CMMC Phase II Suspension: What it Means for Defense Contractors

Key Takeaways

  • The Department of War suspended CMMC Phase II third-party audit requirements on July 13, 2026.
  • Defense contractors must still complete NIST SP 800-171 Revision 2 self-assessments under existing DFARS obligations. 
  • A 60-day review of the CMMC program is underway and future requirements may change. 
  • The suspension creates immediate business risk: inconsistent self-assessments, potential compliance gaps and readiness concerns if the program is revised. 
  • Boulay’s Risk Advisory team helps contractors interpret the change, improve self-assessment processes and build defensible compliance documentation. Need help navigating the CMMC Phase II suspension?

On July 13, 2026, the Department of War announced the immediate suspension of Cybersecurity Maturity Model Certification (CMMC) Phase II requirements, effectively removing the need for third-party audits by certified third-party assessment organizations (C3PAOs) for contractors. While this reduces administrative burden, it does not eliminate contractors’ obligation to implement NIST SP 800-171 Revision 2 security practices and document self-assessments under DFARS clause 252.204-7012. 

For defense contractors, this change is less about “what’s gone” and more about “what remains”. The real question for contractors is: How do we ensure our self-assessments are credible, defensible and aligned with government expectations, even without independent audits? 

At Boulay, our Risk Advisory team helps clients interpret this shift, enhance their security posture and prepare for potential program changes. 

What the CMMC Phase II Suspension Changes

The Department of War’s decision to suspend CMMC Phase II requirements may come as a relief for many defense contractors. Originally scheduled to take effect Nov. 10, 2026, the Phase II rollout has been paused while the department conducts a 60-day review of the program. 

In practical terms: 

      • Contractors no longer need to schedule or pay for C3PAO audits for Phase II 
      • Self-assessments against NIST SP 800-171 Revision 2 remain mandatory 
      • Contractors must still document and maintain evidence of compliance for government review 

Organizations should also continue monitoring developments related to CMMC compliance and DFARS cybersecurity requirements, as future revisions may alter assessment expectations for covered contractors. 

What the CMMC Audit Suspension Means for Defense Contractor Compliance

The suspension of third-party assessments does not reduce cyber risk. If anything, it places greater responsibility on contractors to ensure their initial cybersecurity programs are mature, well documented and consistently followed. 

Beyond regulatory compliance, maintaining a strong cybersecurity program helps organizations: 

      • Protect sensitive information 
      • Strengthen customer and partner confidence 
      • Reduce operational and financial risk 
      • Remain competitive for future defense contracts 

The organizations that continue improving their security posture today will be in a strong position regardless of how the CMMC program evolves. 

Three Actions Defense Contractors Should Take Now

1.) Validate your NIST SP 800-171 self-assessment process.

Review how controls are being evaluated, documented and supported with evidence. Even without third-party certification requirements, your assessment should be well supported. 

2.) Update compliance documentation and supporting evidence. 

Ensure policies, procedures, system security plans and supporting evidence accurately reflect your current environment. 

3.) Prepare for changes following the 60-day review. 

Use this period to address known gaps and refine cybersecurity controls so your organization remains ready regardless of the review’s outcome. 

How Boulay Helps Organizations Stay Ready

Regulatory requirements will continue to evolve, but the fundamentals of good cybersecurity remain the same. 

Boulay’s Risk Advisory team helps defense contractors build practical cybersecurity programs that align compliance requirements with business objectives. Whether you’re evaluating your current NIST SP 800-171 posture, reinforcing internal controls or preparing defensible documentation, our advisors help organizations reduce risk while remaining ready for future regulatory changes. 

Our team also assists clients with cybersecurity risk assessments, compliance readiness reviews, internal control evaluations and broader compliance initiatives. 

Rather than treating compliance as a one-time exercise, we help clients build repeatable processes that support long-term resilience. 

Don’t Mistake a Delay for a Deadline Extension

The Department of War’s review of CMMC Phase II creates uncertainty, but it does not eliminate defense contractors’ responsibility to safeguard sensitive information. 

Organizations that use this period to improve their security will be better prepared for whatever comes next. If you’re unsure where your organization stands today, our team can help assess your cybersecurity program, identify gaps and develop a practical roadmap for strengthening your compliance posture.

Subscribe to Our Newsletter

LOCATIONS

CONTACT

COMPANY

RESOURCES

Investment Advisory Services offered through Boulay Financial Advisors, LLC a SEC Registered Investment Advisor. Certain Third Party Money Management offered through Valmark Advisers, Inc. a SEC Registered Investment Advisor. Securities offered through Valmark Securities, Inc. Member FINRA, SIPC. Registered Representatives of Valmark Securities, Inc. are located at the Minneapolis/Eden Prairie office(s). See Valmark’s Form CRS.

Boulay PLLP and Boulay Financial Advisors, LLC are separate entities from Valmark Securities, Inc. and Valmark Advisers, Inc. FINRA | SEC | SIPC | ©2021-2024 Boulay | All rights reserved.