ITAR Registration Code: M49438 / Cage Code: 94U86

CMMC Level 2

CMMC Phase II Implementation Paused: What Defense Contractors Need to Know

Table of Contents

On July 13, 2026, the Department of War announced the immediate suspension of CMMC Phase II requirements and launched a 60-day review of the program as part of Secretary Pete Hegseth’s Acquisition Transformation System (ATS) initiative.

The announcement quickly made headlines across the Defense Industrial Base (DIB). Many contractors immediately began asking the same questions:

  • Is CMMC going away?
  • Do we still need to prepare for certification?
  • Are C3PAO assessments canceled?
  • Should we pause our compliance efforts?

The short answer is no.

Key Takeaways

  • CMMC has not been eliminated.
  • Existing DFARS/NIST cybersecurity obligations remain in effect.
  • Continue preparing while the Department completes its review.

While the Department has paused the planned implementation of CMMC Phase II, it has not eliminated the CMMC program or removed the cybersecurity requirements that defense contractors are expected to meet. Existing contractual obligations, cybersecurity expectations, and the responsibility to protect Controlled Unclassified Information (CUI) remain unchanged.

Understanding exactly what was announced and what it means for your business is critical. Let’s break it down.

What Did the Department of War Announce?

The Department of War announced that it is suspending the implementation of CMMC Phase II requirements while it conducts a comprehensive 60-day review of the program.

According to the Department, the review is intended to evaluate whether the current implementation approach best supports the Defense Industrial Base while continuing to protect national security. The review is part of Secretary Pete Hegseth’s broader effort to modernize defense acquisition through the Acquisition Transformation System (ATS), an initiative focused on reducing unnecessary bureaucracy, improving efficiency, and accelerating the delivery of critical capabilities to the warfighter.

It is important to understand what this announcement does and does not mean.

The Department is reviewing the implementation of Phase II, specifically the planned rollout of mandatory third-party C3PAO assessments that were scheduled to begin in November 2026. It is not announcing the end of CMMC, nor is it eliminating the cybersecurity standards defense contractors are expected to follow.

Why Is Phase II Being Reviewed?

Secretary Pete Hegseth has repeatedly emphasized that the Department’s acquisition processes must become faster, more efficient, and less burdensome without compromising national security.

The review of CMMC Phase II reflects that same philosophy.

The Department wants to determine whether the current implementation timeline and certification process create unnecessary challenges for contractors, particularly small and mid-sized businesses that make up a significant portion of the Defense Industrial Base.

Rather than assuming the current implementation is the only path forward, the Department is taking the opportunity to evaluate whether improvements can be made before mandatory third-party assessments become a contract requirement.

This review should be viewed as an effort to improve implementation, not an indication that cybersecurity is becoming less important.

Cybersecurity Is Still a Top Priority

One of the most important statements in the Department’s announcement came from the Department of War Chief Information Officer, Kirsten Davies.

She reaffirmed that robust cybersecurity and operational resilience remain critical to protecting American innovation, strengthening the Defense Industrial Base, and supporting warfighter readiness.

That message should remove any doubt about the Department’s priorities.

Cybersecurity has not been deprioritized.

Protecting sensitive government information remains essential, and contractors that store, process, or transmit Controlled Unclassified Information are still expected to maintain appropriate cybersecurity safeguards.

The Department is reviewing how CMMC Phase II will be implemented, not whether cybersecurity remains necessary.

The Honorable Michael Duffey, Under Secretary of War for Acquisition and Sustainment, reinforced this same point, stating that the Department has a strategic imperative to reduce bureaucracy while building the world’s strongest Arsenal of Freedom, and that the decision ensures a strict security baseline is maintained while removing paralyzing costs and keeping innovators and competition growing in the defense supply chain.

What Is CMMC Phase II?

CMMC is being introduced in multiple phases.

Phase I primarily focuses on self-assessments for contracts that require lower levels of verification.

Phase II introduces mandatory third-party certification for many contractors that handle Controlled Unclassified Information (CUI). Under the original implementation schedule, organizations within this scope would need to successfully complete an assessment performed by an authorized Certified Third-Party Assessment Organization (C3PAO) before receiving certain contract awards.

This planned implementation is now under review.

The Department has not announced the elimination of C3PAO assessments. Instead, it is evaluating whether the current November 2026 implementation timeline remains appropriate or requires adjustments.

The Department’s implementing memorandum (26-P-1023, signed by Under Secretary of War for Acquisition and Sustainment Michael Duffey) spells out exactly what this means for procurement documents during the suspension. Program Managers and requiring activities may only include CMMC Level 1 (Self) or CMMC Level 2 (Self) assessment requirements in solicitations. They are not permitted to designate CMMC Level 2 (C3PAO) or CMMC Level 3 (DIBCAC) assessments while the review is underway. In practical terms, self-assessment stays available and is expected to continue, but the third-party and government-led certification tiers are what’s on hold.

It is worth noting that CMMC Level 2 self-assessment is not a rubber stamp. Under the existing NIST SP 800-171 scoring methodology, organizations still need a minimum SPRS score of 88 out of 110 to demonstrate an acceptable level of implementation. The suspension changes who verify that score, not the bar itself.

What Has Not Changed?

Although the announcement has generated considerable discussion, several important requirements remain the same.

If your organization handles Controlled Unclassified Information, your responsibility to protect that information has not changed.

The Department’s news release is explicit on this point, stating that this action does not eliminate the requirement for companies to protect federal data. All defense contractors and subcontractors remain contractually obligated to safeguard covered defense information in accordance with DFARS clause 252.204-7012.

In other words, the CMMC audit controls tied to 252.204-7012 still apply. The Phase II pause affects the third-party certification mechanism, not the underlying safeguarding obligation itself.

Organizations should continue to implement and maintain applicable NIST SP 800-171 Rev 2 security controls. The Department’s implementing memorandum specifically directs that baseline compliance during the suspension period is enforced through NIST SP 800-171 Rev 2, via CMMC Level 1 and Level 2 self-assessment and select government-led assessments.

Required documentation should continue to be developed and maintained.

Evidence supporting implemented security controls should continue to be collected.

Internal cybersecurity improvements should continue.

Simply put, the announcement does not mean organizations should stop preparing for CMMC.

What Implementing Memo Directs for Active Solicitations and Contracts

Beyond the CIO’s initial announcement, Under Secretary of War for Acquisition and Sustainment Michael Duffey issued a formal implementing memorandum (26-P-1023) on July 13, 2026, directing Program Managers, requiring activities, and contracting officers on exactly how to carry out the suspension. Two directives from that memo are especially relevant for contractors currently in a solicitation or holding an active contract.

Relief on solicitations and contracts that already contain Phase II requirements. If a solicitation package already includes a CMMC Level 2 (C3PAO) or CMMC Level 3 (DIBCAC) requirement, Program Managers and requiring activities must initiate an amendment removing it, and the contracting or agreements officer must issue the corresponding amendment as soon as practicable. For contracts or agreements that already contain these requirements, contracting and agreements officers are directed to remove them by modification before the next option period or the next scheduled administrative modification. If you’re currently working on a solicitation or contract with a Level 2 (C3PAO) or Level 3 (DIBCAC) requirement baked in, this is worth raising directly with your contracting officer.

No waivers during the review. The memo makes it clear that no waivers will be granted while the CMMC Reform Task Force conducts its review. This directive is effective immediately, and further guidance will be provided only once the 60-day review concludes.

Your Primes Haven’t Paused Anything

The Phase II suspension applies to what the Department itself requires in its own solicitations and contracts. It does not apply to what your prices require of you.

Nothing in this suspension prevents a prime contractor from requiring a subcontractor to obtain CMMC Level 2 certification before sharing Controlled Unclassified Information. Several major primes have already reduced Level 2 certification requirements for their supply chains on their own timelines, independent of the Department’s Phase II schedule. If a prime is sharing CUI with you and wants third-party validation, a self-assessment will not satisfy that requirement.

There is also a liability angle worth understanding. With fewer third-party assessments in the near term, more weight falls on your own attestation: your SPRS score and the annual affirmation signed by your organization’s Affirming Official. The Department of Justice continues to pursue False Claims Act cases against companies whose representations do not align with their actual cybersecurity posture. Fewer audits do not mean less accountability. In some respects, the suspension places more responsibility on the accuracy of your self-reporting.

What Does This Mean for Contractors Already Preparing?

For organizations that have already invested time and resources into CMMC readiness, this announcement should not discourage continued progress.

Every security control implemented, every policy documented, and every process improved strengthens your organization’s cybersecurity posture.

Those investments continue providing value regardless of whether Phase II begins in November 2026 or later.

If anything, our recommendation is that organizations continue preparing now. Doing so is likely to leave you in a stronger position once the Department announces its final decision, though the outcome of the review itself remains uncertain.

Could This Benefit Companies That Are Behind?

Potentially, yes.

Many contractors have spent the past several years preparing for CMMC, while others have delayed implementation due to staffing limitations, budget constraints, competing priorities, or uncertainty surrounding the certification timeline.

If the Department ultimately decides to postpone the mandatory C3PAO assessment requirement, those organizations could gain valuable additional time to:

  • Complete cybersecurity gap assessments
  • Implement remaining technical safeguards
  • Finalize required documentation
  • Train employees
  • Build supporting assessment evidence
  • Conduct internal readiness reviews

However, additional time should never be viewed as permission to stop preparing.

Organizations that pause their compliance efforts now may find themselves rushing to catch up once the Department completes its review.

If your organization supports defense contracts and is unsure how CMMC timelines, SPRS requirements, or assessment readiness apply to you, now is the time to get clarity.

Download the CMMC Level 2 Audit Checklist to understand what evidence is required, and where organizations most commonly fall short.

What Should Defense Contractors Do During the 60-Day Review?

Based on current contractual obligations, our recommendation is straightforward.

  • Continue preparing.
  • Continue strengthening your cybersecurity program.
  • Continue documenting your environment.
  • Continue implementing technical controls.
  • Continue training your employees.
  • Continue improving your overall security posture.

Whether the Department maintains the current timeline, delays implementation, or adjusts the certification process, our recommendation is that organizations continue preparing today. Based on current contractual obligations, this positions you well regardless of how the review concludes.

Waiting for the review to conclude poses unnecessary risk and could leave companies scrambling if certification requirements advance sooner than expected.

Official Resources for the Review Period

The Department has made several official channels available for contractors during the 60-day review.

The Department has published a formal Request for Information on reforming CMMC and reducing compliance burden for the Defense Industrial Base. This is the formal mechanism for contractors to submit feedback on cost drivers, administrative burdens, and which security controls deliver meaningful risk reduction. Organizations that have real cost and implementation data should strongly consider responding, and should plan to do so by the August 14, 2026, response deadline.

The RFI asks contractors to address seven specific questions:

  1. Identify the top five most prohibitive cost drivers, administrative burdens, or operational challenges your organization has experienced, or anticipates experiencing, in complying with the CMMC framework and NIST SP 800-171 Rev 2.
  2. Which specific security controls has your organization found deliver the most tangible uplift in cybersecurity and actual risk reduction?
  3. Conversely, which specific regulatory requirements or security controls impose the highest administrative overhead and financial burden while yielding the least measurable improvement in your actual cybersecurity posture?
  4. Describe how your organization uses existing commercial cybersecurity capabilities, platforms, managed services, or other strategies to safeguard data, improve operational resiliency, and reduce cybersecurity risk, and how the Department might better recognize or accept these commercial solutions within a compliance or risk framework.
  5. Regarding Phase I self-assessments, what administrative or technical challenges does your organization face in maintaining, verifying, and reporting compliance, and how could this process be streamlined? Have your self-assessments led to a more dynamic cyber posture, or are they performed only for compliance purposes?
  6. What specific, actionable policy changes or regulatory reforms should the CMMC Reform Task Force recommend to reduce costs and barriers to entry for small, medium, and non-traditional businesses without degrading the protection of federal data?
  7. What specific, actionable policy changes or regulatory reforms should the Task Force recommend improving operational resilience against cyberattacks at your organization?

Responses that bring real cost and operational data, rather than general commentary, are likely to carry the most weight with the Task Force.

The Department’s Brilliant Basics page is the designated source for program updates as the review progresses, including the task force’s eventual recommendations, expected on or about September 13, 2026, 60 days after the July 13 announcement.

Contractors seeking hands-on support during this period can also use Project Spectrum, the Department’s cybersecurity readiness and compliance resource. It offers self-assessment tools, cybersecurity readiness training, advisory services, and policy and documentation templates to help organizations strengthen their security posture during the review.

Our Perspective

At Brea Networks, we believe this announcement should be viewed as an opportunity to gain clarity, not as a reason to pause cybersecurity efforts.

The Department of War is evaluating the implementation of CMMC Phase II to ensure that the certification process effectively supports both national security and the businesses that comprise the Defense Industrial Base.

Secretary Pete Hegseth’s focus on acquisition reform seeks to reduce unnecessary administrative burdens while maintaining the capabilities needed to protect the nation.

Chief Information Officer Kirsten Davies has reinforced that cybersecurity remains fundamental to protecting America’s defense supply chain.

Taken together, these messages tell a consistent story.

The Department is reviewing the implementation of mandatory third-party C3PAO assessments, not the importance of cybersecurity itself.

Final Thoughts

The headlines surrounding this announcement have understandably created confusion.

While it is accurate to say the Department of War has paused CMMC Phase II requirements during its 60-day review, it is equally important to understand what that suspension means.

The Department has not announced the end of CMMC.

It has not eliminated the responsibility to protect Controlled Unclassified Information.

It has not removed existing cybersecurity expectations for defense contractors.

Instead, it is reviewing whether the implementation of mandatory third-party assessments should proceed as originally planned or be adjusted to better support the Defense Industrial Base.

For defense contractors, the path forward remains clear.

Continue preparing.

Continue strengthening your cybersecurity program.

Continue protecting sensitive information.

Regardless of the outcome of the Department’s review, our recommendation is that organizations remain proactive today. Based on current contractual obligations, this is the position most likely to hold up well, regardless of how the review concludes.

Not sure where your organization stands with CMMC, ITAR, or federal cybersecurity requirements? The fastest way to get clarity is to talk with an expert. Book a call with our team to review your current environment, identify compliance risks, and determine the steps required to move forward. A short conversation can help you avoid costly mistakes and focus on what matters for contract eligibility and security.

SCHEDULE YOUR FREE CONSULTATION!

 

About Brea Networks

Brea Networks is a cybersecurity and compliance-focused IT partner supporting Defense Industrial Base (DIB) contractors. We help organizations implement the security requirements outlined in FAR 52.204-21, DFARS 252.204-7012, NIST SP 800-171, and the CMMC framework. Whether your organization is completing a Level 2 self-assessment or preparing for future third-party certification, we help define assessment scope, strengthen cybersecurity, prepare documentation, improve SPRS readiness, and build sustainable compliance programs that protect FCI and CUI.

Annual affirmations remain part of the CMMC program. Organizations required to perform CMMC self-assessments continue to submit affirmations in SPRS as required by the CMMC rule. Although the Department has temporarily paused the implementation of Phase II Level 2 (C3PAO) requirements during its 60-day review, it has not announced the elimination of annual affirmations or the underlying cybersecurity obligations established under the CMMC program. Contractors should continue to maintain accurate documentation and security evidence supporting the reported compliance posture.