Department Of War just suspended CMMC Phase II

The Department of War’s suspension of CMMC Phase II is being covered as a compliance win for small and mid-size defense contractors, and in terms of bureaucratic burden, it is. But the third-party verification that Phase II provided doesn’t disappear without consequence; the DFARS clauses creating personal liability for affirming officials are still fully in force.

More details are here: Pentagon announces ‘immediate suspension’ of CMMC Phase II mandates – Breaking Defense

Justin Beals, CEO & Founder, Strike Graph, an AI-native GRC and compliance automation platform

“This isn’t a security stand-down. It’s a stand-down on who checks your homework. Phase I self-assessment stays in place, but the third-party verification that would catch a bad self-assessment doesn’t.

That matters because DFARS 252.204-7012 and 252.204-7021 didn’t go anywhere. Affirming officials are still personally exposed under the False Claims Act for a compliance claim nobody independently verified, the exact gap that produced the $4.6 million MORSECORP settlement.

Companies that treat this suspension as permission to stop building evidence will be the ones exposed when the Reform Task Force’s review lands in 60 days, or when an incident forces the question first. Self-attestation was never the finish line. It was always a claim waiting to be tested.”

This will be a #fail. I am calling it now as we need more cybersecurity not less. But I guess that the find out moment will come when people and organizations get pwned.

Leave a Reply

Discover more from The IT Nerd

Subscribe now to keep reading and get access to the full archive.

Continue reading