CMMC Phase 2 is suspended. Here’s what that actually means for you.
On July 13, the Department of War paused Phase 2 (and beyond) of CMMC — the third-party audit requirement that was set to hit contracts in November 2026. A 60-day Reform Task Force review is now underway, and officials haven’t ruled out significant changes to the program.
But before you cancel anything, here’s what didn’t change:
- DFARS 252.204-7012 is still in your contract
- NIST SP 800-171 compliance is still required
- SPRS self-assessments and annual affirmations are still mandatory — and with auditors out of the picture, your SPRS score is now the government’s primary compliance check (False Claims Act exposure is real)
- Prime contractors are still flowing CMMC requirements downstream
The honest take: This is a pause, not a pardon. The underlying mission — protect Controlled Unclassified Information — hasn’t changed in six years and isn’t going anywhere. What’s changing is how it gets enforced.
This week, do this:
- Check your contracts — not the headlines
- Keep your SSP, POA&M, and SPRS score current and accurate
- Watch the RFI — industry has a real chance to shape what comes next
Questions about what this means for your contracts? Let’s talk.


