
When the Department of War suspended CMMC Phase II on July 13, 2026, most of the coverage framed it as a Defense Industrial Base story. That's too narrow a read.
The third-party assessment requirement that just disappeared was the first real-world test of whether a federal agency could scale independent verification to the size of the population it regulates. It failed that test — and every agency currently building or expanding its own compliance-verification regime should be paying close attention to why.
The mechanics of what changed are narrower than the headlines suggest. DFARS clause 252.204-7012 still applies, and NIST 800-171's 110 controls are unchanged. The Department's own release is explicit that the suspension "does not eliminate the requirement for companies to protect federal data." What disappeared is the independent check that used to sit between a self-attested compliance score and a federal contract award — the audit, not the standard.
A Capacity Problem With a Familiar Shape
Department of War CIO Kirsten Davies gave the number that actually explains the decision: more than 100,000 Defense Industrial Base companies needed a third-party assessment from a Certified Third-Party Assessor Organization, and only around 100 C3PAOs existed to conduct them.
That gap didn't open overnight — training and accrediting a C3PAO through the CMMC Accreditation Body has been a multi-year process since the program's 2021 relaunch, and the assessor pipeline never scaled to match the population it was built to certify.
Federal IT and compliance leaders outside the defense space should recognize this problem, because it isn't unique to CMMC. Any verification regime that depends on a small, credentialed pool of third-party assessors checking a much larger regulated population carries the same structural risk — the assessor pipeline becomes the bottleneck, not the underlying standard.
A March 2026 Government Accountability Office review fed directly into the Department's decision, and the Small Business Administration has publicly credited compliance costs approaching $600,000 for some small contractors with pushing firms out of the supply chain rather than bringing new entrants in.
The Liability Didn't Move. Ownership of It Did.
Self-assessment against NIST 800-171 continued the entire time CMMC Phase II was in force. What changes with the suspension is that a self-attested SPRS score submitted without an independent check behind it is no longer a preliminary claim — it's the entire case.
The Department of Justice's Civil Cyber-Fraud Initiative, active since October 2021, exists specifically to pursue false cybersecurity compliance claims under the False Claims Act. A March 2026 Mayer Brown analysis of the Initiative's enforcement record found DOJ has settled fifteen civil cyber-fraud cases since launch, more than half of them in fiscal year 2025 alone.
A pending case against Georgia Tech, reported by Buchanan Ingersoll & Rooney in October 2025, alleges the university submitted a false cybersecurity assessment score to the DoD, with the government seeking damages and penalties as high as $28 million. No breach is required to trigger that kind of exposure — a mismatch between the attestation and the environment is enough.
The Reform Window Is Open. It Won't Stay Open Long.
The part of this story getting the least attention deserves the most: the Department's Request for Information, open through August 14, 2026. DoW is explicitly asking how existing commercial security tooling might be recognized in whatever framework eventually replaces or revises Phase II.
For compliance and IT leaders watching from outside the defense sector, this is worth tracking closely — whatever framework emerges is likely to become a template other agencies reach for the next time they need to verify compliance at scale without enough assessors to do it manually.
Organizations with mature, evidence-generating architectures have a real opportunity to shape that outcome. It's the same architectural premise behind data security platforms that carry their own independently audited compliance record — platforms like Kiteworks, which holds FedRAMP Moderate Authorization (with FedRAMP High currently in process), built around a continuously demonstrable security posture precisely because it can't depend on when the next third-party assessor happens to show up.
What to Do Before the Next Audit — Whenever It Arrives
The temptation is to treat the suspension as breathing room: pause the budget line, deprioritize the gap-closure roadmap, wait for the 60-day Reform Task Force review before doing anything else. That's the wrong read. Removing a verification control never eliminates the underlying risk — it just removes the party that used to catch a mistake before it became a liability.
Two things matter most in the meantime:
- Verify every control claim against real evidence — logs, configuration baselines, access records — before re-certifying anything, rather than after a subpoena forces the exercise.
- Build continuous evidence generation into the architecture itself instead of relying on point-in-time documentation. A control that can produce its own audit trail on demand is defensible the day someone asks about it. A control that exists only in a policy document is not.
An auditor going quiet doesn't mean the exam ended. It means every organization is grading its own paper now, and the people checking that work later have gotten considerably less forgiving about mistakes.
Frank Balonis is Field CISO at Kiteworks, where he advises Defense Industrial Base and regulated-industry organizations on data security architecture and compliance strategy.






















