Intelligence in Other

CMMC Phase II Is Suspended. Your Security Requirements Aren't.

By Josh Fleming + Kelsey Cunningham
Posted on Jul 13 / 2026
CMMC Phase II Is Suspended Your Security Requirements Arent

Summary

The Department of War has suspended CMMC Phase II, removing the requirement for third-party C3PAO assessments for Level 2 certification while a newly formed task force conducts a 60-day review of the program and seeks industry feedback on compliance burdens. Although the future of CMMC certification remains uncertain, the article stresses that organizations should continue implementing NIST 800-171 controls and strengthening their cybersecurity programs because DFARS 252.204-7012 requirements, cyber incident reporting obligations, subcontractor flow-downs, and potential legal liability for noncompliance remain fully in effect. While companies may choose to pause assessment-related spending, delaying security improvements would increase risk without reducing their existing contractual obligations.

The Department of War suspended all CMMC Phase II requirements today, effective immediately.

Phase II was the stage that would have required third party C3PAO assessments for Level 2 certification, originally set for November 10, 2026. That's off the table. The DoW CIO is standing up a CMMC Reform Task Force to conduct a 60-day review of the entire program, including a public RFI to collect industry feedback on compliance burden. The stated rationale is that CMMC compliance costs were pushing small and nontraditional businesses out of the defense supply chain, citing SBA data. This falls under Secretary Hegseth's Acquisition Transformation System initiative.

Phase I self-assessment requirements remain in effect. So does everything else that actually matters.

What changed

The C3PAO assessment requirement is gone for now. Nobody needs to be ready for a third party CMMC assessment by November 2026 or any other date. The 60-day task force could reshape the program entirely. Whether C3PAO assessments come back as-is, come back lighter, or get replaced with something else is an open question until mid-September.

What did not change

DFARS 252.204-7012 is still in every contract that had it yesterday. The contractual obligation to implement NIST 800-171 Rev 2 and report cyber incidents within 72 hours has not moved. Primes can still flow 7012 down to subs. A contracting officer can still ask for your SSP and POA&M. If you get breached and you haven't done the work, you still have False Claims Act exposure.

The security requirements are identical today to what they were last week. The only thing that changed is who was going to verify them and when.

What you should do

Don't stop.

I've already gotten messages from clients asking whether they can pause their 800-171 programs. The answer is no, and I want to be direct about why: companies that use this as a reason to slow down their security implementation are trading real risk reduction for a compliance holiday that could end in 60 days. That's a bad trade even if the holiday lasts longer.

Keep building your SSP. Keep closing gaps. Keep your security program moving. That work pays off regardless of what the task force recommends, because the underlying contractual obligations haven't changed and the threat environment certainly hasn't changed.

The one thing worth pausing is scheduling or paying for a C3PAO assessment itself. There's no certification to receive right now, so there's no reason to spend money on the assessment process. Spend it on the security work instead.

What to watch

The RFI for industry feedback and whatever comes out of the task force in approximately 60 days, which puts us around mid-September 2026. That's when we'll know if this is a pause, a restructuring, or a wind-down.

We'll be tracking the task force output and the RFI closely. If you want help understanding what this means for your specific situation, or if you've been putting off your 800-171 implementation and need to get moving, reach out.

Are you ready to get started?