CMMC Phase II Suspended

Table of Contents

    Updated:

    July 15, 2026

    CMMC Phase 2 Certification Rollout Suspended

    The Pentagon suspended the CMMC Phase 2 certification rollout on July 13, 2026, delaying mandatory third-party assessments for defense contractors. The decision paused planned Level 2 C3PAO assessments, Level 3 government assessments, and later implementation milestones while a CMMC Reform Task Force reviews program costs, assessment capacity, and possible structural changes.

    CMMC Phase 1 remains active. Contractors must still complete applicable self-assessments, submit scores through the Supplier Performance Risk System, provide annual affirmations, and follow FAR and DFARS requirements for protecting federal contract information and controlled unclassified information.

    The pause follows several years of rulemaking, including the CMMC 2.0 redesign and final program and acquisition rules issued in 2024 and 2025.

    It provides temporary relief to contractors expecting external certification, particularly small and medium-sized businesses facing high assessment costs and limited access to qualified assessors. Enforcement risks remain.

    Inaccurate cybersecurity representations can still lead to contract eligibility problems, government investigations, and False Claims Act exposure.

    Defense contractors should continue maintaining system security plans, closing remediation items, preserving assessment evidence, and preparing for future verification requirements. The Pentagon’s 60-day review will help determine whether CMMC retains broad third-party certification, limits it to higher-risk contracts, or adopts a different assessment model.

    Bright Defense helps defense contractors maintain CMMC readiness through Security Assessments, Continuous Compliance, and Penetration Testing services.

    CMMC Bright Defense
    CMMC Bright Defense

    What Did The Pentagon Suspend Under CMMC Phase 2?

    The Pentagon stopped the progression from CMMC Phase 1 to Phase 2, including the introduction of mandatory CMMC Level 2 assessments conducted by certified third-party assessment organizations. Level 3 assessments performed through the Defense Industrial Base Cybersecurity Assessment Center have been placed on hold as well. (U.S. Department of War)

    Contracting officers must remove Level 2 third-party certification and Level 3 government assessment requirements from active solicitations. Existing contracts must be modified before the next option exercise or other administrative modification when they contain affected requirements.

    The Pentagon directed officials not to use waivers as a workaround during the suspension. All later implementation milestones are being held while a CMMC Reform Task Force reviews the program. The official documents describe the action as a suspension and reform process rather than the cancellation of CMMC.

    Pentagon Suspends CMMC Phase 2
    Pentagon Suspends CMMC Phase 2

    How Did CMMC Reach The July 13, 2026 Suspension?

    CMMC developed through several rulemaking and implementation cycles beginning in 2019. The Pentagon introduced an interim assessment rule in 2020, replaced the original five-level model with CMMC 2.0 in 2021, finalized the main program rule in 2024 and began contractual implementation in 2025. (Breaking Defense)

    The Department of Defense published its first CMMC-related interim rule on September 29, 2020, with an effective date of November 30, 2020. The department announced CMMC 2.0 on November 4, 2021, and published its formal update on November 17, 2021, pausing the original pilot structure while it developed new regulations.

    A proposed program rule followed on December 26, 2023. The final rule was published on October 15, 2024, and took effect on December 16, 2024, as 32 CFR Part 170. A separate acquisition rule was published on September 10, 2025, and became effective on November 10, 2025, starting Phase 1 implementation. (Federal Register)

    Small-business concerns continued after implementation. The Small Business Administration announced a CMMC cost and impact roundtable on February 24, 2026, and held the session on March 12, 2026. The Pentagon suspended Phase 2 four months later and announced a 60-day review of the program. (Office of Advocacy)

    Which CMMC Requirements Still Apply During The Phase 2 Pause?

    CMMC Phase 1 remains in effect. Contractors may still face Level 1 or Level 2 self-assessment requirements, annual compliance affirmations and SPRS reporting obligations. The underlying FAR and DFARS clauses governing federal contract information and controlled unclassified information remain enforceable during the review. (dodcio.defense.gov)

    CMMC Level 1 requires an annual self-assessment covering 15 basic safeguarding requirements from FAR 52.204-21. A senior company official must affirm compliance annually. (dodcio.defense.gov)

    Every defense contractor that handles controlled unclassified information and pursues CMMC Level 2 compliance must implement the 110 security requirements from NIST SP 800-171 Revision 2, and Level 2 self-assessments measure how fully those controls operate.

    The assessment is generally valid for three years, but the contractor must submit a new affirmation each year. Assessment results must be recorded in SPRS. (dodcio.defense.gov)

    Conditional Level 2 status may remain valid for no more than 180 days while a contractor closes an approved plan of action and milestones. DFARS 252.204-7012, including its incident-reporting and controlled-information safeguards, remains in force. (dodcio.defense.gov)

    Which Defense Contractors Are Affected By The CMMC Phase 2 Suspension?

    The suspension affects defense contractors and subcontractors whose systems process, store or transmit federal contract information or controlled unclassified information. Companies expecting mandatory Level 2 C3PAO assessments receive the most immediate relief, while organizations subject to Phase 1 self-assessments must continue meeting their current contractual obligations. (dodcio.defense.gov)

    Pentagon Chief Information Officer Kirsten Davies told reporters during the July 13, 2026, briefing that more than 100,000 defense industrial base businesses still needed a third-party assessment while only around 100, or slightly more than 100, assessors were available. Davies said the available capacity could not bring small and medium businesses into compliance before the former November 10, 2026, transition date. (Breaking Defense)

    National Defense reported on June 30, 2026, that the Pentagon estimated approximately 80,000 companies would require CMMC Level 2 certification specifically. Davies’ figure covered DIB businesses that still needed any third-party assessment across Levels 2 and 3. The figures represent different assessment populations and do not conflict. (National Defense Magazine)

    What CMMC Enforcement And False Claims Act Risks Remain?

    The Phase 2 suspension removes the near-term third-party certification gate, but it does not prevent enforcement of existing cybersecurity clauses. Contractors can still lose award eligibility, encounter option-exercise problems or face False Claims Act investigations when their assessments, affirmations or invoices misrepresent actual compliance. (U.S. Department of War)

    On June 18, 2026, Alabama contractor LOGZONE agreed to pay $507,144 to resolve allegations that it knowingly failed to meet cybersecurity requirements on two Navy contracts. A government assessment produced an SPRS score of -170 on a scale ranging from -203 to 110. The DOJ settlement agreement states that LOGZONE had self-reported a perfect SPRS score of 110 on October 13, 2021, before a DIBCAC assessment completed on February 2, 2024, produced the -170 score. The settlement resolved allegations without a determination of liability. (Department of Justice)

    Raytheon companies and Nightwing Group agreed to pay $8.4 million on May 1, 2025, resolving allegations involving cybersecurity requirements across 29 Defense Department contracts and subcontracts. The Justice Department alleged that an internal system lacked a required system security plan and did not meet other FAR and DFARS safeguards. (Department of Justice)

    These cases concern the underlying contract clauses rather than failure to obtain a CMMC certificate. Their continued relevance shows that the Pentagon’s schedule change does not stop enforcement against unsupported compliance representations.

    Why Did Small Businesses Push Back On CMMC Phase 2?

    For defense suppliers with limited security budgets and staff, achieving CMMC compliance for small businesses means absorbing high assessment costs, finding qualified assessors, and interpreting unclear scoping rules that affect contract eligibility.

    The SBA warned in 2024 that the proposed program carried high compliance costs and requested clearer guidance for enclaves, service providers and C3PAO assessments. (Office of Advocacy)

    The Pentagon’s proposed cost model estimated that a Level 2 third-party assessment cycle would cost nearly $105,000 for a small entity and about $118,000 for a larger entity. Those estimates included the assessment and related affirmations but excluded the expense of implementing the underlying security controls. (DefenseScoop)

    The Pentagon said in its suspension memo that costs, procedural complexity and assessment-capacity shortages were discouraging small and nontraditional companies from participating in the defense supply chain. The department did not publish data showing how many suppliers had departed due specifically to CMMC.

    What Should Defense Contractors Do During The CMMC Phase 2 Suspension?

    Defense contractors should continue their CMMC readiness programs rather than treat the suspension as permission to stop remediation. Existing self-assessment, SPRS, affirmation and DFARS duties remain active. Systems that handle controlled unclassified information should continue operating according to NIST SP 800-171 Revision 2. (U.S. Department of War)

    1. Maintain The System Security Plan. Keep the CUI boundary, assets, users, data flows and external service providers accurately documented.
    2. Complete Required Assessments. Submit current Level 1 or Level 2 self-assessment results to SPRS and retain evidence supporting each score.
    3. Close Open Remediation Items. Conditional CMMC status permits no more than 180 days to complete an approved plan of action and milestones.
    4. Preserve Assessment Evidence. Keep policies, configuration records, access reviews, vulnerability findings, incident records and control-testing results available for future government or third-party review.
    5. Review Solicitations And Contracts. Confirm that contracting officers have removed suspended C3PAO or DIBCAC requirements where the Pentagon’s implementation memo applies.

    When Will The Pentagon Decide The Future Of CMMC?

    The CMMC Reform Task Force has 60 days from the July 13, 2026, announcement to submit recommendations to the Pentagon’s chief information officer. That schedule places the expected review point around September 11, 2026, although the department has not announced a new Phase 2 implementation date. (U.S. Department of War)

    The review will consider responses to a public request for information, assessment capacity, compliance costs and possible alternatives to the existing certification structure. All milestones after Phase 1, including the previously planned Phase 3 and full implementation stages, remain suspended. (U.S. Department of War)

    The existing CMMC regulations remain codified in 32 CFR Part 170. Major structural changes could therefore require further rulemaking or amendments to the DFARS acquisition provisions. That conclusion is an inference from the current regulatory status. The Pentagon has not yet specified which rules it intends to revise. (Federal Register)

    What Does The CMMC Phase 2 Pause Mean For Defense Cybersecurity?

    The suspension shifts near-term reliance from independent certification toward contractor self-assessments and selected government-led reviews. It may reduce procurement delays and supplier costs, but it leaves the Pentagon with fewer independent assessments for confirming that contractors have implemented controls protecting sensitive defense information. (U.S. Department of War)

    Pentagon Chief Information Officer Kirsten Davies said the department was not reducing cybersecurity requirements and was instead seeking to reduce procedural barriers. The final direction will determine whether CMMC retains mandatory third-party verification, narrows it to higher-risk contracts or adopts a different assessment model. (Breaking Defense)

    How Bright Defense Helps Defense Contractors Maintain CMMC Readiness

    Bright Defense helps defense contractors maintain readiness during the CMMC Phase 2 suspension through Security Assessments, Continuous Compliance and Penetration Testing. These services can evaluate NIST SP 800-171 controls, test whether safeguards operate as documented, track remediation work and organize evidence for self-assessments or future certification reviews.

    Continuous Compliance can help teams monitor control changes between formal assessments. Security Assessments can compare current practices with Level 1 or Level 2 requirements. Penetration Testing can expose technical weaknesses that could undermine an organization’s documented security posture.

    These services do not replace a C3PAO assessment when third-party certification is required. They can prepare contractors for renewed assessment requirements once the Pentagon completes its reform process.

    Sources

    • U.S. Department of War, “Forging the Arsenal of Freedom: Department of War Suspends CMMC Phase II Requirements” (July 13, 2026)
    • Department of War Chief Information Officer, “Removing Barriers to Defense Industrial Base Expansion: Immediate Suspension and Strategic Review of Cybersecurity Maturity Model Certification Requirements” (July 10, 2026; released July 13, 2026)
    • Department of War Acquisition and Sustainment, “Implementing the Suspension of CMMC Phase II Requirements” (July 13, 2026)
    • Department of War Chief Information Officer, “About CMMC” (accessed July 14, 2026)
    • Federal Register, “Cybersecurity Maturity Model Certification Program” (October 15, 2024)
    • Federal Register, “Assessing Contractor Implementation of Cybersecurity Requirements” (September 10, 2025)
    • Federal Register, “Cybersecurity Maturity Model Certification 2.0 Updates and Way Forward” (November 17, 2021)
    • U.S. Small Business Administration Office of Advocacy, “Comment Letter: Cybersecurity Maturity Model Certification Program” (February 26, 2024)
    • U.S. Small Business Administration Office of Advocacy, “CMMC Program Small Business Impacts Roundtable,” announced February 24, 2026, held March 12, 2026
    • Breaking Defense, “Pentagon Announces Immediate Suspension of CMMC Phase II Mandates” (July 13, 2026)
    • Washington Technology, “DOD Suspends CMMC Phase 2, Launches 60-Day Reform Review” (July 13, 2026)
    • National Defense, “Consultants Warn of Overconfidence as CMMC Phase 2 Deadline Looms” (June 30, 2026)
    • U.S. Department of Justice, “Alabama Defense Contractor Agrees to Pay $507,144 Over Cybersecurity Violations” (June 18, 2026)
    • U.S. Department of Justice, “Raytheon Companies and Nightwing Group to Pay $8.4 Million Over Cybersecurity Requirements” (May 1, 2025)
    • DefenseScoop, “Pentagon Reveals Updated Cost Estimates for CMMC Implementation” (December 28, 2023)

    Tamzid brings 5+ years of writing experience across SaaS, cybersecurity, compliance, and blockchain. He holds a foundational Cisco cybersecurity certification and turns complex topics into clear, practical insights.

    Get In Touch

      Group 1298 (1)-min