Takeaways

CMMC Phase II requirements, including the upcoming transition to CMMC Level 2 third-party assessments, have been suspended, but CMMC Level 1 and Level 2 self-assessment requirements remain in place.
Contractors must continue to comply with other contractual obligations to implement NIST SP 800-171 rev. 2 cybersecurity controls.
A newly established CMMC Reform Task Force will recommend changes within 60 days and Defense Industrial Base (DIB) stakeholders are encouraged to submit feedback to an RFI by August 14, 2026.

On July 13, 2026, the Department of Defense (DoD) announced that it was immediately suspending the roll out of Phase II of the Cybersecurity Maturity Model Certification (CMMC) program, set to go into effect on November 10, 2026. As we have previously reported here and here, Phase II of CMMC would have involved the roll-out of CMMC Level 2 Assessments conducted by Certified Third-Party Assessment Organizations (C3PAOs). Although DoD has suspended these third-party certification requirements, it has not suspended the enforcement of the underlying cybersecurity control requirements in contracts and subcontracts.

Background
DoD’s Final Program Rule establishing CMMC explained that CMMC requirements would be implemented through a four-phase implementation plan over a three-year period. Phase I began on November 10, 2025, and involved the inclusion of CMMC Level 1 and Level 2 self-assessment requirements in new solicitations and contracts. Under Phase II of the implementation, DoD intended “to include the requirement for CMMC Status of Level 2 (C3PAO) for applicable DoD solicitations and contracts as a condition of contract award.” The Final Program Rule estimated C3PAO Assessments would impact approximately 76,000 businesses with costs of the assessment ranging between $104,670-$117,768 per business.

The Pause
On July 13, DoD’s Chief Information Officer issued a memorandum (“Reform Memorandum”) suspending the implementation of Phase II. (Notably, the suspension comes after a proposed provision in FY27 NDAA that would establish a $50 million grant program to help small businesses and nontraditional defense contractors to offset the expense of a C3PAO Assessment.) DoD’s stated rationale for suspending the implementation is that the Acquisition Transformation System (ATS) requires “ruthlessly eliminat[ing] bureaucratic barriers that impede” industrial base growth. Specifically, DoD believes that CMMC, as it stands, imposes “significant and often prohibitive burdens on the [DIB], particularly the small and non-traditional businesses that are the engine of innovation.” According to the Reform Memorandum, recent data from the Small Business Administration (SBA) demonstrated that prohibitive compliance costs, limited capacity of third-party assessors and complex regulatory timelines are forcing small businesses out of the market, negatively impacting critical suppliers. As such, DoD believes that continuing to enforce the CMMC deadlines would directly impact the ability to field capabilities to the warfighters.

Beyond suspension of Phase II, the Reform Memorandum directs the following other immediate actions:

  • Establish a dedicated CMMC Reform Task Force to conduct a top-to-bottom review of the certification program within 60 days.
  • Continue to enforce baseline compliance with National Institute of Standards and Technology Special Publication (NIST-SP) 800-171 Rev. 2 via self-assessments and select government-led assessments.
  • Program managers and requiring activities are now only authorized to make designations for CMMC Level 1 or Level 2 Self Assessments in procurement requests and requirements documents.

Along with the Reform Memorandum, DoD also issued a memorandum addressing the implementation of the suspension (“Implementation Memo”). The Implementation Memo provides further guidance regarding the state of CMMC during the pause. In addition to stating contracting agencies must only include self-assessment requirements during the pause, the Implementation Memo directs DoD agencies to provide immediate relief to contractors on existing solicitations and contracts. Specifically, the memo states that DoD agencies must amend solicitations to remove CMMC Level 2 (C3PAO) or CMMC Level 3 (DIBCAC) requirements. For existing contracts and agreements that already contain these requirements, contracting officers and agreements officers are directed to remove them via modification prior to the exercise of the next option period or during the next scheduled administrative modification. It also states that Program Managers and requiring activities must continue to identify information security requirements associated with a planned contract effort.

On July 13, the Department also published a Request for Information (RFI) titled “Reforming CMMC and Reducing Compliance Burden for the Defense Industrial Base (DIB)” with responses due by August 14, 2026, at 12:00 pm (EDT). The RFI industry seeks input “on practical strategies to inform the newly established CMMC Reform Task Force during its review” including input on protecting federal data and uplifting operational resilience against cyber-attacks while also reducing compliance costs and administrative burdens.”  

Looking Ahead
The suspension of the C3PAO requirement will likely be welcomed relief to government contractors and subcontractors who have not yet undergone their third-party certification. With that said, contractors should not view this as a pause on their underlying cybersecurity obligations or the government’s enforcement priorities. Indeed, the July 13 memos make clear that contractors are still required to comply with their obligations under DFARS 252.204-7012 and with existing CMMC Level 1 and 2 self-assessment requirements. Thus, contractors must remain diligent in their efforts to implement the NIST SP 800-171 rev. 2 controls on systems processing, storing or handling controlled unclassified information. Failure to comply with these requirements could result in serious consequences such as contract termination and False Claims Act liability.

In addition, there will likely be delays and ambiguities in implementing the requirements of these memos, especially with regard to existing solicitations and contracts. Contractors and subcontractors alike must ensure that they understand their obligations in connection with existing solicitations and contracts and that those documents are formally amended, where necessary.

These and any accompanying materials are not legal advice, are not a complete summary of the subject matter, and are subject to the terms of use found at: https://www.pillsburylaw.com/en/terms-of-use.html. We recommend that you obtain separate legal advice.