LogicData is now a part of WM Synergy. Learn More

Skip to content

CMMC Phase Two Is Suspended. Here’s What That Actually Means for Aerospace and Defense Manufacturers

CMMC Phase Two Is Suspended. Here’s What That Actually Means for Aerospace and Defense Manufacturers

The Pentagon Just Hit Pause on Third-Party Assessments, But the Compliance Work Isn’t Over

On July 13, 2026, the Department of Defense suspended third party audit requirements for CMMC Phase 2. DoD Chief Information Officer Kirsten Davies signed a memo pausing the ramp-up of third-party CMMC assessments and opened a 60-day, “top-to-bottom” review of the program. (Source: DoD CIO Memo, “CMMC Reform,” July 13, 2026.)

If you’re an aerospace and defense manufacturer, that headline probably raised more questions than it answered. Does this mean CMMC is dead? Can you stop the compliance work you already started? Here’s our take.

What Actually Changed

CMMC Phase Two would have required independent third-party assessments, known as C3PAO audits, across Defense Department contracts involving sensitive but unclassified information. That requirement was set to begin ramping up in November 2026. It’s now suspended until further notice, along with other pending CMMC milestones. (Source: Federal News Network, “Pentagon suspends CMMC phase two requirements, launches review of program,” July 13, 2026.)

CMMC Phase One is a different story. Self-assessment requirements under Phase One have been enforced since November 2025, and they are not affected by this pause. DoD will keep relying on self-assessments and select government-led reviews while the review plays out. (Source: Infor, “Ultimate Guide to CMMC 2.0 Compliance Requirements.”)

Davies’ memo puts the reasoning in plain terms. Compliance costs and a shortage of accredited C3PAO assessors were, in her words, “actively forcing innovative new entrants and small businesses to opt out of DoD contracts.” That directly conflicts with Defense Secretary Pete Hegseth’s push to widen the industrial base, not narrow it. The Small Business Administration backed the decision, calling the current CMMC structure “an untenable barrier” for exactly the kind of small manufacturers the defense industrial base depends on.

How This Affects SMB Aerospace and Defense Manufacturers

DoD estimated roughly 80,000 companies would eventually fall under the third-party assessment requirement. A large share of those are small and mid-sized aerospace and defense subcontractors, the shops running bills of material, routings, and customer drawings tied to a defense program, often without a dedicated compliance department.

For those manufacturers, Phase Two wasn’t just another form to fill out. It was a real budget line and a real staffing question, often hindering growth plans. This pause takes some of that pressure off in the near term. It does not, however, change the underlying reality that if your ERP system touches Controlled Unclassified Information, that system and the processes around it need to hold up to scrutiny.

Do Aerospace and Defense Contractors Still Need to Worry About CMMC?

Yes. Phase One self-assessment obligations are still active, still enforced, and still tied to applicable contracts. DoD has been clear that during the review period, it wants contractors focused on what it calls “tangible cyber hygiene,” not a compliance checklist. The security expectations behind CMMC, most of which map back to NIST SP 800-171, haven’t gone anywhere. Only the third-party audit ramp-up has been paused. (Source: Infor, “Ultimate Guide to CMMC 2.0 Compliance Requirements.”)

That distinction matters. A manufacturer that reads this news as “CMMC is over” and stops documenting access controls or CUI handling is making a bet that the review produces a much lighter framework. Given how DoD has talked about this review, that may not be the safest way to hedge your bets.

What We’re Telling Clients to Do Right Now

Keep moving on the work you’ve already started. Access controls, system security plans, and audit-ready documentation built for CMMC preparation support NIST 800-171 requirements directly, and those requirements aren’t going away no matter how the framework gets restructured.

Use this window as a checkpoint rather than a reason to coast. If your ERP environment’s user access controls, audit logging, and CUI data handling were “in progress” a month ago, this is the time to make them documented and defensible, not the time to set the project aside.

Keep an eye on the CMMC Reform Task Force. Its recommendations are due within 60 days of the July 13 memo, and they will shape how third-party assessments apply to aerospace and defense contractors going forward.

Don’t treat Phase One as optional. Self-assessment requirements for applicable DoD contracts are fully in force during the review, regardless of what happens to Phase Two.

What Happens Next

CMMC has been down this road before. In 2021, the Biden administration paused the original CMMC program for a similarly sweeping review, and that process produced CMMC 2.0. DoD has said it wants a scalable framework that “lowers barriers for small, medium, and non-traditional businesses” while still holding the line on real security outcomes. Based on that history, aerospace and defense contractors should expect meaningful changes out of this review, not a quiet return to the status quo.

Where WM Synergy Fits

WM Synergy has worked with aerospace and defense manufacturers navigating CMMC and NIST compliance for years, long before this latest reshuffle. Whether your ERP environment can produce a defensible audit trail today is a question we help clients answer regardless of which phase of CMMC happens to be active. If you want a clear read on where your systems stand, our team can help you assess it.

Frequently Asked Questions About the CMMC Phase Two Suspension

CMMC Phase 2 is the stage of the Cybersecurity Maturity Model Certification program that would have required independent, third-party (C3PAO) cybersecurity audits for Defense Department contracts involving sensitive but unclassified information. It was set to begin ramping up on November 10, 2026, before DoD suspended it.

DoD's CMMC Reform Task Force has 60 days from the July 13, 2026 memo to deliver recommendations on a revised framework.

No. DoD has indicated that cybersecurity and documentation work already underway will carry forward into whatever framework replaces the current CMMC structure, and NIST 800-171-based security expectations haven't changed.

Sources: Federal News Network, “Pentagon suspends CMMC phase two requirements, launches review of program,” July 13, 2026 Infor, “Ultimate Guide to CMMC 2.0 Compliance Requirements”

Is your manufacturing future-ready?

Discover the future of formula-based manufacturing in our exclusive on-demand webinar, Behind the Batch. Join us as we explore the transformative power of Acumatica's Process Manufacturing ERP Suite, designed to meet the evolving demands of the industry. Learn how modern, cloud-based solutions can elevate your operations, ensuring consistent quality, efficient formula management, streamlined production, and adherence to rigorous standards. Don't miss out – watch now to unlock your competitive advantage.
CTA Image