CMMC Phase II Suspension: Cybersecurity Compliance Can Change in the Blink of an Eye
Cybersecurity professionals work in an environment shaped by evolving threats, technologies, organizational priorities, and regulatory requirements. Even when an implementation schedule appears settled, the conditions surrounding it may change quickly.
On July 13, 2026, the U.S. Department of War announced the immediate suspension of the Cybersecurity Maturity Model Certification Phase II requirements that had been scheduled to take effect on November 10, 2026. The Department also suspended pending and future CMMC implementation milestones across its solicitations and contracts while a newly established task force conducts a 60-day review of the certification program.
The announcement does not eliminate cybersecurity responsibilities for the Defense Industrial Base. Phase I self-assessment requirements remain in effect. During the review period, the Department plans to enforce compliance with National Institute of Standards and Technology Special Publication 800-171 Revision 2 through self-assessments and selected government-led assessments. Defense contractors and subcontractors also remain contractually responsible for safeguarding covered defense information under DFARS clause 252.204-7012.
The policy change therefore represents a suspension and reassessment of part of the certification process, not an abandonment of the underlying responsibility to protect federal information.
An Evolving Regulatory Environment
Gregory (2026) examined the behavioral intentions of cybersecurity professionals to adopt cyber incident response plans in medium- and large-sized U.S. businesses. The study discussed CMMC within an increasingly stringent cybersecurity regulatory environment and noted that its phased implementation would affect how covered organizations approached compliance and incident-response preparedness.
The July 13 announcement provides a timely illustration of a broader point: cybersecurity requirements do not operate in a static environment. Regulations, contractual mechanisms, assessment models, implementation schedules, and enforcement priorities may change as governments respond to cost concerns, industry feedback, operational demands, and policy objectives.
An organization may spend months preparing for a specific compliance milestone, only to learn that the milestone has been postponed, suspended, revised, or replaced. That does not necessarily mean the preparation was wasted. Security controls, documented procedures, trained personnel, and tested incident-response capabilities may retain operational value even when the external compliance mechanism changes.
The Cyberpsychology of Regulatory Change
This development is not only a regulatory or technical story. It is also a cyberpsychology story because changes in policy can influence perception, motivation, judgment, and organizational behavior.
Some organizations may interpret the suspension as an opportunity to redirect resources or reconsider the costs associated with certification. Others may continue their preparations because they perceive the underlying cybersecurity practices as necessary regardless of the certification schedule. Still others may become uncertain about which investments, assessments, or implementation activities should proceed.
These responses can be influenced by several questions:
- Do decision-makers believe that continued preparation will improve organizational security?
- Are adequate resources, guidance, personnel, and technical support available?
- Will the suspension reduce the perceived urgency of compliance activities?
- Could repeated changes produce confusion, frustration, or compliance fatigue?
- Will organizations distinguish between postponement of a certification requirement and the continuing need for cybersecurity readiness?
These are behavioral questions as much as policy questions.
Performance and Organizational Support
Gregory (2026) found that performance expectancy and facilitating conditions significantly predicted cyber incident responders’ behavioral intentions to adopt cyber incident response plans. The results showed that perceived performance benefits and organizational support were the only factors that significantly predicted behavioral intentions to adopt cyber incident response plans. Other examined factors, including effort expectancy, social influence, hedonic motivation, price value, and habit, were not significant predictors in the study.
Those findings provide a useful lens through which to view the CMMC announcement.
When an external deadline changes, organizations may need to reinforce the operational reasons for maintaining cybersecurity and incident response capabilities. A requirement supported only by the pressure of an approaching compliance date may lose momentum when that date disappears. A practice understood as improving detection, coordination, containment, recovery, and organizational resilience may have a more durable behavioral foundation.
Facilitating conditions also remain important. Organizations need leadership support, training, personnel, compatible systems, documented procedures, and time to prepare. Regulatory uncertainty may complicate decisions about where those resources should be directed. Clear communication will therefore matter during the review period.
Compliance Is Not the Same as Readiness
The suspension also highlights an important distinction between compliance and cybersecurity readiness.
Compliance establishes externally defined requirements and methods of demonstrating adherence. Readiness concerns whether an organization can identify, manage, respond to, and recover from actual cyber incidents. The two concepts may support one another, but they are not identical.
An organization may satisfy an assessment requirement without developing a deeply embedded culture of preparedness. Conversely, an organization may maintain strong security and incident-response practices even while a certification framework is being reconsidered.
Gregory (2026) described effective cyber incident response plans as more than documents placed in policy repositories. Their value depends on meaningful use, realistic exercises, defined responsibilities, organizational support, and integration into normal operations.
That principle remains relevant regardless of what emerges from the 60-day CMMC review.
Cyberpsychology in Motion
It is too early to determine the long-term effects of the suspension. The review may produce revised requirements, a different assessment structure, a new implementation schedule, or other reforms. Organizations within the Defense Industrial Base will need to follow official guidance as the situation develops.
For cyberpsychology, however, the announcement already offers an instructive example. A change in policy alters the environment in which people make decisions. That altered environment can influence urgency, trust, motivation, resource allocation, risk perception, and behavioral intention.
Cybersecurity is not created by regulations alone. It emerges from the interaction of requirements, technologies, organizations, and human behavior.
Sometimes that environment changes gradually. Sometimes it changes in the blink of an eye.
References
Department of War. (2026, July 13). Forging the arsenal of freedom: Department of War suspends CMMC Phase II requirements.
https://www.war.gov/News/Releases/Release/Article/4542329/forging-the-arsenal-of-freedom-department-of-war-suspends-cmmc-phase-ii-require/
CIO – CMMC Resources & Documentation
Gregory, D. S. (2026). Factors that predict behavioral intentions to adopt cyber incident response plans in medium- and large-sized U.S. businesses [Doctoral dissertation, Capitol Technology University]. ProQuest Dissertations & Theses.