top of page

Upgrade your security strategy for the AI era.

Suspect a Breach? 

!

Contact Us:

Pondurance_Logo_R-10pxMargin_312px_REV-wordmark.png

CMMC Phase II Is Paused. Your Cybersecurity Obligations Are Not.

Gartner_Resources-Tout_AI-SOC-Agents_2x (1).png
Pondurance
July 16, 2026

On July 13, 2026 the Defense Department announced it is suspending the planned rollout of CMMC Phase II and launching a 60-day review of the program. The decision pauses the November 10, 2026 requirement for most third-party CMMC Level 2 assessments while the Pentagon evaluates a new approach that it says will reduce cost, bureaucracy, and barriers to innovation.


For organizations throughout the Defense Industrial Base (DIB), the news has generated understandable questions:

  • Does CMMC still matter?

  • Should we stop preparing?

  • Are NIST 800-171 and DFARS still required?

  • What happens to contracts already in progress?


The short answer:

The certification timeline has changed. Your responsibility to protect federal information has not.


What Actually Changed?

The Pentagon has not eliminated CMMC.


Instead, it has:

  • Suspended the rollout of Phase II, which would have expanded requirements for third-party C3PAO assessments beginning November 10, 2026.

  • Ordered a comprehensive 60-day review of the program.

  • Directed contracting officers to modify solicitations requiring the suspended Phase II provisions where appropriate.

  • Continued Phase I requirements, including self-assessments where applicable.


The Department cited several reasons for the pause:

  • Compliance costs were becoming prohibitive for many small and mid-sized contractors.

  • There are simply not enough qualified third-party assessors to evaluate the number of organizations needing certification.

  • The administration wants to reduce bureaucracy while maintaining cybersecurity across the Defense Industrial Base.


What Didn't Change

This is where many organizations are misunderstanding today's announcement.

The following requirements remain in effect:

Protection of Federal Contract Information (FCI)

Organizations handling federal information must continue implementing appropriate safeguards.

Protection of Controlled Unclassified Information (CUI)

If your contracts require protection of CUI, those obligations have not disappeared.


DFARS Requirements

The cybersecurity requirements contained in DFARS clauses - including implementation of NIST SP 800-171 where applicable - remain contractual obligations. Today's announcement does not remove those requirements.


As Pondurance CISO Dustin Hutchison summarized internally:

"171 / DFARS is still appropriate... The Phase 1 self-assessments will still be in play and the need to protect data is necessary."

Why the Pentagon Hit Pause

Industry experts have warned for months that the current rollout was likely unsustainable.

More than 80,000 companies are expected to require Level 2 compliance, while only about 100 authorized C3PAO assessment organizations currently exist. Many assessors are already booked months in advance, creating an unavoidable bottleneck.


As Dustin Hutchison noted:

"The program may change completely... but the progress made to adequately identify and protect data should not stop."

Pondurance also believes the Department recognized another important issue: Compliance should improve cybersecurity - not become the objective itself. The Defense Department's own announcement emphasizes a future focused on "tangible cyber hygiene" rather than excessive administrative burden.


What Defense Contractors Should Do Now

Rather than stopping your cybersecurity efforts, organizations should use this pause strategically.

1. Continue implementing NIST 800-171

Whether future validation comes through self-assessment, government review, or a revised certification process, organizations with mature security programs will be positioned to adapt quickly.


2. Focus on protecting data - not passing audits

Cybersecurity should never exist solely to satisfy a compliance checklist.

Nation-state attackers aren't waiting for the government to finalize regulations. In fact, Nation-state and other threat actors can and will infer from this delay that many organizations are not currently as secure as they need to be.


3. Understand your environment

Properly identifying where CUI resides -and correctly scoping your environment- remains one of the largest drivers of both cost and success.


Poor scoping and a lack of data isolation frequently result in organizations spending far more than necessary.


4. Watch for future guidance

The Defense Department has committed to providing recommendations following its 60-day review.

Future requirements may evolve significantly from today's CMMC model.


Why This Doesn't Reduce Cyber Risk

Today's announcement changes how compliance may be validated.

It does not change the threat landscape.

Defense contractors continue to face:

  • Nation-state espionage

  • Ransomware

  • Supply chain attacks

  • Insider threats

  • Credential theft

  • Third-party compromise


Protecting sensitive government information remains essential regardless of the certification framework ultimately adopted.


How Pondurance Helps

Regulatory changes create uncertainty.


Strong cybersecurity programs create resilience.


Pondurance helps organizations focus on what matters most:

  • NIST 800-171 readiness

  • DFARS compliance support

  • CUI discovery and scoping

  • Security assessments and gap analyses

  • Managed Detection & Response (MDR)

  • Incident Response preparedness

  • Continuous monitoring that improves actual security - not just audit readiness


Our philosophy has always been simple: Build cybersecurity programs that protect your organization first; compliance naturally follows. Whether the DoD ultimately modifies, simplifies, or replaces portions of CMMC; organizations that have invested in sound cybersecurity practices will be far better positioned than those who viewed CMMC as merely a certification exercise.


Final Thoughts

Today's announcement should not be interpreted as a signal that cybersecurity requirements are disappearing.


Instead, it reflects an acknowledgment that the implementation approach needed refinement.

As the Pentagon works to balance national security, innovation, and practicality, one reality remains unchanged: Federal contractors are still expected to protect sensitive government information.


Organizations that continue strengthening their cybersecurity posture today will be prepared regardless of what the final CMMC framework looks like tomorrow.

About Pondurance

Pondurance helps organizations reduce cyber risk through Managed Detection & Response (MDR), Digital Forensics & Incident Response (DFIR), Cyber Advisory Services, and AI-powered security operations. We work alongside organizations in healthcare, government, manufacturing, and other regulated industries to build resilient security programs that protect critical operations while meeting evolving regulatory requirements.

wave pattern background

Featured Posts

CMMC Phase II Is Paused. Your Cybersecurity Obligations Are Not.

July 16, 2026

Benefits of Integrating SIEM Systems in Enterprise Security Infrastructure

February 3, 2026

Best Enterprise Cybersecurity Software for Larger Organizations

February 3, 2026

bottom of page