Bills/H.J.Res. 40

Providing for congressional disapproval under chapter 8 of title 5, United States Code, of the rule submitted by the Department of Defense relating to "Cybersecurity Maturity Model Certification (CMMC) Program".


In Committee · Defense · House · House Joint Resolution · 119th Congress

Plain Language Summary

# Summary of HJRES 40

**What It Would Do**

This bill would cancel a cybersecurity rule that the Department of Defense finalized in October 2024. The rule created the Cybersecurity Maturity Model Certification (CMMC) Program, which requires defense contractors and their subcontractors to meet specific security standards when handling sensitive government information. If passed, HJRES 40 would eliminate these requirements, preventing the DOD from enforcing the new cybersecurity certification program.

**Who It Affects**

The bill directly impacts defense contractors and subcontractors, the companies that work on government defense contracts. These businesses currently must comply with the CMMC standards to protect federal contract information and classified government data on their computer systems. The bill would also affect the DOD's ability to oversee cybersecurity across its supply chain of private contractors.

**Current Status**

HJRES 40 was introduced by Representative Andrew Clyde (R-GA) and is currently in committee. The bill uses Congress's authority under federal law to reject executive agency rules (known as the Congressional Review Act). Supporters of canceling the rule argue it may be burdensome for contractors, while those supporting the CMMC program contend it strengthens national security by ensuring contractors adequately protect sensitive defense information from cyber threats.

CRS Official Summary

This joint resolution nullifies the Department of Defense (DOD) rule titled Cybersecurity Maturity Model Certification (CMMC) Program (89 Fed. Reg. 83092) and published on October 15, 2024. Among other elements, the rule establishes the Cybersecurity Maturity Model Certification Program. The program institutes policies regarding the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) that is processed, stored, or transmitted on defense contractor and subcontractor information systems during defense contract performance. The rule also identifies entities to which the rule applies and describes DOD implementation of the program.


Latest Action

February 12, 2025

Referred to the House Committee on Armed Services.

Subjects

Administrative law and regulatory procedures
Computer security and identity theft
Congressional oversight
Department of Defense
Intelligence activities, surveillance, classified information
Public contracts and procurement

Sponsor

Key Dates

Introduced: February 12, 2025
Last Updated: February 12, 2025