CMMC Pause Raises DFARS Self-Assessment Risks

CMMC Phase II Is Suspended. Your DFARS Obligations Are Not.

A single announcement from the Department of War just suspended the one external check standing between a defense contractor’s self-attested compliance score and a False Claims Act investigation. On July 13, 2026, the Department of War suspended CMMC Phase II – the third-party assessment requirement that was set to take effect November 10, 2026 – and the trade press immediately framed it as regulatory relief. It is not. It is a redistribution of risk, and the organizations that treat it as a stand-down are the ones most exposed when the review period ends.

Department of War Chief Information Officer Kirsten Davies announced the suspension after internal data showed a capacity problem that had nowhere to go: more than 100,000 Defense Industrial Base (DIB) companies needed a third-party assessment from a Certified Third-Party Assessor Organization (C3PAO), and only about 100 C3PAOs existed to conduct them. “The math just simply doesn’t math,” Davies told reporters, according to Breaking Defense’s July 13 coverage of the announcement. Phase 3 and Phase 4 of CMMC were suspended as well, pending a 60-day review by a newly formed CMMC Reform Task Force, and the Department has not ruled out cancelling the program outright once that review concludes.

What CMMC Phase II’s Suspension Actually Changes for DIB Contractors

None of that changes what a defense contractor is legally required to do today. DFARS clause 252.204-7012 has obligated contractors and subcontractors to safeguard covered defense information since well before CMMC existed as a program, and the Department’s own release states plainly that the suspension “does not eliminate the requirement for companies to protect federal data.” NIST 800-171 Rev 2’s 110 controls are unchanged. Self-assessment continues. What paused is the third party checking your work – and for a compliance officer, that is a very different kind of relief than the headlines suggest.

Kiteworks works with Defense Industrial Base contractors navigating exactly this kind of regulatory whiplash, and the pattern is familiar: a deregulatory announcement creates a false sense of security precisely when the underlying risk has gotten worse, not better.

The distinction matters because compliance teams, contracting officers, and executives are all reading the same headlines right now, and most of those headlines lead with relief rather than risk. A CISO who takes the wrong lesson from this announcement will walk into next week’s leadership meeting recommending the organization deprioritize a security investment it should be accelerating. A General Counsel who assumes existing CMMC contract language quietly disappeared will miss a flow-down obligation still sitting in an active subcontract.

Getting the framing right in the first 48 hours after an announcement like this one is not a communications exercise – it is the difference between an organization that closes its compliance gaps during a 60-day window and one that discovers them during a False Claims Act inquiry eighteen months from now. A supply chain risk management review that maps every active subcontract’s CMMC flow-down language should be the first action a prime contractor’s legal team takes this week.

CMMC 2.0 Compliance Roadmap for DoD Contractors

Read Now

Key Takeaways

1. CMMC Phase II is suspended, not eliminated.

The Department of War paused the third-party assessment requirement on July 13, 2026, while Phase 1 self-assessment and the underlying DFARS 252.204-7012 obligation remain fully in force.

2. The suspension is a capacity failure, not a policy reversal.

Over 100,000 Defense Industrial Base companies needed a third-party assessment, and only about 100 C3PAOs existed to conduct them – a structural bottleneck a 60-day review cannot fix.

3. Removing the third-party check raises False Claims Act exposure.

With no C3PAO catching an inaccurate self-attested SPRS score first, that liability now sits entirely with the contractor – civil penalties currently run roughly $13,946 to $27,894 per false claim, plus treble damages, and the government has already settled 15 cybersecurity-related False Claims Act cases since 2021.

4. Flow-down obligations and existing solicitations do not reset.

Primes still owe CMMC Level 2 requirements to subs, and contracts citing Level 2 remain in effect until formally amended, one contract at a time.

5. A public comment window closes August 14, 2026.

The Department’s RFI directly asks how commercial security tools might count toward a future framework, making this a dated opportunity rather than a reason to wait. Use the CMMC gap analysis methodology now, before the assessor queue reopens, to identify which technical gaps can be closed during this window.

The Backlog Was the Cause, and a 60-Day Review Does Not Fix It

Start with why this happened, because the reason matters more than the announcement itself. CMMC Level 2 requires a triennial assessment from a C3PAO for contractors handling Covered Defense Information (CDI) or Controlled Unclassified Information (CUI). That assessment pipeline was never built to handle the volume the Department itself now says exists. Washington Technology’s July 13 reporting confirmed that DoW’s suspension extends to CMMC Phase 3 (the Level 3 assessments originally slated for November 2027) and Phase 4, and that the Department posted a formal Request for Information (RFI) on SAM.gov the same day, with industry responses due August 14, 2026.

That RFI is worth reading closely, because it tells you where this is actually headed. It asks companies to weigh in on cost drivers and administrative burdens tied to CMMC compliance, which NIST 800-171 controls actually deliver meaningful risk reduction, and – most notably – how the Department might recognize existing commercial cybersecurity tools and managed services in a future compliance framework instead of requiring a separate third-party assessment for everything.

That is not a program being killed. That is a program being redesigned around exactly the kind of demonstrable, tooling-backed technical readiness that a self-assessment now has to stand on by itself.

The 100,000-to-100 ratio that Davies cited is a structural problem, not a temporary one. Training and accrediting new C3PAOs takes time measured in years, not the 60 days allotted to this review. When Phase II returns – and DoW officials have been explicit that they have not ruled out cancelling the program, only that they have also not committed to it – the same bottleneck will still exist, now compressed into whatever window the Reform Task Force sets.

Organizations that use this pause to build real technical readiness will be first through that pipe. Organizations that treat it as a reason to disengage will be competing with everyone else for the same scarce assessor capacity, at the same time, all over again. The CMMC compliance checklist provides the structured inventory that turns “build real technical readiness” into a documented, prioritized action list rather than a general intent.

This Is Not CMMC’s First Rescheduling, and That History Matters

Anyone tempted to read this suspension as evidence that CMMC itself is unraveling should look at how the program actually got here. The Department originally rolled out CMMC 1.0 in 2020 with five maturity tiers and a phased contract-by-contract rollout.

That version was scrapped in 2021 in favor of CMMC 2.0, a simplified three-tier structure aligned to NIST 800-171, after industry pushback over cost and complexity. The 2.0 rulemaking process itself then took roughly three years to finalize, moving through both the 32 CFR and 48 CFR rulemaking tracks before the CMMC Final Rule published in 2024 and Phase 1 self-assessment requirements took effect in November 2025.

That is the pattern worth noticing: every prior version of this program has been revised in response to exactly the kind of implementation problem now driving the Phase II suspension. CMMC 1.0’s complexity got it replaced. CMMC 2.0’s assessor capacity is now getting Phase II paused. In neither case did the underlying goal – protecting Controlled Unclassified Information moving through the defense supply chain – go away.

The mechanism changed. The obligation did not. Reading today’s suspension against that history should lower, not raise, anyone’s confidence that this is the end of third-party verification rather than another iteration of it.

Why Removing the Third-Party Check Raises the Stakes on Self-Assessment

Here is the part of this story that got buried under the “CMMC is dead” headlines: removing a third-party check does not remove risk from the system. It relocates the risk entirely onto the accuracy of a contractor’s own attestation.

CMMC Level 1 and the interim Phase 1 requirements have always relied on self-assessment, with results posted to the Supplier Performance Risk System (SPRS) and affirmed by a corporate executive.

Under the now-suspended Phase II construct, a C3PAO would have independently verified that self-attested score before it became load-bearing for a contract award. With that check paused, an inaccurate SPRS score is no longer a finding a third party catches during an assessment cycle – it is a claim the contractor made to the federal government, unverified, that a False Claims Act investigation can test directly.

The mechanics of that exposure are well established and predate CMMC entirely. The Department of Justice’s Civil Cyber-Fraud Initiative, launched in October 2021, uses the False Claims Act specifically to pursue cybersecurity-related misrepresentations by government contractors and grant recipients, and the Act’s whistleblower qui tam provision lets a private party – a disgruntled employee, a competitor, a former subcontractor – bring the claim directly and share in any recovery.

Civil penalties currently run roughly $13,946 to $27,894 per false claim, adjusted regularly for inflation, on top of treble damages. The government is not shy about pursuing this: DOJ settled an $8.4 million False Claims Act case against Raytheon and its successor Nightwing in 2025 over misrepresented compliance with NIST 800-171, and a pending case against Georgia Tech alleges the university submitted a false cybersecurity assessment score to the DoD – the exact failure mode a suspended C3PAO check would otherwise have caught.

That math does not require a breach to happen. It only requires that a contractor’s self-attested score does not hold up to scrutiny – and with no C3PAO in the loop to catch that gap first, the contractor is the only line of defense against it. A formal risk assessment conducted against the NIST 800-171 control set, documented with the same evidentiary rigor a C3PAO would apply, is the most direct way to verify that a self-attested SPRS score will survive external scrutiny.

This is why framing this suspension as “less pressure” gets the risk calculus backward. Less third-party pressure on paper translates to more first-party liability in practice. A compliance officer who understood their exposure on July 12 should understand it more acutely on July 14, not less.

Contractual Flow-Downs Do Not Reset With the Department’s Timeline

A second detail that got lost in the coverage: DoW’s phase suspension is a change to the Department’s own audit requirements, not a change to what primes owe subs or what existing solicitations already require. Primes with CMMC Level 2 flow-down clauses in their subcontracts still have to push those requirements down the supply chain – the suspension of the Department’s own third-party verification process does not relieve a prime of its contractual obligation to its subs, and it does not relieve a sub of its obligation back to the prime.

The same logic applies to solicitations and contracts that already cite CMMC Level 2 as an award or performance condition. Breaking Defense’s July 13 coverage reported that Davies directed program managers and contracting officers to amend or modify current solicitations containing the suspended Phase II requirements “as soon as possible” – which is itself confirmation that those requirements do not simply evaporate; they get formally revised, on the Department’s timeline, one contract action at a time. Until that amendment happens for a specific contract, the CMMC Level 2 language in it is still there.

For a General Counsel or a VP of Contracts, that is the detail that should drive action this week: audit which active solicitations and subcontracts cite Phase II requirements, and do not assume any of them have been quietly relieved just because the Department made a national announcement.

Supply chain risk management disciplines — specifically the practice of maintaining a current, auditable record of every subcontractor’s compliance status — are what make that audit possible in days rather than weeks. Organizations without a documented sub-tier compliance inventory should treat building one as the immediate priority alongside reviewing contract language.

The Small Business Angle DoW Is Using to Justify the Pause

The suspension’s public justification leans heavily on small and mid-size contractors, and understanding that framing matters for anyone assessing where this goes next. The Small Business Administration publicly commended the suspension the same day it was announced, citing compliance costs approaching $600,000 for some small firms and warning that the current CMMC framework was pushing firms out of the Defense Industrial Base entirely rather than bringing new entrants in.

That is the political rationale behind the pause: preserve the security baseline while removing a cost barrier that was shrinking the supply chain instead of securing it.

That framing cuts both ways for a small or mid-size subcontractor deciding what to do next. On one hand, the RFI’s question about recognizing existing commercial tools is a direct opportunity to argue that a smaller firm’s existing security stack should count for something in whatever framework replaces or revises Phase II.

On the other hand, a firm that reads this suspension as permission to deprioritize security spending entirely is choosing to be less prepared, not more competitive, when the assessor queue reopens – and reopens for everyone at once, small and large contractors alike. Secure MFT and secure email platforms that already map to NIST 800-171 controls are exactly the kind of commercial tools the RFI is asking about — smaller firms that can document existing tool coverage have a direct submission pathway to shape how the Reform Task Force treats their compliance posture.

Why “Tangible Cyber Hygiene Over Administrative Overhead” Is a Reframe, Not a Retreat

The Department’s own language points toward where this is actually going, and it is worth taking at face value rather than reading it as spin. DoW officials have repeatedly framed the goal of the CMMC Reform Task Force as preserving “a strict security baseline” while removing cost barriers – specifically, they want “tangible cyber hygiene over administrative overhead.”

Read plainly, that is a statement about which kind of compliance evidence the Department actually values going forward: demonstrable technical controls over assessment paperwork.

That reframe should change what a DIB contractor prioritizes during this window. A self-assessment built on documented, operational security controls – not just a completed checklist – is inherently more defensible under a False Claims Act inquiry, more resilient to whatever the Reform Task Force ultimately proposes, and better positioned to satisfy the RFI’s explicit question about recognizing commercial tools instead of requiring a separate third-party review of everything.

Kiteworks secure data exchange is built around exactly this kind of demonstrable technical readiness for organizations handling CUI and CDI. The platform maps nearly 90% of CMMC Level 2 requirements out of the box across domains including Access Control, Configuration Management, Audit and Accountability, and Physical Protection, backed by a hardened virtual appliance architecture, FIPS 140-3 Level 1 validated encryption, and FedRAMP Moderate authorization – with FedRAMP High currently In Process for its Secure Gov Cloud offering.

None of that is a substitute for a C3PAO assessment, and no organization should claim it is – the Department’s own FedRAMP equivalency guidance exists specifically to police vendors who make that kind of overreach. What it does provide is audit logs and access controls that give a self-attested SPRS score something real to stand behind, independent of when the next C3PAO assessment happens to land.

The NIST 800-171 compliance documentation that underlies this coverage is exactly the kind of evidentiary package the RFI signals the Reform Task Force wants to see recognized — organized, auditable proof of technical control implementation rather than assessment paperwork.

What Compliance Teams Should Actually Do Before the 60 Days Are Up

Treat this as a working window, not a pause. Five actions belong on a compliance officer’s list this week:

  1. Re-verify your SPRS score against actual evidence, not against the assumption that self-attestation carries lower scrutiny now. If a control claim cannot be demonstrated with logs, configuration records, or documentation, it is a liability, not a compliance win. This is the single highest-leverage action available during the review period, because it is the one thing a False Claims Act investigation would test first.

  2. Audit every active solicitation and subcontract for CMMC Level 2 language that has not yet been formally amended, and confirm with your contracting officer or prime whether flow-down obligations still apply. Do not wait for a notice; the amendment process is happening contract by contract, and there is no guarantee your specific agreement has been touched yet.

  3. Draft a response to DoW’s RFI, due August 14, 2026, particularly if your organization already uses commercial security tooling that maps to NIST 800-171 – this is a dated, formal channel to shape how the Reform Task Force ultimately treats tools like yours, and it closes in roughly a month.

  4. Close technical gaps now, while the assessment queue is paused, rather than waiting for Phase II to resume and competing with 100,000 other companies for roughly 100 assessors at the same time. A gap closed in August costs far less, in both money and risk, than the same gap discovered during a compressed reassessment window later. Encryption enforcement, attribute-based access controls, and immutable audit logging are the three technical domains where self-assessed gaps most commonly fail under external scrutiny — close these first.

  5. Document your audit trail and access-control evidence in a form you could hand to a False Claims Act investigator or a future C3PAO without having to reconstruct it under pressure. Evidence assembled after a subpoena arrives is materially weaker than evidence that already existed before the question was asked. A documented incident response plan that maps each NIST 800-171 IR control to a specific, tested procedure gives the audit package an additional layer of credibility that a checklist alone cannot provide.

The organizations that come out of this 60-day window ahead are not the ones that relaxed. They are the ones that used the gap between announcements to close it.

To learn more about closing CMMC 2.0 Level 2 compliance gaps while third-party assessments are paused, schedule a custom demo today.

Frequently Asked Questions

No. The Department of War suspended the third-party assessment requirement under Phase II, but Phase 1 self-assessment obligations remain in force, and DFARS clause 252.204-7012 still legally requires contractors and subcontractors to safeguard covered defense information. The Department’s own release states the suspension “does not eliminate the requirement for companies to protect federal data.” Organizations should continue working toward CMMC 2.0 compliance rather than treating this as relief from the underlying obligation. A risk assessment conducted against the full 110-control NIST 800-171 set — documented with evidentiary rigor equivalent to what a C3PAO would apply — is the most defensible posture during the suspension period and the most useful input to the CMMC Reform Task Force’s RFI process.

DoW CIO Kirsten Davies cited a capacity mismatch: more than 100,000 Defense Industrial Base companies needed a third-party assessment from a C3PAO, while only about 100 C3PAOs existed to conduct them, making the original November 10, 2026 deadline unworkable. A newly formed CMMC Reform Task Force is now reviewing the program for 60 days, with a public Request for Information open through August 14, 2026. The RFI specifically asks about the potential for commercial security tools to count toward a future compliance framework — organizations with existing tooling that maps to NIST 800-171 should treat the RFI as a direct opportunity to document and submit that coverage before the comment window closes. The NIST 800-171 compliance platform documentation that underlies a tool’s control coverage is exactly the kind of evidentiary artifact the Reform Task Force is signaling it wants to recognize.

It can increase it. With no C3PAO independently verifying a contractor’s self-attested SPRS score, an inaccurate attestation is no longer caught by a third party before it becomes actionable – it is a claim the contractor made directly to the federal government. The False Claims Act’s civil penalties and whistleblower qui tam provision apply to a false attestation regardless of whether an external assessor was ever involved, so accurate, evidence-backed self-assessment matters more, not less, during this suspension. Data governance documentation that records exactly which controls are implemented, at what configuration level, with what evidence — maintained continuously rather than assembled pre-assessment — is the organizational practice that most directly limits False Claims Act exposure during a period when no external check is running.

Not automatically. DoW has directed program managers and contracting officers to amend or modify solicitations and contracts containing the suspended Phase II requirements, but that happens contract by contract on the Department’s timeline. Until a specific contract or subcontract is formally amended, its existing CMMC Level 2 language and any associated DFARS flow-down obligations remain in effect. Supply chain risk management disciplines — specifically maintaining a current, auditable record of every subcontractor’s compliance status and every active contract’s CMMC language — are what make the required audit possible in days rather than weeks. Organizations without a documented sub-tier compliance inventory should treat building one as an immediate priority alongside the contract language review.

Use the window to close technical gaps rather than waiting for Phase II to resume. That means verifying SPRS scores against real evidence, auditing active contracts for unamended CMMC Level 2 language, documenting audit trail and access control evidence, and considering a response to DoW’s RFI before the August 14, 2026 deadline. Organizations that build demonstrable readiness now avoid competing with the full backlog of 100,000 companies once third-party assessments resume. An incident response plan that maps each NIST 800-171 IR control to a specific, tested procedure is a particularly high-value audit artifact — it demonstrates the kind of operational security posture the Reform Task Force’s “tangible cyber hygiene” language is pointing toward, and it is often the most visible gap when compliance programs have prioritized checklist completion over tested operational readiness.

Additional Resources

Get started.

It’s easy to start ensuring regulatory compliance and effectively managing risk with Kiteworks. Join the thousands of organizations who are confident in how they exchange private data between people, machines, and systems. Get started today.

Table of Content
Share
Tweet
Share
Explore Kiteworks