On July 13, 2026, the Department of Defense (DoD) announced the immediate suspension of the Cybersecurity Maturity Model Certification (CMMC) Phase 2, which had been scheduled to take effect on November 10, 2026. Phase 2 would have made third-party assessment organization (C3PAO) certification at CMMC Level 2 a condition of award for applicable contracts involving controlled unclassified information (CUI). The suspension is broader than the headline suggests. Phases 3 and 4 and all future implementation milestones are frozen until further notice.
Before you pause your compliance spend, ask the right questions:
- With no third-party assessor, whose signature now carries the legal risk? Yours.
- Does your prime contract care what the Pentagon announced? No, and it still binds you.
- That gap assessment in your files documenting your shortfalls? It did not evaporate.
- Why a memo instead of a regulation? Because a memo can be reversed just as fast.
A new CMMC Reform Task Force, reporting to the DoD Chief Information Officer (CIO), will review the program and report within 60 days, drawing on responses to a public request for information due August 14, 2026. DoD’s CIO stated that Small Business Administration data suggest future CMMC phases could cost small and midsize businesses more than $7 billion annually. Expectations are also misaligned due to an assessor shortage, with more than 100,000 companies needing assessments and roughly 100 authorized C3PAOs. Officials declined to rule out ending the program entirely, and the Cyber AB was not told before the announcement.
Continue Reading DoD Suspends CMMC Phase 2. What Happened, What It Means, and What Nobody Is Telling You




