Blog

CMMC Phase II Is Suspended. Your Obligation Is Not.

The Department of War suspended the C3PAO requirement today. It did not suspend the Level 1 and Level 2 bar, the contract clause, or your liability under the False Claims Act. Here is what actually changed, and what did not.

Fortreum is a trust partner to organizations operating in the most demanding compliance environments in the world. This evening, many of them are reading the news from the Department of War and working through what it means for their CMMC program and their broader security posture. This is our first read, based on the information the Department published today.

The Department announced the immediate suspension of CMMC Phase II requirements, which were scheduled to take effect November 10, 2026. It is a significant development, and in the coming days there will be no shortage of interpretations of what it means.

Two of them are worth setting aside early. The first is that CMMC is effectively over and programs can stand down. The second is that nothing meaningful has changed. Neither reflects what the Department actually said, and the distance between those two readings is where costly decisions get made.

What follows is what the Department announced, what it left unchanged, and what we would recommend a defense contractor consider over the next sixty days.

What the Department Actually Announced

The facts, drawn from the official release and the CIO’s remarks at the Pentagon:

Table showing CMMC Phase II C3PAO independent assessment for Level 2 validations is suspended, CMMC Level 3 is under review, and Level 1 and Level 2 self-assessments, DFARS clause 252.204-7012, NIST SP 800-171 Rev 2, and liability for misrepresentation all remain in force.
Figure 1. One requirement was suspended. Four remain fully in force.
The distinction is where companies will make expensive mistakes over the next sixty days.

The cleanest way to say this: the Level 1 and Level 2 bar remains in effect. The C3PAO requirement to verify it has been suspended pending a 60-day review. Those are two very different things, and the distance between them is where the confusion lives.

The Department is also standing up a CMMC Reform Task Force to conduct a top-to-bottom review, with a final report due to the CIO within sixty days. This is a sixty-day study, not a repeal. Expect the requirements to be revised rather than removed. What comes back will almost certainly be a watered-down version of the verification mechanism, not the disappearance of the standard.

Level 3 warrants a specific note. The implementation memo addresses Level 3 (DIBCAC) alongside Level 2, and we are still reviewing that guidance. What has not changed is who conducts a Level 3 assessment: that was always DIBCAC, never a C3PAO. If your organization is on a Level 3 path, reach out and we will walk through what the memo means for your specific situation.

The Reasoning Behind the Decision

The Department was candid about what drove this. Kirsten Davies, the DoW Chief Information Officer, told reporters that there are over 100,000 DIB businesses that still needed a third-party assessment, against roughly 100 available assessors, and concluded that the math simply does not work for small and medium businesses to get compliant by November 10.

That capacity gap has been a known constraint across the industry for some time. Assessor supply was always going to be the binding limit on how quickly the DIB could move through third-party certification, and the Department has now acted on it. What matters is how they resolved it. Faced with a capacity constraint, the Department did not extend the deadline or expand the assessor pool. It suspended the verification requirement and left the security requirement in place. That choice tells you something useful about what is likely to come back in sixty days.

Where the Cost Actually Sits

The stated rationale for the suspension is that CMMC compliance costs are forcing companies out of the Defense Industrial Base. The cost pressure is real, and it is worth being precise about where it comes from, because that determines what today’s announcement actually saves you.

In our experience, the assessment is not the largest line item in a CMMC program. The larger cost is the security requirements levied on Controlled Unclassified Information and the infrastructure required to meet them. For most contractors, that means standing up a compliant enclave, and that infrastructure spend typically dwarfs the cost of the audit.

The assessment itself, and the readiness work leading up to it, tend to be a fraction of the total. Those costs have also been trending down as the assessor community matures and gets more efficient at running assessments.

WHAT THIS MEANS IN PRACTICE

Suspending the C3PAO requirement does not remove the expensive part of a CMMC program. The enclave, the tooling, and the infrastructure required to protect CUI are still required, because DFARS 252.204-7012 and NIST SP 800-171 Rev 2 still require them. If a contractor cancels their assessment and assumes their compliance costs just went away, they are going to be unpleasantly surprised. The audit was the receipt. The infrastructure was the bill.

The Risk of Standing Down

The move I would caution against over the next several weeks is the obvious one: read the headline, cancel the CMMC program, reassign the budget, and report the savings to the board.

Sixty days from now, the Task Force delivers its report. Whatever comes back will still require a defensible security posture built on NIST 800-171. The companies that kept building will have it. The companies that stood down will be starting cold, with less runway than they had today, in a market where readiness and advisory capacity is exactly as constrained as it was this morning.

And the suspension of the C3PAO requirement did not remove the assessment. It changed who conducts it. A select set of companies will still be audited by DIBCAC. If your contracting officer decides your program warrants scrutiny, you will be assessed, and it will not be by an assessor you chose and prepared with.

THE EXPOSURE MOST PEOPLE ARE MISSING

You are still the risk owner. Nothing about today’s announcement transfers that. If your SPRS score reflects a posture you cannot evidence, your False Claims Act exposure did not go down today. It went up, because the entity most likely to find the gap is now the government rather than an assessor you hired to find it first. DIBCAC does not grade on a curve, and they do not give you a remediation window before they write it down.

The contractual obligation under DFARS 252.204-7012 has not moved an inch. Neither has the Department of Justice’s interest in companies that certify to controls they have not implemented. Suspending a certification program does not create a safe harbor for a false attestation.

What a Defense Contractor Should Do Tomorrow

My honest advice, and it is the same advice I would give one of our clients:

1- Do not stand down. Re-sequence.
If you were racing toward a C3PAO assessment date, that pressure is off. Good. Use the time you just got back to close the control gaps you were going to paper over. The Level 1 and Level 2 bar did not move. Only the deadline to prove it did.
2- Get a mock assessment anyway.
This is the single most valuable thing you can do in the next sixty days. You remain the risk owner and you remain exposed under the False Claims Act for a score you cannot defend. A readiness review or mock assessment finds the daylight between your submitted SPRS score and your actual posture, on your terms, before DIBCAC or a contracting officer finds it on theirs. The C3PAO requirement went away. The reason to know exactly where you stand did not.
3- Watch your primes, not just the Department.
Lockheed, Boeing, Northrop and others have been issuing supplier directives requiring compliance documentation. Those are commercial requirements in a private contract. The Department suspending a federal certification does not release you from what a prime has already contractually required of you. Read your flow-downs before you assume anything changed.
4- Have the honest budget conversation now.
Let us be direct about the commercial reality. Your compelling event just evaporated. It will be materially harder for a compliance manager to get a CFO to fund a C3PAO audit when the mandate that justified it has been suspended. That is a real problem, and pretending otherwise helps nobody. The argument that still works is the one that was always true: the requirement is in the contract, the liability sits with you, and the cost of being wrong has not changed.
5- Plan for the sixty-day report, not the headline.
The Task Force will recommend something. The stated goals are scalable, resilient security measures with lower barriers for small business. That likely means a leaner verification mechanism, not the absence of one. Build toward a defensible 800-171 posture and you are ready for whatever shape it takes.

Where We Stand

Fortreum is an authorized C3PAO. A meaningful part of our business was pointed at the November 10 date. I am telling you not to panic-buy a certification you are not currently required to hold, which is not the pitch you would expect from someone in my position.

I am telling you that because it is the right answer, and because a rule is coming back in sixty days. What you do between now and then matters more than what you cancel this week.

What I will tell you to do is know where you actually stand. Get the readiness review. Run the mock assessment. Find the gap between the score you submitted and the posture you can prove, and close it while the pressure is off and nobody is watching. That was good advice yesterday when a C3PAO assessment was mandatory. It is better advice today, when the only thing standing between you and a False Claims Act problem is your own honesty about your posture.

The requirement to protect controlled unclassified information is not a compliance trend. It exists because adversaries are actively taking that data out of the defense supply chain. That was true on November 10, 2025. It was true this morning. It is true tonight.

Build the security. The paperwork will follow whatever shape the Department gives it.

Where We Go From Here

This is our first read on a developing situation. The Task Force report lands in sixty days, and we expect further guidance from the Department before then. As that picture sharpens, we will keep publishing what we learn.

In the meantime, the questions we are hearing most are the specific ones: Does this change my scope? What do I tell my prime? Should I pause my enclave build? Where does this leave my Level 3 program? Those answers depend on your contracts, your CUI footprint, and where you are in your program, and they are worth a conversation rather than a blog post.

If you are working through what this means for your organization, reach out. Whether you are a client or not, we are happy to talk it through.

Stay tuned, and contact us with questions here.

Sources:
U.S. Department of War, “Forging the Arsenal of Freedom: Department of War Suspends CMMC Phase II Requirements,” Immediate Release, July 13, 2026. DoW CIO Memorandum 26-P-1023, Attachment 1: Cybersecurity Maturity Model Certification Procedures. Remarks by DoW Chief Information Officer Kirsten A. Davies, Pentagon press briefing, July 13, 2026, as reported by Breaking Defense. DFARS clause 252.204-7012. NIST SP 800-171 Rev 2.