• Skip to primary navigation
  • Skip to main content
  • Skip to footer
ControlCase No Tag LOGO md

ControlCase

IT Certifications, Continuous Compliance and Cybersecurity Services Provider

  • Company
    • About Us
    • Careers
    • Locations
    • Team
  • Industries
    • Business Process Outsourcing
    • Cloud Service Providers
    • Retail
    • Telecom | Entertainment
    • Managed Service Providers
  • Certifications
    • PCI DSS Certification
    • CSA STAR Certification
    • GDPR Assessment
    • HIPAA Assessment
    • HITRUST® Certification
    • ISO 27001 Certification
    • FedRAMP 3PAO Services and NIST 800-53
    • CMMC Certification
    • MARS-E Assessment
    • PCI SSF
    • P2PE Certification
    • SOC2 Report
  • Solutions
    • Continuous Compliance Solution
    • One Audit
    • Card Data Discovery Software
    • Data Security Rating
  • Testing
    • Application Reviews
    • Application Security Training
    • Code Reviews
    • Card Data Discovery
    • External Vulnerability Scans
    • Firewall Security Reviews
    • Internal Vulnerability Scans
    • Log Monitoring
    • Penetration Testing
  • Resources
    • Events
    • News
    • Webinars
    • Courses
    • Blog
    • Tools
    • Become a Partner
  • Contact Us
  • English

CMMC P2 Pause

You are here: Home / News / CMMC P2 Pause

On July 13, 2026, the Department of War announced a 60-day pause in the implementation of the mandatory CMMC Level 2 third-party assessment requirements, previously scheduled to take effect on November 10, 2026 (Phase II).

Have Questions?
Book a Meeting

While we expect additional guidance during this review period, protecting both Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) and strengthening the cybersecurity of the Defense Industrial Base remain national priorities. You still need to pay attention to and adhere to your contractual obligations.

At ControlCase Federal, including CyberNINES, our mission remains exactly the same. We are here to help organizations strengthen their cybersecurity, meet their contractual obligations, and prepare for whatever direction the Department ultimately takes. We continue to support all of our clients with assessments, consulting engagements, readiness activities, and project work as scheduled.Here are five facts every defense contractor should know.

1. Your cybersecurity obligations remain in effect.

The pause applies to the implementation of CMMC Level 2 C3PAO third-party assessment requirements. All Phase I self-assessment requirements (Level 1 and Level 2) remain in effect. The DFARS 252.204-7012 requirements to safeguard covered defense information and NIST SP 800-171 remain in place. CMMC Level 2 Certifications are still being issued by C3PAOs and will be going forward.

2. Strong Cybersecurity Is Bigger Than Any One Compliance Program

This does not eliminate existing cybersecurity obligations. The security controls that protect your organization, your customers, and our nation’s defense supply chain remain just as important today as they were yesterday. Investing in cybersecurity continues to reduce operational risk, improve resilience, and strengthen your business.

3. The Work You Do Today Will Continue to Deliver Value

Whether the government resumes the current CMMC framework, modifies it, or introduces changes following the review, organizations that have invested in implementing NIST SP 800-171, improving documentation, and maturing their cybersecurity program will be better positioned than those who delay.

4. Continue Your Assessment and Compliance Journey

For organizations in the process of getting scheduled, we recommend you continue to do so. For organizations engaged in readiness or consulting services, this remains an excellent opportunity to strengthen your cybersecurity program, improve documentation, and close remaining gaps while additional guidance is developed.

5. ControlCase Is Ready for Whatever Comes Next

For more than 20 years, ControlCase has helped organizations navigate evolving cybersecurity, privacy, and compliance requirements. As an Authorized C3PAO, RPO, 3PAO and accredited cybersecurity provider across more than 100 frameworks, we have the experience, resources, and financial strength to support our clients regardless of how the CMMC program evolves.

Organizations that continue to improve their cybersecurity today will be better positioned, regardless of what comes out of the Department’s review.

Our Commitment

The headlines may have changed, but our mission has not.

We remain committed to helping organizations protect sensitive information, strengthen their cybersecurity posture, and maintain readiness across the Defense Industrial Base.

We will continue monitoring developments closely throughout the Department’s 60-day review and will share factual updates as additional guidance becomes available.

In the meantime, our recommendation is simple:

  • Continue protecting your information.
  • Continue strengthening your cybersecurity.
  • Continue preparing.

  • Facebook
  • Instagram
  • LinkedIn
  • Twitter
  • YouTube

Footer

Connect

Corporate Headquarters
3975 FAIR RIDGE DR STE T25S-D
FAIRFAX, VA 22033

Send us a message

Call Us

Search

About Us

ControlCase is a United States based company, headquartered in Fairfax, Virginia with locations in North America, Europe, Latin America, Asia/Pacific, Australia and the Middle East to serve our clients globally.

Quick Links

  • Company
  • Careers
  • Locations
  • Covid-19 Notice
  • Manage Cookies
  • Your Privacy Choices

Certifications, Assessments and Reports

  • PCI DSS Certification
  • CSA STAR Certification
  • GDPR Assessment
  • HIPAA Assessment
  • HITRUST® Certification
  • ISO 27001 Certification
  • FedRAMP and 3PAO Services
  • MARS-E Assessment
  • PCI SSF
  • P2PE Certification
  • SOC2 Report

© ControlCase LLC 2026 | Privacy Policy | Impartiality Statement | Legal Notices

  • English