By MSP Collective  |  July 14, 2026

CMMC Phase 2 Suspended with 60 Day Review


 
 
On July 13, 2026, the Department of War suspended CMMC Phase II, which includes the third-party (C3PAO) assessment requirements scheduled to begin appearing in contracts on November 10, 2026, and launched a 60-day review of the program.

If you run an MSP or MSSP with clients in the Defense Industrial Base, the news probably reached you as a question from a nervous client: "Does this mean CMMC no longer applies to us?"

The honest answer is nuanced. But let's separate what happened from what it means for the people who deliver compliance and security for a living.

What changed

The department suspended the transition to Phase 2 for 60 days, effective immediately.

The third-party assessment requirements – Level 2 (C3PAO) and Level 3 (DIBCAC) – that were set to begin phasing into contracts on November 10, 2026 are on hold.

Requirements may include CMMC Level 1 (Self) and CMMC Level 2 (Self) requirements for now.

Current solicitations carrying Level 2 (C3PAO) or Level 3 requirements will be amended, and current contracts up for option periods will have those requirements removed via modification at the next scheduled administrative action.

A CMMC Reform Task Force will deliver recommendations within 60 days, drawing on a public Request for Information with responses due August 14, 2026.

Department leaders were candid that deeper restructuring, even cancellation of the certification mechanism could be on the table.

Here's the part that’s important for your business model:

The reason they gave for concern was cost, not cyber.

The DoW CIO framed it as a cost problem first, pointing to SBA's estimated compliance costs with figures approaching $600,000 for a small firm requiring a third-party assessment as evidence that the DIB was being priced out.

Whether that number holds up is a separate question, and one this collective is well positioned to test.

The important point is that they did not say cybersecurity is too hard. They said the delivery model is too expensive. As MSPs, that delivery is our responsibility.

What did not change

Cyber standards have not changed, nor has everything your clients are on the hook for or everything you build and manage on their behalf:

  • Protecting CUI to the NIST SP 800-171 Rev 2 standard.
  • DFARS 252.204-7012 – safeguarding, incident reporting, the works, in every existing contract.
  • FedRAMP Moderate (or equivalent) for CUI in the cloud.
  • CMMC Phase I obligations, including SPRS scoring and annual affirmations by a senior company official.
  • DIBCAC can still conduct Medium and High assessments, anytime.
  • DOJ is still prosecuting False Claims Act cases. LOGZONE settled for $507,144 after self-reporting a 110 in SPRS that a later DIBCAC assessment scored at negative 170.
  • A final FAR CUI rule carrying a NIST 800-171 Rev 3 requirement is still expected in 2026.
  • And the threat from adversaries like China, Russia, Iran are not taking time off.
  • the compliant cloud
  • the round-the-clock SOC
  • the GRC expertise
  • the tooling
  • You're the provider, and your client is attesting to work you performed.
  • Their signature is only as trustworthy as your delivery.
  • The value of a genuinely certified MSP goes up in this moment, not down.
  • Are you CMMC Level 2 certified yourselves, at the corporate and managed-services level?
  • Is your Shared Responsibility Matrix mapped to NIST 800-171A, at the assessment objective level?
  • Can you produce artifacts and evidence for every control you own?
  • Is your support staff US persons, so ITAR/EAR data stays compliant?
  • Does the client own the tenant and hold the keys, or do you?
  • a standard for ESPs that exceeds the 800-171 floor,
  • appropriations that make compliance reachable for small businesses in the DIB,
  • and a certification ecosystem strong enough to keep critical infrastructure operational, safe, and resilient.

Nothing about the compliant environments you deploy got easier, optional, or cheaper to build. The only thing that paused is one method of verifying the work. The work is exactly where it was on July 12.

The real story is cost, and cost is an economics problem you already solve

Small contractors standing up a compliant program in-house still requires a heavy lift.

They need a GRC-literate compliance analyst, which is a role most manufacturers don't have.

They need a SOC, which for a mid-sized shop can run north of $2 million a year fully staffed.

They need help desk coverage, FedRAMP-authorized infrastructure, FIPS-validated hardware, and the documentation discipline to survive an assessment.

15-person defense shop can’t carry that. And that is the entire economic case for managed services.

A certified MSSP exists to take enormous fixed costs and spread them across a book of clients so each one pays a sliver instead of the whole. Examples are:

One contractor can't justify a six/seven-figure SOC, but an MSSP amortizes it across dozens of them.

The same logic applies to the compliance analyst nobody wants to hire full-time and the FedRAMP-authorized infrastructure nobody wants to build alone. When you layer in tight enclave scoping, which shrinks the assessment boundary to a CUI island instead of the whole enterprise, then the per-contractor cost drops again.

That’s the lever the DoW is implicitly asking the market to pull.

They're not expecting anyone to "do less security."

As an industry, we must deliver the same security while maintaining reasonable rates.

Why CMMC Certification Maintains Its Value

With Phase 2 paused, the government is leaning back on self-assessment and annual affirmation.

This means that the contractor's senior official must sign the attestation.

And when the underlying configuration is wrong, the contractor carries the False Claims Act liability.

Now if you follow the chain:

Less third-party verification in the ecosystem puts more weight on the honesty of each contractor's self-assessment, and behind most self-assessments is an MSP's build.

So expect your clients to start asking sharper questions, as they should.

A few questions they’re likely to ask include:

This is where the market separates.

We've all seen MSPs drop their DIB clients over the past year because the lift got too heavy or offer "professional services only" and hand the compliance risk back to a small business that can't manage it.

Every one of those exits is an opening for a provider who can commit to the standard, because the contractors those firms abandoned still need someone.

CMMC certification is how you become that someone, and how you become the cost solution and the assurance solution at the same time.

MSPs were built for this

The DoW just told the entire defense market that affordable, scalable security is the priority.

The DIB is growing, contractors need compliance at a price they can actually bear, and the government is now clearly leaning heavily into solving that problem, which is good for our industry as a whole.

The assignment is pretty clear now:

Get certified, build the shared infrastructure, and be the reason a small innovator stays in the fight instead of being priced out of it.

The MSP Collective exists for this moment

Inflection points like this are what the MSP Collective was formed to meet.

Our purpose is to give the External Service Providers who secure the Defense Industrial Base a coordinated, credible voice with Congress, the DoD, the Cyber AB, and state legislatures, grounded in three commitments that map directly onto the questions now in front of the Reform Task Force:

A single provider's comment on the RFI is a data point. The ESP community speaking as one with shared cost data, a common standard for provider accountability, and a concrete proposal for how the department can recognize managed services without lowering the bar is a position the task force cannot set aside.

The entire premise of a collective is that individually we are vendors, but together we are an industry the government can build policy around.

If you deliver compliance for the Defense Industrial Base and you are not yet part of this effort, this is the moment to join it.

The mission has not changed. Protecting the DIB, and the national security and American innovation that depend on it, is the same today as it was on July 12.

The government has asked the ESP community a direct question about how to secure the DIB affordably without lowering the guard. Let's answer it, together, before September 14.