You’ve probably seen the recent headlines about CMMC, the Department of Defense’s (now the Department of War) Cybersecurity Maturity Model Certification, and there’s a lot of noise and conflicting information out there. Here’s what happened, and where we stand.
The short version
On July 13, the Department of War announced the immediate suspension of CMMC Phase II, the third-party assessment requirement that was scheduled to take effect November 10, 2026. The decision was formalized in a memorandum signed July 10 and made public three days later. The suspension extends to all pending and future CMMC implementation milestones across Department of War solicitations and contracts, including Phase III (November 2027) and full implementation (2028).
A CMMC Reform Task Force has been established under the Department CIO to conduct a comprehensive review of the program, informed by a public Request for Information on compliance burden. Industry responses to that RFI are due August 14. The Task Force itself must report back within 60 days, placing its deadline in mid-September.
Key dates
- July 10, 2026 — Suspension memorandum signed
- July 13, 2026 — Public announcement; Phase II suspended and a 60-day review launched
- August 14, 2026 — Industry responses to the Request for Information due
- Mid-September 2026 — CMMC Reform Task Force report due to the Department CIO
- November 10, 2026 — Former Phase II effective date (now suspended)
The number behind the decision
Strip away the politics and this comes down to capacity. There are roughly 110 firms authorized to perform the assessment. The market that will eventually need one runs well past 100,000 companies. That imbalance, not a change in what CUI (Controlled Unclassified Information) protection requires, is the entire justification the Department gave for pausing Phase II.
Officials were careful to draw that line themselves: this is about easing the path to compliance, not lowering the bar for it. The suspension sits inside a broader push to speed up how contractors get onboarded and lower the cost of entering the defense industrial base in the first place.
Paused. Not gone.
Suspended: the Phase II contractual mandate requiring a Certified Third-Party Assessment Organization (C3PAO, Level 2) or Defense Industrial Base Cybersecurity Assessment Center (DIBCAC, Level 3) assessment, along with all pending and future CMMC milestones tied to that mandate. During the review, Program Managers and requiring activities may only designate CMMC Level 1 (Self) or Level 2 (Self) assessments in new procurement documents.
Unchanged: Phase I self-assessment, SPRS (Supplier Performance Risk System) score submission, and annual affirmation requirements. DFARS (Defense Federal Acquisition Regulation Supplement) 252.204-7012, which has required NIST SP 800-171 implementation since 2017. NIST SP 800-171 Revision 2 as the enforced interim standard. Prime-to-sub flow-down requirements, which are contract terms independent of the DoW milestone. And existing, already-issued CMMC certifications, which remain valid.
Straight from the accreditation body
On July 15, the Cyber AB, the official accreditation body for the CMMC program, issued a statement responding to the announcement. CEO Matthew Travis confirmed that C3PAO Level 2 certification assessments remain fully operational, alongside CAICO training, CMMC professional exams, and DIBCAC’s assessment of C3PAOs. Nearly 2,000 defense contractors have already achieved CMMC Level 2 (Final) certification, supported by 110 authorized C3PAOs and over 1,000 certified assessors.
Travis was direct about where the risk sits: “NIST SP 800-171 and DFARS 7012 requirements remain in place and unchanged for most all contractors. A Level 2 certification by a C3PAO remains a compelling calling card for subcontracting viability to primes and the best insurance policy against False Claims Act risk.”
The risk didn’t disappear. It moved.
The obligation to protect Controlled Unclassified Information didn’t originate with CMMC. DFARS 252.204-7012 has required implementation of NIST SP 800-171 since 2017. CMMC exists to answer a narrower question: how does the government verify that contractors actually implemented what they attested to? That verification requirement exists because self-reported SPRS scores have, in a number of cases, outpaced what government-led assessments later found on the ground.
With third-party verification paused for new solicitations, self-attested scores are the primary signal available to the government in the interim. That raises the stakes on accuracy. A failed audit and a false attestation are different categories of exposure, and the second one carries the sharper consequences under the False Claims Act.
What we still don’t know
Several questions remain open until the Task Force reports: whether CMMC returns in its current form, a modified form, or a different validation model entirely; how contracts that already contain CMMC clauses will be administered in the meantime (existing clauses govern until a modification is issued); and whether NIST SP 800-171 Revision 3 arrives during or after the review.
It’s happened before
CMMC has already been rebuilt once. What launched as CMMC 1.0 didn’t make it past its first real stress test, it got scrapped and replaced with CMMC 2.0 back in 2021. The name changed. The assessment mechanics changed. What never moved was the actual obligation sitting underneath the program the whole time. Organizations that treated that earlier disruption as a reason to keep building came out the other side of it with everything they’d already done still counting for something.
Business as usual, for us
Nothing about our ability to do our job has changed. Insight Assurance remains fully authorized to conduct assessments and issue certifications, and we’re doing exactly that today. If you’re on a compliance path with us, that path is open and moving.
Who this affects
A 60-day federal review is looking at the scope of CMMC, essentially, who it applies to and how. The relief that review is weighing is aimed at a specific, narrow group: small businesses. For the large majority of companies, the practical picture hasn’t changed.
Our take
If you fall into that small, specific group the review is aimed at, it’s reasonable to reassess your timing. For everyone else, the stronger move is to keep going. Continuing now keeps you ahead of the crowd, out of the backlog that forms when the review wraps, and locks in a certification that’s valid for three years, ahead of whatever the review and the coming update to the standard (NIST SP 800-171 Rev 3) may change.
What we do
Our role is independent assessment. We evaluate where you stand against the applicable standard and give you an honest, evidence-based picture, whether that’s a full certification, an independent check of your own self-assessment, or a readiness review. Whatever the headlines do next, the requirement isn’t going away, and neither is the value of getting it right.
Frequently asked questions
Is CMMC cancelled?
No. Phase II — the third-party assessment requirement — is suspended, and a 60-day review is underway. The program, its earlier phases, and the cybersecurity obligations underneath it are all still standing.
Do I still have to meet NIST SP 800-171?
Yes. DFARS 252.204-7012 has required it since 2017, and none of that changed on July 13. NIST SP 800-171 Revision 2 is still the enforced standard during the review.
What’s still in effect?
Phase I Level 1 (Self) and Level 2 (Self) assessments, SPRS score submission, annual affirmation, prime-to-sub flow-down, and every certification already issued. All of it remains valid.
When does Phase II come back?
No one knows yet. The CMMC Reform Task Force reports to the Department CIO by mid-September, and industry has until August 14 to weigh in through the RFI. Phase II could return as-is, in a modified form, or as a different model entirely.
Should I pause my CMMC work?
The suspension didn’t lower the bar — it moved the risk. With third-party verification on hold, your self-attested score is what the government sees, and a false attestation carries sharper consequences under the False Claims Act than a failed audit does. Insight Assurance stays fully authorized to assess and certify throughout the review.
Work with Insight Assurance
Not sure where your CMMC obligations stand? Insight Assurance is fully authorized to perform independent CMMC assessments — Level 2 certification, readiness reviews, and independent checks of your self-assessment. Talk to our team about demonstrating compliance with confidence.
