CMMC Phase II Is Suspended. Your Obligation to Protect Federal Data Is Not.
On July 13, 2026, the Department of War announced the immediate suspension of CMMC Phase II requirements, the assessment phase that would have required many defense contractors to pass a third-party certification before winning or keeping contracts. That phase was scheduled to take effect on November 10, 2026. For a lot of companies in the Defense Industrial Base, the news probably felt like a reprieve.
Here is the part that matters, and the part easy to miss in the headline: the certification deadline is in suspension as of now, but the security requirement did not get suspended. If you handle federal data, you are still contractually obligated to protect it, and the standard you are measured against is still NIST SP 800-171. The Department of War said as much in the same announcement.
For contractors relying on BitLyft, and for anyone weighing whether managed detection and response is still worth the investment, this is the moment to look past the deadline and at the obligation underneath it.
What the Department of War actually announced
The announcement suspends the transition to Phase II and pauses pending and future CMMC implementation milestones across Department of War solicitations and contracts. It also kicks off a 60-day, top-to-bottom review of the program through a new CMMC Reform Task Force, aimed at reducing compliance costs and lowering barriers for small and mid-sized businesses.
Three points from the release are worth reading closely.
First, Phase I self-assessment requirements remain firmly in place. Nothing about your existing self-assessment obligation went away.
Second, during this interim period the Department will continue to enforce cybersecurity compliance against the NIST SP 800-171 Rev 2 standard through self-assessments and select government-led assessments. In the Department's own words, the focus shifts to tangible cyber hygiene rather than administrative overhead.
Third, and most important, the release states plainly that this action does not eliminate the requirement for companies to protect federal data. All defense contractors and subcontractors remain contractually obligated to safeguard covered defense information under DFARS clause 252.204-7012.
So the certification gate is paused. The controls behind it are not.
The obligation did not change, only the verification
It helps to separate two things that often get blurred together.
NIST SP 800-171 is the standard. It defines 110 security requirements across 14 control families that a contractor must implement to protect Controlled Unclassified Information on its systems. Those requirements have been contractually binding since 2017 under DFARS 252.204-7012, years before CMMC existed.
CMMC was never a separate set of controls. It was the verification layer built on top of 800-171, the mechanism that checks whether your self-reported security posture is real. Phase II was going to add the third-party version of that check for many Level 2 contractors handling CUI. That check is what has been paused.
For contractors handling only Federal Contract Information, CMMC Level 1 remains the floor, an annual self-assessment against the basic safeguarding practices in FAR 52.204-21. For the far larger group handling CUI, the full 800-171 baseline still applies, still gets self-assessed, and still gets scored in SPRS. What changed is who verifies it and when, not what you owe.
If your compliance program was built to pass an assessment on a date, this pause is a trap. If it was built to actually protect data, nothing about your workload changed.
Why MDR is still central to meeting NIST 800-171
Here is where the technical reality catches up with the paperwork. Several of the 800-171 control families cannot be satisfied by policy documents alone. They require something running continuously, watching your environment, and responding when something goes wrong.
Look at what the standard asks for:
- Audit and Accountability requires you to generate, review, retain, and alert on system logs. Not once a quarter. Continuously.
- Incident Response requires that incidents are detected, handled, and reported. You cannot report what you never saw.
- System and Information Integrity requires you to monitor systems and identify malicious activity in something close to real time.
- Access Control requires you to monitor and control remote access as it happens.
Layered on top of all of it, DFARS 252.204-7012 requires you to report a cyber incident to the Department within 72 hours of discovery. That clock only starts if you actually discover the incident, which means the whole obligation quietly depends on detection you can trust.
You cannot honestly self-attest to those controls without the capability behind them. A self-assessment is a signed statement about what your environment does every day. Signing it when no one is watching the logs is not compliance. It is exposure, and in the DFARS world it is exactly the kind of gap that turns into a False Claims Act problem later.
This is the case for MDR, and it does not weaken because a certification date slipped. If anything it sharpens. When the pressure of an assessment deadline comes off, the temptation is to let monitoring lapse and treat security as a project that ended. Adversaries targeting the Defense Industrial Base are counting on exactly that. The threat to your CUI does not pause for a 60-day study.
Where BitLyft fits
BitLyft True MDR is managed detection and response built on BitLyft AIR®, our autonomous SOC platform for threat detection, investigation, and response. That combination is designed to give defense contractors the continuous monitoring, alerting, and incident response that NIST 800-171 actually requires, delivered as a managed service rather than a headcount problem you have to solve alone.
For a small or mid-sized contractor, that is the difference between a compliance posture you can defend and a self-assessment you are hoping no one checks. True MDR keeps the audit logs flowing and reviewed, surfaces malicious activity fast enough to matter, and supports the detection and reporting workflow that DFARS 252.204-7012 assumes you already have. When the reformed program lands and verification returns in some form, you are not scrambling to rebuild. You have been meeting the standard the whole time.
What defense contractors should do now
The 60-day review is a real signal that the compliance landscape will keep shifting, and it is worth watching. But treating the Phase II pause as permission to stand down would be a serious misread of what the Department of War said. The safeguarding requirement is intact. The standard is intact. The threats are intact.
Keep your 800-171 self-assessment current. Keep your System Security Plan accurate to your actual environment. And keep the detection and response capability running that lets you attest to the monitoring controls honestly, because those are the controls a signed self-assessment quietly puts your name behind.
If you want to talk through what continuous monitoring looks like in practice, or where your current posture would hold up under a government-led assessment, that is a conversation worth having now, while the deadline pressure is off and not after it returns.
Set up 15 minutes to walk through your current posture here: schedule a call
Update, July 14, 2026:
The Department of War has since released implementing procedures for the suspension (memo 26-P-1023), and they reinforce the point above. During the suspension, the Department will enforce baseline compliance with NIST SP 800-171 Rev 2 through CMMC Level 1 and Level 2 self-assessments and select government-led assessments, and DFARS 252.204-7012 remains in effect.
The mechanics are now spelled out. For the duration of the suspension, contracting activities may only require CMMC Level 1 (Self) or Level 2 (Self) assessments. They may not designate CMMC Level 2 (C3PAO) or Level 3 (DIBCAC) assessments. Where a solicitation or an active contract already carried a C3PAO or DIBCAC requirement, contracting officers are directed to remove it by amendment or modification, and no new waivers will be granted during the review.
The takeaway does not change. The third-party assessment is off the table for now, but the Level 2 self-assessment against the full 800-171 baseline is still required for CUI work, and the obligation to safeguard covered defense information stands. Further guidance is expected at the conclusion of the CIO's 60-day review.
Sources: U.S. Department of War, "Forging the Arsenal of Freedom: Department of War Suspends CMMC Phase II Requirements," July 13, 2026. https://www.war.gov/News/Releases/Release/Article/4542329/
Department of War CIO, "Implementing the Suspension of CMMC Phase II" (memo 26-P-1023). https://dowcio.war.gov/Portals/0/Documents/Library/ImplementingSuspensionCMMC-PhaseII.pdf