Inside Cybersecurity
Pentagon official: First CMMC 2.0 rulemaking not expected in 2021

By Sara Friedman / November 19, 2021

The Defense Department is in the early stages of developing two new rulemakings to change the Pentagon’s acquisition rules for its Cybersecurity Maturity Model Certification program, and does not expect to release the first rule for public comment during 2021 because details are still under discussion, according to CMMC program leader Buddy Dees.

The rulemaking is “not going to be this calendar year,” Dees said Wednesday at a conference hosted by the Coalition for Government Procurement. Dees said he is working with John Ellis of DCMA’s Defense Industrial Base Cybersecurity Assessment Center and others to develop the policies that will ultimately go into the rulemaking effort.

The Pentagon unveiled major changes to the CMMC program on Nov. 4, detailing the strategic direction of the revised effort, called CMMC 2.0. There will be two rulemakings: one to amend the current interim final rule implementing CMMC, which went into effect on Nov. 30, 2020, and a second to change Title 32 of the Code of Federal Regulations (CFR).

Dees said, “We just this week had our first session on a policy working group where we worked down a pretty decent sized list on areas we need to write policy on for the 32 CFR. We will certainly continue it but obviously we know the holiday season is coming up which is going to slow things down a little bit.”

Dees said he would expect “coming back off the holidays this calendar [year]” that the group “will have a lot of energy to get most of those policy pieces drafted so we can work through the process to get them approved and then get them out for publishing on the Federal Register for public comment review.”

The Pentagon expects the rulemaking processes to be completed “somewhere between nine and 24 months,” Dees said. He said having the rulemakings go into effect within the next nine months is “very aggressive” and would only be possible “in a best case scenario if the stars align in theory.”

Dees said, “Folks that have gone through rulemaking know it is a very arduous process and so somewhere around 24 months [is] what we are anticipating as the worst case if we have to go back and redo [the policy]. A lot of it depends on how many comments we get in.”

The Pentagon has halted all CMMC pilot programs until the new rulemakings go into effect.

Dees participated on a panel at a training conference hosted by CGP with Ellis, contracting attorney Robert Metzger, and Stacy Bostjanick, director of supply chain management in the Office of the Under Secretary of Defense for Acquisition and Sustainment.

Bostjanick provided an overview of two incentive options that the Pentagon is considering for companies that adopt CMMC standards before the official CMMC 2.0 rollout begins.

Dees also said DOD decided to allow companies to submit a plan of action and milestones (POA&M) for unmet controls in a CMMC assessment after reviewing DIBCAC data from its assessments of certified third party assessment organizations (C3PAOs). -- Sara Friedman