CMMC Phase 2 implementation may be changing. The mission to protect the Defense Industrial Base remains.
The Department of War’s decision to pause CMMC Phase 2 implementation has created significant discussion across the Defense Industrial Base. For many contractors, the announcement raises important questions:
- What happens to CMMC requirements?
- Should organizations continue preparing?
- Does this change existing cybersecurity obligations?
The answer requires separating two issues that are often conflated: how cybersecurity compliance is validated and the underlying responsibility to protect sensitive defense information. The implementation timeline may be changing. The cybersecurity mission has not.
What the Department Announced
On July 13, 2026, the Department of War announced a suspension of CMMC Phase 2 implementation and established a 60-day CMMC Reform Task Force to review the program and provide recommendations.
The announcement pauses pending implementation milestones, including the planned transition that would have introduced mandatory third-party CMMC assessments for applicable contracts. During this review period, the Department will evaluate how CMMC can best achieve its goal of improving cybersecurity across the Defense Industrial Base while addressing concerns around scalability and implementation.
The key point: the Department is reviewing the implementation approach—not abandoning the need for stronger cybersecurity.
What Did Not Change
The most important message for defense contractors is what remains in place.
Organizations handling Controlled Unclassified Information (CUI) are still responsible for protecting that information in accordance with existing cybersecurity requirements. The pause does not eliminate:
- NIST SP 800-171 requirements for protecting CUI
- Applicable DFARS cybersecurity obligations
- System Security Plan (SSP) requirements
- Plans of Action and Milestones (POAMs)
- Accurate cybersecurity representations and affirmations
CMMC also remains part of the Department’s regulatory framework following completion of the federal rulemaking process. This announcement changes implementation. It does not erase the cybersecurity expectations contractors have been working toward.
Do Not Confuse More Time With Less Responsibility
The biggest risk following this announcement is that organizations interpret the pause as a reason to delay cybersecurity investments. That would be the wrong conclusion.
The threats facing the Defense Industrial Base have not paused. Nation-state adversaries targeting defense contractors do not operate according to regulatory timelines. Cybersecurity requirements exist because sensitive defense information continues to be targeted, and protecting that information remains critical to national security.
For organizations that have been preparing for CMMC, the work completed so far still creates value. Stronger identity management, improved security controls, better documentation, and mature cybersecurity processes strengthen the organization regardless of how the certification framework evolves.
The Real Goal Was Never the Assessment
CMMC assessments were designed to validate cybersecurity maturity—not create it. The objective has always been a more resilient Defense Industrial Base capable of protecting Controlled Unclassified Information and supporting the mission of the Department of War.
A successful cybersecurity program is not built the week before an assessment. It requires governance, ownership, operational discipline, and continuous improvement. The organizations that use this period to strengthen those foundations will be better positioned regardless of what changes emerge from the Department’s review.
What Defense Contractors Should Do Now
While the CMMC framework evolves, organizations should continue focusing on the fundamentals:
- Understand your current cybersecurity posture. Know where gaps exist and what security requirements remain incomplete.
- Continue implementing NIST SP 800-171 requirements. The security controls that protect CUI remain essential regardless of assessment timelines.
- Maintain accurate documentation. Your SSP, POAM, and cybersecurity representations remain important parts of demonstrating due diligence.
- Build cybersecurity into operations. Compliance should not be a one-time project. It should become part of how the organization manages risk.
The Mission Continues
Regulatory frameworks change. Implementation strategies evolve. Policy decisions shift. But the responsibility to protect the Defense Industrial Base remains constant.
The CMMC pause creates uncertainty, but it also creates an opportunity: more time to build cybersecurity programs that are not simply designed to pass an assessment, but designed to protect critical information.
The mission did not pause. Neither should cybersecurity readiness.
Frequently Asked Questions
1. What exactly was suspended?
The Department of War suspended the transition to CMMC Phase 2 implementation, including the planned introduction of mandatory third-party C3PAO assessments for applicable contracts. The suspension pauses implementation milestones while the Department conducts a 60-day review. It does not eliminate existing cybersecurity obligations related to protecting Controlled Unclassified Information (CUI). CMMC Phase 1 remains active.
2. Does this mean CMMC has been canceled?
No. CMMC has not been canceled. The CMMC program is under review. The Department has initiated a 60-day review to evaluate the future implementation of the program. The objective remains strengthening cybersecurity across the Defense Industrial Base while addressing concerns around scalability and implementation. The implementation strategy may evolve. The need to protect CUI has not.
3. Are third-party C3PAO assessments no longer required?
The Department has paused the transition that would have introduced mandatory C3PAO assessments under Phase 2 implementation. The role of third-party assessments is part of the Department’s broader review. For now, the Department will rely on Level 1 and applicable Level 2 self-assessments. Organizations should continue monitoring official guidance and contract-specific requirements.
4. What happens to contracts that were expected to require CMMC Level 2 certification?
The Department has directed that pending and future CMMC implementation milestones be held in abeyance while the review is conducted. Contractors should continue monitoring guidance from contracting officers and prime contractors, as individual contract requirements and supplier expectations may vary.
5. Do we still have to comply with NIST SP 800-171?
Yes. The pause affects CMMC implementation timelines, not the underlying cybersecurity requirements for protecting CUI. Organizations handling CUI must continue implementing applicable NIST SP 800-171 requirements and meeting cybersecurity obligations established through contracts and DFARS requirements.
6. Do we still need to maintain an SPRS score?
Organizations should continue maintaining accurate cybersecurity representations and scores where required by applicable contracts and regulations. Accurate self-assessments remain important because contractors are responsible for representing their cybersecurity posture truthfully.
7. Can we stop working our POAMs?
No. Organizations should continue managing documented remediation plans and addressing cybersecurity gaps. A POA&M is not just a compliance artifact. It is part of a structured approach to reducing risk and improving cybersecurity maturity.
8. Does DFARS 252.204-7012 still apply?
Yes. The CMMC implementation pause does not eliminate existing, longstanding DFARS safeguarding, incident reporting, or cybersecurity requirements.
9. Does this reduce False Claims Act risk?
No. Contractors remain responsible for accurately representing their cybersecurity posture and compliance with contractual requirements. The Department of Justice’s Civil Cyber-Fraud Initiative continues to demonstrate that inaccurate cybersecurity representations can create significant legal and contractual consequences.
10. Will primes still require cybersecurity validation?
Potentially, yes. Prime contractors may continue asking suppliers to demonstrate cybersecurity maturity, provide evidence of security controls, or meet specific cybersecurity requirements as part of their supply chain risk management efforts. The absence of a CMMC implementation milestone does not prevent primes from establishing cybersecurity expectations for their suppliers.
11. Will this change subcontract flow-down requirements?
Contractors should continue reviewing cybersecurity requirements that flow down through their contracts. Prime contractors may continue requiring suppliers to demonstrate the ability to protect CUI and meet cybersecurity expectations, regardless of changes to CMMC implementation timelines.
12. Should contractors stop preparing for CMMC?
No. The pause creates an opportunity to strengthen cybersecurity programs, not delay them. Organizations that use this time to assess their current posture, implement security improvements, and mature their cybersecurity processes will be better positioned regardless of how CMMC evolves.
