CMMC Phase 2 Is Paused — But the Requirements That Reach Your Front Desk Never Moved
On July 13, 2026, the Department of War suspended CMMC Phase 2 and the third-party certification requirement that was set to hit contracts on November 10. Here is what actually changed, what is still fully in force today, and why the physical-access and screening controls that trip up defense contractors were never part of the pause.
When a headline says a compliance deadline was “suspended,” the dangerous reaction is relief. For most of the defense industrial base, the July 13 decision on CMMC is genuinely good news — a costly, capacity-starved requirement got pushed back. But if a contractor reads “Phase 2 paused” as “we can ease off,” they will walk straight into the requirements that did not pause.
On July 13, 2026, the Department of War (DoW) announced the immediate suspension of CMMC Phase 2 — the phase that would have made an independent third-party assessment a condition of award — and launched a 60-day “CMMC Reform Task Force” to review the program, with recommendations expected around mid-September 2026. The memo, issued by the department's Chief Information Officer, framed the pause around a blunt problem: the combination of prohibitive compliance costs, a severe shortage of third-party assessor capacity, and complex timelines was pushing small businesses and new entrants out of defense work.
The one-sentence version
The third-party verification of your cybersecurity program was paused. The requirement to have that program — self-assessed, attested, and safeguarding CUI under DFARS 252.204-7012 — was not.
What was actually suspended
Phase 2 was the point at which CMMC got teeth from an outside party. For most contracts involving Controlled Unclassified Information (CUI), it would have required a Level 2 certification assessment performed by an accredited third party — a Certified Third-Party Assessment Organization, or C3PAO — as a condition of award, replacing the self-attestation contractors use today. That transition, scheduled to begin appearing in solicitations on November 10, 2026, is what the DoW suspended.
Follow-up guidance after the memo indicated that active solicitations and contracts that already contain a Level 2 or Level 3 assessment requirement are to be amended to remove it during the review. If that describes one of your contracts, the status of that clause is a conversation with your contracting officer — not something any software vendor can change or interpret for you.
What remains fully in force today
This is the part worth reading twice, because it is where the misread costs money. The suspension touched the assessment mechanism. It left the underlying obligations standing:
- Third-party C3PAO Level 2 certification as a condition of award
- Level 3 (government-led) assessment requirements
- The Nov 10, 2026 Phase 2 transition in new solicitations
- Removal of Level 2/3 assessment clauses from active contracts during the review
- DFARS 252.204-7012 — safeguard covered defense information, report cyber incidents
- Level 1 self-assessment for Federal Contract Information (FCI)
- Level 2 self-assessment & attestation for CUI, implementing NIST SP 800-171
- NIST 800-171 Physical Protection — escort visitors, log physical access, control CUI areas (3.10.1 / 3.10.3 / 3.10.4)
Both the program rule at 32 CFR Part 170 and the acquisition rule that lets a contracting officer require a CMMC status remain on the books; neither can be rewritten without going back through rulemaking. And a Level 2 self-assessment still requires you to meet the same NIST SP 800-171 controls a C3PAO would have checked — you are simply attesting to them yourself, with an official signing the affirmation, for now.
Why this matters at the front desk
The controls that most often derail an otherwise-ready defense contractor are the physical ones — escorting visitors, logging who reached a CUI area, and proving it with evidence rather than a policy binder. Those controls sit inside the Level 2 self-assessment that is still required, and inside DFARS 7012 safeguarding. The pause did nothing to soften them. An affirmation you sign yourself is still a statement the government can hold you to.
The smart way to use the pause
The reprieve is real, and it is worth something: the C3PAO queue was always going to be the binding constraint, and now there is breathing room. But the contractors who come out ahead will treat the review window as time to close the same gaps on their own terms, not as permission to stop. When third-party assessment returns in some form — and the program rule staying in force is a strong signal that it will — readiness will still be measured against NIST SP 800-171. The work does not change; only the audience does.
There is also a quieter point in the DoW's own reasoning. The task force was told to favor “scalable, realistic security measures” over “prohibitive, third-party compliance models.” Whatever emerges, it will still reward the contractor who can show controlled access and clean screening with evidence, cheaply and continuously — not the one who bought a certificate and stopped.
Where SecurePoint fits: our visitor platform generates the timestamped access logs, escort records, and audit trail that support the NIST 800-171 Physical Protection and Audit & Accountability control families, and screens visitors and vendors against restricted-party lists with a recorded disposition. That is assessment evidence — for a self-assessment today or a C3PAO later. It is not, and we never claim it to be, a CMMC certification.
What to do during the 60-day review
Keep meeting DFARS 252.204-7012 — safeguarding CUI and incident reporting never paused, and it is enforceable today.
Maintain your Level 1 / Level 2 self-assessment and SPRS score. Your affirmation is still a statement you are accountable for.
Make physical-access evidence audit-ready now: visitor logs, escort records, and CUI-area access mapped to NIST 800-171 controls 3.10.1, 3.10.3, and 3.10.4.
Check any contract that already carried a Level 2/3 assessment clause with your contracting officer — expect amendments during the review.
Treat the window as time to close 800-171 gaps on your terms. When third-party assessment returns, the standard will be the same.
Watch for the task force recommendations around mid-September 2026, and verify current status against the issuing agency before acting.
Frequently asked questions
Primary & source coverage
- Dept. of War — "Forging the Arsenal of Freedom: DoW Suspends CMMC Phase II Requirements" (July 13, 2026)
- Federal News Network — Pentagon suspends CMMC Phase 2, launches review
- Crowell & Moring — DoW Suspends CMMC Phase II, Launches 60-Day Reform Review
- CMMC Program — 32 CFR Part 170 (eCFR)
- DFARS 252.204-7012 (Acquisition.gov)
- NIST SP 800-171 — Protecting CUI
The CMMC Phase 2 suspension and the 60-day review are recent and evolving. Effective dates and rule status change; verify the current status against the issuing agency before relying on it. This article is educational and is not legal advice.
Assessment-ready, whoever is doing the assessing
Phase 2 or not, a Level 2 self-assessment still runs on NIST SP 800-171. See how SecurePoint USA produces the visitor access evidence and restricted-party screening records that support those controls — for a self-assessment today or a C3PAO tomorrow.


