CMMC Phase II Suspended: Impact on Higher Ed Defense Research

Article CMMC

July 14, 2026

Aerial view of the Pentagon building, the headquarters of the United States Department of Defense, located in Arlington, Virginia

On July 13, 2026, the Department of War announced the immediate suspension of Cybersecurity Maturity Model Certification (CMMC) Phase II requirements, originally set to take effect November 10, 2026. DoW Chief Information Officer Kirsten A. Davies broke the news in a short video message, and Under Secretary of War for Acquisition and Sustainment Michael P. Duffey signed the implementing memorandum that same day.

Both moves fall under Secretary Pete Hegseth’s Acquisition Transformation System, aimed at speeding up capability delivery and easing compliance barriers for small and non-traditional businesses in the defense industrial base.

A 60-day CMMC Reform Task Force review is now underway. Industry can weigh in through a Request for Information on SAM.gov, with comments due August 14, 2026. Worth bookmarking is the DoD CIO’s CMMC program page for updates once the review wraps up.

What Actually Changed

Program offices can now only require Level 1 or Level 2 self-assessments in new solicitations. Third-party assessments from Certified Third-Party Assessment Organizations and government-led DIBCAC certification assessments are off the table while the review is underway. Solicitations and contracts already carrying those requirements are being amended to remove them, and no new waivers are going out in the meantime.

What Hasn’t Changed

Here’s where it gets important. Phase I self-assessment requirements are still in force. DFARS 252.204-7012 and FAR 52.204-21 haven’t gone anywhere. NIST SP 800-171 Revision 2 is still the baseline: all 110 controls and 320 assessment objectives for Controlled Unclassified Information  (CUI), and the 15 basic safeguarding requirements for FCI.

FedRAMP Moderate cloud-handling rules for CUI are unchanged. The 72-hour incident reporting window is still in play. DFARS 252.204-7020 still gives the government the right to show up and assess a contractor directly. In short, the certification requirement is paused. Everything underneath it keeps running.

The Higher Education Angle

This lands right in the middle of an active compliance cycle for a lot of campuses. A good share of higher education handles Controlled Unclassified Information through sponsored research, plus subcontracts flowing down from primes and federal labs. Sponsored programs offices and research computing teams have spent the last year or two building System Security Plans, standing up separate CUI enclaves, and gearing up for a Level 2 certification assessment that’s now off the calendar, at least for the moment.

That’s genuine relief on cost and scheduling, and it’s tempting to read it as permission to shelve the whole effort. Don’t! Export-controlled and CUI-designated research doesn’t stop moving just because a certification requirement got paused, and the flow-down obligations owed to subrecipients under DFARS 7012 haven’t changed either.

Most research universities are handling financial aid data under GLBA and student records under FERPA on the very same networks, often relying on the same access controls, logging, and incident response processes to cover all three. Let the NIST 800-171 baseline slip because CMMC paused, and it weakens the other two as well, not just the defense side.

The score sitting in the Supplier Performance Risk System is still a representation made to the federal government. An inflated or stale one still carries real False Claims Act exposure, whether or not a C3PAO ever sets foot on campus.

A Security Advisor’s Recommendations for Higher Education: 

Treat this as a scheduling change, not an off-ramp for compliance. For institutions managing DoD-funded research, here’s where to focus:

  • Pull the current SPRS score and make sure it actually reflects today’s environment, not last year’s CUI enclave. That’s the number a contracting officer or government assessor sees first.
  • Keep the SSP and POA&M current. They’re still the working baseline for self-assessment, and for the government-led assessments that are explicitly still on the table during the review.
  • Have sponsored programs and research computing sit down together and go through every active and pending award. Flag anything that still carries a Level 2 (C3PAO) or Level 3 (DIBCAC) requirement, since that language is being stripped out, and don’t let a proposal or subrecipient agreement keep budgeting for an assessment that’s no longer required.
  • Revisit flow-down language in subaward agreements. A subrecipient whose compliance plan was built around the old Phase II timeline may need an amendment, or at least a conversation, before the next reporting cycle.
  • Bring export control and research security officers into this conversation, not just IT. On most campuses, CUI tends to run through ITAR/EAR-controlled research and data segmentation.
  • Comment on the RFI before August 14. Higher education’s compliance burden doesn’t look like a manufacturing subcontractor’s. Distributed research environments, academic freedom, and mixed funding sources on the same network make for a different risk picture, and that difference belongs in the record while the task force is still working and writing.
  • Keep building toward full NIST 800-171 compliance itself, not toward a specific assessment date. Whatever comes out of the 60-day review will almost certainly still run through the same 110 controls. Institutions that keep moving now won’t be scrambling later.

Primary sources: the Department of War’s press release announcing the suspension, the signed implementing memorandum (26-P-1023), CIO Kirsten Davies’ video announcement, and the DoD CIO’s CMMC program page.

Share

About the Author
Jason Klinger

Jason Klinger

CISA, CMMC-RPA

Security Advisor

Jason is a customer focused professional and member of the CampusGuard Security Advisor team with 20 years of experience in IT and Information Security. He partners with higher education and government agencies to reduce risk, ensure audit-readiness, and adapt to evolving internal and external challenges. Known for his strategic insight and dedication to customer success, he excels at evaluating client processes and technologies to identify vulnerabilities and non-compliance. His collaborative approach helps clients strengthen their security posture and optimize resources through thoughtful planning and remediation.

Related Content