At a Glance
- On July 13, 2026, DoD suspended upcoming CMMC implementation deadlines, including the transition to CMMC Phase II, and launched a 60-day review of the CMMC program. In doing so, DoD cited administrative burdens and stated that “the current CMMC program is structurally incompatible with [DoD’s] need to rapidly expand the [Defense Industrial Base].”
- The suspension affects the timing of third-party CMMC assessments; it does not, however, withdraw Phase I requirements. Level 1 and Level 2 self-assessment requirements, supplier performance risk system posting, and annual affirmations remain important for applicable solicitations and contracts.
- Contractors should not treat the suspension as a compliance pass. Rather, contractors remain subject to important DFARS and FAR clauses that implement NIST SP 800-171 Rev. 2 requirements, and must abide by all relevant cyber incident reporting and prime/subcontractor flowdowns involved in contract performance.
On July 13, 2026, the Department of Defense (DoD) announced an immediate suspension of the transition to Phase II of the Cybersecurity Maturity Model Certification (CMMC) program and directed a 60-day review of the program’s structure, costs, and assessment model. The suspension pauses the planned expansion of mandatory third-party CMMC assessments, including Level 2 CMMC Third-Party Assessment Organization (C3PAO) certifications and Level 3 Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) assessments, while DoD evaluates whether the program should be recalibrated to reduce barriers for small, medium-sized, and nontraditional defense contractors.
Overview
Effective immediately, DoD has suspended both the transition to Phase II CMMC requirements previously scheduled to take place in November 2026 and the pending and future CMMC milestones tied to third-party assessment requirements. DoD issued two agency memoranda on July 13 to effectuate the suspension; one to implement the suspension itself (“Implementing Department of War Chief Information Officer’s Suspension of the Advancement to Cybersecurity Maturity Model Certification Phase 2 Requirements”), and another (“Removing Barriers to Defense Industrial Base Expansion: Immediate Suspension and Strategic Review of Cybersecurity Maturity Model Certification Requirements”) to direct a broader CMMC review and explain the Department’s efforts to continue enforcing baseline cybersecurity compliance in the meantime.
The CMMC Program was designed to move the defense industrial base from an exclusively self-attested model toward a tiered assessment regime for information systems that process, store or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). During Phase I of CMMC implementation, DoD began requiring Level 1 and Level 2 self-assessments for certain applicable solicitations and contracts. Those requirements remain in place during the suspension, including the need to enter required assessment information and affirmations in the Supplier Performance Risk System (SPRS), and contractors should maintain a strong record supporting any self-assessment, affirmation, or contract representations. The next phase would have permitted DoD to require Level 2 certifications by accredited C3PAOs for applicable contracts involving CUI. DoD has now paused that third-party certification requirement while the newly established CMMC Reform Task Force conducts a “top-to-bottom 60-day review of the certification program” and evaluates whether the model should be modified to reduce associated compliance burdens on contractors.
The DoD’s change in course is a response to recent data and feedback indicating that “the current CMMC program is “structurally incompatible with [DOD’s] need to rapidly expand the Defense Industrial Base (DIB).” DoD framed the July 13 suspension as part of a broader acquisition reform effort. The July 13 agency memoranda emphasize that the current CMMC approach created administrative burdens, high compliance costs, limited third-party assessment capacity and complex implementation timelines that risked excluding small, medium-sized, and nontraditional businesses from the defense industrial base. At the same time, DoD stated that its objective is not to reduce cybersecurity, but to align CMMC with the Acquisition Transformation System’s focus on speed and capability while maintaining a strict security baseline. In this regard, it is noteworthy that, just one day after the suspension, the White House announced on July 14 its “Gold Eagle Initiative” for cybersecurity coordination.
Moving forward, the agency memorandum directs contracting activities not to designate Level 2 (C3PAO) or Level 3 (DIBCAC) CMMC requirements in covered solicitations or contracts during the suspension period, unless and until DoD issues further direction. The implementing direction also contemplates “immediate relief” of procurement documents already in process that include these requirements, directing program managers to initiate amendments to active solicitations. Affected solicitations are likely to be amended and contracts or task orders will be modified, as appropriate, to remove suspended Phase II requirements or align them with current DoD directions. However, offerors and contractors should review open questions with their contracting officers rather than assuming that legacy solicitation language has been automatically superseded.
Additionally, through a SAM.gov Request for Information (RFI), the Department is also soliciting feedback and industry perspectives on utilizing existing commercial cybersecurity capabilities, leveraging and optimizing self-attestation capabilities, and streamlining cybersecurity compliance requirements. Defense contractors and other industry actors are directed to respond to a specific set of questions regarding industry readiness, cost drivers, and current cybersecurity control implementation. Responses are due by August 14, 2026.
Implications for Federal Contractors
The July 13 announcement shifts the CMMC compliance conversation from near-term third-party audit deadlines to a broader reassessment of DoD’s contractor cybersecurity model. The suspension reduces the short-term pressure for defense contractors to secure Level 2 C3PAO certification by the prior Phase II milestone. Companies that were progressing toward a formal C3PAO assessment should revisit timing, assessor engagements, customer commitments, and budget assumptions, while preserving evidence of control implementation, remediation, and governance. Defense contractors should use the suspension as a governance and contract-review window, rather than an opportunity to stand down cyber compliance in full.
Contractors should also distinguish between the suspended CMMC requirement and still-operative contractual obligations. Phase I self-assessments, DFARS and FAR clauses, NIST requirements, SPRS entries, annual affirmations, incident reporting obligations, and customer flowdowns all remain important sources of legal, operational and enforcement risk, as evidenced by recent enforcement actions under the False Claims Act. If a solicitation, contract, subcontract, teaming agreement or customer certification already requires a particular CMMC status, NIST SP 800-171 implementation, SPRS score, incident reporting, or annual affirmation, that requirement should be analyzed under the governing document and any later amendments or modifications.
Importantly, CMMC and DFARS cyber requirements flow down through prime-subcontract relationships where subcontractors process, store, or transmit FCI or CUI, meaning that prime contractors must continue to evaluate subcontractor coverage, flowdown language, SPRS status, and incident reporting channels.
Prime contractors should assess how the suspension affects flowdowns to subcontractors, especially where purchase orders or supplier terms require Level 2 C3PAO certification by a fixed date. Subcontractors, in turn, should determine whether prime-imposed obligations exceed current government requirements and whether amendments, waivers, or schedule adjustments are appropriate.
The suspension also may affect bid strategy and risk allocation by both prime contractors and subcontractors; and offerors should monitor amendments to pending solicitations, preserve assumptions in proposals, and avoid broad assumptions that CMMC third-party certification is no longer relevant to performance, particularly where FCI or CUI will be handled.
Finally, contractors and other industry actors should consider submitting comments in response to the CMMC Reform Task Force RFI regarding administrative burdens, cost drivers, and existing commercial cybersecurity issues to help shape the Department’s review of the CMMC program. Further information regarding the requested information is available in the Word document linked on the Department’s SAM.gov RFI page.
For More Information
For further information, you may contact the authors. Faegre Drinker’s government contracts and cybersecurity teams will continue to monitor the CMMC review, implementation guidance, solicitation and contract changes, and related DFARS cyber developments.