Submit any questions you would like answered on the podcast!
Here are the actual memos (Definitely worth a read):
- https://federalnewsnetwork.com/wp-content/uploads/2026/07/CIO-CMMC-Reform-Memo_26-P-1023.pdf?hss_channel=lcp-348902https://federalnewsnetwork.com/wp-content/uploads/2026/07/CIO-CMMC-Reform-Memo_26-P-1023.pdf?hss_channel=lcp-348902
- https://dodcio.defense.gov/Portals/0/Documents/Library/ImplementingSuspensionCMMC-PhaseII.pdf
The Department of War just paused the rollout of CMMC Phase 2's third-party certification requirement for 60 days. Austin breaks down what the memo actually says, what it doesn't say, and why "certification is paused" is not the same thing as "compliance is paused."
In this episode:
- What the 60-day pause on CMMC Phase 2 actually covers (hint: it's the certification verification process, not the underlying NIST 800-171 requirements)
- Why this could ultimately make your path to CMMC less expensive, and why that's not a reason to slow down
- Why contractors who are already deep into implementation are in the strongest position no matter which direction this goes
- Why assuming "compliance has disappeared" is the riskiest read of this news
- What happens if third-party certification gets replaced with a stronger self-attestation or spot-check model, and why unsupported SPRS scores are already a liability
- A trade show story about a Department of War investigator actively pursuing ITAR fraud leads, and what that says about enforcement appetite right now
- What to actually do in the next 60 days while DoD figures out the future of the verification model
Hey there, Austin here from CMMC Compliance Guide by Justice IT Consulting. And as you may have heard, uh the Department of War just uh suspended the rollout of CMMC Phase 2, which essentially means uh for the next 60 days uh they are pausing the need for a third-party
Breaking News On CMMC Phase 2
Austincertification for your CMMC program. So what comes out of that remains to be seen is a pause, uh uh, but there is a memo uh that you can actually go read yourself, and it is uh basically directing a uh review of the CMMC certification process and um which basically highlights it's uh what we know uh pretty bureaucratic and red tapey process that it has. So um what this is is I think ultimately good news for you. What I think it most likely means is that your path to compliance just became potentially less expensive. So, but I wouldn't celebrate too much uh because there is some important distinctions here to understand, and that is that the Department of Defense or Department of War um has not rolled back any of the requirements. It is just pausing uh essentially the need for the uh the the rolling out of the certification requirements. So it's uh they're basically still gonna make you do everything, but um it is the process in which they're verifying you are doing everything you're supposed to be doing uh is potentially subject to change. So that's essentially all that's happening. Um so we're in yet another limbo period uh in the the life cycle of CMMC, but the underlying requirements, the NES 800-171 and the protection of COI and FCI and all that fun stuff, um, is is all still um very much in place and subject to all of the laws and false claims and and everything else that they can you know use to enforce it outside of that certification requirement. If you've listened to our podcast or you've been on a call with me or uh probably heard some of our team members um, you know, uh speak to you or heard me speak or broke speak, uh you've probably heard us criticize over the past few years the certification process and and how um you know it is so burdensome
Why The Pause Could Cut Costs
Austinand that uh is just disproportionately um burdensome to small businesses and that they did no favors to small businesses whenever they created this certification standard. So uh from that perspective, um if they can actually you know reduce unnecessary costs, eliminate some of the administrative burden, and actually make the certification process more practical without actually lowering the security bar and you know making sure the you know our uh our taxpayer information uh you know is safe, um, then that's actually you know a win-win-win for everybody. So um, you know, the uh defense industrial base wins, um, you know, smaller businesses win, uh, us taxpayers um who are ultimately footing the bill for everything win uh because we get more out of our uh our tax dollars. So uh you might be asking yourself, you know, okay, that's all good and great, but what does this mean for me and in my business? Um and I, you know, I think the what you're supposed to do yesterday and what you're supposed to do tomorrow is more or less the same. Um, you know, you there is a possibility that the certification requirement um as we currently know it goes away and gets made into something else. Um that's all to be decided,
Requirements Stay NIST Still Rules
Austinbut you you still have to do everything, um protect all the data in all the same ways that they they want you to. It's just the verification process changing. So you effectively um you know are running off the same playbook. You know, you need to still implement the core you know requirements of the NIST SP 800 171, you know, which is what the certification standard is designed to validate. Um if you're documenting your policies, deploying security controls, or improving your environment, I wouldn't stop that, you know, and we don't know what the result of the 60 days um is going to be. So um, you know, if anything, uh, you know, this is uh something that's working in your favor, um, uh potentially some more time uh that is you know at your disposal where you can have the opportunity to finish implementing your compliance program while the Department of Defense determines what the future of that verification model or certification or whatever it's gonna end up being, whether it's the same thing or something different, um you you have the opportunity to finish that up. So and and what I do think is that the companies that don't put, and this is you know just my personal opinion, and
What You Should Do Right Now
Austinum, you know, no one knows except for uh you know the powers that be, I guess. But um I think the companies that uh you know are are well on their path to to certification um or you know, right up to that point, you know, they're uh already implemented or you know, working on their documentation and building out their compliance program and and working through the implementation. Um if they can get that done and find themselves with a mature cybersecurity and compliance program built around all the same, you know, requirements that that have been around, um, they're gonna be in the strongest position, whichever the way the wind blows on this. Uh and so and that's what we're doing in our company. You know, we just uh went through our um final uh assessment, and uh, you know, we we find ourselves in the same position that our customers are and everyone else. So um, you know, this is uh the advice that we're implementing on our own business um is the same that you know, perspective that I'm I'm giving uh to you guys. Uh the one thing I do just want to call out and make sure that I caution against is uh just the broad assumption that this problem of compliance has disappeared. Uh, I mean depending on what way you look at it, uh, you know, they've been trying through multiple iterations since, you know, 2017 or before,
The Risk Of Assuming Compliance Is Gone
Austindepending on how you you cut it, uh to implement the same core, you know, requirements of the cybersecurity. So just assuming that because they've put this delay in for the making phase two um you know real deal here um as November comes up, uh, I wouldn't assume that this problem of compliance has just disappeared altogether. You know, the cyber threats have not gone away. We're involved in a multitude of military conflicts uh you know around the world. Uh the government's need to protect sense of information has not gone away. If anything, you know, you could argue that it's uh you know even more pressing from their perspective. Um contractors still have every reason to expect their suppliers to maintain a strong cybersecurity practice. At the end of their day, uh their customer is the government, and whether it's certification or not, they need to put their best foot forward to their customer and you know, their broader supply base. Um the more they are compliant, the better they look to the government. The requirement to secure government information um ultimately is bigger than the certification program that they put together. So at the core of it, that's what you need to focus on is implementing that NIST 800-171 standard, the protecting of the FCI and CUI. That stuff's not going away. One thing I will say that I'm will speculate on just a little bit, just my own personal um thoughts and and wonderings uh about this, is uh, you know, what happens if the third-party certification becomes um less prominent or isn't the main enforcement
If Audits Fade Evidence Matters More
Austinmechanisms. Um you know, you've if you've heard me talk, uh, you know that I've always said that reporting an SPR score, SPRS score, a Spurs score, um, without having any real supporting evidence or documentation or uh you know anything else around it is a very risky endeavor. Um even just reporting a CMMC level one status without evidence and documentation um in a you know a an attestation package on file is a risky endeavor for you. Um so if they were to transition the certification requirement into something else, um, or maybe even a you know stronger self-attestation or stronger reporting, um, then they very well could ask for more than just a score, right? There could be more of that evidence or more of the proof that you're gonna have to give, which just uh ultimately if you are not actually in a strong position or misrepresenting scores or something like sometimes people do, uh then that could potenti that could put you, if that is the result, even more risky scenario. So just even more reason to make sure that you know your compliance program is made appropriately, you have the evidence and the technical implementation to support it, uh, and you're not just saying you're good and hoping the government's not gonna check. Why I think about this is earlier this year, uh I was at uh I do all of our booths uh and at our trade shows. I I go um, you know, where we we meet uh customers at and and everything else uh had a booth, a manufacturing event, and an investigator from the Department of War stopped by um my booth
Trade Show Story ITAR Fraud Interest
Austinand I was very keen on talking to me. Um and he at the end of the day, uh the cut to it was looking for leads uh related to ITAR fraud. Uh and because uh don't get me trying to quote uh the reasons, but more or less um the ITAR fraud had some uh heftier um financial and legal penalties. Um, and so he was interested in pursuing more of those fraud cases, so he was looking for leads on that. So just that was not something I had ever expected uh to run into, um, you know, just out at a manufacturing trade show. Um, but that experience reinforced something, you know, I've I've always believed, but I mean even more so uh you know, validated in that feeling is the government takes false representations seriously, and given the chance, I think, you know, um they're interested in pursuing it. So it's not something I would want to find myself on the wrong end of. So if if certification is not the end result of this, uh, you know, I could see the government placing greater emphasis on, you know, like I said before, more than just an SPRS score you're you're reporting, um, you know, but you know, more spot checks, more requests for evidence,
Stay The Course And Final Advice
Austinuploading ways to validate your claims, maybe primes checking uh or digging further into things. Uh who knows? I don't know. This is pure speculation, but um but here's the one thing we do know is that we don't know anything until 60 days passes. So I hope this is good news. I hope compliance becomes more affordable, I hope certification becomes more practical, a more practical business endeavor. Um till we know otherwise, I'd I'd stay the course. Um, and that's what we're doing. Uh build the cybersecurity program your business needs, protect your customers' information, protect the government's information, document what you're doing, um, and you know, ultimately put yourself in a position where you're ready for whatever verification model that ultimately comes out of this next. Uh, you know, just said, I think simply, I feel like your CMMC may have just gotten cheaper, but ultimately your responsibility didn't go away. So thanks guys. Hopefully this is helpful. Give us a shout, text us, email us, uh, give us a call, uh, you know, uh comments, um any other questions you guys want us to cover on the podcast or or uh uh develop some answers around and and shoot out to everyone. Happy to do it. Thank you. See you later. Bye.

