The deadline changed. The engineering obligation did not. Re-sequence rather than stand down.
On July 13, 2026, the Department of War suspended the planned CMMC Phase II transition and all pending or future CMMC implementation milestones. The announcement immediately changed the acquisition timeline. It did not eliminate applicable contractual duties to safeguard Federal Contract Information (FCI) or covered defense information, including Controlled Unclassified Information (CUI). Those duties depend on the clauses incorporated into each instrument, including FAR 52.204-21 or its current FAR Part 40 deviation counterpart, FAR 52.240-93, and DFARS 252.204-7012.
The most important detail sits in the Department’s implementation memorandum: during the suspension, acquisition teams may designate only CMMC Level 1 (Self) or Level 2 (Self). They may not designate Level 2 (C3PAO) or Level 3 (DIBCAC). This is broader than a delay to third-party Level 2 assessments alone.
| Property | Current status |
|---|---|
| Policy memorandum signed | July 10, 2026 |
| Department announcement | July 13, 2026 |
| Effective status | Effective immediately; Phase II and all pending or future implementation milestones suspended until further notice |
| Program review | CMMC Reform Task Force report due to the DoW CIO within 60 days of the July 10 memorandum |
| Industry feedback | RFI responses due August 14, 2026 at 12:00 p.m. ET |
Official direction: Read the Department of War press release, the CIO reform memorandum, and the Acquisition and Sustainment implementation memorandum together. The implementation memorandum contains acquisition instructions that are more specific than the press release.
The Short Version
- DoW acquisition teams may currently designate only CMMC Level 1 (Self) or CMMC Level 2 (Self) in procurement requests and requirement documents.
- They may not designate Level 2 (C3PAO) or Level 3 (DIBCAC) during the suspension.
- Active solicitations containing those designations must be amended. Existing contracts and agreements are to be modified before the next option exercise or during the next scheduled administrative modification.
- DFARS 252.204-7012, applicable NIST SP 800-171 Rev. 2 obligations, and separate government Medium and High NIST SP 800-171 DoD assessment authority remain in force where the relevant clauses are incorporated. Existing instruments may use DFARS 252.204-7019 and 252.204-7020; solicitations and contracts issued under Class Deviation 2026-O0025 use DFARS 252.240-7997.
- No revocation of an existing CMMC status was announced. Voluntary CMMC Level 2 certification assessments may continue and C3PAOs may issue certificates, but the July 13 documents do not guarantee how those statuses will be valued in future DoW procurements.
- Do not stop remediation. Use the review window to reduce the CUI boundary, close real control gaps, make the documentation match production, and ensure every submission is supported by evidence.
What the Official Documents Changed
The July 10 memorandum, announced publicly on July 13, pauses the planned transition beyond Phase 1 and directs a 60-day review of the program. It does not simply exchange a private assessor for a government assessor.
| Area | Direction during the suspension |
|---|---|
| Permitted CMMC designations | Level 1 (Self) and Level 2 (Self) |
| Paused designations | Level 2 (C3PAO) and Level 3 (DIBCAC) |
| Later milestones | All pending and future CMMC implementation milestones held in abeyance |
| Active solicitations | Amend as soon as practicable to remove Level 2 C3PAO or Level 3 DIBCAC requirements |
| Existing contracts or agreements | Remove those requirements by modification before the next option or during the next scheduled administrative modification |
| Waivers | No CMMC waivers will be granted during the review |
| Interim enforcement | Phase 1 CMMC self-assessment designations, separate government-led NIST SP 800-171 assessments, and applicable contractual cybersecurity clauses, where incorporated |
Suspension is not repeal
32 CFR Part 170 still defines the CMMC program. Its provisions for Level 2 C3PAO assessments and Level 3 DIBCAC assessments remain published. DFARS 252.204-7021 also remains published.
The July 13 action is an immediate implementation suspension and acquisition directive while reform is studied, not a completed repeal or replacement of those authorities. Preserve reusable architecture, evidence, and program artifacts, but do not keep treating the former November 10, 2026 transition as an active deadline.
The suspension limits current DoW procurement designations. It does not prohibit C3PAOs from conducting voluntary Level 2 certification assessments or issuing certificates, although the July 13 documents do not guarantee how a newly issued certificate will be treated in future DoW procurements.
A signed requirement does not disappear by press release
The implementation memorandum directs contracting and agreements officers to issue amendments and modifications. It does not say every signed document changed automatically on July 13. If a live solicitation, contract, option, other transaction agreement, or subcontract contains a Level 2 C3PAO or Level 3 DIBCAC requirement, obtain the actual amendment or modification and evaluate its effective language.
What Remains in Force
Phase 1 self-assessment requirements, where designated
During the suspension, Level 1 (Self) and Level 2 (Self) remain the only permitted CMMC designations. Which level applies, along with the applicable assessment cadence, affirmation, and Supplier Performance Risk System (SPRS) submission requirements, depends on the solicitation or contract and its incorporated clauses. For FCI, existing instruments may contain FAR 52.204-21, while current FAR Part 40 deviations use FAR 52.240-93, Basic Safeguarding of Covered Contractor Information Systems. A Level 2 requirement should not be inferred merely because an organization participates in the Defense Industrial Base.
Test the deployed system, not an aspirational design. Evidence should support each assessment objective marked MET.
DFARS 252.204-7012 obligations
The Department expressly preserved DFARS 252.204-7012. Where the clause is incorporated, its obligations extend beyond implementing the 110 NIST SP 800-171 security requirements. They include:
- adequate security for covered contractor information systems;
- rapid reporting of covered cyber incidents within 72 hours of discovery;
- after discovery of a covered cyber incident, preservation and protection of images of known affected systems and relevant monitoring or packet-capture data for at least 90 days from submission of the incident report;
- upon Department request, access to additional information or equipment needed for forensic analysis;
- cloud-service requirements; and
- applicable subcontractor flowdown.
Certification timing never replaced these duties, and its suspension does not remove them.
The separate NIST SP 800-171 assessment regime
Separate government Medium and High NIST SP 800-171 DoD assessment authority remains. Existing instruments may still incorporate DFARS 252.204-7019 and DFARS 252.204-7020. For solicitations and contracts issued under current Class Deviation 2026-O0025, effective February 1, 2026, the applicable assessment clause is DFARS 252.240-7997, NIST SP 800-171 DoD Assessment Requirements. Government Medium or High assessments can still occur where applicable.
These government assessments are distinct from CMMC Level 3 assessments. The implementation memorandum pauses Level 3 DIBCAC designations while the Department retains separate authority to conduct select government-led NIST SP 800-171 assessments.
Accurate representations
The suspension creates no False Claims Act safe harbor. Knowingly false and material cybersecurity representations, affirmations, or payment claims can still create exposure. In its June 18, 2026 LOGZONE settlement announcement, the Department of Justice alleged that the company knowingly submitted false or fraudulent payment claims while failing to comply with contractual NIST SP 800-171 requirements. The settlement agreement also records a substantial disparity between the company’s earlier 110 self-assessment score and its later −170 government assessment. The claims resolved were allegations only, with no determination of liability.
Align SPRS scores, affirmations, SSP statements, and proposal claims with evidence. Obtain legal advice for a specific disclosure, certification, or False Claims Act question.
What This Means for Your Current Situation
| Situation | Practical response |
|---|---|
| Active solicitation requires Level 2 C3PAO or Level 3 DIBCAC | Track the promised solicitation amendment. Do not assume relief until the contracting or agreements officer issues it. |
| Existing agreement contains one of those requirements | Identify the next option and scheduled administrative modification. Request written direction and review the issued modification. |
| Current Level 1 or Level 2 self-assessment requirement | Continue to assess, affirm, and report in SPRS as the applicable requirement directs. Keep evidence aligned to the submitted result. |
| Existing CMMC status | No revocation was announced. Continue any maintenance and affirmation duties that apply, but do not assume the reform outcome or future procurement value. |
| Planned or contracted voluntary C3PAO assessment | Level 2 C3PAO certification assessments may continue voluntarily, and C3PAOs may issue certificates. Confirm the contractual purpose, cancellation terms, and expected business value before committing more spend; the July 13 documents do not guarantee future DoW procurement value. |
| Prime or subcontractor relationship | Review the actual subcontract. Required flowdowns and additional supplier terms are distinct, and a prime may change its expectations on a different schedule. |
| Selected for a government NIST assessment | Identify the incorporated authority: existing instruments may include DFARS 252.204-7019 and 252.204-7020, while current instruments issued under Class Deviation 2026-O0025 use DFARS 252.240-7997. Validate the assessment scope, evidence, and score recorded in SPRS. |
Early industry commentary correctly emphasized that NIST SP 800-171 and DFARS obligations remain. For example, Schellman’s July 14 analysis warned against treating the pause as the end of CMMC. The more detailed acquisition memorandum adds an important correction: both Level 2 C3PAO and Level 3 DIBCAC designations are paused for current procurement use. The continuing government assessment authority is a separate NIST assessment mechanism, not merely a change in who performs the same CMMC assessment.
A Better Use of the 60-Day Window
Advisory note: bladestack.io is an accredited 3PAO listed on the FedRAMP Marketplace as “Advisory Focused” and operates exclusively as an advisory firm. This analysis reflects our professional interpretation.
The wrong response is to freeze the program. The useful response is to separate deadline-driven spending from security work that remains contractually and operationally valuable.
1. Re-baseline contractual truth
Build a clause and commitment register for each relevant prime contract, subcontract, solicitation, and agreement. Record the CMMC designation, DFARS clauses, CUI and FCI assumptions, SPRS obligations, option dates, and pending amendments. Assign an owner to verify every change in writing.
2. Minimize the boundary before buying more controls
Trace where CUI enters, moves, is stored, is backed up, and leaves. Then reduce the assessment boundary through sound segmentation and deliberate product design. A smaller, accurate boundary lowers implementation complexity without pretending the data is elsewhere.
3. Close security gaps that survive any reform
Prioritize identity, access control, secure configuration, vulnerability remediation, logging, incident response, encryption, backup resilience, and supplier risk. These capabilities protect the mission and support NIST SP 800-171 regardless of the eventual verification mechanism.
4. Make documentation describe production
Treat the documentation, SSP, network and data-flow diagrams, asset inventory, policies, and procedures as maintained system artifacts. Tie claims to configuration, code, tickets, logs, screenshots, test results, and responsible owners. If the architecture changes, the package should change with it.
5. Test the obligations outside the control matrix
Run a tabletop for 72-hour incident reporting. Confirm that, after a covered cyber incident is discovered, images of known affected systems and relevant monitoring or packet-capture data can be preserved for at least 90 days from submission of the incident report. Confirm that the organization can provide additional information or equipment for forensic analysis if the Department requests it. Review cloud-service commitments and subcontractor flowdowns. These DFARS 252.204-7012 duties are easy to miss in a controls-only project.
6. Put a decision gate around certification spend
Separate remediation from assessment fees. Continue work that reduces real risk and supports current obligations. Before a voluntary certification expense, require a documented business case based on an actual customer term, market need, ecosystem availability, and acceptable cancellation exposure.
What to Watch Next
Under the July 10 memorandum, the CMMC Reform Task Force must deliver recommendations to the DoW CIO within 60 days. A mid-September result is a planning estimate, not a promised public release date. The Department could revise verification, scoping, assessment frequency, supplier treatment, or implementation sequencing. It has not announced the final model.
The public CMMC reform RFI asks industry to identify cost drivers, controls that deliver meaningful risk reduction, low-value overhead, useful commercial capabilities, Phase 1 friction, and actionable reforms. Responses are due Friday, August 14, 2026 at 12:00 p.m. ET.
Organizations responding should be specific. Quantify engineering hours, assessment costs, boundary impacts, supplier loss, duplicated evidence, and the security outcome of a proposed alternative. The most persuasive feedback connects burden reduction to measurable resilience rather than asking the Department to accept unevidenced self-assertion.
The bladestack.io View
The Department’s stated goal, stronger cybersecurity without driving innovators out of the DIB, is the same friction bladestack.io was built to solve. Compliance and engineering should not be opposing forces. A defensible program should translate requirements into architecture, automation, evidence, and operational habits that make the product stronger.
This pause is an opportunity to remove security theater from the roadmap. It is not permission to let the underlying system drift. The teams best positioned for the reform outcome will be able to show exactly where CUI lives, how the deployed controls protect it, what the evidence proves, and which contractual statement authorizes every external claim.
bladestack.io is advisory-only. We embed with engineering teams to build secure, elegant systems and assessment-ready evidence without creating an assessor conflict. Talk with bladestack.io about re-sequencing your CMMC roadmap during the review.




