The CMMC Proposed Rule is Coming

The Pentagon submitted its Cybersecurity Maturity Model Certification (CMMC) proposed rule to the Office of Information and Regulatory Affairs (OIRA) for review in July 2023. In November/December timeframe, officials plan to release an updated rule for public comments. This public comment period will mark another milestone in the process, reducing the time contractors have to prepare before the rule finalizes.

Table of Contents

CMMC Public Comment Period

The DIB is eagerly awaiting the forthcoming 60-day comment period, as it is expected to be a critical time for response. According to the CMMC Director at the Pentagon, Stacy Bostjanick, it is important that the industry prepares to respond effectively during this period to tackle the challenges before the rule takes effect.

“We do want the good comments. We do want to be brought to mind what we forgot or didn’t think about,” Bostjanick said. “We do want to hear from each one of the companies. If somebody has a better way to build a mousetrap, let us know. Because we’re open to all of that to try and make this right, and we do recognize the importance of this effort.”

It is unclear what specific details are in the proposed rule. However, Cyber AB’s CEO, Matthew Travis hopes CMMC 2.0 will be available by fall 2024, before the next election cycle.

How to Avoid Delays to Your CMMC Readiness

Three months ago, our certified CMMC experts shared a power-packed Master Class designed to provide you with quick insights after the DoD’s OIRA update to ensure you’re ready for the final rule.

Justin Weeks, Teal CCA and VP of Cybersecurity & Compliance, explained: 

  • The OIRA announcement 
  • How it impacts the CMMC timeline 
  • Where you should be in your preparation process 
  • Whether you can push out your deadline due to class variance 

“Historically, it has taken 400 days from OIRA to the final ruling,” said Weeks. “If that timeline holds, companies who start preparing today will not be ready until at least [239.5] days after the rule takes effect.”

Watch the Master Class now to see if you’re on track to be ready when the CMMC rule is finalized.


CMMC Compliance Recommendations

To prepare for the evolving CMMC 2.0 rollout, contractors should take the following steps:

  1. Determine the CMMC level that your organization needs to obtain.
  2. Determine the scope of the data that the assessment will cover.
  3. Establish boundaries for how data is managed to put clearly defined limits around the assessment.
  4. Review all processes and the level of documentation that exists for each.
  5. Fill in any documentation gaps that you identify.
  6. Review relevant practices and determine who performs them. Determine if the identified individuals can explain how they perform the tasks.
  7. Determine if your organization can conduct these pre-assessment activities or if you will require assistance from an RPO.
Advanced CMMC Guide and Compliance Checklist eBook

Empower your company with CMMC knowledge. This guide covers the process, benefits, maturity levels, and how to prepare for your CMMC audit.

The CMMC Levels

CMMC is designed to enhance cybersecurity within the DIB. The DoD strives to ensure that implementation is affordable – even for small businesses – to promote secure engagements even at the lower CMMC levels. 

As the framework is cumulative, earlier levels’ requirements must be met for the desired certification level. Understanding the necessary maturity levels and capabilities needed for each is crucial for successful DoD collaboration. Here’s an overview.

Level 1: Foundational Cyber Hygiene

This level is all about ensuring that companies take basic steps to keep sensitive information (Federal Contract Information, or FCI) safe from cyber threats. While specific rules must be followed, there isn’t an official evaluation of how well these rules are being followed. It’s understood that some companies may not have all the proper paperwork or may not always follow the rules perfectly. Still, it’s essential to make an effort to protect sensitive data.

Basic Safeguarding of Covered Contractor Information Systems

Level 2: Advanced Cyber Hygiene

Moving up to CMMC Level 2 is significant. It means that an organization has gone beyond the basics (Level 1) and has taken extra steps to protect Controlled Unclassified Information (CUI). At this level, organizations must be officially certified. To achieve this certification level, an organization must carefully document its cyber hygiene processes and follow them precisely as CMMC Level 2 dictates.

Level 2 is a crucial transitional step in the journey to safeguarding CUI

Level 3: Expert Cyber Hygiene

Level 3 certification is an advancement from Levels 1 and 2, with the utmost priority placed on safeguarding CUI. Organizations need to prove that they have a good plan in place to manage their processes properly to get this certification. This plan covers training, resources, project planning, and other essential details.

110+ Practices mandated in Level 3 are spread across 17 Domains
Latest Teal News

Subscribe to Our Newsletter

Join Teal Exclusive now to be notified of the latest news, tech tips, and more.

Recent Articles
Don’t Stop Here

More To Explore

Remote Work

Solving Common Remote Work Security Challenges

Organizations face increasing threats from phishing scams, the use of insecure passwords, and the complexity of managing personal devices. Tackling these issues head-on is essential