Codify — Article

Congressional disapproval of DoD's CMMC rule (H.J. Res. 40)

A joint resolution would nullify the Department of Defense’s CMMC regulation and bar reissuing the same regulatory text absent new statutory authority—upending a major procurement cybersecurity regime.

The Brief

H.J. Res. 40 uses the Congressional Review Act (chapter 8 of title 5, U.S.C.) to disapprove the Department of Defense rule titled “Cybersecurity Maturity Model Certification (CMMC) Program” (89 Fed. Reg. 83092, Oct. 15, 2024). The resolution states that the rule shall have no force or effect.

That legal nullification would remove the regulatory basis for the CMMC framework as published, creating immediate operational and compliance questions across DoD contracting: whether procurement clauses tied to the rule remain enforceable, how the department retools its approach to supply‑chain cybersecurity, and what happens to businesses that spent money to meet CMMC requirements or to firms that built services around the program.

At a Glance

What It Does

The resolution disapproves a specific DoD rule (CMMC) and declares the rule to have no force or effect. Under the Congressional Review Act, a disapproved rule may not be reissued in substantially the same form unless a later statute authorizes it.

Who It Affects

Primary effects fall on the DoD acquisition system and the defense industrial base: prime contractors, small and mid‑size subcontractors that handle controlled unclassified information, firms that provide CMMC assessments or consulting, and DoD acquisition and contracting officers who implement cybersecurity clauses.

Why It Matters

The CMMC rule was DoD’s attempt to standardize and verify contractor cybersecurity across the supply chain; disapproval removes that standardized regulatory lever and substitutes uncertainty. Compliance programs, contracting practices, and vendors that invested in CMMC infrastructure would all need to reassess near‑term obligations and business models.


What This Bill Actually Does

The resolution contains a single operative command: Congress disapproves the Department of Defense’s published rule on the Cybersecurity Maturity Model Certification (CMMC) Program, and the rule shall have no force or effect. That phrasing is the statutory language used in Congressional Review Act disapprovals to annul a federal rule that an agency has promulgated.

A key consequence under the Review Act is structural: if the resolution becomes law, the agency cannot reissue a substantially similar rule unless Congress later passes a law expressly authorizing that content. The resolution therefore does more than erase the published text; it creates a legal barrier to simply republishing the same regulatory approach.

The resolution does not amend procurement statutes or substitute alternative regulatory text. It strikes down the administrative rule itself. That leaves open administrative and contractual questions: DoD may need to remove or suspend procurement clauses that were implemented to flow down CMMC requirements; contracting officers will face guidance decisions about whether to award contracts that assumed CMMC compliance; and contractors with existing CMMC certifications will face uncertainty over the evidentiary value of those certifications going forward.

Market and operational effects will be immediate and uneven. Firms that sold assessment, accreditation, and advisory services tied to the CMMC regime will lose the regulatory demand driver. Small contractors that had not completed certification would avoid the rule’s compliance costs in the short term, but DoD and contractors will still confront the underlying policy problem the rule aimed to solve: how to ensure adequate cybersecurity across a sprawling supply chain that handles sensitive but unclassified information.

The Five Things You Need to Know

1. The resolution identifies and disapproves the DoD rule published at 89 Fed. Reg. 83092 (Oct. 15, 2024), declaring that it has "no force or effect." It proceeds under chapter 8 of title 5, U.S.C., the Congressional Review Act, which both annuls the rule and bars reissuing a substantially similar rule unless later authorized by statute.

2. The text is narrowly focused on the administrative rule; it does not repeal or change any underlying statutes that authorize DoD procurement or cybersecurity policy.

3. If enacted, the resolution will create immediate legal ambiguity for contracts and solicitations that incorporated CMMC requirements or relied on CMMC certifications.

4. The resolution threatens the market for CMMC assessors, accreditation bodies, and consultants by removing the regulatory requirement that created demand for those services.

Section-by-Section Breakdown


Operative Clause

Congressional disapproval and nullification of the identified rule

This single clause names the DoD rule by title and Federal Register citation and states that Congress disapproves it and that it "shall have no force or effect." Practically, that language directs the executive branch to treat the published regulatory text as void and removes the rule as binding administrative law. For compliance teams, the operative clause signals the end of the rule as a source of regulatory obligations if the resolution becomes law.

Statutory Basis

Use of the Congressional Review Act (chapter 8, title 5)

The resolution invokes the Congressional Review Act, which supplies both the mechanism for disapproval and the downstream prohibition on reissuing a substantially similar rule without subsequent statutory authorization. This is consequential because it does not merely pause enforcement; it constrains the department’s ability to return to the same regulatory text, forcing DoD to seek a different path (new rulemaking with materially different text or an act of Congress) if it wants the same outcomes.

Scope of Relief

What the resolution removes—and what it leaves intact

The resolution targets only the administrative regulation published in the Federal Register; it does not repeal the statutes that authorize defense procurement, and it does not itself amend the DFARS. That distinction means DoD retains its statutory authorities but loses the specific regulatory vehicle. In practice, DoD could pursue supply‑chain cybersecurity objectives through other mechanisms (contract clauses inserted under existing procurement authority, agency guidance, or revised rulemaking), but those paths involve administrative, legal, and political constraints that the resolution’s prohibition on reissuing a substantially similar rule complicates.

Practical and Contractual Implications

Immediate enforcement, contract clauses, and certification status

The text does not explicitly address existing contracts, clause insertions, or active certifications; those issues will be handled through procurement practice, guidance from DoD, and potentially litigation. Contracting officers and legal counsel will need to determine whether to remove or suspend CMMC-based clauses from solicitations, how to treat offers predicated on certification, and whether previously issued certifications remain persuasive evidence of security practices.


Who Benefits and Who Bears the Cost

Every bill creates winners and losers. Here's who stands to gain and who bears the cost.

Who Benefits

  • Small and mid‑size defense contractors: They would avoid the near‑term costs and administrative burden of obtaining CMMC certification and associated remediation work.
  • Subcontractors and suppliers that had not yet invested in certification: The resolution delays mandatory certification-related expenses and audit obligations that would have flowed down the supply chain.
  • Contracting and procurement legal teams in industry: Firms gain short‑term flexibility in bid compliance and fewer immediate regulatory obligations tied to the CMMC rule.
  • Business groups and trade associations critical of prescriptive federal cybersecurity mandates: They benefit politically and operationally from the rollback of a regulatory compliance driver.

Who Bears the Cost

  • Department of Defense acquisition officials and cybersecurity managers: They lose a standardized regulatory tool for enforcing baseline cybersecurity across the defense industrial base, complicating risk management.
  • Large prime contractors seeking a single, uniform standard: Primes lose regulatory leverage to require consistent practices down their subcontract chains and may face more fragmented compliance from suppliers.
  • CMMC assessors, accreditation bodies, and consulting firms: These vendors face a sudden contraction in the market created by mandatory certification.
  • Contractors who already spent funds to achieve CMMC certification: Those businesses bear sunk compliance costs without any statutory or regulatory reimbursement.
  • Federal cybersecurity posture and risk managers: Eliminating the rule raises operational and programmatic costs for detecting and mitigating supply‑chain cyber risk, potentially increasing reliance on non‑regulatory tools.

Key Issues

The Core Tension

The central tension is straightforward and hard to resolve. The bill reduces regulatory burden on contractors and the private sector, but it removes a standardized, enforceable mechanism DoD designed to raise minimum cybersecurity across a high‑risk federal supply chain. Protecting contractors from rule‑driven costs conflicts directly with the government's interest in uniformly managing national security cyber risks.

The resolution is blunt in effect but narrow in scope: it annuls the published regulatory text without changing the statutes that underpin DoD procurement authority. That separation creates an administrative dilemma.

DoD could respond by (a) rescinding related DFARS clauses that depend on the rule, (b) issuing new guidance or contract language that attempts to achieve similar outcomes without using identical regulatory text, or (c) pursuing fresh rulemaking with altered substance. Each path has legal and practical risks: rescission leaves gaps, guidance lacks the force of a final rule, and new rulemaking may be foreclosed if its text is "substantially the same" as the disapproved rule.

Another unresolved question is contractual and evidentiary: the resolution does not say whether existing CMMC certifications remain meaningful for contract performance or audit purposes. Courts and contracting officers will likely confront disputes over whether certification-based contract clauses survive the rule’s nullification, whether contractors can seek equitable adjustments for compliance costs, and how to treat solicitations issued while the rule was in effect.

Finally, the resolution imposes distributional impacts: firms that invested early in compliance lose their competitive advantage and sunk costs, while those that deferred compliance gain short‑term relief—an outcome that may skew market incentives and complicate efforts to build durable cybersecurity capability across the supply chain.
