CMMC Phase 2 Suspended? Separating Fact from Fiction for Defense Contractors

Is CMMC Phase 2 suspended? Unpack the truth behind CMMC 2.0 delays, the current rulemaking status, and why defense contractors must prioritize NIST 800-171 now.
Amidst the evolving landscape of defense contracting, rumors and headlines regarding "CMMC phase 2 suspended" have caused a stir among Small to Mid-sized Businesses (SMBs) in the Defense Industrial Base (DIB).
However, navigating the complexities of the Cybersecurity Maturity Model Certification (CMMC) requires distinguishing between procedural pauses, rulemaking shifts, and the ultimate reality of compliance requirements. If you are a defense contractor, understanding the current state of CMMC 2.0 is critical to your long-term eligibility for Department of Defense (DoD) contracts.
The Truth About the "Suspension"
The phrase "CMMC phase 2 suspended" often refers to the transition period between the original CMMC 1.0 and the current CMMC 2.0 framework. During this shift, the DoD effectively paused the implementation of the original pilot programs to simplify the requirements and reduce the burden on small businesses.
What many interpreted as a "suspension" was actually a restructuring. The DoD moved away from the five-level model to a streamlined three-level model. While the rollout of specific contract requirements was delayed, the underlying mandate to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) never went away.
Why the Shift Occurred
The DoD recognized several roadblocks in the initial version of CMMC:
- Cost Complexity: SMBs found the certification costs prohibitive.
- Assessor Scarcity: There weren't enough Third-Party Assessment Organizations (C3PAOs) to audit hundreds of thousands of contractors.
- Redundancy: Much of CMMC 1.0 overlapped with existing NIST SP 800-171 requirements.
Where Does CMMC 2.0 Stand Today?
Currently, CMMC 2.0 is in the final stages of the federal rulemaking process. We are no longer in a "suspended" state; we are in the "implementation" countdown. The Final Rule for CMMC was submitted to the Office of Management and Budget (OMB) and is expected to appear in contracts starting in 2025.
The Phases of Implementation
Once the rule is finalized, the DoD plans a phased rollout over four years:
- Phase 1: Self-assessments for Level 1 and some Level 2 contracts will be required as a condition of contract award.
- Phase 2: C3PAO certifications will become a requirement for specific Level 2 programs.
- Phase 3: Level 3 certification requirements (for high-priority programs) will be introduced.
- Phase 4: Full implementation across all applicable solicitations.
The NIST 800-171 Connection
The most dangerous misconception regarding "CMMC phase 2 suspended" is the idea that cybersecurity requirements are currently optional.
Even without a formal CMMC certificate on your wall today, if you handle CUI, you are already legally obligated to comply with DFARS 252.204-7012 and NIST SP 800-171.
CMMC 2.0 Level 2 is directly mapped to the 110 controls found in NIST 800-171. If you are waiting for the "suspension" to end before starting your compliance journey, you are already behind. Auditors will look for historical evidence that these controls have been active in your environment for months, not just days.
Risks of Delaying Compliance
Delaying your preparation because of headlines regarding program pauses carries significant business risks:
- Contract Ineligibility: Once the CMMC clause appears in a Request for Proposal (RFP), you will likely not have enough time to achieve compliance before the bid deadline.
- False Claims Act Exposure: Self-attesting to compliance in the SPRS (Supplier Performance Risk System) while lacking the necessary controls can lead to legal action and heavy fines.
- Cyber Vulnerability: The threats from external actors targeting the DIB are increasing. Compliance is not just a "hoop to jump through"—it is a defense mechanism for your intellectual property.
How to Prepare Now
The "pause" is over. Now is the time for action. Follow these steps to ensure your organization is ready for the CMMC 2.0 rollout:
1. Identify Your Scope
Determine what CUI and FCI you handle. If you can isolate this data within a specific enclave, you can significantly reduce the cost and complexity of your CMMC assessment.
2. Gap Assessment
Perform a formal gap assessment against NIST 800-171. Identify which of the 110 controls are fully implemented, partially implemented, or missing entirely.
3. Develop Your SSP and POA&M
You must have a written System Security Plan (SSP). For any controls not yet met, you need a Plan of Action and Milestones (POA&M). Note that under CMMC 2.0, certain high-priority controls cannot remain on a POA&M for the final certification.
4. Improve Your SPRS Score
Ensure your scores are accurately reported in the DoD’s Supplier Performance Risk System. A low or outdated score can be a red flag for prime contractors looking for reliable subcontractors.
Conclusion
While the term "CMMC phase 2 suspended" was a popular headline during the transition to version 2.0, the reality is that the program is moving forward with full support from the DoD.
Compliance is no longer a "future" problem; it is a current business requirement. Organizations that use this remaining time to solidify their security posture will have a distinct competitive advantage over those who wait until the last minute.
Is your business ready for the end of the CMMC transition? Don't wait for a mandate to find out you're missing critical controls. Contact GreyPike today for a readiness assessment.



