CMMC Phase 2 Is Suspended. Your 800-171 Obligations Are Not.
On July 13, the Department of War announced the immediate suspension of CMMC Phase 2 - the November 10, 2026 transition that would have started writing third-party certification requirements into new solicitations. The implementing memo (26-P-1023) suspends the Phase 2 transition and pending CMMC implementation milestones while a CMMC Reform Task Force runs a 60-day review of the program, with further guidance to follow at its conclusion.
If you run a small Mac-first defense shop, here is the one-sentence version: the certification deadline moved; the security standard did not. Below is the operative detail from the release and the memo text - not the headlines - and the short list of what to actually change.
What the suspension does
- Suspends the November 10, 2026 Phase 2 transition and pending CMMC implementation milestones across DoW solicitations and contracts, effective immediately.
- Restricts what can be put in solicitations during the suspension: per the memo, program managers and requiring activities "may not designate CMMC Level 2 (C3PAO) or Level 3 (DIBCAC) assessments during this period" - only Level 1 (Self) and Level 2 (Self).
- Unwinds requirements already in the pipeline: active solicitations carrying C3PAO/DIBCAC requirements get amendments; existing contracts get them removed by modification before the next option period or next scheduled administrative mod.
- Suspends CMMC waivers for the duration of the review.
- Stands up a CMMC Reform Task Force - a 60-day, top-to-bottom review (report due roughly mid-September), with a public request for information so industry can weigh in.
The driver, in the department’s own framing: the math. More than 100,000 companies would eventually need third-party assessments against roughly a hundred authorized C3PAOs, with cost estimates for small and mid-sized businesses running into the billions per year. The stated goal of the review is a framework that lowers barriers for small and non-traditional businesses.
What it does not do
This is the load-bearing section, because "CMMC suspended" headlines will tempt people to relax. Almost nothing that governs your day-to-day obligations changed:
- DFARS 252.204-7012 is untouched. The memo says its requirements "remain in effect": full NIST SP 800-171 Rev 2 implementation, a current SSP, 72-hour incident reporting to DIBNet, and subcontractor flow-downs.
- Self-assessments and SPRS continue. Level 2 (Self) means the same 110 requirements and the same 320 assessment objectives, scored and posted in SPRS, with an affirming official attesting to continuing compliance. Phase 1 obligations are fully in force.
- 32 CFR Part 170 was not rescinded. This is an acquisition-side pause by memo, not a rulemaking action. The CMMC rule, the Cyber AB ecosystem, and voluntary certification all remain legally in place.
- Government-led (DIBCAC) assessments continue as the department’s assessment arm during the interim.
- NIST SP 800-171 Revision 2 remains the anchor. The memo re-affirms Rev 2 as the standard during the suspension - no Rev 3 acceleration.
For the clause-level map of what carries the weight now, see the DFARS clauses behind CMMC.
What changes for a small Mac shop (less than you think)
The documentation work is identical. A Level 2 self-assessment assesses the same requirements a C3PAO would have: FileVault and FIPS posture, MDM-enforced baselines, audit logging, access control, and the SSP that ties it together. None of that was keyed to Phase 2. If you were building toward November, you are building toward the same standard with a different enforcement wrapper.
The affirmation is now the exposure. With third-party certification paused, your SPRS score and the affirming official’s annual attestation carry the compliance weight - and the Department of Justice’s Civil Cyber-Fraud Initiative has kept bringing False Claims Act cases over misrepresented cybersecurity compliance. An accurate score beats an optimistic one, suspension or not. If you have not run an honest pre-assessment, start there: our free Mac-First Readiness Pack includes the self-assessment workbook, and the SSP guide covers the document your affirmation ultimately rests on.
C3PAO plans: hold, not cancel. Nothing can require a C3PAO assessment during the suspension, and the review explicitly examines the third-party model - so a certificate bought today carries redesign risk. Voluntary certification remains legal, and if Phase 2 resumes as-was, the assessor backlog will be severe and early bookings will win. The sensible default for a small shop: keep readiness warm, spend nothing on assessment engagements until post-review guidance publishes, and revisit when it does. (Who all these bodies are - Cyber AB, C3PAO, DIBCAC - is mapped in the ecosystem map.)
Two dates to watch: the task force report, due roughly mid-September; and the public RFI, which is the one venue where small-business cost data can actually shape the outcome. We will track both here.
What we updated on this site
Consistency matters more than speed on a change like this. Alongside this analysis we have updated the key dates timeline (the Phase 2 row now reads suspended, with the review clock added), the DFARS clause reference (7021 status note), and the ecosystem map (C3PAO status note). Facts verified against the release and memo text on July 14, 2026; this post will be updated as post-review guidance lands.
Primary sources: the DoW release (July 13, 2026) and implementing memo 26-P-1023. Additional reporting: Federal News Network, Breaking Defense, DefenseScoop. Educational material, not legal advice; verify clause language against your own contracts.
Member discussion