The Department of War (DoW) recently announced that it is pausing Phase II of the Cybersecurity Maturity Model Certification (CMMC) program.
That is a big development for the Defense Industrial Base (DIB), especially for organizations preparing for a mandatory CMMC Level 2 assessment with a Certified Third-Party Assessment Organization, or C3PAO.
It may also have caused a few compliance teams to briefly consider throwing their documentation into a drawer and taking the rest of the year off.
Unfortunately, it is not quite that simple.
The pause changes how and when certain CMMC requirements may be enforced. It does not remove the responsibility to protect Controlled Unclassified Information, or CUI.
In other words, the assessment timeline may be taking a breather. Your cybersecurity obligations are not.
What Exactly Was Paused?
CMMC was designed to roll out in phases.
Phase II was expected to begin on November 10, 2026. During that phase, more solicitations and contracts would have required organizations to complete a CMMC Level 2 assessment conducted by a C3PAO.
The DoW has now suspended that transition while it reviews the program.
The review will look at ways to reduce unnecessary costs and administrative burdens while still protecting sensitive defense information. A CMMC reform task force has also been created to gather input and consider potential changes.
For now, the program remains in Phase I.
That means the government has pressed pause on the next stage of the rollout. It has not hit the delete button.
What Has Not Changed?
Organizations that handle CUI still have cybersecurity responsibilities.
Depending on their contracts, those responsibilities may include:
- Implementing the 110 security requirements in NIST SP 800-171 Revision 2
- Completing a CMMC Level 2 self-assessment when required
- Â Reporting assessment results in the Supplier Performance Risk System (SPRS)
- Submitting and renewing annual affirmations
- Maintaining documentation and evidence to support reported scores
- Completing eligible Plans of Action and Milestones within the required timeframe
- Meeting applicable DFARS contract requirements
The Department has also indicated that it may continue using selected government-led assessments to verify compliance.
So, while mandatory third-party assessments may not expand as originally planned this fall, contractors still need to know where their CUI lives, who has access to it and how it is protected.
CMMC Did Not Create the Requirement to Protect CUI
This is an important distinction.
CMMC is a way for the government to validate that contractors have implemented required cybersecurity practices. It did not create the original responsibility to protect CUI.
Many defense contractors were already required under DFARS 252.204-7012 to protect CUI using the security requirements in NIST SP 800-171.
Those contractual obligations remain in place.
Prime contractors may also continue asking subcontractors for SPRS scores, security documentation, evidence of compliance, or other assurances that CUI is being properly handled.
The absence of an immediate third-party assessment requirement does not mean organizations can move CUI back into an unprotected commercial environment and hope nobody notices.
That is generally not considered a cybersecurity strategy.
Should Contractors Pause Their CMMC Work?
For most organizations, stopping completely would be a mistake.
The government is reviewing the program, but it has not announced what the final changes will be. CMMC could return with a different timeline, a revised assessment process, or new methods of validating contractor security.
Organizations that put their programs on hold may find themselves scrambling when updated guidance is released.
More importantly, the threats facing the DIB have not paused.
Defense contractors continue to be targeted because they hold valuable technical, operational, and program information. Attackers are not checking the CMMC implementation schedule before launching an attack.
Maintaining strong cybersecurity practices is still necessary to protect your organization, your customers, and the defense supply chain.
Do Organizations Still Need a Secure Enclave?
In many cases, yes.
A secure enclave allows an organization to limit where CUI is stored, processed, and transmitted. It creates a controlled environment for sensitive data without requiring the entire company to operate within the same compliance boundary.
A properly designed enclave can help an organization:
- Reduce the number of users and devices in scope
- Separate CUI from everyday business information
- Apply stronger access controls
- Improve logging and monitoring
- Limit how users download and share sensitive files
- Simplify evidence collection
- Support incident response
- Reduce the burden placed on employees who do not work with CUI
The right approach depends on the organization’s contracts, data, users, and business processes.
However, the Phase II pause does not suddenly make commercial Microsoft 365 suitable for every type of government information. Organizations still need to use systems and configurations that meet their contractual and security requirements.
Certification and Security Are Not the Same Thing
A certification shows that an organization met a defined set of requirements at a particular point in time.
Security is what happens on all the days before and after the assessment.
It includes the less glamorous but very important work of:
- Reviewing user access
- Applying security updates
- Monitoring systems
- Managing endpoints
- Responding to alerts
- Training employees
- Updating policies
- Reviewing vendors
- Maintaining documentation
- Collecting evidence
Nobody gets particularly excited about reviewing access permissions, but attackers are often very excited when organizations do not.
These activities remain necessary whether an assessment takes place next month, next year, or under a revised program.
What Should DIB Organizations Do Now?
The best next step is not to panic, celebrate too early, or immediately dismantle your compliance program.
Instead, organizations should take a practical look at their current environment.
Review your contracts and determine which DFARS, CMMC, and NIST SP 800-171 requirements apply. Confirm where CUI is stored, who has access to it and how it moves between systems.
Organizations should also continue addressing known security gaps, maintaining accurate SPRS scores, and keeping assessment evidence current.
Most importantly, do not make major changes to your cybersecurity environment based on a headline alone. The pause affects the rollout of CMMC Phase II, but each contractor’s obligations still depend on its contracts, customers, and data.
How KTL Solutions Can Help
KTL Solutions helps organizations across the Defense Industrial Base build and manage secure Microsoft environments designed to protect CUI.
Our team works with organizations that are beginning their compliance journey, improving an existing environment, or preparing for future requirements.
KTL can help with:
- CUI scoping and data-flow reviews
- Microsoft GCC High licensing
- GCC High implementation and migration
- Secure enclave design and deployment
- Microsoft Azure Government
- Identity and access management
- Endpoint and device security
- Security monitoring
- Managed security services
- NIST SP 800-171 implementation
- Compliance documentation
- Evidence collection
- CMMC readiness support
KTL’s experience as an authorized C3PAO gives our team a strong understanding of what assessors look for, how requirements are interpreted, and where organizations commonly run into trouble. While third-party CMMC Level 2 assessments are currently paused, that knowledge still brings valuable credibility and practical insight to the environments we design and support.
We understand that compliance is not just about checking boxes. Organizations need security controls that work in the real world, documentation that reflects the environment, and evidence that can stand up to future review.
Whether your organization needs to complete a self-assessment, respond to a prime contractor or continue preparing for whatever comes next, the goal remains the same: protect sensitive government information and remain ready to support the defense mission.
The Bottom Line
CMMC Phase II may be paused, but CUI still needs to be protected.
The government may adjust the certification process, the timeline, or the way compliance is validated. What has not changed is the need for contractors to secure sensitive information and meet the requirements in their contracts.
Organizations that continue making steady progress will be in a much better position when the next round of guidance arrives.
So, take a breath. You may have a little more time.
Just do not use that extra time to ignore the problem.
Still have questions? Reach out, and we’ll help you determine the best next steps for your organization.