On July 13, 2026, the Department of War — the renamed Department of Defense — announced the immediate suspension of CMMC Phase 2, the stage of the Cybersecurity Maturity Model Certification rollout that would have required independent third-party cybersecurity assessments across all contracts involving sensitive unclassified information starting November 10, 2026. All pending and future CMMC implementation milestones are suspended along with it, pending a comprehensive review. The announcement came in a release titled, without understatement, “Forging the Arsenal of Freedom: Department of War Suspends CMMC Phase II Requirements.”
The department’s Chief Information Officer, Kirsten Davies, was blunt about the reason. The program’s third-party assessment model, she said, imposes “significant and sometimes prohibitive costs” on small and nontraditional suppliers — and the capacity problem underneath it is arithmetic, not policy: on the order of 100,000 defense industrial base companies were headed toward a third-party assessment requirement, with only roughly 100 authorized assessment organizations (C3PAOs) available to conduct them before the November date. In Davies’ words: “the math just simply doesn’t math.”
A new cross-department CMMC Reform Task Force — drawing from the Office of the CIO, Acquisition and Sustainment, Research and Engineering, Information and Security, Legislative Affairs, Public Affairs, and the department’s legal office — will review the program top to bottom and deliver findings and recommendations to the CIO within 60 days. In parallel, the department published a Request for Information asking the defense industrial base how the government can protect federal data while cutting compliance cost and burden. The Small Business Administration publicly commended the suspension the same day, with Administrator Kelly Loeffler calling CMMC an “untenable barrier” for small defense contractors.
If you are a defense contractor, you have probably already received some version of this news filtered through a vendor email with a subject line like “CMMC IS DEAD — What It Means For You.” It is not dead. And if you spent the last year and a significant budget preparing for a C3PAO assessment — including readers who followed our own guidance on the November deadline — the worst possible reading of this announcement is that the work was wasted and the pressure is off. Neither is true. This article walks through what was actually suspended, what conspicuously was not, what happens to contracts and assessments already in flight, and what a rational contractor does during the 60-day review window.
What Was Suspended — and What Was Not
Precision matters here, because the legal architecture of CMMC has several layers, and the July 13 announcement touched only some of them.
Suspended:
- The Phase 2 requirement itself. Beginning November 10, 2026, new solicitations for contracts involving Controlled Unclassified Information (CUI) at Level 2 would have required certification by a C3PAO rather than self-assessment. That trigger is now off.
- All pending and future CMMC implementation milestones — including the later phases that would have extended requirements across effectively all covered DoW contracts by roughly 2028, and the Level 3 government-led assessment expansion. The entire phased rollout calendar is frozen pending the Task Force’s review.
Not suspended — stated explicitly by the department:
- Phase 1 remains firmly in place. Since November 10, 2025, applicable solicitations have required Level 1 or Level 2 self-assessments, recorded in the Supplier Performance Risk System (SPRS) and backed by an annual affirmation from a senior company official. Those requirements continue. If a solicitation requires a current self-assessment and affirmation, you still cannot be awarded the work without them.
- DFARS 252.204-7012 and NIST SP 800-171. The department went out of its way to say that the suspension “does not eliminate the requirement for companies to protect federal data” and that all contractors and subcontractors “remain contractually obligated to safeguard covered defense information” under DFARS 252.204-7012 — which means implementing the 110 controls of NIST SP 800-171 Rev 2, maintaining a System Security Plan, and reporting cyber incidents to the DoW within 72 hours. That clause predates CMMC by nearly a decade and does not depend on it.
- Discretionary government scrutiny. The department retained its authority to require third-party or government-led assessments on a case-by-case basis during the suspension. Program offices handling sensitive work can still demand more than a self-assessment.
Davies herself framed the boundary: “We are not reducing cybersecurity through this measure,” and “every dollar spent on security is a wise dollar spent.” Whatever the Task Force produces, the underlying substantive obligation — implement 800-171, protect CUI, tell the truth about your posture — is the part of the regime that survived intact. What has been suspended is the verification mechanism, not the requirement being verified.
One more structural point that vendor marketing will skip: the CMMC program rule at 32 CFR Part 170 and the acquisition rule creating DFARS 252.204-7021 went through full notice-and-comment rulemaking and remain on the books. A press release and an implementation memo can pause how the department applies them; formally unwinding or replacing them would require new rulemaking. That is the precise sense in which suspended is not repealed — the legal machinery still exists, idling, while the department decides what to do with it.
Why It Happened: The Math That Didn’t Math
The capacity problem was visible for years, and we flagged it in the November deadline analysis: a finite supply of accredited assessors against a very large population of contractors, all converging on the same date. The department’s own figures put roughly 80,000 companies on a path to eventual third-party assessment; the SBA cited more than 120,000 small businesses affected by Phase 2. Against approximately 100 C3PAOs, even heroic assumptions about assessments-per-assessor-per-year left the overwhelming majority of the defense industrial base mathematically unable to obtain a certification before the phase gate — not unwilling, unable.
The cost problem compounded it. Assessment preparation for a small contractor routinely runs into six figures once remediation, documentation, enclave architecture, and the assessment itself are totaled — recurring, not one-time. The SBA reported that these costs were “forcing innovative companies out of the defense industrial base”: firms doing niche, mission-critical work concluding that a Pentagon contract was no longer worth the compliance overhead of holding it. For a department whose stated acquisition priority under Secretary Hegseth’s Acquisition Transformation Strategy is expanding the supplier base and accelerating speed-to-capability, a gate that shrinks the vendor pool was working directly against policy.
None of this means the problem CMMC targets went away. The reason CMMC exists is that a decade of self-attestation under DFARS 7012 produced a defense industrial base that systematically claimed compliance it had not achieved, which adversaries systematically exploited. The Task Force’s assignment is to find a verification model that scales — the release language points toward “realistic, scalable security measures” that lower barriers for small and nontraditional businesses — not to abandon verification. Contractors should plan for the successor regime to still involve someone checking.
The Reform Task Force, the RFI, and the 60-Day Clock
The Task Force is deliberately cross-functional: CIO, Acquisition and Sustainment, Research and Engineering, Information and Security, Legislative Affairs, Public Affairs, and Legal. That composition tells you the review is not a narrow technical tune-up. Acquisition and Sustainment owns the DFARS clause; Legislative Affairs signals engagement with Congress (which wrote CMMC’s premise into several NDAAs); Legal signals awareness that changing course on a promulgated rule has administrative-law consequences.
The Task Force will serve as the central hub for synthesizing industry feedback from the public RFI and deliver its report to the CIO within 60 days — which lands in mid-September 2026, with any actual regime change following after that. Contractors should read the calendar realistically: nothing about the successor model will be contractually binding this year, and a formally amended rule is plausibly a 2027 event. The suspension is open-ended; the review is not.
If You Followed the November-Deadline Guidance: Your Investment Is Not Wasted
In June we told contractors, in plain terms, that November 10, 2026 was a real gate and that anyone not already deep into assessment preparation was nearly out of runway. Some readers acted on that: budgets were approved, gap assessments run, enclaves built, C3PAOs engaged. It is fair to ask whether that money and effort just evaporated.
It did not, for four reasons worth stating carefully:
First, almost everything you built was never CMMC-specific. The 6-to-12-month grind of assessment prep is, overwhelmingly, implementing NIST SP 800-171: MFA everywhere CUI is accessed, FIPS-validated encryption, access control and least privilege, logging and monitoring, incident response, a real SSP, CUI inventory and data-flow mapping. Every one of those is a current, live contractual obligation under DFARS 252.204-7012 — today, during the suspension, and under whatever replaces Phase 2. CMMC was only ever the audit of homework that was already assigned. The homework is still assigned.
Second, your SPRS score still matters — and it must still be true. Phase 1’s self-assessment and affirmation machinery is untouched. Contracting officers still see your score; primes still check subs’ scores during flow-down diligence; and the affirmation your senior official signs is still a representation to the federal government with all that entails (more on that below). A contractor that used assessment prep to move from an inflated paper score to an accurate, high, evidence-backed one is in a strictly stronger position than before — commercially and legally.
Third, verification is paused, not cancelled — and readiness is a queue position. If the Task Force’s replacement model preserves any third-party or government assessment component (a likely outcome for the most sensitive work, given the department’s retained case-by-case authority), the same capacity crunch will reappear on the new timeline. Organizations that are assessment-ready when the successor regime lands will clear it first and bid earliest. The contractors hurt worst by regulatory whiplash are the ones who sprint, stop, dismantle, and sprint again.
Fourth, the threat model did not read the press release. The espionage and supply-chain compromise campaigns that justified CMMC are indifferent to its implementation schedule. The controls protect your business either way — and as we covered in the context of CIRCIA’s September 2026 final rule, the broader federal trend is still firmly toward more accountability for critical-infrastructure and defense-adjacent companies, not less.
What you should revisit is sequencing and spend, which is what the decision framework below is for.
Existing Contracts, In-Flight Assessments, and Certifications Already Earned
The July 13 release left several practical questions open. A July 14 implementation memo answered the biggest one: active solicitations and contracts that already include CMMC Level 2 C3PAO or Level 3 assessment requirements must be amended to remove those requirements — solicitations “as soon as practicable,” and existing contracts before the next option exercise or at the next scheduled administrative modification. If you hold a contract with a 252.204-7021 certification condition, expect a modification; if you are mid-proposal on a solicitation that required certification, expect an amendment. Do not self-help — the clause binds you until the contracting officer modifies it, and the self-assessment and 7012 components of your obligations survive the modification in any case.
In-flight C3PAO assessments are the genuinely unresolved category. The announcement does not address assessments underway or scheduled, and C3PAOs are commercial businesses whose engagement letters are private contracts — the government’s suspension does not automatically unwind them. If you are days from a scheduled assessment with the fee committed, completing it may still be rational (see the framework below). If you are holding a deposit on a Q4 slot, your contract’s rescheduling and cancellation terms just became the most important document in your compliance program. Have that conversation with your C3PAO now, in writing, before their calendar fills with everyone else having the same conversation.
Certifications already earned do not expire because Phase 2 paused. A completed Level 2 certification remains a government-validated, evidence-backed attestation of 800-171 implementation — three years of standing proof you can hand to primes, cyber insurers, and commercial customers, and a credential the successor regime is far more likely to grandfather than discard. The department has given no indication that issued certifications are void; treat yours as an asset and keep the underlying control environment (and the affirmations that maintain it) current.
Subcontractors and flow-down deserve a specific mention. Primes spent the last year writing CMMC certification requirements into subcontract terms and vendor questionnaires. Those private contractual requirements do not vanish with the government’s suspension — they say whatever they say until amended. Primes should decide deliberately whether to relax certification language to self-assessment-plus-evidence during the review period; subs should ask rather than assume.
The Risk That Does Not Pause: False Claims Act Exposure
Here is the paragraph that should temper any celebration. The Department of Justice’s Civil Cyber-Fraud Initiative — which uses the False Claims Act to pursue contractors that misrepresent their cybersecurity compliance — is a DOJ program, not a DoW one. It did not pause on July 13, and nothing in the CMMC announcement touches it.
The exposure runs through exactly the machinery that remains in force. Every Phase 1 self-assessment score posted to SPRS, and every senior-official affirmation renewing it, is a statement to the government on which contract awards rest. An inflated score or a false affirmation is precisely the fact pattern the FCA reaches — and the case law is no longer hypothetical. Aerojet Rocketdyne paid $9 million in 2022 to resolve allegations that it misrepresented DFARS cybersecurity compliance while winning contracts; Penn State paid $1.25 million in 2024 over allegedly false 800-171 self-assessment scores and compliance representations on DoD contracts. Both cases predate CMMC enforcement entirely — they rest on self-attestation regimes exactly like the one you are still operating under during the suspension. Legal analysts reviewing the July 13 announcement made the same point within hours: with third-party verification paused, DOJ scrutiny of self-assessment accuracy becomes more consequential, not less, because the self-assessment is once again the only assessment.
The practical instruction is simple. During the suspension window, treat your SPRS entry as a litigation document: score it against evidence, not aspiration; document the basis for every control you claim; keep POA&Ms honest and dated; and make sure the senior official signing the annual affirmation has actually seen the evidence supporting it. Our walkthrough of the SPRS submission process and its procedural requirements covers the mechanics. If your score was inflated on July 12, the suspension did not fix that on July 13.
A Decision Framework for Contractors Mid-Way Through Assessment Prep
Different organizations are at very different points in the pipeline. The rational move depends on where you are:
If your C3PAO assessment is scheduled and substantially paid for (next 60–90 days): Seriously consider completing it. You are past the expensive part; the marginal cost of finishing buys a three-year certification that survives the suspension, differentiates you with primes immediately, and is the strongest possible position under any successor regime. Cancel only if your contract lets you exit cheaply and your pipeline contains no primes or programs that value the certificate.
If you have engaged a C3PAO but the assessment is months out: Negotiate, don’t cancel. Convert the engagement to a paused or deferred posture if the contract allows; get rescheduling rights and fee treatment in writing. Redirect near-term spend from assessment-day logistics to closing remaining POA&M items — that work counts under 7012 regardless of what the Task Force decides.
If you are mid-remediation with no assessment booked: Keep going, at a sustainable pace instead of a deadline sprint. Reprioritize by intrinsic risk and 7012 obligation rather than by “what the assessor checks first”: MFA, encryption, access control, logging, incident response, and an accurate SSP. Use the schedule relief to do properly the things a deadline sprint does badly — CUI scoping and enclave design chief among them, since a well-scoped environment cuts cost under every possible future verification model.
If you had not started: You did not just get permission to continue not starting. You got the runway you no longer had. Your 7012/800-171 obligation is current and your SPRS score is a live representation; begin with an honest gap assessment and an accurate score, because that is where both your contract eligibility and your FCA exposure sit today.
If you are a prime: Decide your interim flow-down standard this quarter — most rationally, current SPRS self-assessment scores plus evidence sampling for subs handling CUI — and communicate it to your supply chain before your subs make dismantling decisions you will regret in 2027.
Across every scenario, one common instruction: document your decision. Write down what you knew on July 13, what you chose to continue, defer, or stop, and why. If the successor regime arrives in 2027 and a contracting officer, prime, or DOJ attorney later asks what your organization did during the suspension, a dated, reasoned record of “we continued implementing 800-171 and maintained an accurate SPRS posture while deferring third-party assessment expenditure” is exactly what you want to produce.
Respond to the RFI — This Is the Rare Window Where Complaints Count
Contractors have spent five years complaining about CMMC’s cost, complexity, and capacity math in webinars and LinkedIn posts, where those complaints changed nothing. The department has now opened a formal channel and built a Task Force whose explicit job is to synthesize what comes through it. That window will not stay open long, and the entities best resourced to file polished responses — large primes, assessment-industry incumbents, consultancies with business models tied to the current framework — will not necessarily argue for what small contractors need.
If you are in the DIB, respond, and be concrete rather than rhetorical:
- Quantify your costs. Actual dollars spent on gap assessment, remediation, enclave build-out, consultants, and C3PAO fees, against your annual DoW revenue. The ratio is the argument.
- Describe the capacity math from your seat: quoted C3PAO lead times, prices, scheduling experiences.
- Propose mechanisms, not sentiments. Tiered verification proportional to CUI sensitivity and contract size; reciprocity with FedRAMP, SOC 2, or ISO 27001 evidence; government-subsidized or government-led assessment for small business; shared-services enclaves; longer certification validity; sampling-based verification of self-assessments.
- Say what should be kept. If the discipline of preparing for assessment genuinely improved your security — for many contractors it did — the Task Force should hear that too, or the baby leaves with the bathwater.
- Coordinate through associations (NDIA, PSC, AIA, your state PTAC/APEX accelerator) for aggregate weight, but file your own response as well; volume and specificity from actual small businesses is what the SBA’s advocacy has been missing.
Conclusion: Plan for the Verification Regime, Not the Vacuum
The July 13 suspension is best read not as the death of CMMC but as the department conceding a specific design failure: a verification model whose arithmetic could not deliver the population of certified contractors the mission needed, on the timeline the rule demanded. The obligation to protect controlled unclassified information was reaffirmed in the same breath that the assessment mandate was paused — and the enforcement mechanism that actually produces settlements, the False Claims Act, belongs to a different department that made no announcement at all.
So the strategic picture for a defense contractor is close to unchanged, with the deadline pressure redistributed rather than removed: implement NIST SP 800-171 because DFARS 252.204-7012 requires it now; keep your SPRS score accurate because your affirmation is a federal representation now; preserve the assessment readiness you have already bought because verification will return in some form; and spend the next 60 days doing the two things a deadline never allowed — scoping your CUI environment properly, and telling the department, on the record, what a workable program looks like. The contractors who treat this suspension as a pause to consolidate will be ready for whatever the Task Force produces. The ones who treat it as a repeal are making the same bet the pre-CMMC industrial base made for a decade — and CMMC exists because of how that bet ended.
Sources: U.S. Department of War — Forging the Arsenal of Freedom: Department of War Suspends CMMC Phase II Requirements (Release 4542329), DefenseScoop — DOD halts cybersecurity requirements for CMMC Phase 2: ‘The math just simply doesn’t math’, Federal News Network — Pentagon suspends CMMC phase two requirements, launches review of program, National Defense Magazine — BREAKING: Pentagon Suspends Phase 2 of CMMC Program, SBA — SBA Commends U.S. Department of War’s Suspension of CMMC Phase II for Small Defense Contractors, Industrial Cyber — Department of War suspends CMMC Phase II, launches 60-day review, Crowell & Moring — Department of War Immediately Suspends CMMC Phase II Requirements, Launches 60-Day Reform Review
This article is provided for informational purposes only and does not constitute legal advice.



