The Pentagon will start the formal process in July to make regulatory changes to its Cybersecurity Maturity Model Certification program with the submission of a new rulemaking to OMB for review, according to a Pentagon spokesman.
The new rulemaking updates Title 32 of the Code of Federal Regulations. A second rulemaking submission will follow to update the original interim final rule that amended Title 48 of the CFR. The original IFR went into effect on Nov. 30, 2020.
Submissions will be reviewed by Office of Management and Budget’s Office of Information and Regulatory Affairs. Pentagon spokesman Russell Goemaere confirmed DOD’s plans to Inside Cybersecurity and said DOD expects the rules to be published by May 2023.
The Defense Department announced substantial changes to the CMMC program in November 2022 and put out an advanced notice of proposed rulemaking detailing upcoming rulemaking changes.
The original IFR contains three clauses to amending the Pentagon’s acquisition rules -- two focused on NIST 800-171 (DFARS 7019 and 7020) and one to implement the CMMC program (DFARS 7021). The CMMC clause was delayed due to a Pentagon internal review of the CMMC program.
DOD formally split the IFR into two rulemakings in February. It is not clear whether the 32 CFR will also contain CMMC policy changes.
The Pentagon has set a May 4 deadline to submit a draft of the new rule amending the 32 CFR to the Defense Acquisition Regulatory Council, according to the latest version of the DFARS Case Status report from Defense Pricing and Contracting.
The original IFR update needs to be submitted to the DARC by April 20, according to the DFARS report. The DARC has granted extensions on both rulemaking updates in the past so the deadlines could change.
CMMC director Stacy Bostjanick announced DOD’s rulemaking plans at a cyber event last week hosted by the New England chapter of the National Defense Industrial Association.
Bostjanick said DOD is going to submit the 32 CFR rulemaking to the Office of Management and Budget to “get it started and then we [will] ask for an interim and then we [will] follow up with [the] 48 [CFR]. Our hope and prayer is that we are accepted for an interim rule and by May of 2023 we will be able to have that interim rule and CMMC requirements will show up in contracts 60 days later.”
Contracting attorneys Robert Metzger and Eleanor Ross commented on what to expect in the two rulemakings.
Metzger and Ross said, “DoD will not approach all of CMMC 2.0 as a new rulemaking. The existing Interim Final Rule (IFR) was issued under Part 48 and DoD received hundreds of Comments, from stakeholders, that should be reflected in the update or finalization of the Part 48 IFR. We do expect there will be adjustments to the existing clauses, -7019 and -7020, which concern contractor self-assessment and submission of scores to DoD’s SPRS system. As to these, DoD may require annual affirmations. Where the Part 48 rule will change most is with respect to -7021, the clause which was to implement CMMC requirements. From what DoD has shared about CMMC 2.0, we expect considerable elaboration as to contract requirements and contractor obligations.”
Metzger is the co-chair of law firm Rogers Joseph O’Donnell’s Cybersecurity and Privacy Practice Group, and a co-author of MITRE’s “Deliver Uncompromised” report. Ross is an associate at Rogers Joseph O’Donnell.
Submitting the rulemakings in July gives OMB ten months to review the rule based Bostjanick’s schedule. DOD’s Goemaere said the May 2023 public release is an attempt to manage “expectations” for CMMC stakeholders and said “May is a safe bet.”
Metzger and Ross agreed saying, “Ten months seems like a realistic period for OMB review of a rulemaking. If DoD intends to submit the Part 32 and Part 48 rulemakings sequentially, with Part 32 first, that is likely to extend the review period. DoD likely will wait until it has resolved all issues with OMB on Part 32, the new component, before it submits the updates to Part 48. It’s no secret that proposed rules often reside at OMB for a longer than rule proponents anticipate.
They added, “Here, where Part 32 is new, there will be back-and-forth to address and resolve objections that OMB may raise. DoD may conclude it needs a ‘lock’ (or close) on Part 32 before it finalizes the Part 48 submission to OMB. And DoD likely is giving itself some margin, on the date of release of the new rules, rather than cite an earlier date that is unlikely to be achieved complexities.”
The May 2023 release “does not indicate a lack of effort or intensity” on behalf of DOD, Metzger and Ross said, “rather, it is likely to be a realistic prediction based on the intricacies of the regulatory process.” -- Sara Friedman (email@example.com)