Phase I Isn’t Suspended. Neither Are Your Obligations Under DFARS.

CMMC Phase II

The suspension of CMMC Phase II paused third-party certification. It did not pause your DFARS cybersecurity obligations. Phase I self-assessment requirements remain in place throughout the 60-day review period, and the Department of War will enforce NIST SP 800-171 Rev 2 through self-assessments and select government-led assessments during this window. If your organization holds a DoW contract, those obligations remain fully in force today.

Since the announcement, the most common question we’ve heard from defense contractors is some version of “do we still have to do this?” The answer is yes, and the contract clauses that say so never moved.

What Stays Binding Under 7012, 7019, and 7020

DFARS 252.204-7012 requires defense contractors and subcontractors to safeguard covered defense information by implementing the 110 controls of NIST SP 800-171, and to report cyber incidents to DoW within 72 hours. The obligation to protect Controlled Unclassified Information, and to report incidents within 72 hours, didn’t pause with the assessment.

DFARS 252.204-7019 requires offerors to have a current NIST SP 800-171 self-assessment score, no older than three years, posted in the Supplier Performance Risk System (SPRS) as a condition of contract award eligibility.

DFARS 252.204-7020 obligates contractors to maintain that SPRS score, grant the government access to conduct higher-level assessments, and flow the requirement down to applicable subcontractors.

Third-party certification under Phase II is paused. The self-assessment, scoring, reporting, and data-protection duties under 7012, 7019, and 7020 are not.

What Changes When the Assessor Isn’t in the Room

Self-assessments now carry more weight in the absence of Phase II third-party certification, which means the accuracy of a contractor’s SPRS score matters more, not less.

Submitting an inflated, unsupported, or knowingly false self-assessment score, or misrepresenting the state of NIST SP 800-171 implementation, exposes a contractor to liability under the federal False Claims Act. The Department of Justice has actively pursued contractors that knowingly misrepresent their cybersecurity compliance. Violations can result in triple damages, per-claim civil penalties, contract termination, suspension or debarment, and, in cases involving willful misconduct, criminal prosecution. The Act’s qui tam provisions also allow whistleblowers to bring suit on the government’s behalf and share in any recovery.

The practical takeaway: a score in SPRS is a legal attestation, not a placeholder. If your posted score was optimistic, the review period is the time to correct it, before a government-led assessment or an incident forces the question.

What Defense Contractors Should Do During the Review Period

  1. Verify your SPRS score is accurate and evidence-backed. If you can’t produce the System Security Plan and supporting documentation behind it, the score is a liability, not an asset.
  2. Keep your NIST 800-171 implementation on schedule. The 110 requirements apply today, and the requirement is expected to return in reformed, not reduced, form.
  3. Confirm your incident response process can meet the 72-hour reporting window. That clock is contractual and did not pause.
  4. Check your subcontractor flowdowns. 7020 obligations move down the chain when CUI does.

For the full breakdown of what the suspension announcement said and why it happened, see our analysis: CMMC Phase II Is Suspended. Your Compliance Obligations Are Not.

Frequently Asked Questions

Did the CMMC Phase II suspension pause DFARS 252.204-7012? No. DFARS 252.204-7012 remains contractually binding. Contractors handling covered defense information must implement the 110 controls of NIST SP 800-171 and report cyber incidents to DoW within 72 hours.

Do I still need a SPRS score during the suspension? Yes. Under DFARS 252.204-7019, a current self-assessment score (no older than three years) posted in SPRS remains a condition of contract award eligibility. DFARS 252.204-7020 requires you to maintain it.

Can I be penalized for an inaccurate self-assessment score? Yes. A knowingly false or unsupported SPRS score can trigger liability under the False Claims Act, including triple damages, civil penalties, contract termination, debarment, and criminal prosecution for willful misconduct.

Are government assessments still happening? Yes. The Department of War stated it will enforce NIST SP 800-171 Rev 2 through self-assessments and select government-led assessments during the 60-day review period.

If the Phase II suspension has you unsure where you stand, schedule a Strategy Session to find out.

Schedule a Strategy Session

Co-Author Mike Shughrue

ON THIS PAGE

Looking to hire an MSP for CMMC?

Click the button below now.

Lorem ipsum dolor sit amet,

Lorem ipsum dolor sit amet, consectetur adipiscing elit. Ut elit tellus, luctus nec

Compliance Isn't a Checkbox

It’s contract eligibility. Agile IT builds, secures, and validates Microsoft 365, GCC High, and Azure environments for organizations facing CMMC, NIST 800-171, and CUI requirements. If a failed audit would cost you contracts, talk to us before it does.

Related Posts