Navigating New CMMC Changes:
Stay Informed

Rev. 08/2023

The trajectory of the Cybersecurity Maturity Model Certification (CMMC) program is poised for a significant shift as the Department of Defense (DoD) advances towards the finalization of its regulatory framework. As the CMMC rule receives formal submission to the Office of Information and Regulatory Affairs (OIRA), a meticulous analysis of its implications offers valuable insights into the evolving timeline of CMMC implementation.

Formal Submission to OIRA Initiates Progression Towards Publication

A pivotal juncture has been reached with the official submission of the CMMC rule to OIRA for rigorous regulatory scrutiny. According to the OIRA docket, OMB received the proposed rule on July 24, setting into motion a sequence of events that will culminate in its official publication. In accordance with established protocol, all executive branch regulations undergo thorough OIRA review as part of the standard rulemaking process. The duration of delays in the CMMC’s progression, often referred to as hindrances, was associated with the interval taken by the DoD to submit the rule to OIRA. The DoD decided to revamp their approach to CMMC based on public feedback and on assessment process challenges associated with the initial pilot program. Now with the formal submission concluded, the subsequent phases of rulemaking are now set in motion.

A proposed rulemaking brings more involved comment and feedback process. While the new process is longer, it also indicates that DOD sees this as a significant rule.

The CMMC rule has been anxiously awaited by industry. Some companies have forged ahead with CMMC plans while many have taken a wait-and-see approach.

DOD has in the meantime allowed third-party assessors, certified by the industry group Cyber AB, to conduct joint assessments with the Defense Industry Base Cybersecurity Assessment Center.

They have worked together on the Joint Surveillance Voluntary Assessment program, which validates compliance with NIST 800-171. Those scores are supposed to translate to CMMC Level 2 when the rule becomes final.

Projected Timeline of CMMC Rule Review and Publication

Following the receipt of the CMMC rule by OIRA, a period of 90 days is allocated for comprehensive review although historically they have not always taken that long. Accordingly, publication of the CMMC rule is expected in the September or October 2023 timeframe.

Public Comment Period and Elaboration of Final Rules

Integral to the rulemaking process is a standard 60-day public comment period, typically commencing upon the rule’s appearance in the Federal Register. This deliberative period serves as an opportunity for stakeholders to express opinions, thereby fostering an inclusive discourse. Upon the closure of the comment period, the transition to “final rules” necessitates a secondary publication, encompassing government responses to received comments and resultant modifications. The anticipated public comment phase for CMMC is expected to span from October to December 2023.

Determining the Onset of CMMC in Contracts

The prospective categorization of the CMMC rule as either an “interim final rule” or a “proposed rule” holds significant implications for its implementation within contracts. An interim final rule takes effect prior to the completion of agency responses in a final rule, whereas a proposed rule becomes effective after the incorporation of public comments in a final rule. The average duration for DoD proposed rules to transition into final rules is typically close to a year, meaning  the finalization of the CMMC rule and subsequent integration into contracts is forecasted between February and April 2025. However, if the CMMC rule receive interim final status, its presence in contracts could materialize as early as Q1 2024. It is worthwhile to note that the November 202 rule on CMMC was an interim rule.

Phased Roll-Out and Contractual Integration

In an endeavor to foster seamless integration, the DoD aims to implement CMMC through a three-year “phased-roll out” of contract clauses. This strategic approach mirrors the CMMC 1.0 strategy and seeks to gradually incorporate DFARS 252.204-7021 into various contract groups over the designated timeframe, eventually encompassing all relevant DoD contracts by 2028.

Institutional Framework and Regulatory Momentum

A critical aspect to consider is the formal handover of the CMMC rule to OIRA, signifying the completion of DoD’s textual modifications. It is imperative to recognize that any lapse in communication or perceived silence between July 24th, 2023, and the rule’s final publication does not reflect instability in the CMMC program or DoD’s stance on the matter.

Realignment of Timelines: Implementation vs. Rulemaking

Remarkably, the duration required for the implementation of cyber requirements now surpasses that of the rulemaking process itself. For entities operating within the DoD supply chain, the journey from standard operation to assessment-ready status takes an average span of 12 – 18 months, indicating the evolving dynamics of this landscape.

As the CMMC program journeys toward its finalization, enterprises within the Defense Industrial Base are presented with a strategic crossroads. A comprehensive understanding of the anticipated shifts in the CMMC timeline will empower stakeholders to make informed decisions in preparing for the forthcoming regulatory landscape.

Regardless of where you are in your CMMC compliance journey, Coalfire Federal can help.

Our Suite of Certification, Compliance and Advisory Services Include:

About Coalfire Federal

For 20 years, Coalfire Federal has provided cybersecurity services to a wide range of government and commercial organizations, enabling and protecting their mission-specific cyber objectives. Coalfire Federal is the leading FedRAMP 3PAO and an Authorized CMMC C3PAO, and offers a full spectrum of cybersecurity risk management and compliance services. For more information about Coalfire Federal, visit coalfirefederal.com.