On July 13th, 2026, the DoW CIO released a statement mandating a pause in the Phase 2 rollout of the Cybersecurity Maturity Model Certification (CMMC) program, which was scheduled to go into effect on November 10th of 2026. Additionally, the article announced a 60-day review period of the program aimed at reducing red tape and barriers to entry for SMBs, along with a public Request for Information (RFI). Further public memos have been published outlining clarifications and implementation specifics for the statement, including outlines for interim actions for Department contractors and requirements for necessary contract revisions.
What has stayed the same, and what has changed?
CMMC Level 1 and Level 2 requirements are unchanged. Organizations are still required to perform self-assessments aligned with the requirements in FAR 52.204-21 and upload the self-assessment scores to SPRS for Level 1. Organizations are still required to implement all 110 controls of NIST’s 800-171r2 and upload those scores to SPRS for Level 2.
At this time, CMMC Level 2 is pausing the requirement for organizations to undergo audits from Certified 3rd Party Organizations to attest to the implementation of NIST 800-171r2, organizations needing to implement CMMC Level 3 through additional requirements set in NIST 800-172 will not need to undergo DIBCAC audits, and existing contracts with these provisions will need to be restructured to not include these audits.
In other words, while the instructor is no longer checking our homework, that doesn’t mean no one will, or that it doesn’t need to be done. The False Claims Act is still in effect; memos note options for the DoW to implement select spot-check audits, and threat actors remain the ultimate practical exam for implementing a meaningful security program. Full self-attestation was part of what initially led to the development of the CMMC program, and the DoW has implied that they will pay closer attention to whistleblowers and other False Claims Act notices. While 3rd-party certifications are not going to be required on contracts, CMMC is not gone, and the base requirements it sought to enforce remain real and necessary for Department contractors working on or with Covered Defense Information.
ProCircular’s specialists have been preparing alongside the industry by offering CMMC Readiness assessments and Cybersecurity Advisory Programs structured around CMMC. If you would like to learn more about CMMC Readiness or any of our other offerings, contact our team of experts to get started! For more information about CMMC, check out our page here.
