Nearly 300 comment on proposed CMMC rule

The comment period for the Cybersecurity Maturity Model Certification closed on Monday with the proposed final rule receiving nearly 300 comments.

The Defense Department now has to review and respond to the comments before a final rule is published, likely in the fall.

DOD released the proposed final rule on Dec. 26 and the comment period was 60 days.

CMMC is the process the DOD will use to certify that its contractors protect government information on their networks.

Once final, the rule mandates that defense contractors with controlled and unclassified information in their systems will go through a third-party assessment to certify compliance with certain standards laid out by the National Institute of Standards and Technology.

It will take months for DOD to process and resolve the comments, but indications are that the process will be complete by the fall when DOD will release a final rule.

The rule will likely go into effect in early 2025 and by the end of that year, CMMC requirements will begin appearing in contracts. By the end of 2026, CMMC will be a requirement on all defense contracts.

Over the next month or so, another rule will be published for comment that will describe how CMMC will be applied to the procurement process.

DOD is applying a four-phase implementation plan to roll-out CMMC. Phase one starts with the effective date of the rule and requires contracts to plan and prepare for an assessment.

The second phase begins six months later and will require companies to either self-assess for CMMC Level 1 or go through a third-party assessment for Levels 2 and 3.

One year later, contractors will need to report their assessment results as part of phase three.

Phase four means full implementation is complete, including any plan of action or milestones identified during the CMMC assessment.

A quick review of the posted comments show concerns about the impact on small businesses, where data is hosted, and questions about the infrastructure to support third party assessors.

There were several comments and questions about why DOD is using NIST 800-171 revision 2 as the standard when revision 3 of the standard is scheduled to be released in the coming months if not weeks.

Commenters asked whether DOD will need to make a wholesale revision to CMMC. The commenters claimed issues could have been avoided if DOD stated that CMMC will comply with the latest NIST 800-171 version.

In one example, the Coalition for Government Procurement questioned whether there is enough flexibility in the rule because individual businesses can differ greatly. The CMMC framework applies one rule to all companies in the defense industrial base.

Small businesses and primarily commercial businesses that work with DOD have raised concerns about that approach.

Other comments asked for clarification of what DOD considers cloud-service providers and external service providers such as managed security services providers.

DOD has many questions to respond to, but nothing seems to be poised to derail CMMC. So as many informed observers have told us, don’t wait for the final rule. Work on compliance with NIST 800-171 and prepare for your assessments.