Skip to main content
Measured savings across 11 LLMs, from Claude Opus 4.7 to Gemini Flash.→ See per-model data
Connect your client
Engineering

CMMC's third-party audit is suspended. The data obligation isn't.

On July 13 the Pentagon suspended CMMC Phase II, the third-party audit that was set to start in November. NIST 800-171 self-assessment stays, and so does the legal duty to protect federal data. For contractors running AI dev tools, the burden of proof just moved onto them.

James Hollingsworth(Contributor)Published 5 min read~888 words

On July 13, 2026, the Pentagon suspended the part of CMMC that most defense contractors were dreading: the third-party audit. If you supply the Department of Defense and you have been budgeting for a certified assessor, that line item is gone for now. If you read the headline as "cybersecurity requirements dropped," you read it wrong. We build compression and code-scanning tooling, not a compliance product, so treat what follows as an engineer's read of a policy change, not legal advice.

What the Pentagon actually suspended

The suspension is narrow and specific. Pentagon CIO Kirsten Davies announced the immediate suspension of CMMC Phase II, the requirement that was scheduled to take effect November 10, 2026. What Phase II added was the third-party assessment: an outside, accredited assessor auditing your controls every three years. That audit is what stopped. Undersecretary Michael Duffey told reporters the department is halting complex audits and the third-party assessor requirement, and directed contracting officers to amend active solicitations that still carry those clauses.

The reason is arithmetic, not a change of heart about security. Davies put it plainly: more than 100,000 defense-industrial-base businesses needed a third-party assessment, against roughly 100 accredited assessors to conduct them. Her words: "the math just simply doesn't math." The Small Business Administration's feedback, cited in the July 10 memo, called the current program structurally incompatible with rapidly expanding the industrial base. A task force will review CMMC and report back within 60 days.

Self-assessment is a heavier obligation, not a lighter one

Here is the sentence in the announcement that matters most, and the one the headlines skipped: the action does not eliminate the legal requirement for industry partners to protect federal data. During the review, the department will keep enforcing baseline compliance through NIST SP 800-171 Rev 2, by self-assessment. Duffey was blunt about the scope. What is being removed is the bureaucracy of the third-party assessment, not the standards.

Read that as a shift in who holds the burden of proof, because that is what it is. A third-party audit is expensive and slow, but it outsources the question "are you actually compliant" to someone else's signature. Self-attestation hands that question back to you. The 110 controls in NIST 800-171 have been contractually required for defense work that handles controlled unclassified information since the DFARS clause took effect in 2017. The audit going away does not make the controls go away. It makes you the one who has to show, on demand and continuously, that you meet them.

The egress path nobody wrote into the memo: your AI tools

CMMC was written for a world where your data leaves through email, file shares, and the occasional misconfigured storage bucket. That is not the world a 2026 defense contractor works in. Your engineers paste source into AI assistants, wire MCP servers into their editors, and run coding agents that read whole repositories. Every one of those is a new place controlled unclassified information can leave your boundary, and most of them ship it to a third-party cloud by default.

NIST 800-171 has no control that says "audit your AI tools" because the framework predates the tools. The obligation catches them anyway: access control (family 3.1) and media protection (family 3.8) both bite the moment CUI flows into a service you do not run. If a coding assistant transmits a file marked CUI to an external model, that is a data-handling event you now have to account for in a self-assessment, with no assessor on hand to tell you where the line sits. The convenient tools are the ones that phone home.

How we think about it

We are biased here, so read this as disclosure rather than a pitch. gotcontext runs its compression engine locally: ONNX and sentence-transformer models, no calls to OpenAI or Anthropic at runtime, shipped as a self-hosted Docker image licensed with an offline Ed25519 key so it can run air-gapped. We built it that way for latency and cost, not for compliance. The property that falls out of it, that context gets compressed without leaving the boundary it started in, happens to be the property a CUI-handling shop needs from every tool in its pipeline.

The other half is knowing what you install. Self-attestation makes your supply chain your problem, including the AI skills and MCP tool manifests your team pulls off the internet. Our scanning tools, gc_scan for source and gc_skill_scan for skill and tool manifests, exist to answer one question before you trust a component: what can this thing actually do. That is not a CMMC control. It is the habit CMMC was trying to build, minus the assessor.

The caveat

We are not a GRC platform, and none of this is compliance advice. Whether a given tool satisfies a given control is a question for your assessor, your legal team, and the final task-force report, due about 60 days from the July 10 memo. The suspension is provisional too: the review could reinstate third-party audits in a leaner form, keep self-attestation, or land somewhere else. What will not change in any of those outcomes is the underlying duty. Federal data still has to stay protected, the job of proving it is now yours to carry, and the fastest-growing gap in that proof is the AI tooling nobody has a control number for yet.

Try it on your own context

You just read the writeup. Now run the thing. Paste a doc or some verbose tool output and watch it shrink — free, no signup.

2,912/12,000 chars
Compressed
Compressed text will appear here…

Cite this

Researchers, analysts, or journalists referencing this post can use either format below — both are copyable.

BibTeXbibtex
@misc{cmmc-audit-suspended-data-obligation-stays-2026,
  title  = {CMMC's third-party audit is suspended. The data obligation isn't.},
  author = {James Hollingsworth},
  year   = {2026},
  month  = {July},
  url    = {https://gotcontext.ai/blog/cmmc-audit-suspended-data-obligation-stays},
  note   = {gotcontext.ai engineering blog.},
}
APAtext
James Hollingsworth. (2026, July 14). CMMC's third-party audit is suspended. The data obligation isn't.. gotcontext.ai. Retrieved from https://gotcontext.ai/blog/cmmc-audit-suspended-data-obligation-stays.

Contribute