Go Back Up

CMMC Update: The Certification Is Suspended. The Standard Is Not.

Jul 13, 2026 7:49:41 PM Jim Ambrosini 13 min read

CMMC Phase II is on hold. Here's why "pencils down" is the most expensive conclusion you could draw.

On July 13, 2026, the Department of War announced the immediate suspension of CMMC Phase II requirements: the third-party C3PAO assessments that were set to start appearing in contracts on November 10. The Phase III and Phase IV milestones behind it are suspended as well. A newly formed CMMC Reform Task Force will spend 60 days reviewing the program, gathering industry input through an RFI, and reporting back to the DoW CIO with recommendations for something faster and less costly for small and non-traditional businesses.

Now read the rest of that release, because the part that matters is the part that isn't in the headline.


In this article: 


Phase I self-assessments remain firmly in place. DFARS 252.204-7012 remains in force. NIST SP 800-171 remains the enforced standard, and the Department explicitly reserved the right to conduct government-led assessments. In the Department's own words, this action does not eliminate the requirement for companies to protect federal data.

Strip away the branding and here is what actually happened: the government removed the certification audit, not the security requirement. What's left is, functionally, CMMC without the C3PAO.

  • The same 110 controls.
  • The same SSP.
  • The same POA&M.
  • The same SPRS score.
  • The same contract clause making all of it material. Just no accredited third party checking your work before the government relies on it
If you've already passed your C3PAO assessment: you didn't waste your money. You bought a defensible security posture, a validated SSP, and an SPRS score you can actually stand behind. Which, as I'll explain below, is now the single most legally exposed number in your company. You are also going to win work over competitors who can't say the same, because primes are not going to loosen their flow-down requirements on the strength of a 60-day study. Keep your controls operating. Certification lapses in value only if you let the program decay behind it.

If you haven't started preparing for CMMC: this is a reprieve on the audit calendar, not on the obligation. If you hold a contract with DFARS 7012 in it today, you are already required to implement all 110 NIST 800-171 controls, and you were required to do so long before CMMC was ever conceived. If you have been treating November 10 as your start date, you are misreading your own contract. The deadline moved. The debt did not.

If you haven't started preparing for CMMC: this is a reprieve on the audit calendar, not on the obligation.

 

Yes, we saw it coming. No, that doesn't mean pencils down.

CMMC has been "eighteen months away" for the better part of seven years. Born in 2019, rebuilt as CMMC 2.0 in 2021, finalized in 2024, phased in starting last November. Every version arrived late and left a little smaller. The skepticism was earned, and the folks who quietly slow-rolled their C3PAO scheduling are feeling clever this week.

Enjoy it. It's a short victory lap.

Because "we called it" is not a security program, and the celebration going on in parts of the defense industrial base rests on a category error. The Department did not conclude that contractor cybersecurity was optional. It concluded that one particular verification mechanism had become too expensive relative to what it delivered. Those are very different findings, and the space between them is where a lot of companies are about to get hurt.

CMMC was always a verification layer bolted on top of an obligation that already existed. The obligation lives in DFARS 252.204-7012 and FAR 52.204-21. It predates CMMC, it survives CMMC, and it did not budge on July 13.

The 110 controls didn't move an inch

This is the operative fact, and it should be the first slide in whatever briefing you give your leadership this week.

NIST SP 800-171 defines 110 security controls for protecting Controlled Unclassified Information. DFARS 7012 makes implementing them a contractual requirement, not a best practice. The Department confirmed in the announcement that it will continue enforcing compliance against the NIST SP 800-171 standard during the interim period.

So: access control, audit and accountability, configuration management, identification and authentication, incident response, media protection, MFA, FIPS-validated encryption, your System Security Plan, your POA&M. All of it. Still required. Still enforceable. Still the basis of whatever the Reform Task Force recommends in 60 days — because it has to be. 7012 points at 800-171, and 7012 is statutory plumbing that a CIO memo doesn't touch.

If your program was 70% audit choreography and 30% actual control implementation, this announcement is a gift: you now have permission to cut the theater and fund the security. But if you read it as license to stop implementing controls, you have inverted the entire message.

The audits didn't stop. They changed hands.

Buried in the release is a phrase that deserves far more attention than it's getting: the Department will enforce compliance through self-assessments and select government-led assessments.

Government-led. That means DIBCAC.

Ask anyone who has been through a DIBCAC High assessment whether they'd rather face that or a C3PAO. The C3PAO was a scheduled, negotiated, commercially-mediated event with a firm you hired. A government-led assessment is not. The auditors did not go away , the friendly ones did.

And DIBCAC has a documented habit of finding a very different number than the one the contractor self-reported. That brings us to the real risk.

Faking your score is still fraud, and the government is still prosecuting it

Here is the part the ecosystem consistently gets backwards, and it matters more this week than it did last week.

CMMC was never the sharp end of the enforcement stick. The False Claims Act is. It always has been.

Since DOJ stood up the Civil Cyber-Fraud Initiative in 2021, it has built a steady, unglamorous track record of extracting money from defense contractors over cybersecurity misrepresentation and not one of those cases required CMMC to exist. They ran on DFARS 7012, NIST 800-171, and self-reported SPRS scores. Exactly the machinery that survived this announcement.

Consider these cautionary tales:

  • .
  • LOGZONE Inc.$507,144, June 2026. The Huntsville contractor self-reported a perfect SPRS score of 110. When DCMA assessed the same environment, it scored -170 — near the floor of the -203 to 110 range. That gap was the case.
  • Georgia Tech Research Corporation$875,000, September 2025. Allegations included missing anti-virus tooling, no system security plan for the lab doing the DoD work, and a false campus-wide summary-level assessment score submitted to DoD. Filed by two former members of Georgia Tech's own cybersecurity team.
  • Raytheon, RTX, and Nightwing$8.4 million, May 2025. Failure to implement required controls on an internal system used for unclassified work across 29 DoD contracts and subcontracts. Nightwing was named successor in liability for conduct that occurred before it acquired the business. The relator, a former Raytheon director of engineering, took home $1.5 million.
  • Swiss Automation Inc.$421,234, December 2025. An Illinois machine shop, and the first FCA cyber settlement against a supply-chain subcontractor. The allegation was inadequate protection of technical drawings for parts it machined for DoD primes. The case came from its own former quality control manager, who collected $65,291.

The math nobody runs until it's too late

Settlement headlines understate the exposure, because they are negotiated down. The statute itself is far less forgiving.

Under 31 U.S.C. § 3729, a False Claims Act violation carries treble damages, meaning three times what the government paid you, plus a civil penalty assessed on every false claim. That per-claim penalty currently runs $14,308 to $28,619. (DOJ set those figures in July 2025; the 2026 inflation adjustment was cancelled after the October 2025 appropriations lapse left BLS unable to compute the CPI, so the 2025 amounts still govern.)

The per-claim penalty for false SPRS scores is $14,308 to $28,619.

The load-bearing phrase is per claim. A claim is an invoice.

If you certified a false SPRS score and then billed monthly against that contract, every invoice is its own violation:

Invoicing history Penalties at minimum Penalties at maximum
36 invoices (3 years, monthly) $515,088 $1,030,284
60 invoices (5 years, monthly) $858,480 $1,717,140

That is before treble damages. And notice what's missing from the calculation: the size of your contract. Penalties attach to the number of invoices, not the value of the work. A small shop on a modest contract can face statutory exposure exceeding everything it was ever paid.

Which is precisely what happened to LOGZONE. The two Navy contracts at issue generated roughly $682,000 in total payments across the period of alleged non-compliance. The settlement came to $507,144, or roughly three-quarters of the entire revenue those contracts produced. For a logistics company that wasn't selling cybersecurity to anyone.

Two fair caveats: courts retain discretion over penalty stacking, and Eighth Amendment excessive-fines challenges have succeeded in reducing awards. Most matters settle well below the theoretical ceiling. But "we'll negotiate it down" is not a control, and the ceiling is what your counsel will be staring at across the table.

That last detail is the one to sit with. Qui tam. A whistleblower. Your departing sysadmin, your disgruntled MSP account manager, your quality lead who read the SSP and knew it was fiction. That is the enforcement mechanism, and no Pentagon memo disables it.

Note what is absent from all four: a breach. Nobody got hacked. DOJ's own framing, from Deputy Assistant Attorney General Brenna Jenny at a January 2026 FCA enforcement conference, is that these cases are not about data breaches,  they are premised on misrepresentations. You do not need to be breached to be liable. You only need to have told the government something that wasn't true.

 

You do not need to be breached to be liable. You only need to have told the government something that wasn't true.

Now hold that next to what survived on July 13: the self-attestation.

The Department just removed the independent check that would have caught your inflated SPRS score before DOJ did and kept the score itself, kept the standard it's measured against, and kept the contract clause that makes it material. If your 110 is aspirational, the C3PAO was your last friendly reader. The next person to grade that homework is DIBCAC, or a relator's attorney working on contingency.

Think if this announcement less as deregulation and more like the removal of a safety net.

What to actually do on Monday

  1. Pull up your SPRS score today and ask whether it's honest. Not "defensible with creative reading." Honest. A score you voluntarily correct is a compliance event. A score DIBCAC corrects for you is a False Claims Act exposure. The delta between those two outcomes is measured in seven figures.
  2. Finish your 800-171 implementation. It's cheaper now than it was last week becauseyou no longer have to prove it to an assessor on a deadline. You just have to be it. Getting to a real 110 is the entire ballgame.
  3. Reprice, don't cancel. Cut evidence-packaging and audit choreography line items. Keep the ones that buy working controls. If your CMMC budget was mostly documentation, that ratio was always wrong, now you have cover to fix it.
  4. Expect the primes to hold the line. Lockheed, RTX, and Northrop don't manage supply chain risk on a 60-day review cycle. Flow-down requirements will outlive this suspension, and your contract with the prime is not the Department's to suspend.
  5. Submit to the RFI. The Department asked for industry feedback on where CMMC was wasteful and where it was worth it. If you've spent three years and real money learning that, you're exactly the input this task force needs.
  6. Assume something comes back. In 60 days there will be a recommendation. It will be built on 800-171. Companies with mature control environments will absorb it in a quarter. Companies that stood down will be starting from a negative score with a shorter runway.

The certification may be is suspended but the standard, audit and liability remain.

Anyone reading this announcement as permission to stand down has misread it and will find out eventually from someone considerably less friendly than an assessor.

CompassMSP is a Registered Practitioner Organization (RPO) certified by The Cyber AB. If you're trying to figure out what this suspension means for your specific contracts, scope, or SPRS score, our team can help you separate what changed from what didn't explore our CMMC readiness services.

 

YOU MAY NEED TO KNOW

Frequently Asked Questions

Is CMMC cancelled?

No. Phase II, Phase III, and Phase IV implementation milestones are suspended pending a 60-day review by the CMMC Reform Task Force. Phase I remains firmly in place. The program is being reformed, not repealed, and the Department was explicit that the requirement to protect federal data is unchanged.

Do I still have to comply with NIST SP 800-171?

Yes. DFARS 252.204-7012 has required implementation of all 110 NIST SP 800-171 controls since 2017;years before CMMC existed. That clause is in your contract today, it was not suspended, and the Department stated it will continue enforcing compliance against the 800-171 standard during the interim period.

What happened to the November 10, 2026 CMMC deadline?

That was the date CMMC Phase II requirements would have begun appearing in solicitations, triggering the need for a C3PAO certificate. It is suspended. Your underlying 800-171 obligation has no such deadline; it is already past due.

I just passed my C3PAO assessment. Did I waste my money?

Donec nec justo eget felis facilisis fermentum. Aliquam porttitor mauris sit amet orci. Aenean dignissim pellentesque felis. Praesent dapibus, neque id cursus faucibus, tortor neque egestas auguae, eu vulputate magna eros eu erat. Aliquam erat volutpat.

Is my CMMC certificate still valid?

Your assessment result doesn't evaporate, but its practical value depends on what the Reform Task Force recommends. The safe assumption is that any future framework will be built on 800-171, which means the control environment you just validated is the asset, not the certificate itself. Keep the controls operating.

I haven't started preparing for CMMC. Can I wait for the 60-day review?

You can wait on the audit prep. You cannot wait on the controls. If DFARS 7012 is in your contract, you are already required to have implemented 800-171, and you are already exposed for every invoice you have submitted while non-compliant. Waiting doesn't pause that exposure. It extends it.

Are CMMC audits actually still happening?

Yes. The announcement explicitly preserved select government-led assessments. That means DIBCAC. The third-party assessors were removed from the process; the government assessors were not. DIBCAC assessments are generally harder than C3PAO assessments, not easier.

What happens if my SPRS score is inflated?

That is the central risk of this whole situation. A false self-assessment score submitted under DFARS 7019/7020 can support False Claims Act liability. LOGZONE learned this when it self-reported 110 and DCMA scored the same environment at -170. The statute provides for treble damages plus a civil penalty of $14,308 to $28,619 per false claim, and each invoice submitted against the contract is a separate claim. LOGZONE's settlement came to roughly three-quarters of everything the affected contracts paid it. If your score is wrong, correcting it voluntarily is dramatically cheaper than having DIBCAC or a whistleblower correct it for you.

How much can a company actually be fined for a false SPRS score?

More than most people assume, because the penalty scales with your invoices, not your contract value. Under 31 U.S.C. § 3729, a False Claims Act violation carries treble damages, meaning three times what the government paid you, plus a civil penalty of $14,308 to $28,619 on every false claim. A claim is an invoice. If you certified a false score and billed monthly for three years, that is 36 separate violations:

Invoicing history Penalties at minimum Penalties at maximum
36 invoices (3 years, monthly) $515,088 $1,030,284
60 invoices (5 years, monthly) $858,480 $1,717,140

That is before treble damages are added. In practice, cases settle below the statutory ceiling, and courts retain discretion over penalty stacking. But the real-world numbers are still severe: LOGZONE's two Navy contracts generated roughly $682,000 in total payments, and the settlement came to $507,144. That is about three-quarters of everything those contracts ever paid the company.

Can I face penalties if I was never breached?

Yes, and this is the most commonly misunderstood point in the entire discussion. None of the major DOJ cyber-fraud settlements involved an actual breach. They involved misrepresentation: telling the government you had implemented controls that you had not. You do not need to be hacked to be liable.

Who can report me for inflated SPRS scores?

Anyone with knowledge, under the False Claims Act's qui tam provisions, and they have a direct financial incentive. Georgia Tech's case came from two of its own cybersecurity staff. Raytheon's came from a former director of engineering, who received $1.5 million. Swiss Automation's came from its former quality control manager. Insiders are the primary source of these cases.

Do primes still require CMMC in their flow-downs?

Expect them to. Large primes do not restructure their supply chain risk programs around a 60-day study, and their contracts with you are not the Department's to suspend. Any DFARS 7012 flow-down in your subcontract remains binding regardless of what happens to CMMC.

Should I cut my CMMC budget?

Reprice it, don't cancel it. Costs tied to audit preparation, such as evidence packaging, artifact curation, and assessment scheduling, can reasonably be deferred. Costs tied to actual control implementation (MFA, encryption, logging, access control, incident response) should not be, because those are what 7012 requires and what DOJ enforces.

What should I do in the next 60 days?

Verify your SPRS score is honest, close your real 800-171 gaps, keep your controls operating, and submit feedback to the Department's RFI. Then be ready to move when the Task Force reports. Companies with mature control environments will absorb whatever comes next in a quarter. Companies that stood down will be starting over with less runway.

Jim Ambrosini

Jim is an award-winning CISO and cybersecurity advisor with over two decades of experience helping organizations protect what matters most: their customers, their data, and their reputation.

Navigate What’s Next

Get new insights, practical guides, and timely resources delivered to your inbox.