The Defense Department expects to issue the final rule to implement its Cybersecurity Maturity Model Certification program in September, according to a recent update from the Office of Management and Budget.
The Pentagon issued an interim final rule on Sept. 29, 2020, establishing the CMMC program and setting up new requirements for defense contractors under National Institute of Standards and Technology Special Publication 800-171.
Several trade associations expressed concerns over costs for compliance and the need for consistent assessment standards for the defense industrial base. The interim final rule became effective the following Nov. 30 and DOD is currently in the process of adjudicating 850 public comments from a wide range of stakeholders.
The White House Office of Management and Budget's Office of Information and Regulatory Affairs recently published its semi-annual regulatory agenda for Spring 2021, which includes updates from departments and agencies on rulemakings and expected timeframes for publication. OIRA's website lists September 2021 as the expected month for the release of the CMMC final rule.
DOD is working on the rule internally through its Defense Acquisition Regulation Council. The group created an "Adhoc Team" to review the comments to the rule in April and draft changes.
The "Adhoc Team" was supposed to deliver its report to the DARC on June 8, but its deadline was extended to July 7, according to the latest update of Defense Pricing and Contracting's Defense Federal Acquisition Regulation Supplement Case Status report.
Once DOD has completed its review of the rule, it will send the rule to OIRA to start the interagency review process.
The planned release timeframe for DOD's final rule is consistent with testimony by Jesse Salazar, deputy assistant secretary of defense for industrial policy, who said at a May Senate Armed Services Committee hearing that completing a rulemaking for a program similar to CMMC "typically takes a year."