HomeGuides › CMMC Phase 2 Suspended

CMMC Phase 2 Suspended: What It Actually Means for Your Contracts

Updated July 13, 2026 · Primary-sourced from DoW CIO memo 26-P-1023, the DoW CMMC FAQ, and the "Reforming CMMC" RFI.

On July 13, 2026, the Department of War's Chief Information Officer issued memo 26-P-1023 suspending CMMC Phase 2 — the scheduled ramp-up of third-party (C3PAO) certification assessments that was set to begin November 10, 2026 — along with all pending and future CMMC milestones, "until further notice." A 60-day CMMC Reform Task Force was stood up to recommend a revised approach.

The headlines read "CMMC suspended," and a lot of contractors are quietly filing the whole subject under later. That's the expensive misread. What got suspended is the part most of the paid CMMC industry was built around — audits, assessor scheduling, "get certified by November." What did not get suspended is the part that actually binds you today: the self-assessment obligations already written into your contracts. Here's the precise split.

What was suspended vs. what still applies

RequirementStatus after July 13, 2026
Phase 2 — third-party (C3PAO) certification rolloutSuspended. The Nov 10, 2026 start of mandatory C3PAO assessments is paused until further notice.
All future CMMC phase milestonesSuspended pending the task force review.
Level 1 (FCI) annual self-assessmentStill required. Unchanged.
Level 2 (CUI) self-assessment under DFARS 252.204-7021Still required where your contract carries the clause (in effect since Nov 10, 2025).
SPRS score submissionStill required. You still calculate and post a current score.
Annual affirmation in SPRSStill required — signed by a senior official, every year.
DFARS 252.204-7012 safeguarding & incident reportingUnchanged. Contractual and independent of the CMMC phases.
NIST SP 800-171 Revision 2 as the standardUnchanged. Scoring still runs on Rev 2 — no move to Rev 3.
Put simply: the assessor didn't get suspended — the third-party assessor did. You are still your own assessor, and that obligation was never on the November calendar. It's on your contract.

The affirmation trap

This is the part that quietly bites. The suspension does nothing to the annual affirmation — the statement a senior official signs in SPRS attesting that your organization meets its NIST 800-171 requirements. That attestation carries real legal weight: under the civil False Claims Act, a false or reckless affirmation about your compliance is its own liability, and the Department of Justice's cyber-fraud enforcement operates entirely independently of whether CMMC Phase 2 is on or off.

So the risk isn't "the deadline moved." The risk is a contractor who hears "CMMC suspended," lets their posture drift, and then signs next year's affirmation anyway. The paperwork you sign didn't get easier — the enforcement backstop behind it is still there.

What the task force is reviewing — and the dates to watch

The 60-day CMMC Reform Task Force was directed to recommend an approach that "prioritizes speed to capability, lowers barriers for small and medium businesses, and replaces prohibitive third-party compliance models with scalable, realistic security measures." In parallel, the Department opened a Request for Information — "Reforming CMMC" — asking industry directly about cost drivers, which controls deliver real security versus paper burden, and how to streamline the Phase 1 self-assessment.

Read plainly, the direction of travel is toward self-attestation, not away from it — the RFI asks how to optimize self-assessment, not whether to keep it. Nothing announced repeals the underlying duty to protect CUI; the memo itself calls data protection "critical and non-negotiable." Three dates worth putting on your calendar:

DateWhat happens
Aug 14, 2026Responses to the "Reforming CMMC" RFI are due.
~Sep 11, 2026The 60-day CMMC Reform Task Force report is expected — the first real signal of what replaces Phase 2.
OngoingWatch whether primes keep flowing down assessment requirements contractually regardless, and any signal on NIST 800-171 Rev 3.

What to actually do right now

  1. Don't stand down. Your Phase 1 self-assessment, SPRS score, and annual affirmation obligations are unchanged. If you were behind, you're still behind.
  2. Know your real number. Calculate your SPRS score against the 110 NIST 800-171 requirements so your affirmation is honest and your gaps are visible.
  3. Document where you stand. Draft your System Security Plan and turn your gaps into a POA&M — the artifacts an affirmation is supposed to rest on.
  4. Treat the pause as runway, not relief. Whatever the task force recommends, "self-assess against 800-171 and prove it" is the floor. Getting your posture and documentation solid now is time you won't have to spend under a future deadline.

Know exactly where you stand — free

The suspension doesn't change your homework. Run the free SPRS self-assessment: your real score against all 110 requirements, your prioritized gaps, and your next moves. No signup.

Calculate your SPRS score →

Frequently asked questions

Is CMMC cancelled?

No. Phase 2 — the third-party (C3PAO) certification rollout set for Nov 10, 2026 — was suspended on July 13, 2026. Phase 1 self-assessment, SPRS submission, and annual affirmations remain in force.

Do I still need my SPRS score?

Yes. SPRS self-assessment scores and submission are unchanged. Contracts under DFARS 252.204-7021 still require a current self-assessment against NIST 800-171, and 252.204-7012 safeguarding is unchanged.

Do I still have to submit annual affirmations?

Yes — signed by a senior official, every year. A false affirmation carries False Claims Act exposure regardless of the Phase 2 suspension, so it's not a formality.

What exactly was suspended?

CMMC Phase 2 (the phased start of C3PAO certification assessments, set for Nov 10, 2026) plus all pending and future CMMC milestones, per DoW CIO memo 26-P-1023 (July 13, 2026). Phase 1 self-assessment was not suspended.

Is NIST 800-171 Rev 2 still the standard?

Yes. Self-assessment and SPRS scoring still use Rev 2. A 60-day CMMC Reform Task Force is reviewing the program (report expected ~Sep 11, 2026), but the standard has not changed.

Score, document, plan — free

Cut through the noise with your own numbers: calculate your SPRS score, draft your SSP, and build your POA&M. All three are free, run in your browser, and reflect what your contracts still require today. For the wider picture, see the CMMC timeline and self-assessment vs. C3PAO.