Summary
On July 13, 2026, the Department of War announced the suspension of CMMC Phase 2 along with the CMMC Third-Party Assessment Organization (C3PAO) assessment requirements that were scheduled to begin appearing in contracts on November 10, 2026. A 60-day CMMC Reform Task Force will study the program's future and report back on or about September 13. Meanwhile, all prior cybersecurity requirements remain in force.
If you build, supply, or support the systems our warfighters depend on, you carry the burden of protecting critical data from U.S. adversaries, and the CMMC Phase 2 pause announcement doesn’t change that.
CMMC self-assessments, SPRS scoring, annual affirmations, DFARS 252.204-7012, FedRAMP Moderate (or equivalent) for CUI in the cloud, ITAR/EAR data sovereignty, and the FAR 52.204-21 basics are all still in force.
DIBCAC still assesses, DOJ still prosecutes False Claims Act cases, primes still set their own bar, and China, Russia, and Iran aren’t letting off the gas.
If you’ve been preparing for third-party assessments, keep going. Stopping now only surrenders progress toward the mission.
Here’s what happened with the July 13th announcement from the DoW, what it means for you, and where to go from here.
What actually changed
The Department of War (DoW) has suspended the transition from CMMC Phase 1 to CMMC Phase 2 effective immediately pending a 60-day review from a CMMC Reform Task Force.
The hard requirement for C3PAO assessments to verify CMMC Level 2 and DIBCAC assessments for Level 3 that were set to begin phasing into contracts on November 10, 2026 are on hold. In practical terms:
- For now, CMMC Levels 1 and 2 only require self-assessment, but don’t forget there is a minimum score of 88/110 for CMMC Level 2.
- Current solicitations carrying Level 2 (C3PAO) or Level 3 requirements will be amended
- Current contracts up for option periods will have those requirements removed via modification at the next scheduled administrative action
- Modification isn’t automatic, so wait for details on your specific contract
- A CMMC Reform Task Force will conduct a top-to-bottom review and deliver recommendations to the DoW CIO within 60 days.
- Review task force will lean on a public Request for Information
The answer is not to stop protecting your data.
It’s to keep protecting it and to make your voice heard in the RFI, rather than to bet the company on any one outcome.
As Under Secretary Duffey put it:
“We’re not relaxing the standards by any means. We expect businesses to adhere to the standards that NIST has outlined. What we’re removing is the bureaucracy of the third-party assessment.” – USD(A&S) Michael Duffey
So, the standard hasn’t changed, but the audit process is under review.
What did not change
Both the 32 CFR Part 170 rule that establishes the CMMC Program and the acquisition rule published at 90 Fed. Reg. 43562 remain in effect.
Neither can be lawfully rewritten without going back through proper rulemaking. Suspending a rollout phase is not repealing a rule.
And the obligations behind the rules are untouched:
- The requirement to protect CUI to the NIST SP 800-171 Rev 2 standard.
- DFARS 252.204-7012 and its full weight in your existing contracts – safeguarding, incident reporting, and the rest.
- FedRAMP Moderate (or equivalent) for handling CUI in the cloud
- FAR 52.204-21 basic safeguarding
- ITAR / EAR data sovereignty requirements
- CMMC Phase 1 obligations, including SPRS scoring and annual affirmations signed by your organization’s Affirming Official
- DIBCAC can show up and conduct Medium and High assessments anytime
- DOJ will keep pursuing False Claims Act cases against companies that don’t meet their 7012 obligations
- The proposed FAR CUI rule, part of the broader FAR overhaul, is still expected to go final in 2026; this carries a NIST 800-171 Rev 3 requirement with it.
Most importantly, the threats are unchanged. China, Russia, Iran, and others are not waiting for us to adjust our timeline.
If you handle CUI, at a minimum you still self-assess and submit annual affirmations of continued compliance. DIBCAC can still assess you. You’re still liable under the False Claims Act. The only open question is when you might be required to bring in a C3PAO for a third-party assessment. Everything else is exactly where it was on July 12.
What the SBA Announcement Got Wrong
The Small Business Administration (SBA) published a commendation of the DoW’s decision to suspend Phase 2. The problem is, much of the information in their release is incorrect or misleading.
- C3PAO capacity Problem
- Certification costs $600K per business
- 120,000 small DIB contractors would be made to assess during phase 2
The Myth of a CMMC Capacity Problem
Despite persistent claims that the CMMC ecosystem lacks sufficient assessor capacity, the data shows the opposite: as of April 2026, the CyberAB ecosystem includes enough Certified CMMC Assessors and Lead CCAs to field roughly 255 assessment teams, far exceeding the 100 number cited by the SBA. Even under conservative assumptions of assessor participation, the system can still deliver several times the required annual assessments. The true bottleneck isn’t capacity at all; it’s contractor readiness, with a significant portion of organizations unable to pass initial pre‑assessment checks due to gaps in their NIST SP 800‑171 implementation, documentation, and SPRS accuracy. In short, the ecosystem is sitting on excess assessment capacity, while many contractors are struggling to reach the starting line.
About that “$600K” number
The SBA calls CMMC a cost-prohibitive program, but the certification itself doesn’t have significant compliance costs. Outside of CMMC L3, it’s just the cost of the assessment ranging on average from $20-50K every 3 years.
The DoW and SBA are overlooking that the real cost comes from implementing the existing DFARS 7012 clause, which they explicitly say to keep doing.
Much of the coverage, and the SBA’s own commendation of the decision, centers on cost: figures approaching roughly $593,800 per certification. That number is misleading as dropping the C3PAO requirement will not save contractors $600K.
But here’s what gets lost when implementation cost and assessment cost are folded into one alarming number. SBA’s own estimates put a self-assessment-only firm at about $388,600 in expenses without a C3PAO assessment. That entire figure is the cost of implementing NIST 800-171: the people, the processes, the secure environment, the documentation.
Suspending Phase 2 does not remove the significant cost of implementation. Even on SBA’s own math, roughly two-thirds of the cost is untouched by suspending C3PAO audits. The bulk of the cost has always been the security.
Implementation is a durable investment: you keep the hardened environment, and it keeps protecting you. The assessment is a recurring verification cost. Considering the cost of implementation and assessment together is misleading because it makes the “savings” sound far larger than they are, and it quietly implies the security work is now optional. It isn’t.
Where does 120,000 affected contractors come from?
The SBA claims that 120,000 small businesses would be affected during CMMC Phase 2 but does not elaborate on where that number came from. About 2,300 contracts were supposed to see C3PAO assessments during phase 2, but there is no clear way to determine how many total contractors would be affected due to flow-down. In any case, 120,000 contractors are likely an excess.
Slowing compliance now is the expensive choice
Assessment requirements may have paused, but your primes haven’t.
Over the past year we’ve watched L3Harris, Lockheed Martin, Northrop Grumman, Boeing, Parsons, and Elbit America send their supply chains a consistent message: get your CMMC Level 2 house in order.
L3Harris Missile Solutions gave suppliers roughly 80 business days to produce Level 2 certifications.
Primes flow requirements down to protect their own contracts, and nothing in this suspension stops a prime from requiring a certification before it shares CUI with you.
If a prime is flowing you CUI and wants third-party validation, a self-assessment won’t satisfy them.
Self-attestation is where False Claims Act exposure lives.
With less third-party verification in the picture, the government leans harder on your attestation: your SPRS score and your annual affirmation, personally signed by a senior official.
That’s exactly the surface LOGZONE tripped on. A breach isn’t required for FCA liability; a false claim is. The administration is going to aggressively pursue fraud and prosecute companies that commit fraud by side stepping their cybersecurity obligations.
Fewer audits don’t mean less accountability. In some ways, it means more responsibility lands on you.
The threat environment is intensifying, not relaxing.
Whatever the Reform Task Force recommends, “protect the data to the NIST standard” is not going anywhere.
You’ve been carrying this. The suspension doesn’t set the load down, it just moves the deadline for one part of it. The work you’ve done building toward a defensible environment is progress toward the mission, not toward a date on a calendar. Keep it.
How we help
Summit 7 has spent more than a decade in a supporting role to companies like yours, the ones actually on the front line of protecting CUI.
We were here before CMMC had a name, and we’ve been here through every twist in its creation: the proposed rules, the pauses, the “CMMC 2.0” rewrite, the final rules, and the phased rollout. None of that is our achievement. It’s context for a simple promise: our job is to carry the compliance and security weight that would otherwise pull you away from building.
This announcement changes nothing about what we do. If the department adjusts the guardrails around how CUI protection gets verified, we adjust with you and keep your data out of adversarial hands either way. Concretely:
- We keep deploying and managing NIST 800-171 Rev 2 and CMMC Level 2-compliant environments in GCC High and Azure Government.
- We keep supporting our clients to standard, not to the minimum the calendar allows, but to what actually protects your data and your contracts.
- We keep preparing for NIST 800-171 Rev 3 so you’re ready for the coming FAR CUI requirement and future DoW expectations.
- We keep educating the DIB, the DoW, federal agencies, and Congress on cybersecurity, compliance, the NIST standards, and CMMC.
We will keep working on the exact problem at the center of this decision: cost. As the only AOS-G partner selected for the Army’s NCODE program, we’re intent on helping the smallest, most innovative members of the supply chain stand up secure, foundational environments for a fraction of the traditional cost. The affordability concern is legitimate. It’s also solvable without abandoning verification. We are leading the industry toward the affordability goal and we are proud of that.
What to expect from here and how to be heard
Respond to the RFI by August 14. This is your direct line to the people writing the next chapter. Bring real numbers – your actual implementation costs, your assessor-capacity experience, which controls delivered meaningful risk reduction and which felt like paperwork. This is how the standard that governs your business gets shaped, and you’re the one with the ground truth to shape it.
Watch for the Task Force’s output on or about September 13, 2026. That report will tell us a great deal about whether third-party assessment returns, evolves, or gives way to something new.
The clock on the November 2026 Phase 2 rollout is paused. The clock on protecting American innovation from foreign adversaries never does. You’ve been doing the hard part all along. Keep going – and if it helps to have someone carry a share of the load, that’s what we’re here for.
Follow along for analysis as this develops. We’ll cut through the noise as fast as reliable information is available.
Not sure where this leaves your specific contracts, your SPRS score, or your next option period? Talk to a Summit 7 expert. We’ll help you stay confident, compliant, and ready for whatever the Task Force recommends.


