Summit 7 Blogs

Will CMMC Beat the Election in November?

Written by Jacob Horne | Jun 24, 2024 7:11:23 PM

This episode is from the Sum IT Up podcast.


The election is less than 5 months away. Here are 3 reasons I think the CMMC Program final rule will beat it:

1) The proposed rule went to the Small Business Administration first.

Since 2021 the DoD has made a habit of not saying much about CMMC.

However, back in the Summer of 2023 the DoD was very clear that they sent the CMMC Program proposed rule to the SBA before submitting the rule for regulatory review.

“We still don’t have CMMC 2.0 out of the building yet because we’re working to get it right. It’s going to go to the Small Business Administration first and then into [OMB] here in the hopefully very near future … rest assured we want to get this right.” – John Sherman, DoD CIO, 5/16/2023

That clearly seems like a preemptive step toward addressing public comments...

2) The proposed rule included responses to public comments.

Speaking of public comments, a significant portion of the proposed rule contained responses to public comments received on the 2020 CMMC rule.

Typically, public comments receive responses in final rules, not proposed rules.

This feels like another preemptive step that has allowed the DoD to take public comments received earlier this year and respond to or dismiss them with alacrity.


3) More rules are published in transition years than any other time.

GAO has analyzed "midnight rulemaking" - the term used for rulemaking in the final year of an administration.

It isn't just individual agencies that are eager to complete their work, but also the administration itself and, therefore, the Office of Management and Budget (OMB) - the ones responsible for final review of the final rule later this year.

4) Here's a bonus:

According to the rumor mill, the DoD has already finished responding to public comments and sent the final rule into the last stages of red tape.

There were over 1,800 public comments on the CMMC program proposed rule.

That’s 140% more comments than the 2020 CMMC rule.

DoD adjudicated comments on a rolling basis as they were submitted, which drastically accelerated the process compared to waiting until the end of the comment period.

Ripping through such a huge number of comments so quickly suggests that very little of the proposed rule has changed.

That's a huge advantage for those companies who have implemented NIST SP 800-171 and are ready for CMMC assessment.

For everyone else, the flashing red warning light is as big as it has ever been.


Sum IT Up Podcast

With Jacob Horne and Jason Sproesser

We sum up the news and developments relevant to CMMC, DFARS, and NIST standards such as SP 800-171, SP 800-53, the NIST Cybersecurity Framework, and others.