The Department of War’s decision to suspend Phase Two of the Cybersecurity Maturity Model Certification (CMMC Phase II) program will likely prompt many defense contractors to revisit their compliance plans, to see what the real-world impacts are for them and determine their best route forward. The stated goal of this change is to reduce the cost and administrative impact of compliance on smaller contractors, who had said that it had placed an unnecessary burden on them.
Phase Two had been scheduled to begin in November 2026, expanding the use of independent third-party assessments for organizations handling Controlled Unclassified Information (CUI). Instead, the Department has paused that transition, suspended pending and future implementation milestones, and launched a 60-day review of the program. Phase One self-assessment requirements remain in place.
For security teams that have invested considerable time and resources preparing for certification, the announcement may be frustrating. For smaller contractors facing significant assessment costs, it may provide welcome relief. Regardless of the perspective, the overall requirement to protect federal information has not been suspended.
What has actually changed?
CMMC was designed to give the federal government greater confidence that members of the defense industrial base were implementing the controls they had committed to maintaining.
Under Phase One, which began in November last year, organizations may be required to complete Level 1 or Level 2 self-assessments, submit results through the Supplier Performance Risk System and provide affirmations of compliance. Where Phase Two would have differed was by introducing broader use of assessments performed by certified third-party assessment organizations (like Thoropass).
While the pause changes how compliance may be independently verified in future contracts, it does not remove the underlying security requirements. The Department of War has stated that it will continue enforcing NIST SP 800-171 Revision 2 through self-assessments and select government-led assessments. Contractors and subcontractors also remain responsible for safeguarding covered defense information under DFARS 252.204-7012.
The Department has also clarified that solicitations and contracts already containing certain Level 2 third-party or Level 3 assessment requirements will need to be amended. Contractors should review the language in their specific agreements rather than assuming the public announcement automatically changes every contractual obligation.
A Pause in Certification – Not a Pause in Accountability
There’s a broader lesson here for any organization operating in a regulated environment. Certification programs, assessment methods and implementation schedules can change, and sometimes with little notice, like in this instance. However, the obligation to understand risk, operate appropriate controls and demonstrate that those controls are working is far more durable.
Organizations should resist treating the suspension as rationale to stop all of their CMMC readiness work because, while abandoning a control program now may save money in the immediate term, it could lead to even higher cost and disruption when revised requirements emerge.
The review could lead to a narrower program, a more scalable assessment model or a different approach to independent verification. It could also change how requirements are applied to smaller businesses, non-traditional contractors and different categories of federal information. The outcome is not yet known.
What we know is that the Department hasn’t lowered the expectation that federal data must be protected, as it has explicitly described the review as an effort to reduce administrative burden while retaining a strict security baseline. Therefore, the debate is increasingly about how cybersecurity should be validated, not whether defense contractors need effective cybersecurity.
What Security Teams Should do Now
Security and compliance leaders should use the review period to make their programs more defensible, not simply more certifiable.
- First, confirm which requirements currently apply to your organization. Review active contracts, solicitation language, the type of information you handle and any obligations passed down by prime contractors. The suspension may affect future certification milestones, but Phase One requirements and existing DFARS obligations remain active.
- Second, maintain the controls supporting your NIST SP 800-171 environment. Continue collecting evidence, tracking deficiencies and closing Plans of Action and Milestones. A control that operates consistently is far easier to validate under any future assessment model than one reconstructed shortly before an audit.
- Third, review the accuracy of previous self-assessments and affirmations. Self-assessment does not mean informal assessment. Scores, attestations and representations made to the government should be supported by evidence and a reasonable evaluation of control performance. Inaccurate representations can create exposure beyond the CMMC program itself, including potential scrutiny under the Department of Justice’s Civil Cyber-Fraud Initiative.
- Fourth, separate necessary security investment from spending driven only by assumptions about a particular certification process. Some organizations may have committed to technologies, consulting engagements or documentation exercises primarily because they expected a specific type of third-party review. This is an appropriate time to reassess those plans, while continuing to fund the capabilities needed to protect CUI and FCI.
- Finally, monitor the reform process closely. The task force is expected to consider industry feedback and recommend revised measures within 60 days. Security leaders should be prepared to explain how proposed changes could affect their control environment, contractual eligibility and assessment strategy.
The Bigger Picture for Defense Contractors
For Thoropass customers and other defense contractors, the announcement reinforces why audit readiness should be built around sustainable controls rather than a single deadline.
Organizations that have already strengthened access controls, documented system boundaries, formalized incident response, improved vendor oversight and established repeatable evidence processes have not wasted that effort. Those capabilities support the protection of sensitive information and can contribute to readiness across multiple customer, contractual and regulatory requirements.
Customers preparing specifically for a CMMC third-party assessment may now have additional time to address gaps and improve the quality of their evidence. They should also revisit their assessment timelines and contractual assumptions. Readiness plans may need to change, but the underlying control environment should continue to mature.
This is also a reminder that compliance requirements rarely move in a straight line. Programs are revised and deadlines often shift. Assessment approaches evolve as regulators and agencies try to balance assurance, cost and operational feasibility.
Strong organizations plan for that uncertainty, and they know which controls they operate, why those controls exist and how they can prove that the controls are effective. That foundation survives changes in program names, phases and enforcement mechanisms.
Do not Confuse Delay with Direction
CMMC Phase Two may return in a revised form, or the Department may adopt a different mechanism for validating security across the Defense Industrial Base. The current review is likely to shape the cost, scope and structure of that oversight. Security professionals should follow those developments carefully. They should not allow uncertainty about the final assessment model to create uncertainty about their responsibility today.
Related Posts
Stay connected
Subscribe to receive new blog articles and updates from Thoropass in your inbox.
Want to join our team?
Help Thoropass ensure that compliance never gets in the way of innovation.










.png)