Compliance|

CMMC Phase II Suspended: What Changed on July 13 — and What Didn't

DoD suspended CMMC Phase II third-party assessments on July 13, 2026. Here's exactly what was suspended, what remains in force, and what defense contractors should do now.

CMMCCMMC SuspensionNIST 800-171DFARS 7012Defense Contractors

On July 13, 2026, the Department of Defense announced the immediate suspension of CMMC Phase II — the third-party assessment requirement that had been scheduled to take effect November 10, 2026 — along with all later phases and pending milestones. A Reform Task Force will report in 60 days. Officials did not rule out ending the program entirely.

There is a lot of noise about what this means. The officials' own words are the clearest guide, so let's start there.

What DoD actually said

Michael Duffey, Under Secretary of Defense for Acquisition and Sustainment:

"We're not relaxing any standards by any means. We expect businesses to adhere to the standards that NIST has outlined. What we're removing is the bureaucracy of the third-party assessment."

Kirsten Davies, DoD Chief Information Officer:

"Investing in and dynamically maintaining robust cybersecurity remains a critical non-negotiable priority. This action does not eliminate the legal requirement for our industry partners to protect federal data."

Read those together and the new reality is exact: the standard stands, the verifier is gone.

What is suspended

  • CMMC Phase II — the third-party assessment requirement, originally effective November 10, 2026
  • All later phases and pending milestones of the CMMC rollout
  • Third-party assessment requirements in active solicitations — DoD has directed contracting officers to amend or modify affected solicitations and contracts

What remains in force

  • NIST SP 800-171 Rev 2 — the 110 security controls themselves. DoD said on the record it expects continued adherence.
  • DFARS 252.204-7012 — the contract clause requiring you to safeguard covered defense information and report incidents within 72 hours.
  • Phase 1 self-assessments — self-assessment obligations continue.
  • The annual SPRS affirmation — signed by a named affirming official, personally. This survives the suspension untouched.

Why DoD did it

Davies laid out the arithmetic: over 100,000 defense industrial base companies still needed a third-party assessment, against roughly 100 available assessors. "The math just simply doesn't math," she said. The program didn't fail because the standard was wrong — Duffey confirmed the standard survives intact. It failed because verification was performed by humans, and human verification doesn't scale.

What this means for you

Here is the part that's easy to miss in the relief about cancelled audits: nobody is coming to check — which also means nobody is coming to vouch. The assessor who would have co-signed your compliance claim no longer exists. Whatever you assert about your security posture, you now assert alone, and you defend alone if it's ever tested — by a prime's flowdown inquiry, a DIBCAC assessment, a diligence team at exit, or the Department of Justice.

And note Davies's verb: "dynamically maintaining." Not achieving. Not certifying. Maintaining — continuously. The CIO of the Department of Defense described a continuous standard in the same breath as cancelling the point-in-time audit. A snapshot was never going to prove continuous compliance anyway. Now nothing proves it — unless you build the proof yourself.

What to do this week

  1. Don't stop your NIST 800-171 work. The requirement is unchanged. DoD said so, twice, on the record.
  2. Look hard at your SPRS affirmation. A self-assessment is a representation to the federal government, and the False Claims Act is the mechanism by which representations get tested. Ask the person who signs at your company: what are they signing on the basis of? (Run the legal-exposure question past your counsel — this post describes a risk shape, not a legal opinion.)
  3. Start generating evidence now. A control gap can be remediated later. You cannot go back and generate logs for activity that already happened. Every ungoverned month is a permanent hole in the record.
  4. Don't try to predict the task force. Whatever it recommends will not be lower than NIST 800-171 — DoD said so. Build for the standard, not for the program.

The audit went away. The obligation to be provable didn't. The contractors who understand that distinction this week are the ones who'll be in the strongest position whenever the task force reports.

Need help with AI governance?

Book a 30-minute call. We'll tell you exactly where your risk is and how to fix it.

Book a Call