On July 13, 2026, DoD suspended CMMC Phase 2 and opened a 60-day review. The C3PAO third-party certification mandate scheduled for Nov 10, 2026 is paused. Phase 1 self-assessment requirements remain in effect, and you must still meet NIST 800-171 and protect FCI/CUI.
DoD hit pause, not delete. It suspended the Phase 2 third-party (C3PAO) certification requirement and started a 60-day review of the whole program. What did not change: Phase 1 self-assessments, NIST SP 800-171, DFARS 252.204-7012, your SPRS score, and the plain legal duty to protect federal data. If you were building toward compliance, keep building. The rules you're meeting today are still the rules, and the certification piece could come back in modified form.
Word of a CMMC suspension moves through the defense industrial base fast, and it tends to get flattened into a headline that isn't true: "CMMC is dead." It isn't. Something real did happen on July 13, and it matters — but the version bouncing around LinkedIn is a game of telephone. Here's the accurate, unhyped read of what DoD actually did, what it touches, what it leaves standing, and what a small contractor should do with the next 60 days instead of celebrating or panicking.
We'll keep this grounded in the primary sources, which are linked at the bottom of the page so you can read the memo yourself rather than trust a summary — ours included.
On July 13, 2026, the Department of Defense — styled the "Department of War" in the release — issued an immediate suspension of CMMC Phase 2 and opened a 60-day top-to-bottom review of the program. The memo was signed by DoD Chief Information Officer Kirsten Davies. The framing from the department was that the certification mechanism, as designed, was doing more to slow the defense industrial base down than to secure it — and that it deserved a hard look before it fully switched on.
The specific target matters, so be precise about it. Phase 2 is the piece of the rollout that would have required C3PAO third-party certification for applicable Level 2 contracts, phasing in starting November 10, 2026. That is the requirement now on hold. The suspension is aimed at the third-party assessment gate — not at the security standard underneath it, and not at the affirmations contractors are already making today.
This is a suspension pending review. It is not a repeal, not a cancellation, and not a signal that the DoD has stopped caring who's protecting its data. Read it as a timeout on one specific mechanism while the department decides whether to restart it, reshape it, or replace it.
This is the part worth slowing down on, because getting it wrong is expensive in both directions. One column is paused. The other is fully live, and treating it as optional is how a contractor ends up out of compliance during the exact window they thought they'd caught a break.
If you want the clean mental model of the piece that got paused versus the piece that stayed, our C3PAO vs self-assessment guide lays out exactly where the third-party line sits — and everything on the self-assessment side of that line is still your job today.
The reasoning DoD cited comes down to arithmetic that never balanced. Roughly 100,000-plus firms across the defense industrial base would eventually need third-party assessments. The number of authorized assessors to perform them? Around 100. That's a thousand contractors per assessor before you account for reassessments, and it's the same bottleneck we've flagged for a year — there simply were never enough C3PAOs to certify the base on the planned timeline.
Stack the cost and burden of certification on top of that supply problem and you get the second half of the rationale. The Small Business Administration reported that CMMC, as structured, was pushing small and innovative firms out of the defense industrial base — the exact companies the DoD wants in the tent — and that the compliance drag was delaying capability to warfighters. When a security program starts thinning out your supplier base and slowing delivery, the department's read was that it needed a review before it locked in.
None of that is a verdict that the underlying security is unnecessary. It's a verdict that the certification machinery outran the capacity to run it. That distinction is why the standard survived and the audit gate got paused — and why nobody serious should read this as permission to run an unprotected network.
The instinct to exhale is understandable. Ignore it. The move that wins here is boring and unglamorous: keep going, because everything you build satisfies obligations that are live right now and positions you if the certification gate comes back on. Here's the concrete order of operations.
Here's the honest bottom line from a shop that does this work: a suspension is the best possible time to get your house in order calmly, without an assessor's calendar breathing down your neck. The pressure just came off the deadline. The obligation to protect the data did not. Use the quiet to finish the paperwork you'd have been scrambling to assemble in November — and if the gate reopens, you're already standing on the right side of it.
Phase 2's third-party audit is on hold — but Phase 1 self-assessment, NIST 800-171, and your SPRS score are all still live, and the certification gate could return in modified form. The CMMC Level 2 DIY Compliance Kit is the whole documented layer — a System Security Plan mapped to all 110 controls, the 20 required policies, a POA&M template, and a per-control SPRS scorer — editable and built for a small shop. It satisfies what you owe today and keeps you audit-ready straight through the 60-day review.
No. On July 13, 2026, the Department of Defense suspended CMMC Phase 2 and opened a 60-day review of the program. Suspended is not repealed. The C3PAO third-party certification mandate that was scheduled to phase in starting November 10, 2026 is paused pending that review and could return in a modified form. The rest of the framework — including the requirement to protect federal data — is untouched.
The suspension targets CMMC Phase 2 — specifically the mechanism that would have required Level 2 contractors to obtain a C3PAO third-party certification, phasing in starting November 10, 2026. That third-party assessment requirement is what is on hold. Phase 1 self-assessment requirements, which have been in effect since roughly November 2025, are not suspended.
Yes. NIST SP 800-171 remains the standard, and DFARS 252.204-7012 still obligates contractors handling covered defense information to safeguard it and to submit an SPRS score. The Phase 2 suspension pauses the third-party certification layer, not the underlying legal duty to protect Federal Contract Information and Controlled Unclassified Information. The requirement to secure the data did not go away.
No. Self-assessment is still the law, an SPRS score is still required on applicable contracts, and the 60-day review could reinstate the third-party mandate in modified form. Every control you implement and every document you write satisfies obligations that are in effect today and keeps you audit-ready if certification returns. Dismantling a compliance program during a pause is the one move that can leave you exposed both to a data breach and to a fast reinstatement.
The stated reason is a capacity and cost mismatch. Roughly 100,000-plus defense industrial base firms would need third-party assessments, but only about 100 authorized assessors exist to perform them. Combined with the cost and burden of certification — and Small Business Administration reporting that CMMC was pushing small and innovative firms out of the defense industrial base and delaying capability to warfighters — DoD opened a 60-day top-to-bottom review of the program.
Yes. This is a suspension pending a 60-day review, not a repeal. The program could return in a modified form after the review concludes. Contractors who let their readiness lapse and then face a reinstated requirement will be scrambling for a seat in the same short assessor line as everyone else. Staying prepared through the window is the low-risk position.