On July 24th, the Department of Defense submitted the Cybersecurity Maturity Model Certification (CMMC) Program to the Office of Management and Budget (OMB) for review.
So, what exactly does this mean for Defense contractors?
To start, the OMB approval process is a key step in the development of new federal regulations. Within the OMB, the Office of Information and Regulatory Affairs (OIRA) is the organization that reviews all significant regulations and oversees the implementation of government-wide policies in the areas of information policy, privacy, and statistical policy.
The regulatory approval process begins when an agency (in this case the DoD) submits a proposed regulation to OIRA. OIRA then reviews the regulation to determine whether it meets the following criteria:
The regulation is consistent with the President's policies and priorities.
The regulation meets certain administrative requirements and has been carefully considered from a cost-benefit perspective.
The regulation has been adequately coordinated with other agencies and is not inconsistent with, incompatible with, or duplicative of existing policies.
Per Executive Order 12866, OIRA has 90 days to review a proposed regulation, with the ability to extend the review period for an additional 30 days. If the regulation is approved, it is then published in the Federal Register. The public then has an opportunity to comment on the regulation for a period of 60 days. After the comment period closes, the agency may make changes to the regulation in response to the comments. The final regulation is then published in the Federal Register.
OIRA may also return a proposed regulation to an agency for further consideration if it is not consistent with the President's priorities or if it does not meet certain administrative requirements.
Bottom line, this is a significant step in the journey towards a final CMMC rule being incorporated into DoD contracts. If OIRA takes the full allotted time to deliberate, we could expect to see it open for public comment between October and November of 2023. Once all public comments have been addressed, a final rule could in theory be expected as soon as early 2024.
This raises the question of when a CMMC certification requirement would start to show up in contract solicitations. That would ultimately be up to the DoD, but current industry thinking is later in 2024. The speed of the rollout will also be worth watching, as there are fewer than 50 authorized C3PAOs at this time who can provide certifications, and it would be in the DoD’s best interest to take a measured approach and not create a “supply problem,” given that it will ultimately foot the bill for the cost of these certifications. That said, the very existence of CMMC indicates how high a priority cybersecurity is for the DoD and the Federal government in general (see the recent Department of Homeland Security final rule to protect CUI), regardless of cost.
For now, this is another step towards third-party independent assessments of Defense contractors’ cybersecurity and compliance with their FAR and DFARS contractual obligations. In the meantime, we continue in the present, where Joint Surveillance CMMC assessments are occurring weekly as part of the CMMC Pilot Program, and companies are required to self-attest to their compliance by reporting their scores to the Supplier Performance Risk System (SPRS) prior to being awarded a contract under DFARS 252.204-7019. Accurate reporting of information to SPRS is key given recent events in which the DOJ has pursued contractors under the False Claims Act (FCA).