The short version
On July 13, 2026, the Department of War suspended CMMC Phase II, the phase that would have required defense contractors to pass a third-party assessment by a C3PAO for Cybersecurity Maturity Model Certification Level 2. It also stood up a CMMC Reform Task Force to deliver recommendations within 60 days.
The audit mandate is paused. The security obligation is not. Phase 1 self-assessment and the NIST SP 800-171 and DFARS 252.204-7012 requirements that protect Controlled Unclassified Information (CUI) still apply. If you handle CUI, you still have to protect it. What changed is how that gets verified, not whether it is required.
What changed, and what did not
| Before July 2026 | After the suspension | |
|---|---|---|
| Third-party C3PAO certification | Mandatory for Level 2 from November 10, 2026 | Suspended, under review |
| Phase 1 self-assessment | Required | Still required |
| NIST 800-171 controls | Required | Still required |
| Protecting CUI under DFARS | Required | Still required |
| SPRS score submission | Required | Still required |
| Program structure | CMMC 2.0 phased rollout | 60-day reform review |
The suspension removes a bottleneck, it does not remove the standard.
Why it happened
The math did not work. There were on the order of 100 accredited assessors for a defense industrial base of more than 100,000 companies. Small and mid-sized suppliers could not realistically book, pay for, and pass a certification before the deadline, and the Small Business Administration had flagged that compliance costs were pushing capable firms out of defense work. Suspending Phase II buys time to design something that scales.
Where the focus is moving: OT and the basics
The reform points at fundamentals that scale. The clearest signal is the Department of War CIO program Brilliant at the Basics, which now publishes a dedicated OT Top 10 for operational technology. That matters for manufacturers, because the assets that are hardest to certify, the PLCs, HMIs, CNCs, and SCADA servers on the shop floor, are the ones it is built around.
Those OT basics are familiar: identity and access control, a validated asset inventory, strict network segmentation, controlled remote access, and continuous monitoring. They are the same controls a Level 2 program asks for, stated plainly and without the certification overhead.
What to do now
Do not stand down. The organizations that treat the suspension as a pause button will be the ones scrambling when the reformed program lands. The ones that keep implementing will already be ready, and they get a more secure plant in the meantime.
The practical move is to cover the OT Top 10 on the equipment that cannot host a security agent. An agentless, network-layer approach enforces identity-bound access, microsegmentation, remote access, and tamper-evident audit inline, in front of the asset, so the PLC never changes and production never stops. That is how Access Gate covers eight of the ten OT basics out of the box, and contributes to the other two.
If you are earlier in the journey, start with what CMMC compliance requires and the CMMC solution for defense manufacturers with legacy OT. The destination has not moved. Only the paperwork did.