CMMC Phase 2 Is Suspended: What Defense Contractors Should Do

CMMC Phase 2 Is Suspended: What Defense Contractors Should Do

The Department of Defense just hit pause on CMMC Phase 2. Before you treat it as a reprieve and redirect the budget, understand what actually changed, what did not, and why the smart move is to keep going.

What the Pentagon Actually Announced

On July 13, 2026, the Department of Defense suspended CMMC Phase 2, which was scheduled to take effect November 10, 2026. That phase would have required contractors handling Controlled Unclassified Information to pass an assessment from a Certified Third-Party Assessor Organization, a C3PAO, before receiving contract awards.

The Department also suspended all pending and future CMMC milestones, including Phase 3 and full implementation, and established a 60-day CMMC Reform Task Force to review the entire program. Officials have not ruled out reinstating a revised CMMC, replacing it, or ending it altogether.

Why They Hit Pause

The suspension stems from cost and capacity concerns. DoD Chief Information Officer Kirsten Davies cited Small Business Administration data indicating future CMMC phases could cost small and mid-sized businesses more than $7 billion a year, pushing small and non-traditional companies out of the defense industrial base. A March 2026 Government Accountability Office report warned the standards might prove too difficult and costly for some small businesses. There is also a severe shortage of C3PAO assessors, which would have created a bottleneck the moment certification became mandatory.

A Suspension Is Not a Repeal

This is the part that matters. The certification requirement is paused. The underlying security obligations are not. If you read only one section, read this one.

What NIST 800-171 Still Requires

If CMMC is the certification wrapper, NIST SP 800-171 is the actual security standard underneath it, and it did not go anywhere. It defines 110 security controls across 14 families, covering access control, identification and authentication, audit and accountability, configuration management, incident response, media protection, and more. Meeting it is not optional for contractors that handle CUI.

Three things carry the weight during the pause:

Why You Should Keep Doing the Work

It is tempting to treat this as found money. That is a mistake, for four reasons.

What to Do in the Next 60 Days

Keep your program moving on everything that does not depend on a C3PAO. None of this is wasted, whatever the task force decides.

What Might Come Back

The task force has 60 days. The realistic outcomes are a revised CMMC that is cheaper and faster to assess, a different verification model, or continued reliance on self-assessment with more government spot checks. None of those outcomes remove the NIST 800-171 baseline. Planning as if security requirements are gone is the one bet almost certain to lose.

Frequently Asked Questions

Is CMMC cancelled?

No. It is suspended pending a 60-day review. The Department has not decided whether to revise, replace, or end it. NIST 800-171 requirements and existing contract clauses remain in force during the pause.

Do I still need to meet NIST 800-171?

Yes, if your contracts include DFARS 252.204-7012 and you handle Controlled Unclassified Information. The self-assessment and SPRS reporting obligations did not change.

Should we stop our CMMC preparation?

No. Re-time anything that depends on a third-party assessor, but keep closing gaps and maintaining your documentation. Stopping and restarting costs more than staying the course.

The rules just got more confusing, not less. JBW Group helps organizations in the Defense Industrial Base navigate this, cutting through the noise to keep CMMC and NIST 800-171 programs moving without spending money on the wrong things at the wrong time.

← Back to all posts