On July 13, 2026, the Department of War (DoW) suspended the planned transition to CMMC Phase 2. In a release titled Forging the Arsenal of Freedom, the Department announced that, effective immediately, it will suspend “the transition to Phase II requirements of CMMC, as well as pending and future CMMC implementation milestones across the Department of War solicitations and contracts.” Phase 2, scheduled to begin November 10, 2026, would have made third-party (C3PAO) CMMC Level 2 certification a condition of contract award for most new contracts involving Controlled Unclassified Information (CUI). A newly established CMMC Reform Task Force will review the program and report to the DoW CIO within 60 days.
If your organization is an OSC or OSA — an Organization Seeking Certification or Assessment, in CMMC terms — the announcement is easy to misread. Suspending Phase 2 does not suspend your security obligations. The sections below separate what changed from what did not, because that distinction should drive every compliance decision you make in the months ahead.
The press release states: “Effective immediately, the Department will suspend the transition to Phase II requirements of CMMC, as well as pending and future CMMC implementation milestones across the Department of War solicitations and contracts.” The implementing memorandum, signed by DoW Chief Information Officer Kirsten A. Davies, directs that all pending and future CMMC implementation milestones are “held in abeyance until further notice.” Phase 2 was the point in the phased rollout at which most new contracts involving CUI would have required an assessment by a Certified Third-Party Assessment Organization (C3PAO) rather than a self-assessment. That transition is now paused.
The same action established a CMMC Reform Task Force — described by Davies as a cross-functional team with representation from the CIO's office, Acquisition and Sustainment, Research and Engineering, and other components — to conduct a top-to-bottom review and deliver recommendations to the CIO within 60 days, placing its report in mid-September 2026. The release frames the review as “prioritizing speed to capability” and lowering barriers for small, medium, and non-traditional businesses; Davies' memo goes further, directing the task force to recommend a framework that replaces “prohibitive, third-party compliance models” with “scalable, realistic security measures.”
The suspension reflects cost and capacity, not a retreat from cybersecurity. Announcing the decision, Davies told reporters that “the math just simply doesn't math for small to medium-sized businesses to even get compliant by the transition date.” Three pressures converged:
The most important fact for contractors: your DFARS obligations did not move. DFARS 252.204-7012 — the clause that requires you to safeguard covered defense information by implementing NIST SP 800-171 and to rapidly report cyber incidents within 72 hours of discovery — remains fully in effect. So do DFARS 252.204-7019 and 7020, which require a current NIST 800-171 self-assessment score posted in SPRS and give the government the right to verify it. CMMC was always the verification layer on top of these clauses; pausing the verification does not remove the underlying requirement. If you handle CUI, you are contractually required to protect it to the 800-171 standard today. (Our guide to SPRS scores covers how that obligation is scored and submitted.)
Flow-down survives the suspension in two distinct ways. First, DFARS 7012 flows down by its own terms to subcontractors at every tier whose performance involves covered defense information — and the Department's announcement reaffirmed it directly: “All defense contractors and subcontractors remain contractually obligated to safeguard covered defense information in accordance with DFARS clause 252.204-7012.” Second, many prime contractors had already flowed CMMC Level 2 requirements down to their suppliers ahead of the November deadline, independent of the federal rollout. Primes are under no obligation to relax those contractual requirements because the Department paused Phase 2. If your prime expects you to be Level 2-ready, that expectation likely still stands — confirm it rather than assume.
If you invested in a C3PAO assessment and earned a CMMC Level 2 certification, the suspension takes nothing away from you. Existing certifications are not invalidated. A Level 2 certificate remains a valid credential — and in a market where third-party certification is temporarily paused, holding one is a genuine differentiator in prime supplier selection. Contractors who completed the work early did not waste the investment; they hold a head start. Level 1 and Level 2 self-assessed certifications, and the annual affirmations behind them, likewise remain in force.
For organizations mid-journey, the practical effects are specific:
The task force is reviewing how compliance gets verified — not whether you must secure CUI. That duty lives in DFARS and is not under review. The contractors who come out ahead will treat the next 60-plus days as time to prepare, not permission to stop:
No. CMMC Phase 2 is suspended pending a 60-day review by the CMMC Reform Task Force. The program is paused and under revision, not repealed, and Phase 1 self-assessment requirements remain in effect.
Yes. DFARS 252.204-7012, 7019, and 7020 are unaffected. You must still safeguard covered defense information to the NIST SP 800-171 Rev 2 standard, keep a current self-assessment score in SPRS, and report cyber incidents within 72 hours.
Yes. The suspension does not invalidate certifications already earned. An existing CMMC Level 2 certificate remains a valid credential and a competitive differentiator.
Generally, yes. DFARS 7012 obligations flow down to subcontractors by the clause's own terms, and primes are not required to drop CMMC requirements they have already flowed down. Confirm your specific prime's expectations directly.
No. The verification method is under review, but the obligation to protect CUI is not. Continuing to close your NIST 800-171 gaps satisfies DFARS today and positions you for whatever the task force recommends.
The task force is due to deliver recommendations within 60 days of the July 13, 2026 announcement — around mid-September 2026. The timing and shape of any revived third-party requirement will depend on that review; no new date has been set.
Regulatory change is easier to navigate with advisory and engineering under one roof. Essendis can tell you precisely what the Phase 2 suspension does and does not change for your contracts, then do the work: readiness assessment, secure enclave build, remediation, and assessment preparation for when certification resumes. It is the same approach that took our client RPS Defense to a perfect 110/110 CMMC Level 2 assessment with A-LIGN (C3PAO), with no POA&M required. Explore our CMMC Level 2 compliance services, review our CMMC 2.0 overview, or connect with an expert to assess your position under the new guidance.

