CMMC Level 2 Certifications Are NOT Suspended
Key Takeaways
- CMMC Assessments Continue: C3PAOs are still conducting CMMC Level 2 Certification Assessments – the only change is a 60-day pause on adding Level 2 assessment requirements to new DOW contracts.
- Cybersecurity Requirements Remain in Effect: Contractors subject to DFARS 252.204-7012 must continue implementing NIST SP 800-171, maintaining an SSP, and protecting CUI regardless of the pause.
- Unsupported SPRS Affirmations Carry Significant Risk: Organizations that cannot substantiate their compliance claims may face contract issues, procurement consequences, and potential False Claims Act liability.
- Use the Pause to Prepare: Organizations that continue strengthening cybersecurity, maintaining compliance evidence, and pursuing CMMC assessments will be better positioned when CMMC implementation resumes.
All Certified Third-Party Assessor Organizations (C3PAOs) continue to actively provide CMMC Level 2 Certification Assessments, entering the results into eMASS and SPRS with the final status. None of this has changed. This was reinforced by the Cyber AB, the official accreditation body of the Department of War’s (DOW) Cybersecurity Maturity Model Certification (CMMC) program. Refer to Cyber AB’s statement on the suspension of CMMC Phase II requirements.
What Is Currently Paused?
What has been paused for 60 days is the rollout by the DOW of adding the CMMC Level 2 C3PAO third-party assessment requirements to contracts. This pause is allowed because the regulation provides the DOW the ability to exercise a pause at their discretion. The law which requires CMMC has not changed. If an organization’s contract includes DFARS 252.204-7012, they remain contractually required to implement NIST SP 800-171 Rev. 2, maintain a current System Security Plan (SSP), and protect Controlled Unclassified Information (CUI). Those requirements existed before CMMC, remain in force today, and are independent of the current review of the CMMC program. CMMC simply provides the mechanism for verifying compliance with those existing requirements.
How Does This Affect Security Requirements?
The suspension and review do not change the significance of SPRS affirmations. The Affirming Official is not merely acknowledging that a self-assessment occurred; they are certifying that the organization, a) has implemented all applicable CMMC security requirements, and b) will maintain implementation of those requirements. If the organization does not have objective evidence to support the affirmation and substantiate an affirmed score, they may face contract performance issues, procurement consequences, and potential exposure under the False Claims Act.
The Department of Justice has repeatedly pursued cybersecurity related False Claims Act cases where contractors have misrepresented compliance. The cost of a CMMC Level 2 Certification Assessment appears like a small price to pay to avoid payments such as:
- Aero Turbine Inc paid $1.75 million to resolve their liability.
- Alabama defense contractor agrees to pay $507,144 to resolve cybersecurity violations under the False Claims Act.
What Should Organizations Do Now?
Affirming Officials should ask the question, “Is our compliance representations in anyway knowingly false or materially misleading?” If so, the organization and the Affirming Official are at risk of prosecution under the False Claims Act. As a C3PAO, our team has seen many cases where preparation for CMMC Level 2 Assessments has brought the noncompliance issues to the forefront in organizations.
From a business perspective, view this announcement as a pause – not a repeal. The regulatory framework for CMMC remains in place, and any future CMMC implementation will continue requiring contractors to demonstrate effective cybersecurity. Organizations that continue preparing now will be much better positioned to compete for future DOW opportunities, avoid the inevitable surge in demand for C3PAO assessments, and reduce the risks associated with unsupported SPRS affirmations.
Our recommendation is straightforward: Continue implementing NIST SP 800-171, maintain evidence that supports the organization’s SPRS affirmations, and pursue CMMC assessments. Regardless of how the DOW refines the CMMC program, organizations with mature cybersecurity practices and independently validated compliance will be in the strongest position when CMMC implementation resumes.
For more information on our CMMC services, contact Dave Hammarberg, Partner, LCCA or Elaine Nissley, Director, LCCA.
About the Author
David Hammarberg, CPA, CFE, CISSP, GSEC, MCSE, CISA, CCSFP, CHQP, CCA is a Partner and leader of the Soc & Cybersecurity team. His expertise and service focus areas include SOC for Service Organizations, SOC for Cybersecurity, HITR… Read more