CMMC Phase II Is Paused, Not Canceled: What Defense Contractors Need to Know
Executive Brief
On July 13, 2026, the Department of War (DoW) announced it's suspending Cybersecurity Maturity Model Certification (CMMC) Phase II requirements, with no set timetable for reinstatement, while a 60-day CMMC Reform Task Force reviews the program's future direction.
If you saw that headline and assumed CMMC compliance disappeared, you are not alone. But when you read the full memo, it’s clear that CMMC is still enforceable, and the pause has a very defined scope:
- The suspension applies to the mandatory third-party assessment requirement (through a Certified Third-Party Assessment Organization, or C3PAO), not the underlying compliance obligation
- Phase 1 self-assessment requirements for CMMC Level 1 and Level 2 remain fully in effect
- Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 obligations are unchanged
- Prime contractors can still require CMMC Level 2 (C3PAO) certification through their own supply chain flow-down requirements, independent of the DoW's timeline
- A 60-day review will determine what, if anything, replaces the paused certification requirement
Dig deeper below to learn more.
Why This Pause Is Getting So Much Attention
CMMC Phase II was set to make third-party certification the default requirement for Level 2 contracts starting November 10, 2026. Contractors, primes, and assessors had all spent the better part of two years preparing for that date.
- Some contractors had contracts and prospects already in motion tied to that deadline
- Some are now pausing or canceling compliance projects they assume are no longer necessary
- Others are asking whether this signals the end of CMMC altogether
The reality is that nobody outside of the DoW has a confirmed picture of what happens after the 60-day review. What is confirmed is what has and has not changed today.
Key Dates to Know
- July 10, 2026: Suspension memo signed by the War Department's Chief Information Officer (CIO), Kirsten Davies
- July 13, 2026: Public announcement and press briefing
- August 14, 2026: Industry responses to the Request for Information (RFI) are due. This is the only fixed deadline during the interim period
- Mid-September 2026 (estimated): The CMMC Reform Task Force reports its findings to War Department CIO Davies
- November 10, 2026: No longer the milestone date for Phase II of the CMMC rollout.
What Actually Changed
- The requirement for a C3PAO certification assessment, tied to the November 10, 2026, Phase II deadline, has been suspended
- DoW is conducting a 60-day review of the CMMC program, with an eye toward reducing burden on small and mid-sized businesses
- Alongside the announcement, DoW released “Brilliant at the Basics” interim baseline cybersecurity guidance loosely tied to the 110 controls in NIST SP 800-171
What HasN't Changed
- DFARS 252.204-7012 remains a binding contractual requirement for any contract that includes it
- NIST SP 800-171 Revision 2 is still the standard your organization is contractually obligated to meet, and the interim enforcement standard during the review period
- Supplier Performance Risk System (SPRS) score submission requirements are unchanged
- CMMC Level 1 and Level 2 self-assessment obligations under Phase 1 continue to apply
- False Claims Act exposure for inaccurate self-attestation has not gone anywhere
ISI Insight: the framework you're being measured against hasn't moved. What's under review is how the government verifies that you actually meet it.
The Real Risk Sits in Self-Attestation, Not in the Pause Itself
With third-party verification on hold, more risk shifts back to the contractor due to their self-assessments. If anything, that raises the stakes.
- You are still attesting that you meet all 110 NIST SP 800-171 controls, without an outside check confirming it
- An inaccurate self-attestation can create False Claims Act exposure even without a failed third-party audit to trigger it
- A System Security Plan (SSP) that does not reflect reality is now more of a liability without a C3PAO flagging it before your assessment
If your organization is leaning on self-assessment for the foreseeable future, now is the time to make sure your documentation and evidence would hold up if someone asked hard questions about it.
Watch What Prime Contractors Do Next
DoW's timeline is only one part of the picture. Prime contractors had already started flowing down their own CMMC Level 2 certification requirements ahead of the November 10 deadline, independent of the federal rollout.
- Primes are not obligated to relax their own supply chain requirements just because the Department paused Phase II
- Some primes may hold firm on certification requirements they have already communicated to subcontractors
- Subcontractors should confirm directly with their primes rather than assume the pause applies to their specific contract
“Brilliant at the Basics” Is Guidance, Not a Substitute for Your Contract Requirements
DoW paired the suspension with interim guidance, “Brilliant at the Basics,” aimed at giving small, mid-sized, and non-traditional businesses a simpler baseline to work from. It's a useful reference point, but it's not a new compliance standard, and it doesn't replace what's written into your contract.
- Your compliance obligations are defined by your contract clauses, not by interim guidance documents
- Treat new guidance as context, not as a shortcut around NIST SP 800-171 or DFARS 252.204-7012
The ISI Advantage: One Partner, Whatever the Framework
Frameworks change. Deadlines move. Assessment mechanisms get paused and reviewed. What doesn't change is that defense contractors still need to run secure, well-managed IT environments and protect the information the government has entrusted to them.
What ISI does:
- We are a provider of managed IT and cybersecurity services for the Defense Industrial Base (DIB)
- Because we are exclusively focused on the DIB, we track regulatory shifts like this one and adjust our guidance and strategy faster than generalist IT providers juggling multiple industries
- Whether the requirement in front of you is CMMC Level 2, NIST SP 800-171 Revision 2 or Revision 3, DFARS 252.204-7012, or a future GSA or FAR-based CUI rule, our job is the same: keep your environment secure and your documentation defensible
- We help you build and maintain evidence-based documentation, including an accurate System Security Plan and supporting POA&Ms, so a paused third-party assessment does not leave you exposed on self-attestation
We are your trusted advisors and ground every one of our recommendations in your actual contractual obligations and business goals, not in speculation about what might happen after a 60-day review.
FAQs
Does the CMMC Phase II suspension mean I no longer need to comply with CMMC?
No. The suspension pauses the mandatory third-party (C3PAO) certification assessment tied to the November 10, 2026, deadline. Phase I one requirements, CMMC Level 1 (Self) and Level 2 (Self), can still apply to new awards.
Do I still need to complete a self-assessment?
Yes. Phase 1 self-assessment requirements for CMMC Level 1 and Level 2, along with SPRS score submission, remain in effect. If you have already achieved Level 2 (C3PAO) certification, that certification is still valid for three years and is accepted for awards requiring either Level 1 (Self) or Level 2 (Self) certification.
Will my prime contractor still require a CMMC Level 2 certification?
Possibly. Many primes built their own certification requirements into supply chain flow-downs ahead of the federal deadline. Confirm directly with your prime rather than assuming DoW's pause applies to your contract.
What is the risk of self-attestation without a third-party assessment?
Self-attestation still requires you to certify that you meet all 110 NIST SP 800-171 controls. An inaccurate attestation can create False Claims Act exposure, whether a third-party assessor was ever involved.


