Learn why the CMMC Program final rule might be implemented before the upcoming election. Key reasons include preemptive steps taken by the DoD, the proposed rule's inclusion of responses to prior public comments, and a trend of increased rulemaking in the final year of an administration.
Watch the Podcast
Listen to the Podcast
This episode is from the Sum IT Up podcast. Click here to learn more.
The election is less than 5 months away. Here's 3 reasons I think the CMMC Program final rule will beat it:
๐ญ) ๐ง๐ต๐ฒ ๐ฝ๐ฟ๐ผ๐ฝ๐ผ๐๐ฒ๐ฑ ๐ฟ๐๐น๐ฒ ๐๐ฒ๐ป๐ ๐๐ผ ๐๐ต๐ฒ ๐ฆ๐บ๐ฎ๐น๐น ๐๐๐๐ถ๐ป๐ฒ๐๐ ๐๐ฑ๐บ๐ถ๐ป๐ถ๐๐๐ฟ๐ฎ๐๐ถ๐ผ๐ป ๐ณ๐ถ๐ฟ๐๐.
Since 2021 the DoD has made a habit of not saying much about CMMC.
However, back in the Summer of 2023 the DoD was very clear that they sent the CMMC Program proposed rule to the SBA before submitting the rule for regulatory review.
โWe still donโt have CMMC 2.0 out of the building yet because weโre working to get it right. Itโs going to go to the Small Business Administration first and then into [OMB] here in the hopefully very near future โฆ rest assured we want to get this right.โ โ John Sherman, DoD CIO, 5/16/2023
That clearly seems like a preemptive step to addressing public comments...
๐ฎ) ๐ง๐ต๐ฒ ๐ฝ๐ฟ๐ผ๐ฝ๐ผ๐๐ฒ๐ฑ ๐ฟ๐๐น๐ฒ ๐ถ๐ป๐ฐ๐น๐๐ฑ๐ฒ๐ฑ ๐ฟ๐ฒ๐๐ฝ๐ผ๐ป๐๐ฒ๐ ๐๐ผ ๐ฝ๐๐ฏ๐น๐ถ๐ฐ ๐ฐ๐ผ๐บ๐บ๐ฒ๐ป๐๐.
Speaking of public comments, a significant portion of the proposed rule contained responses to public comments received on the 2020 CMMC rule.
Typically, public comments receive responses in final rules, not proposed rules.
This feels like another preemptive step that has allowed the DoD to take public comments received earlier this year and respond/dismiss them with alacrity.
๐ฏ) ๐ ๐ผ๐ฟ๐ฒ ๐ฟ๐๐น๐ฒ๐ ๐ฎ๐ฟ๐ฒ ๐ฝ๐๐ฏ๐น๐ถ๐๐ต๐ฒ๐ฑ ๐ถ๐ป ๐๐ฟ๐ฎ๐ป๐๐ถ๐๐ถ๐ผ๐ป ๐๐ฒ๐ฎ๐ฟ๐ ๐๐ต๐ฎ๐ป ๐ฎ๐ป๐ ๐ผ๐๐ต๐ฒ๐ฟ ๐๐ถ๐บ๐ฒ.
GAO has analyzed "midnight rulemaking" - the term used for rulemaking in the final year of an administration.
It isn't just individual agencies that are eager to complete their work, but also the administration itself and, therefore, the Office of Management and Budget (OMB) - the ones responsible for final review of the final rule later this year.
๐ฐ) ๐๐ฒ๐ฟ๐ฒ'๐ ๐ฎ ๐ฏ๐ผ๐ป๐๐:
๐๐ฐ๐ฐ๐ผ๐ฟ๐ฑ๐ถ๐ป๐ด ๐๐ผ ๐๐ต๐ฒ ๐ฟ๐๐บ๐ผ๐ฟ ๐บ๐ถ๐น๐น, ๐๐ต๐ฒ ๐๐ผ๐ ๐ต๐ฎ๐ ๐ฎ๐น๐ฟ๐ฒ๐ฎ๐ฑ๐ ๐ณ๐ถ๐ป๐ถ๐๐ต๐ฒ๐ฑ ๐ฟ๐ฒ๐๐ฝ๐ผ๐ป๐ฑ๐ถ๐ป๐ด ๐๐ผ ๐ฝ๐๐ฏ๐น๐ถ๐ฐ ๐ฐ๐ผ๐บ๐บ๐ฒ๐ป๐๐ ๐ฎ๐ป๐ฑ ๐๐ฒ๐ป๐ ๐๐ต๐ฒ ๐ณ๐ถ๐ป๐ฎ๐น ๐ฟ๐๐น๐ฒ ๐ถ๐ป๐๐ผ ๐๐ต๐ฒ ๐น๐ฎ๐๐ ๐๐๐ฎ๐ด๐ฒ๐ ๐ผ๐ณ ๐ฟ๐ฒ๐ฑ ๐๐ฎ๐ฝ๐ฒ.
There were over 1,800 public comments on the CMMC program proposed rule.
Thatโs 140% more comments than the 2020 CMMC rule.
DoD adjudicated comments on a rolling basis as they were submitted which drastically accelerated the process compared to waiting until the end of the comment period.
Ripping through such a huge number of comments so quickly suggests that very little of the proposed rule has changed.
That's a huge advantage for those companies who have implemented NIST SP 800-171 and are ready for CMMC assessment.
For everyone else it's as big as the flashing red warning light has ever been.
Sum IT Up Podcast
With Jacob Horne and Jason Sproesser
We sum up the news and developments relevant to CMMC, DFARS, and NIST standards such as SP 800-171, SP 800-53, the NIST Cybersecurity Framework, and others.
