CMMC Phase II Suspended: What Defense Contractors Need to Know (And Why Now Isn’t the Time to Pause Cybersecurity)
By Kevin Tucker, Cybersecurity Consultant and Troy Richardson, CMMC Consultant
On July 13, the Department of War announced the immediate suspension of CMMC Phase II implementation, delaying the planned transition to mandatory third-party assessments while launching a 60-day review of the program. The Department cited concerns that the current implementation created significant burdens, particularly for small and mid-sized businesses, and intends to reform CMMC into a more scalable framework.
For many contractors, the reaction has been relief. For others, confusion.
One thing is clear: this is not the end of cybersecurity compliance for defense contractors.
What Actually Changed?
DoD paused the rollout of mandatory Phase II CMMC certification requirements, including future contract milestones tied to third-party assessments.
The Department also established a CMMC Reform Task Force, which will spend the next 60 days evaluating how to reduce administrative burden while maintaining strong cybersecurity protections across the Defense Industrial Base.
What Did NOT Change?
Defense contractors are still contractually obligated to:
- Protect Controlled Unclassified Information (CUI)
- Meet DFARS 252.204-7012 requirements
- Implement NIST SP 800-171 security controls
- Conduct required self-assessments where applicable
- Report cyber incidents as required by contract
The Department has been explicit that the suspension affects certification requirements — not cybersecurity requirements.
On Self-Assessment Accuracy
Removing the third-party assessment checkpoint doesn’t remove the liability tied to your SPRS score. A self-attested score is a representation the government relies on when awarding and paying on contracts — an inaccurate one is False Claims Act exposure, not just an audit risk, and FCA cases can be brought by private relators, not only DOJ.
This isn’t theoretical. DOJ’s Civil Cyber-Fraud Initiative, running since 2021, has pursued exactly this: Aerojet Rocketdyne settled for $9M, MORSE Corp for $4.6M, and DOJ intervened in a case against Georgia Tech over NIST 800-171 non-compliance and a backdated system security plan. The third-party assessment would have been the mechanism that caught an inaccurate score before it became a false claim. Without it, the responsibility for getting that number right sits more squarely with the contractor.
What Should Contractors Do Now?
Rather than pausing, we recommend organizations use this period to:
- Complete a gap assessment against NIST SP 800-171
- Finalize or update your System Security Plan (SSP)
- Develop actionable Plans of Action & Milestones (POA&Ms)
- Validate technical safeguards
- Strengthen evidence collection and documentation
- Prepare for future third-party assessments — even if the timeline changes
Organizations that maintain momentum now will likely be ahead of the curve once the Department announces its updated framework.
Our Perspective
As an authorized Registered Provider Organization (RPO) and an organization preparing to operate as a Certified Third-Party Assessment Organization (C3PAO), we’ve always believed cybersecurity should be about reducing risk — not simply checking compliance boxes.
We welcome efforts to make CMMC more practical for the Defense Industrial Base. At the same time, protecting Controlled Unclassified Information remains a mission-critical responsibility. Regardless of how the certification model evolves, organizations that invest in cybersecurity maturity today will be better prepared for tomorrow’s requirements.
Need Guidance?
If you’re working through what this means for your organization, we’re here to help — whether you’ve already started preparing for CMMC or aren’t sure what your next step should be. We can help you understand your current compliance posture, prioritize remediation, and build a program that holds up regardless of what the revised framework looks like.
The rules may evolve. Good cybersecurity doesn’t.


