What Changed
What Didn't Change
Our Recommendation
Don't pause your compliance program. Continue implementing NIST SP 800-171, maintain evidence of implementation, and ensure your self-assessment accurately reflects your environment to avoid False Claims Act risk.
The Department of War has announced the immediate suspension of CMMC Phase II, which would have required third-party C3PAO assessments beginning November 10, 2026. This announcement has already created some confusion that we hope to clear up.
While this is a significant change to the implementation timeline, it is not the end of cybersecurity compliance for the Defense Industrial Base and supply chain.
Here are the six things every defense contractor should understand.
The Department has suspended:
Organizations will not currently be required to obtain a C3PAO certification in order to satisfy the suspended Phase II requirements.
Note: The DoW has given itself 60 days to evaluate the program, but it can take as long as it needs to act on whatever that review recommends, whether that means changing the framework, implementing new requirements, or something else. That is why the suspension is best understood as indefinite; there is no fixed date on which Phase II resumes.
Nothing in the DoW announcement changes DFARS 252.204-7012.
If your contracts require protection of Covered Defense Information (CDI) or Controlled Unclassified Information (CUI), those obligations remain exactly the same.
The underlying security requirements in NIST SP 800-171 Rev. 2 are still the government's required cybersecurity baseline.
The government did not suspend cybersecurity; it suspended one method of verifying it.
Organizations must continue to:
Government-led assessments also remain available as an enforcement mechanism.
Under the previous roadmap, many organizations expected an independent C3PAO assessment before certification.
Those assessments often identified documentation gaps, implementation weaknesses, or misunderstandings before they became contractual issues.
With third-party certification paused, organizations are now relying much more heavily on the accuracy of their own self-assessment and annual affirmations.
That makes internal governance, documentation, and evidence even more important.
Organizations should ensure that every control claimed as implemented can be supported with objective evidence.
The Department has established a 60-day CMMC Reform Task Force to recommend what replaces the current implementation approach.
The review will examine:
Future changes could range from modifications to certification requirements to broader restructuring of the current program.
Until those recommendations are released, organizations should avoid making assumptions about the long-term direction of CMMC.
Our recommendation has not changed: continue building a mature cybersecurity program with the help of CMMC experts.
Specifically:
Organizations that pause compliance efforts may find themselves unprepared for future requirements or exposed if their self-attestations cannot be supported.
Today's announcement changes how compliance may be demonstrated.
It does not eliminate the responsibility to protect government information.
The strongest organizations will use this period to improve operational security, validate their documentation, and ensure that their self-assessments accurately reflect their environments.
Whether the Department ultimately returns to third-party certification or introduces a revised framework, organizations with mature cybersecurity programs will be in the strongest position.
If you have questions about how these changes affect your organization, our team is actively helping contractors understand the announcement, review their current posture, and determine the appropriate next steps.