Resources
Blog

July 16, 2026

The Stern Report: The Audit Paused. The Requirement Didn't.

Written by:

Matt Stern

On July 13, the DoW CIO suspended CMMC Phase 2. No more third-party assessments as a condition of award, effective immediately, while a Reform Task Force spends 60 days figuring out what comes next.

I've watched the calls come in since. Contractors pulling back from their C3PAO prep. Budget lines for assessment readiness getting quietly zeroed out. The relief is understandable. It's also the wrong read.

What actually changed

Phase 2 required a third party to certify your Level 2 controls before contract award. That's suspended. Phase 1 self-assessments are not. NIST SP 800-171 Rev. 2 is not. DFARS 252.204-7012 is not. Your obligation to protect CUI didn't move. What moved is who checks your work, and how often.

That's not a rounding error. That's the whole question I want to put in front of you.

Who's verifying you now?

For 18 months, "we'll pass our C3PAO assessment" has functioned as the answer to that question for a lot of contractors. Fair enough, when it was coming. It isn't right now, and DoW hasn't ruled out canceling third-party assessment altogether once the task force reports back.

So who's checking? Right now: you are. A self-assessment, an SPRS score you submit yourself, and an annual affirmation you sign under the False Claims Act. DIBCAC still runs government-led reviews. That's the verification model for however long this suspension lasts, and possibly longer.

I spent a career on the other side of this problem, watching nation-state actors probe defense networks for the gap nobody else was watching. They were never waiting on your C3PAO date. They don't care about your assessment calendar. They care whether the control is real. A suspended audit doesn't suspend the adversary.

Baseline, not goal

Here's the mistake I want to head off: treating "pass the CMMC Level 2 assessment" as the objective. It was never the objective. It was the government's mechanism for verifying an objective that already existed: implement NIST SP 800-171 to actually protect CUI. The audit was the check. NIST 800-171 is the floor.

DIB companies who built their security program to satisfy an assessor are exposed right now. Those who built their security program to satisfy the 110 practices, because that's what they think is adequate to protect their data, may be exposed. The suspension doesn't touch that second group. It barely registers.

If your team has spent 18 months hardening access control, closing out POA&Ms, and getting your SSP in order, none of that is wasted motion. DoW CIO Kirsten Davies said as much herself: companies that invested in their cyber posture didn't spend that money in vain. She's right. Keep going.

If your team has been waiting for the C3PAO deadline to force the issue, you have a bigger problem than a paused audit. You have a security program that only exists because someone else was checking.

What I'd do this week

Don't cancel your gap assessment. Convert it into a baseline review against 800-171 itself, not the assessment rubric. Ask your primes directly whether their own certification requirements survive this pause, because DoW suspending Phase 2 does not touch a subcontract flow-down. And stop asking "when is our audit." Start asking "can we prove this control is real if DIBCAC shows up tomorrow."

The RFI comment window closes August 14. The task force reports in September. Whatever comes out of that review, the underlying requirement to protect CUI on every device it touches isn't on the table. It never was.

The assessment got paused. The threat didn't get the memo.

Subscribe to Content Updates

Recent articles

July 16, 2026

CMMC Phase II Paused: Why Self-Attestation Raises Your Legal Risk

The DoW paused CMMC Phase II assessments on July 13. Self-attestation now carries FCA risk. Read how DIB contractors cam reduce exposure.

July 8, 2026

The Armored Truck Problem

Every Secure Messaging Strategy Built on Consumer Apps is an Armored Truck. Here is Why That is the Wrong Vehicle.

July 2, 2026

What Is the Biggest CMMC Mistake Contractors Make?

The biggest CMMC mistake contractors make is treating certification as a compliance exercise. Learn how to protect CUI, eliminate shadow IT, and reduce mobile scope.