govt regulations 1  54bd5a283ab41

Financial Reporting | July 17, 2026

Federal Cybersecurity Mandate Suspended: What the CMMC Pause Teaches Firms About Protecting Client Data

A stalled defense compliance program offers a timely lesson for accounting and tax practices.

Scott Carr

In July 2026, the Department of War suspended Phase II of its Cybersecurity Maturity Model Certification (CMMC) program, a requirement that would have forced more than 100,000 defense contractors into costly third-party cybersecurity assessments starting this November. The program stalled under its own weight: compliance costs approaching $600,000 per organization and a severe shortage of qualified assessors to conduct the certifications.

Accounting and tax firms don’t fall under CMMC. But the pattern deserves attention from anyone advising clients on compliance and risk. A federal deadline was delayed, and it’s tempting to read that as license to delay related work elsewhere. For firms managing client financial and tax records, that instinct is worth resisting. Obligations under the FTC Safeguards Rule and GLBA don’t move just because a different program’s timeline did, and client financial data remains a high-value target for cybercriminals regardless of what happens in the defense sector.

The Real Lesson Behind the Suspension

Government compliance programs get delayed, revised, or scrapped with some regularity. The underlying risk they were designed to address rarely follows suit. For firms serving clients who depend on the confidentiality of tax records, banking details, and payroll information, a documented, consistently enforced security policy isn’t a box to check when a regulator demands it. It’s a baseline expectation clients increasingly assume is already in place.

Firms that treat cybersecurity policy as an ongoing practice, rather than a reaction to the next compliance deadline, tend to identify gaps before they become incidents. That distinction matters most during filing season, when client data volume peaks and downtime carries the highest cost.

Practical Steps Firms Can Take Now

  1. Formalize a written information security policy (WISP). This is already an expectation under the FTC Safeguards Rule, and having it documented protects both the firm and its clients.
  2. Require multi-factor authentication across tax software, email, and any remote access tools used to serve clients.
  3. Inventory where client data lives, including cloud storage, integrations with third-party platforms, and any staff-managed spreadsheets.
  4. Establish a defined patch and update schedule, particularly for systems handling client financial data, ideally completed before filing season begins.
  5. Confirm backups are automated, encrypted, and tested for successful restoration, not simply scheduled.
  6. Train staff annually on phishing recognition, with particular attention to tax-season-themed scams targeting client data.
  7. Review cyber liability insurance policies against actual security controls in place; gaps between the two are a common and costly surprise.
  8. Revisit the security policy every year, not only when a client or regulator raises the issue.

Questions Firms Are Likely Asking

Why does a defense-sector suspension matter to accounting firms?
It’s a useful case study in what happens when a compliance deadline shifts while the underlying risk to client data does not. GLBA and Safeguards Rule obligations for firms serving individual and business clients remain fully active.

We’re a small or mid-sized firm. Are we really a target?
Firms of all sizes are frequently targeted precisely because attackers assume smaller practices have fewer defenses in place, and client financial data carries resale value regardless of firm size.

Do we need a formal WISP if no client has asked for one yet?
Yes. It’s an existing regulatory expectation rather than an optional client accommodation, and having it in place avoids scrambling to produce documentation under pressure.

What’s the realistic cost of getting this wrong?
Beyond potential fines, a breach disrupts client service during the firm’s busiest periods and can cause lasting damage to the trust clients place in the firm to safeguard their most sensitive information.

The Takeaway for Firms and Their Clients

Federal mandates pause. The risk to client financial data, and the regulatory expectations tied to protecting it, do not. Firms that build and maintain a documented security policy before a client, insurer, or examiner asks for one are better positioned to demonstrate the reliability their clients depend on.


Scott Carr, owner of Farmhouse Networking in Grants Pass, Oregon, is a veteran Network & Computer Systems Architect with over 30 years of IT experience. For over a decade, he’s led his team in delivering proactive, secure, and fully managed IT services to more than 80 businesses—including accounting and finance firms that rely on data security, compliance, and efficiency. Scott’s hands-on, jargon-free approach ensures every client understands their technology and gains confidence in their systems. His firm is known for fast, responsive support—most issues are resolved within 15 minutes—and deep expertise in cybersecurity, network design, and IT compliance. Learn more about how Farmhouse Networking supports the accounting industry at https://www.farmhousenetworking.com/finance-it-support/.

Sign in to get access to this free resource, and all of our whitepapers and reports.

Download this content today!

Register to get free access to this content, as well as newsletters, continuing education, podcasts, and more…

Leave a Reply

Scott Carr

Scott Carr

Scott Carr, owner of Farmhouse Networking in Grants Pass, Oregon, is a veteran Network & Computer Systems Architect with over 30 years of IT experience. For over a decade, he’s led his team in delivering proactive, secure, and fully managed IT services to more than 80 businesses—including accounting and finance firms that rely on data security, compliance, and efficiency. Scott’s hands on, jargon free approach ensures every client understands their technology and gains confidence in their systems. His firm is known for fast, responsive support—most issues are resolved within 15 minutes—and deep expertise in cybersecurity, network design, and IT compliance. Learn more about how Farmhouse Networking supports the accounting industry at https://www.farmhousenetworking.com/finance-it-support/.