🚀 What’s This Blog About?

This blog explains what the CMMC Phase II suspension means for federal contractors and why it doesn't eliminate cybersecurity requirements. It breaks down recent regulatory changes, what remains in effect today, and how organizations should prepare for the transition to NIST SP 800-171 Rev. 3. :contentReference[oaicite:0]{index=0}

Key Takeaways

  • ✅ The CMMC Phase II suspension delays third-party certification requirements, but existing cybersecurity obligations and self-assessments are still required.
  • ✅ NIST SP 800-171 Rev. 3 is expected to become the future standard, so organizations should begin planning for the transition now.
  • ✅ Companies that continue improving their cybersecurity instead of waiting for new rules will be better prepared for future compliance and enforcement.

Who Should Read This?

This guide is ideal for defense contractors, federal contractors, subcontractors, and compliance professionals trying to understand how the CMMC Phase II suspension affects their responsibilities. It's especially helpful for organizations planning future compliance investments or preparing for NIST SP 800-171 Rev. 3.

On July 13, 2026, the Department of War (DoW) suspended CMMC Phase II. Read in isolation, it looks like a scheduling delay.

But if you pair it up alongside the regulatory moves from the past several weeks, it's a restructuring signal. More specifically, the entire CUI compliance framework for federal contractors is being restructured from the ground up.

Here's what the full picture looks like when you zoom out.

The Three Events That Connect

To understand the July 13 announcement, you have to read it alongside two other developments that happened in the weeks just before it.

June 23: The FAR CUI Proposed Rule

The Federal Acquisition Regulatory Council published a sweeping proposed rule (FAR Case 2026-001) as part of the broader Revolutionary FAR Overhaul (RFO).

via Acquisition.gov

If finalized, the RFO will establish a government-wide CUI cybersecurity standard that extends to all federal contractors, not just those working for DoW.

The proposed rule would require any contractor handling CUI to implement NIST SP 800-171 Revision 3 (published in May 2024).

This new version…

  • Mandates 72-hour cyber incident reporting
  • Requires prime contractors to flow CUI obligations down to every subcontractor tier that touches the information
  • Establishes a new standard form agencies must complete to identify what CUI is present in each contract.

The FAR CUI Rule 

The FAR CUI Rule proposes to use normal contract administration procedures for validating compliance with requirements. Contractors operating information systems that access, use, process, store, maintain, or transmit CUI identified in the contract, must make the system security plan available and any associated plans of action required by NIST SP 800-171, for any planned implementations or mitigations to the Government upon request.

In other words, the proposed FAR CUI rule relies entirely on self-attestation backed by documentation available on request. There is no C3PAO, no DIBCAC, no structured audit pathway.

Unlike CMMC, it simply raises the standard by placing the accountability on contractors and their officers to enforce it through their existing contract compliance.

The comment period closes July 23, 2026. The FAR Council has signaled an intent to finalize the RFO rules, including this one, before the end of 2026. And critically, if it’s finalized as it is currently proposed, there is no phase-in period.

July: DoW's Unified Agenda Signal on Rev. 3 Migration

Also in July, DoW indicated through the Unified Agenda its intent to publish a proposed rule outlining the plan to migrate the CMMC program from NIST SP 800-171 Rev. 2 to Rev. 3.

via GSA

This is significant for two reasons. First, it confirms DoW is tracking the FAR-level direction. In other words, the government is moving to Rev. 3 as the baseline standard across the board. Second, it means CMMC, regardless of how it changes after the 60-day review, will eventually need to be reconciled with a different control set than the one it was built around.

It’s worth mentioning that Rev. 3 is not a minor update.

It…

  • Adds three new security control families
  • Increases the number of assessment objectives from 320 to 422
  • Includes 88 organization-defined parameters (ODPs) that DoW has assigned values for 79

While it technically has fewer numbered requirements than Rev. 2 (110), many of the changes represent mergers and expansions, not reductions.

Contractors who have completed their Rev. 2 compliance work will face a meaningful, though not complete, rebuild when Rev. 3 becomes the contractual standard.

July 13: DoW Suspends CMMC Phase II

Against that backdrop, the July 13 announcement lands differently.

DoW CIO Kirsten Davies confirmed the immediate suspension of CMMC Phase II.

As we know, this is the requirement for Certified Third-Party Assessor Organization (C3PAO) assessments, which had been scheduled to take effect November 10, 2026. 

via DoW

The move also included…

  • A suspension of Phases III and IV
  • The creation of a CMMC Reform Task Force has been established (members not listed)
  • A public Request for Information issued
  • A 60-day review launched to reimagine what the program looks like going forward

The announcement states a real logistical concern as to why it occurred, as well. DoW estimated that over 78,000  companies needed third-party assessments, with only around 1,000 authorized assessors available to conduct them.

The math, as Davies put it, "just simply doesn't math" for small and medium-sized businesses.

But the structural conflict goes beyond the capacity problem. As DoW's own memo acknowledged, continuing to enforce CMMC Phase II "directly contradicts" Secretary Hegseth's Acquisition Transformation System directives of prioritizing speed, competition, and removing barriers for nontraditional entrants.

via DoW

The Small Business Administration (SBA) commended the DoW shortly after its decision. In the SBA commend letter it had also formally documented that the current structure was forcing innovative companies out of the defense industrial base entirely.

via SBA

What This Means in Plain Terms

Put the three developments together, and a coherent pattern emerges:

Third-party certification is being reconsidered. The FAR CUI proposal emphasizes self-attestation while the Phase II suspension pauses mandatory C3PAO assessments. Audits may become more targeted rather than universal.

NIST SP 800-171 Rev. 3 is the coming standard, at every level of government contracting. The FAR CUI rule locks in Rev. 3 for all federal contractors. DoW's Unified Agenda entry signals Rev. 3 is coming for CMMC as well. The contractors who measure compliance against Rev. 2 today will need to migrate.

Self-attestation is bearing more weight, not less and so is enforcement risk. With third-party audits being pulled back, the government is betting more on contractor integrity. This bet has backing from the DoJ's Civil Cyber-Fraud Initiative. Self-assessments that don't reflect actual posture, SPRS scores that overstate compliance, and System Security Plans that describe controls that aren't implemented all remain fully actionable under the False Claims Act.

via DoJ

The scope of who this affects is expanding dramatically. CMMC only covered DoW contractors. The proposed FAR CUI rule covers virtually all federal contractors handling CUI. This would include civilian agency contractors, commercial product and services providers, subcontractors at every tier. The world of companies affected by CUI cybersecurity requirements could expand well beyond the traditional DIB.

What Is and Isn't Suspended Right Now

To be precise about the current state:

Suspended immediately:

  • The November 10, 2026 Phase II rollout requiring CMMC Level 2 C3PAO assessments/certifications in new solicitations
  • All pending and future Phase III and IV CMMC implementation milestones
  • The ability for program managers to designate CMMC Level 2 (C3PAO) in new procurement requests

Not suspended and therefore still fully in force:

  • CMMC Phase I requirements: Level 1 and Level 2 self-assessments and attestations remain firmly in place for applicable contracts
  • DFARS 252.204-7012: Every defense contractor and subcontractor remains contractually obligated to safeguard covered defense information (unchanged since 2017)
  • NIST SP 800-171 Rev. 2: The 110-control standard remains the technical baseline DoW enforces through self-assessments and select government-led (DIBCAC) assessments during the review period
  • SPRS score requirements: Accurate scores must be on file before contract award under DFARS 252.204-7019
  • System Security Plans, POA&Ms: Still required
  • Employee CUI training requirements: The proposed FAR CUI rule includes a specific obligation for contractors to train employees to identify and safeguard CUI. For defense contractors, workforce awareness has always been implicit in NIST 800-171 (AT domain). The FAR rule makes it explicit and contractual across all federal contractors.
  • DoJ Civil Cyber-Fraud Initiative: Still active; inaccurate Phase I self-assessments are squarely in scope
  • Prime contractor flowdown requirements: The DoW suspension only governs what the government requires in solicitations. Prime contractors may still independently require C3PAO assessments from their subcontractors as a condition of doing business. If you're a sub, check your existing agreements the suspension doesn't override contractual obligations your prime has already placed on you. 

What Defense Contractors Should Do Now

Finish your Rev. 2 work

The Phase II suspension did not suspend NIST SP 800-171 Rev. 2. DoW will continue to enforce it through both self and government-led assessments.

Whatever gap remediation you were doing in preparation for your C3PAO assessment…keep going. That work satisfies DFARS 7012 today and prepares you for whatever verification mechanism the task force recommends.

Start your Rev. 3 gap analysis. 

The Rev. 3 migration is coming. Both DoW (through whatever emerges from the 60-day review) and the FAR-wide direction established by the proposed CUI rule relate to it.

Companies that begin their Rev. 3 gap assessment now will have months of lead time over those who wait for the final rule to drop.

The new control families (supply chain security, incident response emphasis, advanced threat countering) and the additional 102 assessment objectives will require meaningful implementation work.

If you're a non-DoW federal contractor, pay attention now 

The proposed FAR CUI rule changes your calculus fundamentally.

If your agency contracts involve CUI you need to understand your obligations under the proposed rule. Specifically, whether your current cybersecurity posture meets the Rev. 3 baseline or not.

The comment period closes July 23. If the compliance costs or practical difficulties in the proposed rule affect your business, this is your window to say so.

Respond to the DoW RFI.

The CMMC Reform Task Force is actively soliciting feedback on cost drivers, administrative burdens, and which NIST 800-171 controls deliver meaningful risk reduction.

Contractor feedback will directly shape what the reformed program looks like. Submit at FAR Case 2026-001 framing and the DoW RFI channel before the deadline.

Watch the 60-day clock. 

The task force report is expected around mid-September 2026.

Its findings will signal whether the C3PAO mechanism returns in modified form, is replaced by a risk-tiered model, or is abandoned in favor of government-led audits for sensitive programs.

Plan your Q4 compliance investment accordingly.

The Bigger Picture: An Opportunity, Not a Reprieve

The companies that will be best positioned when the regulatory dust settles are those that treat this moment as preparation time, not breathing room.

The standard isn't going away. The enforcement risk isn't going away. 

The scope is actually expanding.

What's changing is the verification mechanism and that won't be settled until September at the earliest.

The contractors who invested in genuine cybersecurity maturity during the CMMC buildout are well positioned for whatever comes next. Of course, we’re referencing those that actually implemented the 110 Rev 2 controls, not just documentation theater.

CIO Davies said it directly: "Every dollar spent on security is a wise dollar spent." That investment contributed to national security and provides a real foundation for migrating to Rev. 3 when the time comes.

How K2 GRC Can Help

K2 GRC also helps organizations manage and distribute mandated CUI training to employees, ensuring the workforce awareness requirements embedded in both the existing CMMC framework and the proposed FAR CUI rule are documented and defensible…not just checked off.

Whether you're an established defense prime managing Phase I obligations, a smaller DIB company trying to understand what the suspension means for your November plans, or a civilian agency contractor suddenly in scope under the proposed FAR CUI rule, we can help you understand where you stand and build a realistic path forward.

❓ Frequently Asked Questions About the CMMC Phase II Suspension

What does the CMMC Phase II suspension mean?

The CMMC Phase II suspension pauses the planned requirement for certain contractors to obtain a CMMC Level 2 certification through a third-party assessor. It does not remove the cybersecurity requirements that defense contractors must already follow.

Are CMMC requirements still in effect after the Phase II suspension?

Yes. CMMC Phase I self-assessments and affirmations remain in effect for applicable contracts, along with existing DFARS and NIST SP 800-171 requirements. The suspension mainly affects the rollout of mandatory third-party assessments.

Should contractors stop preparing for CMMC certification?

No. Contractors should continue closing security gaps, updating their System Security Plans, managing POA&Ms, and maintaining accurate self-assessment scores. The CMMC Phase II suspension changes the verification timeline, not the need to protect CUI.

Does the CMMC suspension affect NIST SP 800-171 compliance?

No. NIST SP 800-171 Rev. 2 remains the current cybersecurity baseline for applicable defense contracts during the review period. Contractors should continue implementing its requirements while also preparing for the expected transition to Rev. 3.

When will NIST SP 800-171 Rev. 3 apply to federal contractors?

The exact implementation date has not been finalized. However, proposed federal rules and DoW planning indicate that Rev. 3 is expected to become the future baseline, so contractors should begin a gap analysis before it becomes contractual.

Can prime contractors still require a C3PAO assessment?

Yes. The CMMC Phase II suspension limits what the government requires in new solicitations, but it does not automatically override private contract terms. A prime contractor may still require subcontractors to complete a C3PAO assessment as a condition of doing business.

What should defense contractors do during the CMMC review period?

Contractors should speak with their prime contractor or contracting officer, finish their Rev. 2 remediation work, and begin comparing their program against Rev. 3. They should also keep compliance documentation accurate because self-attestations and inaccurate security claims may still create enforcement risk.

This post reflects information available as of July 14, 2026, including the DoW CMMC Phase II suspension announcement, the proposed FAR CUI Rule (FAR Case 2026-001, comment deadline July 23, 2026), and DoW's indicated intent to pursue rulemaking on the CMMC Rev. 3 migration. K2 GRC will publish updated analysis when the CMMC Reform Task Force report is released.

Tag :

Related Posts

The CMMC Phase II Suspension: Where CUI Compliance Is Heading

Jul 14, 2026
Learn what the CMMC Phase II suspension means for federal contractors, what's still required today, and how to prepare for NIST SP 800-171 Rev. 3.
Read More
10 min read

Risk Register Examples: From Heat Maps to Dollars

Jul 10, 2026
Explore practical risk register examples, including enterprise, operational, qualitative, and FAIR-based cybersecurity registers, to learn how organizations identify, prioritize, and manage risk more effectively.
Read More
10 min read

CMMC Acceptable Use Policy: What It Is and How to Write One

Jul 10, 2026
Discover what a CMMC Acceptable Use Policy should include, best practices for implementation, and download a free editable template to accelerate your compliance efforts.
Read More
10 min read

Start your GRC journey today

Discover how K2 GRC can simplify compliance and enhance your organization's governance and risk management.