On July 13, 2026, the Pentagon suspended the Cybersecurity Maturity Model Certification (CMMC) Phase II effective immediately, including the third-party certification phase that was scheduled to begin on November 10, 2026, and launched a 60-day review of the certification program. Phase I self-assessments, annual affirmations in Supplier Performance Risk System (SPRS), and every safeguarding and cyber incident reporting obligation under DFARS 252.204-7012 or other contractual provisions remain fully in force and unchanged. Contractors who read the pause as a compliance holiday are misreading it. The third-party certification requirement is paused, at least for now, but the requirements and representations, along with the False Claims Act exposure that attaches to them, are not.

Reading the pause memorandum, it is clear that the Administration now believes that CMMC implementation clashes with the desired speed of industry and acquisition transformation.  The rationale for this pause appears to be the same policy desire: to strip out compliance overhead that might slow down AI and cyber capability delivery and to review and revise compliance verification mechanisms.

Last November, in Navigating Turbulent Waters,” we described colliding priorities bearing down on defense contractors: an acquisition reform agenda built around speed to capability and commercial solutions, and increasing pushes for security in the defense industrial base. This trend has continued with Executive Order 14409 and National Security Presidential Memorandum/NSPM-11, which largely directed speed-over-compliance in the realm of Artificial Intelligence, followed by Executive action against Anthropic’s Fable 5. We closed our previous analysis by observing that implementing agencies might eventually develop approaches that recognize the tension between speed and compliance, or that one of the two colliding forces might simply win out.

For at least the new Chief Information Officer, it looks like the answer is speed, commerciality, and ease of contracting is winning out over security.  The Department’s stated rationale tracks the Secretary’s Acquisition Transformation initiatives: prioritizing speed to capability, lowering barriers for small and non-traditional businesses, and “replacing bureaucratic compliance with scalable, resilient cybersecurity measures.”

The question defense contractors should be asking is not whether the storm has passed, but whether this is merely the eye of the storm and what comes next. Five key takeaways to consider as you navigate the choppy seas:

  1. The Pause Suspends Verification, Not Obligation

It is important to be precise about what was suspended. The Department halted the transition to Phase II, the phase in which third-party certification assessments by accredited C3PAOs could be required as a condition of award for contracts involving controlled unclassified information (CUI), along with pending and future CMMC implementation milestones across Department solicitations and contracts. The Department’s CMMC program page now describes the program as paused in Phase 1.

What was not suspended is nearly everything else, including contractual requirements. Phase 1 self-assessment requirements remain, in the Department’s words, firmly in place: an annual Level 1 self-assessment and affirmation against the 15 basic safeguarding requirements of FAR 52.204-21 for contractors handling federal contract information, and a triennial Level 2 self-assessment, with annual affirmations, against the 110 security requirements of NIST SP 800-171 Revision 2 for contractors handling CUI, with results and affirmations entered into the SPRS. During the review period, the Department will enforce cybersecurity compliance with NIST SP 800-171 Rev 2 through self-assessments and, notably, select government-led assessments. And the announcement states expressly that contractors and subcontractors remain contractually obligated to safeguard covered defense information under DFARS 252.204-7012, which continues to carry its adequate-security, rapid incident-reporting, and subcontract flowdown requirements.

In short: the third-party assessment is on hold. The substantive duty, the self-assessment, and the  affirmations are not.

  1. The Pause Memorandum Focuses on the Speed Agenda

From Executive Orders 14265 and 14275 in April 2025, through the Secretary’s November 2025 Transforming the Warfighting Acquisition System memorandum, to the Acquisition Transformation System directives are a consistent policy agenda from this Administration to streamline and speed defense acquisitions. (We’ve covered this extensively, e.g., here and here).  The Department’s stated position is that CMMC, as designed, created prohibitive compliance costs and administrative burdens, and it cites Small Business Administration reporting that compliance costs are pushing innovative companies out of the defense industrial base, delaying capability delivery to warfighters.

Contractors should take the Department at its word about the path forward: the reform effort favors scalable security measures over certification infrastructure, and the Reform Task Force will synthesize industry feedback from a public Request for Information before reporting out. But contractors should be equally clear-eyed that a Department press release realigns Department acquisition policy—it does not amend the False Claims Act, withdraw DOJ’s enforcement initiative, or rewrite the safeguarding clauses already sitting in their contracts.

  1. Self-Attestation Is Where the FCA Docket Was Built

If defense contractors only take one thing away from this pause, it should be this: the interim regime—self-assessment plus signed affirmation—is precisely the posture under which the Civil Cyber-Fraud Initiative generated its settlements to date. As we wrote about in February, 2025 was a record year in settlements for the Civil Cyber Fraud Initiative on the backbone of False Claims Act issues predicated on cybersecurity issues.

As we explained in “4 Key Takeaways on the False Claims Act and CMMC 2.0 Compliance,” the government has effectively built materiality into the clause architecture itself. Under Escobar’s materiality standard and given DOJ’s consistent position that cybersecurity requirements are material to payment, every SPRS score and every annual affirmation is a representation on which an FCA case can be constructed. The Phase II pause removes the independent assessor who might have caught, and forced remediation of, a gap before a certification issued. It does not remove a single representation. Viewed that way, the risk per representation arguably goes up, not down: contractors are back to grading their own homework, and the qui tam bar knows exactly what that looked like from 2017 through 2025.

  1. “Adequate Security” Is Now Doing More Work and the Bar Is Rising

The substantive standard in DFARS 252.204-7012, the obligation to provide “adequate security” on all covered contractor information systems, implementing NIST SP 800-171 at a minimum, remains the operative minimum protection bar for covered defense information. That standard may be in flux. As we argued in our recent Law360 analysis, “How Anthropic’s Mythos May Upend Defense Cyber Rules,” adequacy is unclear when viewed against a threat environment that is rapidly changing in the face of frontier AI capabilities that are transforming what a reasonable safeguarding posture looks like. Suspending a third-party certification program does not suspend the threat; if anything, it widens the gap between the floor the Department will verify and the security necessary for cyber defenses.

Contractors should also pay close attention to the announcement’s reference to select government-led assessments during the interim period. The scope, selection criteria, and cadence of those assessments are undefined. Contractors with weak SPRS scores, recent incidents reported under -7012, or high-visibility programs should assume they are candidates and should treat their current self-assessment documentation as if it will be examined by a government assessment team, because it may be.

  1. Don’t Dismantle: Readiness Is a Discriminator, a Defense, and Insurance

This pause is certainly not reason to throw out established cybersecurity and compliance processes, even as defense contractors adjust their timelines.  First, certification requirements do not exist only in regulation. Many prime contractors have written CMMC Level 2 certification requirements and target dates directly into subcontracts and supplier agreements, and those contractual obligations are unaffected by the Department’s policy change unless and until the parties amend them. Second, a certification-ready posture, a current system security plan, closed or tightly managed POA&Ms, and contemporaneous documentation of SPRS score, is among the strongest practical defenses to an FCA allegation built on an affirmation. Third, the Task Force is charged with recommending realistic, scalable security measures within 60 days; a modified verification requirement emerging from that review is a practical reality, and contractors that preserve their enclave investments and assessment preparation will be positioned to move first when the requirement returns in whatever form.

What Contractors Should Do Now

  • Re-validate all SPRS entries. Confirm that current scores and affirmations are accurate and supportable today, and document the factual basis for each control determination.
  • Keep the system security plan and POA&Ms current. Treat every self-assessment as if a government-led assessment will audit it.
  • Audit executed prime and subcontract agreements for contractual CMMC certification requirements and target dates that survive the policy change and engage counterparties before assuming relief.
  • Participate in the Request for Information and Task Force process. The 60-day window is the industry’s possible opportunity to shape what replaces Phase II.
  • Preserve enclave, documentation, and assessment-preparation investments, and obtain written direction before deviating from any previously planned certification milestone.
  • To the extent possible, stay up to date on AI-enabled cyber threats and defense/security tools.

What to Watch

The Task Force report is due to the Department’s CIO within 60 days, roughly mid-September 2026. Watch closely for the legal mechanics of the suspension itself: the CMMC phase schedule is codified in 32 CFR Part 170 and implemented through the acquisition rulemaking, so the Department will need to effectuate the pause through some combination of class deviation, rulemaking, or solicitation-by-solicitation practice, and the chosen vehicle will determine how durable, and how contestable, the change is. Watch whether the November 10, 2026, Phase II date is formally removed or merely slipped; whether the National Defense Authorization Act for Fiscal Year 2027 has Congress weighing in on the program’s future; and whether DOJ’s Civil Cyber-Fraud Initiative tempo changes at all.

Check the Barometer, Not Just the Sky

Again, in November 2025, we wrote that the tension between speed and security would likely persist rather than resolve, and that contractors would need to navigate changes in the winds and seas rather than wait for clear skies. Recent developments and policies highlight this reality. The Presidential Actions and Phase II pause are exactly this kind of change, that demands adjustment without fundamentally altering the course. The verification storm wall has passed overhead, and for the next 60 days the winds are calm on that front. But the enforcement wall, the clause obligations, the affirmations, the qui tam bar, DOJ’s enforcement, and cyber threats, have not changed at all. Contractors who use the eye of the storm to check their condition and prepare for the future will be ready whichever direction they need to move. Contractors who mistake it for fair weather will not.  If assistance is required navigating these turbulent waters or to check in on compliance efforts, Fluet’s experienced Government Contracts team is prepared to help.