← All learn guides

Program update

CMMC Phase 2 is suspended. Here is what still applies.

On July 13, 2026, the Department of Defense suspended the second phase of the CMMC rollout, the one that would have required third-party certification assessments for Level 2 contracts starting November 10, 2026. The headline reads like CMMC went away. It did not: the Level 1 and Level 2 self-assessment requirements in effect since November 2025 were explicitly kept, and they are the requirements that bind contractors today. This page separates what was suspended from what was not, with primary sources.

Last reviewed: July 2026. This page will be updated when the CMMC Reform Task Force outcome is published.

  1. 01

    What was suspended

    On July 13, 2026, the Department of Defense announced the immediate suspension of the CMMC Phase 2 requirements. Phase 2 was scheduled to begin on November 10, 2026, and would have brought Level 2 certification assessments by authorized third-party assessment organizations (C3PAOs) into applicable solicitations: to win those contracts, a contractor handling Controlled Unclassified Information would have needed to pass a C3PAO assessment rather than self-assess.

    Alongside the suspension, DoD stood up a CMMC Reform Task Force to review the program, with a report of findings and recommendations due within 60 days. Officials framed the decision as a response to the burden the program as executed places on the defense industrial base, particularly small businesses.

  2. 02

    What still applies, unchanged

    The suspension is not the end of CMMC. All Level 1 and Level 2 self-assessment requirements that took effect on November 10, 2025 remain in place. During the suspension, DoD guidance says program managers and requiring activities may designate only CMMC Level 1 (Self) or Level 2 (Self) assessment requirements in solicitations; they may not designate Level 2 (C3PAO) or Level 3 (DIBCAC) assessments.

    Concretely: if you handle Federal Contract Information, the annual Level 1 self-assessment against the 15 FAR 52.204-21 requirements, affirmed in SPRS by a senior official, is still a live contractual requirement. If you handle CUI under a Level 2 (Self) designation, the triennial self-assessment against all 110 NIST SP 800-171 R2 requirements, with the score submitted in SPRS and affirmed annually, is still a live contractual requirement. None of that was suspended.

  3. 03

    What this means in practice

    The binding requirement for the duration of the review is the self-assessment and the documentation behind it. A self-assessment is an affirmation by a senior official of your company, submitted to the government, so the practical question is unchanged: can you produce the assessment, the System Security Plan, and the policies and plans that make each answer defensible?

    Primes were already pushing CMMC requirements down to subcontractors before the suspension, and flow-down expectations do not disappear because the certification phase paused. A contractor who uses the review window to get the self-assessment and document set in order is prepared for either outcome: a resumed Phase 2 on a new timeline, or a reformed program that keeps self-assessment at its center.

  4. 04

    What is genuinely uncertain

    The task force report and whatever follows it. The review could resume the phases on a new schedule, restructure the assessment model, or change program mechanics in ways nobody should claim to predict. What is not uncertain is the floor: the self-assessment obligations in effect since November 2025 were explicitly kept, and the 32 CFR Part 170 program rule remains codified. Planning against that floor is the defensible move; planning against a guess about the task force outcome is not.

Related guides

The self-assessment is the requirement that binds right now.

Work through the Level 1 readiness assessment and generate the document set behind your answers. Drafts stay pseudonymous: real system names and identifiers stay in your locally completed copy, not on our servers.

Get started

Official sources

This guide is general information, not legal or compliance advice. Program status can change: verify current requirements against the primary sources above and your own contracts and solicitations. Security Binder prepares documentation. It does not guarantee compliance, certification outcomes, or audit acceptance, and it does not substitute for licensed legal or audit review. CMMC is a program of the U.S. Department of Defense; framework names are the property of their respective publishers.