Full Report
The Pentagon is suspending the ramp up of new Cybersecurity Maturity Model Certification third-party assessment requirements, while also launching a sweeping review of the CMMC program that once again calls into question the future of the contractor cyber compliance regime. In a July 13 announcement, the Defense Department said it is suspending plans to introduce…
Analysis Summary
# Regulation/Compliance: CMMC Program Update (July 2026 Suspension)
## Overview
The Department of Defense (DoD) has announced a suspension of the planned expansion of the Cybersecurity Maturity Model Certification (CMMC) program. Specifically, the "Phase Two" ramp-up of mandatory third-party assessments has been halted pending a sweeping program review. While the future of the contractor compliance regime is under evaluation, existing self-assessment requirements remain in effect.
## Key Details
- **Issuing Authority:** U.S. Department of Defense (Pentagon)
- **Effective Date:** July 13, 2026 (Date of suspension announcement)
- **Jurisdiction:** U.S. Defense Industrial Base (DIB)
- **Status:** Under Review (Phase Two Suspended; Phase One In Effect)
## Requirements
### Mandatory Requirements
1. **CMMC Phase One Self-Assessments:** Contractors must continue to perform and submit self-assessments for applicable contracts as mandated by the rules that went into effect in November 2025.
2. **Standard NIST SP 800-171 Compliance:** Adherence to existing cybersecurity standards for protecting Controlled Unclassified Information (CUI) remains a contractual obligation.
### Recommended Practices
1. **Maintain Audit Readiness:** Despite the suspension of third-party requirements, organizations should maintain documentation as if an audit were imminent to avoid gaps if the program resumes.
2. **Internal Gap Analysis:** Continue identifying vulnerabilities in the protection of sensitive but unclassified information.
## Affected Organizations
- **Industries:** Defense Industrial Base (DIB), including aerospace, manufacturing, IT services, and any contractor handling sensitive DoD data.
- **Organization Size:** All sizes (Prime contractors and subcontractors).
- **Geographic Scope:** Global (Any entity contracted by the U.S. DoD).
## Compliance Timeline
- **November 2025:** Phase One (Self-assessments) went into effect; **Remains Active.**
- **July 13, 2026:** Pentagon announces suspension of Phase Two and launches a sweeping review.
- **November 10, 2026:** Original target for mandatory third-party assessments across all sensitive contracts; **Now Suspended.**
- **Future Date (TBD):** Results of the Pentagon review will determine new milestones.
## Implementation Guidance
### Assessment Phase
- Review current contracts to determine if they fall under the active Phase One self-assessment mandate.
- Conduct an internal audit against the CMMC level appropriate for your current CUI handling.
### Implementation Phase
- Halt investments specifically tied to hiring C3PAOs (Certified Third-Party Assessment Organizations) for Phase Two until new guidance is issued.
- Focus resources on remediating technical gaps identified in Phase One self-assessments.
### Validation Phase
- Validate that self-assessment scores submitted to the Supplier Performance Risk System (SPRS) are accurate and supported by evidence.
## Technical Requirements
- **NIST SP 800-171:** The fundamental technical framework remains the basis for CMMC. Requirements include Access Control, Incident Response, Risk Assessment, and System and Communications Protection.
- **CUI Protection:** Maintaining technical controls to ensure sensitive but unclassified information is encrypted and isolated.
## Penalties & Enforcement
- **Fines:** Potential False Claims Act (FCA) implications if self-assessments are found to be intentionally inaccurate.
- **Other Consequences:** Loss of eligibility for new DoD contracts; potential termination of existing contracts for non-compliance with Phase One requirements.
- **Enforcement:** Managed via the Defense Contract Management Agency (DCMA) and through the SPRS reporting system.
## Related Standards
- **NIST SP 800-171:** The primary set of 110 controls that CMMC is designed to validate.
- **DFARS 252.204-7012:** The overarching regulation requiring the protection of guarded defense information.
## Resources
- **Official Documentation:** [h]ttps://www.acq.osd.mil/cmmc/ (General CMMC Portal)
- **Guidance Documents:** [h]ttps://federalnewsnetwork.com/cybersecurity/2026/07/pentagon-suspends-cmmc-phase-two-requirements-launches-review-of-program/
## Practical Recommendations
- **Stay Informed:** Monitor official DoD communications for the outcome of the "sweeping review" to see if CMMC will be significantly modified or rebranded.
- **Do Not Relax Security:** The suspension applies to the *assessment mechanism* (third parties), not the *security requirements* themselves. Organizations should continue to reinforce their cybersecurity posture to protect against increasing nation-state threats.
- **Budget Reallocation:** Consider reallocating budget set aside for third-party certification fees toward internal security tooling and staff training in the interim.