Back to Expertise

The CMMC Phase II Pause Does Not Change Your Compliance Obligations

July 16, 2026

cybersecurity compliance trends

Do Not Delay Your Compliance Efforts Following the Suspension of CMMC Phase II

The Department of Defense’s July 13, 2026, announcement suspending CMMC Phase II has created uncertainty across the defense industrial base. For some contractors, the pause may appear to provide additional time before cybersecurity requirements become a pressing concern.

For organizations doing business with the US federal government, the announcement raises important questions about compliance obligations and accountability. The message is straightforward: the underlying obligations remain unchanged.

While the third-party verification requirement associated with Phase II has been suspended, federal contractors and subcontractors are still responsible for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Phase I requirements continue to apply, including self-assessments against NIST SP 800-171 Rev. 2. Organizations doing business with the federal government remain responsible for implementing and maintaining the security controls required by their contracts.

Just as importantly, market expectations have not changed. Prime contractors continue to face their own compliance obligations and must have confidence in the cybersecurity posture of the organizations supporting them. Many will still expect subcontractors to demonstrate alignment with NIST SP 800-171 before including them in proposals or awarding new work.

Cybersecurity compliance remains a business requirement as much as a regulatory one.

Organizations should also recognize that self-assessments carry significant responsibility. Reporting compliance information to the government is not a paperwork exercise. It is a representation of an organization’s cybersecurity practices and controls, and those representations must be accurate.

Recent False Claims Act enforcement actions have highlighted the consequences of overstating compliance or misrepresenting cybersecurity capabilities. Government contractors should be prepared to substantiate their assessment results and demonstrate that required controls have been implemented and are operating as claimed.

This places particular importance on the role of the Affirming Official. Executives responsible for attesting to their organization’s compliance are putting their name behind those assertions each year. That responsibility cannot be delegated and should not be approached as a routine administrative task. Leadership teams must have confidence that their compliance program reflects reality, not aspiration.

The Department of Defense’s announcement changes the verification timeline. It does not change the expectation that contractors safeguard sensitive information and maintain effective cybersecurity practices. The department has made clear that it will continue enforcing compliance with NIST SP 800-171 through self-assessments and selected government-led assessments, with a focus on demonstrable cyber hygiene.

For federal contractors, the message is straightforward: compliance obligations remain in force, accountability remains in place, and the risks associated with noncompliance remain significant.

A pause in third-party verification is not a reason to postpone progress.

Elevate helps organizations review their compliance posture, identify gaps, and navigate complex cybersecurity requirements with confidence. If your team is evaluating the impact of the CMMC Phase II suspension, we can help you determine the right path forward.

The suspension of CMMC Phase II does not change contractors’ cybersecurity obligations. Compliance, executive accountability, and False Claims Act risk remain.

Learn more about our Cybersecurity Maturity Model Certification services