CMMC Phase II Under Review: What It Actually Means for Your Compliance Timeline

DoW paused CMMC Phase II C3PAO assessments for 60 days. Learn what this means for Level 1 & 2 entities and prime contractors and why now isn't the time to slow down.

CMMC
CMMC Phase II Under Review: What It Actually Means for Your Compliance Timeline

Quick Answer: What Does the CMMC Phase II Delay Mean

The DoW has paused only the CMMC Phase II requirement for Level 2 entities to complete third-party C3PAO assessments. All other CMMC obligations remain fully in effect.
  • A DoW task force will review the validation program for 60 days before further action.
  • Phase I requirements are unchanged: Level 2 self-assessments, SPRS registration, CUI/FCI safeguarding, and prime flow-down tracking all still apply.
  • Level 1 entities: No change, continue with your self-assessment prep.
  • Level 2 entities: Continue with your self-assessments; if mid-C3PAO assessment, finish it rather than restart later.
  • Primes: Subcontractor CMMC flow-down compliance monitoring remains required.

About the Announcement

The recent buzz surrounding the Department of War (DoW) decision to delay the CMMC Phase II rollout has sparked a flurry of commentary. 

Most of the discourse centers on the potential impact for organizations pursuing certification and the C3PAO community at large. 

Having navigated the cybersecurity compliance landscape for over two decades, I’ve learned to view shifts in validation frameworks with a measured perspective; we have witnessed these cycles before and will undoubtedly encounter them again. My primary recommendation to those following these developments is to maintain your composure, resist the urge to adopt a "sky-is-falling" mentality. 

Generating cybersecurity requirements is relatively straightforward; however, the actual implementation of programs to verify adherence is, and will always remain, a complex challenge. If a governing body like the DoW could simply issue security standards and trust every organization to comply out of a sense of duty, there would be no need for formal validation. Unfortunately, human nature and business realities don’t work that way. While the core CMMC standards are not new, the official framework for validating them is still relatively new and will naturally require fine-tuning over time. 

Does this signify the demise of CMMC? 

I would argue a definitive no.

The underlying threats remain constant, ensuring the standard’s continued relevance in our industry.

What has really changed then? 

Only one thing, effective immediately the DoW has paused the phase that would require a Level 2 entity to get an assessment from a 3rd party C3PAO. And they are forming a task force to investigate the validation program for the next 60 days. That's it and that's all. All of Phase I validation requirements are still in place (Self Assessments), protecting CUI/FCI is still in place, SPRS registration is still in place, flow-down compliance tracking for primes is still in place, etc. 

The next path in this ongoing process rests entirely with you. If your company handles sensitive data, the mandate to safeguard that information remains unchanged. While you could opt to pause and speculate on the eventual validation program (make no mistake, it is inevitable) the wiser course is to maintain your current momentum. These standards are fundamentally sound; they represent the same core security principles being embraced across every major sector, from finance to healthcare, and they are certainly here to stay.

Investing in cybersecurity is never a cheap endeavor, and when you introduce a formal validation mechanism, the price tag inevitably climbs. Human nature being what it is, organizations rarely prioritize selfless compliance; they typically require a stiff push to verify their security status. 

Currently, the DoW is attempting to navigate the complexities of a validation framework that doesn't inadvertently stifle the Defense Industrial Base (DIB) (a noble objective, to be sure). I actually have to give some credit to the leadership at the DoW for making the difficult choice to hit the brakes. They likely recognized that the original phase rollout was going to be difficult on the DIB at this time and acted, despite the shockwaves it sent through the industry. 

We can only speculate about any higher-level government discussions occurring behind the scenes, but perhaps they are seeking a broader approach that allows the CMMC cybersecurity standards to be adopted across other agencies. I'm choosing to remain optimistic and I'll reserve my final judgment until this 60-day review concludes.

So what should your CMMC approach be over the next 60 days?

What Should a Level 1 Entity Do?

No change for you at all, keep working towards getting your systems in order so you can confidently complete your Level 1 self assessment.

What Should a Level 2 Entity Do?

As previously noted, the fundamental CMMC security standards remain entirely intact; only the mechanism for verifying adherence has shifted. 

For the time being, the benchmark remains a comprehensive Level 2 Self Assessment, a task that should already be underway for any organization that hasn't completed a formal C3PAO review. This is certainly not an invitation to slacken your pace. The DoW's goal isn't to stall progress while they refine the validation framework, so I strongly urge you to keep your momentum going.

What if you are a Level 2 entity that is in the middle of a C3PAO assessment process?

  • Push forward and finish that work. It will take more time to stop and restart this later if required in the future

How should I feel now if I just finished a CMMC Level 2 assessment with a C3PAO?

  • You should feel great and ahead of the game, it is inevitable that a high level of validation will be required at some point in the future. Additionally your risk to a prime contractor is very low and that represents a market advantage for you.
  • In my two decades of conducting cybersecurity compliance assessments, I have never seen an organization regret completing the journey. They invariably emerge with a stronger security posture and genuine peace of mind regarding their system security.

What should I do if I am just starting my Level 2 validation process?

  • For now you have more choices, self assessment only, self assessment with a CCA/C3PAO review of your work, self assessment with CCA guidance and a full CMMC Mock Audit by a C3PAO to give you the highest level of assurance.
  • A key benefit of the Phase I self-assessment guidelines is the flexibility they provide, allowing you to align your compliance efforts with your specific risk tolerance and choose the precise level of assurance you want to present to your prime contractor.
  • Remember, there are still big positives to working with a C3PAO during this process.

What Should Prime Contractors Do?

Whether you are a top-tier or mid-tier prime contractor, the duty of managing CMMC supply chain compliance has not disappeared with this announcement. 

This is actually the perfect moment to double down on your supply chain security. You must evaluate: what level of flow-down risk is your organization truly willing to accept? To prevent cybersecurity complacency from setting in, actively communicating with and tracking your subcontractors' CMMC progress is more crucial than ever. 

Do not neglect this essential responsibility simply because a C3PAO assessment may not be required for a period of time.

Summing Up What This Pause Means

While this announcement offers a brief moment of relief regarding the upcoming 2027 Level 2 C3PAO validation deadlines, it is certainly not an invitation to procrastinate. 

A validation framework will inevitably be established, and halting your preparations now will only create a difficult bottleneck for your organization down the road. Our adversaries remain highly active, persistently seeking to compromise the DIB and its projects. Continue leveraging the CMMC guidelines to fortify your overall cybersecurity posture. 

Do your part to help navigate this transition successfully, this can happen if we all work together to protect sensitive defense industry data.

Trust me, it's better to be secure than to be compelled to be secure after a compromise.