Secure Cyber Blog

CMMC Phase II Is Suspended. Your Cybersecurity Requirements Are Not.

Written by Secure Cyber | Jul 14, 2026 1:33:09 PM

By SecureCyber | July 2026

If you do business with the Department of War (DoW), or you supply someone who does, your inbox probably lit up this week. On July 13, 2026, the Department announced the immediate suspension of CMMC Phase II, the third-party assessment requirement that was scheduled to start showing up in contracts on November 10, 2026. The later phases of the program are on hold too.

That headline is causing a lot of confusion, and a fair amount of bad advice, across the defense industrial base. So let's walk through what actually changed, what didn't, and what you should be doing right now. No jargon required.

What actually happened

CMMC (the Cybersecurity Maturity Model Certification) is the Department's program for verifying that contractors are protecting sensitive government information. It was being rolled out in phases. Phase 1, which started in November 2025, requires companies to self-assess their cybersecurity and report the results. Phase 2 was the big one: starting this November, many contractors would have needed an independent third-party assessor to certify them before they could win certain contracts.

Citing heavy costs and paperwork burdens, especially for small and mid-sized companies, the DoW Chief Information Officer suspended Phase 2 before it took effect. The Small Business Administration reported that compliance costs were pushing companies out of defense work entirely, with third-party certification costs approaching six hundred thousand dollars for some small firms.

In place of the rollout, the Department stood up a CMMC Reform Task Force. That team has 60 days to review the whole program and recommend a path forward. While that review runs, the Department also launched a public campaign called "Brilliant at the Basics" that points contractors toward practical, foundational cybersecurity practices instead of certification paperwork.

What did NOT change

This is the part too many people are getting wrong, so let's be direct.

Your obligation to protect government information did not go anywhere. The contract clause that created that obligation (DFARS 252.204-7012) has been in place for years, and it is still in your contracts today. The security standard behind it, NIST SP 800-171, is still the standard. The Department said plainly that it will keep enforcing it through self-assessments and select government-led reviews during the pause.

Phase 1 is also still fully in effect. If your contracts require a self-assessment and a reported score, that requirement stands, and the accuracy of that score still matters. Overstating your score has always carried legal risk, and that risk did not get smaller this week.

One more reality check: the big prime contractors are not going to loosen their supply chain requirements based on a 60-day study. If a prime requires evidence of your security posture to keep you on their program, expect that to continue.

The simplest way to say it: the government paused the audit, not the homework.

Will the government get rid of the Phase 2 requirements for good?

Honest answer: nobody knows yet, including the government. The task force will deliver its recommendations in about 60 days, and officials have been careful not to rule anything in or out.

Here is what we do know. Department leadership said repeatedly that they are not relaxing security standards, and that everything still rests on NIST SP 800-171. So the realistic outcomes are a Phase 2 that returns largely as designed, a redesigned and cheaper version of third-party verification, or a new model that leans harder on self-assessment with government spot checks.

What is very unlikely is a future where nobody ever verifies anything. Some form of verification is expected to come back. Companies that keep their security programs running through the pause will absorb whatever comes next with little drama. Companies that treat this as permission to stand down will be starting over, with less runway, when the new rules land.

What is an RFI, and how do I answer it?

Alongside the suspension, the Department published a Request for Information, or RFI. If you have never dealt with one, here is the plain-English version: an RFI is the government formally asking industry for feedback. It is not a bid, it is not a contract, and responding does not obligate you to anything. Think of it as an official comment box, and this one feeds directly into the task force that will decide what replaces Phase 2.

The Department specifically wants to hear about what CMMC compliance actually cost you, which parts created paperwork without improving security, and which security controls genuinely made you safer.

If you want your experience to shape the outcome, here is how to write a useful response. Keep it factual and specific. Real dollar figures, real staff hours, and real timelines carry far more weight than general complaints. If you spent eighteen months and a specific amount preparing for an assessment, say so. If a particular requirement improved your security, say that too. Balanced feedback is more credible than venting. Keep it concise, a few pages is plenty, and have someone in leadership review it before you submit, because it represents your company. Watch the DoW CIO website (dowcio.war.gov) and SAM.gov for the submission details and deadline.

If writing it feels daunting, this is a place where your assessment history helps. Companies that have been through readiness assessments already have the cost and effort data the government is asking for.

So what should I do during the 60-day window?

Keep going. That sounds anticlimactic, but it is the right answer for almost everyone.

Keep your security controls running and keep your documentation current, especially your System Security Plan and your plan for closing known gaps. Make sure your reported self-assessment score reflects reality, because self-assessment just became the primary way the government checks on you. If your score would not survive a hard look, the pause is your chance to fix that quietly and correctly.

Talk to your prime contractors before changing anything. Their requirements flow down through your contract with them, and those requirements are not the Department's to suspend. If you were scheduled for a third-party assessment, talk to your assessor before canceling. Department leadership went out of its way to say that money spent improving your security posture was not wasted, and a validated posture is a competitive advantage while your competitors sit in limbo.

Then use the window productively. Close the gaps you have been deferring. Consider responding to the RFI. And keep an eye on official channels rather than social media hot takes, because the task force report will arrive fast.

A word for manufacturers and operations-heavy companies

One detail of the announcement deserves more attention than it is getting. The "Brilliant at the Basics" campaign includes a Top 10 list written specifically for operational technology, meaning the equipment side of your business: production lines, controllers, plant networks, and the systems that keep machines running.

That is a signal. The Department is telling industrial suppliers that securing the factory floor matters just as much as securing the office network. For manufacturers, a cyber incident is not really a data problem; it is a downtime problem. The campaign's guidance covers things like separating your business network from your plant network, controlling who can remotely access equipment, and having a recovery plan that does not require shutting everything down. These are achievable steps, and they map closely to what the underlying security standard already expects.

Where SecureCyber fits

SecureCyber has been performing these readiness assessments since DFARS first took effect. We have helped defense suppliers understand where they stand against NIST SP 800-171, build realistic plans to close gaps, and prepare documentation that holds up when someone looks closely. That includes the operational side, where our team works with manufacturers on the plant-floor systems that traditional IT assessments overlook.

Here is where we can help right now:

  • SPRS scoring and submission. We help you calculate your self-assessment score the way an assessor would, so the number you report in the government's Supplier Performance Risk System is one you can stand behind, and we help you get it submitted correctly.
  • Responding to the RFI. We help you gather your real compliance costs and experiences and shape them into a clear, credible response that gives the task force something useful to work with.
  • An outside look at your program today. A fresh set of eyes on your current security program shows you where you actually stand, before the government or a prime contractor looks for you.
  • Updating your System Security Plan and Plan of Action and Milestones. These two documents are the backbone of your compliance story. We help you bring them up to date so they reflect your environment as it runs today, not as it looked two years ago.

If the suspension left you unsure what your next move is, that is a reasonable place to be this week. A readiness assessment gives you a clear picture of your current posture, supports your alignment with the standard the government is still enforcing, and puts you in a strong position for whatever the task force recommends.

Let's talk before the 60 days are up. Reach us at securecyberdefense.com/contact-us.

SecureCyber | secdef.com | (937) 388-4405 | info@secdef.com

Proven. Proactive. Personalized.