
CMMC Update June 2024

Written by Lawrence Cruciana | Jul 1, 2024 7:06:34 PM

The Cybersecurity Maturity Model Certification ("CMMC") program has continued to advance at a rapid pace as it moves towards finalization and widespread implementation. The current version, "CMMC 2.0", was introduced in 2021 by the United States Department of Defense ("DoD"). This revision simplified the program and relaxed some of the requirements found in the early (1.0) version of CMMC. DoD also indicated that it would take a more structured approach to implementing CMMC 2.0 throughout the Defense Industrial Base ("DIB"), using a multi-phase roll-out spread over several years.

As part of its "structured implementation" initiative, DoD created a new section of the Code of Federal Regulations. Known as 32 CFR 170, these regulations lay out the CMMC ecosystem, the manner in which DoD will work with the third-party accreditation body (The Cyber AB), and DoD's expectations for the CMMC assessment and certification process.

The 32 CFR 170 rule was published as a “Proposed Rule” in December 2023. In response, DoD was flooded with over 1800 comments from the public and stakeholders on how to improve the CMMC program and 32 CFR 170. DoD has spent the past several months "adjudicating" those comments and making changes to 32 CFR 170.

That process was completed on June 27, 2024, when DoD finished its review and adjudication of the more than 1,800 comments made on the proposed CMMC 2.0 rule. DoD completed this review in record time, signaling its commitment to finishing the implementation and roll-out of the CMMC program.

With the completion of DoD's adjudication process, a "Final Rule" version of the regulation has been sent to the Office of Information and Regulatory Affairs ("OIRA"), part of the White House's Office of Management and Budget ("OMB"). OIRA now has up to ninety (90) days to review, recommend changes to, and approve the Final Rule; under Executive Order 12866 that review period can be extended once by 30 days. Allowing for that extension, the Final Rule should be published in the Federal Register no later than October 26, 2024.

The movement of the CMMC 2.0 rule into OIRA review marks a significant step in the regulatory process and sets the overall timeline for the program. OIRA review is a standard step for significant executive branch regulations and is intended to ensure that rules are sound and well-formulated before they are finalized and published.

Once published, 32 CFR 170 will not take effect immediately. Because 32 CFR 170 is considered a "major" rule under the Congressional Review Act, it cannot take effect until at least 60 days after it is published in the Federal Register and submitted to Congress, during which time Congress may review it. So the Final Rule will likely not take effect until at least mid-December 2024.

Impact on the CMMC Program:

  1. Completion of Regulatory Review: OIRA's review, which can take up to 90 days, is the last major regulatory hurdle for the 32 CFR 170 rule. It checks that the rule is aligned with broader regulatory requirements and adequately addresses the public and industry comments that DoD adjudicated.
  2. Publication and Congressional Review: Once OIRA approves it, the rule will be published in the Federal Register as a Final Rule. There is no further public comment period; the comment period on the December 2023 Proposed Rule has already closed. Publication is instead followed by the 60-day Congressional Review Act waiting period, during which the rule cannot take effect.
  3. Effective Date and Implementation: After that 60-day period, 32 CFR 170 becomes effective, which puts the earliest effective date in mid-December 2024 and, allowing for slippage in OIRA review, no later than the first quarter of 2025. DoD will then begin phasing CMMC requirements into defense contracts over the multi-year roll-out period.
For any organization inside the DIB, even those (ESPECIALLY those) far down the supply chain, this Christmas-time deadline should be watched very carefully.

Beyond 32 CFR 170, there is more to the CMMC story. DoD is operationalizing 32 CFR 170 through changes to 48 CFR, specifically the Defense Federal Acquisition Regulation Supplement (DFARS). These include revisions to DFARS 252.204-7012, -7019, -7020, and -7021, amongst others. DoD has been actively working on these "48 CFR Rules" as well, and they are on track to be implemented around the same time as 32 CFR 170, roughly Christmas time of 2024.
 
Going back to the structured implementation that DoD set out to accomplish with CMMC: DoD has consistently said it intends to insert DFARS clause 252.204-7021 into groups of contracts in phases over multiple years (hence the term "structured roll-out"). Full implementation of CMMC is expected within 2 years of the effective date of the 48 CFR Rules. That makes Q1 2027 the likely latest timeframe for CMMC compliance, although many prime contractors are pushing their subcontractors to comply much sooner.
 
In anticipation of the CMMC 2.0 rule being sent to OIRA, many large DIB prime contractors have begun pressuring their suppliers and subcontractors to get certified as soon as possible, with assessments starting as early as October 2024. As a result, customer expectations will have a much larger effect on when companies need to get certified than DoD's high-level roll-out schedule will.
 
Smaller DIB contractors need to pay special attention to these timelines and to their own internal CMMC readiness. Large prime contractors are actively taking measures to secure their supply chains and ensure continuity in advance of the Final Rule. Subcontractors that are already ready for a CMMC assessment stand to benefit from this process.
 

CorpInfoTech, a CMMC Compliant MSP

CorpInfoTech is a managed service provider (MSP) that offers IT and cybersecurity solutions to SMBs seeking to bolster their security posture and achieve CMMC compliance. It is important for contractors to realize that if they use an MSP, their provider must also be CMMC compliant to continue offering its services. As an MSP, CorpInfoTech is committed to CMMC Level 2 compliance and is registered with The Cyber AB as a Registered Provider Organization (RPO). We are ready and willing to help contractors achieve CMMC compliance on time, on budget, and with tangible results!


CorpInfoTech (Corporate Information Technologies) provides small to mid-market organizations with expert I.T. services, including security assessment, cybersecurity penetration tests, managed services (MSP), firewall management, and vulnerability management. CorpInfoTech can help organizations quantify, create, refine, and mitigate the risks presented by business-threatening disasters in whatever form they may be disguised.