The Department suspended the November 10, 2026 transition to Phase 2 and all pending and future CMMC implementation milestones while a task force reviews the program. Phase 1 self assessments remain in effect, and contractors handling covered defense information remain responsible for DFARS 252.204-7012. I work onsite with defense manufacturers to align the CUI boundary, SSP, SPRS score, and operating environment with the requirements that apply now.

The July 13, 2026 announcement removed the November 10, 2026 transition to Phase 2 and suspended pending and future CMMC implementation milestones. It did not remove the underlying obligation to protect covered defense information. During the review, the Department states that it will continue enforcing NIST SP 800-171 Revision 2 through self assessments and select government led assessments.
The Department suspended the transition that would have expanded Level 2 C3PAO requirements beginning November 10, 2026, together with pending and future implementation milestones.
Level 1 and Level 2 self assessments remain in the current program. Contractors handling covered defense information also remain responsible for the safeguarding requirements in DFARS 252.204-7012.
A CMMC Reform Task Force is conducting a 60 day review informed by a public request for information. The Department has not announced a replacement Phase 2 date or a final revised model.
The practical question is no longer whether the November 10, 2026 Phase 2 date controls your schedule. It is whether your contracts, SPRS records, SSP, CUI boundary, and operating environment support the obligations that remain in force.
Review Readiness Services →Most CMMC guidance is written for the people who will implement the controls. This series is written for the person who has to decide, fund, announce, and answer for the program. Six installments, in the order you will actually face them, with working samples you can adapt: announcement memos, a budget worksheet, a backward timeline, and more.
What the program is, what it demands, and why the obligation is contractual rather than optional.
Part 02The decision that sets the cost, timeline, and scope of everything else. It turns on whether you handle CUI or only FCI.
Part 03 · NewAssigning ownership, briefing leadership, and announcing to employees, with sample memos and a kickoff agenda.
Part 04 · NewWhat the suspension changes, what current contracts still require, and how to budget implementation without relying on a Phase 2 date.
Part 05 · NewWhat your team can carry, where outside help earns its cost, and how to evaluate a practitioner before you sign anything.
Part 06What Phase 1 requires now, how self and government led assessments differ, and what a future third party requirement could examine.
Start at the beginning or jump to where you are. The series index lays out the full path and is the fastest way to see which decisions are behind you and which are next.
View the Full Series →Phase 1 permits Level 2 self assessment against the 110 security requirements in NIST SP 800-171 Revision 2, with results entered in SPRS and an annual affirmation of compliance. The suspension changes the planned expansion of third party certification, while the current self assessment framework remains in operation.
An SSP, policy set, or software platform can support that work, but none substitutes for implementation in the contractor's actual environment. The score must be supported by the systems, people, records, and operating practices within the defined assessment scope.
NIST SP 800-171 Revision 2 contains 110 security requirements for systems that handle controlled unclassified information. Many of the implementation decisions depend on the contractor's facility, workforce, equipment, and actual information flow. Four examples show why the onsite environment matters.
The defined scope determines which systems, users, facilities, and supporting resources must be documented and evaluated. An onsite review traces how engineering files move through email, file shares, print queues, CAD workstations, shop floor terminals, removable media, and external services so the boundary reflects the contractor's actual operation.
NIST SP 800-171A uses examination, interview, and testing methods to determine whether requirements are implemented. The supporting record may include procedures, configuration evidence, log samples, training records, change records, visitor records, and media sanitization records. Building that record requires work with the people who operate the systems and processes described in the SSP.
The physical protection requirements address authorized access, monitoring of facilities, visitor activity, physical access records, access devices, and protection of systems and output devices. An onsite review compares those requirements with the actual doors, keys, badges, visitor process, server locations, work areas, printed CUI handling, and media storage used at the facility.
The awareness and training requirements address security risks, applicable policies, assigned duties, and recognition of potential insider threat indicators. A generic course may provide part of the program, but the contractor still needs training content and records that correspond to its workforce, systems, information handling rules, and assigned security responsibilities.
The sequence now begins with the requirements that remain active in Phase 1 rather than a presumed November 2026 C3PAO date. Each engagement is organized around the contractor's current contracts, CUI flow, SPRS record, and implementation gaps.
A short introductory call to confirm fit, followed by two to three days onsite. I walk the facility, meet the people responsible for IT, operations, quality, and contracts, map how CUI enters and moves through the environment, and identify where scope reduction is available.
Gap analysis against the 110 requirements in NIST SP 800-171 Revision 2, followed by a prioritized remediation plan. The work includes SSP development, policy alignment, evidence collection, and periodic onsite verification while the contractor implements the requirements.
Review of the SSP, SPRS record, annual affirmation support, evidence set, and open remediation items. The objective is to maintain an accurate current record that can support a government led assessment or a future third party requirement.
The CyberAB issues two practitioner credentials for CMMC consulting work. Registered Practitioner (RP) is the base credential. Registered Practitioner Advanced (RPA) is the advanced credential. Both are held by individuals, not firms, and both are subject to the CyberAB Code of Professional Conduct.
The RPA credential includes training in CMMC Level 2 assessment methodology, NIST SP 800-171 Revision 2, and the CMMC Assessment Process. That background supports readiness and implementation work by establishing how assessment objectives, evidence, interviews, and testing are organized.
An RPA is not a C3PAO. A formal CMMC certification assessment, when required, is performed through an authorized or accredited third party assessor organization. The RPA role is readiness, enablement, and implementation, including preparation for a government led review or any future contract requirement for a third party assessment.
Anyone who holds an RP or RPA credential is listed in the CyberAB Marketplace. Before engaging any CMMC consultant, looking up their status there is a reasonable first step. The lookup returns one of three clear answers: a current credential, a lapsed credential, or no listing at all.
The full path. Onsite discovery, scoping, gap analysis, prioritized remediation plan, and ongoing advisory through the pre-assessment review. Most clients retain me for this from start to finish.
A focused engagement to identify where controlled unclassified information actually lives in your environment and to reduce the assessment boundary. A smaller boundary means fewer controls to maintain, a lighter evidence and maintenance burden across recurring self assessments and any future external review. This work can reduce the number of systems, users, and locations that must be documented and maintained.
Developing or rebuilding a System Security Plan and the supporting policies so they describe your actual environment, not a generic template. Includes critical review of existing SSPs that feel like they were not written for your operation.
For legal counsel and prime contractors. Independent onsite verification of a supplier's CMMC readiness before a contract is signed. Produces a structured findings record suitable for legal review and contract negotiation.
A short, focused engagement. I review an existing SSP against the contractor's actual environment and identify where the document, SPRS score, evidence, and operation diverge before a government or external review.
Private briefings for leadership that translate CMMC obligations into business terms: contract exposure, remediation cost, realistic timeline, and the decisions leadership needs to own rather than delegate.
How a readiness engagement is sequenced week by week, what deliverables you take away, the contractor profiles this practice supports, and common questions contractors ask before a first call. Written for the IT director, CFO, or legal counsel who needs to understand what they are buying before the first conversation.
A portion of my practice supports attorneys advising defense contractors on M&A, subcontracting, and pre-award risk. Before your client executes a contract that flows CUI obligations downstream, you need an independent answer to one question: does the counterparty actually comply.
I provide structured, onsite technical verification and produce a findings memorandum suitable for inclusion in the legal record. The full For Legal Counsel reference describes the engagement models, the substantive scope, and the practitioner credentials that bear on counsel's selection of an advisor.
Discuss a Verification Engagement →A practitioner guide written for CEOs and senior executives of small and midsize defense contractors trying to decide how to approach compliance. Covers False Claims Act exposure, SPRS scoring, assessment preparation, and the decisions that determine whether a program succeeds. Free to download.
Read More →Published white papers on topics including C3PAO assessment capacity, CUI scope reduction, artifact integrity, supply chain compliance, MSP and ESP obligations, the training mandate, and pre-award verification. Each paper cites its sources and is available as a free PDF.
View All Publications →
I am a CyberAB Registered Practitioner Advanced and the founder of an independent CMMC practice built to serve defense aerospace manufacturers and the legal counsel who support them. I work onsite in the specific environment where the controls have to operate, and I stay engaged through implementation, recurring self assessment, and any future external review.
My background is more than 30 years in information technology with a cybersecurity specialization dating to 2002. I have worked inside manufacturing environments, inside regulated financial operations, and alongside law firms on technical and regulatory matters.
I am the author of The CMMC Decision, now in its second edition, and I have published a library of practitioner white papers addressing topics from assessment capacity and artifact integrity to scope reduction and supply chain compliance. The work reflects a consistent commitment to substance over salesmanship: ground truth documentation, defensible findings, and guidance that holds up under scrutiny.
What I offer clients is my time, my attention, and a willingness to travel to their facility and do the work there. I am not a reseller, not a software vendor, and not a template library. If that fits what you need, we should talk.
Call, email, or send a note. I respond personally to every inquiry, usually within one business day. No commitment and no pitch.
Whether you are ready to engage, looking for a second opinion, or still trying to understand what CMMC means for your organization, I would like to hear from you.
Start CMMC Readiness →