DOD's CMMC rulemaking clears OIRA review process

By Sara Friedman  / November 22, 2023

The Pentagon's rulemaking to implement its Cybersecurity Maturity Model Certification program has completed the Office of Information and Regulatory Affairs review process, a major milestone that indicates the new regulation should show up in the Federal Register soon.

The Defense Department announced major changes to CMMC in November 2021 (the revision it calls CMMC 2.0) along with a plan to implement them through rulemaking. In an advance notice of proposed rulemaking, DOD said the number of CMMC levels will be reduced from five to three and that the “CMMC-unique practices and all maturity processes” would be removed from all levels.

The ANPRM also announced plans to make level one a self-assessment with an “annual affirmation by [defense industrial base] company leadership.” DOD will allow contractors to submit a “time-bound and enforceable Plan of Action and Milestone[s]” and will develop a “selective, time-bound waiver process, if needed and approved,” according to the ANPRM.

OIRA, which is part of the White House Office of Management and Budget, concluded the review of the CMMC rule on Nov. 21 with an action that says “Consistent with Change,” meaning the rule cleared review with changes made during the process. The rule will be sent back to the Pentagon to prepare for publication.

OIRA also finished its review on Nov. 17 of eight CMMC documents that are each categorized as a “Notice.” They include an update to the CMMC model and assessment and scoping guides for the three levels. There is also a “CMMC Hashing Guide.”

DOD provided an unintended sneak peek at draft versions of the documents in July, when an information collection request was posted publicly on the OIRA website. The documents were removed the following week after gaining attention from stakeholders.

It is unclear when the documents will be released publicly and if they will be part of the rulemaking or separate to allow specific comments for each item.

The CMMC rulemaking is expected to be a proposed rule, open to public comment, that makes changes to Title 32 (National Defense) of the Code of Federal Regulations.

The rulemaking entry on the OIRA website says: “DOD is proposing to implement the Cybersecurity Maturity Model Certification (CMMC) Framework, to help assess a Defense Industrial Base (DIB) contractor’s compliance with and implementation of cybersecurity requirements to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) transiting non-federal systems and mitigate the threats posed by Advanced Persistent Threats -- adversaries with sophisticated levels of expertise and significant resources.”