Despite grumbling from some lawmakers on Capitol Hill, the Pentagon’s newly released Cybersecurity Maturity Model Certification (CMMC) rule has successfully completed its 60-day Congressional Review period without any changes, signaling that the rulemaking process is officially complete.
In October, the Department of Defense (DoD) released the final rule for the CMMC program that requires Defense Industrial Base (DIB) contractors and subcontractors to implement necessary security measures for Federal Contract Information and introduce new security requirements for Controlled Unclassified Information related to specific priority programs.
Under the Congressional Review Act, Congress can move to dismiss some agency rules within 60 days of being issued. However, both chambers must pass the resolution, and the president must sign it for it to take effect.
The rule's implementation was called into question when Rep. Gary Palmer, R-Ala., on Nov. 15 submitted a joint resolution of disapproval to block the CMMC rule, as part of his effort to give Congress a stronger role in reviewing major regulatory actions.
However, Rep. Palmer’s objection went unheeded, as no other lawmaker raised any concerns during the review process.
With the program now in effect, it’s time for companies to get serious about their CMMC certifications, and Certified Third-Party Assessor Organizations (C3PAOs) can finally begin assessments based on the new rule.
But, while the program is officially in effect, don’t expect to start seeing CMMC in contracts just yet. Its full implementation is still on hold, waiting for the revision of the Defense Federal Acquisition Regulation Supplement (DFARS) clause and the final publication of the rule in the Federal Register.
DoD officials expect to publish the DFARS follow-on rule to contractually implement the CMMC Program in early to mid-2025.