Technology Resources for Cybersecurity, IT, + Cloud | CompassMSP

CMMC Update: The Certification Is Suspended. The Standard Is Not.

Written by Jim Ambrosini | Jul 13, 2026 11:49:41 PM

CMMC Phase II is on hold. Here's why "pencils down" is the most expensive conclusion you could draw.

On July 13, 2026, the Department of War announced the immediate suspension of CMMC Phase II requirements: the third-party C3PAO assessments that were set to start appearing in contracts on November 10. The Phase III and Phase IV milestones behind it are suspended as well. A newly formed CMMC Reform Task Force will spend 60 days reviewing the program, gathering industry input through an RFI, and reporting back to the DoW CIO with recommendations for something faster and less costly for small and non-traditional businesses.

Now read the rest of that release, because the part that matters is the part that isn't in the headline.

In this article: 

Phase I self-assessments remain firmly in place. DFARS 252.204-7012 remains in force. NIST SP 800-171 remains the enforced standard, and the Department explicitly reserved the right to conduct government-led assessments. In the Department's own words, this action does not eliminate the requirement for companies to protect federal data.

Strip away the branding and here is what actually happened: the government removed the certification audit, not the security requirement. What's left is, functionally, CMMC without the C3PAO.

  • The same 110 controls.
  • The same SSP.
  • The same POA&M.
  • The same SPRS score.
  • The same contract clause making all of it material. Just no accredited third party checking your work before the government relies on it
If you've already passed your C3PAO assessment: you didn't waste your money. You bought a defensible security posture, a validated SSP, and an SPRS score you can actually stand behind. Which, as I'll explain below, is now the single most legally exposed number in your company. You are also going to win work over competitors who can't say the same, because primes are not going to loosen their flow-down requirements on the strength of a 60-day study. Keep your controls operating. Certification lapses in value only if you let the program decay behind it.

If you haven't started preparing for CMMC: this is a reprieve on the audit calendar, not on the obligation. If you hold a contract with DFARS 7012 in it today, you are already required to implement all 110 NIST 800-171 controls, and you were required to do so long before CMMC was ever conceived. If you have been treating November 10 as your start date, you are misreading your own contract. The deadline moved. The debt did not.

If you haven't started preparing for CMMC: this is a reprieve on the audit calendar, not on the obligation.

 

Yes, we saw it coming. No, that doesn't mean pencils down.

CMMC has been "eighteen months away" for the better part of seven years. Born in 2019, rebuilt as CMMC 2.0 in 2021, finalized in 2024, phased in starting last November. Every version arrived late and left a little smaller. The skepticism was earned, and the folks who quietly slow-rolled their C3PAO scheduling are feeling clever this week.

Enjoy it. It's a short victory lap.

Because "we called it" is not a security program, and the celebration going on in parts of the defense industrial base rests on a category error. The Department did not conclude that contractor cybersecurity was optional. It concluded that one particular verification mechanism had become too expensive relative to what it delivered. Those are very different findings, and the space between them is where a lot of companies are about to get hurt.

CMMC was always a verification layer bolted on top of an obligation that already existed. The obligation lives in DFARS 252.204-7012 and FAR 52.204-21. It predates CMMC, it survives CMMC, and it did not budge on July 13.

The 110 controls didn't move an inch

This is the operative fact, and it should be the first slide in whatever briefing you give your leadership this week.

NIST SP 800-171 defines 110 security controls for protecting Controlled Unclassified Information. DFARS 7012 makes implementing them a contractual requirement, not a best practice. The Department confirmed in the announcement that it will continue enforcing compliance against the NIST SP 800-171 standard during the interim period.

So: access control, audit and accountability, configuration management, identification and authentication, incident response, media protection, MFA, FIPS-validated encryption, your System Security Plan, your POA&M. All of it. Still required. Still enforceable. Still the basis of whatever the Reform Task Force recommends in 60 days — because it has to be. 7012 points at 800-171, and 7012 is statutory plumbing that a CIO memo doesn't touch.

If your program was 70% audit choreography and 30% actual control implementation, this announcement is a gift: you now have permission to cut the theater and fund the security. But if you read it as license to stop implementing controls, you have inverted the entire message.

The audits didn't stop. They changed hands.

Buried in the release is a phrase that deserves far more attention than it's getting: the Department will enforce compliance through self-assessments and select government-led assessments.

Government-led. That means DIBCAC.

Ask anyone who has been through a DIBCAC High assessment whether they'd rather face that or a C3PAO. The C3PAO was a scheduled, negotiated, commercially-mediated event with a firm you hired. A government-led assessment is not. The auditors did not go away , the friendly ones did.

And DIBCAC has a documented habit of finding a very different number than the one the contractor self-reported. That brings us to the real risk.

Faking your score is still fraud, and the government is still prosecuting it

Here is the part the ecosystem consistently gets backwards, and it matters more this week than it did last week.

CMMC was never the sharp end of the enforcement stick. The False Claims Act is. It always has been.

Since DOJ stood up the Civil Cyber-Fraud Initiative in 2021, it has built a steady, unglamorous track record of extracting money from defense contractors over cybersecurity misrepresentation and not one of those cases required CMMC to exist. They ran on DFARS 7012, NIST 800-171, and self-reported SPRS scores. Exactly the machinery that survived this announcement.

Consider these cautionary tales:

  • .
  • LOGZONE Inc.$507,144, June 2026. The Huntsville contractor self-reported a perfect SPRS score of 110. When DCMA assessed the same environment, it scored -170 — near the floor of the -203 to 110 range. That gap was the case.
  • Georgia Tech Research Corporation$875,000, September 2025. Allegations included missing anti-virus tooling, no system security plan for the lab doing the DoD work, and a false campus-wide summary-level assessment score submitted to DoD. Filed by two former members of Georgia Tech's own cybersecurity team.
  • Raytheon, RTX, and Nightwing$8.4 million, May 2025. Failure to implement required controls on an internal system used for unclassified work across 29 DoD contracts and subcontracts. Nightwing was named successor in liability for conduct that occurred before it acquired the business. The relator, a former Raytheon director of engineering, took home $1.5 million.
  • Swiss Automation Inc.$421,234, December 2025. An Illinois machine shop, and the first FCA cyber settlement against a supply-chain subcontractor. The allegation was inadequate protection of technical drawings for parts it machined for DoD primes. The case came from its own former quality control manager, who collected $65,291.

The math nobody runs until it's too late

Settlement headlines understate the exposure, because they are negotiated down. The statute itself is far less forgiving.

Under 31 U.S.C. § 3729, a False Claims Act violation carries treble damages, meaning three times what the government paid you, plus a civil penalty assessed on every false claim. That per-claim penalty currently runs $14,308 to $28,619. (DOJ set those figures in July 2025; the 2026 inflation adjustment was cancelled after the October 2025 appropriations lapse left BLS unable to compute the CPI, so the 2025 amounts still govern.)

The load-bearing phrase is per claim. A claim is an invoice.

If you certified a false SPRS score and then billed monthly against that contract, every invoice is its own violation:

Invoicing history Penalties at minimum Penalties at maximum
36 invoices (3 years, monthly) $515,088 $1,030,284
60 invoices (5 years, monthly) $858,480 $1,717,140

That is before treble damages. And notice what's missing from the calculation: the size of your contract. Penalties attach to the number of invoices, not the value of the work. A small shop on a modest contract can face statutory exposure exceeding everything it was ever paid.

Which is precisely what happened to LOGZONE. The two Navy contracts at issue generated roughly $682,000 in total payments across the period of alleged non-compliance. The settlement came to $507,144, or roughly three-quarters of the entire revenue those contracts produced. For a logistics company that wasn't selling cybersecurity to anyone.

Two fair caveats: courts retain discretion over penalty stacking, and Eighth Amendment excessive-fines challenges have succeeded in reducing awards. Most matters settle well below the theoretical ceiling. But "we'll negotiate it down" is not a control, and the ceiling is what your counsel will be staring at across the table.

That last detail is the one to sit with. Qui tam. A whistleblower. Your departing sysadmin, your disgruntled MSP account manager, your quality lead who read the SSP and knew it was fiction. That is the enforcement mechanism, and no Pentagon memo disables it.

Note what is absent from all four: a breach. Nobody got hacked. DOJ's own framing, from Deputy Assistant Attorney General Brenna Jenny at a January 2026 FCA enforcement conference, is that these cases are not about data breaches,  they are premised on misrepresentations. You do not need to be breached to be liable. You only need to have told the government something that wasn't true.

 

You do not need to be breached to be liable. You only need to have told the government something that wasn't true.

Now hold that next to what survived on July 13: the self-attestation.

The Department just removed the independent check that would have caught your inflated SPRS score before DOJ did and kept the score itself, kept the standard it's measured against, and kept the contract clause that makes it material. If your 110 is aspirational, the C3PAO was your last friendly reader. The next person to grade that homework is DIBCAC, or a relator's attorney working on contingency.

Think if this announcement less as deregulation and more like the removal of a safety net.

What to actually do on Monday

  1. Pull up your SPRS score today and ask whether it's honest. Not "defensible with creative reading." Honest. A score you voluntarily correct is a compliance event. A score DIBCAC corrects for you is a False Claims Act exposure. The delta between those two outcomes is measured in seven figures.
  2. Finish your 800-171 implementation. It's cheaper now than it was last week becauseyou no longer have to prove it to an assessor on a deadline. You just have to be it. Getting to a real 110 is the entire ballgame.
  3. Reprice, don't cancel. Cut evidence-packaging and audit choreography line items. Keep the ones that buy working controls. If your CMMC budget was mostly documentation, that ratio was always wrong, now you have cover to fix it.
  4. Expect the primes to hold the line. Lockheed, RTX, and Northrop don't manage supply chain risk on a 60-day review cycle. Flow-down requirements will outlive this suspension, and your contract with the prime is not the Department's to suspend.
  5. Submit to the RFI. The Department asked for industry feedback on where CMMC was wasteful and where it was worth it. If you've spent three years and real money learning that, you're exactly the input this task force needs.
  6. Assume something comes back. In 60 days there will be a recommendation. It will be built on 800-171. Companies with mature control environments will absorb it in a quarter. Companies that stood down will be starting from a negative score with a shorter runway.

The certification may be is suspended but the standard, audit and liability remain.

Anyone reading this announcement as permission to stand down has misread it and will find out eventually from someone considerably less friendly than an assessor.

CompassMSP is a Registered Practitioner Organization (RPO) certified by The Cyber AB. If you're trying to figure out what this suspension means for your specific contracts, scope, or SPRS score, our team can help you separate what changed from what didn't explore our CMMC readiness services.