CMMC Phase 2 Suspended: What Changed, and the AI Risk to Watch

Reports to: 
02
Location: 

CMMC Phase 2 Suspended: What Changed, and the AI Risk to Watch

The Department of War suspended Phase 2 of CMMC on July 13, 2026, the phase that would have required outside assessors to certify defense contractors starting this November. The announcement removed one thing: the third-party assessor. The rest of the framework, NIST SP 800-171 and DFARS 252.204-7012, is exactly as it's been for over a decade.

The requirements are still there. What deserves more attention is what got verified before this pause, what still gets verified now, and where that leaves a business trying to do this properly.

Start with self-assessment, since that's the piece nobody's allowed to skip.

Is CMMC Self-Assessment Still Required? Yes, and That's the Risky Part

Self-assessment works like asking someone if they lock their door every day. They say yes and that is an attestation. However, it’s different if someone shows up and tests if you actually do lock the door, that's the verification. Self-assessment is when a company confirms that they meet the requirements. The verification part, having someone come check, is what has just been paused.

With that check gone for now, what's left is whether the number (SPRS score) a company posts is actually true. A self-assessment score still has to be submitted and affirmed as accurate every year, and an inflated one doesn't just risk a failed audit anymore, it risks the False Claims Act and a Department of Justice inquiry. Real settlements already exist, with penalties running from the hundreds of thousands into the millions, and the mechanism behind them never paused.

Some of this data is export-controlled, covered by rules like ITAR. That means only US citizens can legally access it, and getting that wrong goes well past a fine. Separately, the government also conducts their own walkthrough review through DIBCAC (the Defense Industrial Base Cybersecurity Assessment Center), which can happen on short notice, virtually or in person.

None of that is a reason to slow down. An unverified attestation carries more risk now, not less, since there's no outside check quietly catching a bad score before it turns into a legal problem.

Where CMMC Assessments Are Trending Next: Past the Once-Every-Three-Years Checkup

Government officials gave a straightforward reason for the timing of the pause. According to DoW CIO Kirsten Davies, "the math just simply doesn't math," roughly 100,000 companies needed a third-party assessment, and only about 100 qualified assessors existed to do it.

Other federal programs, FedRAMP 20X among them, have already started shifting toward continuous, automated checks using technical indicators instead of a once-every-three-years  visit. CMMC likely will end up somewhere similar eventually. This pause doesn't say so directly, but a program built around scarce human assessors has an obvious ceiling on how long it can keep working as designed.

AI Tools and CUI: Does NIST 800-171 Cover This?

AI tools are being used everywhere in daily work now, like someone transcribing a meeting with an AI assistant, pasting a drawing into a writing tool, or dictating a project update into a voice app on the way home. Many don’t realize that everyday tasks like these could potentially violate some of the rules protecting sensitive government data. This is already coming up in real conversations with clients, because CUI (Controlled Unclassified Information, the sensitive-but-not-classified data these rules exist to protect) doesn't need a hacker to leave the building.

NIST 800-171 was written before the surge in the use of AI tools, so it was not built to catch this. The way to counter this is with zero trust (a security posture) built on precisely knowing where sensitive data lives, how it moves, and what's allowed to touch it, before any of it reaches a tool nobody scoped for CUI in the first place. Compliance asks "did we check the box." Zero trust asks "do we know where this data can go, right now, regardless of what's on paper."

The audit gap might get addressed by what the task force recommends. This one won't, since no policy change fixes a gap the framework itself never covered. That part comes down entirely to what a company builds into its own security posture between now and what comes next.

What Businesses Should Do Now, Regardless of What the Task Force Decides

The reform task force has 60 days to figure out what comes next, and CMMC's been through this kind of rework before, so there's a decent chance it happens again. None of that has much bearing on whether the data actually needs protecting.

The more useful move right now is testing what's already running instead of waiting to find out if it works. A mock assessment, run by an outside team, is the most thorough way to find the real gaps. There's also a smaller, faster check anyone can try without help: paste a file into a personal AI tool, or drag one into a personal cloud drive, the same way an employee might without thinking twice. Just make sure it's a dummy file, not real CUI information. Then see what happens.

That one small test tells a company something specific. Getting blocked means real zero trust controls are doing their job, watching where data moves and keeping it away from places it shouldn't go, while getting through without any resistance means the only thing that was ever stopping employees was a policy nobody enforced. It's the same standard we hold ourselves to; our own practices are public on Treeline's Trust Center.

Companies already doing that won't be scrambling no matter what happens in 60 days. There's also a deadline coming up: the Department's RFI closes August 14. If compliance costs have been a real burden, this is the time to say so.

FAQ: Didn't find your answer?

Not every question fits neatly into an FAQ, but here are the ones coming up most. If you’d like to talk through it more, book some time with one of our security and compliance experts.

Do I still need to worry about CMMC right now?

Yes. Phase 1 self-assessment is untouched, and NIST 800-171 compliance is still enforced, just without a third-party assessor checking it for now. The Department's own CMMC FAQ confirms Phase 2 is what's paused, not the underlying requirement.

Is CMMC cancelled?

No. It's suspended, not cancelled. Fully rescinding CMMC would require the Department to go through formal notice-and-comment rulemaking, which hasn't happened. A CMMC Reform Task Force has 60 days to review the program and could recommend anything from minor adjustments to a full rebuild, but the program itself, and the underlying rule it's based on, is still on the books.

Does this lower my compliance costs?

Only the assessment portion, and that was never the larger expense. The Department's own CMMC FAQ is explicit that implementation costs, the underlying work of meeting DFARS 252.204-7012, were never counted as part of CMMC's compliance cost to begin with. That work hasn't gotten any less expensive.

If I'm mid-assessment, should I stop?

If it's already underway and paid for, finish it. A completed Level 2 assessment is proof of exactly what the Department says it still expects, and it holds its value regardless of what the reform task force decides.

Will someone still check my work?

The Department has said it can request a virtual or in-person review with limited notice, independent of whether third-party certification resumes. Self-assessment isn't the same as nobody looking.

Does this apply to my subcontractors too?

Yes. If a subcontractor touches CUI or federal contract information, the same safeguarding requirements flow down to them, not just to the prime holding the contract. That hasn't changed either.

Will my competitors be able to see my compliance score?

No. Scores aren't made public. The Department can see them, and a company can choose to share its own status with a prime or teaming partner to prove it's compliant, but there's no public list exposing anyone's score.

What about the cloud services we use to store this data?

If a cloud provider stores, processes, or transmits CUI on a company's behalf, that provider has to meet a specific federal security baseline (FedRAMP Moderate) or an equivalent standard. Using a major cloud provider doesn't automatically satisfy this on its own, it's worth confirming directly.