What the CMMC Phase II Suspension Means for MSPs and Their DIB Customers

On July 13, 2026, the Department of War (DoW) suspended CMMC Phase II, the mandatory third‑party (C3PAO) assessment that was scheduled to enter solicitations on November 10, 2026. In its place, they stood up a CMMC Reform Task Force to conduct a 60‑day, top‑to‑bottom review of the program.

You've spent months or years investing in staff, tooling, and customer education to get ahead of CMMC Phase II. A last-minute suspension after that kind of commitment is frustrating, and the uncertainty of a 60-day review makes it hard to know what to tell customers who are mid-implementation.

Here's the honest read: the investment wasn't wasted. NIST SP 800-171, DFARS 7012, and annual self-attestation are all still in force. What changed is who verifies the score and that shift makes the evidence you've been building more valuable, not less. Tell your customers to keep going. The audit paused; the accountability didn't.

Key components of the announcement

If you lead an MSP serving the Defense Industrial Base (DIB), or you are a defense contractor yourself, the temptation will be to read this as repeal of the requirements, but this doesn’t appear to be the case.  

3rd party assessment requirements have been suspended: This is a 60-day pause of the C3PAO certification gate while a CMMC Reform Task Force revies the process.  

  • CMMC Level 2 third-party (C3PAO) assessments and CMMC Level 3 (DIBCAC) assessments cannot be designated during the review.  
  • Pending and future CMMC implementation milestones across DoW solicitations and contracts are paused.  
  • Solicitations already carrying third‑party requirements are to be amended; existing contracts modified at the next option or administrative modification.

This is not a repeal of the requirements for protecting Controlled Unclassified Information (CUI) and Federal Contract Information (FCI)

  • Required safeguards aligned to DFARS 252.2047012 and NIST SP 800171 Rev. 2 remain in place
  • CMMC Phase I selfassessments: Level 1 (self) for FCI and Level 2 (self) for CUI remain firmly in place, along with the annual affirmation. These are currently the only levels a contracting officer may designate.
  • The CMMC clause (DFARS 252.2047021): Still required by the DFARS, prescribed for use through November 2028.

In the near term you should be aware that:

  • The 60day review, is expected to be complete around mid‑September, 2026 and restructuring or cancellation (highly unlikely) are both on the table. The outcome will shape your customers' obligations for years.
  • The RFI comment window gives MSPs and contractors a chance to shape the outcome. If a compliance cost has hit your business, this is the moment to say so on the record.

Key considerations

Under the model prior to the DoW suspension, a third‑party did much of the diligence. An assessor looked at the environment, tested the controls, and put their name behind the result. In a self‑attestation world, that independent check disappears, shifting the burden of verification back onto the contractor and, by extension, onto the MSP and any outsourced service providers who design, operate, and monitor those environments.

  • DOJ has consistently pursued False Claims Act (FCA) actions tied to alleged noncompliance with DFARS 252.204‑7012 and 252.204‑7020, and could extend that focus to false or inaccurate CMMC Phase I self‑assessments. Violations of the FCA have already resulted in fines in hundreds of thousands of dollars in the past.
  • DOJ enforcement of the Civil Cyber‑Fraud Initiative continues, and settlements like LOGZONE show it is already reaching NIST SP 800‑171 self-assessments. Attest carefully and focus on defensibility.

How Todyl can streamline CMMC Level 1 and 2 self-attestations

Todyl is a unified threat, risk, and compliance platform built for MSPs, IT, and security teams with a broad set of capabilities to help guide DIB customers through a self-attestation world where accuracy and evidence are everything. The value isn't in any single tool; it's in consolidating controls implementation, monitoring, response, and compliance evidence in one place instead of stitching together a half-dozen point products.

Six modules do the heavy lifting:

  • SIEM centralizes log collection, correlation, and long-term retention across the environment to deliver the audit trails, continuous monitoring, and compliance reporting that satisfy auditor and regulatory demands. When an incident hits, the evidence is already there.
  • Endpoint Security provides continuous endpoint monitoring, threat detection, and forensic telemetry that create the required audit trails. Demonstrates endpoint controls are in place, current, and actively enforced — turning attestation into observable reality.
  • Lan ZeroTrust Microsegmentation enforces the least-privilege network access controls required by Zero Trust mandates across multiple frameworks, demonstrating that internal network access is continuously verified and restricted.
  • MXDR delivers 24/7 expert-led threat monitoring, investigation, and response, fulfilling continuous monitoring and incident response mandates. Gives auditors evidence of a formalized security operations function without the MSP having to build a SOC from scratch
  • SOAR automates incident response workflows and captures records of every enforcement action taken during an event. Demonstrates that incidents are handled in a repeatable, auditable, and timely manner helping to satisfy requirements for formalized IR plans and producing evidence of remediation.
  • GRC maintains documented policies, assessments, and reporting to provide evidence of existing processes needed to demonstrate continuous compliance. Turns "we think we're compliant" into "we can show it", which is often the difference between a defensible score and a False Claims Act settlement.

Together, these modules help MSPs accelerate controls adoption, maintain defensible evidence, and keep DIB customers ready for self-assessment today and for whatever the CMMC Reform Task Force finalizes next.

Contact us to discuss how Todyl can help you and your clients navigate CMMC Level 1 and Level 2, regardless of the outcome of the current review process.

AI Defense Readiness Assessment

Evaluate your security posture against AI-powered attacks and get recommendations to close any gaps.

Stay on the Cutting Edge of Security

Subscribe to our newsletter to get our latest insights.