Essex Junction, VT802-335-2662dkoran@davidkoran.com
DK
David Koran& Associates
July 13, 2026: The Department suspended CMMC Phase 2. Phase 1 self assessment requirements remain in effect. Read the official announcement
CMMC Phase 2 Suspended July 13, 2026

CMMC Phase 2 is suspended, while NIST SP 800-171 obligations remain in force.

The Department suspended the November 10, 2026 transition to Phase 2 and all pending and future CMMC implementation milestones while a task force reviews the program. Phase 1 self assessments remain in effect, and contractors handling covered defense information remain responsible for DFARS 252.204-7012. I work onsite with defense manufacturers to align the CUI boundary, SSP, SPRS score, and operating environment with the requirements that apply now.

Current Program Status

The program is paused in Phase 1

  • The Phase 2 transition scheduled for November 10, 2026 is suspended.
  • Level 1 and Level 2 self assessment requirements remain in Phase 1.
  • Level 2 self assessment covers the 110 requirements in NIST SP 800-171 Revision 2.
  • The Department may continue select government led assessments.
  • No replacement Phase 2 date or final reform structure has been announced.
30+
Years in IT
2002
Cybersecurity Since
CyberAB Registered Practitioner Advanced
Registered Practitioner Advanced
CMMC Program Status

Phase 2 is suspended. Phase 1 remains the operating framework.

The July 13, 2026 announcement removed the November 10, 2026 transition to Phase 2 and suspended pending and future CMMC implementation milestones. It did not remove the underlying obligation to protect covered defense information. During the review, the Department states that it will continue enforcing NIST SP 800-171 Revision 2 through self assessments and select government led assessments.

What Changed

The scheduled Phase 2 expansion stopped.

The Department suspended the transition that would have expanded Level 2 C3PAO requirements beginning November 10, 2026, together with pending and future implementation milestones.

What Remains

Phase 1 self assessment requirements continue.

Level 1 and Level 2 self assessments remain in the current program. Contractors handling covered defense information also remain responsible for the safeguarding requirements in DFARS 252.204-7012.

What Is Unresolved

The future certification structure is under review.

A CMMC Reform Task Force is conducting a 60 day review informed by a public request for information. The Department has not announced a replacement Phase 2 date or a final revised model.

The practical question is no longer whether the November 10, 2026 Phase 2 date controls your schedule. It is whether your contracts, SPRS records, SSP, CUI boundary, and operating environment support the obligations that remain in force.

Review Readiness Services →
Getting Started

The CMMC Executive Series

Most CMMC guidance is written for the people who will implement the controls. This series is written for the person who has to decide, fund, announce, and answer for the program. Six installments, in the order you will actually face them, with working samples you can adapt: announcement memos, a budget worksheet, a backward timeline, and more.

Start at the beginning or jump to where you are. The series index lays out the full path and is the fastest way to see which decisions are behind you and which are next.

View the Full Series →
What the Suspension Does Not Change

A Level 2 self assessment remains a statement about the contractor's actual implementation of NIST SP 800-171.

Phase 1 permits Level 2 self assessment against the 110 security requirements in NIST SP 800-171 Revision 2, with results entered in SPRS and an annual affirmation of compliance. The suspension changes the planned expansion of third party certification, while the current self assessment framework remains in operation.

An SSP, policy set, or software platform can support that work, but none substitutes for implementation in the contractor's actual environment. The score must be supported by the systems, people, records, and operating practices within the defined assessment scope.

The schedule changed, while the obligation to understand and support the reported result remains.
Why Onsite

The work has to happen in your building.

NIST SP 800-171 Revision 2 contains 110 security requirements for systems that handle controlled unclassified information. Many of the implementation decisions depend on the contractor's facility, workforce, equipment, and actual information flow. Four examples show why the onsite environment matters.

01 CUI scope reduction

The defined scope determines which systems, users, facilities, and supporting resources must be documented and evaluated. An onsite review traces how engineering files move through email, file shares, print queues, CAD workstations, shop floor terminals, removable media, and external services so the boundary reflects the contractor's actual operation.

02 Artifact collection

NIST SP 800-171A uses examination, interview, and testing methods to determine whether requirements are implemented. The supporting record may include procedures, configuration evidence, log samples, training records, change records, visitor records, and media sanitization records. Building that record requires work with the people who operate the systems and processes described in the SSP.

03 Physical security controls

The physical protection requirements address authorized access, monitoring of facilities, visitor activity, physical access records, access devices, and protection of systems and output devices. An onsite review compares those requirements with the actual doors, keys, badges, visitor process, server locations, work areas, printed CUI handling, and media storage used at the facility.

04 Security awareness training design

The awareness and training requirements address security risks, applicable policies, assigned duties, and recognition of potential insider threat indicators. A generic course may provide part of the program, but the contractor still needs training content and records that correspond to its workforce, systems, information handling rules, and assigned security responsibilities.

This is the work I travel to do. The onsite model allows the documents, systems, records, facility, and employee practices to be reviewed as one operating environment rather than as separate submissions.
Engagement Structure

Three Phases of an Implementation Engagement

The sequence now begins with the requirements that remain active in Phase 1 rather than a presumed November 2026 C3PAO date. Each engagement is organized around the contractor's current contracts, CUI flow, SPRS record, and implementation gaps.

Phase One · Weeks 1 to 4

Discovery and Scoping

A short introductory call to confirm fit, followed by two to three days onsite. I walk the facility, meet the people responsible for IT, operations, quality, and contracts, map how CUI enters and moves through the environment, and identify where scope reduction is available.

OutputScoping memorandum, boundary definition, and an initial implementation plan.
Phase Two · Implementation

Readiness and Remediation

Gap analysis against the 110 requirements in NIST SP 800-171 Revision 2, followed by a prioritized remediation plan. The work includes SSP development, policy alignment, evidence collection, and periodic onsite verification while the contractor implements the requirements.

OutputA current SSP, supported SPRS score, limited POA&M where permitted, and records that match the operating environment.
Phase Three · Sustainment

Validation and Maintenance

Review of the SSP, SPRS record, annual affirmation support, evidence set, and open remediation items. The objective is to maintain an accurate current record that can support a government led assessment or a future third party requirement.

OutputA supportable self assessment record and an environment aligned with the documents that describe it.
What Is an RPA

A short note on what the credential actually means.

The CyberAB issues two practitioner credentials for CMMC consulting work. Registered Practitioner (RP) is the base credential. Registered Practitioner Advanced (RPA) is the advanced credential. Both are held by individuals, not firms, and both are subject to the CyberAB Code of Professional Conduct.

The RPA credential includes training in CMMC Level 2 assessment methodology, NIST SP 800-171 Revision 2, and the CMMC Assessment Process. That background supports readiness and implementation work by establishing how assessment objectives, evidence, interviews, and testing are organized.

An RPA is not a C3PAO. A formal CMMC certification assessment, when required, is performed through an authorized or accredited third party assessor organization. The RPA role is readiness, enablement, and implementation, including preparation for a government led review or any future contract requirement for a third party assessment.

Verify any practitioner

Anyone who holds an RP or RPA credential is listed in the CyberAB Marketplace. Before engaging any CMMC consultant, looking up their status there is a reasonable first step. The lookup returns one of three clear answers: a current credential, a lapsed credential, or no listing at all.

Services

What I Do

01

Readiness Engagement

The full path. Onsite discovery, scoping, gap analysis, prioritized remediation plan, and ongoing advisory through the pre-assessment review. Most clients retain me for this from start to finish.

02

CUI Scope Reduction

A focused engagement to identify where controlled unclassified information actually lives in your environment and to reduce the assessment boundary. A smaller boundary means fewer controls to maintain, a lighter evidence and maintenance burden across recurring self assessments and any future external review. This work can reduce the number of systems, users, and locations that must be documented and maintained.

03

SSP and Policy Development

Developing or rebuilding a System Security Plan and the supporting policies so they describe your actual environment, not a generic template. Includes critical review of existing SSPs that feel like they were not written for your operation.

04

Pre-Award Verification

For legal counsel and prime contractors. Independent onsite verification of a supplier's CMMC readiness before a contract is signed. Produces a structured findings record suitable for legal review and contract negotiation.

05

SSP Critical Review

A short, focused engagement. I review an existing SSP against the contractor's actual environment and identify where the document, SPRS score, evidence, and operation diverge before a government or external review.

06

Executive Briefings

Private briefings for leadership that translate CMMC obligations into business terms: contract exposure, remediation cost, realistic timeline, and the decisions leadership needs to own rather than delegate.

Learn More

The Full CMMC Consulting Services Overview

How a readiness engagement is sequenced week by week, what deliverables you take away, the contractor profiles this practice supports, and common questions contractors ask before a first call. Written for the IT director, CFO, or legal counsel who needs to understand what they are buying before the first conversation.

For Legal Counsel

Pre-Award Technical Due Diligence

A portion of my practice supports attorneys advising defense contractors on M&A, subcontracting, and pre-award risk. Before your client executes a contract that flows CUI obligations downstream, you need an independent answer to one question: does the counterparty actually comply.

I provide structured, onsite technical verification and produce a findings memorandum suitable for inclusion in the legal record. The full For Legal Counsel reference describes the engagement models, the substantive scope, and the practitioner credentials that bear on counsel's selection of an advisor.

Discuss a Verification Engagement →
What counsel receives Onsite review of control implementation, document sampling, interviews with the supplier's security personnel, and a formal findings memorandum with control-by-control determinations. Structured for direct use in legal analysis, contract negotiation, or regulatory response. Engagements are structured to respect counsel-directed constraints including privilege, work product, and scope of retention.
Background Reading

The CMMC Decision, Second Edition

A practitioner guide written for CEOs and senior executives of small and midsize defense contractors trying to decide how to approach compliance. Covers False Claims Act exposure, SPRS scoring, assessment preparation, and the decisions that determine whether a program succeeds. Free to download.

Read More →
Practitioner Research
Nine Papers

Published white papers on topics including C3PAO assessment capacity, CUI scope reduction, artifact integrity, supply chain compliance, MSP and ESP obligations, the training mandate, and pre-award verification. Each paper cites its sources and is available as a free PDF.

View All Publications →
David W. Koran, CyberAB Registered Practitioner Advanced
David W. Koran
CyberAB Registered Practitioner Advanced
About

David W. Koran

"The difference between supportable compliance and compliance theater is whether the documents, records, systems, and daily operation describe the same environment."

I am a CyberAB Registered Practitioner Advanced and the founder of an independent CMMC practice built to serve defense aerospace manufacturers and the legal counsel who support them. I work onsite in the specific environment where the controls have to operate, and I stay engaged through implementation, recurring self assessment, and any future external review.

My background is more than 30 years in information technology with a cybersecurity specialization dating to 2002. I have worked inside manufacturing environments, inside regulated financial operations, and alongside law firms on technical and regulatory matters.

I am the author of The CMMC Decision, now in its second edition, and I have published a library of practitioner white papers addressing topics from assessment capacity and artifact integrity to scope reduction and supply chain compliance. The work reflects a consistent commitment to substance over salesmanship: ground truth documentation, defensible findings, and guidance that holds up under scrutiny.

What I offer clients is my time, my attention, and a willingness to travel to their facility and do the work there. I am not a reseller, not a software vendor, and not a template library. If that fits what you need, we should talk.

Get In Touch

Start a Conversation

Call, email, or send a note. I respond personally to every inquiry, usually within one business day. No commitment and no pitch.

Phone
Address
Essex Junction, VT
Travel
I travel to client sites nationally.

Reach Out

Whether you are ready to engage, looking for a second opinion, or still trying to understand what CMMC means for your organization, I would like to hear from you.

Start CMMC Readiness →