Over the course of the last two and a half years, the Department of Defense’s Cybersecurity Maturity Model Certification program, known as CMMC, has undergone multiple changes, organizational shifts, revisions and updates. Now, DOD officials are expecting to include CMMC requirements in federal contracts as soon as May 2023 — but there is still much to be done in the meantime.
Currently, CMMC is going through a lengthy rulemaking process. Stacy Bostjanick, director of CMMC policy for the Defense Department, said part of the reason the process has been held up is an adjustment to the program’s rulemaking requirements.
Originally, CMMC was expected to be a Defense Federal Acquisition Regulation Supplement clause — but upon further review, it was determined that CMMC would need to go through a different Code of Federal Regulations rulemaking process to become a formal program.
In February 2022, the CMMC program was rolled under the responsibility of DOD Chief Information Officer and Wash100 Award winner John Sherman, moving from the Office of the Under Secretary of Defense for Acquisition and Sustainment. The move has “elongated” the program’s timeline and necessitated additional rulemaking activities, but overall, Bostjanick said the extra work may not be a bad thing.
“I think having CMMC codified as a program in the 32 CFR rule makes it a stronger program and gives it more lifespan, quite frankly,” Bostjanick said during the Potomac Officers Club’s 2022 CMMC Forum. “So the changes have been good,” Bostjanick shared, mentioning that the importance of the program and the changes it will bring to the industry are worth the added effort.
“The team right now is working very hard to finalize all of our rule text,” Bostjanick said. Next, Bostjanick said the rule text will head to the Office of Management and Budget, where it will go through “several reviews.”
“If we can get our documentation completed and in by July, we’re hoping by March of 2023, they will give us an interim rule,” she shared. However, she noted that an interim rule is not guaranteed.
In the event that an interim rule is granted, CMMC will go through a 60-day public comment period, and the program requirements could then be included in contracts and acquisitions by May 2023.
“Our plan is to have a phased rollout like we did before to ensure that the CMMC ecosystem is ready and capable of handling all those that would need to get a certification for any acquisition that the DOD would request,” Bostjanick commented.
To hear more about the federal government’s cybersecurity initiatives, goals and plans, join the Potomac Officers Club’s Reframing Cyber Posture Around Data Collection, Analysis and Action Forum on May 24.
Ann Dunkin, the Department of Energy’s chief information officer, will deliver the forum’s keynote address and share her insights into the department’s technology and cybersecurity priorities.