What Changed: Memo 26-P-1023 in Plain English
On July 13, 2026, the Department of Defense issued memo 26-P-1023, pausing the phased rollout of CMMC Phase II third-party C3PAO (Certified Third-Party Assessment Organization) requirements in defense contracts. The memo directs acquisition officials to halt inclusion of the CMMC Phase II assessment scheduling and condition language in new solicitations while a 60-day task force review re-examines implementation guidance.
In practical terms: a defense contractor who would otherwise have been required to hold a current C3PAO certification to win a new contract during this window is, in fact, not barred from award on Phase II grounds during the suspension. The DoD press language is careful: the suspension is procedural, not statutory. The underlying authorities — 32 CFR Part 170 and DFARS 252.204-7012 — remain codified.
The stated rationale in the memo is consistency and capacity: assessment slots, assessor availability, and program office readiness have lagged the rollout schedule, creating a backlog that would have sidelined qualified defense SMBs who have done the implementation work but cannot get an assessment date. The 60-day window is intended to publish revised implementation guidance resolving those bottlenecks.
Memo 26-P-1023 suspends the phased C3PAO assessment requirement. It does not suspend NIST 800-171, DFARS 252.204-7012, or your existing contractual obligation to protect CUI.
What Stays in Force: Phase I, NIST, and DFARS
The suspension is narrow. Here is what remains contractually and regulatorily binding for every defense contractor handling CUI — unchanged by memo 26-P-1023:
- 32 CFR Part 170 — The CMMC 2.0 rule that codified the program remains in effect. Suspension does not rescind the regulation.
- DFARS 252.204-7012 — Safeguarding Covered Defense Information remains the underlying clause. If your contract contains 252.204-7012 (as virtually all CUI-bearing defense contracts do), you still owe the NIST 800-171 implementation, the System Security Plan, the POA&M, and 72-hour cyber-incident reporting.
- NIST SP 800-171 Rev 2 — All 110 controls across 14 families remain the substantive standard. No control has been suspended, deferred, or weakened.
- SPRS score submissions (DFARS 252.204-7021) — Self-assessments uploaded to the Supplier Performance Risk System / DoD DIBNET portal continue on the same cadence. An expired or stale SPRS score is still an active contract risk.
- 72-hour cyber-incident reporting rule — Reporting cyber incidents affecting covered defense information to DoD within 72 hours is untouched. The DFARS clause is not suspended.
- Phase I (self-assessment + affirmation) — Contractors who baseline to CMMC Level 1 or who operate under the self-assessment affirmation path (Level 1 and a portion of Level 2) remain bound by those obligations under the existing regulatory text.
What still binds you: NIST 800-171 Rev 2 implementation, DFARS 252.204-7012 safeguards, SPRS submission cadence, and 72-hour incident reporting are all unchanged. Continue documentation, SSP maintenance, and incident-response readiness throughout the suspension.
What the Suspension Actually Pauses
Memo 26-P-1023 pauses one specific thing: the C3PAO assessment scheduling/condition language that has been progressively inserted into DoD solicitations launched between Phase II rollout milestones. For solicitations issued during the review window, contracting officers are directed not to require a current conditional or final CMMC Phase II assessment as an award condition.
That pause is procedural, not statutory. It does not invalidate CMMC Phase II as a program. It does not amend 32 CFR Part 170. It does not reduce the NIST 800-171 implementation burden. It does not affect contracts already awarded with the Phase II assessment condition baked into the award — obligations under those contracts remain.
Two corners matter:
- Existing awards — If your active contract carries a CMMC Phase II condition (in the award letter or via DFARS 252.204-7012(c)(3)), you still owe the assessment and the certification. The memo only affects new solicitations issued during the window.
- Subcontract flow-down — Primes may still demand CMMC certification from subcontractors under their own supply-chain risk clauses. Read your prime's flow-down language carefully — the DoD suspension does not automatically relax a private contractual ask.
The 60-Day Task Force Review Timeline
DoD's stated window is 60 days from memo issuance. Interim guidance is expected on Day 30; revised implementation guidance on Day 60. Solicitation issuance during the window is paused on the Phase II C3PAO condition language.
| Milestone | Date | What Happens |
|---|---|---|
| Day 0 — Memo issued | Jul 13, 2026 | Memo 26-P-1023 published; new solicitations pause the Phase II C3PAO condition language. |
| Day 30 — Interim guidance | Aug 12, 2026 | DoD task force publishes interim implementation expectations for contracting officers and C3PAOs. |
| Day 60 — Revised guidance | Sep 11, 2026 | Revised CMMC Phase II implementation guidance published; solicitation language expected to resume on updated schedule. |
| During window | Jul 13 – Sep 11, 2026 | New solicitations launched during the review window do not require a C3PAO assessment as an award condition. |
Note that interim and revised guidance dates are DoD's stated targets, not guaranteed. Expect updated implementation language to clarify assessment cadence, C3PAO capacity, and any technical exceptions for limited-scope or single-program CUI environments. Watch the updated deadline page for changes.
What Contractors Should Do During the Suspension Window
The suspension pauses the assessment condition — it does not pause the compliance work. Use the 60-day window to firm up everything the suspension does not cover.
1. Continue NIST 800-171 Implementation
Do not slow down. Every 110-control gap you close during the window positions you ahead of the post-review demand spike when C3PAO assessment slots compress again. Auditable evidence — screenshots of MFA enforcement, configuration baselines, log retention samples — is what survives an assessment, not narrative.
2. Keep SPRS Scores Current
Upload a fresh SPRS score to DIBNET. A current score is the cheapest defense against any L2 self-assessment statement you may need to make if the revised guidance re-tightens Phase II scope before you complete a C3PAO assessment.
3. Finalize POA&Ms
An open POA&M is acceptable when documented and time-bound; an undocumented gap is a failed control. Update POA&M items with concrete remediation dates and acceptable interim mitigations. Close what you can; document what you cannot.
4. Book (or Pre-Book) a C3PAO Assessment
Demand spikes after the 60-day review publishes revised implementation guidance. C3PAO capacity is the bottleneck the memo was written to address — but capacity does not catch up overnight. Lock an assessment window now, even if it lands after the suspension ends. Most C3PAOs will honor pre-booked dates.
5. Review Your Active Contract DFARS Clauses
Open every active contract and confirm whether your DFARS 252.204-7012(c)(3) language requires a current conditional or final CMMC Phase II assessment as a deliverable. Memorize the award letter. The suspension does not retroactively excuse a missed award-condition assessment.
During-the-Suspension Checklist
- ☐ Refresh your NIST 800-171 self-assessment against all 110 controls (Met / Partially Met / Not Met / N/A)
- ☐ Re-upload a current SPRS score to DIBNET, dated within the last 12 months
- ☐ Close all POA&M items you can close in the next 30 days; document the rest
- ☐ Pre-book a C3PAO assessment window for late Q3 / early Q4 2026
- ☐ Re-read your top 3 active contracts for DFARS 252.204-7012(c)(3) Phase II assessment conditions
- ☐ Tabletop the 72-hour incident reporting procedure with your IR lead
- ☐ Sign the SSP and POA&M for the latest assessment cycle
- ☐ Run the free CMMC Readiness Assessment to baseline current posture
FAQ: CMMC Phase II Suspension
Six high-intent questions defense contractors are asking right now. Click any answer to expand.
Is CMMC still required for defense contracts after the July 2026 suspension?
Yes. Memo 26-P-1023 suspends the phased third-party C3PAO assessment rollout, not the underlying obligation to protect CUI. 32 CFR Part 170 stays codified, DFARS 252.204-7012 remains the underlying clause, and NIST SP 800-171 Rev 2 (110 controls) is still the substantive standard. The suspension pauses the C3PAO assessment schedule/condition language in new solicitations during the 60-day review window.
Does the CMMC Phase II suspension affect my existing DFARS clauses?
No. DFARS 252.204-7012 and DFARS 252.204-7021 remain contractually binding. If your active contract contains DFARS 252.204-7012, you still owe the NIST 800-171 implementation, the SSP, the POA&M, and 72-hour cyber-incident reporting. SPRS score submissions continue on the same cadence.
Should I keep paying my Registered Practitioner Organization (RPO) during the suspension?
Yes. RPO work is scoped to NIST 800-171 implementation, gap assessment, and SSP/POA&M authoring — work the suspension does not pause. Continuing during the 60-day window puts you ahead of the post-review demand spike and preserves institutional momentum.
What happens to my pending C3PAO assessment?
Memo 26-P-1023 does not invalidate assessments in progress. Confirm with your C3PAO whether the assessment proceeds, defers, or rebbooks. Expect C3PAO slots to compress after the 60-day review publishes revised guidance, so secure a fallback assessment window now.
Does the CMMC Phase II suspension change NIST SP 800-171 requirements?
No. NIST 800-171 Rev 2 — the 110-control standard behind CMMC Level 2 — is unchanged. The suspension acts on the assessment schedule and DoD's phased rollout, not on the controls themselves. Rev 3 remains under review and is not yet binding by reference.
When will CMMC Phase II enforcement resume?
DoD's stated review timeline is 60 days from July 13, 2026, putting revised implementation guidance around September 11, 2026. Interim guidance is expected around August 12, 2026 (Day 30). Until then, continue NIST 800-171 implementation, keep SPRS current, and finalize POA&Ms.
The Bottom Line: Updated Deadline Guidance Is Live
DefenseBizStack is tracking the memo and the 60-day task force review in real time. The updated deadline page is the single source of truth for what contractors should do today, what changes when revised guidance lands on September 11, 2026, and which assessments are still bookable.
Updated deadline guidance is live at /cmmc-deadline-2026 — see the action checklist, C3PAO booking guide, and 3-minute readiness check. Or run the free CMMC Readiness Assessment against all 110 NIST 800-171 controls.
⚠ AI Disclaimer: This article contains AI-generated analysis of a developing policy situation. Memo 26-P-1023 and the resulting 60-day task force review are subject to revision; dates, scope, and procedural details may change. Consult qualified CMMC RPOs and C3PAOs, your contracting officer, and authoritative DoD sources for binding guidance specific to your contracts. See our full AI disclaimer.