Rulemaking, supporting documentation for Pentagon's CMMC program nears formal publication

By Sara Friedman / December 1, 2023

The Defense Department's work to prepare the proposed rule for its Cybersecurity Maturity Model Certification program is nearing completion, according to a Pentagon spokesperson, with publication in the Federal Register expected as soon as next week.

“The CMMC 32 CFR Proposed Rule is in the final stages of review and processing prior to posting to the Federal Register for a 60-day public comment period,” Pentagon spokesperson Tim Gorman told Inside Cybersecurity on Thursday.

The Pentagon announced major changes to the CMMC program in November 2021, following an internal review. DOD embarked on a process to amend Title 32 of the Code of Federal Regulations to implement those changes and will also update Title 48 of the CFR, which contains the first CMMC rule published in 2020 under the government’s Defense Federal Acquisition Regulation Supplement.

The 48 CFR rule is on a separate track. According to the latest DFARS Case Status report, the process to review public comments and draft a proposed DFARS rule is ongoing through an “Adhoc Team.”

The current deadline for the report from the team was Nov. 29. There have been multiple extensions on the report over the past year and a half. The 48 CFR rule will be finalized after the 32 CFR rule is published, according to a source.

The 32 CFR rule was approved on Nov. 21 by OMB’s Office of Information and Regulatory Affairs.

OIRA also finished its review on Nov. 17 of eight CMMC documents that are each categorized as a “Notice.” They include an update to the CMMC model and assessment and scoping guides for the three levels. There is also a “CMMC Hashing Guide.”

DOD provided a sneak peek in July of the documents as drafts via an information collection request that was unintentionally made public on the OIRA website. The documents were removed the following week after gaining attention from stakeholders.

The source said the documents are expected to be published individually in the Federal Register as soon as next week. However, the source said their publication may not align exactly with the release of the 32 CFR rule.

The documents will remain drafts and offer an opportunity for the public to provide comments, the source said. During the sneak peek, DOD revealed for the first time details of what will be required in CMMC level three.

The source said the CMMC rule and supporting documents are hundreds of pages long. The proposed rule starts with a preamble, the source said, that explains DOD’s thought process and summarizes each section of the rule.

The rule also contains a regulatory impact analysis and other components that are typically found in a rulemaking implementing a major DOD program, according to the source.