The Audit Is Suspended. Your Obligations Aren't: NIST 800-171 and SPRS After the CMMC Pause
CMMC Phase 2 is on hold, but DFARS 252.204-7012, NIST SP 800-171, SPRS scores, and annual self-assessments still apply to every defense contractor handling CUI. What you must keep doing — and the False Claims Act risk if you don't.
"CMMC is dead" is the most expensive sentence in defense contracting right now
On July 13, 2026, the Department of War suspended CMMC Phase 2 — the third-party certification requirements that were due to hit new solicitations in November. Within hours, the takes started: CMMC is dead. Compliance is optional. Stand down.
Here's what actually got suspended: the audit. Here's what didn't: every contractual obligation that makes NIST SP 800-171 binding on your company. Those clauses have been in DoD contracts since 2017 — years before CMMC existed — and the memo doesn't touch them.
If you handle Controlled Unclassified Information (CUI) under a DoD contract, the following are as mandatory today as they were on July 12:
What's still in your contract
DFARS 252.204-7012 — the clause that started it all. If it's in your contract (it's in virtually all of them), you agreed to implement all 110 requirements of NIST SP 800-171 and to report cyber incidents to the DoD within 72 hours. Suspension of CMMC changes nothing here.
DFARS 252.204-7019 and -7020 — you must have a current NIST 800-171 self-assessment score posted in SPRS (not older than three years) to be eligible for award, and you must let the government verify it. Contracting officers still check.
CMMC Phase 1 — in force since November 2025 and explicitly preserved by the memo. Where the clause appears, an annual Level 1 or Level 2 self-assessment with a senior-official affirmation in SPRS is a condition of award. The suspended part is the C3PAO showing up — not the assessment, and not the affirmation.
FAR 52.204-21 — the 15 basic safeguarding requirements for anyone touching Federal Contract Information. Unchanged. (Small shop? Start with our plain-English Level 1 self-assessment guide.)
Your prime's flow-downs — primes are contractually on the hook for their supply chain, and their supplier questionnaires didn't pause for the memo. If anything, expect more of them while the government's own verification is in flux. Here's how to answer them without losing the work.
No auditor doesn't mean no enforcement
This is the part that should worry you more, not less: with third-party certification suspended, your own affirmation is the enforcement surface — and affirmations are signed by a senior company official, under a statute with teeth.
The Department of Justice's Civil Cyber-Fraud Initiative has been using the False Claims Act against contractors that claimed compliance they didn't have, and it has already produced multimillion-dollar settlements — including cases built on inflated self-assessment scores. FCA liability means treble damages, and whistleblowers (often your own former IT staff) collect a share.
So the honest framing of the CMMC pause is this: the government stopped checking your work, but kept the penalty for getting it wrong. When there's no assessor to catch an optimistic answer before it becomes a signed affirmation, the only thing standing between you and an FCA problem is the quality of your own records: the self-assessment, the scoring worksheet, the System Security Plan, the POA&M, and the evidence behind each answer.
What to actually do during the pause
The Reform Task Force reports in roughly 60 days, and whatever replaces Phase 2 will almost certainly be built on the same foundation: NIST 800-171 self-assessment plus affirmation. Contractors who use this window well will be ready for any version of the outcome. The playbook:
- Scope your CUI environment. Which systems, people, and processes touch CUI? Keep the boundary as small as honesty allows — scope drives everything else.
- Self-assess against all 110 requirements of NIST SP 800-171 Rev 2, using the DoD scoring methodology. Implemented, partially, or not — answered honestly.
- Compute your real SPRS score with the official weights (some gaps cost you 5 points, some cost 1 — the difference matters) and post it. An accurate mediocre score is defensible; an inflated one is a liability.
- POA&M the gaps. Every "not yet" needs an owner, an action, and a date. That document is your good-faith story if anyone ever asks.
- Keep the SSP and evidence current. Policies, user lists, MFA settings, incident response plan — filed where you can produce them for a prime, a contracting officer, or an investigator.
- Recheck annually — or when the rules change. The affirmation is annual. The task force outcome may adjust the control set; a maintained assessment is a one-day update, an abandoned one is a restart.
How CyberPolicify does the heavy lifting
This playbook is exactly what CyberPolicify automates for small and mid-size contractors — without consultants, and at software prices:
- Guided 800-171 self-assessment: all 110 NIST SP 800-171 Rev 2 requirements in plain English, with the official SPRS weighting built in, so your score is computed the way DoD computes it.
- AI-generated policies and procedures mapped to the requirements they satisfy — the documentation layer where most small contractors actually fail.
- Gap analysis with remediation tracking: every gap becomes a tracked action with an owner and a date — your POA&M, maintained instead of improvised.
- A living risk register so next year's affirmation, the next prime questionnaire, and whatever CMMC reform produces are updates to a running program, not emergencies.
The audit is suspended. The obligations aren't — and neither is your competition. Start your self-assessment, or take the free 3-minute readiness check to see where you stand first.
Generate documentation mapped to frameworks
Generate policies, procedures, and gaps you can act on—without consultant-heavy overhead.