Skip to content
CMMC Phase II Is Suspended. Your Obligation to Protect CUI is Not.

What Every Defense Contractor Needs To Know After the Department of War Paused CMMC Phase II Implementation

The Department of War's decision has created significant confusion across the Defense Industrial Base. Here's what changed, what didn't, and what your organization should do next.

 

The Headlines Are Misleading

When the Department of War (DOW) announced the immediate suspension of CMMC Phase II implementation on July 13, 2026, many defense contractors came away with the wrong conclusion.

Some assumed CMMC had been canceled.

Others believed compliance deadlines had been pushed indefinitely.

Still others viewed the announcement as an opportunity to pause cybersecurity investments until the government provides additional guidance.

None of those conclusions are accurate.

The DOW did suspend the planned transition to mandatory third-party CMMC Level 2 assessments and launched a 60-day review of the program. However, the underlying obligation to protect Controlled Unclassified Information (CUI) did not change. Contractors handling CUI remain subject to DFARS 252.204-7012, NIST SP 800-171 Rev. 2, self-assessments, SPRS reporting, executive affirmations, and the responsibility to safeguard federal information.

This distinction is critical.

The government paused one enforcement mechanism. It did not pause cybersecurity.

For organizations that do business with the Department of War, the question is no longer, "Do we still need to prepare for CMMC?" The better question is, "What does contract-ready cybersecurity look like while the program is being reformed?"

Understanding that distinction will help organizations avoid one of the biggest risks created by this announcement: mistaking a pause in certification requirements for a pause in security obligations.

 

What Actually Changed

At first glance, the DOW’s announcement appears to be a significant shift in cybersecurity policy. In reality, the change is much narrower than many organizations initially believed.

The DOW suspended the planned implementation of CMMC Phase II, which would have expanded the use of mandatory third-party CMMC Level 2 assessments performed by Certified Third-Party Assessment Organizations (C3PAOs). During the suspension, contracting activities may require only CMMC Level 1 (Self) or CMMC Level 2 (Self) assessments in solicitations and contracts while the DOW conducts a comprehensive 60-day review of the program. Existing solicitations and contracts containing Level 2 (C3PAO) or Level 3 assessment requirements are also being directed to remove those requirements through amendments or future contract modifications.

For defense contractors, this means one thing above all else:

The assessment model changed. The security standard did not.

 

CMMC Phase II Suspension

What Changed vs. What Didn't

What Changed What Didn’t Change
Phase II implementation is suspended. Contractors must still protect Controlled Unclassified Information (CUI).
Mandatory CMMC Level 2 (C3PAO) assessments are paused. DFARS 252.204-7012 remains in effect.
Level 3 implementation is paused during the review. NIST SP 800-171 Rev. 2 remains the required security baseline.
New solicitations may only require Level 1 (Self) or Level 2 (Self) assessments. Level 2 self-assessments remain the active requirement for organizations handling CUI.
Existing solicitations and contracts are being updated to remove paused assessment requirements. SPRS submissions and executive affirmations remain required.
A 60-day CMMC Reform Task Force is evaluating the future of the program. Organizations must continue maintaining documentation, evidence, and ongoing cybersecurity readiness.

Key Takeaway

The certification process changed. The responsibility to protect federal information did not.

This distinction is where much of the market confusion begins. Many organizations focused on what was suspended without recognizing that the contractual and cybersecurity obligations they have been operating under remain in effect. That misunderstanding creates unnecessary business risk and could lead organizations to make decisions based on incomplete information.

For many organizations, this announcement removes the pressure of an immediate third-party assessment. It does not remove the business risk associated with protecting CUI, meeting contractual obligations, or demonstrating cybersecurity readiness to customers, prime contractors, and the Department of War.

 

Why the Department of War Hit Pause

The suspension of CMMC Phase II was not a retreat from cybersecurity. It was a recognition that the current implementation model risked becoming a barrier to defense acquisition.

The DOW cited several factors behind its decision, including the cost and complexity imposed on small and medium-sized businesses, limited third-party assessment capacity, and the need to accelerate innovation across the Defense Industrial Base (DIB). Rather than continuing with a model that could slow procurement and reduce participation, the DOW chose to pause Phase II implementation while conducting a comprehensive review of the program.

One of the most significant challenges was assessment capacity. The planned rollout depended on a relatively small number of Certified Third-Party Assessment Organizations (C3PAOs) conducting assessments for tens of thousands of organizations expected to require certification. The result was an increasing concern that assessment demand would exceed available capacity, creating delays that could impact contract awards and slow the delivery of critical capabilities to the DOW.

The DOW's announcement also aligns with its broader Acquisition Transformation System (ATS) initiative, which seeks to reduce unnecessary bureaucracy, lower barriers for non-traditional defense contractors, and accelerate the adoption of commercial technology. The stated objective is to replace administrative friction with scalable, risk-based security measures while maintaining the protection of federal information.

It is important to understand what the DOW did not say.

At no point did the DOW suggest that cybersecurity standards were too high or that protecting CUI was no longer a priority. Instead, the focus was on improving how compliance is validated, not whetherorganizations must implement appropriate cybersecurity controls.

For defense contractors, that distinction matters.

The DOW is reevaluating the certification process, not lowering the expectation that organizations implement and maintain effective cybersecurity practices.

 

The Biggest Mistake Defense Contractors Could Make

The greatest risk created by the CMMC Phase II suspension is not a cybersecurity vulnerability. It is a misunderstanding.

Some organizations will interpret the announcement as permission to delay remediation, postpone cybersecurity investments, or stop preparing for compliance altogether. That would be a costly mistake.

While the DOW paused the requirement for mandatory third-party CMMC Level 2 assessments, it did not pause the contractual obligation to safeguard Controlled Unclassified Information (CUI). Organizations that handle CUI remain responsible for implementing NIST SP 800-171 Rev. 2, maintaining accurate self-assessments, supporting executive affirmations, and protecting federal information in accordance with DFARS requirements.

In many respects, the importance of self-assessments has actually increased.

Without the immediate pressure of a scheduled third-party assessment, organizations now bear greater responsibility for ensuring their security posture accurately reflects reality. Executives signing annual affirmations should have confidence that their organization's documentation, evidence, and implemented controls support those statements. A self-assessment should never become a paper exercise. An organization should be able to demonstrate that every control claimed as implemented is supported by objective evidence.

Organizations that use this pause to strengthen their cybersecurity program will be well positioned regardless of how the DOW ultimately reforms CMMC. Organizations that pause their progress may find themselves scrambling to catch up when the next phase of implementation is announced.

The organizations that benefit most from this announcement will not be those that stop preparing.

They will be those that use the additional time to improve their cybersecurity maturity, strengthen their documentation, validate their evidence, and build a more resilient security program.

The government moved the certification timeline. It did not reduce the expectation that defense contractors protect federal information.

 

What Defense Contractors Should Do Now

While the DOW evaluates the future of CMMC, organizations should remain focused on building and maintaining a strong cybersecurity program. The pause provides additional time, but it should be viewed as an opportunity to strengthen readiness, not delay it.

Organizations should focus on the following priorities:

Continue implementing NIST SP 800-171 controls.

If your organization handles Controlled Unclassified Information (CUI), the requirement to implement the security controls defined in NIST SP 800-171 Rev. 2 has not changed. Continue executing your remediation plan and addressing identified gaps.

Maintain accurate documentation and evidence.

Keep your System Security Plan (SSP), Plans of Action and Milestones (POA&Ms), policies, procedures, inventories, and technical evidence current. Good documentation supports both self-assessments today and any future validation requirements.

Validate your self-assessment.

The absence of a near-term third-party assessment does not reduce the importance of an accurate self-assessment. Ensure your SPRS score accurately reflects your implemented controls and that executive affirmations are supported by objective evidence.

Review your contracts and solicitations.

As agencies update solicitations and contracts to reflect the suspension, review all active opportunities and contract modifications carefully. Do not assume that every document has already been updatedor that cybersecurity obligations have changed simply because C3PAO assessment language has been removed.

Monitor future guidance.

The DOW’s review is expected to conclude within 60 days, and additional guidance is anticipated. Organizations that continue improving their cybersecurity maturity today will be better positioned regardless of how the DOW ultimately revises the program. 

Key Takeaway

The organizations that gain the greatest advantage from this pause will not be those that wait for the next announcement.

They will be the organizations that use this time to improve their cybersecurity, strengthen their evidence, and ensure they are prepared for whatever comes next.

 

Final Thoughts

The suspension of CMMC Phase II marks an important shift in how the Department of War intends to validate cybersecurity across the Defense Industrial Base. However, it should not be interpreted as a reduction in cybersecurity expectations or a reason to delay compliance efforts.

Defense contractors that continue strengthening their cybersecurity programs, maintaining accurate documentation, and building defensible evidence will be well positioned regardless of how the CMMC program evolves. Those that pause their efforts risk creating larger operational and compliance challenges in the future.

The next 60 days should not be viewed as time to wait. They should be viewed as an opportunity to improve.

Whether the DOW ultimately resumes third-party assessments, introduces a revised validation model, or adopts a hybrid approach, one fact remains unchanged:

Organizations entrusted with Controlled Unclassified Information are expected to protect it.

That expectation existed before CMMC, it exists during this suspension, and it will remain long after the current review is complete.

The organizations that emerge strongest from this pause will not be the ones that waited. They will be the ones who used this time to strengthen their cybersecurity, improve their evidence, and prepare for whatever comes next.

 

About MAD Security

MAD Security is a CMMC Level 2 Certified Managed Security Services Provider (MSSP) and Registered Provider Organization (RPO) helping Defense Industrial Base organizations protect Controlled Unclassified Information and achieve long-term cybersecurity resilience.

We help organizations implement, operate, and continuously improve cybersecurity programs that support today's contractual requirements while preparing for tomorrow's regulatory changes.

 

Questions About How the CMMC Phase II Suspension Affects Your Organization?

Every defense contractor's situation is different. Contract requirements, the handling of Controlled Unclassified Information, and existing cybersecurity maturity all influence what actions should be taken next.

If you would like help evaluating how this announcement impacts your organization, contact the MAD Security team to schedule a CMMC Readiness Review. We'll help you understand what changed, what didn't, and the practical steps you should take moving forward.