On July 13, 2026, the Department of War (DoW) announced the immediate suspension of Phase II of the Cybersecurity Maturity Model Certification (CMMC) program — the phase that was to require formal third-party (C3PAO) certification of Level 2 compliance beginning November 10, 2026. DoW Chief Information Officer Kirsten A. Davies described the move as consistent with Secretary of War Pete Hegseth's Acquisition Transformation System, which prioritizes speed to capability and lower barriers to entry for small, medium, and non-traditional defense contractors. DoW is launching a 60-day CMMC Reform Task Force to recommend a scaled-back, more efficient path forward, informed by industry feedback already gathered through a public Request for Information.
For contractors in the Defense Industrial Base (DIB), this is a significant, but partial, reprieve. Phase I self-assessment obligations are unchanged, and the underlying data-protection duty has not gone anywhere.
What Changed
- CMMC Phase II — the requirement for a formal, independent C3PAO assessment of CMMC Level 2 status — is suspended, along with related implementation milestones across DoW solicitations and contracts.
- DoW's CIO is standing up a CMMC Reform Task Force to conduct a top-to-bottom review of the program and deliver recommendations within 60 days.
- During this interim period, DoW will enforce cybersecurity compliance through self-assessments against NIST SP 800-171 Rev 2 (and select government-led assessments), rather than mandatory third-party certification.
What Has Not Changed
- CMMC Phase I self-assessment requirements remain firmly in place.
- Contractors and subcontractors remain contractually bound to safeguard covered defense information under DFARS 252.204-7012.
- The substantive security controls have not been relaxed — only the independent verification mechanism (C3PAO certification) has been paused.
- This is a suspension and review, not a repeal. Phase II requirements, or a revised successor framework, could be reinstated once the Task Force reports back.
- Under Phase I, DoW can still require a C3PAO assessment as a condition of award. There is nothing in DoW’s communications that necessarily changes that.
Cost Implications: CMMC Certification vs. NIST SP 800-171 Rev 2 Self-Assessment
Because CMMC Level 2 is built directly on the 110 controls in NIST SP 800-171 Rev 2, the underlying technical remediation, system security plan (SSP), and plan of action and milestones (POA&M) work is largely the same either way. The real cost delta is the formal, independent C3PAO assessment layer that Phase II would have required. Illustrative, industry-wide ranges for a small-to-midsize DIB contractor are below; actual costs vary with scope, current security maturity, and number of systems handling CUI.
|
Cost Component |
CMMC Level 2 (C3PAO Certification) |
NIST SP 800-171 Rev 2 (Self-Assessment Only) |
|
NIST SP 800-171 control remediation & implementation (initial year) |
$148,200 for small businesses and $543,400 for other than small businesses |
$148,200 for small businesses and $543,400 for other than small businesses |
|
SSP / POA&M documentation (according to industry studies) |
$12,000 – $60,000 |
$12,000 – $60,000 |
|
Formal assessment / attestation fee |
C3PAO assessment: $105,000 (DoD estimate) |
Self-assessment & annual affirmation: $36,643 (DoD estimate) |
|
Approximate total |
$265,200-$708,400 |
$196,843 – $640,043 (no third-party audit fee) |
Bottom line: the suspension does not materially reduce the cost of the underlying cybersecurity work contractors already owe the government under DFARS 252.204-7012 and NIST SP 800-171 Rev 2. What it defers, for now, is the incremental cost and scheduling burden of an independent C3PAO audit. Contractors have often found CMMC to be burdensome because it forced them to reckon with the fact that they had not successfully implemented the underlying security controls; something that CMMC finally forced them to do. If DoW abandons the requirement for a third-party certification (or significantly limits it), many companies may fall back to deprioritizing the implementation of the most expensive part of CMMC – the underlying cybersecurity controls and take on the risk of a DoW audit or whistleblower case. Today’s actions do nothing to streamline those underlying costs and only serve to officially eliminate a small part of the overall implementation cost.
False Claims Act Risk Is Higher When You Self-Certify
The shift back to self-assessment as the primary compliance mechanism increases, rather than decreases, False Claims Act (FCA) exposure for many contractors. An independent C3PAO assessment provides a documented, third-party record of the basis for compliance. A self-assessment places that same evidentiary burden — and the associated legal risk — entirely on the contractor and the executive who signs the affirmation.
- Annual affirmations submitted to the Supplier Performance Risk System (SPRS), and the self-assessment scores underlying them, are certifications made directly to the federal government. Under 31 U.S.C. § 3729, a certification that is false when made — or made with reckless disregard for its truth — can trigger treble damages and per-claim penalties.
- DOJ's Civil Cyber-Fraud Initiative, launched in 2021, has made cybersecurity self-certifications a recurring enforcement target. DOJ recovered $52 million in FY2025 alone under the initiative, and has settled multiple cybersecurity-related FCA cases involving inflated or unsupported SPRS scores.
- Recent settlements illustrate the exposure: a government contractor paid $4.6 million after a third-party review found its actual SPRS score was dramatically lower than the 104 (near-maximum) score it had self-reported; a federal services contractor paid $11.25 million for repeatedly and falsely certifying cybersecurity compliance over several years.
- The FCA's “knowingly” standard is broad — it reaches actual knowledge, deliberate ignorance, and reckless disregard. A contractor need not intend to defraud the government to face liability for a materially inaccurate self-assessment.
- Qui tam provisions let whistleblowers — including former employees, consultants, and business partners — bring FCA suits and share in any recovery, creating a strong incentive to report self-certifications that do not hold up to scrutiny.
In short, a lighter-touch verification regime shifts risk onto the contractor's own internal controls and documentation. Contractors that treat the suspension of Phase II as license to relax their compliance rigor — rather than as removal of an independent check on their own self-assessment — may be trading a known, bounded assessment cost for open-ended FCA exposure.
What's Next?
We recommend that contractors currently handling FCI or CUI on DoW contracts: (1) continue treating NIST SP 800-171 Rev 2 self-assessment scores and SPRS submissions with the same rigor and documentation discipline they would apply to a C3PAO audit; (2) preserve evidence supporting each control implementation, not just the final numeric score; (3) ensure the affirming official's sign-off is based on verified, current facts rather than aspirational or future-state compliance; and (4) monitor the CMMC Reform Task Force's 60-day review, as well as the related RFI docket, for signals about the framework's ultimate shape.
Hunton Andrews Kurth's Government Contracts team is closely tracking the CMMC Reform Task Force, the underlying RFI process, and related False Claims Act enforcement activity, and is available to help contractors calibrate their compliance posture, SPRS submissions, and subcontractor flow-downs no matter the direction this takes.
Search
Recent Posts
Categories
Tags
- 8(a) program
- Acquisition Transformation Strategy
- Anthropic
- Code of Federal Regulations
- Commercial Products
- Contractor’s Action Plan
- Controlled Unclassified Information
- Cybersecurity
- Cybersecurity Maturity Model Certification (CMMC)
- Cybersecurity Maturity Model Certification program
- Defense Contractors
- Defense Production Act
- Department of Defense
- Department of Energy
- Department of Homeland Security (DHS)
- Department of War
- Executive Order (EO)
- False Claims Act
- FAR
- FAR Council
- Federal Acquisition Regulations
- Federal Acquisition Regulatory Council
- Federal Acquisition Supply Chain Security Act
- Federal Contractors
- Federal Contracts
- Federal Government Contractor
- Federal Government Shutdown
- Federal Procurement
- General Services Administration
- Government Contracts
- Government Shutdown
- Iran
- National Defense Authorization Act
- Office of Management and Budget
- Procurement
- Revolutionary FAR Overhaul
- Service Contract Act (SCA)
- Small Business Administration
- Trump Administration
- Wage Determination