• Link to LinkedIn
  • Link to Facebook
  • Link to X
  • Link to Youtube
  • Service: 866-692-9082
  • Customer Portal
  • Sales: 866-792-6638
  • Get A Quote Now
E-N Computers
  • Managed IT Services
    • Managed Services Plans
      • Fully Managed
      • Co-Managed
      • CMMC & Compliance
    • Support & Management
      • Help Desk Services
      • Onsite IT Services
      • Account Management
      • M365 Administration
    • Security & Compliance
      • Cybersecurity
      • IT Compliance Consulting
      • CMMC Consulting
    • Monitoring & Maintenance
      • Backups & Disaster Recovery
      • Patch Management
      • Network Monitoring & Incident Response
  • Professional IT Services
    • IT Consulting
      • CMMC Consulting
      • CMMC Gap Analysis
      • Cybersecurity
      • IT Consulting
    • On-Site & Staffing
      • Network Projects
      • Office IT Relocation
      • Security Cameras
      • IT Staff Augmentation
    • Telecommunications
      • Business VoIP Telephone Service
      • Business Internet Service
      • Electronic Fax Service
    • Emergency IT Services
  • Learning Center
    • Business-IT Strategy
    • Cybersecurity
    • IT Hiring & Staffing
    • Managed IT Services
    • Videos
    • E-Rate Resources
  • About
    • Testimonials
    • Team
    • Partners
    • Areas We Serve
    • Our Process
    • Careers
  • Pricing
    • Service Plans
    • Managed Services Pricing Calculator
    • Consulting
    • VoIP
    • Projects & Professional Services
  • Contact
  • Menu Menu
  • Managed IT Services
  • Professional Services
  • Learning Center
  • About
  • Pricing
  • Contact

CMMC Phase 2 is suspended. What Virginia defense contractors should do now.

CMMC phase 2 suspended. What should contractors do now?

Headshot of Ian MacRaeby Ian MacRae
President and CEO, E-N Computers
25+ years experience solving business IT problems in Virginia and Washington, D.C.

On July 13, the Pentagon suspended Phase 2 of the Cybersecurity Maturity Model Certification program — the audit requirement that would have forced defense contractors to pass a third-party certification before winning most contracts involving controlled unclassified information (CUI). The November 10 deadline is off, and a 60-day review will decide what replaces it. 

By now you’ve probably seen a dozen versions of “what it means.” The more useful question is what to do about it — and that depends on where you stood when the news hit. If you run a defense contractor in Virginia or the DC area, work through whichever of these situations is yours. 

QUICK ANSWER:

Is CMMC still required after the Phase 2 suspension?

Keep meeting your CMMC obligations — the suspension paused the audit, not the requirement. On July 13, 2026, the Pentagon suspended Phase 2, so third-party certification isn’t required right now. But you still have to protect CUI, keep a current self-assessment and SPRS score, and meet any deadline your primes set.

Table of Contents

  1. First, what changed and what didn’t
  2. If you already started a third-party assessment
  3. If you hadn’t started yet
  4. If your prime is still demanding certification
  5. Where this is heading — and why managed compliance wins either way
  6. Not sure which of these is you?

First, what changed with CMMC and what didn’t

Suspended: the Phase 2 third-party audit, along with the later Phase 3 and Phase 4 milestones. Gone for now is the hard November deadline and the requirement to hire an accredited outside assessor to certify you. 

Not suspended: everything underneath it. You’re still bound by DFARS 252.204-7012 to protect covered defense information. All 110 NIST 800-171 controls are still the standard. Phase 1 self-assessments and your SPRS score — the number you file in the federal contractor scoring system — still apply, and the Pentagon says it will keep checking them through self-assessments and select government-led assessments. The Justice Department’s cyber-fraud enforcement, which goes after firms that overstate their compliance, hasn’t paused at all. 

So the deadline eased. The obligation didn’t. With that straight, here’s what to do.

If you already started a third-party assessment

Don’t cancel it — but you can breathe. The work you’ve done to meet NIST 800-171 is exactly what the reformed program will measure you against, so none of it is wasted. What you can drop is the scramble to book a third-party (C3PAO) audit before November. Finish the readiness work at a sane pace, keep your documentation current, and hold your certification slot loosely until the new rules are clear. If your assessor will convert a scheduled audit into a mock assessment, that’s a smart way to check your self-assessment score without paying for a certification you may not need yet. 

If you hadn’t started yet

This is not permission to wait. The requirement to protect CUI is in your contracts today, and a self-assessment with an honest SPRS score is still required — that part never went away. Use the pause to close real gaps instead of racing a clock. Your real deadline isn’t the rollout calendar — it’s when your own contracts come up. Figure out where your federal data lives, fix the controls you’re missing, and get your SPRS score to reflect what’s true. Contractors who treat the suspension as a reason to stand down will be the ones scrambling when the reformed rule lands. 

If your prime is still demanding certification

They probably will keep demanding it, and they’re within their rights to. Primes flow compliance requirements down to protect themselves, and many set their own deadlines regardless of the Pentagon’s timeline. A federal suspension doesn’t override a contract term your prime wrote. If a prime is gating your next award on proof of compliance, keep meeting that bar — the suspension changes the government’s deadline, not your customer’s. 

Where this is heading — and why managed compliance wins either way

The 60-day review isn’t only about cutting cost. In its request for public comment, the Pentagon is asking how it could give companies credit for the commercial security tools and managed services they already use, rather than treating compliance as a separate box to check — a signal that ongoing, managed compliance could count for more than a once-every-three-years certificate. 

That’s the direction the smart contractors were already heading. A point-in-time audit tells you that you passed on one day. Managed compliance — someone keeping your controls current, your documentation ready, and your SPRS score honest year-round — is what keeps you eligible no matter which version of the rules survives the review. Whatever the task force recommends, a company that treats security as something it maintains, not something it certifies once, comes out ahead.

Not sure which of these is you?

If you can’t tell whether to keep your certification project going, whether your self-assessment would hold up to a government review, or what to tell a prime that’s still asking, that’s worth a short conversation. E-N Computers is a CMMC Registered Practitioner Organization working with smaller and medium-sized defense contractors across Virginia and the DC metro area. We help you sort out what’s worth doing now and what can wait for the reformed rules — and we manage the compliance work so it stays current instead of going stale between audits. Schedule a complimentary CMMC consultation with a CMMC registered practitioner. 

Complimentary review with an experienced engineer

Are you ready for CMMC?

IT maturity assessment

Get a free strategic consultation to start or streamline your journey toward CMMC compliance.

Reserve an appointment

CMMC RESOURCES

If you need CMMC managed IT services

  • Virginia CMMC Managed IT Services
  • Best CMMC managed IT services providers in the DMV
  • Best Virginia CMMC managed IT services providers

If you need to better understand CMMC requirements:

  • The Ultimate Guide to CMMC
  • The Ultimate Guide to DFARS and NIST 800-171 (in plain English)
  • What is FCI and should I worry about it?
  • What is CUI and should I worry about it?
  • CMMC compliance deadlines: Key dates and what they mean

If you’re looking for CMMC tools and training:

  • We found the best GRC tool for CMMC
  • What is Microsoft GCC High and do I need it?
  • Best CMMC training resources
  • CMMC Level 1 guide as audio book
  • CMMC Level 2 guide as audio book
  • CUI enclaves in CMMC compliance: Are they right for your business?

If you’re looking for a CMMC consultant or Registered Practitioner Organization:

  • Best CMMC consultants
  • Best CMMC RPOs near Washington, DC
  • Best Virginia Registered Practitioner Organizations
  • Case Study: Virginia Government Contractor Nears CMMC Compliance
  • CMMC Gap Analysis

If you’re looking for a CMMC assessor:

  • Best CMMC assessors near Washington, DC

If you’re looking for information about CMMC that is targeted toward smaller businesses:

  • Is CMMC worth the cost?
Search Search

Categories

  • Best of
  • Business-IT Strategy
  • Compliance
  • Cybersecurity
  • Internet, Telephone, & VoIP
  • IT Hiring
  • Managed IT Services
  • Tech Tools & Tips
  • Uncategorized

Recent Posts

  • Reg S-P compliance after June 3: what SEC examiners will look for July 14, 2026
  • CMMC Phase 2 is suspended. What Virginia defense contractors should do now. July 14, 2026
  • How to buy GCC High and what’s involved July 2, 2026
  • Signs your IT provider has gone downhill — and what to do about it June 22, 2026
  • How to evaluate your IT provider for Reg S-P compliance June 22, 2026
EN Computers logo

Industries

Accounting & CPA

Construction & Architecture

Defense Contractors

Education (K-12)

Financial Services

Government Contractors

Healthcare

Investment Advisors

Law Firms

Manufacturers

Marketing & Advertising

Nonprofit Organizations

 

 

Locations

Waynesboro, VA
Corporate HQ

215 Fifth St.
Waynesboro, VA 22980

Sales: 540-217-6261
Service: 540-885-3129
Accounting:  540-217-6260
Fax: 703-935-2665

Washington D.C.
1126 11th ST. NW
Suite 603
Washington, DC 20001-4366

Sales: 202-888-2770
Service: 866-692-9082

VA DCJS # 11-6604

Locations

Harrisonburg, VA
45 Newman Ave.
Harrisonburg, VA 22801

Sales: 540-569-3465
Service: 866-692-9082

Richmond, VA
3026A W. Cary St.
Richmond, VA 23221

Sales: 804-729-8835
Service: 866-692-9082

Website by Abstrakt Marketing Group © 2026
  • Privacy Policy
  • Sitemap
  • Linkedin
  • Facebook
  • Youtube
Scroll to top Scroll to top Scroll to top