MNS Group Blog | MSP, MSSP and CMMC Services

CMMC Program Changes: What Defense Contractors Need to Know Today.

Written by MNS Group | Jul 14, 2026 5:36:42 PM

TL;DR

What Changed

  • CMMC Phase II third-party certification requirements have been suspended for 60 days.
  • The Department will use this 60-day window to review the third-party assessment schedule and provide recommendations for moving forward

What Didn't Change

  • Businesses must still protect CUI under DFARS 252.204-7012.
  • NIST SP 800-171 remains the required security standard.
  • Self-assessments, SPRS reporting, and annual affirmations remain required.
  • False or unsupported compliance claims still carry significant contractual, legal, and financial risk.

Our Recommendation

Don't pause your compliance program. Continue implementing NIST SP 800-171, maintain evidence of implementation, and ensure your self-assessment accurately reflects your environment to avoid False Claims Act risk.

 

The Department of War has announced the immediate suspension of CMMC Phase II, which would have required third-party C3PAO assessments beginning November 10, 2026. This announcement has already created some confusion that we hope to clear up.

While this is a significant change to the implementation timeline, it is not the end of cybersecurity compliance for the Defense Industrial Base and supply chain.

Here are the six things every defense contractor should understand.

1. Third-Party CMMC Assessments Are Suspended

The Department has suspended:

    • Phase II implementation
    • Pending CMMC milestones
    • Future CMMC implementation milestones

Organizations will not currently be required to obtain a C3PAO certification in order to satisfy the suspended Phase II requirements.

Note: The DoW has given itself 60 days to evaluate the program, but it can take as long as it needs to act on whatever that review recommends, whether that means changing the framework, implementing new requirements, or something else. That is why the suspension is best understood as indefinite; there is no fixed date on which Phase II resumes.

2. Your Contract Requirements Did Not Change

Nothing in the DoW announcement changes DFARS 252.204-7012.

If your contracts require protection of Covered Defense Information (CDI) or Controlled Unclassified Information (CUI), those obligations remain exactly the same.

The underlying security requirements in NIST SP 800-171 Rev. 2 are still the government's required cybersecurity baseline.

The government did not suspend cybersecurity; it suspended one method of verifying it.

3. Self-Assessments Continue

Organizations must continue to:

    • Perform NIST SP 800-171 self-assessments
    • Maintain supporting documentation
    • Submit required SPRS scores
    • Complete annual affirmations where required

Government-led assessments also remain available as an enforcement mechanism.

4. The Biggest Risk Has Changed

Under the previous roadmap, many organizations expected an independent C3PAO assessment before certification.

Those assessments often identified documentation gaps, implementation weaknesses, or misunderstandings before they became contractual issues.

With third-party certification paused, organizations are now relying much more heavily on the accuracy of their own self-assessment and annual affirmations.

That makes internal governance, documentation, and evidence even more important.

Organizations should ensure that every control claimed as implemented can be supported with objective evidence.

 

5. The Department Is Reviewing the Entire Program

The Department has established a 60-day CMMC Reform Task Force to recommend what replaces the current implementation approach.

The review will examine:

    • Reducing compliance costs
    • Lowering barriers for small businesses
    • Improving speed to capability
    • Maintaining cybersecurity across the Defense Industrial Base

Future changes could range from modifications to certification requirements to broader restructuring of the current program.

Until those recommendations are released, organizations should avoid making assumptions about the long-term direction of CMMC.

 

6. What Should Contractors Do Now?

Our recommendation has not changed: continue building a mature cybersecurity program with the help of CMMC experts.

Specifically:

    • Continue implementing NIST SP 800-171
    • Maintain accurate SSPs and POA&Ms
    • Keep evidence current
    • Validate your SPRS score- inflated scores, whether intentional or not, are subject to FCA
    • Review your annual affirmation process
    • Continue preparing for future assessments, regardless of what form they ultimately take
    • Talk with your subs and primes to understand how they will provide verification of their cybersecurity state and what requirements they have.
    • Meet with Contract Officers and Primes to discuss their expectations for Level 2 certification

Organizations that pause compliance efforts may find themselves unprepared for future requirements or exposed if their self-attestations cannot be supported.

Our Perspective

Today's announcement changes how compliance may be demonstrated.

It does not eliminate the responsibility to protect government information.

The strongest organizations will use this period to improve operational security, validate their documentation, and ensure that their self-assessments accurately reflect their environments.

Whether the Department ultimately returns to third-party certification or introduces a revised framework, organizations with mature cybersecurity programs will be in the strongest position.

If you have questions about how these changes affect your organization, our team is actively helping contractors understand the announcement, review their current posture, and determine the appropriate next steps.