April’s CMMC-AB Town Hall meeting was a big one. It included the Accreditation Body’s unofficial estimate for anticipated CMMC Rulemaking timeline. We’ll take a closer look at the milestone dates provided as well as the actions DoD might make in the coming months.
For stakeholders within the defense supply chain and CMMC ecosystem, understanding this timeline will serve to inform the actions you’re taking now and planning over the next 12 to 18 months.
Here are a few of our key takeaways…
Voluntary Assessments expected to begin this summer
DoD could publish Interim Final Rule by mid 2023
Rulemaking in both Title 32 and 48 of the CFR
Pace of Authorized C3PAOs has improved
Ecosystem scale may impact DoD rollout
Table of Contents
Voluntary Assessments This Summer
CMMC-AB CEO Matthew Travis said that DoD is intent on getting the voluntary assessment program up and running this summer. One of the last hurdles to overcome before voluntary assessments can begin is drafting the policy documentation that will govern the assessment process.
A few days after the Town Hall, Inside Cybersecurity reported that DoD CMMC Director Stacy Bostjanick indicated that DoD would have all documentation completed and submitted to the Office of Management and Budget (OMB) by July. This aligns with Mr. Travis' timeframe for kicking off the voluntary assessment period in late July or early August of 2022.
Some of the outstanding policies that DoD has yet to publish include…
CMMC Assessment Process (CAP)
Security requirements permissible on a Plan of Action & Milestones (POA&M)
Waiver policy
The CAP should be available to individuals who have enrolled in the Certified CMMC Professional (CCP) training program in June 2022. Since the CAP encompasses the assessment process, it should detail which requirements are permissible to be on a POA&M and for how long.
On the subject of Waivers, Stacy Bostjanick recently noted that the process would not involve contractors. Inside Cybersecurity reported on April 13, 2022 that the DoD Program Manager would request the waiver from the Service Acquisition Executive (SAE) before releasing the RFP.
Interim Final Rule by Mid 2023
DoD initiated the CMMC rulemaking process in November of 2021. At the time, DoD estimated that the rulemaking process would take 9 to 24 months. Matt Travis shared in April that the DoD is currently in the process of developing preamble and rule language.
Using the Regulation Map provided by OMB’s Office of Information and Regulatory Affairs (OIRA), we see that we are currently in step three, Preparation of the Proposed Rule. Both Stacy Bostjanick and Matt Travis expect completion of step three by July 2022.
In step 4, OIRA will review the draft rule by discussing it with other agencies and stakeholders outside of the federal government. OIRA reviews “major rules” that have at least a $100 million annual impact. They must also conclude the draft rule is consistent with Executive Order 12866 before moving it to publication.
The CMMC-AB is forecasting step 5, publication of the proposed rule, will occur in May of 2023. However, DoD Principal Deputy CIO Kelly Fletcher recently told MeriTalk that the publication of the proposed rule might be as soon as March 2023. Stacy Bostjanick told FedScoop that “we’re hoping by March of 2023, they will give us an interim rule”.
If Stacy is correct, then DoD may believe they have good cause to issue a final rule without first publishing a proposed rule and jumping straight to step nine by publishing an interim final rule. She cautioned that OIRA or DoD could say, ““No, we don’t see the urgency of this meeting to be an interim rule and [we will not allow] you implement [it] until you go through [the] final rule”.
If DoD publishes an Interim Final Rule in March of 2023, you could see CMMC requirements inserted into new contracts and acquisitions by May 2023.
Without approval of an interim final rule, DoD would need to publish the proposed rule and move into step 6. This step includes a 60-day period for public comments. Following publication of the first Interim Final Rule in 2020, DoD adjudicated over 850 public comments.
The notice-and-comment process enables anyone to submit comments. The quantity of comments, for or against the final rule, do not affect the rulemaking process. Only persuasive new data or policy arguments may change aspects of the rule.
To move forward to step 7, DoD must conclude that the final rule will help achieve the goals or solve the problems identified.
In preparing the final rule, DoD will structure it as follows…
Summary - explains why the rule is necessary
Effective Date - compliance or applicability dates
Supplementary Information
States the basis and purpose of the rule
Presents the data that DoD relied on
Responds to criticisms in the public comments
Explains why alternatives were not chosen
Regulatory text with instructions for changing the Code of Federal Regulations (CFR)
Step 8 would send the drafted final rule back to OIRA for a review of any changes made since their last review in step 4.
Step 9 would be the publication of the Final Rule or the Interim Final Rule. Going back to the initial time frame announced at the onset of CMMC 2.0, if DoD does not issue an Interim Final Rule, the process will likely end around November 2023.
Title 32 and 48 of The CFR
The original CMMC rulemaking occurred in Title 48 of the CFR through DFARS Case 2019-D401. The first aspect of the current rulemaking process will update this Interim Final Rule.
Title 48 governs the Federal Acquisition Regulations System and Chapter 2 deals with the Department of Defense.
There were four parts of Title 48 that the original CMMC Interim Final Rule amended…
Part 204 - Administrative and Information Matters
204.73 Safeguarding Covered Defense Information and Cyber Incident Reporting
204.7302 Policy
204.7303 Procedures
204.7304 Solicitation provisions and contract clauses
204.75 Cybersecurity Maturity Model Certification
204.7500 Scope of subpart
204.7501 Policy
204.7502 Procedures
204.7503 Contract clause
Part 212 - Acquisition of Commercial Items
212.3 Solicitation Provisions and Contract Clauses for the Acquisition of Commercial Items
212.301 Solicitation provisions and contract clauses for acquisition of commercial items
Part 217 - Special Contracting Methods
217.2 Options
217.207 Exercise of options
Part 252 - Solicitation Provisions and Contract Clauses
252.2 Text of Provisions and Clauses
252.204-7019
252.204-7020
252.204-7021
The second aspect of the current rulemaking process will create a new Interim Final Rule or Final Rule for Title 32 of the CFR. Title 32 governs National Defense and according to Bostjanick, “having CMMC codified as a program and 32 CFR rule makes it a stronger program and gives it more lifespan”.
The only reference of NIST SP 800-171 in Title 32 CFR is Chapter 20 (XX). This chapter governs the Information Security Oversight Office, National Archives and Records Administration.
CMMC rulemaking would likely impact this part for safeguarding Controlled Unclassified Information…
Part 2002 - Controlled Unclassified Information
2002.14 Safeguarding
(g) Information systems that process, store, or transmit CUI
There is another reference to the basic cybersecurity requirements outlined in 52.204-21 in Title 32 Chapter I.
CMMC rulemaking would likely impact this part for safeguarding Federal Contract Information…
Part 117
117.15 Safeguarding Classified Information
(h) Disclosure
When disclosing information to the public that does not qualify as CUI, non-federal entities should protect it in accordance with the basic safeguarding requirements in 48 CFR 52.204-21.
Pace of Authorized C3PAOs
There were two new Certified 3rd Party Assessor Organizations (C3PAOs) added to the list of Authorized C3PAOs bringing the total to 10. On April 25, La Jolla Logic, headquartered in San Diego, announced their designation as an authorized C3PAO. CISEVE, a Service-Disabled Veteran Owned Small Business (SDVOSB) with headquarters in Las Vegas, announced their designation on April 28.
In May, we have already seen two more authorizations: Booz Allen Hamilton, Inc. and SteelToad. We might see more authorizations before the end of the month but to Matt Travis’ point during the Town Hall, the pace has improved.
The question is, has the pace improved enough to meet the demand expected by the time rulemaking is complete?
The last time we calculated the authorization rate was following the October Town Hall. The pace has more than doubled since then. There is still a long queue of 210 C3PAOs waiting for their Level 2 assessment as shown in the CMMC-AB Marketplace. However, looking back at February’s Town Hall, we see the total population of C3PAOs that have applied with the CMMC-AB is actually 433.
Federal News Network recently reported that the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), who conducts the Level 2 assessments of C3PAOs, has recently received funding to hire an additional 140 assessors. Based on our previous analysis of their assessment capabilities, this will likely double their existing capacity.
Ecosystem Scale
Aside from the number of authorized C3PAOs, the other limiting factor of scaling the ecosystem is the number of individuals authorized to take part on or lead assessment teams.
There are currently 155 Provisional Assessors, which has only increased by 9 since February of this year. There are zero Certified CMMC Professionals (CCP) and there won’t be any until the first certification exam in October of 2022. The last time we had an ecosystem update from the CMMC-AB was in February. Back then, they reported that 2,188 had applied and 759 had enrolled in CCP training from a Licensed Training Provider (LTP).
If DoD continues with the rule of 4 assessors per assessment team, then the scope of assessments during the voluntary period will be small and expensive based on the limited number of assessors available.
The capacity should increase in October as CCPs become certified. CCPs can only support assessors; they cannot lead the assessment teams. LTPs have not yet started offering training for Certified CMMC Assessors so we can’t yet project when the pool of CCPs will be able to graduate to become lead assessors, but it likely won’t be until 2023 at the earliest.
This bottleneck begs the question, what happens in May or July of 2023 if DoD issues an Interim Final Rule and starts inserting CMMC requirements into new solicitations?
There is a popular post on LinkedIn that posits CMMC requirements will be in all DoD contracts two years earlier than originally scheduled. They pointed to the potential rulemaking that could occur as soon as March 2023 and statements from DoD officials that requirements start showing up in contracts soon after.
Earlier in the month, DoD officials started indicating that implementing CMMC requirements into contracts may be a gradual process. For example, on May 5 at the AFCEA NOVA Small Business Enterprise IT Day 2022, Federal News Network quoted Kelly Fletcher as saying that “DoD estimates it could take two years from when the final rule is out in mid-2023 for CMMC to hit operational capability”.
Later in May, at the CMMC Day Conference outside of Washington DC, Inside Cybersecurity quoted Bostjanick as saying the rollout will happen under a phased approach. She stated, “Day one everyone [is] required to do the self-assessment, then we will move into the RFPs with the third party certifications from that point.”
Lastly, FedScoop reported that Bostjanick repeated this prediction at an event hosted by the Potomac Officers Club. More specifically, it said the rollout will be a “phased approach to ensure the entire CMMC ecosystem will be capable of handling certifications requested for contractors.”
There certainly will be a competitive advantage for early adopters. But we caution that within the last 30-days, DoD has started to indicate the rollout will be gradual. They want to accommodate the capacity of the ecosystem responsible for conducting the certification assessments.
Organizations should identify the roles assigned to each statement within the policy. Mapping policy commitments to requirements and roles creates a shared responsibility matrix.