The CMMC Phase II suspension sounds like relief, and for many small and midsize defense contractors it is. On July 13, 2026, the Department of War announced that it was immediately suspending CMMC Phase II requirements that had been scheduled to take effect on November 10, 2026. The Department also started a 60-day review through a CMMC Reform Task Force.
That changes the near-term pressure around some third-party assessments. It does not give contractors handling covered defense information or controlled unclassified information a safe reason to pause cybersecurity work.
The safer reading is narrower: verification timing has changed, but the duty to protect sensitive defense information has not. The Department's release says Phase I self-assessment requirements remain in place and that existing DFARS 252.204-7012 obligations to protect covered defense information still apply (U.S. Department of War, July 13, 2026).
For SMB defense contractors, the practical response is not panic and not a victory lap. Review contract language, keep self-assessment evidence current, continue NIST SP 800-171 Rev. 2 remediation, and make sure your CUI scope is not living in someone's memory or a stale spreadsheet.
What the Department of War actually suspended
The policy change is specific. The Department suspended CMMC Phase II requirements before the November 10, 2026 transition date and opened a 60-day review of CMMC implementation, cost, and effects on the Defense Industrial Base (U.S. Department of War).
The implementation memo gives contractors the working version of that announcement. During the suspension, program managers and requiring activities may not designate CMMC Level 2 C3PAO assessments or Level 3 DIBCAC assessments for contracts. Instead, the memo says baseline compliance will be enforced through CMMC Level 1 Self and Level 2 Self assessments, plus selected government-led assessments. It also directs active solicitations and existing contracts with suspended requirements to be amended or modified as appropriate (DoW CIO implementation memo).
That is real relief if your company was budgeting for a third-party Level 2 assessment, trying to schedule a C3PAO, or negotiating with a prime over a Phase II deadline. It may also reduce some bid friction in the short term.
But it is not a full reset. The memo did not suspend Phase I self-assessments. It did not suspend DFARS safeguarding clauses. It did not say contractors can stop protecting CUI. It did not promise what the Department will decide after the review.
If your internal message to leadership is only "CMMC is paused," it is too broad. A better message is: "Some third-party assessment requirements are paused. Our self-assessment, contract, incident reporting, and CUI protection duties continue."
What still applies: self-assessment, NIST 800-171, and DFARS 7012
The difference between CMMC certification pressure and cybersecurity obligations matters because CMMC was added on top of existing contract duties. The 2025 DFARS acquisition rule described CMMC as a verification mechanism because DFARS 252.204-7012 did not provide DoD with pre-award verification of contractor implementation (Federal Register). Pausing one verification step does not erase the safeguarding clause underneath it.
DFARS 252.204-7012 requires contractors to provide adequate security for covered contractor information systems. For covered systems, the clause requires implementation of NIST SP 800-171 security requirements unless an authorized exception applies. It also requires rapid reporting of cyber incidents affecting covered systems or covered defense information, with "rapidly report" defined as within 72 hours of discovery. The clause includes flow-down requirements for subcontracts involving operationally critical support or covered defense information (Acquisition.GOV DFARS 252.204-7012).
NIST SP 800-171 Rev. 2 remains the practical technical baseline for protecting CUI in nonfederal systems during this interim period. The standard defines security requirements for protecting controlled unclassified information in nonfederal systems and organizations (NIST SP 800-171 Rev. 2). If your environment processes, stores, or transmits CUI, the work still includes access control, awareness and training, audit and accountability, configuration management, incident response, identification and authentication, media protection, risk assessment, and system and communications protection.
That does not mean every SMB should spend the pause the same way. A company that handles only federal contract information has a different scope than one hosting engineering files, technical data, or other CUI for a defense program. A subcontractor with limited CUI exposure may have a smaller boundary than a manufacturer with CUI moving through production, quality, and supplier systems. The pause is a good time to get that boundary right.
Why the pause matters for small businesses
The Department's announcement came after months of visible small-business concern. GAO reported in March 2026 that small businesses make up roughly three-quarters of the Defense Industrial Base and cited earlier DoD assessment-cost estimates ranging from $4,042 to $117,768 depending on assessment type (GAO). The SBA Office of Advocacy also sought small-business input on CMMC certification costs and expected impacts, and said it had previously filed comments that the Department underestimated certification compliance costs (SBA Office of Advocacy).
For a large contractor, a delayed third-party assessment may free up a program team or a budget line. For a 60-person supplier, it can affect cash flow, hiring plans, and whether leadership believes the company can keep bidding on defense work.
That is why SMBs need to be careful with the pause. A business under cost pressure has a natural urge to stop anything that looks optional. CMMC Phase II third-party assessment activity may now be deferred or removed from certain near-term contract paths. CUI protection is not optional when your contracts and data flows bring DFARS 252.204-7012 into scope.
There is another practical problem: evidence gets harder to rebuild after people stop collecting it. If you stop documenting system changes, access reviews, incident response tests, training completion, vulnerability remediation, and POA&M updates, you may save a few hours now and lose weeks later. If an incident occurs, you will not want to explain your posture through memory and intent. You will want records.
What to review in solicitations and contracts now
Start with the documents that create obligations faster than a policy memo reaches your inbox.
Review active solicitations, pending bids, option periods, and existing contracts for CMMC Level 2 C3PAO or Level 3 DIBCAC language. The DoW CIO memo directs that suspended assessment designations should not be used during the suspension and that solicitations or contracts containing them should be amended or modified as directed (DoW CIO implementation memo). Contractors should not ignore signed contract text on their own. Identify the language, ask for clarification through the proper contracting channel, and keep the answer with the contract record.
For SMBs, the review should include:
- Open solicitations where the bid strategy assumed a third-party Level 2 assessment before award.
- Existing contracts or task orders with CMMC assessment language tied to performance, option exercise, or deliverables.
- Prime contractor flow-down clauses that reference CMMC Level 2 C3PAO assessment timing.
- Subcontract templates your company uses when flowing cyber requirements to suppliers.
- Internal compliance calendars that still treat November 10, 2026 as an unchanged external deadline.
The goal is not to strip out cyber language wherever it appears. Prime contractors may still need evidence that suppliers can protect CUI, and DFARS 252.204-7012 can still flow down when covered defense information or operationally critical support is involved. The goal is to separate suspended assessment designations from continuing safeguarding duties.
This is also a good moment to clean up imprecise internal language. "CMMC compliant" is not specific enough for a decision record. A useful record says whether the system is in scope for FCI or CUI, whether the current designation is Level 1 Self or Level 2 Self, which NIST SP 800-171 Rev. 2 requirements are implemented, what remains in the POA&M, who owns remediation, and what evidence supports the current score or assertion.
How to use the pause without losing readiness
The best use of the suspension is practical and a little boring: reduce deadline pressure, then improve the parts of your program that make any future assessment easier and any current self-assessment more defensible.
Confirm CUI scope before buying more compliance work
Many SMB programs become expensive because the CUI boundary is fuzzy. If every workstation, file share, SaaS app, and production system is treated as equally in scope, remediation becomes overwhelming. If the scope is too narrow, the company may leave real CUI flows unprotected.
Map where CUI is received, created, stored, processed, transmitted, archived, and destroyed. Include email, collaboration platforms, engineering tools, managed service provider access, backups, removable media, and supplier exchanges where applicable. Then identify which systems are covered contractor information systems under your contract facts. This affects which controls apply, which evidence matters, and where segmentation or process changes could reduce exposure.
Keep the SSP current
A system security plan is useful only if it describes the environment you actually operate. During the pause, update the SSP when systems, owners, authentication methods, network boundaries, cloud services, or CUI workflows change. If your SSP still describes last year's environment because everyone was waiting for an assessor to ask for an update, fix that now.
The SSP should not be treated as a one-time writing project. It is the record that ties control implementation to real systems and business processes. If leadership, IT, compliance, and operations all tell different stories about where CUI lives, resolve the conflict in the SSP.
Treat the POA&M as a management tool
A POA&M can become a dumping ground for every hard problem. That makes it less useful and more risky. Use the pause to separate real remediation work from vague wishes. Each item should have an owner, a realistic action, a target date, and enough context for management to understand risk.
Do not stop remediation just because a C3PAO date moved. Prioritize issues that affect CUI exposure, identity, logging, incident response, endpoint hardening, and external access. If budget is tight, document the tradeoffs. A clear risk decision is better than silent drift.
Preserve evidence as work happens
Evidence collected in a rush is usually weaker than evidence collected during normal operations. Keep records of access reviews, training, configuration baselines, vulnerability remediation, backup tests, incident response exercises, policy approvals, supplier reviews, and exceptions. Store them where they can be found and tied to requirements.
This matters for self-assessments now and for whatever the Department issues after the review. It also matters if a prime asks for assurance, if a contracting officer requests support, or if an incident forces the company to prove which controls were operating at the time.
Recheck incident reporting procedures
The Phase II suspension does not pause cyber incident reporting duties under DFARS 252.204-7012. If a cyber incident affects a covered contractor information system or covered defense information, the clause requires rapid reporting to DoD, defined as within 72 hours of discovery (Acquisition.GOV DFARS 252.204-7012).
SMBs should make sure the reporting procedure is not just a paragraph in a policy. Confirm who can identify a reportable event, who contacts counsel or contract leadership, who submits the report, who preserves evidence, and how after-hours discovery works. A 72-hour clock is not generous if the first 24 hours are spent figuring out who owns the process.
Keep leadership tied to the evidence
Self-assessment discipline depends on honest internal reporting. Leadership should know what the company is asserting, what evidence supports it, and what gaps remain. If executives are asked to approve or affirm a posture, they should not be approving a slide deck detached from the SSP, POA&M, and control evidence.
Smaller organizations can improve here without building a large compliance department. Hold a regular review of open control gaps, contract requirements, incident readiness, and evidence status. Keep one version of the truth.
Keeping compliance work organized while the rules are in review
The CMMC Phase II suspension reduces immediate third-party assessment pressure for many SMB defense contractors. It does not reduce the need to know what data you handle, what contracts require, which controls are implemented, and what evidence proves it.
That is the control problem underneath the policy news: scattered evidence makes self-assessment fragile. When SSP updates live in documents, POA&M status lives in spreadsheets, policies live in shared drives, and contract interpretations live in email threads, leadership has a hard time making defensible decisions.
CulperSec's Safeguard Horizon GRC helps teams manage that work in one place by mapping requirements, organizing evidence, tracking assessments, and keeping remediation visible across compliance workflows. For contractors using the Phase II pause as a reset, the value is straightforward: keep CUI obligations, self-assessment status, and evidence under control while the Department finishes its review.



