Upgrade your security strategy for the AI era.

CMMC Phase II Is Paused. Your Cybersecurity Obligations Are Not.
On July 13, 2026 the Defense Department announced it is suspending the planned rollout of CMMC Phase II and launching a 60-day review of the program. The decision pauses the November 10, 2026 requirement for most third-party CMMC Level 2 assessments while the Pentagon evaluates a new approach that it says will reduce cost, bureaucracy, and barriers to innovation.
For organizations throughout the Defense Industrial Base (DIB), the news has generated understandable questions:
Does CMMC still matter?
Should we stop preparing?
Are NIST 800-171 and DFARS still required?
What happens to contracts already in progress?
The short answer:
The certification timeline has changed. Your responsibility to protect federal information has not.
What Actually Changed?
The Pentagon has not eliminated CMMC.
Instead, it has:
Suspended the rollout of Phase II, which would have expanded requirements for third-party C3PAO assessments beginning November 10, 2026.
Ordered a comprehensive 60-day review of the program.
Directed contracting officers to modify solicitations requiring the suspended Phase II provisions where appropriate.
Continued Phase I requirements, including self-assessments where applicable.
The Department cited several reasons for the pause:
Compliance costs were becoming prohibitive for many small and mid-sized contractors.
There are simply not enough qualified third-party assessors to evaluate the number of organizations needing certification.
The administration wants to reduce bureaucracy while maintaining cybersecurity across the Defense Industrial Base.
What Didn't Change
This is where many organizations are misunderstanding today's announcement.
The following requirements remain in effect:
Protection of Federal Contract Information (FCI)
Organizations handling federal information must continue implementing appropriate safeguards.
Protection of Controlled Unclassified Information (CUI)
If your contracts require protection of CUI, those obligations have not disappeared.
DFARS Requirements
The cybersecurity requirements contained in DFARS clauses - including implementation of NIST SP 800-171 where applicable - remain contractual obligations. Today's announcement does not remove those requirements.
As Pondurance CISO Dustin Hutchison summarized internally:
"171 / DFARS is still appropriate... The Phase 1 self-assessments will still be in play and the need to protect data is necessary."
Why the Pentagon Hit Pause
Industry experts have warned for months that the current rollout was likely unsustainable.
More than 80,000 companies are expected to require Level 2 compliance, while only about 100 authorized C3PAO assessment organizations currently exist. Many assessors are already booked months in advance, creating an unavoidable bottleneck.
As Dustin Hutchison noted:
"The program may change completely... but the progress made to adequately identify and protect data should not stop."
Pondurance also believes the Department recognized another important issue: Compliance should improve cybersecurity - not become the objective itself. The Defense Department's own announcement emphasizes a future focused on "tangible cyber hygiene" rather than excessive administrative burden.
What Defense Contractors Should Do Now
Rather than stopping your cybersecurity efforts, organizations should use this pause strategically.
1. Continue implementing NIST 800-171
Whether future validation comes through self-assessment, government review, or a revised certification process, organizations with mature security programs will be positioned to adapt quickly.
2. Focus on protecting data - not passing audits
Cybersecurity should never exist solely to satisfy a compliance checklist.
Nation-state attackers aren't waiting for the government to finalize regulations. In fact, Nation-state and other threat actors can and will infer from this delay that many organizations are not currently as secure as they need to be.
3. Understand your environment
Properly identifying where CUI resides -and correctly scoping your environment- remains one of the largest drivers of both cost and success.
Poor scoping and a lack of data isolation frequently result in organizations spending far more than necessary.
4. Watch for future guidance
The Defense Department has committed to providing recommendations following its 60-day review.
Future requirements may evolve significantly from today's CMMC model.
Why This Doesn't Reduce Cyber Risk
Today's announcement changes how compliance may be validated.
It does not change the threat landscape.
Defense contractors continue to face:
Nation-state espionage
Ransomware
Supply chain attacks
Insider threats
Credential theft
Third-party compromise
Protecting sensitive government information remains essential regardless of the certification framework ultimately adopted.
How Pondurance Helps
Regulatory changes create uncertainty.
Strong cybersecurity programs create resilience.
Pondurance helps organizations focus on what matters most:
NIST 800-171 readiness
DFARS compliance support
CUI discovery and scoping
Security assessments and gap analyses
Managed Detection & Response (MDR)
Incident Response preparedness
Continuous monitoring that improves actual security - not just audit readiness
Our philosophy has always been simple: Build cybersecurity programs that protect your organization first; compliance naturally follows. Whether the DoD ultimately modifies, simplifies, or replaces portions of CMMC; organizations that have invested in sound cybersecurity practices will be far better positioned than those who viewed CMMC as merely a certification exercise.
Final Thoughts
Today's announcement should not be interpreted as a signal that cybersecurity requirements are disappearing.
Instead, it reflects an acknowledgment that the implementation approach needed refinement.
As the Pentagon works to balance national security, innovation, and practicality, one reality remains unchanged: Federal contractors are still expected to protect sensitive government information.
Organizations that continue strengthening their cybersecurity posture today will be prepared regardless of what the final CMMC framework looks like tomorrow.
About Pondurance
Pondurance helps organizations reduce cyber risk through Managed Detection & Response (MDR), Digital Forensics & Incident Response (DFIR), Cyber Advisory Services, and AI-powered security operations. We work alongside organizations in healthcare, government, manufacturing, and other regulated industries to build resilient security programs that protect critical operations while meeting evolving regulatory requirements.


.png)

