CMMC Moves Forward

CMMC Moves Forward

A quick glance at the website for the Office of Information and Regulatory Affairs (OIRA) reveals some news for CMMC. Today the website offers visual proof that the Department of Defense has submitted the CMMC rule to OIRA for review.

Just as was the case when the proposed rule was submitted to the agency for review in 2023, OIRA has 60-90 days to review the proposed rule. If that process runs smoothly, the CMMC rule will officially be entered into the Federal Register.

A Brief CMMC Timeline Review

CMMC was initially introduced in 2020 as an interim rule. By March 2021, an internal review of the interim rule was underway, and in November 2021 the Department of Defense announced that it was working on CMMC 2.0.

The Department of Defense submitted CMMC 2.0 to OIRA for an initial review in July 2023. OIRA applied for a one-time 30-day extension to review the rule. On December 26, 2023, the rule was released for a two-month public comment period, which ended toward the end of February 2024. The Department of Defense reviewed those comments and, having evaluated them as needed, it now has returned the rule to OIRA for a final review and publication.

What This Means For Your Company

Although the timing cannot be predicted yet with precision, the take-away with today’s news is that CMMC is imminent. It is going to happen likely going into effect in early 2025. Even though that seems like a long time, six months when preparing for compliance is not as long as you might need. Indeed, it can take some companies up to a year to become compliant with the security controls in the NIST 800-171 standard. If you are just beginning the compliance journey now, you may still be going through the process when CMMC 2.0 goes into effect. This is not to alarm you, but rather to say that if you have been putting off the steps to compliance, now is the time to get started.

What questions do you have about CMMC or the assessment for NIST 800-171r2? Do you have other questions about CMMC? Contact our experts today.
Show Policy

New! NIST 800-171 assessment checklist!

Download our Cybersecurity Assessment Resource

Latest Resources

See all resources