On July 13, 2026, the Department of War announced the immediate suspension of CMMC Phase II requirements: the third-party C3PAO assessments that were set to start appearing in contracts on November 10. The Phase III and Phase IV milestones behind it are suspended as well. A newly formed CMMC Reform Task Force will spend 60 days reviewing the program, gathering industry input through an RFI, and reporting back to the DoW CIO with recommendations for something faster and less costly for small and non-traditional businesses.
Now read the rest of that release, because the part that matters is the part that isn't in the headline.
In this article:
Faking your score is still fraud, and the government is still prosecuting it
Phase I self-assessments remain firmly in place. DFARS 252.204-7012 remains in force. NIST SP 800-171 remains the enforced standard, and the Department explicitly reserved the right to conduct government-led assessments. In the Department's own words, this action does not eliminate the requirement for companies to protect federal data.
Strip away the branding and here is what actually happened: the government removed the certification audit, not the security requirement. What's left is, functionally, CMMC without the C3PAO.
If you haven't started preparing for CMMC: this is a reprieve on the audit calendar, not on the obligation. If you hold a contract with DFARS 7012 in it today, you are already required to implement all 110 NIST 800-171 controls, and you were required to do so long before CMMC was ever conceived. If you have been treating November 10 as your start date, you are misreading your own contract. The deadline moved. The debt did not.
If you haven't started preparing for CMMC: this is a reprieve on the audit calendar, not on the obligation.
CMMC has been "eighteen months away" for the better part of seven years. Born in 2019, rebuilt as CMMC 2.0 in 2021, finalized in 2024, phased in starting last November. Every version arrived late and left a little smaller. The skepticism was earned, and the folks who quietly slow-rolled their C3PAO scheduling are feeling clever this week.
Enjoy it. It's a short victory lap.
Because "we called it" is not a security program, and the celebration going on in parts of the defense industrial base rests on a category error. The Department did not conclude that contractor cybersecurity was optional. It concluded that one particular verification mechanism had become too expensive relative to what it delivered. Those are very different findings, and the space between them is where a lot of companies are about to get hurt.
CMMC was always a verification layer bolted on top of an obligation that already existed. The obligation lives in DFARS 252.204-7012 and FAR 52.204-21. It predates CMMC, it survives CMMC, and it did not budge on July 13.
This is the operative fact, and it should be the first slide in whatever briefing you give your leadership this week.
NIST SP 800-171 defines 110 security controls for protecting Controlled Unclassified Information. DFARS 7012 makes implementing them a contractual requirement, not a best practice. The Department confirmed in the announcement that it will continue enforcing compliance against the NIST SP 800-171 standard during the interim period.
So: access control, audit and accountability, configuration management, identification and authentication, incident response, media protection, MFA, FIPS-validated encryption, your System Security Plan, your POA&M. All of it. Still required. Still enforceable. Still the basis of whatever the Reform Task Force recommends in 60 days — because it has to be. 7012 points at 800-171, and 7012 is statutory plumbing that a CIO memo doesn't touch.
If your program was 70% audit choreography and 30% actual control implementation, this announcement is a gift: you now have permission to cut the theater and fund the security. But if you read it as license to stop implementing controls, you have inverted the entire message.
Buried in the release is a phrase that deserves far more attention than it's getting: the Department will enforce compliance through self-assessments and select government-led assessments.
Government-led. That means DIBCAC.
Ask anyone who has been through a DIBCAC High assessment whether they'd rather face that or a C3PAO. The C3PAO was a scheduled, negotiated, commercially-mediated event with a firm you hired. A government-led assessment is not. The auditors did not go away , the friendly ones did.
And DIBCAC has a documented habit of finding a very different number than the one the contractor self-reported. That brings us to the real risk.
Here is the part the ecosystem consistently gets backwards, and it matters more this week than it did last week.
CMMC was never the sharp end of the enforcement stick. The False Claims Act is. It always has been.
Since DOJ stood up the Civil Cyber-Fraud Initiative in 2021, it has built a steady, unglamorous track record of extracting money from defense contractors over cybersecurity misrepresentation and not one of those cases required CMMC to exist. They ran on DFARS 7012, NIST 800-171, and self-reported SPRS scores. Exactly the machinery that survived this announcement.
Consider these cautionary tales:
Settlement headlines understate the exposure, because they are negotiated down. The statute itself is far less forgiving.
Under 31 U.S.C. § 3729, a False Claims Act violation carries treble damages, meaning three times what the government paid you, plus a civil penalty assessed on every false claim. That per-claim penalty currently runs $14,308 to $28,619. (DOJ set those figures in July 2025; the 2026 inflation adjustment was cancelled after the October 2025 appropriations lapse left BLS unable to compute the CPI, so the 2025 amounts still govern.)
The load-bearing phrase is per claim. A claim is an invoice.
If you certified a false SPRS score and then billed monthly against that contract, every invoice is its own violation:
| Invoicing history | Penalties at minimum | Penalties at maximum |
|---|---|---|
| 36 invoices (3 years, monthly) | $515,088 | $1,030,284 |
| 60 invoices (5 years, monthly) | $858,480 | $1,717,140 |
That is before treble damages. And notice what's missing from the calculation: the size of your contract. Penalties attach to the number of invoices, not the value of the work. A small shop on a modest contract can face statutory exposure exceeding everything it was ever paid.
Which is precisely what happened to LOGZONE. The two Navy contracts at issue generated roughly $682,000 in total payments across the period of alleged non-compliance. The settlement came to $507,144, or roughly three-quarters of the entire revenue those contracts produced. For a logistics company that wasn't selling cybersecurity to anyone.
Two fair caveats: courts retain discretion over penalty stacking, and Eighth Amendment excessive-fines challenges have succeeded in reducing awards. Most matters settle well below the theoretical ceiling. But "we'll negotiate it down" is not a control, and the ceiling is what your counsel will be staring at across the table.
That last detail is the one to sit with. Qui tam. A whistleblower. Your departing sysadmin, your disgruntled MSP account manager, your quality lead who read the SSP and knew it was fiction. That is the enforcement mechanism, and no Pentagon memo disables it.
Note what is absent from all four: a breach. Nobody got hacked. DOJ's own framing, from Deputy Assistant Attorney General Brenna Jenny at a January 2026 FCA enforcement conference, is that these cases are not about data breaches, they are premised on misrepresentations. You do not need to be breached to be liable. You only need to have told the government something that wasn't true.
You do not need to be breached to be liable. You only need to have told the government something that wasn't true.
Now hold that next to what survived on July 13: the self-attestation.
The Department just removed the independent check that would have caught your inflated SPRS score before DOJ did and kept the score itself, kept the standard it's measured against, and kept the contract clause that makes it material. If your 110 is aspirational, the C3PAO was your last friendly reader. The next person to grade that homework is DIBCAC, or a relator's attorney working on contingency.
Think if this announcement less as deregulation and more like the removal of a safety net.
The certification may be is suspended but the standard, audit and liability remain.
Anyone reading this announcement as permission to stand down has misread it and will find out eventually from someone considerably less friendly than an assessor.
CompassMSP is a Registered Practitioner Organization (RPO) certified by The Cyber AB. If you're trying to figure out what this suspension means for your specific contracts, scope, or SPRS score, our team can help you separate what changed from what didn't explore our CMMC readiness services.