Changes to the CMMC Framework
Posted in Uncategorized
Changes to the CMMC Framework: What Defense Contractors Need to Know
The Cybersecurity Maturity Model Certification (CMMC) program has changed again, leaving many companies in the Defense Industrial Base (DIB) uncertain about what comes next. On July 13, 2026, the Department of War suspended Phase II of the CMMC rollout and started a 60-day review of the program. This move delays the planned start of mandatory third-party CMMC Level 2 assessments, which were set for November 2026. For many contractors, the announcement has raised an important question: Should we continue preparing for CMMC?
The answer is yes.
Even though the timeline has shifted, protecting Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) is still required. Companies that keep improving their cybersecurity now will be ready no matter how the Department updates the framework.
What Changed?
The most significant change is the suspension of CMMC Level 2, which would have required many contractors handling Controlled Unclassified Information to complete third-party CMMC Level 2 certification assessments before receiving certain defense contracts.
Rather than continuing with that requirement, the Department has paused all Level 2 requirements while a new CMMC Reform Task Force reviews the program. Officials said the current process had become too expensive and difficult, especially for small and mid-sized businesses in the defense supply chain.
It is important to note that CMMC is not being eliminated. This is only a pause while the Department looks for ways to make compliance easier without lowering cybersecurity standards.
What Has Not Changed?
While the headlines focus on the suspension, several critical requirements remain in place.
Companies that are currently required to perform CMMC Level 1 self-assessments must continue doing so. Existing contractual obligations to protect Federal Contract Information and Controlled Unclassified Information remain unchanged, and contractors are still expected to implement appropriate security controls in accordance with their contract requirements.
To put it simply, cybersecurity requirements are still in place. Only the schedule for mandatory third-party assessments has changed.
Why the Department Paused Phase II
According to Department leadership, the existing implementation created significant challenges for the Defense Industrial Base.
Many contractors reported that preparing for certification required substantial financial investments while also competing for a limited number of Certified Third-Party Assessment Organizations (C3PAOs). Smaller contractors, in particular, expressed concern that compliance costs were becoming a barrier to participating in Department of Defense contracts.
The Department decided that strong cybersecurity is essential, but the rules should not make it harder for companies to compete or stop new suppliers from helping with national defense. The review aims to find ways to keep security strong while making compliance less of a burden.
Why NIST SP 800-171 Still Matters
One misconception following the announcement is that companies no longer need to comply with NIST SP 800-171.
That is not the case.
NIST SP 800-171 is still the main standard for protecting Controlled Unclassified Information in contractor environments. Its 110 security requirements are widely accepted as best practices for keeping sensitive government information safe.
Putting these controls in place is worthwhile no matter what happens with CMMC timelines. They help with identity management, make access controls stronger, lower ransomware risk, improve monitoring, and boost overall cyber resilience.
For most defense contractors, investing in NIST 800-171 compliance continues to provide both regulatory and operational value.
What Defense Contractors Should Do Now
This pause is a chance to improve your cybersecurity, not a reason to wait or slow down.
Imagine preparing for a mountain expedition that has been postponed due to changing weather conditions. The extra time allows you to strengthen your equipment, improve your training, and prepare more thoroughly for the journey ahead. When the expedition resumes, you’ll be far better prepared than those who stopped training altogether.
The same principle applies to CMMC.
This is an ideal time to review your System Security Plan (SSP), update your Plan of Action and Milestones (POA&M), validate technical controls, perform vulnerability assessments, conduct penetration testing, and address any remaining gaps in your NIST SP 800-171 implementation.
Businesses that keep working on their cybersecurity now will probably save time and money when new compliance rules come out.
How the Recent Changes Affect Small Businesses
Small and mid-sized defense contractors are expected to benefit the most from the temporary suspension.
Many smaller firms have found it hard to afford third-party certification and to get an assessment slot. The Department’s review recognizes these issues and aims to balance national security with keeping a strong and competitive group of suppliers.
However, small businesses should not assume cybersecurity expectations have been lowered.
Prime contractors continue evaluating subcontractors based on cybersecurity maturity, and having strong security practices remains a competitive advantage when bidding for contracts. Tanner Security helps defense contractors strengthen their cybersecurity posture through services designed to reduce risk and improve compliance readiness.
Cybersecurity Gap Assessments: Identify gaps before a formal assessment and develop a practical roadmap toward compliance.
NIST SP 800-171 Gap Assessments: Evaluate current security controls against NIST requirements and prioritize remediation efforts.
Penetration Testing: Validate whether security controls effectively protect systems from real-world cyberattacks.
Vulnerability Assessments: Identify known security weaknesses before attackers can exploit them.
Microsoft 365 and Cloud Security Assessments: Evaluate cloud environments that store or process Controlled Unclassified Information.
Virtual CISO (vCISO) Services: Get expert cybersecurity leadership and ongoing compliance advice without paying for a full-time executive.
Changes to the CMMC Framework FAQ’s
Has CMMC been canceled?
No. The Department has suspended the rollout of Phase II while conducting a comprehensive review of the program. Phase I self-assessment requirements remain in effect.
Are third-party CMMC assessments still required?
The planned expansion of mandatory third-party Level 2 assessments has been paused while the Department reviews the framework. Additional guidance is expected after the review is complete.
Do contractors still need to implement NIST SP 800-171?
Yes. Contractors handling Controlled Unclassified Information should continue implementing NIST SP 800-171 security controls because they remain the technical foundation for protecting sensitive government information.
Should companies stop preparing for CMMC?
No. Continuing to improve cybersecurity, complete gap assessments, and implement NIST SP 800-171 controls will reduce future compliance efforts while improving overall security.
How long will the review take?
The Department has established a CMMC Reform Task Force that is expected to provide recommendations within 60 days.
Will CMMC requirements change again?
It is possible. The purpose of the review is to evaluate the current framework and recommend improvements that reduce unnecessary compliance burdens while maintaining strong cybersecurity across the Defense Industrial Base.
What should contractors do while waiting?
Companies should continue strengthening cybersecurity, maintaining documentation, improving technical controls, and preparing for future requirements rather than delaying security investments.
Conclusion
The recent changes to the CMMC framework are about how it will be implemented, not a step back from cybersecurity.
By suspending Phase II, the Department has acknowledged that compliance needs to be simpler for defense contractors, but security for sensitive government information must remain strong. Contractors should use this extra time to strengthen their cybersecurity, align with NIST SP 800-171, and address any security gaps before new rules are released, as the compliance timeline has changed. Businesses that continue investing in cybersecurity today will be in the strongest position when the next phase of CMMC is finalized.
Whether your company is beginning its compliance journey or preparing for future certification, proactive planning remains the best way to protect your business and the sensitive information you manage.
Schedule a Call