LegisTrack
Back to all bills
HJRES 40119th CongressIn Committee

Providing for congressional disapproval under chapter 8 of title 5, United States Code, of the rule submitted by the Department of Defense relating to "Cybersecurity Maturity Model Certification (CMMC) Program".

Introduced: Feb 12, 2025
View on Congress.gov
Standard Summary
Comprehensive overview in 1-2 paragraphs

H. J. Res. 40 is a joint resolution introduced in the House under the Congressional Review Act (CRA). It would disapprove the Department of Defense rule implementing the Cybersecurity Maturity Model Certification (CMMC) program and would render that rule null and void if enacted. The DoD rule in question was published on Oct. 15, 2024 (Federal Register 89 Fed. Reg. 83092) and would have required DoD contractors to obtain CMMC certifications at specified maturity levels to bid on or perform DoD contracts. If the resolution becomes law, the rule would have no force or effect, and DoD would not implement the CMMC requirements outlined in that rule. The sponsor is Rep. Clyde, and the bill is currently introduced and referred to the Committee on Armed Services.

Key Points

  • 1What it does: Provides congressional disapproval of a specific DoD rule under the Congressional Review Act, blocking the CMMC rule from taking effect.
  • 2Rule targeted: The DoD rule on the Cybersecurity Maturity Model Certification program, published Oct. 15, 2024 (89 Fed. Reg. 83092).
  • 3Legal effect if enacted: The rule would have no force or effect; DoD could not implement the CMMC requirements as described in that rule.
  • 4Process and status: Introduced in the House on Feb. 12, 2025 by Rep. Clyde; referred to the Committee on Armed Services.
  • 5Scope: Focused narrowly on disapproval of this particular rule; does not repeal DoD authorities to pursue cybersecurity or other DoD cybersecurity policies outside of this rule.

Impact Areas

Primary affected group/area:- DoD contractors and the defense industrial base: would avoid the added costs and administrative burden of CMMC certification under this rule, at least until (and unless) DoD pursues a different approach.Secondary affected group/area:- DoD procurement and contracting processes: would continue under existing cybersecurity requirements unless DoD takes new steps to adjust policy in response.Additional impacts:- Small businesses: potential relief from mandatory CMMC certification costs and administrative workload.- DoD cybersecurity policy: signals congressional preference against implementing this particular CMMC rule, which could influence future DoD cyber policy or lead to new legislative or rulemaking proposals.- Legal/regulatory environment: demonstrates Congress’ use of the CRA to block agency rules; may affect expectations for how quickly proposed cyber security rules move forward in the future.CMMC stands for Cybersecurity Maturity Model Certification and is a DoD framework intended to ensure contractors protect sensitive defense information. The rule in question would have established certification levels and assessment processes; this joint resolution seeks to prevent that specific rule from taking effect.
Generated by gpt-5-nano on Nov 18, 2025