Deep Breaths, Everyone
Well, that was a Monday.
Yesterday, July 13, 2026, the DoD CIO announced the immediate suspension of CMMC Phase 2 requirements, which were originally scheduled to begin on November 10, 2026. Within about 20 minutes of the CMMC Phase 2 suspension news hitting my screen, my LinkedIn feed turned into what seemed to be a single-topic forum page, with no other items in sight. Additionally, my desktop Discord crashed from all the activity in the COOEY COE Discord for all the CMMC Geeks out there.
And look, I get it. This is big news. But if there is one thing I have learned from years in the trenches of DIB compliance, it is that the hours immediately following a major announcement are when the most confident and least accurate takes get published. So, I want to do something a little different here. I want to walk through what actually happened, what explicitly did not happen, what is still required of you today, and the genuinely open questions that nobody (myself included) can answer yet.
No panic. No spin. Just the facts as published, a healthy respect for what we do not know, and some practical advice for what you should do while the dust settles. Sound good? Word.
What the CMMC Phase 2 Suspension Actually Changed
Three official items landed on July 13: a press release from the Department, a memorandum with implementation guidance published to the DoD CIO document library (referenced as 26-P-1023), and an updated banner on the CIO’s CMMC Resources & Documentation page. Taken together, here is the picture they paint:
Phase 2 is suspended, effective immediately. The transition to Phase 2, which would have introduced CMMC Level 2 (C3PAO) certification assessment requirements into applicable solicitations starting November 10, 2026, is on hold. During the suspension, Program Managers and requiring activities may only include CMMC Level 1 (Self) or CMMC Level 2 (Self) assessment requirements in procurement request and requirement documents. They are expressly prohibited from designating CMMC Level 2 (C3PAO) or CMMC Level 3 (DIBCAC) assessments during this period. Notably, that prohibition removes even the discretionary ability Program Managers had during Phase 1 to include a C3PAO requirement early.
Active solicitations and contracts are being cleaned up. If a requirements package included a Level 2 (C3PAO) or Level 3 (DIBCAC) requirement, Program Managers must initiate amendments to active solicitations, and contracting officers are directed to issue corresponding amendments as soon as practicable. For existing contracts that already contain these requirements, contracting officers are directed to remove them via modification before the next option period is exercised or during the next scheduled administrative modification.
Waiver procedures are suspended too. Since Program Managers can no longer select requirements that would call for a C3PAO or DIBCAC assessment, the memo states that no waivers shall be granted during program reviews.
Phase 1 remains firmly in place. The press release says exactly that, in those words. Level 1 and Level 2 self-assessment requirements continue. Officials have also indicated that, during the interim, the Department will enforce NIST SP 800-171 compliance through self-assessments and “select Government-led assessments” — a phrase the released documents do not define.
A 60-day review is underway. DoD Chief Information Officer Kirsten A. Davies is establishing a CMMC Reform Task Force to conduct a comprehensive review of the program. The task force will synthesize industry feedback from the Department’s public Request for Information on compliance challenges and deliver a final report to the CIO within 60 days, with recommendations aimed at scalable security measures and lower barriers for small and non-traditional businesses. Further guidance will be promulgated at the conclusion of that review. Assuming the clock runs 60 days from the announcement — and note that the memo itself is dated July 10, so the exact start of that clock is a little murky — the report should land on or around mid-September 2026. I’d assume public guidance will lag the report’s delivery by a bit, but we don’t know by how much.
As for the “why,” the Department’s stated rationale is cost and participation. The press release asserts that CMMC in its current form has created prohibitive compliance costs and bureaucratic burdens, and cites Small Business Administration reporting that compliance pressure is pushing innovative companies out of the DIB. The move is framed as part of aligning with the Secretary’s Acquisition Transformation System (ATS) directives.
I have a strong feeling that a lot of this has to do with the FAR CUI Rule that is in process that will be requiring protections for Controlled Unclassified Information for Federal Acquisitions beyond those that support the DoD. Sheer speculation here, but that’s my hunch if you ask me (you’re reading my blog so I’ll take that as a yes!).
What Did Not Happen
Now for the part that I think is getting lost in the noise. A few things that did not happen on July 13:
CMMC was not cancelled. Yet. The word in every official document is “suspension,” paired with a 60-day review and a reform task force. Could that review lead to major restructuring? Absolutely. Could it lead to a leaner program that retains third-party assessment in some form? Also plausible. “Suspended pending review” and “dead” are two very different states, and treating the former as the latter is exactly the kind of assumption I would encourage you to avoid making with your security budget.
The codified rules did not vanish. 32 CFR Part 170 (the CMMC Program rule) and the DFARS rule finalized under DFARS Case 2019-D041 remain codified in federal regulation. A memorandum directs procurement behavior within the Department; it does not amend the Code of Federal Regulations. How the Department formally reconciles the suspension with the rules on the books is one of the open questions we will get to shortly.
Your obligation to protect CUI did not change. The press release is explicit that this action does not eliminate the requirement for companies to protect federal data, and that all defense contractors and subcontractors remain contractually obligated to safeguard covered defense information in accordance with DFARS 252.204-7012. The implementation memo repeats it. This was not buried in a footnote. It was stated plainly, twice, in the two most authoritative documents released.
At the end of the day, here is the cleanest way I can summarize it: the verification mechanism of third-party assessment was suspended, but the requirements being verified were not.
The Requirements Still Firmly in Play
So, what does your compliance to-do list actually look like on July 14? Honestly, if you have been doing this right, it looks remarkably similar to how it looked on July 12.
DFARS 252.204-7012. If you handle CUI under a DoD contract, this clause remains your daily bread. That means implementing the security requirements of NIST SP 800-171 Rev 2, rapidly reporting cyber incidents to the Department within 72 hours, preserving relevant images and monitoring data, submitting discovered malicious software, and flowing the clause down to subcontractors handling covered defense information. This was your obligation before CMMC existed, and it is your obligation today.
Phase 1 self-assessments and affirmations. New solicitations will continue to carry CMMC Level 1 (Self) or Level 2 (Self) requirements, with the associated self-assessment and affirmation obligations that came with Phase 1 back in November 2025.
Accuracy still carries legal weight. I want to say this gently but clearly, because a self-assessment-centric interim period can tempt people into treating compliance like an honor system. The Department of Justice’s Civil Cyber-Fraud Initiative has already pursued False Claims Act cases involving misrepresented cybersecurity compliance. A false affirmation was a legal risk under Phase 1, and it remains one now. Third-party assessors were never the source of your obligation; rather, the fact that you accepted a contract involving regulated information was.
The Questions That Still Need Answers
Here is where I will practice what I preach and resist the urge to fill silence with speculation. These are the questions the July 13 documents genuinely do not answer:
1. How will the suspension be reconciled with the codified rules? 32 CFR Part 170 and the CMMC DFARS clause remain in regulation. Will the Department issue a class deviation? Initiate new rulemaking? The memo is silent on mechanics. My assumption is that, after the review is complete, we’ll receive another memo, class deviation, or other formal announcement like the one released yesterday that gives us more answers and information as to the future of the programs and the regulations.
2. What happens to certifications already earned and assessments in progress? Nothing in the release or the memo addresses the standing of existing CMMC Level 2 (C3PAO) certifications, assessments currently scheduled or underway, or the broader assessment ecosystem of C3PAOs and certified assessors. If you hold a certification or are mid-assessment, there is no official statement yet on what happens to that status or that investment. I know this will make many want to pull their hair out, but before we jump to the conclusion that the roughly 1,000 CMMC Level 2 certifications that have been attained over the last couple of years have been a waste, just wait and see what comes from the 60-day review.
3. What will the task force actually recommend? The report is due to the CIO within 60 days, and further guidance will follow it. The recommendations could range from streamlining the existing model to something structurally different. Anyone claiming to know the outcome is guessing. I will say that not all guesses are totally uneducated. According to a news article from Breaking Defense, Michael Duffey, Under Secretary of Defense for Acquisition and Sustainment, told reporters the following:
“What is changing? Let me be direct. We are halting complex audits. We are stopping the requirement for third-party assessors and audits…”
Now, again, this isn’t codified and we’re working with what we’ve got, but it may very well be the case that the CMMC program looks quite different after this review and we should mentally prepare for that.
4. What will prime contractors do? The government suspending its own C3PAO requirements does not prevent primes from setting supplier expectations contractually. Supplier risk programs and flowdown requirements do not always move at the government’s pace, and a third-party certification may retain real commercial value in the meantime. We’re just going to have to wait and see. I wouldn’t be surprised if some prime contractors release memos similar to the CIO’s memo halting the enforcement or expectation of CMMC Level 2 certifications for the time being until more information is available, but that is sheer speculation.
Regardless, I would encourage a healthy suspicion of anyone claiming certainty on any of these items right now. Myself included!
So What Should You Actually Do?
As always, it really depends. But there is a framework here that I think holds up regardless of which way the 60-day review breaks.
Pointer #1: Do not dismantle anything. Your obligation to implement NIST SP 800-171 Rev 2 predates CMMC and survives this suspension untouched. If you gut your security program’s resources because the assessment mechanism is paused, you end up noncompliant with a live contract clause and less secure. That is a lose-lose, and it is also precisely the behavior that would justify bringing rigorous verification back with a vengeance. Stay the course, do your continuous monitoring activities, and don’t make drastic decisions as if everything has changed because it hasn’t.
Pointer #2: Keep your documentation current. Your System Security Plan, your POA&Ms, and your other documentation used to support your CMMC / NIST SP 800-171 implementation remain the backbone of how you demonstrate compliance during this interim period. Self-assessments are still in play. NIST SP 800-171 Rev 2 is still the requirement and, therefore, your 3.12.1 and 3.12.3 requirements are still there begging you not to drop the ball. Stay disciplined.
Pointer #3: If you are mid-preparation for a C3PAO assessment, separate implementation from scheduling. Implementation work continues no matter what, because the requirements continue no matter what. The question of whether to keep an assessment on the calendar is a business decision that depends on your contract pipeline, your primes’ expectations, your competitive positioning, and your budget. The review window is only 60 days. If you can afford to wait for the task force report before making an irreversible scheduling decision, that patience will cost you very little. Now, if you’re concerned that your CMMC Level 2 Certification Assessment investment is going to be a waste of time now (which would be an understandable conclusion because of yesterday’s chaos), I still think you shouldn’t jump the gun. However, have a conversation with the C3PAO and at least get some information about your options. It doesn’t hurt to have information about potential cancellations and refunds in your back pocket. I still can’t stress this enough. Don’t make any changes just yet. Please wait and see.
Pointer #4: If you are already certified, your investment is by no means a waste. The security posture you built is real, and it is still contractually required. The market signal of having passed a rigorous third-party assessment is real too. What the certification means within the program going forward is an open question, but the work behind it was never just about a certificate. Even if you never get certified again, you can keep your system secure and maintain the security posture you’ve worked so hard to enforce.
Pointer #5: Engage with the process. The task force is explicitly built to synthesize industry feedback from the Department’s public RFI on compliance challenges. This is an intentional window where the Department is asking, on the record, what is broken. If compliance costs have genuinely strained your organization, this is the venue for that story. Good faith participation beats LinkedIn venting every time. Be sure to participate and get them some solid, informed feedback while they are receiving it.
Pointer #6: Get your updates from primary sources. The press release, the CIO memo and its implementation guidance, and the official CMMC resources page are linked in the references below. Further guidance is coming at the end of the 60-day review. When it drops, read the actual documents before you read the hot takes about the documents. (And yes, I recognize the irony of a blogger telling you that.)
Wrapping Up
This is one of the more consequential shifts in the DIB compliance landscape in years, and I do not want to minimize it. Livelihoods, business models, and years of preparation are tied up in this program, and the uncertainty is genuinely hard, especially for the assessment ecosystem. If that is you, we see you, and you have our sincere empathy.
But uncertainty is not a reason to abandon good security, and it is definitely not a reason to abandon good judgment. The requirements that actually protect CUI are still in your contracts. The review is 60 days. Steady hands win here, and we at IntelliGRC are going to stay on top of the breaking news regarding this. Stay tuned!
As always, Happy Implementing!
Steven Molter, Lead GRC Consultant, IntelliGRC
Key Takeaways
- On July 13, 2026, the Department suspended the CMMC Phase 2 transition (originally November 10, 2026), effective immediately, pending a 60-day review by a new CMMC Reform Task Force.
- During the suspension, solicitations may only require CMMC Level 1 (Self) or Level 2 (Self). Level 2 (C3PAO) and Level 3 (DIBCAC) requirements are being removed from active solicitations and existing contracts.
- DFARS 252.204-7012 remains fully in effect. Contractors handling covered defense information are still contractually obligated to implement NIST SP 800-171 Rev 2 and report cyber incidents.
- Phase 1 self-assessment and affirmation obligations remain firmly in place, and accurate SPRS scores still carry legal weight.
- Key unknowns remain: reconciliation with the codified 32 CFR Part 170 and DFARS rules, the standing of existing certifications, the meaning of “select Government-led assessments,” and what the task force will recommend. Further guidance is expected after the 60-day review.
Frequently Asked Questions
Is CMMC cancelled? No. CMMC Phase 2 is suspended pending a 60-day review by the new CMMC Reform Task Force. Phase 1 self-assessment requirements remain in place, and further guidance is expected after the review.
Does DFARS 252.204-7012 still apply? Yes. Contractors and subcontractors handling covered defense information remain contractually obligated to implement NIST SP 800-171 Rev 2 and report cyber incidents within 72 hours.
Do I still need a C3PAO assessment? Not for DoD solicitations during the suspension — Level 2 (C3PAO) and Level 3 (DIBCAC) requirements are being removed from active solicitations and contracts. Prime contractors, however, may still expect third-party certification as a supplier requirement.
Are Phase 1 self-assessments still required? Yes. CMMC Level 1 (Self) and Level 2 (Self) requirements, along with their affirmation obligations, continue — and inaccurate affirmations still carry False Claims Act risk.
References
- Department of War, “Forging the Arsenal of Freedom: Department of War Suspends CMMC Phase II Requirements,” July 13, 2026: war.gov press release
- DoD CIO, Memorandum 26-P-1023, Attachment 1, “Cybersecurity Maturity Model Certification Procedures” (implementing the suspension of CMMC Phase II): dodcio.defense.gov (PDF)
- DoW CIO, CMMC Resources & Documentation: dowcio.war.gov
- 32 CFR Part 170, Cybersecurity Maturity Model Certification (CMMC) Program, Final Rule: Federal Register
- DFARS Case 2019-D041, Assessing Contractor Implementation of Cybersecurity Requirements, Final Rule: Federal Register
- DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting: acquisition.gov
- Breaking Defense, “Pentagon announces ‘immediate suspension’ of CMMC Phase II mandates,” July 13, 2026: breakingdefense.com
