Share
Compliance Strategy
July 16, 2026
Phase 1 · Self-assessmentIN FORCE since Nov 10, 2025YOU ARE HEREPhase 2 PAUSEDsuspended July 13, 2026C3PAO certificationunder 60-day review

CMMC Phase 2 Is Paused — But the Requirements That Reach Your Front Desk Never Moved

On July 13, 2026, the Department of War suspended CMMC Phase 2 and the third-party certification requirement that was set to hit contracts on November 10. Here is what actually changed, what is still fully in force today, and why the physical-access and screening controls that trip up defense contractors were never part of the pause.

When a headline says a compliance deadline was “suspended,” the dangerous reaction is relief. For most of the defense industrial base, the July 13 decision on CMMC is genuinely good news — a costly, capacity-starved requirement got pushed back. But if a contractor reads “Phase 2 paused” as “we can ease off,” they will walk straight into the requirements that did not pause.

On July 13, 2026, the Department of War (DoW) announced the immediate suspension of CMMC Phase 2 — the phase that would have made an independent third-party assessment a condition of award — and launched a 60-day “CMMC Reform Task Force” to review the program, with recommendations expected around mid-September 2026. The memo, issued by the department's Chief Information Officer, framed the pause around a blunt problem: the combination of prohibitive compliance costs, a severe shortage of third-party assessor capacity, and complex timelines was pushing small businesses and new entrants out of defense work.

The one-sentence version

The third-party verification of your cybersecurity program was paused. The requirement to have that program — self-assessed, attested, and safeguarding CUI under DFARS 252.204-7012 — was not.

What was actually suspended

Phase 2 was the point at which CMMC got teeth from an outside party. For most contracts involving Controlled Unclassified Information (CUI), it would have required a Level 2 certification assessment performed by an accredited third party — a Certified Third-Party Assessment Organization, or C3PAO — as a condition of award, replacing the self-attestation contractors use today. That transition, scheduled to begin appearing in solicitations on November 10, 2026, is what the DoW suspended.

Follow-up guidance after the memo indicated that active solicitations and contracts that already contain a Level 2 or Level 3 assessment requirement are to be amended to remove it during the review. If that describes one of your contracts, the status of that clause is a conversation with your contracting officer — not something any software vendor can change or interpret for you.

What remains fully in force today

This is the part worth reading twice, because it is where the misread costs money. The suspension touched the assessment mechanism. It left the underlying obligations standing:

Paused (under review)
  • Third-party C3PAO Level 2 certification as a condition of award
  • Level 3 (government-led) assessment requirements
  • The Nov 10, 2026 Phase 2 transition in new solicitations
  • Removal of Level 2/3 assessment clauses from active contracts during the review
Still in force now
  • DFARS 252.204-7012 — safeguard covered defense information, report cyber incidents
  • Level 1 self-assessment for Federal Contract Information (FCI)
  • Level 2 self-assessment & attestation for CUI, implementing NIST SP 800-171
  • NIST 800-171 Physical Protection — escort visitors, log physical access, control CUI areas (3.10.1 / 3.10.3 / 3.10.4)

Both the program rule at 32 CFR Part 170 and the acquisition rule that lets a contracting officer require a CMMC status remain on the books; neither can be rewritten without going back through rulemaking. And a Level 2 self-assessment still requires you to meet the same NIST SP 800-171 controls a C3PAO would have checked — you are simply attesting to them yourself, with an official signing the affirmation, for now.

Why this matters at the front desk

The controls that most often derail an otherwise-ready defense contractor are the physical ones — escorting visitors, logging who reached a CUI area, and proving it with evidence rather than a policy binder. Those controls sit inside the Level 2 self-assessment that is still required, and inside DFARS 7012 safeguarding. The pause did nothing to soften them. An affirmation you sign yourself is still a statement the government can hold you to.

The smart way to use the pause

The reprieve is real, and it is worth something: the C3PAO queue was always going to be the binding constraint, and now there is breathing room. But the contractors who come out ahead will treat the review window as time to close the same gaps on their own terms, not as permission to stop. When third-party assessment returns in some form — and the program rule staying in force is a strong signal that it will — readiness will still be measured against NIST SP 800-171. The work does not change; only the audience does.

There is also a quieter point in the DoW's own reasoning. The task force was told to favor “scalable, realistic security measures” over “prohibitive, third-party compliance models.” Whatever emerges, it will still reward the contractor who can show controlled access and clean screening with evidence, cheaply and continuously — not the one who bought a certificate and stopped.

Where SecurePoint fits: our visitor platform generates the timestamped access logs, escort records, and audit trail that support the NIST 800-171 Physical Protection and Audit & Accountability control families, and screens visitors and vendors against restricted-party lists with a recorded disposition. That is assessment evidence — for a self-assessment today or a C3PAO later. It is not, and we never claim it to be, a CMMC certification.

What to do during the 60-day review

Keep meeting DFARS 252.204-7012 — safeguarding CUI and incident reporting never paused, and it is enforceable today.

Maintain your Level 1 / Level 2 self-assessment and SPRS score. Your affirmation is still a statement you are accountable for.

Make physical-access evidence audit-ready now: visitor logs, escort records, and CUI-area access mapped to NIST 800-171 controls 3.10.1, 3.10.3, and 3.10.4.

Check any contract that already carried a Level 2/3 assessment clause with your contracting officer — expect amendments during the review.

Treat the window as time to close 800-171 gaps on your terms. When third-party assessment returns, the standard will be the same.

Watch for the task force recommendations around mid-September 2026, and verify current status against the issuing agency before acting.

Frequently asked questions

No. The Department of War suspended Phase 2 — the phase that would have required third-party (C3PAO) Level 2 and Level 3 certification assessments, scheduled to begin appearing in contracts on November 10, 2026. The CMMC program rule (32 CFR Part 170) and the acquisition rule remain on the books, and a 60-day "CMMC Reform Task Force" is reviewing the program, with recommendations expected around mid-September 2026. This is a pause on the third-party-assessment requirement, not a repeal of the program.

Primary & source coverage

The CMMC Phase 2 suspension and the 60-day review are recent and evolving. Effective dates and rule status change; verify the current status against the issuing agency before relying on it. This article is educational and is not legal advice.

Assessment-ready, whoever is doing the assessing

Phase 2 or not, a Level 2 self-assessment still runs on NIST SP 800-171. See how SecurePoint USA produces the visitor access evidence and restricted-party screening records that support those controls — for a self-assessment today or a C3PAO tomorrow.

Found this helpful? Share it with a colleague.

Visitor Compliance Checklist

  • ITAR/EAR and CMMC L2 requirements
  • Audit-ready evidence collection
  • AI assists, humans approve
Download PDF

Stay ahead of compliance changes

Get weekly insights on sanctions, export controls, and visitor compliance delivered to your inbox.

No spam. Unsubscribe anytime.

CMMC Phase 2 Suspended: What Defense Contractors Still Must Do | SecurePoint USA | SecurePoint USA