Key Takeaways
- Phase 2 of the CMMC rollout is paused for a 60-day review, so third-party assessments are not currently required for DIB organizations.
- Organizations must still meet NIST 800-171r2 and DFARS 252.204-7012 self-assessment requirements, including SPRS submission obligations.
- Contractors should confirm prime contractor requirements and weigh whether to continue certification efforts or wait for the review outcome.
As of July 13, 2026, the Department of War has paused Phase 2 of the CMMC phased rollout for a 60-day review. This means Defense Industrial Base (DIB) organizations are currently not required to have third-party CMMC assessments.
In summary:
- Phase 2 is paused, meaning third-party certifications are not required.
- There will be a 60-day review period, to which a special task force will be assigned.
- All previous and current solicitations will have the C3PAO certification requirements removed.
- Organizations within the DIB will still need to ensure compliance with NIST 800-171r2 as well as their requirements under DFARS 252-204.7012.
What This Means for You
If you are currently seeking certification through either our RPO Readiness Services or C3PAO Assessment Services:
- Understand that CMMC is still founded in Federal Regulation (32 CFR) and the phased rollout has merely been paused.
- You are still obligated to the self-assessment requirements of DFARS 252-204.7012 (NIST 800-171r2), which is subject to the False Claims Act, and to submission of the assessment in the Supplier Performance Risk System (SPRS).
- As outlined in the Memo, you are currently not required to have a third-party certification to be awarded contracts.
- Primes may still require certification as part of their procurement processes, regardless of the 60-day review. If you are working with a Prime contractor that requires third-party certification to remain active in their supplier program, work with them to verify requirements.
- You must decide whether to continue seeking certification or wait for the outcome of the 60-day review. The third-party assessment still provides a validation of your self-assessment and would be a differentiator for your organization.
Please reach out to our Risk Advisory team with questions.

Eide Bailly is a Registered Practitioner Organization and can help you prepare for CMMC requirements.
Talk to our SpecialistsRisk Advisory Services
Let us help you reduce and control your risk.
Who We Are
Eide Bailly is a nationally ranked accounting and advisory firm bringing financial, operational, and technical solutions to middle market and high-growth organizations.



