CMMC Phase II suspended, but mission to protect CUI remains
CMMC Phase II is paused, but cybersecurity obligations remain. Learn what changed, what didn’t, and what contractors should do next.
The Department of War (DoW) just dropped a major announcement that shakes up the entire federal contracting landscape: “CMMC Phase II requirements are officially suspended immediately.”
The DoW in coordination with the Small Business Administration (SBA) is launching a 60-day review to eliminate prohibitive compliance costs (which according to the SBA were pushing up to $600,000 per firm) that have been driving small- and mid-sized businesses out of the Defense Industrial Base (DIB)
Pausing the process ≠ dropping your guard
While industry is breathing a sigh of relief over reduced perceived bureaucratic red tape, this is not a pass to weaken your cybersecurity posture.
As DoW Chief Information Officer Kirsten Davies emphasized, “Robust cybersecurity and operational resilience remain critical to protecting American innovation.”
Phase I is still fully in place: Contractors are still contractually required to complete Level 1 or Level 2 self-assessments.
The baseline hasn’t changed: Safeguarding covered defense information under DFARS 252.204-7012 remains a legal obligation.
Additionally, the suspension of Phase II does not remove any CMMC-related DFARS clauses or the enforcement of DFARS, nor does it change the risk of false claims for inaccurate representation and reporting.
The bigger picture: The FAR CUI framework is here
The suspension of CMMC Phase II third-party assessments doesn’t change the broader federal reality: the government is aggressively standardizing data protection. Under the recent Revolutionary FAR Overhaul (RFO), contractors across both civilian and defense sectors are facing tighter, unified data security rules under the new FAR Part 40 (Information Security and Supply Chain Security).
Specifically, the new FAR 52.240-7 (Controlled Unclassified Information) clause shifts the focus away from costly certifications and directly onto actionable security:
- NIST SP 800-171 baseline: Mandating clear compliance for non-federal systems handling CUI.
- Standardized CUI Identification (SF XXX): Forcing agencies to clearly communicate what data needs protection right inside the solicitation.
- The 72-Hour Breach Clock: Requiring immediate transparency and reporting of CUI incidents to protect the supply chain.
The bottom line
The government is moving toward a strategy of “speed to capability” over perceived bureaucratic compliance requirements. They want American innovators in the defense supply chain, but they need that innovation secured. The third-party assessment may have been paused, but an “adequate cyber posture” is still required.
What GovCons should pause vs. not pause
| What changed? | What remains the same? | Temporary vs. permanent? |
| Pause: CMMC Phase II third-party certification requirements and pending/future implementation milestones in DoW solicitations and contracts are suspended immediately while DoW conducts a 60-day review. | Do not pause: Phase I self-assessments remain in place. Contractors still need to complete applicable Level 1 or Level 2 self-assessments and maintain cyber controls aligned to contract requirements. | Temporary: The Phase II suspension is tied to the 60-day CMMC review and reform task force. Contractors should monitor for revised guidance rather than assuming CMMC is gone. |
| Pause: Rushing into a third-party assessment solely because Phase II was expected to begin on Nov. 10, 2026. | Do not pause: Protection of CUI, FCI, and covered defense information remains a contractual obligation under existing DFARS requirements and applicable contract clauses. | Permanent: The government’s expectation that contractors protect sensitive federal data has not changed. Cybersecurity remains a baseline requirement to compete and perform. |
| Pause: Treating CMMC certification timing as settled for new opportunities until DoW completes its review. | Do not pause: Remediation planning, documentation, incident response readiness, vendor risk management, and evidence collection should continue. | Likely evolving: The process may shift from certification-heavy compliance toward scalable, resilient cybersecurity measures, but the security outcomes still matter. |
Contractors can pause the Phase II certification scramble, but they should not pause cybersecurity. The announcement temporarily reduces immediate third-party assessment pressure; it does not remove the duty to protect government data and other agencies are planning to stand up their own “CMMC-like” requirements – another big reason to NOT PAUSE your implementation.
Related services
Our solutions are tailored to each client’s strategic business drivers, technologies, corporate structure, and culture.
Any advice contained in this communication, including attachments and enclosures, is not intended as a thorough, in-depth analysis of specific issues. Nor is it sufficient to avoid tax-related penalties. This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice specific to, among other things, your individual facts, circumstances and jurisdiction. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick, its partners, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.