Skip to main content
Rule Updates

CMMC Phase 2 Suspended: What the Department of War's July 2026 Reversal Means for Contractors

The Department of War suspended CMMC Phase 2 certification requirements on July 13, 2026, launching a 60-day reform review while Phase 1 self-assessments and DFARS 252.204-7012 remain in force.

Brandon Hancock, J.D., CMMC-RPPublished July 14, 2026Updated July 14, 20266 min read

Three weeks ago, this blog laid out what contractors needed to do before CMMC Phase 2 began on November 10, 2026. On July 13, 2026, the Department of War suspended it — indefinitely, and effective immediately.

The Department of War (DoW, formerly the Department of Defense) announced on July 13, 2026 that it is immediately suspending the CMMC Phase 2 requirements that were scheduled to take effect November 10, 2026, and launching a 60-day "top-to-bottom" review of the entire CMMC program. Phase 1 self-assessment requirements remain in place. Phase 3 and Phase 4 — the later milestones extending certification requirements further across the Defense Industrial Base (DIB) — are suspended as well. Contractors who spent the last several months lining up C3PAO assessments for a November deadline now have a different, and less certain, question to answer: what happens next, and when.

What the Department Actually Announced

Per the DoW's official release, effective immediately the Department suspended "the transition to Phase II requirements of CMMC, as well as pending and future CMMC implementation milestones" across DoW solicitations and contracts. The decision was signed out in a memo from DoW Chief Information Officer Kirsten A. Davies, who tied it to Secretary of War Pete Hegseth's Acquisition Transformation System (ATS) — a broader directive prioritizing speed to capability and lower barriers for small, medium, and non-traditional defense businesses.

The stated rationale: data, including reporting from the Small Business Administration, indicated that CMMC compliance costs and bureaucratic burdens were pushing innovative companies out of the DIB — a result the Department says works against, not for, warfighter readiness.

What Still Applies

The suspension is not a suspension of cybersecurity obligations generally. Three things the release is explicit about:

  • Phase 1 self-assessment requirements remain firmly in place. If your contracts already require a Level 1 or Level 2 self-assessment posted to SPRS, that obligation has not changed.
  • DFARS 252.204-7012 still applies. The release states plainly that "this action does not eliminate the requirement for companies to protect federal data" — contractors and subcontractors remain contractually obligated to safeguard covered defense information under the existing clause.
  • NIST SP 800-171 Rev. 2 is the interim baseline. During the review period, DoW says it will enforce cybersecurity compliance through self-assessments and "select government-led assessments" against Rev. 2 — not the independent C3PAO certification model that Phase 2 would have introduced.

What is suspended is the shift from self-attestation to mandatory third-party (C3PAO) certification for Level 2, along with the Phase 3 DIBCAC-assessment milestone and full Phase 4 implementation.

The CMMC Reform Task Force

DoW's CIO is standing up a CMMC Reform Task Force to conduct the review, drawing on feedback already gathered through a public Request for Information on compliance challenges. Under Secretary of War for Acquisition and Sustainment Michael Duffey framed the goal as maintaining "a strict security baseline while removing paralyzing costs." The task force is due to deliver its final report and recommendations to the DoW CIO within 60 days of the July 13 announcement — roughly mid-September 2026.

Nothing in the release commits DoW to any particular outcome. The task force could recommend reinstating a modified Phase 2 on a new timeline, replacing C3PAO certification with a different verification model, or something else entirely. Contractors should not read "suspended" as "cancelled," and should not assume the review lands on the side of less oversight.

What Contractors Should Do Now

Don't stop your NIST SP 800-171 work. The suspension removes the near-term C3PAO deadline, not the underlying control requirements. Contractors who let their self-assessment and SPRS scores lapse will still be exposed under DFARS 252.204-7012 and under existing False Claims Act enforcement risk — a risk line this blog has covered repeatedly and that this announcement does not touch.

Hold off on final C3PAO scheduling decisions, but don't cancel groundwork. If you were mid-process with a C3PAO, talk to them about what the suspension means for your specific engagement. The self-assessment and POA&M remediation work underlying that engagement is still worth finishing — it is the same control set the interim enforcement baseline uses.

Watch for the Reform Task Force report, expected around mid-September 2026. That report, not this suspension notice, will determine what actually replaces Phase 2. Treat the current interim period as a pause for planning, not a permanent reprieve.

Reread your existing contracts and solicitations. Confirm which of your DoW obligations were tied to the specific Phase 2 milestone versus the underlying NIST SP 800-171 framework obligations that remain independent of it. The Find My Requirements tool can help sort out what changed and what didn't for your specific contract mix.

Key Takeaways

  • DoW suspended CMMC Phase 2 (C3PAO certification for Level 2) effective July 13, 2026, along with Phase 3 and Phase 4 — Phase 1 self-assessment requirements remain in force.
  • DFARS 252.204-7012 and NIST SP 800-171 Rev. 2 self-assessment obligations are unchanged. The Department will rely on self-assessments and select government-led assessments as the interim enforcement baseline while the program is reviewed.
  • A CMMC Reform Task Force must report recommendations within 60 days (around mid-September 2026). Treat the suspension as a paused timeline, not a cancelled program — continue closing NIST SP 800-171 gaps rather than standing down.

This article is educational information about federal procurement and cybersecurity requirements. It is not legal advice, and it does not create an attorney-client relationship.

Primary source: U.S. Department of War, "Forging the Arsenal of Freedom: Department of War Suspends CMMC Phase II Requirements" (July 13, 2026), war.gov.

Share
BH

Brandon Hancock

J.D. · CMMC Registered Practitioner (RP)

Brandon is the founder and principal advisor of GovConCyber. His advisory approach is shaped by roughly six years as a U.S. Army human intelligence collector, where information accuracy, source protection, classification discipline, need-to-know access, and controlled reporting were daily requirements. He brings that information-discipline mindset to GovConCyber's work helping government contractors understand and comply with federal cybersecurity obligations.

Was this post helpful?