CMMC Phase II Is Suspended
Here's What Actually Changes
Last updated: July 14th, 2026
The headlines say CMMC is dead. Here's the version your clients actually need.
CMMC is not going away. It's a federal rule, not a policy memo, and the Department of War can't erase it by announcement alone. What changed on July 13 is narrower: Phase II — the third-party certification requirement — is suspended while DoD runs a 60-day review. Phase I self-assessments stay in force today, in every active contract.
That distinction is the whole story. Here's what it means in practice.
What DoD actually announced
On July 13, 2026, the Department of War suspended the transition to CMMC Phase II, which had been scheduled to take effect November 10, 2026. Phase II would have required third-party assessments — CMMC Level 2 (C3PAO) or Level 3 (DIBCAC) — for applicable contracts.
DoD also directed contracting officers to strip any Level 2 (C3PAO) or Level 3 (DIBCAC) requirements already sitting in active solicitations and contracts, replacing them with self-assessment language. Program managers have until the next option period or scheduled modification to make that change.
Alongside the suspension, DoD stood up a CMMC Reform Task Force to run a top-to-bottom review of the program. Industry feedback is due through an RFI by August 14, 2026, and the task force has 60 days from the July 13 announcement to deliver findings.
What hasn't changed
Three things are still true today, for every contractor and every MSP client:
Phase I is enforceable
Level 1 and Level 2 self-assessments, which took effect November 10, 2025, remain fully in force. Nothing about the July 13 announcement touches them.
DFARS 252.204-7012 obligations are untouched
Contractors handling covered defense information still have to implement NIST SP 800-171 Rev 2, still have to report cyber incidents within 72 hours, and still carry that obligation contractually regardless of what happens to CMMC's certification layer.
The underlying rule is still law
CMMC's program requirements live in 32 CFR Part 170, and the contracting mechanics live in the DFARS clauses at 252.204-7021 and 252.204-7025. Both went through full federal rulemaking — proposed rule, public comment, final rule. DoD can pause how it enforces its own contract requirements. Rewriting or repealing the underlying rule is a different, slower process that requires going back through rulemaking from the start.
Why "suspended" doesn't mean "resolved"
DoD hasn't said what happens after the 60-day review. Based on what officials have said publicly, there are three realistic paths:
- The pause ends and Phase II resumes roughly as planned. The review confirms the framework, DoD sets a new go-live date, and third-party assessments come back.
- DoD keeps self-assessments in place longer and pushes the third-party requirement out. No rule change, just more runway before Level 2/3 certification kicks in.
- DoD rewrites the rule. Officials have said they haven't ruled out major changes, including how the program is structured. This path takes the longest, since it requires a new proposed rule and comment period before anything is final.
Nobody — including DoD's own leadership — has said which of these is coming. That's the honest answer, and it's the one your clients need instead of a headline.
What this means for MSPs right now
The clients who lose ground here are the ones who read "CMMC suspended" and quietly stop working on compliance. That's the wrong read. Phase I self-assessments and NIST SP 800-171 obligations are active today, and contracting officers are still checking for them.
The 60-day window is a chance to get ahead, not a reason to pause:
- Get every client's Phase I self-assessment and SSP current now, while the requirement is stable and the pressure is temporarily off Phase II.
- Keep documentation audit-ready. Whatever comes out of the review, contractors with a clean, current self-assessment are positioned to move fast.
- Watch the RFI and task force timeline. The August 14 comment deadline and the 60-day report are the two dates that will actually tell you what's next.
Talk to FortMesa
FortMesa helps MSPs turn moments like this into client conversations that build trust instead of scrambling to react. If you want help walking your clients through their Phase I status or getting their SSPs in order before the review concludes, register a deal or reach out to your FortMesa contact.
Sources: U.S. Department of War press release, July 13, 2026; DoW memo 26-P-1023 (Implementing Suspension of CMMC Phase II); Federal News Network, July 13, 2026; DefenseScoop, July 13, 2026.
Explore Resources
What your company needs to deliver cybersecurity!