1. Home
  2. Resources
  3. News
  4. CMMC Phase 2 Suspended: What…

CMMC Phase 2 Suspended: What It Means for Your Compliance Program

IT director on a phone call at a conference table, reviewing compliance obligations now that CMMC Phase 2 suspended its third-party assessment requirement

TL;DR: CMMC Phase 2 suspended is the headline out of Washington: on July 13, 2026, the Department of War paused the Phase 2 third-party assessment requirement, citing cost and a severe shortage of approved assessors, while leaving Phase 1 self-assessment obligations fully in force. INVITE Networks is helping defense contractors keep their compliance programs moving through the review period instead of losing ground. This is for IT Directors and compliance leads at defense contractors managing CMMC obligations right now.

CMMC Phase 2 suspended: what actually changed?

On July 13, 2026, the Department of War announced the immediate suspension of CMMC Phase 2, specifically the requirement for third-party assessments on contracts involving Controlled Unclassified Information (CUI), which was set to take effect November 10, 2026. The suspension does not touch CMMC Phase 1, which has required self-assessments since November 2025. In effect, the Department paused the second half of the certification model, not the first.

Why did the Pentagon suspend Phase 2?

One number explains the decision: only around 100 accredited assessors exist to certify more than 100,000 contractors that would need a third-party audit. Pentagon officials summarized the mismatch bluntly: the math didn’t math. Compliance costs across the Defense Industrial Base were also cited as prohibitive for many contractors. The Department is prioritizing a certification model contractors can actually complete over one that looks rigorous on paper.

What CMMC requirements are still in effect right now?

Phase 1 self-assessment obligations are unchanged. Contractors handling Federal Contract Information still need a Level 1 self-assessment; contractors handling CUI still need a Level 2 self-assessment with an affirmation in the Supplier Performance Risk System. If your System Security Plan or Plan of Action and Milestones was due before this announcement, it’s still due.

What happens next with the CMMC Reform Task Force?

The Department has launched a 60-day review led by a CMMC Reform Task Force, tasked with recommending a framework that lowers the barrier to compliance without abandoning the underlying security requirements. Expect a report within two months, followed by a revised timeline for when third-party assessment returns and in what form. Treat this as a pause, not a cancellation.

Does this suspension reduce your legal obligation to protect CUI?

No. The suspension applies to the assessment mechanism, not the underlying requirement. NIST SP 800-171 obligations under DFARS 252.204-7012 remain in force, and the Department has been explicit that the pause doesn’t eliminate that duty. Contractors who treat this as a reason to deprioritize security controls carry the same breach and contract-termination risk as before. They’ve only lost a deadline, not the underlying threat.

How should defense contractors respond right now?

Keep moving. Contractors who stop CMMC preparation during this window will be furthest behind once the Reform Task Force publishes its recommendations. INVITE Networks is advising clients to use the pause to close gaps identified in prior self-assessments, tighten System Security Plans, and validate control coverage against NIST SP 800-171. That’s the work any revised framework will still require. Contractors ready before the next deadline lands will have the shortest path to certification, whatever form it takes.

Frequently Asked Questions

Is CMMC still required for Department of Defense contracts?
Yes. Phase 1 self-assessment requirements remain fully in force. Only the Phase 2 third-party assessment requirement has been suspended.

What’s the difference between CMMC Phase 1 and Phase 2?
Phase 1 requires contractors to self-assess and attest to NIST SP 800-171 compliance. Phase 2 would have added mandatory third-party audits for CUI contracts. That second layer is what’s suspended.

Do I still need a third-party assessment?
Not for now. The Department has paused that requirement while the Reform Task Force reviews the program, but some form of independent verification is expected to return.

What is the CMMC Reform Task Force?
A Pentagon-led review group tasked with recommending a revised CMMC framework within 60 days, one that lowers compliance barriers while preserving the program’s security outcomes.

What should defense contractors do during the suspension?
Keep building toward full NIST SP 800-171 compliance. Close self-assessment gaps, update your SSP and POA&M, and prepare for whatever assessment model comes next.

Get Ahead of Whatever Comes Next

CMMC Phase 2 suspended doesn’t mean CMMC is going away. It’s being redesigned. INVITE Networks helps defense contractors build compliance programs that hold up regardless of which framework the Reform Task Force recommends. Schedule a CMMC compliance program review with INVITE and get a clear picture of where your NIST SP 800-171 controls stand today.