Coming in September: Final CMMC DFARS Rule and More

News:

In September 2020, the US Department of Defense, through the Office of Management and Budget’s Office of Information and Regulatory Affairs (“OIRA”) published in the Federal Register an “Interim Rule” that included three new DFARS clauses, 252.204-7019, -7020, and -7021. Although the clauses became effective 60 days after they were published, the fact that they were published in an interim rule meant that DoD expected to make changes to the clauses once a public comment period closed. That comment period closed on November 30, 2020, and DoD received over 1000 comments on the rules.

Behind the scenes, DoD’s CMMC Program Management Office and others have been adjudicating the comments and modifying the rules based on the adjudication results. According to the notes in DoD’s list of open DFARS cases for the CMMC-related DFARS case (2019-D041), the Defense Acquisition Regulatory Council (“DARC”) in April tasked an ad-hoc team to review the public comments and draft a final rule. That work was due June 8, 2021. However, DARC recently extended that due date to July 7, 2021. Once received by DARC, the council will review and eventually approve some version of the revised, final rule. From there, it will be sent to OIRA for review and publication as a final rule. OIRA recently updated their schedule to indicate that the amended rule is expected to be published sometime in September 2021.

This timing is consistent with several other cybersecurity related initiatives, including those imposed by the Whitehouse’s recent Executive Order on Increasing our Nation’s Cybersecurity. Early October will likely be a busy time for contractors as they move to address these new requirements.

Analysis:

Organizations in the Defense Supply Chain have been anxiously awaiting the adjudication results and the publication of the revised rule and DFARS clauses since the comment period closed more than six (6) months ago. The expectation is that the CMMC Model, and by extension the CMMC Assessment Guides and other related documents, will be modified based on the adjudication results. The delays have caused some to speculate as to the future of the CMMC program, and many contractors have slowed their compliance efforts pending the publication of the final rule and more clarity on the requirements, including scoping and other guidance that has been promised by DoD for several months. OIRA’s publication of an expected publication date is a positive sign that the CMMC program will continue on and that contractors will soon have the information they will need to make appropriate investments to meet DoD’s requirements.