CMMC Phase II Is Suspended: What Defense Contractors Need to Know and What's Next

On July 13, 2026, the Pentagon announced the immediate suspension of Cybersecurity Maturity Model Certification (CMMC) Phase II requirements, which had been scheduled to take effect on November 10, 2026.
The suspension pauses the transition to mandatory third-party CMMC Level 2 assessments and later implementation milestones. It does not eliminate CMMC, NIST SP 800-171, or contractors' responsibility to safeguard Controlled Unclassified Information.
For defense contractors, the most important distinction is simple:
The third-party certification mandate is paused. The obligation to protect CUI is not.
All Phase I self-assessment requirements remain in place. During the suspension, acquisition teams may require CMMC Level 1 self-assessments or Level 2 self-assessments, but they may not designate Level 2 C3PAO or Level 3 DIBCAC assessments. The Department will continue enforcing baseline cybersecurity requirements through self-assessments and selected government-led assessments while it conducts a 60-day review of the program.
CMMC Phase II suspension: key facts
Effective date: The suspension took effect immediately on July 13, 2026.
What was suspended: The November 2026 transition to CMMC Phase II, Level 2 C3PAO assessment requirements, Level 3 DIBCAC assessment requirements, and pending or future implementation milestones.
What remains in place: CMMC Level 1 and Level 2 self-assessments, NIST SP 800-171 requirements where contractually applicable, and contractors' existing obligations to protect covered defense information.
Active solicitations: Program offices must initiate amendments to remove Level 2 C3PAO and Level 3 DIBCAC requirements from active solicitations as soon as practicable.
Existing contracts: Contracting officers have been directed to remove those requirements before the next option period or during the next scheduled administrative modification.
What happens next: A CMMC Reform Task Force will conduct a comprehensive review and submit recommendations within 60 days.
What exactly did the Pentagon suspend?
The suspension changes which CMMC assessment levels the Department may designate in procurement requirements during the review period.
Requirements that are paused
Program managers and requiring activities may not designate:
- CMMC Level 2 C3PAO assessments
- CMMC Level 3 DIBCAC assessments
- Later implementation milestones associated with those requirements
The suspension also affects active solicitations and existing contracts containing these assessment requirements. However, contractors should not assume the terms have disappeared automatically. The Government must still issue formal solicitation amendments or contract modifications.
Requirements that remain
Acquisition teams may continue to require:
- CMMC Level 1 self-assessments for systems handling Federal Contract Information
- CMMC Level 2 self-assessments for systems handling Controlled Unclassified Information
- Additional cybersecurity protections permitted by applicable law and regulation
- Selected government-led assessments
The Department has stated that it will continue enforcing NIST SP 800-171 Revision 2 through self-assessments and selected government-led assessments during the review.
What defense contractors should do now
The appropriate response depends on whether a company is pursuing an opportunity, performing an active contract, preparing for certification, or considering entering the defense market.
If you are pursuing an active solicitation
Search the complete solicitation and all attachments for:
- CMMC Level 2
- C3PAO
- CMMC Level 3
- DIBCAC
- DFARS 252.204-7021
- DFARS 252.204-7012
- NIST SP 800-171
- Controlled Unclassified Information
Continue monitoring the official opportunity record for amendments. If the solicitation still requires a Level 2 C3PAO or Level 3 DIBCAC assessment, consider submitting a formal question to the contracting officer.
Suggested question for the contracting officer:
In light of the Department's July 13, 2026 suspension of CMMC Phase II requirements, will the Government amend this solicitation to remove or revise the CMMC Level 2 C3PAO or Level 3 DIBCAC assessment requirement?
Do not rely solely on the public announcement when preparing a proposal. The solicitation remains the controlling document until the Government issues an amendment or formal clarification.
If you have an active DoW contract
Review the specific CMMC and cybersecurity requirements incorporated into the contract.
The implementation guidance directs contracting officers to remove Level 2 C3PAO and Level 3 DIBCAC requirements before the next option period or during the next scheduled administrative modification. That does not necessarily mean every contract will be modified immediately.
Contractors should:
- Identify the exact CMMC requirement in the contract.
- Contact the contracting officer for clarification.
- Document all related communications.
- Continue following the existing contract until a formal modification or direction is issued.
- Consult legal or compliance advisers regarding contract-specific obligations.
If you are preparing for a C3PAO assessment
Do not automatically cancel every cybersecurity investment or abandon the work already completed. Instead, separate your activities into two categories.
Security work that remains valuable
- Implementing NIST SP 800-171 controls
- Protecting CUI
- Maintaining an accurate System Security Plan
- Correcting known security gaps
- Documenting policies, processes, and evidence
- Preparing for self-assessments or government-led reviews
- Improving incident detection and response capabilities
Spending tied specifically to the suspended deadline
- C3PAO scheduling expenses
- Assessment support services
- Consulting driven solely by the November 2026 deadline
- Audit preparation that does not improve the underlying security environment
The Department's updated guidance recommends that companies continue carefully assessing their systems, correcting unmet requirements, and fully implementing the necessary security measures.
A pause in third-party certification is not permission to unwind the security controls the certification was intended to verify.
If you handle CUI
The obligation to safeguard covered defense information remains in place.
DFARS 252.204-7012 requires contractors to provide adequate security for covered contractor information systems. For applicable systems, this includes implementing NIST SP 800-171 and maintaining required cyber incident reporting, evidence preservation, and related response capabilities.
If you use external cloud or AI platforms for CUI
The CMMC suspension does not eliminate separate cloud security requirements.
When an external cloud provider stores, processes, or transmits covered defense information, DFARS 252.204-7012 requires contractors to ensure the provider meets security requirements equivalent to the FedRAMP Moderate baseline. The provider must also support applicable incident reporting, media preservation, forensic analysis, and related obligations.
Contractors should continue reviewing:
- What information users enter into each platform
- Whether that information includes CUI
- Where the information is stored and processed
- Whether the provider meets applicable security requirements
- Whether required incident reporting is supported
- Whether subcontractors and external service providers are properly included within the security scope
Contractor decision guide
Why did the Pentagon suspend CMMC Phase II?
The Pentagon said that the current program had created prohibitive compliance costs and bureaucratic burdens, particularly for small, medium-sized, and nontraditional businesses. The Department also said the compliance model was forcing some innovative companies out of the defense industrial base and could delay the delivery of critical capabilities.
Officials also pointed to a capacity shortfall behind the certification requirement. DoD Chief Information Officer Kirsten Davies told reporters that more than 100,000 defense industrial base companies still needed a third-party Level 2 assessment, while roughly 100 assessors were available to perform them, calling the mismatch simply unworkable at scale. Undersecretary of Defense for Acquisition and Sustainment Michael Duffey said the change was about cutting bureaucracy, not cybersecurity itself: officials were “halting complex audits” and the requirement for third-party assessors, while continuing to expect full compliance with NIST standards.
The underlying policy challenge is not whether defense contractors should maintain strong cybersecurity. The defense supply chain remains a major target for sophisticated adversaries.
The question is whether the Government can verify meaningful cybersecurity without creating a certification model that is too expensive or difficult to scale.
The cost gap between government estimates and small-business experience
Estimated and reported CMMC costs
The final CMMC program rule estimated that supporting a Level 2 self-assessment and initial affirmation would cost a small entity approximately $34,277. It estimated a Level 2 C3PAO certification assessment and initial affirmation at approximately $101,752.
The SBA Office of Advocacy later reported that small manufacturers had submitted substantially higher estimates. Those businesses reported upfront costs ranging from $150,000 to $800,000, plus monthly consulting expenses of $5,000 to $7,500. Some estimated that ongoing compliance could cost $1 million to $2 million or more over time.
SBA Administrator Kelly Loeffler put a more current figure on that gap following the suspension announcement, saying compliance costs were approaching $600,000 for the more than 100,000 small businesses affected, and that the agency “strongly supports” the Department's action to preserve cybersecurity while cutting red tape.
These reports do not mean that cybersecurity investments are unnecessary. They illustrate the potential gap between standardized regulatory estimates and the cost of restructuring a small company's actual systems, policies, personnel, facilities, and vendors.
Cybersecurity protects the defense industrial base. A compliance model that prevents capable companies from participating can weaken it.
What could replace the suspended requirements?
The Department has not announced a final replacement model.
Its reform task force has been directed to recommend realistic and scalable security measures that protect federal information while lowering barriers for small, medium-sized, and nontraditional businesses.
Potential approaches could include:
- Greater reliance on self-assessments
- Targeted government-led assessments
- Third-party certification for higher-risk programs
- Requirements based on the type and sensitivity of CUI
- Continuous evidence and security monitoring
- Secure shared environments for smaller contractors
- Greater reciprocity among federal security authorizations
- More direct support for small-business compliance expenses
These are possible approaches, not announced policy.
Frequently asked questions
Is CMMC completely suspended?
No. Phase II and later implementation milestones have been suspended. Phase I self-assessment requirements remain in place.
Are CMMC Level 2 self-assessments still permitted?
Yes. During the suspension, acquisition teams may designate CMMC Level 2 self-assessments for contractors handling CUI.
Do contractors still need a C3PAO certification?
The Department has suspended procurement designations requiring Level 2 C3PAO assessments during the review period. Contractors should still review each solicitation and contract and monitor for formal amendments or modifications.
Will active solicitations be amended?
The implementation guidance directs program offices to initiate amendments removing Level 2 C3PAO and Level 3 DIBCAC requirements from active solicitations as soon as practicable.
Do contractors still need to comply with NIST SP 800-171?
Yes, when required by the applicable contract and DFARS clauses. The Department stated that it will continue enforcing NIST SP 800-171 Revision 2 through self-assessments and selected government-led assessments.
Can contractors stop protecting CUI?
No. Contractors and subcontractors remain contractually responsible for safeguarding covered defense information.
Does FedRAMP still matter for cloud providers?
Yes. DFARS 252.204-7012 continues to require external cloud providers handling covered defense information to meet security requirements equivalent to the FedRAMP Moderate baseline.
What contractors should watch next
The CMMC Reform Task Force is expected to deliver recommendations within 60 days.
Contractors should monitor:
- New CMMC implementation guidance
- Solicitation amendments
- Contract modifications
- Changes to assessment levels
- Updated self-assessment requirements
- Government-led assessment policies
- Guidance for C3PAOs
- Treatment of existing certifications
- Potential changes to acquisition implementation
The final policy may change how the Government validates cybersecurity, but contractors should assume that protecting CUI will remain a core obligation.
Secure AI for government contractors
The CMMC suspension does not remove contractors' responsibility to understand where sensitive government information is stored, processed, and transmitted.
Awarded AI provides government contractors with an AI platform built to support how teams find, qualify for, respond to, win, and deliver government contracts in a secure, FedRAMP Moderate-authorized environment.
Request a demo to explore Awarded AI Security.
Disclaimer
This article is intended for informational purposes and does not constitute legal, cybersecurity, or contracting advice. Contractors should review their specific solicitations, contracts, systems, and information-handling practices with qualified legal and compliance professionals.
Click here to schedule a demo to get the full scoop on how our product actually works and discover how AI can transform your approach to government contracting.

.png)
