Conformité

CMMC Phase II suspended: what it means for your compliance program

On July 13, 2026, the Department of War (DoW) immediately suspended CMMC Phase II requirements, originally set to take effect November 10, 2026. Phase I self-assessments and DFARS 252.204–7012 obligations remain fully in force. A 60-day CMMC Reform Task Force review is now underway. Defense contractors and MSPs should maintain their compliance programs — the regulatory baseline hasn’t moved.

The announcement came without much warning. DoW Chief Information Officer Kirsten A. Davies confirmed the immediate suspension of CMMC Phase II requirements, citing SBA data showing that compliance costs were pushing innovative companies out of the Defense Industrial Base (DIB). Phase II had been scheduled to introduce mandatory third-party assessment organization (C3PAO) requirements into applicable DoW solicitations beginning November 10, 2026.

For the MSPs and IT teams supporting DIB contractors, this raises an obvious question: what do you do with a compliance program that was built around a deadline that no longer exists?

The short answer: keep building it. Here’s why, and what comes next.

What exactly did the DoW suspend — and what stayed in place?

The suspension covers Phase II requirements and all pending CMMC implementation milestones across DoW solicitations and contracts. That means the November 10, 2026 transition to mandatory C3PAO third-party assessments is on hold until further notice.

What isn’t suspended matters just as much.

Phase I self-assessment requirements remain fully in effect. Every contractor still required to complete CMMC Phase I self-assessments must continue to do so. The suspension doesn’t provide relief from current obligations.

DFARS clause 252.204–7012 remains contractually binding. Every defense contractor and subcontractor is still legally required to safeguard covered defense information. According to the official DoW press release, « this action does not eliminate the requirement for companies to protect federal data. » That obligation exists independent of CMMC and isn’t affected by the suspension.

NIST SP 800–171 Rev 2 enforcement continues. During the interim period, the DoW will enforce cybersecurity compliance through self-assessments and select government-led assessments, with an explicit emphasis on « tangible cyber hygiene rather than administrative overhead » (DoW press release, July 13, 2026).

In practical terms: the certification bottleneck has moved, but the security floor has not.

Why did the DoW suspend Phase II?

The decision ties directly to Secretary of War Pete Hegseth’s Acquisition Transformation System (ATS) directives, which prioritize speed to capability and lower barriers for small, medium, and non-traditional businesses in the defense supply chain.

According to the DoW press release, SBA data confirmed that CMMC compliance costs were « forcing innovative companies out of the Defense Industrial Base, which will delay the delivery of critical capabilities to the warfighters. » Under Secretary of War for Acquisition and Sustainment Michael Duffey put it plainly: « We have a strategic imperative to reduce bureaucracy as we build the world’s strongest Arsenal of Freedom. »

The goal isn’t to weaken cybersecurity standards. The DoW has been explicit that robust cyber hygiene remains a strategic priority. The intent is to replace what the department characterized as « bureaucratic compliance » with « scalable, resilient cybersecurity measures » (dowcio.war.gov/CMMC/).

To get there, the DoW CIO is standing up a CMMC Reform Task Force. The task force will synthesize industry feedback from a public Request for Information (RFI) on compliance challenges and deliver final recommendations within 60 days. If your organization has real compliance-cost data to share, the RFI is the right channel to contribute. You can access it at sam.gov.

What should MSPs and defense contractors do right now?

A suspension of enforcement timelines is not a suspension of cybersecurity risk. Here’s how to use this window productively.

Don’t stand down your compliance program. Phase I self-assessments are active, NIST SP 800–171 controls are being enforced, and DFARS 252.204–7012 obligations are contractually binding. Any organization that treats this pause as permission to slow down its compliance work is taking a significant contractual and security risk.

Treat this as a runway, not a reprieve. The 60-day Reform Task Force review could produce requirements that are tighter in some areas, even if the certification process becomes lighter overall. Organizations that keep building toward NIST 800–171 alignment now will be better positioned regardless of how the final framework lands.

Keep audit trails current. Government-led assessments remain in scope during the interim period. Assessors will expect evidence of patch management, access controls, continuous monitoring, and incident response readiness. Documentation gaps discovered now are far cheaper to close than those discovered during an assessment.

Watch the Reform Task Force output closely. When the 60-day review concludes, the revised framework will likely come with a new implementation timeline. Organizations that have maintained compliance momentum will have less distance to cover when enforcement resumes.

For MSPs specifically, this is a moment to differentiate. Clients navigating regulatory uncertainty need a partner who can demonstrate ongoing NIST 800–171 alignment and keep them audit-ready across whatever CMMC ultimately looks like.

A practical readiness checklist for the interim period:

  • Automated patch management across OS and third-party applications
  • Role-based access controls with documented separation of duties
  • Continuous monitoring with real-time alerting across all endpoints
  • Centralized log retention meeting NIST 800–171 requirements
  • Documented incident response plans tested and ready to execute
  • Audit-ready reporting that can be produced on short notice

Looking ahead: what could CMMC look like after the review?

The following reflects informed observations about an active regulatory process, not legal, compliance, or contractual advice. Organizations should consult their legal counsel, contracting officers, or a qualified compliance advisor for guidance specific to their contracts and obligations.

Several directions are possible when the Reform Task Force delivers its report.

A leaner certification framework is the most widely discussed scenario, one that preserves NIST 800–171 as the enforcement baseline while reducing the documentation and process overhead that made Phase II costly. The DoW has signaled a preference for « scalable, resilient cybersecurity measures » over administrative burden, which points in this direction.

New tiers or exemptions calibrated to business size are also plausible. The explicit policy goal of lowering barriers for small and non-traditional DIB entrants suggests the revised framework may treat different-size organizations differently than the current tiered structure does.

It’s equally possible that many Phase II requirements return largely intact after the review, with adjusted timelines or modified reporting mechanisms rather than substantive changes to the underlying control requirements. The DoW has been clear that it doesn’t intend to reduce the security baseline, only the bureaucratic overhead around proving it.

What’s unlikely to change: DFARS 252.204–7012 obligations and NIST SP 800–171 enforcement will remain the floor, regardless of how CMMC itself evolves. Work done toward CMMC 2.0 Level 2 readiness — automated patching, access control enforcement, continuous monitoring, audit-ready documentation — directly addresses those requirements. That investment isn’t wasted.

How N‑able helps you stay ready regardless of where CMMC lands

Because NIST SP 800–171 hygiene remains the enforcement baseline, the compliance groundwork organizations have laid toward CMMC 2.0 readiness continues to matter. N‑able’s approach is designed to protect that investment while keeping organizations audit-ready through whatever the revised framework requires.

N‑central for CMMC compliance

N‑central™ Unified Endpoint Management addresses the core technical controls that both CMMC 2.0 Level 2 and NIST SP 800–171 require. Key capabilities include:

  • Automated patch management for OS and 100-plus third-party applications, closing exposure windows continuously rather than episodically
  • Role-based access control with granular permissions and custom security groups for documented separation of duties
  • Real-time monitoring and alerting across all endpoints with customizable thresholds and automatic network scanning
  • Audit-ready reporting with structured logs, administrative action tracking, and script execution records that assessors can verify
  • Policy-driven configuration enforcement that prevents drift and maintains consistent security baselines across the entire managed estate

N‑central also comes with a Coalfire third-party attestation letter, providing independent validation of controls that can be shared directly with auditors. That’s audit evidence organizations don’t have to generate themselves.

Terence Tang, VP of Strategy at InTech Hawaii, described the impact directly: « Without N‑central, achieving CMMC compliance would have been extremely difficult. Manual processes just aren’t credible to assessors. »

Brett Kimmell, Managing Member and Principal Cybersecurity Consultant at Kimmell Cybersecurity, which was the first MSP to achieve CMMC Level 2 certification using N‑central, put it this way: « N‑central played an important role in our success in achieving CMMC Level 2 certification, and provides the tools we need to scale patching, monitoring, and security across thousands of endpoints. It’s already driving new business and setting us apart in the industry. »

Adlumin XDR and MDR

N‑able Adlumin™ Extended Detection and Response (XDR) and Managed Detection and Response (MDR) extend the compliance foundation with capabilities that address the continuous monitoring and incident response requirements central to NIST SP 800–171:

  • 24/7 SOC coverage with AI-powered threat detection that identifies behavioral anomalies faster than manual review can
  • SIEM, SOAR, and MDR capabilities in one platform, covering audit and accountability, incident response, and system integrity controls
  • Zero CUI exposure: Adlumin analysts investigate using behavioral telemetry, not file content. Controlled Unclassified Information stays in your environment and under your governance
  • Automated incident response with containment workflows that limit attacker dwell time

Together, N‑central and Adlumin XDR/MDR provide unified visibility across endpoints, networks, cloud, and identity layers, automated compliance controls that operate continuously, and audit-ready documentation ready for government-led assessments. The combination is designed to meet CMMC 2.0 requirements with confidence regardless of how the final framework is structured.

Use the 60 days well

CMMC Phase II enforcement is paused. Cybersecurity risk and DFARS obligations are not. The organizations that come out of this reform period strongest are the ones that treat the next 60 days as preparation time, not downtime.

Patch, monitor, document, and maintain. Keep audit trails current and access controls tight. Watch the Reform Task Force output. And make sure the tools supporting your compliance program can demonstrate continuous NIST SP 800–171 alignment to any assessor who asks.

If you want to understand how N‑central and Adlumin XDR/MDR can support your CMMC readiness program through the transition, explore the full solution or start a free trial of N‑central for CMMC compliance.

Frequently asked questions

What is the CMMC Phase II suspension announced on July 13, 2026?

On July 13, 2026, the Department of War immediately suspended CMMC Phase II requirements, which were originally scheduled to take effect on November 10, 2026. Phase II would have required defense contractors handling Controlled Unclassified Information to obtain third-party certification from a C3PAO. The suspension pauses that requirement while a 60-day CMMC Reform Task Force reviews the program and delivers revised recommendations.

Does the CMMC Phase II suspension eliminate my obligation to protect federal data?

No. The DoW press release (July 13, 2026) explicitly states that the suspension « does not eliminate the requirement for companies to protect federal data. » DFARS clause 252.204–7012, which requires all defense contractors and subcontractors to safeguard covered defense information, remains fully in force. NIST SP 800–171 Rev 2 compliance is also being enforced during the interim period.

Do CMMC Phase I self-assessment requirements still apply?

Yes. Phase I self-assessment requirements remain firmly in place. The suspension applies only to Phase II requirements and pending CMMC implementation milestones across DoW solicitations and contracts.

What will the CMMC Reform Task Force do, and when will it report?

The CMMC Reform Task Force, established by DoW CIO Kirsten A. Davies, will conduct a comprehensive top-to-bottom review of the certification program. It will synthesize industry feedback from a public RFI on compliance challenges and recommend realistic, scalable security measures aligned with the ATS directives. The task force is expected to deliver its final report to the DoW CIO within 60 days of the July 13, 2026 announcement.

Should organizations pause their CMMC compliance programs during the suspension?

No. Phase I requirements, NIST SP 800–171 controls, and DFARS obligations all remain active. The suspension of Phase II timelines doesn’t suspend cybersecurity risk or contractual requirements. Organizations that maintain compliance momentum now will be better positioned when enforcement requirements are updated following the Reform Task Force review.

How does N‑central support CMMC 2.0 compliance during the interim period?

N‑central addresses the core technical controls required by both CMMC 2.0 Level 2 and NIST SP 800–171, including automated patch management, role-based access control, real-time monitoring, and audit-ready reporting. A Coalfire third-party attestation letter is available to support audit evidence requirements. N‑central is currently generally available in a CMMC-ready configuration, with a free trial available at n-able.com/products/n-central-rmm/cmmc-compliance.

What is the « zero CUI exposure » model in Adlumin XDR/MDR?

Adlumin’s MDR analysts investigate threats using behavioral telemetry and indicators rather than accessing file content. Controlled Unclassified Information remains in the customer’s environment and under the customer’s governance. This model allows 24/7 SOC monitoring without creating a data exposure risk for sensitive defense information, which is a specific requirement under CMMC guidelines.

© N‑able Solutions ULC and N‑able Technologies Ltd. All rights reserved.

This document is provided for informational purposes only and should not be relied upon as legal advice. N‑able makes no warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information contained herein.

The N-ABLE, N-CENTRAL, and other N‑able trademarks and logos are the exclusive property of N‑able Solutions ULC and N‑able Technologies Ltd. and may be common law marks, are registered, or are pending registration with the U.S. Patent and Trademark Office and with other countries. All other trademarks mentioned herein are used for identification purposes only and are trademarks (and may be registered trademarks) of their respective companies.