On July 13, 2026, the Department of War's Chief Information Officer issued memo 26-P-1023 suspending CMMC Phase 2 — the scheduled ramp-up of third-party (C3PAO) certification assessments that was set to begin November 10, 2026 — along with all pending and future CMMC milestones, "until further notice." A 60-day CMMC Reform Task Force was stood up to recommend a revised approach.
The headlines read "CMMC suspended," and a lot of contractors are quietly filing the whole subject under later. That's the expensive misread. What got suspended is the part most of the paid CMMC industry was built around — audits, assessor scheduling, "get certified by November." What did not get suspended is the part that actually binds you today: the self-assessment obligations already written into your contracts. Here's the precise split.
What was suspended vs. what still applies
| Requirement | Status after July 13, 2026 |
|---|---|
| Phase 2 — third-party (C3PAO) certification rollout | Suspended. The Nov 10, 2026 start of mandatory C3PAO assessments is paused until further notice. |
| All future CMMC phase milestones | Suspended pending the task force review. |
| Level 1 (FCI) annual self-assessment | Still required. Unchanged. |
| Level 2 (CUI) self-assessment under DFARS 252.204-7021 | Still required where your contract carries the clause (in effect since Nov 10, 2025). |
| SPRS score submission | Still required. You still calculate and post a current score. |
| Annual affirmation in SPRS | Still required — signed by a senior official, every year. |
| DFARS 252.204-7012 safeguarding & incident reporting | Unchanged. Contractual and independent of the CMMC phases. |
| NIST SP 800-171 Revision 2 as the standard | Unchanged. Scoring still runs on Rev 2 — no move to Rev 3. |
The affirmation trap
This is the part that quietly bites. The suspension does nothing to the annual affirmation — the statement a senior official signs in SPRS attesting that your organization meets its NIST 800-171 requirements. That attestation carries real legal weight: under the civil False Claims Act, a false or reckless affirmation about your compliance is its own liability, and the Department of Justice's cyber-fraud enforcement operates entirely independently of whether CMMC Phase 2 is on or off.
So the risk isn't "the deadline moved." The risk is a contractor who hears "CMMC suspended," lets their posture drift, and then signs next year's affirmation anyway. The paperwork you sign didn't get easier — the enforcement backstop behind it is still there.
What the task force is reviewing — and the dates to watch
The 60-day CMMC Reform Task Force was directed to recommend an approach that "prioritizes speed to capability, lowers barriers for small and medium businesses, and replaces prohibitive third-party compliance models with scalable, realistic security measures." In parallel, the Department opened a Request for Information — "Reforming CMMC" — asking industry directly about cost drivers, which controls deliver real security versus paper burden, and how to streamline the Phase 1 self-assessment.
Read plainly, the direction of travel is toward self-attestation, not away from it — the RFI asks how to optimize self-assessment, not whether to keep it. Nothing announced repeals the underlying duty to protect CUI; the memo itself calls data protection "critical and non-negotiable." Three dates worth putting on your calendar:
| Date | What happens |
|---|---|
| Aug 14, 2026 | Responses to the "Reforming CMMC" RFI are due. |
| ~Sep 11, 2026 | The 60-day CMMC Reform Task Force report is expected — the first real signal of what replaces Phase 2. |
| Ongoing | Watch whether primes keep flowing down assessment requirements contractually regardless, and any signal on NIST 800-171 Rev 3. |
What to actually do right now
- Don't stand down. Your Phase 1 self-assessment, SPRS score, and annual affirmation obligations are unchanged. If you were behind, you're still behind.
- Know your real number. Calculate your SPRS score against the 110 NIST 800-171 requirements so your affirmation is honest and your gaps are visible.
- Document where you stand. Draft your System Security Plan and turn your gaps into a POA&M — the artifacts an affirmation is supposed to rest on.
- Treat the pause as runway, not relief. Whatever the task force recommends, "self-assess against 800-171 and prove it" is the floor. Getting your posture and documentation solid now is time you won't have to spend under a future deadline.
Know exactly where you stand — free
The suspension doesn't change your homework. Run the free SPRS self-assessment: your real score against all 110 requirements, your prioritized gaps, and your next moves. No signup.
Calculate your SPRS score →Frequently asked questions
Is CMMC cancelled?
No. Phase 2 — the third-party (C3PAO) certification rollout set for Nov 10, 2026 — was suspended on July 13, 2026. Phase 1 self-assessment, SPRS submission, and annual affirmations remain in force.
Do I still need my SPRS score?
Yes. SPRS self-assessment scores and submission are unchanged. Contracts under DFARS 252.204-7021 still require a current self-assessment against NIST 800-171, and 252.204-7012 safeguarding is unchanged.
Do I still have to submit annual affirmations?
Yes — signed by a senior official, every year. A false affirmation carries False Claims Act exposure regardless of the Phase 2 suspension, so it's not a formality.
What exactly was suspended?
CMMC Phase 2 (the phased start of C3PAO certification assessments, set for Nov 10, 2026) plus all pending and future CMMC milestones, per DoW CIO memo 26-P-1023 (July 13, 2026). Phase 1 self-assessment was not suspended.
Is NIST 800-171 Rev 2 still the standard?
Yes. Self-assessment and SPRS scoring still use Rev 2. A 60-day CMMC Reform Task Force is reviewing the program (report expected ~Sep 11, 2026), but the standard has not changed.
Score, document, plan — free
Cut through the noise with your own numbers: calculate your SPRS score, draft your SSP, and build your POA&M. All three are free, run in your browser, and reflect what your contracts still require today. For the wider picture, see the CMMC timeline and self-assessment vs. C3PAO.