Pentagon presses ahead with CMMC rulemaking deadline after release of 'informational' video

By Sara Friedman / February 21, 2024

The Defense Department is limiting its engagement plans to an "informational" video for the first rulemaking under the Pentagon's Cybersecurity Maturity Model Certification program in advance of the Feb. 26 comment deadline, according to a Federal Register notice published today.

The first proposed rule was over two years in the making following a DOD announcement in November 2021 on major changes to the CMMC program. The rule amends Title 32 of the Code of Federal Regulations to implement the program.

Another rulemaking is in the works to amend the Defense Federal Acquisition Supplement and will build on the original CMMC interim final rule that went into effect in November 2020.

“The Office of the Department of Defense Chief Information Officer (DOD CIO) has released an informational video to provide the public with an overview of the proposed rule for DOD’s updated Cybersecurity Maturity Model Certification (CMMC) Program, which was published in the Federal Register on December 26, 2023 for public comment,” DOD says in the latest Federal Register notice.

DOD initially planned to hold a “public meeting” on the 32 CFR rulemaking after it was published.

The notice says, “The proposed rule establishes requirements for a comprehensive and scalable assessment mechanism to ensure defense contractors and subcontractors have, as part of the CMMC Program, implemented required existing security requirements for Federal Contract Information and Controlled Unclassified Information (CUI) and adds new CUI security requirements for certain priority programs.”

“This document announces that a video file containing an overview briefing of the CMMC proposed rule, presented by leadership and staff from the Office of the DOD Deputy CIO for Cybersecurity, was posted on the Internet on February 14, 2024,” according to the Pentagon. The notice provides a link to the video.

DOD published a news story on Feb. 15 announcing the release of the video. It says the video is “designed to better inform members of the defense industrial base and other interested parties about the proposed rule for the CMMC program and to help those stakeholders better prepare their own comments and input that will be reviewed before the CMMC program proposed rule is finalized.”

The Pentagon is facing multiple calls from industry groups to provide an extension on the comment period. The news story and video confirm that DOD will stick with the Feb. 26 deadline.

DOD has already received over 150 comments on the CMMC proposed rule. Pentagon spokesperson Tim Gorman told Inside Cybersecurity on Feb. 6, “We have already begun the adjudication process and will move to the next step rapidly after the close of the comment window.”

In the video, DOD officials provide an overview of defense industrial base cyber efforts, CMMC ecosystem roles, the maturity model, the phased implementation of CMMC, scoring CMMC assessments, how to submit public comments and the “Way Ahead” for the 32 CFR rule.

The video is designed to “improve the understanding” of DOD’s proposed requirements for the CMMC program and to “increase the impact of the public comment period,” Gurpreet Bhatia, DOD principal director for cybersecurity and deputy CISO, said.

Bhatia said DOD wants to “get comments that clearly articulate your perspective so that the Department can address those key concerns in the final rule.”

DOD didn’t respond to two multi-association letters asking for more time to submit comments on the proposed rule.

The Council of Defense and Space Industry Associations sent a Feb. 2 letter to DOD’s Diane Knight seeking a 60-day extension. A Feb. 9 letter led by the U.S. Chamber of Commerce to DOD CIO John Sherman asked for a 30-day or 45-day extension.

At the time, the U.S. Chamber’s Matthew Eggers told Inside Cybersecurity, “An extension would add value, it’s going to add value to industry and DOD’s consideration of the proposed rule.”

Stakeholders have been under increased pressure in the past four months to provide input on upcoming cyber regulations to the government.

The comment deadline for two proposed federal acquisition rules related to the 2021 cyber executive order closed on Feb. 2, along with an interim final rule amending the FAR on removal and exclusion orders for the Federal Acquisition Security Council.

Eggers also pointed to the Cybersecurity and Infrastructure Security Agency’s work to finalize the secure software self-attestation common form developed in response to the cyber EO.

DOD is aiming to finalize two CMMC rulemakings by the end of 2024, according to a source, recognizing that results from the November election could impact the program if the rulemaking process isn’t fully implemented.

A draft of the DFARS proposed rule was accepted Jan. 17 by the Defense Acquisition Regulations Council and is currently in the case manager processing period, according to the latest DFARS case status report. It hasn’t been submitted to OMB’s Office of Information and Regulatory Affairs to start the interagency review process.

Knight said in the video, “We anticipate the proposed DFARS rule will be published for public comment this year.”

The first CMMC rule details the Pentagon’s plan for a four-phase rollout of CMMC requirements in defense contracts. Knight said the two final rules will be published in the Federal Register with “associated effective dates” that are “concurrent.”