Is CMMC Still Required? What the Phase 2 Suspension Did and Did Not Change
The Department of War suspended CMMC Phase 2 on July 13. Within a day, the question in every small contractor’s inbox changed from “how do we get ready for November 10” to “do we still have to do any of this.” The short answer is yes. Here is the longer answer, with the exact rules that still apply.
Yes, CMMC is still required. The July 13, 2026 announcement suspended the Phase 2 milestone (mandatory third-party C3PAO assessments, originally effective November 10, 2026) and the later Phase 3 and Phase 4 dates, pending a 60-day program review. It did not suspend the program rule itself. CMMC Level 1 and Level 2 self-assessment requirements remain firmly in place, SPRS score submissions under DFARS 252.204-7019 continue, and the safeguarding obligations in DFARS 252.204-7012 and FAR 52.204-21 were never tied to a CMMC phase at all.
- The suspension paused the Phase 2 C3PAO milestone and all pending CMMC implementation dates. The 32 CFR Part 170 program rule is still on the books.
- Level 1 and Level 2 self-assessments, SPRS submissions, and annual affirmations continue exactly as they did last month.
- DFARS 252.204-7012 and FAR 52.204-21 apply through your contract clauses, not through CMMC phases. Nothing about them changed on July 13.
- Your SPRS score is still a representation to the federal government. The MORSECORP settlement ($4.6 million, March 2025) was built on a score gap, not a breach, and the DOJ initiative behind it was not paused.
- The Reform Task Force reports in roughly 60 days. RFI responses are due August 14. Everything from minor tweaks to a full overhaul is on the table.
What the July 13 Announcement Actually Suspended
On July 13, 2026, the Department of War announced the immediate suspension of CMMC Phase 2 requirements. Phase 2 was the milestone that mattered most to contractors handling Controlled Unclassified Information: starting November 10, 2026, contracts involving CUI would have required a certification assessment by an authorized C3PAO instead of a self-assessment. That requirement, along with the Phase 3 (2027) and Phase 4 (2028) dates, is now on hold. The implementation memo, DoD CIO 26-P-1023, puts all pending and future CMMC milestones in abeyance until further notice.
The department also directed that active solicitations and contracts already carrying CMMC Level 2 C3PAO or Level 3 assessment requirements be amended to remove them during the suspension.
The reasoning was blunt. CIO Kirsten Davies’ memo called the current program “structurally incompatible” with the need to grow the defense industrial base, pointing to Small Business Administration data on compliance costs. The math behind that conclusion: over 100,000 companies were expected to need third-party assessments, against roughly 100 authorized C3PAOs, at an estimated cost that could exceed $7 billion annually for small and mid-sized businesses.
A CMMC Reform Task Force, reporting to the CIO, held its first meeting on July 16 and is expected to deliver its review in roughly 60 days. A public Request for Information on reforming the program is open now, with responses due August 14, 2026. Officials have not ruled out any outcome, including cancelling the program in its current form.
That is the full list of what changed. Now the part most of the coverage buries.
What Remains Fully in Force
The suspension announcement itself states that Phase 1 self-assessment requirements remain firmly in place. In practice, that means the compliance work a small contractor was doing in June is the same work required in July:

Level 1 and Level 2 self-assessments. If your contracts include the CMMC clause, the self-assessment requirement that took effect in November 2025 continues. Level 2 self-assessment still means all 110 NIST SP 800-171 Rev 2 requirements, assessed against the objectives in 800-171A. The full breakdown of who qualifies and what the self-assessment involves is in our CMMC Level 2 self-assessment requirements guide.
SPRS score submission. DFARS 252.204-7019 and 252.204-7020 require a current NIST 800-171 assessment score in the Supplier Performance Risk System before award and throughout performance. These clauses predate the CMMC phases and were not touched by the suspension.
DFARS 252.204-7012. The safeguarding clause that started all of this, requiring implementation of NIST SP 800-171 to protect covered defense information plus incident reporting to DoD within 72 hours, applies through your contract. It has applied since 2017. The suspension announcement explicitly reaffirms it.
FAR 52.204-21. The 15 basic safeguarding requirements for federal contract information apply to essentially every federal contractor, defense or otherwise. No connection to CMMC phases.
Annual affirmations. Where the CMMC clause is in your contract, a senior official continues to affirm continuing compliance annually in SPRS. That affirmation carries personal exposure, which we covered in who signs your CMMC affirmation is personally on the hook.
The pattern is simple. What was suspended is the third-party verification layer. What remains is the obligation itself, verified by your own signature instead of an assessor’s.
Your SPRS Score Is Still a Legal Statement
This is the piece that should shape your decisions during the review period, because the enforcement mechanism that punishes a wrong self-assessment was never part of CMMC and therefore was never paused.
The Department of Justice’s Civil Cyber-Fraud Initiative pursues False Claims Act cases built on the gap between what a contractor represented and what was true. No breach required. The clearest example is MORSECORP: in March 2025, the company agreed to pay $4.6 million to resolve allegations tied to its Army and Air Force contracts. It had submitted an SPRS score of 104 in January 2021. When a third party actually assessed the environment, the first honest score posted was 57. The case was triggered by a whistleblower, the company’s own head of security, and it was the first FCA settlement built specifically on a failure to correct an inflated SPRS score.
Every element of that case survives the suspension intact. The clauses requiring the score are in force. The affirmation is in force. The FCA is a statute, 31 U.S.C. 3729, that no DoD memo can pause. If anything, the suspension raises the relative weight of your self-assessment, because for the duration of the review it is the only assessment DoD has. The department said it will continue enforcing NIST 800-171 through self-assessments and select government-led assessments.
So the question for the next 60 days is not “is CMMC dead.” It is “can I defend the number my company has posted in SPRS.” If you have not scored yourself against the DoD Assessment Methodology recently, or the score in SPRS predates changes to your environment, that gap is your real exposure. How the scoring works, weight by weight, is in how your NIST 800-171 SPRS score is calculated. The NIST 800-171 SPRS Score Workbook for CMMC Level 2 ($87) walks all 110 controls with assessor-style scoring so the number you attest to is one you can defend.
The 60-Day Review: What Happens Between Now and September

Three dates matter.
August 14, 2026 is the deadline for responses to the RFI, “Reforming CMMC and Reducing Compliance Burden for the Defense Industrial Base.” If the compliance cost problem describes your company, this is the one window where small subcontractors get to put that on the record. The task force is explicitly weighing cost data. If only large, already-assessed organizations respond, the record understates the barrier you experienced.
Roughly mid-September is when the task force report is due, 60 days from the July 13 memo. Davies has said publicly the outcome could range from small adjustments to an overhaul, and cancellation has not been excluded.
After the report, whatever regime emerges will still sit on top of NIST 800-171 and the DFARS clauses. Every plausible outcome, from a leaner CMMC to a self-assessment-plus model to something new, keeps the self-assessment work relevant. There is no scenario in the announcement where implementing the 110 controls turns out to have been wasted effort.
What a Small Contractor Should Do This Week
Do not stop the 800-171 implementation work. Pause the C3PAO scheduling and the assessment-prep spend if you had it booked, and confirm with your C3PAO what happens to any deposit. The control implementation itself serves the clauses still in your contracts.
Verify your SPRS score reflects your current environment. This is the single highest-leverage hour of the review period. If the posted score is stale or optimistic, correcting it now is cheap. Correcting it after a whistleblower complaint is what MORSECORP did.
Keep your SSP current. DFARS 7012 requires 800-171 implementation, and 800-171 requires a system security plan (control 3.12.4). Assessors were never the only audience; contracting officers and DOJ read them too. The CMMC Level 2 System Security Plan (SSP) Template ($77) covers all 110 controls in the structure an assessor or reviewer expects.
Watch your primes, not just DoD. Flow-down letters are private contract terms. Some primes will relax C3PAO demands during the suspension; others will keep their own supplier requirements exactly where they were. Until your prime says otherwise in writing, the safest read is that their expectations have not moved.
Consider answering the RFI before August 14. A two-page response describing what Level 2 preparation actually cost a company your size is exactly the data the task force says it wants.
If you are earlier in the process and the suspension bought you breathing room to do the preparation properly instead of in a panic, that is the one genuine gift in this announcement. Audit prep on your own timeline is far cheaper than audit prep against a deadline. The CMMC Level 2 Readiness Kit: 5 NIST 800-171 Tools ($147) bundles the scoping worksheet, SSP template, SPRS workbook, POA&M tracker, and evidence tracker for exactly that scenario.
Frequently Asked Questions
Is CMMC going away? Not yet, possibly not at all. The 32 CFR Part 170 program rule remains in effect; what is suspended is the enforcement timeline. The task force could recommend anything from minor changes to ending the program in its current form. A decision is expected after the roughly 60-day review concludes in September.
Is CMMC 2.0 required right now? Where the CMMC clause appears in your contract, the Phase 1 requirements apply: Level 1 or Level 2 self-assessment, SPRS submission, and annual affirmation. Third-party certification is not currently being required, and existing contracts carrying C3PAO requirements are being amended to remove them.
Does CMMC Level 2 require an audit? During the suspension, no. Level 2 obligations are met through self-assessment against all 110 NIST 800-171 Rev 2 requirements. The mandatory third-party audit was the Phase 2 requirement now on hold.
What happens after the 60-day review? The Reform Task Force reports to the DoD CIO around mid-September 2026. Until then, existing self-assessment requirements and the underlying DFARS and FAR clauses continue unchanged. We will publish a plain-English breakdown when the report lands.
Sources
- Department of War press release, “Forging the Arsenal of Freedom: Department of War Suspends CMMC Phase II Requirements” (July 13, 2026): war.gov
- DoD CIO implementation memo 26-P-1023, suspension of the November 2026 Phase 2 transition (July 13, 2026): dodcio.defense.gov
- DoD CIO, About CMMC (suspension status and continuing Phase 1 requirements): dodcio.defense.gov/cmmc
- SBA news release 26-73, commending the Phase II suspension (July 13, 2026): sba.gov
- 32 CFR Part 170, CMMC Program: ecfr.gov
- DFARS 252.204-7012, -7019, -7020; FAR 52.204-21: acquisition.gov
- DOJ press release, MORSECORP Inc. $4.6M False Claims Act settlement (March 26, 2025): justice.gov
- NIST SP 800-171 Rev 2 and SP 800-171A: csrc.nist.gov