Skip to main content
Home/Blog/CMMC Phase 2 Is Suspended. Don't Stand Down. Here's What Defense Contractors Must Do Right Now.
Compliance

CMMC Phase 2 Is Suspended. Don't Stand Down. Here's What Defense Contractors Must Do Right Now.

The Pentagon just suspended CMMC Phase 2 third-party certification requirements. Before you breathe a sigh of relief, read this — your obligations didn't disappear.

July 15, 2026·7 min read

On July 13, 2026, the Department of War (formerly DoD) dropped a bombshell on defense contractors: CMMC Phase 2 is suspended. Immediately. The third-party certification process that was scheduled to take effect November 10, 2026 is on hold while the Department conducts a 60-day review.

Cue the collective exhale from thousands of defense contractors who've been grinding through assessment prep for months.

Here's the problem with that exhale: your cybersecurity obligations didn't go anywhere.

What Actually Happened

DoW Chief Information Officer Kirsten A. Davies signed memo 26-P-1023 suspending the Phase 2 transition, citing Secretary Pete Hegseth's directive to reduce compliance barriers for small and medium businesses and "replace bureaucratic compliance with scalable, resilient cybersecurity measures."

A CMMC Reform Task Force now has 60 days to deliver a comprehensive review. The Department's stated goals: speed to capability, lower barriers for non-traditional defense contractors, and less administrative overhead.

So what's still in place?

- Phase 1 self-assessments remain fully intact - Annual affirmation requirements in the Supplier Performance Risk System (SPRS) are unchanged - DFARS clause 252.204-7012 — the foundational contract clause requiring protection of Covered Defense Information — is still live - NIST SP 800-171 Rev 2 compliance is still required and will be enforced through self-assessments and targeted government-led assessments

Phase 2 — the third-party audit — is paused. Everything else? Still your problem.

Why This Matters More Than You Think

I've been in cybersecurity for 25 years. I've watched compliance programs come and go, get delayed, get restructured, and get politicized. And I can tell you with confidence: the contractors who treat this suspension as a green light to stand down on security work are the ones who will get hurt.

Here's why:

First, the 60-day review doesn't mean the requirement disappears. CMMC Phase 2 is suspended, not repealed. The Reform Task Force could recommend a modified version, a delayed timeline, or an alternative assessment model — but the underlying premise, that defense contractors handling sensitive federal data must implement real cybersecurity controls, isn't going away. The political will to protect national security data hasn't changed; the mechanism for proving it is being reconsidered.

Second, NIST 800-171 enforcement just got real. The announcement was explicit: during the interim period, the DoW will enforce compliance with NIST SP 800-171 Rev 2 through self-assessments and select government-led assessments. Government-led assessments aren't random. They target contractors with gaps in their SPRS scores, contracts with elevated risk, and organizations that look like they're not taking this seriously. If you've been counting on the third-party audit as your forcing function to actually fix your security gaps, that's a problem.

Third, your contract risk is unchanged. DFARS 252.204-7012 is a contract clause, not a program requirement. It doesn't care about CMMC's status. If you're a prime or sub handling Controlled Unclassified Information (CUI) and you're breached, your obligation to protect that data — and your legal exposure if you didn't — exists regardless of what's happening with the certification program.

Fourth, your prime contractors may have their own requirements. Many large prime contractors have built CMMC compliance into their supply chain expectations already. If you're a subcontractor to a prime that built Phase 2 readiness into their vendor requirements, that prime's contractual expectations don't change because the government paused the formal certification.

What Should Defense Contractors Do Right Now?

This is where I'll give you the opposite advice you might be expecting.

Don't stop your CMMC prep work. If you've been building toward Phase 2, keep going. The controls CMMC Phase 2 requires — based on NIST 800-171 — are the same controls the government will now be assessing you against via self-assessment and spot-audits. Nothing you've built is wasted.

Get your SPRS score honest. If your current Supplier Performance Risk System score doesn't accurately reflect your actual security posture, fix it. Government-led assessments during this interim period will be looking at organizations with suspicious gaps between self-reported SPRS scores and observable reality. A score that overstates your posture is a liability, not a shield.

Document everything. The 60-day review will produce something — possibly a modified CMMC framework, possibly alternative assessment mechanisms, possibly new timelines. Whatever it produces, organizations with documented, demonstrable security programs will be in the best position to adapt quickly. Organizations that used this pause to do nothing will scramble.

Understand what Phase 1 actually covers. Level 1 self-assessment requires implementation of 17 foundational cybersecurity practices derived from NIST 800-171. If you're not solid on those 17 practices, that's where to focus immediately. They're not optional — they're the floor.

Ask hard questions of your supply chain. If you're a prime, now is not the time to loosen vendor security expectations. Your subcontractors' breaches become your breaches. Use this transition period to assess where your supply chain actually stands.

The Bigger Picture

CMMC was designed to solve a real problem: defense contractors — including small businesses — have been targeted relentlessly by nation-state adversaries looking to steal intellectual property, technical data, and operational information. The classified systems are protected. The supply chain surrounding them has been the soft underbelly.

A 60-day review isn't going to change that threat reality. Russian, Chinese, and Iranian state-sponsored groups aren't pausing their operations because the Pentagon is rethinking its audit process.

The contractors who will come out of this in the strongest position are the ones who use this window not to stop, but to accelerate. Fix the gaps that would have been flagged in a third-party assessment anyway. Get your documentation in order. Train your people. Make your SPRS score honest.

When Phase 2 returns — and it will, in some form — you'll be ready. And until it does, you'll be operating with lower risk and stronger contract protections than the contractors who decided the pause was permission to coast.

Need Help Navigating CMMC?

TrustPoint Cyber works with defense contractors at every stage of CMMC readiness — from initial gap assessment to full documentation and ongoing compliance management. If the Phase 2 suspension has you wondering where you actually stand, let's find out together. We'll give you an honest picture — not a comfortable one.

Get Protected

Ready to strengthen your security?

TrustPoint Cyber delivers Zero Trust architecture, incident response, managed security, and vCISO services — built for your business.