THE CURTAIN DROPS
Immediate Suspension of CMMC Phase II
The compliance-industrial complex is mourning.
On July 13, 2026, the Department of War pulled the plug on CMMC Phase II — the third-party certification regime set to lock in on November 10, 2026. Contracting officers can now only require Level 1 or Level 2 self-assessment. No C3PAO. No DIBCAC. The assessors are watching two years of pipeline evaporate. The paper-pushers are calling it a weakened posture.
Maybe. Or maybe it's the first honest thing to happen to this program in years.
"Robust cybersecurity and operational resilience remain critical to protecting American innovation and supporting warfighter readiness. We believe the DIB can achieve both, while we reduce unnecessary government red tape." — DoW CIO Kirsten A. Davies
Under Secretary Michael Duffey put it more bluntly: the goal is to "maintain a strict security baseline while removing paralyzing costs and keeping innovators and competition growing in the defense supply chain."
Read that twice. Nobody in the room called this a retreat from security. They called it a retreat from cost without security. That's a different animal, and it's worth taking them at their word.
It wasn't killed. It's suspended, indefinitely, while a new CMMC Reform Task Force runs a comprehensive top-to-bottom review and reports back to the CIO in sixty days. That distinction matters — the fight over what actually protects the Defense Industrial Base isn't over. It's reopened, and this time speed to capability is in the room.
For five years, the DIB has choked on its own bureaucratic exhaust. The SBA's own data confirmed what every small manufacturer already knew: CMMC compliance costs were forcing innovative companies out of the supply chain, delaying the capabilities that actually reach the warfighter.
Pausing Phase II isn't a rollback of security. DFARS 252.204-7012 still binds every contractor touching CUI to the 110 requirements of NIST SP 800-171. Level 1 and Level 2 self-assessment are still mandatory, still on the record, still enforced through what the Department describes as "self-assessments and select government-led assessments." What's suspended is the third-party layer stacked on top. What's left is the baseline, undecorated — and it's still loaded. The DOJ's Civil Cyber-Fraud Initiative didn't go anywhere. An inaccurate self-assessment or unsupported affirmation is still a False Claims Act problem. The audit went away. The exposure didn't.
BRILLIANT AT THE BASICS
Fewer Controls. More Proof.
While the certification bodies were absorbing the suspension, the DoW CIO quietly published the actual roadmap: a campaign called Brilliant at the Basics — two Top 10 lists, one for IT, one for OT, aimed squarely at the small and mid-sized companies Phase II was crushing.
Read the list and the intent is obvious. Phishing-resistant MFA. Validated asset inventory. Network segmentation to limit lateral movement. Continuous monitoring. Supply chain security. Nothing exotic. Nothing that requires a six-figure assessor. Just the fundamentals, done well, done provably.
That word — brilliant — is doing more work than it looks like. It's not asking companies to check twenty new boxes. It's asking them to actually be good at the ten or so things that matter, and to be able to show it. That's not a lower bar. It's the same bar, with the theater scraped off.
The old model asked you to prove you'd paid someone to watch you follow a checklist. The new direction asks you to prove the fundamentals are true, continuously, in a way that survives a DOJ subpoena — not a way that survives an auditor's afternoon on-site.
That's a harder thing to fake and a much easier thing to build a real product around.
THE SHELFWARE EPIDEMIC
A Decade of Purchasing Security We Never Used
The cybersecurity industry has spent a decade perfecting the art of the illusion. We love metrics. We love activity. We love buying tools to signal maturity.
Security teams everywhere are infected with the shelfware problem: vulnerability scanners, endpoint agents, cloud posture platforms — deployed, licensed, never wired into an actual workflow. They scan. They generate colorful dashboards. They catalog thousands of findings into backlogs that no one will ever close.
Then, nothing happens.
We built an ecosystem around enumerating risk instead of managing it, and convinced ourselves visibility equals security. It doesn't. Visibility just means you have a high-definition camera watching an adversary walk out with your controlled unclassified information. A purchase order is not a risk reduction. It's a receipt.
CMMC Phase II, as written, was on track to become the ultimate shelfware enabler — a framework where passing an audit outranked closing a breach. Brilliant at the Basics reads like a deliberate correction: fewer controls, more proof. But self-assessment without a third party watching doesn't remove the shelfware problem on its own — it just removes the one external check that used to catch it. Now the only thing standing between an affirmation and an FCA subpoena is whatever evidence you actually kept.
TIME AS THE ULTIMATE ADVERSARY
Patient Strategy Against a Distracted Supply Chain
In my previous analysis, All the Way Down, I mapped the five-layer attack infrastructure of our primary adversary. From the Network up to the Psyche, Chinese cyber operations don't care about your compliance dashboards. They don't care about your incident response binder.
They care about time.
They are patient. They embed cellular modems into port cranes and firmware into subsidized routers, and they wait — years, sometimes — for the geopolitical moment that makes pulling the lever worth it. Taiwan is that moment, sitting on the calendar somewhere none of us gets to see. A patient adversary doesn't need to win a war to win a supply chain. It just needs the DIB slow, distracted, and full of gaps nobody's watching.
How do you counter a decades-long strategy? Not with administrative friction. We slowed down our own supply chain instead of theirs. We made a precision machine shop in Raleigh spend a year proving it had a policy for a firewall nobody ever checked. Every dollar and every hour a small DIB manufacturer spent on a third-party assessor was a dollar and an hour stolen from actual engineering, actual defense, actual speed to capability — the one resource a patient adversary is betting we don't have.
The suspension, and Brilliant at the Basics behind it, re-align us with time. Ten fundamentals, done well, ship faster than two hundred controls done for show.
THE PIVOT: UNIFIED EVIDENCE
From Compliance Artifact to Operational Weapon
This shift changes the market mechanics, whatever the Task Force's review ultimately produces. If a third-party audit is no longer the finish line, the finish line has to be reality — MFA that's actually phishing-resistant, an asset inventory that's actually validated, segmentation that actually holds. Reality, under an active FCA initiative, means proof you can stand behind if DOJ ever asks.
That's the thesis behind the pivot at Standalone Defense.
Small manufacturers can't do this alone. They rely on Managed Service Providers. But MSPs have historically been flying blind, armed with the same fragmented shelfware that plagues the enterprise — tools that report, but don't attest.
I built a schema for policy-and-control attestation — a unified evidence chain — because I kept seeing the gap between what tools report and what actually makes a network defensible. Brilliant at the Basics hands us the exact list to build against: ten IT fundamentals, ten OT fundamentals, each one a control that can be attested to instead of merely claimed. The schema stops being a compliance artifact and becomes a legal one.
The bet is simple: enable MSPs to operate as actual trusted partners for DIB manufacturers, not vendors of another dashboard. No more shelfware. No more fragmented evidence. A chain that ties each of those fundamentals directly to operational reality, in real time — so an MSP can show a DIB client, and if it ever comes to it, DOJ or the Department of War, that the baseline is met through cryptographic, immutable attestation instead of a signature on a form.
Whatever the Reform Task Force recommends in sixty days, it will need something to point at as proof. Evidence beats an affirmation every time someone actually checks — and someone is still checking.
WHERE THIS LEAVES US
The era of security-by-bureaucracy isn't dead — it's under review, with a live legal tripwire underneath it, and a short, honest list of fundamentals sitting where the paperwork used to be. That's a narrow window, and it's the most honest one this program has had in years.
The suspension is a wake-up call for everyone who was selling compliance instead of capability. The focus belongs back where it started: the supply chain, the adversary's patience, and the actual reduction of actual risk.
Tools won't save you. A stamped certificate never did, and its absence won't either. Being brilliant at the basics — and being able to prove it — will.
Build the evidence chain. Secure the baseline. And get back to work.
// Standalone Network Defense LLC · Raleigh, NC · standalonedefense.com