As our CEO, I don't get to write as much as I used to — most days that's a good sign, since it means the team is running things well without me parked in every draft. But when this announcement came down, I felt like it was one worth me tackling myself. CMMC has shaped nearly every conversation we've had with contractors, Primes, and fellow small businesses in this space for years now, and the reactions I watched roll in — on LinkedIn, in customer calls, in group chats with people who've been living this alongside us — told me there was real confusion brewing that needed a straight answer, and not a hot take.
If you work anywhere near the defense industrial base, you've probably already seen the headlines: the Department of Defense has suspended CMMC Phase 2. Depending on which LinkedIn feed you're scrolling, that's either being read as "CMMC is dead" or "CMMC is on ice." Neither read is quite right, and the gap between those two takes is exactly where a lot of contractors are about to get into trouble.
So let's separate what actually happened from what a lot of people are assuming happened.
What DoD Actually Announced
On July 13, 2026, DoD announced it is immediately suspending the Cybersecurity Maturity Model Certification (CMMC) Phase 2 requirements — the third-party certification requirements that were scheduled to take effect November 10, 2026. Phase 3 and Phase 4 are suspended right along with it. Phase 1 self-assessments stay in place.
In their place, DoD has stood up a CMMC Reform Task Force to run a 60-day review, explicitly aimed at aligning CMMC with Defense Secretary Pete Hegseth's Acquisition Transformation System priorities — faster capability delivery, lower barriers for small and non-traditional businesses, and less bureaucratic overhead. The stated trigger was cost: Small Business Administration data reportedly showed CMMC compliance costs were pushing smaller, innovative companies out of the DIB altogether, which is the opposite of what a supply-chain security program is supposed to do.
DoD CIO Kirsten Davies put it plainly: "We believe the DIB can achieve both, while we reduce unnecessary government red tape." Undersecretary Michael Duffey framed it as maintaining a security baseline while removing costs that were pushing competitors out of the market. DoD also opened a public Request for Information — due August 14 — asking industry directly what's driving costs, which NIST SP 800-171 controls actually reduce risk, and whether commercial tools and managed services should count toward compliance instead of requiring separate assessments. If your company has opinions on any of that (and if you've lived through a CMMC assessment, you probably do), that RFI is worth your time.
None of that is nothing. It's a real, meaningful pause in a specific verification mechanism. But it is not what a lot of people are hearing it as.

Here's the Part That's Getting Lost
DoD said this explicitly, and it's the single most important line in the announcement: the suspension does not eliminate your obligation to protect federal data. Contractors and subcontractors still have to safeguard covered defense information under DFARS 252.204-7012.
That's worth sitting with, because it points to something a lot of the CMMC conversation gets backwards. CMMC was never the source of your obligation to protect CUI. It was the verification mechanism DoD built to check whether you were meeting an obligation that already existed elsewhere. The actual requirement — protect CUI in accordance with NIST SP 800-171 (and FedRAMP for your CSP's) — lives in your contract, via DFARS 252.204-7012 (and 7019/7020, and eventually 7021). Suspending the certification exam doesn't touch the standard the exam was testing you against.
Think of it like a driver's license road test getting postponed. The DMV pausing the test doesn't mean the speed limit went away. You're still required to drive safely — you just aren't being formally re-certified on it this quarter.
If your company handles CUI, that requirement is still sitting in your contract right now, independent of whatever CMMC's org chart looks like in 60 days.
One Requirement That Hasn't Moved: Your Cloud Service Providers
This is a good moment to double-check something a lot of companies quietly let slide: DFARS 252.204-7012 doesn't just require you to protect CUI on your own systems — it requires any cloud service provider storing, processing, or transmitting covered defense information on your behalf to meet security requirements equivalent to the FedRAMP Moderate baseline, at minimum. That requirement hasn't been touched by the CMMC suspension, because it was never a CMMC requirement to begin with. It's baked directly into 7012.
Here's where it gets more interesting: there's a real, meaningful difference between a CSP that is a FedRAMP Authorized Service Provider — meaning it actually went through the FedRAMP process and holds an ATO or P-ATO backed by an independent third-party assessment — and one that merely claims to be "FedRAMP equivalent," which is typically a vendor's own self-attestation that it meets similar controls without ever going through the FedRAMP process itself.
We're continuing to see Prime contractors push their subs toward the former. More and more Primes are telling their supply chain, in plain terms, that "equivalent" isn't good enough anymore — they want CSPs that are actually FedRAMP Authorized, full stop. That's not a formal DoD-wide mandate as of this writing, but if you're a sub relying on a CSP that only claims equivalency, don't be surprised if your Prime starts asking harder questions about it. That pressure isn't waiting on the outcome of the CMMC review.
Proof This Isn't Going Away: Golden Dome
If you want a concrete, current example of DoD treating these requirements as non-negotiable regardless of CMMC's status, look at the Golden Dome for America (GDA) cybersecurity memo, issued by the GDA program office back in July 2025 — well before this suspension. It lays out supply chain security requirements for every vendor touching one of the highest-profile missile defense programs in the country, and it does so by name-checking DFARS 252.204-7012, 7018, 7019, 7020, the pending 7021, and CUI-handling requirements under 32 CFR Parts 170 and 2002 — i.e., NIST SP 800-171, with NIST SP 800-172 layered in for enhanced protections on breakthrough technologies.
Notice what's doing the actual work in that memo: it's the DFARS clauses and the NIST control sets. CMMC gets a mention as the eventual verification path, but the enforceable, contractual obligation is anchored to the regulation, not the certification brand name. That's true whether CMMC is in Phase 2, under review, or renamed entirely in six months.
We're Not Dismissing the Cost Problem
To be fair to the frustration driving this pause: the compliance and audit costs behind CMMC have been genuinely brutal for smaller players in the DIB, and DoD citing SBA data on companies leaving the supply chain over it isn't a talking point — it's a real dynamic we've watched play out. Sharetru is a small business too. We went through FedRAMP authorization at the SaaS layer as a Cloud Service Provider precisely because we know what it's like to carry serious security requirements on a small-business budget. We're not writing this from the sidelines.
But "this is expensive and needs reform" and "you can stop protecting CUI" are two completely different statements, and only one of them is what DoD actually said.
What to Actually Do Right Now
- Keep running your NIST SP 800-171 self-assessments. Phase 1 didn't move.
- Don't quietly let your SSP, POA&M, or CUI handling practices lapse because "CMMC is paused." Your contract's DFARS clauses are still active.
- If cost and administrative burden are real pain points for you, submit to the RFI before August 14. This review is explicitly soliciting that input.
- Keep using tools built for this from the start. Whatever CMMC looks like in 60 days, you'll still need a way to move and store CUI that's actually built for DFARS 7012 and NIST SP 800-171 — not retrofitted onto it.
- Confirm every CSP touching CUI in your environment — including your MFT or file-sharing platform — is actually FedRAMP Authorized, not just self-attested as "FedRAMP equivalent." If your Prime hasn't asked about this yet, expect them to.

That last point is where we'll put in a word for ourselves: Sharetru Federal is a FedRAMP-authorized managed file transfer (MFT) platform, that undergoes an annual 3PAO, audit, appears as a FedRAMP authorized service in the marketplace, is built specifically for organizations that need to move CUI in and out of their environment without gambling on whether their file transfer setup would survive an assessment — CMMC or otherwise. That need doesn't pause for 60 days.
CMMC's shape may well change. It might get simpler. It might come back looking very different. It might stay exactly the same. What won't change is the underlying rule: if you're handling CUI for DoD, you're required to protect it. That's not a CMMC rule. It's a contract rule and you should be planning accordingly.