Military cyber operations center monitoring global networks

Suspended, Not Eliminated: Why the CMMC Rollout Pause Does Not Mean Stop

On July 13, 2026, the Department of War's Chief Information Officer suspended the rollout of CMMC Phase 2 and launched a 60-day review of the program. For a defense industrial base that has spent years bracing for third-party assessments, the announcement has had mixed reviews. Many contractors, understandably, feel a big relief in the potential time and cost involved, with some interpreting this as the time to shelve their compliance roadmaps.

That reaction is a mistake, and potentially a costly one. This is also a moment where contractors need a trusted advisor who understands both the regulatory detail and the technology infrastructure behind it, not just a headline summary.

As a cloud service provider to the government contracting community, Deltek has been closely tracking this shift, and our role in that infrastructure is exactly why the distinction below matters.

What Actually Changed

Two memoranda, one from CIO Kirsten Davies and one from Under Secretary of War for Acquisition and Sustainment Michael Duffey, laid out the specifics:

  • The November 10, 2026 CMMC Phase 2 deadline is suspended. Contractors handling Controlled Unclassified Information (CUI) will not be required to obtain third-party (C3PAO) Level 2 assessments on that timeline.
  • Program offices are now limited to self-assessments. Procurement documents may only require CMMC Level 1 (Self) or Level 2 (Self). Level 2 (C3PAO) and Level 3 (DIBCAC) designations cannot be included during the review period.
  • Existing contracts will be amended. Solicitations and contracts that already carry Level 2 or Level 3 third-party requirements must have them removed, either before the next option period or at the next scheduled administrative modification.
  • No waivers will be granted. Since program offices are already restricted to the lower self-assessment tiers, there is nothing left to waive.
  • A CMMC Reform Task Force is now running a 60-day review, informed by an open RFI on reducing compliance burden, with industry responses due August 14, 2026.

What Has Not Changed

This is the part that gets lost in the headlines. Both memos are explicit that the underlying cybersecurity standards remain fully in force:

  • NIST SP 800-171 Rev 2 continues to govern how CUI must be safeguarded, and self-assessment against it is still mandatory for contractors handling CUI.
  • DFARS 252.204-7012, covering safeguarding of covered defense information and cyber incident reporting, remains intact and enforceable.
  • FAR 52.204-21, the basic safeguarding rule underlying CMMC Level 1, is unaffected.

The Pentagon paused the assessment mechanism, the requirement for an outside party to certify compliance. It did not pause the requirement to be compliant.

The Risk of Reading This Pause as a Compliance Off-Ramp

We work with government contractors across the defense industrial base every day, and we're already hearing the “we can pause” read of this announcement. For contractors weighing whether to slow down or pause cybersecurity investment, consider what does not change with this announcement:

The threat environment hasn't paused.

Adversaries targeting the defense supply chain are not waiting for a program review to conclude. CUI still needs protecting regardless of which assessment framework verifies that it is.

Self-assessment still carries legal exposure.

Attesting to NIST 800-171 compliance in the Supplier Performance Risk System is a representation the government can rely on. Under the False Claims Act, a false attestation carries real liability, arguably more direct exposure than failing a third-party audit, because the company itself is now the one making the claim.

A System Security Plan and POA&M are still expected artifacts.

Self-assessment does not mean informal assessment. Contractors still need documented evidence of their security posture and a credible plan to close any gaps.

The review has a defined endpoint, and history suggests it moves fast.

The last time DOD undertook a comparable review, in 2021, it took roughly nine months to produce CMMC 2.0. Contractors who let their programs atrophy during this window risk a scramble when new requirements land, particularly if third-party assessment capacity is still constrained when Phase 2 (or its successor) resumes.

Competitive advantage goes to those who stay ready.

Roughly six in ten government contractors expect CMMC to apply to their business, and about half anticipate needing Level 2 or above, according to the 17th Annual Deltek Clarity Government Contracting Industry Study.

When assessment requirements return, whether under the current framework or a reformed one, contractors who kept their cybersecurity compliance programs current will be best positioned to win contracts. Those who paused will be playing catch-up against competitors who did not.

Related CUI rules outside CMMC are still advancing.

GSA's CUI policy and pending FAR cases (2017-016 and 2026-001) are moving forward independently of the DOD review, some referencing the same NIST baseline and even a FedRAMP Moderate equivalency standard for cloud service providers. Cybersecurity compliance is not a defense-only concern, and it is not going away industry-wide even if CMMC itself is reformed.

Why Your Cloud Partners Matter More, Not Less

If the assessment mechanism is in flux but the underlying standards aren't, the systems holding your CUI need to be built for the standards, not for whichever audit happens to be in fashion this year.

As a cloud service provider, Deltek’s Costpoint GCCM supports DFARS 242.204-7012 compliance requirements for safeguarding Covered Defense Information (aka CUI) and incident reporting obligations that are still fully intact. That obligation didn’t move. Neither did our commitment to it.

It also means we’re paying close attention to regulatory activity that hasn't slowed down. FAR case 2026-001, open for public comment through July 23, 2026, proposes updating FAR 52.204-7 so that any cloud service provider storing, processing, or transmitting CUI must meet security requirements equivalent to the FedRAMP Moderate baseline.

That's a direct signal that CUI-handling infrastructure, not just contractor attestations, is becoming a bigger part of how this obligation gets enforced. Contractors evaluating their systems of authority should be asking their providers the same question we ask ourselves every day: is our environment built to the standard the government expects, not just the standard currently being checked at contract award?

This suspension isn't a reason to pull back. It's a reason for contractors, and their technology partners, to double down on the fundamentals: NIST SP 800-171 Rev 2 alignment, DFARS 252.204-7012 compliance, and infrastructure built for CUI handling from the ground up.

What Contractors Should Do Now

  • Keep your NIST SP 800-171 program running. Continue maintaining and updating your SSP and POA&M as if a Level 2 (Self) assessment could be requested tomorrow, because it can be.
  • Treat self-attestation with the same rigor as a third-party audit. The assessment mechanism changed. The standard of accuracy you owe the government did not.
  • Participate in the RFI. The Reform Task Force is actively soliciting industry input through August 14, 2026. This is a rare opportunity to shape what CMMC 3.0 looks like rather than simply reacting to it.
  • Watch adjacent rulemaking. FAR case 2026-001 and GSA's CUI policy may affect your CUI obligations independent of whatever the CMMC review produces.
  • Evaluate the infrastructure underneath your compliance program. If FAR 52.204-7 moves forward as proposed, your cloud service provider's security posture becomes part of your compliance story, not just your internal controls. Confirm your provider's environment is built for DFARS 252.204-7012 and NIST SP 800-171 Rev 2 today.
  • Get ahead of the next iteration, not behind it. Whatever the Task Force recommends, contractors with a mature compliance posture will implement it faster and more affordably than those starting from scratch.

Get the Latest, Directly from the Source

CMMC guidance is shifting quickly, and secondhand interpretations can lag the facts. To help contractors cut through the noise, I'm co-presenting a webinar with Katie Arrington, a leading CMMC expert, where we'll unpack what this suspension means for your compliance strategy, what to expect from the 60-day review, and how to position your organization, and your infrastructure, for whatever comes next.

Register now

 

The rules of the road may be under review, but the destination, protecting the defense industrial base's most sensitive information, hasn't moved. Contractors who treat this suspension as a pause button on compliance rather than on paperwork will be the ones ready when the next chapter of CMMC arrives. Deltek intends to be right there with you, as a technology partner whose infrastructure is built for that standard, not just this quarter's assessment requirement.

 

FAQs

Yes, because the baseline requirements remain in force. NIST SP 800-171 Rev 2 and DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) are still active. What's paused is the escalation to third-party assessments (CMMC Level 2 C3PAO or Level 3 DIBCAC), not the underlying security obligation.

For the duration of the 60-day review, yes. Program offices can only require CMMC Level 1 (Self) or Level 2 (Self) in new solicitations. No new contracts can mandate a C3PAO-certified assessment or DIBCAC assessment during this window.

Program managers and contracting officers are directed to amend active solicitations and modify existing contracts to strip those requirements out, either at the next option period or the next administrative modification.

No. The suspension is scoped to 60 days, tied to a CIO-led review, with "further guidance" promised afterward. Nothing in either Department of War memo says the program is being eliminated. Tools like Costpoint GCCM can help contractors document their NIST 800-171 posture consistently, regardless of which assessment tier is eventually reinstated, so they aren't caught unprepared.

No. The Department of War memo is explicit that no waivers will be granted during the review period, since programs simply are not permitted to select those levels right now. Compliance documentation remains the operative mechanism, not a waiver process.

Contributors

Author

Michael Greenman

Sr. Product Marketing Manager

Michael Greenman is a subject matter expert in Software as a Service (SaaS) and cybersecurity. He has worked for Deltek since 2021 to bring awareness and understanding of Deltek’s SaaS solutions and how they benefit project-based businesses across multiple markets. Michael is a frequent speaker on cybersecurity compliance initiatives, like CMMC, for government contractors and he is a CMMC Registered Practitioner. Michael holds master’s degrees in public administration and cybersecurity.

Featured Thoughts

American navy aircraft carrier

Article

Speed Without Control: The New Competitive Reality for A&D Contractors

Winning A&D contracts now depends on operating speed with control, not proposal quality alone. The 2026 Deltek Clarity Study shows top performers invest in systems and governance to move quickly without losing oversight. Firms that align speed with discipline protect margins and compete more effectively.

Technician inspecting a jet engine in an aircraft hangar

Article

Why Cost Isn't The Biggest Manufacturing Challenge Anymore

See why quality, compliance, and traceability are becoming the new measures of manufacturing performance in government contracting.

Accountant reviewing a digital e-invoice

Article

The Pricing Workflows That Lived Outside the System Finally Have a Home

Discover how ProPricer helps GovCon teams close workflow gaps where critical proposal work has long lived outside the system of record.

professional reviewing a business proposal

Article

Modernizing Services Proposal Pricing for GovCon

Discover how government contractors can bring services proposal pricing into a governed workflow with greater traceability, control, and confidence.

Article

Built for Governance & Control: Why Some Systems Prevent Risk While Others Hide It

Compliance risk often comes from systems that allow workarounds, not bad actors. Learn why Deltek Costpoint validates transactions against contract rules in real time.