Strike Graph security compliance blog

The CMMC Phase 2 deadline is gone. Your legal obligation isn't.

Written by Justin Beals : Founder & CEO | Jul 14, 2026 8:16:22 PM

On July 13, 2026, the Department of War suspended CMMC Phase 2 requirements, which were scheduled to go into effect November 10, 2026. The C3PAO third-party audit deadline is gone. Your DFARS 252.204-7012 obligation, your NIST 800-171 self-assessment requirement, and your SPRS score are not.

If you're a defense contractor trying to figure out what this means for your compliance posture, here's the clearest answer we can give.

What the CMMC Phase 2 suspension actually means

Phase 2 of CMMC would have required defense contractors to pass a third-party cybersecurity assessment conducted by a Certified Third-Party Assessor Organization (C3PAO), beginning November 10, 2026. That requirement is now suspended indefinitely, and the CMMC Reform Task Force is running a 60-day review of the program.

Pending and future CMMC Phase 2 implementation milestones in DoD solicitations and contracts are also suspended. If your contract included Phase 2 requirements, contracting officers have been directed to amend or modify them.

That is the full scope of what changed. Everything else is still in effect.

What the CMMC Phase 2 suspension does not cover

DFARS 252.204-7012 still applies. This clause requires every contractor and subcontractor that handles covered defense information to protect it in accordance with NIST SP 800-171.

NIST SP 800-171 Rev 2 compliance is still required. The DoD continues to enforce cybersecurity compliance through self-assessments and select government-led DIBCAC assessments during the review period.

SPRS scores are still required. Self-assessments remain mandatory during the suspension. Contractors must still submit their score to SPRS and affirm it annually. Your score is live, visible to every prime and contracting officer you work with, and factors into contract eligibility. Nothing about the suspension changes how SPRS scores are recorded or referenced.

Phase 1 self-assessment requirements remain fully in place. Level 1 and Level 2 self-assessments are unaffected by the suspension and still required.

Prime contractor requirements can still flow down. Primes can require third-party assessments from their subcontractors contractually, regardless of what DoD does at the program level. The suspension does not prevent that.

If you're not sure where your SPRS score stands or whether your self-assessment would hold up to scrutiny, Strike Graph can help you find out.

Why the DoD suspended CMMC Phase 2

The official reasoning from DoW CIO Kirsten A. Davies points to two problems that have become impossible to ignore.

First, compliance costs were forcing smaller companies out of the defense industrial base at a time when the DoD urgently needs their capabilities. The Small Business Administration identified CMMC compliance costs as the top concern for small and mid-size DIB businesses. Future phases of the program were projected to cost the defense industrial base more than $7 billion per year.

Second, the math on assessor capacity never worked. There were roughly 100 approved C3PAO assessors available to more than 100,000 companies needing third-party assessments. The November deadline was functionally impossible for most of the DIB to meet.

Davies was explicit that the suspension cuts red tape, not cybersecurity. The direction of travel is toward fewer bureaucratic compliance burdens, not toward reinstating a mandatory C3PAO regime on the original timeline.

What this means for your defense contractor compliance posture

The C3PAO audit was the proof point under Phase 2. With Phase 2 suspended, the Level 2 self-assessment is now how defense contractors demonstrate compliance to primes, contracting officers, and the DoD. That is what SPRS records. That is what the DoD enforces against.

That shift carries one implication that every contractor should understand clearly: self-attestation under NIST 800-171 carries False Claims Act liability. A contractor who submits an SPRS score that does not reflect their actual security posture is legally exposed, regardless of whether a C3PAO auditor ever shows up. The absence of a third-party auditor does not make an inaccurate score safer. It means there is no one else to catch the gap before you attest.

Think of it like HIPAA. The enforcement burden falls on the organization, not the auditor.
This is not a reason to panic. It is a reason to take your NIST 800-171 self-assessment seriously.

What smart defense contractors are doing right now

The suspension gives contractors something they did not have before: time to get the self-assessment done right, without racing a deadline or fighting for C3PAO capacity.
Contractors who use that time well will have a complete, defensible SPRS score before the 60-day review is even finished. Whatever the CMMC Reform Task Force recommends, they will be in the best position across every possible outcome. Phase 2 returns in some form: they are ahead of it. Phase 2 gets reformed into something lighter: their self-assessment is already done. CMMC ends entirely: their DFARS obligation is still met and their SPRS score is documented and current.

A strong NIST 800-171 self-assessment is the right answer in all three scenarios.
Contractors who wait will find themselves in the same position they were in before this week, except the case for acting will be harder to make to their leadership.

Frequently Asked Questions

Is CMMC Phase 2 completely cancelled?

No. CMMC Phase 2 is suspended, not cancelled. A 60-day CMMC Reform Task Force review is now underway. The program could be reformed, scaled back, or ended entirely, but no final decision has been made.

Do defense contractors still need to comply with NIST 800-171 after the suspension?

Yes. NIST SP 800-171 Rev 2 compliance is still required and actively enforced through self-assessments and select DIBCAC assessments. The suspension only affects the C3PAO third-party audit requirement, not the underlying cybersecurity standard.

Does my SPRS score still matter after the CMMC Phase 2 suspension?

Yes. SPRS scores remain active and visible to primes and contracting officers. The suspension does not change how scores are recorded, reported, or referenced in contract eligibility decisions.

What is the False Claims Act risk for defense contractors?

A self-attestation that does not accurately reflect your security posture carries False Claims Act exposure, regardless of whether a C3PAO audit ever takes place. With Phase 2 suspended, self-attestation is the primary enforcement surface, which raises the stakes on getting your SPRS score right.

Do I still need to complete a Level 2 self-assessment?

Yes. Phase 1 self-assessment requirements, including Level 2 self-assessments, remain fully in place. With the C3PAO requirement suspended, the self-assessment is now the primary way defense contractors demonstrate NIST 800-171 compliance.

Can my prime contractor still require a third-party assessment from me?

Yes. Primes can flow third-party assessment requirements down to subcontractors through contract terms, independent of what DoD does at the program level. The suspension does not prevent that.

What should defense contractors do right now?

Complete your Level 2 self-assessment while you have the time and runway to do it right. Whatever the 60-day review produces, a complete and defensible SPRS score is the correct answer in every outcome.

How Strike Graph helps defense contractors

Strike Graph's AI-native compliance platform guides you through your complete Level 1 or Level 2 self-assessment end-to-end. The platform, complete with all 110 NIST 800-171 Rev 2 controls and their 320 objectives, helps you identify gaps, close them with clear action items, and automatically generates your System Security Plan and POA&M as your program evolves. Verify AI validates your evidence so your SPRS score reflects actual evidence of your security posture, not an optimistic estimate. Strike Graph then generates a submission-ready package for your Affirming Official to review and submit to SPRS.

If you were already mid-process on CMMC compliance, the work you have done is not wasted. The self-assessment infrastructure you have built is exactly what the current environment demands. If you have not started, Strike Graph offers a free 60-day trial of the full CMMC platform so you can see exactly where you stand before you commit to anything.