CMMC Phase II Is Paused. The Security Obligation Is Not.
CMMC UPDATE

CMMC Phase II Is Paused. The Security Obligation Is Not.

What the July 13 suspension changes, what remains in force, and how defense contractors should use the review period.

Leonard EsereJuly 14, 2026

On July 13, 2026, the Department announced the immediate suspension of CMMC Phase II, which had been scheduled to begin November 10, 2026. It also suspended pending and future implementation milestones while a reform task force reviews the program. That is a meaningful change. It is not the elimination of CMMC, NIST SP 800-171, SPRS assessments, or the contractual duty to protect covered defense information.

The short version

The external certification timetable moved. Phase I self-assessments remain firmly in place. The Department says it will enforce NIST SP 800-171 Rev. 2 through self-assessments and selected government-led assessments during the interim. DFARS 252.204-7012 still applies to covered contractor information systems.

What paused

The transition to Phase II and pending or future CMMC implementation milestones.

What remains

Phase I self-assessment requirements and NIST SP 800-171 Rev. 2 enforcement.

What still controls

Your solicitation, your contract, and DFARS 252.204-7012 obligations.

What changed

The November 10 Phase II deadline should no longer drive your buying decision or your implementation schedule. The Department is reviewing whether the certification model creates too much cost and administrative burden, particularly for small and non-traditional businesses. The reform task force is expected to deliver its report to the Department CIO within 60 days.

No one can responsibly promise what the replacement timetable or assessment model will be. Marketing that still says every contractor must pass a C3PAO assessment by November 2026 is now stale.

What did not change

  • Phase I remains in place. The announcement says all Phase I self-assessment requirements remain firmly in place.
  • NIST SP 800-171 Rev. 2 remains the interim security baseline. The Department says it will use self-assessments and selected government-led assessments to enforce it during the review.
  • DFARS 252.204-7012 remains contractual. Contractors and subcontractors must continue safeguarding covered defense information.
  • SPRS still matters. Current DFARS policy requires a current NIST SP 800-171 DoD Assessment for applicable awards, and contracting officers verify the summary-level score in SPRS.

Phase II is a rollout phase, not CMMC Level 2

The announcement pauses a phase of implementation. It does not say that CMMC Level 2, CUI protection, or the underlying 110 NIST SP 800-171 Rev. 2 security requirements have been erased.

The strategy now

Stop selling or buying a date. Build a defensible security position that works under self-assessment today and can be reused if independent certification returns in a revised form.

1. Validate the score you are prepared to affirm

Reconcile your SPRS score to live system state, your SSP, your POA&M, and the evidence behind each scored requirement. A spreadsheet score that cannot be reproduced is not a durable position.

2. Use Rev. 2 as the operating baseline

The announcement explicitly names NIST SP 800-171 Rev. 2 for the interim period. Track Rev. 3 as forward-looking readiness, but do not combine its requirement count with the 110-requirement CMMC Level 2 baseline.

3. Fix the control, then collect the evidence

Prioritize identity, access, logging, configuration, incident response, and CUI boundary gaps that reduce real risk. Preserve evidence continuously instead of rebuilding it for a deadline.

4. Stay ready for more than one kind of review

Your evidence should support Phase I self-assessment, a selected government-led assessment, a prime-contractor review, and any future certification model without four separate compliance programs.

A practical next-30-day plan

  1. 1. Confirm which systems receive, store, process, or transmit CUI.
  2. 2. Re-run the NIST SP 800-171 Rev. 2 assessment against actual system state.
  3. 3. Reconcile the result to the score and assessment date recorded in SPRS.
  4. 4. Correct the highest-risk technical gaps and update the SSP and POA&M.
  5. 5. Build a dated evidence trail that another person can independently follow.
  6. 6. Monitor the reform task force, RFI, and contract-specific direction without guessing at the outcome.

Where PolicyCortex fits

PolicyCortex is most useful when compliance is not a one-time exam. It validates live control state, maps evidence to NIST requirements, detects drift, and keeps the SSP, POA&M, and evidence trail aligned. That makes the score you affirm more defensible now and preserves the work if the Department introduces a revised certification model.

Know the score you can defend

We will review your CUI scope, current assessment position, and evidence gaps without pretending anyone knows the final shape of CMMC reform yet.

Request an SPRS evidence review

Primary sources

This article is general information, not legal advice. Your solicitation, contract, flow-down clauses, and contracting officer direction control your obligations.