THE DEEP TAKE

The Pentagon removed the audit, not the liability

The Department of War suspended CMMC Phase II on July 13. Phase II was the part with teeth: third-party certification, scheduled to reach contracts on November 10. Pentagon CIO Kirsten Davies signed the pause and stood up a 60-day reform task force. Phase III and Phase IV milestones are frozen with it.

Read the coverage and you get "Pentagon suspends CMMC." Read what actually moved and you get something much narrower. The check went away. Everything that creates legal exposure stayed.

DFARS 252.204-7012 is untouched. NIST SP 800-171 is untouched. Phase I self-assessments, live since November 2025, are still required. Your SPRS score is still self-attested. A self-attested score that is wrong is still a False Claims Act problem. Primes can still require certification contractually, and the ones who already wrote it into their flowdowns have no reason to stop. So the government deleted the mechanism that would have independently verified your score. It left the liability for that score being wrong exactly where it was. If you were quietly counting on an assessor to find your gaps before a prosecutor did, your position got worse this week.

Here is the part worth more than the news. The program did not collapse over policy. It collapsed over arithmetic. Roughly 80,000 companies were eventually going to need third-party assessment. As of February, 98 organizations were authorized to perform those assessments, with 748 credentialed assessors against an estimated need of 2,000 to 3,000. Lead times already ran 3 to 12 months. Nobody needed a model to see this coming. You could do it on a napkin two years ago and get the same answer. The date was never going to hold.

That generalizes, and it is the real takeaway for anyone who has never touched a defense contract. Regulatory deadlines are not planning variables. Enforcement capacity is. A rule with a date and no bodies behind it slips, every time. The tell is not in the Federal Register. It is in the headcount of whoever has to sign off. CIRCIA is the live example. CISA expects a final rule in September, carrying 72-hour incident reporting and 24-hour ransomware payment reporting. Before you fund a readiness push against that date, ask what happens if it slips a year. If the answer is "we burned a quarter," sequence the work differently.

So finish the self-assessment. The standard did not move and the exposure did not move. You have a 60-day window to close gaps with nobody scheduled to look. Then take the napkin math to your next compliance deadline, whichever regime it lives in, and price the date accordingly.

Powered by the DoGood network

The data in this issue came from priority submissions by 5,000+ enterprise IT leaders. If you run IT or security at a $100M+ company and want to see what your peers are funding — and earn rewards for participating in vetted meetings with the vendors worth your time — apply to join DoGood.

QUICK HITS

Patch the 5.3 before the 63 criticals

Microsoft shipped 621 CVEs on July 14, with 63 rated critical. Two are under active exploitation. Neither is one of the 63. CVE-2026-56164 is a SharePoint Server elevation-of-privilege flaw rated 5.3, a missing-authentication bug an unauthenticated attacker can reach remotely. CVE-2026-56155 is an AD FS elevation-of-privilege flaw rated 7.8. Both sit on identity infrastructure. If your triage rule is "criticals first," this month it routes you around both live exploits and into 63 bugs nobody is using. Sort by exploited, then by severity. Not the reverse.

A CVSS 10.0 sat in SonicWall's VPN for three weeks

SonicWall published an advisory on July 14 for two SMA1000 zero-days. CVE-2026-15409 is an unauthenticated server-side request forgery in the Appliance Work Place interface, rated CVSS 10.0. CVE-2026-15410 is a post-authentication command injection in the management console, rated 7.2. Rapid7's MDR team found both and dates first exploitation to June 22. That is three weeks of live attacks on an internet-facing access appliance before anyone published a word. Hotfixes are out, v12.4.3-03453 and 12.5.0-02835, and require a call to SonicWall support. Federal agencies have until July 17 under BOD 26-04 to patch or pull the product. If you run SMA1000, your compromise assessment window opens June 22. Not July 14.

Your AI vendor wants engineers inside your building

Anthropic, Blackstone, Hellman & Friedman, and Goldman Sachs launched Ode with Anthropic this week. It is a $1.5 billion joint venture that sells enterprise AI implementation, not models. It runs 100 engineers and has already bought Fractional AI. OpenAI has The Deployment Company. Microsoft put $2.5 billion and 6,000 people into Frontier at the start of the month. Deloitte and Accenture are staffing forward-deployed engineering teams of their own. The labs have concluded the bottleneck is not model quality. It is that nobody inside your company can rewire the process the model is supposed to run. They are probably right. It also means your next AI conversation is a staffing proposal, with a vendor's engineers working inside your systems. That is a different diligence problem than buying software. Decide now who owns the access review, the IP terms, and where the process knowledge lives when the engagement ends.

THE NUMBER: $660 million

IBM's preliminary Q2 revenue landed at $17.2 billion, about $660 million under the $17.86 billion consensus. The explanation is the interesting part. IBM said it faltered as corporate spending shifted from software to data-center infrastructure. The market took that literally. IBM lost roughly a quarter of its value in one session, its worst day since October 19, 1987. ServiceNow, Microsoft, Salesforce, and Workday all fell with it. If you have been telling your CFO that AI spend is a new line item, the market just priced the opposite view. It is coming out of the software budget you are renewing right now. Two things follow. Your incumbent vendors know it too, which changes what a renewal conversation is worth. And vendor financial health moves from diligence boilerplate to something you actually check.

If CMMC or an AI staffing decision landed on your desk this week, the useful conversation is with a peer who already made the call. That is what the DoGood network is for.

The CXO Brief is powered by the DoGood network, 5,000+ IT leaders sharing what they are actually working on.

Know a CIO who needs this? Forward it and they can subscribe here.

Enterprise IT leader at a $100M+ company? Apply to join DoGood.

Keep Reading