CMMC Phase II Is Suspended: What Small Government Contractors Should Review Now

On July 13, 2026, the Department of Defense announced that it is suspending the transition to CMMC Phase II and opening a 60-day review of the program. If you run or support a small business that sells to the Department, or you sit somewhere in a defense supply chain, your inbox probably filled with conflicting takes within hours. Some people read the news as the end of CMMC. Others treated it as permission to stop thinking about cybersecurity for a while. Both readings miss what actually happened.

Here is a practical look at what the announcement changes, what it leaves untouched, and where a small contractor's attention is best spent while the review runs.

What actually changed

The specific thing that paused is the move to third-party certification assessments. Under the plan that was scheduled to phase in on November 10, 2026, many contractors handling Controlled Unclassified Information would have needed a certification assessment from an accredited third-party assessment organization, known as a C3PAO, before they could win or continue certain work. That step is the piece now on hold.

The Department also opened a review that is expected to run about 60 days and to recommend a more workable version of the program. The stated goal is to lower the cost and complexity that were pushing smaller and non-traditional suppliers out of defense work. In plain terms, the government decided the current model asked too much, too fast, of the companies it needs in the industrial base, and it wants to redesign the on-ramp before requiring the toughest assessments.

What did not change

Quite a lot, and this is the part that gets lost in the headlines.

Phase I self-assessment requirements that took effect in November 2025 remain in force. If your contracts already expected you to complete a self-assessment, calculate a score, and post it, that expectation still stands. The obligation to protect government information did not move either. Defense contractors and subcontractors remain bound by their existing DFARS terms to safeguard covered defense information and to report cyber incidents. The security controls in NIST SP 800-171, which sit underneath the entire CMMC structure, are still the baseline the Department expects you to meet.

So the assessment gate moved. The security bar did not.

Why the work still matters

It helps to separate two things that often get treated as one: proving your security to an outside party, and actually having it. The suspension touches the first. It does nothing to the second.

Consider a small machine shop that supplies parts to a larger prime. The prime handles CUI and flows related requirements down. Whether or not a C3PAO ever walks through that shop's door this year, the shop still receives sensitive drawings, still stores them on a network, and still has to keep them from leaving through the wrong door. A pause in certification does not make an unpatched server safer or an undocumented access policy more defensible. If anything, the review period is a quieter stretch of road for fixing those things without an assessment date adding pressure.

There is also a contract-eligibility angle. A current self-assessment score, honestly produced and supported by real evidence, is still something contracting officers can see and weigh. Letting that lapse because Phase II is suspended is the kind of shortcut that looks fine until a renewal or a new opportunity puts it back in front of you.

Where to put your attention now

If you want to use this period well, focus on the documentation and evidence that any future version of the program will still rest on.

Start with your System Security Plan. An SSP that accurately describes your environment, names the systems in scope, and explains how each control is met is the backbone of a defensible program. Many small contractors have a thin or outdated SSP, and this pause is a good window to make it match reality.

Keep your Plan of Action and Milestones honest and current. A POA&M is not an admission of failure. It is a record that you know where your gaps are and have a plan and a date to close them. Assessors, and your own leadership, tend to read a maintained POA&M as a sign of a program that is actually being run.

Organize your evidence as you go. Screenshots, policy documents, configuration records, training logs, and access reviews are far easier to assemble in small, regular passes than in a scramble later. Tie each piece back to the NIST SP 800-171 practice it supports so nothing has to be reconstructed from memory.

Then read your contracts. The single most useful hour a small contractor can spend right now is reading the actual clauses in current agreements and recent solicitations to see what they require. Applicability has always depended on the specific contract, the information you handle, and the level involved. That is still true, and it is more reliable than any general summary, including this one.

Common misconceptions

“CMMC is cancelled.” It is not. The transition to third-party assessments is suspended while the program is reviewed. The framework, the underlying standard, and the existing self-assessment and safeguarding requirements are still here.

“We can stand down our security program.” The obligation to protect federal information comes from contract terms that did not change. Pausing your program can put you out of step with commitments you have already signed.

“Nothing counts until the new rules land.” The work of documenting your environment and closing gaps carries directly into whatever the reviewed program looks like. It is not throwaway effort.

Between panic and complacency

The two failure modes here are easy to name. Panic leads teams to spend money and energy reacting to a deadline that just moved. Complacency leads them to shelve everything and lose the momentum they had built. Neither serves a small contractor well.

The steadier path is to treat cybersecurity as an operating practice rather than a one-time gate. Keep the SSP current, keep the POA&M moving, keep evidence tidy, and keep an eye on what your contracts actually say. When the reviewed program is published, organizations that kept up will be adjusting a working program instead of starting one under time pressure.

Practical next steps

If you want a simple plan for the next few weeks, this is a reasonable one. Confirm that your current self-assessment score is accurate and supported. Update your SSP so it matches your real environment. Review your POA&M and set honest target dates. Pull your recent contracts and note what each one requires. Then keep a light, regular cadence on evidence so the pile never gets ahead of you.

For teams that would rather work from a structured starting point than a blank page, the Washington Process Group CMMC Level 1 and Level 2 DIY Readiness Kit is built for this kind of internal work. It provides templates, trackers, and guidance to organize your documentation, map your gaps against NIST SP 800-171, and keep your SSP, POA&M, and evidence in order at your own pace. It does not guarantee an assessment outcome, and it does not decide what applies to your contract. What it does is give a small team a practical way to keep moving while the program's next chapter is written.

The gate paused. The work continues. Use the time.

Keep your CMMC readiness moving

The CMMC Level 1 & Level 2 DIY Readiness Kit gives your team the templates, trackers, and guidance to organize documentation, evidence, SSP support, and POA&M tracking at your own pace.

View the CMMC Level 1 & Level 2 DIY Kit

Based on the official U.S. government announcement issued July 13, 2026. Contractors should review the specific requirements in their own solicitations and contracts and seek appropriate legal, contractual, or cybersecurity guidance for their situation.