• Skip to primary navigation
  • Skip to main content
  • Skip to footer
ControlCase No Tag LOGO md

ControlCase

IT Certifications, Continuous Compliance and Cybersecurity Services Provider

  • Company
    • About Us
    • Careers
    • Locations
    • Team
  • Industries
    • Business Process Outsourcing
    • Cloud Service Providers
    • Retail
    • Telecom | Entertainment
    • Managed Service Providers
  • Certifications
    • PCI DSS Certification
    • CSA STAR Certification
    • GDPR Assessment
    • HIPAA Assessment
    • HITRUST® Certification
    • ISO 27001 Certification
    • FedRAMP 3PAO Services and NIST 800-53
    • CMMC Certification
    • MARS-E Assessment
    • PCI SSF
    • P2PE Certification
    • SOC2 Report
  • Solutions
    • Continuous Compliance Solution
    • One Audit
    • Card Data Discovery Software
    • Data Security Rating
  • Testing
    • Application Reviews
    • Application Security Training
    • Code Reviews
    • Card Data Discovery
    • External Vulnerability Scans
    • Firewall Security Reviews
    • Internal Vulnerability Scans
    • Log Monitoring
    • Penetration Testing
  • Resources
    • Events
    • News
    • Webinars
    • Courses
    • Blog
    • Tools
    • Become a Partner
  • Contact Us
  • English

The CMMC Phase II Pause

You are here: Home / News / The CMMC Phase II Pause

A deeper look at the Department of War’s 60-day review.

A deeper look at the Department of War’s 60-day review, the obligations still in force, and the practical path forward for defense contractors.

Got Questions?
Let’s Meet

On July 13, 2026, the Department of War (DoW) announced the immediate suspension of CMMC Phase II. The requirement for third-party certification assessments, scheduled to begin appearing in contracts on November 10, 2026, is now on hold pending a 60-day review by a new CMMC Reform Task Force.

Within hours, headlines and social feeds compressed this into three words:  CMMC is dead.  It isn’t.

 
Contractors are still required to complete and upload their SPRS self-assessments to the DoD’s SPRS system. Failing to do so—or submitting inaccurate information—can still expose organizations to liability under the False Claims Act.
In fact, the continued SPRS self-assessment requirement gives companies an opportunity to achieve and maintain CMMC readiness more cost-effectively by combining continuous compliance/readiness software with experienced cybersecurity professionals, often at a fraction of the cost of traditional approaches.
The Department paused one verification mechanism. It did not pause the security standard, the self-assessment requirement, the annual affirmation your executive signs, or the enforcement behind all of it.
Here is what the announcement says, what remains in force, and what your organization should do during the review period.

What the Department Announced

The official DoW release makes four things explicit:

  1. The transition to CMMC Phase II, including the C3PAO third-party assessment requirements and pending implementation milestones, is suspended for 60 days for review.
  2. All Phase I self-assessment requirements remain firmly in place.
  3. During the interim period, the Department will enforce the NIST SP 800-171 Rev 2 standard through self-assessments and select government-led assessments.
  4. Contractors remain contractually obligated to safeguard covered defense information under DFARS 252.204-7012.

DoW Chief Information Officer Kirsten A. Davies is establishing a CMMC Reform Task Force to conduct a top-to-bottom review of the program, informed by a public Request for Information (RFI). The task force will deliver its recommendations to the DoW CIO within 60 days, on or about September 13, 2026.

The Department has been direct about what this is and is not. Under Secretary of War for Acquisition and Sustainment Michael Duffey put it this way: “We’re not relaxing the standards by any means. We expect businesses to adhere to the standards that NIST has outlined. What we’re removing is the bureaucracy of the third-party assessment.” (Breaking Defense, July 13, 2026)

The stated goal is to reduce compliance costs and barriers for small and non-traditional businesses, not to lower the security bar. The standard stayed. The audit process is under review.

What Did Not Change

This is the part the headlines miss. Nearly every obligation a defense contractor carried on July 12 was still there on July 14:

Requirement Status after the announcement
NIST SP 800-171 Rev 2 In force. This is the standard the Department says it will enforce during the pause, through self-assessments and select government-led assessments.
DFARS 252.204-7012 In force. Safeguarding covered defense information and 72-hour incident reporting, in contracts since 2017.
CMMC Level 1 and Level 2 self-assessments In force. Level 2 still requires a minimum SPRS score of 88 out of 110.
Annual affirmations (DFARS 252.204-7021) In force. A senior official at your company, the Affirming Official, still signs your continuing compliance into SPRS every year.
SPRS score posting and government assessments (DFARS 252.204-7019/-7020) In force. DIBCAC retains the authority to assess contractors directly, at any time.
32 CFR Part 170 (the CMMC program rule) In force. Suspending a rollout phase is a policy pause, not a repeal. Changing the rule itself requires formal rulemaking.
False Claims Act enforcement In force and unaffected. DOJ’s Civil Cyber-Fraud Initiative did not pause.
CMMC Level 2 certifications by C3PAOs Still available and still valid. Certifications continue to be issued, and organizations already certified keep that status.

One sentence captures it:
The government removed the mandatory verifier, not the obligation.

The Signature Is Now the Center of Gravity

Under the current rules, your compliance officer enters SPRS on the strength of your own assessment, and a named senior executive at your company affirms it annually. That affirmation is a continuing legal representation to the federal government. It must stay accurate through cloud migrations, acquisitions, new managed service providers, and every other change to your environment.

Before the pause, a third-party assessor would eventually stand behind your Level 2 status.

The full evidence burden sits inside your walls: the scope, the score, the artifacts, and the judgment calls.

That raises a practical question for every contractor: what does your Affirming Official actually review before signing? A spreadsheet from IT and a verbal assurance, or evidence mapped to each of the 110 requirements? The answer matters, because enforcement did not pause either.

Enforcement Did Not Pause

The Department of Justice pursues false cybersecurity representations under the False Claims Act, which carries treble damages plus per-claim penalties. Under the statute, “knowingly” includes deliberate ignorance and reckless disregard. A good-faith error is not fraud. An unchallenged score, signed year after year without validation, is harder to defend as good faith.

The recent record shows how these cases arise:

  1. CompanyA settled for $4.6 million in March 2025 over a stale SPRS self-assessment score.
  2. CompanyB, a contractor on Navy contracts, settled for $507,000 in June 2026, five weeks before the pause. The company had self-reported compliance. When DCMA assessed the environment directly, it scored a negative 170 on a scale with a floor of negative 203.
  3. CompanyC resolved allegations for over $11.25 million in 2025, tied to false annual cybersecurity certifications on the TRICARE contract.
  4. CompanyD and CompanyE settled for $8.4 million in May 2025 over NIST 800-171 failures across roughly 30 DoD contracts. The acquirer was held liable as a successor for pre-acquisition conduct.
  5. CompanyF settled for $9 million in 2022 in a case brought by a former employee under the False Claims Act’s whistleblower provisions.

These settlements resolve allegations without any adjudication of liability. The pattern across them is consistent, though: self-reported compliance, no independent challenge to the score, and a government assessment or an insider who saw the gap.
The CompanyB case is the one to sit with. It involved a small business, a self-assessment, and a direct government audit. That is exactly the posture most of the Defense Industrial Base is in during this pause.

Your Primes Are Not Waiting for Washington

Prime contractors set their own subcontractor cybersecurity expectations, and nothing in the suspension stops a prime from requiring evidence, or a certification, before sharing sensitive data with you. Over the past year, primes have pushed their supply chains toward CMMC Level 2 readiness on their own timelines. CompanyG gave suppliers roughly 80 business days to produce Level 2 certifications.

There is a structural reason for this. Every prime’s own Affirming Official signs on top of a supply chain they cannot fully see into, and primes must verify subcontractor status and affirmations before award under DFARS 252.204-7021. Reduced federal pressure does not mean reduced commercial pressure. In many cases, it means more.

The Real Cost Was Never the Audit

Much of the public case for the pause rests on cited cost figures approaching $600,000 per certification. That number warrants scrutiny because it conflates two distinct costs into one.
According to the Small Business Administration’s own estimates, a firm doing only a self-assessment, with no third-party audit at all, still spends about $388,600. That entire figure is the cost of implementing NIST 800-171: the people, the processes, the secured environment, the documentation. The third-party assessment itself typically runs $20,000 to $50,000 every three years outside of Level 3.

In other words, roughly two-thirds of the commonly cited cost is security implementation work that the suspension does not touch, because DFARS 252.204-7012 and NIST 800-171 still require it. Implementation is also a durable part of the investment. You keep the hardened environment, and it keeps protecting you. The audit was always the smaller, recurring verification cost on top.

For contractors weighing whether to slow down: pausing readiness work saves little, compresses the same work into a shorter runway later, and leaves your next affirmation resting on unvalidated assumptions in the meantime.

What You Should Do Now

If you already hold a CMMC Level 2 certification

Your investment stands. Certifications remain valid, C3PAOs continue to issue them, and DoW leadership has publicly recognized organizations who achieved certification. You are also differentiated with primes today, and first in line if third-party requirements return in any form.

If you are under contract for, or scheduled for, a certification assessment

We recommend you continue. Completing the third-party assessment demonstrates certified alignment with NIST SP 800-171, will be accepted by DoW, and gives you a rigorous, unbiased view of your vulnerabilities. It reduces risk, demonstrates regulatory compliance, and builds trust with investors, boards, customers, and insurers. Where timing genuinely needs to change, confirm the decision against your actual contract language first, including what your prime requires. An alternative for some organizations is a standalone NIST SP 800-171 assessment, but verify it satisfies your specific contractual requirements before choosing that path.

If you are earlier in the journey

Use the pause as runway, not as a reprieve. The same work is required under every plausible outcome of the review. Practical priorities for the next 60 days include:

  1. Validate your scope. Confirm which systems and data actually fall within your CUI boundary, and that your score maps to the right entity and CAGE code.
  2. Make your self-assessment defensible. Re-perform the score against NIST SP 800-171A with evidence of current operating effectiveness, not just policies and old screenshots.
  3. Keep your System Security Plan current, especially after any cloud migration, acquisition, new MSP, or facility change.
  4. Track POA&M items. Conditional status carries a 180-day closeout clock that did not pause.
  5. Verify your subcontractors. If they handle FCI or CUI, you are responsible for confirming their status and affirmations before award.
  6. Give your Affirming Official a real decision package before they sign: scope, score, evidence sufficiency, open findings, and what was and was not tested.

Make your voice heard

The Reform Task Force is soliciting industry input through a public RFI, with responses due August 14, 2026. If compliance costs or assessor availability have affected your business, this is the direct channel to the people writing the next chapter. Bring real numbers. The task force report is expected on or about September 13, 2026, and we will publish analysis as guidance develops.

Our Commitment

The headlines changed. Our mission did not.
For more than 20 years, ControlCase has helped organizations navigate evolving cybersecurity, privacy, and compliance requirements through every version of these programs. As an Authorized C3PAO, RPO, and 3PAO accredited across more than 100 frameworks, and with the CyberNINES team alongside us, we continue to support clients with assessments, readiness engagements, consulting, and project work as scheduled, and we will adapt with you whatever direction the Department ultimately takes.

Our recommendation through the review period is simple. Continue protecting your information. Continue strengthening your cybersecurity. Continue preparing. Organizations who keep improving today will be better positioned under every outcome of the Department’s review.

Questions about your specific contracts, your SPRS score, or your assessment timeline?
Receive a call from the Federal team
Schedule a meeting with our Federal Team


  • Facebook
  • Instagram
  • LinkedIn
  • Twitter
  • YouTube

Footer

Connect

Corporate Headquarters
3975 FAIR RIDGE DR STE T25S-D
FAIRFAX, VA 22033

Send us a message

Call Us

Search

About Us

ControlCase is a United States based company, headquartered in Fairfax, Virginia with locations in North America, Europe, Latin America, Asia/Pacific, Australia and the Middle East to serve our clients globally.

Quick Links

  • Company
  • Careers
  • Locations
  • Covid-19 Notice
  • Manage Cookies
  • Your Privacy Choices

Certifications, Assessments and Reports

  • PCI DSS Certification
  • CSA STAR Certification
  • GDPR Assessment
  • HIPAA Assessment
  • HITRUST® Certification
  • ISO 27001 Certification
  • FedRAMP and 3PAO Services
  • MARS-E Assessment
  • PCI SSF
  • P2PE Certification
  • SOC2 Report

© ControlCase LLC 2026 | Privacy Policy | Impartiality Statement | Legal Notices

  • English