The Department of Defense is eyeing another interim rule for its Cybersecurity Maturity Model Certification program in May 2023.
Currently, the department is in the process of updating its Code of Federal Regulations to include the program’s most recent update, CMMC 2.0, which was launched in November 2021 after an internal review.
The rule is expected to be available for public comment in March 2023, and DOD officials say CMMC might start to be included in contracts as soon as that summer.
However, there is still a lengthy rulemaking process to go through before CMMC can be implemented, according to Stacy Bostjanick, director of CMMC policy at DOD’s Office of the Under Secretary of Defense for Acquisition and Sustainment.
“Once we get through this rulemaking process, we hope there will be only one more aspect that we’ll have to address and that will be the international partners,” Bostjanick said during an AFCEA event in April 2022. “That will probably take some rulemaking effort. We’re working through how that’s going to work in getting that laid flat today.”
“Our anticipation is that we will be allowed to have another interim rule like we did last time, we’re hoping that that interim rule will go into effect by May [2023],” she explained.
Bostjanick also noted that CMMC 2.0 will undergo its first tabletop exercises in June or July 2022 to test out the new updates and receive feedback from members of the Defense Industrial Base.
Hear more insights from Stacy Bostjanick during the Potomac Officers Club’s 2022 CMMC Forum on May 18. She will serve as keynote speaker for the forum, which will assemble prominent government and industry leaders with expertise on the CMMC program. Click here to register.