top of page

CMMC Phase 2 Is Paused. CMMC Level 2 Requirements Are Not.

  • 2 hours ago
  • 2 min read

The United States Department of War's July 13 announcement has created understandable confusion across the Defense Industrial Base, but one distinction is critical:


The 60-day review pauses the implementation timeline for Phase 2 C3PAO certification requirements; not the cybersecurity requirements for organizations handling Controlled Unclassified Information (CUI).


Since the announcement, many defense contractors have understandably asked the same question:


Does this mean CMMC Level 2 requirements have changed?


The answer is no.


What changed was the implementation timeline for Phase 2 of the CMMC rollout, not the cybersecurity requirements for organizations that handle Controlled Unclassified Information (CUI).

The distinction is important, and one that many organizations have misunderstood.


What Actually Changed?


The CMMC final rule established a phased implementation schedule for certification requirements. Those phases determine when specific assessment requirements become mandatory in DoD contracts.


The Department's July 13 memo did not change the CMMC Levels or the underlying security requirements. Instead, it paused the implementation dates for Phases 2 through 4 while the Department conducts a 60-day review of the program.


The comparison below illustrates the change.


CMMC Phases - Before and After DoW announcement

As shown above:


  • Phase 1 remains unchanged and continues as planned.

  • Phases 2, 3, and 4 no longer have fixed implementation dates. Instead, their start dates are now TBD pending completion of the review.


In other words, the implementation schedule changed, not the security expectations.


What Did Not Change


Organizations handling Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) are still expected to meet existing contractual cybersecurity obligations.


That includes:


  • Implementing NIST SP 800-171 Rev. 2 security requirements where contractually required.

  • Completing required self-assessments.

  • Maintaining required SPRS affirmations.

  • Protecting CUI in accordance with existing contract requirements.


These obligations remain in effect today.


Why the Review Matters


According to the Department, the review is intended to evaluate how CMMC is implemented—not whether cybersecurity is necessary.


The objectives include:


  • Making the program more effective.

  • Reducing unnecessary burden on industry, particularly small businesses.

  • Improving accessibility while maintaining strong cybersecurity outcomes.

  • Gathering additional industry feedback through a 60-day review.


The announcement also states that active solicitations currently requiring C3PAO certification will be amended to permit a self-assessment during the review period.


What This Means for Defense Contractors


For organizations that have already invested in CMMC readiness, those efforts remain valuable.


Activities such as:


  • Identifying where CUI resides

  • Establishing a defensible CMMC scope

  • Implementing NIST SP 800-171 controls

  • Maintaining documentation and evidence

  • Preparing for future certification


continue to support existing contractual obligations while positioning organizations for Phase 2 implementation once a revised timeline is announced.


Organizations that pause their cybersecurity efforts because certification dates have shifted may find themselves less prepared when implementation resumes.


The Bottom Line


The Department of War has paused the implementation timeline for Phase 2 C3PAO certification requirements.


It has not paused the responsibility to protect CUI.


For defense contractors, the focus should remain the same:


  • Protect sensitive information.

  • Continue improving your cybersecurity posture.

  • Stay current with self-assessment and SPRS obligations.

  • Participate in the Department's review process by providing constructive feedback.


The implementation timeline may have changed, the need to protect CUI has not.


If you have questions about how this announcement affects your organization, your SPRS score, your secure enclave, or your overall compliance strategy, we're here to help, simply Contact Us.

Recent Posts

See All

Comments


bottom of page