The Department of Defense on Monday submitted to the Office of Management and Budget for review its plan to certify the cybersecurity compliance of defense industrial base contractors that hold the Pentagon’s sensitive information, officially kicking off the rulemaking process for the program known as the Cybersecurity Maturity Model Certification (CMMC).
DOD sent its CMMC rule to OMB’s Office of Information and Regulatory Affairs (OIRA), which has up to 90 days to review it.
Once that review is complete, the rule will be published in the Federal Register under one of two classifications. The typical path is to publish a new rule or regulation as a proposed rule, which can be a lengthy process, in many cases taking the better part of a year to reach a final rule. Alternatively, OIRA could agree to publish CMMC as an interim final rule, in which case the rule, citing “good cause,” would bypass certain procedural requirements and take effect as a final rule over the following 60 days, allowing CMMC requirements to appear in DOD contracts soon after.
Both paths include a period for public comment on the rule, even when it is published as an interim final rule.
While the submission means yet another period of uncertain waiting for the DOD contracting community in what has already been a yearslong journey, it does confirm that DOD has settled on a final rule and that CMMC is coming in the not-so-distant future.
CMMC is the Pentagon’s ambitious framework to more thoroughly assess and accredit contractors that handle its controlled unclassified information (CUI) on their systems, ensuring they meet the National Institute of Standards and Technology cybersecurity requirements laid out in NIST SP 800-171 and, for the highest level, a subset of NIST SP 800-172. After overhauling the program in 2021, the Pentagon has been working on a final rule that will require contractors handling the department’s CUI to be CMMC certified or risk losing the department’s business.