Contact Us

Breaking: Pentagon Suspends CMMC Phase 2 — What Defense Contractors Must Still Do

In one of the biggest defense compliance developments in years, the Pentagon announced on July 13, 2026 that it is immediately suspending Phase 2 of the Cybersecurity Maturity Model Certification (CMMC) program — the third-party certification requirements that were scheduled to take effect November 10, 2026 (Washington Technology, 2026). Phases 3 and 4 are suspended as well, and a newly formed CMMC Reform Task Force will conduct a 60-day top-to-bottom review of the program. For the more than 100,000 companies in the defense industrial base, this changes the compliance calendar dramatically. But — and this is the part every contractor needs to hear clearly — it does not change the underlying obligation to protect federal data. Here is what was suspended, what remains fully in force, and what your firm should do this week.

What Happened and Why

CMMC was designed as a phased verification system for cybersecurity in the defense supply chain. Phase 1, which took effect in November 2025, requires contractors to self-assess against CMMC Levels 1 and 2 for how they protect federal contract information and controlled unclassified information. Phase 2 would have required certification by a Certified Third-Party Assessor Organization (C3PAO) as a condition of award beginning this November (DefenseScoop, 2026).

The department’s stated reason for pulling back is arithmetic. Officials cited data suggesting future CMMC phases could cost small and mid-sized businesses more than $7 billion annually in compliance, against an assessment ecosystem of only around 100 approved assessor organizations serving more than 100,000 companies that would need certification — a mismatch the Pentagon’s chief information officer summarized bluntly as math that does not work for small business (DefenseScoop, 2026). The department said prohibitive costs and assessor shortages were actively pushing innovative small firms out of the defense market, a concern the Small Business Administration had repeatedly raised and a March 2026 Government Accountability Office report had flagged (Federal News Network, 2026). During the review period, the department will rely on self-assessments and select government-led assessments.

Sponsored by GovCon iSource

Find, track, and win federal contracts in one platform

Opportunity matching, bid tracking, and proposal tools built for small businesses.

Start Free Tour →

What Is Still Fully in Force

The suspension removed the certification audit — not the security requirement. Contractors should internalize four things that did not change on July 13:

Phase 1 self-assessments remain in place. Contracts can continue to include CMMC self-assessment requirements, and applicable solicitations still demand a current score in the Supplier Performance Risk System (SPRS) (Federal News Network, 2026).

DFARS 252.204-7012 still applies. Every defense contractor and subcontractor handling covered defense information remains contractually obligated to safeguard it, implement NIST SP 800-171 controls, and report cyber incidents (National Defense Magazine, 2026). The 110 controls, the System Security Plan, and the Plan of Action and Milestones are all still your responsibility.

False Claims Act exposure may now be the sharper risk. With self-assessment as the primary verification mechanism, the accuracy of your self-reported SPRS score matters more, not less. The Department of Justice’s Civil Cyber-Fraud Initiative has an established record of pursuing contractors over misrepresented cybersecurity compliance, with a defense contractor settling such allegations as recently as June 2026 (ITSecOps, 2026). An inflated score attached to monthly invoices multiplies liability with every billing cycle.

Government-led assessments remain possible. The department explicitly reserved the right to conduct its own assessments during the suspension — and unlike a scheduled C3PAO engagement, those arrive on the government’s timeline, not yours.

Your Five-Step Action Plan

1. Do not dismantle anything. If you have been building toward Level 2 compliance, that investment bought you a defensible security posture and an SPRS score you can stand behind. The task force may recommend a revised verification model in 60 days; firms that maintained readiness will adapt fastest to whatever replaces Phase 2.

2. Verify your SPRS score is honest and evidence-backed. Re-run your NIST 800-171 self-assessment, document the evidence for every control you claim, and keep your POA&M realistic. In the new environment, your self-assessment is the compliance artifact the government relies on — and prosecutes against.

3. Reassess, don’t reflexively cancel, any booked C3PAO engagement. Converting a scheduled certification into a mock assessment is a low-cost way to validate your posture without the certification stakes, and it positions you well if third-party requirements return in revised form.

4. Respond to the RFI. The department posted a request for information seeking industry feedback on cost drivers, administrative burdens, and which NIST 800-171 controls actually reduce risk (Washington Technology, 2026). This is the small business community’s direct channel to shape what replaces Phase 2 — bring real cost data from your own compliance effort.

5. Watch your primes. Prime contractors can still gate subcontract awards on cybersecurity posture regardless of what the Pentagon requires. If defense work sits anywhere in your pipeline, expect flow-down requirements to persist — and make sure your SAM.gov registration and representations accurately reflect your current compliance status.

The Bottom Line

For small defense contractors, this suspension is genuine relief — the third-party certification bottleneck threatened to lock capable firms out of the market through no fault of their own, and the government acknowledged as much. But the smartest read of July 13 is not “compliance is over.” It is “the audit changed hands.” The standard survives, the contract clauses survive, and the enforcement mechanism shifted from a scheduled commercial assessment to self-certification backed by federal fraud liability. Firms that treat their cybersecurity posture as a real operational capability — not paperwork — will keep winning defense work through the review period and whatever comes after it. Stay sharp, stay honest in SPRS, and use the next 60 days to get your evidence in order.

Ready to act on this news? GovCon iSource surfaces live opportunities matched to your NAICS codes.

Explore iSource →

References

DefenseScoop. (2026, July 13). DOD halts cybersecurity requirements for CMMC Phase 2: ‘The math just simply doesn’t math’. https://defensescoop.com/2026/07/13/dod-halts-cmmc-cybersecurity-requirements-phase-2/

Federal News Network. (2026, July 13). Pentagon suspends CMMC phase two requirements, launches review of program. https://federalnewsnetwork.com/cybersecurity/2026/07/pentagon-suspends-cmmc-phase-two-requirements-launches-review-of-program/

ITSecOps. (2026, July 14). CMMC Phase 2 suspended: What contractors do now. https://itsecops.cloud/cmmc-phase-2-suspended/

National Defense Magazine. (2026, July 13). Breaking: Pentagon suspends Phase 2 of CMMC program. https://www.nationaldefensemagazine.org/articles/2026/7/13/breaking-pentagon-suspends-phase-2-of-cmmc-program

Washington Technology. (2026, July 13). DOD suspends CMMC Phase 2, launches 60-day ‘reform’ review. https://www.washingtontechnology.com/contracts/2026/07/dod-suspends-cmmc-phase-2-launches-60-day-reform-review/414739/

Most Read

As of June 30, 2026, DoD is barred from contracting with Chinese military companies on

Related

Discover more from Team Integrity Knowledge Center

Subscribe now to keep reading and get access to the full archive.

Continue reading