CMMC Phase II Suspended, Not Canceled: What Defense Contractors Need to Know
The Department of War’s July 13, 2026, announcement sent ripples through the defense contracting community: CMMC Phase II requirements have been suspended. But let us be clear, suspended does not mean canceled.
This pause is temporary, and it is meant to give the Department time to refine implementation details, align oversight processes, and ensure that third‑party certification (C3PAO) standards are consistent across the supply chain. The Cybersecurity Maturity Model Certification (CMMC) program itself remains very much alive and so do your obligations under Phase I.
What the Suspension Actually Means
Phase II was scheduled to take effect on November 10, 2026, introducing mandatory third‑party certification for CMMC Level 2 and Level 3 compliance. That rollout is now on hold. Program Managers have been directed to amend active solicitations and modify existing contracts to remove Phase II language until further notice.
However, Phase I self‑assessment requirements remain firmly in place. Contractors must continue performing CMMC Level 1 and Level 2 self‑assessments wherever specified in their contracts. The Department will still enforce these through self‑attestation and internal review.
So, to be very, very clear: CMMC Level 2 is not paused, only Phase 2 is (the audit-before-award requirement tied to the Nov 10 date). Level 2 compliance and NIST SP 800-171 remain fully in force; only the audit/certification gate is suspended. It is a regulatory pause, not a security pause. Clients still must do the work, they just have “more time to study for the test.”
In short: the test is not canceled, it is suspended. The framework continues to evolve, and organizations that maintain compliance now will be better positioned when Phase II resumes.
Your Obligations Have Not Changed
Even with the suspension, defense contractors and subcontractors must still safeguard Covered Defense Information under DFARS 252.204‑7012 and implement the security requirements of NIST SP 800‑171 Rev 2. The Department expects continued adherence to these standards and will monitor compliance through existing assessment mechanisms.
This means:
- Keep your self‑assessments current.
- Maintain documentation and evidence of compliance.
- Continue remediation of any identified gaps.
- Treat cybersecurity as a continuous process, not a one‑time audit.
Why the Suspension Matters
For many organizations, the pause offers breathing room, time to strengthen internal controls, refine documentation, and prepare for third‑party audits without the pressure of an immediate deadline. But it is also a warning: when Phase II resumes, enforcement will likely be stricter, and organizations that use the suspension as an excuse to delay will find themselves behind.
Manufacturers and defense suppliers should view this as an opportunity to mature their cybersecurity programs, not to relax them.
How 2W Tech Can Help
2W Tech works with defense contractors and manufacturers to build sustainable cybersecurity programs that align with CMMC, DFARS, and NIST requirements. Our team helps organizations perform accurate self‑assessments, close compliance gaps, and prepare for eventual third‑party certification when Phase II resumes. We also assist with documentation, policy development, and technical remediation to ensure readiness under any future CMMC phase.
The suspension is a pause, not a reset. Now is the time to strengthen your cybersecurity posture so you are ready when the test begins again.
Read More: