The Department of War’s suspension of CMMC Phase II is being covered as a compliance win for small and mid-size defense contractors, and in terms of bureaucratic burden, it is. But the third-party verification that Phase II provided doesn’t disappear without consequence; the DFARS clauses creating personal liability for affirming officials are still fully in force.
More details are here: Pentagon announces ‘immediate suspension’ of CMMC Phase II mandates – Breaking Defense
Justin Beals, CEO & Founder, Strike Graph, an AI-native GRC and compliance automation platform
“This isn’t a security stand-down. It’s a stand-down on who checks your homework. Phase I self-assessment stays in place, but the third-party verification that would catch a bad self-assessment doesn’t.
That matters because DFARS 252.204-7012 and 252.204-7021 didn’t go anywhere. Affirming officials are still personally exposed under the False Claims Act for a compliance claim nobody independently verified, the exact gap that produced the $4.6 million MORSECORP settlement.
Companies that treat this suspension as permission to stop building evidence will be the ones exposed when the Reform Task Force’s review lands in 60 days, or when an incident forces the question first. Self-attestation was never the finish line. It was always a claim waiting to be tested.”
This will be a #fail. I am calling it now as we need more cybersecurity not less. But I guess that the find out moment will come when people and organizations get pwned.
Related
This entry was posted on July 14, 2026 at 2:30 pm and is filed under Commentary with tags Department Of War. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
Department Of War just suspended CMMC Phase II
The Department of War’s suspension of CMMC Phase II is being covered as a compliance win for small and mid-size defense contractors, and in terms of bureaucratic burden, it is. But the third-party verification that Phase II provided doesn’t disappear without consequence; the DFARS clauses creating personal liability for affirming officials are still fully in force.
More details are here: Pentagon announces ‘immediate suspension’ of CMMC Phase II mandates – Breaking Defense
Justin Beals, CEO & Founder, Strike Graph, an AI-native GRC and compliance automation platform
“This isn’t a security stand-down. It’s a stand-down on who checks your homework. Phase I self-assessment stays in place, but the third-party verification that would catch a bad self-assessment doesn’t.
That matters because DFARS 252.204-7012 and 252.204-7021 didn’t go anywhere. Affirming officials are still personally exposed under the False Claims Act for a compliance claim nobody independently verified, the exact gap that produced the $4.6 million MORSECORP settlement.
Companies that treat this suspension as permission to stop building evidence will be the ones exposed when the Reform Task Force’s review lands in 60 days, or when an incident forces the question first. Self-attestation was never the finish line. It was always a claim waiting to be tested.”
This will be a #fail. I am calling it now as we need more cybersecurity not less. But I guess that the find out moment will come when people and organizations get pwned.
Share this:
Like this:
Related
This entry was posted on July 14, 2026 at 2:30 pm and is filed under Commentary with tags Department Of War. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.