Search
Generic filters
What the CMMC Phase II Suspension Means for Contractors and How to Stay Ready
July 16, 2026

What the CMMC Phase II Suspension Means for Contractors and How to Stay Ready

On July 13, 2026 the Department of War announced significant changes to the Cybersecurity Maturity Model Certification (CMMC) program. CMMC Phase II requirements that were supposed to go into full effect on November 10, 2026 have been suspended while the Department conducts a comprehensive 60-day review of the program’s future.

The intent of the review is to align with DoW directives prioritizing speed to capability; lowering barriers for small, medium and non-traditional businesses; and replacing bureaucratic compliance with scalable, resilient cybersecurity measures.

Understandably, contractors are wondering what this all means. The short answer is that you should continue securing your systems to CMMC standards, but third-party assessments of that work have been suspended. You will need to perform self-assessments in the interim.

The Department has paused portions of the rollout, but not the underlying cybersecurity obligations that protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Contractors are still responsible for meeting contract requirements, accurately performing self-assessments and maintaining evidence their security controls are operating as represented.

What got suspended

The July 13th memorandum immediately pauses the next stage of CMMC implementation while a newly formed CMMC Reform Task Force conducts a top-to-bottom review of the program, creating impacts throughout the CMMC community.

The suspended elements include:

  • The planned November 10, 2026 Phase II transition
  • The rollout of Level 2 assessments performed by CMMC Third-Party Assessment Organizations (C3PAOs)
  • Level 3 DIBCAC assessment designations
  • Pending and future CMMC implementation milestones
  • Existing solicitation language requiring future third-party assessments,
  • The broader implementation schedule while the agency conducts its 60-day review

According to DoW CIO Kirsten Davies, the review is intended to determine whether the current CMMC framework creates unnecessary barriers for the DIB (particularly among smaller and non-traditional contractors) while identifying ways to maintain strong cybersecurity with a more scalable implementation model.

“Robust cybersecurity and operational resilience remain critical to protecting American innovation and supporting warfighter readiness. We believe the DIB can achieve both, while we reduce unnecessary government red tape,” states Davies. And she adds that “the current CMMC program is structurally incompatible with our need to rapidly expand the DIB.”

The requirements that remain in effect after CMMC phase II suspension

While Phase II rollout has been paused, many of the requirements the DIB has been working toward remain unchanged. Contractors must still comply with:

  • Phase I Level 1 and applicable Level 2 self-assessment requirements
  • NIST SP 800-171 Rev. 2 security requirements (where contractually applicable)
  • DFARS 252.204-7012 safeguarding requirements
  • Protection of FCI and CUI
  • Applicable subcontractor flow-down requirements
  • Select government-led cybersecurity assessments where required

During the suspension, emphasis will shift toward self-assessments and operational cybersecurity.

Self-assessment still requires operational rigor

One misconception is that self-assessments are an informal method of assurance and that attestations don’t need to be fully supported. This couldn’t be further from the truth. Organizations must still understand precisely how their systems operate and be able to demonstrate that their reported security posture accurately reflects reality.

That means you should continue to:

  • Identify every system that stores, processes or transmits CUI
  • Understand how NIST SP 800-171 requirements have actually been implemented
  • Maintain current policies, technical configurations and supporting evidence
  • Remediate known security gaps
  • Ensure reported assessment results accurately reflect current operating conditions
  • Remain prepared for possible government review and avoid penalties

In other words, maintaining baseline integrity is still key. A self-assessment has little value if the baseline being evaluated is outdated, inconsistent across systems or no longer reflects the production environment. Repeatable technical validation remains essential regardless of whether an external assessor is involved or not.

A shift toward scalable cybersecurity

While the outcome of the 60-day review remains unknown, the Department’s public statements provide insight into the issues driving the review. Officials have repeatedly referenced goals such as:

  • Reducing prohibitive compliance costs
  • Lowering barriers for small, medium-sized and non-traditional contractors
  • Replacing administrative burden with scalable security measures
  • Emphasizing tangible cyber hygiene over paperwork
  • Improving operational resilience across the DIB

We can’t predict what the final CMMC framework will ultimately look like. The review may result in significant changes, modest adjustments or an entirely different implementation approach. Until additional guidance is issued, contractors should continue building sustainable cybersecurity programs that satisfy existing contractual obligations rather than trying to plan for assumed future requirements.

The role of unified automation

Whether organizations ultimately undergo self-assessments or third-party assessments, the underlying technical work remains largely the same. Ultimately, security configurations must still be implemented consistently, validated regularly and maintained over time.

Unified automation helps organizations reduce the manual effort associated with those activities by enabling teams to:

  • Apply approved security configurations consistently
  • Reduce manual hardening and remediation
  • Customize security policies to fit operational requirements
  • Detect configuration drift and unauthorized changes
  • Continuously validate system configurations
  • Generate repeatable technical evidence and reporting
  • Scale security operations without creating equivalent administrative overhead

SteelCloud’s ConfigOS addresses the technical aspects of compliance from a single solution, purpose built to automate the configuration management, remediation, validation, customization and evidence collection activities that support CMMC, NIST SP 800-171, STIG and CIS Benchmarks implementations.

9 actions contractors should continue during the suspension

Rather than pausing cybersecurity initiatives, organizations should use this review period to strengthen their NIST 800-171 implementation and invest in cyber resilience and continuous monitoring. Recommended next steps include:

  1. Review current contracts and active solicitations for applicable CMMC requirements
  2. Confirm whether any third-party assessment language will be removed or modified
  3. Review the DoW’s “Brilliant at the Basics” guidelines supporting NIST requirements
  4. Continue completing required Phase I self-assessments
  5. Maintain NIST SP 800-171 Rev. 2 implementation and remediation activities
  6. Validate that reported assessment results and supporting evidence accurately reflect current operating conditions
  7. Monitor for guidance issued following the Department’s 60-day review
  8. Evaluate where automation can reduce the long-term cost of implementing, validating and maintaining cybersecurity controls
  9. Consult legal counsel with DFARS and False Claims Act experience to help guide organizational alignment

Organizations that continue improving their cybersecurity posture today will be better positioned regardless of how the revised CMMC framework ultimately evolves.

Focus on the requirement that has not changed

The structure of the CMMC program may be under review with the CMMC Phase II suspension, but one responsibility remains constant: protecting sensitive defense information.

Whether future compliance relies primarily on self-assessments, third-party assessments or some other certification model, organizations will still need accurate security baselines, sustainable technical controls and defensible evidence demonstrating that those controls are operating effectively.

Unified automation is a readiness multiplier, helping organizations accomplish the technical aspects of certification more consistently with less manual effort and greater operational confidence. It ensures you are always prepared for whatever may come from adversaries, your customers and the CMMC program. To see unified automation in action, schedule a demo.

Share This Resource: