Skip to content
  • Home
  • Resources
  • Blog
  • CMMC Phase 2 Is Suspended. Here's Why Your Security Strategy Shouldn't Be.

CMMC Phase 2 Is Suspended. Here's Why Your Security Strategy Shouldn't Be.

Speach bubble that says "Don't panic" next to an illustrated stick figure visibly panicking. Text to the right says "What CMMC Phase 2 Suspension Means for Your MSP"

If your LinkedIn feed has suddenly filled up with people declaring CMMC "dead," you're not alone. Since the Department of Defense announced the suspension of CMMC Phase 2, cybersecurity professionals have been trying to separate the facts from the hot takes.

We’ve been inundated with upwards of three emails asking about this, so thought we’d clarify a few things. The good news is that the reality is far less dramatic than some headlines suggest.

Yes, CMMC Phase 2 has been suspended while the Department of Defense conducts a review of the program. No, that doesn't mean organizations can stop thinking about cybersecurity, abandon their compliance plans, or put NIST 800-171 back on the shelf.

For managed service providers (MSPs), this announcement shouldn't fundamentally change your security strategy. If anything, it should reinforce an important lesson that we’re always shouting from the rooftops: good cybersecurity has never been about passing an audit. It's about reducing risk, protecting your clients, and building security practices that stand up - whether an assessor is watching or not. Let's look at what’s actually changed, what hasn't, and what MSPs should be doing next.

 

What Is CMMC Phase 2?

The Cybersecurity Maturity Model Certification (CMMC) was created by the Department of Defense to ensure contractors handling sensitive government information meet consistent cybersecurity standards.

While CMMC includes multiple certification levels, Phase 2 primarily affects organizations handling Controlled Unclassified Information (CUI). Under the planned rollout, these organizations would need to demonstrate compliance with the security controls outlined in NIST SP 800-171 through an independent assessment conducted by a Certified Third Party Assessment Organization (C3PAO) - not to be confused with the metal guy from Star Wars.

For many contractors, that represented a significant shift. Instead of simply attesting that appropriate controls were in place, organizations would need independent verification before qualifying for certain Department of Defense contracts.

For MSPs supporting defense contractors, Phase 2 also meant helping clients prepare documentation, implement technical controls, improve employee security awareness, and ensure they were genuinely ready for an external assessment rather than simply hoping to scrape through one.

 

Why Has Phase 2 Been Suspended?

According to the Department of Defense, the suspension is intended to provide time to review how the program is implemented and whether changes are needed before mandatory third party assessments begin.

One of the biggest concerns raised by industry was the practical burden of the current model. Independent assessments are expensive, qualified assessors are in limited supply, and many smaller contractors are struggling to prepare for certification within the proposed timelines.

The review is intended to address those challenges while ensuring the defense industrial base remains both secure and competitive. In other words, the goal is to improve the process, not reduce cybersecurity expectations.

That distinction matters because some of the online reaction has suggested the Department of Defense has backed away from CMMC altogether. That's simply not the case. The current pause is focused on how compliance is verified, not whether organizations should be protecting sensitive information in the first place.

 

What Has Actually Changed?

The biggest immediate change is that mandatory third party assessments under CMMC Phase 2 have been paused while the review takes place. That means organizations that were preparing for those assessments have a little more breathing room.

It also means there is currently some uncertainty around exactly how Phase 2 will look once the review concludes. The Department of Defense may adjust timelines, modify assessment requirements, or make other changes intended to reduce administrative burden.

What hasn't happened is a wholesale abandonment of CMMC or a decision that cybersecurity is suddenly less important than it was last week. While certification timelines may move, the underlying need to protect sensitive information remains exactly the same.

For MSPs, the practical impact is less about changing direction and more about adjusting expectations around when independent assessments may take place.

 

What Hasn't Changed

Perhaps the most important thing to understand is that the suspension doesn’t remove the cybersecurity responsibilities organizations already have.

NIST SP 800-171 remains the security framework organizations handling Controlled Unclassified Information are expected to follow. Existing contractual obligations relating to protecting sensitive information haven't disappeared overnight simply because a certification milestone has been delayed.

Just as importantly, cybercriminals don’t tend to suspend their activities while the Department of Defense reviews its compliance program. Phishing attacks, credential theft, ransomware, business email compromise, and social engineering campaigns continue regardless of government timelines. Attackers don't wait for regulatory certainty before looking for their next target.

That's why security awareness training remains just as valuable today as it was before the announcement. Whether an organization is preparing for an audit or simply trying to reduce risk, educating employees to recognize phishing attempts, report suspicious emails, and follow secure working practices continues to be one of the most effective ways to strengthen an organization's overall security posture.

Compliance deadlines can move. Human risk doesn't.

 

What Should MSPs Do Right Now?

Quick, invest in SAT! Give Phin all your money! Nah, only joking. For most MSPs, the answer is surprisingly simple: stay the course.

If you've been helping clients align with NIST 800-171, continue doing exactly that. If you've been improving documentation, strengthening access controls, implementing multi-factor authentication, and running regular security awareness training, none of those investments have suddenly become unnecessary.

Rather than viewing the suspension as permission to pause, treat it as an opportunity to improve. Extra time can be used to close security gaps, refine documentation, strengthen incident response processes, and build confidence before assessments eventually resume.

It also gives MSPs an opportunity to have proactive conversations with clients. Some customers will inevitably see headlines suggesting CMMC has been suspended and assume compliance is no longer important. Helping them understand the difference between a delayed assessment and reduced security expectations reinforces your role as a trusted advisor rather than simply a technology provider.

The priorities for MSPs remain largely unchanged:

  • Continue implementing NIST SP 800-171 controls.
  • Maintain security awareness training and phishing simulations.
  • Keep documenting security policies and evidence.
  • Use the additional time to strengthen weak areas rather than delaying projects.
  • Keep clients informed about developments without encouraging unnecessary panic.

Organizations that continue improving their security today are likely to be in a much stronger position regardless of how the revised Phase 2 requirements ultimately look.

 

Will Phase 2 Come Back?

At the time of writing, the Department of Defense has announced a review rather than a cancellation.

While nobody can say exactly what the final version of Phase 2 will look like, most industry observers expect some form of third party verification to return once the review has concluded. The details may change, the timeline may shift, and the assessment process may become more practical for smaller contractors, but the overall objective of protecting sensitive defense information is unlikely to disappear.

For that reason alone, abandoning compliance efforts now would be a risky decision.

More importantly, organizations shouldn't be investing in cybersecurity solely because they're expecting an audit. They should be investing because strong cybersecurity protects their business, their customers, and their reputation.

That's a strategy that remains valuable whether compliance requirements change next month, next year, or not at all.

 

Frequently Asked Questions

Is CMMC Phase 2 canceled?

No. It has been suspended while the Department of Defense reviews the program. The current expectation is that a revised version of Phase 2 will be introduced following that review.

 

Does NIST SP 800-171 still apply?

Yes. The suspension affects the certification process rather than the underlying cybersecurity framework. Organizations handling Controlled Unclassified Information should continue aligning with NIST SP 800-171 requirements.

 

Should MSPs pause CMMC projects?

In most cases, no. The additional time should be viewed as an opportunity to strengthen security controls, improve documentation, and prepare clients for whatever the revised assessment process looks like.

 

Should organizations still invest in cybersecurity awareness training?

Absolutely. Security awareness training helps reduce phishing, social engineering, and credential theft regardless of whether a compliance assessment is taking place. Improving employee behavior is valuable in its own right, not simply because it supports compliance.

 

So, basically…

The suspension of CMMC Phase 2 has understandably created plenty of discussion across the cybersecurity industry. But once the headlines settle, the practical advice for MSPs is remarkably straightforward.

Continue building strong security programs. Continue helping clients implement NIST SP 800-171. Continue investing in security awareness training that reduces real-world risk.

Because while compliance requirements may evolve over time, the threats your clients face every day haven't changed at all.

If you need help proving the ROI of Security Awareness Training or other security layers to your clients, download this e-guide.



 

Leave a comment: