If you’re a Defense Industrial Base (DIB) contractor, you’ve probably seen the headlines by now: the Department of War has suspended CMMC Phase II. If you’re wondering whether that means you can stop working on compliance and what happens now, just breathe — we’ve got you. Here’s what actually happened, what it means, and what we’d recommend doing next.
What happened
On July 13, 2026, the Department of War’s Chief Information Officer, Kirsten Davies, announced the immediate suspension of CMMC Phase II. This is the phase that would have introduced formal third-party assessments through Certified Third-Party Assessor Organizations (C3PAOs) starting November 10, 2026. Phase III, which would have added DIBCAC assessments in November 2027, is suspended as well.
The department cited a straightforward math problem: over 100,000 DIB businesses need third-party assessments, and only a little over 100 assessors exist to do them. That gap, combined with reported compliance costs reaching hundreds of thousands of dollars for small and mid-sized businesses, was pushing innovative companies out of the defense supply chain at exactly the moment the department says it needs them most.
A newly formed CMMC Reform Task Force now has 60 days to review the program and recommend a path forward, informed in part by public feedback through an open Request for Information (RFI), due August 14.
What didn’t change
This is the part worth sitting with, because it’s easy to miss in the headlines: Phase I is still fully in effect.

- Self-assessment at Level 1 (FCI) or Level 2 (CUI/CDI) is still required for applicable contracts.
- DFARS 252.204-7012, the clause requiring you to protect covered defense information and implement NIST SP 800-171, hasn’t gone anywhere.
- Your obligation to maintain an accurate SPRS score against all 110 controls and 320 assessment objectives is unchanged.
- DoW’s own solicitations and contracts cannot currently include the Phase II certification requirement. Program managers and contracting officers have been directed to amend or modify any pending contracts that still contain it.
- Separately, prime contractors, as private businesses, can still choose to require third-party validation from subcontractors and suppliers on their own timeline, independent of the federal deadline.
As Under Secretary of Defense for Acquisition and Sustainment Michael Duffey put it: “The CIO’s decision ensures we maintain a strict security baseline while removing paralyzing costs and keeping innovators and competition growing in the defense supply chain.” The suspension targets the certification mechanism, not the underlying security standard.
Why this doesn’t really change your plan
I can’t stress enough that the work you’ve already put in, or are planning to put in, doesn’t become less valuable because a certification deadline moved.
A strong, accurate self-assessment is the foundation of CMMC compliance no matter what the program looks like after this review. That’s whether Phase II comes back in six months with different rules, a prime asks you for third-party validation next quarter regardless of the federal timeline, or the reform task force lands somewhere none of us expect yet. The 110 controls don’t change. The documentation discipline doesn’t change. The habit of actually protecting the data you’re contractually obligated to protect doesn’t change.
There’s a nuance in the announcement worth sitting with, too, because it’s easy to read “suspended” and assume the bar just got lower. Self-assessment isn’t a form where you sign your name and move on. It means going into SPRS and attesting, control by control, across all 110 controls and 320 assessment objectives, that you’re actually meeting each one. That’s a meaningfully higher bar than “we asked our security team if we’re good and they said yes.” The suspension didn’t touch that requirement. If anything, it’s now the primary way the government will know whether your program is real.
If anything, this is a good moment to get your self-assessment right, rather than a good moment to set it down.
What we’d suggest, depending on where you are
If you already completed a C3PAO assessment: Congratulations! You’re ahead, not behind. That work holds its value regardless of how the reform task force’s recommendations land.
If you already have a C3PAO assessment scheduled: That’s your call to make. Some contractors will want to proceed anyway. Being certified early has real advantages if Phase II returns, and a completed assessment never expires in value. Others may prefer to redirect that budget toward strengthening the self-assessment itself for now. Either path is reasonable, and we’re glad to help you think through which fits your situation.
If you don’t have an assessment scheduled and were working toward the November deadline: You have more room than you did last week. Use it to make sure your self-assessment is genuinely defensible. This means it’s accurate, documented, and something you’d be comfortable standing behind if a prime or the government asked to see it.
If you were waiting on C3PAO scheduling until after the original deadline: There’s no longer a hard external driver pushing you toward third-party certification right now. Self-assessment remains the active requirement, so that’s where we’d focus energy.
The questions we’re hearing most
Do I still need to do this? Yes. Phase I self-assessment and your DFARS 7012 / NIST 800-171 obligations are unchanged and still contractually binding.
Is CMMC still in contracts? Phase I requirements remain in applicable solicitations and contracts. Phase II milestones are suspended pending the review.
Will primes still require C3PAO assessments? Some may, independent of the federal timeline. That’s a business decision individual primes can still make with their supply chain.
What does the timeline look like from here? The Reform Task Force has 60 days (roughly through mid-September) to deliver recommendations, informed by public RFI comments due August 14. Any regulatory changes beyond that would still go through formal rulemaking, which historically takes months to years.
If there’s no third-party assessment requirement right now, can you still help me with the self-assessment itself? Absolutely! That’s a large part of what Tesseract is built for, and it doesn’t depend on Phase II being active.
Where Tesseract fits in all of this
Tesseract was built around the idea that CMMC compliance should be affordable, simple, and manageable for contractors of every size. That’s true whether Phase II is active or suspended.
Our Govern, Harden, Defend framework on Microsoft GCC High is designed to get you to a strong, defensible self-assessment and to actually prove it. Tesseract builds and maintains the real body of evidence behind your SSP: documentation tied to every one of the 110 controls and 320 assessment objectives, showing not just that you checked a box, but how you meet each one and when it was last validated. That matters more now, not less. If DoW ever investigates an incident and asks how you knew you were compliant, “we checked the boxes and hit submit” isn’t an answer. A documented, evidence-backed self-assessment is. And because that evidence is already organized, your annual refresh isn’t a scramble; it’s an update.
If you’re trying to figure out what this news means for your specific situation, we’re happy to talk it through. There is no pressure, no urgency tactics, just a clear-eyed look at where you stand.
This post reflects publicly available information as of July 14, 2026. For the most current guidance, refer to the Department of War’s official release and CIO memo.






