
The easiest response to the CMMC news is also the riskiest one: stop the readiness program, wait for a new date, and assume the pressure is gone. On July 13, 2026, the government suspended Phase II of the Cybersecurity Maturity Model Certification rollout and opened a 60-day review. It did not announce a replacement deadline. It also did not erase Phase I, NIST SP 800-171, or the contractual duty to protect Controlled Unclassified Information. For defense contractors, this is breathing room. It is not permission to stand still.
What changed on July 13
The government's July 13 announcement suspended CMMC Phase II immediately while the Department conducts a 60-day review of the program. Phase II had been scheduled to start on November 10, 2026 and would have expanded the use of Level 2 C3PAO certification assessments and Level 3 DIBCAC assessments as conditions of award.
The accompanying implementation memorandum tells contracting officers to remove Phase II C3PAO and DIBCAC status requirements from affected solicitations and contracts during the suspension. For now, new CMMC designations are limited to the Phase I paths: Level 1 Self or Level 2 Self, when the solicitation or contract calls for one.
One fact is deliberately absent from both documents: a new Phase II start date. Calling this an "extended deadline" would suggest the government moved a known date to another known date. It did not. Phase II is suspended pending review.
What did not change
The suspension is about how CMMC certification requirements enter acquisitions. It is not a suspension of the security baseline.
Phase I remains in effect. A solicitation can still designate a Level 1 or Level 2 self-assessment. The Department also said it will continue enforcing existing contractor cybersecurity obligations, including DFARS 252.204-7012 and the NIST SP 800-171 Revision 2 requirements used to protect CUI. If your company handles CUI, the underlying work still exists: control the boundary, restrict access, use appropriate encryption, maintain logs, respond to incidents, and describe the system honestly.
An SPRS score does not become more accurate because the certification calendar moved. If your score is based on controls that are only planned, evidence that no longer matches production, or a CUI boundary nobody can explain, the pause does not cure the gap. Start with an honest baseline using the SPRS score guide or the free SPRS score estimator, then verify the result against the environment you actually operate.
Why waiting still costs you
The slow gaps are still slow
The hardest NIST SP 800-171 gaps are rarely document edits. Identity architecture, multi-factor authentication, FIPS-validated cryptography, centralized logging, network segmentation, incident handling, and a defensible CUI enclave can take months to design and deploy. A future acquisition date cannot create implementation capacity retroactively.
Evidence has to show operation, not intent
A policy says what should happen. Assessment evidence shows what did happen, in the scoped system, recently enough to trust. Configuration exports, access reviews, log samples, training records, vulnerability results, and tickets need an operating history. Teams that wait for a new date can write documents quickly, but they cannot manufacture months of credible operation the week before an assessment.
Phase I can still reach the contract
During the suspension, Level 1 Self and Level 2 Self designations remain available under Phase I. That means the practical buying requirement did not disappear for every contractor. Read the actual solicitation and contract, confirm the required CMMC level and assessment type, and do not substitute a headline for the clause that governs your award.
Scope decisions determine cost
Every system, user, and data flow inside the CUI boundary multiplies the controls and evidence you must maintain. The pause is a chance to make that boundary deliberate before remediation spending hardens around a bad assumption. The companion guide to CUI scoping for CMMC explains how to separate CUI assets, security protection assets, contractor risk-managed assets, specialized assets, and out-of-scope assets without pretending exposure is gone.
The review may change mechanics, not the reason for the controls
The government may change timing, acquisition language, assessment demand, or program administration after its review. Contractors should watch the official DoD CIO CMMC program page for that outcome. None of those possibilities makes CUI less valuable or a compromised supplier less disruptive to a defense program. Work tied to the enduring NIST and DFARS baseline is less likely to become stranded than work built only to satisfy a calendar date.
A practical plan for the 60-day review window
First, identify every active and likely contract that involves CUI, then record the clause, CMMC level, and assessment type each one actually requires. Do not assume one program's designation applies to the whole company.
Second, redraw the CUI boundary from data flows instead of org charts. Name the systems, people, facilities, cloud services, security tooling, and external providers that store, process, transmit, or protect CUI. Reconcile that boundary with the System Security Plan.
Third, calculate an honest SPRS baseline and map supporting evidence at the NIST SP 800-171A objective level. Separate implemented-and-evidenced from implemented-without-evidence, partially implemented, and not implemented. A single green label for an entire requirement hides too much.
Fourth, close the gaps that are expensive, heavily weighted, or foundational to other controls. Identity, encryption, logging, boundary protection, incident response, and evidence retention deserve the runway more than cosmetic document cleanup.
Finally, monitor the official program page and your contracting officers. Maintain contact with a qualified C3PAO if certification is likely to matter later, but do not make a nonrefundable assessment decision using the now-suspended November date as if it were still operative.
What not to do
Do not tell leadership that CMMC was canceled. Do not publish a new deadline the government has not announced. Do not stop protecting CUI. Do not rush into a certification engagement solely because an old Phase II date is still printed in a slide deck. And do not use the pause to turn a weak self-assessment into a more optimistic one.
The better executive message is simpler: Phase II procurement requirements are paused for review; Phase I and the underlying security duties remain; the company is using the time to reduce uncertainty and produce evidence that will survive whichever acquisition path comes next.
Where Valty fits, honestly
Valty supports readiness; it does not issue a CMMC certification and it is not a C3PAO. The platform maps evidence to the 320 NIST SP 800-171A assessment objectives, calculates an indicative SPRS view, tracks gaps and POA&M work, and assembles machine-readable assessment artifacts. The output is decision-support and readiness evidence, not an authorization or legal opinion. See the CMMC readiness overview, the POA&M rules, and the federal and regulatory capability for the connected workflow.