On July 13, 2026, the Department of War announced the immediate suspension of CMMC Phase II requirements, which were scheduled to take effect on November 10, 2026. Within hours, defense contractors started asking the same question: “Do we still need to spend money on this?”
Yes. Here’s why, and what actually changed.
What the Department of War Announced
The official release states the following:
- Phase II is suspended, effective immediately. This includes pending and future CMMC implementation milestones across Department of War solicitations and contracts.
- All Phase I self-assessment requirements remain firmly in place. Phase 1 began November 10, 2025, and continues unchanged.
- A CMMC Reform Task Force will conduct a 60-day review of the program, synthesizing industry feedback and delivering recommendations to the DoW CIO. The stated goal: align CMMC with Secretary of War Pete Hegseth’s Acquisition Transformation System (ATS) directives, which prioritize speed to capability, lower barriers for small, medium, and non-traditional businesses, and favor scalable cybersecurity over bureaucratic compliance.
- During the review, the Department will enforce NIST SP 800-171 Rev 2 through self-assessments and select government-led assessments.
DoW CIO Kirsten A. Davies was direct: “Robust cybersecurity and operational resilience remain critical to protecting American innovation and supporting warfighter readiness.”
What Did NOT Change
This is the part getting lost in the headlines. The suspension pauses third-party certification. It does not pause your security requirements.
DFARS 252.204-7012 remains contractually binding. The release states it plainly: “All defense contractors and subcontractors remain contractually obligated to safeguard covered defense information in accordance with DFARS clause 252.204-7012.” If you handle CUI, the 110 security requirements of NIST SP 800-171 Rev 2 still apply to your environment today.
Self-assessments and SPRS scores are still required. Under Phase 1:
- Level 1 (FCI): Annual self-assessment and annual affirmation against the 15 requirements in FAR 52.204-21, entered into SPRS. POA&Ms are not permitted.
- Level 2 (CUI): Self-assessment against all 110 NIST 800-171 Rev 2 requirements every three years, with annual affirmation, entered into SPRS. POA&Ms are permitted but must close within 180 days.
Government-led assessments continue. The Department explicitly retained “select government-led assessments” during the review period. Organizations reporting a perfect 110 in SPRS should expect that score to invite scrutiny, not deflect it.
The False Claims Act still applies. Your annual affirmation is a legal attestation by a senior official. The Department of Justice has pursued contractors under its Civil Cyber-Fraud Initiative for misrepresenting cybersecurity compliance. An inflated SPRS score was a liability before July 13. It still is.
Why This Happened, and Why It Was Predictable
The math didn’t math. Phase II would have required certification through a system supported by roughly 100 authorized C3PAOs, against a defense industrial base with over 120,000 small organizations needing assessment. SBA reporting confirmed compliance costs were pushing innovative suppliers out of the DIB entirely.
CMMC has never been smooth sailing. The program has been revised, delayed, and restructured repeatedly since its introduction. A bottleneck-driven pause on the third-party assessment layer is a correction to the delivery mechanism, not a retreat from the requirement to protect federal data. The Department said exactly that in its own release.
The Wrong Move Right Now: Pausing Your Compliance Program
Some organizations will read “suspended” and freeze their budgets. That decision creates three problems:
1. You are still on the hook today. NIST 800-171 and DFARS 7012 obligations didn’t move. A cyber incident or a government-led assessment during the review period lands on your current environment, not your future one.
2. The requirement is coming back. The task force’s mandate is to recommend “realistic, scalable security measures.” That is reform, not repeal. Organizations that keep implementing will be positioned for whatever CMMC becomes. Organizations that stop will restart from behind, competing for the same limited remediation and assessment capacity as everyone else who waited.
3. Contract eligibility doesn’t pause. Primes are not loosening flow-down requirements because of a 60-day review. Your SPRS score is still visible. Your affirmation is still due.
Compliance Is the Driver. It’s Not the Only Return.
Here’s what gets missed when CMMC is treated as a paperwork exercise: the work required to actually meet NIST 800-171 fixes problems your organization already has.
Most defense contractors we assess are running fragmented environments: CUI scattered across on-prem file servers, Google Workspace, Box, and personal drives. That sprawl is why they can’t pass an assessment. It’s also why they can’t find their own data, can’t control who accesses it, and can’t collaborate securely with primes and teaming partners.
Consolidating into Microsoft GCC High solves both problems at once:
- One environment that holds and tracks your data, with the access controls, logging, and monitoring NIST 800-171 requires built in, not bolted on.
- Secure collaboration with other GCC High organizations (primes, subs, and partners) without side channels that break your CUI boundary.
- An audit trail that exists by default, so your self-assessment and affirmation rest on evidence instead of estimates.
Organizations that migrate for compliance keep the environment for efficiency. The contract eligibility is the floor, not the ceiling.
What to Do This Quarter
- Verify your current SPRS score is accurate and defensible. If it was optimistic, correct it before it becomes a False Claims Act problem.
- Confirm your CUI boundary. If you can’t say exactly where CUI lives, that’s the first gap.
- Keep your remediation on schedule. POA&M items still have a 180-day clock at Level 2.
- Use the pause to consolidate. A GCC High migration takes planning. Sixty days of regulatory quiet is the best window you’ll get.
- Watch the task force output. The final report goes to the DoW CIO within 60 days. We’ll break down what it means when it lands.
Where Agile IT Fits
Agile IT implements NIST 800-171 security requirements in Microsoft environments. We migrate defense contractors to GCC High, configure and secure the environment, and validate it against the 110 requirements, so your self-assessment reflects an environment that actually complies, not a spreadsheet that hopes it does.
If your organization handles CUI and you’re deciding what this suspension means for your budget, start with an assessment of where you stand today.
Schedule a CMMC readiness assessment
Frequently Asked Questions
Is CMMC going away?
No. The Department of War suspended Phase II and launched a 60-day review to reform the program, not eliminate it. Phase 1 self-assessment requirements remain fully in effect.
Do I still need to comply with NIST 800-171?
Yes. During the review period, the Department will enforce NIST SP 800-171 Rev 2 through self-assessments and select government-led assessments. DFARS 252.204-7012 remains contractually binding for anyone handling covered defense information.
Do I still need to submit a score to SPRS?
Yes. Level 1 requires an annual self-assessment and affirmation. Level 2 requires a self-assessment every three years with annual affirmation. Both are entered into SPRS.
Should I pause my CMMC preparation?
No. The security requirements didn’t change, government-led assessments continue, and the program is expected to return in a reformed state. Organizations that keep implementing will be positioned for whatever CMMC becomes.
What happens after the 60-day review?
The CMMC Reform Task Force will deliver recommendations to the DoW CIO. We will publish a breakdown when the report lands.
Sources: Department of War release, July 13, 2026 · DoD CIO: About CMMC





