Adam Kangiser, Iviry’s Compliance Analyst

Let’s cut through the noise: the regulatory freeze memo has set social media on fire with bad hot takes, but here’s the truth—CMMC isn’t going anywhere.

The latest freeze memo has reignited fears and misconceptions about the future of the Cybersecurity Maturity Model Certification (CMMC). While the online rumor mill churns, let’s set the record straight. If you’ve been led to believe that the regulatory freeze is a death knell for CMMC, buckle up—because the reality is far less dramatic.

What Is the Regulatory Freeze Memo, and Why Does It Matter?

Every time a new presidential administration takes office, a regulatory freeze memo is issued. It’s standard practice—a routine move that’s happened every time a new president is sworn in since George W. Bush in 2001. The goal? To pause and review rules that were in the pipeline from the previous administration before they take effect. That’s it. Nothing more, nothing less.

The most recent freeze memo follows the same script:

    1. No new rules can be proposed or sent for publication until reviewed.
    2. Rules pending publication must be withdrawn for reassessment.
    3. Rules already published but not yet in effect may be postponed for 60 days.
    4. After 60 days, if a rule presents no major legal or factual concerns, it proceeds as planned.

This isn’t a novel concept. It’s a rinse-and-repeat process, one that’s happened in 2001, 2009, 2017, 2021, and now in 2025. It’s simply a regulatory housekeeping measure, not an apocalypse for compliance programs.

Why CMMC Is Unaffected by the Regulatory Freeze

Despite the panic-driven headlines and LinkedIn hot takes, the CMMC program remains intact. Here’s why:

1. One CMMC rule is already in effect.

The CMMC program rule, which governs certification levels, waivers, scoring, and oversight, went into effect on December 16, 2024. It’s already part of Title 32 of the Code of Federal Regulations (CFR), which means it’s beyond the reach of the freeze memo.

2. The second CMMC rule isn’t up for review within the freeze period.

The CMMC contract clause rule, which dictates how CMMC applies to defense contracts, was published in August 2024 and is expected to go into effect in June 2025. The freeze memo only impacts rules published within 60 days of its issuance (which ends March 21, 2025). CMMC’s contract clause rule falls outside this window, meaning it remains unaffected.

Put simply, if you were hoping the freeze memo would dismantle CMMC, you’re out of luck. The regulatory wheels are still turning, and the compliance train isn’t slowing down.

Regulatory Freezes: A Normal Part of the Process

One of the biggest misconceptions is that a regulatory freeze memo is some kind of political statement against CMMC. That couldn’t be further from the truth.

Every administration since Bush has implemented a freeze memo, and none of them have been specific to any particular rule or program. The process isn’t about targeting regulations—it’s about transitioning leadership and ensuring continuity in governance. If anything, the longevity of CMMC through multiple presidential administrations—despite wildly different regulatory agendas—proves its necessity and resilience.

CMMC isn’t a political pet project. It’s a response to real, documented national security threats stemming from non-compliance with DoD cybersecurity requirements. The lack of external verification for contractor cybersecurity has led to widespread security lapses, data breaches, and, in some cases, outright fraud. That’s not speculation—that’s fact. And CMMC exists because of those facts.

So, What Happens Next?

For businesses in the defense industrial base (DIB), the takeaway is simple: stay the course.

  • CMMC is still active. Companies are already undergoing Level 2 certifications. The program rule is codified, and the contract clause rule is following a standard rulemaking timeline.
  • Regulatory review is part of the process. The Office of Management and Budget (OMB) and the Office of Information and Regulatory Affairs (OIRA) routinely review rules. This has always been the case, and it’s not stopping now.
  • Your compliance strategy shouldn’t change. If you’re a defense contractor or subcontractor, your cybersecurity obligations remain the same. The freeze memo changes nothing about your compliance deadlines or requirements.

The Bottom Line

The regulatory freeze memo isn’t a referendum on CMMC. It’s business as usual in Washington. The fact that CMMC has survived through multiple administrations—despite political changes—proves its legitimacy and necessity.

For companies in the DIB, the smart move is to ignore the noise and stay focused on compliance. Cybersecurity isn’t a trend; it’s a fundamental requirement for doing business with the DoD. The freeze memo won’t change that, and neither should your approach.

So, next time you see someone sounding the alarm on social media about CMMC being “frozen,” you’ll know better. The program is here to stay. Adjust your strategy accordingly.

See you next week.