This episode is from the Sum IT Up podcast.
Since 2021 the DoD has made a habit of not saying much about CMMC.
However, back in the summer of 2023, the DoD was very clear that they sent the CMMC Program proposed rule to the SBA before submitting the rule for regulatory review.
"We still don't have CMMC 2.0 out of the building yet because we're working to get it right. It's going to go to the Small Business Administration first and then into [OMB] here in the hopefully very near future ... rest assured we want to get this right." - John Sherman, DoD CIO, 5/16/2023
That clearly seems like a preemptive step toward addressing public comments...
Speaking of public comments, a significant portion of the proposed rule contained responses to public comments received on the 2020 CMMC rule.
Typically, public comments receive responses in final rules, not proposed rules.
This feels like another preemptive step that has allowed the DoD to take public comments received earlier this year and respond/dismiss them with alacrity.
GAO has analyzed "midnight rulemaking" - the term used for rulemaking in the final year of an administration.
It isn't just individual agencies that are eager to complete their work, but also the administration itself and, therefore, the Office of Management and Budget (OMB) - the ones responsible for final review of the final rule later this year.
According to the rumor mill, the DoD has already finished responding to public comments and sent the final rule into the last stages of red tape.
There were over 1,800 public comments on the CMMC program proposed rule.
That's 140% more comments than the 2020 CMMC rule.
DoD adjudicated comments on a rolling basis as they were submitted, which drastically accelerated the process compared to waiting until the end of the comment period.
Ripping through such a huge number of comments so quickly suggests that very little of the proposed rule has changed.
That's a huge advantage for those companies who have implemented NIST SP 800-171 and are ready for CMMC assessment.
For everyone else, the flashing red warning light is as big as it has ever been.
With Jacob Horne and Jason Sproesser
We sum up the news and developments relevant to CMMC, DFARS, and NIST standards such as SP 800-171, SP 800-53, the NIST Cybersecurity Framework, and others.