The Pentagon Just Suspended CMMC Phase II — Here's What Defense Contractors Should Do Now
Learn more
Josh Zweig
July 17, 2026
In this article
Key Takeaways
- CMMC Phase II is suspended, not canceled: The Pentagon paused third-party assessment mandates, but the underlying security controls that define CMMC Level 2 requirements remain the benchmark for what "adequate" looks like.
- The suspension signals a cost-accessibility failure: After more than seven years of development, even well-resourced contractors couldn't practically meet the requirements. Accessibility is a problem our industry will need to continue to address.
- Regulatory risk hasn't gone away: Contract language, self-attestation clauses, and False Claims Act exposure remain active. The suspension reduces enforcement pressure, not legal exposure. Long story short, security still matters.
- Mastering the basics now is still the right move: Encrypted endpoints, enforced multi-factor authentication (MFA), and managed identity controls don't only satisfy CMMC, they reduce breach risk regardless of what any regulation requires.
Seven years. That's how long the Department of Defense spent building, revising, piloting, and defending the Cybersecurity Maturity Model Certification program before the Pentagon suspended its Phase II requirements this week. As Breaking Defense reported in July 2026, the DoD announced an immediate pause on CMMC third-party assessment mandates. It was a pretty interesting decision, one that rattled the defense industrial base.
CMMC went through multiple complete redesigns. It survived political transitions. It generated an entirely new ecosystem of assessors, consultants, and compliance platforms. And then, seemingly out of nowhere, the Pentagon decided to suspend it. So what happened?
The Pentagon isn't saying that cybersecurity doesn't matter for national security. It's not like our foreign enemies suddenly stopped caring about hacking into our infrastructure base. This decision is the Pentagon conceding that the way to enforce cybersecurity just isn't workable. The cost of compliance is too high, the assessor pipeline too thin, and even the contractors best positioned to meet CMMC Level 2 requirements are struggling to actually get there.
What we're looking at with CMMC Level 2 requirements is a structural problem. Security that can't be deployed, configured, or maintained by real organizations isn't functional security at all.
So where does that leave you if you were building toward CMMC certification? And what should you do now?
What Suspending CMMC Level 2 Requirements Changes
The suspension pauses the requirement that defense contractors obtain third-party assessments (C3PAO assessments) to demonstrate CMMC Level 2 compliance before winning or renewing certain contracts. For most small and mid-sized contractors, this was the requirement that felt impossible. The assessor shortage alone created years-long backlogs.
What hasn't changed: the underlying security controls. CMMC Level 2 requirements map almost directly to the 110 security practices in NIST 800-171, covering access management, incident response, media protection, system configuration, and more. These are still the main benchmarks for secured contractors if they're hoping to work with the DoD.
Self-attestation language in contracts is still active, meaning that if you say your business is secure, the DoD can and will legally hold you to your word. Many existing contracts require contractors to attest that they meet NIST 800-171 controls. Suspending CMMC Phase II assessment requirements doesn't void those clauses. False Claims Act risk is still real. The DoJ has actively pursued FCA cases against contractors for cybersecurity misrepresentation, and that hasn't stopped just because they've suspended the CMMC requirements.
The supply chain dynamic hasn't changed either. If you're a subcontractor, your prime isn't going to relax the security questionnaires they send you just because the government paused its enforcement mechanism. Primes hold contractual liability for their supply chains and will keep passing that pressure downstream regardless of federal enforcement posture.
Why the Government Suspended CMMC Level 2 Requirements (Not CMMC Readiness)
CMMC for small business was, in practice, not accessible to small business. A defense subcontractor running on a lean IT team — or a founder-operated company doing specialized engineering work for a prime — had no realistic path to bearing the cost of a C3PAO assessment, implementing all 110 controls, and maintaining that posture through contract cycles.
The intent of the CMMC Level 2 requirements was right: hardening the defense industrial base against adversary intrusion. The 2023 Verizon Data Breach Investigations Report documented that system intrusion and social engineering remain the dominant attack patterns against manufacturing and defense-sector organizations. The threat the DoD was trying to address is real. But when compliance costs are high enough that even motivated contractors can't get there, the mandate creates paperwork without protection. That's why the DoD suspended the CMMC Level 2 requirements.
To be clear, the need for the security controls themselves is not going away. The controls underlying CMMC Level 2 requirements represent the consensus view of what a secured defense contractor environment looks like. Some version of CMMC requirements will return, reinstated in its current form, restructured around a tiered self-attestation model, or baked into contract language that doesn't use the CMMC name.
That means if you were building toward CMMC readiness before the pause, the work you've done hasn't lost its value. If you were waiting until enforcement pressure became unavoidable, this is the moment to begin, without the panic a contract deadline would create.
What "Mastering the Basics" Actually Looks Like
The 110 controls in NIST 800-171 look intimidating as a list. They're less intimidating once you understand that roughly 80% of practical risk reduction comes from getting a smaller set of fundamentals right. This holds for every mature security program, not just CMMC. Plus, once your team has mastered the basics of security, it can be very simple to make sure those controls scale with you (as long as you implement them correctly). Here's a quick look at what you'll need to cover.
Managed Devices
Every device that touches your work — laptops, desktops, and any mobile device that accesses email or files — needs enrollment in a mobile device management (MDM) system. An unmanaged device is a potential security breach. MDM lets you enforce encryption across these devices, set screen-lock policies, push security updates, and remotely wipe a lost or stolen machine.
According to Zip Security's 2026 survey, 64.5% of surveyed companies (300+ surveyed) discovered unsecured devices they thought were covered. For CMMC purposes, an unmanaged device is an unmanaged risk. There's no assessment category for "we thought it was enrolled."
Zip orchestrates Jamf (for macOS and iOS) and Microsoft Intune (for Windows and Android) to bring every endpoint under a single managed baseline. When a device drifts from your configuration, Zip flags it and remediates automatically rather than waiting for someone to notice.
Enforced Identity and Access Controls
CMMC Level 2 requirements also include specific controls around identity and access management. One of these controls is multi-factor authentication (MFA), which means verifying identity with two or more factors: a password plus a second confirmation step like an authentication app or hardware key. MFA needs to be enforced at the identity provider level, not just enabled and left optional.
The controls also cover least-privilege access. Users should have access only to what their role requires, reviewed and revoked when someone changes roles or leaves. Former employee credentials that your team never deactivated are a persistent, documented entry point for attackers.
Zip integrates with Okta and Microsoft Entra ID to enforce MFA, automate provisioning and deprovisioning, and surface access anomalies. When an employee leaves, access revocation runs through a managed offboarding workflow rather than depending on someone remembering to manually deactivate accounts across every system.
Endpoint Detection and Response
Even a well-configured device needs active monitoring. Endpoint detection and response (EDR) software runs on each machine, watching for behavioral indicators of compromise: a process trying to escalate its own permissions, unusual file access patterns, lateral movement across systems. Modern EDR looks for behavior, not just known malware signatures.
CrowdStrike is the underlying EDR tool Zip deploys and manages across customer environments. The distinction that matters for contractors: having CrowdStrike installed on most of your devices isn't the same as having it installed and actively monitored on all of them. Coverage gaps are where incidents happen.
Documented Configurations and Evidence
CMMC assessments require evidence. Assessors want to see that you've configured your controls correctly and that they're maintained over time. A policy document that says "we enforce MFA" doesn't satisfy that requirement. Logs and configuration exports that demonstrate it does.
Building audit-ready documentation as you go, rather than in a scramble before an assessment, is the right approach regardless of whether Phase II resumes.
Zip's compliance tooling generates and maintains the evidence exports needed for CMMC, SOC 2, and other frameworks in the background, tied directly to actual control states. Compliance platforms like Vanta and Drata take a snapshot of what exists. If MDM isn't fully enrolled or CrowdStrike isn't on every device, they'll still generate a passing report. But that report's wrong. Zip makes the reports true.
CMMC for Subcontractors Going Forward
CMMC for subcontractors has always been the hardest part of the compliance picture, and the suspension doesn't simplify it much. Primes pass CMMC-equivalent language into subcontracts because they're contractually responsible for their supply chain's security posture. If you're two or three tiers down from a DoD prime, expect those questionnaires and attestation requirements to keep arriving regardless of what the federal enforcement posture does.
The practical answer for a subcontractor: build a demonstrably managed security environment that you can document and describe clearly, one that holds up when the prime's security team asks about it. The controls that satisfy CMMC Level 2 requirements are the same controls that let you answer those questionnaires with evidence rather than assurances.
How Zip Helps Defense Contractors Build Toward CMMC-Aligned Security
Zip Security is a managed security platform for companies with 15 to 200 employees that don't have a full-time security team. Zip deploys and manages Jamf or Microsoft Intune for device management, CrowdStrike for endpoint detection and response, and Okta or Microsoft Entra ID for identity and access management. The underlying tools are best-in-class. Zip handles the deployment, configuration, monitoring, and ongoing management.
For contractors working toward CMMC readiness, Zip provides continuous configuration enforcement and audit-ready evidence that makes an eventual assessment defensible, and keeps your self-attestation clauses accurate in the meantime. The three-step path to security maturity we outline on our blog maps almost precisely onto what CMMC Level 2 is trying to achieve: get your devices under management, enforce identity controls, and build the documentation that proves you've done it.
Frequently Asked Questions
Does the CMMC Phase II suspension mean I no longer need to meet CMMC Level 2 requirements?
The suspension pauses third-party assessments, not the underlying NIST 800-171 controls. Contract attestation clauses remain active, and False Claims Act exposure still applies if you self-attest inaccurately. It's a good idea to maintain a strong security baseline.
Should subcontractors still pursue CMMC readiness after the suspension?
Yes. Prime contractors pass CMMC-equivalent security requirements into subcontracts regardless of federal enforcement posture. Your prime's questionnaires will still arrive, and documented controls are the only credible answer.
What is the most practical starting point for CMMC for small business?
Start with device management, enforced multi-factor authentication, and documented access controls. These three controls reduce the majority of breach risk and form the foundation of any CMMC Level 2 audit.
How long will the CMMC Phase II suspension last?
No timeline has been announced publicly. The DoD has not indicated the controls themselves will change, only that third-party assessment mandates are paused. Planning as if requirements will return is the smart move for now.
Does CMMC apply if we only hold subcontracts and never contract directly with the DoD?
Subcontractors handling controlled unclassified information (CUI) fall within CMMC scope when their prime's contract requires it. Review your subcontract language and ask your prime directly; waiting for a notice of noncompliance is not the right approach.
In this article
Get started with Zip
Learn more about Zip's MDM, EDR, IT, and Compliance solutions and we'll find the right fit for you.
Learn more
Questions about this article? Get in touch with our team below.


