SME, Inc.

  • Home
  • About Us
  • Services
    • Cloud Solutions
    • Compliance Solutions
      • ALTA Best Practices
      • CMMC
      • DFARS
      • HIPAA
      • PCI DSS
      • Security Awareness Training
    • Data Center Services
      • Hosting
      • Monitoring
      • Hands & Eyes
    • Managed Security Services
      • Asset Management
      • Nextwall™ Managed Firewall
      • IDS/IPS
      • Managed Anti-Virus
      • VPN/Remote Access
      • Vulnerability Assessment Services
        • External Vulnerability Assessment
        • Internal Vulnerability Assessment
        • Web Application Testing
    • Technical Support
      • The SME Tech
      • Backups
      • Remote Support
  • Blog
  • Contact Us

July 14, 2026 By Rich Westbrook

CMMC Phase II Is Suspended. Your Cybersecurity Responsibilities Are Not.

Recently, the Department of War announced the immediate suspension of CMMC Phase II and the planned November 10, 2026 transition while it conducts a 60-day review of the program. The review is intended to reduce compliance burdens for small, medium, and non-traditional defense contractors while maintaining strong cybersecurity standards. (Defense Business)

If you’re a defense contractor, this announcement is significant—but it doesn’t mean you should stop preparing.

What Changed?

The Department has suspended the rollout of Phase II, including the planned requirement for third-party CMMC Level 2 assessments, while it evaluates the future of the program.

What Didn’t Change?

Several critical cybersecurity requirements remain in effect:

  • Phase I self-assessment requirements remain in place.
  • DFARS 252.204-7012 still requires contractors to protect Covered Defense Information.
  • NIST SP 800-171 security requirements still apply where required.
  • Organizations are still responsible for protecting Controlled Unclassified Information (CUI).

What This Means for Defense Contractors

The third party assessment may be paused

Your contractual cybersecurity requirements are not.

Requirements under DFARS 252.204-7012 and applicable NIST SP 800-171 controls remain in effect. Organizations are still responsible for protecting Controlled Unclassified Information (CUI), and inaccurate cybersecurity representations may expose contractors to significant legal and financial consequences under the False Claims Act.

This is not the time to pause your cybersecurity efforts. It’s an opportunity to strengthen your security posture before the Department announces its next steps.

This additional time can be used to:

  • Close existing cybersecurity gaps
  • Build or improve your CUI enclave
  • Develop required documentation and policies
  • Prepare for whatever verification model emerges from the Department’s review

Organizations that continue making progress today will be in a much stronger position regardless of how the CMMC program evolves.

How SME Can Help

Earlier this month, SME introduced a new implementation approach designed specifically for small and mid-sized defense contractors.

Instead of following the traditional consulting model, our team works alongside your organization to complete key implementation activities in parallel, helping you build the technical foundation for compliance while developing the documentation and processes needed to support it.

The result is a more efficient path toward CMMC readiness, no matter what comes next.

Don’t Wait for the Next Deadline

The timeline may have changed. Your risk hasn’t.

Schedule a consultation with the SME team today to strengthen your cybersecurity posture, reduce compliance risk, and prepare for whatever comes next.

Share this:

  • Share on Facebook (Opens in new window) Facebook
  • Share on X (Opens in new window) X

Filed Under: Uncategorized

Contact Us

    Your Name

    Your Email

    Subject

    Your Message

    Recent Post

    Recently, the Department of War announced the immediate suspension of CMMC Phase II and the planned November 10, 2026 … More »

    What Our Clients Say

    "SME handles all of our internet hosting needs, providing a reliable, high-performance, secure and cost-effective platform for us to host web-based systems for biotech companies. We have been consistently impressed with the responsive, knowledgeable and professional service we receive."

    Simply Making IT Easier!TM
    Local: 703-378-4110
    Toll Free: 855-2-SMEINC
    Email: info [at] smeinc.net

    Copyright © 2026 · Systems Management Enterprises, Inc. · Privacy Policy · Terms of Service