CMMC Phase II Is Suspended: What Defense Contractors Still Have to Do
The Department of War suspended CMMC Phase II on July 13, 2026, but kept Phase I self-assessments, NIST SP 800-171 Rev. 2 enforcement, and DFARS 252.204-7012 obligations in place.
- 01The November 10, 2026 Phase II transition and future CMMC implementation milestones are suspended while the Department conducts a 60-day review.
- 02All Phase I self-assessment requirements remain in place.
- 03During the review, the Department says it will enforce NIST SP 800-171 Rev. 2 through self-assessments and selected government-led assessments.
- 04DFARS 252.204-7012 still requires contractors and subcontractors to safeguard covered defense information.
- 05The practical priority is a defensible SPRS score backed by live technical evidence, not a race to a suspended date.
The Short Version
On July 13, 2026, the Department of War announced the immediate suspension of CMMC Phase II requirements. The transition had been scheduled for November 10, 2026.
This is a real pause, but it is not a repeal of contractor cybersecurity obligations.
The official release says five things that matter now:
- The Phase II transition is suspended.
- Pending and future CMMC implementation milestones are suspended.
- All Phase I self-assessment requirements remain in place.
- NIST SP 800-171 Rev. 2 will be enforced during the interim through self-assessments and selected government-led assessments.
- Contractors and subcontractors remain contractually obligated to protect covered defense information under DFARS 252.204-7012.
The deadline clock stopped. The duty to secure the system did not.
What Actually Paused
The suspended piece is the planned expansion from Phase I into Phase II, including the broader use of Level 2 third-party certification requirements in solicitations and contracts.
The Department also paused later implementation milestones while a CMMC Reform Task Force conducts a top-to-bottom review. Its final report is due to the Department CIO within 60 days of the announcement.
That means November 10, 2026 should no longer be presented as the current government-wide Phase II enforcement date. Any homepage countdown, “condition of award on November 10” banner, or sales sequence built around that date is now stale.
It does not mean every existing CMMC-related contract term disappeared. Contractors should still read the clauses in each solicitation and contract, and subcontractors should confirm any current prime-imposed requirements in writing.
What Remains Active
Phase I self-assessments
The Department's wording is unambiguous: all Phase I self-assessment requirements remain firmly in place.
For contractors, the immediate question is no longer “Can we get through a C3PAO queue before November?” It is “Can we defend the score and system state we represent today?”
NIST SP 800-171 Rev. 2
During the review, the Department says it will enforce NIST SP 800-171 Rev. 2 through contractor self-assessments and selected government-led assessments.
This distinction matters. CMMC marketing pages often blur Revision 2 and Revision 3. The retained interim CMMC baseline named in the release is Revision 2, with its 110 security requirements. Revision 3 transition planning can continue, but it should not be mislabeled as the current 110-requirement assessment baseline.
DFARS 252.204-7012
DFARS 252.204-7012 still requires adequate security for covered contractor information systems and implementation of the applicable NIST SP 800-171 requirements. It also retains its cyber-incident reporting and flow-down obligations.
The July 13 release calls this out directly. The government paused a certification rollout, not the contractual duty to protect covered defense information.
Current NIST assessment information in SPRS
DFARS 252.204-7019 requires a current NIST SP 800-171 DoD assessment for covered systems relevant to an award and provides for summary scores in SPRS. Applicability depends on the clauses in the solicitation and contract, so contractors should verify their specific instruments.
The risk of an unsupported score is not theoretical. In June 2026, the Department of Justice announced a $507,144 False Claims Act settlement with LOGZONE. The settlement agreement says LOGZONE posted a 110 self-assessment score in SPRS and later received a -170 government assessment. The settlement resolved allegations; it was not a judicial finding of liability.
The Better Strategy During the Review
1. Recalculate the score from live system state
Do not carry forward an old spreadsheet score because the Phase II date moved. Revalidate the CUI boundary, the current implementation of all 110 Rev. 2 requirements, and the evidence behind each scored item.
2. Prioritize operational risk reduction
The reform announcement explicitly calls for scalable, resilient cybersecurity measures and lower administrative burden. The Department's new “Brilliant at the Basics” guidance emphasizes identity, asset inventory, segmentation, risk-based vulnerability management, resilient backup, and continuous monitoring.
That direction favors work that changes the actual environment: close exposed access paths, enforce MFA, validate asset coverage, reduce lateral movement, fix logging gaps, and prove that controls stay implemented.
3. Keep evidence current
A self-assessment is only as defensible as the evidence behind it. Maintain timestamped configuration state, remediation history, approvals, rollback records, SSP changes, and POA&M closures. Current evidence supports Phase I, selected government assessments, prime reviews, and whatever assessment model follows the reform.
4. Re-plan C3PAO spending instead of abandoning readiness
The government-wide November clock is gone. That gives contractors room to sequence work around actual contract risk instead of panic-buying assessment preparation.
Before cancelling or booking an assessment, check the exact solicitation, existing contract, recompete calendar, customer direction, and prime flow-down. Keep technical remediation moving because that work survives every likely policy outcome.
5. Prepare an evidence-backed RFI response
The Department says a public Request for Information will inform the reform task force. As of the July 13 announcement, the release does not provide the RFI questions or submission instructions.
Companies with real implementation data should prepare now: which requirements reduce measurable risk, which evidence activities create cost without improving security, where small businesses get stuck, and which controls can be continuously validated. Submit when the Department publishes the official instructions.
Where PolicyCortex Fits Now
PolicyCortex is not assessment cramming. It maps the live cloud environment to NIST SP 800-171, remediates technical gaps with controlled rollback, and packages evidence behind the score.
That value remains useful under Phase I self-assessment, selected government review, prime oversight, a future revised CMMC model, or a more risk-based successor.
The offer changes from “get ready before November” to “know what is actually true before you put a score in SPRS.”
That is a more durable reason to act.
- Did the Department of War cancel CMMC?
- No. It suspended the Phase II transition and pending and future CMMC implementation milestones while a reform task force conducts a 60-day review. Phase I self-assessment requirements remain in place.
- What CMMC requirements still apply during the pause?
- Phase I self-assessment requirements remain active. The Department says it will enforce NIST SP 800-171 Rev. 2 through self-assessments and selected government-led assessments during the interim period.
- Does DFARS 252.204-7012 still apply?
- Yes. The July 13 release explicitly says defense contractors and subcontractors remain contractually obligated to safeguard covered defense information under DFARS 252.204-7012.
- Should contractors stop CMMC preparation?
- Contractors should stop planning around November 10 as a current government-wide Phase II deadline, but they should not stop safeguarding CUI, validating their NIST 800-171 implementation, maintaining current contract-required SPRS information, or checking contract- and prime-specific requirements.
Replace 4 tools with one platform.
See how PolicyCortex consolidates compliance, security, AI governance, and cost — autonomously.
- R-01The $507K LOGZONE Settlement: Your SPRS Score Is Now False Claims Act EvidenceDOJ settled with a defense contractor that posted a 110 SPRS score and later received a -170 government assessment. Phase II is paused, but the risk of an unsupported score remains.
- R-02The C3PAO Capacity Math After the CMMC Phase II SuspensionThe Phase II countdown is gone, but C3PAO capacity still matters for contract-specific and voluntary assessment plans. Here is how to use the dated 2026 market snapshot without planning from a suspended milestone.
- R-03CMMC Level 2 Requirements in 2026: The Complete Guide for Defense ContractorsCMMC Phase II is suspended, but the 110-requirement NIST 800-171 Rev. 2 baseline, Phase I self-assessments, and DFARS safeguarding obligations remain active.
