2023-02-15

The White House Office of Information and Regulatory Affairs had a few surprises in its agenda released in the fall.

A surprise is that instead of one rule, the DOD provides two rules to enforce how government contractors and their subcontractors protect controlled unclassified information in their systems. The OIRA agenda indicates that June is when the DOD plans to release the proposed final rules.

Those eagerly awaiting the next steps in the DOD’s Cybersecurity Maturity Model Certification standard may be surprised to see two rules instead of one.

But two sets aren’t a bad thing, according to Cyber Accreditation Body CEO Matthew Travis.

The Cyber AB organization oversees third-party entities and assessors responsible for certifying contractors’ compliance with CMMC rules once they become final.

Travis and the rest of the CMMC ecosystem expected the DOD to announce the timing of a Title 48 rule, which would add CMMC requirements to the DOD procurement and acquisition rules. Title 48 refers to the section of the Code of Federal Regulations.

In addition to Part 48, OIRA also announced DOD’s intention to add a Title 32 rule, which Travis says is a significant change. Title 32 is the portion of federal regulations that governs the operation of the Department of Defense.

What the DOD is saying with Part 32 is that they want to permanently integrate CMMC into the defense policy of this country, Travis said. With Part 48, it was just a contractual condition with the Pentagon, not an investment in national security.

According to Travis, this is a resounding endorsement of the purpose and value of CMMC.

But a potential downside is how Cyber AB and others expected an interim final rule to be released in March that would turn into a final rule in about 60 days. The OIRA calendar now indicates that the proposed regulations for Parts 32 and 48 will be released in May.

With a rulemaking proposal, the DOD will need to collect and respond to feedback, which will add at least six months and possibly more than a year to the timeline for a final rule, he said.

Travis said the protracted rule-making process of a regulatory proposal was disappointing, as it now looks like 2024 is the year CMMC will become operational.

But these are consequential rules and they will certainly impact the way the sector does business, so the department wants to get it right. We want to do it right, Travis said.

Travis is also concerned about the economic viability of the ecosystem of third-party assessment organizations, trainers, assessors, and others who have invested in CMMC over the past few years.

We want to make sure that everyone who is going to make CMMC is able to support this protracted rulemaking process, Travis said.

A potential lifeline is that the DOD recognizes the investments made and allows third-party assessor organizations to conduct joint assessments with the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), which is part of the Defense Contract Management Agency.

The Joint Surveillance Voluntary Assessment program validates compliance with the National Institute of Standards and Technology’s 800-171 standard, which is at the heart of CMMC.

While we can’t legally do CMMC assessments, 3PAOs were able to jointly conduct assessments with DIBCAC, Travis said.

Travis’ understanding is that DIBCAC will record the scores from the assessments, which will be converted to CMMC level two once the rules are final.

Travis recommends that companies review the Joint Surveillance Assessment Program and not wait for the CMMC to become final.

Taking these first steps shows your government customers that you talk and walk and it shows your employees how much you care about cybersecurity, Travis said.

So far, 60 companies have registered to go through the process and seven have completed it.

I expect others to follow, Travis said.