Cyber

CMMC final rulemaking process kicks off with submission to OMB for review

The submission solidifies the fact that DOD has come to a consensus on a final rule and that CMMC is coming in the not-so-distant future.

By Billy Mitchell

July 25, 2023

(Getty Images)

The Department of Defense on Monday submitted its plan to certify the cybersecurity compliance of defense industrial base contractors that hold the Pentagon’s sensitive information to the Office of Management and Budget for review, officially kicking off the rulemaking process for the program known as the Cybersecurity Maturity Model Certification (CMMC).

DOD sent its CMMC framework to OMB’s Office of Information and Regulatory Affairs, which will take the next 90 days or less to review the rule.

At that point, OIRA will publish the rule in the Federal Register under one of two classifications. The typical rulemaking process entails publishing a new rule or regulation as a proposed rule, which can be a lengthy endeavor, in many cases taking the better part of a year to get across the finish line. Or, the office could agree to publish CMMC as an interim final rule, a scenario in which the rule, under “good cause,” would bypass certain requirements and take effect as a final rule over the following 60 days, allowing CMMC to hit DOD contracts soon after.

Both processes include a period of taking open public comments on the rule, even if it’s published as an interim final rule.

While the submission signifies yet another period of uncertain waiting for the DOD contracting community to see what happens in what’s already been a yearslong journey, it does solidify the fact that DOD has come to a consensus on a final rule and that CMMC is coming in the not-so-distant future.

CMMC is the Pentagon’s ambitious framework to more thoroughly assess and accredit any contractors that handle its controlled unclassified information (CUI) on their systems, ensuring they meet certain National Institutes of Standards and Technology cybersecurity requirements included in NIST 800-171 and 800-172. After reforming the program in 2021, the Pentagon has been working on a final rule that will mandate those contractors that work with the department’s CUI be CMMC certified, or risk losing its business.

CMMC final rulemaking process kicks off with submission to OMB for review

More Like This

Dashboard aims to give commanders increased ability to assess cyber team readiness

Pentagon network defense arm conducting intelligence for cyber pilot

How the DOD can harness AI for innovation and efficiency

Top Stories

NGA buys maritime data to help Indo-Pacific Command, via first-ever CSO

Pentagon poised to launch inaugural ‘challenge’ for Global Information Dominance Experiments

Army’s Cyber Quest sought to standardize data from vendors

Air Force plans ‘sprint week’ to experiment with ABMS solutions from industry

Joint force, international partners, contractors test command and control capabilities in Pacific exercise

Navy to reset and reinvigorate Operation Cattle Drive

DOD’s new Arctic strategy calls for better tech to ‘monitor and respond’

More Scoops

Pentagon reveals updated cost estimates for CMMC implementation

Proposed rule would allow DOD program managers to request waivers for CMMC requirements

Pentagon releases proposed rule on cybersecurity standards for contractors

Pentagon looks to expand voluntary cyber information-sharing with contractors

DOD working with federal CISO Council on CMMC-like standards for civilian agencies

Microsoft completes voluntary CMMC assessment, a win for smaller contractors using its services

DOD addressing ‘obstacle course’ of impediments holding back work with cybersecurity startups

Latest Podcasts

How the Navy is reducing workforce friction to improve mission outcomes

How DARPA is looking to AI to fend off cyber vulnerabilities through a challenge program

How the DOD protects national security interests by monitoring climate change

Splunk’s Paul Kurtz on the power of automation within DOD

Weapons

Cyber

AI

IT