House NDAA amendment targets CMMC cost burden
Congress is no longer just watching CMMC rollout mechanics; it is asking whether the market structure is pricing out small suppliers.
TL;DR
Inside Cybersecurity reports that House Armed Services advanced the fiscal 2027 National Defense Authorization Act, 44-12, with a Rep. Jeff Crank amendment requesting a Defense Department briefing on Cybersecurity Maturity Model Certification reforms by March 1, 2027. The amendment cites excessive regulatory burdens, small-business disadvantage, and fee transparency concerns involving the Cyber AB and CMMC Third-Party Assessment Organizations. Primes, subs, assessors, and the Cyber AB get the message: CMMC cost is now a Hill oversight target.
House Armed Services did more than move another defense policy bill with the usual cyber grab bag. According to Inside Cybersecurity, the committee advanced the fiscal 2027 National Defense Authorization Act in a 44-12 vote with a CMMC amendment asking DOD to brief lawmakers by March 1, 2027, on reforms to the Cybersecurity Maturity Model Certification program.
The amendment’s target is specific: the cost structure around CMMC. It says the committee is concerned that the current program imposes excessive regulatory burdens, drives up costs for smaller defense contractors, deters new entrants into the defense industrial base, and disadvantages small businesses. It also names fee transparency in the CMMC ecosystem, including charges by the Cyber AB and CMMC Third-Party Assessment Organizations.
That matters because this is no longer only a rollout story. CMMC has spent years moving toward implementation through rulemaking, assessment capacity, and contract clause mechanics. The House amendment points at a different question: whether the program’s private assessment market is becoming a barrier to entry for the same small and mid-tier suppliers DOD says it wants in the industrial base.
This also is not a one-off grumble. House Armed Services advanced fiscal 2026 NDAA language with CMMC amendments last cycle, Inside Cybersecurity reported at the time (https://insidecybersecurity.com/daily-news/house-armed-services-advances-major-defense-policy-bill-vulnerability-disclosure-cmmc). The FY27 language suggests the committee is moving from implementation oversight toward structural reform, at least if DOD’s briefing comes back with actual options rather than a status review.
For contractors, nothing changes Monday. Primes and subs still have to prepare for CMMC requirements as written, and C3PAOs still operate inside the existing accreditation and fee environment. The practical signal is that cost evidence now matters. If small-business compliance costs, assessment fees, or assessment-market bottlenecks are going to shape the next version of CMMC policy, contractors should be documenting them before March 2027, not after Congress asks why nobody had numbers.
Published · Deep Fathom