At 3:30 PM Eastern on July 13, 2026, the Department of War (DoW) dropped two memos and kicked off a lot of speculation. The subject lines: “Implementing Department of War Chief Information Officer’s Suspension of the Advancement to Cybersecurity Maturity Model Certification Phase 2 Requirements” and “Removing Barriers to Defense Industrial Base Expansion: Immediate Suspension and Strategic Review of Cybersecurity Maturity Model Certification Requirements.”
The reaction from defense contractors and some MSPs was immediate — and predictably wrong. Inboxes lit up with messages like “CMMC is dead,” “the audit requirement is gone,” and “we can slow down now.” Every one of those takes is incorrect, and for MSPs advising clients in the defense industrial base (DIB), acting on that bad information could put your clients — and your business — in serious legal jeopardy.
Here’s what actually happened, what it means specifically for managed service providers, and what you need to do right now.
What CMMC Was — A Quick Level-Set
Before unpacking the suspension, a brief grounding on the program itself, because the distinction between what’s paused and what’s not depends entirely on understanding CMMC’s architecture.
The Cybersecurity Maturity Model Certification program was first proposed in 2020 to standardize cybersecurity across the DIB. The Department released an updated version, CMMC 2.0, in 2021 to simplify and align requirements with NIST SP 800-171. The program’s Final Rule was published September 10, 2025 and became effective November 10, 2025 — making CMMC a contractual, legally binding requirement under the Defense Federal Acquisition Regulation Supplement (DFARS).
CMMC operates across three tiers:
| Level | Scope | Controls | Verification |
|---|---|---|---|
| Level 1 | Federal Contract Information (FCI) | 17 controls (FAR 52.204-21) | Self-assessment |
| Level 2 | Controlled Unclassified Information (CUI) | 110 NIST SP 800-171 controls | Self-assessment or C3PAO third-party audit as determined by the contract |
| Level 3 | Sensitive CUI | NIST SP 800-172 | DIBCAC government-led assessment |
Compliance is tracked through annual affirmations of continuous compliance posted in the Supplier Performance Risk System (SPRS). Those affirmations are personal legal attestations — not checkbox confirmations — and are enforceable under the False Claims Act. That detail matters enormously, as you’ll see.
The rollout was always phased across four stages spanning 2025–2028:
Phase 1 (Nov. 2025 – Nov. 2026): Self-assessments at Level 1 and Level 2 as conditions of award
Phase 2 (Nov. 2026 – Nov. 2027): Level 2 C3PAO third-party certifications enter solicitations
Phase 3 (Nov. 2027 – Nov. 2028): Level 2 C3PAO and Level 3 DIBCAC mandates expand
Phase 4 (Nov. 2028+): Requirements become mandatory across all applicable DoW contracts
Phase 2 — the one requiring independent, third-party C3PAO audits — was scheduled to begin November 10, 2026. That phase is now suspended.
What the July 13 Memo Actually Says
The DoW’s suspension memo is blunt about what’s happening and why. According to Defensescoop, DoW CIO Kirsten Davies cited that CMMC had become “too bureaucratic and burdensome on the industrial base” — particularly for small and medium-sized businesses. The math driving that concern is stark: there are only approximately 100 authorized C3PAOs available to serve an estimated 80,000 to 120,000+ companies in the DIB. The compliance cost burden was estimated at $388,000 to $594,000 per small firm. Those numbers, combined with Secretary Hegseth’s push to streamline defense acquisition through the Acquisition Transformation System, drove the decision.
What’s suspended:
Phase 2 C3PAO third-party certification requirements (originally due Nov. 10, 2026)
Phase 3 and Phase 4 implementation milestones
Designation of CMMC Level 2 (C3PAO) or Level 3 (DIBCAC) requirements in any new or renewing solicitations during the suspension period
All pending CMMC Phase 2 implementation milestones across DoW solicitations
What’s explicitly not suspended — and this is the list MSPs need to print and post on a wall:
CMMC Phase 1 self-assessment requirements
DFARS 252.204-7012 (safeguarding covered defense information, 72-hour incident reporting)
All 110 controls of NIST SP 800-171 Rev. 2
Annual affirmations of continuous compliance under 32 CFR 170.22
FedRAMP Moderate requirements for cloud systems handling CUI
False Claims Act / Civil Cyber-Fraud Initiative enforcement
DFARS 252.204-7012 flow-down from prime contractors to subcontractors
That last point deserves emphasis. If your clients work as subs to a prime, the prime’s flow-down requirements are still fully in force. The certification requirement moved; the obligation to protect government information did not.
The DoW memo states explicitly: “During this suspension, the Department will continue enforcing baseline compliance with NIST SP 800-171 Rev. 2 through DIB self-assessment and select government-led assessments, focusing on tangible cyber hygiene rather than third-party certifications.”
The 60-Day Review: What Might Change
The suspension established a 60-day CMMC Reform Task Force under the DoW CIO, with a report due in mid-September 2026. A public Request for Information (RFI) is accepting comments through August 14, 2026 — a rare and narrow window for MSP organizations to directly influence the program’s future.
Three realistic outcomes exist after the review concludes:
Reinstatement as-is: Phase 2 requirements resume, likely with a revised timeline pushed out by 12–24 months
Structural reform: A tiered or simplified verification model; DoW officials have referenced a “Brilliant at the Basics” framework that may replace some requirements with a checklist of high-impact controls (phishing-resistant MFA, secure AI adoption, shift-left security practices)
Formal rulemaking to amend the CFR: Under the Administrative Procedure Act, an indefinite pause constitutes a “de facto repeal” — so any permanent changes require a new notice-and-comment rulemaking process, which takes time
One important note: CMMC has been codified in 32 CFR part 170. It cannot simply be deleted by memo. Full repeal would require the same regulatory machinery that created it. The DoW cannot quietly make this disappear — which means MSPs who tell clients “it’s probably going away” are giving legally and operationally dangerous advice.
Also worth watching: The FAR Council published a proposed government-wide CUI rule based on SP 800-171 Rev. 3 in June 2026. If adopted, this could shift the baseline controls that underpin CMMC Level 2, requiring a gap analysis even for organizations that have already completed their 800-171 Rev. 2 work.
The Problem Nobody Is Talking About: MSPs as the Weak Link
Here’s the conversation your clients probably aren’t having — and the one you, as their MSP, need to initiate.
CMMC’s regulatory structure treats managed service providers as “External Service Providers” (ESPs) under vague scoping rules, with only voluntary certification requirements. This was a gap before the suspension. The suspension made it worse.
Consider what MSPs actually do inside contractor environments. MSP personnel routinely hold privileged administrative access — they patch vulnerabilities, reset credentials, and tune configurations/defenses. In many cases, your technicians have deeper, more persistent access to CUI-bearing systems than the contractor’s own employees. Yet the regulation places the compliance obligation entirely on the contractor, not on the provider with administrative control.
The numbers are damning: industry estimates suggest tens of thousands of MSPs serve U.S. defense contractors, yet only about 1,717 organizations — a fraction of which are MSPs — across the entire DIB have achieved CMMC Level 2 certification. Without an accurate inventory, the DoW is, in the words of the authors of a May 2026 commentary in Nextgov, “operating blind.”
This is not a theoretical risk. The 2020 SolarWinds attack exploited trusted software updates to breach dozens of defense contractors. The 2021 Kaseya VSA ransomware campaign hit MSPs directly, encrypting systems at hundreds of downstream clients. In early 2026, ransomware groups Qilin and Akira specifically targeted IT service providers and manufacturing supply chains, with Akira breaching providers serving defense and government sectors. Chinese-linked Mustang Panda continues persistent espionage campaigns through third-party vectors. Supply chain attacks are accelerating. The adversary hasn’t paused anything.
The legislative response is beginning to form. There are active calls for the House Armed Services Committee to direct the DoW to survey Level 2 contractors about MSP usage, and to amend 32 CFR Part 170 to require MSPs with administrative access to CUI environments to obtain certification matching their client’s CMMC level. Congress has already defined “managed service provider” in 6 U.S.C. § 650(18) as entities providing ongoing network, infrastructure, or security services — a statutory foundation ready to be applied.
Whether this legislative fix happens before or after the task force reports in September, the direction of travel is clear: MSPs are going to face formal accountability for the environments they manage.
The Self-Attestation Trap
With C3PAO audits suspended, the burden of verifying compliance now falls entirely on the contractor’s own SPRS affirmation. For MSPs, this creates a specific and serious liability exposure.
Here’s how the trap closes:
MSP deploys a security toolset (EDR, MFA, SIEM, backup, etc.)
MSP tells contractor they are “CMMC Level 2 compliant”
Contractor submits a high SPRS score and executive affirmation
Prime contractor or DCMA spot-check surfaces that actual controls don’t meet the mapped NIST 800-171 practices
DOJ Civil Cyber-Fraud Initiative opens an investigation under the False Claims Act
The median SPRS score across the DIB at the time of the suspension was approximately 60 — against a required score of 110. The gap between what contractors are attesting to and what they can actually demonstrate is enormous. That gap exists in large part because MSPs have been selling security tools rather than CMMC-mapped compliance programs, and because self-attestation allows companies to score controls as “implemented” without the evidence packages that a C3PAO assessment would require.
Executive affirmations under 32 CFR 170.22 are personal legal attestations. “I trusted my IT vendor” is not a defense under the False Claims Act. DOJ’s Civil Cyber-Fraud Initiative has already pursued and settled cases against contractors who falsely certified cybersecurity compliance — and those enforcement actions are continuing regardless of CMMC’s audit schedule.
If your MSP has told clients they’re “CMMC compliant” based on tool deployment without proper evidence packages, POA&M documentation, and controls mapped to specific NIST 800-171 practice IDs, those clients are potentially exposed. And depending on how those representations were made, so might you be.
What MSPs Must Do Right Now
“This is another frustrating false start on CMMC, so we have to assume that the instinct for many will be to slam on the brakes. But it’s important to remember that companies should have been complying with NIST SP 800-171 for about a decade now, and it’s in everyone’s best interest to keep working toward this baseline. At the end of the day, this is about smart security, not just legislation.” — Mike Zbarsky, Co-Founder of Blacksmith Infosec
Here is the action list for MSP teams serving DIB clients:
1. Keep NIST SP 800-171 Rev. 2 implementation moving. This is the floor. It is enforced under DFARS 252.204-7012 regardless of what happens to CMMC’s audit schedule. Every control is still required; only the third-party verification of those controls is suspended.
2. Audit your own SPRS representations immediately. Review every client for whom you’ve made compliance representations. Confirm that each control scored as “implemented” is actually implemented and documented with evidence that would survive a government-led assessment. If it wouldn’t survive a spot-check, fix it now.
3. Build or upgrade evidence packages. Documentation must map implementations to specific NIST 800-171 practice IDs — not just describe what tools you’ve deployed. “We use Senteon” is not evidence of 3.4.1 physical access control. Build the mapping.
4. Review all client contracts for existing CMMC clauses. Contracts that already contain CMMC Level 2 C3PAO requirements remain in force until a contracting officer issues a formal modification. Do not assume the suspension automatically rewrites existing contract language — it doesn’t.
5. Verify cloud environments against FedRAMP Moderate. This requirement did not move. If you’ve deployed cloud platforms for clients that process, store, or transmit CUI, those platforms must be FedRAMP Moderate authorized. Confirm this for every relevant client.
6. Submit to the RFI before August 14, 2026. MSP organizations have a direct opportunity to shape how the task force addresses the ESP/MSP gap. If your firm serves DIB clients and you’re not submitting formal comment, you’re ceding that ground to others.
7. Don’t pause in-progress C3PAO assessments. If any of your clients were mid-assessment, finishing is almost always cheaper than stopping and restarting. Certifications issued during the suspension remain valid and represent genuine competitive differentiation when Phase 2 requirements resume in some form.
8. Communicate proactively with clients. Your clients who have read the headlines may believe compliance is optional now. Every day that belief goes uncorrected, they’re building compliance debt and legal exposure. Send the communication now, not in September.
9. Pursue MSP-level certification. With only approximately 40 certified MSPs serving the entire DIB, early certification is not a cost — it’s a market differentiator. When the task force produces its report and contracting resumes, clients who need a certified MSP-partner will look for whoever has the credentials. Be that firm.
10. Track the “Brilliant at the Basics” framework. The DoW CIO has referenced a voluntary best-practices framework emphasizing high-impact, low-friction controls: phishing-resistant MFA, shift-left security practices, secure AI adoption. If this becomes the interim standard for self-assessments, your clients need to be compliant with it before the task force reports.
What This Means for the Defense Supply Chain — And Your Business
The suspension is one component of a larger shift in defense acquisition philosophy. The DoW is pushing to bring commercial technology — software, AI, cloud infrastructure — into the warfighter environment faster. The Software Fast Track (SWFT) initiative, AI-first strategy memos, and OTA-as-default contracting posture are all pieces of the same picture. CMMC’s burdensome audit structure was viewed as friction against that goal.
What this creates for MSPs is a bifurcated market. On one side: firms that stayed compliant, built accurate evidence packages, and can demonstrate a credible security posture. On the other: firms that treated the suspension as a vacation. When Phase 2 requirements resume — and they will, in some form — the first group will be positioned to win contracts and command premium pricing. The second will be scrambling.
The compliance gap in the DIB right now is staggering. A median SPRS score of 60 against a required 110 means the average contractor is operating with roughly half of the required controls in place. MSPs who help close that gap during the suspension window are creating real, demonstrable value. MSPs who let clients believe the problem has been solved are creating liability.
The Bottom Line
The gate moved. The bar didn’t.
CMMC Phase 2’s C3PAO audit requirement is suspended for 60 days pending a task force review. The task force will report in mid-September 2026, after which requirements will be reinstated, restructured, delayed further, or formally amended through rulemaking. Full repeal is not legally simple and is not what officials are signaling.
In the meantime: NIST SP 800-171 is enforced. DFARS 252.204-7012 is enforced. Annual affirmations are legally binding personal attestations. The False Claims Act applies to every SPRS score your clients have submitted. And MSPs — the providers with the most access to CUI environments — remain the most under-regulated entities in the entire DIB compliance ecosystem.
The firms that use this window to build accurate evidence packages, close control gaps, and position themselves as credible CMMC-ready partners will emerge from September with a genuine competitive advantage. The firms that treat this as permission to slow down will find themselves 60 days — or more — behind when the requirements resume.
Do not stop. Do not wait. The adversary certainly isn’t.
Frequently Asked Questions
The Basics
Q: What exactly was suspended on July 13, 2026?
The Department of War (DoW) suspended the Phase 2 requirements of the Cybersecurity Maturity Model Certification (CMMC) program, which were originally scheduled to take effect November 10, 2026. Phase 2 was the stage that would have required Level 2 contractors — those handling Controlled Unclassified Information (CUI) — to obtain independent, third-party certifications from authorized C3PAO (Certified Third-Party Assessment Organization) assessors. The suspension also pauses Phase 3 and Phase 4 milestones. Phases 3 and 4 would have progressively expanded mandatory C3PAO and DIBCAC (Defense Industrial Base Cybersecurity Assessment Center) requirements across more solicitations through 2028.
Q: Is CMMC cancelled?
No. CMMC is not cancelled. The program is suspended pending a 60-day review. “Suspended” and “cancelled” are not the same thing, and the difference carries significant legal weight. CMMC was codified into federal regulation under 48 CFR Part 204 and 32 CFR Part 170 through a full notice-and-comment rulemaking process under the Administrative Procedure Act (APA). It cannot be repealed by memo. Any permanent changes to the rule — including full repeal — would require a new APA rulemaking cycle, which typically takes 12–24 months minimum. Officials have not signaled intent to cancel; they have signaled intent to restructure.
Q: Why did the DoW suspend Phase 2?
DoW CIO Kirsten Davies cited two primary reasons: the program had become “too bureaucratic and burdensome” on the defense industrial base, and the ecosystem of assessment organizations was structurally incapable of handling the volume. With only approximately 100 authorized C3PAOs available to certify an estimated 80,000–120,000+ companies in the DIB, the math was unworkable — the assessment pipeline would have created years-long bottlenecks before companies could even get certified. The compliance cost burden for small businesses was estimated at $388,000 to $594,000 per firm. The suspension aligns with Secretary Hegseth’s broader Acquisition Transformation System initiative to reduce barriers and accelerate defense procurement.
Q: What is the Phase 2 suspension’s duration?
The formal review period is 60 days from July 13, 2026, with the CMMC Reform Task Force report due in mid-September 2026. However, the suspension itself does not have a hard end date — its lifting is contingent on the outcome of the review, not a calendar trigger. If the task force recommends restructuring the program, additional rulemaking time may be required before requirements resume.
Q: What are the possible outcomes of the 60-day review?
Three realistic scenarios exist after the task force reports:
Reinstatement with timeline adjustment: Phase 2 requirements resume largely as written, but with a new deadline pushed 12–24 months out to allow the C3PAO ecosystem to scale.
Program restructuring: CMMC is redesigned — potentially replacing C3PAO audits with a tiered or simplified model, or anchoring requirements to a “Brilliant at the Basics” framework emphasizing high-impact controls rather than full 110-control assessments.
Formal rulemaking to amend or replace the rule: A new notice-and-comment process begins, which means the existing rule stays in force during the rulemaking period and any new framework takes years to finalize.
Full cancellation is not off the table, but it is the least likely outcome given the statutory and regulatory infrastructure CMMC is embedded in, and the ongoing national security justification for protecting CUI in the defense supply chain.
What’s Still Required
Q: If Phase 2 is suspended, what cybersecurity requirements still apply to my clients?
All of them except the C3PAO third-party audit requirement. The following obligations are fully in force:
CMMC Phase 1 self-assessment requirements — Level 1 and Level 2 self-assessments remain conditions of contract award
DFARS 252.204-7012 — contractors must safeguard covered defense information (CDI) and report cyber incidents to the DoW within 72 hours
NIST SP 800-171 Rev. 2 — all 110 controls remain required for organizations handling CUI
Annual affirmations under 32 CFR 170.22 — contractors must affirm continuous compliance in SPRS each year
FedRAMP Moderate — cloud systems that process, store, or transmit CUI must still be authorized at FedRAMP Moderate or equivalent
DFARS 252.204-7012 flow-down — prime contractors must still flow these requirements down to subcontractors
The suspension changed the mechanism of verification. It did not change the underlying security requirements.
Q: Do existing CMMC contract clauses still apply?
Yes, until formally modified. Contracts that were awarded with CMMC Level 2 or Level 3 requirements already written into them remain in force under the original terms until a contracting officer (CO) issues a formal contract modification removing or altering those clauses. The suspension memo directs contracting officers to issue those modifications, but “directed to issue” is not the same as “have issued.” Until your client receives a written modification, the original contract governs. MSPs should advise clients to request explicit confirmation of any modifications in writing from their COs.
Q: Is the SPRS affirmation process still active?
Yes. SPRS (Supplier Performance Risk System) affirmations remain a legal requirement. Contractors must maintain a current SPRS score and affirm continuous compliance annually under 32 CFR 170.22. These affirmations are personal legal attestations — they create direct liability for the individual signing them. A high SPRS score that cannot be supported by actual evidence of implemented controls creates False Claims Act exposure regardless of whether a C3PAO audit ever happens.
MSP-Specific Questions
Q: Does the suspension affect MSPs directly?
Both directly and indirectly. Directly: MSPs seeking their own CMMC Level 2 C3PAO certification can no longer be designated in new solicitations during the suspension, and active assessment pipelines may face uncertainty about timelines. Indirectly: MSPs who advise and service DIB clients are now more exposed, not less, because the suspension shifts the compliance burden entirely to client self-attestation — and most clients rely on their MSP to tell them whether they’re compliant. If your representations are inaccurate, the client’s SPRS affirmation is potentially fraudulent, and the liability traces directly back to the source of those representations.
Q: Are MSPs formally required to be CMMC-certified?
Not currently. CMMC’s regulatory framework treats managed service providers as “External Service Providers” (ESPs) with only voluntary certification requirements. This is a documented gap in the program — not an oversight by MSPs, but a structural deficiency in the regulation itself. There are active legislative proposals to amend 32 CFR Part 170 to require MSPs with administrative access to CUI environments to obtain CMMC certification matching their client’s level. Congress has already defined “managed service provider” in 6 U.S.C. § 650(18), establishing the statutory foundation for such a requirement. Whether this change comes from the task force, Congress, or a future rulemaking cycle, the direction of regulatory travel is toward more MSP accountability, not less.
Q: What does it mean that MSPs are “an attack vector”?
It means the regulatory gap between contractor obligations and MSP obligations creates an exploitable seam in the defense supply chain. MSP personnel typically hold privileged administrative access to contractor environments — patching, configuring, credentialing, monitoring. If that MSP is not certified to the same security standard as its contractor client, adversaries can target the MSP rather than the contractor to gain access. This is not theoretical. The 2020 SolarWinds breach, 2021 Kaseya VSA attack, and 2026 campaigns by ransomware groups Akira and Qilin all followed this exact pattern: compromise the service provider, inherit access to the clients. With the suspension intensifying reliance on unverified self-attestation, this gap is more consequential now than it was in November 2025.
Q: My firm has told clients they are “CMMC compliant” — are we exposed?
Potentially, yes. The exposure arises if your compliance representations caused a client to submit an inflated SPRS score in their annual affirmation. The False Claims Act creates liability for anyone who causes a false claim to be submitted to the government, not just the person who signs it. If a client submitted an SPRS affirmation based on your compliance assessment, and that assessment overstated their actual security posture, DOJ’s Civil Cyber-Fraud Initiative may consider whether your firm contributed to that false affirmation. The prudent course of action is an immediate internal audit of every compliance representation your firm has made, compared against actual evidence packages. Where gaps exist, close them and document the remediation before any spot-check or investigation reaches you.
Q: We were in the middle of a C3PAO assessment for one of our clients. Should we stop?
No. Finishing an in-progress assessment is almost always cheaper than stopping and restarting. Assessment costs, scheduling, evidence preparation, and assessor familiarity with the environment are all sunk costs that restart from zero if you pause. More importantly, a completed CMMC Level 2 certification is a genuine competitive differentiator right now. With only approximately 40 MSPs currently certified and the entire DIB in self-assessment mode, a certified client is better positioned to win contracts regardless of the Phase 2 suspension. Certifications issued during the suspension remain valid.
Q: Should we tell our DIB clients to slow down on compliance work?
No. This is the most dangerous advice an MSP can give a defense contractor right now. The underlying legal obligations have not changed. The timeline for third-party verification has shifted, but NIST SP 800-171, DFARS 252.204-7012, and annual SPRS affirmations remain fully in force. Clients who slow down are building compliance debt that will come due the moment Phase 2 requirements resume — and will face it with less preparation time and under potentially greater scrutiny given that they had a grace period and used it to do nothing.
Legal and Enforcement Questions
Q: Is the DoJ’s Civil Cyber-Fraud Initiative still active?
Yes. The Civil Cyber-Fraud Initiative, which uses the False Claims Act to pursue contractors and vendors who falsely certify cybersecurity compliance, has not been paused, modified, or suspended. It operates independently of CMMC’s certification schedule. Since CMMC Phase 1 self-assessments and annual SPRS affirmations remain active, the legal mechanism that makes false compliance claims actionable is fully intact. Enforcement actions have continued throughout 2025 and 2026 under this framework.
Q: What is the False Claims Act exposure in practical terms?
Under the FCA, any person or company that submits (or causes to be submitted) a false or fraudulent claim to the government is liable for three times the damages the government sustains, plus civil penalties that are currently $14,308 to $28,619 (and adjust annually for inflation) per false claim. In the cybersecurity context, “damages” includes breach response costs, investigation costs, and the value of contracts improperly awarded based on false compliance representations. DOJ has successfully settled FCA cybersecurity cases in the range of $10 million to $300 million. The size of the organization is not a shield — small contractors and their service providers have been pursued under this statute.
Q: What is the significance of the August 14, 2026 RFI deadline?
The DoW’s Request for Information (RFI) is the formal public comment mechanism for the CMMC Reform Task Force. Submissions received by August 14 will inform the task force’s report, due in mid-September. This is an unusually direct opportunity for MSPs, MSP associations, and compliance consultants to formally advocate for regulatory changes that address the ESP/MSP gap, assessment scalability, and the burden on small businesses. Industry input submitted during an RFI period carries legal weight in subsequent rulemaking — it becomes part of the administrative record. Organizations that do not submit are effectively ceding their position to others who will.
Forward-Looking Questions
Q: What is the “Brilliant at the Basics” framework the DoW CIO referenced?
This is a voluntary best-practices framework referenced by DoW CIO Kirsten Davies as a potential alternative or complement to the full CMMC control structure. The framework emphasizes a small set of high-impact, high-priority security practices: phishing-resistant MFA, shift-left security (building security into development rather than adding it after deployment), secure AI adoption, and continuous monitoring. It has not been formally defined or codified, but its inclusion in DoW communications suggests it may become an interim self-assessment standard or a tiered floor requirement if the task force restructures CMMC. MSPs should ensure their clients can demonstrate compliance with these practices regardless of what happens to the broader CMMC framework.
Q: What is NIST SP 800-171 Rev. 3, and should we care about it?
Yes. The FAR Council published a proposed government-wide CUI protection rule based on SP 800-171 Rev. 3 in June 2026. Rev. 3 restructures and expands the control families from Rev. 2, adds new controls around supply chain risk management and software security, and introduces organization-defined parameters that give agencies more flexibility in tailoring requirements. If this proposed rule is finalized and adopted by the DoW, it would replace Rev. 2 as the baseline for CMMC Level 2 — meaning organizations that are fully compliant with Rev. 2 today would need to perform a gap assessment and remediate new or changed controls. MSPs should begin tracking this rulemaking now and build Rev. 3 awareness into client compliance roadmaps.
Q: What should our firm’s 90-day plan look like?
Given the mid-September task force report date, MSPs serving DIB clients should structure the next 90 days around three priorities:
Audit and remediate (now through August 14): Conduct internal reviews of all client compliance representations; close documented gaps; build or upgrade evidence packages to NIST 800-171 practice-level mapping standards. Submit RFI comments by August 14.
Communicate and document (now through September): Brief all relevant clients on the suspension’s actual meaning; document those communications in writing; ensure clients understand that SPRS affirmations remain legally binding and that you are maintaining their compliance posture, not standing down.
Evaluate and position (September through October): Once the task force reports in mid-September, assess the revised landscape and adjust your service offerings, pricing, and contract language accordingly. If C3PAO certifications resume under a new timeline, get back into that pipeline immediately. If a new framework emerges, be among the first MSPs to map your services to it.
Additional Sources
Suspension of CMMC Phase II and What It Means for You
What to Know About the CMMC Final Rule: Key Changes and How to Prepare
Forging the Arsenal of Freedom: Department of War Suspends CMMC Phase II Requirements