CMMC has made it to the final rulemaking phase.

The Cybersecurity Maturity Model Certification (CMMC) proposed rule has taken a momentous step towards becoming final! On Monday, July 24th, the CMMC proposed rule entered the final phase of rulemaking, marking a significant milestone in its complex implementation journey.

The OIRA Review 

As of that date, the CMMC rule has been officially submitted to the Office of Information and Regulatory Affairs (OIRA), which operates under the Office of Management and Budget (OMB). The OIRA is now tasked with conducting a comprehensive review of the rule. It has a maximum of 90 days (about 3 months) to complete this process, but it may finish its assessment sooner.

Publication in the Federal Register 

Once the OIRA is satisfied with the CMMC rule and there are no further considerations from the Department of Defense (DoD), the Proposed Rule will be officially published in the Federal Register. This publication will open the floor for public comments, enabling stakeholders and interested parties to provide their insights and feedback on the proposed CMMC framework. 

Significance of the Progress 

This marks a remarkable achievement for the DoD, which has worked tirelessly to bring the CMMC rule package to the OIRA for review. The progress made so far is a testament to the dedication and effort invested by all parties involved. 

The fact that the CMMC has reached the OIRA review stage is a clear indication that its implementation is well underway. While the specific details of the rule are yet to be unveiled, the CMMC community can take solace in knowing that progress is being made towards enhancing the cybersecurity posture of organizations involved in defense contracts. 

Expected Timeline and Preparation 

Considering the current developments, along with various projections and expert opinions, it is anticipated that the CMMC final rule will take effect in 2024. Consequently, it is likely to start appearing in defense contracts by late 2024. The CMMC finalization is indeed on the horizon, and organizations must prepare themselves accordingly. 

The Time to Assess is Now 

With the CMMC final rule drawing nearer, the time to assess and enhance cybersecurity measures is at hand. Organizations seeking to engage in defense contracts should act promptly to ensure compliance with the forthcoming CMMC requirements. Partnering with an Authorized CMMC Third-Party Assessment Organization (C3PAO) for a Joint Surveillance Assessment (JSVAP) can prove to be a strategic move. 

A JSVAP allows organizations to attain early certification and maintain it for three years after the final CMMC rule is in place. Achieving early certification will not only boost an organization’s credibility but also strengthen its cybersecurity resilience. Organizations can learn more about the JSVAP roadmap by referring to an informative infographic that outlines the process.

The impact of CMMC is not limited to the Department of Defense (DoD) alone. It is projected to extend its influence on other federal agencies, both within the United States and beyond its borders. One notable example is Canada’s intention to adopt a program inspired by CMMC, known as the Canadian Program for Cyber Security Certification (CPCSC). This initiative demonstrates how the CMMC framework has garnered international attention and recognition as a robust cybersecurity standard. As more nations and agencies recognize the value of CMMC in fortifying their sensitive data defenses, it becomes evident that CMMC is set to become a significant driver for enhanced cybersecurity practices worldwide, further solidifying its position as a pioneering cybersecurity certification model. The global reach of CMMC indicates that its implementation journey is far from over, as it continues to evolve and influence cybersecurity strategies on an international scale.


As CMMC enters its final rulemaking phase, defense contractors and organizations that store, transmit, and/or handle CUI for the DoD eagerly await its publication in the Federal Register. This significant progress reflects the ongoing commitment to enhancing cybersecurity practices across the defense sector. With the CMMC final rule expected to come into effect in 2024, organizations must act swiftly to prepare and ensure compliance with the forthcoming requirements. The road ahead may be challenging, but it is also filled with opportunities to strengthen cybersecurity and contribute to a safer digital environment.


How Redspin can help

No matter where you are on your CMMC journey, we are here to help you navigate. If you are interested in the JSVAP process, or would like to begin your path to CMMC compliance, reach out to our team at

