We have progress! The Department of Defense (DoD) submitted the CMMC 2.0 rule to the Office of Information and Regulatory Affairs (OIRA) on July 24^th, 2023. From the perspective of the DOD they are done and ready to publish. So, now what?

1 ) OIRA has 90 days to review the rule on behalf of the Office of Management and Budget (OMB).

What does that mean? Well, OIRA can return the rule for correction/revision or otherwise send the rule back to the DoD with guidance and feedback they feel warrants change to the rule itself. OR They approve the rule for publication in the federal register. Time will tell, but we know whatever happens will happen inside 90 days.

2) Federal rules are open to public comment upon publishing, 60 days of public comment to be exact.

We can anticipate the final rule to go into effect once responses to public comments are finalized, and that, unfortunately, is where the timeline gets a bit unpredictable.

3) The main driver for timeline unpredictability is the fact OIRA can choose to publish a rule as either Interim Final or Proposed.

a. Interim Final means the rule will go into effect PRIOR to the final rule. Our crystal ball says this option means the rule will be in effect in early 2024.

b.  Proposed will mean that the rule will only be in effect AFTER the final rule is published. We do not know how this option will play out; our best guidance is to anticipate an additional year before the rule is effective, call it Q1-Q2 of 2025.

What does this mean for the DIB, Primes, and subs?  Work on NIST 800-171 compliance! What does your SSP look like, have you checked off your POAM? Where is CUI at in your environment? And if you need help – we’re here.

—

Image by David Mark from Pixabay

BACK TO BLOGS