CMMC Phase 2 Suspended: A False Claims Act Nightmare

The DoD has suspended the November 2026 transition to Phase 2 of CMMC implementation, but that doesn't mean cybersecurity requirements have been relaxed.

Breaking news coverage of the DoD’s suspension of the November 2026 CMMC Phase Two transition. The core message: less changed than people think, and the self-assessment path carries more legal exposure than most contractors realize.

Key Takeaways

What Changed
New DoD contracts will only require Level 1 or Level 2 self-assessments. C3PAO third-party certification requirements will be removed from active solicitations and existing contracts at the next option period.

What Didn’t Change
Everything else — DFARS 252.204-7012, NIST SP 800-171, scoping guidance, the 88-point minimum passing score, POAM rules, 180-day closeout windows, six-year artifact retention, and annual affirmation requirements are all still fully in effect.

Self-Assessment Is Not a Free Pass
This is not a return to the old SPRS score-upload days. A CMMC Level 2 self-assessment has real minimum thresholds and qualifying rules. Contractors are now fully liable for all of it with no third party to vouch for them.

False Claims Act Risk Just Got Higher
DIBCAC and the DOJ aren’t going anywhere. Uploading an inaccurate score is a False Claims Act violation pursued years after the fact. The team predicts a wave of contractors gaming the 88-point minimum — and DIBCAC systematically hunting expired conditional statuses.

Don’t Stop Implementation
Smaller companies breathing a sigh of relief and pausing implementation are making a mistake. The liability hasn’t changed — only who’s vouching for your compliance has.

The 60-Day Review
Skepticism is warranted. The last program review took nine months and changed nothing substantive. The RFI for public comment closes August 14th — 10-page max.


Transcript

Jacob: All right, folks. It is July of 2026, and here is the big news. The upcoming November 2026 transition to Phase Two of CMMC implementation is officially suspended. That means that until further notice, the only CMMC status requirements that will appear in new DoD contracts and solicitations will be either CMMC Level 1 self-assessment or CMMC Level 2 self-assessment. All of the cyber requirements in the FAR and the DFARS for the protection of controlled unclassified information and cyber incident reporting are still in place and so is your liability for meeting them.

Meanwhile, the DoD CIO task force will conduct a 60-day review of the CMMC program, and the DoD wants your feedback on the program via an official request for information. So how does any of this actually impact your contracts moving forward, and what should you focus on first as we move ahead here? That’s what we’re going to talk about today.

Jason, this is all pretty straightforward. I mean, despite all the noise and the chaos, this is all pretty straightforward. Program reviews giving contractors more time before third-party assessments is literally nothing that we haven’t seen before in the story of CMMC. CMMC 2.0 was the result of the last program review that they did in 2021, and the requirements in DFARS 252.204-7012 and NIST SP 800-171 literally haven’t changed in 10 years.

Jason: Jacob, to quote a great poet — Paula Abdul — two steps forward, two steps back, right? And apparently that’s just been the theme of the program. Maybe it’s up on a live, laugh, love banner inside the walls of the Pentagon for Kirsten Davies to walk by and see every day. Not quite sure. What I am sure of is that the only thing that this will produce is potential confusion and conflation with already existing requirements — not new things that have to exist. People are going to think that this is just another DFARS 7012 situation. “Let me throw in a score so I can keep getting the contracts.” And it’s not exactly that. We’re not back to the old days, but we’re back to the old days. And maybe a customary review of things that haven’t been reviewed before — I don’t know — in the past decade is what is in order, right? Yeah. CMMC self-assessments are a lot more complicated and there are a lot more ways that you can mess them up compared to the self-assessments that you were uploading in SPRS previously over the last few years.

Jacob: That’s what we’re going to talk about. Let’s talk about the impact on contracts first. So like we said, the only CMMC status requirements that will appear in new DoD contracts and solicitations will be one of two things — either CMMC Level 1 self-assessment if you’re only dealing with federal contract information, or CMMC Level 2 self-assessment if you’re handling controlled unclassified information. If you have the data that triggers the requirements in FAR clause 52.204-21, you’ve got to do a Level 1 self-assessment in order to prove it. If you have the data that triggers the requirements in DFARS clause 252.204-7012, then you’ve got to do the CMMC Level 2 self-assessment to prove that you’re meeting those requirements. Those requirements haven’t changed. You’re just doing the self-assessment.

Now beyond that, active solicitations that might be out there that contain CMMC status level requirements of either Level 2 C3PAO or CMMC Level 3 DACA will be amended to remove those requirements. So if you’re out there and you’re seeing contract solicitations that still say you need a C3PAO verification of your Level 2, that is going to be updated here shortly. Any existing contracts that have already been awarded that have those requirements — which there are not many — will have those requirements removed via modification prior to the exercise of the next option period or during the next scheduled administrative modification.

So to be clear, the CMMC program is still in effect, and the DoD themselves are very clear about that in their memos and statements and videos and interviews that were on this media blitz earlier this week. Here’s one of the quotes — we’ll link to all of them below. “The CMMC program still requires pre-award assessment of covered contractor information systems against the prescribed cybersecurity standards for safeguarding CUI and FCI.” Straight out of the words of the DoD. Check out the memos and the press releases below if you’d like to read it for yourself.

The only difference now is that you, the contractor, will continue to be responsible and liable for assessing your cyber posture for the time being, rather than the DoD allowing you to go out and have a C3PAO third party vouch for your cyber compliance. And that’s going to be a big problem.

Jason: Yeah, I think that people aren’t looking at how much that actually means or the impact of that statement right there. That means everything now falls back on you. It’s your responsibility to report it. It’s your responsibility for your organization to adhere to it. And if you’re the person that puts that score in when the DOJ needs to ask questions, or when DIBCAC comes and verifies things and they’re not correct, it’s you that they’re going to talk to. And so organizations are thinking that there’s this deflection of responsibility, deflection of resources, et cetera — but don’t realize the ramifications that lie underneath. Like I mentioned in the opening, this isn’t just a “back to DFARS 7012, back to basics” type situation. This is a situation where there are CMMC Level 2 self-attestations that are required, and minimum thresholds to achieve those.

Jacob: Yeah, absolutely. All right, so we’re back to everybody doing self-assessments. So this is the part that’s probably the most important. And I honestly am pretty disappointed that the DoD didn’t point this out while they were making all this noise about the change. Because thanks to this DoD decision, it is now extremely important — please listen to what I am telling you — it is extremely important that you familiarize yourself with the Level 2 self-assessment portion of the CMMC regulation that is still in effect, because now moving forward, until we hear otherwise, everyone has to go through this part of the regulation rather than allowing the C3PAO to do it for you. That’s 32 CFR Section 170.16. We will link that below.

The only difference now as a result of this news — the only difference between a C3PAO assessment and a self-assessment — is the person doing the assessment. The NIST requirements: the same. The verification criteria in NIST SP 800-171A for those requirements: the same. The scoping guidance: the same. The minimum passing score of 88 in order to have a status at all and not fail your assessment: the same. Which cyber requirements are allowed to be open findings and still pass with a conditional status: the same. The requirement to conduct closeout assessments if you have any open items within 180 days: the same. Maintaining six years of assessment evidence and artifact retention: the same. If you self-assess, you are liable for all of that. You don’t get the cover of a third party vouching for you through the certification.

So thanks to the DoD going back for yet another review of a program that has already been reviewed half a dozen times — between the IG, the GAO, and DoD’s internal tiger teams over the years — contractors are now, maybe they don’t realize it yet, more exposed than they otherwise would be for the assessment and attestation of their cyber posture.

Jason: While you motivate people to familiarize themselves with 32 CFR Section 170.16 — which contains the self-assessment criteria, the Level 2 assessment criteria — I also urge you to familiarize yourself with Sections 170.21 or 170.24. The one that lists the POAM criteria, what’s acceptable, and what the closeout looks like. And the reason why is because there is a minimum threshold that remains the same. There is a 180-day window that remains the same. But that doesn’t mean any control you need can just go on the POAM window and you’ve got six months but still get the contract. Not the case. There’s a qualifying list. So if you try to input a score and that score reflects a POAM that has an item that’s not on the limited deficiencies list listed within the rule — guess what? Flag on the play.

Jacob: Yes, sir. That’s not correct. You actually just falsified a score to get a contract. I know that sounds extreme, but that’s what we’re dealing with at this point. And now, instead of having somebody with expertise come in and validate that and maybe give you a little reassurance so you can sleep better at night, it’s all on you, Mr. Affirming Official. Thanks, DoD.

Jason: Well, let’s talk about affirming officials, because probably the second most important thing that people need to pay attention to — which still exists regardless of whether it’s a third-party or a self-assessment — is the annual affirmation part of the CMMC regulation. So regardless of who conducts your assessment or when you’re required to have the assessment, you are still on the hook for having a senior company official affirm the company’s continuing compliance on an annual basis. None of that has changed. If that does not ring a bell to you, it is extremely important — please listen to what I am telling you — it is extremely important that you go read Section 170.22 of the CMMC regulation. We will link it directly below.

The liability is through the roof for people who conduct their self-assessments. And a lot of people out there are rejoicing, like, “Hey, DoD’s taking their foot off the gas for the third-party assessment, so I don’t have to pay $50,000 for a third-party assessment.” The companies that understand how liability works and understand that the CMMC program is different from the underlying requirements in their contracts are not happy. If you are an organization that thinks the DoD is taking their foot off the gas because they’re at a stop sign and everything is going to completely halt, you’re going to quickly hear the beeping of the DOJ Brinks truck backing up to your organization.

Jacob: Well, let’s talk about it, because the DoD even says this in their memos and their press releases. DIBCAC and the Department of Justice — they don’t use this word, but effectively they’re still on the hunt. And now we’re chumming the water for these guys. The days of simply conducting a self-assessment and needing any score uploaded into the SPRS database are over. Starting in 2020, you could have had a negative 200. You could have had a perfect 110. You could have had a zero. Didn’t matter. You just had to have a score as a result of your self-assessment uploaded into the system as a condition of contract award.

Now you have to have a CMMC Level 2 status as a condition of award. And in order to do that, you have one of two options — achieving what’s known as a final status or achieving what’s known as a conditional status. You get a final status if your self-assessment determines that every requirement is fully implemented and you therefore have a perfect score. If you have any open items — and only some requirements qualify to be open items — you have what’s known as a conditional status. You have an open plan of action that must be closed out with another assessment within 180 days to then move to final status, showing that all of your requirements are fully implemented. If your open items as a result of your assessment result in a score of less than 88, you don’t have a CMMC status — you have failed your assessment. It doesn’t matter if you’re doing the math or if the third party is doing the math. You have to cross that threshold. You didn’t have to do that before CMMC. You could miss every single control and put them on a POAM. You just had to have a score.

So make sure that you are correct, because this is the exact situation that DIBCAC and the DOJ specialize in exposing. DIBCAC can call you or show up at your door at any moment and say, “Prove what you just claimed in this system.” We already know you have to maintain the artifact evidence. Two weeks ago, we did an episode on a DOJ settlement for 75% of the value of the contracts that this contractor was awarded, because they uploaded a perfect score and it turned out they had something like a negative 170.

All this is going to do is cause people to upload minimum threshold 88s, which is going to dramatically overstate the readiness of the ecosystem. And as soon as you do that, you have made a statement and a claim to the government that is in the system that they can go back and look at. All of these False Claims Act settlements that we’ve been covering over the last two or three years are not about current status. They’re about claims that people made a year or two or three years ago that they got paid for and are now paying fines on. So be very, very, very careful.

Jason: Familiarize yourself with what this regulation says, because you can’t just enter whatever score you want to. If you find out you have a negative score and you have to have an 88 to achieve the status to win this contract, you think the leadership of your company is going to be like, “Guess we’re going to skip the contract.” We all know what they’re going to do. They’re going to tell you to put an 88 into that system. And that’s how you end up with a whistleblower under the False Claims Act. This is a bad, bad situation. I mean, this is a recipe for disaster. And it’s not sudden, and it’s not overnight, and it’s not something that’ll happen tomorrow — but we’re going to see this crop up over time as we move forward here. We’ve already seen this happen in the past. This is just setting more people up for the same thing.

What’s happening — or what is going to happen in some cases, and we can predict it now because we saw it in the days of the SPRS 800-171 reporting — is: I’ve got a score of 88, the minimum required to get there, all of these items on my POAM list are limited deficiencies, and then the six months ends and they’re like, “Well, I still have the score of 88 but that POAM list extended six more months — I’m just going to re-enter the score.” That is one of the reasons why you’re going to have to retain all of your files, all your evidence, all your artifacts, everything that was used when that score was submitted. Because that retention period is when — like Jacob said — the DOJ is going to come back and be like, “Hey, you put this and then you put that. How come it took you seven different contract cycles to implement MFA effectively?” or whatever it was. That’s not a deficiency you can just keep rolling.

So I’ll tell you exactly what DIBCAC is probably going to do. They’re probably going to sit there and go, “Hey, ChatGPT, give me a list of all the conditional CMMC Level 2 statuses that expired yesterday because of POAM closeout.” And it goes, “Here you go.” And they go, “Hello — your POAM closeout period ended yesterday and you didn’t update your score. Can you send me all your documentation?” Click. That’s exactly what’s going to happen.

Jacob: So familiarize yourself with what’s going on. Do not be misled by the noise around this news and think that this is a joke. And the Logzone FCA case being unsealed when it did was probably perfect timing, because it relays that these are the ramifications associated with what’s just been put on the plate for every single organization. If you do this, this is what you’re required to do. If you do this incorrectly, this could be you.

It’s been encouraging. I mean, the last 48 to 72 hours, companies that understand how liability works have all called us and said, “Well, we might not need a third-party assessment, but we still have to implement all this stuff.” It’s been wonderful. A lot of the companies that are the smallest — who can least afford a run-in with DIBCAC and the DOJ — are the first ones saying, “We don’t really know what this means so we’re going to stop our implementation.” Bad idea, folks. Bad idea. If anything, the uncertainty of whether a contract is going to drop or whether a prime requirement is going to be sent to you by November 10th of this year relieved some of the pressure. We talked about it in earlier episodes — it wasn’t that there wasn’t enough assessment capacity. It was that people weren’t ready to be assessed and the implementation wasn’t going the way it needed to. Now a lot of those people are breathing a sigh of relief.

Jason: Yeah, we all know the reason why they’re doing a program review. It’s to buy time for people that weren’t ready. So anyways, talking about the program review — we don’t have a lot of details on this. We don’t know who or how many people are on this task force that’s supposed to conduct a 60-day review of the program.

Let’s go way back in not-so-distant history, everybody. How did we go from CMMC 1.0 to CMMC 2.0? In March of 2021, they announced they were going to do a comprehensive program review of CMMC. And then it took them nine months to come up with CMMC 2.0. And what did CMMC 2.0 do? Did it change any of your requirements? Nope. Did it actually change any of the things that you have to implement? Sure didn’t. It made a bunch of superficial changes. We went from five levels to three levels. We renamed practices to requirements. We got rid of a bunch of controls and just directly aligned with NIST so there’s nothing left to cut out. We made some changes to scoping guidance to make things even easier so you can have assets inside of your authorization boundary that you just tell people not to worry about. I mean, they spent a long time going through everything. And the changes that came out really didn’t change anything for people that have to comply with DFARS 7012, because the program is different from the requirements. So I don’t know what they expect to find in 60 days, but there’s not really that much left to review. And 60 days is not a lot of time for whoever is on this task force to learn all of that stuff that they already went through back in the day.

Jacob: Well, what I hope they find in those 60 days is that this needs to align with NIST SP 800-171 Revision 3 to harmonize with other federal regulations within the government. I hope that they come out of that 60-day deep dive — that Aaron Rodgers ayahuasca retreat they’re in, trying to figure out what’s wrong with the CMMC program — and the one thing they come up with above anything else, and the second thing if they’re going to come up with something — I don’t know what they’re going to come up with, because like I said, in the past 10 years almost everything’s been reviewed: small business, large business, medium size, whatever — but the second thing is more flexibility. You want to create flexible, resilient systems to combat today’s threats. But in this case, the inflexibility of point-in-time assessments that require 100% implementation don’t allow for that type of innovation in technology and systems to combat these threats. So if we’re going to do that, let’s make that part a little bit easier to limit some of the burden associated with evaluating the risk of whether to implement a new technology to combat a threat — without having to incur an extra $30,000 assessment cost six months after the last one.

Jason: Yeah, we’ll see what they come up with out of the 60 days. But for now, you guys still have all the same liability, and whatever they come up with out of those 60 days, you’re still going to have the same requirements in the FAR and the DFARS for what you actually have to implement.

Jacob: All righty, last bit here. Let’s talk about the RFI. We’re going to do a separate show on this, so make sure that you like and subscribe — almost 150,000 of you have liked and subscribed so far, so thanks for that. The RFI — the request for information — the DoD wants your feedback on the CMMC program. Comments are due by August 14th and it can’t be longer than 10 pages, everybody. So tell your LLMs to chill out. We’ll link to the official RFI down below. We’re going to talk about it in detail in an upcoming episode because there are some very interesting implications about what the current group of people at DoD think CMMC is. I’m not so sure that they have a firm grasp of what this program is actually doing, because they just got here.

Anyways, let’s wrap this up. There is a lot of noise around the announcement to suspend Phase Two, but whether or not you think this is a big deal really depends on three things: your understanding of the relationship between the CMMC program and the underlying independent requirements that it’s supposed to verify; how much context you have around the cyber policy problem that CMMC is supposed to solve — and not relying on self-assessments, pro tip DoD; and how much liability you had all along while the DoD occasionally makes these superficial changes to the front cover of the CMMC program documents. All of that is going to really determine whether you think this is an opportunity to pause what you’re doing or an opportunity to use this extra time to get your house in order.

So still lots of stuff to talk about with the RFI. Still lots of stuff to talk about with a couple of the things that were said and some of these statements from the DoD that boggle my mind. Like and subscribe — this will probably be a whole series for the rest of the month. We’ll see you next week. Happy birthday, Mom. See you next week.

Contact

Speak With Our Team

Scroll to Top