CMMC News by Jun Cyber

Congressional Review Act Targets CMMC Rollback

Wilson Bautista Jr.

Representative Gary Palmer introduced a resolution to overturn a Pentagon rule establishing the Cybersecurity Maturity Model Certification (CMMC) program. This Congressional Review Act resolution aims to allow Congress a vote on significant regulatory actions. The Department of Defense completed the necessary steps to implement the CMMC rule, which adds third-party assessments to existing cybersecurity standards for contractors. While some stakeholders support CMMC for improving cybersecurity and enabling more efficient compliance, the resolution's success is uncertain due to limited legislative support. The resolution's goal is to ensure Congressional oversight of major rules impacting the public, not necessarily to oppose CMMC itself. Opponents warn that halting CMMC could jeopardize the defense industrial base's efforts toward cybersecurity compliance.

Ref: https://insidedefense.com/insider/lawmaker-introduces-resolution-roll-back-cmmc-program-final-rule

Alright. So let's jump into this. Let's do it. Deep dive. Yeah. And today, we're taking a look at this article from insidedefense.com. Okay. And it's all about this potential shakeup Uh-huh. To the CMMC program. Right. And so, like, imagine you're a business owner. You're working with the DOD. Okay. You're getting everything ready. Yeah. You're trying to make your system secure to get all those nice, juicy defense contracts. I gotcha. Yeah. But then, bam, a political bombshell drops. That could really change everything. Yeah. I know exactly what you're talking about. So this article lays out a maneuver in Congress Mhmm. That could really put the future of CMMC in question. Yeah. So, maybe you can just break it down for everybody listening. Sure. What is CMMC, and why does it matter? CMMC, it's like it's like a cybersecurity seal of approval Gotcha. For companies that handle sensitive defense information. Oh, so it's like okay. It's a way to know that they can be trusted. Like a guarantee. Right. Exactly. So the DOD is rolling this out to make sure that everyone in their supply chain Uh-huh. Is up to par when it comes to cybersecurity. So think of it like a guarantee that you can handle sensitive data in a responsible way. Exactly. Okay. So that's what it is. And now we've got this congressman Gary Palmer Uh-huh. And he's introduced this resolution Yes. That could potentially roll back CMMC's final rule. Yeah. He's using this thing called the Congressional Review Act Oh, wow. Or CRA. And this is a tool that Congress can use to overturn certain federal regulations. Hold on. Back up for a second. Sure. The Congressional Review Act. How could this affect CMMC? Well, it's important to remember that even though this resolution's been introduced, it has a long way to go Okay. Before it actually becomes reality. Okay. It's facing an uphill battle in Congress Okay. Especially with the strong support that CMMC has already. That is a little bit reassuring.
Yeah. You know, this whole situation, it's gotta be Structure. Creating a ton of uncertainty. Oh, absolutely. Especially for all these businesses that have been getting ready. Yeah. They've been for They have invested time and resources. You know? Right. And time is ticking too. It is because the CMMC final rule was published in October. Okay. And that triggered a 60-day review period. So there's, like, a deadline. Right. So Congress has a limited time to use the CRA Gotcha. If they wanna overturn it. So what happens if they don't act in time? Well, that's a good question. Is CMMC safe? Not necessarily. There are other ways that opponents of CMMC could try to delay or weaken the program. Like what? Well, one thing they could do is try to influence the implementation of CMMC Mhmm. Even if they can't overturn the rule completely. Oh, so they might try to, like, tweak it. Right. Exactly. Like, lobby for less stringent requirements Uh-huh. Or a slower rollout. You know? Sure. Something that would cause more uncertainty Gotcha. And delays for businesses. So even if this resolution fails Right. Businesses shouldn't just, like No. They shouldn't get complacent. To back and relax. No. This is just the beginning. You know, the fact that this resolution was introduced shows that CMMC has some powerful opponents. Yeah. And they're not going away. No. They're gonna keep looking for ways to slow it down. And this is where it gets interesting. Okay. So the article mentions that the Government Accountability Office The GAO? The GAO Yeah. Confirmed that the DOD Uh-huh. Followed all the proper procedures Okay. When they implemented the final rule. Right. So that's a really big deal because that finding from the GAO strengthens the DOD's position. Okay. And it makes it harder for people to argue that Yeah. That the rollout was flawed or rushed. So it sounds like DOD did their homework. Yeah. They did. And they're ready to defend CMMC.
They are they're committed to strengthening cybersecurity Mhmm. In the defense industrial base. Okay. So I bet our listeners are wondering I bet they are. What does all this mean for me? That is the $1,000,000 question. Right. Well, despite all the maneuvering, the core message here is pretty clear. What's that? Cybersecurity is nonnegotiable if you wanna do business with the DOD. So you might be familiar with this thing called NIST 800-171. Right. Which has been a requirement Yeah. For handling certain types of defense information Mhmm. Since 2017. 17. Yeah. And CMMC builds on those foundations. Exactly. So if you're already meeting those requirements, you're on the right track. You're on the right track. Okay. But even if this resolution fails, it highlights that businesses need to stay agile and informed because things are changing all the time in the cybersecurity world. So don't just sit back and wait Right. For the dust to settle. No. This is the time to really double down Right. On your cybersecurity efforts regardless of what happens with this resolution. Absolutely. Right? And remember, even if Congressman Palmer's resolution succeeds, the fight over CMMC is far from over. Oh. The Department of Defense is committed to implementing this, and they're likely to explore all their options to make that happen. Okay. So it sounds like CMMC Uh-huh. Is facing a pretty significant challenge. It is. But it's not dead yet. Not dead yet. Right. No. And this resolution could cause some uncertainty Definitely. But it's unlikely to succeed. That's right. So smart businesses should keep preparing Yes. They should. No matter what happens. Absolutely. Because at the end of the day, cybersecurity is critical. Yeah. And the DOD is serious about it. So stay informed. Stay informed. And don't hesitate to reach out Right. If you have any questions. We're here to help. We'll be back with part 2 in just a moment.
This whole CMMC thing, you know, it really shows how cybersecurity and government policy are all mixed up these days. Yeah. Like a high-stakes game where the rules are always changing. That's a great way to put it. And the stakes are high. You know? We're talking about national security Right. Advanced tech data that could be really damaging if it fell into the wrong hands. Okay. So let's get down to brass tacks here. Uh-oh. What does this all mean for businesses? Well, the article mentions that Congressman Palmer has actually introduced over 30 CRAs targeting various regulations. Wow. So it seems like he's challenging a lot of what the federal government's doing. So is he just against CMMC, or is there something bigger going on here? Well, his spokesperson said that Congressman Palmer is really focusing on rules that have a significant impact on the American people. Uh-huh. And he's arguing that agencies shouldn't pass major rules without Congress having a say. Yeah. I could see where he's coming from, but it does feel like he's trying to, you know, kinda hit the brakes Mhmm. On a lot of these important initiatives. It raises the question of where CMMC falls on that. Right. You know, is it a burdensome regulation, or is it a vital national security measure? I mean, considering all the sensitive information Right. That defense contractors handle, I'd say it's pretty vital. I would agree with that. And I think that's why the Department of Defense has been so adamant about raising the bar for cybersecurity within its supply chain. Right. They've said it. Cybersecurity is nonnegotiable. Exactly. If you want those defense contracts If you wanna play ball You gotta step up your game. Yeah. And we're not just talking about, you know, protecting data from foreign adversaries. No. Absolutely not. Cybercriminals are constantly evolving. It's a cat-and-mouse game. It is. It's an arms race in the digital world Right. And companies need to stay ahead of the curve.
So the article also highlights some concerns Yeah. From this group called the Managed Service Provider Collective. Right. They represent a bunch of companies that help other businesses achieve CMMC compliance. Okay. And they're worried that this resolution, even if it doesn't pass, could create uncertainty and discourage companies from investing in cybersecurity. Yeah. Because, like, why bother if the rules might change? Exactly. Uncertainty leads to hesitation. And in cybersecurity, hesitation can be really costly. So with all this back and forth, what's the bottom line? What should our listeners be doing right now? Don't panic. CMMC is still in play. The DOD is committed to making it happen. Okay. Don't let the political noise distract you from the importance of cybersecurity. Protect your information. Do the right thing. Exactly. Companies that prioritize cybersecurity will be better off. It's like investing in a good security system for your house. Yeah. You don't wait until after a break-in to install an alarm. Exactly. You gotta be proactive. K. Think of cybersecurity as an investment. Not a burden. Right. Building resilience and trust. And stay informed. Stay informed. Absolutely. The article also mentions the second CMMC rulemaking, the one that's gonna change the DFARS. Right. It's already been through public comment Yeah. And is being reviewed by the DOD. So even if the CRA resolution succeeds, the second one could still move forward and keep CMMC on track. Potentially. Yeah. It's a complicated situation, and it'll be interesting to see how it all unfolds. It's a multilayered cake, this whole CMMC situation. You got the cybersecurity foundation. You got the political frosting, and now we've got this legal cherry on top. And you never know what kind of surprise you might find baked inside. Oh, that's good. But speaking of surprises, the article mentioned something I think is worth highlighting.
Remember how Congressman Palmer's resolution is targeting the CMMC final rule that was published back in October? The one that launched the program. Right. Okay. Well, here's the twist. Even if his resolution succeeds and that rule is overturned, the DOD could potentially just reissue the rule. Wait. So they could just sidestep the whole CRA process? It's not quite that simple, but the CRA does have limitations. It's meant to stop agencies from circumventing Congress with major rule changes. Uh-huh. But it doesn't prevent them from reissuing a rule if they follow the correct procedures the first time. So it's like a speed bump, not a roadblock. Exactly. And considering how committed the DOD is to CMMC and the support it has in Congress, it's very likely they would just reissue the rule. So all the work businesses have been doing to prepare wouldn't be wasted? Exactly. The fundamentals of cybersecurity, the need to protect sensitive information. Those things remain constant Right. Regardless of the political maneuvering. So for our listeners who might be feeling a bit overwhelmed by all this, what's the most important thing to remember? Focus on the fundamentals. Invest in cybersecurity measures that align with the CMMC framework even if there are delays or uncertainties. Right. The long-term benefits far outweigh any short-term costs or inconveniences. It's about seeing cybersecurity as an investment Exactly. Not a burden. Right. Okay. And stay informed, of course. Keep an eye on developments Understand how they might impact your business. And be prepared to adapt. The world of cybersecurity is constantly evolving. It is. So it sounds like even with all this political stuff, getting ready for CMMC is still the smart move. Absolutely. You know, strong cybersecurity, it's not just about checking boxes for the DOD. It's about protecting your business, your data, your reputation. Uh-huh. It's a win-win no matter what happens with this resolution.
It's like investing in a good security system for your house. Exactly. You pay upfront Yeah. But you get that peace of mind. Right. You don't wait for a break-in to install an alarm system That's exact. And be proactive. So true. But I'm curious. If this resolution doesn't pass Mhmm. What else could they try? What other moves are out there? Well, that's a great question, and it's tough to predict exactly what they'll do, but there are some possibilities. Okay. Like what? Well, they could try to influence the funding that's allocated to CMMC implementation. So they could try to starve the beast. Exactly. Limit the resources the DOD has to roll out and enforce CMMC. Sneaky but effective, I guess. They could also try to sway public opinion So against CMMC. How would they do that? Well, they might highlight the cost of compliance, argue that it's too burdensome for small businesses. Right. Play up that big government angle. Exactly. Frame it as an unnecessary regulation. That stifles innovation and hurts businesses. Well, it's not just a legal battle. It's a PR battle too. It is. And that's why it's so important for CMMC supporters to be vocal about the benefits. Make sure their voices are heard. Highlight the importance of cybersecurity for national security Yeah. And economic stability. Right. Show that CMMC is a step in the right direction. It sounds like this whole CMMC saga is far from over. What's the most important takeaway for our listeners? The DOD is serious about cybersecurity. They're committed to making CMMC work. Okay. They're going to overcome these obstacles. So don't get discouraged. Don't give up. Invest in your cybersecurity. Stay informed. Be prepared to adapt. Exactly. A strong cybersecurity posture is valuable no matter what happens with CMMC. And that brings our deep dive to a close. I hope you found this exploration of the CMMC shakeup insightful and maybe even a little bit thrilling.
It's certainly a fascinating case study in how cybersecurity and government policy are all intertwined. Remember, knowledge is power. Stay curious, stay informed Duh. And stay ahead of the curve. And if you have any questions or wanna dive deeper into any aspect of CMMC, don't hesitate to reach out. We're here to help. Until next time. Stay safe and stay secure.
