The Department of Defense just hit pause on CMMC Phase 2. Before you treat it as a reprieve and redirect the budget, understand what actually changed, what did not, and why the smart move is to keep going.
What the Pentagon Actually Announced
On July 13, 2026, the Department of Defense suspended CMMC Phase 2, which was scheduled to take effect November 10, 2026. That phase would have required contractors handling Controlled Unclassified Information to pass an assessment from a Certified Third-Party Assessor Organization, a C3PAO, before receiving contract awards.
The Department also suspended all pending and future CMMC milestones, including Phase 3 and full implementation, and established a 60-day CMMC Reform Task Force to review the entire program. Officials have not ruled out reinstating a revised CMMC, replacing it, or ending it altogether.
Why They Hit Pause
The suspension stems from cost and capacity concerns. DoD Chief Information Officer Kirsten Davies cited Small Business Administration data indicating future CMMC phases could cost small and mid-sized businesses more than $7 billion a year, pushing small and non-traditional companies out of the defense industrial base. A March 2026 Government Accountability Office report warned the standards might prove too difficult and costly for some small businesses. There is also a severe shortage of C3PAO assessors, which would have created a bottleneck the moment certification became mandatory.
A Suspension Is Not a Repeal
This is the part that matters. The certification requirement is paused. The underlying security obligations are not. If you read only one section, read this one.
- Phase 1 remains in effect. The CMMC self-assessment requirements that took effect last November still apply to applicable contracts.
- The standard still applies. During the pause, the Department will continue enforcing cybersecurity through the NIST SP 800-171 Revision 2 standard, using self-assessments and select government-led assessments.
- Your contract clauses did not disappear. DFARS 252.204-7012 and your obligation to protect CUI remain written into contracts, along with the self-assessment and reporting clauses that came with them.
- This could come back. The task force reports within 60 days. Whatever replaces this pause will not be no cybersecurity requirements at all.
What NIST 800-171 Still Requires
If CMMC is the certification wrapper, NIST SP 800-171 is the actual security standard underneath it, and it did not go anywhere. It defines 110 security controls across 14 families, covering access control, identification and authentication, audit and accountability, configuration management, incident response, media protection, and more. Meeting it is not optional for contractors that handle CUI.
Three things carry the weight during the pause:
- Your System Security Plan (SSP). The document that describes how you meet each of the 110 controls. If it is out of date, your whole posture is suspect.
- Your Plan of Action and Milestones (POA&M). The honest list of gaps and how you will close them, with dates.
- Your SPRS score. The self-assessment score you report in the Supplier Performance Risk System. Primes and the government can see it, and an inflated one is a liability, not an asset.
Why You Should Keep Doing the Work
It is tempting to treat this as found money. That is a mistake, for four reasons.
- The threat did not pause. Nation-state and criminal actors target the defense supply chain regardless of the compliance calendar. NIST 800-171 exists because those threats are real and constant.
- You are still legally on the hook. Self-attesting to a security posture you do not actually have carries real exposure under the False Claims Act, which has already produced multimillion-dollar settlements against contractors that misrepresented their cybersecurity.
- Primes still flow it down. Your customers up the supply chain still expect NIST 800-171 compliance in their contracts, task force or not. Losing your posture can lose you the relationship.
- Restarting costs more than continuing. Teams that stop and rebuild momentum later pay for it twice. The ones that stay the course will be first in line, and lowest cost, when the requirement returns.
What to Do in the Next 60 Days
Keep your program moving on everything that does not depend on a C3PAO. None of this is wasted, whatever the task force decides.
- Keep your System Security Plan and Plan of Action and Milestones current and honest.
- Recalculate your NIST 800-171 self-assessment and make sure your SPRS score reflects reality.
- Keep closing control gaps: identity and access, endpoint protection, logging and monitoring, backup and recovery, and incident response.
- Do not cancel your assessment roadmap. Re-time it, and watch what the task force recommends.
- Document what you are doing. If the rules change, a clean record of continuous effort is worth more than a last-minute scramble.
What Might Come Back
The task force has 60 days. The realistic outcomes are a revised CMMC that is cheaper and faster to assess, a different verification model, or continued reliance on self-assessment with more government spot checks. None of those outcomes remove the NIST 800-171 baseline. Planning as if security requirements are gone is the one bet almost certain to lose.
Frequently Asked Questions
Is CMMC cancelled?
No. It is suspended pending a 60-day review. The Department has not decided whether to revise, replace, or end it. NIST 800-171 requirements and existing contract clauses remain in force during the pause.
Do I still need to meet NIST 800-171?
Yes, if your contracts include DFARS 252.204-7012 and you handle Controlled Unclassified Information. The self-assessment and SPRS reporting obligations did not change.
Should we stop our CMMC preparation?
No. Re-time anything that depends on a third-party assessor, but keep closing gaps and maintaining your documentation. Stopping and restarting costs more than staying the course.
The rules just got more confusing, not less. JBW Group helps organizations in the Defense Industrial Base navigate this, cutting through the noise to keep CMMC and NIST 800-171 programs moving without spending money on the wrong things at the wrong time.