Alert

Third-Party CMMC Assessments Paused by DoW

Updated on July 16, 2026
two coworkers looking at a computer

Key Takeaways

  • Phase 2 of the CMMC rollout is paused for a 60-day review, so third-party assessments are not currently required for DIB organizations.
  • Organizations must still meet NIST 800-171r2 and DFARS 252.204-7012 self-assessment requirements, including SPRS submission obligations.
  • Contractors should confirm prime contractor requirements and weigh whether to continue certification efforts or wait for the review outcome.

As of July 13, 2026, the Department of War has paused Phase 2 of the CMMC phased rollout for a 60-day review. This means Defense Industrial Base (DIB) organizations are currently not required to have third-party CMMC assessments.

In summary:

  • Phase 2 is paused, meaning third-party certifications are not required.
  • There will be a 60-day review period, to which a special task force will be assigned.
  • All previous and current solicitations will have the C3PAO certification requirements removed.
  • Organizations within the DIB will still need to ensure compliance with NIST 800-171r2 as well as their requirements under DFARS 252-204.7012.

What This Means for You

If you are currently seeking certification through either our RPO Readiness Services or C3PAO Assessment Services:

  • Understand that CMMC is still founded in Federal Regulation (32 CFR) and the phased rollout has merely been paused.
  • You are still obligated to the self-assessment requirements of DFARS 252-204.7012 (NIST 800-171r2), which is subject to the False Claims Act, and to submission of the assessment in the Supplier Performance Risk System (SPRS).
  • As outlined in the Memo, you are currently not required to have a third-party certification to be awarded contracts.
  • Primes may still require certification as part of their procurement processes, regardless of the 60-day review. If you are working with a Prime contractor that requires third-party certification to remain active in their supplier program, work with them to verify requirements.
  • You must decide whether to continue seeking certification or wait for the outcome of the 60-day review. The third-party assessment still provides a validation of your self-assessment and would be a differentiator for your organization.

Please reach out to our Risk Advisory team with questions.

Minimize Risk and Maintain ComplianceCMMC Insight
Eide Bailly is a Registered Practitioner Organization and can help you prepare for CMMC requirements.
Talk to our Specialists

About the Author(s)

Photo of Brendtly Lauck
Brendtly Lauck
Manager
Since 2015, Brendtly has accumulated experience in IT security, security administration and consulting across a variety of industries, including healthcare, financial services, manufacturing, energy, state and government agencies. He performs IT audits, risk assessments, consults, and control reviews, covering aspects of security and controls, including business continuity planning, organizational and operational controls, systems development and change management controls, physical and logical access security, application and processing controls, and compliance testing against organizational, industry and government standards. He works with clients on conducting NIST, FISMA, HITRUST, HIPAA, and other framework or other industry specific related audits and risk assessments. He performs SOC 1, SOC2 and SOC3 audits as well as SOC readiness assessments, as well ITGC, FDICIA and PCOAB audits. He has most recently began assisting clients in Cybersecurity Maturity Model Certification (CMMC) gap assessments for both ML1 and ML2 maturity levels.
Rick Olivier
Rick Olivier
Director
Rick helps organizations understand their cybersecurity risks by providing expert guidance and advisory solutions that uncover vulnerabilities and support smarter, more secure decisions.