CMMC Rulemaking Process Updates


Regulatory review of the CMMC 2.0 rule complete

Back in November of 2021, the Department of Defense (DoD) estimated that it would take between 9 – 24 months to complete the CMMC rulemaking process. Here we are, 24 months later and the Office of Information and Regulatory Affairs (OIRA) has completed their review of the CMMC rule. With this important hurdle out of the way, this means that we are nearing the end of the CMMC rulemaking process.

OIRA concluded their review of CMMC Program

Publication of CMMC Program As “Proposed Rule” vs “Interim final rule”

There are two different outcomes once OIRA has finished reviewing a proposed rule. They can either publish it to the Federal Register as an “interim final rule” or as a “proposed rule”. The difference in the two options is when the rule will actually take effect, either before or after the public comment period. With every rule that an agency proposes, the public has the opportunity to submit feedback. This is normally a 60-day period, but it can be extended.

  • As an interim final rule, the rule gets implemented and enforced before the DoD has the opportunity to respond to the public comment period. This is extremely unlikely and very rarely happens.
  • The far more likelier outcome is that CMMC will be a proposed rule. A proposed rule goes into effect after both the 60 day public comment period, and the DoD has responded to those comments.

This sets the stage for CMMC to be published in the Federal Register as a proposed rule sometime in the middle of December. Once the rule is published, a 60-day public comment period begins which allows the public to submit input on the proposed rule. While it is possible for the DoD to extend the comment period past 60 days, we are expecting for the comment period to close sometime in Q1 of 2024.

When Will CMMC Requirements Show up in DoD Contracts?

Once the comment period is closed, the DoD must then respond to the public comments. That is expected to take approximately a year, which means we will officially see CMMC in contracts beginning in Q1 of 2025 with select pilot contracts. This does not mean that every single contract in 2025 will have a CMMC requirement. The DoD is planning to have a three year phased roll out for the CMMC program. This means that beginning sometime in 2028, all new DoD contracts will have the CMMC requirement.

What’s next for DoD Contractors?

With the CMMC rulemaking process in the final stages, members of the defense industrial base should already be preparing for third party assessments. The CMMC certification process requires DoD contractors to demonstrate compliance by undergoing a third party audit from a Certified Third Party Assessment Organization (C3PAO).

These CMMC assessments are required every three years for any member of the defense industrial base that handles controlled unclassified information. For any member of the defense industrial base that only handles federal contract information, they do not have to undergo third party assessments and can instead conduct an annual self assessment. These annual self assessments are for organizations at CMMC Level 1 and are the basic safeguarding requirements.

The time it takes for DoD contractors to implement the cybersecurity requirements and become CMMC compliant depends on what level is required and where they are currently starting from. Cybersecurity and acquisition leaders should prioritize their efforts into 3 distinct phases:

  • Perform Self Assessments against the cybersecurity requirements
  • Remediate any gaps
  • Audit Preparation

All evidence should be documented within the System Security Plan (SSP), and any gaps that are unable to be remediated should be documented within the Plan of Action and Milestones (POAM). The POAM should clearly define who is responsible for remediation, along with an expected completion date. These two documents are the backbone to ensure compliance throughout the CMMC certification process.

Contact Us Today

Whether you are one of the large prime contractors or a small subcontractor in the DoD supply chain, everyone is going to have to meet the same CMMC requirements. The DoD has made clear the contractor compliance is not just a contractual requirement, it is a matter of national security. Sensitive unclassified information has been stolen by our adversaries overseas, putting our service men and women at risk as well as national security.

If you are unsure of how to start, contact the expert team at FirstCall Consulting today. Our team will conduct a full assessment of your cybersecurity posture and create a roadmap to full implementation of the CMMC requirements. Don’t undergo this alone, the stakes are too high, contact us today to protect your organization and keep your DoD contracts.


Published On: November 29th, 2023 / Categories: CMMC /

Subscribe To Receive The Latest News

Looking to keep a finger on the pulse of SAP advancements? Subscribe to our FirstCall newsletter. It’s not just an update—it’s your insider access to SAP secrets, expert analyses, and the freshest trends. All thoughtfully curated and delivered to your inbox.