
by Ian MacRae
President and CEO, E-N Computers
25+ years experience solving business IT problems in Virginia and Washington, D.C.
On July 13, the Pentagon suspended Phase 2 of the Cybersecurity Maturity Model Certification program — the audit requirement that would have forced defense contractors to pass a third-party certification before winning most contracts involving controlled unclassified information (CUI). The November 10 deadline is off, and a 60-day review will decide what replaces it.
By now you’ve probably seen a dozen versions of “what it means.” The more useful question is what to do about it — and that depends on where you stood when the news hit. If you run a defense contractor in Virginia or the DC area, work through whichever of these situations is yours.
QUICK ANSWER:
Is CMMC still required after the Phase 2 suspension?
Keep meeting your CMMC obligations — the suspension paused the audit, not the requirement. On July 13, 2026, the Pentagon suspended Phase 2, so third-party certification isn’t required right now. But you still have to protect CUI, keep a current self-assessment and SPRS score, and meet any deadline your primes set.
First, what changed with CMMC and what didn’t
Suspended: the Phase 2 third-party audit, along with the later Phase 3 and Phase 4 milestones. Gone for now is the hard November deadline and the requirement to hire an accredited outside assessor to certify you.
Not suspended: everything underneath it. You’re still bound by DFARS 252.204-7012 to protect covered defense information. All 110 NIST 800-171 controls are still the standard. Phase 1 self-assessments and your SPRS score — the number you file in the federal contractor scoring system — still apply, and the Pentagon says it will keep checking them through self-assessments and select government-led assessments. The Justice Department’s cyber-fraud enforcement, which goes after firms that overstate their compliance, hasn’t paused at all.
So the deadline eased. The obligation didn’t. With that straight, here’s what to do.
If you already started a third-party assessment
Don’t cancel it — but you can breathe. The work you’ve done to meet NIST 800-171 is exactly what the reformed program will measure you against, so none of it is wasted. What you can drop is the scramble to book a third-party (C3PAO) audit before November. Finish the readiness work at a sane pace, keep your documentation current, and hold your certification slot loosely until the new rules are clear. If your assessor will convert a scheduled audit into a mock assessment, that’s a smart way to check your self-assessment score without paying for a certification you may not need yet.
If you hadn’t started yet
This is not permission to wait. The requirement to protect CUI is in your contracts today, and a self-assessment with an honest SPRS score is still required — that part never went away. Use the pause to close real gaps instead of racing a clock. Your real deadline isn’t the rollout calendar — it’s when your own contracts come up. Figure out where your federal data lives, fix the controls you’re missing, and get your SPRS score to reflect what’s true. Contractors who treat the suspension as a reason to stand down will be the ones scrambling when the reformed rule lands.
If your prime is still demanding certification
They probably will keep demanding it, and they’re within their rights to. Primes flow compliance requirements down to protect themselves, and many set their own deadlines regardless of the Pentagon’s timeline. A federal suspension doesn’t override a contract term your prime wrote. If a prime is gating your next award on proof of compliance, keep meeting that bar — the suspension changes the government’s deadline, not your customer’s.
Where this is heading — and why managed compliance wins either way
The 60-day review isn’t only about cutting cost. In its request for public comment, the Pentagon is asking how it could give companies credit for the commercial security tools and managed services they already use, rather than treating compliance as a separate box to check — a signal that ongoing, managed compliance could count for more than a once-every-three-years certificate.
That’s the direction the smart contractors were already heading. A point-in-time audit tells you that you passed on one day. Managed compliance — someone keeping your controls current, your documentation ready, and your SPRS score honest year-round — is what keeps you eligible no matter which version of the rules survives the review. Whatever the task force recommends, a company that treats security as something it maintains, not something it certifies once, comes out ahead.
Not sure which of these is you?
If you can’t tell whether to keep your certification project going, whether your self-assessment would hold up to a government review, or what to tell a prime that’s still asking, that’s worth a short conversation. E-N Computers is a CMMC Registered Practitioner Organization working with smaller and medium-sized defense contractors across Virginia and the DC metro area. We help you sort out what’s worth doing now and what can wait for the reformed rules — and we manage the compliance work so it stays current instead of going stale between audits. Schedule a complimentary CMMC consultation with a CMMC registered practitioner.
Complimentary review with an experienced engineer
Are you ready for CMMC?

Get a free strategic consultation to start or streamline your journey toward CMMC compliance.
CMMC RESOURCES
If you need CMMC managed IT services
- Virginia CMMC Managed IT Services
- Best CMMC managed IT services providers in the DMV
- Best Virginia CMMC managed IT services providers
If you need to better understand CMMC requirements:
- The Ultimate Guide to CMMC
- The Ultimate Guide to DFARS and NIST 800-171 (in plain English)
- What is FCI and should I worry about it?
- What is CUI and should I worry about it?
- CMMC compliance deadlines: Key dates and what they mean
If you’re looking for CMMC tools and training:
- We found the best GRC tool for CMMC
- What is Microsoft GCC High and do I need it?
- Best CMMC training resources
- CMMC Level 1 guide as audio book
- CMMC Level 2 guide as audio book
- CUI enclaves in CMMC compliance: Are they right for your business?
If you’re looking for a CMMC consultant or Registered Practitioner Organization:
- Best CMMC consultants
- Best CMMC RPOs near Washington, DC
- Best Virginia Registered Practitioner Organizations
- Case Study: Virginia Government Contractor Nears CMMC Compliance
- CMMC Gap Analysis
If you’re looking for a CMMC assessor:
If you’re looking for information about CMMC that is targeted toward smaller businesses:

Industries
Locations
Waynesboro, VA
Corporate HQ
215 Fifth St.
Waynesboro, VA 22980
Sales: 540-217-6261
Service: 540-885-3129
Accounting: 540-217-6260
Fax: 703-935-2665
Washington D.C.
1126 11th ST. NW
Suite 603
Washington, DC 20001-4366
Sales: 202-888-2770
Service: 866-692-9082
VA DCJS # 11-6604
Locations
Harrisonburg, VA
45 Newman Ave.
Harrisonburg, VA 22801
Sales: 540-569-3465
Service: 866-692-9082
Richmond, VA
3026A W. Cary St.
Richmond, VA 23221
Sales: 804-729-8835
Service: 866-692-9082
