The CMMC deadline moved. Your duty to protect CUI did not.
Phase II and future rollout milestones are paused while the Department reviews CMMC. Phase I self-assessments remain, NIST SP 800-171 Rev. 2 remains the interim baseline, and DFARS 252.204-7012 still applies. PolicyCortex helps you make the SPRS score you affirm match the controls and evidence you actually have.
Founder-led engagements. DoD Secret and DoE Q-cleared leadership with direct delivery experience at MITRE and Los Alamos National Laboratory (LANL). NIST 800-171 and 800-53 practitioners.
AeoliTech is a readiness and implementation partner, not a C3PAO. We support defensible self-assessments, government reviews, and future certification readiness.
Regulatory update · July 13, 2026
CMMC Phase II is paused. Phase I is not.
The Department suspended the transition to Phase II and pending or future CMMC implementation milestones while it reviews the program. Phase I self-assessments remain in place. During the interim, NIST SP 800-171 Rev. 2 will be enforced through self-assessments and selected government-led assessments, and DFARS 252.204-7012 still requires contractors and subcontractors to safeguard covered defense information.
Paused
The Phase II transition and pending or future CMMC rollout milestones.
Still active
Phase I self-assessments and evidence-backed NIST SP 800-171 Rev. 2 implementation.
Still contractual
The duty to protect covered defense information under DFARS 252.204-7012.
Cleared. Experienced. Federally proven.

DoD Secret
Active clearance

DoE Q
Active clearance

MITRE
Federal delivery experience

LANL
Los Alamos delivery experience
What remains enforceable
Your SPRS score still needs to survive the evidence.
For applicable awards, contracting officers still verify that a current NIST SP 800-171 DoD Assessment score is posted in SPRS. The pause changes the certification timetable; it does not make an unsupported score, stale SSP, or unremediated control gap safe.
A paper compliance position
- •SPRS score calculated once and never reconciled to live system state
- •SSP and POA&M language that does not match the implemented controls
- •Evidence assembled manually only when a review is announced
- •CUI boundaries and subcontractor flow-downs that remain unclear
- •Surprises during a selected government assessment or award review
An evidence-backed position
- Assessment results traced to live controls and dated evidence
- SSP, POA&M, and evidence mapped to the 110 Rev. 2 requirements
- Continuous monitoring a government reviewer or future C3PAO can follow
- Control drift identified while it is still inexpensive to fix
- Cleared US personnel handling CUI-adjacent work end to end
The AeoliTech method
Continuous evidence, not deadline theater.
We own the work that makes a self-assessment defensible: scoping, policy enforcement, continuous evidence collection, remediation tracking, and a review-ready package. The same work carries forward if independent certification returns in a revised form.
1. Controls gap scan
Rapid gap assessment against NIST 800-171 and 800-53 moderate / high baselines. Scoped by your CUI flows, not a generic checklist.
2. Policy enforcement
We stand up the technical and administrative controls and wire them into the platforms you already run, so policy is enforced, not just written.
3. Evidence collection
Continuous, assessor-ready evidence. Logs, configs, access reviews, training records, all mapped to control families and ready for upload.
4. Review-ready handoff
SSP, POA&M, and evidence packaged for self-assessment, a selected government review, your AO, or a future C3PAO assessment.
Our proprietary platform does the heavy lifting. PolicyCortex connects the Customer Responsibility Matrix, live control state, remediation work, and evidence trail so the position you report is the position your environment can prove.
Who we serve
Built for the DoD and federal supply chain.
Defense primes, cleared subcontractors, federal civilian integrators, and DoE laboratory partners: AeoliTech supports the compliance work that sits under every cybersecurity line item in solicitations like PSC R425 engineering / technical support and NAICS 541512 computer systems design services.
If your opportunity set includes CMMC L2 / L3, NIST 800-171, 800-53, FedRAMP Moderate / High, PCI DSS sustainment, or ATO continuous monitoring, that's the work we do.
Solicitation fit examples
- CMMC L2 self-assessment & future certification readiness
- CMMC L3 for elevated CUI environments
- NIST 800-171 gap assessment & SSP build
- NIST 800-53 ATO package preparation
- FedRAMP Moderate / High control alignment
- PCI DSS technical support & sustainment
- Continuous monitoring & evidence automation
Cleared leadership
Founder Leonard Esere holds active DoD Secret and DoE Q clearances, the access profile required for CUI and sensitive national security work.
Federal delivery track record
Direct delivery experience at MITRE and Los Alamos National Laboratory. We know how federal assessors, ISSOs, and AOs actually run evaluations.
Framework fluency
NIST 800-171 Rev. 2 & Rev. 3, NIST 800-53 Rev. 5, CMMC 2.0 Levels 1-3, FedRAMP, PCI DSS 4.0, mapped to the controls and evidence your assessor expects.
Know the score you can defend.
Tell us what you have in SPRS, what your SSP says, and what your environment can prove. We will identify the gaps that matter now without pretending anyone knows the final shape of CMMC reform.
Review my SPRS positionNo pitch deck. No sales theatre. A working conversation with cleared engineers.