CMMC Phase 2 Suspended: What GovCons Must Do Now
A Practitioner’s Guide From a Veteran-Owned CMMC Consultancy with Cyber AB Registered Practitioners on Staff — What Actually Changed on July 13, 2026, What Didn’t, and Why the Signature You Put in SPRS Just Became the Riskiest Part of Your Compliance Program
BLUF — Bottom Line Up Front
CMMC Phase 2 is suspended. CMMC itself — and your compliance obligations — are not.
On July 13, 2026, the Department of War suspended the Phase 2 transition — the third-party audits that were coming this November — and put the certification program under a 60-day review. CMMC Phase 1 remains fully in force: contracts still require Level 1 (Self) and Level 2 (Self) assessments. DFARS 252.204-7012 is still in your contract, NIST SP 800-171 is still the standard, and you still have to score yourself in SPRS and personally affirm that score every year. With the auditors sidelined, that affirmation is now the government’s enforcement surface — and the Department of Justice has already used the False Claims Act to collect multimillion-dollar settlements from contractors whose scores didn’t match reality. The audit is gone. The liability isn’t. Don’t stop your compliance work — redirect it from audit prep to making sure the score you’re signing is one you can defend.
Key Takeaways
- On July 13, 2026, the Department of War (DoW — the renamed Department of Defense) suspended CMMC Phase 2, which would have required third-party certification assessments starting November 10, 2026. The suspension is effective immediately.
- Your legal obligation to protect government data did not change. DFARS clause 252.204-7012 and the NIST SP 800-171 security requirements behind it remain fully in force in your contracts.
- Self-assessments are still mandatory. During the suspension, contracts can only require CMMC Level 1 (Self) or Level 2 (Self) — and you still submit your score to SPRS and affirm it annually.
- The enforcement model just shifted from “pass an audit” to “sign an affirmation the Department of Justice can prosecute you over.” With third-party auditors sidelined, the accuracy of your self-attested SPRS score is now where all the legal risk lives — under the federal False Claims Act.
- A 60-day CMMC Reform Task Force will recommend what replaces the current program. Officials have not ruled out cancelling CMMC entirely — or bringing back a reformed version.
- The smart move for small contractors: don’t stop compliance work — redirect it. The audit is gone; the liability isn’t.
Table of Contents
- What Happened on July 13, 2026 — In Plain English
- The Acronyms, Decoded Once and For All
- What Changed vs. What Didn’t: Comparison Table
- The Two Memos Everyone Is Quoting (And What Each One Actually Does)
- The New Risk Center: Your SPRS Affirmation and the False Claims Act
- Frequently Asked Questions
- How Greypike Helps GovCons Navigate the Suspension
What Happened on July 13, 2026 — In Plain English
The Department of War announced that it is suspending the next phase of its cybersecurity certification program for defense contractors. That next phase — CMMC Phase 2 — was scheduled to begin on November 10, 2026, and it was the big one: the phase where many contractors handling sensitive government information would have needed to pass a formal audit by an outside certified assessment company before they could win new contracts.
That audit requirement is now on hold. So are all later CMMC rollout milestones. A government task force has 60 days to recommend what comes next, and senior officials have publicly declined to rule out ending the certification program altogether.
Here is what the announcement did not do — and this is where most of the confusion in the small-contractor community is coming from: it did not remove your contractual obligation to protect government information. It did not remove the requirement to assess your own systems and report your score to the government. And it did not remove the legal consequences for telling the government your cybersecurity is better than it actually is.
In our first client conversations since the announcement, the pattern is already clear: contractors are hearing “CMMC is dead” and concluding “compliance is dead.” Those are two very different statements, and confusing them is now the most expensive mistake a small GovCon can make.
The Acronyms, Decoded Once and For All
Defense compliance runs on acronyms, and the July 13 announcement used all of them. Here’s the plain-English translation:
DoW — Department of War. The renamed Department of Defense (DoD). Same building, same contracts, new letterhead. Older documents and clauses still say “DoD” or “Defense.”
CMMC — Cybersecurity Maturity Model Certification. The Department’s program for verifying that contractors actually implemented required cybersecurity. Think of it as the proctored exam. CMMC didn’t create the security rules — it was the mechanism for checking your work. CMMC has levels: Level 1 for basic federal contract information, Level 2 for contractors handling Controlled Unclassified Information, Level 3 for the most sensitive programs.
NIST SP 800-171 — National Institute of Standards and Technology Special Publication 800-171. This is the textbook the exam was based on: a list of 110 security requirements (access control, encryption, incident response, and so on) that any company handling Controlled Unclassified Information must implement. The current contractual baseline is Revision 2. This document is untouched by the suspension. It is still the standard you are measured against.
DFARS 252.204-7012 — Defense Federal Acquisition Regulation Supplement clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.” This is the clause physically inside your contract that makes NIST SP 800-171 legally binding on you. It also requires you to report cyber incidents to the Department within 72 hours. If this clause is in your contract — and for nearly everyone handling defense information, it is — your obligations today are identical to your obligations last week.
CUI — Controlled Unclassified Information. Sensitive-but-not-classified government information: technical drawings, specifications, export-controlled data. If CUI touches your systems, NIST SP 800-171 applies to those systems.
FCI — Federal Contract Information. A lower tier of information: not public, but not CUI. FCI triggers the 15 basic safeguarding requirements in FAR clause 52.204-21 and CMMC Level 1.
SPRS — Supplier Performance Risk System. The government database where you submit your NIST SP 800-171 self-assessment score (the scale runs from -203 to a perfect 110). Contracting officers check SPRS before award. Your SPRS score and annual affirmation are still required — and they just became the center of gravity for enforcement.
C3PAO — CMMC Third-Party Assessment Organization. The private audit firms certified to conduct CMMC Level 2 assessments. These are the outside auditors whose assessments can no longer be required in contracts during the suspension.
DIBCAC — Defense Industrial Base Cybersecurity Assessment Center. The government’s own audit team. Level 3 (DIBCAC) requirements are suspended in contracts — but note carefully: the Department explicitly reserved the right to conduct “select government-led assessments” during the review period. The government can still show up and check.
RP / RPA — Registered Practitioner / Registered Practitioner Advanced. Individual consultants trained and registered with the Cyber AB to help contractors prepare — as opposed to C3PAOs, which audit. You may also see RPO (Registered Provider Organization), the Cyber AB’s registration for consulting firms. Practitioners advise; C3PAOs judge.
FCA — False Claims Act. The federal law that lets the Department of Justice pursue anyone who knowingly submits false claims to the government — including false statements about cybersecurity compliance. Penalties include treble damages. Remember this one; it’s about to become the main character.
2026 – What Changed vs. What Didn’t: Comparison Table
| Requirement | Before July 13, 2026 | After July 13, 2026 |
|---|---|---|
| NIST SP 800-171 Rev 2 implementation | Required by DFARS 252.204-7012 | ✅ Still required — unchanged |
| DFARS 252.204-7012 (safeguarding + 72-hour incident reporting) | In force | ✅ Still in force — unchanged |
| SPRS self-assessment score + annual affirmation | Required | ✅ Still required — and now the primary enforcement surface |
| CMMC Level 1 (Self) / Level 2 (Self) in contracts | Rolling out under Phase 1 | ✅ Still allowed — the only CMMC designations contracts may include |
| CMMC Level 2 (C3PAO) third-party certification | Coming November 10, 2026 | ⛔ Suspended — cannot be required in solicitations or contracts |
| CMMC Level 3 (DIBCAC) assessments | Phased in later | ⛔ Suspended |
| Existing contracts containing C3PAO/DIBCAC requirements | Requirements applied | 🔄 Being removed by contract modification at the next option period or administrative modification |
| CMMC waivers | Available in limited cases | ⛔ Suspended — nothing left to waive |
| Government-led (“select”) assessments | DIBCAC audits for high-value programs | ✅ Explicitly continuing during the review |
| False Claims Act exposure for inaccurate attestations | Real, but overshadowed by the coming audits | ⚠️ Now the primary compliance risk for every contractor |
The Two Memos Everyone Is Quoting (And What Each One Actually Does)
Two official documents were released on July 13, 2026, both cleared for open publication under case number 26-P-1023. If you read secondhand summaries all week, here’s what the source documents actually say:
Document 1: The CIO Memorandum. Signed by Department of War Chief Information Officer Kirsten A. Davies, this is the policy decision. It suspends the November 2026 Phase 2 transition and all pending CMMC milestones, establishes the 60-day CMMC Reform Task Force, and defines the interim posture: enforcement of NIST SP 800-171 Rev 2 through self-assessments and select government-led assessments. It states in black and white that DFARS 252.204-7012 remains in effect. It also lists the free government cybersecurity resources that remain available to contractors — the DoW Cyber Crime Center, the NSA Cybersecurity Collaboration Center, and Project Spectrum.
Document 2: The Acquisition & Sustainment Memorandum. Signed by Under Secretary of War Michael P. Duffey, this is the implementation order — the instructions to the government’s own contracting workforce. Its Attachment 1 is where the operational details live:
- Program managers may only include CMMC Level 1 (Self) or Level 2 (Self) in procurement documents. Level 2 (C3PAO) and Level 3 (DIBCAC) designations are prohibited during the review.
- Active solicitations containing C3PAO or DIBCAC requirements must be amended “as soon as practicable.”
- Existing contracts containing those requirements will have them removed by modification before the next option period is exercised, or at the next administrative modification.
- No CMMC waivers will be granted during the review.
- Program offices retain the ability to require “additional cybersecurity protections as commensurate with law and regulation” — meaning sensitive programs can still impose stricter terms.
In our reading, the single most important sentence across both memos is the Task Force’s mandate: to recommend a framework that “replaces prohibitive, third-party compliance models with scalable, realistic security measures.” That is not neutral review language. The Department is telegraphing that whatever comes back in 60 days, it is unlikely to be the C3PAO audit regime with a new name.
The New Risk Center: Your SPRS Affirmation and the False Claims Act
Here is the part most of this week’s coverage is missing, and the part that matters most to a small contractor’s owner or CFO.
The enforcement model just shifted from “pass an audit” to “sign an affirmation the Department of Justice can prosecute you over.”
Under the old plan, a C3PAO auditor would eventually walk your environment and catch the gap between your paperwork and your reality before the government relied on it. Uncomfortable, expensive — but the auditor was, in a strange way, a safety net. If your score was wrong, a third party found it before the Department of Justice did.
That safety net is gone. What remains is your self-assessed score in SPRS and the annual affirmation — a named company official (an “Affirming Official,” typically an owner or senior executive) personally attesting to the federal government that the score is accurate and that compliance is being maintained. That signature is a statement to the government in connection with getting paid on federal contracts, which puts it squarely inside the False Claims Act.
This is not a theoretical risk. The Department of Justice’s Civil Cyber-Fraud Initiative was created specifically to pursue contractors who misrepresent their cybersecurity posture, and it has already produced multimillion-dollar settlements against defense contractors whose SPRS scores didn’t match their environments. FCA cases carry treble damages, and they are frequently initiated by whistleblowers — often a former IT employee who knows exactly which controls were checked off on paper but never implemented.
So run the logic forward. Third-party audits: suspended. Legal obligation to implement all 110 NIST SP 800-171 requirements: unchanged. Requirement to score yourself and personally affirm the result: unchanged. Government’s remaining enforcement tools: selective government-led assessments, and the False Claims Act.
The audit is gone. The liability isn’t. It just moved from a conference room with an assessor in it to the signature block of your annual affirmation.
This is why we tell contractors the worst response to the suspension is to freeze compliance work while continuing to affirm a compliant score. That combination doesn’t reduce your cost — it converts your compliance gap into personal legal exposure for whoever signs.
Frequently Asked Questions About the CMMC Phase 2 Suspension
Did CMMC get cancelled?
No. CMMC Phase 2 — the phase requiring third-party (C3PAO) certification assessments starting November 10, 2026 — was suspended, along with all later implementation milestones. Phase 1 self-assessment requirements remain fully in force. A 60-day CMMC Reform Task Force will recommend the program’s future, and officials have declined to rule out either cancelling CMMC entirely or returning with a reformed version. Until that review concludes, contracts may only require CMMC Level 1 (Self) or Level 2 (Self) assessments.
What is CMMC in plain English?
CMMC stands for Cybersecurity Maturity Model Certification. It is the Department of War’s program for verifying that defense contractors actually implemented the cybersecurity requirements already in their contracts. The security rules themselves come from NIST SP 800-171; CMMC was the mechanism for checking the work — through self-assessments at lower levels and third-party audits at Level 2 and above. The July 13 suspension paused the third-party audit portion, not the underlying security rules.
What is NIST SP 800-171 and do I still have to follow it?
NIST SP 800-171 is a publication from the National Institute of Standards and Technology listing 110 security requirements for protecting Controlled Unclassified Information (CUI) on contractor systems — covering access control, encryption, incident response, and more. Yes, you still have to follow it. The Department confirmed it will continue enforcing baseline compliance with NIST SP 800-171 Revision 2 through self-assessments and select government-led assessments during the suspension. The standard is unchanged.
What is DFARS 252.204-7012 and is it still in my contract?
DFARS 252.204-7012 is the Defense Federal Acquisition Regulation Supplement clause titled “Safeguarding Covered Defense Information and Cyber Incident Reporting.” It is the contract clause that legally requires you to implement NIST SP 800-171 and to report cyber incidents to the Department within 72 hours. Both July 13 memoranda state explicitly that this clause remains in effect. If it was in your contract last week, it is in your contract today, with identical obligations.
What is SPRS and do I still have to submit a score?
SPRS is the Supplier Performance Risk System — the government database where contractors submit their NIST SP 800-171 self-assessment score (on a scale from -203 to 110) and where a company official annually affirms the score’s accuracy. Yes, this is still required. In fact, with third-party audits suspended, your SPRS score and affirmation are now the government’s primary window into your compliance — and the primary surface for enforcement if the score is inaccurate.
Can I really get in legal trouble over my SPRS score?
Yes. Submitting a knowingly inaccurate score, or affirming compliance you aren’t maintaining, can constitute a violation of the federal False Claims Act — the law the Department of Justice’s Civil Cyber-Fraud Initiative uses against contractors who misrepresent cybersecurity compliance. FCA cases carry treble damages and are frequently initiated by whistleblowers. Several defense contractors have already paid multimillion-dollar settlements over inflated SPRS scores. With the audit safety net suspended, the accuracy of your attestation is where the legal risk now concentrates.
My contract already requires CMMC Level 2 (C3PAO) certification. What happens to it?
Per Attachment 1 of the Under Secretary’s implementing memorandum, contracting officers are directed to remove C3PAO and DIBCAC assessment requirements from existing contracts by modification — before the next option period is exercised, or during the next scheduled administrative modification. Active solicitations containing those requirements are being amended as soon as practicable. You don’t need to request this; it is being directed government-wide. All other cybersecurity clauses in your contract remain intact.
Do I still need to do anything before November 2026?
The November 10, 2026 deadline for Phase 2 third-party assessments no longer applies. But your standing obligations continue with no deadline relief: implement NIST SP 800-171 Rev 2, maintain a System Security Plan (SSP) and Plans of Action and Milestones (POA&Ms), keep a current and accurate score in SPRS, affirm it annually, and report cyber incidents within 72 hours. If your current SPRS score doesn’t reflect reality, correcting that is the most urgent item on your list — deadline or no deadline.
Should I stop my compliance project to save money?
Stopping entirely is the highest-risk option on the table. Your legal obligations under DFARS 252.204-7012 are unchanged, your affirmation risk just increased, the task force may return with a reformed program built on the same NIST SP 800-171 foundation, and prime contractors still expect their subcontractors to protect CUI. What you can reasonably defer is spending scoped specifically to third-party audit preparation — mock C3PAO assessments and certification-readiness reviews. Redirect that budget toward making your actual 800-171 posture and your SPRS score match, which is where both the legal risk and the security value now live.
Will prime contractors still require cybersecurity from subcontractors?
Yes. Primes flow DFARS 252.204-7012 down to subcontractors handling covered defense information, and they own supply-chain risk regardless of what the certification program does. With the government’s third-party verification suspended, several large primes are expected to lean harder on their own supplier cybersecurity requirements — meaning a small contractor’s ability to demonstrate real NIST SP 800-171 compliance may matter more to winning subcontract work, not less.
What are the two memos everyone keeps referencing?
Both were released July 13, 2026, under publication case 26-P-1023. The first, from Department of War Chief Information Officer Kirsten A. Davies, is the policy decision: it suspends Phase 2, creates the 60-day CMMC Reform Task Force, and defines the interim enforcement posture. The second, from Under Secretary of War for Acquisition and Sustainment Michael P. Duffey, is the implementation order to the contracting workforce; its Attachment 1 restricts contracts to Level 1 (Self) or Level 2 (Self), directs amendment of solicitations and modification of existing contracts, and suspends all CMMC waivers.
What is the CMMC Reform Task Force and what happens in 60 days?
The Task Force is a cross-department group directed to conduct a top-to-bottom review of CMMC and recommend a framework aligned with the Department’s Acquisition Transformation Strategy — one that, in the memo’s own words, “replaces prohibitive, third-party compliance models with scalable, realistic security measures.” Its report is due to the DoW CIO within 60 days, informed by a public Request for Information (RFI) where contractors can submit feedback. Possible outcomes range from a streamlined certification model to permanent reliance on self-assessment with government spot-checks. What is very unlikely to return unchanged is the mandatory universal C3PAO audit.
I’m a small shop that was avoiding defense work because of CMMC costs. Is now the time to enter?
The barrier just dropped substantially — that was the Department’s stated intent. Entering the Defense Industrial Base during the suspension means implementing NIST SP 800-171, standing up a defensible environment (a bounded CUI enclave keeps this affordable), submitting an honest SPRS score, and affirming it — with no six-figure certification audit standing between you and eligibility. The companies that build a right-sized, truthful compliance posture now will be positioned for whatever the task force produces, while competitors wait for certainty that may never fully arrive.
What is SPRS Attestation Assurance and why does it matter now?
SPRS Attestation Assurance is the discipline of making sure the score your company affirms in SPRS is one you can defend: an independent NIST SP 800-171 Rev 2 assessment of your environment, evidence collection for every claimed control, corrected scoring where paper and reality diverge, and support for the annual affirmation itself. It is False Claims Act risk management, priced at a fraction of what C3PAO certification preparation cost. With third-party audits suspended, this is the service model that matches the new enforcement reality: the audit is gone; the liability isn’t — and the signature your Affirming Official puts into a federal system deserves the same rigor the auditor would have brought.
What should a small defense contractor actually do this week?
Five things, in order: (1) Confirm which cybersecurity clauses are in your active contracts — DFARS 252.204-7012 in particular. (2) Pull your current SPRS score and honestly ask whether your environment supports it today. (3) If there’s a gap, prioritize closing it or correcting the score — an accurate lower score with a POA&M is defensible; an inflated score is a liability. (4) Keep any enclave, GCC High, or remediation project moving; defer only audit-prep-specific spending. (5) Watch for the task force’s RFI and consider submitting feedback — this is the rare window where small-business input directly shapes the replacement program.
How Greypike Helps GovCons Navigate the Suspension
Greypike is a Veteran-Owned consultancy whose Cyber AB Registered Practitioners (RP) and Registered Practitioners Advanced (RPA) work with small and mid-sized Defense Industrial Base contractors on NIST SP 800-171 and CMMC readiness every day. The most consistent observation across our engagements since the July 13 announcement: the contractors in the best position are the ones treating this as a change in enforcement mechanism, not a holiday from compliance.
Our SPRS Attestation Assurance service is built for exactly this moment: an independent NIST SP 800-171 Rev 2 assessment of your environment, control-by-control evidence collection, corrected SPRS scoring, and support for your Affirming Official through the annual affirmation — explicitly framed as False Claims Act risk management, at a fraction of the cost of the C3PAO certification journey that just left the stage. For contractors entering the DIB or right-sizing their footprint, our Managed Compliant Enclave deploys a hardened, CUI-compliant environment in your own Microsoft GCC High or Google Assured Workloads account — because a small, defensible boundary was the right answer under the audit regime, and it’s still the right answer under the attestation regime.
The audit is gone. The liability isn’t. If you’d like to know whether the score in SPRS next to your company’s CAGE code is one you’d be comfortable defending, that’s a conversation worth having this month — not after the task force reports.
Visit greypike.com, call (703) 214-9246, or book a scoping session to talk through your post-suspension compliance strategy.
Helpful Articles & Information
- What Is CMMC Phase 2 and Does It Affect Your DoD Contract?
- CMMC Scope Reduction: The 2026 Guide to Cutting Compliance Costs by 40%+
- How to Define Your CMMC Level 2 Assessment Boundary: A Step-by-Step Guide
- CMMC Level 2 for Small Defense Contractors: The Three Realistic Paths and What Each Actually Costs
- CUI vs FCI: Which of Your Systems Actually Need to Be CMMC-Certified?
- C3PAO vs RPO: Which Do You Need for CMMC Level 2?
- Greypike CMMC & NIST 800-171 Compliance Services
Authoritative External References
- DoW CIO — CMMC Resources & Documentation (official home of program documents, including the July 13, 2026 memoranda released under case 26-P-1023)
- DoW CIO — “Brilliant at the Basics” DIB Cybersecurity Campaign (the no-cost best-practices resource referenced in the Department’s announcement)
- NIST SP 800-171 Rev. 2 — Protecting Controlled Unclassified Information (official PDF)
- DFARS 252.204-7012 — Safeguarding Covered Defense Information and Cyber Incident Reporting (Acquisition.gov)
- 32 CFR Part 170 — CMMC Program Rule (eCFR)
- DOJ Civil Cyber-Fraud Initiative — Launch Announcement (U.S. Department of Justice)
- SPRS — Supplier Performance Risk System (official site)
About Greypike Inc.
Greypike Inc. is a Veteran-Owned cybersecurity and compliance firm based in Virginia, serving the Defense Industrial Base nationwide.
Credentials & Authority Signals:
- Veteran-Owned Small Business (VOSB) — SBA Certified
- Cyber AB Registered Practitioners (RP) and Registered Practitioners Advanced (RPA) on staff
- CAGE Code: 9WVS6
- Specialization: NIST SP 800-171 attestation assurance, CUI enclave architecture, SSP documentation, gap assessments, and ongoing compliance management for DIB contractors
- Service area: All 50 states; in-person engagements available in the Mid-Atlantic and DC Metro region
Greypike Inc. — Veteran-Owned. Mission-Focused. Compliance-Ready.





