On July 13, 2026, the Department of War announced a 60-day pause in the implementation of the mandatory CMMC Level 2 third-party assessment requirements, previously scheduled to take effect on November 10, 2026 (Phase II).
While we expect additional guidance during this review period, protecting both Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) and strengthening the cybersecurity of the Defense Industrial Base remain national priorities. You still need to pay attention to and adhere to your contractual obligations.
At ControlCase Federal, including CyberNINES, our mission remains exactly the same. We are here to help organizations strengthen their cybersecurity, meet their contractual obligations, and prepare for whatever direction the Department ultimately takes. We continue to support all of our clients with assessments, consulting engagements, readiness activities, and project work as scheduled.Here are five facts every defense contractor should know.
1. Your cybersecurity obligations remain in effect.
The pause applies to the implementation of CMMC Level 2 C3PAO third-party assessment requirements. All Phase I self-assessment requirements (Level 1 and Level 2) remain in effect. The DFARS 252.204-7012 requirements to safeguard covered defense information and NIST SP 800-171 remain in place. CMMC Level 2 Certifications are still being issued by C3PAOs and will be going forward.
2. Strong Cybersecurity Is Bigger Than Any One Compliance Program
This does not eliminate existing cybersecurity obligations. The security controls that protect your organization, your customers, and our nation’s defense supply chain remain just as important today as they were yesterday. Investing in cybersecurity continues to reduce operational risk, improve resilience, and strengthen your business.
3. The Work You Do Today Will Continue to Deliver Value
Whether the government resumes the current CMMC framework, modifies it, or introduces changes following the review, organizations that have invested in implementing NIST SP 800-171, improving documentation, and maturing their cybersecurity program will be better positioned than those who delay.
4. Continue Your Assessment and Compliance Journey
For organizations in the process of getting scheduled, we recommend you continue to do so. For organizations engaged in readiness or consulting services, this remains an excellent opportunity to strengthen your cybersecurity program, improve documentation, and close remaining gaps while additional guidance is developed.
5. ControlCase Is Ready for Whatever Comes Next
For more than 20 years, ControlCase has helped organizations navigate evolving cybersecurity, privacy, and compliance requirements. As an Authorized C3PAO, RPO, 3PAO and accredited cybersecurity provider across more than 100 frameworks, we have the experience, resources, and financial strength to support our clients regardless of how the CMMC program evolves.
Organizations that continue to improve their cybersecurity today will be better positioned, regardless of what comes out of the Department’s review.
Our Commitment
The headlines may have changed, but our mission has not.
We remain committed to helping organizations protect sensitive information, strengthen their cybersecurity posture, and maintain readiness across the Defense Industrial Base.
We will continue monitoring developments closely throughout the Department’s 60-day review and will share factual updates as additional guidance becomes available.
In the meantime, our recommendation is simple:
- Continue protecting your information.
- Continue strengthening your cybersecurity.
- Continue preparing.
