CMMC interim rule could land in May
The move would come nearly two years after the Defense Department's first interim rule for its fledgling unified cybersecurity standard for contractors.
The Defense Department expects to release another interim rule this summer for its Cybersecurity Maturity Model Certification program, which aims to hold contractors accountable to keeping up with key cybersecurity measures to protect sensitive unclassified data.
Stacy Bostjanick, the director for CMMC policy for the Office of the Undersecretary of Defense for Acquisition and Sustainment, said the department has to get through additional rulemaking processes before the program can be official. But the next step will be an interim rule expected in May.
"Our anticipation is that we will be allowed to have another interim rule like we did last time, we're hoping that that interim rule will go into effect by May. In fact, my team is very frustrated with me today because I'm sitting here with you guys, and they're stuck in a room going through a rule that's like hundreds of pages long," Bostjanick said during AFCEA DC's Cyber Summit in Washington, D.C. on April 20.
"To that end, once we get through this rulemaking process, we hope there will be only one more aspect that we'll have to address and that will be the international partners. That will probably take some rulemaking effort. We're working through how that's going to work in getting that laid flat today."
The road to implementing CMMC, which is intended to serve as a verifiable cybersecurity standard for defense contractors, has had its challenges in the past year. The Defense Department revamped the program following an extended review process in 2021, which resulted in fewer certification levels and the re-introduction of a limited self-assessment component. Oversight of the program also shifted from the undersecretary of defense for acquisition and sustainment to DOD's chief information officer earlier this year.
CMMC's first interim rule went into effect in September 2020, something that Bostjanick said has to be revisited "time to see what needs to be updated." A final rule for the program is expected in the next two years.
The Department expects that the next CMMC interim rule will go into effect May 2023.