Elevate

CMMC Level 2 in 2026: What the Phase 2 Suspension Actually Means for Your Contracts

On July 10, 2026, the Department of War suspended the Phase 2 requirements of the Cybersecurity Maturity Model Certification, and with them the CMMC Level 2 third-party assessment that was scheduled to take effect on November 10, 2026. If you have been racing toward a C3PAO assessment, that deadline is gone for now. What did not go away is your legal obligation to protect the government’s data, and reading the suspension as permission to stop is the most expensive mistake you can make right now.

The memo is explicit on this point, and so is this article. The Department suspended who verifies your cybersecurity. It did not suspend what you are required to do. This guide covers exactly what the suspension changed, what remains in force, and why the contractors who keep preparing are the ones who will win work when the pause ends.

What the July 2026 Suspension Actually Did

The suspension is narrower than the headlines suggest, and the details decide what happens to your specific contract.

The Phase 2 Transition Is Paused

The upcoming November 10, 2026 transition to Phase 2 of CMMC implementation is suspended. During the suspension, program managers and requiring activities may only include CMMC Level 1 (Self) or CMMC Level 2 (Self) assessment requirements in procurement documents. They may not designate CMMC Level 2 (C3PAO) or CMMC Level 3 (DIBCAC) assessments. In plain terms, the third-party assessment requirement that defined Phase 2 cannot be placed on new work during the pause.

The Department framed this as a burden problem, not a security reversal. Officials pointed to a defense industrial base with over 100,000 businesses needing a third-party assessment against roughly 100 available assessors, and concluded that the math did not work for small and mid-sized firms to certify by the November deadline. The Small Business Administration had documented that the program, as executed, was pushing companies out of the defense industrial base.

Active Solicitations and Contracts Get Cleaned Up

This is the part that affects you today rather than in the abstract. If an active solicitation or an existing contract already contains a CMMC Level 2 (C3PAO) or Level 3 (DIBCAC) requirement, contracting officers have been directed to remove it. For solicitations, program managers must provide an amended requirements document removing those requirements, and the contracting officer issues a corresponding amendment as soon as practicable. For existing contracts, the requirement is to be removed by modification before the next option period is exercised or during the next scheduled administrative modification.

If you hold a contract with a looming C3PAO obligation, the relief is real and it is being applied through normal contracting mechanisms. You do not need to request it, but you should confirm the modification actually reaches your contract rather than assuming it will.

No Waivers During the Pause

Because program managers can no longer select requirements that would trigger a Level 2 (C3PAO) or Level 3 (DIBCAC) assessment, the waiver process is also suspended. No waivers will be granted during program review. This directive took effect immediately.

A 60-Day Review Is Under Way

The suspension is not the end state. The Department established a CMMC Reform Task Force to conduct a top-to-bottom review of the program, synthesize feedback from a public Request for Information, and deliver a final report to the DoW CIO within 60 days. Further guidance will follow at the conclusion of that review. The direction of travel the Department has signaled is toward measures that lower the barrier for small and non-traditional businesses, not toward abandoning cybersecurity requirements.

What Did Not Change, and Why It Matters

Here is the uncomfortable part, and it is the reason this article exists. The suspension changed the verification mechanism. It did not touch the underlying legal obligation, and several requirements remain fully in force.

Your Contractual Duty to Protect CUI Stands

The cybersecurity requirements in DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, remain in effect. That clause is what contractually obligates you to safeguard covered defense information and to report cyber incidents, and it is untouched by the suspension. The Department stated the point directly: the action does not eliminate the legal requirement for industry partners to protect federal data.

If your systems process, store, or transmit Controlled Unclassified Information, the obligation to protect it did not pause. Only the third-party check on whether you are doing so did.

Level 1 and Level 2 Self-Assessments Continue

Phase 1 self-assessment requirements remain firmly in place. During the suspension, the Department will enforce baseline compliance with NIST SP 800-171 Rev 2 through CMMC Level 1 and CMMC Level 2 self-assessment, along with select government-led assessments. CMMC Level 2 is aligned with NIST SP 800-171 Rev 2, and the self-assessment version of that requirement can still appear in your contracts.

Read that carefully. A CMMC Level 2 (Self) requirement is still a live contract requirement. You still attest to meeting the security requirements for CUI. What changed is that an accredited third party is not, for now, checking your attestation.

The 110 Requirements Have Applied Since 2014

This is the argument that should settle any internal debate about standing down. The 110 security requirements in NIST SP 800-171 are not new, and they are not a CMMC invention. Defense contractors handling CUI have been contractually required to implement them for years, since well before CMMC existed. CMMC was built to verify compliance that was already mandatory, not to create a new obligation.

So a contractor treating the suspension as a reason to stop implementing controls is not returning to a pre-CMMC baseline of no requirements. It is choosing to be non-compliant with an obligation it already carries, and government-led assessments can still check that compliance during the pause.

Government-Led Assessments Can Still Happen

The suspension removes the C3PAO and DIBCAC designations from new procurements. It does not remove the Department’s ability to conduct select government-led assessments of NIST SP 800-171 Rev 2 compliance. A contractor that has let its controls lapse is exposed to those assessments with no third-party report to fall back on and no accredited assessor’s timeline to hide behind.

Why CMMC Level 2 Preparation Should Continue

The contractors who treat this as a reprieve will be indistinguishable, on paper, from the contractors who were never going to comply. The ones who keep going gain three concrete advantages.

The Requirement Is Deferred, Not Deleted

A 60-day review is not a repeal. The Department has been explicit that robust cybersecurity remains a non-negotiable priority and that it is reducing red tape rather than reducing security. Whatever the task force recommends, the likeliest outcomes preserve a security baseline while adjusting how it is verified and how heavily it falls on small firms. A contractor that maintains its NIST SP 800-171 program is ready for any of those outcomes. A contractor that dismantles its program is betting that the requirement disappears entirely, which nothing in the announcement supports.

Readiness Is a Competitive Advantage While Others Pause

When third-party assessments resume in some form, the assessor bottleneck that triggered this suspension does not vanish. Roughly 100 assessors for a six-figure-sized industrial base means the queue will be long, and the firms that kept their evidence current will reach certification first. Being early to a scarce resource is worth more than the cost of maintaining readiness through the pause. The firm that stayed ready wins the contract that requires certification while its competitors are still scheduling an assessor.

Self-Assessment Still Requires Real Controls

A CMMC Level 2 (Self) requirement is not a paperwork exercise. It is an attestation, made under the same NIST SP 800-171 Rev 2 standard, and a false attestation carries False Claims Act exposure that the suspension does nothing to reduce. If anything, the removal of the third-party check raises the stakes on getting your own assessment right, because there is no accredited assessor validating your work before you certify it. Elevate’s guide to the seven-step CMMC self-assessment process covers how to do it defensibly.

What to Do Right Now

Five actions, in order, for a contractor caught in the middle of this.

First, confirm your contract modifications. If you hold a contract or a bid with a C3PAO or DIBCAC requirement, verify that the promised amendment or modification actually reaches your specific contract. Do not assume it will. Track it with your contracting officer.

Second, keep your NIST SP 800-171 Rev 2 program running. Maintain your controls, your documentation, and your evidence exactly as if the assessment deadline still stood, because your underlying obligation still does.

Third, keep your SPRS score current. Your self-assessment score in the Supplier Performance Risk System remains the record of your compliance, and it is what a government-led assessment will check against.

Fourth, scope your CUI environment properly. The single most expensive error in CMMC preparation is an oversized boundary that pulls in systems that never needed to be in scope. The pause is a chance to get that boundary right without an assessor’s clock running. Elevate’s guidance on scoping your enclave for CMMC covers how.

Fifth, treat the 60-day window as preparation time, not downtime. Close your open POA&M items now, while there is no assessment queue and no deadline pressure. Elevate’s CTO guide to building a POA&M covers the approach.

A Note on Department of War and Department of Defense

You will see this action attributed to the Department of War, and its documents carry the war.gov domain and the DoW CIO signature. Under Executive Order 14347, signed September 5, 2025, the Department of Defense uses Department of War as a secondary title. The statutory entity, and the department named in 32 CFR Part 170 and in the DFARS clauses that govern CMMC, remains the Department of Defense. The names differ. The rules, the clauses, and your obligations are the same.

Conclusion

The CMMC Level 2 third-party assessment is suspended, and for contractors deep in assessment preparation that is real, immediate relief. But the suspension is a change to verification, not to obligation. DFARS 252.204-7012 still binds you. The NIST SP 800-171 Rev 2 requirements you have carried since 2014 still apply. Level 1 and Level 2 self-assessments continue, government-led assessments can still happen, and a 60-day review will decide what comes next.

The contractors who dismantle their cybersecurity programs during this pause are not saving money. They are accepting non-compliance with an obligation that never left, and forfeiting the head start that readiness will buy when assessments resume into a market with roughly 100 assessors for over 100,000 firms. The smart move is the unglamorous one: keep preparing, get your scope and your self-assessment right while the pressure is off, and be ready to move the moment the guidance lands.

Elevate Consult advises defense contractors on CMMC readiness and NIST SP 800-171 compliance, from CUI scoping through self-assessment and POA&M remediation. To make the suspension window count rather than waste it, talk to an Elevate advisor.

Key Takeaways

The suspension changed the verification mechanism, not the underlying legal duty. That distinction is the whole story.

CMMC Level 2 (C3PAO) and Level 3 (DIBCAC) assessments are suspended. As of the July 10, 2026 memo, program managers may only require CMMC Level 1 (Self) or Level 2 (Self) on new work. The November 10, 2026 Phase 2 transition is paused.

Existing C3PAO and DIBCAC requirements are being removed. Contracting officers are directed to amend active solicitations and modify existing contracts to strip those requirements. Confirm the change reaches your contract.

Your legal obligation did not change. DFARS 252.204-7012 remains in effect, and the duty to protect CUI is untouched. The NIST SP 800-171 Rev 2 requirements have applied to CUI handlers since well before CMMC existed.

Self-assessments and government-led assessments continue. A CMMC Level 2 (Self) requirement is still a live contract term, and a false attestation still carries False Claims Act exposure. The government can still conduct its own assessments.

A 60-day review will decide what comes next. A CMMC Reform Task Force reports to the DoW CIO within 60 days. The Department has said it is reducing red tape, not reducing security.

Readiness is now a competitive advantage. With roughly 100 assessors for over 100,000 firms, contractors who stay ready will certify first when assessments resume. Dismantling a compliance program forfeits that head start.

FAQs

Q1. Is CMMC Level 2 still required in 2026?

The CMMC Level 2 self-assessment can still be required in contracts, but the CMMC Level 2 third-party assessment by a C3PAO is suspended as of the July 10, 2026 Department of War memo. During the suspension, program managers may only designate CMMC Level 1 (Self) or CMMC Level 2 (Self) assessments on new work, and may not designate Level 2 (C3PAO) or Level 3 (DIBCAC) assessments. The underlying NIST SP 800-171 Rev 2 requirements that Level 2 is built on remain fully in force.

Q2. Does the CMMC suspension mean I can stop working on compliance?

No. The suspension changed how compliance is verified, not whether it is required. DFARS clause 252.204-7012 remains in effect, and the obligation to protect Controlled Unclassified Information is unchanged. The 110 NIST SP 800-171 requirements have applied to CUI handlers for years, government-led assessments can still occur during the suspension, and a false self-assessment carries False Claims Act exposure. Stopping work means accepting non-compliance with an obligation you still hold.

Q3. What happens to my contract if it already has a CMMC Level 2 (C3PAO) requirement?

Contracting officers have been directed to remove it. For active solicitations, program managers provide an amended requirements document stripping the C3PAO or DIBCAC requirement, and the contracting officer issues an amendment as soon as practicable. For existing contracts, the requirement is removed by modification before the next option period or during the next scheduled administrative modification. Confirm with your contracting officer that the change actually reaches your specific contract.

Q4. How long will the CMMC Phase 2 suspension last?

There is no fixed end date, but the Department established a CMMC Reform Task Force to review the program and deliver a final report to the DoW CIO within 60 days of the July 10, 2026 memo. Further guidance will follow at the conclusion of that review. The Department has stated that robust cybersecurity remains a priority and that the goal is to reduce administrative burden, particularly on small and non-traditional businesses, rather than to eliminate cybersecurity requirements.

Q5. Should defense contractors keep preparing for CMMC during the suspension?

Yes, for three reasons. The requirement is deferred by a 60-day review, not repealed. When third-party assessments resume in some form, the assessor shortage that triggered the suspension means the firms that stayed ready will certify first, ahead of a long queue. And the self-assessments and government-led assessments that continue during the pause still require genuine NIST SP 800-171 Rev 2 compliance. Maintaining your program protects you now and positions you to win work when the pause ends.