Pentagon plans to publish CMMC 'interim rule' by May 2023

By Sara Friedman / April 8, 2022

[Editor's note: This article has been updated to clarify how the waiver process will work, based on additional information from the Defense Department.]

CMMC director Stacy Bostjanick says the Pentagon is planning to release the “interim rule” to implement its Cybersecurity Maturity Model Certification program by May 2023, with initial requirements showing up in DOD contracts 60 days after the rule publication.

“The CMMC team is in Groundhog Day because now we have to go through the 32 CFR rulemaking activities and relook at the 48 [CFR] that we did last time to update it for what is going to happen with CMMC 2.0,” Bostjanick said at an event on Thursday.

Bostjanick said, “We estimated when we started this journey [in November 2021] that it would take us nine to twenty-four months. The nine months has gone away. We hope to have everything ready to submit to OMB to start the rulemaking process by July.”

Title 32 of the Code of Federal Regulations is focused on the CMMC program, while Title 48 is an update to the original interim final rule that went into effect in November 2020.

Bostjanick said DOD is going to submit the 32 CFR rulemaking to the Office of Management and Budget to “get it started and then we [will] ask for an interim and then we [will] follow up with [the] 48 [CFR]. Our hope and prayer is that we are accepted for an interim rule and by May of 2023 we will be able to have that interim rule and CMMC requirements will show up in contracts 60 days later.”

Bostjanick spoke Thursday at a cyber event hosted by the New England chapter of the National Defense Industrial Association. The event featured industry speakers talking about various CMMC topics and a presentation from DOD chief software officer Jason Weiss on the Pentagon’s Software Bill of Materials “vision.”

The Pentagon expects CMMC requirements to show up first in requests for information that will provide details on what maturity level is needed before a request for proposal is released, Bostjanick said.

Bostjanick provided details on the interim period where the companies will be able to get a CMMC assessment ahead of the rule going into effect.

The goal is to be able to obtain a three-year certification that goes into effect when a contract is awarded, but Bostjanick told attendees, “Legal counsel says I cannot promise that we will be able to do that because we don’t know what is going to happen with rulemaking. One of your compatriots may complain about it and we may not be able to allowed to do it.”

Bosjtanick said, “So we have to think that through but we are encouraging companies to move forward and get that CMMC certification today. We have eight C3PAOs that are already” approved on the CMMC-AB’s Marketplace website.

She added, “We need to finish a couple of documents on the government side to get the LTPs [licensed training providers] and LLPs [licensed partner publishers] running and we are close to that. We are working as fast as we possibly can so we can get the ecosystem kicked into gear.”

DCMA’s Defense Industrial Base Cybersecurity Assessment Center is working with the CMMC program management office on “early adoption,” Bostjanick said.

The DIBCAC started conducting assessments of contractors against NIST Special Publication 800-171 in 2019. CMMC level two is closely aligned with the NIST publication.

At an event in March, DCMA’s John Ellis said he expects the early adopter assessments to start “later this summer.” His thinking is that the initial assessments will be for the companies who passed a DIBCAC NIST 800-171 audit in 2019.

Bostjanick said the current plan is to allow a certified third party assessment organization to do the assessment “and the DIBCAC team would do a bit of oversight.” She added, “They would be able to accept the DIBCAC High assessment and move forward.”

Under CMMC 2.0, the Pentagon announced plans for CMMC level two to have a bifurcated assessment regime where third party assessments are only needed for some DOD contracts with information critical to national security. Level two focuses on controlled unclassified information.

Bostjanick said, “What we are doing shortly is a tabletop exercise to be able to map it to provide the proper instruction to the DIB and our program managers to make sure we recognize which CUI is considered not as important as the other.”

The DOD “program manager is going to be the one who will deconstruct and work through the CUI as we go through the program,” Bosjanick said, adding that she realized when CMMC started “program managers need a desk guide to figure out how” to establish the requirements in a contract.

Bostjanick created the guide, but she said “my guide probably needs a little bit more refinement to make sure we’ve got the instructions down so they understand and we understand.”

CMMC 2.0 allows for companies to have a plan of action and milestones for the first time as well as waivers.

“We heard a lot of squawking from the services who said ‘Hey I may have a brand new innovative capability where none of the participants could possibly be ready for CMMC by the time we have to award this because it is such an emerging thing’ so we want to be able to waive it,” Bosjtanick said.

The acquisition official would have to go to the DOD service acquisition executive (SAE) “to get approval” for the waiver, Bostjanick said. “The company that gets the contract is going to have to pursue and close out their CMMC certification. We are thinking the 180-day timeline again and we are going to expect the program and contractor to have some sort of risk mitigation plan for that data while it is exposed because [they] don’t have the CMMC requirements in place.”