The Pentagon just announced an immediate suspension of CMMC Phase II requirements and its third-party audit mandate. Phase II was originally scheduled to take effect November 10, 2026. Now, that timeline is on hold.
It’s tempting to see this as a reason to push CMMC to the bottom of your priority list. For most defense contractors, that would be the wrong takeaway. Before you change your compliance roadmap, it’s worth understanding what actually changed and, more importantly, what didn’t.
Key Takeaways
- The Pentagon suspended CMMC Phase II third-party audits, but core cybersecurity requirements remain intact.
- Defense contractors must continue complying with NIST SP 800-171 standards, despite the suspension of audits.
- Organizations should use this pause to strengthen their cybersecurity and compliance processes, not neglect them.
- There are several possible outcomes after 60 days, but strong cybersecurity practices will be essential regardless of the path taken.
- Companies that focus on genuine compliance rather than just meeting audit requirements will be better prepared for future changes.
Table of Contents
What Happened
The Pentagon suspended Phase II’s third-party assessment requirements while a task force conducts a 60-day review of the program. The task force will review the current program, gather industry feedback and issue recommendations that prioritize speed to capability while lowering barriers for small and non-traditional contractors. Those recommendations will help shape what compliance looks like going forward.
That’s the known fact. Everything else is speculation.
What’s Actually Still Required
Here’s what didn’t get suspended: the baseline cybersecurity requirements themselves.
CIO Kirsten Davies was explicit:
“This action does not eliminate the legal requirement for our industry partners to protect federal data.”
And Michael Duffey, Undersecretary of Defense for Acquisition and Sustainment, added:
“We’re not relaxing any standards by any means. We expect businesses to adhere to the standards that NIST has outlined. What we’re removing is the bureaucracy of the third-party assessment.”
During the 60-day review period, the Pentagon will continue enforcing baseline compliance through NIST SP 800-171 Rev 2 standards via self-assessments.
CMMC Phase II third-party audits are suspended. NIST 171 compliance is not.
If you’ve already invested time preparing for a C3PAO assessment, don’t assume that work was wasted. Documenting controls, gathering evidence and improving your cybersecurity posture still strengthen your NIST SP 800-171 compliance today. It also positions you to respond more quickly if third-party assessments return in a different form.
Three Possible Futures
When the Pentagon issues its recommendations in 60 days, a few scenarios could unfold:
• Phase II returns with modifications, such as different timelines, audit requirements or scope.
• Phase II remains suspended, with organizations continuing to demonstrate compliance through NIST SP 800-171 self-assessments.
• The Pentagon introduces a different compliance model altogether.
No one knows which path the Department of Defense will take. What is clear is that every scenario still requires organizations to maintain strong cybersecurity practices and demonstrate that they are effectively protecting federal data.
Why This Matters Regardless
Here’s the reality for defense contractors. Whichever direction the Pentagon takes, you still need robust cybersecurity and the ability to demonstrate it.
If CMMC Phase II returns, whether in 6 months or 18 months, companies that spent the suspension period coasting will be behind. They’ll face scrambling to meet re-imposed requirements, lost contracts and damaged reputations.
If CMMC Phase II stays suspended, you still need to comply with NIST 171. And compliance done well isn’t about passing an audit. It’s about actually protecting federal data and your company’s infrastructure. The Pentagon is reducing the bureaucratic overhead required to prove you meet security standards, not lowering them.
Either way, organizations that use this time to strengthen their governance foundation, improve visibility into their controls and mature their compliance processes will be better prepared than those that simply press pause.
What You Should Actually Be Doing Now
Stop conflating “suspended” with “doesn’t matter.” The suspension concerns third-party audits, not your obligation to be secure. You still need to comply with NIST 171. That hasn’t changed.
Make your self-assessments real. For the next 60 days and likely beyond, you’ll be doing NIST 171 self-assessments. Don’t phone them in. Use them to actually understand where you stand.
Build a clear picture of your control environment. Know which controls are in place, who owns them, what evidence supports them and where gaps remain. Whether requirements change or not, that visibility becomes the foundation for every future assessment.
Centralize your compliance information. Policies, evidence, testing results and ownership shouldn’t live across spreadsheets, email and shared drives. A centralized approach makes it much easier to adapt when requirements inevitably change.
Invest in governance practices that last. Clear accountability, documented processes and consistent evidence collection aren’t just helpful during assessments. They’re what enable organizations to maintain security over time.
Prepare for multiple scenarios. If the Pentagon recommends a different compliance framework entirely, organizations that have invested in a genuine security posture rather than checkbox compliance will adapt much faster.
The Distinction That Matters
There’s a critical difference between compliance built to satisfy an auditor and compliance built because your systems are actually secure.
If your CMMC Phase II preparation has focused primarily on checking boxes rather than strengthening your security program, the suspension is actually bad news. When requirements change, you’ll need to start over.
If your compliance work has been genuine– actually implementing controls, reducing risk, documenting what you’re doing because it reflects reality– then whatever the Pentagon recommends next, you’re in a fundamentally stronger position.
The suspension gives you time to choose which category you’re in.
What Happens in 60 Days
The Pentagon will release recommendations. Those recommendations will likely shape compliance requirements for the DIB for the next several years. However, they won’t change the fundamental expectation. Companies handling federal data need to be secure and able to demonstrate it.
The organizations that use this pause to strengthen their compliance programs will be much better positioned for whatever comes next.
Stay Ready for What’s Next
The Pentagon may have suspended third-party CMMC assessments. It didn’t suspend the need to protect federal data.
Whether CMMC Phase II returns unchanged, transitions into a different framework or remains suspended, the organizations that will adapt fastest will be the ones that invested this time in strengthening their compliance programs instead of waiting on the sidelines.
Onspring helps defense contractors centralize controls, evidence, policies and assessments in a single platform so they’re always prepared for changing requirements instead of scrambling to catch up when they arrive.
Onspring helps defense contractors centralize controls, evidence, policies and assessments in a single platform, so they’re always ready for changing requirements instead of scrambling to catch up when they arrive.
See how Onspring helps defense contractors stay prepared for changing requirements without starting from scratch every time.
