CMMC Program Status Brief
On July 13, 2026, the Department of War suspended CMMC Phase 2 and opened a 60-day program review. The certification deadline is gone. Your obligations are not. Here is exactly where things stand — updated as the program develops.
The 20-second version
- • Suspended: Phase 2 — mandatory third-party (C3PAO) Level 2 certification as a condition of award, previously scheduled for November 10, 2026.
- • Still in force: Phase 1 self-assessments, SPRS score submissions, and DFARS 252.204-7012 (CUI safeguarding + NIST SP 800-171).
- • Next milestone: the review task force reports to the DoW CIO ~mid-September 2026; an RFI is collecting industry input.
- • Smart move: keep improving your real 800-171 posture; stop spending against a certification date that no longer exists.
What changed on July 13, 2026
Under the “Forging the Arsenal of Freedom” initiative, the Department of War announced the immediate suspension of CMMC Phase 2 requirements and a 60-day review of the program. The department’s stated rationale: compliance costs and bureaucratic burden were pushing innovative companies out of the defense industrial base.
$7B+ / year
projected cost of future CMMC phases to small and mid-sized businesses (SBA data cited by DoW)
~$600K
individual compliance bills were approaching this figure
100,000 : 100
DIB companies needing third-party assessment vs. authorized C3PAOs
What still binds you
The suspension removed a certification gate — not your contractual security obligations. Three regimes are explicitly unaffected:
| Obligation | Status | What it means in practice |
|---|---|---|
| Phase 1 self-assessments | In force | Level 1/2 self-assessment + affirmation requirements continue appearing in new DoD solicitations. |
| SPRS score | In force | Keep it current and honest — overstating your posture is False Claims Act exposure, suspension or not. |
| DFARS 252.204-7012 | In force | CUI safeguarding, 72-hour cyber incident reporting, and NIST SP 800-171 controls — unchanged. |
| Phase 2 C3PAO certification | Suspended | The Nov 10, 2026 condition-of-award gate is off. Its replacement depends on the 60-day review. |
What to do now
- 1
Keep your 800-171 posture moving
The controls are still contractually required via DFARS 7012 and still scored in SPRS. Security work keeps paying under any regime the review produces.
- 2
Re-baseline your SPRS score honestly
Affirmations carry False Claims Act weight. If your score is stale or optimistic, fix that before it becomes a legal problem rather than a compliance one.
- 3
Pause deadline-driven spending, not readiness
Certification scheduling, panic consulting retainers, and date-driven tooling buys were priced against November 10. That date is gone — renegotiate from strength.
- 4
Answer the RFI if the burden hit you
The review is explicitly collecting industry feedback on compliance cost. Small and non-traditional contractors have the most to gain from being heard.
- 5
Architect so the next regime is irrelevant
Whatever replaces Phase 2, one property wins in every scenario: your data and AI stack under your own control, mapped to 800-171. Regime-proof beats deadline-chasing.
The review timeline
Nov 10, 2025
Phase 1 begins — self-assessment requirements enter new DoD solicitations (48 CFR CMMC acquisition rule effective).
Jul 13, 2026
Phase 2 suspended; 60-day program review + industry RFI opened.
~Sep 11, 2026
Review task force report due to the DoW CIO. Expect the shape of what replaces Phase 2.
TBD
New rulemaking or program guidance. This brief will be updated the day it lands.
Questions we keep getting
Is CMMC cancelled?
No. The Department of War suspended Phase 2 requirements on July 13, 2026 and opened a 60-day program review. Phase 1 self-assessment requirements, SPRS score submissions, and DFARS 252.204-7012 safeguarding obligations all remain fully in force.
Do I still need a CMMC Level 2 (C3PAO) certification?
Not on the previously announced timeline. Phase 2 — which would have made third-party C3PAO certification a condition of award for CUI solicitations starting November 10, 2026 — is suspended. What replaces it will be shaped by the 60-day review. If you already scheduled an assessment, ask your C3PAO about deferral options before cancelling: NIST SP 800-171 compliance is still contractually required either way.
What do defense contractors still have to comply with?
Three things are untouched by the suspension: (1) Phase 1 self-assessments — Level 1/2 self-assessment and affirmation requirements in new DoD solicitations; (2) SPRS — your Supplier Performance Risk System score must stay current, and affirmations carry False Claims Act exposure; (3) DFARS 252.204-7012 — CUI safeguarding, cyber incident reporting, and the underlying NIST SP 800-171 controls.
Why was CMMC Phase 2 suspended?
The department cited prohibitive compliance costs and a structural bottleneck: SBA data projected future CMMC phases could cost small and mid-sized businesses more than $7 billion annually — with individual compliance bills approaching $600,000 — while over 100,000 defense industrial base companies would have needed third-party assessments from roughly 100 authorized C3PAOs.
When will we know what replaces Phase 2?
The review task force reports to the DoW CIO within 60 days of the July 13, 2026 announcement — around mid-September 2026. A public request for information is collecting industry feedback on compliance burden. This brief will be updated when the report lands.
Should we stop our CMMC readiness work?
No — redirect it. The NIST SP 800-171 controls underneath CMMC are still contractually binding through DFARS 252.204-7012 and still assessed via SPRS. Work that improves your actual security posture and score keeps paying off under any regime the review produces. What changed is deadline-driven panic spending — certification-scheduling for a date that no longer exists.
Want to know exactly where you stand?
Run the free readiness check — scored against the NIST SP 800-171 families that still bind you, suspension or not.
Check Your CMMC Readiness