Skip to main content

Technology Insights Blog

CMMC Phase 2 Hits Pause. Now What?

DP Solutions
Post by DP Solutions
July 14, 2026
CMMC Phase 2 Hits Pause. Now What?

Updated: July 14, 2026

The Department of War recently announced the immediate suspension of CMMC Phase II requirements and launched a 60-day review of the program. The third-party assessment requirements that were scheduled to take effect on November 10, 2026, are now on hold while the Department evaluates the future direction of CMMC. Phase I self-assessment requirements remain in effect.

For many organizations across the Defense Industrial Base (DIB), this announcement raises an important question:

Should We Continue Our CMMC and NIST 800-171 Efforts?

In our view, yes.

While the certification timeline may shift, the need to safeguard Controlled Unclassified Information (CUI), maintain cybersecurity controls, and meet existing contractual obligations has not changed. The Department's announcement specifically notes that organizations are still expected to meet applicable cybersecurity requirements, including existing obligations related to protecting sensitive information.

Organizations that pause all cybersecurity and compliance initiatives in response to this announcement may ultimately find themselves scrambling if requirements are reinstated, revised, or accelerated following the review period.

 

What Has Changed?

At this time, the biggest change is the temporary pause on the implementation of CMMC Phase II third-party assessments while the Department conducts its review of the program. According to the announcement, the review is intended to evaluate the impact of compliance requirements and identify ways to reduce barriers for small and mid-sized businesses while maintaining strong cybersecurity expectations.

For organizations actively pursuing CMMC Level 2 certification, this may provide additional time to prepare and assess their readiness.

However, it is important to remember that this is a pause, not necessarily a cancellation of cybersecurity requirements.

 

Compliance Concept. Word on Folder Register of Card Index. Selective Focus.-1

What Hasn't Changed?

The core cybersecurity expectations that defense contractors have been working toward remain relevant.

Organizations that handle CUI should still be focused on:

    • Protecting sensitive information
    • Strengthening cybersecurity controls
    • Documenting policies and procedures
    • Managing risk across their environment
    • Aligning security programs with NIST SP 800-171 requirements
    • Maintaining compliance with applicable DFARS obligations

Cybersecurity threats continue to evolve regardless of regulatory timelines. Strong security practices help protect intellectual property, customer trust, operations, and business continuity whether a formal certification date is approaching or not.

 

Why Your CMMC Efforts Are Not Wasted

Many organizations have already invested significant time and resources into cybersecurity improvements, including:

    • Gap assessments
    • Security policy development
    • System documentation
    • Technical remediation projects
    • Security awareness initiatives
    • Incident response planning
    • Evidence collection and control validation

These investments continue to deliver value.

At DP Solutions, we've always viewed CMMC as more than a certification exercise. CMMC provides a framework for building a mature cybersecurity program, but the end goal should never be simply passing an assessment.

The true objective is creating an organization that can effectively protect sensitive information, reduce operational risk, and demonstrate security maturity to customers, partners, and government agencies.

Whether the certification process changes or not, those outcomes remain beneficial for every defense contractor.

 

Our Advice to Defense Contractors

Rather than viewing this announcement as a reason to stop, we encourage organizations to use this time strategically.

➡️ Stay Focused on Security Improvements Already Underway
If you've begun implementing security controls, continue making progress. Pausing remediation projects now may create additional work later.

➡️ Continue Documenting and Maturing Processes
Documentation has long been one of the most challenging aspects of CMMC preparedness. Policies, procedures, and evidence collection remain valuable regardless of how the certification program evolves.

➡️ Strengthen Your Overall Security Posture
Use this period to address known security gaps, improve visibility, and reduce risk throughout your organization.

➡️ Stay Flexible
The outcome of the Department's review is not yet known. Organizations that maintain momentum while remaining adaptable will be best positioned to respond to future guidance.

 

Looking Ahead

As more information becomes available during the Department's review period, we expect additional clarification regarding the future of the CMMC program and compliance expectations across the Defense Industrial Base.

DP Solutions will continue monitoring developments and helping our clients navigate changes with practical guidance, clear communication, and actionable next steps.

For organizations handling CUI or pursuing CMMC readiness, the message remains straightforward:

The timeline may have shifted. Good cybersecurity hasn't.

Source: Department of War Announcement on CMMC Phase II Suspension

 

Need Guidance on Your CMMC Readiness Strategy?

Whether you're just beginning your compliance journey or have already invested in NIST 800-171 and CMMC preparation, DP Solutions can help you evaluate your current posture, identify gaps, and develop a practical path forward.

Questions about what this announcement means for your organization? Contact our team to discuss your specific situation and next steps or Request a CMMC-Compliant Proposal.

 


Frequently Asked Questions (FAQ)

Does this Mean CMMC is Dead or Cancelled?

No. CMMC has not been cancelled. While the DoD has paused implementation of Phase II third-party assessment requirements pending a review, existing cybersecurity requirements remain in place. Organizations supporting the Defense Industrial Base should continue preparing for compliance with NIST SP 800-171 and related DFARS requirements while monitoring for additional updates.

Does This Even Apply to Us?

Maybe. CMMC requirements generally apply to organizations that work directly or indirectly on Department of Defense contracts. Whether your organization is affected depends on your contracts, subcontractor relationships, and any applicable flow-down requirements. If you're unsure, review your contract obligations and consult your compliance or legal advisor to determine what requirements apply to your business.

Should We Stop, Pause, or Cancel Our Level 2 C3PAO Assessment?

It depends. The current pause does not automatically change your contractual obligations or customer requirements. Organizations should carefully evaluate their specific contracts, business objectives, and assessment plans before deciding whether to continue, postpone, or adjust their certification efforts. Consulting with legal, compliance, or contract advisers can help ensure any decision aligns with your organization's requirements and risk tolerance.

Should We Wait to Start Our CMMC Level 2 Journey?

Not necessarily. While the future timeline for CMMC assessments is under review, the underlying cybersecurity requirements in NIST SP 800-171 remain in place for organizations subject to DFARS 252.204-7012. Building a strong cybersecurity foundation and addressing compliance requirements can still be a worthwhile investment, regardless of when certification requirements ultimately take effect.

Do We Still Have to Comply with NIST SP 800-171?

Yes. The pause in CMMC Phase II does not change existing DFARS 252.204-7012 requirements. Organizations that are required to comply with NIST SP 800-171 Rev. 2 must continue to implement and maintain those security controls. While the method for validating compliance may be under review, the underlying cybersecurity requirements remain in effect.

What About Our SPRS Score and Annual Self-Assessment?

For now, nothing has changed. The DoD's announcement does not affect existing self-assessment requirements, and organizations with SPRS scoring obligations should continue to maintain and update their scores as required. The current review focuses on third-party assessment requirements, not the underlying self-assessment processes that remain in place today.

What Happens After the 60-Day Review?

The outcome of the review remains unknown. While the DoD has announced that recommendations will be developed during the review period, no decisions regarding future requirements, timelines, or assessment processes have been finalized. Organizations should continue to focus on current compliance obligations and watch for official updates from the Department of Defense. 

 

Comments