
Effects of Recent Executive Orders on CMMC & the FAR CUI Rule

Updated: Feb 5, 2025

Since Inauguration Day, the second Trump administration has bolted off the starting line, making sweeping changes which will impact much of the federal government. While many of these changes are unrelated to IT security governance, we believe it’s important to examine the effects recent Executive Orders and related actions may have on the CMMC program and fledgling FAR CUI Rule to help individuals and organizations make sense of the current state of flux within the federal government.


President signing an executive order.
Image credit: Saul Loeb/Getty Images

The Trump administration has issued a flurry of wide-ranging Executive Orders over the past several weeks, signaling its priorities for the President’s second term. In this article, we will focus on the actions which could have implications on U.S. cybersecurity and related regulations—with particular emphasis on the CMMC program and FAR CUI Rule.


TL;DR – CMMC is unlikely to be materially affected, but the FAR CUI Rule may have a bumpier road ahead.


Notable Directives & Administration Priorities


In a whirlwind of Executive actions, many things are changing within the federal government. Some of these wide-ranging actions will result in impacts to U.S. Department of Defense (DoD) contractors as well as federal contractors more broadly in relation to the proposed Federal Acquisition Regulation Controlled Unclassified Information rule (the FAR CUI Rule).


Some of the administration’s most outspoken priorities have been reducing government spending, increasing efficiency, and restructuring federal agency hierarchy. Given the President’s emphasis on domestic priorities, including national security, there will likely be many more changes to come to which federal government contractors will need to adapt.


For example, the Executive Order (EO) entitled “Regulatory Freeze Pending Review” instructed federal departments and agencies to (a) delay proposal or issuance of any new rules, (b) withdraw any rules sent to the Office of the Federal Register (OFR) but not yet published in the Federal Register, and (c) postpone the effective date for any recently published rules by 60 days.ᶦ


Following this, the Office of Management and Budget (OMB) issued Memorandum M-25-13,ᶦᶦ instructing federal agencies to pause much of their spending. While the memo has since been rescinded, the administration has expressed its intent to perform a thorough review of federal government spending by its agencies.


Potential Executive Order Impacts on the CMMC Program


The CMMC program was initially proposed by the DoD during President Trump’s first term to address threats to U.S. national security interests related to sensitive data (i.e., CUI) handled by commercial organizations within the Defense Industrial Base (DIB). Given the Trump administration’s stated commitment to, and long-standing bipartisan support for, national security imperatives, it seems unlikely that such an effort would be de-prioritized. While the CMMC program may see some unexpected fits and starts, industry analysts believe there is little chance CMMC will simply disappear.ᶦᶦᶦ,ᶦᵛ


Regulatory Freeze


The regulatory freeze EO, as written, applies to unpublished and recently published rules from federal agencies. Since the Title 32 rule establishing the CMMC program (32 CFR 170) was published as final in October 2024 and went into effect in December, it’s highly unlikely there will be any pause related to the program, itself, resulting from the regulatory freeze.


The other critical part of CMMC implementation is the Title 48 rule (DFARS Case 2019-D041), which would amend several sections of the Code of Federal Regulations (most notably, 48 CFR 252.204-7021) to establish a solicitation provision specifying the requirement for certification at a given CMMC level for inclusion in DoD contracts. 


Effectively, this is what will allow the DoD to enforce the CMMC requirement. While the Title 48 rule has not gone into effect, the final version of the rule was published in the Federal Register in August 2024, with a public comment period ending in October. The rule has gone through much deliberation and revision with little change since its initial announcement in 2019, meaning it is also unlikely to be caught up in the freeze before being finalized as part of the Code of Federal Regulations.


OMB Memo on Federal Agency Spending


The OMB memo implies the possibility of modifications to funding for agencies with a hand in implementing the CMMC program, but the CMMC Accreditation Board (Cyber AB), which oversees much of the implementation process (notwithstanding the recent report of its internal inconsistencies with regard to accreditation), is unlikely to be impacted by changes to federal spending reprioritization, as its funding originates from fees related to individual and organizational certifications, such as Registered Practitioner Organization (RPO) and Certified Third-Party Assessor Organization (C3PAO) applications.


Prior to rescinding the OMB memo entirely, the administration published a Q&A specifying the scope of the memo to be limited to programs “implicated by the President’s Executive Orders” and that any program not implicated is not subject to the pause.ᵛ Despite uncertainty regarding the status of the freeze as separate from the rescission of the corresponding memo, this clarification via the Q&A implies the scope of any such freeze would not impact the implementation of CMMC.


Finally, the majority of costs related to implementing CMMC will be borne by businesses within the DIB, rather than funded by the federal government. This means the program will likely stay out of the crosshairs during spending cut reviews, though it may reduce the likelihood of businesses receiving federal assistance related to the cost of implementation (as discussed in our post Concerned About CMMC Costs? Contact Your Reps!).


Implications for the Proposed FAR CUI Rule


The proposed FAR CUI Rule, introduced on January 15, 2025, aims to standardize cybersecurity requirements across all federal contractors and subcontractors—not just those serving the Department of Defense.ᵛᶦ Key provisions of the rule include safeguarding measures for CUI (i.e., through the implementation of NIST SP 800-171 R2), streamlined incident reporting, and enhanced accountability for both contractors and COs (regarding identification of CUI for the latter, thankfully). 


Due to the proposed rule’s more recent publication, it is much more likely to be affected by the regulatory freeze EO.ᵛᶦᶦ At the very least, a delay can be reasonably expected. Since these requirements relate to non-DoD contractors and don’t directly impact national security, the FAR CUI Rule could see a more protracted journey before going into effect. 


Nonetheless, the FAR CUI Rule was originally conceived prior to the DFARS regulations addressing the protection of CUI and the CMMC program, so there is a clear desire at the federal level to control unclassified sensitive information (such as student and medical records, both of which are included in NARA’s CUI Registryᵛᶦᶦᶦ).


Looking Ahead


As the second Trump administration continues to define its priorities, federal contractors with access to CUI should take steps to ensure they are on track to achieve compliance with the proposed safeguarding requirements. An approach of “wait to see how it shakes out” means postponing major investment in achieving compliance, but also runs the risk of being on the back foot when the requirements go into effect.


Considering it from another angle, organizations should contemplate implementing the soon-to-be-required cybersecurity measures as a way to foster competitive advantage by marketing themselves as ahead of the curve on cybersecurity (as discussed in our post Strategic Benefits for CMMC Early Adopters).


Next Steps


Organizations can take the following actions to ready themselves for the adoption of CMMC and FAR CUI Rule requirements:


  • Stay Informed: Regularly consult official government publications and trusted news sources (like this blog!) for updates on policy changes affecting cybersecurity requirements.


  • Assess Impact: Evaluate how potential policy shifts may influence existing compliance programs and prepare to adjust strategies accordingly. Review existing relationships and obligations to identify current and future security & compliance needs.


  • Engage with Stakeholders: Participate in industry groups and forums to stay abreast of developments and share insights on navigating the evolving regulatory landscape.


  • Take the First Steps: Perform a gap analysis to determine current cybersecurity posture and begin developing a project plan to achieve compliance.


Wrapping Up


Recent executive actions underscore a period of transition in federal cybersecurity policy with implications for the CMMC program and FAR CUI Rule. However, federal contractors—particularly those engaged with the DoD—must remain vigilant and adaptable to ensure continued compliance and the protection of sensitive information.


Triumvirate Cybersecurity is an IT security and compliance consulting firm specializing in CMMC and NIST SP 800-171 implementation. With hands-on experience as part of the CMMC Joint Voluntary Surveillance Assessment program, as well as regulatory frameworks including ISO 27001, PCI-DSS, and HITRUST, we have the knowledge needed to provide customers with actionable insights for their security programs. Review our service offerings to see how we can help your organization approach security & compliance with confidence and contact us to schedule a discussion about your unique needs!




 
 