Resources
Blog

July 16, 2026

CMMC Phase II Paused: Why Self-Attestation Raises Your Legal Risk

Written by:

Jared Shepard

The question moving through the Defense Industrial Base (DIB) this week reduces to three words: is CMMC dead. The short answer is no. The more useful answer is that the pause did not lower the bar. It removed the party that used to check the work, then handed the contractor the pen.

What moved, and what did not

On July 13, the Department of War suspended the CMMC Level 2 third-party assessment requirements that were set to take effect on November 10, 2026. Phases 3 and 4 were shelved with them. During the review, the department will enforce compliance with NIST SP 800-171 Rev 2 through self-assessments and select government-led assessments, while a CMMC Reform Task Force studies the program and reports back on or about September 13.

What did not move deserves equal attention. DFARS 252.204-7012 remains fully in force, as do Phase I self-assessment obligations, Supplier Performance Risk System (SPRS) score reporting, and annual affirmations. Contractors handling Controlled Unclassified Information (CUI) still answer to the same 110 controls they answered to last week. The security mandate did not move an inch. What moved was the verification.

Liability did not pause, it concentrated

Under the certification model, a Certified Third-Party Assessment Organization (C3PAO) sat between a contractor's compliance claims and any future fraud allegation. That assessment was a buffer, an independent record that someone outside the organization had validated the posture. The pause removes that buffer for most of the DIB and leaves the contractor's name on a self-reported score.

The Department of Justice (DOJ) paused nothing. Its Civil Cyber-Fraud Initiative continues to pursue organizations that knowingly misrepresent their cybersecurity posture, and an inaccurate self-assessment is a natural target. The exposure runs to treble damages under the False Claims Act (FCA), a case can originate with a whistleblower, and no auditor is required to surface the discrepancy. An employee with firsthand knowledge of how the environment actually runs is now a viable enforcement mechanism. The friendly assessor left the room. The Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), the government's own assessment arm, kept its authority to assess contractors directly. The unfriendly assessors stayed.

That much is now being written by every firm in the market. The part worth your attention is what you do about it.

The real move is to shrink what you must attest to

Two questions now matter more than anything the task force will produce.

The first is whether your attested posture is defensibly true today. Not aspirationally true, not true pending a remediation plan, but accurate and documentable as written. A System Security Plan (SSP) that does not reflect reality was always a problem. Without a C3PAO positioned to flag the gap first, that same document becomes a standing liability.

The second question is the one that changes your architecture: how do you reduce the set of things you must attest to in the first place. All 110 controls apply to systems that touch CUI. Every system removed from that boundary reduces the controls you self-attest to, and it reduces the surface to which an FCA theory could ever attach. In a self-attestation environment, boundary reduction stops being an architectural nicety and becomes legal posture.

Where Mobile Isolation changes the math

This is the case for Mobile Isolation. When CUI is never stored, processed, or transmitted on the endpoint, the endpoint falls out of scope. The data stays in a secure, accredited environment, and the device becomes a display. Nothing sensitive lands on it, so the phone, the tablet, and the personal networks behind them leave the assessment boundary rather than expanding it.

The effect is direct. Fewer endpoints inside the CUI boundary means fewer systems under the 110 controls, fewer controls to self-attest to, less documentation to keep true, and a smaller surface for any FCA theory to reach. You are not only closing gaps. You are removing the systems where gaps would otherwise have to be defended.

What to do while the window is open

1.    Treat certification as a scarce asset. C3PAOs continue to issue CMMC Level 2 certifications during the pause. While most of the DIB drops to self-attestation, a third-party validated score is the one signal a self-assessment cannot replicate, and it matters most where a prime is protecting its own contract. Primes including Lockheed Martin, Northrop Grumman, L3Harris, and Boeing have spent the past year directing their supply chains toward Level 2, and nothing in the suspension stops a prime from requiring certification before sharing CUI.

2.   Do not read the pause as the end of the program. The last review rebranded CMMC and returned it built on the same NIST SP 800-171 foundation, because the obligation lives in the DFARS clause and the contract, not in the certification brand. Whatever emerges in September will keep that foundation.

3.   Put a position on the record. The department opened a public Request for Information (RFI), due August 14, asking which controls actually reduce risk and whether commercial tools and managed services should count toward compliance. Those questions telegraph what the review is likely to reward: demonstrable, structural risk reduction rather than well-organized paperwork. Organizations that reduce real risk, and can show it, have roughly a month to make the case.

The bottom line

Compliance regimes come and go. The obligation to protect entrusted data does not. The pause never lowered the bar. It removed the party that used to check the work.

So the response is not to stand down. It is to reduce the surface, attest only to what is defensibly true today, and put a position on the record before August 14 closes. The contractors who emerge strongest from this period will not be the ones holding the most polished remediation plan. They will be the ones who moved CUI out of reach, and can stand behind every line of their self-assessment without hesitation.

Subscribe to Content Updates

Recent articles

July 8, 2026

The Armored Truck Problem

Every Secure Messaging Strategy Built on Consumer Apps is an Armored Truck. Here is Why That is the Wrong Vehicle.

July 2, 2026

What Is the Biggest CMMC Mistake Contractors Make?

The biggest CMMC mistake contractors make is treating certification as a compliance exercise. Learn how to protect CUI, eliminate shadow IT, and reduce mobile scope.

June 30, 2026

The Questions Your Board Is About to Start Asking About Mobile Messaging

Because the board isn’t asking yet. But they will be. And the answer you give will matter.