CMMC update · Phase II suspended July 13, 2026

The CMMC deadline moved. Your duty to protect CUI did not.

Phase II and future rollout milestones are paused while the Department reviews CMMC. Phase I self-assessments remain, NIST SP 800-171 Rev. 2 remains the interim baseline, and DFARS 252.204-7012 still applies. PolicyCortex helps you make the SPRS score you affirm match the controls and evidence you actually have.

Founder-led engagements. DoD Secret and DoE Q-cleared leadership with direct delivery experience at MITRE and Los Alamos National Laboratory (LANL). NIST 800-171 and 800-53 practitioners.

AeoliTech is a readiness and implementation partner, not a C3PAO. We support defensible self-assessments, government reviews, and future certification readiness.

Regulatory update · July 13, 2026

CMMC Phase II is paused. Phase I is not.

The Department suspended the transition to Phase II and pending or future CMMC implementation milestones while it reviews the program. Phase I self-assessments remain in place. During the interim, NIST SP 800-171 Rev. 2 will be enforced through self-assessments and selected government-led assessments, and DFARS 252.204-7012 still requires contractors and subcontractors to safeguard covered defense information.

Paused

The Phase II transition and pending or future CMMC rollout milestones.

Still active

Phase I self-assessments and evidence-backed NIST SP 800-171 Rev. 2 implementation.

Still contractual

The duty to protect covered defense information under DFARS 252.204-7012.

Cleared. Experienced. Federally proven.

Department of Defense Seal

DoD Secret

Active clearance

Department of Energy Logo

DoE Q

Active clearance

MITRE Corporation Logo

MITRE

Federal delivery experience

Los Alamos National Laboratory Logo

LANL

Los Alamos delivery experience

What remains enforceable

Your SPRS score still needs to survive the evidence.

For applicable awards, contracting officers still verify that a current NIST SP 800-171 DoD Assessment score is posted in SPRS. The pause changes the certification timetable; it does not make an unsupported score, stale SSP, or unremediated control gap safe.

A paper compliance position

  • SPRS score calculated once and never reconciled to live system state
  • SSP and POA&M language that does not match the implemented controls
  • Evidence assembled manually only when a review is announced
  • CUI boundaries and subcontractor flow-downs that remain unclear
  • Surprises during a selected government assessment or award review

An evidence-backed position

  • Assessment results traced to live controls and dated evidence
  • SSP, POA&M, and evidence mapped to the 110 Rev. 2 requirements
  • Continuous monitoring a government reviewer or future C3PAO can follow
  • Control drift identified while it is still inexpensive to fix
  • Cleared US personnel handling CUI-adjacent work end to end

The AeoliTech method

Continuous evidence, not deadline theater.

We own the work that makes a self-assessment defensible: scoping, policy enforcement, continuous evidence collection, remediation tracking, and a review-ready package. The same work carries forward if independent certification returns in a revised form.

1. Controls gap scan

Rapid gap assessment against NIST 800-171 and 800-53 moderate / high baselines. Scoped by your CUI flows, not a generic checklist.

2. Policy enforcement

We stand up the technical and administrative controls and wire them into the platforms you already run, so policy is enforced, not just written.

3. Evidence collection

Continuous, assessor-ready evidence. Logs, configs, access reviews, training records, all mapped to control families and ready for upload.

4. Review-ready handoff

SSP, POA&M, and evidence packaged for self-assessment, a selected government review, your AO, or a future C3PAO assessment.

Our proprietary platform does the heavy lifting. PolicyCortex connects the Customer Responsibility Matrix, live control state, remediation work, and evidence trail so the position you report is the position your environment can prove.

Who we serve

Built for the DoD and federal supply chain.

Defense primes, cleared subcontractors, federal civilian integrators, and DoE laboratory partners: AeoliTech supports the compliance work that sits under every cybersecurity line item in solicitations like PSC R425 engineering / technical support and NAICS 541512 computer systems design services.

If your opportunity set includes CMMC L2 / L3, NIST 800-171, 800-53, FedRAMP Moderate / High, PCI DSS sustainment, or ATO continuous monitoring, that's the work we do.

Solicitation fit examples

  • CMMC L2 self-assessment & future certification readiness
  • CMMC L3 for elevated CUI environments
  • NIST 800-171 gap assessment & SSP build
  • NIST 800-53 ATO package preparation
  • FedRAMP Moderate / High control alignment
  • PCI DSS technical support & sustainment
  • Continuous monitoring & evidence automation

Cleared leadership

Founder Leonard Esere holds active DoD Secret and DoE Q clearances, the access profile required for CUI and sensitive national security work.

Federal delivery track record

Direct delivery experience at MITRE and Los Alamos National Laboratory. We know how federal assessors, ISSOs, and AOs actually run evaluations.

Framework fluency

NIST 800-171 Rev. 2 & Rev. 3, NIST 800-53 Rev. 5, CMMC 2.0 Levels 1-3, FedRAMP, PCI DSS 4.0, mapped to the controls and evidence your assessor expects.

Know the score you can defend.

Tell us what you have in SPRS, what your SSP says, and what your environment can prove. We will identify the gaps that matter now without pretending anyone knows the final shape of CMMC reform.

Review my SPRS position

No pitch deck. No sales theatre. A working conversation with cleared engineers.