Providing for congressional disapproval under chapter 8 of title 5, United States Code, of the rule submitted by the Department of Defense relating to "Cybersecurity Maturity Model Certification (CMMC) Program".
- Bill Number
- H.J.Res. 40
- Origin Chamber
- House
- Congress
- 119th Congress, Session 1
- Policy Area
- Armed Forces and National Security
- Status
- Introduced
- Latest Action
- 2025-02-12: Referred to the House Committee on Armed Services.
- Last Updated
- 2025-06-13T18:51:07Z
AI-Generated Summary
Purpose
This joint resolution (H.J. Res. 40) aims to disapprove and nullify a specific rule issued by the Department of Defense (DoD) regarding the Cybersecurity Maturity Model Certification (CMMC) Program. The CMMC Program is a framework designed to verify that companies working with the DoD meet certain cybersecurity standards to protect sensitive government information. The resolution uses the Congressional Review Act (a law allowing Congress to review and overturn federal agency rules) to prevent the rule from taking effect.
Key Provisions
- Congress formally disapproves the DoD rule titled "Cybersecurity Maturity Model Certification (CMMC) Program," published in the Federal Register on October 15, 2024 (89 Fed. Reg. 83092).
- If enacted, the rule would have no legal force or effect, effectively blocking its implementation.
- The resolution was introduced in the House of Representatives on February 12, 2025, by Representative Clyde and referred to the House Committee on Armed Services for review.
Significant Changes to Existing Law
- This resolution does not amend existing laws but invokes the Congressional Review Act (chapter 8 of title 5, United States Code) to override the DoD's rulemaking authority.
- It would halt the rollout of the CMMC Program as defined in the disapproved rule, potentially requiring the DoD to revise or abandon aspects of the program that involve mandatory cybersecurity certifications for contractors.
- No direct changes to broader cybersecurity laws (like those under the Federal Acquisition Regulation) are made, but it disrupts the integration of CMMC into DoD contracting processes.
Potential Impacts
- On Government Agencies: The DoD would be unable to enforce the rule, possibly delaying or altering efforts to standardize cybersecurity requirements for contractors. This could lead to revised regulations or reliance on older standards, increasing administrative burdens.
- On Citizens and Businesses: Defense contractors (including small businesses) would avoid new certification costs and compliance requirements, potentially saving time and money but risking weaker protections for sensitive data. Employees in the defense sector might see less emphasis on cybersecurity training.
- On International Relations: It could indirectly affect U.S. supply chain security by easing cybersecurity mandates on contractors with international ties, potentially influencing partnerships or export controls related to defense technology.
Main Stakeholders
- Department of Defense (DoD): Primary issuer of the rule; would face implementation setbacks.
- Defense Contractors and Suppliers: Companies bidding on or holding DoD contracts, who must comply with cybersecurity standards; they benefit from avoided costs but may face uncertainty in future requirements.
- Congress (House Committee on Armed Services): Oversees the resolution and holds authority to influence defense policy.
- Cybersecurity Industry: Firms providing certification services or tools could see reduced demand if the program is blocked.
- U.S. Taxpayers: Indirectly affected through potential changes in government spending on defense contracts and data security.
Notable Legal, Constitutional, or Political Implications
- Legal: Relies on the Congressional Review Act, which gives Congress a 60-day window (after rule submission) to disapprove rules via simple majority vote, bypassing filibuster in the Senate. If passed and signed (or veto overridden), it prevents judicial challenges to the rule under certain conditions.
- Constitutional: Reinforces Congress's oversight role over executive branch actions (Article I powers), checking agency rulemaking without violating separation of powers.
- Political: Highlights partisan or bipartisan tensions over regulatory burdens on defense industries; disapproval could signal congressional pushback against perceived overreach by the executive branch, influencing future DoD policies and election-year debates on national security.
This summary was generated by AI and may contain inaccuracies. Refer to the official source document for the authoritative text.
Sponsor
Rep. Clyde, Andrew S. [R-GA-9]
Recent Actions
- 2025-02-12: Referred to the House Committee on Armed Services.
- 2025-02-12: Introduced in House
- 2025-02-12: Introduced in House
Bill Versions
- Providing for congressional disapproval under chapter 8 of title 5, United States Code, of the rule submitted by the Department of Defense relating to "Cybersecurity Maturity Model Certification (CMMC) Program". — issued 2025-02-12 — PDF (1 pages)