CMMC Suspension Update: NIST 800-171r2 Compliance Still Required

CMMC suspension graphic

Department of War Suspends CMMC Phase II Requirements...BUT NIST SP 800-171r2 Compliance is Still Required

On July 13, 2026, the Department of War (DoW) announced the immediate suspension of the Cybersecurity Maturity Model Certification (CMMC) Phase II requirements, which was originally scheduled to come into effect on November 10, 2026."In support of Secretary Pete Hegseth's directive to reduce compliance barriers for small and medium sized businesses, we are today suspending the CMMC Phase II requirements and initiating a 60-day study of the future of this program," said DoW Chief Information Officer Kirsten A. Davies. "Robust cybersecurity and operational resilience remain critical to protecting American innovation and supporting warfighter readiness. We believe the DIB can achieve both, while we reduce unnecessary government red tape."

What is CMMC Phase II?

Beginning November 10, 2026, applicable solicitations and RFPs will require contractors to hold a CMMC Level 2 certification.During this interim period, the Department will enforce cybersecurity compliance with the NIST SP 800-171 Rev 2 standard through self-assessments and select government-led assessments, focusing on tangible cyber hygiene rather than administrative overhead.It is critical to note that this action does not eliminate the requirement for companies to protect federal data. All defense contractors and subcontractors remain contractually obligated to safeguard covered defense information in accordance with DFARS clause 252.204-7012.The Department of War remains steadfast in its commitment to securing its digital domain while empowering the DIB to rapidly provide the most advanced capabilities to the warfighter. More information can be found here: Brilliant at the Basics

Warning: Organizations that knowingly submit inaccurate NIST SP 800-171 self-assessment scores or falsely represent compliance in SPRS may be subject to investigation and liability under the False Claims Act, consistent with the U.S. Department of Justice's Civil Cyber-Fraud Initiative.“The FCA provides that any person who knowingly submits, or causes to submit, false claims to the government is liable for three times the government’s damages plus a penalty that is linked to inflation (currently Min $14,308 USD - Max $28,619 USD per claim). USCODE-2024-title31-subtitleIII-chap37-subchapIII-sec3729.pdf and eCFR :: 28 CFR 85.5 -- Adjustments to penalties for violations occurring after November 2, 2015."

The risk is significant. If your organization claims compliance with NIST SP 800-171 but is not compliant, each invoice submitted under a U.S. government contract could be treated as a false claim. False Claims Act penalties currently range from approximately $14,308 to $28,619 per claim. If the issue is not discovered for months or years, the penalties can quickly add up to hundreds of thousands of dollars. Organizations may also face contract termination and the loss of future government contracting opportunities.
False Claim Act
©cyberab.org

Questions about how the CMMC suspension affects your organization? Schedule a consultation with Steve Spry, CMMC RP, CCP to get clear, expert guidance and a plan moving forward.