A reader's guide to the upcoming draft CMMC rule


Market observers have advice on what to read and how to comment when the Defense Department releases its proposed cybersecurity rule for the industrial base.

Government and industry leaders widely expect the last draft rule for the Cybersecurity Maturity Model Certification program to be released in the coming weeks and almost certainly before this year ends.

Depending on who one asks, the estimates range from the middle of November to the last day of the month.

Industry should prepare now for that release, and part of that preparation needs to include the comments it will file once the draft is out, industry officials said at Washington Technology’s second annual CMMC Summit held Wednesday.

CMMC is the Defense Department’s effort to move industry away from self-attestation of compliance with the guidelines for protecting controlled but unclassified data on industry networks.

CMMC will require a network of third-party assessors, who will be responsible for verifying that contractors are complying with National Institute of Standards and Technology Standard 800-171.

The draft CMMC rule will likely have a 60-day comment period, so speakers at the event offered several pieces of advice on how to get ready for a very long and dense document.

Bob Metzger, considered the father of CMMC, said he expects the proposed rule to exceed 150 pages.

“I’ve been told that there will be an extended treatment at the start of the rule that explains why they’re doing this and what it is supposed to mean,” he said.

Metzger co-authored the report Deliver Uncompromised for Mitre Corp. to catalog current and potential risks across the defense supply chain.

The start of the document is a signal to the rest of government as well as industry about the importance of what CMMC is and why the Defense Department is putting so much emphasis on it, Metzger said.

“You’ll really want to read that part because it puts the rule into context,” he said.

For companies that plan to attain a CMMC certification, the back portion of the draft will be important because it will contain explanations of how CMMC fits into two specific parts of the Code of Federal Regulations.

Metzger pointed to Part 32, which describes how DOD operates, and Part 48, which contains the federal acquisition regulations.

Part 32 will tell the Defense Department how to implement CMMC, but Metzger cautioned that it “will be very instructive to companies as to how their circumstances will be accommodated and what rights or potential remedies they may have.”

Jack Wilmer, former DOD deputy chief information officer for cybersecurity, worked on CMMC before leaving government for the CEO role at Core4ce.

Wilmer recommends companies avoid complaining about the draft.

“Make sure that your comments are as constructive as possible because that can be really, really helpful and can actually effect change,” he said.

DOD received 800 comments when it proposed the original CMMC 1.0 effort in 2020.

Metzger expects more comments this time around and said mere complaints will have little impact.

“If there are things that you really don’t like or you think need to be clarified, please tell them what you propose instead,” Metzger said. “They will be receptive to constructive criticism, because I think we’re more likely to see action on your criticism if it is accompanied by your recommendations.”