The Department of War has suspended the second phase of the Cybersecurity Maturity Model Certification (CMMC) program, putting third-party certification requirements and future Phase 2 implementation milestones on hold.
Phase 2 was scheduled to begin Nov. 10, 2026, while the Phase 1 self-assessment requirements remain in effect.
The department is
launching a 60-day review of CMMC through a new reform task force, which will look for ways to lower costs and simplify the program. During the pause, contractors would be required to follow NIST SP 800-171 through self-assessments and some government reviews.
Audit process has changed, not the security obligation
For defense contractors and the MSPs supporting them, the pause changes the immediate deadline. It does not remove the security work.
Jim Ambrosini, CISO and cybersecurity advisor at CompassMSP told MSSP Alert, “The suspension may have reduced immediate pressure around third-party certification timelines, but it has also created confusion for organizations that believe the underlying requirements have gone away. In reality, the audit process has changed, not the security obligation. Contractors are still expected to implement the same NIST SP 800-171 controls and protect federal data. Organizations that interpret this as a reason to pause their cybersecurity efforts are misreading what actually changed,” said
Contractors still have to prove their security posture
Defense contractors and subcontractors remain contractually responsible for protecting covered defense information under DFARS clause 252.204-7012. They still need to know where controlled unclassified information is stored, who can access it, and which systems, vendors, and service providers are part of that environment.
“The biggest misconception is that preparation can stop because certification has been delayed. That's not the case. The 110 NIST SP 800-171 security controls remain contractual requirements under DFARS 7012. Companies still need a strong system security plan, accurate SPRS scores, and working security controls. The compliance timeline shifted, but the responsibility to secure sensitive information did not,” Ambrosini said.
MSPs and MSSPs are still part of the compliance process. If they manage a contractor’s firewall, identity systems, backups, cloud environment, or security tools, they may need to provide the evidence that supports the customer’s self-assessment and SPRS score. That can include logs, configurations, policies, and other documentation showing that the required controls are in place and working.
Remediation work should continue
The suspension could lead some contractors to delay projects that were originally tied to a C3PAO assessment. That may include network segmentation, multifactor authentication, vulnerability management, backup improvements, encryption, and access-control work.
“Some organizations may delay remediation work now that C3PAO assessments are paused, but that would be a costly mistake. This is an opportunity to focus less on preparing for an audit and more on strengthening security controls. MSPs should emphasize that remediation isn't about passing an assessment, it's about reducing cyber risk and meeting contractual obligations that are still fully enforceable,” Ambrosini said.
This will likely change how providers discuss CMMC with customers. An upcoming certification date was a simple reason to approve spending. With that deadline suspended, MSPs will have to connect the work to contract requirements, SPRS accuracy, and the risks created by weak or undocumented controls. Contractors may still need help defining the CUI boundary, replacing aging infrastructure, separating regulated data from the rest of the network, and documenting how each control works. Those services were already becoming a source of project and recurring revenue for providers serving the defense industrial base.
Smaller contractors may get some cost relief
The government said the current model has created compliance costs and bureaucratic burdens that have pushed some businesses away from the defense industrial base. The reform task force will use industry feedback to recommend a revised approach within 60 days.
“For many smaller contractors, the greatest burden wasn't implementing good security practices - it was the cost and complexity associated with preparing for third-party certification. If the reform process can reduce unnecessary audit overhead while preserving strong security requirements, that would allow organizations to invest more of their resources where they have the greatest impact: improving their actual cybersecurity posture,” Ambrosini said.
The review could change when an independent assessment is required, how contractors submit evidence, and how the government checks that controls are working. The department has already said self-assessments and selected government reviews will be used during the interim period, suggesting contractors will still need documentation that can stand up to scrutiny.
MSP services may move toward continuous compliance
The pause may push CMMC services away from one-time audit preparation and toward ongoing compliance management. MSPs could be asked to maintain system security plans, review SPRS scores, update evidence, and regularly validate the controls they manage.
“If the revised model places greater emphasis on self-assessments and government-led reviews, MSPs will need to shift from helping clients prepare for a one-time certification event to supporting continuous compliance. That means maintaining accurate documentation, validating security controls on an ongoing basis, and ensuring clients can confidently stand behind their SPRS scores and security posture at any time,” Ambrosini said.
Providers will still need people who understand the CMMC model, the underlying federal requirements, and the difference between operating a security tool and proving that a control is working. They will also need a repeatable way to manage evidence across customers rather than rebuilding the process for each assessment.