CMMC Phase 2 Is Paused: What It Means for Your Compliance Roadmap

An image titled 'CMMC Phase 2 Is Paused What It Means for Your Compliance Roadmap.png' that includes overlaid text reading 'CMMC Phase 2 Is Paused: What It Means for Your Compliance Roadmap. BY: SCOTT D. BUTCHER, FSMPS, CPSM.' In the background, a person works at a computer, holding a document marked 'CMMC PHASE 2: PAUSED. NIST 800-171: REQUIRED.' with a small plaque that says 'CYBERSECURITY COMPLIANCE - NOT PAUSED.' The Stambaugh Ness logo is visible at the bottom right.
July 17, 2026

On July 13, 2026, the Department of War (DoW) announced the immediate suspension of Cybersecurity Maturity Model Certification (CMMC) Phase 2 requirements, the third-party assessment mandate originally scheduled to take effect on November 10, 2026.

If you’re a contractor or subcontractor in the Defense Industrial Base (DIB), or you’ve been working toward CMMC Level 2 readiness, the most important takeaway is this: the audit requirement is paused, but the underlying security expectations remain.

Here’s what changed, what didn’t, and what we recommend you do next:

What Was Announced

DoW Chief Information Officer Kirsten Davies announced the suspension in support of Secretary of War Pete Hegseth’s Acquisition Transformation System directives, which prioritize speed to capability and reducing compliance burdens on small and medium-sized businesses.

The suspension covers Phase 2, originally slated for November 2026, as well as the subsequent Phase 3 and Phase 4 milestones, effectively pausing the current path toward mandatory third-party CMMC Level 2 certification for now.

Alongside the suspension, DoW established a 60-day CMMC Reform Task Force charged with reviewing the program end-to-end and recommending a framework that lowers barriers for small and non-traditional businesses while still protecting sensitive defense information. That report is expected in mid-September 2026.

What Hasn’t Changed

A few things are important to keep straight, because this announcement is easy to over-read:

  • Phase 1 self-assessment requirements remain in force. If your contracts currently require a CMMC Level 1 or Level 2 self-assessment, that obligation stands.
  • Your legal duty to protect Controlled Unclassified Information (CUI) hasn’t changed. DFARS clause 252.204-7012 still contractually obligates defense contractors and subcontractors to safeguard covered defense information, regardless of what happens to the third-party assessment mechanism.
  • NIST SP 800-171 is still the baseline. During this interim period, DoW will continue enforcing cybersecurity compliance through self-assessments and select government-led assessments. The underlying standard hasn’t gone anywhere.

In short, the audit requirement is paused. The security expectation is not.

What Does the CMMC Pause Mean If You’ve Been Working Toward CMMC Level 2?

If you’ve been preparing for CMMC Level 2 through NIST 800-171 control implementation, CUI/FCI scoping, policy documentation, or enclave architecture, this pause doesn’t make that work obsolete.

The certification was intended to validate the implementation of the underlying NIST SP 800-171 security controls. Passing a C3PAO audit was never the ultimate objective; it was proof that you’d already done the harder work of identifying where CUI lives, restricting access appropriately, and building the technical and policy controls needed to protect it.

That underlying security posture is what reduces your risk and strengthens your competitiveness, independent of whether a third-party assessor ever signs off on it.

Will the Requirements Change?

Almost certainly, but we don’t yet know how.

The Department has not announced what the revised framework will look like, but officials have emphasized that cybersecurity expectations are not being eliminated. DoW has signaled it wants “scalable, realistic security measures,” not a wholesale abandonment of cyber hygiene standards.

Organizations that have already implemented NIST SP 800-171 controls should be better positioned to adapt to whatever framework emerges. Contractors with mature controls in place will have a stronger starting point than those who pause their efforts entirely and have to restart once new requirements are announced.

Could Contract-Specific Requirements Still Apply?

Yes. Contract-specific and prime-flow-down requirements may still apply.

Some primes and specific solicitations had already begun requiring CMMC assessments ahead of the November deadline. If that applies to your organization, this suspension doesn’t necessarily remove that obligation. Review your specific contracts and flow-down requirements before changing your compliance plans.

Our Recommendation: Don’t Stop. Recalibrate.

For organizations that were racing toward a November certification deadline, some near-term pressure has eased. Use that additional time strategically.

This is an opportunity to reassess your timeline and budget, confirm which requirements still apply to your contracts, and sequence your compliance work more efficiently rather than sprinting toward a date that no longer exists.

We’ll continue helping firms build out the substantive controls, including access management, encryption, logging, incident response, and policy documentation that satisfy NIST 800-171 today and are likely to remain foundational to whatever framework emerges from the 60-day review.

We’re monitoring the CMMC Reform Task Force closely and will share updates as its recommendations take shape.

If you want to talk through what the CMMC pause means for your specific contracts, timeline, or budget, contact us. We’re happy to help you determine the right path forward.


Phil Keeney - Stambaugh Ness