CMMC Phase II Was Suspended: What Does It Mean for Defense Contractors?

CMMC Phase II Suspended July 2026 and picture of Pentagon and All In Technology logo

For many defense contractors, the Pentagon’s July 13 announcement may have brought a sense of relief.

CMMC Phase II, which was scheduled to begin on November 10, 2026, has been suspended while the Department conducts a comprehensive 60-day review of the program and considers whether the current certification model creates too much cost, complexity, and administrative pressure for small and midsized members of the Defense Industrial Base. Later implementation milestones have also been placed on hold during that review.

For companies preparing for a third-party assessment, this is significant news. CMMC readiness has required substantial investments in technology, documentation, employee time, consulting, remediation, and internal coordination. Smaller manufacturers, engineering firms, technology providers, and subcontractors may have faced particularly difficult decisions as they tried to balance compliance requirements with limited staff and budgets.

The pause gives those organizations more breathing room, but it should not be interpreted as the end of CMMC preparation or the removal of existing cybersecurity responsibilities.

The third-party assessment timeline may have changed, but contractors are still responsible for understanding what federal information they hold, how that information is protected, and whether their current cybersecurity representations are accurate. In some cases, the absence of an immediate external assessment may place even more responsibility on company leadership to understand what is happening inside the environment before signing an affirmation of compliance.

What Changed With CMMC in July 2026?

The Pentagon suspended CMMC Phase II and paused later implementation milestones while it reviews the program’s cost, complexity, and impact on smaller defense contractors.

The suspension delays the planned expansion of mandatory Level 2 third-party assessments conducted through authorized CMMC Third-Party Assessment Organizations, commonly known as C3PAOs. It does not, however, eliminate existing cybersecurity responsibilities.

Phase I self-assessments remain in place, and the Department has indicated through its official CMMC program guidance that it will continue relying on self-assessments and select government-led assessments to enforce NIST SP 800-171 Revision 2 during the review period. Contractors may also remain responsible for maintaining accurate SPRS information, complying with applicable DFARS clauses, reporting qualifying cyber incidents, and meeting other contract-specific obligations.

In practical terms, the certification timeline changed, but the responsibility to protect federal information did not.

Why CMMC Was Paused

The concerns behind the suspension are understandable.

CMMC has asked contractors to work through dense technical standards, changing timelines, unfamiliar terminology, and a certification process that can be difficult to navigate without dedicated cybersecurity and compliance resources. Even companies that fully support stronger security requirements have struggled with the practical side of implementation.

The questions often begin with scope.

Which users, devices, systems, and locations are included? Where is Controlled Unclassified Information stored or transmitted? Does it pass through Microsoft 365, a cloud application, a personal device, or a vendor-managed platform? How should a contractor account for remote employees, subcontractors, shared production systems, or older technology that cannot easily support modern controls?

These are not simple questions, particularly for a small organization where the same person may oversee technology, operations, contracts, and compliance.

What begins as a cybersecurity project can quickly become an organization-wide effort involving purchasing, human resources, leadership, vendors, legal counsel, and everyday employee behavior. The Pentagon’s review may ultimately produce a more scalable model that preserves meaningful security expectations without creating unnecessary barriers for smaller or nontraditional contractors.

That would be a positive outcome for the Defense Industrial Base. It would not, however, change the underlying reason the requirements exist.

The certification process may be revised, but the need to protect sensitive federal information remains.

The Certificate Was Never the Security Program

A CMMC certificate provides evidence that a contractor’s cybersecurity practices have been assessed against a defined set of requirements. It can help the government, prime contractors, and other partners feel more confident that appropriate safeguards are in place.

The certificate itself is not what makes an organization secure.

The real security program is built through the routine work happening behind the assessment. It includes removing access when an employee leaves, applying multifactor authentication consistently, protecting privileged accounts, reviewing security alerts, managing devices, controlling where sensitive files are stored, and ensuring backups can actually be restored.

It also includes work that may be less visible but is just as important. A System Security Plan must be updated as the environment changes. Vendor access must be reviewed. Employees need to understand how regulated information should be handled. Incident response procedures should be tested before a real event exposes weaknesses in the process.

None of those efforts become less valuable because an assessment date moved!

In fact, one of the greatest risks created by the suspension is that organizations may begin viewing security improvements as optional work that can be postponed until another deadline is announced. A network segmentation project may be delayed, open remediation items may remain unresolved, and policies may fall behind the technology they are supposed to describe.

That is why ongoing investment in secure network infrastructure and managed network services still matters. Segmentation, firewall management, remote connectivity, and infrastructure visibility are not simply assessment items. They are part of maintaining a more controlled and defensible technology environment.

Companies that approached CMMC primarily as a deadline-driven certification project are especially vulnerable to losing momentum. The stronger approach is to view certification as a validation of an operating security program rather than the reason that program exists.

Self-Assessment Still Requires Honest Answers

The current suspension does not eliminate Phase I self-assessment requirements. Contractors may still need to complete applicable assessments, maintain information in the Supplier Performance Risk System, and affirm that they continue to meet the requirements associated with their contracts. Current DFARS language also addresses ongoing affirmations of continuous compliance and the need to maintain current assessment information in SPRS.

The phrase “self-assessment” can make the process sound informal. In reality, it places the responsibility directly on the organization to evaluate its own environment and stand behind the results.

A meaningful self-assessment involves more than confirming that a policy document exists or that a security product has been purchased. It requires the company to determine whether the control is operating correctly and consistently across the systems that matter.

For example, a company may have multi-factor authentication enabled for most users while excluding a legacy system, service account, or administrative login. A written policy may require prompt account termination, even though several former employees still have active credentials. Security logs may be collected without anyone routinely reviewing them for unusual activity.

Documentation can also create a false sense of confidence when it no longer reflects the environment. A System Security Plan written a year ago may not include a new cloud platform, remote office, vendor connection, or production system. An SPRS score may remain unchanged even though the underlying technology and business processes have evolved.

For organizations using Microsoft 365, this also means taking a close look at how identities, devices, applications, and access policies are managed in practice. Microsoft Intune for endpoint management and device security can help create more consistent policy enforcement, but the technology still has to be configured around the organization’s real users, devices, workflows, and data-handling requirements.

Before affirming compliance, leadership should be able to ask whether the organization can support its answers with evidence. That evidence may include system configurations, access reviews, training records, policies, security reports, remediation documentation, screenshots, and records of completed testing.

The purpose is not to create paperwork for its own sake. It is to make sure the company’s written position and its actual security practices describe the same environment.

The More Likely Risk Is Gradual Drift

Most contractors will not respond to the suspension by deciding that cybersecurity no longer matters. The more realistic risk is gradual drift.

A project scheduled for this quarter gets moved to the next. An access review is skipped because the team is busy preparing for a major contract. A policy remains unchanged after the underlying software is replaced. A temporary workaround becomes part of the normal workflow because no one returns to correct it.

Individually, these decisions may seem minor. Over time, they create distance between what the organization believes is happening and what is actually happening.

This type of drift is common because technology environments are constantly changing. Employees adopt new tools, vendors receive additional access, systems are moved to the cloud, remote work expands, and files are shared in ways that were not considered when the original documentation was written.

As those environments become more distributed, secure cloud services and Microsoft cloud management can help organizations maintain better visibility across users, systems, applications, and data. That visibility becomes especially important when documentation and controls need to keep pace with changes in the actual environment.

An upcoming third-party assessment tends to bring those inconsistencies to the surface. Without an external deadline on the immediate calendar, contractors will need to create their own process for reviewing the environment, updating documentation, and closing security gaps before they become part of a larger problem.

Contractual Cybersecurity Obligations Still Apply

CMMC is one part of a broader set of cybersecurity responsibilities that may apply to companies working with the federal government.

Depending on the contract and the information involved, a contractor may still be subject to NIST SP 800-171 requirements for protecting Controlled Unclassified Information, DFARS clauses, cyber incident reporting obligations, SPRS assessment requirements, safeguarding standards, and security expectations passed down by a prime contractor.

The exact obligations vary, which is why contractors should review the language in their individual contracts, subcontracts, solicitations, and task orders with qualified legal and compliance advisors.

Contractors should also avoid assuming that every agreement will be affected in the same way. Existing contract language, specific DFARS clauses, prime contractor requirements, and future solicitation language will continue to shape the requirements that apply to each organization.

What does not vary is the broader principle. Delaying a third-party certification requirement does not automatically remove cybersecurity language that is already part of an active contract.

Recent enforcement activity also shows why that distinction matters.

In June 2026, Alabama defense contractor LOGZONE agreed to pay $507,144 to resolve False Claims Act allegations related to cybersecurity requirements in Navy contracts. The Department of Justice alleged that the company submitted claims for payment while knowingly failing to comply with required cybersecurity controls. The settlement resolved allegations, and there was no determination of liability.

The case was not simply about the absence of a CMMC certificate. It centered on the difference between what the contractor was allegedly required to do and what had actually been implemented.

The settlement also reinforces the government’s continued focus on cybersecurity representations and contractual compliance. Defense contractors should therefore avoid viewing CMMC certification and contractual cybersecurity obligations as interchangeable concepts. They are closely connected, but a delay in one does not erase the other.

How Contractors Can Use the Pause Productively

The announcement does not require companies to react with urgency or panic. It does, however, create an opportunity to step back and determine which parts of the work are improving real security and which parts were being completed primarily to satisfy an approaching certification date.

Review what has already been documented

Contractors should compare their current environment with the information already included in their SPRS score, System Security Plan, Plans of Action and Milestones, and previous self-assessments.

Important areas to revisit include:

  • Changes to systems, locations, vendors, and cloud applications
  • New users or administrative accounts
  • Open remediation work
  • Evidence supporting the current SPRS score
  • Differences between written policies and everyday practices
  • Contract-specific requirements that may still apply
  • Prime contractor expectations that have been passed down

Companies change quickly. Employees leave, vendors are added, systems are replaced, and cloud applications become part of normal workflows. Documentation that was accurate when it was created may no longer provide a complete picture.

Continue work that reduces actual security risk

Projects that improve identity security, endpoint protection, network security, monitoring, data handling, backups, and incident response remain valuable regardless of when the next certification phase begins.

These improvements support compliance, but they also reduce the risk of ransomware, account compromise, data loss, insider risk, and operational disruption. Contractors should be cautious about postponing projects that solve known security problems simply because the external assessment timeline has changed.

A Zero Trust security strategy can help bring identity verification, device controls, network access, and continuous monitoring into a more consistent operating model. That consistency can make it easier to maintain security over time rather than relying on one-time remediation before an assessment.

Test controls instead of assuming they work

A control may exist on paper without operating consistently in the real environment. Contractors can use the pause to verify that:

  • Former employees and vendors no longer have access
  • Multifactor authentication is applied where required
  • Backups can be restored
  • Administrative access remains appropriate
  • Security alerts are reviewed
  • Incident response procedures are understood and usable

Written procedures are important, but they do not always match everyday behavior. Testing helps reveal the places where documentation, technology, and actual employee practices have started to separate.

Build compliance into ongoing operations

CMMC readiness is easier to maintain when it becomes part of routine IT and business management rather than a large project completed before an assessment.

Access reviews can happen on a recurring schedule. Security policies can be updated when systems change. Evidence can be collected as work is completed, and remediation items can have assigned owners with realistic deadlines.

This approach may feel less dramatic than preparing for a single certification event, but it is far more sustainable. It also makes the organization less dependent on the pressure of an outside deadline to keep security work moving.

For organizations without enough internal capacity to maintain that rhythm, managed and co-managed IT services can provide ongoing monitoring, cybersecurity support, infrastructure oversight, documentation assistance, and additional expertise alongside the internal team.

CMMC 2026 Frequently Asked Questions

Was CMMC canceled in 2026?

No. The Pentagon suspended CMMC Phase II and paused later implementation milestones while it reviews the program. Phase I self-assessments remain in place, and existing contractual cybersecurity requirements may still apply.

What happened to CMMC Level 2 third-party assessments?

The planned expansion of mandatory Level 2 assessments through C3PAOs has been suspended while the Department reviews the program. That does not prevent the government from using select government-led assessments or enforcing cybersecurity requirements already contained in contracts.

Do defense contractors still need to comply with NIST SP 800-171?

Contractors that handle Controlled Unclassified Information are often required to meet NIST SP 800-171 requirements based on clauses included in their contracts or subcontracts. The Phase II suspension does not automatically remove those obligations.

Are SPRS scores still required?

Some contractors must still maintain current assessment information in the Supplier Performance Risk System. Requirements depend on the contract, the information being handled, and the applicable DFARS clauses.

Should contractors stop preparing for CMMC?

Most contractors should continue work that improves real cybersecurity, corrects known gaps, and supports accurate self-assessments. The certification process may change, but access control, data protection, documentation, monitoring, and incident response will remain important.

How All In Technology Supports CMMC Readiness

For many contractors, the most difficult part of CMMC is not understanding that cybersecurity matters. The challenge is translating a dense set of requirements into practical decisions about Microsoft 365, user accounts, endpoints, networks, backups, vendors, documentation, and employee workflows.

All In Technology helps organizations understand their current IT and cybersecurity environments, identify gaps, and create improvement plans that support both compliance readiness and stronger everyday protection.

The exact work depends on the organization, its contracts, and the information it handles. Support may include managed or co-managed IT services, Microsoft security, identity and access management, endpoint protection, network security, monitoring, backup and recovery planning, technical documentation, and coordination with legal or compliance professionals. Those capabilities are part of All In Technology’s broader IT, cybersecurity, cloud, network, and compliance support solutions.

All In Technology does not view compliance as a matter of simply installing a product or checking a list of requirements. The technology, documentation, employee processes, and leadership understanding all need to align.

The goal is to build an environment that can be explained clearly, supported with evidence, and confidently represented by the people responsible for affirming compliance.

The Timeline Changed, but the Responsibility Remains

The CMMC program may look different after the Pentagon completes its review. The assessment process could become more affordable, more flexible, or better aligned with the needs of small and midsized contractors.

Those changes may be necessary, and many organizations will welcome them with relief.

In the meantime, defense contractors remain responsible for understanding the information they hold, the requirements contained in their contracts, and the controls operating inside their environments.

The suspension provides additional time, but it does not provide certainty about what comes next. Organizations can spend that time waiting for another announcement, or they can use it to make sure their security programs are accurate, practical, and prepared for whatever form the next phase of CMMC takes.

Defense contractors or businesses that need help evaluating their current technology environment can contact All In Technology to discuss CMMC readiness and cybersecurity support.

All In Technology Full Color Logo