The Department of Defense (DoD) on Monday submitted its proposed rule to implement the Cybersecurity Maturity Model Certification (CMMC) program to the Office of Management and Budget (OMB) for review.
OMB’s Office of Information and Regulatory Affairs is now set to review the CMMC framework, officially kicking off the Pentagon’s CMMC program rulemaking process. The review process will take place within the next few days and could take as long as 90 days to complete.
Specific details of what is inside the proposed rule have not been made publicly available.
The CMMC framework seeks to help assess defense contractors’ compliance with cybersecurity requirements to protect Federal contract data and controlled unclassified information from advanced persistent threats and other cyberattacks.
The CMMC has been delayed several times as the DoD revamps its approach, including a change to the longer proposed rulemaking process. The DoD first expected that the CMMC would be an interim final rule, but the proposed rule involves a more extensive comment and feedback process.
In November 2021, the Pentagon introduced the second iteration of the framework to simplify the program standards and clarify cybersecurity policy, regulatory and contracting requirements.
As private sector organizations anxiously wait for the final CMMC rule, some companies have forged ahead with CMMC plans while many have taken a wait-and-see approach.
In the meantime, while the CMMC program is under review, the DoD has allowed third-party assessors, certified by Cyber AB, to conduct joint assessments with the Defense Industrial Base Cybersecurity Assessment Center; the scores are supposed to translate to CMMC Level 2 when the rule becomes final.