Understanding CMMC 2.0: A Crucial Update for DoW Contractors
TL;DR: CMMC 2.0 is the streamlined and enhanced version of the Cybersecurity Maturity Model Certification, designed to protect sensitive unclassified information within the Defense Industrial Base (DIB). It simplifies compliance into three clear levels, emphasizes NIST 800-171, and establishes a robust assessment framework. Major update: On July 13, 2026, the Department of War (DoW — formerly the Department of Defense) announced the immediate suspension of CMMC Phase II requirements, which were originally scheduled to take effect November 10, 2026, and launched a comprehensive review of the entire program. Phase 1 self-assessment requirements remain firmly in place, and contractors are still legally obligated to protect federal data under DFARS 252.204-7012.
Key Takeaways
July 13, 2026: The DoW suspended CMMC Phase II — the planned rollout of mandatory third-party (C3PAO) certification requirements — and established a CMMC Reform Task Force to conduct a top-to-bottom review of the program, with findings and recommendations due within 60 days.
Phase 1 remains fully in force. Annual Level 1 self-assessments and triennial Level 2 self-assessments, with scores entered into the Supplier Performance Risk System (SPRS) and annual executive affirmations, are still required.
NIST SP 800-171 Rev 2 remains the bedrock of CUI protection. During the pause, the DoW will enforce compliance through self-assessments and select government-led assessments.
The suspension reduces red tape, not security obligations. DFARS 252.204-7012 safeguarding requirements are unchanged, and inaccurate self-assessments still carry False Claims Act risk.
Proactive preparation is still essential for all DIB companies to maintain and secure DoW contracts — the standard isn't going away, even if the verification mechanism changes.
A note on naming: following the department's renaming, this article uses "Department of War (DoW)" for current matters and "Department of Defense (DoD)" in historical context.
July 13, 2026 Update: The DoW Suspends CMMC Phase II and Launches a Program Review
On July 13, 2026, the Department of War announced the immediate suspension of CMMC Phase II requirements, which had been scheduled to take effect on November 10, 2026. Under the program's phased implementation plan, Phase II would have begun inserting CMMC Level 2 certification requirements into applicable solicitations — meaning companies handling Controlled Unclassified Information (CUI) would have needed to pass an assessment by a CMMC Third-Party Assessment Organization (C3PAO) as a condition of contract award. Phase 3, planned for November 2027, would have introduced Level 3 government-led assessments by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).
All of that is now on hold. Alongside the suspension, DoW Chief Information Officer Kirsten Davies announced a CMMC Reform Task Force charged with completing a comprehensive, top-to-bottom review of the program within 60 days — putting its report and recommendations on track for roughly mid-September 2026. The department also signaled it will issue a Request for Information (RFI), giving DIB companies a direct channel to shape whatever comes next.
Why the suspension? The review is intended to align CMMC with Secretary of War Pete Hegseth's Acquisition Transformation System (ATS) directives, which prioritize speed to capability, lowering barriers for small, medium, and non-traditional businesses, and replacing bureaucratic compliance regimes with scalable, resilient cybersecurity measures. The department pointed to Small Business Administration findings that compliance costs were forcing innovative companies out of the defense industrial base, and to a stark capacity problem: more than 100,000 DIB companies would eventually need third-party assessments, while only around 100 authorized assessment organizations exist to perform them. As Davies put it: "We are not reducing cybersecurity through this measure. We are reducing the red tape."
What the suspension covers:
The November 10, 2026 Phase II transition and its C3PAO certification mandate.
Pending and future CMMC implementation milestones in DoW solicitations and contracts. Program managers and contracting officers have been directed to amend or modify any current solicitations or contracts that contain the suspended Phase II requirements.
What the suspension does NOT change:
Phase 1 requirements. The self-assessment obligations that took effect November 10, 2025 remain firmly in place (details below).
DFARS 252.204-7012. Contractors and subcontractors handling covered defense information are still contractually and legally required to safeguard it and report cyber incidents.
NIST SP 800-171 Rev 2 as the standard. During the interim period, the DoW will enforce compliance with NIST SP 800-171 Revision 2 through self-assessments and select government-led assessments.
Legal exposure. A false or inflated SPRS self-assessment score remains a False Claims Act risk.
Flow-down pressure. Prime contractors can — and many will — continue to require CMMC-aligned compliance from subcontractors regardless of the federal timeline.
Notably, at the announcement, DoW officials declined to rule out deeper restructuring of the program — or even outright cancellation — once the review concludes. For now, the prudent read is that this is a pause of the certification mechanism, not a repeal of the underlying security standard.
Understanding CMMC 2.0: How We Got Here
For any business engaged with the Department of War, navigating the evolving landscape of cybersecurity compliance is not just good practice — it's a contractual necessity. CMMC 2.0 represented a pivotal shift when it was unveiled, streamlining requirements and reinforcing the protection of Controlled Unclassified Information (CUI) across the Defense Industrial Base.
CMMC 2.0 was officially unveiled in late 2021, replacing the initial CMMC 1.0 framework. This update came in response to feedback from industry stakeholders, aiming to reduce complexity, increase clarity, and strengthen the overall security posture of the DIB. The core objective remains the same: ensure that all defense contractors and subcontractors adequately protect CUI and Federal Contract Information (FCI). After a years-long rulemaking process, the program rule (32 CFR Part 170) was finalized in late 2024, the contracting rule took effect on November 10, 2025, and Phase 1 of a planned three-year phased rollout began that same day. As of July 13, 2026, that rollout is paused at Phase 1.
Why the Original Change to 2.0? Addressing Industry Feedback and Enhancing Security
The original CMMC 1.0 faced criticism for its complexity, cost, and perceived barriers to entry, particularly for small and mid-sized businesses. The DoD recognized these challenges and initiated an internal review to enhance the program while maintaining its critical mission of safeguarding national security information. The result was CMMC 2.0, a more focused framework based on well-established NIST standards. The revisions were driven by a desire to:
Safeguard sensitive unclassified information (FCI and CUI) that is shared with defense contractors.
Streamline the CMMC standard and its associated requirements.
Provide additional clarity on compliance requirements.
Increase public trust in the CMMC ecosystem.
Focus on the most critical cybersecurity requirements to protect defense information.
In a telling echo of history, the very same concerns — cost, complexity, and barriers for smaller businesses — are what drove the July 2026 suspension and the current reform effort. The department has now concluded that even the streamlined 2.0 construct imposed prohibitive burdens on the industrial base.
The Three Levels of CMMC 2.0: What's Required (and What's Currently Enforced)?
CMMC 2.0 consolidated the original five maturity levels into three tiers, each tied to the type and sensitivity of the information handled. With Phase II suspended, only the self-assessment requirements at Levels 1 and 2 are currently being implemented through contracts.
Level 1: Foundational (FCI Protection) — ACTIVE
CMMC Level 1, known as 'Foundational,' applies to companies that handle Federal Contract Information (FCI) — information not intended for public release but that is not CUI.
Requirements: Implement the 15 security requirements in FAR clause 52.204-21. These are basic cyber hygiene controls.
Assessment (in force under Phase 1): Annual self-assessment conducted by the organization, with results entered into SPRS and an annual affirmation of compliance by a company executive.
POA&Ms: Not permitted at Level 1.
Level 2: Advanced (CUI Protection) — SELF-ASSESSMENT ACTIVE; C3PAO CERTIFICATION SUSPENDED
This is where the majority of defense contractors find themselves. CMMC Level 2, or 'Advanced,' is for companies handling CUI.
Requirements: Implement the 110 security requirements of NIST SP 800-171 Revision 2, as already required by DFARS clause 252.204-7012.
Assessment (in force under Phase 1): A self-assessment every three years, with results entered into SPRS and an annual affirmation of compliance by a company executive. A CMMC Status is valid for three years from the status date.
What's suspended: The Phase II requirement for triennial certification assessments by a C3PAO, which was expected to eventually apply to tens of thousands of companies on CUI contracts, is on hold pending the reform review.
POA&Ms: Permitted in limited circumstances as defined in 32 CFR § 170.21(a)(2), and must be closed out within 180 days. A conditional CMMC status becomes final once the POA&M closeout assessment is complete.
Level 3: Expert (CUI Protection in High-Risk Environments) — SUSPENDED
CMMC Level 3, or 'Expert,' targets companies handling CUI in the most critical programs and high-priority acquisitions.
Requirements: The 110 requirements of NIST SP 800-171 plus a subset of enhanced controls from NIST SP 800-172, addressing advanced persistent threats (APTs).
Assessment: Triennial government-led (DIBCAC) assessments — which were slated to enter contracts in Phase 3, beginning November 2027 — are now on hold along with the rest of the post-Phase 1 rollout.
Key Differences and Program Updates
Beyond the consolidated levels, CMMC 2.0 introduced several other significant changes that remain relevant context for the current review:
Elimination of Maturity Processes
CMMC 1.0 had 'maturity processes' for each level alongside practices. Those process requirements were removed in CMMC 2.0, focusing squarely on implementation of the cybersecurity practices themselves, as defined by NIST standards.
Alignment with NIST Standards
CMMC 2.0 is closely aligned with NIST SP 800-171 and 800-172. This matters even more now: the DoW has confirmed that during the suspension it will continue enforcing NIST SP 800-171 Revision 2 — so investment in meeting that standard retains its value no matter what the task force recommends. Every plausible outcome of the review keeps NIST SP 800-171 as the substantive security baseline.
Plans of Action and Milestones (POA&Ms)
CMMC 2.0 permits limited use of POA&Ms — a critical piece of industry feedback. Under the final rule, POA&Ms are not allowed at Level 1, and at Level 2 they are restricted to certain lower-weighted requirements and must be closed out within 180 days, with the closeout self-assessment performed in the same manner as the initial self-assessment.
Waivers
The department has indicated that waivers of CMMC requirements may be possible in very limited, mission-critical circumstances, approved by specific DoW personnel. With the entire framework now under review, expect the mechanisms for flexibility to be revisited as well.
Preparing in the Post-Suspension Landscape: What Your Business Needs to Do Now
The suspension changes the calendar — not the destination. Here are the crucial steps to take:
Identify Your CMMC Level: Determine which level applies to your organization based on the type of defense information you handle (FCI or CUI).
Keep Implementing NIST SP 800-171 Rev 2: For CUI handlers, this remains your contractual obligation under DFARS 252.204-7012 and the standard the DoW will enforce during the pause. Do not treat the suspension as a reason to slow down.
Complete an Accurate Self-Assessment and Post Your SPRS Score: Phase 1 requirements are fully in force. Remember that a misrepresented score is a False Claims Act liability, and annual affirmations must continue or your CMMC status lapses.
Conduct a Gap Analysis: Assess your current cybersecurity posture against the requirements for your level and identify gaps in controls, policies, and procedures.
Develop a Remediation Plan: Create a POA&M for identified gaps, prioritizing critical controls and mindful of the 180-day closeout window.
Implement and Document: Deploy the necessary controls and thoroughly document all processes, policies, and evidence of compliance. If it's not documented, it didn't happen.
Don't Abandon Certification Readiness: You do not need to schedule a formal C3PAO certification right now, but third-party verification could return in some form after the review — and many prime contractors will still expect assessment-ready postures from their supply chains. A mock assessment remains a smart way to validate your self-assessment.
Engage with the Review: Watch for the DoW's RFI and the task force report expected around September 2026. The RFI is the DIB's opportunity to provide direct feedback — bring real cost and implementation data.
Train Your Employees: Cybersecurity is a team effort. Ensure all employees understand their roles in protecting sensitive information.
The Role of Managed Cybersecurity Services
For many small and mid-sized businesses within the DIB, navigating this shifting landscape can be overwhelming. This is where partnering with a skilled cybersecurity services provider can be invaluable. Experts can assist with:
Gap Analyses and Readiness Assessments: Precisely identifying where your organization stands against NIST SP 800-171 and CMMC requirements.
Accurate SPRS Scoring: Helping you produce a defensible self-assessment score and affirmation.
Implementation Support: Deploying and configuring the necessary security controls, such as endpoint protection, email security, and vulnerability management.
Documentation and Policy Development: Creating the comprehensive documentation required for self-assessments today and any assessments the reformed program requires tomorrow.
Ongoing Monitoring and Management: Ensuring continuous compliance and rapid threat response through SOC & MDR services.
Strategic Guidance: Interpreting the task force's recommendations as they emerge and integrating them into your business strategy.
Choosing a partner who understands both the current requirements and the direction of reform can significantly de-risk your compliance journey while keeping you eligible for defense contracts.
Looking Ahead: CMMC at a Crossroads
CMMC now sits at an inflection point. Within roughly 60 days of the July 13 announcement, the CMMC Reform Task Force will deliver findings and recommendations, and the range of plausible outcomes is wide: Phase II could resume on new dates; third-party certification could be narrowed to higher-risk data or larger awards; verification could shift toward government-led or automated models; or the program could be restructured more fundamentally. Officials have not ruled out cancellation. Two planning anchors hold in every scenario: formal changes to 32 CFR Part 170 and the DFARS require rulemaking, which takes months rather than weeks; and NIST SP 800-171 Rev 2 remains the substantive security standard throughout.
The practical strategy for DIB companies is clear — build your security program around the standard itself, and stay adaptable about how compliance gets verified. Cyber threats against the defense supply chain are not pausing for a program review. Companies that maintain genuine, well-documented NIST SP 800-171 compliance will be positioned to win under whatever framework emerges, while contributing to the nation's overall security posture.
For defense contractors, understanding and acting on the July 2026 changes now is not an option; it's a strategic imperative.





