DoD Takes Next Step Toward CMMC
When it introduced CMMC 2.0 in 2021, the United States Department of Defense signaled that it was both softening some of the requirements from early versions of its Cybersecurity Maturity Model Certification (“CMMC”) program and taking a more structured approach to implementing CMMC.
As part of that structured implementation, DoD formalized CMMC by crafting an entirely new section of the Code of Federal Regulations. Known as 32 CFR 170, these new regulations lay out the CMMC ecosystem, the manner in which DoD will work with the Cyber AB, and DoD’s expectation for the CMMC certification process.
DoD published a draft version of 32 CFR 170, known as a “Notice of Proposed Rulemaking”, in December 2024. In response, DoD received nearly 2,000 comments from the public on how to improve the CMMC program and 32 CFR 170. DoD spent the past several months “adjudicating” those comments and tweaking 32 CFR 170.
On June 27, 2024, DoD finalized that adjudication process and sent a “Final Rule” version of the regulation to the Office of Information and Regulatory Affairs (“OIRA”), part of the White House’s Office of Management and Budget (“OMB”). OIRA now has up to ninety (90) days to review, recommend changes to, and approve the Final Rule. This means that the Final Rule should be published in the Federal Register no later than October 26, 2024.
Once published, 32 CFR 170 will not take effect right away. Instead, since 32 CFR 170 is considered a “Major” rule, it must undergo Congressional review. Congress has 60 days from the Final Rule’s publication in the Federal Register to conduct such review. So, the Final Rule will likely not take effect until at least December 26, 2024.
Bigger picture, there are at least two other regulatory processes that must play out before CMMC can really become effective. Those include revisions to DFARS 252.204-7012 and DFARS 252.204-7019, -7020, -7021, and other DFARS clauses (you’ll sometimes hear these referred to as changes to “48 CFR” or the “48 CFR Rules”). DoD has been actively working on these changes as well, and is on track to have all the CMMC puzzle pieces in place by the end of calendar year 2024 or in early 2025.
Contractors are, therefore, STRONGLY encouraged to reevaluate their CMMC compliance timelines. According to 32 CFR 170 as proposed, full implementation of CMMC is expected within 2 years of the Effective Date of some of the 48 CFR Rules. This means that Q1 2027 is likely to be the absolute latest timeframe for CMMC compliance, although many prime contractors are pushing their subcontractors to comply much sooner.