DOD, OMB expect September release of proposed CMMC rule

Gettyimages.com/ putilich

Find opportunities — and win them.

The rule that details the defense industrial base's new cybersecurity standard appears ready for review at the Office of Management and Budget.

The Defense Department and Office of Management and Budget are now slating the release of a proposed Cybersecurity Maturity Model Certification rule for September.

The release of the notice of proposed rulemaking was last expected in June, but that month came and went. A new update on the website of OMB’s Office of Information and Regulatory Affairs pegs the release for September.

CMMC will move the defense industry away from self-attestations for compliance with National Institute of Standards and Technology guidelines for how to protect controlled but unclassified data on industry networks.

CMMC will require third-party assessors, who in essence will audit contractors for compliance with NIST-Standard 800-171.

One clear sign of movement is that the OIRA docket says that OMB received the proposed rule on July 24, indicating that OMB can now review the rule.

Once officially released, the proposed rule will include a public comment period. The Defense Department will collect and respond to comments, which adds at least six months to the process and maybe more. A final rule will likely not be in place until deep into calendar year 2024.

The rule has been delayed several times as the DOD revamp its approach, including changing to the longer proposed rule making process. Originally, the expectation was that CMMC would come out as an interim final rule, which would become final in 60 days.

A proposed rulemaking brings more involved comment and feedback process. While the new process is longer, it also indicates that DOD sees this as a significant rule.

The CMMC rule has been anxiously awaited by industry. Some companies have forged ahead with CMMC plans while many have taken a wait-and-see approach.

DOD has in the meantime allowed third-party assessors, certified by the industry group Cyber AB, to conduct joint assessments with the Defense Industry Base Cybersecurity Assessment Center.

They have worked together on the Joint Surveillance Voluntary Assessment program, which validates compliance with NIST 800-171. Those scores are supposed to translate to CMMC Level 2 when the rule becomes final.