The CMMC program has continued to advance at a rapid pace as it moves toward finalization and widespread implementation. The current version, “CMMC 2.0,” was introduced in 2021 by the United States Department of Defense (“DoD”). This revision simplified the Cybersecurity Maturity Model Certification (“CMMC”) program while also softening some of the requirements found in its earlier (1.0) version. DoD indicated that it would take a more structured approach to implementing CMMC 2.0 throughout the Defense Industrial Base (“DIB”), using a multi-phase roll-out spanning several years.
As part of their “structured implementation” initiatives, DoD created an entirely new section of the Code of Federal Regulations. Known as 32 CFR 170, these new regulations lay out the CMMC ecosystem, the manner in which DoD will work with a third-party assessment and certification body (The Cyber AB), and DoD's expectation for the CMMC certification process.
The 32 CFR 170 rule was published as a “Proposed Rule” in December 2023. In response, DoD was flooded with over 1800 comments from the public and stakeholders on how to improve the CMMC program and 32 CFR 170. DoD has spent the past several months "adjudicating" those comments and making changes to 32 CFR 170.
That process concluded on June 27th, when the Department of Defense finished reviewing and adjudicating the more than 1800 comments made on the proposed CMMC 2.0 rule. DoD completed this review in record time, signaling its commitment to completing the implementation and roll-out of the CMMC program.
With the completion of the DoD’s adjudication process, a "Final Rule" version of the regulation has been sent to the Office of Information and Regulatory Affairs ("OIRA"), part of the White House's Office of Management and Budget ("OMB"). OIRA now has up to ninety (90) days to review, recommend changes to, and approve the Final Rule. This means that the Final Rule should be published in the Federal Register no later than October 26, 2024.
Update 10/15: The final CMMC 2.0 rule is here. The Cybersecurity Maturity Model Certification rule was officially published in the Federal Register as a final rule on October 15th. What does this mean for your organization? With this final rule, contractors must take immediate action to protect CUI and align with regulatory requirements! If your business needs guidance on navigating the complexities of CMMC 2.0, CorpInfoTech is here to help.
The movement of the Cybersecurity Maturity Model Certification (CMMC) 2.0 program into the Office of Information and Regulatory Affairs (OIRA) review marks a significant step in the regulatory process and impacts the overall timeline of the program. OIRA's review is a standard procedure for all executive branch regulations and is crucial for ensuring that the proposed rules are sound and well-formulated before they are finalized and published.
Once published, 32 CFR 170 will not take effect immediately. Since 32 CFR 170 is considered a "Major" rule, it must undergo Congressional review. Congress has 60 days from the Final Rule's publication in the Federal Register to complete such review.
Impact on the CMMC Program:
- Completion of Regulatory Review: The completion of OIRA's review means that the CMMC 2.0 rules have cleared a major regulatory hurdle. This review, which can take up to 90 days, ensures that the rules are aligned with broader regulatory frameworks and adequately address public and industry feedback.
- Publication and Comment Period: Following OIRA's review, the proposed CMMC 2.0 rules are set to be published in the Federal Register. This publication will be followed by a 60-day public comment period, allowing stakeholders to provide further input on the rules.
- Final Rule and Implementation: After the public comment period and subsequent revisions, the final CMMC 2.0 rule is expected to be published. The program is anticipated to go into effect and be integrated into defense contracts by the first quarter of 2025. This timeline includes time for addressing public comments and making necessary adjustments to the rule before it becomes enforceable.
CorpInfoTech, a CMMC Compliant MSP
CorpInfoTech is a managed service provider (MSP) that offers IT and cybersecurity solutions to SMBs seeking to bolster their security posture and achieve CMMC compliance. It is important for contractors to realize that if they use an MSP, their provider must also be CMMC compliant to continue offering its services. As an MSP, CorpInfoTech is committed to CMMC level 2 compliance and is registered under the CyberAB as a certified RPO (Registered Practitioner Organization). We are ready and willing to help contractors achieve CMMC compliance on time, on budget, and with tangible results!
Other CMMC blogs:
- Does My MSP Need to be CMMC Compliant
- What Is CMMC and Who Needs It
- The History of CMMC
- Check out CorpInfoTech’s Resource tab for more CMMC blogs, whitepapers and guides
CorpInfoTech (Corporate Information Technologies) provides small to mid-market organizations with expert I.T. services, including security assessment, cybersecurity penetration tests, managed services (MSP), firewall management, and vulnerability management. CorpInfoTech can help organizations quantify, create, refine, and mitigate the risks presented by business-threatening disasters in whatever form they may be disguised.