CMMC final rulemaking process kicks off with submission to OMB for review

The submission solidifies the fact that DOD has come to a consensus on a final rule and that CMMC is coming in the not-so-distant future.
(Getty Images)

The Department of Defense on Monday submitted its plan to certify the cybersecurity compliance of defense industrial base contractors that hold the Pentagon’s sensitive information to the Office of Management and Budget for review, officially kicking off the rulemaking process for the program known as the Cybersecurity Maturity Model Certification (CMMC).

DOD sent its CMMC framework to OMB’s Office of Information and Regulatory Affairs, which will take the next 90 days or less to review the rule.

At that point, OIRA will publish the rule in the Federal Register under one of two classifications. The typical rulemaking process entails publishing a new rule or regulation as a proposed rule, which can be a lengthy endeavor, in many cases taking the better part of a year to get across the finish line. Or, the office could agree to publish CMMC as an interim final rule, a scenario in which the rule, under “good cause,” would bypass certain requirements and take effect as a final rule over the following 60 days, allowing CMMC to hit DOD contracts soon after.

Both processes include a period of taking open public comments on the rule, even if it’s published as an interim final rule.


While the submission signifies yet another period of uncertain waiting for the DOD contracting community to see what happens in what’s already been a yearslong journey, it does solidify the fact that DOD has come to a consensus on a final rule and that CMMC is coming in the not-so-distant future.

CMMC is the Pentagon’s ambitious framework to more thoroughly assess and accredit any contractors that handle its controlled unclassified information (CUI) on their systems, ensuring they meet certain National Institutes of Standards and Technology cybersecurity requirements included in NIST 800-171 and 800-172. After reforming the program in 2021, the Pentagon has been working on a final rule that will mandate those contractors that work with the department’s CUI be CMMC certified, or risk losing its business.

Billy Mitchell

Written by Billy Mitchell

Billy Mitchell is Senior Vice President and Executive Editor of Scoop News Group's editorial brands. He oversees operations, strategy and growth of SNG's award-winning tech publications, FedScoop, StateScoop, CyberScoop, EdScoop and DefenseScoop. Prior to joining Scoop News Group in early 2014, Billy embedded himself in Washington, DC's tech startup scene for a year as a tech reporter at InTheCapital, now known as DC Inno. After earning his degree at Virginia Tech and winning the school's Excellence in Print Journalism award, Billy received his master's degree from New York University in magazine writing while interning at publications like Rolling Stone.

Latest Podcasts