CMMC Program Update Submitted by DOD to the OMB for Review
We are excited to share that the Department of Defense has taken an essential step toward a more secure defense supply chain. It has submitted the proposed Cybersecurity Maturity Model Certification (CMMC) Program rule to the Office of Management and Budget (OMB) for review. Submitting a rule to the OMB for review is a significant moment in the development of a new federal regulation, because the Office of Information and Regulatory Affairs (OIRA) within the OMB reviews draft rules and oversees government-wide policies on information policy, privacy, and statistical policy.
According to recent updates, the Defense Department and the Office of Management and Budget plan to release the proposed Cybersecurity Maturity Model Certification rule in September. We expect it to require CMMC Third-Party Assessment Organizations (C3PAOs) to assess contractors for compliance with NIST SP 800-171, moving the defense industry away from reliance on self-attestation. The proposed rule will include a public comment period and may take at least six months to finalize; this longer process signals that it is a significant rule. Many companies are anxiously awaiting the rule's release, while others have already begun forging ahead with their CMMC plans.
Once OMB review is complete, the proposed rule will appear in the Federal Register, opening a 60-day window for public comment. The Department can then revise the rule in response to the comments it receives before publishing the final rule in the Federal Register. The comment window is an opportunity for the public to provide valuable input on cybersecurity requirements for the defense industrial base.
The DOD and OMB expect the CMMC Program to be open for public comment between October and November 2023, with the final rule potentially published in early 2024. While the exact date when the CMMC certification requirement will start appearing in contract solicitations is unknown, current industry speculation suggests a possible launch in 2024.
It will be interesting to see how quickly the new Cybersecurity Maturity Model Certification rule is implemented, especially considering that fewer than 50 authorized C3PAOs are currently available to perform the required assessments. The Defense Department must avoid creating a shortage of assessors that drives up costs, given that contractors will bear the expense of their own assessments. Implementing CMMC underscores the importance that the DoD and the federal government place on cybersecurity, as evidenced by other recent cybersecurity-focused regulations such as the Department of Homeland Security's final rule on safeguarding CUI, which prioritizes security over cost concerns.
Under the current interim arrangements, Joint Surveillance Voluntary Assessments are being conducted on a rolling basis, but the baseline requirement remains self-attestation: companies must perform a NIST SP 800-171 self-assessment and report their scores to the Supplier Performance Risk System (SPRS) under DFARS 252.204-7019. The new rule is a critical step toward independent assessment of defense contractors' cybersecurity and of their compliance with FAR and DFARS contractual obligations. DIB companies must report accurate information to SPRS: recent enforcement actions show that inaccurate reporting may result in severe legal consequences under the False Claims Act (FCA).
James Goepel, a co-founder of the CMMC Information Institute, highlights the immense importance of the Department of Defense's submission of the CMMC regulation to the Office of Information and Regulatory Affairs. Jim stated, "This significant milestone demonstrates the DoD's unwavering dedication to the CMMC program and serves as a wake-up call for those in the defense supply chain who have been inactive. If your organization handles Controlled Unclassified Information and is part of the defense supply chain, it is essential to proactively prepare for a thorough third-party assessment of your cybersecurity program. Embarking on a comprehensive gap assessment and formulating a robust gap remediation plan should already be well underway, to eliminate all gaps by this time next year. By taking action now, you can seamlessly incorporate the costs of remediation and assessment into your budget. However, delays in these preparations will only result in higher expenses and a more significant future impact on your organization's bottom line."
Keep an eye out for more news regarding the launch of the CMMC Program and how eTrepid can assist you in meeting compliance standards. Don't hesitate to contact us for more information on our cybersecurity offerings designed for the defense industrial base.