Last Updated on May 20, 2024
CMMC Rulemaking Changes Again—What’s the Timeline Now?
The US Department of Defense (DoD) has consistently asserted that federal rulemaking to support its Cybersecurity Maturity Model Certification (CMMC) program could take up to two years from the time of the CMMC 2.0 announcement in late 2021. More optimistic subsequent DoD projections called for Office of Management and Budget (OMB) review of the new rule in July 2022, completion of CMMC rulemaking by March 2023, and the initial appearance of CMMC 2.0 language in contracts in May 2023.
However, we now know that the proposed CMMC rule published on November 17, 2021 will not be reviewed by the Office of Management and Budget (OMB) until January 2023. Given an average time from publication to finalization of about a year to allow for comments, that puts “full implementation” of CMMC sufficient to support a pilot program and/or initial inclusion of a CMMC requirement in DoD contracts sometime in 2024 at the earliest.
Rulemaking details
Per the proposed rule, the CMMC rulemaking will come in two phases. First will be the title 32 CFR rulemaking for CMMC 2.0. This will be followed by additional title 48 CFR rulemaking to support CMMC 2.0 contract requirements via the DFARS.
Then there’s a parallel third rulemaking in 48 CFR to finalize NIST 800-171 assessment methodology and requirements.
While originally slated to be an interim final rule, the new rule is actually a proposed rule. Further, changes to align the CMMC 1.0 rulemaking with CMMC 2.0 in 48 CFR, originally published as an interim final rule, will also be issued as a proposed rule. Both rules are now scheduled for release in May 2023.
So… what’s the timeline now?
Until both the 32 CFR and 48 CFR rulemaking processes are complete and the CMMC 2.0 changes thus become effective, the DoD has suspended any CMMC pilot efforts and “will not approve inclusion of a CMMC requirement in DoD solicitations.”
DoD says it will “work through the rulemaking processes as expeditiously as possible.” That may be true. But it’s not exactly an official CMMC rollout timeline.
According to a DoD spokesperson, “The DoD continues to anticipate sending the draft 32 CFR rule to OMB in the very near term. However, as DoD has previously stated, the rulemaking process may take up to 24 months to complete.”
Further, “The objective timeline for implementing contractor compliance with CMMC requirements has been and remains FY25.”
What changes now for defense contractors?
Especially since the DoD’s official compliance timeline “remains FY25,” this somewhat unannounced and unacknowledged slip in the CMMC rulemaking and rollout doesn’t materially change anything for orgs in the US defense industrial base (DIB).
While the new proposed rule is being commented on and potentially amended, the current DFARS clauses 7012, 7019 and 7020 remain in effect and continue to appear in DoD contracts. Basically:
- DFARS 7012 mandates DIB orgs to self-attest to NIST 800-171 compliance
- DFARS 7019 makes those compliance scores available to DoD officials in the DoD’s Supplier Performance Risk System (SPRS) database, and to keep them current
- DFARS 7020 gives the DoD’s Defense Contract Management Agency (DCMA) the right to access a DIB org’s systems to perform their own NIST 800-171 compliance assessment
If you have these clauses in your DoD contract(s), you need to have NIST 800-171 controls in place today to protect controlled unclassified information (CUI).
While the CMMC rollout has been bumpy, the DoD’s commitment to protecting CUI across the DIB has not budged. Further, prime contractors are more strongly enforcing 800-171/CMMC cybersecurity requirements in their supply chains in order to participate in their RFPs.
As the DoD continues to emphasize, failure to comply with DFARS contract requirements could have both business and legal impacts. Meanwhile, the barrage of cyber threats continues to escalate. If your cybersecurity posture is insufficient to protect CUI, your entire business is at risk.
To get expert support to identify any gaps in your DFARs/CMMC compliance posture and planning next steps to achieve “provable security and compliance,” contact Pivot Point Security.