The Compliance Floor Is Moving. Your Security Program Shouldn't.

Two things happened within days of each other this July. On July 13, the Pentagon suspended CMMC Phase 2, the requirement that would have put third-party cybersecurity assessments into defense contracts starting this November, and opened a 60-day top-to-bottom review of the program. Days earlier, the updated federal regulatory agenda confirmed that the long-awaited HIPAA Security Rule overhaul slid another year, to July 2027.
Two of the most consequential federal cybersecurity mandates of the decade paused in the same news cycle. If your company sells to the Department of Defense or operates in healthcare, your compliance calendar just changed. But the more important question is what conclusion you draw from it, because there is a right reading and a costly one.
What actually happened
The CMMC suspension is a capacity story, not a philosophy story. Over 100,000 defense industrial base companies needed assessments and roughly 100 authorized assessors existed to perform them. In the words of a Pentagon official, "the math just simply doesn't math" for small and mid-sized contractors to be compliant by November. Phase 1 self-assessments remain in force, and the underlying NIST SP 800-171 obligations are still written into defense contracts. The requirement to protect controlled unclassified information did not go anywhere. The third-party proof mechanism did.
The HIPAA story rhymes. HHS proposed the biggest strengthening of the Security Rule in twenty years in January 2025: mandatory MFA, encryption, asset inventories, and much more. Then more than one hundred hospital systems and every major industry association pushed back on the projected multi-billion dollar first-year cost, and final action moved to mid-2027 at the earliest. We covered the practical posture in what to do while the final rule is pending; the delay extends that holding pattern.
The vacuum is being filled by states, not by nothing
Reading the federal pullback as deregulation misses where the regulation went. Twenty states have comprehensive consumer privacy laws in effect in 2026, three of them new in January, and the 2026 legislative wave has pushed the total passed to roughly two dozen states. State attorneys general are staffing enforcement teams. New York's financial services regulator continues tightening its cybersecurity rules regardless of what Washington does.
For a mid-market company, this trade is strictly worse than a single federal standard: instead of one rule with one deadline, you now answer to a patchwork of overlapping state obligations with different definitions, thresholds, and enforcement appetites. The companies that handle this well do not chase each statute one at a time. They build one strong program and map it to many obligations, which has been our thesis all along: assess once, map to many.
The threat side does not read the Federal Register
The same week the Pentagon paused CMMC, security researchers documented the first ransomware campaign run end to end by an autonomous AI agent: initial access, credential theft, lateral movement, and extortion, with no human operator in the loop. The cost of running an attack is collapsing at the exact moment the regulatory pressure to defend against it is softening. Those two lines are moving in opposite directions, and your risk lives in the gap between them.
This is the fact that separates the right reading from the costly one. Regulation was always a lagging, lowest-common-denominator description of what a security program should do. The threat environment is the leading indicator, and it is accelerating.
Is your security program anchored to deadlines that just moved?
Z Cyber's Executive Security Advisors build risk-led programs that hold up whether the rule lands in 2027 or never.
What ESG teaches us about what happens next
We have watched this exact movie in a different policy area. In 2024 the SEC adopted climate disclosure rules; by 2025 it had stopped defending them and moved to rescind. The federal mandate evaporated. Corporate behavior barely moved: roughly 90 percent of the S&P 500 kept disclosing emissions data voluntarily, because the audiences that actually move markets, investors, customers, and large trading partners, kept demanding it. The strongest companies had never treated disclosure as a compliance chore. They treated it as a differentiator that lowered their cost of capital and won them contracts, and state and international regimes filled the federal gap anyway.
Swap the nouns and you have cybersecurity in 2026. The federal mandate recedes. The market demand does not: enterprise customers still send security questionnaires before they sign, cyber insurance carriers still underwrite on controls you can prove, boards still ask who owns cyber risk, and states write their own rules. The best mid-market companies will do what the best public companies did with ESG: keep building, and turn the program into a sales asset while competitors treat the pause as a permission slip.
Deadline-led programs just lost their engine. Risk-led programs did not.
Here is the uncomfortable truth these delays expose: many security programs were never actually anchored to risk. They were anchored to dates. Budget got approved because November 10 was coming. Projects got sequenced by audit season. Remove the date and the program stalls, which tells you what was really holding it up.
This is where the difference between buying tools and running a program becomes visible. Tools do not know your regulatory posture changed. A program does, because a person owns it. What a mid-market company needs in this environment is not another platform license. It is a senior security executive who can set a vision for what the program must protect, hold a roadmap that survives regulatory whiplash, and re-sequence the work when the landscape moves, as it just did.
That is the job of an Executive Security Advisor. When CMMC Phase 2 paused this week, deadline-led contractors faced a question they had no way to answer: do we stop? An ESA-led program barely notices, because the roadmap was never built on the deadline. It was built on the risk register: which systems hold controlled unclassified information or patient data, which controls reduce real exposure, what evidence proves they work. The frameworks are mapped once, so whether the eventual mandate is CMMC as we knew it, a revised version after the review, a 2027 HIPAA rule, or a new state law, the program answers it from current evidence instead of starting a scramble. The advisor decides what happens next quarter and can defend that decision to the board in business terms. The platform keeps the picture current between decisions. Vision and roadmap first, instruments second.
There is also a quiet advantage waiting on the other side. Suspended rules have a habit of returning, often faster than the market expects, and the Pentagon's own memo frames this as a review, not a repeal. When the requirements come back, the companies that kept building will produce their evidence on demand. Everyone else will re-enter the same assessor bottleneck that broke the program the first time, at panic prices.
The bottom line
The federal government just told you it will not force you to build a strong security program on its schedule. The threat landscape, your customers, your insurer, your board, and two dozen states are telling you they still expect one. The companies that listen to the second group will spend the next eighteen months turning security into a differentiator, exactly as the best companies did with ESG when that federal floor moved. If your program needs a vision and a roadmap that do not depend on a mandate, talk to a Z Cyber advisor.
Frequently Asked Questions
Is CMMC going away?
No. On July 13, 2026 the Department of Defense suspended CMMC Phase 2, which would have required third-party cybersecurity assessments across contracts involving sensitive unclassified information starting November 10, 2026, and opened a 60-day top-to-bottom review of the program. Phase 1 self-assessment requirements remain in force, and the underlying NIST SP 800-171 security obligations in defense contracts have not been removed. What changed is the timeline and the third-party assessment mandate, not the expectation that contractors protect controlled unclassified information.
Is the HIPAA Security Rule update cancelled?
Not cancelled, delayed. HHS proposed a major strengthening of the HIPAA Security Rule in a rule published in January 2025, and the regulatory agenda has since pushed final action out to July 2027, after industry groups and more than one hundred provider organizations objected to the projected first-year costs. The existing HIPAA Security Rule remains fully in force and enforceable today. Organizations that use the delay to defer basic security work are taking on risk the rule's timeline does nothing to reduce.
Which states have privacy laws in 2026?
Twenty states have comprehensive consumer privacy laws in effect during 2026, with Indiana, Kentucky, and Rhode Island joining in January. A further legislative wave in 2026 brought the total passed to roughly two dozen states, including laws in Alabama, Louisiana, Oklahoma, and Vermont that take effect later. The practical consequence for a mid-market company is that the compliance burden is shifting from one federal conversation to a patchwork of state ones, with state attorneys general increasingly active enforcers.
If federal mandates are weakening, why invest in a security program now?
Because the mandate was never the real reason. Threats are accelerating, with autonomous AI-driven attacks documented in the wild this same month. Customers demand security evidence in procurement, cyber insurance carriers underwrite on controls that can be proven, boards are personally attentive to cyber risk, and states are filling the federal gap with their own enforcement. The compliance deadline was an excuse to fund work that these other forces still require. Companies that build ahead of the floor also avoid the scramble when a suspended rule comes back.
What should a mid-market security leader do differently after these delays?
Shift the program's anchor from regulatory deadlines to risk. That means a current risk register, controls mapped once to the frameworks that matter so the program survives regulatory swings, evidence that stays fresh rather than being assembled for audit season, and a roadmap owned by a senior security executive who can defend it to the board. An Executive Security Advisor exists for exactly this: setting the vision and roadmap, and keeping the program moving when no deadline forces it.
Subscribe for Updates
Get cybersecurity insights delivered to your inbox.


