CMMC starts outside IT. Free webinar June 30 @ 12PM ET. Register Now →

CMMC Phase II Suspension FAQs

On Monday, July 13th, the DOW announced the immediate suspension of CMMC Phase II requirements, pausing the planned requirement for many contractors to obtain a formal third-party CMMC assessment through a C3PAO.

The announcement has created understandable questions for defense contractors, especially those already preparing for assessment, budgeting for certification, or tracking upcoming contract requirements. At the same time, the pause provides organizations with additional flexibility and may reduce near-term assessment costs while the Department reviews the program.

These FAQs explain what changed, what remains in effect, and what organizations should consider while the program is under review.

 

CMMC Phase II Suspension FAQs

  1. What changes were announced to the CMMC program on July 13th, 2026?
  2. Why was CMMC Phase II suspended?
  3. Is Phase I still in effect?
  4. How does this impact current contracts?
  5. What does the Phase II program review include?
  6. What should I do if I have an assessment scheduled?
  7. Should I continue pursuing CMMC compliance?
  8. Are C3PAO assessments still required?
  9. What should companies be doing right now?
  10. Where can I learn more?

What changes were announced to the CMMC program on July 13th, 2026?

The DOW announced that it is pausing the rollout of CMMC Phase II while it reviews and reforms the program. Phase II was scheduled to begin on November 10th, 2026 and would have required many contractors to obtain a formal third-party CMMC assessment through a C3PAO.

Overview

  • Phase II requirements are temporarily paused.
  • Pending and future CMMC Phase II milestones in Department solicitations and contracts are also paused.
  • Phase I self-assessment requirements remain in effect.
  • A CMMC Reform Task Force will review the program and provide recommendations within 60 days.

In summary, the requirement to obtain a formal third-party CMMC assessment through a C3PAO is on hold for now.

For many organizations, this pause is welcome news. It gives contractors more time to prepare and may reduce near-term pressure around formal assessment costs. However, it does not end CMMC or cybersecurity compliance. Phase I self-assessments, NIST SP 800-171 requirements, and any cybersecurity obligations already written into contracts still apply.

Why was CMMC Phase II suspended?

The DOW concluded that the planned CMMC Phase II certification requirements could impose significant costs and administrative burdens on defense contractors, particularly small, medium-sized, and non-traditional businesses.

Key concerns included:

  • High compliance costs that may be difficult for smaller contractors to absorb.
  • Administrative complexity and bureaucracy that could slow participation and contract execution.
  • Potential delays in delivering critical capabilities to the Department of Defense.
  • Risk of losing innovative suppliers that may choose to exit the defense market rather than pursue certification.
  • Limited assessor capacity, with too few authorized C3PAOs available to support the expected number of companies needing certification.

Overall, the review is assessing whether the planned certification approach strengthens cybersecurity while preserving a competitive, innovative, and resilient defense industrial base.

 

Is Phase I still in effect?

Yes. The announcement explicitly states that all Phase I self-assessment requirements remain in effect.

During the review period, the Department will continue enforcing cybersecurity requirements through:

Phase I remains active and enforceable. Only the rollout of Phase II certification requirements has been paused pending review.

This temporary reprieve allows contractors to continue building toward compliance at a more measured pace while delaying assessment-related costs.

 

How does this impact current contracts?

The announcement suspends “the transition to Phase II requirements of CMMC, as well as pending and future CMMC implementation milestones across the DOW solicitations and contracts.”

This means:

  • Existing cybersecurity obligations still apply.
  • Any upcoming deadlines tied to Phase II are paused.
  • New contract solicitations are not expected to continue adding the paused Phase II milestones while the review is underway.

For now, contractors should continue following the requirements in their current contract. Any changes related to the Phase II suspension will need to be communicated through official contract updates or modifications.

 

What does the Phase II program review include?

Phase II is currently on hold while the government reviews the program and considers potential changes.

During the review period, the Department is pausing the rollout of CMMC Phase II and establishing a CMMC Reform Task Force to conduct a comprehensive 60‑day review of the certification program. The task force will analyze industry feedback and recommend cybersecurity requirements that are more scalable, reduce barriers for small and non-traditional businesses, and align with the Department’s acquisition reform goals.

The Department is requesting industry feedback through the Reforming CMMC and Reducing Compliance Burden for the Defense Industrial Base (DIB) RFI. Responses are due by August 14th, 2026.

While the review is underway, contractors must still protect federal data and comply with NIST SP 800‑171 Rev. 2 through self-assessments and select government-led assessments. The Department emphasized that cybersecurity requirements remain in place even though the Phase II certification requirements are suspended.

 

What should I do if I have an assessment scheduled?

The Department has announced a pause on the third-party certification requirement but has not yet provided comprehensive guidance on how organizations should handle assessments already under contract or scheduled.

Organizations should avoid making immediate changes until they have spoken directly with their C3PAO.

Organizations should contact their C3PAO to understand:

  • Whether scheduled assessments will proceed.
  • Whether certifications can still be issued.
  • What happens to deposits already paid.

Companies that have already invested significant effort and have a scheduled assessment date may still find value in continuing, depending on what their C3PAO communicates regarding planned assessments. It’s worth noting that organizations that have invested in CMMC readiness are already seeing returns through enhanced protection of sensitive information, reduced cyber risk, and a stronger foundation for future compliance.

 

Should I continue pursuing CMMC compliance?

Yes. While Phase II certification requirements have been suspended, the Department has not eliminated cybersecurity requirements. Phase I self-assessments remain in effect, NIST SP 800‑171 compliance continues to be enforced, and contractors are still required to protect covered defense information under existing contract requirements.

Organizations handling Controlled Unclassified Information (CUI) are still responsible for:

  • Protecting CUI in accordance with DFARS 252.204-7012
  • Implementing NIST SP 800-171 Rev. 2 requirements
  • Maintaining supporting compliance documentation
  • Completing required self-assessments
  • Submitting and maintaining accurate SPRS scores

These requirements remain active today. The underlying cybersecurity and contractual obligations remain unchanged.

Regardless of how certification requirements evolve, organizations that have invested in compliance are building a stronger security foundation that reduces risk, protects CUI, and better positions them for future contract opportunities.

 

Are C3PAO assessments still required?

For now, the government has paused the next phase of CMMC, including the deadlines connected to formal third-party assessments.

Contractors still need to show they are meeting current cybersecurity requirements. For most, that means keeping self-assessments up to date, being prepared for possible government-led reviews, and continuing to protect federal data.

The good news is that companies already working toward compliance are still on the right path, and this pause may give them more time to strengthen their programs before taking on the cost and scheduling pressure of a formal assessment.

 

What should companies be doing right now?

While this announcement creates uncertainty around the future of CMMC Phase II, it does not eliminate current cybersecurity requirements.

Companies should continue to:

  • Complete required Phase I self-assessments.
  • Maintain compliance with NIST SP 800-171 Rev. 2.
  • Protect Controlled Unclassified Information (CUI) and other defense information as required by contract.
  • Continue improving their cybersecurity posture and documenting compliance efforts.

With certification deadlines on hold, organizations have more time to strengthen security, address compliance gaps, and prepare for future requirements.

Organizations should also remember that cybersecurity obligations in defense contracts remain enforceable. The government has pursued enforcement actions under the False Claims Act against contractors that knowingly misrepresented their compliance with required cybersecurity controls. In one example from a June 2026 press release, the DOJ reported that an Alabama Defense Contractor agreed to pay over half a million dollars to resolve False Claims Act liability violations relating to cybersecurity violations.

 

Where can I learn more?

For additional details about the suspension and the government’s planned review of CMMC Phase II, see the following resources:

These resources provide the latest information on the suspension, the ongoing review process, and what contractors can expect in the months ahead.

The Pause Doesn’t Change the Risk

Even with Phase II on hold, the business case for cybersecurity remains strong. Current contract requirements and NIST SP 800-171 obligations still apply, and the costs of a cyber incident can far exceed the cost of compliance. Many organizations may use this review period to strengthen their security programs, address compliance gaps, and prepare for whatever comes next.

One CMMC level 2 certified company shared how their cybersecurity investments paid off when a peer company was compromised:

“Our CEO came back probably a year into this. He’d been to a CEO roundtable, and someone in that group had just recently been hit by ransomware and hacked. It cost that company almost $500,000 to recover. The amount we were spending to get CMMC certified and to harden our cybersecurity automatically became worthwhile to him. He still says today: all the money we spent was well worth it based on the problems we’ve avoided going forward.”

 

As a small business that achieved CMMC Level 2 certification ourselves, we understand the challenges firsthand. Alluvionic has been through the process and can help you assess your compliance posture, identify gaps, and build a practical path forward whether you’re preparing for current requirements or what’s next. Connect with a cybersecurity expert today.

 

Contact Us

Read From Our Blog

DOWNLOAD OUR PROJECT ASSURANCE® CHECKLIST

Fill out the form below to access our checklist that will ensure your project's success!