Back to Blog
    cmmc
    nist-800-171
    defense-contractors

    CMMC Phase 2 Is Suspended, but Your Cybersecurity Obligations Are Not

    Dustin CollettJuly 14, 2026

    On July 13, 2026, the Department of War announced the immediate suspension of Cybersecurity Maturity Model Certification (CMMC) Phase II requirements. The third-party assessment rollout scheduled for November 10, 2026, is now on hold while a reform task force conducts a 60-day review of the program.

    For defense contractors, that sounds like relief. In one important sense, it is: the near-term requirement for many companies to obtain a CMMC Level 2 assessment from a Certified Third-Party Assessment Organization (C3PAO) has been suspended.

    But the underlying cybersecurity obligations did not disappear.

    The bar did not move. The referee left the field.

    What the Pentagon Actually Suspended

    The Department announced that it is suspending the transition to CMMC Phase II, along with pending and future CMMC implementation milestones in solicitations and contracts. Officials also directed contracting personnel to address active requirements affected by the suspension.

    The Department’s official announcement says:

    • Phase II requirements are suspended effective immediately.
    • The November 10, 2026, implementation milestone will not proceed as planned.
    • A CMMC Reform Task Force will review the program and report back within 60 days.
    • Phase I self-assessment requirements remain in place.
    • The Department may continue using selected government-led assessments.

    What happens after the review is not yet known. The program could be revised, narrowed, replaced with a more scalable verification model, or changed more substantially.

    That uncertainty is real. It is not, however, permission to stop protecting Controlled Unclassified Information (CUI).

    CMMC Phase 2 Died of Arithmetic

    This decision was driven in large part by capacity and cost.

    Department Chief Information Officer Kirsten Davies said the available assessor workforce was not large enough to complete the volume of evaluations required before the November deadline. Industry reporting described a mismatch involving more than 100,000 companies potentially needing assessments and only roughly 100 available assessors.

    In plain language: the math did not work.

    The Pentagon also cited prohibitive costs, administrative burdens, and barriers that were pushing small and nontraditional businesses away from the Defense Industrial Base (DIB). The concern was not merely that CMMC was inconvenient. The concern was that its implementation model could reduce competition and slow the delivery of critical capabilities.

    That is a legitimate program-design problem.

    It does not mean the security requirements were unnecessary. It means the planned verification system could not scale to the population it was expected to regulate.

    What Did Not Go Away

    The suspension removed a certification milestone. It did not erase the contract clauses and security standards that already apply to many defense contractors.

    The Department explicitly stated that contractors and subcontractors remain obligated to safeguard covered defense information under Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012.

    Depending on your contracts and the information you handle, continuing obligations may include:

    • Implementing the applicable controls in National Institute of Standards and Technology Special Publication 800-171 Revision 2.
    • Maintaining an accurate System Security Plan (SSP).
    • Tracking incomplete requirements through Plans of Action and Milestones (POA&Ms), where permitted.
    • Reporting cyber incidents and preserving forensic evidence as required by DFARS 252.204-7012.
    • Maintaining a current NIST SP 800-171 DoD Assessment score in the Supplier Performance Risk System (SPRS).
    • Completing applicable CMMC Phase I self-assessments.
    • Submitting the required affirmation of continued compliance.

    The Department’s current CMMC overview confirms that Phase I remains active. It describes annual affirmations for Level 1 and Level 2 self-assessment environments, with Level 2 based on the 110 requirements in NIST SP 800-171 Revision 2.

    Your building inspector retiring does not change the wiring in your walls.

    Likewise, suspending a third-party assessment does not change whether multifactor authentication is deployed, whether privileged access is controlled, whether audit logs are retained, or whether CUI is sitting in an unmanaged cloud service.

    Why an Inaccurate SPRS Score May Be More Dangerous Now

    A third-party assessment is expensive and disruptive, but it also creates a structured opportunity to identify gaps before they become contractual or enforcement problems.

    Without that external checkpoint, contractors may be tempted to leave an optimistic SPRS score in place and postpone remediation. That is where the risk increases.

    An SPRS score is not a marketing estimate. It should be supported by evidence showing how each applicable NIST SP 800-171 requirement is implemented. The score should align with the actual environment, the SSP, technical configurations, policies, and operating practices.

    The Department of Justice continues to pursue cybersecurity-related False Claims Act cases involving government contractors. In June 2026, the Justice Department announced a settlement with a defense contractor accused of submitting claims while failing to comply with contractual cybersecurity requirements. A government assessment reportedly produced a score of -170, near the low end of the possible scoring range, after the contractor had allegedly failed to implement important NIST SP 800-171 controls.

    The lesson is not that every imperfect environment creates False Claims Act liability. The legal standard involves factors such as knowledge, contractual requirements, materiality, and the specific representations made.

    The practical lesson is simpler: do not affirm a cybersecurity condition that your evidence cannot support.

    What Defense Contractors Should Do Now

    Do not pause remediation merely because the C3PAO deadline was suspended.

    Instead, use the breathing room to make the underlying program defensible.

    1. Confirm which clauses are in your contracts. Review prime contracts, subcontracts, purchase orders, and flow-down requirements for DFARS 252.204-7012, 252.204-7019, 252.204-7020, and any CMMC language.

    2. Validate your CUI scope. Identify where CUI is received, created, processed, stored, transmitted, printed, backed up, and destroyed. Excessive scope makes compliance harder and more expensive.

    3. Recalculate the SPRS score from evidence. Do not rely on a score created during a sales exercise or based on planned controls. Confirm each requirement against current technical and procedural evidence.

    4. Update the SSP and POA&M. The documentation should match the environment as it exists today. Remove completed items, add newly discovered gaps, and assign realistic owners and dates.

    5. Continue closing high-risk gaps. Prioritize identity security, multifactor authentication, privileged access, endpoint protection, logging, incident response, vulnerability management, backups, and CUI handling.

    6. Preserve assessment-ready evidence. Keep screenshots, configurations, policies, tickets, logs, training records, diagrams, and other artifacts organized by control family and assessment objective.

    7. Review affirmations before submission. The affirming official should understand what is being represented and have a reasonable basis for believing it is accurate.

    A mock assessment or independent readiness review can still be valuable. The goal is no longer to race toward a November certification date. The goal is to determine whether your organization can support what it has already stated to the government.

    The Audit Date Moved, Not the Security Standard

    CMMC Phase II may return in a revised form. It may be replaced by government-led assessments, risk-based sampling, automated evidence collection, a different certification model, or a narrower requirement for selected programs.

    No contractor can responsibly build a security strategy around guessing which option the task force will choose.

    The safer course is to separate compliance mechanics from contractual security obligations:

    • The mechanics are under review.
    • The obligations remain.
    • The threats remain.
    • Your representations still matter.

    If you had a formal C3PAO assessment scheduled, it may be reasonable to reconsider the timing and purpose of that engagement. It is not reasonable to stop securing the environment or correcting a score that does not match reality.

    Do Not Confuse a Pause With Permission

    The suspension gives defense contractors time. Used well, that time can reduce cost, correct scope, strengthen evidence, and close security gaps without the pressure of an immediate certification deadline.

    Used poorly, it can allow inaccurate documentation and unsupported affirmations to remain in place until a breach, government review, whistleblower complaint, or contract dispute exposes them.

    The bar did not move. Only the referee left.

    Collett Systems helps Wisconsin manufacturers and defense contractors evaluate NIST 800-171 readiness, validate SPRS scoring, scope CUI environments, and build practical remediation plans. Contact Collett Systems to schedule a readiness review.