Recent headlines announcing that the Department of War has suspended the planned November 10, 2026 implementation of CMMC Phase II have understandably raised questions throughout the Defense Industrial Base.
For many manufacturers, the first question has been:
"Does this change our compliance strategy?"
At this point, our answer is no.
While the Department reviews the CMMC Phase II certification process, organizations that handle Controlled Unclassified Information (CUI) remain responsible for meeting their contractual cybersecurity obligations. The planned implementation date has been suspended, but the underlying requirement to protect CUI has not.
What Was Announced?
The Department of War has suspended the planned November 10, 2026 implementation of CMMC Phase II while a task force reviews the program and develops recommendations.
According to the Department, the review is intended to reduce the cost and administrative burden placed on small, medium-sized, and non-traditional defense contractors while maintaining strong cybersecurity.
The review is focused on the certification process—not on eliminating cybersecurity requirements for organizations handling CUI.
What Hasn't Changed?
Several important requirements remain unchanged.
Organizations handling Controlled Unclassified Information should continue to:
- Protect CUI in accordance with applicable contractual requirements.
- Continue implementing NIST SP 800-171 security controls where required.
- Maintain an accurate System Security Plan (SSP).
- Complete required self-assessments and maintain accurate SPRS scores where applicable.
- Continue documenting evidence that supports their cybersecurity posture.
Prime contractors will also continue evaluating cybersecurity risk throughout their supply chains. Many will continue expecting subcontractors to demonstrate strong cybersecurity regardless of the federal certification timeline.
The Bigger Story Isn't the Suspension—It's Why
Most discussions surrounding this announcement focus on the suspension of CMMC Phase II.
We believe the more important question is why the Department made this decision.
The Department has stated that one of its primary objectives is reducing the cost and administrative burden placed on smaller defense contractors while maintaining strong cybersecurity.
That matters because many manufacturers have struggled with the assumption that CMMC requires securing every system, user, and business application across the organization.
For many companies, that's simply more than is necessary.
Why Site2 Believes This Reinforces Our Enclave Strategy
Long before this announcement, Site2 believed many manufacturers could achieve compliance more efficiently by reducing the scope of the environment that processes Controlled Unclassified Information.
Rather than expanding the compliance boundary across the entire organization, an appropriately designed enclave limits the systems, users, and data that require CMMC controls.
When appropriate, this approach can help organizations:
- Reduce implementation costs.
- Reduce assessment scope.
- Reduce operational complexity.
- Simplify ongoing compliance.
- Limit the number of systems requiring CMMC controls.
- Better align cybersecurity investments with actual business risk.
While we'll wait for the Department's recommendations before making any significant strategic adjustments, we believe the Department's stated objective aligns closely with the philosophy we've followed from the beginning:
Protect CUI without creating unnecessary cost, complexity, or compliance burden.
Don't Mistake the Suspension for Reduced Responsibility
One concern we have is that some organizations may interpret this announcement as a reason to pause their cybersecurity efforts.
We believe that's the wrong takeaway.
If your organization was required to protect CUI before this announcement, that obligation still exists today.
Organizations that continue improving their cybersecurity posture, maintaining documentation, and preparing for future assessments will be better positioned regardless of how the certification process ultimately evolves.
More importantly, cybersecurity isn't simply about passing an assessment. Protecting sensitive data, reducing operational risk, and maintaining trust with customers and prime contractors continue to provide value independent of any certification schedule.
What Should Manufacturers Do Next?
For most organizations, our recommendations remain unchanged.
- Continue protecting CUI.
- Continue following your compliance roadmap.
- Maintain accurate documentation and assessment evidence.
- Continue preparing for future CMMC requirements.
- Avoid making major strategic changes until the Department releases the results of its review.
- Evaluate opportunities to reduce long-term compliance costs by appropriately scoping your CMMC environment.
Frequently Asked Questions
Is CMMC going away?
No. The Department has suspended the planned November 10, 2026 implementation of CMMC Phase II while it reviews the program. It has not eliminated the underlying cybersecurity requirements or contractual obligations for organizations handling CUI.
Do I still need to comply with NIST SP 800-171?
If your contracts require compliance with DFARS 252.204-7012 or other applicable cybersecurity requirements, those obligations remain in effect. The review focuses on the certification process, not the requirement to protect CUI.
Should I stop preparing for CMMC?
No. We recommend continuing your compliance roadmap while avoiding major strategic changes until additional guidance is released.
Does this change Site2's recommendations?
Not at this time. In fact, we believe the Department's emphasis on reducing cost and complexity reinforces our long-standing recommendation to build practical, right-sized compliance solutions whenever appropriate.
Final Thoughts
The Department's announcement does not change the importance of protecting Controlled Unclassified Information. It suspends the planned implementation of CMMC Phase II while the program is reviewed and refined.
We'll continue monitoring the review process and sharing practical guidance as new information becomes available.
If you'd like to discuss how this announcement affects your organization—or whether an enclave strategy could reduce the cost and complexity of your CMMC program—we'd be happy to help.
Recent Posts in News

CMMC Update: What the DoD's Phase II Delay Means for Defense Contractors

Join Site2, Arctic Wolf, and NEPIRC for an Evening at the Ballpark

Comprehensive Overview of CMMC Registered Practitioner Organization (RPO) and Registered Practitioner (RP)

Medium-Assurance Certificate in Cybersecurity and Cybersecurity Compliance

