CMMC Phase 2 Suspended: What It Means for OSCs, Assessments, and Certifications

On July 13, 2026, the Department of War (DoW) suspended the planned transition to CMMC Phase 2. In a release titled Forging the Arsenal of Freedom, the Department announced that, effective immediately, it will suspend “the transition to Phase II requirements of CMMC, as well as pending and future CMMC implementation milestones across the Department of War solicitations and contracts.” Phase 2, scheduled to begin November 10, 2026, would have made third-party (C3PAO) CMMC Level 2 certification a condition of contract award for most new contracts involving Controlled Unclassified Information (CUI). A newly established CMMC Reform Task Force will review the program and report to the DoW CIO within 60 days.

If your organization is an OSC or OSA — an Organization Seeking Certification or Assessment, in CMMC terms — the announcement is easy to misread. Suspending Phase 2 does not suspend your security obligations. The sections below separate what changed from what did not, because that distinction should drive every compliance decision you make in the months ahead.

The bottom line up front

  • CMMC Phase 2 is suspended, not canceled. The third-party certification mandate scheduled for November 10, 2026 is on hold pending a 60-day review, and all pending and future implementation milestones — including the November 2027 Phase 3 milestone that would have introduced Level 3 assessments — are “held in abeyance until further notice.”
  • DFARS 252.204-7012 is untouched. The obligation to safeguard covered defense information and report cyber incidents within 72 hours remains fully binding.
  • Flow-down still exists. Subcontractors remain obligated under DFARS, and primes are not required to relax the CMMC requirements they have already pushed down their supply chains.
  • Existing certifications are not invalidated. A CMMC Level 2 certificate already earned remains a valid credential.
  • NIST SP 800-171 Rev 2 is the interim standard, enforced through self-assessments and select government-led assessments — with genuine False Claims Act exposure for inaccurate self-attestations.

What the Department announced on July 13

The press release states: “Effective immediately, the Department will suspend the transition to Phase II requirements of CMMC, as well as pending and future CMMC implementation milestones across the Department of War solicitations and contracts.” The implementing memorandum, signed by DoW Chief Information Officer Kirsten A. Davies, directs that all pending and future CMMC implementation milestones are “held in abeyance until further notice.” Phase 2 was the point in the phased rollout at which most new contracts involving CUI would have required an assessment by a Certified Third-Party Assessment Organization (C3PAO) rather than a self-assessment. That transition is now paused.

The same action established a CMMC Reform Task Force — described by Davies as a cross-functional team with representation from the CIO's office, Acquisition and Sustainment, Research and Engineering, and other components — to conduct a top-to-bottom review and deliver recommendations to the CIO within 60 days, placing its report in mid-September 2026. The release frames the review as “prioritizing speed to capability” and lowering barriers for small, medium, and non-traditional businesses; Davies' memo goes further, directing the task force to recommend a framework that replaces “prohibitive, third-party compliance models” with “scalable, realistic security measures.”

Why the Department suspended Phase 2

The suspension reflects cost and capacity, not a retreat from cybersecurity. Announcing the decision, Davies told reporters that “the math just simply doesn't math for small to medium-sized businesses to even get compliant by the transition date.” Three pressures converged:

  • Cost. Citing Small Business Administration data, Davies said that moving into the future phases of CMMC implementation could cost small and mid-sized businesses more than $7 billion annually.
  • Assessment capacity. By Davies' count, more than 100,000 defense industrial base companies still needed a third-party assessment — against roughly 100 authorized assessment organizations. The Cyber AB counted 107 authorized C3PAOs at its June 2026 town hall, supported by about 1,000 individual certified assessors. On that arithmetic, the November timeline was not achievable.
  • Industrial base retention. Department leaders concluded the mandate, as structured, was pushing the small and non-traditional businesses the military needs out of the defense industrial base.

What did not change: DFARS 252.204-7012

The most important fact for contractors: your DFARS obligations did not move. DFARS 252.204-7012 — the clause that requires you to safeguard covered defense information by implementing NIST SP 800-171 and to rapidly report cyber incidents within 72 hours of discovery — remains fully in effect. So do DFARS 252.204-7019 and 7020, which require a current NIST 800-171 self-assessment score posted in SPRS and give the government the right to verify it. CMMC was always the verification layer on top of these clauses; pausing the verification does not remove the underlying requirement. If you handle CUI, you are contractually required to protect it to the 800-171 standard today. (Our guide to SPRS scores covers how that obligation is scored and submitted.)

What did not change: flow-down

Flow-down survives the suspension in two distinct ways. First, DFARS 7012 flows down by its own terms to subcontractors at every tier whose performance involves covered defense information — and the Department's announcement reaffirmed it directly: “All defense contractors and subcontractors remain contractually obligated to safeguard covered defense information in accordance with DFARS clause 252.204-7012.” Second, many prime contractors had already flowed CMMC Level 2 requirements down to their suppliers ahead of the November deadline, independent of the federal rollout. Primes are under no obligation to relax those contractual requirements because the Department paused Phase 2. If your prime expects you to be Level 2-ready, that expectation likely still stands — confirm it rather than assume.

What did not change: recent certifications

If you invested in a C3PAO assessment and earned a CMMC Level 2 certification, the suspension takes nothing away from you. Existing certifications are not invalidated. A Level 2 certificate remains a valid credential — and in a market where third-party certification is temporarily paused, holding one is a genuine differentiator in prime supplier selection. Contractors who completed the work early did not waste the investment; they hold a head start. Level 1 and Level 2 self-assessed certifications, and the annual affirmations behind them, likewise remain in force.

What it means for assessments and OSCs

For organizations mid-journey, the practical effects are specific:

  • Solicitations are being amended. Active solicitations that still list Level 2 (C3PAO) certification or Level 3 requirements are to be amended to remove them as soon as practicable. Existing contracts that contain those requirements are to have them removed by modification before the next option period is exercised, or during the next scheduled administrative modification.
  • Self-assessment is the interim path. The Department will enforce cybersecurity through NIST SP 800-171 Rev 2 self-assessments and select government-led assessments during the review window. Phase 1, in effect since November 10, 2025, continues unchanged.
  • C3PAO assessments are not prohibited. Third-party assessment is paused as a condition of award, not banned. C3PAOs remain authorized, and contractors may still pursue certification voluntarily — many will, to stay ahead of whatever the task force recommends.
  • Self-attestation accuracy carries legal weight. With self-assessment at the center of interim enforcement, the accuracy of your SPRS score and senior-official affirmation matters more than ever. A knowingly inflated score is a false statement to the government, and False Claims Act enforcement in this area has been rising. Treat every submission as the legal representation it is.

What prepared contractors are doing now

The task force is reviewing how compliance gets verified — not whether you must secure CUI. That duty lives in DFARS and is not under review. The contractors who come out ahead will treat the next 60-plus days as time to prepare, not permission to stop:

  • Keep closing your 800-171 gaps. Every gap you close raises your SPRS score, satisfies DFARS 7012 today, and positions you for whatever verification model returns. The work does not expire. Our Level 2 requirements checklist is a practical map.
  • Confirm your prime's expectations in writing. Federal timelines changed; your prime's supply-chain requirements may not have.
  • Address scope now. Consolidating CUI into a purpose-built secure enclave reduces the systems you must secure, document, and eventually certify — a sound decision under any version of the rules.
  • Establish an honest baseline. A CMMC readiness assessment shows where you actually stand against all 110 requirements, so decisions rest on data rather than headlines.

Frequently asked questions

Is CMMC canceled?

No. CMMC Phase 2 is suspended pending a 60-day review by the CMMC Reform Task Force. The program is paused and under revision, not repealed, and Phase 1 self-assessment requirements remain in effect.

Do I still have to comply with DFARS and NIST 800-171?

Yes. DFARS 252.204-7012, 7019, and 7020 are unaffected. You must still safeguard covered defense information to the NIST SP 800-171 Rev 2 standard, keep a current self-assessment score in SPRS, and report cyber incidents within 72 hours.

Are existing CMMC certifications still valid?

Yes. The suspension does not invalidate certifications already earned. An existing CMMC Level 2 certificate remains a valid credential and a competitive differentiator.

Do prime contractor flow-downs still apply?

Generally, yes. DFARS 7012 obligations flow down to subcontractors by the clause's own terms, and primes are not required to drop CMMC requirements they have already flowed down. Confirm your specific prime's expectations directly.

Should I stop my CMMC project?

No. The verification method is under review, but the obligation to protect CUI is not. Continuing to close your NIST 800-171 gaps satisfies DFARS today and positions you for whatever the task force recommends.

When will third-party CMMC certification return?

The task force is due to deliver recommendations within 60 days of the July 13, 2026 announcement — around mid-September 2026. The timing and shape of any revived third-party requirement will depend on that review; no new date has been set.

How Essendis helps

Regulatory change is easier to navigate with advisory and engineering under one roof. Essendis can tell you precisely what the Phase 2 suspension does and does not change for your contracts, then do the work: readiness assessment, secure enclave build, remediation, and assessment preparation for when certification resumes. It is the same approach that took our client RPS Defense to a perfect 110/110 CMMC Level 2 assessment with A-LIGN (C3PAO), with no POA&M required. Explore our CMMC Level 2 compliance services, review our CMMC 2.0 overview, or connect with an expert to assess your position under the new guidance.

Talk to a Cloud Cybersecurity Expert

Thank you for contacting Essendis. Our team is reviewing your submission and will be in touch shortly. 
We look forward to assisting with your cybersecurity and cloud computing needs. 

Continue Exploring Essendis’ Offerings

Return to Essendis
Oops! Something went wrong while submitting the form.