Bostjanick: DOD plans to submit CMMC rule 'imminently' for OMB review, urges companies to reach compliance

By Sara Friedman  / November 10, 2022

Cybersecurity Maturity Model Certification program Director Stacy Bostjanick urged defense companies to get prepared for assessment under the CMMC effort, as the process to finalize version 2.0 changes gets closer to fruition.

“We are working very diligently to get the rule submitted and anticipate that imminently,” Bostjanick said Wednesday at the first CMMC conference supported by the Cyber Accreditation Body.

“Of course you know, once it goes in for formal review we will not be allowed to discuss anything with regard to the rule until it comes out for public comment,” she told attendees.

Bostjanick announced plans in May to issue the new interim final rule in March 2023, with a 60-day public comment period before the regulation goes into effect. At that time, the expectation was the interim rule would be submitted in July, but that timeline has shifted significantly.

However, DOD officials cautioned in May that their initial estimated timeframe would allow for delays if the White House Office of Management and Budget review process takes longer than expected. It’s unclear when the rule will be officially submitted.

“The biggest thing that we need to keep in the forefront of our minds is we need to get on this,” Bostjanick said, referring to reaching CMMC compliance. “This is not something to wait for it to come out through rulemaking. It is going to happen.”

“We are trudging along that line” toward the rule, according to Bostjanick.

The Defense Department announced a significant revamp of the CMMC program in November 2021 following an internal review. As a result, the department decided to undergo a new rulemaking to update Title 48 of the Code of Federal Regulations.

Following the release of the interim rule, DOD will finalize the original CMMC rule from 2020 amending Title 32 of the CFR based on the 850 comments received on the initial regulation.

Bostjanick was expected to appear in person at the CMMC conference in Tysons Corner, VA. She filmed a short video after a scheduling conflict occurred.

Speakers at the conference included NIST’s Victoria Pillitteri, Cyber AB CEO Matthew Travis, CAICO interim executive director Melanie Kyle Gingrich, the Information Technology Industry Council’s Leopold Wildenauer and Robert Metzger of law firm Rogers Joseph O’Donnell.

Pillitteri provided an update on the next revision of NIST Special Publication 800-171, which focuses on the handling of controlled unclassified information on nonfederal systems. The 110 controls in the publication are foundational to the CMMC level two certification.

NIST plans to release the first draft of 800-171 Rev. 3 in the spring and will hold a workshop to go over proposed changes. The standards agency released an analysis of comments received to inform the update on Nov. 1.

According to the analysis, the upcoming draft will:

* Update the security requirements for consistency and alignment with SP 800-53, Revision 5 (including inclusive language updates), and the SP 800-53B moderate-impact baseline;

* Develop a CUI overlay (Supplementary Appendix to the existing security requirement catalog) to better link the CUI security requirements to the SP 800-53 controls for stakeholder feedback; and

* Consider and propose options on how best to address stakeholder feedback on the NFO control tailoring.

NIST found that many of the comments received were out of scope, including “[c]urrent and planned requirements” related to implementation of the CMMC program, establishing reciprocity between CUI requirements and other federal cybersecurity requirements such as FedRAMP, contractual requirements of federal agencies, and Software Bill of Materials.