In the span of about 24 hours, the Department of War rewrote the near-term future of CMMC. On July 13, the Under Secretary of War for Acquisition and Sustainment signed a memo suspending the November 2026 transition to CMMC Phase 2 — no more Level 2 (C3PAO) or Level 3 (DIBCAC) assessment designations while a 60-day review runs. And right behind it came the part most of the industry chatter is skipping: an RFI, Reforming CMMC and Reducing Compliance Burden for the Defense Industrial Base, asking contractors to tell the newly stood-up CMMC Reform Task Force exactly what to fix.
The suspension is the headline. The RFI is the opportunity. If your firm has been staring down a five- or six-figure C3PAO prep bill, the next 30 days are your one formal channel to influence what replaces it. Here's what the memo actually changed, what to watch on your active pursuits, and how to put together a response worth reading.
What the July 13 memo actually says
The memo (26-P-1023) frames the suspension under Pillar 3 of the Acquisition Transformation Strategy — maximizing acquisition flexibility through reduced regulations and process — and cites Executive Order 14265 from April 2025. The DoW CIO has paused the CMMC rollout, suspended Phase 2 implementation, and initiated a 60-day review focused on keeping the Defense Industrial Base secure "without imposing significant burden" on small and non-traditional businesses. The operative changes, per Attachment 1:
- Only self-assessments may be designated. Program offices and requiring activities may only include CMMC Level 1 (Self) or CMMC Level 2 (Self) in procurement requests and requirement documents. Level 2 (C3PAO) and Level 3 (DIBCAC) designations are off the table for the duration of the suspension.
- Active solicitations get amended. If a requirements package included a C3PAO or DIBCAC requirement, Program Managers must initiate amendments, and contracting officers must issue corresponding solicitation amendments "as soon as practicable."
- Existing contracts get modified. Contracting officers are directed to remove C3PAO/DIBCAC requirements via modification prior to the next option exercise or during the next scheduled administrative modification — whichever comes first in practice.
- Waivers are suspended too. Because program offices can no longer select requirements that would need a C3PAO or DIBCAC assessment, no waivers will be granted during the review.
- The floor hasn't moved. DFARS 252.204-7012 remains in effect, and CMMC Level 2 (Self) is still aligned to NIST SP 800-171 Rev 2. FAR 52.204-21 basic safeguarding still governs FCI at Level 1.
Read that last bullet twice before you deprioritize anything. This is a suspension of third-party assessment designations, not a cybersecurity holiday. Your System Security Plan, your SPRS score, your incident reporting obligations under 7012 — all still live. Companies mid-stream on C3PAO prep aren't wasting that work either; the underlying 800-171 Rev 2 controls are the same ones a Level 2 self-assessment attests to, and nothing in the memo says third-party certification won't return in some form after the review.
If you have an active DoW pursuit, check it this week
The amendment directive is immediate and mandatory, which means a wave of solicitation amendments is about to move through SAM.gov and the portals. Three things for capture and proposal teams to do now:
First, inventory your pipeline for C3PAO/DIBCAC requirements. Any active solicitation carrying one should get amended. Watch for the amendment — and read it fully, because contracting officers rarely change just one thing. Page limits, due dates, and evaluation language have a way of shifting in the same amendment that removes the CMMC clause.
Second, reassess your competitive position. If a certification requirement was thinning the field on a pursuit — and you were one of the certified few — that moat just drained. Conversely, if a C3PAO requirement had you leaning no-bid, the calculus may have flipped. Either way, the bid/no-bid math on affected pursuits deserves a fresh pass.
Third, if you hold contracts with these requirements baked in, expect a modification before your next option exercise or at the next admin mod. That's relief on compliance cost, but confirm in writing what remains — the 7012 and 800-171 obligations don't come out with the assessment requirement.
The RFI: your 10 pages in front of the Reform Task Force
Now the part that deserves more attention than it's getting. The RFI exists to feed the CMMC Reform Task Force during its 60-day review, and the questions are unusually direct about what the government wants to hear: where the money goes, which controls work, and which requirements are compliance theater.
The RFI asks seven questions. Read as a set, they sketch the reform the Task Force is already leaning toward: heavier reliance on self-attestation, formal recognition of commercial cybersecurity tooling, and a control set trimmed to what measurably reduces risk. Here's each question and what a strong response actually requires:
| What They're Asking | What to Bring |
|---|---|
| 1. Top 5 cost drivers in complying with CMMC / NIST 800-171 Rev 2 | Real numbers. Consultant fees, enclave buildouts, GCC High migration costs, staff hours. Ranked, quantified, sourced from your own books. |
| 2. Controls with the most tangible uplift | Specific control families that stopped or caught something — MFA, logging, endpoint detection — with the incident or near-miss to back it up. |
| 3. Controls with high burden, low security value | The inverse list. This is where documentation-heavy requirements get named. Be specific about hours spent vs. risk reduced. |
| 4. Commercial cybersecurity capabilities you already use | Your actual stack — managed services, platforms, SOC providers — and a concrete proposal for how DoW should credit them in a compliance framework. |
| 5. Phase 1 self-assessment pain points | Honest answer to their pointed question: did self-assessment change your cyber posture, or is it performed only for compliance? |
| 6. Policy reforms to cut cost and barriers (60-day horizon) | Actionable and specific. "Reduce burden" is noise; "accept SOC 2 Type II / ISO 27001 as reciprocal evidence for control families X, Y, Z" is signal. |
| 7. Policy reforms to improve operational resilience (60-day horizon) | The question most respondents will phone in — which makes it the differentiator. Resilience, not just protection: recovery, continuity, threat intel sharing. |
Note the framing in questions 6 and 7: the Task Force wants recommendations it can act on within its 60-day window. Long-horizon regulatory rewrites won't land. Reforms implementable by memo, clause change, or acceptance policy will.
The fine print that will disqualify sloppy responses
The RFI's description section states that submissions must not contain proprietary data, and the Government will not consider or review any responses marked as proprietary. The format section, however, instructs respondents to mark proprietary information appropriately and include a proprietary information statement "if applicable."
These two instructions point in opposite directions. The conservative play — and the one we recommend — is to write the entire response as non-proprietary. Sanitize your cost data into ranges, describe your commercial stack by category rather than contract terms, and skip anything you'd need to mark. A response set aside on a marking technicality helps nobody. If your input genuinely requires proprietary detail, email the POC for clarification before you write, not after.
Beyond that, the mechanics deserve respect, because RFI responses get screened on compliance before anyone reads for substance:
- Noon, not midnight. Responses are due at 12:00 PM Eastern on Friday, August 14. Calendar it as a morning deadline. A 4 PM submission that day is a non-submission.
- Email only, both addresses. The RFI names an organizational mailbox and the POC. Submissions to anyone else won't be considered. No hard copies, no portals.
- Reference the subject line exactly: "Subject: Reforming CMMC and Reducing Compliance Burden for the DIB."
- 10 pages, single-spaced, Times New Roman 10-point, one-inch margins. Graphics and table text no smaller than 9-point. Material beyond the limit "may or may not be considered" — assume it won't be.
- Include the admin block: company name, UEI/DUNS, CAGE code, and full POC details. The RFI still asks for a fax number. It's 2026. Give them a fax number.
- No brochures. Extraneous marketing material is explicitly excluded. Ten pages of substance beats eight pages of substance stapled to a capabilities one-pager.
One more clarification the RFI itself makes: responding does not constitute a CMMC self-attestation. Answering question 5 candidly about your self-assessment gaps does not create a compliance representation. Say what's true.
Why this one is worth the response effort
Our usual guidance on RFIs is ruthless triage — most are worth a response only when they position you for the solicitation behind them. This RFI has no solicitation behind it, no award, no reimbursement. And it's still one of the highest-leverage documents a small or mid-sized defense contractor can respond to this year, for one reason: the output isn't a contract, it's the rulebook. Sixty days from now, the Task Force's recommendations will shape the cybersecurity requirements attached to every DoW solicitation you bid for years.
The businesses with the most at stake — small and non-traditional firms for whom C3PAO prep was a real percentage of annual revenue — are exactly the ones the memo says this review is designed to protect. If those firms don't respond, the record gets written by the large primes and the assessment-industry incumbents, whose cost structures and incentives look nothing like yours.
A focused response is a two-to-three day effort: pull your actual compliance spend, rank it, name the controls that earn their keep and the ones that don't, and make two or three implementable recommendations. That's the whole assignment. Ten pages is a ceiling, not a target — a sharp six-page response beats a padded ten every time.
What to do this week
Before August: sweep your pipeline for C3PAO/DIBCAC requirements and watch for amendments. Assign one owner to the RFI response and have them start with your compliance cost data — question 1 is the anchor, and it takes the longest to source credibly. Draft against the seven questions in order, keep everything non-proprietary, and submit early. Noon deadlines punish the last-minute.
Want the full breakdown without reading the documents yourself? We ran both the suspension memo and the RFI through RFP Snapshot the morning they dropped — response requirements, all seven questions, the proprietary-data conflict, and the submission logistics, structured into a 4-page Snapshot. Comment "snapshot" on our LinkedIn post or sign up at app.rfpsnapshot.com — first three Snapshots are free, no credit card required.