CMMC is (Not) Cancelled

Table of contents
Word is out that the Department of War (DoW) has suspended the rollout of CMMC Phase II. However, contractors working on CMMC compliance should not abandon their CMMC plans: Although the audit requirement is suspended, the rest of CMMC is still very much in effect. Read on to understand the implications of this announcement and some speculation on why the audits may have been suspended.
TrustedSec is a CMMC RPO that helps organizations achieve CMMC compliance and has years of experience assessing compliance with NIST SP 800-171 as well as FISMA/NIST SP 800-53 assessments for federal agencies. If you need assistance with these areas, get in touch with us.
Overview
- CMMC Level 2 C3PAO audit requirements are not going to take effect as planned in November.
- DoW is conducting a 60-day review period to determine what comes next.
- Self-Assessment requirements for CMMC Levels 1 and 2 remain in effect.
- FAR 52.204-21 contract requirements for safeguarding FCI remain in effect.
- DFARS 252.204-7012 contract requirements for safeguarding CUI and reporting breaches remain in effect.
- DFARS 252.204-7020 contract requirements for self-assessing and reporting NIST SP 800-171 compliance via SPRS remains in effect.
- Subcontractors should be prepared to continue receiving unnecessary CMMC Level 2 audit requirements from upstream contractors that don’t understand the CMMC program or this announcement.
- Significant False Claims Act penalties remain in effect for violating current CMMC, FAR 52.204-21, and/or DFARS 252.204-7012 requirements.
- There are various reasons why this may have been postponed including:
- Large contractors unnecessarily flowing down Level 2 audit requirements, leading to more contractors implementing Level 2 and seeking audits than are necessary.
- Contractors don’t understand what CUI is and as a result, believe they require audits when they do not.
- Contractors that should have implemented NIST SP 800-171 several years ago did not and are now scrambling to implement it before they get audited.
- A flood of contractors are attempting to get audited all at once before the deadline.
- DoW is accepting feedback on the CMMC program as part of the review process for 30 days following the suspension announcement.
What Has Changed
CMMC had a phased rollout plan, the details of which are in our previous post A Big Step on the CMMC Rollout Timeline. The important part is that CMMC Level 2 C3PAO audit requirements were supposed to start appearing in DoW contracts at the start of Phase 2 on November 10, 2026.
The suspension announcement means that the rollout of Level 2 C3PAO audit requirements is not going to happen, at least for now. The DoW is conducting a 60 day study to determine the future of the CMMC program.
As the DoW is not going to put audit requirements in prime contracts, other contractors should not be putting audit requirements in their subcontracts. Effectively, CUI categories that would have been subject to a CMMC Level 2 C3PAO audit requirement will remain subject to the CMMC Level 2 Self-Assessment requirement that other CUI categories have been and remain eligible for.
What Hasn’t Changed
Phase 1 of the CMMC rollout already began on November 10, 2025, and the suspension announcement makes clear that the Phase 1 requirements remain in place. Phase 1 rolled out CMMC Level 1 Self-Assessments for contractors handling FCI and CMMC Level 2 Self-Assessments for contractors handling CUI.
Contractors handling FCI must continue to implement, self-assess, and report compliance with the 15 Basic Safeguards in CMMC Level 1, and contractors handling CUI must continue to implement, self-assess, and report compliance with the 110 NIST SP 800-171r2 requirements in CMMC Level 2. More information on what CMMC level should apply to a contractor is in our previous post on CMMC Level and Assessment Requirements for Defense Contractors.
CMMC Level 1 and 2 requirements continue to apply to subcontractors handling FCI and CUI respectively, while CMMC Level 2 also continues to apply to External Service Providers as described in our previous post on CMMC Subcontractors and Service Providers.
Outside of CMMC, the FAR 52.204-21 contract clause that requires the protection of FCI with the 15 basic safeguards and the DFARS 252.204-7012 contract clause that requires the protection of CUI remain in effect, as does the DFARS 252.204-7020 contract clause that requires reporting of NIST SP 800-171 self-assessment scores via SPRS.
What May Not Change
Contractors have imposed unnecessary and incorrect supposed CMMC audit requirements on potential subcontractors for years before the CMMC program started rolling out in November (this is explored more below under The Flow Down Problem and in our previous post The Proliferation of “Fake” CMMC Contract Clauses). I do not expect these supposed requirements to stop now, even in light of the DoW announcement (If they didn’t bother to understand the CMMC flow down requirements before, why would they start now?)
Subcontractors should be prepared to receive supposed audit requirements from upstream contractors even though the DoW is postponing the rollout of contracts with actual audit requirements. Subcontractors will need to make their own decision as to how they want to handle these unnecessary requirements (Push back on the upstream contractor, implement the requirements anyways, refuse to bid on the subcontract, etc.)
Flying Under the Radar and Penalties
CMMC effectively exists because many contractors handling CUI did not implement the requirements of the DFARS 252.204-7012 contract clause (whether due to ignorance, misunderstandings, or willful non-compliance), often despite submitting self-assessment results indicating they were compliant. The CMMC program was meant to fix this problem with independent audits.
With the suspension of Level 2 audits, we are back to the honor system (at least for now) and some contractors may be tempted to go back to flying under the radar by claiming compliance to win contracts before the necessary safeguards are in place. This is a potentially very expensive move.
A contractor that fails to comply with a government contract clause that it agreed to is subject to the False Claims Act. The Department of Justice (DOJ) has been aggressively pursuing cases related to non-compliance with contractual cybersecurity requirements. The following examples show the scale of recent settlements for non-compliance with DoW cybersecurity requirements along with the allegations that resulted in the settlements:
May 2025 - $8.4 million - Raytheon Companies and Nightwing Group
- Non-compliance with the requirements of FAR 52.204-21 which form the basis of CMMC Level 1
- Non-compliance with the requirements of DFARS 252.204-7012 which form the basis of CMMC Level 2
- Failed to develop a System Security Plan (SSP) as required by NIST SP 800-171
September 2025 - $875,000 - Georgia Tech Research Corporation
- Failed to develop an SSP
- NIST SP 800-171 requirements were not implemented
- False self-assessment score was submitted to SPRS based on a fictitious environment that did not apply to any of the CUI being handled
December 2025 - $421,234 – Swiss Automation Inc.
- NIST SP 800-171 requirements were not implemented
June 2026 - $507,144 – LOGZONE Inc.
- NIST SP 800-171 requirements were not implemented
- DIBCAC assessment revealed a score of -170 on a scale of -203 to 110
Why the Delay?
The announcement stated that the suspension of audit requirements was to “reduce compliance barriers for small and medium sized businesses” without much more detail. During my work as a CMMC RP, I’ve noticed a few problems that have unnecessarily contributed to the increased cost of CMMC for small and medium businesses:
The Flow Down Problem
When CMMC was proposed, DoD estimated that 63% of defense contractors would only be subject to CMMC Level 1 Self-Assessment requirements because they will handle FCI but not CUI. Furthermore, contractors are only supposed to flow down CMMC requirements to subcontractors that are appropriate for the information being flowed down as part of a specific subcontract as follows:
Highest Level Information Flowed Down to Subcontractor | CMMC Requirement to be Passed on to Subcontractor |
|---|---|
CUI received under a contract with a Level 3 (DIBCAC) requirement | Level 2 (C3PAO) |
CUI received under a contract with a Level 2 (C3PAO) requirement | Level 2 (C3PAO) |
All other CUI, e.g., received under a contract with a Level 2 (Self) requirement | Level 2 (Self) |
FCI | Level 1 (Self) |
Unfortunately, many large prime contractors have ignored the official CMMC flow down requirements. Instead, these contractors have informed all their potential subcontractors that they must have a CMMC Level 2 C3PAO audit certification to continue doing business, regardless of what information will be flowed down in a specific subcontract.
This has led many small and medium businesses to unnecessarily implement the Level 2 requirements in preparation for an audit at great cost despite the fact that they will not handle CUI.
The solution here is simple: prime contractors need to start keeping track of what information will be flowed down under each subcontract so that potential subcontractors can be accurately informed of the CMMC requirements that will apply to them. This is unlikely to happen as subcontractors don’t have enough leverage over prime contractors to change their behavior. Additionally, there is no enforcement mechanism for DoW to prevent prime contractors from spraying their subcontractors with unnecessary requirements.
The CUI Misunderstanding Problem
Identifying CUI should be simple: The government is required to apply standardized markings to all CUI before sending it to a contractor, and the government should inform contractors if any of the information the contractor creates under a contract must be marked as CUI.
Unfortunately, many contractors don’t understand what CUI is or how it is marked. Some contractors think that any information they receive and/or create under a contract is potentially CUI. This has led to many contractors treating unmarked documents as CUI and applying a wild variety of supposed CUI markings to documents. These misunderstandings and mismarked documents ripple throughout the supply chain, causing subcontractors to think they are handling CUI when they are not.
This problem compounds the flow down problem described above: Contractors are unnecessarily incurring the costs of Level 2 compliance because they think they are handling CUI when the information they are handling is most likely FCI, only subject to Level 1 requirements.
Contractors should take the time to understand what CUI is and is not, both to simplify their own compliance efforts and to avoid causing further confusion among their customers and suppliers.
The Non-Compliance Problem
The remaining estimated 37% of contractors that actually handle CUI should have implemented the NIST SP 800-171 controls that underpin CMMC Level 2 long ago as a result of existing DFARS 252.204-7012 requirements. These contractors should also have assessed themselves against those requirements and reported their scores to the DoW via SPRS as per DFARS 252.204-7020. In this ideal world, the CMMC C3PAO audits would have been a simple check to confirm the self-assessments submitted by contractors were accurate.
Unfortunately, many of these contractors did not implement these requirements and are now scrambling to get compliant before C3PAOs turn up evidence that the contractors have been violating their contracts for nearly a decade.
Implementing compliance in a hurry is more expensive and more disruptive to the business than taking a methodical approach, but the looming deadline prevented a methodical approach.
This is effectively a problem of contractor’s own making, assuming that they have been handling CUI and are therefore subject to DFARS 252.204-7012, NIST SP 800-171, and CMMC Level 2. Hindsight is 20/20, and contractors must now deal with the consequences of their failure to implement these long-standing compliance requirements.
The All at Once Problem
The original CMMC rollout plan states that all DoW contracts that involve handling CUI in the defense grouping after the Phase 2 start date will contain CMMC Level 2 C3PAO certification audit requirements. Contractors are, in theory, not required to have a CMMC Level 2 certification until they encounter their first contract with this requirement, which may come some time after the start of rollout Phase 2.
Unfortunately, reality doesn’t work like this. Implementing CMMC Level 2 and getting a certification audit takes longer than the contract bidding and award process. Contractors that want to continue winning contracts must have their certification in hand well before any potential CMMC Level 2 audit requirements appear in contracts.
This has led to a flood of contractors frantically trying to hire the few available C3PAOs to perform audits. C3PAOs have months-long backlogs and can name their own price for audits as demand vastly outstrips supply. Contractors are faced with the awful choice of paying for an overpriced audit or declining to bid on contracts with Level 2 audits requirements once Phase 2 starts.
Perhaps the DoW should consider adjusting the CMMC rollout so that CMMC Level 2 C3PAO requirements are imposed on contractors and subcontractors based on revenue. Contractors and subcontractors with large revenues over a certain threshold could be expected to conduct audits early in the process while contractors and subcontractors below that threshold could continue self-assessing. The revenue threshold could be slowly reduced over time, eventually including all contractors and subcontractors to which the audit requirements apply. This approach is already in use in the CCPA cybersecurity requirements rollout.
What’s Next
Contractors and others involved in the CMMC program can make their voice heard as the DoW’s 60-day CMMC review period begins. The DoW published an RFI shortly after the announcement, requesting feedback from companies on how to protect federal data while reducing compliance costs. The document attached to the RFI contains seven specific questions and provides email addresses for responses. Responses are due by 12PM EST on August 14, 2026.