The United States Department of Defense (“DoD”) published a “Notice of Proposed Rulemaking” (“NPRM”) in the Federal Register on December 26, 2023, proposing the regulatory framework for the Cybersecurity Maturity Model Certification (“CMMC”) program as a new 32 CFR Part 170. An NPRM allows interested members of the public to review a proposed regulation and submit suggestions or other comments to the agency issuing it.

In the case of the proposed CMMC regulation, DoD received nearly 2,000 comments, all of which are available to the public. As part of the rulemaking process, DoD was obligated to review every comment and “adjudicate” it, meaning it had to evaluate whether and how to accommodate the concerns raised. Regardless of the agency, adjudication is treated as deliberative and occurs outside of public view. The public is left to watch for signs that adjudication is complete and that the updated regulation is about to be published in its “final” form.

Yesterday, June 27, 2024, DoD submitted the revised regulation to the Office of Information and Regulatory Affairs (“OIRA”), part of the White House’s Office of Management and Budget (“OMB”). There is no minimum period for review, and OIRA could, in theory, clear the revisions within a few days. At the other end of the spectrum, OIRA review is nominally limited to 90 days under Executive Order 12866. The review period may be extended further at the request of the head of the rulemaking agency (here, DoD), with no fixed limit; alternatively, the OMB Director may extend it once by no more than 30 days.

All this means that, unless DoD itself asks for more time, OIRA review should conclude within 90 days (by September 25, 2024), or within 120 days (by October 25, 2024) if the OMB Director grants the one-time 30-day extension, so the final version of 32 CFR Part 170, the rule implementing the CMMC program, should be published in the Federal Register no later than late October 2024, and possibly sooner. 32 CFR Part 170 is considered a “Major” rule under the Congressional Review Act and is therefore subject to Congressional review. This means the Final Rule cannot take effect until at least 60 days after its publication in the Federal Register.

It should be noted that, although 32 CFR Part 170 will likely be published as a Final Rule sometime in Q4 of calendar year 2024, a few additional puzzle pieces must fall into place before CMMC can be fully enforced. Specifically, DoD needs to update portions of the Defense Federal Acquisition Regulation Supplement (“DFARS”) to align with the Final Rule; the contract clauses in the DFARS are what actually impose CMMC requirements on individual contracts. Those revisions are still percolating within DoD.

According to the DFARS Case Status Report of June 28, 2024, DoD’s Regulatory Control Officer submitted a draft proposed DFARS rule to OIRA on May 14, 2024, and OIRA is still reviewing that draft. This is DFARS Case 2019-D041, which amends DFARS 252.204-7019, -7020, and -7021, among other clauses. Another open case, 2023-D024, includes edits to DFARS 252.204-7012; DoD has been working on those edits since October 2023. Initial drafts were due December 20, 2023, but the due date was extended to August 14, 2024. In still another open case, 2022-D017, DoD has been working on edits for some time, and the next update is not expected until July 24, 2024.

Although those puzzle pieces must still fall into place before DoD can begin enforcing CMMC, contractors are strongly encouraged to begin their CMMC compliance work as soon as possible. The core requirement, implementation of NIST SP 800-171, does not originate with CMMC: the standard is published by NIST, and the National Archives and Records Administration’s Controlled Unclassified Information (“CUI”) program designates it as the security baseline for CUI on nonfederal systems. Contractors handling CUI are already bound to it today through DFARS 252.204-7012, so for most contractors the underlying security requirements will not change, no matter what happens with the CMMC rule. CMMC changes how compliance is assessed and verified, not what must be implemented.

Stay tuned for more updates!
