Insights

CMMC Phase II: A Tactical Pause, Not a Strategic Retreat

Published on July 14, 2026 5 minute read
Practical ERP Solutions Background

The Department of Defense recently announced the immediate suspension of CMMC Phase II requirements and launched a 60-day review of the program. While Phase I self-assessment requirements remain in effect, the Department is reevaluating how to balance cybersecurity, acquisition speed, innovation, and the compliance burden placed on defense contractors. According to the Department, the goal is to reduce unnecessary red tape while maintaining strong cybersecurity standards across the Defense Industrial Base (DIB).

As stated in the Department's official announcement, “Robust cybersecurity and operational resilience remain critical to protecting American innovation and supporting warfighter readiness. We believe the DIB can achieve both, while we reduce unnecessary government red tape.”

For many organizations, particularly small and mid-sized contractors, the pause may be welcome news. Concerns about assessment costs, limited assessor availability, and the administrative demands of certification have been recurring challenges across the defense contracting community. However, contractors should not view this development as a signal that cybersecurity requirements are going away. The Department has made it clear that cybersecurity remains a priority, and the responsibility to protect federal information has not changed.

The reality is that the foundational requirements behind CMMC remain in place. Organizations handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) are still expected to implement appropriate safeguards, and NIST SP 800-171 continues to serve as the primary framework for protecting sensitive government information.

Rather than viewing this pause as a delay, contractors should see it as an opportunity to strengthen their cybersecurity posture. Organizations can use this time to address compliance gaps, enhance security controls, improve documentation, mature incident response capabilities, and establish sustainable governance processes. These efforts not only prepare companies for future compliance requirements but also reduce risk and improve operational resilience.

Whether future compliance is achieved through a revised CMMC model, a streamlined certification process, or another mechanism entirely, organizations that continue investing in cybersecurity maturity will be better positioned for success.

The timeline may be changing, but the destination remains the same. The expectation that defense contractors protect sensitive information and maintain strong cybersecurity practices is as important as ever. Organizations that continue aligning with NIST SP 800-171 and view cybersecurity as a business imperative will be best positioned for long-term success.

Need help navigating CMMC, NIST SP 800-171, or preparing for future certification requirements? Contact Citrin Cooperman’s Government Contracting or Risk Advisory teams to learn how we can help your organization stay secure, compliant, and prepared for what's next.