Michael Duffey, President Donald Trump’s nominee for undersecretary of defense for acquisition and sustainment, told lawmakers that he will review details of the Pentagon’s long-delayed industry cybersecurity compliance policy if confirmed to his post.

In October 2024, the Department of Defense (DoD) released the final rule for the Cybersecurity Maturity Model Certification (CMMC) program that requires Defense Industrial Base (DIB) contractors and subcontractors to implement necessary security measures for Federal contract information and introduce new security requirements for controlled unclassified information related to specific priority programs.

After numerous revisions and what seems like an eternity in regulatory limbo, DoD expects to implement the new requirements by mid-year. However, due to the President’s deregulatory efforts, CMMC now finds itself in regulatory limbo once again.

“I recognize the critical importance of ensuring that contractual requirements for protecting DoD information are met by defense contractors. If confirmed, I will review the current requirements of the CMMC program and evaluate options to improve the requirements and implementation so that industry can affordably maintain pace with current cybersecurity best practices,” Duffey wrote in his responses to advance policy questions from lawmakers ahead of his confirmation hearing on March 27 before the Senate Armed Services Committee.

Duffey acknowledged the importance of ensuring defense contractors meet DoD information protection requirements but emphasized the need to strengthen “cybersecurity across the DIB without overburdening small and medium-sized businesses.”

Since its introduction, the rule has faced criticism from industry leaders and some lawmakers, who argue that CMMC regulations would place heavy burdens on smaller firms with limited resources to ensure compliance.

“It is my understanding that the cyber capabilities of the companies in the DIB vary greatly. If confirmed, I look forward to reviewing the current state of DoD cybersecurity requirements for our industry partners and working to ensure we balance a need for security with the burdens of excessive regulation,” Duffey stated.

He also told lawmakers he would review mechanisms for assessing CMMC compliance – including third-party organizations and accreditation procedures – to ensure requirements stay aligned with threats and minimize burdens on the industrial base.

Duffey also pledged to “actively explore” the feasibility of multi-use secure compartmented information facilities – often costly for smaller companies – and other shared resource models to ease the burden on small firms and improve their access to classified information.

Lisbeth Perez
Lisbeth Perez is a MeriTalk Senior Technology Reporter covering the intersection of government and technology.