DoD Suspends CMMC Phase II: What Defense Contractors Need to Know
Key Details: On July 13, 2026, the Department of War suspended CMMC Phase II implementation and related third-party assessment requirements. The DOW official press release can be found here and the official suspension memorandum can be found here. The suspension pauses the planned November 10, 2026 transition to Phase II, including Level 2 third-party assessments conducted by Certified Third-Party Assessment Organizations (C3PAOs) and Level 3 assessments conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). The Department established a CMMC Reform Task Force to conduct a top-to-bottom review of the program and provide recommendations within 60 days. While the suspension pauses certain assessment requirements, it does not eliminate existing cybersecurity obligations. Phase I self-assessments remain in place, and contractors should continue documenting compliance with NIST SP 800-171 Rev. 2, maintaining Supplier Performance Risk System (SPRS) information, complying with FAR 52.204-21 and DFARS 252.204-7012, and meeting applicable cyber incident reporting requirements.
What Is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) Program is the Department of War's framework for validating cybersecurity controls across the Defense Industrial Base (DIB). The program was designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) through a combination of self-assessments, third-party assessments, and cybersecurity compliance requirements tied to federal contracts.
Questions Contractors Should Ask Now
- Do active solicitations contain Level 2 C3PAO or Level 3 DIBCAC requirements?
- Do existing contracts contain CMMC implementation language that may require modification or clarification?
- Are SPRS scores current and supported by documentation?
- Are System Security Plans (SSPs) and Plans of Action and Milestones (POA&Ms) up to date?
- Are cyber incident reporting processes current?
- Are subcontractor flow down requirements being managed appropriately?

What the CMMC Phase II Suspension Means
The July 2026 action is best understood as a pause and reform effort, not a cancellation of cybersecurity compliance requirements.
According to the Department, the suspension pauses:
- CMMC Phase II implementation
- Level 2 C3PAO assessments
- Level 3 DIBCAC assessments
- Pending and future implementation milestones associated with Phase II
The Department stated that the current implementation created significant compliance costs and administrative burdens, particularly for small, medium-sized, and non-traditional defense contractors. The Small Business Administration supported the suspension, citing concerns that compliance costs and assessment capacity issues were pushing some innovative companies out of the Defense Industrial Base.
What Changed and What Didn't Change
What Changed
- CMMC Phase II is suspended.
- The November 10, 2026 transition to Phase II is paused.
- Level 2 C3PAO assessments are suspended during the review period.
- Level 3 DIBCAC assessments are suspended during the review period.
- Certain solicitations and contracts may require amendments or modifications.
- Phase I self-assessments remain in place.
- Level 1 and Level 2 self-assessments remain allowable and expected where applicable.
- NIST SP 800-171 Rev. 2 remains applicable for contractors handling CUI.
- DFARS 252.204-7012 remains in effect.
- FAR 52.204-21 remains in effect.
- SPRS scoring and affirmations remain in place.
- Cyber incident reporting requirements remain active.
- Contractors remain responsible for safeguarding Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
What Didn't Change
- Phase I self-assessments remain in place.
- Level 1 and Level 2 self-assessments remain allowable and expected where applicable.
- NIST SP 800-171 Rev. 2 remains applicable for contractors handling CUI.
- DFARS 252.204-7012 remains in effect.
- FAR 52.204-21 remains in effect.
- SPRS scoring and affirmations remain in place.
- Cyber incident reporting requirements remain active.
- Contractors remain responsible for safeguarding Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
The practical takeaway is straightforward: the assessment requirements have been paused, but cybersecurity compliance obligations remain enforceable.
What Contractors Should Do During the Review Period
The Department's announcement should not be interpreted as a reason to stop cybersecurity work.
Instead, contractors should:
- Review active solicitations for Level 2 C3PAO or Level 3 DIBCAC requirements.
- Review current contracts for CMMC implementation language that may require modification or clarification.
- Continue maintaining Level 1 and Level 2 self-assessment documentation.
- Update SPRS scores only when supported by documentation and actual control implementation status.
- Maintain or refresh System Security Plans (SSPs).
- Maintain or refresh Plans of Action and Milestones (POA&Ms).
- Continue CUI and FCI identification, marking, access control, incident response, and subcontractor flowdown practices.
- Monitor guidance issued by the CMMC Reform Task Force and subsequent Department guidance.
Contractors that continue addressing cybersecurity gaps and strengthening documentation may be better positioned when a revised framework is announced. Contractors should also remember that suspension of third-party assessment requirements does not eliminate risks associated with inaccurate cybersecurity representations. Organizations should continue ensuring that System Security Plans, SPRS submissions, self-assessments, and cybersecurity attestations accurately reflect actual compliance status.
What to Watch Next
The CMMC Reform Task Force is expected to deliver recommendations within 60 days.
Contractors should monitor:
- Task Force recommendations
- Revised implementation guidance
- Requests for Information (RFIs)
- Solicitation amendments
- Contract modifications
- Updated assessment requirements
- Potential changes to compliance scoring or validation methods
Because the review is ongoing, this remains an evolving area for defense contractors.
Conclusion
The Department of War's suspension of CMMC Phase II provides temporary relief from upcoming third-party assessment requirements, particularly for contractors preparing for Level 2 C3PAO or Level 3 DIBCAC assessments.
However, the suspension does not eliminate existing cybersecurity obligations. Phase I self-assessments, remain in place, and requirements under NIST SP 800-171 Rev. 2, FAR 52.204-21, DFARS 252.204-7012 continue to apply incorporated into current contracts. Contractors should therefore continue maintaining applicable SPRS submissions, affirmations, and cyber incident reporting processes consistent with their current existing contract requirements.
Contractors should treat the suspension as a planning window to strengthen compliance and documentation, not as a pause on cybersecurity readiness. Organizations doing business with the Department of War should review existing cybersecurity requirements, contract language, self-assessment documentation, and compliance processes during the review period. Proactively addressing compliance gaps now may reduce future implementation risk if revised CMMC requirements are released.
Today’s Thought Leaders

About Sagarika Susarla
Finance Consultant
Sagarika Susarla is a Finance Consultant at Ryan & Wetmore. She focuses on supporting clients through financial analysis, tax consulting, and building practical tools that improve efficiency and decision-making. Sagarika earned her MBA from The George Washington University and her undergraduate degree in Finance, with a concentration in Corporate Finance.

About Samad Arouna
Marketing Coordinator
Samad Arouna is the Marketing Coordinator at Ryan & Wetmore, bringing a wealth of knowledge in digital marketing strategy and analytics. Before joining Ryan & Wetmore, Samad honed his skills working as a loan specialist for the Small Business Administration. He holds a Bachelor of Business Administration and a Master of Science in Marketing. Samad is dedicated to devising innovative marketing solutions that drive growth and success for the firm.
Frequently Asked Questions
Does the CMMC Phase II suspension mean contractors can stop preparing for cybersecurity compliance?
No. The suspension pauses certain third-party assessment requirements, but it does not remove existing cybersecurity obligations. Contractors should continue maintaining self-assessment documentation, SPRS information, System Security Plans, POA&Ms, and cyber incident reporting processes where applicable.
What should contractors review first during the CMMC review period?
Contractors should start by reviewing active solicitations, current contract language, SPRS scores, self-assessment documentation, SSPs, POA&Ms, and subcontractor flow down requirements. This helps identify where clarification, updates, or continued documentation may be needed.
What should contractors watch for next?
Contractors should monitor recommendations from the CMMC Reform Task Force, revised Department guidance, solicitation amendments, contract modifications, and any updates to assessment or validation requirements. The suspension creates a temporary review period, but future requirements may change once the reform process is complete.