In November 2021, the Department of Defense (DoD) announced its intent to revise the CMMC program. The DoD predicted that the rulemaking process could take up to 24 months to complete the rule package, which must then be sent to the Office of Management and Budget (OMB) for evaluation. That process has now been delayed by more than seven months. So, when will CMMC 2.0 go into effect?
We anticipate it will be very soon, but some factors may cause further delays. Let’s look at what’s happened so far, what contractors need to be aware of, and what you should be doing to prepare.
Complications Abound for CMMC 2.0
It’s evident from the continued delay that there is a dispute about how to implement the revised CMMC program. However, the DoD continues to work diligently, planning two rules that will govern how government contractors and their subcontractors protect controlled unclassified information in their systems.
In addition to a draft of Code of Federal Regulations (CFR) Title 32, the DoD must send a CFR Title 48 rule to support implementing the CMMC program through contractual requirements. Both rules must be completed before CMMC 2.0 becomes mandatory for contractors and subcontractors.
CFR Title 32
CFR Title 32 contains the codified U.S. Federal laws and regulations on national defense, covering the security of defense logistics and the Armed Forces, intelligence, and selective service.
CFR Title 48
CFR Title 48 contains the codified U.S. Federal laws and regulations that pertain to the Federal Acquisition System (FARS). FARS aims to “deliver the best value product or service to the customer, while maintaining the public’s trust and fulfilling public policy objectives.” One example is using contractors who consistently fulfill their obligations to a high standard.
The Current CMMC Timeline
Beyond the DoD’s own process, the program is subject to many external factors that may contribute to further delays. So, what does the timeline currently look like?
The Rulemaking Process
There are two approaches to the rulemaking process once the DoD has completed its portion:
Option 1: The OMB will evaluate the draft rules once they receive the rule package from the DoD. Upon OMB approval, the DoD can publish the regulations as an “interim final” rule, making the rules effective 60 days after the publication.
Option 2: The OMB can approve the regulations as a “proposed rule,” allowing a comment period of up to a year before the final rule takes effect. The Fall 2022 Unified Agenda currently has CMMC in the proposed rule stage, with the proposed rule scheduled to publish in May 2023. If this happens, then CMMC will likely become operational in 2024.
But if there’s anything we’ve learned in this process, nothing is set in stone, and everything is subject to change. For example, the approval may change to an interim final rule to speed up the calendar. Is that likely to happen? Probably not, given the additional factors we must consider.
As the CMMC program continues to undergo its verification requirement updates, we must acknowledge two other updates in progress that may contribute to more delays in the approval process.
NIST SP 800-171 is undergoing updates and is expected to be released in early 2023. This update includes the CUI series of publications and implements feedback about the use, effectiveness, adequacy, and ongoing improvement of the series.
The National Defense Authorization Act (NDAA) also mandated that Controlled Unclassified Information (CUI) be clarified in 2022. It is anticipated that the updated definition will be available in 2023. This is a significant aspect to consider as the definition of CUI determines the responsibilities of contractors under CMMC and various DoD guidelines.
Both updates will impact CMMC and DFARS clauses 7012, 7019, and 7020.
Next Steps for Defense Prime and Subcontractors
Defense contractors have been required to adhere to cybersecurity standards since 2017. This remains unchanged. The update adds a verification process showing that you meet the requirements at your CMMC level.
Contractors should take this time to ensure their company is directly aligned with NIST 800-171 standards. If your company comfortably meets NIST requirements, then continue to complete annual assessments and begin looking for potential C3PAOs.
Does your company need help to meet the requirements? If so, it’s wise to set yourself up for success by working with a certified Registered Provider Organization (RPO). An RPO will ensure you are meeting the complex cybersecurity controls.
Aligned was among the first companies selected as a CMMC RPO. We are passionate about helping you safeguard sensitive information to protect our warfighters. Our extensive compliance experience has helped defense primes and subcontractors navigate the challenges of DFARS, NIST 800-171, and CMMC.
Choosing to partner with our team of compliance experts will save your organization time and money. Our team will work closely with you to prepare you for contracts when CMMC officially takes effect.
Don’t wait until CMMC rolls out to get started. Contact us for a consultation today to get ahead of your competitors.