Pausing CMMC Should Not Mean Pausing Cybersecurity
I understand why some defense contractors are relieved that CMMC Phase II has been paused.
On July 13, 2026, the Department of War immediately suspended the Phase II requirements that were scheduled to begin on November 10, 2026. The suspension also applies to pending and future Phase II milestones in solicitations and contracts. (Department of War release)
But this is not the end of CMMC, and it is not a cancellation of the cybersecurity requirements defense contractors already have.
Phase I remains in effect, including its self-assessment requirements. The department has also launched a 60-day review of the program and created a CMMC Reform Task Force to recommend a more practical and scalable approach, particularly for small, medium-sized, and nontraditional defense contractors.
Preparing for CMMC has been expensive, confusing, and stressful, especially for smaller businesses. There were clearly parts of the program that needed another look.
Still, I have a hard time seeing the pause as good news for cybersecurity.
The certification timeline may have changed, but the responsibility to protect controlled unclassified information has not.
CMMC Was Creating Momentum
One thing CMMC did well was get business leaders to take cybersecurity more seriously.
Most owners already know security matters. The problem is that it competes with customers, staffing, projects, and expenses. When nothing appears to be wrong, security improvements are easy to delay.
CMMC forced companies to ask important questions. Where is sensitive information stored? Who can access it? Is multifactor authentication being used consistently? Are computers properly protected and monitored? What happens if the company experiences a security incident?
Those are questions every defense contractor should be asking, whether CMMC continues in its current form or not.
My concern is that some businesses will hear the word "pause" and assume the cybersecurity work can also stop.
It cannot.
The Process May Need Work
The department says certification costs and administrative requirements have created barriers for smaller and more innovative companies trying to participate in the Defense Industrial Base. That concern is understandable. Smaller manufacturers, engineering firms, subcontractors, and professional service companies do not have the same resources as large defense contractors.
The government should look for ways to make the process more affordable and realistic.
But making the certification process easier cannot mean treating the information as less important.
Controlled unclassified information may include technical drawings, project details, system specifications, and contract information. That information can still be valuable to criminals and foreign adversaries.
The fact that protecting it is difficult does not make it less important.
The Requirements Are Still There
During the review, the department says it will continue enforcing NIST SP 800-171 Revision 2 through self-assessments and selected government-led assessments. Contractors and subcontractors also remain responsible for protecting Covered Defense Information under DFARS 252.204-7012, including applicable safeguarding and cyber incident-reporting obligations.
If a company had an inaccurate SPRS score before the pause, it still has an inaccurate score. If its system security plan is outdated, it is still outdated. If sensitive files are poorly controlled, those risks are still present.
The deadline changed. The problems did not.
Keep Moving Forward
Defense contractors should use this pause to take an honest look at where they stand.
- Make sure the NIST 800-171 self-assessment and SPRS score reflect the real environment.
- Update the system security plan.
- Confirm where CUI is stored and who actually needs access to it.
- Review shared folders, cloud services, and employee accounts for outdated or unnecessary permissions.
Companies should also revisit the issues they already know need attention. Instead of leaving unfinished items buried in a POA&M, assign someone to each issue, decide what needs to happen next, and set a realistic deadline for completing it.
Continue preserving documentation and evidence, and keep watching new solicitations and contracts for any specific assessment requirements.
None of this work depends on the final version of CMMC.
The program may need to become less expensive, less complicated, and more realistic for smaller businesses. But the need for stronger cybersecurity has not gone away.
The bottom line
Programs will change. Deadlines will move. The responsibility to protect the information remains.
Not sure where your NIST 800-171 self-assessment really stands?
DDSystems helps defense contractors across Maryland, DC, and Delaware review their SPRS score, tighten access to CUI, and keep compliance moving forward, pause or no pause.
Schedule an Appointment