Program update
CMMC Phase 2 is suspended. Here is what still applies.
On July 13, 2026, the Department of Defense suspended the second phase of the CMMC rollout, the one that would have required third-party certification assessments for Level 2 contracts starting November 10, 2026. The headline reads like CMMC went away. It did not: the Level 1 and Level 2 self-assessment requirements in effect since November 2025 were explicitly kept, and they are the requirements that bind contractors today. This page separates what was suspended from what was not, with primary sources.
Last reviewed: July 2026. This page will be updated when the CMMC Reform Task Force outcome is published.
- 01
What was suspended
On July 13, 2026, the Department of Defense announced the immediate suspension of the CMMC Phase 2 requirements. Phase 2 was scheduled to begin on November 10, 2026, and would have brought Level 2 certification assessments by authorized third-party assessment organizations (C3PAOs) into applicable solicitations: to win those contracts, a contractor handling Controlled Unclassified Information would have needed to pass a C3PAO assessment rather than self-assess.
Alongside the suspension, DoD stood up a CMMC Reform Task Force to review the program, with a report of findings and recommendations due within 60 days. Officials framed the decision as a response to the burden the program as executed places on the defense industrial base, particularly small businesses.
- 02
What still applies, unchanged
The suspension is not the end of CMMC. All Level 1 and Level 2 self-assessment requirements that took effect on November 10, 2025 remain in place. During the suspension, DoD guidance says program managers and requiring activities may designate only CMMC Level 1 (Self) or Level 2 (Self) assessment requirements in solicitations; they may not designate Level 2 (C3PAO) or Level 3 (DIBCAC) assessments.
Concretely: if you handle Federal Contract Information, the annual Level 1 self-assessment against the 15 FAR 52.204-21 requirements, affirmed in SPRS by a senior official, is still a live contractual requirement. If you handle CUI under a Level 2 (Self) designation, the triennial self-assessment against all 110 NIST SP 800-171 R2 requirements, with the score submitted in SPRS and affirmed annually, is still a live contractual requirement. None of that was suspended.
- 03
What this means in practice
The binding requirement for the duration of the review is the self-assessment and the documentation behind it. A self-assessment is an affirmation by a senior official of your company, submitted to the government, so the practical question is unchanged: can you produce the assessment, the System Security Plan, and the policies and plans that make each answer defensible?
Primes were already pushing CMMC requirements down to subcontractors before the suspension, and flow-down expectations do not disappear because the certification phase paused. A contractor who uses the review window to get the self-assessment and document set in order is prepared for either outcome: a resumed Phase 2 on a new timeline, or a reformed program that keeps self-assessment at its center.
- 04
What is genuinely uncertain
The task force report and whatever follows it. The review could resume the phases on a new schedule, restructure the assessment model, or change program mechanics in ways nobody should claim to predict. What is not uncertain is the floor: the self-assessment obligations in effect since November 2025 were explicitly kept, and the 32 CFR Part 170 program rule remains codified. Planning against that floor is the defensible move; planning against a guess about the task force outcome is not.
Related guides
- CMMC readiness with Security Binder
The Level 1 self-assessment, the Level 2 readiness assessment, and the sixteen-document set behind the answers.
- CMMC Level 1 vs Level 2
FCI vs CUI, 15 vs 110 requirements, how scoring works, and why POA&M rules differ between the levels.
- CMMC Level 1 self-assessment checklist
The 15 FAR 52.204-21 requirements in plain language with the supporting documents for each practice family.
- The CMMC SSP without hosting your network data
What NIST SP 800-171 3.12.4 expects from a System Security Plan and a local-completion drafting approach.
The self-assessment is the requirement that binds right now.
Work through the Level 1 readiness assessment and generate the document set behind your answers. Drafts stay pseudonymous: real system names and identifiers stay in your locally completed copy, not on our servers.
Get started