Final CMMC rule expected to be finished in about a month
The final Defense Federal Acquisition Regulation Supplement (DFARS) rule that will require all contractors to have third-party inspections of their networks prior to working with the Department of Defense will get its final tweaks within the next 30-40 days, the program’s lead official said Thursday.
The interim final rule for the Cybersecurity Maturity Model Certification (CMMC) that was published in September received many comments from industry that the DOD has been working to adjudicate, said Katie Arrington, the department’s chief information security officer for acquisition and sustainment. She said the team is working to make the rule “go final” in about a month.
“You shouldn’t be waiting to build [cybersecurity] costs in” to rates, Arrington said to contractors during a Deltek webinar.
The interim final rule put CMMC into effect in December but had an open comment period for industry to give feedback to the government. As the CMMC program management office works through feedback, it has been tweaking the rule.
Issuing an interim final rule is not the norm but was needed because of the importance of securing industrial base contractors, Arrington said. CMMC is the department’s latest attempt to secure the industrial base’s cybersecurity, which has been vulnerable to massive data breaches of government information down the supply chain.
One of the biggest questions about the rule has been about reciprocity between CMMC and other federal cyber compliance programs. Arrington didn’t say what reciprocity may be coming but said that there will be guidance in CMMC Assessment Guides the DOD is working on.
There are other parts of the CMMC DFARs rule that will impact contractors before they are required to get an assessment. They now need to submit a self-assessment of their cyber compliance to the DOD, according to the rule. That process is separate from the CMMC assessment but could help companies prepare for their inspection by giving themselves a test first.
“The only thing they need to wait for is for the assessor to be aligned with the [third party assessment organizations],” Arrington said. No organization has been fully cleared yet to give assessments.