2024 DIB Rulemaking Calendar (Q2 Update)
Stay updated on the latest DIB rulemaking updates for 2024, including CMMC, DFARS, NIST, and more. Get insights on incident reporting, cybersecurity requirements, and upcoming regulations in this informative podcast summary.
This timeline information is outdated, please check out our official CMMC timeline page here for accurate updates.
What's the latest with DFARS, CMMC, FAR, and NIST and other DIB rules this year?
Q2 2024 is upon us, so this week we are updating the rulemaking calendar based on what we know about DFARS, CMMC, the FAR, and NIST revisions. If the summer doldrums push things into the fall, then we could be in for a relentless rulemaking/holiday season.
What's the latest with the DIB CS Program Final Rule?
- Published March 2024
- Expands eligibility to the DIB CS Program for non-cleared defense contractors
- What to know:
  - DoD commonly references the DIB CS Program expansion in response to criticism about not providing defense contractors with sufficient cybersecurity tools and resources.
  - While the DIB CS Program helps contextualize cyber threats through strong information sharing relationships, it has little compliance value for meeting NIST and CMMC requirements.
What's the latest with the CIRCIA Proposed Rule?
- Published April 2024
- Duplicates and expands cyber incident reporting requirements
- What to know:
  - Defense contractors are "covered entities" under the proposed rule and will have expanded cyber incident reporting requirements on top of their existing obligations pursuant to DFARS contract clause 252.204-7012.
  - If DoD and CISA can reach an agreement, DIB suppliers may be able to report to only one agency instead of two.
What's the latest with the NIST SP 800-171 and 171A Revision 3?
- ETA: May 2024
- Expands the requirements assessed at CMMC Level 2 by ~30%
- What to know:
  - If DoD doesn't issue an implementation waiver (known as a "class deviation"), then defense contractors will need to implement SP 800-171 revision 3 as soon as they receive a solicitation after the final revision is published.
  - The CMMC proposed rule specifies SP 800-171 revision 2, so unless DoD is able to sync up DFARS 7012 and CMMC, contractors will need to juggle two different cyber requirement baselines.
What's the latest with the DFARS 252.204-7012 v3.0 Proposed Rule?
- ETA: Q4 2024
- Hopefully kills the term "CDI", explains international reciprocity, includes SP 800-172 requirements, and explains FedRAMP "equivalency"
- What to know:
  - The DFARS 7012 rulemaking process isn't run by the same Pentagon team that runs CMMC rulemaking, so updates and cross-collaboration are hard to come by.
  - All of the various DFARS clauses (7019, 7020, 7021) and assessment programs like CMMC and the DoD Assessment Methodology ("DoDAM") are intended to verify the implementation of requirements imposed by DFARS 252.204-7012; it is the center of gravity.
What's the latest with NIST SP 800-172 and 172A Revision 1?
- ETA: Q4 2024
- Expands the requirements assessed at CMMC Level 3 by TBD%
- What to know:
  - Unlike NIST SP 800-171, the requirements in SP 800-172 aren't capped by the size of the SP 800-53 moderate baseline.
  - The requirements in SP 800-172 can therefore be esoteric, complex, and expensive.
What's the latest with the 32 CFR CMMC Final Rule?
- ETA: 2H 2024
- Establishes the CMMC Program at Title 32 of the Code of Federal Regulations
- What to know:
  - DoD and the Office of Management and Budget are highly motivated to publish the final rule before the November election in order to avoid additional red tape.
  - Kicks off the "market roll-out" for assessments: a situation where companies can pay a C3PAO for an official CMMC assessment prior to DoD requiring CMMC certification in contracts (see below).
  - A large gap between the market roll-out and the contractual "phased roll-out" will result in market forces driving assessment requirements long before DoD requires them in a single contract (see below).
What's the latest with the 48 CFR CMMC Proposed Rule?
- ETA: Q4 2024 (maybe)
- Revises the DFARS 252.204-7021 clause to point to 32 CFR CMMC
- What to know:
  - Kicks off the "phased roll-out" for CMMC level requirements in contracts.
  - As of late April 2024 the rule is delayed due to internal revisions. While this is completely normal, it will significantly extend the time between the market and phased roll-outs; many companies will be pushed to attain CMMC certification by market forces outside of DoD's control.
What's the latest with the FAR CUI Proposed Rule?
- ETA: 2H 2024
- Establishes SP 800-171 as the minimum requirement for CUI via a federal-wide contract clause
- What to know:
  - The FAR CUI rule is the third piece of the three-part plan to implement the federal Controlled Unclassified Information program, but it has been missing in action since 2016.
  - The rule will likely drive other federal agencies to reject contractor self-attested implementation of cyber requirements, possibly expanding the requirement for CMMC certification.
Episode Links:
- Register for our upcoming CS2 Replay here
- Q1 Rulemaking Calendar
Sum IT Up Podcast
With Jacob Horne and Jason Sproesser
We sum up the news and developments relevant to CMMC, DFARS, and NIST standards such as SP 800-171, SP 800-53, the NIST Cybersecurity Framework, and others.