On July 13, 2026, the Department of War suspended CMMC Phase II, the third-party (C3PAO) certification that was set to begin November 10, 2026. A 60-day task force will study the program’s future. Plenty of people are reading this as “compliance is paused.” That reading is wrong, and acting on it creates real liability.
Here’s the distinction that matters. NIST SP 800-171 is the what — the 110 controls protecting Controlled Unclassified Information. CMMC is the how — the framework that verifies them. They ride on separate DFARS clauses:
• 7012 mandates NIST 800-171 itself, in place since 2017, years before CMMC.
• 7019 / 7020 require a current self-assessment score in SPRS.
• 7021 is the clause that enforces CMMC certification.
Suspending Phase II touches 7021. It does not touch the 7012 mandate.
𝗖𝗵𝗮𝗻𝗴𝗲𝗱: The November 10, 2026 third-party certification gate is on hold. No C3PAO assessment needed right now.
𝗦𝘁𝗶𝗹𝗹 𝗼𝗽𝗲𝗻: The task force could reshape CMMC, swap in a new model, or recommend cancelling it. Separately, a government-wide FAR CUI rule (91 FR 37550, published June 23, 2026) would extend NIST 800-171 obligations to all federal agencies, not just DoD — entirely independent of CMMC. If finalized, 800-171 becomes a baseline regardless of what happens to the program.
https://lnkd.in/eHk3J8PB
𝗡𝗼𝘁 𝗰𝗵𝗮𝗻𝗴𝗲𝗱: If you handle CUI, 7012 still legally binds you to NIST 800-171. You still self-assess and post to SPRS. False Claims Act exposure is still real. And 800-171 is solid cyber hygiene any serious organization should want.
Suspension of the audit is not suspension of the standard. Keep building toward 800-171.
Want help sorting out what’s required from what’s coming? Reach out to me or connect with us.
(Not legal advice; your contract clauses govern.)