CMMC Phase 2 Third-Party Assessments Are Suspended: Here's What Actually Changed

3 min read
Jul 15, 2026

Here Is Why You Should Keep Your Compliance Roadmap On Track

On July 13, 2026, the Department of War's Office of the Chief Information Officer announced the immediate suspension of Phase 2 third-party assessment requirements under the Cybersecurity Maturity Model Certification (CMMC) program. If you're a defense contractor or subcontractor, that headline probably raised your pulse. Before you shelve your compliance roadmap, here's what the announcement actually says, and why it changes less than you might think.

What Was Actually Suspended

The announcement is narrower than the word "suspension" might suggest. It pauses Phase 2 of the CMMC rollout: the requirement for Organizations Seeking Certification (OSCs) handling Controlled Unclassified Information (CUI) to undergo third-party assessments conducted by accredited C3PAOs. That specific certification mechanism is on hold while a newly formed CMMC Reform Task Force reviews the program and delivers recommendations within 60 days.

Simultaneously, the department issued a Request for Information (RFI) inviting industry partners to weigh in on how they'll continue supporting cybersecurity while scaling production under the Arsenal of Freedom initiative. In the coming days, officials also plan to launch a "Brilliant at the Basics" campaign, which includes streamlined and practical guidance aimed at reducing cyber risk across both IT and OT environments for small and mid-size businesses.

Phase 1 Self-Assessments Remain Firmly in Place

This is the detail that matters most for the majority of the Defense Industrial Base (DIB): Phase 1 self-assessment requirements were explicitly called out as unaffected. If your organization is working toward Level 1 or Level 2 self-assessment, that obligation hasn't moved. The suspension applies specifically to the third-party assessment layer that was set to expand under Phase 2

Compliance Isn't Optional, Only the Bureaucracy Is Changing

The department was direct on this point: safeguarding covered defense information "remains a non-negotiable legal requirement." The stated goal of this action is to cut the cost of bureaucratic compliance, not the importance of cybersecurity itself. NIST SP 800-171 obligations and DFARS 252.204-7012 safeguarding, along with incident-reporting requirements, remain in force regardless of where CMMC certification timelines land.

Contractors who have already invested in third-party assessment readiness were specifically thanked and reassured that "your investments were not in vain", that work has made their organizations more resilient independent of the certification mechanism.

For contractors, that's the key takeaway: this is a pause on one certification pathway, not a rollback of the underlying security expectations that flow down through DoD contracts.

What This Means for Your Organization Right Now

Until the Reform Task Force issues its recommendations, treat this as a window rather than an off-ramp. Organizations that continue tightening access controls, documenting policies, and closing gaps against NIST 800-171 will be better positioned no matter what the task force ultimately recommends for the assessment structure. Organizations that pause entirely risk having to restart momentum later and losing ground on the underlying legal safeguarding requirements that were never suspended in the first place.

This is also a reasonable moment to revisit your System Security Plan (SSP), confirm your SPRS score reflects your current control environment, and make sure your policies and technical controls are still aligned, all steps that pay off under any future version of the certification framework.

Stay Ready for Whatever Comes Next 

The specifics of CMMC's assessment structure may still shift over the next 60 days and beyond. What won't shift is the legal requirement to protect Federal Contract Information and Controlled Unclassified Information. Dragnet is monitoring the CMMC Reform Task Force's progress and the department's RFI response closely, and we'll keep our clients and partners updated as the picture becomes clearer.

If you want a clear-eyed read on where your organization actually stands, independent of which certification pathway is active this quarter, our team at Dragnet can walk through your current gap posture and help you prioritize what to work on next.

Source: Department of War Office of the CIO announcement, dodcio.defense.gov/CMMC

Schedule a CMMC Discovery Call

 

Topics: Compliance CMMC

Get Email Notifications