Navigating CMMC and FedRAMP Together: From Assessment-Ready to Authorized | July 22nd

Contact Us
Services
Services
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Governance
AI Governance
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships

CMMC Phase II Suspended by DoW

CMMC

Published: Jul 14, 2026

On July 13, 2026, the Department of War (DoW) immediately suspended CMMC Phase II — specifically, the requirement for third-party (C3PAO) certification assessments that had been set to take effect November 10, 2026. CMMC Phase I self-assessment requirements for CMMC Levels 1 and 2, and the related NIST SP 800-171 / DFARS 252.204-7012 obligation to safeguard federal data, are unchanged.

DoW has launched a 60-day CMMC Reform Task Force review to recommend a path forward that focuses on reducing the reported negative impacts of the planned CMMC Phase II on small and non-traditional businesses. Officials describe this as addressing capacity issues as well as reducing the burden on small businesses rather than a relaxation of security standards.

 This pause does not mean CMMC is “going away” – it means that some CMMC requirements will not be enforced by DoW as planned and future CMMC requirements enforced by DoW may be modified. Critically, CMMC L2 certification assessments can continue to be performed with certificates issued by C3PAOs, and organizations may choose or be required to obtain CMMC certification outside of direct DoW contract requirements.  

Two things to keep front-of-mind:

  1. Contractors’ NIST 800-171 compliance obligations have not changed and these are, if anything, the primary contractual and compliance vehicle DoW will lean on during this pause (DFARS 252.204-7012), in addition to the current CMMC Phase 1.
  2. Prime contractors set their own subcontractor cybersecurity expectations independent of DoW's requirements and timeline, so reduced federal pressure does not necessarily mean reduced commercial pressure.

What does this mean for you?

  • If you have already achieved your CMMC certification, you can feel confident that your investment stands, and you should be proud of that accomplishment. This was specifically recognized by CIO Davies in her remarks.
  • If you are already under contract for a certification assessment but have not yet completed Phase 1, you have a decision to make. You can continue on your current path toward CMMC Level 2 certification, or consider an alternative NIST 800-171 assessment instead. Please note, it's important that you confirm this choice meets your specific contractual requirements (whether to the DoW, a DIB Prime, or other applicable parties).
  • If you are still evaluating your options, you can choose to pursue the certification approach or consider a phased strategy that starts with a NIST 800-171 assessment first.

All guidance will be revisited once the Reform Task Force reports, expected mid-September 2026 and we will continue to update you along the way!

Our team is standing by and ready to answer your questions about the impact on your specific compliance roadmap.

About Douglas Barbin

As President and National Managing Principal, Doug Barbin is responsible for the strategy, development, growth, and delivery of Schellman’s global services portfolio. Since joining in 2009, his primary focus has been to expand the strong foundation in IT audit and assurance to make Schellman a market leading diversified cybersecurity and compliance services provider. He has developed many of Schellman's service offerings, served global clients, and now focuses on leading and supporting the service delivery professionals, practice leaders, and the business development teams. Doug brings more than 25 years’ experience in technology focused services having served as technology product management executive, mortgage firm CTO/COO, and fraud and computer forensic investigations leader. Doug holds dual-bachelor's degrees in Accounting and Administration of Justice from Penn State as well as an MBA from Pepperdine. He has also taken post graduate courses on Artificial Intelligence from MIT and maintains multiple CPA licenses and in addition to most of the major industry certifications including several he helped create.