Skip to main content
Truvisory
Federal

CMMC Phase II Is Suspended: The Gate Moved, the Bar Didn't

Tony Adams12 min read

On July 13, 2026, the Department of War suspended CMMC Phase II — the mandatory third-party assessment that was to begin November 10. Read the announcement carefully and one sentence matters most: the certification gate is paused, but the security bar is not. DFARS 252.204-7012, NIST SP 800-171, annual self-assessment, and FedRAMP-Moderate cloud for CUI all remain fully enforceable.

If you run a program office, work for a prime looking for subcontractors, or lead a small software firm that has been priced out of defense work, this is a real change — but not the one most of the headlines will imply. Nobody’s cybersecurity obligations went away today. What went away, for now, is the requirement to pay for and pass a third-party audit before you can compete.

What actually changed on July 13

The Department of War’s CIO, Kirsten Davies, and Under Secretary for Acquisition and Sustainment Michael Duffey announced an immediate suspension of the CMMC Phase II rollout, implemented through memo 26-P-1023. During the suspension, contracting officers and requiring activities may designate only CMMC Level 1 (Self) or CMMC Level 2 (Self) — they may not designate Level 2 (C3PAO) or Level 3 (DIBCAC) assessments, and no waivers will be issued while the review runs. Solicitations already carrying third-party requirements are to be amended, and existing contracts modified at the next option or administrative modification.

A CMMC Reform Task Force now has 60 days to conduct a top-to-bottom review, informed by a public Request for Information with responses due August 14, 2026. Two things about that review deserve your attention. First, the officials announcing it did not rule out cancelling CMMC outright. Second — and this is the sentence to hold onto — the department was explicit that the goal was reducing red tape, not reducing cybersecurity.

A quick naming note, because it affects your paperwork: the department now brands itself the Department of War, following Executive Order 14347 in September 2025. But that order established “Department of War” as a secondary title. The statutory legal name is still the Department of Defense, and your contracts, your SAM registration, the FAR, and the DFARS all still say DoD. Use DoW in correspondence; expect DoD in the clauses.

What did not change

This is the table to bookmark, because most of the confusion in the coming weeks will live in the gap between “suspended” and “gone.”

// What the July 13 suspension changed — and what it didn't
RequirementStatus after July 13, 2026
CMMC Level 2 third-party (C3PAO) assessmentSuspended. Cannot be designated during the review.
CMMC Level 3 (DIBCAC) assessmentSuspended. Phase III milestone paused.
CMMC Level 1 (Self) / Level 2 (Self)Still required. The only levels a CO may designate now.
DFARS 252.204-7012 (safeguard CDI; 72-hour incident report)Fully in force. Unchanged.
NIST SP 800-171 Rev. 2 (110 controls)Fully required. Enforced via self-assessment and government-led assessment.
Annual affirmation (32 CFR 170.22)Still required.
DFARS 252.204-7021 (the CMMC clause)Still in the DFARS. Prescribed for use until November 9, 2028.
FedRAMP Moderate for cloud handling CUIUnchanged. Required by DFARS 252.204-7012(b)(2)(ii)(D).
False Claims Act exposure for false attestationsActive. DOJ’s Civil Cyber-Fraud Initiative continues.

Read that table again if you’re tempted to stand down a compliance program. The 110 controls of NIST SP 800-171 are still the baseline. You still have to report a cyber incident within 72 hours. You still need a system security plan and a plan of action. And if your AI system stores, processes, or transmits controlled unclassified information in the cloud, that cloud still has to meet FedRAMP Moderate — authorized or equivalent. None of that was touched.

What was removed is the audit. Which means the thing you now attest to, you attest to on your own signature — and the Justice Department has an active enforcement initiative built precisely around false cybersecurity attestations on federal contracts. The paperwork got lighter. The liability did not.

Why the department did it

The stated reason was small business, and the numbers behind it are worth understanding — including the fact that they’re contested.

The Small Business Administration backed the move hard, characterizing CMMC compliance as an untenable barrier driving small firms out of the defense industrial base. SBA’s figures put certification cost near $593,800 for firms needing a third-party assessment and roughly $388,600 for those eligible to self-assess, against a population of 120,000+ affected small firms and only about 100 approved assessors.

Be careful with those numbers, though, because the department’s own rulemaking estimated the cost far lower — roughly $105,000–$118,000 for a Level 2 third-party certification over the three-year cycle, and $37,000–$49,000 for a Level 2 self-assessment. That’s a four-to-five-fold gap between two federal agencies describing the same program. Both are cited here because both are real, and any vendor quoting a single number at you as settled fact is telling you more about their sales process than about CMMC.

The capacity problem is less disputable. By early 2026 there were roughly 103 authorized third-party assessment organizations to serve a population north of 80,000 firms expected to need Level 2 — and only about 1% of the industrial base had actually achieved certification. Davies’ own summary of the arithmetic was blunt: the math simply doesn’t work for small and mid-sized businesses. Whatever you think of the decision, the deadline was not going to be met.

What the CIO actually wants now: “Brilliant at the Basics”

Alongside the suspension, the department pointed contractors to a resource called Brilliant at the Basics. It’s worth being precise about what this is, because it will be widely misdescribed: it is not a replacement certification framework, and it is not mandatory. It’s a voluntary best-practices campaign from the CIO’s office — a Top 10 list for IT security, a Top 10 for operational technology, and a set of curated external resources.

What’s notable is how closely it reads like a modern software shop’s security checklist rather than a compliance regime. Phishing-resistant multi-factor authentication is item one. Integrating security early in the development lifecycle — shift-left scanning, dependency testing — is item seven. And item eight is secure AI adoption: technical guardrails, keeping sensitive departmental data out of public commercial AI systems, and using approved enterprise AI environments.

That last item is the tell. The department is not asking for a binder. It’s asking whether you actually run secure engineering practices, and whether you know how to handle AI systems without leaking data into someone’s public chatbot. Those are engineering questions, and a firm that builds this way already answers them.

This is one thread in a much larger door-opening

The CMMC suspension doesn’t stand alone. It’s the compliance-side piece of a coordinated push to get commercial technology — especially software and AI — into the department faster:

  • Software Fast Track (SWFT), launched in mid-2025, replaces the slow authority-to-operate process with continuous, evidence-driven authorization.
  • The AI-first strategy memoranda of January 2026 declared an AI-first warfighting force, established a monthly board empowered to remove non-statutory barriers, and stood up pace-setting projects including an enterprise agents playbook for deploying AI agents into departmental workflows.
  • The November 2025 acquisition transformation memo made speed to capability the organizing principle and pushed Commercial Solutions Openings and Other Transaction Agreements as default contracting methods for software.

Put those four things together — suspend the audit, publish plain-language security basics, accelerate software authorization, and make OTAs the default — and the direction is unmistakable. The department is trying to make it easier for small, technically capable, non-traditional vendors to sell it working software. That is the opportunity here, and it’s a bigger one than the CMMC headline alone suggests.

The honest counterpoint: self-attestation has a track record, and it isn’t good

A piece that only sold you the upside would be doing you a disservice, so here’s the other side.

Third-party assessment existed because self-attestation had failed before. A decade of inspector-general and GAO work found contractors attesting to controls they had not implemented. The independent 2025 State of the Defense Industrial Base research found only about 1% of defense contractors felt fully prepared, with a median SPRS score of 60 against the required 110 — and a meaningful share reporting negative scores. CMMC’s original architect has argued consistently that self-attestation is not reliable, and the accreditation body whose assessor ecosystem is now sidelined was not informed before the announcement.

So the honest read is this: the suspension solves a real capacity and cost problem, and it reintroduces a real verification problem. Both things are true.

And that shift matters for you as a buyer. In a world with mandatory third-party audits, the badge did your diligence for you. In a world of self-attestation, it doesn’t — which means the burden of telling a genuinely secure vendor from a well-worded one lands back on the program office and the prime. That’s not a reason to avoid small firms. It’s a reason to ask better questions, which is exactly what our guide to verifying an AI contractor’s CMMC and FedRAMP claims is built for.

How a small AI firm serves the department now

If you’re a program office wondering how to bring in capability quickly, or a small firm wondering how to get in, the practical pathways are:

  • SBIR/STTR — still the classic on-ramp, Phase I to Phase II to a sole-source Phase III.
  • OTAs and Commercial Solutions Openings — now the default route for software, and the fastest path for a non-traditional vendor.
  • SDVOSB set-asides and sole-source authority — the government-wide service-disabled veteran-owned prime contracting goal is now 5%, raised from 3% by the FY2024 NDAA, and SBA certification is required to compete for those set-asides. More on that in SDVOSB leverage.
  • Subcontracting to a prime — bearing in mind primes flow down the 800-171 and DFARS 7012 obligations regardless, and several set minimum SPRS thresholds for their subs.

And the security posture such a firm actually needs, absent a C3PAO badge: implement the 110 controls, keep a real system security plan and plan of action, self-assess honestly, report incidents inside 72 hours, and — the part most often missed — build on a FedRAMP-authorized cloud platform if CUI is anywhere near the system.

That last requirement is the one that quietly separates firms that can do this work from firms that can’t. And it’s the one the suspension didn’t touch.

Where Truvisory fits — stated plainly

Here’s the honest version, which is the only kind worth publishing on a compliance topic.

Truvisory is not CMMC-certified. We never have been, and we have never claimed to be — our standing position has been that if we’re not certified for something, we don’t display the badge. Our documented posture is CMMC Level 1 self-assessed, with all 110 NIST SP 800-171 controls implemented and documented. Today’s announcement doesn’t change that fact. What it changes is that the fact is no longer a gate: under a Level 2 (Self) posture, a program office can engage a firm like ours without waiting on an assessment that, realistically, wasn’t available anyway.

Truvisory is FedRAMP-aware, not FedRAMP-authorized. That distinction is deliberate and we hold it hard. Truvisory itself is not a FedRAMP-authorized service. What we do is build on Cloudflare’s government platform, which holds a FedRAMP Moderate authorization — the exact authorization level DFARS 7012 requires for cloud handling CUI. A small firm does not need its own FedRAMP authorization to build on an authorized platform. It needs to know the difference, and to be honest about which side of it it’s on. That’s what FedRAMP-aware means, and why we’ve written about FedRAMP versus CMMC at length before today.

Nothing about how we work changed today. We are an SBA-verified SDVOSB (UEI KNZKX28MLC42, CAGE 0HPQ0, NAICS 541512), operating out of Colorado since 2018 — eight years, not a firm that appeared when the rules moved. We are led by an Army combat veteran and 25-year operating executive who now writes the code himself. We ship working software — AI agents, retrieval systems, back-office automation — on fixed-scope 30-to-90-day engagements, Cloudflare-native by design. Working software, not strategy decks.

What changed is the alignment. The department just said, in effect: we want secure engineering practices, not compliance theater; we want speed; and we want small, capable firms that were previously locked out. That is the posture we already had — held, at some commercial cost, back when the safer marketing move was to imply certifications we didn’t hold.

We’re not betting on CMMC staying suspended. The review could restore it, restructure it, or end it. Our model doesn’t depend on which — because the underlying security requirements, the ones that actually survived today, are the ones we already build to.

What to watch

  • The 60-day review, with results expected around mid-September 2026. Cancellation is genuinely on the table; so is a restructured program.
  • The RFI, with responses due August 14, 2026 — if the cost of compliance has shaped your business, this is your comment window.
  • The proposed government-wide CUI rule, published in June 2026, which would move the baseline to NIST SP 800-171 Rev. 3. It is proposed, not final — but it’s the direction of travel.
  • DOJ enforcement. The Civil Cyber-Fraud Initiative has not paused, and self-attestation is now the primary mechanism. Attest carefully.

If you’re a program office or prime that needs working AI software from a small, capable, security-serious firm — and you’d rather have a straight answer about what we are and aren’t certified for than a badge wall — that’s a conversation we’re glad to have.

Frequently asked

Is CMMC cancelled?
No. Phase II third-party assessments are suspended pending a 60-day review. The CMMC program rule (32 CFR Part 170), the DFARS final rule, and the CMMC clause (DFARS 252.204-7021) all remain in effect. Officials have not ruled out cancelling the program later, but as of today it is suspended, not repealed.
Do I still have to comply with NIST SP 800-171?
Yes. Rev. 2 and its 110 controls remain the baseline, enforced through Level 1 and Level 2 self-assessment and select government-led assessments. Nothing about the underlying security requirement changed.
Can a program office bring on a firm that isn't CMMC-certified now?
Yes — under a Level 2 (Self) posture, which is currently the highest level a contracting officer may designate. The firm still needs genuine 800-171 implementation and, if CUI touches the cloud, FedRAMP-Moderate infrastructure.
What's the difference between Level 2 (Self) and Level 2 (C3PAO)?
The controls are the same; the verification differs. Level 2 (Self) means the contractor assesses and affirms its own compliance. Level 2 (C3PAO) means an accredited third party audits it. Only the self-assessed version may be designated during the suspension.
Is "FedRAMP-aware" good enough for a cloud AI system handling CUI?
It depends on what the phrase is covering. The requirement is that the cloud service meets FedRAMP Moderate (authorized or equivalent). A developer building on an already-authorized platform does not need its own separate FedRAMP authorization. A developer claiming it is FedRAMP-authorized when only its platform is — that's the claim to scrutinize.
Could CMMC Phase II come back?
Yes. The suspension is explicitly pending review, and the clause remains prescribed for use until November 9, 2028. Plan your security posture on the assumption that the requirements survive in some form — because the underlying ones already did.
§ Field notes — monthly

One email a month. Not a vendor blog.

// Signing up gets you the AI pilot go/no-go checklist + one field-note a month — no drip, one-click unsub