• 3 min read
CMMC pause exposes a bigger defense data gap
The CMMC Phase II suspension removed third-party checks, not contractors' obligations. That shifts attention to whether AI and automated workflows are governed at all.

Image: TechRepublic
The CMMC Phase II suspension looks less like a scheduling hiccup and more like a governance test for defense contractors. The Department of War paused the third-party assessment requirement for Level 2 contractors because too many organizations need reviews and too few accredited C3PAOs are available to perform them.
As DoW CIO Kirsten Davies put it, the suspension “does not eliminate the requirement for companies to protect federal data.” The underlying DFARS 252.204-7012 obligation still stands, as do existing NIST 800-171 self-attestations. What disappeared is the independent verification that might have exposed weaknesses before the Department of Justice did.
For many organizations, that weakness is no longer limited to employees mishandling Controlled Unclassified Information. Compliance programs were largely built around human access: document retrieval, file sharing, collaboration, authentication, audit logging, and incident response. But defense environments now include AI agents, automated pipelines, LLM-integrated tools, and agentic workflows moving data across systems, sometimes beyond the perimeter where human-focused controls apply.
That shift matters because attackers have already moved there. The CrowdStrike 2026 Global Threat Report found an 89% year-over-year increase in AI-enabled attacks. A governance model that covers people but not automated systems is, at best, incomplete.
DOJ enforcement and the self-governance problem
The article points to the DOJ’s Civil Cyber-Fraud Initiative, launched in October 2021, which uses the False Claims Act to pursue cybersecurity misrepresentations by government contractors. A Mayer Brown analysis from March 2026 identified 15 settled enforcement actions since launch, with most occurring in fiscal year 2025. According to the source, those cases did not require a breach — only a mismatch between what contractors attested to and what evidence showed was actually in place.

Recommended reading
AI won’t replace penetration testers just yet
That makes the current pause significant: during it, Defense Industrial Base organizations are effectively self-governing their compliance posture without outside verification. The key questions are straightforward:
- Are the controls protecting human access to CUI also applied to automated workflows?
- Is there a unified audit trail covering both human and agent access?
- Would that evidence hold up under scrutiny?
What contractors should do in the next 60 days
The source argues against building a separate compliance stack for AI. Instead, it recommends a unified governance architecture that applies the same policy layer — access controls, logging, data handling, and enforcement — to every identity touching sensitive data, whether human or machine.
It highlights three immediate steps for technology leaders:
- Audit the full access picture by mapping every human and automated entity that retrieves, processes, or routes CUI.
- Build continuous evidence generation rather than relying on point-in-time assessment prep.
- Extend policy enforcement to all identities under one control layer.
That approach could matter in the next version of the compliance model. The DoW’s RFI due Aug. 14 on SAM.gov explicitly asks how existing commercial security tools should be recognized. Contractors that can show continuous governance across both human and agent access may be better positioned when the audit process resumes — and better protected if enforcement arrives first.
Security Editor
Sophia unpacks the invisible wars happening on our networks. Covering cybersecurity, privacy legislation, and cryptography, she exposes how our data is weaponized and defended. Before joining for(geeks), she spent years as a penetration tester. She's the reason the rest of the team uses physical security keys.
via TechRepublic


