By Troy Dahlin

If you’ve been bracing for a CMMC Level 2 audit this fall, take a breath, but don’t take your foot off the gas just yet.

On July 13, 2026, the Department of War hit pause on CMMC Phase II, the rule that was going to require a formal third-party assessment before you could win or keep certain defense contracts starting November 10, 2026. Phase III, the next step up for higher-level programs, is on hold too. The reason is refreshingly candid: there were over 100,000 defense contractors who needed an assessment, and only about 100 certified assessors in the country to do the work. The math didn’t add up, and the Department knew it.

That’s genuinely good news if you’ve been feeling squeezed by the timeline. But here’s the part that matters most for your business: the underlying cybersecurity requirements haven’t gone anywhere. What paused is the certification checkpoint, not your obligation to protect sensitive defense information, and not the expectations your prime contractors and the government still hold you to.

Here’s what we’re telling our clients this pause actually means.

What’s on Hold

  • The requirement for a formal C3PAO audit to win or keep contracts tied to Phase II
  • Phase III: the next tier of assessments that would have started in 2027
  • Any CMMC milestones already sitting in active solicitations, contracting officers are being told to go back and strip these requirements out of current contracts

What Hasn’t Changed (and This Is the Important Part)

We know “suspended” sounds like a green light to relax. It isn’t, and here’s why.

You’re still on the hook for protecting sensitive defense information. If your contracts include the DFARS cybersecurity clause, that obligation was never tied to whether CMMC certification existed; it’s been a contractual requirement for years, and it’s not going anywhere. So is the requirement to report cyber incidents quickly when something happens.

Self-assessments and SPRS scores still matter, maybe more than ever. The Department has said plainly that it’s going to lean on self-assessments and spot-check audits while this pause is in effect. That means the honesty and accuracy of your own score just became the thing under the microscope, not less scrutinized.

The government still takes false claims seriously. Companies that post an inflated or unsupported compliance score can face real legal and financial consequences under federal fraud enforcement; pausing the certification program doesn’t pause that risk. If anything, it raises the stakes on getting your self-assessment right.

The hardest, highest-value controls still count the most. A core set of your requirements carries outsized weight in your score, and that’s not up for negotiation in the review the Department is running. Whatever comes out of the 60-day review, that fundamental scoring reality is expected to hold.

What Happens Next

The Department has stood up a task force to gather feedback from businesses like yours and come back with recommendations in 60 days focused on making the *process* faster and more accessible for small and mid-sized companies. What it is not doing is reopening the core security standard itself. Leadership has been direct about this: the goal is less red tape, not a lower bar for security.

Our Advice: Keep Building

This is the moment to get ahead, not the moment to stand down. Here’s why:

Pauses have ended before, and they’ve ended with the bar the same or higher. CMMC went through a similar review-and-pause cycle back in 2021. It came back. Betting your business on a permanent reprieve is a risk we wouldn’t recommend taking.

A practice-run assessment is one of the smartest investments you can make right now. Rather than waiting to find out where the gaps are when it counts, a mock assessment lets you validate your score, catch surprises early, and walk in ready on your timeline, not a deadline.

Some of your toughest requirements were never eligible for a “fix it later” plan and that won’t change no matter what the review recommends. Building your roadmap around those now means you won’t be scrambling later.

Your prime contractors aren’t waiting either. Many have already built these cybersecurity expectations into their subcontracts on their own schedule, independent of what the federal government requires. Being ready protects your seat at the table with them, pause or no pause.

The bottom line – the certification appointment got pushed back. The work behind it didn’t. Businesses that keep moving now will be the ones ready to move fast whenever Phase II returns — and the ones best protected in the meantime.


Have questions about what this means for your specific contracts or timeline? Contact us today for a free consultation. We’re happy to walk through it with you.

This post reflects the CMMC Phase II suspension announced by the Department of War on July 13, 2026, and the ongoing 60-day CMMC Reform Task Force review. Guidance may evolve as the task force reports back. We’ll keep you posted.

Troy Dahlin is a Cybersecurity Compliance Specialist for Export Solutions -- a full-service consulting firm specializing in U.S. import and export regulations.