The Department of Defense (DoD) is in the process of updating the Code of Federal Regulations (CFR) to include the Cybersecurity Maturity Model Certification (CMMC) 2.0 program, and DoD’s Principal Deputy CIO Kelly Fletcher said that an updated CFR should be available for public comment by March 2023.
Fletcher, speaking at AFCEA NoVa’s Small Business IT Day on May 5, said that once the rule is available for public comment, she envisions that CMMC 2.0 will begin to become a part of contracts by summer 2023.
“We think that the rule will be published for public comment in March 2023. So in about a little less than a year,” Fletcher said. “And the reason that’s really important is this is public comment. Y’all have the opportunity to comment, and we want your comments. You know, I want you to say [whether] this is too onerous; this is expensive; this isn’t onerous enough.”
The potential clarity on a CMMC 2.0 timeline comes after industry representatives recently complained that they were getting mixed signals about when the new program's requirements would be written into contracts.
The CMMC 2.0 program was announced in November 2021 after a lengthy internal review process. The bottom-line result of that review was a program with fewer maturity levels: three, compared with the original five.
“The key takeaway is [CMMC] 1.0 [was a] really, really good effort. Very, very robust,” Kelly said. “[CMMC] 2.0 we think is less onerous. It’s streamlined, [and] we think it’s going to be easier for folks to be successful with 2.0. So that’s really the goal as we move to 2.0. [There are] fewer levels. I think it’s just a more streamlined approach.”
With the expectation that CMMC 2.0 may be required as soon as next summer, Kelly said the time for organizations to begin preparing for CMMC 2.0 is now.
“What I would say is if I were you, I would start looking hard at what kind of information do I currently have? Am I compliant with current requirements? And am I sure I am?” Kelly said.
The DoD wants to drive early adoption of CMMC 2.0 and is currently exploring options under which early adopters' three-year certification clock would start only after the rule officially goes into effect. However, the department cannot guarantee that this effort will ultimately succeed.
“Everything at this point is pre-decisional,” said Stacy Bostjanick, Chief of Implementation and Policy in DoD’s Office of the CIO. “It is our intent that if a company adopts CMMC early, once CMMC becomes a rule, you will still have your CMMC certification valid for three years from that point. [While] understanding that if somebody brings up an issue with it and rulemaking we may not be able to continue with that.”