All articlesCMMC

CMMC Phase II Is Paused. Your DFARS Obligations Are Not.

July 17, 20268 min readMaverc CMMC Advisory · Registered Provider Organization (RPO)
CMMCNIST 800-171CUIDFARSComplianceGovernmentIdentity SecurityCloud Security
CMMC Phase II Is Paused. Your DFARS Obligations Are Not.

The Department of War suspended CMMC Phase II on July 13, 2026. DFARS 252.204-7012, NIST 800-171, and self-attested SPRS scores are still in force — and without a C3PAO in the loop, False Claims Act exposure now sits entirely with the contractor. Here is what defense contractors should actually do during the 60-day review window.

On July 13, 2026, Department of War Chief Information Officer Kirsten Davies suspended CMMC Phase II — the third-party assessment requirement that was scheduled to take effect November 10, 2026. Phases 3 and 4 were paused with it, pending a 60-day review by a newly stood-up CMMC Reform Task Force. Most of the trade press covered it as regulatory relief. It is not. It is a redistribution of risk, and the contractors treating it as a stand-down are the ones most exposed when the review window closes.

Nothing about a defense contractor's legal obligations changed on July 13. DFARS clause 252.204-7012 has required safeguarding of covered defense information since long before CMMC existed as a program. The 110 controls in NIST SP 800-171 Rev 2 are unchanged. Phase 1 self-assessment continues. What paused is the third party checking your work — and for a compliance officer, that is a very different kind of relief than the headlines suggest.

Why the pause happened, and why 60 days does not fix it

The Department's own numbers explain the suspension better than the announcement did. More than 100,000 companies in the Defense Industrial Base needed a triennial CMMC Level 2 assessment. Roughly 100 Certified Third-Party Assessor Organizations (C3PAOs) existed to conduct them. Davies described it plainly to reporters: the math does not math.

That is a structural bottleneck, not a policy dispute. Standing up new C3PAOs is measured in years, not the 60 days allotted to the Reform Task Force. Whatever framework emerges from the review — a revised Phase II, a recognition regime for existing commercial security tools, or something else — the underlying assessor capacity problem does not resolve inside the review window.

The Department also posted a Request for Information on SAM.gov the same day, with industry responses due August 14, 2026. The RFI asks contractors which 800-171 controls actually reduce risk, where administrative cost outweighs security value, and how commercial security tooling might count toward compliance in a future framework. Read plainly, that is a program being redesigned around demonstrable technical readiness, not a program being killed.

Removing the third-party check raises the stakes on self-attestation

Here is the part of the story that got buried under the "CMMC is dead" headlines: pausing a third-party check does not remove risk from the system. It relocates the risk entirely onto the accuracy of a contractor's own attestation.

Phase 1 self-assessments post to the Supplier Performance Risk System (SPRS) and are affirmed by a corporate executive. Under the now-suspended Phase II construct, a C3PAO would have independently verified that self-attested score before it became load-bearing for a contract award. With that check paused, an inaccurate SPRS score is no longer a finding a third party catches during an assessment cycle. It is a claim the contractor made to the federal government, unverified, that a False Claims Act investigation can test directly.

The mechanics are well established. The Department of Justice's Civil Cyber-Fraud Initiative, launched in October 2021, uses the False Claims Act specifically to pursue cybersecurity misrepresentations by government contractors and grant recipients. The Act's qui tam whistleblower provision lets a former employee, competitor, or subcontractor bring the claim directly and share in the recovery. Civil penalties currently run roughly $13,946 to $27,894 per false claim, adjusted for inflation, on top of treble damages.

The government has already used it. DOJ settled an $8.4 million FCA case against Raytheon and its successor Nightwing in 2025 over misrepresented compliance with NIST 800-171. A pending case against Georgia Tech alleges the university submitted a false cybersecurity assessment score to the DoD — exactly the failure mode a C3PAO check would otherwise have caught.

That math does not require a breach. It only requires that a contractor's self-attested score does not hold up to outside scrutiny. Framing this suspension as less pressure gets the calculus backward: less third-party pressure on paper means more first-party liability in practice.

Flow-down clauses and existing solicitations do not reset

A second detail the coverage largely missed: the Department's phase suspension is a change to its own audit posture, not a change to what primes owe subs or what existing contracts already require.

Primes with CMMC Level 2 flow-down clauses in active subcontracts still have to push those requirements down the supply chain. The Department's decision to pause its own third-party verification does not relieve a prime of its contractual obligation to a sub, and it does not relieve the sub of its obligation back to the prime.

The same logic applies to solicitations and contracts that already cite CMMC Level 2 as an award or performance condition. Davies directed program managers and contracting officers to amend affected solicitations "as soon as possible" — which is confirmation that those requirements do not simply evaporate. They get revised on the Department's schedule, one contract action at a time. Until an amendment lands for a specific contract, the CMMC Level 2 language in it is still binding.

For a General Counsel or a VP of Contracts, that is the detail that should drive action this week. Audit which active solicitations and subcontracts cite Phase II requirements. Do not assume any of them were quietly relieved by a national announcement.

What defense contractors should actually do in the 60-day window

The organizations that use this pause to close real gaps will be first through the pipe when the assessor queue reopens. The ones that treat it as permission to disengage will be competing with everyone else for the same scarce capacity, at the same time, all over again.

A short list of what to do now:

  • Treat the SPRS score as a legal instrument. Reconcile it against a fresh, evidence-backed assessment of all 110 NIST 800-171 controls. If it does not hold up under the same rigor a C3PAO would apply, revise it before someone else does.
  • Inventory every active contract, subcontract, and open solicitation that cites CMMC Level 2. Do not act on assumed relief; act on the specific contract modification that lands (or does not).
  • Continue enforcing flow-down obligations to subcontractors, and maintain a documented sub-tier compliance record. This is what turns a supply chain audit into a days-long task rather than a weeks-long fire drill.
  • Close the technical gaps you would have failed a C3PAO on. Access control, audit logging, configuration management, and identity — the domains where paper policies most often outrun operational reality — are also the domains a False Claims Act inquiry will look at first.
  • Submit to the August 14 RFI if your existing security stack maps to 800-171 controls. The Department is asking directly how commercial tooling should count in a future framework. That is a dated opportunity to shape the answer, not a reason to wait.

The reframe worth taking at face value

The Department's own language points to where this is headed. Reform Task Force officials have described the goal as preserving "a strict security baseline" while removing cost barriers, and specifically as favoring "tangible cyber hygiene over administrative overhead."

Read plainly, that is a statement about which kind of compliance evidence the Department values going forward: demonstrable technical controls over assessment paperwork. A self-assessment built on operational security controls — not a completed checklist — is more defensible under an FCA inquiry, more resilient to whatever the Reform Task Force ultimately proposes, and better positioned to satisfy the RFI's question about recognizing commercial tools.

CMMC has been rescheduled before. CMMC 1.0's complexity got it replaced in 2021. CMMC 2.0's assessor capacity is now getting Phase II paused. In neither case did the underlying goal — protecting Controlled Unclassified Information moving through the defense supply chain — go away. The mechanism changes. The obligation does not.

How Maverc helps DIB contractors during this window

Maverc is an RPO working with defense contractors and their subs across exactly this kind of regulatory whiplash. During the Phase II review window we are focused on the work that pays off regardless of what the Reform Task Force decides:

  • SPRS score reconciliation against evidence a C3PAO would accept.
  • Contract and subcontract audits to map every active CMMC Level 2 flow-down and the specific amendments that would (or would not) relieve it.
  • Closing the operational gaps most likely to draw an FCA question — identity, logging, CUI handling, access boundaries around any GCC High or FedRAMP-authorized enclave.
  • RFI response support for contractors whose existing security stack should count toward whatever framework replaces Phase II.

If your team is deciding what to prioritize this week, start with the SPRS score and the contract inventory. Everything else follows from those two.