CMMC 2.0 Strategy Briefing: Rulemaking Ready

The Cybersecurity Maturity Model Certification (CMMC) final rule-making process has been kicked off for architectural and engineering firms that do business with the Department of Defense. The CMMC rules are submitted and will be published by the Office of Information and Regulatory Affairs within 90 days. We can expect CMMC 2.0 to be published by October 2023.

The biggest delays in the publication date are now behind us. The CMMC model version 2.0 has been released, and it incorporates feedback from industry stakeholders and enhances the requirements and practices for each CMMC level. The important point is that the submission of the final rule to the Office of Management and Budget (OMB) is done. It's still a bureaucratic process like we've seen in the past, but now it's less fraught with delay than previous phases.

Next, OIRA will decide how to publish it, and will likely make CMMC 2.0 a proposed rule, making it effective in 2025. However, OIRA may make this an interim final rule, making it effective in 2024. They rarely do this, but according to the rule book, when an agency publishes a final rule, the rule is usually effective no less than 30 days after the date of publication in the Federal Register.

If the agency wants to make the rule effective sooner, it must cite good cause in the public interest. This has happened a few times in the last several years, so be aware of this possibility. In addition, be prepared for a comment period, specified by the agency, that lasts from 30 to 60 days.

Most importantly, implement CMMC now while acquiring contracts for 2024 and 2025.

Here is what you can do:

1. Have a true chief information security officer (CISO) review the version of the CMMC rules submitted for OMB review. Take part in this review yourself, together with your CMMC assessor.

2. Assess your business case for acquiring and retaining government contracts using CMMC 2.0. Know what your business has to gain, what you have to lose, and the timing of opportunities.

3. Assess your timeline and whether your implementer and auditor can accomplish the work in time and within the costs of your business case.

4. Stay tuned for news on the review process. It's becoming public, and we'll know more in the coming days.

If you'd like more insights like this, please join my free private group for architecture and engineering firm executives:

https://www.linkedin.com/groups/8272471/
