Cybersecurity & IT Support for Businesses Across NY & PA 

CMMC Phase II Is Paused. Prime Contractors May Still Expect Proof.

CMMC Phase II pause update for defense contractors and manufacturers

Update notice: This article reflects the Department’s July 13, 2026 announcement and guidance available as of July 15, 2026. CMMC policy may change following the Department’s ongoing review.

On July 13, 2026, the Department announced that it was immediately suspending the transition to Phase II of the Cybersecurity Maturity Model Certification program.

Phase II had been scheduled to begin on November 10, 2026 and would have expanded the use of third-party CMMC Level 2 assessments. The Department also suspended pending and future CMMC implementation milestones while a reform task force conducts a 60-day review of the program.

For many small defense contractors, that announcement brought immediate relief.

Companies that were preparing for a C3PAO assessment may now be asking whether they should cancel the assessment, pause cybersecurity projects, or stop preparing for CMMC altogether.

But the practical answer is not as simple as saying the deadline disappeared.

The federal implementation schedule has changed. The pressure to prove that cybersecurity controls are working may not have.

What the CMMC Phase II suspension actually changes

During the suspension, Department program managers and requiring activities may include only:

  • CMMC Level 1 self-assessment requirements
  • CMMC Level 2 self-assessment requirements

They may not designate a CMMC Level 2 C3PAO assessment or Level 3 DIBCAC assessment during the review period.

Active solicitations containing those assessment requirements are supposed to be amended. Existing contracts containing them are supposed to be modified before the next option period or during the next scheduled administrative modification, according to the Department’s implementation memorandum.

This is a significant change. A manufacturer preparing for a mandatory November C3PAO deadline should review its timeline, assessment agreement, and planned spending.

However, contractors should not assume that a press release automatically changes the terms of a specific solicitation, purchase order, subcontract, or supplier agreement.

Look for the actual amendment or contract modification. Until you receive it, clarify the requirement with the appropriate contracting authority or prime customer.

What has not gone away

The Department was explicit that Phase I self-assessment requirements remain in place.

During the review, cybersecurity compliance will continue to be addressed through NIST SP 800-171 Revision 2 self-assessments and selected government-led assessments. DFARS 252.204-7012 requirements for protecting covered defense information also remain active.

Depending on the work your company performs, continuing responsibilities may include:

  • Protecting Federal Contract Information or Controlled Unclassified Information
  • Maintaining a current System Security Plan
  • Conducting an accurate NIST SP 800-171 assessment
  • Maintaining a current score in the Supplier Performance Risk System
  • Completing applicable CMMC self-assessments and affirmations
  • Reporting cyber incidents when required
  • Flowing applicable requirements down to subcontractors
  • Providing access for selected government-led assessments

For applicable solicitations, DFARS 252.204-7019 continues to require a current NIST SP 800-171 assessment to be posted in SPRS before award. DFARS 252.204-7020 also gives the government the ability to conduct Medium or High assessments when necessary.

CMMC Phase II may be paused. The responsibility to protect defense information is not.

Prime contractors are still a major enforcement point

The federal CMMC rollout is only one source of cybersecurity pressure in the Defense Industrial Base.

Prime contractors decide which suppliers they are prepared to trust with technical drawings, specifications, manufacturing data, engineering files, customer portals, and other sensitive information.

They also carry responsibility for flowing applicable requirements down through their supply chains.

Under the CMMC rule, a subcontractor handling CUI must have at least CMMC Level 2 Self status. A formal Level 2 C3PAO requirement flows down when the associated prime contract includes that requirement.

That formal distinction matters. A prime contractor cannot simply create an official government C3PAO requirement that is disconnected from the associated prime contract.

However, primes still control supplier qualification, subcontract awards, approved-vendor programs, and access to their information.

A prime may continue asking suppliers for:

  • A current SPRS score
  • Confirmation of NIST SP 800-171 implementation
  • A System Security Plan
  • Cybersecurity questionnaires
  • Evidence of multi-factor authentication
  • Access-control procedures
  • Incident-response documentation
  • Security policies and training records
  • Independent testing or assessment results
  • Compliance with the prime’s own information-security terms

Major prime contractors already maintain public supplier cybersecurity requirements and resources built around NIST SP 800-171, SPRS, DFARS, and CMMC obligations.

For a smaller machine shop or component manufacturer, the distinction between a government mandate and a customer requirement can feel academic.

A supplier can still lose an opportunity if a prime does not believe it can safely handle sensitive information.

The real question is not whether CMMC is “gone”

The better question is:

What will our current and prospective prime customers expect us to prove?

That answer may vary by customer, program, subcontract, and type of information involved.

One prime may accept a current Level 2 self-assessment and an accurate SPRS score. Another may conduct its own supplier review. A third may reserve certain programs for suppliers that can provide stronger independent assurance.

The federal pause could reduce immediate assessment pressure for some contractors. It does not guarantee that primes will lower their supplier-security standards.

In some cases, primes may become more important as enforcement shifts away from a single approaching federal certification date and toward customer-specific risk decisions.

Should defense contractors pause CMMC preparation?

Some CMMC-related plans deserve to be reconsidered. Others should continue.

Work that should generally continue

Continue work that protects information, supports current contracts, or addresses a real cybersecurity weakness:

  • Clarifying where CUI is stored, processed, and transmitted
  • Correcting inaccurate SPRS scores
  • Maintaining the System Security Plan
  • Improving identity and access controls
  • Enforcing MFA where required
  • Removing shared accounts and unnecessary permissions
  • Protecting and monitoring endpoints
  • Testing backups and recovery procedures
  • Maintaining incident-response capabilities
  • Collecting evidence that controls are operating
  • Reviewing subcontractor access and flowdown obligations

These activities are not useful only because an assessor might ask about them. They protect contracts, intellectual property, customer relationships, and daily operations.

Work that should be reassessed

Review projects or expenses that were driven primarily by the former November 2026 transition:

  • The timing of a C3PAO engagement
  • Assessment deposits and scheduling agreements
  • Consulting contracts based on the former deadline
  • Large technology purchases that were never properly scoped
  • Plans that assume every system must be placed inside the CMMC boundary
  • Accelerated remediation that could now be completed more carefully

Reassessment does not automatically mean cancellation. It means confirming that the expense still solves a real requirement.

What contractors should not assume

Do not assume:

  • The announcement canceled CMMC
  • Every contract will change immediately
  • Prime contractors will stop reviewing supplier cybersecurity
  • Existing DFARS obligations disappeared
  • An inaccurate SPRS score no longer matters
  • CUI can be handled without appropriate safeguards
  • All current remediation work is unnecessary

The safest approach is neither panic nor complete inaction.

It is to separate active obligations, customer expectations, security needs, and assessment-related spending.

CMMC Pause: Continue, Reassess, or Do Not Assume?

The right decision depends on your contracts, customer requirements, information environment, and the purpose behind the planned work.

Continue

Security and active obligations

  • Protecting CUI and FCI
  • Maintaining accurate self-assessments
  • Correcting material security weaknesses
  • Maintaining the SSP and supporting evidence
  • Reviewing customer and subcontract requirements
Reassess

Timing, scope, and spending

  • C3PAO scheduling and deposits
  • Projects driven by the former November date
  • Consulting agreements and timelines
  • The size of the CUI environment
  • Technology purchases made without clear scoping
Do Not Assume

Requirements disappeared

  • Every contract changed automatically
  • Primes will stop reviewing suppliers
  • SPRS accuracy no longer matters
  • Existing DFARS clauses are inactive
  • Cybersecurity work can be abandoned

This framework is general guidance. Review the actual requirements in your contracts, solicitations, purchase orders, and prime-contractor agreements.

Use the pause to get your scope right

Many defense contractors began preparing for CMMC before fully understanding where their CUI lives.

That can lead to an oversized assessment boundary and unnecessary cost.

For example, a manufacturer may initially assume its entire network, every employee, and every workstation must be included. A closer review may show that CUI can be limited to a smaller group of employees, systems, devices, or cloud resources.

A well-defined scope can make security easier to manage and evidence easier to maintain.

Use this period to answer:

  1. Do we receive, create, or store CUI?
  2. Which contracts or customers send it to us?
  3. How is it marked or identified?
  4. Which employees can access it?
  5. Which systems process, store, or transmit it?
  6. Is it being copied into email, file shares, workstations, backups, or shop-floor systems unnecessarily?
  7. Which outside vendors can access the environment?
  8. What cybersecurity requirements appear in our prime-customer agreements?
  9. Does our current SPRS score accurately reflect our implementation?
  10. Could a better-defined enclave reduce our compliance boundary?

Better scoping helps a contractor regardless of what the reform task force ultimately recommends.

A practical plan during the CMMC review

Defense contractors should use the review period to make better decisions, not to wait passively.

1. Review current contract language

Check active solicitations, contracts, subcontracts, purchase orders, cybersecurity addenda, and supplier terms.

Do not rely only on broad announcements.

2. Contact your prime customers

Ask whether their supplier cybersecurity requirements are changing.

Questions may include:

  • Will you continue requiring a current SPRS score?
  • Are supplier cybersecurity questionnaires changing?
  • Will you request independent verification for specific programs?
  • Are existing purchase-order requirements being modified?
  • What proof will be required for future bids?

3. Maintain applicable self-assessments

The Department has confirmed that Level 1 and Level 2 self-assessments remain available during the suspension. Level 2 Self currently covers the 110 requirements in NIST SP 800-171 Revision 2 and requires annual affirmation.

4. Keep correcting material security gaps

Weak MFA, shared accounts, unprotected endpoints, missing logging, excessive permissions, and untested backups remain risks even when an assessment date moves.

5. Reevaluate major assessment spending

Review C3PAO agreements, accelerated projects, and technology purchases against current requirements.

A pause can be used to reduce waste without abandoning necessary work.

6. Preserve your evidence

Policies, logs, training records, access reviews, configuration records, and test results may still be requested by customers, government assessors, insurers, or future CMMC assessors.

7. Watch official guidance

The Department has established a reform task force and requested recommendations within 60 days. Until new guidance is released, predictions about the final program remain predictions.

How Micro Solutions helps defense contractors respond

Micro Solutions helps small and mid-sized defense contractors understand how cybersecurity requirements connect to their actual systems, contracts, and operations.

That can include:

  • Reviewing where CUI may exist
  • Identifying which systems belong in scope
  • Assessing current cybersecurity controls
  • Helping establish a realistic SPRS score
  • Building a prioritized remediation roadmap
  • Improving documentation and evidence collection
  • Supporting internal IT staff
  • Managing security controls over time

We do not assume every system needs to be replaced or every project needs to continue at its previous pace.

The goal is to help contractors understand what remains necessary, what should be reassessed, and how to build a cybersecurity program that supports both compliance and continued eligibility in the defense supply chain.

Important: This article provides general information and is not legal, procurement, or contracting advice. Contractors should review their specific contracts, solicitations, supplier agreements, and customer requirements with the appropriate qualified professionals.

CMMC Planning After the Pause

Review Your CMMC Plan Before Making the Next Investment

The federal schedule changed, but your contracts, prime-customer expectations, and security responsibilities may not have. Micro Solutions can help you identify what still needs attention, what should be reassessed, and where unnecessary cost may be avoided.

CMMC Phase II Suspension

Frequently Asked Questions

Answers to common questions from defense contractors and manufacturers responding to the CMMC Phase II pause.

Has CMMC been canceled?

No. The Department suspended the transition to CMMC Phase II and other pending implementation milestones while it reviews the program. Phase I self-assessment requirements remain in place, and contractors still have obligations to protect applicable federal and defense information.

Are CMMC Level 2 third-party assessments still required?

Department program managers and requiring activities may not designate CMMC Level 2 C3PAO assessments during the suspension. Contractors should still review their actual solicitation, contract, subcontract, and customer requirements rather than assuming every existing document has changed automatically.

Are CMMC Level 2 self-assessments still active?

Yes. The Department has stated that Level 1 and Level 2 self-assessment requirements remain available during the suspension. Level 2 Self is aligned with the 110 requirements in NIST SP 800-171 Revision 2 and includes annual affirmation requirements.

Does NIST SP 800-171 still apply?

Yes, when it is required by the applicable contract or subcontract. The Department stated that it will continue enforcing NIST SP 800-171 Revision 2 through self-assessments and selected government-led assessments during the review period.

Can a prime contractor still require proof of cybersecurity?

Yes. Prime contractors may review suppliers before awarding work or granting access to sensitive information. Depending on the customer and program, a prime may request an SPRS score, System Security Plan, security questionnaire, policies, technical evidence, or compliance with its own supplier-security terms.

Can a prime still require an official Level 2 C3PAO assessment?

Under the formal CMMC flowdown structure, a subcontractor’s Level 2 C3PAO requirement is tied to the requirement in the associated prime contract. During the suspension, the Department has directed that those requirements not be designated in procurement documents. A prime may still establish other supplier-security or independent-verification expectations within the limits of applicable contracts, laws, and regulations.

Should we cancel a scheduled C3PAO assessment?

Do not cancel automatically. Review the agreement, refund terms, current contract language, expected prime-customer requirements, and the likelihood that the assessment will still provide business value. Some contractors may reasonably delay an assessment, while others may benefit from continuing.

Does our SPRS score still matter?

Yes. Applicable solicitations may still require a current NIST SP 800-171 assessment in SPRS before award. Prime contractors may also review SPRS information or ask suppliers to confirm their current security posture.

Should our company continue preparing for CMMC?

Continue work that protects sensitive information, supports active contractual obligations, corrects material security gaps, or helps you meet prime-customer expectations. Reassess expenses and schedules that were based only on the former November 2026 transition date.

When will the Department announce what happens next?

The Department established a reform task force to conduct a comprehensive review and deliver recommendations within 60 days of the July 13, 2026 announcement. Further guidance is expected after that review, but the timing and final outcome are not yet certain.

These answers provide general information. Requirements can vary by contract, subcontract, customer, program, and the type of information being handled.

To top