What the CMMC Phase II suspension actually revealed about who was paying for what
On July 13, 2026, the Department of War suspended CMMC Phase II. The November 10 third-party assessment milestone is gone, along with all pending and future CMMC rollout milestones. A Reform Task Force has sixty days to report. DFARS 252.204-7012 remains in force, unchanged, as it has been since 2017. Phase I self-assessment stays. NIST SP 800-171 Revision 2 remains the contractual baseline, enforced through self-assessment and government-led assessment.
Within hours, a familiar argument reappeared. If the assessment was going to cost you real money, the reasoning goes, you were never compliant to begin with. You signed the SPRS affirmation. You claimed the score. An auditor confirming what you already attested should cost nearly nothing. Any number larger than nothing is a confession.
The argument is wrong. It is wrong in a specific, documentable way, and the document that proves it is the government’s own regulatory impact analysis.
The number the government published
In the CMMC final rule at 32 CFR Part 170, DoD estimated that a Level 2 certification assessment would cost a small entity $104,670 across the triennial cycle. For other-than-small entities, $117,690. Level 2 self-assessment runs about $37,000 for small entities across the same cycle.
DoD stated plainly that for Levels 1 and 2, its cost estimates were based only on assessment, certification, and affirmation activities. The Department explicitly declined to count the cost of implementing the security requirements themselves. Its reasoning was that the controls were already required by FAR 52.204-21 as of June 2016 and by DFARS 252.204-7012 as of December 2017, so those costs should already have been incurred and were not attributable to the rule.
The assumption embedded there is a contractor who is already fully compliant, with every control implemented and every requirement met. DoD modeled the honest actor and still projected six figures for him.
The $104,670 buys no security whatsoever. It buys proof of security that the same document assumes you already have. DoD priced the verification separately from the thing verified and published the receipt. The people arguing that a large assessment bill implies noncompliance are arguing against the regulatory impact analysis of the program they are defending.
What I am not arguing
I am not arguing against the 110 requirements of NIST SP 800-171 Revision 2. The cost debate keeps collapsing that distinction, and the collapse is what lets the shaming argument work at all. The controls are sound. Access control, multifactor authentication, audit and accountability, configuration management, media protection, boundary defense, flaw remediation. None of that is a bureaucratic wish list. It describes a competent security program, and any organization holding sensitive defense information that cannot articulate how it does those things has a real problem that has nothing to do with paperwork. I would implement most of 800-171 with no clause compelling me, because it is the job.
The dispute has never been about the controls. It is about what CMMC did to them.
What the clause actually says
The shaming argument leans on the obligation without ever quoting it. DFARS 252.204-7012 is the clause that puts 800-171 into a contract. Paragraph (b)(2)(i) makes a covered contractor information system subject to the requirements in NIST SP 800-171 in effect at the time the solicitation is issued. Paragraph (b)(2)(ii)(A) sets the date: implement 800-171 as soon as practical, but not later than December 31, 2017. That settles the date question raised later in this essay. The clause says 2017, in the clause, and it still says it in the May 2024 revision.
The clause defines what it is asking for, and the definition is the part everyone skips. Under paragraph (a), adequate security means protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of information.
Commensurate with the consequences and probability. That is a risk formula. It sits in the definitions section of the operative clause, and it is the standard the contractor is actually held to. The 110 requirements are the floor the Department specified as its minimum, which the clause states in exactly those terms: to provide adequate security, implement at a minimum the following protections. Paragraph (b)(3) then requires applying additional measures where the contractor reasonably determines they are needed for a changing environment or special circumstances, based on assessed risk or vulnerability.
The structure is a floor plus judgment, calibrated to consequence and probability, with the contractor doing the calibrating and the clause expecting it.
The sentence that says a control does not apply
Paragraph (b)(2)(ii)(B) almost never appears in the compliance conversation and belongs in the first paragraph of it.
The contractor may submit a written request to vary from 800-171 to the Contracting Officer, for consideration by the DoD CIO. And then the operative sentence: the Contractor need not implement any security requirement adjudicated by an authorized representative of the DoD CIO to be nonapplicable, or to have an alternative but equally effective security measure that may be implemented in its place.
That is a variance mechanism written into the contract clause. Not a loophole, not an exemption for the unwilling, and not expired. It survives in the May 2024 revision. Paragraph (C) even provides for reusing a prior CIO adjudication on a new contract, and paragraph (m)(2)(i) requires subcontractors to notify the prime when they submit one, which means the drafters expected variance requests to move through the supply chain as ordinary business.
The mechanism assumes a relationship. It assumes a contractor who can look at a requirement, determine it does not fit the environment, propose something that achieves the same protection by other means, and have a government official decide. It assumes engineering judgment exists on the contractor side, that it can be wrong, and that the government is the one to rule on it. The 2017 DoD guidance on the clause made the corollary explicit: third party assessments or certifications of compliance were not required, authorized, or recognized by DoD.
For a manufacturer this is not academic. A requirement written for an enterprise network meets a machine that cannot host an agent, cannot be patched on the vendor’s terms, and cannot be taken down for a maintenance window without stopping a line. Under 7012 the answer was a written request, a proposed alternative, and an adjudication. The answer might be no. But there was a venue, a decision-maker, and a record.
That conversation has no equivalent in CMMC. The scoring methodology at 170.24 has three findings: MET, NOT MET, and NOT APPLICABLE. A C3PAO assessor scores what is in place. Nothing in the certification path lets an assessor accept an alternative but equally effective measure, because that adjudication belongs to the DoD CIO and a C3PAO is not the DoD CIO. The variance mechanism still exists in the clause. It simply has no bearing on whether you pass.
So the same contractor, holding the same contract, under the same 110 requirements, has two different relationships with the government depending on which instrument is looking at him. Under 7012 he is a party who can argue that a control does not fit and propose one that does. Under a certification assessment he is a score.
From risk management to pass or fail
Structurally, 800-171 R2 is a risk management instrument. Section 3.11 is a Risk Assessment family. Section 3.12.2 requires organizations to develop and implement plans of action to correct deficiencies and reduce or eliminate vulnerabilities. NIST’s own discussion of that requirement describes plans of action as documents that describe how unimplemented security requirements will be met and how planned mitigations will be implemented, and states that federal agencies may consider submitted system security plans and plans of action as critical inputs to an overall risk management decision about whether to place CUI on a nonfederal system.
That sentence contemplates a contractor with unimplemented requirements, a documented plan, and a government customer making a risk decision with full visibility. That contractor is a participant in a risk conversation rather than a violator. And R2 attaches no deadline to any of it. The CMMC final rule itself acknowledges this in its own words, observing that an explicit time limit for mitigation is not specified in NIST SP 800-171 R2, while noting that contractors failing to reasonably comply may face standard contractual remedies.
That describes a risk-managed regime. You assess, you document honestly, you sequence remediation against actual threat and actual resources, you carry residual risk knowingly, and the government sees all of it and decides what it wants to do. It is also, for anyone who has run a real program, the on-ramp to mature security thinking. The 110 requirements are the vocabulary. Risk judgment is the grammar. You do not get a defensible program by reciting the vocabulary.
CMMC took the identical 110 requirements and changed their grammar. Under 32 CFR 170.21 and 170.24, the same controls become a score. Reach 80 percent of the maximum with only permitted requirements deferred and you receive a Conditional status. All NOT MET requirements go on a POA&M. That POA&M closes within 180 days of the Conditional status date, verified by a second assessment, or the status expires and standard contractual remedies apply. Certain requirements cannot be deferred at all. The rule assigns weighted point values to individual requirements and the arithmetic decides your eligibility.
The change added nothing to the security. It removed the judgment. Under R2, a control I rationally defer because the threat does not justify the spend this year is a documented risk decision I own and defend. Under CMMC, that same decision is a countdown against a contract vehicle on a clock I did not set, verified by a party I pay, against a scope I may not control. The security posture is identical in both cases. The authority to reason about it is not.
The loss is not measured in money. A CISO whose job is to reason about risk under constraint, and who is instead required to certify a binary against a fixed clock, has stopped doing security. The organization has not become safer. It has become compliant, which is a different and lesser thing, and everyone in the profession knows it is a different thing.
The Department knows it too. The Secretary of War’s own acquisition strategy calls for transitioning from a culture of compliance to one of speed and execution. The suspension guidance says the Department will focus on tangible cyber hygiene rather than administrative overhead. Those are the Department’s words, in the Department’s own documents, drawing the distinction the shaming argument refuses to admit exists.
Why the clock has teeth
Underneath the scoring change sits the False Claims Act, and an enforcement record that is already written.
Under 32 CFR 170.22, a senior official must affirm in SPRS that the organization has implemented and will maintain implementation of all applicable CMMC security requirements, upon achieving status, annually thereafter, and at POA&M closeout. That affirmation carries the weight of a legally operative representation rather than an engineering one, and DOJ has been treating it that way.
The record through fiscal year 2025: DOJ recovered more than $52 million across nine cybersecurity-related FCA settlements, with recoveries in the area more than tripling in each of the prior two years, and cyber cases featuring in the Department’s record $6.8 billion in total FCA recoveries. The Deputy Assistant Attorney General overseeing FCA enforcement has called this a significant upward trajectory and named cybersecurity fraud a key priority. These cases, she says, are premised on misrepresentations rather than on data breaches.
The specific cases map directly onto the industrial base. In March 2025, a defense contractor paid $4.6 million after submitting an SPRS score of 104 when a later gap analysis put its actual score at negative 142. In December 2025, an Illinois precision machining company paid $421,234 to resolve allegations that it knowingly failed to provide adequate cybersecurity under DFARS 252.204-7012 for technical drawings of parts it supplied to prime contractors, in a case brought by a former quality control manager. That was the first FCA cybersecurity settlement reaching a defense supply chain subcontractor. In June 2026, a logistics contractor paid $507,144 after a DIBCAC assessment scored it at negative 170, in a matter triggered not by a whistleblower but by the government’s own assessment process. The restitution in that case exceeded a third of what the contractor had been paid under the relevant contracts.
Technical drawings. Blueprints and machining diagrams. A quality control manager as the relator. That is the business described earlier in this essay, and FCA exposure reached it on the shop floor rather than stopping at the primes.
Scope is set by an upstream marking process the Inspector General has found unreliable. The level is often set by a prime resolving liability asymmetry in its own favor. The score is a weighted arithmetic with a 180-day clock. The affirmation is sworn by a named executive. Treble damages sit underneath. And the enforcement theory turns on misrepresentation rather than breach, which means the exposure attaches to the paperwork rather than to the security.
The do-or-die quality comes from that stack, and it has nothing to do with compliance being hard. An honest professional disagreement about scope, a good-faith risk judgment about sequencing, an upstream marking error nobody downstream can correct: each of them resolves into personal and corporate legal exposure. Under those conditions no rational CISO runs a risk-managed program. They run a checkbox program, because the checkbox is what the liability attaches to. The framework selects for defensive compliance rather than merely permitting it.
The enforcement record cuts in the shaming argument’s favor on one specific point: firms that certified 104 while sitting at negative 142 exist, and the honest members of this industry should want them found. But a whistleblower with direct knowledge found one, a government assessment found another, and a gap analysis found the third. No C3PAO anywhere in the sequence. The three cases that best justify verification are three cases where the mechanisms that already existed worked. What CMMC Phase II proposed to add was a toll rather than detection, paid by everyone, including the firms who were never the problem.
Where the money actually goes
The costs that make a Level 2 certification expensive have nothing to do with security. They are the costs of proving security to a stranger on a schedule, and they land on organizations already doing the work.
Two assessments instead of one. The C3PAO is the graded event. Walking into a graded event without a rehearsal is not a security posture, it is a gamble with a contract vehicle on the table. So the prudent CISO buys a mock assessment first, then buys the real one. Industry-reported mock assessments run roughly $10,000 to $30,000 for smaller well-prepared firms, with $30,000 to $50,000 common for broader readiness support. Direct C3PAO assessments run roughly $50,000 to $75,000 for well-prepared organizations, and $30,000 to $100,000 or more depending on size and complexity. None of that money buys a single new control. It buys the right to be told what you already knew, twice.
The POA&M closeout. Score at least 80 percent with permitted gaps and you get Conditional status, then 180 days to close and a second certification assessment to verify. Industry data suggests a meaningful share of first-time Level 2 attempts end with open POA&Ms requiring retesting. That is a third assessment event. The rule builds a reassessment into the design and the reassessment has a price.
The evidence apparatus. Under CMMC, 110 requirements decompose into assessment objectives that must be evidenced rather than satisfied. Assessors do not grade the control. They grade the artifact. An organization can run genuinely good access reviews and still fail because it ran them as an engineering practice rather than as an evidence-production practice. Preparation is conservatively estimated at hundreds of hours of internal staff time. That labor is real, it is not security, and it lands on the people who were already doing the work.
The enclave. Enclaving is legitimate architecture. Isolating CUI into a segmented boundary genuinely reduces risk and genuinely reduces cost, and DoD endorsed the approach in the rule. But under a self-assessment regime, a defensible scope argument is one you make to yourself and document in your SSP. Under a certification regime, it is an argument you make to a third party who has professional incentives to resolve ambiguity conservatively and whose own liability runs in one direction. The CMMC FAQ is explicit that encryption alone does not create logical separation. Segmentation must be architecturally enforced and evidenced.
So the enclave gets built. Sometimes because it is the right architecture. Sometimes because it is the only scope argument that survives contact with an assessor. Those are different reasons producing the same invoice, and only the first one is security.
The minimum viable company
An enclave is an entire second company IT infrastructure. In a world where the stated goal is reducing cost, both CMMC and the vendors who build enclaves say so in writing.
The enclave needs its own identity store, because enclave users cannot authenticate with their everyday corporate credentials. Its own email, because the enclave mail system is a separate tenant on separate infrastructure with no upgrade path from the commercial one. Its own file storage and collaboration. Its own endpoint management, its own patch management, its own vulnerability scanning, its own logging and SIEM, its own endpoint detection and response. Its own licenses, priced per user at a government premium that Microsoft does not publish. Its own backups. Its own documentation set. Its own change control. Its own help desk workflow, because the people who support it cannot be the same people supporting everything else unless those people are also in scope.
One vendor guide states the conclusion plainly. Building an enclave means building, in its words, a tiny separate company from an IT perspective. That is a vendor selling the service, not a critic.
The user experience follows the architecture. A person working on defense projects carries two accounts and lives in two worlds, checking commercial mail for the civilian side of the business and then switching tenants to open a drawing for the military side. Cross-tenant access runs one direction only. The swivel-seat problem is the recurring one: the finance person who reviews defense project numbers, the lawyer who reads the contract, the executive who wants visibility. Each of them forces the same choice, which is to pull another human into the enclave, build a controlled procedure for temporary access, or restructure the work so the touch never happens.
And then, having paid for all of it, you are left hoping the government entity you contracted with sends the CUI to the enclave rather than to the corporate side. A contracting officer with the wrong address in his autocomplete can put covered defense information into the environment you spent six figures keeping it out of, and the mistake is his while the problem is yours. It arrives unmarked or mismarked often enough, per the Inspector General, that a contractor cannot rely on the marking to know what he just received. The scope you carefully drew and the boundary you carefully built are both subject to revision by someone pressing Send.
So the arithmetic that made the enclave attractive comes back around. The enclave reduces the assessment scope, which is real and worth having. It does so by standing up a parallel operation and running both. The compliance cost falls. The operating cost does not, because now two of everything exists and both need people.
Congratulations, Department of War. You have discovered the minimum viable company.
That is not a joke at the Department’s expense so much as a description of what the scoping model produces when a certification regime meets a business that was not built around a document boundary. Nobody set out to require a second company. The rule required a defensible boundary, the assessor required it to be architecturally enforced and evidenced, the liability made every ambiguity resolve outward, and a second company is what falls out of those three pressures acting on a small firm at the same time.
And the second company is still the cheap option. The alternative is bringing the whole enterprise into scope, which for most manufacturers costs more. Everyone in this argument is choosing rationally. The choice set is the problem.
The model was built for an information business
Read the scoping rule closely and something becomes visible that the cost debate has mostly missed. CMMC assumes CUI is a document. It assumes the document moves through people at keyboards, that those people are the risk surface, and that the environment to be assessed is an information environment.
A large part of the support base runs a physical business instead. Machines, fixtures, tooling, welders, line workers. The CUI in that shop never gets emailed anywhere. It is a drawing that becomes a part, and the people who touch it are standing at a grinder rather than sitting in Outlook. The output is metal.
The rule half-knows this. At Level 2, 32 CFR 170.19 places Specialized Assets in the assessment scope but then instructs the assessor, in the table’s own words, to review the SSP and not assess against other CMMC security requirements. Specialized Assets are defined as assets that can process, store, or transmit CUI but are unable to be fully secured, and the enumerated list is exactly the industrial base: Internet of Things devices, Industrial Internet of Things devices, Operational Technology, Government Furnished Equipment, Restricted Information Systems, and Test Equipment.
The Department looked at the machines that do the work, concluded they cannot be fully secured by design, and exempted them from the security requirements, in plain language, in the table.
Then the framework turns around and assesses everything adjacent to those machines at full weight. The exemption runs to the equipment. The bill runs to the shop around it. A manufacturer gets told the machine holding the toolpath is out of assessment scope because it cannot be secured, and in the same breath gets told the environment surrounding that machine will be assessed against 110 requirements and roughly 320 assessment objectives, evidenced to a stranger, on a three-year cycle.
At Level 3, Specialized Assets lose the exemption entirely. Table 5 of the same section requires a limited check against Level 2 and assessment against all Level 3 requirements, with intermediary devices permitted to carry the load. The machines are unsecurable at Level 2 and expected to comply at Level 3. Nothing about the machines changed between those two tables. Only the contract did.
The identical widget
Take one part off the line. Same drawing, same machinist, same tolerance, same setup, same inspection. Sold to a truck fleet down the road it is a part. Sold to the Department, that drawing becomes CUI, the shop falls into scope, and the verification cost arrives in six figures.
Nothing about the physical risk changed. Nothing about the machine, the process, or the person changed. What changed is the identity of the customer and an upstream marking decision made by someone else, in a process the Inspector General found in April 2026 to be inconsistently executed and biased toward restrictive dissemination controls.
The complaint has never been that security is unreasonable. It is that scope gets triggered by customer identity and an upstream classification act rather than by any property of the thing being protected, and the party who pays holds no authority over either.
What gets lost is time, not margin
What a small specialty supplier sells the Department is frequently time rather than price. Having the widget on the shelf when something breaks half a world away, in a quantity no prime will hold, for a platform no prime still tools for. It is answering in minutes or hours rather than quarters. That capability exists because a small firm chose to carry inventory and capacity against unpredictable demand, which is an economically irrational thing to do that somebody still has to do.
Set the verification tax against that capability. For a prime, an assessment is absorbed into overhead across a program of record. For the shop that holds the obscure part, six figures buys down inventory that never gets carried and a machine that never gets replaced, and it costs two people who are not there when the call comes. There is not enough margin for the money to come out of margin, so it comes out of readiness.
This is where the program collided with the Department’s own stated strategy. On November 7, 2025, the Secretary of War signed the memorandum transforming the Defense Acquisition System into the Warfighting Acquisition System. Its language is not ambiguous. Speed to capability delivery is now the organizing principle and the decisive factor in maintaining deterrence and warfighting advantage. Every process, board, and review must justify its existence by demonstrating how it directly supports accelerating capability delivery. The strategy calls for transitioning from a culture of compliance to one of speed and execution. It directs the Department to go direct-to-supplier, negotiating and investing directly with companies and suppliers throughout the industrial base rather than only through the big prime contractors. It observes that the base has consolidated from 51 prime vendors after the Cold War down to five, and sets expanding it as a pillar.
One document says the decisive advantage is speed and the industrial base must be broadened beyond the primes. The other imposes a fixed six-figure verification cost, on a three-year cycle, on precisely the small and non-traditional suppliers the first document says are needed, gated behind roughly 100 assessment organizations serving over 100,000 firms.
Expense was the smaller problem. The verification tax fell hardest on the exact capability the Department’s own organizing principle identifies as decisive. That is a program operating against its own department’s declared strategy, which the Department eventually said aloud. The suspension memo describes the current program as imposing significant and often prohibitive burdens on the small and non-traditional businesses the Department calls the engine of American innovation.
The flowdown multiplier
One more mechanism, because it is where the shop floor feels this. Under 32 CFR 170.23, flowdown is supposed to track the data. The level required of a subcontractor is determined by the type of information the prime actually shares, not by the prime’s own level. A subcontractor receiving only FCI needs Level 1 regardless of what the prime holds. Primes are not authorized to blanket flow down their own requirement.
The behavior runs the other way, for structural rather than malicious reasons. For a prime, under-flowing is False Claims Act exposure and over-flowing is somebody else’s invoice. The consequences of under-flowing are more severe than the consequences of over-flowing. Faced with an asymmetry like that, a rational prime resolves every ambiguity upward and pushes the requirement down to suppliers who may never touch CUI at all. Practitioners name over-scoping vendors as a standard failure mode: demanding Level 2 from a supplier that never sees CUI, adding cost with no security benefit.
The government over-marks because the marking process is broken. The prime over-flows because the liability is asymmetric. The assessor resolves scope conservatively because that is where the professional risk sits. Every actor in the chain is behaving rationally given their own incentives, and every one of those rational decisions lands as cost on the smallest firm at the end of the line, which had no vote in any of them and frequently was not handling CUI in the first place.
The over-classification problem underneath all of it
Scope is a function of where CUI lives. Where CUI lives is a function of what gets marked CUI. And what gets marked CUI is decided by the government, not the contractor. The government is not deciding it well.
In April 2026, the DoD Inspector General issued a management advisory finding that DoD organizations frequently failed to properly mark CUI documents with the required designation indicator block, and that when they did mark, they often defaulted to restrictive dissemination controls such as Federal Employees and Contractors Only rather than applying no limited dissemination control at all. The finding emerged incidentally from a review of the Secretary’s use of Signal. The Department’s own intelligence and security office had reported in 2023 that only nine percent of CUI documents were unmarked. The IG’s sample suggested the problem was more pervasive than that.
Marking is inherently a government function, and contractors are not authorized to unilaterally designate or decontrol. When the government over-marks, the contractor absorbs the scope. When the government fails to mark, the contractor absorbs the ambiguity. In both directions the cost flows downhill to the party with no authority over the decision that created it. Unmarked data forces contractors to choose between absorbing costs outside the scope of the contract or accepting a security incident.
Bill Greenwalt, a senior fellow at AEI and a former deputy under secretary of defense, put it directly when the IG advisory landed: the CUI system appears to be completely out of control, it is already costing the government and industry billions a year to comply with through CMMC, and there has been little debate on the need or the effects of CUI in the public or in Congress.
The shaming argument never reaches this far down. It presumes a stable, well-defined, correctly-marked corpus of CUI against which compliance is a binary. That corpus does not exist. The scope of the obligation is set by an upstream process the IG has found to be broken, and the certification regime converts every upstream marking error into a downstream capital expenditure.
The arithmetic of who pays
This is a story about a fixed cost applied to firms of radically different sizes with radically different overhead absorption, in a market where the government is the only customer. A fixed six-figure charge is regressive by construction. The same invoice that a prime absorbs into overhead is two full-time employees at a small supplier. Not two employees for a quarter. Two employees, gone.
The government eventually did this math itself. DoW CIO Kirsten Davies, announcing the suspension, cited over 100,000 DIB businesses needing third-party assessment against roughly 100 available assessment organizations, and concluded that the math simply does not math. The SBA, endorsing the suspension, put small-firm compliance costs at approximately $593,800 per certification for firms requiring third-party assessment and about $388,600 for firms eligible for self-assessment. The March 2026 GAO report had already flagged that DoD failed to systematically assess external factors, naming assessor capacity specifically, and warned that heavy reliance on waivers could undermine the long-term viability of the program.
The capacity argument and the cost argument, made for years by practitioners and dismissed as excuse-making by noncompliant firms, became the government’s own stated rationale for suspension. The people who were told they were confessing to noncompliance were describing the program accurately. The Department has now conceded the description.
On being told to get out of the business
The sharpest version of the shaming argument came from the program’s own architect. Katie Arrington, then performing the duties of the DoD CIO, told an INSA audience in June 2025 that going on LinkedIn and complaining that CMMC is too hard was foolish, because your company has been contracted since 2014 to institute the 110 requirements of NIST 800-171, and what you are saying is that you are noncompliant. She added that the business of defense is not something to take lightly, and that if it is too hard, get out of the business.
The tone is beside the point. First, the date drifts. Arrington said 2014. DoD’s own rule says the controls were required by FAR 52.204-21 as of June 2016 and DFARS 252.204-7012 as of December 2017. If the person who built the program cannot hold the compliance date steady across a single sentence, the demand for precision from everyone else is doing something other than what it claims.
Second, and fatally, the argument conflates two distinct things: the cost of implementing 800-171 and the cost of certifying against CMMC. DoD’s regulatory impact analysis holds these apart deliberately and by name. It counts only the second. Arrington’s argument requires them to be the same cost, so that any complaint about the second is an admission about the first. The rule she is invoking says they are not the same cost. You cannot cite 800-171 obligations as proof that CMMC assessment should be free when the CMMC rule itself prices the assessment at six figures on top of full 800-171 compliance.
Third, get out of the business is a supply chain recommendation, and it was taken as one. The Department’s own suspension memo describes the current program as imposing significant and often prohibitive burdens on the DIB, particularly the small and non-traditional businesses the Department calls the engine of American innovation. SBA reported that compliance was pushing firms out of the defense industrial base entirely. Davies stated that pausing Phase II keeps companies in the DIB who would otherwise be forced out at a time when they are needed most.
Told to get out of the business, some firms did. The Department noticed. The Department then suspended the program.
There is a professional point buried in this that outlasts the current argument. The people who ran the CMMC ecosystem had a direct financial interest in the certification requirement existing. That does not make them wrong, and it should not be treated as automatically disqualifying. But when a party with revenue riding on a mandate tells the regulated population that objecting to the mandate is an admission of guilt, they have made a sales argument in a security register, and it should be discounted at that rate. Skin in the game does not disqualify anyone. Skin in the game that goes undisclosed while the holder questions everyone else’s integrity is another matter entirely.
What is actually true right now
Nothing about the obligation changed. DFARS 252.204-7012 is binding on every contract that contains it. NIST SP 800-171 Rev 2 remains the standard and is the interim enforcement baseline during the review. SPRS submission requirements are unchanged. Phase I self-assessment at Levels 1 and 2 remains fully in effect. The Department retains the right to assess under 252.204-7020, and has said it will use government-led assessments during the interim.
Self-assessment accuracy now matters more, not less, because self-assessment is the primary enforcement mechanism. The FCA exposure described above does not soften by one degree in the absence of a C3PAO. LOGZONE came from a government assessment, with no certification and no whistleblower anywhere in it. Anyone reading the suspension as permission to dismantle a control, or to let an SPRS score drift away from the truth, has misread it completely.
Alongside the suspension, the Department published Brilliant at the Basics, an interim baseline aimed at DIB partners. The framing matters more than the content. The stated intent is to strip away administrative complexity and compliance overhead so that partners can secure networks and reduce technical debt. Phishing-resistant MFA. Asset inventory. Segmentation to limit lateral movement. Risk-based vulnerability management driven by operational context rather than generic severity scores. Immutable backups with isolated credentials.
This is a controls-and-outcomes document with no assessment apparatus attached. Whatever else it is, it is the Department stating in its own voice that the security and the verification were separable all along, and that it can ask for the first without the second.
What follows
The Task Force reports in roughly sixty days. RFI responses were due August 14. Formal changes to 32 CFR Part 170 and the DFARS require rulemaking, which takes months. Every plausible outcome keeps NIST SP 800-171 as the substantive standard. Build to the standard. Stay flexible on the mechanism. Dismantle nothing.
But the record should not get rewritten in the meantime. For six years the practitioners who said this program would cost more than it protected, that the assessor capacity did not exist, that the fixed cost would fall hardest on the smallest and most irreplaceable suppliers, and that the scope problem was an upstream marking problem the government had not solved, were told they were describing their own noncompliance. They were not. They were describing the program. The GAO said it in March. The SBA said it in July. The CIO said it from the Pentagon podium on July 13 and used it as the reason to suspend.
The security was never the argument. Most of us were doing the security. The argument was always about who pays to prove it, on whose schedule, to whom, and at what cost to the ability to actually do the work. That argument was legitimate the entire time it was being dismissed as a confession.
I will keep protecting the information. I was protecting it before the ecosystem arrived, and I will be protecting it after the Task Force reports. What I will not do is accept that a demand for a receipt is the same thing as the security, or that questioning the price of the receipt is an admission that the goods were never there.
Sources
Every factual claim above is drawn from the following primary documents. Links current as of July 15, 2026.
Regulation and contract clauses
DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting (MAY 2024). Definition of adequate security at (a), the 800-171 requirement at (b)(2)(i), the December 31, 2017 date at (b)(2)(ii)(A), the variance mechanism at (b)(2)(ii)(B) and (C), additional measures at (b)(3), and subcontractor variance notification at (m)(2)(i). https://www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting.
32 CFR Part 170, Cybersecurity Maturity Model Certification (CMMC) Program, final rule, 89 FR 83092 (October 15, 2024). Regulatory Impact Analysis and cost estimates. Docket DoD-2023-OS-0063. https://www.federalregister.gov/documents/2024/10/15/2024-22905/cybersecurity-maturity-model-certification-cmmc-program
32 CFR 170.19, CMMC scoping. Specialized Assets treatment at Level 2 in Table 3 and at Level 3 in Table 5. https://www.ecfr.gov/current/title-32/subtitle-A/chapter-I/subchapter-G/part-170/subpart-D/section-170.19
32 CFR 170.21 (POA&M requirements), 170.22 (affirmation), 170.23 (application to subcontractors), 170.24 (scoring methodology). https://www.ecfr.gov/current/title-32/subtitle-A/chapter-I/subchapter-G/part-170
NIST SP 800-171 Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Section 3.11 Risk Assessment, section 3.12.2 plans of action and associated discussion. https://csrc.nist.gov/pubs/sp/800/171/r2/upd1/final
The suspension
Department of War, Forging the Arsenal of Freedom: Department of War Suspends CMMC Phase II Requirements (July 13, 2026). https://www.war.gov/News/Releases/Release/Article/4542329/forging-the-arsenal-of-freedom-department-of-war-suspends-cmmc-phase-ii-require/
Department of War CIO, Brilliant at the Basics, interim cybersecurity baseline for DIB partners. https://dowcio.war.gov/brilliantbasics
Remarks by DoW CIO Kirsten Davies and USD(A&S) Michael Duffey, Pentagon press briefing (July 13, 2026), and the July 10, 2026 memo, reported in Breaking Defense, Pentagon announces immediate suspension of CMMC Phase II mandates. https://breakingdefense.com/2026/07/pentagon-announces-immediate-suspension-of-cmmc-mandates/
Federal News Network, Pentagon suspends CMMC phase two requirements, launches review of program (July 13, 2026). https://federalnewsnetwork.com/cybersecurity/2026/07/pentagon-suspends-cmmc-phase-two-requirements-launches-review-of-program/
Oversight and cost findings
GAO-26-107955, Defense Contractor Cybersecurity: DOD Should Address External Factors That Could Impede Program Implementation (March 12, 2026). https://www.gao.gov/products/gao-26-107955
Department of Defense Office of Inspector General, management advisory on CUI marking practices (April 2026), reported in Federal News Network, DoD still failing to properly mark CUI data years after initial audit. https://federalnewsnetwork.com/defense-news/2026/04/dod-still-failing-to-properly-mark-cui-data-years-after-initial-audit/
Acquisition strategy
Secretary of War, Transforming the Defense Acquisition System into the Warfighting Acquisition System to Accelerate Fielding of Urgently Needed Capabilities to Our Warriors, with attached Acquisition Transformation Strategy (November 7, 2025). https://media.defense.gov/2025/Nov/10/2003819439/-1/-1/1/TRANSFORMING-THE-DEFENSE-ACQUISITION-SYSTEM-INTO-THE-WARFIGHTING-ACQUISITION-SYSTEM-TO-ACCELERATE-FIELDING-OF-URGENTLY-NEEDED-CAPABILITIES-TO-OUR-WARRIORS.PDF
Enforcement
United States Department of Justice, Illinois Precision Machining Company Agrees to Pay $421,234 to Resolve Alleged False Claims Act Violations (December 5, 2025). Swiss Automation Inc. United States ex rel. Gomez v. Swiss Automation Inc., No. 1:22-cv-4328 (N.D. Ill.). https://www.justice.gov/opa/pr/illinois-precision-machining-company-agrees-pay-421234-resolve-alleged-false-claims-act
Statements quoted
Katie Arrington, then performing the duties of the DoD CIO, remarks to the Intelligence and National Security Alliance Coffee Series webinar (June 5, 2025), reported in Breaking Defense, Stop doing that: Arrington pleads to industry to quit complaining about CMMC. https://breakingdefense.com/2025/06/stop-doing-that-arrington-pleads-to-industry-to-quit-complaining-about-cmmc/
Katie Arrington, remarks at an AFCEA DC luncheon (April 2025), reported in Washington Technology, DOD’s Katie Arrington shows no mercy to CMMC complainers. https://www.washingtontechnology.com/contracts/2025/04/dods-katie-arrington-shows-no-mercy-cmmc-complainers/404863/