Why Was CMMC Phase II Suspended? And What Does That Mean?
Estimated reading time: 6 minutes
July 14, 2026 – CMMC Phase II suspension – by Zach Carothers – in Cybersecurity, Compliance
The short version: On July 13, 2026, the Department of War suspended CMMC Phase II, removing the November 10, 2026 deadline that would have required a third-party certification (C3PAO) audit for Level 2 contracts. DFARS 252.204-7012, NIST SP 800-171, SPRS self-assessments, and annual affirmations all remain mandatory. This is schedule relief, not scope relief, and for contractors whose paperwork outruns their practices, it raises legal risk rather than lowering it.
CMMC Phase II Suspension: Key Facts at a Glance
- What happened: The Department of War (the Pentagon) suspended CMMC Phase II, effective immediately, on July 13, 2026.
- What is paused: the third-party assessment by a certified third-party assessor organization (C3PAO) that was set to become a condition of contract award for Level 2 work on November 10, 2026, along with the Phase III Level 3 milestones scheduled for 2027.
- What still applies: DFARS 252.204-7012, NIST SP 800-171 Revision 2, Level 1 and Level 2 self-assessments, Supplier Performance Risk System (SPRS) score submissions, annual affirmations, and 72-hour cyber incident reporting.
- Why it happened: more than 100,000 defense industrial base companies still needed an assessment, against roughly 100 authorized assessors.
- What comes next: a 60-day review and a new CMMC Reform Task Force, with recommendations expected around mid-September 2026, shaped by a public Request for Information (RFI).
- Bottom line: CMMC is suspended, not canceled. Your SPRS self-attestation is now the primary evidence the government has that your security is real.
What the CMMC Phase II Suspension Actually Did
Phase II was the step that would have made an independent C3PAO audit a condition of award for Level 2 contracts. The Department of War suspended that transition effective immediately and also paused the Phase III Level 3 milestones set for 2027. Contracting officers have been directed to strip the suspended language out of active solicitations. The stated reason was simply capacity. The department’s CIO noted that more than 100,000 companies in the defense industrial base still needed an assessment, however, there are only about 100 authorized assessors. As one official put it at the briefing, the math simply does not math. A 60-day review and a new CMMC Reform Task Force will now collect industry input through a public RFI, with recommendations due around mid-September 2026.
What Did Not Change, and Why That Is the Whole Story
Everything underneath the audit stayed exactly where it was. DFARS clause 252.204-7012, in defense contracts since 2017, still requires you to implement the NIST SP 800-171 security controls, report cyber incidents to the government within 72 hours, and use FedRAMP-authorized cloud for any system that touches Controlled Unclassified Information (CUI). Phase I is untouched as well. Level 1 and Level 2 self-assessments, your SPRS score, and your annual affirmation of compliance are all still required. And the government can still assess you directly, since government-led reviews continue during the pause. CMMC was never the security requirement itself. It was the verification layer bolted on top of a requirement that is still fully in force.
Why the CMMC Phase II Suspension Can Make Your Exposure Worse
The counterintuitive part is this. With third-party assessors out of the picture, your SPRS self-assessment becomes the entire game. That score is not a private spreadsheet for internal use. It is a signed federal attestation, affirmed by an executive, that the government relies on when it awards work. When an independent assessor signed off on your environment, you had outside evidence that your attestation was made in good faith. That evidence is now shelved. Meanwhile, the Department of Justice’s Civil Cyber-Fraud Initiative has already produced multimillion-dollar settlements against contractors whose actual security did not match what they claimed it to be. If your SPRS score says 110 and your environment cannot back up all 110 controls, the suspension did not protect you. It removed the safety net.
This is the same shift we described in our breakdown of the new cyber insurance requirements, where the questionnaire became an audit and the controls you attest to have to be real and provable on your worst day. Different regulator, identical trap. The paperwork is easy to sign. Backing it up is the hard part, and now there is no one standing between your signature and a False Claims Act inquiry.
What Should Defense Contractors Do During the CMMC Pause?
Treat this as a window, not a vacation. The review closes in the fall, and whatever replaces Phase II will still measure the same 800-171 controls. For the manufacturers and defense suppliers we work with, the useful moves are clear.
- Make your SPRS score reflect reality. Confirm the score matches your actual environment. An inflated score is now your single biggest liability, not a convenience.
- Keep the 800-171 work moving. It satisfies DFARS 7012 today and whatever verification regime emerges this fall. Pausing remediation is the one decision that will age poorly.
- Do not cancel gap fixes because the audit slipped. The logistics of a booked C3PAO assessment can pause. The remediation behind it should not.
- Use the RFI. If compliance cost or assessor scarcity genuinely hurt your business, the public Request for Information is the official channel to say so.
- Plan for a tiered outcome. Expect a model where most of the base self-attests and only the most sensitive programs face third-party or government assessment. Build for the control, not the label.
If you are not sure where you actually stand, a compliance assessment turns your SPRS score from a hopeful guess into a documented fact, and an outside security leader such as a virtual CISO keeps the 800-171 program on track between now and whatever the task force decides.
The Bigger Pattern in an AI-Driven Threat Landscape
Step back and this is not really about one program. Cybersecurity rules are going to keep moving, tightening in some places and pausing in others, as AI reshapes the threat faster than any agency can write policy. Deepfake-driven fraud, automated phishing, and stolen-credential markets are not waiting for a task force report. The contractors who come through the churn in good shape build to the underlying control rather than to the deadline. A program that genuinely protects CUI, with real access control, encryption, monitoring, and phishing-resistant multifactor authentication, is compliant under CMMC, under a self-attestation regime, and under whatever comes next. Chasing the deadline leaves you exposed every time the deadline moves.
Sources
- U.S. Department of War: Department of War Suspends CMMC Phase II Requirements
- DefenseScoop: DOD halts cybersecurity requirements for CMMC Phase 2
- Crowell & Moring: DoW Immediately Suspends CMMC Phase II, Launches 60-Day Review
- ECN IT Solutions: DoD Suspends CMMC Phase II, What Actually Changed
- NIST SP 800-171 Rev 2
- DFARS 252.204-7012
- CMMC Program Rule, 32 CFR Part 170
CMMC Phase II Suspension FAQ
Yes. The Department of War suspended CMMC Phase II effective immediately on July 13, 2026, removing the November 10, 2026 third-party certification deadline while it conducts a 60-day review.
No. It is suspended, not rescinded. The underlying rules, including the CMMC program rule at 32 CFR Part 170 and the DFARS acquisition rule, still exist. Rescinding them would require new rulemaking. Suspended is the accurate word, not dead.
Yes. Self-assessments, your SPRS score, and annual affirmations are still required under applicable contracts, DFARS 252.204-7012 remains in force, and the government can still assess you directly during the pause.
There is no firm restart date. A CMMC Reform Task Force will deliver recommendations to the CIO around mid-September 2026. Many observers expect a risk-tiered model rather than a universal third-party audit, but nothing is final until new rulemaking occurs.
Make sure your SPRS score reflects your real environment. With the third-party audit paused, that self-attestation is the primary evidence the government has, and an inaccurate one carries real legal risk under the False Claims Act.
The CMMC Phase II suspension is real relief on the calendar. It is not relief on the obligation, and for anyone whose paperwork has been running ahead of their practices, it raised the stakes rather than lowering them. If you are a defense contractor or a manufacturer that handles CUI and you are not confident your SPRS score would survive a government-led look, this pause is the time to close that gap, not to coast on it. A compliance assessment is the place to start.
TorchLight specializes in managed security services for organizations where security and compliance are non-negotiable. With 18+ years serving regulated industries, 24/7 SOC operations, and deep regulatory fluency across GLBA, HIPAA, and SEC requirements, TorchLight delivers security operations leadership can defend.
Ready to explore what partnership looks like? Schedule a consultation to discuss your organization’s specific security needs and regulatory requirements.

