2024 DIB Rulemaking Calendar (Q2 Update)

    Stay updated on the latest DIB rulemaking updates for 2024, including CMMC, DFARS, NIST, and more. Get insights on incident reporting, cybersecurity requirements, and upcoming regulations in this informative podcast summary.



    What's the latest with DFARS, CMMC, FAR, and NIST and other DIB rules this year? 

    Q2 2024 is upon us so this week we are updating the rulemaking calendar based on what we know about DFARS, CMMC, the FAR, and NIST revisions. If the Summer doldrums push things into the Fall, then we could be in for a relentless rulemaking/holiday season.

    What's the latest with the DIB CS Program Final Rule?

    • Published March 2024
    • Expands eligibility to the DIB CS Program for non-cleared defense contractors
    • What to know:
      • DoD commonly references the DIB CS Program expansion in response to criticism about not providing defense contractors with sufficient cybersecurity tools and resources.
      • While the DIB CS Program helps contextualize cyber threats through strong information-sharing relationships, it offers little direct compliance value toward meeting NIST SP 800-171 or CMMC requirements.

    What's the latest with the CIRCIA Proposed Rule?

    • Published April 2024
    • Duplicates and expands cyber incident reporting requirements
    • What to know:
      • Defense contractors are "covered entities" under the proposed rule and will have expanded cyber incident reporting requirements on top of their existing obligations pursuant to DFARS contract clause 252.204-7012, which already requires rapid reporting of cyber incidents to DoD within 72 hours of discovery; the CIRCIA rule would add a separate report to CISA.
      • If DoD and CISA can reach an agreement, DIB suppliers may be able to report to only one agency instead of two.

    What's the latest with the NIST SP 800-171 and 171A Revision 3?

    • ETA: May 2024
    • Expands the requirements assessed at CMMC Level 2 by ~30%
    • What to know:
      • If DoD doesn't issue an implementation waiver (known as a "class deviation"), then defense contractors will need to implement SP 800-171 revision 3 as soon as they receive a solicitation after the final revision is published, because DFARS 252.204-7012 points to the version of SP 800-171 in effect at the time the solicitation is issued.
      • The CMMC proposed rule specifies SP 800-171 revision 2, so unless DoD is able to sync up DFARS 7012 and CMMC, contractors will need to juggle two different cyber requirement baselines.

    What's the latest with the DFARS 252.204-7012 v3.0 Proposed Rule?

    • ETA: Q4 2024
    • Hopefully kills the term "CDI", explains international reciprocity, includes SP 800-172 requirements, and explains FedRAMP "equivalency"
    • What to know:
      • The DFARS 7012 rulemaking process isn't run by the same Pentagon team that runs CMMC rulemaking, so updates and cross-collaboration are hard to come by.
      • All of the various DFARS clauses (7019, 7020, 7021) and assessment programs like CMMC and the DoD Assessment Methodology ("DoDAM") are intended to verify the implementation of requirements imposed by DFARS 252.204-7012; it is the center of gravity.

    What's the latest with NIST SP 800-172 and 172A Revision 1?

    • ETA: Q4 2024
    • Expands the requirements assessed at CMMC Level 3 by a percentage that is still to be determined
    • What to know:
      • Unlike NIST SP 800-171, the requirements in SP 800-172 aren't capped by the size of the SP 800-53 moderate baseline.
      • The requirements in SP 800-172 can therefore be esoteric, complex, and expensive.

    What's the latest with the 32 CFR CMMC Final Rule?

    • ETA: 2H 2024
    • Establishes the CMMC Program at Title 32 of the Code of Federal Regulations
    • What to know:
      • DoD and the Office of Management and Budget are highly motivated to publish the final rule before the November election in order to avoid additional red tape.
      • Kicks off the "market roll-out" for assessments: a situation where companies can pay a C3PAO for an official CMMC assessment prior to the DoD requiring CMMC certification in contracts (see below).
      • A large gap between the market roll-out and the contractual "phased roll-out" will result in market forces driving assessment requirements long before DoD requires it in a single contract (see below).


    What's the latest with the 48 CFR CMMC Proposed Rule?

    • ETA: Q4 2024 (Maybe)
    • Revises the DFARS 252.204-7021 clause to point to 32 CFR CMMC
    • What to know:
      • Kicks off the "phased roll-out" for CMMC level requirements in contracts.
      • As of late April 2024 the rule is delayed due to internal revisions. While this is completely normal, it will significantly extend the time between the market and phased roll-outs; many companies will be pushed to attain CMMC certification by market forces outside of DoD's control.


    What's the latest with the FAR CUI Proposed Rule?

    • ETA: 2H 2024
    • Establishes SP 800-171 as the minimum requirement for CUI via a federal-wide contract clause
    • What to know:
      • The FAR CUI rule is the third piece of the three-part plan to implement the federal Controlled Unclassified Information program, but it has been missing in action since 2016.
      • The rule will likely drive other federal agencies to reject contractor self-attested implementation of cyber requirements, possibly expanding the requirement for CMMC certification beyond DoD.

    Sum IT Up Podcast

    With Jacob Horne and Jason Sproesser

    We sum up the news and developments relevant to CMMC, DFARS, and NIST standards such as SP 800-171, SP 800-53, the NIST Cybersecurity Framework, and others.

    Jacob Horne

    Jacob has 15 years of interdisciplinary cybersecurity experience. He uses his knowledge of cybersecurity, NIST standards, and federal rulemaking to help people make sense of cybersecurity regulations and requirements.