CMMC Phase II Is Suspended. Your Compliance Obligations Are Not.
- 3 days ago
- 3 min read

On July 13, 2026, the Department of War (formerly the Department of Defense) announced the immediate suspension of CMMC Phase II requirements — originally scheduled to take effect on November 10, 2026. The Department is launching a 60-day review, led by a newly formed CMMC Reform Task Force, aimed at reducing compliance burden on small, mid-sized, and non-traditional Defense Industrial Base (DIB) partners.
For many contractors, the immediate reaction has been relief. That reaction is understandable — but it's also premature.
What Changed
The suspension applies specifically to CMMC Phase II third-party certification requirements. That's the formal assessment structure that was set to layer on top of existing obligations starting this November.
What the announcement does not change:
l Phase I self-assessment requirements remain fully in place.
l NIST SP 800-171 Rev 2 remains the enforced standard, through both self-assessments and select government-led assessments.
l DFARS clause 252.204-7012 obligations to safeguard covered defense information remain contractually binding, with no exception.
The Department's own release makes this explicit: "This action does not eliminate the requirement for companies to protect federal data." The certification mechanism paused. The underlying obligation did not.
Why This Distinction Matters
If your organization was building a compliance program specifically to pass a Phase II assessment by a fixed date, that timeline has changed, and it's reasonable to revisit how you allocate resources over the next 60 days.
If your organization was building toward NIST 800-171 because that's what safeguarding CUI demands, very little changes. The controls you need are the same controls you needed last week.
The risk isn't in the suspension itself. It's in the two ways contractors are likely to misread it:
Reading it as permission to stop. Self-assessment under 800-171 Rev 2 is still actively enforced; it is not just a formality. False Claims Act liability for a false attestation doesn't pause along with Phase II — if anything, self-assessments carry more individual accountability, not less, when there's no third-party assessor validating the claim.
Reading it as no change at all. A 60-day reform review is likely to produce a different implementation model, not a return to the status quo. Organizations that stay engaged with the RFI process and track the Task Force's recommendations will be better positioned than those who assume the outcome won’t impact them.
What to Do in the Next 60 Days
Don't pause control implementation. Whatever program you were building toward Phase II certification is very likely the same program you need for 800-171 self-assessment and DFARS 7012 compliance. Certification timing changed; the control set didn't.
Get honest about your current SPRS score. Self-assessments carry real liability when they don't reflect reality. If there's a gap between your claimed score and your actual posture, this review period is the time to close it — not the time to leave it unexamined.
Watch the Task Force's output, not just the headline. The RFI process will shape what CMMC becomes. Organizations that submit feedback or track the outcome closely will have a head start adapting to whatever the next version requires.
Treat this as a resourcing decision, not a compliance decision. The controls you need haven't moved. What may be worth revisiting is how quickly you need to get there, and where your budget is best spent during the review window.
The Bottom Line
A paused certification deadline is not the same as an eliminated security requirement. NIST 800-171 and DFARS 252.204-7012 remain the law of the land for anyone handling CUI or FCI.
The organizations that will be best positioned when the next version of CMMC arrives will be the ones that kept building toward the security outcome — not just the assessment date.
If you're uncertain where your organization currently stands against NIST 800-171, independent of what CMMC ultimately becomes, that's a conversation worth having now, while there's still runway to close the gap on your own terms.
Securance Consulting provides cybersecurity advisory and compliance readiness services to organizations across the Defense Industrial Base and beyond. Contact us to assess where your program stands.
.png)



Comments