The Pentagon submitted its proposed rule to implement the Cybersecurity Maturity Model Certification (CMMC) program to the White House for review in July and is now gearing up for the next phase of the rulemaking process: industry comments.
Top CMMC officials said Thursday that the Office of Management and Budget is expected to release the updated rule for public comment in the “November [and] December timeframe.” Industry will then have 60 days to submit its input before the Defense Department (DoD) unveils the finalized rule, which is expected in the fall of 2024.
“The rule is currently under review by OIRA, the Office of Information Regulatory Affairs, they got a significant amount of time to review and [are] expected to send out for public comments November, December timeframe,” Matthew Travis, Cyber AB’s CEO said during day three of the Billington Cybersecurity Summit in Washington.
“Then industry will have the chance to respond to that, and then DoD will have to adjudicate those comments and then hopefully CMMC will actually go live sometime in 2024,” Travis – who also is a former Cybersecurity and Infrastructure Security Agency deputy director – added. Cyber AB is the sole authorized non-governmental partner of the DoD in implementing and overseeing the CMMC program.
Specific details of what is inside the proposed rule have not been made publicly available.
The CMMC framework is meant to assess defense contractors’ compliance with the cybersecurity requirements that protect federal contract information and controlled unclassified information from advanced persistent threats and other cyberattacks.
The CMMC Director at the Pentagon, Stacy Bostjanick, said it’s critical that industry responds during the forthcoming 60-day comment period.
“We do want the good comments. We do want to be brought to mind what we forgot or didn’t think about,” Bostjanick said. “We do want to hear from each one of the companies. If somebody has a better way to build a mousetrap, let us know. Because we’re open to all of that to try and make this right, and we do recognize the importance of this effort.”
Cyber AB’s Travis said he hopes CMMC 2.0 goes live in the fall of 2024 – before the new election cycle.
The CMMC 2.0 rulemaking process has been a lengthy one, with DoD officials originally stating that they expected the program to become a part of contracts this summer. But CMMC has been delayed several times as the DoD revamps its approach, including the shift to a longer proposed-rule process. The DoD first expected to publish CMMC as an interim final rule, but a proposed rule involves a more extensive comment and feedback process.
In November 2021, the Pentagon introduced the second iteration of the framework to simplify the program standards and clarify cybersecurity policy, regulatory, and contracting requirements.
As private sector organizations anxiously wait for the final CMMC rule, some companies have forged ahead with CMMC plans while many have taken a wait-and-see approach.
In the meantime, while the CMMC program is under review, the DoD has allowed third-party assessors accredited by Cyber AB to conduct joint assessments with the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC); the resulting scores are intended to translate into CMMC Level 2 certifications once the rule becomes final.