The Pentagon’s newly implemented Cybersecurity Maturity Model Certification (CMMC) rule is receiving a mixed reaction from lawmakers on Capitol Hill.
In October, the Department of Defense (DoD) released the final rule for the CMMC program that requires Defense Industrial Base (DIB) contractors and subcontractors to implement necessary security measures for Federal Contract Information and introduce new security requirements for Controlled Unclassified Information related to specific priority programs.
After much anticipation for the final rule, the DoD is preparing to roll out CMMC requirements into contracts beginning in 2025. But at least one lawmaker on Capitol Hill wants to do away with the program before it even starts.
Rep. Gary Palmer, R-Ala., on Nov. 15 submitted a joint resolution of disapproval to block the CMMC rule, as part of his effort to give Congress a stronger role in reviewing major regulatory actions.
“Congress disapproves the rule submitted by the Department of Defense relating to ‘Cybersecurity Maturity Model Certification (CMMC) Program’ (89 Fed. Reg. 83092; published October 15, 2024), and such rule shall have no force or effect,” reads the notice.
Under the Congressional Review Act, Congress can move to dismiss some agency rules within 60 days of their being issued.
However, both chambers must pass the resolution, and the president must sign it for it to take effect. As of now, no other lawmakers have supported Rep. Palmer’s effort to block the CMMC rule.
In fact, some lawmakers are working to support the success of the CMMC. Rep. Scott Fitzgerald, R-Wis., has introduced a draft bill that would provide tax credits to smaller businesses to help offset the costs of complying with the DoD’s upcoming CMMC program.
The draft bill – the Small Business Cybersecurity Act of 2024 – would allow companies with 50 or fewer employees to claim a tax credit of up to $50,000 for CMMC costs.
The rule estimates that small businesses will incur approximately $101,000 in costs to obtain a Level 2 CMMC certification, including expenses for planning, preparation, the certification assessment process, and payments to an outside third-party CMMC assessment organization.
However, the bill is unlikely to be included in the 2025 defense authorization bill, which lawmakers are working to finalize by the end of this year.
DoD officials expect the CMMC rule to take effect in 2025.