PROCIRCULAR BLOG

Educating your business on the importance of cybersecurity

CMMC Phase 2 is Paused - The Homework is Still Due.

Posted by Keegan Paisley on Jul 17, 2026 2:30:43 PM
Find me on:

On July 13th, 2026, the DoW CIO released a statement mandating a pause in the Phase 2 rollout of the Cybersecurity Maturity Model Certification (CMMC) program, which was scheduled to go into effect on November 10th of 2026. Additionally, the article announced a 60-day review period of the program aimed at reducing red tape and barriers to entry for SMBs, along with a public Request for Information (RFI). Further public memos have been published outlining clarifications and implementation specifics for the statement, including outlines for interim actions for Department contractors and requirements for necessary contract revisions.

What has stayed the same, and what has changed?

CMMC Level 1 and Level 2 requirements are unchanged. Organizations are still required to perform self-assessments aligned with the requirements in FAR 52.204-21 and upload the self-assessment scores to SPRS for Level 1. Organizations are still required to implement all 110 controls of NIST’s 800-171r2 and upload those scores to SPRS for Level 2.

At this time, CMMC Level 2 is pausing the requirement for organizations to undergo audits from Certified 3rd Party Organizations to attest to the implementation of NIST 800-171r2, organizations needing to implement CMMC Level 3 through additional requirements set in NIST 800-172 will not need to undergo DIBCAC audits, and existing contracts with these provisions will need to be restructured to not include these audits.

In other words, while the instructor is no longer checking our homework, that doesn’t mean no one will, or that it doesn’t need to be done. The False Claims Act is still in effect; memos note options for the DoW to implement select spot-check audits, and threat actors remain the ultimate practical exam for implementing a meaningful security program. Full self-attestation was part of what initially led to the development of the CMMC program, and the DoW has implied that they will pay closer attention to whistleblowers and other False Claims Act notices. While 3rd-party certifications are not going to be required on contracts, CMMC is not gone, and the base requirements it sought to enforce remain real and necessary for Department contractors working on or with Covered Defense Information.

ProCircular’s specialists have been preparing alongside the industry by offering CMMC Readiness assessments and Cybersecurity Advisory Programs structured around CMMC. If you would like to learn more about CMMC Readiness or any of our other offerings, contact our team of experts to get started! For more information about CMMC, check out our page here.

Topics: Government & Public Sector, Manufacturing, Compliance & Governance

  • There are no suggestions because the search field is empty.

ProCircular is a Full-Service Information Security Firm

We are passionate about helping businesses navigate the complex world of information security, and our blog is another great source of inforamtion. We can assist you no matter where you are in your security maturity journey:

  • Breached or hit with ransomware?
  • Don't know where to start? 
  • Looking to confirm your security with a third party?

Secure your future with ProCircular.

Recent Posts

Subscribe to Email Updates