CMMC Phase II Is Suspended. Here's What Actually Changed — and the Opportunity It Creates.
The third-party audits are off the table. Your self-assessment obligation is not. For small defense contractors, this is the most favorable window in years — if you understand what it actually says.
On July 13, 2026, the Department of War announced the immediate suspension of CMMC Phase II requirements — the phase, scheduled to take effect November 10, 2026, that would have forced many defense contractors to pass a third-party (C3PAO) assessment before they could win an award.
If you're a small defense contractor, your inbox has probably been a mess since. Half the industry is celebrating. The other half is quietly asking the only question that matters: Does this mean I can stop?
No. And the contractors who think it does are about to make an expensive mistake.
Here's the plain-English version of what the Department actually said, what it left standing, and — more importantly — the specific opportunity this creates for small businesses that have been priced out of the defense industrial base.
What Was Suspended vs. What Is Still Standing
This is the single most important distinction in the announcement, and most of the coverage has blurred it. The Department suspended the verification mechanism. It did not touch the underlying obligation.
❌ Suspended
- The Phase II transition — scheduled for November 10, 2026
- Third-party C3PAO assessments as a condition of contract award
- Phase III (Nov. 2027) and its DIBCAC-led Level 3 assessments
- Pending and future CMMC implementation milestones across DoW solicitations and contracts
✅ Still Firmly In Place
- Phase I self-assessment requirements — the Department's language was that these "remain firmly in place"
- DFARS clause 252.204-7012 — every contractor and subcontractor is still contractually obligated to safeguard covered defense information
- NIST SP 800-171 Rev 2 — the Department will enforce this standard during the interim
- Government-led assessments — the Department explicitly retained "select government-led assessments"
Read that right-hand column again. Nothing about your legal duty to protect federal data changed on July 13. What changed is who checks your work — and the answer is no longer "a paid third-party assessor." It's you, with the government reserving the right to look.
Why the Department Did This (And Why It's Good News for You)
The reasoning behind the suspension is unusually candid, and it tells you exactly who the Department is trying to protect: small businesses.
The Department's own release stated that while CMMC was designed to enhance cybersecurity in the defense industrial base, it had instead "created prohibitive compliance costs and bureaucratic burdens," and that data — including reports from the Small Business Administration — confirmed compliance was forcing innovative companies out of the DIB.
The numbers that drove the decision are staggering.
CIO Kirsten Davies summarized the arithmetic bluntly: "The math just simply doesn't math" for small and medium-sized businesses to get compliant by the transition date.
She's right. More than 100,000 companies chasing roughly 100 assessors was never going to work. The bottleneck alone would have locked qualified suppliers out of defense contracting through no fault of their own — and that's before the invoice arrived.
SBA's cost analysis put a number on that burden. One thing to be precise about: these are total compliance cost estimates — not audit fees. They bundle remediation, tooling, platform migration, documentation, internal labor, and the assessment itself, and they represent what costs "can reach," not a typical invoice:
- ~$593,800 per certification for small firms requiring a third-party assessment
- ~$388,600 for firms eligible for self-assessment
Sit with that second figure for a moment, because it's the one that actually explains this entire situation.
Why would a "self-assessment" cost a small firm nearly $390,000?
It isn't fees. There's no assessor to pay. It's labor and rework.
It's six months of an owner's evenings. It's documentation built, discarded, and rebuilt three times because nobody knew what "adequate" actually looked like. It's an hourly consultant billing you to explain what a System Security Plan is. It's a team guessing at scope, over-scoping badly, and then hardening systems that never needed to be in the boundary at all.
The expensive part of compliance was never the assessment. It was doing it without a map. Hold onto that — it's the key to everything below.
💡 If you already spent money on compliance, you did not waste it
Ahead of the announcement, CIO Davies made a point of addressing contractors who had already invested: "Every dollar spent on security is a wise dollar spent, and so those who have been forward leaning in uplifting their cyber posture — in assessing what their posture is, and doing something about it — they have contributed to national security. That is not money that is spent in vain."
Your controls, your policies, your evidence — all of it still counts. It still satisfies DFARS 7012. It still satisfies NIST SP 800-171. And it still wins you bids.
The Dangerous Misread: "CMMC Is Dead, I Can Stop"
Within hours of the announcement, this became the most common reaction in the small-contractor community. It is wrong, and it's the kind of wrong that costs contracts.
Here is what is still true today, July 14, 2026:
- Phase I self-assessment requirements remain firmly in place. If your contract requires a CMMC Level 1 or Level 2 self-assessment and an annual affirmation, that requirement did not go away yesterday.
- DFARS 252.204-7012 is federal contract law, not a CMMC artifact. It predates CMMC. It survives CMMC. If you handle covered defense information, you are contractually obligated to safeguard it — full stop.
- The Department will enforce NIST SP 800-171 Rev 2 during the interim through self-assessments and select government-led assessments.
- Primes still gate awards on compliance. Your prime contractor's flow-down requirements are contractual obligations between you and them. The Department of War suspending a phase of its rollout does not amend your subcontract.
- False Claims Act exposure did not go anywhere. Attesting to a security posture you don't actually have has always been the risk. It still is.
⚠️ Read those three words again: "select government-led assessments"
The Department did not remove assessment. It removed the third party from assessment. During this interim period, compliance is enforced through self-assessments and government-led assessments. If you're selected for one of those, there is no consultant sitting next to you and no assessor walking you through your binder. Your documentation is the only thing in the room. The bar for evidence quality just went up, not down.
Not sure where your self-assessment actually stands?
Our free CMMC Assessment Tool evaluates all 15 Level 1 practices and gives you an instant gap analysis and a prioritized remediation roadmap. No credit card. Results in under 30 minutes.
Run the Free Assessment →The Opportunity: Five Reasons This Window Favors Small Contractors
Now the part nobody else is writing about. Strip away the noise and this announcement did something remarkable for small businesses: it removed the single largest barrier to entry in defense contracting and left the achievable part intact.
Self-assessment is now the assessment path
The expensive, capacity-constrained, six-figure pathway is suspended. What remains is the pathway small businesses were always capable of walking: a documented, defensible self-assessment. If you have been putting off compliance because you were waiting to see whether you could afford a C3PAO — that question is off the table for now. The path in front of you is the one you can actually complete.
The cost barrier that pushed you out just collapsed
Remember the $388,600 figure — SBA's estimate for a firm doing this without a third-party assessor. Nearly all of that is internal labor, rework, and hourly help. It's the price of wandering.
Now the third-party pathway is suspended, which means the remaining question isn't "can I afford a C3PAO?" It's "can I do this efficiently?" And that question has a much better answer, because structure is what collapses the labor cost. Knowing exactly which artifacts you need, having the templates already written for your platform, and having someone to ask when you're stuck — that's the difference between six months of evenings and a few focused weeks.
The barrier was never really the certificate. It was the fog. The fog is the part you can actually buy your way out of.
Your competitors are frozen. You don't have to be.
Right now, a large share of the defense industrial base is sitting still, waiting for the 60-day review to tell them what to do. Meanwhile, contracting officers still need suppliers, primes still need subs, and every solicitation still needs someone who can credibly say "yes, we protect your data, and here's the documentation." The contractor who is assessment-ready in September walks into a market where half the competition is still in a holding pattern.
The re-entry window for companies who left the DIB
Under Secretary Michael Duffey framed the goal explicitly: by pausing Phase II implementation, the Department is "keeping more companies in the DIB who would otherwise be forced out of the market at a time when we need them most." If you exited defense work — or never entered — because CMMC math didn't work, the math just changed. This is the most open door small businesses have had into defense contracting in years.
You have a seat at the table — use it
The Department is standing up a CMMC Reform Task Force and issuing a public Request for Information (RFI). Davies described the RFI as "truly the defense industrial base's opportunity to give us direct feedback." The task force will synthesize industry responses and deliver recommendations to the DoW CIO within 60 days. If you are a small contractor with something to say about compliance burden — this is the moment where saying it actually matters.
What Happens Next — and How to Position for Every Outcome
Let's be honest about the uncertainty, because you deserve a straight answer rather than a sales pitch.
The Task Force delivers its report within 60 days — roughly mid-September 2026. When reporters pressed on what comes after, Davies and Duffey notably did not rule out cancelling the CMMC program entirely. Everything is genuinely fluid until that report lands.
So what should a rational small contractor actually do with 60 days of ambiguity? Look at the possible outcomes side by side:
| Possible Outcome | What It Means | Does a Defensible Self-Assessment Still Serve You? |
|---|---|---|
| CMMC returns, streamlined | A reformed, scaled-down framework with lower barriers for small business | Yes — you're already ahead of the field |
| CMMC is replaced | A new "scalable, resilient" model built on the same NIST foundation | Yes — NIST SP 800-171 is the substrate of whatever comes next |
| CMMC is cancelled outright | The certification program ends | Yes — DFARS 252.204-7012 still legally binds you to protect federal data |
| Status quo extends | Suspension continues while review runs long | Yes — self-assessments and government-led assessments remain the enforcement mechanism |
The no-regrets move
Notice that the right-hand column says yes in every row. That isn't a coincidence — it's the whole point. A properly documented self-assessment built on NIST SP 800-171 is the one investment that pays off regardless of what the Task Force decides in September. It satisfies your DFARS obligation today, it satisfies your prime's flow-down today, it protects you in a government-led assessment today, and it positions you as ready for whatever framework emerges tomorrow. There is no scenario where being able to prove you protect federal data is the wrong thing to have done.
Turn 60 days of uncertainty into a finished self-assessment
The Turnkey CMMC Level 1 Package breaks all 15 practices into 142 defined artifacts, with platform-specific templates for Microsoft 365 or Google Workspace, all 8 device & network configuration guides, an Evidence Locker, and your SPRS documentation — packaged, organized, and date-stamped. Eight bi-weekly expert consulting sessions keep you moving. Most clients complete their Level 1 assessment in 2–4 weeks.
$2,495/year — Save $500 (regular $2,995), limited time
Book a Free 30-Minute Consultation → Start with the Free AssessmentIf You Handle CUI: Level 2 Self-Assessment Just Became the Only Game in Town
Here's the nuance that matters most for CUI handlers, and it's being widely missed.
Phase I, which began in November 2025, required self-assessments under both CMMC Level 1 and Level 2. Phase II was the phase that would have forced Level 2 contractors to pass a C3PAO assessment. That's the piece that's suspended — not Level 2 itself.
In other words: if you handle Controlled Unclassified Information, Level 2 self-assessment is still live, still expected, and now unobstructed by a six-figure third-party audit. The most expensive part of your compliance path just got removed while the achievable part remained.
For a small contractor with a limited CUI footprint, that changes the calculus entirely. A dedicated CUI enclave — built on Google Workspace for Government or Microsoft 365 GCC High, with no Active Directory, no SIEM, and no enterprise IT department — is genuinely achievable. What it requires is disciplined documentation: a System Security Plan, a POAM, a Risk Register, and evidence that your controls actually run.
That's exactly what our L2 CUI Enclave Package was built to deliver: 110 practices mapped to 182 defined artifacts across 14 domains, 12 bi-weekly consulting sessions, dedicated enclave configuration guides for your chosen platform, a pre-filled SSP, POAM framework, Risk Register, and evidence checklist — with time estimates on every task so it's implementable part-time. $3,495/year.
⚠️ Self-Assessment Programs Only. The L2 CUI Enclave Package is scoped for CMMC Level 2 programs eligible for annual self-assessment. Programs required to use a C3PAO are not in scope.
Your 60-Day Action Plan
While the Task Force does its work, here is what a well-run small contractor should be doing:
- Confirm what your contracts actually require. Read your DFARS clauses and your prime's flow-downs. The Department's suspension does not amend your subcontract. Your obligations are whatever your contract says they are.
- Establish your real baseline. Not a spreadsheet of yes/no answers — an honest gap analysis against all 15 Level 1 practices (and NIST SP 800-171 if you handle CUI). Our free assessment tool does this in under 30 minutes.
- Fix your evidence, not just your policies. A policy proves intent. Evidence proves operation. In a government-led assessment, only one of those two matters.
- Complete your self-assessment and affirmation properly. Phase I is still in force. If you've been treating it as a checkbox, this is the quarter to make it defensible.
- Respond to the RFI. The Department is explicitly asking the defense industrial base for input on compliance challenges. Small contractors have historically been the least-heard voice in this process. Change that.
- Bid. Your competitors are waiting. You don't have to.
The Bottom Line
The Department of War just removed the part of CMMC that was breaking small businesses — the six-figure third-party audit, the 100,000-companies-to-100-assessors bottleneck, the $7 billion annual bill — and kept the part that was always achievable: a self-assessment you can actually complete and actually defend.
That is not a reason to stop. It's a reason to start, and to start with confidence, because the thing standing between you and a defensible compliance posture is no longer money or assessor capacity. It's just documentation.
And documentation is the one problem we know how to solve.
Let's turn this window into finished work.
Book a free 30-minute consultation. We'll walk through what your contracts actually require, where your evidence stands today, and what a defensible self-assessment looks like for a business your size. No pressure, no six-figure quotes.
Schedule Your Free 30 Minutes →Sources & Further Reading
- U.S. Department of War — "Forging the Arsenal of Freedom: Department of War Suspends CMMC Phase II Requirements" (July 13, 2026)
- DefenseScoop — "DOD halts cybersecurity requirements for CMMC Phase 2: 'The math just simply doesn't math'" (July 13, 2026)
- U.S. Small Business Administration — "SBA Commends U.S. Department of War's Suspension of CMMC Phase II for Small Defense Contractors" (July 13, 2026) — source of the compliance cost estimates cited above
- National Defense Magazine — "BREAKING: Pentagon Suspends Phase 2 of CMMC Program" (July 13, 2026)
- NIST SP 800-171 Rev. 2
- DoW CIO — Brilliant Basics
This article is provided for informational purposes and does not constitute legal advice. Contractors should review their specific contract terms and DFARS clauses with qualified counsel.
