
CMMC's final rule has now landed

Several other regulatory steps and Congress' 60-day period to review the defense industrial base's new cybersecurity standard still loom before it takes effect.

The Defense Department on Friday released the final rule for its Cybersecurity Maturity Model Certification program, but this is just one of several final steps until CMMC goes into force.

DOD will publish the rule officially on Monday, and that is when the clock starts ticking for the Congressional Review Act period.

Congress does not have to approve the rule, but it does have 60 days to block the rule. Most observers have told us that is unlikely.

CMMC is DOD’s effort to get contractors to protect controlled but unclassified information they hold in their systems. Contractors need that information to do their work for defense and intelligence agency customers. This data is generally called CUI.

CMMC creates a third-party certification process contractors must go through to show they comply with the National Institute of Standards and Technology's cybersecurity standard 800-171. Until this point, contractors have self-certified their compliance.

At a Professional Services Council-hosted event on Tuesday, a pair of DOD leaders hinted at CMMC's imminent release and offered advice to industry on how to comply once the rule is final.

The clock begins ticking on Monday (Oct. 14), so the 60-day window ends on Dec. 13.

The final rule released on the Federal Register pre-publication site is known as a part 32 rule, which has been described to us as the internal mechanisms DOD must have in place to hold contractors responsible.

Comments are due Tuesday for the part 48 CMMC rule, which is the "external" rule. This rule dictates the changes in the Federal Acquisition Regulations that implement the part 32 rule.

The part 48 rule is widely expected to become final by the end of this year, or into early 2025. It also must go through the 60-day Congressional Review Act process.

Only when both part 32 and 48 are final will the full roll-out of CMMC begin.

But DOD can begin to act on the rule while it is going through the Congressional Review Act process.

The final rule released Monday likely does not contain wholesale changes from the draft final rule released in December 2023.

But any changes could be seen as significant. There were open questions with the draft, particularly around how managed service providers would be handled.

The rule is 470 pages long, so there is a lot of reading for all of us to do.

Download the final rule here.