Update — July 14, 2026: This issue went out the morning after the Department of War suspended CMMC Phase 2 and all pending CMMC implementation milestones. The Rev 3 interim final rule has not been withdrawn, but the interim posture is Rev 2 and the July timeline is now unlikely. Full analysis: DoW Suspends CMMC Phase 2 — Your Audit Is Off, Your Liability Isn't
DoW Suspends CMMC Phase 2 — Your Audit Is Off, Your Liability Isn't
Third-party assessments are frozen and a 60-day review may rewrite the program entirely. DFARS 252.204-7012 and your SPRS affirmation still bind.
On July 13, the Department of War announced the immediate suspension of CMMC Phase 2, which would have required third-party C3PAO certification as a condition of award starting November 10, 2026. The decision is memorialized in a July 10 memorandum from DoW CIO Kirsten Davies, released under case number 26-P-1023. Phases 3 and 4 are suspended as well, along with all pending and future CMMC implementation milestones.
What actually changed
Under Secretary Michael Duffey was direct: the department is halting complex audits and stopping the requirement for third-party assessors. During the suspension, contracting officers may designate only Level 1 (Self) or Level 2 (Self). Solicitations carrying third-party requirements are to be amended, existing contracts modified at the next option or administrative modification, and all CMMC waivers are suspended.
The stated reason is arithmetic. Davies pointed to more than 100,000 DIB firms needing assessment against roughly 100 authorized assessors, and to SBA figures putting compliance near $593,800 per certification for firms requiring third-party assessment. Her summary: the math simply doesn't work for small and mid-sized businesses.
What did not change
Nothing about your legal obligation. DFARS 252.204-7012 remains in effect. Phase 1 self-assessment requirements remain in place. The interim posture is enforcement of NIST SP 800-171 Rev 2 through self-assessments and select government-led assessments. Davies was explicit that this reduces red tape, not cybersecurity.
That relocates the risk rather than removing it. With the C3PAO gate gone, your SPRS score and annual affirmation become the government's primary evidence of your posture — self-attested, and squarely within False Claims Act exposure. Note also that the civilian side is moving the other direction: the FAR CUI rule keyed to Rev 3 is still projected final in September.
The move
Respond to the RFI by August 14. The Task Force reports to the CIO within 60 days, roughly mid-September, and officials declined to rule out cancelling CMMC outright — so the framework that replaces this one is being decided now, and the DIB's input is the input. Meanwhile: ask your primes in writing whether their flow-downs still require certification, since a federal suspension does not rewrite your commercial agreements. If you hold a scheduled C3PAO assessment, consider converting it to a gap review rather than cancelling. Confirm details against the memoranda on dowcio.war.gov before acting.
FAQ
Is CMMC cancelled?
No. Phase 2, Phase 3, Phase 4, and all pending implementation milestones are suspended pending a 60-day review. Phase 1 self-assessments remain in force. DoW officials did not rule out cancelling the program at the end of the review.
Do I still need to comply with NIST SP 800-171?
Yes. DFARS 252.204-7012 remains in effect, and the interim enforcement posture is Rev 2 compliance verified through self-assessments and select government-led assessments.
Was my CMMC investment wasted?
Not per DoW. Davies stated that contractors who improved their posture contributed to national security and that the money was not spent in vain. A Level 2 certificate remains a marketable credential, and primes may still require it contractually.
When is the RFI deadline?
Responses are due August 14, 2026. The CMMC Reform Task Force report is due to the DoW CIO within 60 days.
The rule you spent two years preparing for was suspended with four months' notice. Federal Cyber Brief tracks the federal IT and cybersecurity rules that gate small-business work — what changed, what it costs you, and what to do about it — every Tuesday.
Sources
Department of War, Forging the Arsenal of Freedom: DoW Suspends CMMC Phase II Requirements, July 13, 2026 — https://www.war.gov/
Department of War CIO, CMMC Resources & Documentation (memoranda released under case 26-P-1023) — https://dowcio.war.gov/
U.S. Small Business Administration, SBA Commends U.S. Department of War's Suspension of CMMC Phase II for Small Defense Contractors, July 13, 2026 — https://www.sba.gov/article/2026/07/13/sba-commends-us-department-wars-suspension-cmmc-phase-ii-small-defense-contractors
Federal News Network, Pentagon suspends CMMC phase two requirements, launches review of program, July 13, 2026 — https://federalnewsnetwork.com/cybersecurity/2026/07/pentagon-suspends-cmmc-phase-two-requirements-launches-review-of-program/
DefenseScoop, DOD halts cybersecurity requirements for CMMC Phase 2, July 13, 2026 — https://defensescoop.com/2026/07/13/dod-halts-cmmc-cybersecurity-requirements-phase-2/
Jenner & Block, Department of War Suspends CMMC Phase II—But Compliance Obligations Remain, As Does Enforcement Risk — https://www.jenner.com/en/news-insights/client-alerts/department-of-war-suspends-cmmc-phase-iibut-compliance-obligations-remain-as-does-enforcement-risk
