This joint resolution nullifies the Department of Defense (DOD) rule titled Cybersecurity Maturity Model Certification (CMMC) Program (89 Fed. Reg. 83092), published on October 15, 2024. Among other elements, the rule establishes the Cybersecurity Maturity Model Certification Program. The program institutes policies regarding the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is processed, stored, or transmitted on defense contractor and subcontractor information systems during defense contract performance. The rule also identifies entities to which the rule applies and describes DOD implementation of the program.
The passage of HJR40 would prevent the enforcement of the CMMC rule, which may have wide-ranging implications for defense contractors and businesses in the cybersecurity space. Without the CMMC certification requirements, experts suggest that the protection of sensitive defense-related information could be compromised, resulting in increased vulnerability to cyberattacks. The immediate effect on businesses would be the elimination of the compliance burden that CMMC would impose, but in the long term, this might weaken overall cybersecurity governance within the defense sector.
HJR40 is a joint resolution that seeks to disapprove a rule set forth by the Department of Defense regarding the Cybersecurity Maturity Model Certification (CMMC) Program. This resolution is an expression of Congress's authority to overturn regulations that it deems unnecessary or overreaching. The CMMC program involves a framework intended to enhance cybersecurity standards within the defense industrial base, aimed at protecting sensitive information from cyber threats. However, this resolution will potentially halt its implementation, indicating serious concerns amongst some legislators about the requirements proposed under this program.
Debate surrounding HJR40 has called attention to the balance between necessary government regulations and undue restrictions on businesses. Proponents of the resolution argue that the CMMC outlines an overly complex and potentially costly set of obligations that may hinder smaller companies’ ability to compete for defense contracts. In contrast, opponents counter that rejecting the CMMC undermines essential measures needed to safeguard national security interests. This legislative maneuver reflects differing views on the role of regulatory oversight in ensuring cybersecurity readiness in critical sectors.
Armed Forces and National Security