Inside Cybersecurity

CMMC accreditation body touts voluntary participation in assessments as final rulemaking gets closer to fruition

By Sara Friedman / July 31, 2025

The accreditation body behind the Pentagon’s Cybersecurity Maturity Model Certification program provided an update on the voluntary efforts of defense contractors to get third-party assessments at an energized town hall meeting, where stakeholders seemed encouraged by the Defense Department’s recent milestone to move toward a final rule kicking off the formal launch of the initiative.

The second CMMC rulemaking entered the interagency review process on July 22 at OMB’s Office of Information and Regulatory Affairs. At the July 29 meeting, Michael Gruden, a partner at law firm Crowell, spoke with Cyber AB CEO Matthew Travis on the latest rulemaking developments.

Gruden said he expects the final rule will come out in the early fall timeframe, predicting an October release.

Matthew Travis, CEO, Cyber AB

Official CMMC assessments became available on Jan. 2. The first CMMC rulemaking established the CMMC program and went into effect on Dec. 16.

The second rulemaking, when finalized, will kick off the timeline for CMMC requirements to start showing up in DOD contract solicitations.

Travis said the Cyber AB has fully authorized 77 certified third-party assessment organizations, or C3PAOs, that can conduct CMMC assessments.

There are 258 organizations that have submitted a final certificate showing their compliance with CMMC level two following a C3PAO assessment. The certificates are submitted through DOD’s Enterprise Mission Assurance Support Service, known as eMASS, which allows DOD acquisition officials to view the results of CMMC assessments by companies that are applying for contracts.

Travis said eMASS shows 11 companies have a conditional CMMC status certificate, eight companies have failed a CMMC level two assessment and 87 CMMC assessments are in progress.

The OIRA entry for the upcoming final rule indicates that the rulemaking is not economically significant. Gruden said this eliminates the formal reviews from Congress and indicates the final rule could come out in a shorter timeframe.

Gruden noted that some primes are already asking their subcontractors for details on compliance, emphasizing that this means companies who have “core contracts” with DOD recognize they need to get their affairs in order before the DOD requirements go into effect.

However, Gruden said there’s a chance that, through the interagency process, OIRA could send the rulemaking back to DOD if it decides the final rule isn’t compatible with the law or if the analysis underlines how the rule is inadequate.

DOD could also find the rules are not justified by the analysis and send it back for further work, according to Gruden. -- Sara Friedman (sfriedman@iwpnews.com)