CMMC Phase 2 Suspended: What the July 2026 Memo Actually Changes
The Department of War's July 13, 2026 memo (26-P-1023) suspends CMMC Level 2 C3PAO and Level 3 requirements and launches a 60-day reform review. What the memo says, what happens to active solicitations, and what defense contractors should do now.
What happened
On July 13, 2026, the Department of War (DoW) issued memorandum 26-P-1023, immediately suspending CMMC Phase 2 — the stage of the rollout that would have started writing third-party (C3PAO) Level 2 assessments and Level 3 requirements into new DoD solicitations beginning November 10, 2026.
The memo goes further than pausing the calendar. It directs that "all pending and future CMMC implementation milestones across DoW solicitations and contracts are held in abeyance until further notice," and a companion implementation memo tells contracting agencies to amend active solicitations to remove CMMC Level 2 C3PAO and Level 3 requirements "as soon as practicable."
At the same time, the Department announced a CMMC Reform Task Force and a 60-day review of the entire program, with a public request for information (RFI) — responses due 12:00 p.m. ET, Friday, August 14, 2026.
If you want the primary source, the implementing memo is posted on the DoW CIO library.
What is suspended — and what is not
This is the part most headlines get wrong. The suspension applies to Phase 2: the third-party certification layer. Phase 1 — which has been in force since November 2025 — is untouched.
| Requirement | Status after the memo |
|---|---|
| Level 2 C3PAO third-party certification in new solicitations | Suspended |
| Level 3 (DIBCAC-assessed) requirements | Suspended |
| Level 1 annual self-assessment + affirmation (FCI) | Still required |
| Level 2 annual self-assessment + affirmation (CUI) | Still required |
| NIST SP 800-171 implementation under DFARS 252.204-7012 | Still required |
| SPRS score submission under DFARS 252.204-7019/7020 | Still required |
| 72-hour cyber incident reporting under DFARS 252.204-7012 | Still required |
In other words: the government paused the verification mechanism, not the security requirements. Every contract clause that made NIST SP 800-171 binding on contractors who handle CUI predates CMMC and remains in full force. We cover what that means for your program in The Audit Is Suspended. Your Obligations Aren't.
Why the Department did it
The stated goal of the Reform Task Force is a framework that "prioritizes speed to capability, lowers barriers for small, medium, and non-traditional businesses, and replaces prohibitive, third-party compliance models with scalable, realistic security measures."
Two pressures drove this:
- Cost. A Level 2 C3PAO certification realistically ran $50,000–$200,000+ once you count preparation, remediation, and assessor fees — a number many small subcontractors simply could not absorb.
- Capacity. There were nowhere near enough accredited assessors to certify the tens of thousands of contractors that would have needed Level 2 certificates as Phase 2 and 3 requirements rolled into contracts.
The Small Business Administration publicly commended the suspension on behalf of small defense contractors — a strong signal that whatever replaces Phase 2 will lean toward scalable self-assessment rather than universal third-party audits.
If you're bidding right now: watch your solicitations
The onus is on contracting officers to amend solicitations, but amendments take time and some will slip through. Practical guidance while the dust settles:
- Solicitation still lists a CMMC Level 2 certification requirement? Use the Q&A process to ask the agency to conform the solicitation to the memo. Get the answer in writing.
- Proposal already submitted, award pending? If you — or competitors — were shut out by a certification requirement that no longer applies, the ground rules of the competition may have materially changed. That's a conversation to have with counsel; both the pre-overhaul FAR (15.206) and the FAR Overhaul (RFO 15.106) require agencies to amend solicitations when requirements change.
- You're a subcontractor? Remember that primes can still impose cybersecurity requirements contractually in their flow-downs and supplier questionnaires — and most are keeping them. See our guide to answering prime contractor cybersecurity questionnaires.
What happens after the 60-day review
Nobody knows exactly what "CMMC reform" will produce, but the task force's own framing tells you the direction: fewer third-party audits, more emphasis on self-assessment, affirmation, and accountability. The RFI specifically asks industry which NIST 800-171 controls deliver meaningful risk reduction — so the control set could get leaner, but a documented self-assessment against 800-171 is the through-line in every plausible outcome.
That means the contractors who come out of this window strongest are the ones who used it to get their self-assessment, SPRS score, System Security Plan, and POA&M genuinely in order — not the ones who read "suspended" and stopped.
Where CyberPolicify fits
CyberPolicify is built for exactly the regime that survives this memo: self-assessment against NIST SP 800-171, done properly and documented.
- Run a CMMC Level 2 gap assessment against all 110 NIST SP 800-171 Rev 2 requirements, with the official DoD SPRS weighting built in — so you know your real score before you affirm it.
- Generate the policies that self-assessments and prime questionnaires ask for, mapped to the requirements they satisfy.
- Track gaps and remediation in a living risk register and POA&M, so next year's affirmation is an update, not a fire drill.
You can start a self-assessment now — or take the free 3-minute readiness check first, no signup required.
Generate documentation mapped to frameworks
Generate policies, procedures, and gaps you can act on—without consultant-heavy overhead.