Articles
·
CMMC
·
14.07.2026

CMMC Phase II Suspended: What Organizations Need to Know

On July 13, 2026, the U.S. Department of War (DoW) announced a temporary suspension of the implementation of Phase II of the Cybersecurity Maturity Model Certification (CMMC) program. This phase was set to take effect on November 10, 2026. The suspension applies for a period of at least 60 days.

As a reminder, Phase II provided that, starting November 10, 2026, a CMMC Level 2 certification issued by an accredited third party (C3PAO) would be required for U.S. defence contracts.

Why the Suspension

The DoW indicates that the current certification process has proven too heavy and too costly. Among the reasons cited: a significant bureaucratic burden, a number of accredited auditors (C3PAOs) that falls well short of the number of companies to be certified, and costs that are difficult to absorb or justify for small subcontractors.

Over the coming weeks, the DoW will conduct a review of the program in order to reassess the certification process, reduce the administrative burden, and better align it with its priorities.

Official source: https://dodcio.defense.gov/cmmc/Resources-Documentation/

What the Suspension Changes (and What It Does Not)

To date, only the requirement to obtain a CMMC Level 2 certification performed by a C3PAO is temporarily suspended, for a period of at least 60 days. All other requirements remain in force and unchanged:

  • Organizations that handle Controlled Unclassified Information (CUI) must continue to maintain the security controls required by their contractual obligations. All applicable DFARS obligations remain in force.
  • Compliance with NIST SP 800-171 Rev.2 remains mandatory.
  • CMMC Level 1 and Level 2 self-assessments remain mandatory, and DoW contracts will continue to require them.
  • Annual submission of the SPRS score remains required where the contract calls for it.
  • A member of senior management must continue to provide an annual affirmation confirming compliance with NIST SP 800-171 Rev.2.
  • The DoW reserves the right to conduct random, unscheduled audits to verify the actual level of compliance.

One point deserves particular attention: any inaccurate information provided during a self-assessment, for example an erroneous SPRS score, could be interpreted by the DoW as an attempt at fraud. The organizations concerned would expose themselves to consequences under the False Claims Act.

What Organizations Should Consider

At this stage, continuing efforts toward CMMC and NIST SP 800-171 Rev.2 compliance remains the most prudent course for any organization that handles CUI.

Work already undertaken retains its full value. Implementing security controls, drafting policies and procedures, developing the System Security Plan (SSP), and collecting evidence will continue to strengthen your cybersecurity posture, regardless of the adjustments made to the program.

The DoW will continue to require organizations to demonstrate an appropriate level of compliance with the applicable requirements. Maintaining compliance with the 110 NIST SP 800-171 Rev.2 controls, where they apply, therefore remains essential. This suspension targets the third-party certification mechanism, not the underlying security standard.

We Are Following the Situation

The CMMC program is entering a review period whose conclusions are not yet known. StreamScan is following the file closely and will publish updates as the DoW clarifies its direction and final decisions.

To discuss the impact of this announcement on a CMMC compliance project, contact our team.