The Department of Defense officially submitted the CMMC 2.0 rule to the Office of Information and Regulatory Affairs (OIRA), under the Office of Management and Budget (OMB). Here's what you need to know about the latest CMMC update.
The Department of Defense (DoD) released the announcement of changes to the CMMC program in November of 2021: CMMC version 2.0. With this announcement, DoD projected that the new rulemaking process would take 9-24 months; that original estimate ends in November 2023.
On Monday July 24th 2023, just over a year and a half later, the DoD officially submitted the CMMC 2.0 rule to the Office of Information and Regulatory Affairs (OIRA), under the Office of Management and Budget (OMB).
The CMMC rule should be reviewed and published in late October 2023 and as far as DoD is concerned, the rule is complete. Whether it will be a proposed rule, or interim final rule, is yet to be determined. This will affect the timeline for CMMC requirements showing up in actual contracts.
What does the submission of the text to OIRA mean for the CMMC timeline moving forward? Here’s 7 things you need to know about the upcoming CMMC rule:
1. DoD has officially submitted the CMMC rule for regulatory review which begins the countdown toward official publication.
All executive branch regulations (“rules”) must be reviewed by OIRA (part the Office of Management and Budget (OMB) as part of the regular rulemaking process.
This matters because the “delays” facing CMMC referred to the time it took for DoD to submit the rule to OIRA. Now that the submission has officially occurred, the rest of the rulemaking process has been set in motion.
However, the bureaucracy of federal rulemaking means there are a few more steps to complete before CMMC will show up in contracts.
2. CMMC should be reviewed and published in late October 2023
After receiving the CMMC rule, OIRA has 90 days to review and decide whether to send the rule back for revisions or forward for publication in the Federal Register. Our team analyzed every DoD rule since 2009 to determine exactly how long OIRA review and subsequent publication has taken on average.
The answer: 66 business days
The expected publication window: late October 2023
3. There will be a 60-day public comment period ending in December 2023
60-day public comment periods are standard fare for federal rules and CMMC will be no exception. The comment period begins the day the rule is published in the Federal Register.
Once the comment period closes, most federal rules need to be published a second time as “final rules” in order to go into full effect.
A final rule contains government responses to all relevant public comments received during the comment period. Because rules often receive dozens to hundreds of comments, the adjudication and response process can be quite lengthy (as well as the text of final rules themselves).
Assuming the estimates in the previous point hold up, the expected public comment period would be October – December 2023.
4. CMMC should be finalized and begin showing up in contracts in Q1 2025
The CMMC rule will be published as either an “interim final rule” or a “proposed rule”. The primary difference between the two is when the CMMC rule goes into effect.
- Interim Final Rule: effective before an agency responds to public comments in a “final rule”.
- Proposed Rule: effective after an agency responds to public comments in a final rule.
Our analysis shows that since 2009, on average, DoD proposed rules take 333 business days to be published as final rules.
Combined with the above estimates we expect the CMMC final rule (therefore CMMC in contracts) between February – April 2025.
In contrast, if the CMMC rule is interim final then the rule would be effective and in contracts in Q1 2024.
Ultimately, OIRA gets to decide whether a rule will be interim final or proposed. Both the 2016 and 2020 DFARS cybersecurity rules which established the current versions of contract clauses such 252.204-7012 received interim final status due to the pressing need to bolster national security.
However, interim final rules are extremely rare and represent a massive waiver from the democratic process of “notice and comment” rulemaking. As a result, the government is extremely hesitant to grant interim final rules. The normal, by-the-book process consists of publishing a proposed rule, receiving public comments, and responding to those comments in a final rule that puts the regulation into effect.
5. There will be a 3-year “phased-roll out” for CMMC contract clauses
Whether CMMC is published as an interim final rule or a proposed the DoD will not simply insert CMMC into every single contract overnight. Instead, the DoD has consistently said they intend to insert DFARS 252.204-7021 into groups of contracts in phases over 3 years (hence the term phased roll-out).
Assuming the CMMC final rule is published in Q1 2025, all relevant DoD contracts will contain CMMC by 2028.
For reference, CMMC 1.0 proposed a 5-year phased roll-out between 2020 and 2025.
Of course, many DIB suppliers and subcontractors will be pressured by the prime customers to be ready as soon as possible once the rule is final and companies can officially sign up for assessments. This acceleration effect is a market dynamic that is outside of DoD’s control.
6. As far as DoD is concerned the CMMC rule is done, but they can’t say anything
A key concept to keep in mind is that by handing the rule over to OMB the DoD has signaled that they are officially done with modifying the text of the rule.
If it weren’t for the bureaucratic requirements of the rulemaking process the CMMC rule that exists today is the one that DoD would implement.
Any “downtime” or “silence from DoD” between July 24th, 2023, and the publication of the final rule doesn’t represent or imply instability in the CMMC program or DoD’s position on the matter.
To make matters worse the DoD is officially unable to speak about CMMC rulemaking until the OIRA review process is complete. DoD's radio silence will likely compound the problem of perceiving more time as an indication that CMMC may not happen.
7. Implementation of cyber requirements now takes longer than rulemaking
For the average 50 – 100 employee company operating in the DoD supply chain it takes an average of 12 – 18 months to go from average to assessment-ready.
Now that DoD has submitted the CMMC rule to OIRA, historical rulemaking data shows that CMMC should go into effect in 19 – 21 months.
Many, many companies in the Defense Industrial Base will wait until the publication of the final CMMC rule to begin their implementations under the assumption that they will be starting on day 1. For many contractors, the implementation-rulemaking timeline has already inverted without anyone noticing.
To learn more about how long it takes to become CMMC compliant, and the 7 steps to CMMC compliance, check out our free whitepaper below: