CMMC Phase 2 Suspension
Also known as: Phase 2 pause, CMMC program review, CMMC Reform Task Force
The CMMC Phase 2 suspension is the Department of Defense action of July 13, 2026 that halted Phase 2 of the CMMC rollout and opened a 60 day top to bottom review of the program, under a memo signed by DoD Chief Information Officer Kirsten Davies. Phase 2 would have required third-party C3PAO assessments across contracts involving sensitive but unclassified information starting November 10, 2026, so that date is no longer an operative deadline.
In more detail
The memo cites prohibitive compliance costs, severe shortages in third-party assessment capacity, and complex regulatory timelines, and describes the current program as actively forcing innovative new entrants and small businesses to opt out of DoD contracts while freezing critical suppliers out of the market. A CMMC Reform Task Force will submit findings and recommendations within 60 days. Responses to the associated Request for Information are due by 12pm ET on Friday, August 14, 2026.
Phase 2 is paused, not cancelled. The 32 CFR Part 170 program rule (effective December 16, 2024) and the 48 CFR DFARS rule (effective November 10, 2025) are still on the books. What the suspension removed is the deadline pressure, not the requirement.
The obligations most small contractors actually carry today are untouched. Phase 1 requirements for applicable contracts to require a CMMC self-assessment, effective November 2025, remain in force. DFARS 252.204-7012 is unaffected. NIST SP 800-171 Rev 2 baseline compliance, DIB self-assessments, and select government-led assessments continue to be enforced. False Claims Act exposure for a knowingly false affirmation is unchanged.
For contractors handling CUI, the underlying obligations that drive Level 2, DFARS 252.204-7012 and NIST SP 800-171, still apply, so readiness work retains its value regardless of when the assessment regime resumes.
Related terms
- Cybersecurity Maturity Model Certification
The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense program that verifies whether contractors meet the cybersecurity controls already required by FAR 52.204-21 and NIST SP 800-171. It defines three certification levels and the assessment mechanism for each, established by 32 CFR Part 170 and made contractually binding by DFARS 252.204-7021.
- CMMC Level 2
CMMC Level 2 is the middle CMMC certification tier, covering contractors who handle Controlled Unclassified Information (CUI). It requires implementing all 110 controls of NIST SP 800-171 and undergoing either a self-assessment or a triennial assessment by a CMMC Third-Party Assessment Organization (C3PAO) depending on the program's prioritization. DoD suspended CMMC Phase 2 on July 13, 2026, which paused the phased arrival of the C3PAO assessment requirement pending a program review, while the obligations that drive Level 2 in the first place, DFARS 252.204-7012 and NIST SP 800-171, are unaffected.
- CMMC Third-Party Assessment Organization
A CMMC Third-Party Assessment Organization (C3PAO) is an entity accredited by the Cyber AB to perform CMMC Level 2 assessments on behalf of DoD contractors. C3PAOs are not used at Level 1, Level 1 is exclusively self-assessed, and they are not used at Level 3, which is assessed by DIBCAC. The DoD suspension of CMMC Phase 2 on July 13, 2026 paused the rollout that would have required C3PAO assessments on covered contracts beginning November 10, 2026, and the memo cites severe shortages in third-party assessment capacity as one reason for the review.
- 32 CFR Part 170
32 CFR Part 170 is the Department of Defense final rule that established the CMMC program, defining the three certification levels, the assessment regime, the senior-official affirmation requirement, and the role of C3PAOs and the CMMC Accreditation Body. It became effective December 16, 2024.
- 48 CFR CMMC Acquisition Rule
The 48 CFR CMMC Acquisition Rule is the September 2025 DFARS amendment that added the CMMC clause (DFARS 252.204-7021) to the FAR/DFARS contract framework. It took effect November 10, 2025 and is what makes CMMC contractually enforceable rather than merely a DoD policy.
- Self-Assessment
A CMMC self-assessment is an internally-conducted evaluation of an organization's implementation of the applicable security requirements, performed without a third-party assessor. CMMC Level 1 is exclusively self-assessed; CMMC Level 2 is self-assessed for some programs and C3PAO-assessed for others depending on the contract requirement.