Milestone: Final CMMC Implementation Rule Clears OMB Review Process
September 2024 CMMC Update: Final Rule Cleared by OMB – Publication Expected Soon
On September 13, 2024, the long-awaited Cybersecurity Maturity Model Certification (CMMC) Final Rule cleared its final regulatory hurdle by the Office of Management and Budget (OMB). This represents the last significant milestone before the rule is published in the Federal Register, where it will become official, locking in the framework for contractors to meet critical cybersecurity requirements.
Key Milestones
- The final rule is expected to be published between late September and mid-October 2024, ahead of schedule. Once published, no further changes will be made.
- Once published, the rule will establish its effective date, typically 30-90 days after publication.
- The rapid pace of this regulatory process shows the urgency behind CMMC’s implementation. Expected in late 2024, the rule is advancing well ahead of schedule.
What’s Next?
After publication, the rule will undergo Congressional Review, which allows Congress 60 legislative days to review the regulation. Historically, Congress rarely overturns such rules; only 20 of over 200,000 final rules have been overturned since the Congressional Review Act was enacted in 1996.
Fun Facts:
- 1 rule during the 107th Congress (2001-2002) under President George W. Bush.
- 16 rules during the 115th Congress (2017-2018) under President Donald Trump.
- 3 rules during the 117th Congress (2021-2022) under President Joe Biden
What Should Contractors Do?
Contractors should prepare for the effective date and plan for their CMMC Level 2 assessments. If you are currently undergoing a Joint Surveillance Voluntary Assessment (JSVA), ensure your assessment is completed before the effective date to convert it into a CMMC Level 2 certification.
With the rule likely taking effect in late 2024, now is the time to schedule consultations and start planning with C3PAOs (Certified Third-Party Assessment Organizations). Waiting until the final rule’s effective date could delay compliance, which is crucial to maintaining eligibility for defense contracts.
July 2024 Summary: Final CMMC Implementation Rule Enters OMB Review Process
- With the submission of both the CFR Title 32 and Title 48 rule changes for a 90-day OMB and interagency review, the CMMC program is well on its way to begin implementation in early 2025.
- Once cleared by OMB, the rule will undergo review by Washington Headquarters security and the Defense Office of Prepublication and Review before it is approved by the DoD CIO and reviewed by the National Archives and Records Administration Office.
- The rule will then undergo a 60-day review by Congress and the Government Accountability Office.
- These are the final steps before publication of the rule in the Federal Register and with all the final hurdles overcome, it’s unlikely that publication of the rule will be delayed further.
- The DoD is planning a phased approach to CMMC implementation after publication of the rule in early 2025:
- Phase 1 – Estimated start in March 2025 (30 days after the final rule is published): Self assessments become a condition for contract award.
- Phase 2 – Estimated start in Sep 2025 (6 months after the effective date of the final rule): Level 2 third-party assessment becomes a condition for contract award for contracts handling CUI. Some select contracts may include a requirement for Level 3 assessments.
- Phase 3 – Estimated start in Sep 2026 (1 year after the start of Phase 2): Options periods on contracts awarded before CMMC implementation will require Level 2 third-party assessments. Level 3 assessments will be required for all applicable contracts.
- Phase 4 – Estimated start in Sep 2027 (1 year after the start of Phase 3): Full implementation of CMMC. The DoD will include all CMMC program requirements in all applicable DoD solicitations and contracts, including options periods.
- If they haven’t already, DoD contractors – especially small to medium businesses – need to start developing their cybersecurity programs now to ensure they are ready for new contract requirements as early as March 2025.
CMMC CFR Title 32 and 48 Rulemaking
The DoD has submitted its final rule to implement the Cybersecurity Maturity Model Certification (CMMC) program to the White House Office of Management and Budget’s (OMB) Office of Information and Regulatory Affairs (OIRA).
This step represents a significant milestone in the implementation of the CMMC program.
Once accepted and published in the Federal Register, the rule will establish the CMMC program requirements in Title 32 of the Code of Federal Regulations, which covers regulations related to various aspects of national defense and military operations. The DoD CIO, through the CMMC PMO, is developing the CMMC program, requiring DoD contractors to adopt a set of cybersecurity standards to protect sensitive information.
Concurrently, the DoD acquisition community has been working on a second rule which will implement CMMC requirements via Title 48 of the CFR. Title 48 covers regulations related to federal government contracts and procurement processes and includes the Defense Federal Acquisition Supplement (DFARS). The Office of the Undersecretary of Defense for Acquisition and Sustainment submitted this rule to the OIRA May 15th.
Essentially, the Title 32 rule establishes the program and informs the specific contract requirements outlined by DFARS. Both of these rules must be finalized to fully implement CMMC requirements in solicitations and subsequent contracts.
Phased Approach to CMMC Implementation
Once the rules are finalized, the DoD plans a phased approach to implementing CMMC.
The Administrative Procedure Act (APA) – which governs federal agencies’ rulemaking process – specifies that agency rules usually cannot take effect until 30 days after publication in the Federal Register (known as the “effective date.”) We currently expect publication of the final rules by February 2025.
Phase 1 – Estimated Start March 2025 – of CMMC implementation will begin on the effective date of DoD’s final CMMC rule (i.e., 30 days after the rule is published). During Phase 1, CMMC Level 1 or Level 2 self-assessments become a condition for contract award.
This means that contractors must self-assess their compliance with the cybersecurity requirements of CMMC Level 1 or 2 (whichever level is applicable to the contract) to be eligible for award. DoD may also include third-party CMMC Level 2 assessment requirements in certain contracts at its discretion.
Phase 2 – Estimated Start September 2025 – Begins six months after Phase 1. During Phase 2, DoD will add CMMC Level 2 certification assessment requirements to all applicable contract awards.
This means that contractors will need to pass a third-party Level 2 CMMC assessment to be eligible for contracts with the CMMC Level 2 certification requirement. DoD may also include CMMC Level 3 certification assessment requirements in certain contracts at its discretion.
Phase 3 – Estimated Start September 2026 – Begins one year after Phase 2. During Phase 3, DoD will extend the CMMC Level 2 certification assessment requirement to applicable contracts that were awarded prior to DoD’s finalization of the CMMC rule.
This means that DoD will not exercise options on existing contracts unless the contractor has passed a third-party Level 2 CMMC assessment (assuming the CMMC Level 2 requirements are applicable to the contract). In addition, DoD will add CMMC Level 3 certification assessment requirements to all applicable contract awards.
Phase 4 – Estimated Start September 2027 – begins one year after Phase 3 and will mark the full implementation of the CMMC program. During Phase 4, the DoD will include all CMMC Program requirements in all applicable DoD solicitations and contracts including option periods on existing contracts.
The Bottom Line for DoD Contractors
Compliance with CMMC will soon be a contractual requirement. Developing cybersecurity standards now that mesh with your company’s current policies and procedures will make those standards easier to adopt while enhancing your productivity.
Contractors need to start preparing to meet CMMC requirements now to avoid disruptions to their business operations and penalties for non-compliance. Achieving compliance with CMMC can be a complex and time-consuming process. Starting early allows contractors to assess their cybersecurity posture, identify gaps, implement necessary controls and policies that consider their current business operations and needs, and undergo the certification process smoothly.
Ardalyst’s Tesseract program streamlines and simplifies cyber program development, enhances productivity, and provides affordable solutions to ensure DoD contractors are prepared to meet emerging compliance requirements.
Schedule your free assessment now to learn more about Tesseract can help your business excel.