DFARS 252.204.7012 Obligations Have Not Changed; this represents a pause in CMMC Phase II requirement, not a repeal.

On July 13, 2026, the Department of War announced the immediate suspension of CMMC Phase II requirements while a CMMC Reform Task Force conducts a 60-day review of the program.

It is critical to note that this action does not eliminate the requirement for companies to protect federal data. All defense contractors and subcontractors remain contractually obligated to safeguard covered defense information in accordance with DFARS clause 252.204-7012.

The purpose of the Secretary of War, Pete Hegseth’s Acquisition Transformation System (ATS) directives, focuses on accelerating delivery of capability, reducing entry barriers for small, medium, and non‑traditional firms, and shifting from bureaucratic compliance to scalable, resilient cybersecurity approaches.

At S3 Security, we view this announcement as an opportunity rather than a setback. Organizations that use this time to improve documentation, validate controls, and strengthen their cybersecurity programs will be in a much better position, as legal obligations still remain.

S3 Security Recommendations

While the certification schedule is under review, the core requirements remain largely unchanged.

Contractors handling CUI and FCI still need to understand where that information resides, maintain a defined scope for their environment, implement required security controls, and maintain the documentation necessary to support their cybersecurity program.

That means maintaining:

  • A clearly defined CMMC scope
  • Asset inventories and network diagrams
  • Data-flow documentation
  • A comprehensive System Security Plan (SSP)
  • Implemented technical, administrative, and physical safeguards
  • Evidence that controls are operating as intended

A common mistake organizations make during periods of regulatory uncertainty is pressing pause on readiness activities. We believe that would be a mistake here.

The companies that continue strengthening their programs during this period will be far better prepared for whatever comes next.

If You Choose to Perform Your Self-Assessment

One common misconception is that a self-assessment will be significantly easier than a third-party assessment.

In reality, a self-assessment still requires organizations to evaluate their environment objectively, validate that controls are operating as intended, and support their conclusions with evidence.

A policy by itself does not prove compliance.

Organizations should be prepared to demonstrate how controls are implemented and how those controls operate in practice.

Examples may include:

  • Access review records
  • Vulnerability scans and remediation activities
  • Security monitoring and logging records
  • Incident response testing
  • Security awareness training records
  • Risk assessments and management activities
  • Documentation supporting third-party service providers
  • Evidence showing policies and procedures are being followed consistently

The strongest self-assessments are conducted with the same discipline organizations would apply if they expected an assessor to review the environment tomorrow.

That approach not only creates a more accurate assessment but also helps establish a stronger foundation for future certification efforts.

Be Careful What You’re Attesting To

As organizations complete self-assessments and submit results to SPRS, accuracy matters.

A self-assessment is ultimately a representation of your cybersecurity posture. If a customer, contracting officer, government reviewer, or insurer asks how those conclusions were reached, organizations should be able to support their answers with documentation and objective evidence.

This extends beyond compliance requirements.

Many organizations make similar representations through:

  • Government proposals and contracts
  • SPRS submissions and affirmations
  • Customer and partner security questionnaires
  • Subcontractor agreements
  • Cyber liability insurance applications and renewals

Cyber insurance providers, in particular, continue to ask more detailed questions about controls such as multifactor authentication, vulnerability management, endpoint security, backups, employee security awareness training, and incident response capabilities.

If an organization claims a control is in place, it should be prepared to demonstrate how that control is implemented and maintained.

A well-executed self-assessment can help create a consistent and defensible body of evidence that supports compliance, contractual requirements, and cyber insurance obligations alike.

Use This Time Wisely

For organizations that felt unprepared for the original timeline, this pause could create an opportunity to get ahead.

Use the additional time to:

  • Define and validate your CUI environment
  • Strengthen documentation
  • Validate control implementation
  • Collect supporting evidence
  • Address known gaps
  • Improve readiness for future assessments

The organizations that benefit most from this announcement will continue moving forward rather than waiting for the next round of guidance. Those that stop their readiness efforts may find themselves facing the same implementation challenges later, potentially with less time to respond.

How S3 Security Can Help

As an Authorized C3PAO and CMMC Registered Provider Organization, S3 Security helps organizations navigate the technical, operational, documentation, and assessment requirements associated with CMMC and NIST SP 800-171 Rev 2.

Whether your organization is preparing for a self-assessment, validating evidence, strengthening documentation, closing compliance gaps, or preparing for future certification requirements, our team can help you build a practical and defensible path forward.

Organizations that continue investing in cybersecurity today will be best positioned for whatever comes next.

We will update our recommendations and keep you informd as new information is formally announced by the Department of War and the Secretary of War for Aquisition and Sustainment.

 

Disclaimer: This post reflects S3 Security’s interpretation of the Department of War announcement as of July 15, 2026. The CMMC program is currently under review, and additional guidance may affect future implementation requirements. This information is provided for general informational purposes and does not constitute legal advice.

Share