Although the United States Department of Defense’s Cybersecurity Maturity Model Certification (“CMMC”) program was previously the subject of a regulatory review process in 2020, DoD decided in 2021 to retool the program before it was fully in effect. DoD has been working on corresponding revisions to the Defense Federal Acquisition Regulations Supplement (“DFARS”) ever since. Government contractors and others have been eagerly awaiting the release of the revised program.
In July, 2023 DoD’s finished its internal draft of the new DFARS clauses and related documents, and those documents were submitted to the White House’s Office of Management and Budget (“OMB”). OMB’s Office of Information and Regulatory Affairs (“OIRA”) has been reviewing and refining the program ever sense. This process included meeting with various stakeholders to discuss issues and proposed changes identified by those stakeholders.
OIRA’s review process officially concluded yesterday (Nov. 21, 2023), and the regulations are ready to undergo public review. For that to happen, the regulations must be published in the Federal Register, the government’s official publication of all new and updated regulations.
The Office of the Federal Register’s official position is that it takes 3 days for them to process a document once received from an agency. However, it was previously noted by DoD that the DFARS publication process typically takes several weeks.
Once the regulations are published in the Federal Register, the CMMC Information Institute will publish an analysis.