CMMC Phase II Is Suspended. What Changes Now?

Nick Harrahill Director of Security Programs

When the CMMC Phase II suspension was announced, the first thing I noticed was how quickly the headline became the story. In some coverage, the message sounded simple: CMMC had been put on hold, companies had more time, and the pressure was off.

After reading the Department’s announcement and implementation guidance, I came away with a different view. The pause is meaningful, particularly for smaller companies facing the cost and effort of a third-party assessment. But it is a change to how CMMC will be implemented and assessed, not an end to the security responsibilities behind it.

On July 13, 2026, the Department of War suspended CMMC Phase II, which had been scheduled to begin on November 10. The Department also established a task force to review the program over the next 60 days, with a focus on reducing costs and administrative barriers for small, midsized, and non-traditional businesses in the Defense Industrial Base. Phase I self-assessment requirements remain in place.

For companies preparing for certification, that distinction matters. Some near-term plans may need to change. The underlying security work should not stop.

What the CMMC suspension changes

The most immediate change is that the Department is pausing the expansion of third-party assessments.

During the suspension, contracts and solicitations may continue to require CMMC Level 1 or Level 2 self-assessments. They may not require the Level 2 third-party assessments or Level 3 government assessments that were expected to become more common during Phase II.

The Department has also instructed contracting officials to remove those Phase II assessment requirements from affected solicitations and existing contracts. That process may involve a formal amendment or contract modification, which means companies should review the documents that apply to them rather than assume the requirement has already disappeared.

This gives companies a reason to revisit assessment schedules, budgets, and outside support. It may not make sense to continue racing toward a third-party certification process that is currently being reconsidered.

At the same time, the Department has not said that independent validation will never return. The review could lead to a different assessment structure, a more targeted approach, or other changes that have not yet been defined. The responsible move is to adjust to what is known today without trying to predict the final outcome.

What has not changed

The announcement is equally clear about what remains in place. CMMC is currently paused in Phase I, where Level 1 and Level 2 self-assessments may still be required. The Department also plans to continue evaluating compliance with NIST SP 800-171 Revision 2 through self-assessments and selected government-led assessments.

Companies that are contractually required to safeguard federal information remain responsible for doing so. The Department specifically confirmed that the requirements in DFARS 252.204-7012, including safeguarding covered defense information and reporting certain cyber incidents, remain in effect.

This is the most important point in the announcement. CMMC provides a way to assess whether required security practices have been implemented. It is not the source of every security obligation placed on a contractor or subcontractor.

The assessment process is changing, but companies still need to understand what information they hold, where it resides, who can access it, and how it is protected.

Self-assessment still requires evidence

The continued use of self-assessments could create a false sense that compliance is now easier. In practice, a self-assessment is only useful when it reflects the environment as it operates today and can be supported with evidence.

A company may have a policy requiring multifactor authentication while still allowing exceptions that have never been reviewed. Access reviews may take place, but no one keeps a record of what was examined or corrected. A security plan may describe technology that has since been replaced, moved to the cloud, or handed over to a service provider.

Those gaps do not become less important because a third-party assessor is no longer arriving on a specific date. They may simply become easier to overlook.

A supportable assessment requires more than policies and completed questionnaires. It requires an accurate understanding of the environment and documentation that shows the controls are being used as intended. Depending on the requirement, that evidence may include system configurations, access records, asset inventories, vulnerability results, training records, incident response exercises, and plans for addressing known gaps.

The score is part of the assessment. The organization’s ability to explain and demonstrate the score is what makes it credible.

Four ways to make productive use of the pause.

Confirm what applies to your organization

Start with current solicitations, contracts, and subcontractor requirements. Determine whether CMMC language is included and whether any expected amendment or modification has been issued.

This is also the time to confirm which level and security requirements apply based on the information the organization handles. The answer should come from the contractual requirement and the actual data involved, not from a general interpretation of the announcement.

Revisit the scope

Many compliance problems begin with an incomplete understanding of where sensitive information moves.

Companies need to know which systems store, process, or transmit federal information, which employees have access, and whether cloud providers, managed service providers, subcontractors, or other third parties are involved.

A scope that is too broad can add unnecessary cost and complexity. A scope that is incomplete can leave important systems or information outside the security program. The goal is an accurate boundary that can be understood, protected, and maintained.

Test the controls that matter

The pause is an opportunity to move beyond documentation and check whether security practices are working.

Can access be removed promptly when an employee leaves? Is multifactor authentication applied where it should be? Are vulnerabilities identified and addressed? Are backups tested? Is third-party access controlled? Has the incident response plan been exercised?

These are practical security questions, not simply compliance questions. Weaknesses in these areas create exposure regardless of who performs the next assessment or when it takes place.

Address meaningful gaps

Some assessment-related spending may need to be reconsidered while the Department reviews CMMC. The same is not true of weaknesses that create immediate risk.

Unsupported technology, poor asset visibility, weak access controls, unmanaged vendors, untested backups, and outdated security plans are still worth addressing. That work reduces risk now and puts the company in a better position for whatever assessment model follows.

A pause should create clarity, not complacency

The concerns behind the CMMC suspension are legitimate. Security requirements need to protect federal information without creating costs and administrative barriers that drive capable companies out of the defense supply chain. The Department’s review is intended to address that balance.

Companies should take advantage of the breathing room, but not mistake it for permission to stop. The practical response is to confirm what the contract requires, make sure the scope is accurate, test whether controls work, and address the gaps that create real exposure.

That work will remain relevant even if the CMMC assessment process changes.

Cyber Defense Group helps organizations identify compliance gaps, prioritize practical improvements, and build ongoing security programs aligned with standards including NIST and CMMC. CDG’s compliance services focus on moving from assessment to remediation and sustained audit readiness, rather than treating compliance as a one-time exercise.