DOD Sends its CMMC Rule to OMB, Setting the Clock Moving on Final Implementation

Published: July 26, 2023

Federal Market Analysis | Tags: Acquisition Reform, Contracting Trends, Cybersecurity, Defense, NIST, Office of Information and Regulatory Affairs (Executive Office of the President), Policy and Legislation

The Defense Department rule submission sets in motion the next steps for implementing their contractor cybersecurity mandates in FY 2024 or FY 2025.

On Monday, the Department of Defense (DoD) sent its highly anticipated proposed rule for the Cybersecurity Maturity Model Certification (CMMC) program to the Office of Information and Regulatory Affairs (OIRA) at the Office of Management and Budget (OMB).

The submission sets the clock moving on the release and implementation of the final rules governing DoD contractor cybersecurity compliance requirements under CMMC, which could potentially begin as early as fiscal year (FY) 2024. The news of the proposed rule submission was a major discussion item at the July 25 Cyber AB Town Hall, which included a presentation on the implications from Jacob Horne of Summit 7 Systems.

Next Steps and Potential Timelines for CMMC

While I am not a contract attorney or federal acquisition official, my understanding of the review and rulemaking process sets up the following general timeline for the progression and implementation of CMMC.

  • OMB Regulatory Review completed by September or October. OIRA has 60-90 days to complete its regulatory review of the CMMC rule, after which it will publish the rule in the Federal Register. That will likely come in September or October. One caveat: it is possible that OMB could send the rule back to DoD for revision, but this is not a typical occurrence, as there seems to have been significant collaboration between DoD and OMB on the rule.
  • Federal Register Publication of CMMC Rule after Regulatory Review. Most likely by the end of September, or possibly in early October, OMB will publish the CMMC rule in the Federal Register, similar to how DoD published updates for CMMC 2.0 in November 2021.
  • Potential Timeline Divergence, based on OMB’s Rule Choice. OMB has two options from which to choose when publishing the forthcoming CMMC rule. Each has implementation timeline implications for when CMMC requirements begin appearing in DoD contracts.
    • Proposed Rule: (More likely) If OMB publishes a CMMC Proposed Rule, then a 60-day public comment period is required before OMB and DoD may begin to implement the rule. This is the most likely path anticipated by those watching the process, including many in industry. Under this path, after the 60-day comment period closes, we are looking at somewhere between 280 and 333 business days, on average, before DoD begins phasing CMMC into its contract requirements, based on DoD’s recent track record, according to Horne. So, a September/October publication of a Proposed Rule would place a phased CMMC implementation beginning in Q2 FY 2025, possibly Q3.
    • Interim Final Rule: (Less likely) OMB could choose to release an Interim Final Rule, which allows OMB and DoD to begin rolling out CMMC into contract requirements while they review public comments, i.e., in parallel. Therefore, choosing an Interim Final Rule means that CMMC could begin to be added to DoD contracts in Q1 of FY 2024, because such rules are effective immediately upon publication. This is the less likely/anticipated scenario, but it is possible.
  • NIST Revision of CMMC Compliance Standards in Late FY 2023 or Early FY 2024. The National Institute of Standards and Technology (NIST) is updating the guidelines that form the underlying cybersecurity standards required for CMMC. Revision 3 of NIST’s Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (Special Publication (SP) 800-171) clarifies the existing requirements and adds cybersecurity controls/requirements for contractors beyond those in the previous version, Revision 2. As a result, the bar continues to rise for cyber compliance assessments. The public comment period on the Rev 3 draft closed on July 14, so NIST is now in the process of finalizing the document. A final Rev 3 document is anticipated in Q1 FY 2024, but NIST could take until Q2.
  • Potential DoD Extension on NIST SP 800-171 Compliance. (Anticipated) While CMMC has been under development, DoD has consistently reminded contractors that they are required to implement and adhere to the security controls provided in NIST SP 800-171. With the anticipated finalization of Rev 3 of this SP, it is expected that DoD will give industry an extension on meeting these requirements via a “class deviation,” in contract/regulatory parlance. If the expectation of a 12-month extension is valid, that would coincide with CMMC going live in FY 2025. However, that 1-year class deviation window could shift to the left if NIST publishes the final Rev 3 before the end of FY 2023 or in early FY 2024. Historically, NIST tends to beat its timelines on these revisions.

Contractor Implications

DoD’s submission of its CMMC rule to OMB should dispel much of the conjecture that CMMC is unlikely to become a reality that DoD contractors need to address. Although CMMC has its roots in previous White House and Pentagon administrations, it generally fits with the mindset of the Biden Administration’s National Cybersecurity Strategy and subsequent Implementation Plan in their pursuit of raising contractor and industry cybersecurity requirements.

Which option OMB chooses to publish the forthcoming CMMC rule will drive the timeline going forward. That said, DoD contractors continue to be well advised to get working on complying with the NIST SP 800-171 and other relevant standards that will position them for successful CMMC compliance and accreditation.

Firms that have not already been implementing 800-171 Rev 2 and have not begun working through the available provisional cybersecurity assessment review processes are at risk of coming up against tough deadlines and potential timeline crunches, because the demand for such assessments and other related efforts will likely drive resource constraints and a growing “wait list” for these activities. Some of these implementations can take an average of 12-18 months to complete, placing some firms at risk of missing compliance deadlines and potentially losing DoD business as a result.