GRC Viewpoint

CMMC 2023, the Two Big Questions

The CMMC, or Cybersecurity Maturity Model Certification 2019, was released in May 2019. The goal at the time was to start certifying contractors by 2020.

Fast forward to the present, and there needs to be more clarity around the strategies and the future of CMMC.


As a result of industry opposition and delays with the first CMMC, the Pentagon significantly revised the program as part of “CMMC 2.0,” which was launched in late 2021.

When the rulemaking process will be completed and whether the regulations will go into effect in 2023 are the two main uncertainties surrounding the CMMC program. In addition, the delay might hint at possible differences among the officials involved in the process.


“DoD continues to anticipate sending the draft 32 CFR rule to OMB in the very near term. As DoD has previously stated, the rulemaking process may take up to 24 months to complete. In addition to the 32 CFR rule, a 48 CFR rule will be completed to support the implementation of CMMC through contractual requirements,” says Stacy Bostjanick, chief of defense industrial base cybersecurity.

We can conclude from the official sources that the anticipated timeline for contractors to implement compliance with CMMC requirements will be toward 2025.

Officials from the Pentagon earlier voiced optimism that the CMMC criteria would start to be implemented this year. However, that is less likely, as it would require OMB to give the go-ahead for DoD to publish the rules as an “interim final” rule. The law could go into force 60 days after publication.
