Department of War Suspends CMMC Phase II: What It Means for Defense Contractors

Overview

On Monday, the Department of War (DoW) announced the suspension of CMMC Phase 2 which is the CMMC Third-Party Assessment Organization (C3PAO) assessment and certification requirements which were scheduled to appear in contracts beginning on November 10, 2026. Phase I has NOT been suspended: contractors are still expected to attest to their compliance in SPRS before November 10, 2026.

Why did the DoW do this?

Two main reasons were given:

  • Lack of certification progress: Few assessments have been completed, which the DoW attributed to a shortage of qualified assessors.

  • Cost burden for small businesses: High assessment costs raised concerns about speed to market, barriers to entry, and innovation.

To date, fewer than 2,000 defense contractors have achieved CMMC Level 2 certification. The DIB was unlikely to meet the November 10th deadline, risking a supply chain unable to fulfill DoW demands.

What Happens Next?

  • A 60-day CMMC Reform Task Force will evaluate the program and report back around September 11.

  • An RFI has been released, seeking industry feedback.

  • All prior cybersecurity requirements remain in force.

‍Ariento's Analysis

Although many details remain uncertain, here is our best analysis of what this announcement may mean for the future of CMMC:

  1. False Claims Act enforcement: Organizations misrepresenting their SPRS scores or compliance will continue to face FCA actions. Self-attestation in SPRS remains required as part of CMMC Phase I by November 10, 2026.

  2. Focus on mid-to-enterprise organizations: Certification requirements will likely target larger entities, while small businesses may transition to self-attestations. The fact that the DOW did not shut down assessments, and companies can still get assessed by C3PAOs during the pause, seems to indicate they aren’t likely to end the assessment and certification capability of CMMC altogether. Furthermore, the original CMMC Final Rule distinguished certification requirements between Small Entities and Other Than Small Entities. Our analysis suggests that certification requirements may ultimately be narrowed to focus on Other Than Small Entities that have the resources to manage the CMMC burden. Because the framework for this distinction already exists within the Final Rule, we believe it would be relatively straightforward for the Department to reduce the number of organizations required to obtain certification while transitioning Small Entities to the self-attestation model.

  3. Extended timelines: Expect deadlines to be pushed out, with a more measured rollout emphasizing Level 2 self-attestations. Certification assessments will likely remain available for organizations that choose to pursue them, but the deadline by which certification becomes a contractual requirement may be pushed back.

  4. Delayed or canceled requirements for small businesses: Self-attestation will likely remain for small businesses, with FCA used as a deterrent. Spot checks by C3PAOs may occur.

  5. Innovative solutions for small businesses: We believe the Department will continue exploring innovative approaches that reduce the cost and complexity of compliance for small businesses. Solutions like Enclave One, which Ariento was already discussing with the SBA prior to this announcement, provide a cost-effective approach to implementing NIST SP 800-171. As the Department evaluates alternatives, we believe these types of solutions may receive increased attention. One potential future model could provide some form of reciprocity for CMMC Level 2 certified MSPs, similar to the role FedRAMP-authorized CSPs play today, giving small businesses that leverage those providers credit toward meeting certain CMMC requirements. Such an approach would preserve the spirit of CMMC while significantly reducing the compliance burden on small businesses.

What Does This Mean for You?

Your next steps depend on where you are in your CMMC compliance journey:

  • All contractors: You must still report your self-attestation in SPRS by November 10, 2026. DFARS 7012 remains in effect, requiring an SSP and use of FedRAMP moderate/high cloud services for CUI. As of today, some primes are still requiring certification by the original deadline.

  • Still getting ready for CMMC: Continue your efforts, but note you may not need certification. DFARS 7012 and CMMC Phase I self-attestation deadline remain.

  • Signed a contract for a certification assessment: Pause and await guidance after the 60-day review. Reschedule with your C3PAO if possible. If your assessment has already kicked off, consider completing it, as certification is more robust than self-attestation and may prove to be an advantage regardless.

  • Currently using a CMMC Level 2 certified MSP (e.g., Ariento): Hold off on assessments for now; see analysis above.

  • Already certified: Maintain continuous monitoring and annual SPRS attestation as those requirements remain. Re-certification may not be required in three years; avoid scheduling that until further guidance.

FAQs

  • Is CMMC Level 2 Certification still valuable? Yes, RFPs may still contain a risk score or risk evaluation and certified companies will likely score higher on those criteria.

  • Can primes still require certification by November 10? Yes, some primes are maintaining the deadline, though it’s no longer a DoW requirement.

  • Can I still get CMMC Level 2 certification? Yes, certifications continue during the pause.

  • Do I have to self-attest by Nov 10? Yes.

  • Are DIBCAC assessments still ongoing? Yes, DIBCAC assessments are separate from CMMC and continue.

  • What about Rev 3? DoW is still using Rev 2 at this time.

  • Is GSA moving forward with their assessment program? Yes, GSA’s program is separate and continues.

Conclusion

The Department's announcement provides relief for many organizations, particularly small businesses facing the cost and logistical challenges of certification. However, it should be viewed as a change in how compliance may ultimately be demonstrated, not a change in the underlying cybersecurity expectations.

We believe this pause creates an opportunity for the Department to develop a more practical and scalable approach to CMMC, one that maintains strong cybersecurity while reducing unnecessary burden on the Defense Industrial Base. Emerging approaches, such as Enclave One's rent-versus-buy model and potential reciprocity for certified MSPs, could play an important role in that future.

We expect additional guidance following the Task Force's review and will continue sharing our analysis as more information becomes available. As both a CMMC-certified MSP and an authorized C3PAO, Ariento will continue helping organizations navigate these changes with practical guidance grounded in both implementation and assessment experience.

ariento-specific faqs

  • Can I reschedule my assessment? Yes, rescheduling is allowed at no cost through our PMO.

  • Has Ariento been in touch with SBA? Yes, we continue to collaborate on solutions like Enclave One to address cost and timeline concerns.

  • Does Ariento provide False Claims Assurance? Yes, both our C3PAO and MSP offer False Claims Assurance.

  • What is Ariento doing to respond? We are conducting an internal review to determine the best ways we can support you. Here are a few things in the works:

    • Rolling out False Claims Act Assurance in addition to our existing Certification Assurance.

    • Free rescheduling of assessments or assessment support projects until more guidance is provided

    • Repurposing of funds to other services if a certification assessment requirement is removed for your individual business

    • Exploring versions of Enclave One that include False Claims Act Assurance instead of C3PAO certification in the cost.

    • Continuing to work with SBA and DOW on how Enclave One and certified MSPs can reduce cost and address the two main concerns driving the pause.

Next
Next

CMMC Timeline Update - 32 CFR Final Rule Sent For Final Review