On July 13, 2026, the Department of War (DoW) suspended CMMC Phase II. Read in isolation, it looks like a scheduling delay.
But if you pair it up alongside the regulatory moves from the past several weeks, it's a restructuring signal. More specifically, the entire CUI compliance framework for federal contractors is being restructured from the ground up.
Here's what the full picture looks like when you zoom out.
To understand the July 13 announcement, you have to read it alongside two other developments that happened in the weeks just before it.
The Federal Acquisition Regulatory Council published a sweeping proposed rule (FAR Case 2026-001) as part of the broader Revolutionary FAR Overhaul (RFO).

If finalized, the RFO will establish a government-wide CUI cybersecurity standard that extends to all federal contractors, not just those working for DoW.
The proposed rule would require any contractor handling CUI to implement NIST SP 800-171 Revision 3 (published in May 2024).
This new version…
The FAR CUI Rule proposes to use normal contract administration procedures for validating compliance with requirements. Contractors operating information systems that access, use, process, store, maintain, or transmit CUI identified in the contract, must make the system security plan available and any associated plans of action required by NIST SP 800-171, for any planned implementations or mitigations to the Government upon request.
In other words, the proposed FAR CUI rule relies entirely on self-attestation backed by documentation available on request. There is no C3PAO, no DIBCAC, no structured audit pathway.
Unlike CMMC, it simply raises the standard by placing the accountability on contractors and their officers to enforce it through their existing contract compliance.
The comment period closes July 23, 2026. The FAR Council has signaled an intent to finalize the RFO rules, including this one, before the end of 2026. And critically, if it’s finalized as it is currently proposed, there is no phase-in period.
Also in July, DoW indicated through the Unified Agenda its intent to publish a proposed rule outlining the plan to migrate the CMMC program from NIST SP 800-171 Rev. 2 to Rev. 3.

This is significant for two reasons. First, it confirms DoW is tracking the FAR-level direction. In other words, the government is moving to Rev. 3 as the baseline standard across the board. Second, it means CMMC, regardless of how it changes after the 60-day review, will eventually need to be reconciled with a different control set than the one it was built around.
It’s worth mentioning that Rev. 3 is not a minor update.
It…
While it technically has fewer numbered requirements than Rev. 2 (110), many of the changes represent mergers and expansions, not reductions.
Contractors who have completed their Rev. 2 compliance work will face a meaningful, though not complete, rebuild when Rev. 3 becomes the contractual standard.
Against that backdrop, the July 13 announcement lands differently.
DoW CIO Kirsten Davies confirmed the immediate suspension of CMMC Phase II.
As we know, this is the requirement for Certified Third-Party Assessor Organization (C3PAO) assessments, which had been scheduled to take effect November 10, 2026.

The move also included…
The announcement states a real logistical concern as to why it occurred, as well. DoW estimated that over 78,000 companies needed third-party assessments, with only around 1,000 authorized assessors available to conduct them.
The math, as Davies put it, "just simply doesn't math" for small and medium-sized businesses.
But the structural conflict goes beyond the capacity problem. As DoW's own memo acknowledged, continuing to enforce CMMC Phase II "directly contradicts" Secretary Hegseth's Acquisition Transformation System directives of prioritizing speed, competition, and removing barriers for nontraditional entrants.

The Small Business Administration (SBA) commended the DoW shortly after its decision. In the SBA commend letter it had also formally documented that the current structure was forcing innovative companies out of the defense industrial base entirely.

Put the three developments together, and a coherent pattern emerges:
Third-party certification is being reconsidered. The FAR CUI proposal emphasizes self-attestation while the Phase II suspension pauses mandatory C3PAO assessments. Audits may become more targeted rather than universal.
NIST SP 800-171 Rev. 3 is the coming standard, at every level of government contracting. The FAR CUI rule locks in Rev. 3 for all federal contractors. DoW's Unified Agenda entry signals Rev. 3 is coming for CMMC as well. The contractors who measure compliance against Rev. 2 today will need to migrate.
Self-attestation is bearing more weight, not less and so is enforcement risk. With third-party audits being pulled back, the government is betting more on contractor integrity. This bet has backing from the DoJ's Civil Cyber-Fraud Initiative. Self-assessments that don't reflect actual posture, SPRS scores that overstate compliance, and System Security Plans that describe controls that aren't implemented all remain fully actionable under the False Claims Act.

The scope of who this affects is expanding dramatically. CMMC only covered DoW contractors. The proposed FAR CUI rule covers virtually all federal contractors handling CUI. This would include civilian agency contractors, commercial product and services providers, subcontractors at every tier. The world of companies affected by CUI cybersecurity requirements could expand well beyond the traditional DIB.
To be precise about the current state:
Suspended immediately:
Not suspended and therefore still fully in force:
The Phase II suspension did not suspend NIST SP 800-171 Rev. 2. DoW will continue to enforce it through both self and government-led assessments.
Whatever gap remediation you were doing in preparation for your C3PAO assessment…keep going. That work satisfies DFARS 7012 today and prepares you for whatever verification mechanism the task force recommends.
The Rev. 3 migration is coming. Both DoW (through whatever emerges from the 60-day review) and the FAR-wide direction established by the proposed CUI rule relate to it.
Companies that begin their Rev. 3 gap assessment now will have months of lead time over those who wait for the final rule to drop.
The new control families (supply chain security, incident response emphasis, advanced threat countering) and the additional 102 assessment objectives will require meaningful implementation work.
The proposed FAR CUI rule changes your calculus fundamentally.
If your agency contracts involve CUI you need to understand your obligations under the proposed rule. Specifically, whether your current cybersecurity posture meets the Rev. 3 baseline or not.
The comment period closes July 23. If the compliance costs or practical difficulties in the proposed rule affect your business, this is your window to say so.
The CMMC Reform Task Force is actively soliciting feedback on cost drivers, administrative burdens, and which NIST 800-171 controls deliver meaningful risk reduction.
Contractor feedback will directly shape what the reformed program looks like. Submit at FAR Case 2026-001 framing and the DoW RFI channel before the deadline.
The task force report is expected around mid-September 2026.
Its findings will signal whether the C3PAO mechanism returns in modified form, is replaced by a risk-tiered model, or is abandoned in favor of government-led audits for sensitive programs.
Plan your Q4 compliance investment accordingly.
The companies that will be best positioned when the regulatory dust settles are those that treat this moment as preparation time, not breathing room.
The standard isn't going away. The enforcement risk isn't going away.
The scope is actually expanding.
What's changing is the verification mechanism and that won't be settled until September at the earliest.
The contractors who invested in genuine cybersecurity maturity during the CMMC buildout are well positioned for whatever comes next. Of course, we’re referencing those that actually implemented the 110 Rev 2 controls, not just documentation theater.
CIO Davies said it directly: "Every dollar spent on security is a wise dollar spent." That investment contributed to national security and provides a real foundation for migrating to Rev. 3 when the time comes.
K2 GRC also helps organizations manage and distribute mandated CUI training to employees, ensuring the workforce awareness requirements embedded in both the existing CMMC framework and the proposed FAR CUI rule are documented and defensible…not just checked off.
Whether you're an established defense prime managing Phase I obligations, a smaller DIB company trying to understand what the suspension means for your November plans, or a civilian agency contractor suddenly in scope under the proposed FAR CUI rule, we can help you understand where you stand and build a realistic path forward.
This post reflects information available as of July 14, 2026, including the DoW CMMC Phase II suspension announcement, the proposed FAR CUI Rule (FAR Case 2026-001, comment deadline July 23, 2026), and DoW's indicated intent to pursue rulemaking on the CMMC Rev. 3 migration. K2 GRC will publish updated analysis when the CMMC Reform Task Force report is released.