• Skip to primary navigation
  • Skip to main content
  • Skip to footer
ControlCase No Tag LOGO md

ControlCase

IT Certifications, Continuous Compliance and Cybersecurity Services Provider

  • Company
    • About Us
    • Careers
    • Locations
    • Team
  • Industries
    • Business Process Outsourcing
    • Cloud Service Providers
    • Retail
    • Telecom | Entertainment
    • Managed Service Providers
  • Certifications
    • PCI DSS Certification
    • CSA STAR Certification
    • GDPR Assessment
    • HIPAA Assessment
    • HITRUST® Certification
    • ISO 27001 Certification
    • FedRAMP 3PAO Services and NIST 800-53
    • CMMC Certification
    • MARS-E Assessment
    • PCI SSF
    • P2PE Certification
    • SOC2 Report
  • Solutions
    • Continuous Compliance Solution
    • One Audit
    • Card Data Discovery Software
    • Data Security Rating
  • Testing
    • Application Reviews
    • Application Security Training
    • Code Reviews
    • Card Data Discovery
    • External Vulnerability Scans
    • Firewall Security Reviews
    • Internal Vulnerability Scans
    • Log Monitoring
    • Penetration Testing
  • Resources
    • Events
    • News
    • Webinars
    • Courses
    • Blog
    • Tools
    • Become a Partner
  • Contact Us
  • English

CMMC Level 2 Assessment Pause: Frequently Asked Questions

You are here: Home / CMMC Level 2 Assessment Pause: Frequently Asked Questions

CMMC Level 2 Assessment Pause: Frequently Asked Questions

On July 13, 2026, the United States Department of War announced a 60-day pause in the mandatory CMMC Level 2 third-party assessment requirements, which were set to take effect on November 10, 2026 (Phase II).

Read our news article on the pause
Visit Now

Here are five facts every defense contractor should know.

1. Your cybersecurity obligations remain in effect.

  • The pause applies to the implementation of CMMC Level 2 C3PAO third-party assessment requirements.
  • All Phase I self-assessment requirements (Level 1 and Level 2) remain in effect.
  • The DFARS 252.204-7012 requirements to safeguard covered defense information and NIST SP 800-171 remain in place.
  • CMMC Level 2 Certifications are still being issued by C3PAOs and will be going forward.

2. Good cybersecurity is bigger than any one compliance program.

  • This does not eliminate existing cybersecurity obligations.
  • The security controls that protect your organization, your customers, and our nation’s defense supply chain remain just as important today as they were yesterday.
  • Investing in cybersecurity continues to reduce operational risk, improve resilience, and strengthen your business.

3. Preparation completed today will continue to provide value.

  • Whether the government resumes the current CMMC framework, modifies it, or introduces changes following the review, organizations that have invested in implementing NIST SP 800-171, improving documentation, and maturing their cybersecurity program will be better positioned than those who delay.

4. Continuing your assessment or compliance program is the best path forward.

  • For organizations scheduled for a CMMC assessment, we recommend maintaining your assessment schedule unless your specific business circumstances require a change.
  • For organizations engaged in readiness or consulting services, this remains an excellent opportunity to strengthen your cybersecurity program, improve documentation, and close remaining gaps while additional guidance is developed.

5. We are prepared for whatever comes next.

  • For more than 20 years, ControlCase has helped organizations navigate evolving cybersecurity, privacy, and compliance requirements.
  • As an Authorized C3PAO, RPO, and accredited cybersecurity provider across more than 100 frameworks, we have the experience, resources, and financial strength to support our clients regardless of how the CMMC program evolves.
  • Organizations that continue to improve their cybersecurity today will be better positioned, regardless of what comes out of the Department’s review.
  • Facebook
  • Instagram
  • LinkedIn
  • Twitter
  • YouTube

Footer

Connect

Corporate Headquarters
3975 FAIR RIDGE DR STE T25S-D
FAIRFAX, VA 22033

Send us a message

Call Us

Search

About Us

ControlCase is a United States based company, headquartered in Fairfax, Virginia with locations in North America, Europe, Latin America, Asia/Pacific, Australia and the Middle East to serve our clients globally.

Quick Links

  • Company
  • Careers
  • Locations
  • Covid-19 Notice
  • Manage Cookies
  • Your Privacy Choices

Certifications, Assessments and Reports

  • PCI DSS Certification
  • CSA STAR Certification
  • GDPR Assessment
  • HIPAA Assessment
  • HITRUST® Certification
  • ISO 27001 Certification
  • FedRAMP and 3PAO Services
  • MARS-E Assessment
  • PCI SSF
  • P2PE Certification
  • SOC2 Report

© ControlCase LLC 2026 | Privacy Policy | Impartiality Statement | Legal Notices

  • English