Press Release

What the CMMC Phase II Pause Means for the Defense Industrial Base

July 14, 2026

The certification requirements may be uncertain, but the mission to protect Controlled Unclassified Information remains unchanged.

The Department of War’s decision to temporarily suspend the implementation of CMMC Phase II changes the timing of third-party certification requirements, but it does not change the underlying cybersecurity obligations of organizations that handle Controlled Unclassified Information.

The Department has paused the rollout of CMMC Phase II while conducting a 60-day review of the program. During this period, existing requirements remain in effect, including DFARS 252.204-7012, NIST SP 800-171 implementation, the protection of CUI, and current CMMC Phase I self-assessment requirements.

For organizations across the Defense Industrial Base, our message is simple:

Stay the course and continue the mission.

This announcement should be viewed as an opportunity to strengthen your cybersecurity program, not as a reason to delay it.

Organizations that were not prepared for a certification assessment before this announcement are unlikely to become compliant simply by completing a self-assessment. Compliance begins with implementing the required security controls, maintaining supporting evidence, and documenting the cybersecurity program in accordance with NIST SP 800-171. A self-assessment should validate an organization’s cybersecurity posture, not replace the work required to achieve it.

Organizations should also ensure that their SPRS scores are accurate, current, and supported by defensible evidence. They should remain prepared for government-led assessments and continue flowing applicable cybersecurity requirements down to subcontractors.

Compliance should not be treated as a paperwork exercise. Companies that inaccurately represent their cybersecurity posture may face contractual, legal, and reputational risk, including potential exposure under the False Claims Act.

The broader regulatory direction remains clear: the federal government continues to place greater emphasis on protecting CUI. The fundamental expectation that contractors safeguard sensitive information has not changed.

This pause gives organizations valuable time to improve readiness. Companies that continue implementing NIST SP 800-171, addressing remediation priorities, strengthening evidence, and validating their programs will be better positioned for future certification requirements and government assessments.

“Security is our passion because strong security protects more than data. It protects revenue, customer trust, and the ability to compete,” said Brad Little, CEO of Coalfire. “Organizations that stay the course on CMMC will be better positioned to win and retain defense business, regardless of how the certification timeline changes.”

At Coalfire and Coalfire Federal, we remain committed to helping the Defense Industrial Base build resilient cybersecurity programs grounded in sound security practices, not simply compliance checklists. Our guidance remains unchanged: Implement the requirements. Validate your cybersecurity posture. Document your program. Protect your position in the Defense Industrial Base.


About Coalfire Federal

Coalfire Federal is a Certified Third-Party Assessment Organization (C3PAO) delivering trusted CMMC Level 2 assessments for the Defense Industrial Base. With decades of cybersecurity and compliance expertise, Coalfire Federal helps defense contractors protect the mission through transparent, evidence-driven assessments that meet the highest standards of rigor and precision.

Learn more at coalfirefederal.com.