Waiting game continues for release of draft CMMC rule
It appears the White House budget office has finished its review of the new industry-wide cybersecurity standard ahead of the final unveiling.
With the first full week of December halfway over, there is still no public release of a draft rule for the Cybersecurity Maturity Model Certification standard for certifying that sensitive government data on private sector networks is protected.
Many people including myself expected the draft final rule would go out before the end of November. There were also signs from the Office of Management and Budget that the release was going to happen.
OMB’s Office of Information and Regulatory Affairs dashboard shows that several CMMC-related documents finished their reviews on Nov. 17.
That includes an overview of CMMC, along with scoping and assessment guides. But the guides have not been released yet because the draft rule has not been unveiled yet.
With all of the documents poised for public debuts, indications are that OIRA met its Nov. 30 deadline for completing a review of CMMC.
So what is the hold up?
It appears that CMMC is back at the Defense Department undergoing what should be a final review before the draft rule is published in the Federal Register. The national security mission behind CMMC is one big reason for the final review.
The draft rule apparently will include information on the justification for CMMC. In other words, DOD will give its why-we-need-to-do-this reasoning behind the rule. It is unclear how long this review will take.
The only early indication we expect to get is the Federal Register’s custom of publishing the names of notices the day before the notice is published. That will pretty much be a notice of the notice.
We’ll continue to check Federal Register each morning to see if the proposed rule is coming out the next day. Right now the earliest CMMC will be released is Friday, but only if the Federal Register has a notice Thursday morning.
In the meantime, we continue to hear from informed observers that companies should be preparing now for CMMC and not wait for the draft rule or even the final rule to be published.
You can find a lot of advice and insights on the CMMC page of our website. You will also find coverage of our Nov. 8 CMMC Summit and other related content on the topic.