The original CMMC faced industry pushback and delays, and the Pentagon significantly revamped the program as part of “CMMC 2.0” rolled out in late 2021. DoD officials said then the rulemaking process could take as long as two years to complete.
Now, the Pentagon is on the cusp of sending the rulemaking to the White House Office of Management and Budget. CMMC is closer than ever to becoming a reality. But it could still take more than a year, and questions continue to swirl around the program…
Stacy Bostjanick, chief of defense industrial base cybersecurity within the office of DoD’s chief information officer, said DoD “continues to anticipate sending the draft 32 CFR rule to OMB in the very near term,” referring to Title 32 for federal regulations that govern national defense.
“As DoD has previously stated, the rulemaking process may take up to 24 months to complete,” Bostjanick said in a statement provided to Federal News Network. “In addition to the 32 CFR rule, a 48 CFR [Federal Acquisition Regulations System] rule will be completed to support implementation of CMMC through contractual requirements. The objective timeline for implementing contractor compliance with CMMC requirements has been and remains [fiscal 2025].” …