The Pentagon is planning to submit the first rulemaking under its cyber certification program in January for review by the Office of Management and Budget, according to a Defense Department spokeswoman, shifting the official launch timeframe farther down the road than previously expected.
The Defense Department is in the process of making changes to its Cybersecurity Maturity Model Certification program following an internal review in 2021.
There will be two rulemakings, according to a 2021 notice posted in the Federal Register. The first rule will change Title 32 of the Code of Federal Regulations, followed by an update to the 2020 interim final rule that amended Title 48 of the CFR and put in place regulations for the initial CMMC program.
Stacy Bostjanick, CMMC Director, Office of the DOD Chief Information Officer, Department of Defense
CMMC director Stacy Bostjanick announced earlier this year that the 32 CFR rule would be sent over to OMB’s Office of Information and Regulatory Affairs in July. The expectation was to release an interim final rule in March 2023 with a 60-day public comment period, with CMMC requirements starting to show up in DOD contracts the following May.
“The Department of Defense anticipates sending the draft 32 Code of Federal Regulations (CFR) rule to the Office of Management and Budget in January 2023,” Navy Commander Jessica McNulty, a Department of Defense spokesperson, told Inside Cybersecurity on Tuesday.
McNulty noted that DOD has “previously stated” that “the rulemaking process may take up to 24 months to complete.” When CMMC 2.0 was announced, DOD officials said it could take 15 to 24 months to implement the changes through rulemaking.
McNulty said, “In addition to the 32 CFR rule, a 48 CFR rule will be completed to support implementation of Cybersecurity Maturity Model Certification (CMMC) through Defense Federal Acquisition Regulation Supplement contractual requirements. The objective timeline for implementing contractor compliance with CMMC requirements has been and remains FY25.”
It is now likely that the 32 CFR rule will go out for public comment next summer as a proposed rule, contracting attorney Robert Metzger told Inside Cybersecurity, and be released as a final rule in 2024.
Metzger said, “That OMB doesn’t have the rule already suggests that important subjects are still being worked out among the many interested national security constituencies. Industry can only guess, today, what’s being debated.”
Metzger is a co-author of MITRE’s “Deliver Uncompromised,” and co-chair of law firm Rogers Joseph O’Donnell’s Cybersecurity and Privacy Practice Group.
“In the meantime,” he said, “I expect DoD will continue to encourage defense contractors to obtain early assessment using the expanding body of certified third party assessment organizations. And DoD may step up oversight and enforcement actions using its existing authorities. Delay in CMMC really is just a delay in mandatory assessments. The underlying contractual cyber requirements are binding now and will remain so.”
The Pentagon’s acquisition office has stepped up its compliance activities to remind acquisition officials that defense companies need to meet the 110 controls in NIST Special Publication 800-171 to obtain a DOD contract. NIST 800-171 concerns the handling of controlled unclassified information and CMMC level two is largely based on the 110 controls in the publication.
A June memorandum from Defense Pricing and Contracting principal director John Tenaglia describes penalties for non-compliance and considerations regarding NIST 800-171 assessments conducted by DOD.
Metzger added, “It may be in the best interest of all stakeholders to issue the new rules on a proposed basis and take the time needed to receive and consider comments before finalizing the rule. When effective, CMMC regulations will have broad impact across the defense industrial base.”
“That it’s taken so long for DoD to ready the rule package for OMB suggests there are many complexities in the forthcoming rules -- and potential issues for industry,” Metzger said. “This increases the benefit of an extended rulemaking process as it means industry will be informed and can react before the rules become final. In the meantime, companies remain subject to the existing cyber contract requirements, and they can demonstrate their achieved security by having C3PAO assessments done before the rules are final.” -- Sara Friedman (firstname.lastname@example.org)