Manufacturing operations face intense competitive pressures, increasingly complex supply chains, and strict compliance requirements like CMMC and ITAR...
Healthcare providers face mounting pressures from ever-evolving technology...
Accounting firms handle sensitive financial data—from tax filings to audit...
Law firms operate under strict confidentiality obligations and face evolving...
Auto dealerships handle a wealth of customer information, from financing details...
In Oil & Gas, uptime, safety, and data integrity are paramount. Whether you’re managing offshore rigs,...
Financial institutions bear a heavy responsibility: they hold sensitive client information and manage...
In the insurance sector, safeguarding sensitive policyholder information is essential—not just to meet...
Auto dealerships handle a wealth of customer information, from financing details...
Small and medium-sized businesses are the backbone of our economy, but they often face...
Manufacturing operations face intense competitive pressures, increasingly complex supply chains, and strict compliance requirements like CMMC and ITAR...
Healthcare providers face mounting pressures from ever-evolving technology...
Accounting firms handle sensitive financial data—from tax filings to audit...
Law firms operate under strict confidentiality obligations and face evolving...
Auto dealerships handle a wealth of customer information, from financing details...
In Oil & Gas, uptime, safety, and data integrity are paramount. Whether you’re managing offshore rigs,...
Financial institutions bear a heavy responsibility: they hold sensitive client information and manage...
In the insurance sector, safeguarding sensitive policyholder information is essential—not just to meet...
Auto dealerships handle a wealth of customer information, from financing details...
Small and medium-sized businesses are the backbone of our economy, but they often face...
On July 13, 2026, the Department of War suspended CMMC Phase II certification requirements that were set to take effect November 10, 2026. Your DFARS 7012 safeguarding obligations, your Phase I self-assessment, and DOJ’s ability to pursue false self-assessments have not changed at all.
Somewhere in your shop right now there’s a folder with your CMMC prep in it. Maybe it’s a policy binder your quality manager has been building for a year. Maybe it’s a half-finished System Security Plan your IT provider has been chipping away at. Maybe it’s just a date circled on the wall calendar in the office: November 10.
That date is no longer the thing driving your timeline. Here’s what actually happened, what it means for the work you’ve already started, and what you still owe your customers regardless of what the government does next.
The Department of War announced the immediate suspension of the Cybersecurity Maturity Model Certification (CMMC) Phase II requirements, the tier that would have required certification from a third-party assessor for most Level 2 contracts. Phase I self-assessment requirements, which took effect last November, remain fully in place. Phase III, the Level 3 government-led assessments planned for 2027, and Phase IV are suspended too. Every pending and future CMMC implementation milestone is paused until further notice.
The department’s stated reason is cost and capacity. DoW Chief Information Officer Kirsten Davies said the suspension supports Secretary of War Pete Hegseth’s Acquisition Transformation System (ATS) directive to reduce compliance barriers for small, medium, and non-traditional businesses, and pointed to Small Business Administration data showing the current CMMC program was pushing innovative companies out of the defense industrial base (DIB) rather than protecting it. A new CMMC Reform Task Force will conduct a 60-day review of the program from top to bottom, delivering its findings within 60 days. Industry can weigh in through a public Request for Information through August 14, and the task force reports back to the department’s CIO around mid-September. Officials have not ruled out the possibility that CMMC gets rebuilt into something very different once that review is done.
In the meantime, contracting officers have been directed to pull Level 2 and Level 3 requirements out of active solicitations across the Department of War and modify existing contracts that already contain them. During this interim period, the department says it will enforce cybersecurity through self-assessments and select government-led assessments against the NIST SP 800-171 Rev 2 standard, not through the CMMC implementation pipeline that was about to come online.
DFARS clause 252.204-7012, requiring you to safeguard covered defense information and protect federal data, is untouched by any of this. If your shop handles drawings, CAD files, specifications, or inspection data tied to a defense contract, that obligation was never tied to a third-party audit in the first place. It was always a contractual requirement you carry the day you sign the contract, and it still is today. Nothing about where those files live, who can open them, or how they leave your building got easier to ignore.
The Department of Justice’s Civil Cyber Fraud Initiative is still actively using the False Claims Act to pursue companies over false or inaccurate self-assessments. That matters more now, not less. With the third-party audit on hold, your self-assessment score is carrying more of the weight than it was six months ago. Nobody outside your walls is going to catch a sloppy score before it becomes a legal problem. You are.
If your shop has been racing toward a formal outside assessment because a customer or a prime told you November 10 was the line, that specific line just moved. Nobody is pushing you toward a third-party audit on that clock anymore, and it’s worth being honest with yourself, your team, and anyone helping you get ready: repeating that date as the reason to act would be inaccurate now, and it would cost you credibility with anyone who’s already seen the news.
What hasn’t moved is the underlying reality. DFARS 7012 and NIST SP 800-171 implementation are mandatory today for any contract touching CUI, independent of whatever happens to CMMC Phase II down the road. There’s also a real, short window right now where the shape of this program gets decided. Being genuinely NIST 800-171 ready is a no-regret move no matter what comes out of that review in September, because even a lighter framework will still be built on that same standard.
None of this changes what your customers are actually watching for. Prime contractors aren’t just buying parts. They’re evaluating whether the business behind those parts can protect the information that comes with them, and that evaluation shows up in supplier reviews, cyber insurance renewal questionnaires, and the occasional direct question from a program manager who wants to know where your drawings live. The work you were already doing to get audit-ready doesn’t need to stop. It just doesn’t need to hit a November finish line anymore. Getting your CMMC compliance documentation and certification readiness in order is still the right move, whether the third-party check comes back in its old form, a new form, or not at all.
Some primes wrote CMMC Level 2 certification into their own subcontract requirements as part of their supply chain security standards, separate from anything DoD mandated department-wide. That contractual language doesn’t disappear just because the department paused its own program. If you’re working under a prime that put a CMMC flow-down clause in your contract, that requirement is likely still live, and it’s worth a direct conversation with that prime to confirm it. The suspension is a department-level decision. It doesn’t automatically override what your customer put in writing, and a supplier who assumes otherwise is the one who gets caught flat-footed at the next review.
Your NIST 800-171 self-assessment is the thing that actually protects you right now. Treat it like the real compliance requirement it is, not a placeholder you were keeping warm until Phase II showed up. If it’s been sitting untouched for a few months, this is the week to open it back up.
If you work under a prime, ask directly whether their CMMC Level 2 requirement is still in effect on your subcontract. Don’t assume the DoW suspension settles it for you, and don’t wait for them to bring it up first.
The public comment period for the Request for Information closes August 14, and the CMMC Reform Task Force reports back around mid-September. Whatever comes out of that 60-day review is the next point where the requirements, and the urgency, could shift again. You can track the review on DoD’s official CMMC program page as new guidance comes out, and it’s worth putting both dates on your calendar now.
None of this means you can put the folder back in the drawer. It means the deadline pressure is gone, but the underlying obligation to protect the information behind your customer’s parts is exactly what it was last week. Getting your documentation, your DFARS 7012 controls, and your self-assessment score in solid shape is still the right move, and it’s a lot easier to do without a government clock running against you.
If you want a clear-eyed read on where your shop actually stands against DFARS 7012 and NIST 800-171, right now, with no certification deadline pressuring the conversation, schedule a free assessment with our CMMC-focused team. We’ll help you figure out what’s solid, what needs work, and what to fix first.
Phase I requires an annual self-assessment against NIST SP 800-171 Rev 2 for contracts involving Controlled Unclassified Information, and it took effect in November 2025. Phase II would have added mandatory third-party certification from a C3PAO for most Level 2 contracts under the CMMC 2.0 program, along with government-led Level 3 assessments in Phase III. Phase II, along with Phases III and IV, is suspended as of July 13, 2026. Phase I self-assessment obligations remain fully in force and unaffected by the suspension.
Yes. DFARS 252.204-7012 is a separate contractual clause requiring adequate security for covered defense information, and it was never contingent on CMMC third-party certification. The Department of War’s July 2026 suspension applies specifically to CMMC Phase II rollout milestones, not to DFARS 7012 safeguarding obligations, which remain fully enforceable for every contractor and subcontractor handling CUI.
Yes. The suspension is a department-level pause on DoD’s own CMMC rollout milestones. It does not prevent a prime contractor from independently requiring Level 2 certification as a condition of its own subcontract or supply chain agreements. Subcontractors should confirm directly with any prime whose flow-down clauses reference CMMC Level 2 whether that requirement remains in place.
On July 13, 2026, the Department of War suspended CMMC Phase II certification requirements…
CMMC readiness is the state of having fully implemented, documented, and operationalized the cybersecurity…
A CMMC audit — more precisely called a CMMC Level 2 assessment — is…