Cyber

CMMC final rulemaking process kicks off with submission to OMB for review

The submission solidifies the fact that DOD has come to a consensus on a final rule and that CMMC is coming in the not-so-distant future.

By Billy Mitchell

July 25, 2023

(Getty Images)

The Department of Defense on Monday submitted its plan to certify the cybersecurity compliance of defense industrial base contractors that hold the Pentagon’s sensitive information to the Office of Management and Budget for review, officially kicking off the rulemaking process for the program known as the Cybersecurity Maturity Model Certification (CMMC).

DOD sent its CMMC framework to OMB’s Office of Information and Regulatory Affairs, which will take the next 90 days or less to review the rule.

At that point, OIRA will publish the rule in the Federal Register under one of two classifications. The typical rulemaking process entails publishing a new rule or regulation as a proposed rule, which can be a lengthy endeavor, in many cases taking the better part of a year to get across the finish line. Or, the office could agree to publish CMMC as an interim final rule, a scenario in which the rule, under “good cause,” would bypass certain requirements and take effect as a final rule over the following 60 days, allowing CMMC to hit DOD contracts soon after.

Both processes include a period of taking open public comments on the rule, even if it’s published as an interim final rule.

While the submission signifies yet another period of uncertain waiting for the DOD contracting community to see what happens in what’s already been a yearslong journey, it does solidify the fact that DOD has come to a consensus on a final rule and that CMMC is coming in the not-so-distant future.

CMMC is the Pentagon’s ambitious framework to more thoroughly assess and accredit any contractors that handle its controlled unclassified information (CUI) on their systems, ensuring they meet certain National Institutes of Standards and Technology cybersecurity requirements included in NIST 800-171 and 800-172. After reforming the program in 2021, the Pentagon has been working on a final rule that will mandate those contractors that work with the department’s CUI be CMMC certified, or risk losing its business.

CMMC final rulemaking process kicks off with submission to OMB for review

More Like This

Navy announces new top cyber adviser

Air Force issues call for cyber, electromagnetic, sensing capabilities to support ABMS

DOD developing ‘Gremlin’ capability to help personnel collect real-time UAP data

Top Stories

Air Force plans industry roundtables on effective uses, adoption of generative AI

US to give Israel $1.2B for Iron Beam laser weapon

After Iran’s strikes on Israel, Juniper Oak exercises seen as a ‘harbinger’

General Atomics adding AESA radar and software to upgraded Gray Eagles

Navy to unveil new ‘structured piloting’ framework for IT modernization

Army rethinks its approach to AI-enabled risks via Project Linchpin

More Scoops

With CMMC looming, military services explore ways to extend secure environments to small businesses

Pentagon reveals updated cost estimates for CMMC implementation

Proposed rule would allow DOD program managers to request waivers for CMMC requirements

Pentagon releases proposed rule on cybersecurity standards for contractors

Pentagon looks to expand voluntary cyber information-sharing with contractors

DOD working with federal CISO Council on CMMC-like standards for civilian agencies

Microsoft completes voluntary CMMC assessment, a win for smaller contractors using its services

Latest Podcasts

How the Navy is reducing workforce friction to improve mission outcomes

How DARPA is looking to AI to fend off cyber vulnerabilities through a challenge program

How the DOD protects national security interests by monitoring climate change

Google’s Scott Frohman Talks AI Innovation at Google Cloud Next

Weapons

Cyber

IT

AI