Peerless Post | Peerless Tech Solutions

CMMC Phase II Is Suspended: What It Actually Means for Your Contracts

On July 13, 2026, the Department of War (DoW) announced the immediate suspension of CMMC Phase II requirements, which had been scheduled to take effect on November 10, 2026. The action was formalized the same day in a signed memorandum from Under Secretary of War for Acquisition and Sustainment Michael P. Duffey, and announced directly by the DoW Chief Information Officer.

If you are a defense contractor or subcontractor, your inbox and LinkedIn feed are probably already full of takes on this. Some are treating it as a reason to shelve their compliance projects. We would urge you not to. Below is a clear-eyed breakdown of what changed, what did not, and, most importantly, what it means for your business.

Straight From the Source: the CIO's Announcement

DoW Chief Information Officer Kirsten A. Davies announced the suspension in a short (roughly three-minute) video message. We strongly encourage every client to watch it directly rather than rely on secondhand summaries.

The 60-day review of the CMMC program is owned by the DoW CIO, Kirsten Davies, who is standing up a CMMC Reform Task Force to lead a top-to-bottom review and deliver recommendations. The entire effort sits under Secretary of War Pete Hegseth’s broader Acquisition Transformation priorities, which the Department describes as forging the “Arsenal of Freedom”: speed to capability, lower barriers for small, medium, and non-traditional businesses, and scalable, resilient cybersecurity in place of bureaucratic compliance.

Your Voice Matters: the RFI Is Open to Stakeholders

The Task Force is gathering industry input through a public Request for Information (RFI), “Reforming CMMC and Reducing Compliance Burden,” posted on SAM.gov. Responses are due August 14, 2026. This is the official channel for the Defense Industrial Base to shape what the reformed program looks like. If CMMC’s cost and complexity have been a burden on your organization, this is your opportunity to be heard as a stakeholder, and we recommend you take it.

What the Announcement Actually Says

The big picture: The DoW CIO has paused the CMMC rollout and suspended Phase II implementation as part of a broader acquisition overhaul tied to Executive Order 14265 (Modernizing Defense Acquisitions and Spurring Innovation in the Industrial Base, April 2025). A 60-day review is now underway.

The mechanics that affect your contracts:

  • Only self-assessments may be required during the suspension. Program managers may now include only CMMC Level 1 (Self) or CMMC Level 2 (Self) assessments in procurement requests and requirement documents.
  • Third-party and government certification assessments are off the table for now. Program offices may not designate CMMC Level 2 (C3PAO) or CMMC Level 3 (DIBCAC) assessments during this period.
  • Existing C3PAO and DIBCAC requirements are being removed. Active solicitations carrying a Level 2 (C3PAO) or Level 3 (DIBCAC) requirement will be amended to strip them out. Existing contracts that already contain them will have them removed by modification before the next option period is exercised, or at the next scheduled administrative modification.
  • No new waivers will be granted during the review.
  • Further guidance will follow at the conclusion of the 60-day review.

In short: the third-party certification mechanism is being paused and reworked. The security expectations underneath it are not going away.

What Does This Mean to You? (A Straight Answer for the DIB)

This is the part that matters. The only thing that has changed is the Phase II requirement to undergo a Certification Assessment by a Certified Third-Party Assessment Organization (C3PAO). Everything else you were already obligated to do, you are still obligated to do.

Here is what remains fully in force:

1. Your self-assessment is still REQUIRED.

CMMC Level 1 (Self) and Level 2 (Self) self-assessments remain required. Phase I was never suspended. You still perform the assessment, you still affirm it, and you still post your results to the Supplier Performance Risk System (SPRS), accessed through the Procurement Integrated Enterprise Environment (PIEE).

2. Your core safeguarding obligations are unchanged.

If you store, process, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), you must still meet:

  • DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. Fully in force.
  • FAR 52.204-21 (redesignated FAR 52.240-93 under the FAR Overhaul), Basic Safeguarding of Covered Contractor Information Systems (the FCI safeguarding requirement). Fully in force.

A note on DFARS 252.204-7021 (the CMMC clause): with Phase II suspended and the program under a 60-day review, this clause is currently listed as “TBD” on the DoD CIO’s CMMC Resources page; its future application is to be determined pending the outcome of the review. That does not relieve you of anything above. Your safeguarding, self-assessment, and reporting duties continue regardless of where 7021 lands.

The one CMMC element that is suspended is the Phase II Certification Assessment performed by a C3PAO. Nothing about your obligation to actually protect FCI and CUI is lifted.

3. NIST SP 800-171 Revision 2 remains the standard.

Systems that process FCI or CUI must still meet NIST SP 800-171 Revision 2:

  • For FCI (CMMC Level 1): the 15 basic safeguarding requirements in FAR 52.204-21 (now FAR 52.240-93), which map to 17 of the 110 security controls in NIST SP 800-171 Rev 2.
  • For CUI (CMMC Level 2): all 110 security controls in NIST SP 800-171 Rev 2, measured against all 320 assessment objectives (NIST SP 800-171A Rev. 2). Every one of these is still required to be met.

4. CUI cloud requirements are unchanged.

CUI must still be stored and processed only using cloud service providers (CSPs) that meet the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline (or equivalent), consistent with DFARS 252.204-7012.

5. Incident reporting is unchanged.

Cyber incidents involving CUI must still be reported to the DoD Cyber Crime Center (DC3) within 72 hours of discovery.

6. You must stay compliant for the life of the contract, and you can still be checked.

The DIB is required to maintain compliance for the entire duration of the contract, and you remain subject to select government-led assessments during this period; DFARS 252.204-7020 preserves the government’s right to assess. Self-assessment does not mean self-policing without consequence.

Why “Wait and See” Is the Wrong Move

  • Government-led assessments are explicitly still on the table. The suspension did not remove the possibility of a DoW assessor showing up; the memorandum names select government-led assessments as part of the interim approach.
  • The underlying standard is not changing. Whatever the reformed program looks like, it will almost certainly remain built on NIST 800-171. Work you do today is the foundation for whatever comes next.
  • Your existing clauses do not pause themselves. DFARS 7012 obligations, and their flow-down to subcontractors, continue regardless of the CMMC timeline.
  • Your self-attestation carries real legal weight. With self-assessment now carrying more of the load, an inaccurate or inflated score remains exposed to False Claims Act liability. Recent enforcement actions against contractors that misrepresented their cybersecurity posture make this risk concrete, not theoretical.
  • The threat does not take a 60-day break. Adversaries targeting the defense supply chain are not waiting for the Task Force to publish its findings.

Firms that treated earlier CMMC delays as an excuse to stand down consistently found themselves scrambling later, at higher cost and under time pressure. The organizations that stayed the course kept their competitive edge.

What We Recommend You Do Right Now

  • Read the primary sources (linked below) so your leadership is working from facts, not headlines.
  • Contact Peerless and your C3PAO. If you recently procured a C3PAO CMMC Certification Assessment that you have not yet executed, or one is upcoming, reach out to us for guidance, changes, or next steps.
  • Validate your current self-assessment score. Make sure it is accurate and defensible before any government-led assessment.
  • Complete or refresh your Level 1 (Self) and Level 2 (Self) assessment against NIST 800-171 Rev 2. This is the active enforcement baseline.
  • Keep your System Security Plan (SSP) and POA&M current. These remain the backbone of any self-assessment.
  • Close real control gaps, prioritizing genuine cyber hygiene: MFA, access control, logging, encryption, incident response, backup integrity, and FedRAMP-authorized handling of CUI.
  • Confirm your flow-down obligations. Verify subcontractors handling FCI or CUI are meeting DFARS 7012 and FAR 52.204-21.
  • Check your active solicitations and contracts for any C3PAO or DIBCAC requirement being removed, so you do not sign up for costs that are being lifted.
  •  Submit feedback through the RFI on SAM.gov  by August 14, 2026. Help shape the reformed program while the window is open.
  • Stay positioned, not paused. Keep NIST 800-171 Rev 2 as your working target so you are ready when reformed requirements land.

The Bottom Line

Your obligations under DFARS 252.204-7012, FAR 52.204-21 (52.240-93), NIST SP 800-171 Rev 2 (all 110 controls and 320 objectives for CUI), FedRAMP cloud handling, and 72-hour DC3 incident reporting all remain in force, and you remain subject to government-led assessment. Peerless is still here to ensure you meet your requirements, whether that is the 15 basic safeguarding requirements for CMMC Level 1 (Self) or all 110 NIST SP 800-171 security controls for CMMC Level 2 (Self). If you have our services, nothing changes in our support. Our goal is to support and lead you to CMMC readiness based on NIST SP 800-171.

Official Sources

We encourage clients to review the primary sources directly:

This post is for general informational purposes and reflects the DoW announcement, signed memorandum, and CIO video dated July 13, 2026. It is not legal advice. Contractual obligations vary; consult your contracting officer and legal counsel regarding your specific requirements. Sources: U.S. Department of War press release, “Forging the Arsenal of Freedom: Department of War Suspends CMMC Phase II Requirements”; the memorandum “Implementing Department of War Chief Information Officer’s Suspension of the Advancement to Cybersecurity Maturity Model Certification Phase 2 Requirements” (26-P-1023), signed by Under Secretary of War Michael P. Duffey; the DoW CIO CMMC program page; and 32 CFR Part 170, FAR 52.204-21, and DFARS 252.204-7012.