CMMC Phase II Is Officially on Hold. NIST and DFARS aren't.
On July 13, 2026, the Department of War (DoW) announced the immediate suspension of CMMC Phase II requirements, which were originally set to take effect on November 10, 2026. The decision also triggers a 60-day comprehensive review of the entire CMMC program, led by a newly established CMMC Reform Task Force under DoW CIO Kirsten A. Davies.
For many in the Defense Industrial Base, this news lands like a set back after years of investment in Phase II readiness. For others, it was a confirmation of something they'd been quietly saying for a long time: Implementing CMMC at scale was an uphill battle — one that left many small and midsize contractors behind. .
Let's unpack what happened, what it actually means, and more importantly, what it shouldn't change about how you protect your data.
What the CMMC Suspension Actually Does (and Doesn't Do)
The DoW announcement is surgical and deliberate in its scope.
What's suspended: the Phase II mandate for third-party C3PAO assessments for CMMC Level 2 contracts, and all pending and future CMMC implementation milestones across DoW solicitations and contracts.
What's not suspended: Phase I self-assessment requirements, which remain fully in place. NIST SP 800-171 Rev 2 enforcement, which the DoW made clear will continue through self-assessments and select government-led assessments during the interim period. And DFARS 252.204-7012, which is the one that matters most. The DoW was emphatic that every defense contractor and subcontractor remains contractually obligated to safeguard covered defense information under this clause. The legal obligation to protect CUI has not moved one inch.
Ultimately, the compliance framework shifted, but the data protection obligation did not.
What the DIB Should Do Right Now
The 60-day task force clock is ticking. The DoW's public RFI is an active opportunity for the DIB, and the vendors who serve it, to shape what that future model looks like. The contractors and partners who show up with data-centric, encryption-first approaches will help move the conversation away from audit-driven certification and toward practical, scalable security. Here's how to position yourself well regardless of what that reform produces.
Treat DFARS 252.204-7012 as your north star.
This clause is contractual. It is not subject to phased rollout or task force review. It requires you to adequately protect covered defense information, full stop. Your NIST SP 800-171 Rev 2 self-assessment score in SPRS is still a live, enforceable data point that the government can and will scrutinize. Don't let the Phase II suspension become a reason to let your cyber hygiene slide.
CMMC was always an enforcement and verification mechanism layered on top of obligations that already existed. DFARS 252.204-7012 has since 2015 required contractors to implement the security requirements in NIST SP 800-171. CMMC Level 2 maps directly to those same 110 controls. The Phase II suspension removes the third-party verification mechanism. It does not remove the underlying obligation.
That distinction matters enormously, because the gap between what contractors claim in SPRS and what they've actually implemented has become a serious legal liability. The Justice Department's Civil Cyber-Fraud Initiative has made clear that an inflated SPRS score is a False Claims Act problem.
Multiple settlements in recent years have followed the same pattern: a contractor posts a near-perfect self-assessment score, a subsequent review finds only a fraction of controls actually implemented, and the government comes knocking. The compliance theater that the industry has practiced for years is exactly what has produced those outcomes. Your SPRS score is still live, the government can still audit it, and your obligation to actually implement those controls hasn't paused alongside Phase II.
Protect the data, not just the perimeter.
The DoW's reform language specifically calls for "scalable, resilient cybersecurity measures" that prioritize "tangible cyber hygiene over administrative overhead." That is a direct signal toward what Virtru calls data-centric security. In this paradigm, data-centric security becomes isn't a feature or a compliance requirement; it's foundational infrastructure —, as critical as the networks that carry data, the clouds that process it, and the AI models that learn from it.
When your security travels with the data itself, rather than just within the boundary of a secure environment, framework changes don't destabilize your posture. The Trusted Data Format (TDF) binds security policies directly to individual data objects, creating a protective wrapper that travels with your data wherever it goes. That means persistent encryption, granular access control, usage governance, and the ability to revoke access after the fact, with a full audit trail that follows the data regardless of where it lands.
And it maps directly to where policy is heading: the ATS emphasis on resilience and speed points toward zero trust architectures and data sovereignty, protecting information itself rather than relying on perimeter models or certification snapshots.
Know what your vendors actually solve, and what they don't.
The compliance uncertainty of the last several years has produced a flood of vendors making inflated claims. While CMMC Level 2 requires organizations to meet all 320 objectives across 110 controls through people, processes, and technology, some providers claim to address 90% or more of controls, often by including inherited compliance from the vendor's own underlying infrastructure, inaccurately claiming credit for controls like physical security that require escorting visitors through a building.
Recommended Reading: There's No Silver Bullet for CMMC: How to Spot Empty Promises by Software Vendors
Choose partners who are honest about what they actually solve. Don't fall for the vendor who claims the highest number of controls on their marketing collateral.
Don't abandon your compliance investments; build on them.
If you've been working toward CMMC Level 2, you haven't wasted your time. The NIST SP 800-171 controls you've been implementing are still the right foundation. The DoW isn't saying the security controls were wrong; it's saying the assessment mechanism was unworkable. The underlying hygiene requirements are staying. Your SPRS score still matters. Keep going.
True Security Outperforms "Compliance Theater" Every Time
We've said it before, and today's announcement makes the point better than we ever could: Compliance is a snapshot at a moment in time. Security is a continual posture that doesn’t just “check the box,” but also verifiably demonstrates the protection of sensitive information.
CMMC has been evolving since it was first introduced, moving from a five-level model to a three-level model under CMMC 2.0, then rolling out in phases, then pausing and resetting. Discussions and debates about CMMC have echoed through the defense community for several years, as the CMMC standard itself has evolved and the implementation timeline has slowly crept forward.
Every time the framework shifted, organizations that had built their security strategy around the compliance checklist had to scramble. Organizations that had built their security strategy around actually protecting their data just kept doing what they were doing.
The regulation is a means to an end. It is not the end itself.
Compliance isn’t the Goal. Security is. Stay the Course.
U.S. adversaries have systematically targeted the defense supply chain, particularly its smaller, less-resourced nodes, to aggregate sensitive technical information. That threat hasn't filed a 60-day suspension notice. It hasn't launched a reform task force. It is operating right now, and the weakest link in the supply chain is still the target.
The DoW's suspension of CMMC Phase II is a pragmatic acknowledgment that the program's implementation was structurally broken. It is not a signal that CUI protection is optional, that adversaries have paused, or that the underlying NIST SP 800-171 baseline has been relaxed.
The organizations that will be best positioned when the reformed CMMC framework arrives, whether in 60 days, six months, or two years, are the ones that never confused compliance with security. They built data-centric controls that protect CUI wherever it goes. They chose FedRAMP-authorized tools. They maintained accurate SPRS scores. They understood that the point was never to pass an audit. The point was to protect the data.
Today, it's the difference between a security posture that can weather a policy change and one that needs to start over.
Editorial Team
The editorial team consists of Virtru brand experts, content editors, and vetted field authorities. We ensure quality, accuracy, and integrity through robust editorial oversight, review, and optimization of content from trusted sources, including use of generative AI tools.
View more posts by Editorial TeamSee Virtru In Action
Sign Up for the Virtru Newsletter
Dive Deeper
/2026%20Newsletter%20Assets/jk-HIO.png)
We Asked Kindervag: Why Are So Many Organizations Still Getting Zero Trust Wrong?
/blog%20-%20ShareFile%20Takedown/26-Competitor-Blog-Blog%20-%20Virtru%20vs%20Sharefile.jpg)
Looking for a ShareFile Alternative? Here's What Regulated Organizations Need to Know.
/blog%20-%20sendsafely%20takedown/26-Competitor-Blog-Blog%20-%20Virtru%20vs%20SendSafely%20(1).jpg)
SendSafely vs. Virtru: Which Secure File Sharing Platform Protects Your Data After Download?

Dropbox Alternatives for Secure File Sharing: What IT Teams Are Missing
/blog%20-%20alex%20karp/alex-karp.jpg)
Alex Karp Is Right About the AI Problem. He's Missing the Solution.
/blog%20-%20SACR%20Report/anna-perrone-commentary%20copy.webp)
The Email Security Report Every CISO Should Read, And the Questions It Should Inspire
/temp%20-%20cmmc%20compliance%20advantage/IVIS-CMMC%20COMPASS.webp)
A 20-Year DIB Veteran on Turning CMMC Into a Compliance Advantage
/blog%20-%20shared%20services%20model/shared-services-model%20copy.webp)
Your Shared Services Model Might Be Leaking Data. Here's How to Stop It.
/blog%20-%20collaborate%20webinar%20recap/Collab-Demo-Recap.webp)
Inside Virtru Collaborate: The File Sharing Platform Built on NSA Open Standards

The Hidden Cost of a Microsoft GCC High Migration, and What the License Quote Leaves Out
Book a Demo
Become a Partner
Contact us to learn more about our partnership opportunities.
Become a Compliance Champion
Contact us to learn more about our partnership opportunities.