Author: Tara Lemieux, CMMC Consultant, PA/PI/CCP/CCA/ISO Lead Auditor
There’s been a swirl of rumors in our community regarding the ‘realness’ of the Cybersecurity Maturity Model Certification (CMMC) and its implementation timeline, suggesting that rulemaking is not likely to be finalized until 2025. Let’s set the record straight and dive into the actual process, timelines, and what it means for us.
The Office of Information and Regulatory Affairs (OIRA) plays a key role in the federal rulemaking process. Here’s a simplified breakdown:
- Rule Submission: An agency, like the DoD for CMMC, submits a proposed rule to OIRA.
- Review Period: OIRA reviews the rule, which typically takes about 90 days, though they can extend it by 30 days if needed.
- Completion and Next Steps: Once OIRA completes its review, the rule is ready for the next big step – publication in the Federal Register.
As of today, OIRA has finished reviewing the CMMC rule. The next anticipated milestone is the publication of the proposed rule in the Federal Register. Historically, it takes about 1-2 weeks on average for a rule to move from OIRA’s completed review to Federal Register publication. This step is crucial because it officially brings the rule into the public domain for further action. Once the proposed rule is published in the Federal Register, we expect additional details will be made available.
Yes, there is a public comment period after it is published, but this public comment period does not change our current trajectory; rather, it offers members of the public an opportunity to clarify ambiguous or conflicting language such that the final rule is achievable.
Typically, the public comment period for federal proposed rules like CMMC lasts for 60 days. This period begins on the day the proposed rule is published in the Federal Register. The public, including industry stakeholders, experts, and any interested parties, will have access to the proposed rule and can submit their comments through specified channels, often electronically via government websites.
If the proposed rule is lengthy or complex, the Department of Defense (DoD) may extend the comment period beyond the typical 60 days. This extension would be to accommodate a thorough and objective review and consideration of the detailed aspects of the rule.
The proposed rule is not finalized until after adjudication of the public comments. Once the review and response to public comments are complete, the DoD will publish the final rule. This final rule will incorporate changes made in response to public input and will provide the definitive framework for CMMC implementation.
So, let’s tackle the elephant in the room: the 2025 timeline.
While certain phases of CMMC implementation – such as the assessment phase (where an organization may have already successfully completed a Joint Surveillance Voluntary Assessment (JSVAP) and would be required to periodically recertify) or contract integration phase (where the language requiring a CMMC assessment may be completely integrated into all existing and new contracts) – may extend into 2025, it’s important to understand what’s already in place:
- NIST Compliance Through DFARS: Organizations involved with the DoD are already required to adhere to NIST standards, as mandated by the Defense Federal Acquisition Regulation Supplement (DFARS).
- CMMC Final Rule: This upcoming rule doesn’t introduce new compliance standards out of thin air. Instead, it’s about formalizing the assessment methodology for demonstrating compliance with the existing NIST standards.
While rulemaking can be influenced by various factors, it’s essential to focus on where we are today.
With OIRA’s review completed, we’re in the ‘waiting room’ for the Federal Register publication. This step is more about formalizing and operationalizing what many are already practicing, rather than introducing something entirely new. Timeframes may vary, of course, however, the average timeframe from OIRA completed review and publication into the Federal Register is about 2 weeks. That means, organizations should expect the final proposed rule publication in December of 2023.
In the spirit of clarity and community understanding, let’s remember: CMMC isn’t a distant future concept. It’s a part of our present regulatory landscape, soon to be further formalized. The final rule’s publication is the next chapter in this ongoing story of cybersecurity diligence and defense.
Are you confident in your readiness?
Book a meeting to start your CMMC journey by filling out the form below