The Department of Defense (DoD) is on the verge of implementing a key aspect of its Cybersecurity Maturity Model Certification (CMMC) program, following the completed review of a proposed rule that will modify the Defense Federal Acquisition Regulations.
The Office of Information and Regulatory Affairs (OIRA) completed its review of the rule on Wednesday, which mandates the inclusion of CMMC requirements in contracts, marking a significant advancement in the CMMC implementation process that has been underway since 2020.
In September 2020, the DoD issued an interim rule to the Defense Federal Acquisition Regulation Supplement (DFARS Case 2019-D041), outlining the initial vision for the CMMC program, or ‘CMMC 1.0.’ This rule detailed the framework’s core features, including a tiered model, required assessments, and contract implementation.
The interim rule took effect on Nov. 30, 2020, initiating a five-year compliance phase-in period.
In March 2021, the DoD began an internal review of CMMC’s implementation, incorporating over 850 public comments to refine policy and execution. By November 2021, the department introduced ‘CMMC 2.0,’ with an updated structure and requirements addressing the review’s key objectives.
Over the years, the program has undergone significant revisions and stakeholder feedback, resulting in a more refined approach to cybersecurity that integrates multiple frameworks.
With OIRA’s review now complete, the proposed rule will be sent back to the DoD for final approval before it can be published in the Federal Register.
OIRA is currently reviewing the DoD’s final CMMC rule, which details the specifics of CMMC at the program level, submitted in December 2023. This final rule has been under OIRA’s review since late June.
