What CMMC's Last Pause Tells Us About This One

By: Marco
July 16, 2026

 On July 13, the Department of War suspended CMMC Phase 2's third-party certification requirement. The math explains why: more than 100,000 Defense Industrial Base companies needed a third-party assessment, while only about 100 C3PAOs existed to conduct them.

A reform task force now has 60 days to rebuild the program, working off a public comment period that closes August 14.

The CMMC 2.0 timeline, explained

American flags outside the US capitol

CMMC 1.0 went live in 2020 with five levels and no allowance for plans of action and milestones. It drew roughly 750 public comments, most focused on the cost and complexity that landed hardest on small and mid-sized contractors. In March 2021, the Department pulled it in for review. Eight months later, it came back as CMMC 2.0: three tiers instead of five, POA&Ms restored, and closer alignment with existing NIST standards.

The obligation to protect controlled unclassified information never went away during that review.

The only change was the delivery mechanism — the original one was too expensive and too complicated for the industry it regulated to actually use.

That's nearly the same issue behind this suspension: SBA data cited by the Department put the cost of full rollout at an estimated $7 billion a year for small and mid-sized businesses, against an assessor pool that couldn't clear the backlog in time regardless.

If the pattern holds, a 60-day review produces a rewrite, not a repeal. So far, it's one for one.

DFARS 252.204-7012: what's still required 

The government's own release states this directly: the suspension "does not eliminate the requirement for companies to protect federal data."

Everything underneath Phase 2's paperwork is still standing. DFARS clause 252.204-7012 remains the contractual basis for safeguarding covered defense information. NIST SP 800-171 Rev 2 is still the enforced technical standard. Self-assessment is also still mandatory for every contractor it covers. Export control requirements didn't move either.

Certification got suspended. The requirements didn't.

Why CMMC self-assessment risk just went up

A DoD contractor researching upcoming CMMC changes.

Third-party certification, whatever else was wrong with it, gave a contractor a second set of eyes on its own compliance claims before those claims went into a federal system of record.  

The problem: With self-assessment, nobody double-checks you first. A false score can still get you sued later under the False Claims Act. 

That's not theoretical. In June, a Huntsville, Alabama, defense contractor agreed to pay $507,144 after self-reporting a perfect NIST SP 800-171 score on two Navy contracts — a government audit found the real score was closer to the bottom of the scale. DOJ's Civil Cyber-Fraud Initiative closed nine cybersecurity-related settlements in the fiscal year that ended last September.

None of that activity paused. A contractor that stops maintaining its System Security Plan or lets its POA&Ms go stale isn't avoiding cost. It's increasing liability. 

3 ways contractors are misreading the pause

"The requirement is gone."

The truth: Phase 2's certification gate is gone. DFARS 7012 and NIST SP 800-171 Rev 2 are not.

"We can stand down and pick this back up later."

The truth: Every prior pause in this program's six-year history has come back as a rewrite. A contractor that lets its program lapse now is trading a near-term cost for a harder, more expensive scramble once the task force reports out, likely against an assessor pool that hasn't grown in the meantime.

"Our prime contract requirements will loosen up too."

The truth: Primes carry their own DFARS 7012 exposure and their own FCA risk. A subcontract clause requiring a Level 2 assessment doesn't automatically move because the federal certification timeline did.

What we suggest in the coming months 

A business consultation with a CMMC consultant.

Treat this window as time to close gaps, not a reason to relax. The task force's report this coming September is what to plan around, not the suspension itself. History suggests it changes how compliance gets verified, not whether it's required.

With the third-party check gone, the accuracy of your self-assessment score and the currency of your POA&Ms matter more, not less.

Close real gaps now, and you'll be ready for whatever the task force ships in September. Ignore this window, and you may be explaining a stale SPRS (Supplier Performance Risk System) score to a DOJ attorney instead.

Frequently asked questions about CMMC 2.0

Straight answers to the questions defense contractors are asking about the July 2026 pause. 

Is CMMC Phase 2 cancelled?

No. It's suspended for a 60-day review, along with Phase 3 and Phase 4. Required self-assessments are unaffected.

Do I still need to do a CMMC self-assessment?

Yes. That requirement has been mandatory since November 2025 and wasn't part of the pause.

Does DFARS 252.204-7012 still apply during the pause?

Yes. It's been in place since 2017, years before CMMC existed, and the suspension didn't touch it.

What happens if my CMMC self-assessment score is wrong?

You can be sued under the False Claims Act: significant damages plus a penalty on every invoice submitted while the false score was on file.

Talk to a consultant

Compliance needs aren't going away, and neither is the shortage of credentialed assessors

When certification resumes, we're anticipating a significant backlog, and those who are ready will be in a position to win more contracts. But we can help.

Reserve time with our consultants now to answer your CMMC questions.

Talk to a Specialist

Topics: Manufacturing, CMMC