CMMC

The Department of War Suspended CMMC Phase II. Here’s Why You Shouldn’t Slow Down.

Matt chaiko

Matt Chaiko

Lead Principal, Advisory Services, Coalfire

Marc zurcher

Marc Zurcher

Managing Principal, Coalfire

July 14, 2026
Web Image Zurcher Blog 2

On July 13, 2026, the Department of War (DoW) announced the immediate suspension of CMMC Phase II requirementswhich were scheduled to take effect on November 10, 2026. The Department also launched a 60-day study of the program’s future, to be led by a new CMMC Reform Task Force reporting to the DoW CIO. The stated goal is to reduce compliance costs and lower barriers for small, medium, and non-traditional businesses that the Department says are being pushed out of the Defense Industrial Base.

If you lead security or compliance for an organization in the DIB, your inbox probably filled up fast. The natural question after any announcement like this is simple: does the pressure come off now?

Our answer is no. The delivery mechanism for third-party certification is under review. Your legal obligation to protect federal data is not. Below we walk through what actually changed, what did not, and why the organizations that keep moving will be in a far stronger position than the ones that coast.

What the announcement actually said

Read the release closely and a few things stand out.

Phase I self-assessment requirements remain in place. The Department was explicit that this action does not eliminate the requirement for companies to protect federal data. During the interim period, the DoW will enforce compliance with the NIST SP 800-171 Rev. 2 standard through self-assessments and select government-led assessments. And every defense contractor and subcontractor remains contractually obligated to safeguard covered defense information under DFARS clause 252.204-7012.

So the headline is real: the November 2026 move to mandatory third-party certification is suspended, and a task force will recommend a path forward within roughly 60 days. But the underlying security bar did not move. If anything, the release points to more government-led assessments in the near term, not fewer.

What changed, and what didn’t

It helps to separate the mechanism from the mandate.

What is in flux is the assessment model. The requirement for many organizations to pass a third-party assessment by a C3PAO starting in November 2026 is on hold while the Department rethinks how it verifies cybersecurity across the supply chain.

What has not changed is the law and the contract language behind it. DFARS 252.204-7012 still requires you to implement NIST SP 800-171 and to report an accurate score in the Supplier Performance Risk System (SPRS). For organizations handling only Federal Contract Information, FAR 52.204-21 still sets the basic safeguarding floor. The self-assessment and annual affirmation obligations tied to those clauses are still live.

In other words, the audit at the door may be paused. The homework is not.

The Coalfire approach hasn’t changed, because it was never built around the certificate

Our approach has always been to prepare organizations in the DIB to meet or exceed the requirements of DFARS 252.204-7012 and the adjacent requirements, such as FAR 52.204-21 for Level 1. We built our work around the standard, not the stamp.

If you were preparing for a Phase II assessment, that preparation still counts. Use this interim period to close findings, mature your documentation, and turn a defensible SPRS score into an accurate one. When the task force reports back, and when new requirements land, you want to be adjusting from a position of strength rather than starting over.

The False Claims Act didn’t take a break

Here is the risk that a suspended assessment deadline can hide. Self-assessment is not a lighter obligation. It is a legal attestation, and the government has spent the last several years proving it will treat an inflated score as fraud.

Under the DOJ’s Civil Cyber-Fraud Initiative, contractors who misrepresent their cybersecurity posture face liability under the False Claims Act. The exposure is not trivial. Whistleblowers, often current or former employees, can file qui tam suits and collect 15 to 30 percent of the recovery, which gives insiders a strong incentive to report a number they know is wrong.

The settlements make the pattern concrete:

  • Health Net Federal Services and its parent, Centene, paid $11.2 million in February 2025 to resolve allegations that Health Net falsely certified compliance with cybersecurity requirements on a TRICARE contract.
  • Raytheon, RTX, and Nightwing entities paid $8.4 million in May 2025 over allegations that required controls, including a system security plan, were never implemented on a system used for unclassified DoD work.
  • Aerojet Rocketdyne paid $9 million in 2022 to settle claims that it misrepresented its compliance with DFARS and NASA cybersecurity requirements.
  • MORSECORP settled for $4.6 million after reporting a self-assessed score of 104 when its actual score was -142.
  • LOGZONE agreed to pay $507,144 in June 2026 after self-reporting a perfect 110 while a government assessment scored the same environment at -170.

Look at the range. These cases span multimillion-dollar primes and small logistics providers, and they cover self-assessment misrepresentation specifically. The LOGZONE and MORSECORP cases are the ones to sit with, because both turned on a self-assessed SPRS score that did not match reality. That is exactly the attestation the DoW just told you remains in force.

A suspended Phase II does not shrink FCA exposure. By leaning harder on self-assessment during the interim, the current posture arguably concentrates the risk on getting your own score right.

The court of public opinion never adjourns

There is a second cost that no policy memo can suspend. If you suffer a breach of CUI, or the government determines you misrepresented your compliance, you will likely end up in the news.

The reputational hit lands in two places at once. It can jeopardize your standing with the DoW and contracting officers who now have a documented reason to question your reliability. And it can follow you into the commercial market, where customers, partners, and investors read the same headlines and draw the same conclusions about how you handle sensitive data. Trust is slow to build and fast to lose, and a cybersecurity failure erodes it on both fronts simultaneously.

Security maturity is not only a contractual checkbox. It is a competitive asset and a brand-protection strategy.

What organizations in the DIB should do now

We would not tell you to ignore the announcement. It is a meaningful signal about where the program may be headed, and small businesses in particular should welcome a serious look at compliance cost. But treating a paused assessment as permission to slow down is a bet against your own contracts, the law, and your reputation.

A few practical moves for this interim period:

  • Keep your gap analysis and remediation work on track. Measure against NIST SP 800-171 Rev. 2 and 800-171A, not against a calendar date.
  • Make your SPRS score accurate before anyone else checks it. Reconcile your self-assessment with real evidence, and fix the delta rather than the number.
  • Flow requirements down to your subcontractors. Supply-chain gaps remain a live source of both breaches and FCA claims.
  • Prepare for government-led assessments. The Department signaled it will use them during the interim, so a self-assessment you cannot defend is a liability.
  • Watch for the task force’s findings and any new DFARS or contract language, and be ready to adjust from a mature baseline.

The program is in flux. The expectation to protect federal data is not. Organizations that stay the course through this interim will not be scrambling when the next set of requirements arrives, and they will carry a stronger security posture into every contract and every customer conversation in the meantime.

How Coalfire can help

If you would like to talk to our team about CMMC or have questions about this announcement, reach out