CMMC ecosystem prepares for rulemaking release, while exact timing remains uncertain

By Sara Friedman  / November 21, 2023

Stakeholders are getting ready for the upcoming release of a long-awaited rulemaking to implement the Pentagon's Cybersecurity Maturity Model Certification program, while the exact timing and content of the rule remain unclear two years after the Defense Department announced a major revamp.

“The CMMC train is gaining steam,” Cyber Accreditation Body CEO Matthew Travis said at the second annual CMMC Ecosystem Summit. Travis said the train is currently “at the station,” emphasizing to stakeholders that “it’s not too late to get on board but you have to do it now.”

DOD has required contractors to meet the 110 controls in NIST Special Publication 800-171 since December 2017 and put mechanisms into defense acquisition rules in 2020 that require reporting to DOD on compliance through the Pentagon’s Supplier Performance Risk System.

Through CMMC, defense contractors handling controlled unclassified information will need to obtain a third-party assessment through an authorized certified third-party assessment organization (C3PAO) accredited by the Cyber AB.

Over 500 people attended the Nov. 8 CMMC summit in person. Travis provided an opening presentation, followed by industry speakers and a concluding session with NIST 800-171 co-author Victoria Pillitteri and GovExec 360’s Troy Schneider. The final public draft of NIST 800-171 Rev. 3 was released the following day, along with a draft revision to its companion publication NIST 800-171A.

Excitement over the CMMC rule was palpable at the event, which offered opportunities for C3PAOs and other consulting firms to network and interact with potential clients who are getting ready for a CMMC assessment.

The CMMC rulemaking was submitted on July 24 to OMB’s Office of Information and Regulatory Affairs for review. OIRA had up to 90 days to review the rule, and the review is now under a one-month extension that concludes on Nov. 22.

Stakeholders who spoke with Inside Cybersecurity recognized the deadline could be extended again, while also being optimistic that the rule would be released by the end of November.

Once the OIRA review is concluded, the rulemaking will go back to DOD to be prepared for publication in the Federal Register. That process would take a few days or possibly longer, according to one stakeholder.

The rule is expected to be “proposed” with a 60-day public comment period. Contracting attorney Robert Metzger noted that the comment period could be extended, following a recent pattern where industry groups have sought extensions on major cyber regulatory activities to allow more time for collecting input from their members.

Metzger is chair of the Cybersecurity and Privacy Practice Group at Rogers Joseph O’Donnell. He participated in a panel discussion at the summit with Jack Wilmer, former DOD deputy CIO for cybersecurity, and spoke with Inside Cybersecurity on the sidelines of the event.

Metzger said he expects the final CMMC rule will be published in the first quarter of 2025.

Travis has stated in public forums that he also expects an early 2025 final release, while noting there could be a delay if Congress is unable to come up with an agreement for the fiscal year 2024 budget by November 17 and there’s a government shutdown.

Meanwhile, there is intense speculation on supporting documentation for the CMMC program that is also under review at OIRA.

Eight documents, each described as a “Notice” by OIRA, were submitted for review on Sept. 27. The documents are the CMMC model overview, the assessment and scoping guides for the three CMMC levels, and a “CMMC Hashing Guide.”

DOD provided a sneak peek in July of the documents as drafts via an information collection request that was unintentionally made public on the OIRA website. The documents were removed the following week after gaining attention from stakeholders.

Wilmer, now CEO at cyber firm Core4ce, said DOD isn’t required to put out the guidance documents at the same time as the proposed rule. It is likely that timing for the release of the documents will depend on how much feedback DOD gets on the proposed rule itself, Wilmer said.

There will be a “ripple effect,” Wilmer said, where feedback on the CMMC rule results in changes being made to the CMMC model and accompanying documents.

Metzger encouraged summit attendees to provide constructive feedback to DOD on the proposed rule when it is released. Metzger said the rule adjudication process typically takes a year and he expects DOD will leverage resources from federally funded research and development centers to help “accelerate it.”

The CMMC model and associated assessment and scoping guides were developed under a DOD contract with Carnegie Mellon’s Software Engineering Institute, an FFRDC, and Johns Hopkins’ Applied Physics Laboratory LLC, a university-affiliated research center.

CMMC rule content

The Pentagon has provided little concrete information over the past two years on what will be in the proposed rule when it is released.

Major changes to the program were announced in November 2021, following an internal review. DOD issued an advance notice of proposed rulemaking at the time highlighting major changes, including reducing the number of maturity levels from five to three and allowing companies to self-assess compliance with level one.

The ANPRM also establishes that DOD will allow companies to submit a plan of action and milestones and opens up the option of issuing waivers.

Metzger said he expects the rule will be around 150 pages and start with an “extended treatment” explaining why DOD is implementing the CMMC program and what the benefits are. CMMC leader Stacy Bostjanick has argued for making NIST 800-171 a standard for contractors across the entire federal government.

The Department of Homeland Security is moving forward with its own version of checking NIST 800-171 compliance through the launch of a “Cyber Readiness Factor” that can be used by acquisition officials as part of the evaluation process for contract bids. There is no rulemaking planned to implement the DHS initiative.

Metzger encouraged summit attendees to look at the back of the rule to find out what changes will be made to Parts 32 and 48 of the Code of Federal Regulations. He also highlighted the regulatory flexibility analysis accompanying the rule that will provide more insight into DOD’s decision-making process for CMMC.

In his opening remarks at the summit, Travis provided a rundown of burning questions on which he expects the rule to provide important guidance to CMMC participants.

First, Travis said the rule should address the role of managed service providers and managed security service providers. Travis expects that the providers will be able to obtain a CMMC certification.

Second, Travis emphasized the need for DOD to provide clarity on reciprocity with the General Services Administration’s FedRAMP program and what will be accepted for “FedRAMP Moderate” equivalency.

The third issue is small business concerns. Travis said small businesses need to be held “accountable” for reaching compliance with CMMC, but they shouldn’t be driven out of the defense industrial base.

Travis said he also expects to get information on the plan for phased implementation of CMMC and the appeals and dispute resolution process for assessments.

More clarity is needed on whether the rule will be based on the upcoming revision to NIST 800-171 or be more general by requiring compliance with 800-171 and leaving out a specific revision number for the NIST publication, according to Travis.

Details on how to close out the joint surveillance voluntary assessments should be in the rule, Travis said, along with information on who is the “technical authority” for CMMC. Travis said he is pushing for the creation of an adjudication council that will serve as a backstop.