TroutTrout
Back to Blog
CMMCComplianceManufacturingOT Security

CMMC Phase II Suspended: What Actually Changes for Defense Manufacturers

Trout Team3 min read

The short version

On July 13, 2026, the Department of War suspended CMMC Phase II, the phase that would have required defense contractors to pass a third-party assessment by a C3PAO for Cybersecurity Maturity Model Certification Level 2. It also stood up a CMMC Reform Task Force to deliver recommendations within 60 days.

The audit mandate is paused. The security obligation is not. Phase 1 self-assessment and the NIST SP 800-171 and DFARS 252.204-7012 requirements that protect Controlled Unclassified Information (CUI) still apply. If you handle CUI, you still have to protect it. What changed is how that gets verified, not whether it is required.

What changed, and what did not

Before July 2026After the suspension
Third-party C3PAO certificationMandatory for Level 2 from November 10, 2026Suspended, under review
Phase 1 self-assessmentRequiredStill required
NIST 800-171 controlsRequiredStill required
Protecting CUI under DFARSRequiredStill required
SPRS score submissionRequiredStill required
Program structureCMMC 2.0 phased rollout60-day reform review

The suspension removes a bottleneck, it does not remove the standard.

Why it happened

The math did not work. There were on the order of 100 accredited assessors for a defense industrial base of more than 100,000 companies. Small and mid-sized suppliers could not realistically book, pay for, and pass a certification before the deadline, and the Small Business Administration had flagged that compliance costs were pushing capable firms out of defense work. Suspending Phase II buys time to design something that scales.

Where the focus is moving: OT and the basics

The reform points at fundamentals that scale. The clearest signal is the Department of War CIO program Brilliant at the Basics, which now publishes a dedicated OT Top 10 for operational technology. That matters for manufacturers, because the assets that are hardest to certify, the PLCs, HMIs, CNCs, and SCADA servers on the shop floor, are the ones it is built around.

Those OT basics are familiar: identity and access control, a validated asset inventory, strict network segmentation, controlled remote access, and continuous monitoring. They are the same controls a Level 2 program asks for, stated plainly and without the certification overhead.

What to do now

Do not stand down. The organizations that treat the suspension as a pause button will be the ones scrambling when the reformed program lands. The ones that keep implementing will already be ready, and they get a more secure plant in the meantime.

The practical move is to cover the OT Top 10 on the equipment that cannot host a security agent. An agentless, network-layer approach enforces identity-bound access, microsegmentation, remote access, and tamper-evident audit inline, in front of the asset, so the PLC never changes and production never stops. That is how Access Gate covers eight of the ten OT basics out of the box, and contributes to the other two.

If you are earlier in the journey, start with what CMMC compliance requires and the CMMC solution for defense manufacturers with legacy OT. The destination has not moved. Only the paperwork did.

FAQ

Frequently Asked Questions

Is CMMC cancelled?
No. The Department of War suspended Phase II, the mandatory third-party Level 2 certification that was set to take effect on November 10, 2026, and opened a 60-day reform review. Phase 1 self-assessment and the underlying NIST 800-171 and DFARS obligations to protect CUI remain in force.
Do defense contractors still need a C3PAO assessment?
Not for now. The requirement to be certified by a third-party assessment organization is paused while the CMMC Reform Task Force reviews the program. Contractors that handle CUI still have to implement the NIST 800-171 controls and self-attest under Phase 1.
Why was CMMC Phase II suspended?
There were roughly 100 accredited assessors for more than 100,000 companies in the defense industrial base, so the November 2026 timeline was not achievable, and the cost of certification was pushing small and non-traditional suppliers out of defense work.
What should manufacturers do during the suspension?
Keep implementing the controls. The security obligation did not change, and the fastest way to stay ready is to get the fundamentals right on the hardest equipment to secure, legacy OT. The DoW Brilliant at the Basics OT Top 10 is the list to work against.