CMMC Level 2 Assessment Pause: Frequently Asked Questions
On July 13, 2026, the United States Department of War announced a 60-day pause in the mandatory CMMC Level 2 third-party assessment requirements, which were set to take effect on November 10, 2026 (Phase II).
Here are five facts every defense contractor should know.
1. Your cybersecurity obligations remain in effect.
- The pause applies to the implementation of CMMC Level 2 C3PAO third-party assessment requirements.
- All Phase I self-assessment requirements (Level 1 and Level 2) remain in effect.
- The DFARS 252.204-7012 requirements to safeguard covered defense information and NIST SP 800-171 remain in place.
- CMMC Level 2 Certifications are still being issued by C3PAOs and will be going forward.
2. Good cybersecurity is bigger than any one compliance program.
- This does not eliminate existing cybersecurity obligations.
- The security controls that protect your organization, your customers, and our nation’s defense supply chain remain just as important today as they were yesterday.
- Investing in cybersecurity continues to reduce operational risk, improve resilience, and strengthen your business.
3. Preparation completed today will continue to provide value.
- Whether the government resumes the current CMMC framework, modifies it, or introduces changes following the review, organizations that have invested in implementing NIST SP 800-171, improving documentation, and maturing their cybersecurity program will be better positioned than those who delay.
4. Continuing your assessment or compliance program is the best path forward.
- For organizations scheduled for a CMMC assessment, we recommend maintaining your assessment schedule unless your specific business circumstances require a change.
- For organizations engaged in readiness or consulting services, this remains an excellent opportunity to strengthen your cybersecurity program, improve documentation, and close remaining gaps while additional guidance is developed.
5. We are prepared for whatever comes next.
- For more than 20 years, ControlCase has helped organizations navigate evolving cybersecurity, privacy, and compliance requirements.
- As an Authorized C3PAO, RPO, and accredited cybersecurity provider across more than 100 frameworks, we have the experience, resources, and financial strength to support our clients regardless of how the CMMC program evolves.
- Organizations that continue to improve their cybersecurity today will be better positioned, regardless of what comes out of the Department’s review.
