Inside Cybersecurity

March 3, 2024

Daily News

Pentagon internal review delays plans to release CMMC final rule in September

By Sara Friedman / September 16, 2021

The Defense Department is not planning to release the final rule cementing the implementation of its Cybersecurity Maturity Model Certification program in September, due to an ongoing internal review expected to conclude toward the end of 2021.

“We anticipate the review to be completed in late 2021, at which point the Department will communicate any anticipated changes to the CMMC program to industry and other stakeholders,” Pentagon spokeswoman Jessica Maxwell told Inside Cybersecurity.

Maxwell said, “The Department will complete its internal review of the CMMC program prior to finalizing the DFARS rule.”

The interim final rule to implement the CMMC program for defense contractors and establish new requirements for compliance with NIST 800-171 was issued on Sept. 29, 2020. At a May hearing, Jesse Salazar, deputy assistant secretary of defense for industrial policy, told a Senate Armed Services panel that a rulemaking process on the scale of the CMMC program “typically takes a year.”

The Pentagon received 850 comments on the interim final rule that makes changes to the Defense Federal Acquisition Regulation Supplement and has gotten multiple extensions from the Defense Acquisition Regulations (DAR) Council over the past few months to deliver its final report on the rule.

The most recent extension sets a Sept. 29 deadline for the report, according to the latest case status update on the Defense Pricing and Contracting organization’s website.

After the DAR Council completes its review, the final rule will be sent to OMB’s Office of Information and Regulatory Affairs, which conducts the interagency process involving other agencies outside the Defense Department. The interagency process for the CMMC interim final rule took four months to complete in 2020.

The interim final rule went into effect on Nov. 30, 2020. The Defense Department did not comment on whether the final rule would be released on or prior to Nov. 30, 2021.

When asked about the status of the internal review, Maxwell said, “The Department regularly conducts internal programmatic assessments to ensure our programs are meeting their goals. The CMMC program was designed with scalable implementation in mind, and we regularly identify opportunities to improve the program. We will communicate any changes we make to the program through programmatic announcements.”

Salazar spoke about the goals of the DOD’s review at a Professional Services Council event in June.

He emphasized three priorities: managing costs for small businesses; clarifying “regulatory policy and contracting requirements”; and “reinforce trust and confidence in the maturing CMMC assessment ecosystem.”

The House is also considering requiring the Defense Department to conduct a study on CMMC’s impact on small businesses as part of the fiscal 2022 National Defense Authorization Act. A separate review of the CMMC program is in process at the Government Accountability Office.

Three major trade associations, including PSC, sent a letter to Deputy Defense Secretary Hicks on Sept. 9 asking for more transparency over several components of the program.

The letter said, “We believe it is important for the Department to remain publicly committed to the CMMC program to underscore the program’s importance for national and supporting global cyber ecosystems. This public commitment should be communicated promptly and is particularly important in the context of the Department’s continued internal review, updates to SPRS tracking and reporting, and the pending publication of the Government Accountability Office’s (GAO’s) report on CMMC.”

CMMC assessment launch

Meanwhile, DOD contractors are anxiously awaiting the start of official CMMC assessments, which is currently on hold despite approvals for four certified third party assessment organizations by DOD and the CMMC Accreditation Body.

One component causing potential delays is the release of updated assessment guides for CMMC levels one and three that will provide guidance on the scope of the audits for contractors and their C3PAOs.

Maxwell said, “The Department will release an update to the Assessment Guides in the near future. The update adds the scoping guidance, information to support hashing assessment artifacts, and other administrative changes to support readability of the documents.”

DOD initially planned to release up to 15 contract solicitations with CMMC language during the current fiscal year which ends on Sept. 30.

No requests for proposals featuring CMMC requirements from the military services or DOD agencies have been published yet.

Maxwell said, “The Department’s internal review does not directly impact the quantity of contract solicitations associated FY 2021 CMMC Pilots. The CMMC Program Management Office’s targeted up to 15 contract solicitations for CMMC Pilots by the end of FY 2021.” -- Sara Friedman (