Skip to main content

What changed, what didn't, and what to do next...


If you've been following the recent CMMC announcement, you're probably wondering whether your cybersecurity plans should change.

It's a fair question.

The short answer is no.

The Department of Defense recently announced a temporary 60-day pause on mandatory third-party C3PAO assessments for CMMC Level II and Level III while it reviews the future of the audit process.

Unsurprisingly, the announcement has generated a lot of discussion.

Some organizations see this as welcome breathing room. Others are wondering whether they should delay projects or postpone investments until there's more clarity.

My perspective is simple.

The audit process may be changing. The responsibility to protect sensitive information is not.

Compliance and Security Are Not the Same Thing

One of the biggest misconceptions about CMMC is that it's primarily an audit.

It isn't.

CMMC is a cybersecurity framework. An audit is simply one way to verify that an organization has implemented the required security controls.

Whether that verification ultimately comes through a third-party assessment, self-attestation, or another process, the underlying expectation remains the same. Organizations entrusted with Controlled Unclassified Information (CUI) are still expected to protect it.

That distinction matters because cybersecurity has never been about passing an audit.

It's about reducing risk.

The same principle extends well beyond organizations supporting the Defense Industrial Base.

Customers continue to evaluate cybersecurity before awarding business. Cyber insurance providers continue to assess security maturity. Regulators continue to introduce new requirements. Boards and executive teams are asking more informed questions about cyber risk than ever before.

Good cybersecurity has become a business requirement, not simply a compliance exercise.

Why the Department of Defense Is Taking Another Look

I understand why the Department of Defense is reviewing the current process.

The existing C3PAO model introduced significant challenges for many organizations.

The number of authorized assessors has remained relatively small compared to the number of organizations requiring certification. Scheduling became difficult. Costs increased. Many small and medium-sized businesses found themselves balancing audit preparation with the day-to-day realities of running their businesses.

Taking time to evaluate whether there's a more effective way to validate compliance is reasonable.

Reducing unnecessary friction doesn't mean reducing cybersecurity expectations.

If anything, it creates an opportunity to focus on what really matters.

What Should Organizations Do Now?

This is the question I've been asked most since the announcement.

My advice is straightforward.

If you've already started a gap assessment, keep going.

A gap assessment is still one of the most valuable investments an organization can make. Understanding where your security program stands today provides clarity regardless of how future compliance is validated.

You can't prioritize improvements if you don't know where your risks are.

If you're considering engaging a C3PAO, I'd avoid making a long-term commitment until there's more clarity.

The next 60 days should provide additional direction on whether the audit process returns unchanged, is modified, or takes a different path. Waiting before making significant financial commitments is a reasonable decision.

If you've already engaged a C3PAO, reach out to them directly.

They should be able to explain how they're interpreting the announcement and what it means for your engagement, timelines, and next steps.

Don't Mistake Breathing Room for a Free Pass

For many organizations, this announcement provides something valuable.

Time.

The question is how that time will be used.

The organizations that benefit most won't be the ones that pause their cybersecurity efforts.

They'll be the ones that continue improving their security posture while others wait.

The controls that support CMMC are the same controls that reduce ransomware risk, strengthen cyber insurance readiness, protect customer data, and build trust with customers and partners.

Identity management.

Multi-factor authentication.

Asset inventory.

Access control.

Vulnerability management.

Security awareness.

These aren't compliance checkboxes.

They're practical business safeguards that reduce real-world risk.

A Risk-Based Approach Still Wins

One of the things I've always appreciated about a risk-based approach to cybersecurity is that it doesn't depend on regulatory timelines.

Regulations evolve.

Audit models change.

Customer expectations continue to grow.

Organizations that build their cybersecurity programs around compliance deadlines often find themselves scrambling every time the rules change.

Organizations that build their cybersecurity programs around managing risk adapt much more easily.

Whether the Department of Defense reinstates third-party assessments, modifies the process, or adopts a different approach altogether, organizations that continue strengthening their cybersecurity today will be well positioned for whatever comes next.

Compliance requirements may evolve.

Managing cyber risk remains a business responsibility.

We'll continue monitoring the Department of Defense's review and share updates as more information becomes available.

In the meantime, I wouldn't spend the next 60 days waiting.

I'd spend them reducing risk.

 

Ford Winslow
Ford Winslow
Jul 17, 2026 3:42:43 PM