Policy Watch

CMMC Phase 2 Is Suspended. The Reform RFI Is How You Shape What Comes Next.

July 14, 2026 · 8 min read

In the span of about 24 hours, the Department of War rewrote the near-term future of CMMC. On July 13, the Under Secretary of War for Acquisition and Sustainment signed a memo suspending the November 2026 transition to CMMC Phase 2 — no more Level 2 (C3PAO) or Level 3 (DIBCAC) assessment designations while a 60-day review runs. And right behind it came the part most of the industry chatter is skipping: an RFI, Reforming CMMC and Reducing Compliance Burden for the Defense Industrial Base, asking contractors to tell the newly stood-up CMMC Reform Task Force exactly what to fix.

The suspension is the headline. The RFI is the opportunity. If your firm has been staring down a five- or six-figure C3PAO prep bill, the next 30 days are your one formal channel to influence what replaces it. Here's what the memo actually changed, what to watch on your active pursuits, and how to put together a response worth reading.

What the July 13 memo actually says

The memo (26-P-1023) frames the suspension under Pillar 3 of the Acquisition Transformation Strategy — maximizing acquisition flexibility through reduced regulations and process — and cites Executive Order 14265 from April 2025. The DoW CIO has paused the CMMC rollout, suspended Phase 2 implementation, and initiated a 60-day review focused on keeping the Defense Industrial Base secure "without imposing significant burden" on small and non-traditional businesses. The operative changes, per Attachment 1:

Read that last bullet twice before you deprioritize anything. This is a suspension of third-party assessment designations, not a cybersecurity holiday. Your System Security Plan, your SPRS score, your incident reporting obligations under 7012 — all still live. Companies mid-stream on C3PAO prep aren't wasting that work either; the underlying 800-171 Rev 2 controls are the same ones a Level 2 self-assessment attests to, and nothing in the memo says third-party certification won't return in some form after the review.

If you have an active DoW pursuit, check it this week

The amendment directive is immediate and mandatory, which means a wave of solicitation amendments is about to move through SAM.gov and the portals. Three things for capture and proposal teams to do now:

First, inventory your pipeline for C3PAO/DIBCAC requirements. Any active solicitation carrying one should get amended. Watch for the amendment — and read it fully, because contracting officers rarely change just one thing. Page limits, due dates, and evaluation language have a way of shifting in the same amendment that removes the CMMC clause.

Second, reassess your competitive position. If a certification requirement was thinning the field on a pursuit — and you were one of the certified few — that moat just drained. Conversely, if a C3PAO requirement had you leaning no-bid, the calculus may have flipped. Either way, the bid/no-bid math on affected pursuits deserves a fresh pass.

Third, if you hold contracts with these requirements baked in, expect a modification before your next option exercise or at the next admin mod. That's relief on compliance cost, but confirm in writing what remains — the 7012 and 800-171 obligations don't come out with the assessment requirement.

The RFI: your 10 pages in front of the Reform Task Force

Now the part that deserves more attention than it's getting. The RFI exists to feed the CMMC Reform Task Force during its 60-day review, and the questions are unusually direct about what the government wants to hear: where the money goes, which controls work, and which requirements are compliance theater.

RFI — Reforming CMMC and Reducing Compliance Burden for the DIB
Issuer: Department of War (WHS / EOSD-PSB)
Type: RFI — market research only, no award
Purpose: Industry input to the CMMC Reform Task Force
POC: Ms. Leanne Condren
Response Due: Friday, August 14, 2026, 12:00 PM ET
Submission: Email only, to both addresses in the RFI
Page Limit: 10 pages + 1-page cover letter (excluded)
Format: Times New Roman 10pt, single-spaced, 1″ margins; Word or PDF

The RFI asks seven questions. Read as a set, they sketch the reform the Task Force is already leaning toward: heavier reliance on self-attestation, formal recognition of commercial cybersecurity tooling, and a control set trimmed to what measurably reduces risk. Here's each question and what a strong response actually requires:

What They're AskingWhat to Bring
1. Top 5 cost drivers in complying with CMMC / NIST 800-171 Rev 2Real numbers. Consultant fees, enclave buildouts, GCC High migration costs, staff hours. Ranked, quantified, sourced from your own books.
2. Controls with the most tangible upliftSpecific control families that stopped or caught something — MFA, logging, endpoint detection — with the incident or near-miss to back it up.
3. Controls with high burden, low security valueThe inverse list. This is where documentation-heavy requirements get named. Be specific about hours spent vs. risk reduced.
4. Commercial cybersecurity capabilities you already useYour actual stack — managed services, platforms, SOC providers — and a concrete proposal for how DoW should credit them in a compliance framework.
5. Phase 1 self-assessment pain pointsHonest answer to their pointed question: did self-assessment change your cyber posture, or is it performed only for compliance?
6. Policy reforms to cut cost and barriers (60-day horizon)Actionable and specific. "Reduce burden" is noise; "accept SOC 2 Type II / ISO 27001 as reciprocal evidence for control families X, Y, Z" is signal.
7. Policy reforms to improve operational resilience (60-day horizon)The question most respondents will phone in — which makes it the differentiator. Resilience, not just protection: recovery, continuity, threat intel sharing.

Note the framing in questions 6 and 7: the Task Force wants recommendations it can act on within its 60-day window. Long-horizon regulatory rewrites won't land. Reforms implementable by memo, clause change, or acceptance policy will.

The fine print that will disqualify sloppy responses

The proprietary-data conflict

The RFI's description section states that submissions must not contain proprietary data, and the Government will not consider or review any responses marked as proprietary. The format section, however, instructs respondents to mark proprietary information appropriately and include a proprietary information statement "if applicable."

These two instructions point in opposite directions. The conservative play — and the one we recommend — is to write the entire response as non-proprietary. Sanitize your cost data into ranges, describe your commercial stack by category rather than contract terms, and skip anything you'd need to mark. A response set aside on a marking technicality helps nobody. If your input genuinely requires proprietary detail, email the POC for clarification before you write, not after.

Beyond that, the mechanics deserve respect, because RFI responses get screened on compliance before anyone reads for substance:

One more clarification the RFI itself makes: responding does not constitute a CMMC self-attestation. Answering question 5 candidly about your self-assessment gaps does not create a compliance representation. Say what's true.

Why this one is worth the response effort

Our usual guidance on RFIs is ruthless triage — most are worth a response only when they position you for the solicitation behind them. This RFI has no solicitation behind it, no award, no reimbursement. And it's still one of the highest-leverage documents a small or mid-sized defense contractor can respond to this year, for one reason: the output isn't a contract, it's the rulebook. Sixty days from now, the Task Force's recommendations will shape the cybersecurity requirements attached to every DoW solicitation you bid for years.

The businesses with the most at stake — small and non-traditional firms for whom C3PAO prep was a real percentage of annual revenue — are exactly the ones the memo says this review is designed to protect. If those firms don't respond, the record gets written by the large primes and the assessment-industry incumbents, whose cost structures and incentives look nothing like yours.

A focused response is a two-to-three day effort: pull your actual compliance spend, rank it, name the controls that earn their keep and the ones that don't, and make two or three implementable recommendations. That's the whole assignment. Ten pages is a ceiling, not a target — a sharp six-page response beats a padded ten every time.

What to do this week

Before August: sweep your pipeline for C3PAO/DIBCAC requirements and watch for amendments. Assign one owner to the RFI response and have them start with your compliance cost data — question 1 is the anchor, and it takes the longest to source credibly. Draft against the seven questions in order, keep everything non-proprietary, and submit early. Noon deadlines punish the last-minute.

Want the full breakdown without reading the documents yourself? We ran both the suspension memo and the RFI through RFP Snapshot the morning they dropped — response requirements, all seven questions, the proprietary-data conflict, and the submission logistics, structured into a 4-page Snapshot. Comment "snapshot" on our LinkedIn post or sign up at app.rfpsnapshot.com — first three Snapshots are free, no credit card required.

An RFI dropped. Your response window is 30 days. Triage it in 3 minutes.

Upload any federal RFI, sources sought, or solicitation and get a standardized ~4-page Opportunity Snapshot — response requirements, deadlines, document conflicts flagged. First three are free.

Try It Free →
← Back to Blog