CMMC Rulemaking Timeline in 2023

On November 2021, the Department of Defense (DoD) announced its intent to revise the CMMC program. The DoD predicted the rulemaking process could take up to 24 months to complete the rule package (which needs to be sent to the Office of Management and Budget (OMB) for evaluation). But it has been delayed more than seven months. So, when will the new CMMC rule go into effect?

We anticipate it will be very soon, but some factors may cause further delays. Let’s look at what’s happened so far, what contractors need to be aware of, and what you should be doing to prepare.

Advanced CMMC Guide and Compliance Checklist eBook

Empower your company with CMMC knowledge. This guide covers the process, benefits, maturity levels, and how to prepare for your CMMC audit.

The Current CMMC Timeline 

Outside of the DoD’s process, the program is subject to many factors that must be considered as they may contribute to future delays. So, what does the timeline currently look like?  

The Rulemaking Process 

There are two approaches to the rulemaking process once the DoD has completed its portion.

Option 1

The OMB will evaluate the draft rules once they receive the rule package from the DoD. Upon OMB approval, the DoD can publish the regulations as an “interim final” rule, making the rules effective 60 days after the publication. 

Option 2

The OMB can approve the regulations as a “proposed rule” allowing a comment period to follow for up to a year preceding the final rule’s effective date. The Fall 2022 Unified Agenda currently has CMMC in the proposed rule stage, with proposed rulemaking to publish in May 2023. If this happens, then CMMC will likely become operational in 2024.  
 

But if there’s anything we’ve learned in this process, nothing is set in stone, and everything is subject to change. For example, the approval may change to an interim final rule to speed up the calendar. Is that likely to happen? Probably not, given the additional factors we must consider.  

Additional Factors 

As the CMMC program continues to undergo its verification requirement updates, we must acknowledge two other updates in progress that may contribute to more delays in the approval process. 

NIST SP 800-171 is undergoing updatesand is expected to be released in early 2023. This update includes the CUI series of publications and implements feedback about the use, effectiveness, adequacy, and ongoing improvement of the series. 

The National Defense Authorization Act (NDAA) also mandated that Controlled Unclassified Information (CUI) be clarified in 2022. It is anticipated that the updated definition will be available in 2023. This is a significant aspect to consider as the definition of CUI determines the responsibilities of contractors under CMMC and various DoD guidelines. 

Both updates will impact CMMC and DFARS clauses 7012, 7019, and 7020. 

Next Steps for Defense Prime and Subcontractors

Defense contractors have been required to adhere to cybersecurity standards since 2017. This remains unchanged. The update adds a verification process showing that you meet the requirements at your CMMC level. 

Contractors should take this time to ensure their company is directly aligned with NIST 800-171 standards. If your company comfortably meets NIST requirements, then continue to complete annual assessments and begin looking for potential C3PAOs. 

Need Assistance Meeting Requirements? 

It’s a good idea to set yourself up for success by working with a certified Registered Provider Organization (RPO). They will ensure you are meeting the complicated cybersecurity controls. 

The CyberAB CyberAB Registered Practitioner RP 2023 02 24

Teal was among the first companies selected as a CMMC RPO. We are passionate about helping you safeguard sensitive information to protect our warfighters. Our decades of compliance experience have helped defense prime and subcontractors navigate the challenges of:  

  • DFARS 

Choosing to partner with our team of compliance experts will save your organization time and money. Our team will work closely with you to prepare you for contracts when CMMC officially takes effect.  

Don’t wait until CMMC rolls out to get started. Contact us for a consultation today to get ahead of your competitors.  

Latest Teal News

Subscribe to Our Newsletter

Join Teal Exclusive now to be notified of the latest news, tech tips, and more.

Recent Articles
Categories
Don’t Stop Here

More To Explore

IT Consulting

Guide to IT Consulting Services for Small Businesses

IT consulting bridges the gap between your current capabilities and future goals – helping you navigate unique business challenges. However, many small businesses overlook this resource because they assume it’s

Reducing IT Costs Without Compromising Cybersecurity

Robust cybersecurity can be affordable, but it requires reducing IT costs the right way. And it also depends on how you define “robust” and “inexpensive.”   If you mean cybersecurity measures