CMMC Final Rule moves to OIRA review

CMMC final rule moves to regulatory review, DoD CIO

Exciting morning in Defense Contractor land! The CMMC Final Rule (32 CFR) has moved to its last phase before publication. It is in OIRA review (Office of Information and Regulatory Affairs – the technical editors/reviewers for government regulations).

All the comments were responded to…
Even the angry ones… (Golly geez I hope some of those errors in the proposed rule got fixed, since I and Kieri Solutions – Authorized C3PAO will be helping enforce it! ๐Ÿ˜ฌ)

32 CFR for CMMC Final Rule

One of the complexities of the CMMC rollout is that it needs two different regulations (or even more than two) to go into full effect.

The part of the CMMC rule in the 32 CFR (the 32nd Title in the Code of Federal Regulations) gives instructions for how the CMMC program will work. For example, 32 CFR will talk about:

  • Requirements to be a CMMC assessor
  • The CMMC assessment guides and scoping guides
  • FedRAMP requirements for external service providers / clouds
  • What it takes to “pass” a CMMC assessment
  • How long a certification will be good for

The part of the CMMC rule in the 48 CFR (the 48th Title in the Code of Federal Regulations) is used by contract officers (KOs) to ensure that contractors have a CMMC certification (or self-certification in the first 6 months of rollout) before they are awarded a new or renewing contract. For example, the 48 CFR clause might look like:

Instructions for contract officer: Insert this clause into defense contracts which may need to handle Controlled Unclassified Information. “As a requirement for contract award, the submitter must hold a current (not older than 3 years) CMMC Level 2 Certification and attest that CMMC Level 2 Certified information systems will be used to store, process, and transmit all CUI related to this contract. This clause will be flowed down to all sub-contractors that will need to handle CUI in order to perform on this contract.”

If you want a real example of what the 48 CFR rule started out as, and will look like, check this DFARS 252.204-7021 regulation (this, and DFARS 252.204-7012, are the clauses that we think will be modified by 48 CFR.

Today’s news is regarding 32 CFR – the overall rule that describes and establishes the CMMC program. 48 CFR is still somewhere in DoD regulatory ether, we don’t have much information about it. But since the 48 CFR portion is extremely simple, it will probably move fast when it comes out.

What can we expect next for the CMMC rule?

Disclaimer: Below projections are best guesses, with help from the esteemed Jacob Horne (follow him on LinkedIn!).

CMMC Final Rule publish – September October 2024

The CMMC final rule (32 CFR) should be published in the Federal Register around Sept-Oct this year.
Then we get 60 days to freak out before it “goes into effect”.

Somewhere around this time, CMMC eMASS (the database that holds the certification statuses of each company) should come online and C3PAOs like Kieri Solutions will start using it.

CMMC certifications start – January to March 2025

Between News Years and March 2025, I think we assessors will be allowed to start doing CMMC assessments and certifications at full speed. I’m sure the DoD’s intent is for it to be closer to New Years, but we will still need some prerequisites (eMASS, Cyber-AB procedures, a CMMC “certificate” template) to be figured out.

The DFARS clause (48 CFR) that adds a certification requirement for contract award will go into effect a bit later – maybe March 2025? It will start with self-attestations for CMMC, then 6 months later new and renewing contracts will start requiring actual certifications for most programs (especially ITAR and Controlled Technical Information programs).

Above is our best guess at the rollout schedule.

The OIRA Regulatory page showing the rule movement

๐‡๐š๐ฌ ๐ญ๐ก๐ข๐ฌ ๐Ÿ๐ข๐ง๐š๐ฅ๐ฅ๐ฒ ๐œ๐จ๐ง๐ฏ๐ข๐ง๐œ๐ž๐ ๐ฒ๐จ๐ฎ๐ซ ๐ฅ๐ž๐š๐๐ž๐ซ๐ฌ๐ก๐ข๐ฉ ๐ญ๐ก๐š๐ญ ๐‚๐Œ๐Œ๐‚ ๐ข๐ฌ ๐ซ๐ž๐š๐ฅ?

If your company has over $30m in defense contract revenue, here is your call to action – get into a C3PAO’s queue for Gap Analysis or Assessment. You can afford the cost to make sure you’re ready to go when contracts start including CMMC requirements. If you have subcontractors that are vital to your operations, talk to them. You will be responsible for ensuring that your entire CUI supply chain is certified.

If you’re scrambling at this late hour with a non-compliant network, let us suggest a few solutions:

Our sponsor, Kieri Solutions, has a CMMC compliance program (the KCD) that tells you exactly what you need to do, how to do it, and when, to get and stay compliant.

If your current network can’t pass assessment, check out their Reference Architecture (the KRA), which can be built and assessment ready in about 4-6 months, either by your team or theirs. Kieri Solutions specializes in helping IT teams be responsible for their own compliance.

Amira Armond is the chief editor of, the vice chair of the C3PAO Stakeholder Forum, and the President of Kieri Solutions, an authorized C3PAO. Connect with Amira on LinkedIn for more frequent CMMC news and information.

Leave a Reply

Your email address will not be published. Required fields are marked *