CMMC Phase 2 Suspension: Impact and Future Outlook

This title was summarized by AI from the post below.

CMMC Phase 2 has been suspended, prompting significant discussion within the community. For those who are knowledgeable about the CMMC ecosystem, your insights are valuable. What do you believe will be the impact of this suspension? Additionally, what do you think is the most likely outcome of the upcoming 60-day review period? This is an opportunity for subject matter experts to provide informed dialogue and healthy debate on the future of CMMC, so please share your thoughts and perspectives (if your comment doesn’t provide value or is noise, I am going to delete it).

The DOD press releases speak of "revision". So we know that change is coming and not just a "review" of the program. Most of the social chatter relates to encouraging OSC's to stay the course. The most immediately impacted seems to be the members of the eco-system who have invested years and money to be a part of the program. It seems like enclave solutions that bring 80-90% compliance via inheritance and have been picked up by the Army on NCODE are likely part of the compromise solution. Its the prep and 3rd party verification that are the cost burdens and so that is likely where the change may occur.

We do a lot of CMMC readiness work at Bright Defense. My guess is that CMMC Level 2 comes back after the moratorium with the same standards but greater ability for small businesses to self attest. Also, perhaps more penalties for falsely self attesting. We shall see….

I think the suspension doesn’t really make a lot of difference. The way I understand it is the idea of phase 2 being too burdensome on small business will impact a very small percentage as most small businesses are subs and primes can still demand it in phase 1. I am only an observer here so I might be missing something too.

I believe it may give birth to some middle ground or segmentation where a certain threshold (whether new data classification or contract value) may be subject to C3PAOs or some type of certification that’s not the full audit but not just self assessments? Perhaps something like FedRAMP 20x may be needed.

The fewer 3PAO audits required for those US DIB contracts, the more whistleblower cases I’d expect to see arise eventually under the False Claims Act. The 2025 case out of Georgia comes to mind.

From business perspective: Its enforcement wasn’t stable from the beginning. The difference between FCI and CUI wasn’t clear, so companies had to comply with L2 to stay in the safe side. NIST almost can replace it. Political wise, It was about to be suspended before, but got last minute enforced.

I hope the "only" impact (sensitivity to the risk to the C3PAO workforce) is that contractors pause pursuing C3PAO assessments, not their NIST SP 800-171 compliance. The RP clients I've spoken with are staying the course with DFARS 252.204-7012. We saw this with the CMMC v1→v2 transition. Pausing compliance is risky because no one knows where the Reform Task Force will land. If the outcome is largely status quo, losing 60+ days could matter. I could see several hybrid models emerging: C3PAO assessments for primes (and perhaps key subcontractors), SPRS/7019 enforcement for others, or C3PAO requirements only for higher-risk contracts. Some have mentioned a DoW-provided enclave solution, but I don't see how that could work logistically given how differently business and data flows operate in these environments. That could sold the problem of how contractors receive CUI, but I don't see a one size fits all solution that controls the flow throughout the entire lifecycle. Regardless, I expect prime contractor pressure, TPVRM expectations, and FCA whistleblower activity to continue driving compliance. Some primes have already started to enforce minimum acceptable score expectations with their suppliers. I don't see them dropping it.

I think it's a great step and shows they actually listen to feedback out there. If something isn't working as intended, or stopped serving it's true purpose, review and improve. Just like any control, it's not a rigid thing that exists in a vacuum. The value is in how you implement it and adapt it to real life

See more comments

To view or add a comment, sign in

Explore content categories