Resources

CMMC Phase II is Paused. The Cyber Threat Is Not.

Written by Chris Petersen | Jul 14, 2026

 

The pause in CMMC Phase II is understandable, and unfortunate. Reform should reduce unnecessary compliance burden without weakening the incentives, accountability, and operational capabilities needed to protect the Defense Industrial Base.

The Department of War has suspended the transition to Phase II of the Cybersecurity Maturity Model Certification program and initiated a 60-day review of CMMC.

The suspension is intended to address legitimate concerns: prohibitive compliance costs, limited third-party assessment capacity, complex implementation timelines, and barriers that may discourage small, innovative, and non-traditional companies from participating in the Defense Industrial Base.

Those concerns deserve serious attention.

America cannot build the world’s most capable defense industrial base by excluding the very companies capable of delivering its next generation of technology. Cybersecurity requirements must be scalable, economically achievable, and designed to accelerate—not obstruct—the delivery of capability to the warfighter.

But the suspension of CMMC Phase II cannot become a suspension of cybersecurity urgency.

This Is a Reset, Not a Reprieve

The Department’s action does not eliminate the obligation to protect Federal Contract Information or Controlled Unclassified Information.

During the review, CMMC Level 1 and Level 2 self-assessments remain in place. Program managers and requiring activities are prohibited from designating CMMC Level 2 C3PAO certifications or Level 3 DIBCAC assessments. Active solicitations containing those requirements will be amended as soon as practicable; existing contracts will have them removed at the next option period or scheduled modification.

However, DFARS 252.204-7012 and the underlying obligation to safeguard covered defense information remain fully effective. The Department’s implementation memorandum provides the operative interim procedures.

Defense contractors should therefore not interpret the announcement as permission to pause their security or compliance programs.

More importantly, neither have our adversaries.

“The mechanics of certification may change. The responsibility to protect sensitive defense information has not.”

The Economics of Cyberattack Are Changing

The Defense Industrial Base is being targeted by sophisticated, well-resourced adversaries seeking intellectual property, weapons-system information, manufacturing data, credentials, and persistent access to strategically important supply chains.

Artificial intelligence will further change the economics of these operations.

Our strategic assessment is that AI-augmented adversaries will be able to conduct reconnaissance, develop convincing social-engineering campaigns, identify vulnerable infrastructure, analyze stolen data, and coordinate attack activity with substantially greater speed and scale. Capabilities that previously required specialized teams will become increasingly accessible through commercial and open-source AI models.

That matters especially for the DIB’s long tail of small and mid-sized businesses. These companies may possess critical data and supply-chain access without the security personnel, tooling, or budgets of a major defense prime.

Reducing unnecessary compliance expense is important. Reducing actual defensive capability would be dangerous.

CMMC Is a Necessary Baseline—Not a Complete Defense Strategy

CMMC Level 2 and the 110 requirements of NIST SP 800-171 Rev. 2 establish an important foundation. They promote disciplined practices around access control, authentication, system configuration, incident response, auditability, information protection, and risk management.

Those practices matter.

But compliance with a control framework does not, by itself, guarantee that an organization can withstand a determined nation-state intrusion.

A point-in-time assessment can establish whether policies and technical safeguards exist. It does not necessarily demonstrate whether a company can identify an adversary already operating inside its environment, contain an active compromise, or eradicate a threat before sensitive information is stolen.

True cyber resilience requires organizations to perform several difficult operational functions exceedingly well:

  • Reduce the probability of compromise by hardening identities, endpoints, email, cloud infrastructure, applications, and users.
  • Continuously monitor the environment for evidence of malicious or anomalous activity.
  • Proactively hunt for sophisticated threats, including adversaries using legitimate tools and living-off-the-land techniques to evade traditional security products.
  • Rapidly investigate, contain, and eradicate intrusions before they become material national-security or operational events.

Any revision to CMMC should reinforce these critical outcomes—not relax them.

The DIB Should Continue Preparing

Companies throughout the Defense Industrial Base should use this period to strengthen—not defer—their security programs.

That means continuing to implement and maintain NIST SP 800-171 requirements, conducting accurate self-assessments, closing Plans of Action and Milestones, maintaining credible evidence, improving incident-response readiness, and preparing for whatever independent validation model emerges from the review.

Organizations that stop preparing may find themselves exposed in two ways: vulnerable to attack today and unprepared when the Department establishes its revised requirements.

Organizations that use this period to operationalize security will be better positioned regardless of the final regulatory structure.

RADICL's Commitment

At RADICL, we will continue working to reduce the cost and complexity of achieving and maintaining NIST 800-171 compliance - the standard the Department will enforce throughout this suspension, and the foundation of CMMC Level 1 and Level 2 self-assessments. We will help companies conduct defensible self-assessments, maintain the evidence needed to support the scores they affirm in SPRS, and stay prepared for government-led assessments and whatever validation model emerges from the Department's 60-day review.

But our mission extends beyond passing an assessment.

We built RADICL to make sophisticated cybersecurity accessible to the small and mid-sized businesses responsible for some of America’s most important innovations. That means helping them prevent compromise, continuously detect threats, proactively hunt for embedded adversaries, and rapidly respond when an intrusion occurs.

In the emerging contest between AI-augmented offense and AI-powered defense, completing all 110 security requirements will remain important.

Executing the most critical defensive functions exceptionally well will be indispensable.

The right question is not whether America must choose between cybersecurity and innovation. It is how we make effective cybersecurity an enabler of innovation, industrial expansion, and speed to capability.

CMMC Phase II may be paused. The mission to protect the Defense Industrial Base is not.

Official Source Materials

Department of War press release: “Forging the Arsenal of Freedom: Department of War Suspends CMMC Phase II Requirements”

DoW CIO memorandum: “Removing Barriers to Defense Industrial Base Expansion: Immediate Suspension and Strategic Review of Cybersecurity Maturity Model Certification Requirements”

Acquisition & Sustainment memorandum: “Implementing Department of War Chief Information Officer’s Suspension of the Advancement to Cybersecurity Maturity Model Certification Phase 2 Requirements”

Department of War Chief Information Officer: CMMC program page

NIST Special Publication 800-171 Revision 2

DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting