This article is provided for informational and educational purposes only and reflects our perspective as an authorized Certified Third-Party Assessment Organization (C3PAO). It is not legal advice and should not be interpreted as guidance regarding contractual compliance or certification decisions. Organizations should consult qualified legal counsel and appropriate contracting authorities regarding legal or contractual obligations.
On July 13, 2026, the Department of War announced the immediate suspension of the Cybersecurity Maturity Model Certification (CMMC) Phase II requirements. According to the announcement, Phase I self-assessment requirements remain in place while the Department conducts a 60-day review of the CMMC program to align cybersecurity with its Acquisition Transformation System (ATS), reduce compliance barriers, and lower costs for small, medium-sized, and non-traditional businesses.
The announcement has understandably generated questions throughout the Defense Industrial Base (DIB). As an authorized Certified Third-Party Assessment Organization (C3PAO), our role is not to speculate about future policy decisions. Our responsibility is to conduct independent assessments using established assessment criteria and methodologies when authorized to do so.
This article summarizes what is currently known, addresses several common questions, and explains what remains unchanged from an assessment perspective based on the information available today.
Key Takeaways
- The Department has suspended the CMMC Phase II requirements while conducting a comprehensive review of the program.
- Phase I self-assessment requirements remain in place.
- During the interim period, the Department stated that it will continue enforcing cybersecurity compliance with NIST SP 800-171 Rev. 2 through self-assessments and select government-led assessments.
- Defense contractors and subcontractors remain contractually obligated to protect federal data in accordance with applicable contract requirements, including DFARS clause 252.204-7012 where applicable.
- Independent assessment principles, including objective evidence, professional independence, and accurate representations, remain fundamental.
Who Should Read This?
This article is intended for defense contractors, subcontractors, program managers, cybersecurity leaders, contracts professionals, and executive decision-makers seeking to understand the assessment implications of the Department’s announcement.
What We Know Today
- The Department has suspended the transition to CMMC Phase II requirements and announced a comprehensive review of the certification program.
- The stated objectives include reducing unnecessary compliance burdens, improving scalability, supporting innovation within the Defense Industrial Base, and maintaining robust cybersecurity and operational resilience.
- The Department also announced that Phase I self-assessment requirements remain in effect and that, during the interim period, it will continue enforcing cybersecurity compliance with NIST SP 800-171 Rev. 2 through self-assessments and select government-led assessments.
- The Department’s review of the CMMC program should not be interpreted as diminishing the importance of cybersecurity. Rather, the announced review reflects an effort to evaluate how cybersecurity objectives can be achieved while reducing unnecessary compliance burdens.
- Organizations should continue to rely on official Department communications for future guidance as the review progresses.
What Remains True Today
Several important principles remain unchanged. The purpose of an independent assessment is not to determine cybersecurity policy or establish contractual obligations. Rather, it is to objectively evaluate whether an organization has implemented applicable cybersecurity requirements using standardized assessment criteria and objective evidence. Likewise, the principles underlying independent assessments have not changed. Independent assessments continue to rely on standardized methodologies, qualified assessors, and objective evidence to establish confidence in assessment results. It is also important to distinguish between implementation timelines and assessment criteria. A change in when an assessment may be required does not necessarily indicate a change in what assessors evaluate or how assessments are performed.
Common Questions
- Does the suspension eliminate cybersecurity obligations? No. The Department addressed this point directly: «”It is critical to note that this action does not eliminate the requirement for companies to protect federal data.”» The announcement further states that defense contractors and subcontractors remain contractually obligated to safeguard covered defense information in accordance with DFARS clause 252.204-7012. Organizations should continue to understand and satisfy the cybersecurity requirements applicable to their contracts and the information they are entrusted to protect.
- Does a self-assessment require less rigor? The assessment mechanism and the rigor of an assessment are different concepts. Regardless of the assessment approach, organizations benefit from ensuring that conclusions regarding their cybersecurity posture are supported by objective evidence rather than assumptions. Objective evaluations provide greater confidence to organizational leadership, customers, and government stakeholders.
- Have assessment expectations changed? Based on the information currently available, the announcement does not indicate that assessment objectives, evidence expectations, or assessment methodologies have changed. Organizations should avoid assuming that future assessment criteria will change unless official guidance indicates otherwise.
Objective Evidence Remains Fundamental
- Independent assessments establish confidence through objective evaluation.
- Objective evidence enables assessors to determine whether applicable cybersecurity requirements have been implemented and are operating as intended. Documentation is an important component of that process, but documentation alone rarely provides a complete understanding of implementation.
- Assessors evaluate multiple forms of evidence, including documentation, interviews, observations, and technical examination, to develop an objective understanding of an organization’s implementation.
- Objective evidence also helps organizations demonstrate that representations regarding their cybersecurity posture are supported by observable and verifiable facts.
Understanding the False Claims Act in Context
The suspension has also prompted questions about the relationship between CMMC and the False Claims Act (FCA). The FCA is not a cybersecurity framework, nor is it part of the CMMC assessment process. However, it reinforces the broader principle that representations made to the federal government should be accurate, supportable, and made in good faith. From an assessment perspective, objective evidence helps establish confidence that organizational representations are supported by demonstrable facts rather than assumptions.
Organizations that maintain reliable documentation, perform thoughtful internal evaluations, and ensure that statements regarding their cybersecurity posture are supported by objective evidence are generally better positioned to demonstrate consistency between their representations and their implementation. The purpose of emphasizing objective evidence is not to create unnecessary administrative burden or encourage decisions based on fear of enforcement. Rather, objective evidence supports sound governance, informed decision-making, and confidence in the accuracy of organizational representations. Organizations with questions regarding legal obligations or certifications should seek guidance from qualified legal counsel.
Why Independent Assessments Continue to Matter
- Independent assessments provide an objective evaluation performed by qualified assessors using standardized methodologies.
- Their purpose is not to redefine cybersecurity requirements or prescribe implementation approaches. Rather, they provide an independent measure of confidence that applicable cybersecurity requirements have been implemented and are operating as intended.
- Independence helps ensure that assessment conclusions are based on objective evidence rather than advocacy, implementation decisions, or business interests.
- This independence promotes consistency, confidence, and trust across the Defense Industrial Base.
Final Thoughts
The Department’s review of the CMMC program may result in future changes to implementation timelines or assessment requirements. Until additional guidance is issued, organizations should rely on official Department communications rather than speculation. Although implementation timelines may change, the fundamental principles of objective evidence, independent assessment, accurate representations, and protection of federal data continue to provide the foundation for confidence throughout the Defense Industrial Base.
About IBSS
Since 1992, IBSS has provided transformational cybersecurity services to the Federal defense, civilian, and commercial sectors. IBSS is an Authorized C3PAO, a designation granted by The Cyber AB (CMMC Accreditation Body) under the guidance of the Department of Defense (DoD). This authorization confirms that our organization has successfully completed the rigorous process required to assess the cybersecurity posture of organizations within the Defense Industrial Base (DIB) against the requirements of the Cybersecurity Maturity Model Certification (CMMC).
- Authorized by: The Cyber AB (Official Accreditation Body)
- Listing Verification: https://cyberab.org/Member/C3PAO-2829-Ibss-Corp
- Relevant Standards: C3PAO Authorization, CMMI SVC Level 3 and DEV Level 3, ISO 9001:2015 Certified Quality Management System, ISO/IEC 20000-1:2018 Certified Information Technology Services Management (ITSM), ISO/IEC 27001-2022 Certified Information Security Management Systems (ISMS), ISO/IEC 17020:2012 Compliance (in progress).
Read more About Us.
Keywords: CMMC, Authorized C3PAO, DoD Requirements, NIST SP 800-171, Cybersecurity, DIB, Cyber AB





