Government
What the CMMC Phase II Suspension Means for Defense Contractors
On July 13, 2026, the Department of War (DoW) announced a pause of the planned CMMC Phase II implementation while it conducts a 60-day review of the program. The DoW chief information officer (CIO) has suspended CMMC Phase II requirements and directed a newly established CMMC Reform Task Force to comprehensively review the program and deliver actionable recommendations for reform.
For defense contractors and the broader Defense Industrial Base (DIB), this is a significant development, but it definitely is not a signal to stop but to stay the course.
What Happened
The DoW suspended CMMC Phase II requirements, which were originally scheduled to take effect on November 10, 2026. Phase II would have introduced mandatory third-party certification assessments through certified third-party assessment organization (C3PAOs) audit firms for CMMC Level 2 and government-led assessments for CMMC Level 3.
The suspension means that during the review period, DoW program managers can only require CMMC Level 1 self-assessments, CMMC Level 2 self-assessments, or select DIBCAC government-led assessments. Third-party (C3PAO) certification audits are no longer a condition of contract award while the review is underway.
The DoW also released a public request for information (RFI) to gather direct feedback from DIB companies on practical strategies to inform the CMMC Reform Task Force. Responses are due by 12 PM ET on Friday, August 14, 2026.
Why the Pause Was Issued
The DoW cited several factors driving the decision:
- Prohibitive compliance costs: Recent research, including reports from the Small Business Administration (SBA), showed that CMMC Phase II requirements have created unacceptable bureaucratic roadblocks, particularly for small, medium, and non-traditional businesses.
- DIB attrition: Current requirements are driving innovative companies out of the DIB at a time when the military needs increased production capability.
- Wartime acquisition priorities: The suspension aligns with DoW’s Acquisition Transformation System (ATS) directive to prioritize speed to capability and reduce bureaucratic barriers.
- Insufficient assessor capacity: The number of available C3PAOs is not large enough to conduct all evaluations needed by the November 2026 deadline.
What Did Not Change
This is the most important point for DoW DIB companies to understand: this announcement did not eliminate your DoW cybersecurity obligations.
Organizations must continue to comply with DFARS clause 252.204-7012 and implement the NIST SP 800-171 safeguards necessary to protect Controlled Unclassified Information (CUI). The DoW explicitly reaffirmed this:
“It is critical to note that this action does not eliminate the requirement for companies to protect federal data. All defense contractors and subcontractors remain contractually obligated to safeguard covered defense information in accordance with DFARS clause 252.204-7012.”
The following requirements remain firmly in place:
| Requirement | Status |
| CMMC Phase I self-assessments | Remain in effect |
| DFARS 252.204-7012 obligations | Remain in effect |
| NIST SP 800-171 Rev 2 compliance | Remain in effect |
| SPRS scoring and annual affirmations (7019/7020) | Remain in effect |
| C3PAO Phase II Assessments | Paused |
| Cybersecurity as a priority | Reaffirmed |
Potential Areas of Change
While the long-term outcome remains uncertain, based on the RFI and public statements, several potential areas of change are emerging.
Reduced Reliance on Third-Party Assessments. The DoW may move toward a model that relies more heavily on self-assessments and government validation activities, reserving independent C3PAO assessments for higher-risk programs or contracts. The RFI specifically asks the DIB about challenges with CMMC Phase I self-assessments and how the process could be fundamentally streamlined.
Clearer, More Practical Evidence Requirements. Evidence expectations will be simplified. Companies can rely more on tool-generated logs, manage security services, and standardized evidence formats, reducing administrative burden. Opportunity to automate continuous monitoring and automation, similar to what FedRAMP is aiming to do with Open Security Controls Assessment Language (OSCAL).
Increased Focus on SPRS Scores Accuracy. SPRS (Supplier Performance Risk System) scores may become an even more important indicator of an organization’s cybersecurity posture. As a result, greater attention may be placed on ensuring scores accurately reflect implemented controls and documented Plan of Action and Milestones (POA&M) activities.
Shift Toward Continuous Compliance Validation. Rather than emphasizing a point-in-time assessment, the DoW may continue moving toward ongoing demonstration of cybersecurity maturity through operational controls, monitoring activities, and periodic validation. This aligns well with the GRC Services already offered by Thrive.
What This Means for Our Clients
While details are still emerging, we anticipate a program that may become:
- Less costly to maintain and demonstrate compliance
- Less dependent on traditional third-party audit activity
- More focused on operational cybersecurity effectiveness
- More closely aligned with ongoing NIST SP 800-171 and DFARS compliance obligations
- More reliant on continuous monitoring and objective evidence of control performance
Our existing cybersecurity and compliance services remain highly relevant. If anything, the focus may shift away from preparing for a single assessment event and toward maintaining a sustainable, continuously monitored, evidence-backed security program.
In my view, this creates an opportunity for our clients, particularly those still maturing their control environments, to strengthen processes, close identified gaps, improve documentation, and establish ongoing monitoring capabilities while the Department completes its review.
How Thrive Is Positioned to Help
This shift plays directly to two of our core service areas.
- Automated evidence collection through platforms and toolsets. Our compliance portal provides centralized documentation, task automation, evidence tracking, and real-time visibility into compliance and security status. If the DoW moves toward accepting system-generated logs, managed security service reporting, and standardized evidence packages, our clients are already producing that evidence through our existing integrations and toolsets. The infrastructure to demonstrate compliance through objective, automated evidence is already in place.
- Expanded continuous monitoring and managed compliance services. Through Thrive’s GRC Services, we provide ongoing visibility into control effectiveness and cybersecurity posture. This includes system monitoring, documentation management, annual policy and assessment updates, and evidence tracking with real-time dashboards. If the DoW continues moving toward continuous compliance validation rather than point-in-time assessments, our managed compliance model is already designed to support that approach.
Our Recommendation: Stay the Course
The worst response to this announcement would be to pause your compliance efforts. The best response is to use this window strategically.
For organizations that have been working toward CMMC readiness, the underlying work you have been doing, implementing NIST SP 800-171 controls, documenting policies and procedures, closing gaps, and building monitoring capabilities, remains essential. None of that work is wasted. In fact, it positions you favorably regardless of what the reformed program looks like.
For organizations that have not yet started or are early in the process, this is an opportunity to build a strong foundation without the immediate pressure of a third-party audit deadline. Strengthen your control environment now, and you will be prepared whether the future program relies on self-assessment, C3PAO audits, government validation, or a hybrid model.
Key Takeaways
- DFARS 252.204-7012 and NIST SP 800-171 obligations are unchanged. Contractors must continue to protect CUI.
- CMMC Phase II third-party certification requirements are suspended during a 60-day review, but CMMC Phase I self-assessments remain in effect.
- The DoW is soliciting industry input through an RFI due August 14, 2026, and may move toward self-assessments, practical evidence expectations, SPRS accuracy, and continuous compliance validation.
- Thrive’s GRC Services are well positioned for the direction the program appears to be heading.
- Organizations should continue their CMMC readiness journey and use this window to strengthen their security posture.
Contact Thrive today to learn how our CMMC readiness and continuous compliance services can help your organization navigate these changes and maintain a strong cybersecurity posture. Visit thrivenextgen.com/cmmc-compliance to learn more.
References
- Department of War News: “War Department Changes Cybersecurity Maturity Model Certification Requirements” — https://www.war.gov/News/News-Stories/Article/Article/4542849/war-department-changes-cybersecurity-maturity-model-certification-requirements/
- DoW CIO RFI: “Reforming CMMC and Reducing Compliance Burden for the Defense Industrial Base” — https://sam.gov/workspace/contract/opp/89ef9bfb0834473791e991c712698d94/view
- DoW CIO Library (official memo) — https://dodcio.defense.gov/library/