Inside Cybersecurity

May 19, 2024

Pentagon cyber certification program rulemaking enters formal interagency review process at OIRA

By Sara Friedman / July 25, 2023

The Pentagon’s Cybersecurity Maturity Model Certification program is entering a new stage: the rulemaking to implement the program has been submitted to OMB’s Office of Information and Regulatory Affairs and is now under review there.

The rulemaking will amend Title 32 of the Code of Federal Regulations and is expected to be issued as a proposed rule with a 60-day public comment period. The rulemaking was sent to OIRA on Monday.

The Defense Department provides more detail on the rulemaking in an entry on OIRA’s website.

It says, “DOD is proposing to implement the Cybersecurity Maturity Model Certification (CMMC) Framework, to help assess a Defense Industrial Base (DIB) contractor’s compliance with and implementation of cybersecurity requirements to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) transiting non-federal systems and mitigate the threats posed by Advanced Persistent Threats -- adversaries with sophisticated levels of expertise and significant resources.”

OIRA has 90 days to review the rule and can extend that if more time is needed. There is no “minimum period for review,” OIRA says in a FAQ on its website. It’s also possible that the rulemaking could be withdrawn if there are issues found during the OIRA review process.

The Small Business Administration’s Office of Advocacy reviewed the rulemaking before it was sent to OIRA, according to a source.

Currently, the CMMC entry on the OIRA website says the notice of proposed rulemaking will come out in September. However, that date is subject to change and has slipped several times since the original CMMC rule came out in September 2020.

DOD announced major changes to the CMMC program in November 2021, including a reduction in the number of maturity levels from five to three and the removal from the new level two of the extra controls that went beyond NIST Special Publication 800-171.

The National Institute of Standards and Technology is working on an update to NIST 800-171 and released the first draft of revision three for public comment in May. The agency posted submissions last week from over 75 organizations.

The Pentagon is also expected to issue a proposed rule to amend Title 48 of the Code of Federal Regulations, following the release of the CMMC rulemaking. The 48 CFR rule will make changes to the 2020 CMMC rule that came out ahead of the internal review process.

Under the original CMMC rule, DOD embarked on a joint surveillance voluntary program that allows companies to undergo an assessment of their compliance with NIST 800-171 conducted by an authorized certified third-party assessment organization together with DCMA’s Defense Industrial Base Cybersecurity Assessment Center.

DOD expects that those assessments will be converted into a CMMC level two certification, but it will not be clear if that’s the case until the CMMC rulemaking is published.

The release of the 32 CFR rule for public comment is expected in the fall, followed by the 48 CFR rule. DOD hopes to release the final rules in the fall of 2024. -- Sara Friedman (sfriedman@iwpnews.com)