The Defense Department needs to adjudicate comments and Congress needs to review the final rule on how contractors protect information before the standard takes effect.
One frequent question we continue to receive is simple: When will the Cybersecurity Maturity Model Certification rule become final?
The short answer is we don’t really know. Many informed observers we speak to are pointing to the first quarter of calendar year 2025. But there is a lot for industry and government alike to do between now and then.
Once finalized, CMMC will govern how contractors certify that they protect controlled unclassified information on their networks. The rule will require contractors to go through a third-party certification process.
As every CMMC observer and practitioner says, do not wait for the final rule. Preparations should already be under way; otherwise, you risk falling behind competitors and not being ready when CMMC starts showing up as a requirement in contracts.
Several steps are ahead before the rule becomes final.
The draft rule was released Dec. 26 and the comment period runs through Feb. 26. That is the current step, and according to comments at the Cyber AB town hall on Jan. 30, there is a possibility that the comment period could be extended.
It is wise to assume there will be no extension.
Once the comment period is finished, the Defense Department will need to respond to the comments in some form. That represents the adjudication period.
The rule also has to go back to the White House's Office of Information and Regulatory Affairs for another review. Cyber AB CEO Matt Travis said no one knows for sure how long that review will take.
A second proposed rule will be coming in March when the Title 48 rule for CMMC is released.
The Title 48 rule will describe how procurement and acquisition processes will enforce the CMMC requirement. There will be a 30-day or 60-day comment period for that rule. The Title 48 rule is expected to be much shorter than the proposed CMMC rule released in December.
Once DOD works through all the comments and OIRA finishes its review, the rule goes to Capitol Hill to meet Congressional Review Act requirements. The rule also goes to the House, Senate and Government Accountability Office.
Congress can stop a rule from moving forward by passing a joint resolution of disapproval, which would then be signed by the president.
That is very unlikely to happen with CMMC, but 2024 being an election year creates a pressure point.
The Congressional Review Act gives Congress 60 days to act. But because this is an election year, a new Congress will be seated in January. The 60-day review period cannot straddle two sessions of Congress.
If DOD wants CMMC to become effective in early 2025, then the rule has to get to Congress by mid-October so that the full 60-day review period elapses before this congressional session ends.
If DOD can’t meet that deadline, then the rule goes to the next session of Congress when it begins in January. A new 60-day clock starts then, which would push the effective date of CMMC to sometime in March.
All of that is to say, no one can really answer the question of when CMMC becomes effective with much precision. It should be somewhere between early January and late March.
Once CMMC is effective, DOD will start its implementation plan. By Oct. 1, 2026, CMMC will be required on all defense contracts. That is a date everyone should feel confident in.
But clearly, there is a lot of work for everyone to do and not much time to do it.