INSIGHTS // CMMC

CMMC Phase II Is Suspended: What Defense Contractors Still Have to Do

BY POLICYCORTEX TEAM·PUB Jul 13, 2026· 7 MIN· CMMC Phase II SPRS NIST 800-171 DFARS 7012

The Department of War suspended CMMC Phase II on July 13, 2026, but kept Phase I self-assessments, NIST SP 800-171 Rev. 2 enforcement, and DFARS 252.204-7012 obligations in place.

KEY TAKEAWAYS
  • 01The November 10, 2026 Phase II transition and future CMMC implementation milestones are suspended while the Department conducts a 60-day review.
  • 02All Phase I self-assessment requirements remain in place.
  • 03During the review, the Department says it will enforce NIST SP 800-171 Rev. 2 through self-assessments and selected government-led assessments.
  • 04DFARS 252.204-7012 still requires contractors and subcontractors to safeguard covered defense information.
  • 05The practical priority is a defensible SPRS score backed by live technical evidence, not a race to a suspended date.

The Short Version

On July 13, 2026, the Department of War announced the immediate suspension of CMMC Phase II requirements. The transition had been scheduled for November 10, 2026.

This is a real pause, but it is not a repeal of contractor cybersecurity obligations.

The official release says five things that matter now:

  1. The Phase II transition is suspended.
  2. Pending and future CMMC implementation milestones are suspended.
  3. All Phase I self-assessment requirements remain in place.
  4. NIST SP 800-171 Rev. 2 will be enforced during the interim through self-assessments and selected government-led assessments.
  5. Contractors and subcontractors remain contractually obligated to protect covered defense information under DFARS 252.204-7012.

The deadline clock stopped. The duty to secure the system did not.

What Actually Paused

The suspended piece is the planned expansion from Phase I into Phase II, including the broader use of Level 2 third-party certification requirements in solicitations and contracts.

The Department also paused later implementation milestones while a CMMC Reform Task Force conducts a top-to-bottom review. Its final report is due to the Department CIO within 60 days of the announcement.

That means November 10, 2026 should no longer be presented as the current government-wide Phase II enforcement date. Any homepage countdown, “condition of award on November 10” banner, or sales sequence built around that date is now stale.

It does not mean every existing CMMC-related contract term disappeared. Contractors should still read the clauses in each solicitation and contract, and subcontractors should confirm any current prime-imposed requirements in writing.

What Remains Active

Phase I self-assessments

The Department's wording is unambiguous: all Phase I self-assessment requirements remain firmly in place.

For contractors, the immediate question is no longer “Can we get through a C3PAO queue before November?” It is “Can we defend the score and system state we represent today?”

NIST SP 800-171 Rev. 2

During the review, the Department says it will enforce NIST SP 800-171 Rev. 2 through contractor self-assessments and selected government-led assessments.

This distinction matters. CMMC marketing pages often blur Revision 2 and Revision 3. The retained interim CMMC baseline named in the release is Revision 2, with its 110 security requirements. Revision 3 transition planning can continue, but it should not be mislabeled as the current 110-requirement assessment baseline.

DFARS 252.204-7012

DFARS 252.204-7012 still requires adequate security for covered contractor information systems and implementation of the applicable NIST SP 800-171 requirements. It also retains its cyber-incident reporting and flow-down obligations.

The July 13 release calls this out directly. The government paused a certification rollout, not the contractual duty to protect covered defense information.

Current NIST assessment information in SPRS

DFARS 252.204-7019 requires a current NIST SP 800-171 DoD assessment for covered systems relevant to an award and provides for summary scores in SPRS. Applicability depends on the clauses in the solicitation and contract, so contractors should verify their specific instruments.

The risk of an unsupported score is not theoretical. In June 2026, the Department of Justice announced a $507,144 False Claims Act settlement with LOGZONE. The settlement agreement says LOGZONE posted a 110 self-assessment score in SPRS and later received a -170 government assessment. The settlement resolved allegations; it was not a judicial finding of liability.

The Better Strategy During the Review

1. Recalculate the score from live system state

Do not carry forward an old spreadsheet score because the Phase II date moved. Revalidate the CUI boundary, the current implementation of all 110 Rev. 2 requirements, and the evidence behind each scored item.

2. Prioritize operational risk reduction

The reform announcement explicitly calls for scalable, resilient cybersecurity measures and lower administrative burden. The Department's new “Brilliant at the Basics” guidance emphasizes identity, asset inventory, segmentation, risk-based vulnerability management, resilient backup, and continuous monitoring.

That direction favors work that changes the actual environment: close exposed access paths, enforce MFA, validate asset coverage, reduce lateral movement, fix logging gaps, and prove that controls stay implemented.

3. Keep evidence current

A self-assessment is only as defensible as the evidence behind it. Maintain timestamped configuration state, remediation history, approvals, rollback records, SSP changes, and POA&M closures. Current evidence supports Phase I, selected government assessments, prime reviews, and whatever assessment model follows the reform.

4. Re-plan C3PAO spending instead of abandoning readiness

The government-wide November clock is gone. That gives contractors room to sequence work around actual contract risk instead of panic-buying assessment preparation.

Before cancelling or booking an assessment, check the exact solicitation, existing contract, recompete calendar, customer direction, and prime flow-down. Keep technical remediation moving because that work survives every likely policy outcome.

5. Prepare an evidence-backed RFI response

The Department says a public Request for Information will inform the reform task force. As of the July 13 announcement, the release does not provide the RFI questions or submission instructions.

Companies with real implementation data should prepare now: which requirements reduce measurable risk, which evidence activities create cost without improving security, where small businesses get stuck, and which controls can be continuously validated. Submit when the Department publishes the official instructions.

Where PolicyCortex Fits Now

PolicyCortex is not assessment cramming. It maps the live cloud environment to NIST SP 800-171, remediates technical gaps with controlled rollback, and packages evidence behind the score.

That value remains useful under Phase I self-assessment, selected government review, prime oversight, a future revised CMMC model, or a more risk-based successor.

The offer changes from “get ready before November” to “know what is actually true before you put a score in SPRS.”

That is a more durable reason to act.

FREQUENTLY ASKED
Did the Department of War cancel CMMC?
No. It suspended the Phase II transition and pending and future CMMC implementation milestones while a reform task force conducts a 60-day review. Phase I self-assessment requirements remain in place.
What CMMC requirements still apply during the pause?
Phase I self-assessment requirements remain active. The Department says it will enforce NIST SP 800-171 Rev. 2 through self-assessments and selected government-led assessments during the interim period.
Does DFARS 252.204-7012 still apply?
Yes. The July 13 release explicitly says defense contractors and subcontractors remain contractually obligated to safeguard covered defense information under DFARS 252.204-7012.
Should contractors stop CMMC preparation?
Contractors should stop planning around November 10 as a current government-wide Phase II deadline, but they should not stop safeguarding CUI, validating their NIST 800-171 implementation, maintaining current contract-required SPRS information, or checking contract- and prime-specific requirements.
READY TO AUTOMATE?

Replace 4 tools with one platform.

See how PolicyCortex consolidates compliance, security, AI governance, and cost — autonomously.

SYS: ONLINE
FOCUSNIST 800-171 / SPRS
BUILD0aed52
PHASE IISUSPENDED
©2026 POLICYCORTEX, INC.