Full implementation of the Pentagon’s CMMC program for defense contractors will likely shift to 2024 based on revised estimates from the Defense Department in the fall 2022 unified agenda, which indicates two proposed rules are expected for release in the coming months.
The Pentagon is implementing major changes to its Cybersecurity Maturity Model Certification program coming out of a 2021 internal review and had planned to seek an interim final designation to change defense acquisition regulations.
The unified agenda says the new rule to implement the CMMC program is now a proposed rule and changes to the 2020 CMMC rulemaking, originally released as an interim final rule, will also be issued as a notice of proposed rulemaking. The unified agenda sets a May 2023 release for both items.
“Typically, it takes about a year from the point of publication and imprint for a rule to be final,” contracting attorney Robert Metzger told Inside Cybersecurity. The new rule will likely have significant interest and generate a lot of comments that need to be adjudicated by DOD officials, he said.
Making time for DOD to review the comments is helpful, Metzger said, compared to a potential alternative where reaction to the new IFR is “hostile” and could result in “consequences and a political response that would be contrary to the best interest of the department or its industrial base.”