Key Takeaways
|
Understanding the impact of the CMMC Phase II suspension
Effective July 13, 2026, the Department of War (DOW) suspended the Phase II requirements of the Cybersecurity Maturity Model Certification (CMMC), which was scheduled to be in effect on November 10, 2026. But as many companies breathe a sigh of relief, it's important to understand what requirements are still in effect and what your next steps are.
The Phase II rollout requiring mandatory third-party certification (by a certified third-party assessor organization) have been suspended while the Department conducts a 60-day comprehensive review of the program and considers potential reforms. This review will recommend measures to remove barriers to entry for small and mid-sized businesses and encourage innovation, while maintaining a strict security baseline.
Phase 1 self-assessment requirements remain in effect
Organizations supporting the Defense Industrial Base (DIB) are still expected to implement and maintain the required cybersecurity controls, including compliance with NIST SP 800-171 Rev 2 and DFARS clause 252.204-7012. This includes assessing your Supplier Performance Risk System (SPRS) score against NIST SP 800-171 Rev 2 and annually affirming the score is accurate.
Protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) remains a contractual and operational requirement. This is a pause on one aspect of the certification rollout, not cybersecurity.
Use the delay to prepare for future CMMC requirements
Use this time wisely. Based on your contractual requirements, perform a readiness assessment and conduct a CMMC Level 1 and/or CMMC Level 2 self-assessment, ensuring you have the documentation to support your organization's score.
In addition, continue strengthening your security program, addressing gaps, and preparing for future CMMC requirements, whatever form they ultimately take. Being ready will put your organization in the best position when the revised framework is announced.
Turn the Phase II delay into readiness advantage
The UHY Technology Risk & Compliance team is actively helping organizations assess their readiness, implement NIST SP 800-171 security requirements, and prepare for future CMMC expectations. Connect with our team to understand how the Phase II suspension affects your organization and identify the steps you should take now to strengthen compliance and reduce future certification risk.
Contact Our Technology, Risk & Compliance Team
Complete this form to connect with our team to understand how the Phase II suspension affects your organization.
By submitting this form, you agree to be contacted by UHY.