The White House appears ready to review the proposed cybersecurity standard for defense companies.
The Defense Department and Office of Management and Budget are now slating the release of a proposed Cybersecurity Maturity Model Certification rule for September.
The release of the notice of proposed rulemaking was last expected in June, but that month came and went. A new update on the website of OMB’s Office of Information and Regulatory Affairs pegs the release for September.
CMMC will move the defense industry away from self-attestations for compliance with National Institute of Standards and Technology guidelines for how to protect controlled but unclassified data on industry networks.
CMMC will require third-party assessors, who in essence will audit contractors for compliance with NIST Standard 800-171.
One clear sign of movement is that the OIRA docket says that OMB received the proposed rule on July 24, indicating that OMB can now review the rule.
Once officially released, the proposed rule will include a public comment period. The Defense Department will collect and respond to comments, which adds at least six months, and maybe more, to the process. A final rule will likely not be in place until deep into calendar year 2024.
The rule has been delayed several times as the DOD revamps its approach, including changing to the longer proposed rulemaking process. Originally, the expectation was that CMMC would come out as an interim final rule, which would become final in 60 days.