CMMC Phase 2 Suspended: Impact on Your Cyber Career & Certs
Updated July 15, 202617 min read

Pentagon Suspends CMMC Phase 2 — What It Means for Your Cybersecurity Career

How the 60-day CMMC reform review reshapes certification paths, career planning, and opportunities for cybersecurity professionals.

What you’ll learn in this article…

  • Pentagon suspended CMMC Phase 2 mandatory assessments July 13, 2026.
  • A 60-day task force review targets compliance burdens on small defense contractors.
  • Shift certification focus to Security+, CISSP, and NIST 800-171 skills now.

On July 13, 2026, the Pentagon suspended a mandate requiring all defense contractors handling sensitive but unclassified information to pass third-party cybersecurity assessments, set to take effect November 10. For cybersecurity students and professionals building credentials for DoD contracts, the move freezes a certification path that many had invested in and raises immediate questions about which skills will carry the most weight when the program returns.

Rather than simply a policy delay, the suspension forces a recalculation: niche CMMC certifications like CCP and CCA now carry regulatory risk, while foundational credentials such as CompTIA Security+ and CISSP gain relative stability. The Pentagon's 60-day review aims to replace costly audit requirements with scalable, realistic measures, potentially rewriting the certification playbook for defense-sector cybersecurity professional careers. For anyone weighing their next credential, understanding how online cybersecurity programs align with evolving federal policy is a smart first step.

What Happened: The CMMC Phase 2 Suspension Explained

On July 13, 2026, the Pentagon abruptly paused the rollout of the Cybersecurity Maturity Model Certification (CMMC) program's Phase 2. A memo signed by DoD Chief Information Officer Kirsten Davies suspended the requirement for mandatory third-party cybersecurity assessments that were scheduled to take effect on November 10, 2026.1 The surprise announcement, first reported by Federal News Network's coverage of the Pentagon suspension, has immediate implications for defense contractors and the cybersecurity professionals who support them.

What Phase 2 Was Supposed to Require

Under the original CMMC 2.0 certification guide timeline, Phase 2 marked the program's most significant leap. Starting in November 2026, all defense contracts involving Controlled Unclassified Information (CUI) would have needed contractors to pass an audit by an accredited third-party assessment organization (C3PAO).1 Unlike Phase 1, which introduced self-attestation for basic cybersecurity hygiene (Level 1) and a limited number of Level 2 self-assessments, Phase 2 made external verification the default for handling sensitive but unclassified data.

This requirement carried substantial weight. It meant that small and mid-sized defense suppliers, many of which lack in-house cybersecurity teams, would have faced new compliance costs and a shortage of certified assessors. Industry estimates had pegged C3PAO audit fees anywhere from $15,000 to over $50,000, not including remediation expenses. For cybersecurity career seekers, Phase 2 promised a surge in demand for professionals trained in CMMC-specific auditing, system security planning, and NIST 800-171 control implementation.

The 60-Day Review and What's Suspended

The Davies memo establishes a 'CMMC Reform Task Force' to conduct a 60-day, top-to-bottom review of the entire program. All pending and future CMMC milestones are frozen, meaning Phase 3 (November 2027) and Phase 4 (November 2028) are on indefinite hold.2 The task force's mandate: reduce 'significant and often prohibitive burdens' on the Defense Industrial Base, especially for small and non-traditional businesses, and explore scalable, realistic security measures that might replace the third-party compliance model.

While the suspension halts any new Level 2 certification assessments, Phase 1 self-assessment requirements remain in force. DoD program offices can continue to include CMMC self-assessment clauses in contracts. Notably, some offices had already exercised their discretion to require C3PAO audits during Phase 1; those existing obligations are not immediately reversed, though the review may change future enforcement.

A Quick Timeline of CMMC Milestones

Understanding how we got here helps contextualize the suspension:

  • CMMC 1.0 (2019-2020): The original framework introduced five maturity levels and mandatory third-party audits for all contractors. It faced intense criticism over cost and complexity.
  • CMMC 2.0 (2021-2024): A streamlined overhaul reduced levels to three, allowed self-assessments for basic levels, and postponed third-party assessments to Phase 2.
  • Rulemaking Finalized (December 2024): 32 CFR Part 170 established the program's regulations, and the corresponding DFARS rule set contract enforcement to begin November 10, 2025.3
  • Phase 1 (November 10, 2025): Self-assessments became mandatory for Level 1 (basic safeguarding) and select Level 2 contracts, with some DoD offices allowed to require early C3PAO audits.1
  • Phase 2 Suspended (July 13, 2026): The imminent requirement for all CUI contracts to undergo third-party audits is paused, pending the 60-day reform review.

For professionals weighing cybersecurity certifications as a next step, understanding this shifting policy landscape is essential before committing to CMMC-specific training.

What's Still in Effect and Why the Pentagon Acted

What exactly is still required for defense contractors right now, and why did the Pentagon decide to pause phase two? The answer starts with the memo signed by DoD CIO Kirsten Davies on July 13, 2026, which stated plainly that the current CMMC program imposes "significant and often prohibitive burdens" on the Defense Industrial Base, especially small and non-traditional businesses.1

Phase 1 Self-Assessment Requirements Remain in Force

The immediate takeaway for anyone working toward or maintaining a cybersecurity career in defense: the suspension does not eliminate compliance obligations. Phase one self-assessment requirements are still fully in effect, and DoD programs can and do include CMMC self-assessment mandates in contracts. Contractors must continue to evaluate their own cybersecurity posture against the 110 controls outlined in NIST SP 800-171, document their implementation, and submit scores to the Supplier Performance Risk System (SPRS).

Practically, "self-assessment" means your organization (or the contractor you work for) must honestly review its systems, identify gaps, and report a score that reflects the current state. There is no external auditor verifying those results, but the False Claims Act still applies: misrepresenting your compliance status can lead to serious legal consequences, including fines and debarment. The enforcement mechanism hasn't paused; only the planned third-party assessment milestone has.

What's Required: NIST 800-171, DFARS, and SPRS

The unchanged obligations include: - NIST SP 800-171 compliance: All 110 security controls must be implemented or have a documented plan of action for any gaps. - DFARS 252.204-7012: The Defense Federal Acquisition Regulation Supplement clause requiring adequate security for covered contractor information systems remains in force. - SPRS score submission: Contractors must enter a self-assessment score into SPRS, which DoD program offices can review before awarding contracts.

These requirements apply to any organization handling Controlled Unclassified Information (CUI) on behalf of the DoD. For cybersecurity professionals, this means foundational skills in risk assessment, system hardening, and incident response remain critical and are far from optional.

Why the Pentagon Hit Pause on Phase Two

The decision wasn't sudden. The memo references years of feedback from industry and a Small Business Administration report highlighting crushing compliance costs.1 Phase two would have mandated third-party assessments by CMMC Third Party Assessment Organizations (C3PAOs) for all contracts involving CUI, starting November 10, 2026. For small shops, that often meant tens of thousands of dollars in audit fees, an expense many simply couldn't shoulder. By suspending those assessments, the Pentagon aims to lower barriers and encourage more competition within the defense supply chain.

Linking the Suspension to Broader Reform Goals

The 60-day review, led by a "CMMC Reform Task Force," directly supports the administration's push to make the defense ecosystem more accessible. Often framed as part of the "Arsenal of Freedom" initiative, the goal is to replace rigid, third-party compliance models with scalable, realistic security measures that still protect sensitive information but don't lock out capable small and non-traditional businesses. For students and career changers, this shift could mean a future where foundational certifications, explored in a solid CompTIA cybersecurity career pathway, carry more weight in winning DoD contracts than a narrow CMMC-specific credential.

How This Affects Cybersecurity Certifications and Training Paths

The suspension of CMMC Phase 2 creates a clear fork in the road for anyone building cybersecurity credentials: pursue niche, CMMC-specific certifications that are now in regulatory limbo, or invest in broad, foundational certifications that hold value regardless of policy shifts. For most students and early-career professionals, the math favors the latter.

CMMC-Specific Certifications Are in Limbo

CMMC introduced a class of credentials tied directly to its assessment framework, including Certified CMMC Professional (CCP) and Certified CMMC Assessor (CCA). These certifications were designed for individuals who would perform or oversee third-party assessments for defense contractors. With Phase 2 suspended indefinitely and all pending CMMC milestones frozen,1 the immediate need for these certified assessors has evaporated. The CMMC Reform Task Force is reviewing whether the program will even retain third-party assessments at scale,2 so the long-term viability of these credentials is uncertain. Training providers and the Cyber AB have not yet announced formal pauses, but enrollment in CMMC assessor programs has likely stalled given the lack of clarity.

Foundational Certifications Remain Strong Career Bets

Foundational exams like CompTIA Security+, CISSP, and CCSP map directly to the NIST 800-171 controls that remain mandatory under DFARS 252.204-7012.3 They satisfy baseline requirements for DoD information assurance roles and are valued across healthcare, finance, and tech. Because Phase 1 self-assessments are still in effect, employers need professionals who understand NIST security controls, risk management, and cloud security, all skills covered by these certifications. Knowing which cybersecurity certifications pay six figures can help you prioritize the credentials with the strongest return, in or out of the defense sector, without tying your career to a single government program.

Is CMMC Certification Still Worth Pursuing?

If you are considering a CMMC-specific credential, the risk is asymmetrical. The cost to wait, delaying an exam or course, is low, especially while a 60-day reform review is underway.1 If the task force scales back third-party requirements, the market for CCPs and CCAs could shrink dramatically or shift toward a simpler, self-attestation model. On the other hand, if you have already specialized exclusively in CMMC assessor work, diversify now: a foundational certification will buy you flexibility. For anyone entering the field, the safest move is to build a foundation with Security+, then layer on a cloud or advanced cert based on your interests. Exploring accelerated cybersecurity certification programs can help you move quickly while keeping an eye on the task force's recommendations later this summer. Separately, if you are weighing credentials against formal schooling, a closer look at cybersecurity degree vs. certifications can clarify which path fits your goals.

Certification Paths: Cmmc-Specific Vs. Foundational Cybersecurity Credentials

With the CMMC Phase 2 suspension creating uncertainty around the program's future, cybersecurity students and professionals must weigh the risks and rewards of pursuing CMMC-specific credentials like CCP and CCA against more stable, foundational certifications such as CompTIA Security+, CISSP, or CCSP. Use the comparison below to see which path aligns better with your career goals during this policy shift.

Comparison of CMMC-specific certifications versus foundational cybersecurity credentials across demand, transferability, cost, and policy risk as of July 2026.

Career Planning and Post-Review Scenarios

The suspension of CMMC Phase 2 replaces a known certification timeline with open questions, but that uncertainty creates room to build skills that remain valuable no matter what the reform task force recommends. Instead of waiting, cybersecurity learners and professionals can use this pause to align with durable federal priorities that already drive hiring demand.

Where You Stand Shapes Your Next Move

  • Students and newcomers: If you are choosing your first certification path, prioritize broad, foundational credentials like CompTIA Security+ or CISSP over CMMC-specific training. These certs are listed in DoD 8570 and cover core concepts required across all defense compliance frameworks.
  • Career changers targeting DoD work: Gain hands-on experience with NIST 800-171 self-assessments, which remain mandatory for any contractor handling controlled unclassified information. Cloud security skills, particularly around AWS GovCloud or Azure Government, align directly with FedRAMP requirements and are a faster route to impact than waiting for CMMC level adjustments. If you are switching to cybersecurity from another IT career, this combination of foundational certs and NIST 800-171 project work is a practical entry point.
  • Current defense-sector professionals: Stay proficient in Phase 1 self-assessment requirements, but also broaden your expertise into zero trust architecture and risk management. The reform task force's final recommendations, due by mid-September 2026, will likely shift emphasis toward scalable security models, and those who can bridge compliance and operations will be best positioned.

Skills That Outlast Any Regulation

Several competencies are anchored in active mandates and will remain essential regardless of how CMMC evolves:

  • NIST 800-171 implementation: Mandatory for all CUI under DFARS 252.204-7012, the 110 controls of a Level 2 self-assessment are the daily reality for defense contractors.1
  • Cloud security architecture: FedRAMP Moderate authorization is required for cloud services processing CUI, so skills in cloud-native security controls and government enclaves are directly transferable.2
  • Zero trust principles: While not formally part of CMMC, CISA's Zero Trust Maturity Model is reshaping how agencies procure security, and contractors who can design and audit zero trust environments are in growing demand.
  • Risk assessment and mitigation: The ability to quantify risk and propose compensating controls is central to any compliance framework and is valued well beyond the defense sector. Understanding cybersecurity salary expectations with certifications can help you target the roles where these skills command the most value.

Three Paths Forward: What the Review Could Deliver

The 60-day review led by CIO Kirsten Davies and Michael Duffey invites public comment through August 14, 2026.3 Three realistic outcomes for certification holders and job seekers emerge:

  • Simplified CMMC with fewer levels: A streamlined framework would reduce the emphasis on CMMC-specific auditors and increase the value of widely recognized certs like CISSP or CISA. Job seekers should document NIST 800-171 implementation experience and any self-assessment work.
  • Phase 2 reinstated with small-business carve-outs: If third-party assessments resume on a delayed timeline, demand for C3PAO-related roles will resume but at a slower pace. Career changers who start now with foundational certs and NIST 800-171 projects will be ready to step into assessor roles later. Exploring online cybersecurity programs now gives you a structured path to build those credentials before the review concludes.
  • CMMC folded into a broader federal cyber framework: A unified approach combining elements of CMMC, FedRAMP, and CISA models would create a larger but differently shaped job market. Your best hedge is to combine cloud, zero trust, and risk management skills with at least one major certification like Security+ or CISSP.

Cybersecurity Salaries and Job Demand in the Defense Sector

The table below presents national figures for Information Security Analysts, the broad occupation encompassing most cybersecurity roles. While BLS data does not separate defense-specific positions, professionals working on DoD contracts or holding security clearances often earn premiums above these medians. The occupation shows exceptional growth, driven by escalating cyber threats across both government and private sectors.

StatisticValue
Total Employment179,430
Annual Mean Wage$127,730
25th Percentile Wage$92,160
Median Annual Wage$124,910
75th Percentile Wage$159,600
Projected Job Growth (2024-2034)29% (much faster than average)
Annual Openings16,000 per year

Top-Paying Metro Areas for Information Security Analysts

While the highest salaries for information security analysts are found in Silicon Valley, defense-heavy metros like Washington, D.C., and Baltimore also rank among the top-paying areas, thanks to strong demand from federal agencies and contractors. Below are the top 10 metro areas for median annual wages, based on 2024 Bureau of Labor Statistics data.

Metro AreaMedian Annual WageTotal Employment
San Jose-Sunnyvale-Santa Clara, CA$175,5202,500
San Francisco-Oakland-Fremont, CA$168,1604,010
Seattle-Tacoma-Bellevue, WA$152,6604,490
Washington-Arlington-Alexandria, DC-VA-MD-WV$138,41015,870
New York-Newark-Jersey City, NY-NJ$138,36010,160
Baltimore-Columbia-Towson, MD$136,0504,370
Boston-Cambridge-Newton, MA-NH$132,1704,870
Denver-Aurora-Centennial, CO$131,6703,620
Dallas-Fort Worth-Arlington, TX$131,2806,570
Los Angeles-Long Beach-Anaheim, CA$131,2804,420

Frequently Asked Questions About the CMMC Phase 2 Suspension

The Pentagon's decision to suspend CMMC Phase 2 has left many cybersecurity students and professionals with questions. Here are answers to the most common queries to help you navigate this policy shift.

The suspension puts CMMC-specific certifications on hold. No new third-party assessments will be required, pending the outcome of the review. If you were pursuing CMMC credentials, you should wait for the review results. Meanwhile, foundational certifications like CompTIA Security+ and CISSP remain valuable and unaffected.

With Phase 2 suspended and a "top-to-bottom" review underway, the future of CMMC certification is uncertain. The Pentagon cited burdens on small businesses, which may lead to a simplified framework. Until the review concludes, it is prudent to focus on broader certifications that are widely recognized across the industry. If you are weighing your options, our guide on switching to cybersecurity from other IT careers walks through how to build a credential strategy that stays relevant through policy changes.

Phase 1 self-assessment requirements remain in force, and DoD programs can continue including CMMC self-assessment requirements in contracts. Some program offices may have already required third-party audits, but no new mandates will be added until further notice.

The CMMC Reform Task Force will evaluate the program and potentially recommend a simplified compliance framework. They aim to lower barriers, especially for small businesses, and replace third-party assessments with scalable measures. New guidelines may be issued post-review, affecting certification and training pathways. Understanding why cybersecurity is important for national defense can help you contextualize how any revised framework will still prioritize core security competencies.

The suspension relieves immediate pressure on small and non-traditional businesses, as the Pentagon acknowledged "prohibitive burdens" from compliance costs. This may open opportunities for newcomers in the defense sector. Small businesses can now focus on meeting NIST 800-171 standards without the added cost of third-party audits. For those looking to fund their training during this transition, federal programs that cover cybersecurity school tuition[[LINK:3|]] are worth exploring.

In light of the suspension, prioritize foundational certifications like CompTIA Security+, CISSP, or cloud security credentials such as AWS Certified Security. These are broadly recognized and not dependent on DoD policy shifts. They provide a solid career foundation regardless of the future CMMC framework.

The CMMC Phase 2 suspension is a pause, not a setback. Foundational skills and certifications like Security+ or CISSP remain in high demand across defense contractors, and NIST 800-171 fluency continues to open doors. Use this window to reinforce your credentials, explore cybersecurity salary expectations by certification, and monitor the Reform Task Force's findings. For those still weighing formal education, a cybersecurity degree program builds the durable technical foundation that outlasts any single compliance framework. The cyber workforce need is growing, and a strong core skillset keeps you positioned for whatever compliance model takes shape after the 60-day review concludes.

Recent News

Recent Articles

In this article