DOD officials outline key provisions in CMMC proposed rule, upcoming acquisition requirements

By Sara Friedman  / February 16, 2024

Pentagon officials are providing an overview of major ecosystem components and upcoming regulations for the Cybersecurity Maturity Model Certification program in a new recorded video posted in advance of a Feb. 26 public comment deadline for the first rulemaking and eight draft guidance documents.

The Defense Department issued the first proposed rule to implement the CMMC program on Dec. 26. The 234-page rulemaking outlines the Pentagon’s process for assessments, CMMC ecosystem roles and the flow down of CMMC requirements through the supply chain.

The video is designed to “improve the understanding” of DOD’s proposed requirements for the CMMC program and to “increase the impact of the public comment period,” according to DOD official Gurpreet Bhatia, who gave opening remarks. The CMMC program is based in the DOD office of the CIO.

Bhatia in the video said DOD wants to “get comments that clearly articulate your perspective so that the department can address those key concerns in the final rule.”

DOD posted the video on Thursday as part of a news story on its website.

Bhatia is DOD principal director for cybersecurity and deputy chief information security officer. The video also features Stacy Bostjanick, chief of defense industrial base cybersecurity; Buddy Dees, director of the CMMC Program Management Office; Diane Knight, acquisition and rulemaking lead at the CMMC PMO; and Jen Henderson of the Defense Contract Management Agency.

The first CMMC rule amends Title 32 of the Code of Federal Regulations. Knight said the office of the Pentagon acquisition chief is leading work on a second proposed rule that amends Title 48 of the Code of Federal Regulations, which is the Defense Federal Acquisition Regulation Supplement.

Knight said, “We anticipate the proposed DFARS rule will be published for public comment this year.”

The first CMMC rule details the Pentagon’s plan for a four-phase rollout of CMMC requirements in defense contracts.

Knight said the two final rules will be published in the Federal Register with “associated effective dates” that are “concurrent.”

She noted that contractors are currently required under DFARS 252.204-7012 to meet the 110 security requirements in NIST Special Publication 800-171. Level two of the CMMC program is aligned with NIST 800-171 and level three adds on 24 security requirements from NIST 800-172.

“The CMMC DFARS clause will require CMMC assessment to verify that the respective CMMC level requirements are implemented,” Knight said. CMMC will require an assessment prior to a contract award, Knight said, and the contractor needs to maintain their CMMC assessment status throughout the “contract performance period.”

Dees spoke about the broader CMMC ecosystem, including the roles and responsibilities outlined in the proposed rule for the CMMC PMO, the CMMC Accreditation Body, the CMMC Assessor and Instructor Certification Organization, DCMA’s Defense Industrial Base Cybersecurity Assessment Center and CMMC third-party assessment organizations.

Dees also walked through three CMMC assessment levels and associated requirements.

At level one, contractors will need to meet all 15 requirements for handling federal contract information.

Level three assessments will be conducted by the DIBCAC, Dees explained. However, he said a contractor must first achieve a CMMC level two certification from a C3PAO, where they meet all 110 requirements from NIST 800-171.

The 32 CFR rule allows contractors to have a plan of action and milestones at CMMC level two. It contains a 180-day closeout period for meeting the remaining security requirements.

If not closed out, Henderson said, “Conditional certification will expire and normal contractual remedies will apply.”

Knight presented on the timeline for the 32 CFR rule, explaining how the CMMC PMO will draft the final rulemaking and complete comment adjudication when the comment period closes.

Knight said the final rule will go to the Small Business Administration for review after it is cleared by the DOD Office of the General Counsel.

The DOD regulatory process officer needs to approve the rulemaking, and then it will be sent to the White House Office of Management and Budget for the interagency review and approval process, which DOD estimates could take 90 days.

The final rule will be published in the Federal Register and then needs to complete Congressional Review Act requirements, which means that there is a mandatory 60 days before the rule can become effective, according to Knight.

Knight said, “The objective timeline for implementing contractor compliance with CMMC requirements has been and remains fiscal year 2025.”