CMMC Phase II is paused.
Your contracts are not.
The Department of War suspended third-party (C3PAO) assessment requirements while a Reform Task Force conducts a 60-day review. But DFARS 252.204‑7012, NIST SP 800-171, SPRS scores, and your self-assessments are all still in force — and your primes haven't paused anything. Find out exactly where you stand.
One thing was suspended.
Everything else stands.
The pause has a narrow, defined scope: the mandatory third-party assessment mechanism. The underlying obligations in your contracts didn't move.
The pause moved your risk. It didn't remove it.
With third-party verification on hold, the government's enforcement weight shifts to your self-attestation. An inaccurate SPRS score or annual affirmation now carries more exposure — including under the False Claims Act — not less.
Contractors who keep maturing their programs through these 60 days will be ready whether the Task Force resumes, modifies, or restructures CMMC. Contractors who stop and guess wrong will be scrambling — possibly on short notice.
What smart contractors are doing right now
Pressure-test your SPRS score
Self-attestation is now the primary verification mechanism. Make sure your score reflects reality and would survive scrutiny.
Finish gaps without a deadline
Remediate POA&M items, complete your System Security Plan, and mature documentation while the clock is stopped.
Talk to your primes
Certification flow-downs are contractual, not regulatory. Find out whether yours still apply — many will.
Respond to the RFI by Aug 14
The Task Force is taking industry feedback directly. If compliance costs have burdened your business, say so.
Find out where you stand.
30 minutes with our team. No pressure, no doom-selling — just a clear read on your obligations under the pause.
- Your contractual obligations today
- Your SPRS posture & attestation risk
- What to prioritize during the review