation carries legal risk, and accuracy matters.
Monitor active solicitations. The DoD implementation guidance directs program managers and requiring activities to initiate amendments removing CMMC Level 2 (C3PAO) and Level 3 (DIBCAC) designations during the suspension period, with contracting officers issuing corresponding amendments as soon as practicable. If you have proposals in flight, watch for amendments and adjust your compliance representations only after the solicitation or contract language changes.
Participate in the public comment process. The request for information closes on August 14, 2026. If you're a small or midsize contractor and the cost or complexity of CMMC has been a burden, this is your opportunity to make your voice heard. Industry input will shape what comes next.
During this week's webinar, we fielded dozens of questions about how to handle this transition. Because the topic is moving quickly and the details matter, we've compiled the most important information into our CMMC Phase II Suspension: Q&A Reference Guide. It includes timelines, action items, and answers to the questions we heard most often. You can download it here and share it with your team.
What Happens Next
The next 60 days will determine the future of the CMMC program. The task force will evaluate cost, scalability, assessor capacity, and alignment with the DoD's broader acquisition priorities. The public comment period will give contractors a rare opportunity to influence policy with real data.
Three things to watch closely:
- The August 14 deadline for public comments. This is the window for contractors to submit input on the burdens of implementing and complying withCMMC. Small and midsize voices need to be part of that conversation.
- Regulatory changes. The suspension is being implemented through DoD policy and procurement guidance, not through a repeal of the DFARS clause or the CMMC program rule itself. If you see a class deviation, DFARS amendment, contract modification, or changes to 32 C.F.R. Part 170, that is when the legal framework for a specific requirement may materially shift.
- Guidance for non-DoD contracts. The CMMC suspension applies to DoD CMMC implementation milestones; it does not relieve contractors of separate CUI, FAR, agency-specific, or contract-specific cybersecurity requirements outside the DoD context. If you support both DoD and civilian agency work, review each contract and flow-down clause separately before assuming the pause changes your obligations.
The Bottom Line
I know this suspension creates uncertainty. Contractors have spent months preparing for Phase 2, and now the timeline has shifted. Budgets are in question. Leadership teams are asking whether to move forward or wait and see.
Here's my answer: proceed with purpose.
The DoD has suspended the certification rollout. It has not suspended the requirement to protect sensitive data. It has not eliminated the legal and contractual obligations you already carry. And it has not signaled that cybersecurity is any less important to national security or mission readiness.
Organizations that continue building a defensible, documented, and mature cybersecurity posture will be better positioned regardless of what the final CMMC framework looks like. Those that treat this as a green light to defer investment may find themselves at a disadvantage when guidance is finalized and contracts start flowing again.
Cybersecurity is not a checkbox exercise. It's a business imperative. It protects your operations, your contracts, your reputation, and the sensitive information your customers trust you to safeguard.
If you have questions about how this suspension affects your specific contracts, or if you need help evaluating where you stand with NIST SP 800-171, DFARS compliance, SPRS reporting, or readiness for whatever comes next, reach out to our team. We work with defense contractors every day to navigate compliance requirements with clarity and confidence, and we can help you separate what has changed from what still applies.
The suspension may have changed the timeline, but it hasn't changed the responsibility. Stay the course, stay compliant, and stay ready.