KnowledgeWave Blog

CMMC's Deadline Moved. The Requirement Didn't.

Written by Eric Sokolowski | July 16, 2026

On July 13, the Pentagon announced the immediate suspension of CMMC Phase 2 which is the milestone that would have made third-party cybersecurity assessments a condition of contract award starting November 10, 2026. In the same breath, DoD Chief Information Officer Kirsten Davies launched a 60-day, top-to-bottom review of the entire program, with a new CMMC Reform Task Force gathering industry feedback through a public Request for Information (responses due August 14).

The reasoning behind the memo is simple math. Citing Small Business Administration data, Davies pointed to compliance costs that could top $7 billion a year for small and mid-sized contractors, with individual bills approaching $600,000, while more than 100,000 companies would have needed assessments from roughly 100 authorized assessment organizations. Her summary of the decision: “We are not reducing cybersecurity through this measure. We are reducing the red tape.

If your company sits anywhere in a defense supply chain, this is the biggest CMMC development since enforcement began last November. It is also the easiest one to misread.

The Expensive Misread

The headline word is “suspended.” Some contractors will hear “optional.” That's the misread that could cost your company money.

What the Pentagon suspended is who verifies your cybersecurity: the third-party audit. What it did not suspend is what you're required to do. Those are very different things, and the gap between them is exactly where companies get hurt.

What Changed and What Didn't

Here's the short version of what actually changed: the November 10 Phase 2 deadline is gone for now, along with pending and future CMMC milestones (including Phase 3, which was slated for November 2027). Contracting officers have even been directed to amend active solicitations and contracts to strip out third-party assessment requirements that were already written in.

Now the longer, more important list — what didn't change:

  • Phase 1 self-assessments remain fully in force. Level 1 and Level 2 self-assessments and annual affirmations are still required on applicable contracts, exactly as they have been since November 2025.

  • DFARS 252.204-7012 is still in your contract. Every defense contractor and subcontractor remains obligated to safeguard covered defense information. That clause predates CMMC and survives it.

  • NIST SP 800-171 is still the standard. During the pause, DoD will enforce compliance with all 110 requirements through self-assessments and select government-led assessments.

  • The legal exposure didn't shrink. It arguably grew. The Department of Justice's Civil Cyber-Fraud Initiative continues to pursue False Claims Act cases against companies that misrepresent their cybersecurity posture. With no third-party assessor validating your work before you attest, your self-reported score now stands on your word alone.

  • Primes set their own bar. Many will keep cybersecurity flow-down requirements in place regardless of what a 60-day study concludes.

Training is Not Part of the Pause

Inside those 110 requirements sits a control family that has nothing to do with firewalls and everything to do with people: 3.2, Awareness and Training.

In plain English, it asks three things of you. Everyone who touches your systems (managers, admins, everyday users) must understand the security risks that come with their role and the policies that govern it. Anyone with security-related duties must be trained to actually perform them. And your workforce needs training on how to recognize and report the warning signs of an insider threat.

When you submit a self-assessment score, you're attesting to those controls along with all the others. An annual slideshow technically ticks the box, but it doesn't build the true awareness that the control was written to create, and it doesn't leave much of a record if a government-led assessment, or a skeptical prime, asks how your people stay current.

And, setting compliance aside for a moment, phishing and social engineering are still how most breaches start. Security awareness training is the rare control that pays for itself no matter what the Reform Task Force decides in 60 days.

What One of Our Clients Got Right

One of our clients working toward CMMC Level 2 originally came to KnowledgeWave for a reason that had nothing to do with compliance. They were moving their entire organization from Google Workspace to Microsoft 365, and they needed training that would make the new environment stick for every employee, not just the IT team.

And the same KnowledgeWave Learning Service subscription that helped drive their migration also delivers our monthly Cyber Security Brief: short, current security awareness training that lands every month, not once a year.

So while other contractors spent this week deciding what the Phase 2 suspension means for their training plans, this team didn't have to decide anything. Their people were being trained before the announcement, and they'll be trained after it. Because the training obligation is never paused.

That's the quiet advantage of treating training as infrastructure instead of a checkbox: one subscription driving Microsoft 365 adoption on one side and continuous security awareness on the other. The news changes. The habit doesn't.

What to Do with the Window

If Phase 2 comes back,  in its current form or a new one, the assessment bottleneck will make the line for re-entry brutal, and the companies with an unbroken compliance and training record will be first through it. (And if you're already working with one of those authorized assessment providers...carry on! That investment will likely still pay off and you won't have to start again at the end of the line.)

If it that third-party audit requirement doesn't come back, with training in place you'll still have hardened the layer where most real-world attacks actually land: your people.

So use the pause the way it was intended. Keep your controls running. Keep your documentation current. And keep your people trained — because that requirement was never suspended in the first place.

A Straight Answer, When You Want One

If your organization handles CUI or supports DoD work and you're wondering what this suspension means for your security awareness program, let's have that conversation. We'll give you a straight answer on what still needs to happen and show you how the KnowledgeWave Learning Service pairs Microsoft 365 adoption training with a monthly Cyber Security Brief aimed at end users, so one subscription covers the productivity you want and the compliance you're attesting to.