The Pentagon's Cybersecurity Maturity Model Certification program enters a new stage this week with the end of the public comment period for a massive, proposed rulemaking that sets up parameters to implement the long-awaited initiative.
The Defense Department issued the CMMC proposed rule to implement the program on Dec. 26, kicking off a two-month comment period for stakeholders to review the 234-page rulemaking and accompanying CMMC guidance documents.
Some industry groups asked for an extension to allow more time to get feedback from their members, but DOD has rejected those requests as part of an effort to finalize the rulemaking by the end of this year.
DOD announced plans to start the CMMC program in 2019 and signed a non-cost contract in 2020 with a new independent accreditation body established to accredit CMMC assessors and third-party assessment organizations.
The CMMC program was formally launched in late 2020 with the publication of an interim final rule, but then paused as Deputy Defense Secretary Kathleen Hicks ordered an internal review in the first months of the Biden administration. The internal review concluded in November 2021 and DOD announced major changes that would be implemented through two rulemakings.
The Dec. 26 rulemaking is the culmination of a 25-month process to implement those changes.
The process included drafting the rulemaking to amend Title 32 of the Code of Federal Regulations, getting feedback from the military services and agencies, DOD general counsel and the Small Business Administration’s Office of Advocacy and the interagency review process at OMB’s Office of Information and Regulatory Affairs.
The Office of the Under Secretary of Defense for Acquisition and Sustainment is leading work on a second proposed rule that amends the Title 48 of the CFR, which is the Defense Federal Acquisition Regulation Supplement.
DOD officials provided details on the 32 CFR rule and upcoming proposed DFARS rule in an “informational” video following the release of first rulemaking.
Diane Knight, acquisition and rulemaking lead at the CMMC Program Management Office, said, “We anticipate the proposed DFARS rule will be published for public comment this year.”
The first CMMC rule details the Pentagon’s plan for a four-phase rollout of CMMC requirements in defense contracts.
Knight said the two final rules will be published in the Federal Register with “associated effective dates” that are “concurrent.”
Knight said, “The objective timeline for implementing contractor compliance with CMMC requirements has been, and remains, FY2025.”
The first CMMC rulemaking provides details on the assessment process, ecosystem roles, scoping requirements and more. It goes into depth on specific requirements for defense contractors, assessment organizations, DOD and on the CMMC model itself.
Nearly 200 comments have been filed as of Friday afternoon on Regulations.gov. DOD is already in the process of adjudicating the comments received so far.
The CMMC is expected to impact a broad range of defense contractors and subcontractors with most companies needing a level one self-assessment. DOD estimates that 220,000 companies fall under CMMC where they are holding federal contract information or controlled unclassified information.
Defense officials emphasize the importance of the CMMC rulemaking in the video.
Stacy Bostjanick, chief of defense industrial base cybersecurity, said, “Cybersecurity is essential to the basic functioning of our economy, the operation of our critical infrastructure, the strength of our democracy and democratic institutions, the privacy of our data and communications, and our national defense. The CMMC program is a key component to ensuring our national security.”
Bostjanick said, “Improving your cybersecurity against evolving threats will safeguard the information that preserves our technological advantages over adversaries. Your cooperation is critical.”