CMMC Rulemaking Updates: 7 Things You Need to Know (Updated November 2023)


    The Department of Defense (DoD) announced CMMC 2.0 in November 2021 and estimated that it would take 9–24 months to codify the program via rulemaking.

    24 months later, in November 2023, the regulatory review process is complete and the CMMC rule should be published by mid-to-late December.

    Here are 7 things you need to know about the status of the CMMC rule:

    TL;DR:

    The CMMC rule should be published as a proposed rule by mid-to-late December 2023 followed by a 60-day public comment period that could be extended due to the large size of the rule. Once DoD responds to public comments via a “final rule” the CMMC program will go into effect (and into contracts) in Q1 2025.

    7 Things to Know About the Status of the CMMC Rule

    1. Regulatory review of the CMMC rule complete. 

    All executive branch regulations (“rules”) must be reviewed by the Office of Information and Regulatory Affairs (OIRA) as part of the regular rulemaking process.

    DoD officially submitted the CMMC rule to the OIRA on July 24th, 2023.

    “The rule” consists of eight CMMC model documents and the core of the “program rule” itself.

    As of November 22nd, 2023, OIRA has completed its review of all nine CMMC model documents, clearing the way for publication.


    2. The CMMC rule should be published by mid-December 2023. 

    By default, OIRA has 90 days to review agency rules and decide whether to send a rule back for revisions or forward for publication in the Federal Register.

    On average it has taken 66 business days for DoD rules to be reviewed and published, so we should have seen the published CMMC rule in late October 2023.

    In late October, OIRA requested a one-time, 30-day extension for their review which pushed the review process, and subsequent publication, to the right – directly into the path of a narrowly avoided government shutdown and the Thanksgiving holiday.

    It can take 1-2 weeks for the Federal Register team to publish the text of a rule once it is received from OIRA.

    While there is still a chance for the CMMC rule to be published before the end of November 2023, we expect to see the rule published in the Federal Register by mid-December.


    3. The standard 60-day public comment period could be extended.

    60-day public comment periods are standard fare for federal rules and CMMC will be no exception.

    The comment period begins the day the rule is published in the Federal Register.

    The CMMC rule is rumored to be more than 150 pages long, so it won’t be surprising if DoD extends the comment deadline in response to demand.

    DoD extended the public comment period for the 2016 rule that revised DFARS clause 252.204-7012. Several other recent comment deadlines have also been extended.

    We expect the public comment period to be open in December 2023 and close in Q1 2024.

    4. Official updates from DoD will remain limited until the end of the public comment period.

    You may have noticed that DoD has been conspicuously absent from webinars, podcasts, interviews, and press releases despite the CMMC rule being on the verge of publication.

    Thanks to the quirkiness of the rulemaking process, the DoD is officially unable to speak about CMMC rulemaking until the OIRA review process is complete.

    Even after the publication of the CMMC rule, the DoD communications will be severely limited until the end of the public comment period in order to funnel all public interactions into the public comment process.

    It’s critical to remember that the radio silence since the CMMC rule was submitted to OIRA on July 24th is not an indication of instability in the rulemaking process, the CMMC program, or DoD’s resolve – it’s a signal that CMMC is in the final stages of rulemaking.

    5. CMMC should be finalized and begin showing up in contracts in Q1 2025

    It’s an open secret that the CMMC rule will be published as a “proposed rule” rather than an “interim final rule”.

    The primary difference between the two is when the CMMC rule goes into effect.

       Interim Final Rule: effective before an agency responds to public comments in a “final rule”.

       Proposed Rule: effective after an agency responds to public comments in a final rule.

    A final rule contains government responses to all relevant public comments received during the comment period.

    Because rules often receive dozens to hundreds of comments, the adjudication and response process (as well as the text of final rules themselves) can be quite lengthy.

    Our analysis shows that since 2009, on average, DoD takes 280 – 333 business days to publish final rules thereby responding to public comments.

    As a result, we expect the CMMC final rule will be published and CMMC will go into effect between February – April 2025.

    After the CMMC program goes into effect, CMMC will start showing up in contracts.

    At this point companies would be able to pursue official CMMC certifications whether they have DFARS clause 252.204-7021 in their contracts or not.

    6. There will be a multi-year “phased-roll out” for CMMC contract clauses.

    Once the final CMMC rule is published and CMMC goes into effect, DoD will not simply insert CMMC into every single contract overnight.

    Instead, the DoD has consistently said they intend to insert DFARS clause 252.204-7021 into groups of contracts in phases over 3 years (hence the term “phased roll-out”).

    Assuming the CMMC final rule is published in Q1 2025, all relevant DoD contracts will contain CMMC by 2028.

    Of course, many DIB suppliers and subcontractors will be pressured by the prime customers to get certified as soon as possible once the rule is final and companies can officially sign up for assessments.

    As a result, customer expectations will have a much larger effect on when companies will need to get certified than DoD’s high-level roll-out.

    This acceleration effect is a market dynamic that is outside of DoD’s control.

    Stacy Bostjanick at CS2 DC, July 2022

    7. Implementation of cyber requirements now takes longer than rulemaking.

    Many companies in the defense industrial base will fall into “the implementation trap” where they believe the day the CMMC rule is published is the day to start their implementation of NIST SP 800-171 requirements.

    For many contractors, the implementation-rulemaking timeline has already inverted without anyone noticing.

    For the average 50 – 100 employee company operating in the DoD supply chain, it takes an average of 12 – 18 months to go from an average starting posture to assessment-ready.

    Now that OIRA’s review of the CMMC rule is nearly complete and publication is imminent, CMMC should go into effect in 13 – 16 months.


    To learn more about how long it takes to become CMMC compliant, and the 7 steps to CMMC compliance, check out our free whitepaper below:


    Jacob Horne

    Jacob has 15 years of interdisciplinary cybersecurity experience. He uses his knowledge of cybersecurity, NIST standards, and federal rulemaking to help people make sense of cybersecurity regulations and requirements.
