CMMC Phase II Is Suspended but Your Obligations Are Not

The Department of Defense just paused CMMC Phase II. Before you move, here's what you still have to do, who can still assess you, and why waiting could put you at the back of a very long line.

Risk Level

Read Time

On July 13, 2026, the Department of Defense announced the immediate suspension of CMMC Phase II, the phase that was set to require third-party certification starting November 10, 2026. Alongside it, the Department opened a 60-day task force review of the whole program, pointing to compliance costs that were pushing smaller companies out of the defense industrial base.

If you're a defense contractor, the word “suspended” is easy to read as “off the hook” but we’re here to tell you that reading will cost some companies a lot of money. And while we are a Certified Third Party Assessment Organization (C3PAO), we’ll address the elephant in the room and let you know that the following advice is based on years of working in and around the federal government.

The certification step is paused, but the requirement to actually protect defense data, and to prove it when the government asks, did not. Here's what changed, what didn't, and why this pause is a window you want to use rather than a break you want to take.

“Ok, so what did they actually announce?”

The Department suspended the transition to Phase II, along with pending and future CMMC milestones across its solicitations and contracts. A CMMC Reform Task Force will spend 60 days reviewing the program and recommending a more scalable approach, with a report due to the DoW CIO at the end of that period.

The stated goal is to cut compliance overhead for small and mid-sized businesses. We will note this has always been known but seemingly ignored by the Department in the lead up to CMMC. The Department was at least clear that this is not a retreat from security. In its own words, the action “does not eliminate the requirement for companies to protect federal data.”

“Great, so I can stop worrying about all this, right?”

Not quite. Four things stayed exactly where they were:

  1. Phase I self-assessments remain in place. If you were required to self-assess and post a score, you still are. The suspension doesn't erase that.

  2. DFARS 252.204-7012 is still in force. This is the clause that requires you to safeguard covered defense information, implement NIST SP 800-171 (Rev 2 for current enforcement), report cyber incidents within 72 hours, and flow those requirements down to your subcontractors. The CMMC suspension left it untouched. It was the backbone of contractor cybersecurity obligations long before CMMC enforcement existed, and it remains the backbone now.

  3. The government can still assess you directly. DIBCAC, the Defense Industrial Base Cybersecurity Assessment Center inside the Defense Contract Management Agency, conducts government-led assessments of contractor compliance. That authority now lives in DFARS 252.240-7997, renumbered from 252.204-7020 in February 2026 (new number who this). The Department's release confirms it will keep enforcing compliance during the interim through self-assessments and select government-led assessments. “Select” means risk-based rather than universal, but if you post a suspiciously perfect score, handle sensitive technology, or draw a whistleblower referral, you are exactly the kind of company that gets a closer look.

  4. False Claims Act exposure is unchanged. This is the one that catches people so read on.

“But I haven't been breached. Doesn't that keep me safe?”

The most common misconception about cybersecurity liability is that you're only at risk if you get breached which is the case for laws like the CCPA, and GDPR. Under the False Claims Act, however, it’s looking at a different mechanism.

Liability attaches to the misrepresentation, not to any incident that follows it. When you certify compliance as a condition of a contract or payment and that certification is false, you have made a false claim. Whether a hacker ever touches your network isn’t the deciding factor. The Justice Department has said this plainly, and its recent cases prove it.

MORSE Corp paid $4.6 million in 2025 to resolve allegations that it reported a self-assessment score of 104 when its actual score was deeply negative. Georgia Tech's research corporation paid $875,000 over allegations tied to unmet controls and a misrepresented score. Health Net Federal Services agreed to $11.25 million to resolve claims it falsely certified compliance. None of these cases required a data breach. The alleged false statement was the violation.

The trend is accelerating. Cybersecurity recoveries have climbed sharply and the government recovered a record amount under the False Claims Act in fiscal year 2025. Enforcement reached down the supply chain to subcontractors and, in one December 2025 case, to an individual manager facing criminal charges

“Fine, but if assessments are paused, why rush?”

Set aside enforcement for a moment - the task force has 60 days. Certification, in some form, is coming back. And the fundamentals of what a C3PAO evaluates, your implementation of NIST SP 800-171, your documentation, your evidence, are not going to transform into something unrecognizable. The controls that matter today will still matter when assessments resume and likely with less overheard for Organizations Seeking Certification (OSCs) and C3PAOs alike.

That creates a simple dynamic: the contractors who treat this pause as time to get their house in order will be ready the moment the door reopens. The contractors who treat it as a break will be scrambling later, competing for a limited number of assessment slots against every other company that also waited. We can attest that assessor capacity is finite at the moment and the pause isn’t going to help things.

“Ok but what do I do now?”

You don't need to guess where you stand, and you shouldn't wait for a government-led assessment to find out the hard way. The smartest move during this window is to get assessed on your own terms, by an assessor who evaluates you against the same requirements that are live today.

As a C3PAO, we run CMMC mock assessments that mirror the real thing. We show you exactly where your implementation holds up, where it falls short, and because we’re not certifying you, we can tell you what to fix before it becomes a finding on a government assessment or a line in a False Claims Act complaint. You walk away knowing your real position.

To summarize: the enforcement didn't slow down and the only thing that changed is that you likely have a little more time to get it right so USE IT!

Ready to see where you actually stand? Book a CMMC mock assessment.


Ready to see where you stand? Book a mock assessment


 

Follow us - stay ahead.

Previous
Previous

Are Your Passwords in the Green?

Next
Next

Show AND Tell: The Importance of Policies in a CMMC Assessment