CMMC Phase II Suspended: What Government Contractors Need to Know About the Pentagon's New Cybersecurity Strategy

The Department of War has officially suspended CMMC Phase II, marking one of the most significant changes to defense contractor cybersecurity policy since the Cybersecurity Maturity Model Certification (CMMC) program was introduced.

For many government contractors, the announcement immediately raised questions:

  • Is CMMC canceled?

  • Do I still need to comply with NIST SP 800-171?

  • What happens to my upcoming C3PAO assessment?

  • Should I stop preparing for certification?

  • What is the new CMMC Reform Task Force?

The short answer is this:

CMMC Phase II has been suspended, but cybersecurity compliance has not.

While mandatory third-party assessments are on hold, the Department made it clear that contractors must continue protecting Controlled Unclassified Information (CUI), performing required self assessments, and complying with existing DFARS cybersecurity requirements.

Here's what changed and what it means for your business.

What Changed?

On July 13, 2026, Department CIO Kirsten Davies announced the immediate suspension of CMMC Phase II, which had been scheduled to begin on November 10, 2026.

Phase II would have expanded the use of mandatory CMMC Level 2 third party assessments performed by Certified Third Party Assessment Organizations (C3PAOs).

Instead, the Department directed acquisition officials to:

  • Suspend implementation of Phase II.

  • Stop requiring Level 2 C3PAO assessments.

  • Suspend Level 3 government assessments.

  • Remove those requirements from pending solicitations where appropriate.

  • Modify existing contracts during future administrative actions when applicable.

This is a significant policy shift.

However, it does not eliminate the underlying cybersecurity requirements that defense contractors have been implementing for years.

What Requirements Still Apply?

One of the biggest misconceptions following the announcement is that CMMC has disappeared.

It hasn't.

The Department specifically stated that the following remain in effect:

  • CMMC Phase I self assessments

  • NIST SP 800-171 Revision 2

  • DFARS 252.204-7012 cybersecurity requirements

  • Cyber incident reporting requirements

  • Protection of Federal Contract Information (FCI)

  • Protection of Controlled Unclassified Information (CUI)

In other words, the government changed how contractors demonstrate compliance, not whether cybersecurity is required.

For companies handling CUI, NIST SP 800-171 remains the foundation of the Department's cybersecurity expectations.

Why Did the Department Suspend CMMC Phase II?

According to the Department, the existing CMMC framework created substantial costs and administrative burdens that discouraged companies, particularly small businesses and nontraditional defense contractors, from participating in the Defense Industrial Base.

Compliance expenses extended far beyond the assessment itself.

Many contractors invested heavily in:

  • CMMC consultants

  • Managed security service providers

  • Secure cloud environments

  • New cybersecurity platforms

  • Documentation development

  • Policy creation

  • Employee training

  • Technical remediation

  • Evidence collection

Another major challenge was assessment capacity.

Department leadership acknowledged that more than 100,000 companies could eventually require assessments while only a limited number of Certified Third Party Assessment Organizations were available to perform them.

The result was a program that became increasingly difficult to scale.

Rather than continuing with the planned rollout, the Department chose to pause implementation while reconsidering the broader strategy.

The CMMC Reform Task Force

Rather than simply delaying Phase II, the Department announced something much larger.

CIO Kirsten Davies is establishing a CMMC Reform Task Force to conduct a comprehensive 60 day review of the program.

Its mission is to determine whether the Department can improve cybersecurity while reducing compliance costs and administrative burden.

According to the Department, the task force will examine:

  • Opportunities to simplify compliance

  • Ways to improve operational resilience

  • Recognition of commercial cybersecurity capabilities

  • Reducing barriers for small businesses

  • Alternatives to expensive third-party certification models

At the time of this announcement, the Department has not publicly released the full membership of the task force.

Industry Will Help Shape the Future of CMMC

Along with creating the task force, the Department released a Request for Information (RFI) seeking direct feedback from industry.

Rather than asking contractors whether they like CMMC, the RFI asks much more practical questions:

  • Which security controls provide the greatest real-world cybersecurity benefit?

  • Which requirements generate the highest cost with the least measurable value?

  • How should commercial cybersecurity services be recognized?

  • How can self-assessments be improved?

  • What policy changes would reduce barriers for small businesses?

  • What reforms would improve operational resilience?

Responses are due by August 14, 2026.

This is likely the most significant opportunity contractors have had to influence the future of defense cybersecurity policy since CMMC was first introduced.

Congress Was Already Looking for Solutions

Interestingly, Congress had already recognized that CMMC costs were becoming a challenge.

Before the suspension, lawmakers were considering legislation that would establish a grant program to help eligible small businesses pay for CMMC Level 2 certification.

The proposal reportedly included:

  • Up to $100,000 per company

  • Approximately $50 million in total funding

  • Priority for small businesses and nontraditional contractors

Much of that funding, however, was intended to help companies pay for third party assessments.

Now that those assessments have been suspended, Congress may need to reconsider whether future funding should instead support actual cybersecurity improvements such as secure environments, managed security services, continuous monitoring, or technical remediation.

What Government Contractors Should Do Now

Although Phase II has been suspended, contractors should resist the temptation to stop preparing altogether.

Instead, companies should focus on five immediate actions.

1. Continue implementing NIST SP 800-171

The cybersecurity requirements remain in place even though the certification process has changed.

2. Review active solicitations

Watch for amendments removing Level 2 C3PAO or Level 3 assessment requirements.

3. Review existing contracts

Policy announcements do not automatically modify contract language.

Wait for official contract modifications before assuming requirements have changed.

4. Maintain compliance documentation

Continue updating your:

  • System Security Plan (SSP)

  • Plan of Action and Milestones (POA&M)

  • SPRS submissions

  • Policies and technical evidence

Government led assessments remain possible.

5. Respond to the Department's Request for Information

If you've spent years navigating CMMC requirements, now is the time to share practical recommendations that can improve cybersecurity while reducing unnecessary compliance costs.

The Bottom Line

The suspension of CMMC Phase II is not the end of CMMC.

Instead, it signals the beginning of what could become the program's most significant redesign.

The Department appears to be shifting its focus away from compliance for compliance's sake and toward measurable cybersecurity outcomes that strengthen the Defense Industrial Base while making it easier for innovative companies to do business with the government.

For contractors, the message is straightforward:

Continue protecting sensitive information.

Continue implementing NIST SP 800-171.

Monitor future guidance closely.

And take advantage of the opportunity to help shape whatever comes next.

The companies that understand this distinction today will be far better positioned when the Department announces the next chapter of CMMC reform.

If you want to focus on your business while winning government contracts, reach out to our team and let’s see how we can win together!

Next
Next

NASA SEWP VI Is Finally Here