RESTON, Va. — July 15, 2026 — The Department of War’s decision to pause implementation of CMMC Phase II will understandably create questions across the Defense Industrial Base. The implementation timeline has changed. The responsibility to protect Controlled Unclassified Information has not.
The underlying cybersecurity obligations remain fully in effect. Contractors handling Controlled Unclassified Information are still expected to implement NIST SP 800-171, comply with applicable Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity requirements, and accurately represent their cybersecurity posture. The Department of Justice’s Civil Cyber-Fraud Initiative also remains active and continues to use the False Claims Act to hold organizations accountable for knowingly misrepresenting their cybersecurity posture.
We believe this period should be viewed as an opportunity to strengthen cybersecurity, not delay it. Organizations that continue improving governance, reducing technical debt, maturing their cybersecurity programs, and building operational resilience will be better positioned regardless of how the Department ultimately evolves the Cybersecurity Maturity Model Certification (CMMC) framework.
At CyberSheath, our focus remains unchanged. We will continue helping defense contractors build defensible cybersecurity programs, protect Controlled Unclassified Information, strengthen operational resilience, and help our customers navigate this period with facts, not speculation.
For additional perspective, read “The CMMC Pause: What Defense Contractors Need to Know” to better understand what changed, what remains in effect, and how organizations can use this time to strengthen their cybersecurity readiness.
Emil Sayegh
CEO, CyberSheath