After what feels like an eternity in regulatory limbo, the Department of Defense’s (DoD) long-awaited cybersecurity compliance policy cleared the regulatory review process, moving toward Congressional review before it becomes law.
The Office of Information and Regulatory Affairs (OIRA) cleared the final rule for the DoD’s Cybersecurity Maturity Model Certification (CMMC) program on Sept. 13, meaning no further changes can be made unless the House, Senate, and president decide to overturn it – an unlikely scenario.
The final rule has been under OIRA’s review since late June.
As part of the CMMC program, Defense Industrial Base (DIB) contractors and subcontractors will need to implement necessary security measures for Federal Contract Information (FCI) and introduce new security requirements for Controlled Unclassified Information (CUI) related to specific priority programs.
DoD published interim rules for the CMMC program in 2020, aiming to establish a standardized framework for safeguarding sensitive information within the defense supply chain. However, the initial rollout faced significant criticism from the defense contractor community, particularly regarding the compliance costs associated with the original framework.
In response to the feedback, the DoD introduced CMMC 2.0 in 2021, which aimed to address these concerns and streamline the compliance process. One of the key changes in the final rule is the reduction of required cybersecurity assessment levels for DIB contractors and subcontractors from five to three.
CMMC Level 1 incorporates “basic safeguarding” of FCI, CMMC Level 2 incorporates “general protection” of CUI, and CMMC Level 3 incorporates a “higher level of protection against risk from advanced persistent threats.”
Notably, OIRA previously cleared a proposed rule to incorporate CMMC requirements into the contracting process. This proposed amendment to the Defense Acquisition Regulations Supplement (DFARS), published in the Federal Register on Aug. 15, seeks to embed CMMC standards into the Pentagon’s solicitations and contracts.
The comment period for the DFARS rule will close on Oct. 14.
The CMMC final rule is now headed to Congress for a 60-day review, after which it will become law. If Congress takes no action during this period, the rule will automatically take effect.