CMMC Phase II Suspension: Facts vs. Fiction 7 min read Download Download CMMC Phase II Suspension: Facts vs. Fiction 7 min read By Perry E. KeatingManaging Director and President, Protiviti Government ServicesExecutive summaryOn July 13, 2026, the Department of Defence (DoD) announced the immediate suspension of CMMC Phase II implementation and established a 60-day CMMC Reform Task Force to conduct a comprehensive review of the program. While this announcement creates uncertainty regarding the future of third-party certification requirements, organisations should not interpret the decision as a relaxation of cybersecurity obligations.The certification process may be changing. The requirement to protect government information is not. Self-assessments and SPRS reporting remain part of the current compliance framework.Organisations handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) remain subject to existing contractual cybersecurity obligations, including DFARS 252.204-7012 requirements, NIST SP 800-171 implementation expectations, self-assessment obligations, and related compliance activities. The DoD announcement affects the certification rollout timeline, not the underlying cybersecurity requirements. Download the paper The certification process may be changing. The requirement to protect government information is not. Self-assessments and SPRS reporting remain part of the current compliance framework. Five things every contractor should know + EXPAND ALL 1. CMMC has not been cancelled. + The CMMC program remains active. The Department of Defense has paused the implementation of Phase II requirements and initiated a review of the program. Phase I requirements remain in effect. 2. NIST SP 800-171 remains in effect. + Organisations handling Controlled Unclassified Information (CUI) remain responsible for implementing and maintaining applicable NIST SP 800-171 security controls. These obligations are driven by existing contractual requirements and have not changed as a result of the Phase II suspension. 3. DFARS cybersecurity requirements remain in force. + DFARS 252.204-7012 requirements continue to apply to covered defense information and remain contractually enforceable. These obligations are driven by existing contractual requirements and have not changed as a result of the Phase II suspension. 4. False claims act exposure has not changed. + Organisations remain responsible for the accuracy of self-assessments, representations, affirmations, and cybersecurity compliance assertions made to the government. 5. The certification timeline may change — cybersecurity obligations have not. + The current discussion is about how cybersecurity compliance is verified, not whether cybersecurity is required. Facts vs. fiction FictionFactKey point"CMMC has been cancelled."CMMC has not been cancelled. The Department of Defence has suspended the Phase II rollout and launched a review of the program. Phase I requirements remain in effect.Think "pause," not "cancel." The CMMC program remains active while DoD evaluates potential reforms."We no longer need to comply with NIST SP 800-171."NIST SP 800-171 requirements remain in place and continue to form the basis for protecting Controlled Unclassified Information (CUI).The security requirements remain. Organisations handling CUI must continue implementing and maintaining required controls."DFARS cybersecurity requirements are gone."DFARS 252.204-7012 requirements remain fully enforceable. Contractors are still required to protect covered defence information.Contractual obligations have not changed. The requirement to protect government information remains."We should stop our cybersecurity improvement efforts."Organisations should continue executing their cybersecurity roadmap and remediation activities.Continue the journey. Strong cybersecurity remains essential regardless of how the certification process evolves."All of our CMMC preparation work was wasted."Readiness efforts remain valuable and continue to support compliance, audit readiness, cybersecurity maturity, and operational resilience.Keep building. SSPs, POA&Ms, policies, procedures, evidence repositories, and security improvements still matter."The government is backing off cybersecurity."Cybersecurity remains a top priority for the DoD. The review focuses on certification processes and administrative burden—not security expectations.Cybersecurity is still the mission. The discussion is about how compliance is verified, not whether security is required."The government is accepting self-attestations again, so audit readiness no longer matters."Organisations remain responsible for demonstrating compliance and supporting self-assessment assertions with appropriate evidence.Evidence still matters. Documentation, policies, procedures, technical artifacts, and audit trails remain critical."If CMMC changes, we no longer need to identify and protect CUI."Organisations that receive, process, store, or transmit CUI remain responsible for protecting that information.The data did not change. Understanding where CUI resides and how it is protected remains fundamental."The DOJ will stop pursuing cybersecurity enforcement cases."False Claims Act exposure and DOJ Civil Cyber-Fraud Initiative enforcement remain unchanged.Be careful what you attest to. Companies must be able to support compliance claims with evidence."SPRS scores are no longer important."Self-assessments and SPRS reporting remain part of the current compliance framework.Maintain accurate records. Organisations should continue managing SPRS scores, documentation, and affirmations."Existing contracts with CMMC requirements will stay as-is."The DoD has indicated that certain solicitations and contracts containing CMMC certification requirements may be amended during the review period.Review your contracts carefully. Monitor modifications and guidance from contracting officers."Small businesses can just wait until the government decides what to do."The Reform Task Force is expected to deliver recommendations within 60 days, and future requirements may evolve quickly.Use this time wisely. Stay informed, improve cybersecurity, and maintain readiness for future changes."CMMC is over."The certification process is temporarily paused, but cybersecurity requirements remain in force.Continue protecting CUI and FCI. The security mission remains unchanged. What has not changedOrganisations should continue to:Protect Federal Contract Information (FCI).Protect Controlled Unclassified Information (CUI).Comply with DFARS 252.204-7012 requirements.Maintain NIST SP 800-171 compliance efforts.Perform required self-assessments.Maintain and update System Security Plans (SSPs).Maintain Plans of Action & Milestones (POA&Ms).Maintain accurate SPRS submissions and affirmations.Continue cybersecurity remediation activities.Prepare for potential government-led reviews and audits.Maintain defensible cybersecurity documentation and evidence repositories.Maintain incident response, logging, monitoring, and vulnerability management capabilities.Continue identifying and protecting CUI throughout the enterprise.Ensure executive affirmations and compliance representations are supportable and evidence-based.What should contractors do now?Organisations should consider the following actions during the review period:Continue NIST SP 800-171 implementation and remediation efforts.Maintain current SSPs, POA&Ms, policies, procedures, and supporting evidence.Validate SPRS submissions and annual affirmations.Continue identifying, classifying, and protecting CUI and FCI.Review active solicitations and contracts for potential modifications.Evaluate cybersecurity representations made to customers and government agencies.Continue preparing for potential future certification, assessment, or audit requirements.Monitor guidance issued by the DoD CIO and CMMC Reform Task Force.Avoid making business decisions based on assumptions that cybersecurity requirements have been relaxed.Use this period to mature cybersecurity capabilities and close known security gaps.What may changeThe following areas are currently under review:Future role of independent third-party assessments (C3PAOs)Timing of future implementation phasesAssessment methodologiesCertification requirements for various contractor populationsApproaches intended to reduce burden on small and non-traditional businessesAlternative cybersecurity verification modelsPotential updates to assessment and attestation processesFuture alignment between certification activities and cybersecurity outcomes Cybersecurity compliance should not be viewed solely as a certification exercise. It is a business, operational, contractual and national security requirement. Protiviti's perspective As a CyberAB Registered Practitioner Organisation (RPO), we believe organisations should remain focused on the fundamentals. Cybersecurity compliance should not be viewed solely as a certification exercise. It is a business, operational, contractual and national security requirement.The certification model may evolve over the next 60 days, but the obligation to protect government information remains unchanged. Organisations that continue investing in governance, cybersecurity controls, documentation, evidence management, continuous monitoring, and operational resilience will be best positioned regardless of the outcome of the Department of Defence review.Companies that use this period to strengthen cybersecurity programs, improve documentation, close known control gaps, enhance executive oversight and improve audit defensibility will be positioned to respond effectively regardless of the future direction of the CMMC program. About Protiviti Government Services Protiviti Government Services is a CyberAB Registered Practitioner Organisation (RPO) that assists organisations with CMMC, NIST SP 800-171, DFARS, Government Data Protection, Compliance Readiness, Cybersecurity Program Management, Technical Remediation, and AI-enabled compliance acceleration services.For additional information regarding CMMC readiness, cybersecurity compliance and government data protection services, please contact [email protected]. Topics Cybersecurity and Privacy Risk Management and Regulatory Compliance Industries Government Aerospace and Defense