3 min read

CMMC Phase 2 Suspended: What it Means for Defense Contractors

CMMC Phase 2 Suspended: What it Means for Defense Contractors

On July 13, the Department of War suspended the CMMC Phase 2 audit requirement. If you're a defense contractor, you've probably already heard, and you're probably asking the same question I've fielded from half our client list this week: does this mean the compliance work can wait?

Short answer: not really. Here's what’s happened and my take on what it means for defense contractors moving forward.

 

Phase 2 Suspension Announcement

The Department of War suspended the CMMC Phase 2 requirement, which was set to take effect November 10, 2026. That's the part of CMMC that would have required companies handling Controlled Unclassified Information (CUI) to pass a third-party audit from a Certified Third-Party Assessor Organization, or C3PAO, before they could win or keep a contract.

Phase 1 isn't affected. If your contract requires a Level 1 or Level 2 self-assessment through SPRS, that requirement is still fully in place today.

The Department also established a CMMC Reform Task Force to study the program for 60 days and report back on what comes next.

 

Why the Department Pulled the Plug

This was a math problem. DoD Chief Information Officer Kirsten Davies told reporters that roughly 100 certified assessors exist to audit more than 100,000 businesses that needed third-party certification before the November deadline. In her words, "the math just simply doesn't math."

Add to that the cost. A single Level 2 audit runs $30,000 to $50,000 for a small or mid-sized shop, on top of everything you've already spent getting ready. Small Business Administration data reportedly showed that requirement alone was pushing innovative companies out of the defense supply chain entirely, right when the Pentagon needs them the most.

So the Department pulled the audit requirement. But we need to dig a little deeper to realize that it didn't pull the security standard behind it.

 

What Happens to Level 2 Now?

During the review period, the Department says it will enforce compliance through self-assessments and select government-led reviews rather than mandatory third-party audits. In plain terms, Level 2 is very likely shifting to a self-attestation model for now, the same approach that's already covered Level 1 since last November.

On one side of the coin, that's a real relief on cost. Now you’re not forced to pay $30,000+ for an audit. But it’s not a green light to stop your compliance and security program all together.

 

The Part I Need Everyone to Hear

Suspending the audit doesn't suspend your legal obligation to protect federal data. Every defense contractor is still bound by DFARS 252.204-7012, which requires you to safeguard covered defense information whether or not a C3PAO ever walks through your door.

Self-attestation also isn't a free pass. If you sign your name to a claim of compliance you can't back up, you're exposed to False Claims Act penalties, fines, and in serious cases, criminal charges. The Department of Justice's Civil Cyber-Fraud Initiative is still active and still pursuing companies that misrepresent their cybersecurity posture.

 

If anything, that risk grew a little, since there's no longer a third party checking your work before you certify it.

 

I understand why this feels like a green light. I just don't want anyone caught off guard six months from now because they read it that way.

 

What I Think Happens Next

My read: the Department moves toward spot-check audits on companies that win contracts, instead of universal audits across the entire industrial base. If you win the work and can't back up what you attested to, you risk losing it, and getting barred from bidding on the next one.

That's a tougher spot to be in than a scheduled audit. A scheduled audit gives you time to prepare, but a spot-check after you've already won the contract is more of a make-or-break situation.

 

What Smart Contractors Should Do Right Now

If you were budgeting for a C3PAO audit, that specific cost just came off the table. Great! Now put that money into closing your control gaps instead. Readiness is still what wins you the contract. It's just self-certified readiness for the moment instead of having the support and backing of a third-party verifying your claims.

We're already helping clients work through the 110 controls in NIST SP 800-171 under this exact model: build the controls, document the evidence, self-attest with confidence instead of guesswork.

At the end of the day, the audit got suspended but the standard didn't. The businesses that keep building toward Level 2 through this review period are the ones who'll be ready whenever the Department decides what comes next, and won't have to explain to a contracting officer why their attestation doesn't match reality.

If you want a straight answer on where your business stands against these controls, I’m happy to talk or swing by your office.

 

Who Needs CMMC Certification? Industries That Are Caught Off Guard

6 min read

Who Needs CMMC Certification? Industries That Are Caught Off Guard

Most companies that need CMMC certification don't find out until a prime contractor asks for documentation they don't have. By that point, a contract...

Read More
CMMC 2.0 Explained: What Is CMMC Compliance?

6 min read

CMMC 2.0 Explained: What Is CMMC Compliance?

Most defense contractors don't think of themselves as cybersecurity companies. A machine shop thinks about tolerances and lead times. A small AEC...

Read More
The Cost of CMMC Non-Compliance: What Defense Contractors Can Lose

7 min read

The Cost of CMMC Non-Compliance: What Defense Contractors Can Lose

You open an email from your prime contractor on a Tuesday morning and are presented with something you’ve been dreading for months, if not years. ...

Read More