DOD, OMB expect September release of proposed CMMC rule.
The Defense Department and Office of Management and Budget are planning to release the proposed Cybersecurity Maturity Model Certification (CMMC) rule in September, after an earlier delay. The rule aims to move the defense industry away from self-attestation of compliance with National Institute of Standards and Technology (NIST) guidelines and will require third-party assessors to audit contractors for compliance. Once the proposed rule is released, there will be a public comment period, and the Defense Department will collect and respond to comments, potentially leading to a final rule sometime in 2024.
The CMMC rule has been eagerly anticipated by the industry. Some companies have already started preparing for it, while others have taken a more cautious approach. In the meantime, third-party assessors certified by Cyber AB have been conducting joint assessments with the Defense Industrial Base Cybersecurity Assessment Center to validate compliance with NIST 800-171, which is expected to translate to CMMC Level 2 once the rule is finalized.