Learn about the upcoming implementation of the CMMC Program final rule, including key reasons for the timeline and the two different CMMC rules. Explore the implications for defense contractors and the phased roll-out process.
DoD has officially submitted the 48 CFR CMMC proposed rule for regulatory review.
As a result, we can now estimate the timelines for CMMC rules.
Whatever was delaying the 48 CFR rule has apparently been fixed and that means contractors need to start getting serious about preparing for the coming CMMC roll-outs (yes, there are two of them).
Watch the Podcast
Listen to the Podcast
This episode is from the Sum IT Up podcast. Click here to learn more.
Are there two CMMC rules?
There are, in fact, two different CMMC rules. (Check out our webinar covering all the details)
The first rule codifies the CMMC program and, in addition to many other things, finally makes certification assessments officially available on the market.
National Security programs like CMMC are codified in Title 32 of the Code of Federal Regulations (CFR) so we refer to this rule as “32 CFR CMMC”.
This is the rule that was published as a proposed rule in December 2023.
The second rule revises the DFARS contract clause 252.204-7021 Cybersecurity Maturity Model Certification Requirements to point to the details of the CMMC program at 32 CFR.
Since all federal contract clauses and provisions are codified at Title 48 of the Code of Federal Regulations, we refer to this rule as “48 CFR CMMC”.
The “7021 clause” was originally published in 2020. It needs to be revised because the original CMMC model (“1.0”) had five levels instead of three, no allowance for temporary findings (“POAMs”), no waiver process, etc.
When rulemaking is done and both rules are final and effective contractors will find out what CMMC certification level they need to support a given contract thanks to the details in their 7021 clause.
The process of going through and assessment, what’s required, what temporary deficiencies are allowed, etc. is written down in title 32 of the CFR.
Simple enough, but the problem sets in when the two rules end up on two different publication timelines.
When will CMMC be published?
Since the 48 CFR CMMC rule was submitted in May of 2024, we expect to see the rule published in August 2024.
From there it’s standard to have a 60-day public comment period which would end in October 2024.
DoD will need to adjudicate those public comments and make any necessary tweaks to the rule before submitting the final rule to OIRA one last time – a process that typically takes around 280 business days.
After somewhere between 30 – 60 days later the rule will be “effective” once and for all, likely Q4 2025 based on the information available at the time of writing.
Rulemaking is a long, opaque process so it’s difficult to know what’s happening up until regulations are submitted to the Office of Information and Regulatory Affairs (OIRA) for regulatory review.
OIRA only has 90 days (they can request a 30-day extension) to review the text of regulations and either send them back to the agency for changes or forward them on to the Office of the Federal Register for publication.
At that point the public is able to see the text of proposed and final rules and submit their comments.
Therefore, officially submitting the 48 CFR CMMC rule to OIRA for review provides us with a knowable point in time from which we can estimate the remaining process.
A Tale of Two Rollouts
Since there are two different CMMC rules on two different publication timelines we are facing a situation in which there are two different “roll-outs” for the CMMC program.
When the 32 CFR CMMC rule is final and effective, the CMMC program officially exists and can begin executing it’s mission.
However, the DoD isn’t able to include a specific CMMC level requirement in contracts and solicitations without an updating 48 CFR CMMC contract clause – that’s what the second rule is doing.
Therefore, a soft roll-out (something we call the “market roll-out) will occur in which early adopters and competitors can seek certification of their own volition even though DoD doesn’t require it in any contract.
Large prime contractors will also be inclined to require their suppliers to get certified once the certifications are available (“market roll-out”) rather than waiting for DoD to spell things out (what DoD calls the “phased roll-out”).
Ultimately, that means that defense contractors will start feeling the pressure to get CMMC certified long before a CMMC requirement shows up in a contract solicitation.
According to our current estimates, that pressure will start in Q4 2024.
Sum IT Up Podcast
With Jacob Horne and Jason Sproesser
We sum up the news and developments relevant to CMMC, DFARS, and NIST standards such as SP 800-171, SP 800-53, the NIST Cybersecurity Framework, and others.
