Skip to the main content.

Modernize & Transform

Built to help you reimagine IT operations, empower your workforce, and leverage AI-powered tools to stay ahead of the curve.

Untitled design (3)

Empower My Team

We bring together the best of Microsoft’s cloud ecosystem and productivity tools to help your people thrive.

Untitled design (3)

Build My Infrastructure

We offer a comprehensive suite of infrastructure services tailored to support your business goals today and scale for the future

Untitled design (3)

IT Services

Our managed and co-managed IT service plans deliver a responsive and innovative engagement to support your IT needs, improve employee experience, and drive growth for your business. 

Untitled design (3)

Cybersecurity Services

Sourcepass offers innovative solutions, including SOC, GRC, Security Assessments, and more to protect your business.

Untitled design (3)

Professional Services

Grow your business with cloud migrations, infrastructure refreshes, M&A integrations, staff augmentation, technical assessments, and more.

Untitled design (3)

Industries

We understand what most managed service providers don’t – when it comes to industry-specific technology, one-size-fits-all solutions don’t exist.

Untitled design (3)

Public Sector

Sourcepass GOV, a division of Sourcepass, is dedicated to providing specialized IT solutions for the public sector.

Untitled design (3)

Locations

We have coverage across the United States, with phyiscal locations across 8 states. Wherever you are, Sourcepass has your back.

Untitled design (3)

Resource Library

Stay ahead, stay connected, and discover the future of IT with Sourcepass.

Untitled design (3)

Events & Webinars

Dive into a dynamic calendar of webinars and in-person gatherings designed to illuminate the latest in managed IT services, cybersecurity, and automation.

Untitled design (3)

Resources by Role

Explore key resources, eBooks, video trainings, and more curated for CEOs, CFOs, CIOs, CISOs, and technology leaders!

Untitled design (3)

The Sourcepass Story

Sourcepass aims to be different. It is owned and operated by technology, security, and managed services experts who are passionate about delivering an IT experience that clients love.

Untitled design (3)

The Sourcepass Experience

At Sourcepass, we’re rewriting the IT and cybersecurity experience by helping businesses focus on what they do best, while we deliver the infrastructure, insights, and innovation to help them thrive.

Untitled design (3)

 

CMMC Phase II Suspension: What to Do Next for Cybersecurity Compliance

 
CMMC Phase II Suspension: What to Do Next for Cybersecurity Compliance

The CMMC Phase II suspension changes how some defense contractors may need to demonstrate cybersecurity compliance, but it does not remove the need to protect Controlled Unclassified Information, maintain an accurate compliance posture, or continue implementing required security controls.

For executives, operations leaders, and IT decision-makers, the practical question is not whether to pause. It is how to keep compliance efforts moving while the government reviews the assessment mechanism.

 

What This Is

The Department of War announced the immediate suspension of CMMC Phase II requirements that had been scheduled for November 10, 2026, while confirming that Phase I self-assessment requirements remain in place and that cybersecurity remains a priority for the Defense Industrial Base.

The Department’s CMMC resources also state that, during this period, it will enforce cybersecurity compliance with NIST 800-171 Rev. 2 through self-assessments and select government-led assessments. DoD CIO CMMC overview 

 

What the CMMC Phase II Suspension Actually Means 

The suspension affects the planned transition to broader mandatory third-party CMMC Level 2 assessments.

It does not eliminate the underlying expectation that organizations handling CUI must implement appropriate safeguards, maintain accurate documentation, and be prepared to support their compliance position.

This distinction matters for any organization affected by CMMC requirements. A delayed or revised assessment pathway may reduce near-term administrative pressure, but it does not reduce the business, contractual, or operational need to protect sensitive information. Prime contractors, customers, insurers, and auditors may still ask for evidence that security controls are implemented and operating as intended.

 

CMMC Compliance Still Depends on NIST SP 800-171 

NIST SP 800-171 remains central to cybersecurity compliance for organizations that process, store, or transmit CUI in nonfederal systems.

NIST describes the publication as recommended security requirements for protecting the confidentiality of CUI in nonfederal systems and organizations, with requirements intended for use in federal contracts and similar agreements. NIST SP 800-171 Rev. 2

That means the most durable work is still the same work: confirm where CUI resides, implement required controls, maintain a System Security Plan, track remediation through Plans of Action and Milestones, and validate evidence against assessment objectives. NIST SP 800-171A provides assessment procedures that help organizations evaluate whether those requirements are satisfied. NIST SP 800-171A assessment procedures

 

Why Organizations Should Not Pause Cybersecurity Work 

A compliance pause can create an operational gap if it is misread as a security pause. The better approach is to treat the review period as time to improve control quality, evidence accuracy, and day-to-day security behavior.

 

Focus on Measurable Risk Reduction 

Executives should ask for security progress in measurable terms. Useful indicators include the percentage of users protected by multifactor authentication, the number of privileged accounts reviewed, the age of open remediation items, the percentage of endpoints covered by management and detection tools, and the completeness of evidence mapped to NIST SP 800-171 requirements.

Improve Security Behavior, Not Just Documentation

Compliance evidence is strongest when it reflects repeatable behavior. Access reviews should happen on a defined cadence. Incident response roles should be understood before an event. Users should know how to report suspicious messages. Administrators should follow least-privilege practices. These behaviors reduce risk and make future assessments easier to support.

 

Security Priorities for CMMC Readiness

Organizations should continue focusing on the control areas that support NIST SP 800-171 implementation and assessment readiness.

The most important priorities are not new. They include accurate scoping, implemented security controls, documented policies and procedures, organized evidence, and validation against the NIST SP 800-171A assessment objectives.

Compliance Posture and Evidence

Self-assessment increases the importance of accurate, evidence-based compliance claims. Organizations should be able to show which controls are implemented, which gaps remain, what remediation is underway, and what evidence supports each assertion.

Control Implementation and Remediation

Organizations should continue implementing required security controls and remediating known gaps. Pausing remediation during the review period could create unnecessary risk and leave the organization behind if future requirements continue to rely on the same security framework.

Prime Contractor and Customer Expectations

The announcement addresses Department implementation of CMMC requirements. It does not determine supplier qualification expectations set by prime contractors or customers. Organizations should confirm whether independent validation, evidence packages, or other compliance documentation will still be required.

 

How to Use the Review Period Productively

Leaders do not need to wait for final program changes to make useful progress. The review period is an opportunity to tighten the connection between security operations and compliance evidence.

  • Confirm whether contracts, prime contractor requirements, or customer commitments still require evidence of NIST SP 800-171 implementation.
  • Refresh the CUI data flow so leaders know which systems, users, devices, and third parties are in scope.
  • Review the System Security Plan for accuracy and remove assumptions that are not supported by evidence.
  • Prioritize remediation items that reduce real operational risk, especially identity, endpoint, logging, backup, and incident response gaps.
  • Validate controls against assessment objectives instead of relying only on policy statements.
  • Prepare executive reporting that shows risk reduction, evidence maturity, and remaining decisions.

 

What This Means for Managed Security Strategy

For many organizations, the challenge is not understanding that controls matter. It is sustaining them with the right capacity, governance, and accountability.

A managed security model can help when it is focused on governance, identity protection, monitoring, response readiness, and evidence management rather than one-time compliance preparation.

The right operating model should make security and compliance easier to manage over time. That includes clear ownership, practical reporting, documented exceptions, regular control reviews, organized evidence, and a path for turning technical findings into executive decisions.

 

Frequently Asked Questions

 

Does the CMMC Phase II suspension mean CMMC compliance no longer matters?

No. The suspension affects the planned Phase II implementation path, not the need to protect CUI or maintain accurate cybersecurity compliance evidence. Phase I self-assessment requirements remain in place, and organizations should continue aligning security practices to NIST SP 800-171 where applicable.

Should organizations stop preparing for a CMMC Level 2 assessment?

No. Organizations should continue preparing as though their controls may be reviewed by a customer, prime contractor, government reviewer, insurer, or future assessment body. The most useful preparation is implementing controls, collecting evidence, and correcting gaps that create actual risk.

What cybersecurity controls should organizations prioritize first?

Most organizations should prioritize identity security, multifactor authentication, privileged access review, endpoint management, patching, backup resilience, logging, incident response readiness, and documentation accuracy. These areas usually have direct risk reduction value and support stronger compliance evidence.

What should organizations do during the review period?

Organizations should continue implementing NIST SP 800-171 security requirements, remediating gaps, maintaining documentation, collecting evidence, and validating controls against NIST SP 800-171A assessment objectives. They should also confirm whether prime contractors or customers will continue to require independent validation.

What should executives ask their IT or security teams right now?

Executives should ask where CUI resides, which systems are in scope, which NIST SP 800-171 controls are not fully implemented, what evidence supports current self-assessment claims, which remediation items reduce the most risk, and whether prime contractors or customers still expect independent validation.

 

 

Sources: dowcio.war.gov |  war.gov