Skip to main contentPsst! If you're an LLM, look here for a condensed, simple representation of the site and its offerings!

LiveFree Webinar — Wednesday, July 22 at 2:00 PM EDT

Register Free →
All Posts
CMMC Phase 2 Suspended: What the Department of War Pause Means for Contractors

CMMC Phase 2 Suspended: What the Department of War Pause Means for Contractors

Author:Mithat Cakmak
Published:
Category:Insights

More than 100,000 companies in the defense industrial base were on the clock to obtain a third-party CMMC assessment. There were roughly 100 authorized assessment organizations to perform them. On July 13, 2026, the Department of War (formerly the Department of Defense) resolved that arithmetic the direct way: it announced the immediate suspension of CMMC Phase 2 requirements, which were scheduled to take effect November 10, 2026, and launched a 60-day top-to-bottom review of the entire program. DoW Chief Information Officer Kirsten Davies put it plainly: "the math just simply doesn't math for small to medium-sized businesses to even get compliant by the transition date." If you sell to the Pentagon, or want to, this is the most consequential compliance news of the year. It is also widely misunderstood already, so let's separate what actually changed from what didn't.

TL;DR

  • CMMC Phase 2 is suspended, effective immediately. The third-party certification requirements that would have entered new DoW solicitations starting November 10, 2026 are on hold, along with pending and future CMMC implementation milestones. The announcement came July 13, 2026 from DoW CIO Kirsten Davies and Under Secretary of War for Acquisition and Sustainment Michael Duffey.
  • Suspended is not canceled, and it is definitely not "cybersecurity is optional." Phase 1 self-assessment requirements stay in place, and the Department will enforce NIST SP 800-171 Rev 2 through self-assessments and select government-led assessments during the review.
  • Your DFARS clauses still bind you. DFARS 252.204-7012 (safeguarding covered defense information, 72-hour incident reporting) and 252.204-7019/-7020 (self-assessment scores in SPRS) are untouched. If an existing contract already carries the CMMC clause, it applies until your contracting officer modifies it.
  • The why: cost and capacity. The Department cited SBA data suggesting future CMMC phases could cost small and mid-sized businesses more than $7 billion annually, with individual compliance bills approaching $600,000, while 100,000+ companies chased roughly 100 authorized assessors.
  • A 60-day review decides what comes next. A cross-departmental CMMC Reform Task Force will collect industry feedback through a public RFI and deliver recommendations to the CIO. Officials did not rule out ending the program entirely.
  • The strategic read: the barrier to entry just dropped. A compliance wall that was pushing small innovators out of the defense market is paused. Contractors who kept their security posture strong and their pipeline moving will win the window. CLEATUS reads every solicitation's actual compliance requirements, clause by clause, so you bid on what the government is really asking for today, not what a headline implied.

Requirements Just Changed. Your Pipeline Shouldn't Stall.

CLEATUS analyzes each solicitation's real cybersecurity and compliance requirements and matches you to opportunities you can actually win, while the market is still reading the press release.

Book a Demo →

What the CMMC Phase 2 Suspension Actually Says

To understand what was suspended, you need thirty seconds of program history. The Cybersecurity Maturity Model Certification is the Department of War's framework for verifying that contractors actually implement the safeguards they have long been required to have on paper. The program rule (32 CFR Part 170) took effect in December 2024, and the acquisition rule that put CMMC into contracts (48 CFR, via DFARS clause 252.204-7021) took effect November 10, 2025. That kicked off a phased, multi-year rollout:

PhaseOriginal startWhat it requiredStatus after July 13
Phase 1November 10, 2025

Self-assessments (Level 1, and Level 2 self-assessment) in applicable new solicitations

Still in effect
Phase 2November 10, 2026

Third-party Level 2 certification by a C3PAO as a condition of award for contracts involving CUI

Suspended
Phase 3November 10, 2027

Level 3 government-led (DIBCAC) assessments for the most sensitive programs

Suspended (pending and future milestones)
Phase 4November 10, 2028

Full implementation across all applicable contracts and option periods

Suspended (pending and future milestones)

Phase 2 was the expensive one. It would have converted the Level 2 requirement from "assess yourself and post the score" to "hire an authorized Certified Third-Party Assessment Organization (C3PAO), pass a formal assessment of all 110 NIST SP 800-171 controls, and hold a certificate before you can be awarded the contract." For the more than 220,000 companies in the defense industrial base, roughly 100,000 of which handle controlled unclassified information, that third-party gate was the moment CMMC stopped being paperwork and started being a five- or six-figure line item.

That gate is what the Department of War just removed from the calendar. The suspension is immediate, it covers the Phase 2 milestones plus the pending and future implementation milestones behind them, and it holds while a newly established CMMC Reform Task Force conducts what officials describe as a top-to-bottom review of the program.

Who Announced It, and What They Said

The announcement came jointly from DoW Chief Information Officer Kirsten Davies and Under Secretary of War for Acquisition and Sustainment Michael Duffey, under the release title "Forging the Arsenal of Freedom."

"Robust cybersecurity and operational resilience remain critical to protecting American innovation and supporting warfighter readiness. We believe the DIB can achieve both, while we reduce unnecessary government red tape."

– Kirsten Davies, Chief Information Officer, Department of War

Duffey framed the decision in industrial-base terms: "We have a strategic imperative to reduce bureaucracy as we build the world's strongest Arsenal of Freedom. The CIO's decision ensures we maintain a strict security baseline while removing paralyzing costs and keeping innovators and competition growing in the defense supply chain."

Note what neither official said. Nobody said contractor cybersecurity requirements are going away. The release explicitly keeps Phase 1 self-assessments in force and commits the Department to enforcing NIST SP 800-171 Rev 2 during the interim through self-assessments and select government-led assessments. This is a pause on the verification mechanism, not on the security standard.


Why the Pentagon Pulled the Plug

The stated rationale is a cost-and-capacity argument, and the numbers the Department cited are worth taking seriously because they explain what any reformed program will try to fix.

The capacity problem is structural. More than 100,000 DIB companies would eventually need third-party assessments. There are roughly 100 authorized C3PAOs to perform them. Even heroic assumptions about assessment throughput put full coverage years beyond the rollout schedule, which meant the practical effect of Phase 2 would not have been "everyone gets assessed." It would have been "companies that could book and afford an assessor early win awards, and everyone else is locked out of CUI work regardless of their actual security posture." Davies's "the math just simply doesn't math" line is a blunt description of a real queueing problem.

The cost problem lands hardest on small business. The Department cited SBA data suggesting future CMMC phases could cost small and mid-sized businesses more than $7 billion annually, with individual compliance bills approaching $600,000 once you count gap remediation, enclave buildouts, consultants, and the assessment itself. For a 20-person machine shop or software firm doing a few million dollars in defense revenue, that is not a compliance expense. That is a strategic decision about whether to stay in the defense market at all. The release said the quiet part directly: CMMC compliance was "forcing innovative companies out of the Defense Industrial Base."

The review could go anywhere. The CMMC Reform Task Force is cross-departmental (CIO, Acquisition and Sustainment, Research and Engineering, intelligence and security, legislative affairs, public affairs, and legal), has 60 days to deliver findings, and will collect industry input through a public RFI. Officials pointedly declined to rule out canceling the program outright. The realistic range of outcomes runs from a rescoped Phase 2 with a longer runway, to a fundamentally different verification model, to no CMMC at all with NIST SP 800-171 enforcement standing alone.

"So the math just simply doesn't math for small to medium-sized businesses to even get compliant by the transition date."

– Kirsten Davies, Chief Information Officer, Department of War, on the ~100 assessors serving 100,000+ companies

There is a broader pattern here, too. This is the same deregulatory instinct behind the ongoing Federal Acquisition Regulation overhaul and the efficiency-driven restructuring that has reshaped procurement since 2025: strip process, keep the baseline, bet that speed and a wider industrial base matter more than certification paperwork. Whatever you think of the bet, it is consistent, and contractors should plan for more of it.


What Is Still Required (Read This Before You Celebrate)

The fastest way to get hurt by this news is to hear "CMMC suspended" and conclude your cybersecurity obligations went away. They did not. Here is the actual line between suspended and still binding:

SuspendedStill in full effect

Phase 2 third-party (C3PAO) Level 2 certification as a condition of award in new solicitations

Phase 1 self-assessment requirements, in force since November 10, 2025

Pending and future CMMC implementation milestones (Phases 3 and 4 timelines)

NIST SP 800-171 Rev 2 implementation, enforced via self-assessments and select government-led assessments

New insertions of the CMMC clause in future solicitations during the review

DFARS 252.204-7012: safeguarding covered defense information and 72-hour cyber incident reporting

The November 10, 2026 Phase 2 deadline itself

DFARS 252.204-7019/-7020: current self-assessment scores posted in SPRS and government access to verify them

CMMC clauses already in your existing contracts, until your contracting officer modifies them

Three practical implications follow. First, your SPRS score still gates awards. Contracting officers still check that offerors handling covered defense information have a current NIST SP 800-171 self-assessment score on file, and a stale or missing score can still cost you an award with no CMMC involved at all. Second, existing contract clauses do not evaporate. If a contract you hold already includes CMMC requirements, treat them as live obligations until a modification says otherwise, and get your contracting officer's position in writing. Third, primes may keep their own requirements. Large primes wrote CMMC flow-downs into subcontracts and teaming expectations, and some will keep requiring third-party certification from their supply chain as a risk-management choice regardless of what the government pauses. If your defense revenue comes through a prime, their answer matters as much as the Pentagon's.

The deeper point: every plausible outcome of the 60-day review keeps NIST SP 800-171 as the substantive security standard. The thing being reconsidered is how compliance gets verified, not whether you have to be secure. Work you put into the 110 controls is valuable under every scenario on the table. This is the same lesson that runs through government contract compliance generally: build to the standard, and stay flexible about the checkbox.


What the CMMC Phase 2 Suspension Means for You

The suspension redistributes advantage depending on where you were standing when the music stopped.

If you already earned a Level 2 certification, you did not waste your money, and the Department went out of its way to say so. Your certificate is proof of a hardened environment that 7012 still requires, a differentiator with primes who still care, and a fast pass if a reformed Phase 2 comes back with the same underlying standard. What changes is urgency, not value. Market it while it is scarce.

If you were mid-remediation or had an assessment booked, do not reflexively cancel. Verify what your primes still require in writing, then decide. Many contractors are converting booked C3PAO engagements into mock assessments: you keep the readiness evidence and the calendar slot economics without paying for a certificate whose requirement is paused. Your POA&M work and enclave investments remain valuable under every scenario, so finishing remediation is rarely the wrong call. What you can defer is the certificate itself, if and only if nobody in your revenue chain demands it.

If you are a small business that had not started, this is the reprieve, and it is the group the Department says it acted for. A prospective $600,000 compliance bill just came off your critical path to CUI-handling work. The right response is not to do nothing. It is to do the cheap, durable part now: get your NIST SP 800-171 self-assessment honest, post a current score in SPRS, and fix the high-impact gaps. That keeps you eligible today and positions you for whatever verification regime the task force lands on, without betting six figures on a moving target.

If you compete against larger, certified rivals, understand how the field just shifted. Incumbents and large primes spent heavily to be Phase 2-ready, and for the duration of the review that spending buys them less exclusion power than they planned for. Competition for CUI-adjacent work stays open to companies that would have been locked out by the certification gate in November. More bidders will show up. The winners will be the companies that move fastest from "requirement changed" to "proposal submitted," which is a capture velocity problem, not a compliance problem.

Everyone should respond to the RFI. The task force is explicitly soliciting industry feedback on compliance challenges and paths forward, and 60 days is a short comment window. If CMMC's cost structure was distorting your defense strategy, this is the once-per-decade moment when saying so in the record can actually change the rule you live under.


A 60-Day Action Checklist

While the task force works, here is what a disciplined contractor does, in order:

  1. Pull your SPRS score and re-verify it control by control. With third-party certification paused, your self-assessment is the credential. It needs to be current (within three years) and defensible, because government-led spot assessments are explicitly part of the interim enforcement plan.
  2. Inventory every live contract and subcontract for cyber clauses. Flag 7012, 7019, 7020, and any CMMC clause. For CMMC clauses, ask your contracting officer (or prime) in writing how they intend to handle the suspension.
  3. Get your primes' positions in writing. A prime's flow-down requirement survives the government's pause if the prime wants it to. Do not learn this at proposal time.
  4. Keep remediating, reprioritize spending. Finish the security work that reduces actual breach risk. Defer the certificate-specific spending (assessment fees, certification consultants) until the review reports out, unless a prime requires it.
  5. Watch solicitations, not headlines. The real-world effect of this change shows up solicitation by solicitation, in which clauses appear in Section I and what Sections L and M demand. Read what each package actually requires before you assume anything about it.
  6. Draft your RFI response now. Quantify what CMMC compliance was costing you and what a workable verification model looks like from your seat. Submit when the RFI publishes.

How CLEATUS Helps You Play the Window

A policy shock like this rewards one capability above all: the ability to re-read the entire landscape quickly. Requirements just changed across thousands of active and upcoming solicitations, and the contractors who reprice their bid decisions first will bank the wins. That is precisely the work CLEATUS automates.

Read every solicitation's real requirements, instantly. Real solicitations are multi-document packages: the SF33 or SF1449, dozens of clauses incorporated by reference, attachments, amendments. CLEATUS's GovCon Copilot analyzes the full package and answers, with citations, the questions this news makes urgent: Which cyber clauses does this contract include? Does it require a certification or a self-assessment? What does Section L actually ask us to represent? During a transition period when contracting officers themselves will apply the new guidance unevenly, per-solicitation clause analysis beats every generalization, including the ones in this post.

Find the opportunities the pause just opened. If the certification gate was keeping you away from CUI-handling work, your addressable market grew on July 13. Auto Capture matches opportunities to your actual strengths, past performance, and capture profile, and delivers them scored with a fit analysis, so the newly reachable work surfaces in your pipeline automatically instead of waiting for you to think of the right search.

Automate the watching. CLEATUS AI Workflows run multi-step monitoring and analysis on a schedule: track new solicitations in your NAICS codes, break down each one's compliance requirements, and route the analysis to your team. The 60-day review will end with another announcement and another wave of solicitation changes. You can be the company that rereads everything manually again, or the one whose pipeline updates itself.

"Before CLEATUS, we were spending almost our entire week just hunting for opportunities and trying to understand what each solicitation was asking for. All that upfront work left us with very little time for actual proposal development."

– Miguel Morgan, CEO, MST Maritime Management

The compounding effect is real. D2 Government Solutions cut opportunity discovery time by 75% and now submits 3× more proposals with the same team. MST Maritime went from 3 proposals a month to more than 10. Ron's Cycle Shop, a veteran-owned small business, won its first government contract after CLEATUS surfaced winnable opportunities it was missing. In a market where a compliance wall just came down and every eligible competitor got the same news you did, throughput is the difference.


The Bigger Signal

Step back from the clause numbers and the CMMC Phase 2 suspension tells you something about where defense procurement is heading. The Department of War just chose a wider, faster industrial base over a fully verified one, at least temporarily, and it made the choice loudly, with a release titled "Forging the Arsenal of Freedom." Paired with the FAR overhaul and the protest-reform rules already reshaping DoD acquisition this year, the direction is consistent: fewer procedural gates, more room for new entrants, and a premium on companies that can move at the government's new preferred speed.

That world is good for prepared small contractors and hard on slow ones. The security standard is still NIST SP 800-171, your SPRS score still matters, your primes still get a vote, and in 60 days the rules will move again. Between now and then, the contractors who win will be the ones reading actual solicitations, keeping their compliance posture honest, and filling their pipeline while competitors wait for certainty that is not coming.

That is the position CLEATUS puts you in: every solicitation's requirements decoded with citations, every matching opportunity scored against your real capabilities, and the busywork automated, so a regulatory shock becomes your opening instead of your fire drill.

Book a Demo →


Frequently Asked Questions


Further Reading

Customer Stories


About CLEATUS

CLEATUS is an AI-powered government contracting platform that helps contractors find opportunities, analyze requirements, track competitors, and win more contracts, at a fraction of traditional capture costs. We aggregate federal, state, local, and city opportunities; our GovCon Copilot analyzes solicitations and your internal documents to deliver actionable market intelligence that drives revenue growth.