Policy update · July 13, 2026
CMMC Phase II is suspended. Here’s what actually changed.
On July 13, the DoW suspended CMMC Phase II, which paused third-party assessments.
What’s different
Third-party assessment requirements are on hold, along with the November 10 compliance deadline and the assessor capacity shortage that’s constrained the program since 2023.
What isn’t
DFARS 252.204-7012 is still binding, Phase I self-assessment is still required, and your duty to protect CUI is unchanged. No one is currently verifying your controls, but the requirement was not eliminated, and assessments will resume. The contractors who use this window to get their evidence in order now will be ahead of it when they do.
What to do in the next 60 days
Keep your self-assessment current rather than letting it lapse now that no one is requesting it. Retain evidence of your controls, not just the score: logs, configuration exports, screenshots, whatever supports the claim. Confirm which of your subcontractors actually handle CUI; that list is often out of date. And don’t let your security posture drift now that the deadline pressure is off. Assessors will return, and having been compliant six months ago will not be sufficient at that point.
None of this requires a vendor, but it does require keeping it up without a deadline forcing you to, which is where most programs will fall through.
That’s what continuous monitoring is for: keeping evidence current without turning it into a recurring scramble. If you want to talk through what that looks like for your environment, book a call with us.
Book a call