CMMC Updates & Cybersecurity Readiness Resources 

The compliance path changed. The responsibility to protect CUI has not.

As CMMC requirements evolve, organizations handling Controlled Unclassified Information (CUI) remain responsible for implementing applicable NIST SP 800-171 requirements and completing required self-assessments and affirmations.

Exostar brings together the latest updates, expert guidance, and actionable resources to clarify what has changed, what remains in effect, and how to move forward with confidence.

image (78)

On-Demand Executive Briefing

CMMC Paused? What That Actually Means for You

Protecting CUI After the CMMC Update

  • What changed?
  • What is required?
  • Should we continue with our current plans?

Watch Exostar’s executive leadership team explain what the update means for organizations handling CUI, clarify today’s cybersecurity responsibilities, and discuss where businesses should focus now.

Watch Now
A jet engine attached to a plane wing as part of Aerospace and Defense industries.

Expert Insight

CMMC Is Changing. Protecting CUI Is Still the Mission

Go beyond the headlines to explore why the latest CMMC changes don’t alter the real objective: protecting CUI and building a stronger cybersecurity program.

Read the Article
Four employees collaborating and standing around a desk and laptop.

Editorial Insight

Whistleblowers, False Claims, and CUI Protection

Explore how rising enforcement pressure is redefining risk—and why a defensible approach to protecting sensitive data matters for defense contractors.

Read the Article
Certification Assistant photo of a man at a desk with papers in front of him.

Key Takeaways

What Should Your Organization Focus on Now?

  • Identify where CUI is stored, processed, and transmitted
  • Implement applicable NIST SP 800-171 requirements
  • Complete accurate, evidence-based self-assessments
  • Maintain accurate SPRS submissions and affirmations

Protecting CUI doesn’t begin or end with a single assessment. It requires an ongoing, disciplined cybersecurity program that supports your contractual obligations today—and adapts as requirements evolve.

Have Questions About the CMMC Update?

How do the latest CMMC changes affect your organization? Explore the FAQs below for clear guidance on current requirements or contact us using the form below.

Understanding the Announcement

Did CMMC get paused?

Not exactly.

The Department of War (DoW) suspended the planned expansion of CMMC Phase II third-party assessment requirements while it conducts a 60-day program review.

What did not change is your responsibility to protect Controlled Unclassified Information (CUI), implement the applicable NIST SP 800-171 Rev. 2 security requirements, and complete any required CMMC self-assessments and affirmations when applicable under your contracts.

What changed?

The DoW paused the planned implementation of CMMC Phase II for 60 days while it reviews the program. The pause affects the planned expansion of mandatory third-party assessments, not the underlying responsibility to protect CUI.

What didn't change?

Your responsibility to protect CUI, implement NIST SP 800-171 Rev. 2 where requiredmaintain documentation, and complete applicable self-assessments remains unchanged. 

Has CMMC been cancelled?

No. CMMC has not been cancelled. Phase II implementation has been paused while the program is reviewed. Phase I requirements remain in effect.

Will CMMC return?

The DoW has described this as a temporary review. Organizations should continue meeting current contractual requirements while monitoring future guidance.

Can I provide feedback to the DoW?

Yes. The DoW issued a Request for Information (RFI), and organizations may provide feedback using the official submission process. Comments may be submitted until 12:00 PM ET on August 14, 2026.

Protecting CUI & Your Responsibilities

Do I still have to protect CUI?

Yes.

If your organization stores, processes, or transmits CUI under DFARS 252.204-7012, your contractual obligation to protect that information has not changed.

The recent announcement affects the planned rollout of third-party assessments, not the requirement to safeguard CUI.

Do I still need to implement NIST SP 800-171?

Yes. Organizations subject to DFARS 252.204-7012 must continue implementing the applicable NIST SP 800-171 Rev. 2 security requirements. Those requirements remain the foundation for protecting CUI regardless of future CMMC program decisions.

Do I still need to complete a self-assessment?

If your contract requires a CMMC Level 1 Self or Level 2 Self assessment, yes.

Organizations should complete the required self-assessment, document the results, maintain supporting evidence, and submit the required affirmation to SPRS when applicable.

Does my SPRS submission still matter?

Yes. Your SPRS submission should accurately reflect your cybersecurity posture and be supported by objective evidence.

What is the difference between a self-assessment and a self-affirmation?

A self-assessment evaluates your implementation of NIST SP 800-171, identifies gaps, and documents objective evidence.

A self-affirmation is the official statement submitted through SPRS (when required) confirming your organization meets the applicable requirements.

Think of the self-assessment as the work that supports a defensible self-affirmation.

Who performs the self-assessment and who submits the affirmation?

The self-assessment is typically performed by your cybersecurity, IT, or compliance team, sometimes with assistance from a trusted advisor.

The affirmation is submitted by an authorized company official, such as a CEO, President, Owner, Corporate Officer, or other designated representative.

The assessment documents the work. The affirmation is the organization’s official declaration that the work is complete and supported by evidence.

What documentation should I have?

Maintain documentation demonstrating how you protect CUI and implement NIST SP 800-171.

Typical documentation includes:

  • System Security Plan (SSP)
  • Policies and procedures
  • Plans of Action & Milestones (POA&M)
  • Assessment results
  • Technical configurations
  • Logs and screenshots
  • Training records
  • Objective evidence supporting implemented controls.

Readiness & Investment

Should I stop my readiness project?

No. Continue implementing controls, documenting your environment, and preparing for self-assessment. Don’t pause your readiness efforts.

Was our investment wasted?

No. Your investment reduces cyber risk, supports contractual obligations, and prepares your organization for future verification.

Should I hire a C3PAO now?

If you have already engaged a C3PAO, continue according to your plans. If not, consider waiting until the DoW review concludes before making that investment.

Should we wait until the DoW completes its review?

We don’t recommend waiting.

Your obligations begin when the applicable contractual clauses are included in your contracts, not when future third-party assessment decisions are announced. Continuing to strengthen your cybersecurity posture today reduces risk and prepares you for whatever comes next.

Working with Exostar

How does Exostar help?

Exostar helps organizations protect CUI by securing where it is stored, processed, and transmitted.

We also help customers:

  • Support NIST SP 800-171 implementation
  • Reduce CUI scope
  • Organize compliance documentation
  • Build objective evidence
  • Prepare for required self-assessments and affirmations
  • Stay ready as DoW cybersecurity requirements evolve.
Do I still need CMMC software?

Yes. Organizations still need to organize documentation, manage evidence, protect CUI, and support required self-assessments and affirmations. The recent announcement changed the certification path, not the underlying cybersecurity responsibilities.

What does 'reducing CUI scope' mean?

Reducing CUI scope means limiting where CUI is stored by moving it into a secure managed environment. 
 
Fewer systems containing CUI can reduce operational complexity, security risk, documentation, evidence collection, and ongoing compliance effort. 

Is Exostar replacing my IT department?

No. Exostar provides a secure managed collaboration environment with inherited and shared security capabilities. Your organization remains responsible for its security program, policies, personnel, and many NIST SP 800-171 controls.

Looking Ahead

Why should I continue investing in cybersecurity?

Because protecting CUI is still a contractual requirement.

Strengthening your cybersecurity posture helps reduce cyber risk, protect customer trust, and prepare your organization for future Department of War requirements.

What should my organization focus on during the next 60 days?

Focus on:

  • Identifying where CUI is stored
  • Implementing and validating NIST SP 800-171 controls
  • Strengthening documentation
  • Organizing evidence
  • Reviewing your self-assessment
  • Reducing unnecessary CUI exposure.

Turn Guidance Into Action

Connect with Exostar to discuss your organization’s requirements and determine the right path forward.

Thanks for Getting in Touch

We’ve received your submission and a team member will contact you shortly. We’re here to help you move forward with confidence.