Preparation/Requirements

CMMC Phase II Suspended: What the Department of War's Decision Means for Defense Contractors

On July 13, 2026, the Department of War (DoW) suspended implementation of the upcoming CMMC Phase II third-party assessment requirements that had been scheduled to begin on November 10, 2026. that verification mechanism and initiates a 60-day review of the program. It does not change contractors’ underlying obligations to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) where required by contract and applicable DFARS clauses. For the contractors in the Defense Industrial Base (DIB), that distinction is the whole story. Here is what the DoW actually suspended, what stayed the same, and how defense contractors can use the review period to stay ready.

What the Department of War Announced

The DoW announced the immediate suspension of CMMC Phase II and directed a 60-day study of the program's future. DoW Chief Information Officer Kirsten Davies framed the action as a way to cut red tape and compliance costs for smaller firms while keeping a strict security baseline in place.

To lead the review, the DoW is standing up a CMMC Reform Task Force. The task force will gather industry feedback through a public Request for Information (RFI), then recommend scalable security measures that prioritize speed and lower the barrier for small and non-traditional businesses. It will deliver a final report to the DoW CIO within 60 days. The suspension aligns with Secretary of War Pete Hegseth's Acquisition Transformation System (ATS), which pushes the department toward faster capability delivery and away from heavy compliance processes. You can read the full announcement on war.gov.

What Changed

The suspension affects the certification mechanism and its timeline:

  • The November 10, 2026 Phase II rollout has been placed on hold pending the 60-day review and any follow-on implementation guidance.

  • Pending CMMC implementation milestones tied to the phased rollout have been placed in abeyance, including later implementation steps that would have followed Phase II, subject to further Department guidance.

  • Contracting officers have been directed to remove Level 2 C3PAO and Level 3 DIBCAC assessment requirements from affected solicitations and to strip those provisions from existing contracts at the next option period or administrative modification.

  • Contractors that would otherwise have been preparing for an external CMMC assessment can reasonably defer scheduling a formal Level 2 C3PAO or Level 3 DIBCAC assessment until revised implementation guidance is issued.

What Did Not Change

The underlying requirement to protect federal data stands. During the interim period, these obligations remain in force:

  • Phase I self-assessment obligations remain in effect, including the applicable annual self-assessment, reporting, and affirmation steps.

  • Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 still applies, so every contractor and subcontractor remains contractually obligated to safeguard covered defense information.

  • For contractors handling CUI, NIST SP 800-171 Revision 2 remains the operative security baseline, with compliance continuing to be evidenced through self-assessments and subject to government review.

  • The duty to protect Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) is unchanged.

The review targets how compliance gets verified. It does not change the security standard you are expected to meet.

Phase II and Later CMMC Milestones Are on Hold

CMMC was built as a phased rollout. Phase I took effect on November 10, 2025, and centered on contractor self-assessment. Phase II, scheduled for November 10, 2026, would have introduced third-party assessment requirements for many contractors handling CUI. Phase III was set for November 2027, with full implementation planned for 2028.

The July 13 action pauses Phase II and the implementation milestones that would have followed it, while leaving Phase I in place. In practical terms, contractors handling CUI should continue to treat NIST SP 800-171 Revision 2 as the live baseline during the review period, while contractors handling only FCI should continue to follow the requirements applicable to their assigned level and contract terms.

Why the Department Suspended Phase II

The DoW pointed to compliance costs and a shrinking supplier base as the core problems. According to the Small Business Administration (SBA), which commended the decision, more than 100,000 small businesses were affected, with compliance costs reaching as high as $600,000 for some firms.

There was also a capacity problem. Department officials noted that roughly 100,000 DIB companies still needed a third-party assessment, while only about 100 authorized assessors were available to conduct them. That imbalance made the November 10 deadline unrealistic for most small and mid-sized contractors. Rather than force firms out of the defense supply chain, the department chose to pause certification and rethink the approach. 

What Defense Contractors Should Do During the 60-Day Review

A suspension is not a reason to stand down. If you handle CUI or are subject to DFARS 252.204-7012, you still must meet the underlying safeguarding obligations, the government may still review your compliance posture, and prime contractors may still require readiness to award or retain work. The safest position is to treat NIST SP 800-171 Revision 2 as the live standard it is.

Complete or refresh your self-assessment and, where applicable, confirm that any score you report in the Supplier Performance Risk System (SPRS) accurately reflects your actual control status. An inflated or inaccurate score can create False Claims Act risk, and that exposure does not disappear just because the certification timeline has been paused.

For contractors that would otherwise have needed external certification, the piece you can reasonably defer is the formal C3PAO or DIBCAC assessment scheduling process, because that verification mechanism is what is currently under review. A mock assessment can still be a useful readiness exercise before any future certification requirement resumes.

Staying Continuously Ready With Drata

The DoW review sets a clear direction: speed to capability, lower barriers for smaller firms, and scalable security in place of bureaucratic compliance. Continuous readiness is how you meet that bar without a last-minute rush every time the government asks.

Drata, the Agentic Trust Management Platform, helps defense contractors align with NIST SP 800-171 and stay ready across frameworks all year, not just at assessment time. Dedicated NIST 800-171 Revision 2 framework mappings help teams organize current requirements and connect them to controls in one workspace. Automated evidence collection and continuous control monitoring reduce your reliance on point-in-time self-assessments and keep you prepared for government-led reviews and CMMC-aligned evaluations. When a prime contractor asks for proof, you can share approved readiness documentation and alignment summaries through Drata’s Trust Center with controlled access, while keeping CUI within the systems designated to store and protect it.

See how Drata brings continuous readiness to your CMMC and NIST 800-171 program. Get a Demo.


JULY 16, 2026
CMMC Collection
Navigate CMMC With Confidence
Get a Demo

Navigate CMMC With Confidence