
Matt Chaiko
Lead Principal, Advisory Services, Coalfire
CMMC



On July 13, 2026, the Department of War (DoW) announced the immediate suspension of CMMC Phase II requirements, which were scheduled to take effect on November 10, 2026. The Department also launched a 60-day study of the program’s future, to be led by a new CMMC Reform Task Force reporting to the DoW CIO. The stated goal is to reduce compliance costs and lower barriers for small, medium, and non-traditional businesses that the Department says are being pushed out of the Defense Industrial Base.
If you lead security or compliance for an organization in the DIB, your inbox probably filled up fast. The natural question after any announcement like this is simple: does the pressure come off now?
Our answer is no. The delivery mechanism for third-party certification is under review. Your legal obligation to protect federal data is not. Below we walk through what actually changed, what did not, and why the organizations that keep moving will be in a far stronger position than the ones that coast.
Read the release closely and a few things stand out.
Phase I self-assessment requirements remain in place. The Department was explicit that this action does not eliminate the requirement for companies to protect federal data. During the interim period, the DoW will enforce compliance with the NIST SP 800-171 Rev. 2 standard through self-assessments and select government-led assessments. And every defense contractor and subcontractor remains contractually obligated to safeguard covered defense information under DFARS clause 252.204-7012.
So the headline is real: the November 2026 move to mandatory third-party certification is suspended, and a task force will recommend a path forward within roughly 60 days. But the underlying security bar did not move. If anything, the release points to more government-led assessments in the near term, not fewer.
It helps to separate the mechanism from the mandate.
What is in flux is the assessment model. The requirement for many organizations to pass a third-party assessment by a C3PAO starting in November 2026 is on hold while the Department rethinks how it verifies cybersecurity across the supply chain.
What has not changed is the law and the contract language behind it. DFARS 252.204-7012 still requires you to implement NIST SP 800-171 and to report an accurate score in the Supplier Performance Risk System (SPRS). For organizations handling only Federal Contract Information, FAR 52.204-21 still sets the basic safeguarding floor. The self-assessment and annual affirmation obligations tied to those clauses are still live.
In other words, the audit at the door may be paused. The homework is not.
Our approach has always been to prepare organizations in the DIB to meet or exceed the requirements of DFARS 252.204-7012 and the adjacent requirements, such as FAR 52.204-21 for Level 1. We built our work around the standard, not the stamp.
If you were preparing for a Phase II assessment, that preparation still counts. Use this interim period to close findings, mature your documentation, and turn a defensible SPRS score into an accurate one. When the task force reports back, and when new requirements land, you want to be adjusting from a position of strength rather than starting over.
Here is the risk that a suspended assessment deadline can hide. Self-assessment is not a lighter obligation. It is a legal attestation, and the government has spent the last several years proving it will treat an inflated score as fraud.
Under the DOJ’s Civil Cyber-Fraud Initiative, contractors who misrepresent their cybersecurity posture face liability under the False Claims Act. The exposure is not trivial. Whistleblowers, often current or former employees, can file qui tam suits and collect 15 to 30 percent of the recovery, which gives insiders a strong incentive to report a number they know is wrong.
The settlements make the pattern concrete:
Look at the range. These cases span multimillion-dollar primes and small logistics providers, and they cover self-assessment misrepresentation specifically. The LOGZONE and MORSECORP cases are the ones to sit with, because both turned on a self-assessed SPRS score that did not match reality. That is exactly the attestation the DoW just told you remains in force.
A suspended Phase II does not shrink FCA exposure. By leaning harder on self-assessment during the interim, the current posture arguably concentrates the risk on getting your own score right.
There is a second cost that no policy memo can suspend. If you suffer a breach of CUI, or the government determines you misrepresented your compliance, you will likely end up in the news.
The reputational hit lands in two places at once. It can jeopardize your standing with the DoW and contracting officers who now have a documented reason to question your reliability. And it can follow you into the commercial market, where customers, partners, and investors read the same headlines and draw the same conclusions about how you handle sensitive data. Trust is slow to build and fast to lose, and a cybersecurity failure erodes it on both fronts simultaneously.
Security maturity is not only a contractual checkbox. It is a competitive asset and a brand-protection strategy.
We would not tell you to ignore the announcement. It is a meaningful signal about where the program may be headed, and small businesses in particular should welcome a serious look at compliance cost. But treating a paused assessment as permission to slow down is a bet against your own contracts, the law, and your reputation.
The program is in flux. The expectation to protect federal data is not. Organizations that stay the course through this interim will not be scrambling when the next set of requirements arrives, and they will carry a stronger security posture into every contract and every customer conversation in the meantime.
How Coalfire can help
If you would like to talk to our team about CMMC or have questions about this announcement, reach out.