Pentagon separates rulemakings for NIST standards, CMMC as work to establish cyber certification program continues

By Sara Friedman  / March 2, 2022

The Defense Department is moving forward with its plans to split cyber certification requirements for contractors into two separate rulemakings, focused on NIST Special Publication 800-171 and the Cybersecurity Maturity Model Certification program.

The split is part of the Pentagon’s effort to implement CMMC 2.0, which was outlined in a November advance notice of proposed rulemaking. The notice said, “DOD will pursue rulemaking in both: (1) Title 32 of the Code of Federal Regulations (CFR); and, (2) title 48 CFR, to establish CMMC 2.0 program requirements and implement any needed changes to the CMMC program content in 48 CFR. Both rules will have public comment periods.”

It continued, “Publication of title 32 and title 48 CFR rules will implement DOD's requirements for the updated CMMC version 2.0, which include various modifications from CMMC 1.0.”

DOD opened a new case for “NIST SP 800-171 DoD Assessment Requirements” on Feb. 16, according to the Feb. 18 edition of the DFARS Open Cases report from Defense Pricing and Contracting. The latest edition of the DFARS report says the Defense Acquisition Regulatory Council director has “tasked [an] Ad-hoc team to review public comments, draft final DFARS rule.” The report deadline for the Ad-hoc team is April 6.

“This establishes the 32 CFR status and separates the 7021 clause effort from the 7019 & 7020 so those clauses can move to final rule while CMMC executes its 32CFR Rule making and updates its 48 CFR rulemaking,” DOD spokesman Russell Goemaere told Inside Cybersecurity.

In the 2020 interim final rule, DFARS clause 252.204-7021 sets up the CMMC program. The other two clauses, 252.204-7019 and 252.204-7020, are focused on NIST SP 800-171, including a requirement for contractors to submit their NIST SP 800-171 assessment scores to DOD’s Supplier Performance Risk System.

The public comments in the new case “are from the original 48 CFR effort and there will still be opportunity for more public comments in association with 32 CFR effort,” Goemaere said.

The synopsis for the original rule in the DFARS report has changed to reflect the new rulemaking. It states: “Implements a DOD certification process, known as the Cybersecurity Maturity Model Certification (CMMC), that measures a company’s maturity and institutionalization of cybersecurity practices and processes. Partially implements section 1648 of the FY20 NDAA. (See DFARS case 2022-D017 for the NIST SP 800-171 DoD assessment requirements.)”

The deadline for the Ad-hoc team on the original case to submit its report evaluating public comments and the draft final rule is today. However, this deadline has been extended multiple times over the past year, and a complete report being filed today is unlikely.

Currently, the two rulemakings are on track for release in December, according to DOD’s Fall 2021 Unified Agenda of Regulatory and Deregulatory Actions. Pentagon officials have said the rulemaking process will be completed within 15 to 24 months, but the exact timing remains unclear.

The CMMC Accreditation Body is preparing to launch official voluntary CMMC assessments that can take place during the interim period before the rulemakings go into effect.

At a CMMC-AB “Town Hall” meeting last week, CMMC-AB CEO Matthew Travis said he expects those assessments to start in the second quarter of 2022, but there are details that need to be sorted out with DOD, including the public release of the CMMC assessment process guide.