The Defense Department will hold a public meeting on its Cybersecurity Maturity Model Certification program after the proposed rule implementing the initiative is published in the Federal Register, according to the latest unified agenda and regulatory plan.
The proposed rule will make changes to Title 32 of the Code of Federal Regulations. The rulemaking was approved on Nov. 21 by the White House Office of Management and Budget's Office of Information and Regulatory Affairs and is on track for publication in the Federal Register soon. The fall 2023 unified agenda was published on Wednesday.
The CMMC entry in the fall unified agenda says the CMMC framework will help DOD “assess a Defense Industrial Base (DIB) contractor’s compliance with implementation of cybersecurity requirements to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) transiting non-federal systems to help mitigate the threats posed by Advanced Persistent Threats -- adversaries with sophisticated levels of expertise and significant resources.”
It continues, “Office of the DOD CIO/CMMC Program Management Office plans to host a public meeting on the 32 CFR CMMC Program proposed rule after it is published in the Federal Register for public review and comment.”
The proposed rule will have a 60-day public comment period. The CMMC entry contains potential alternatives considered by DOD to “reduce the burden on the DIB community and still meet the objectives of this rule.”
On anticipated costs and benefits, the entry says, “The theft of intellectual property and sensitive information, including FCI and CUI, from all U.S. industrial sectors due to malicious cyber activity threatens U.S. economic and national security. The Council of Economic Advisors estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016.”
“By incorporating heightened cybersecurity standards into acquisition programs, the CMMC Program provides the Department assurance that contractors and subcontractors are meeting DOD’s cybersecurity requirements and provides a key mechanism to adapt to an evolving threat landscape,” the entry says.
The rule was expected in November, according to the entry. Agencies were required to send their submissions for the fall 2023 unified agenda by Aug. 17 and may not have a firm expected date at that time to provide to OIRA.
The unified agenda also contains an update on the second CMMC rule, which will amend the original Title 48 CFR rule. DOD issued an interim final rule in 2020 for CMMC under the government’s Defense Federal Acquisition Regulation Supplement.
The 48 CFR proposed rule will be published in March, according to the unified agenda entry.
The entry says, “DOD is amending an interim rule to implement the CMMC framework 2.0 in order to protect against the theft of intellectual property and sensitive information from the Defense Industrial Base (DIB) sector. The CMMC framework, as defined in Title 32 of the Code of Federal Regulations (CFR), assesses compliance with applicable information security requirements.”
“This rule provides the Department with assurances that a DIB contractor can adequately protect sensitive unclassified information at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain,” the entry says.
A third cyber rule is also in the pipeline at DOD, covering the DIB Cybersecurity program. DOD issued a proposed rule in May that would expand the program to include more contractors that hold sensitive data for the military services and DOD agencies.
DOD plans to finalize the rulemaking in April 2024, according to the unified agenda.