CMMC Town Crier | Ask me about NIST cybersecurity controls | Smashing compliance frameworks for fun and profit | Cyber policy wonk |
🚨 BWOOP BWOOP 🚨 📣 CMMC FINAL RULE ALERT 📣 - THIS IS NOT A DRILL -

Well folks, they really did it and I got a raven in the middle of vacay. Just 185 days after the CMMC proposed rule was published, the DoD has officially submitted the 32 CFR CMMC program rule and all supporting documentation to OIRA for final review. This is the last step before publication of the final rule in the Federal Register. OIRA has up to 90-120 days for their review. That puts the publication window between late September - late October. Once published, there will be a delay of ~60 days before the final rule is "effective". At that point, that's it. The CMMC program will be official.

A couple of notes:
- DoD ripped through over 1,800 public comments, made their edits, and officially submitted the final rule in six months and two days, so the odds of any major changes from the proposed rule in response to public comments are extremely low.
- The rule is officially in the queue well ahead of the November election and I wouldn't be surprised to see OIRA wrap up well before the 90-day mark.
- For those keeping score at home, DoD pumped out this final rule 55% faster than the average (127 business days instead of 283).

I hope companies have been using the last several years of prep time wisely.

“It’s only when the tide goes out that you discover who’s been swimming naked” - Warren Buffett

Happy Friday

🚨 BWOOP BWOOP 🚨 📣 CMMC FINAL RULE ALERT 📣 - THIS IS NOT A DRILL -
Perhaps I lack creativity, but I can’t see how CMMC v2.0 becomes anything but a program destined to be mired in regulatory lawsuit hell, particularly in light of yesterday’s SCOTUS Chevron ruling. John Sherman cited lengthy lawsuit as a reason for cancelling JEDI. Lots of popcorn still remains imo… 🍿 https://thehill.com/regulation/court-battles/4745680-supreme-court-chevron-case/amp/
Oh man. I owe you Scotch. I guess I better start selecting a nice bottle.
That was a lot faster than I expected! Thanks for posting between golf swings!
You mean they aren't listening to actual technicians and engineers that work in the field that they are passing legislation in? That's surprising
🎵 "guess who's back....back again...🎵 ...and with good news.
So dope with the reaction meme
Prime contractors: "Every time someone says CMMC isn't happening, I do one push-up."
"Secure by Design" has caught fire and people are seeing the value that these prudent principles provide to help parties identify secure software and digital products that meet minimum security requirements, as described in the "CISA Secure Software Attestation Form" that vendors upload to the US Government for approval as "Secure by Design" in CISA's RSAA portal. Form collection began on June 8. CISA's "Software Assurance Buyers Guide" provides details for what is expected from vendors to pass the "Secure by Design" approval process.
But....that timeline of 90-120 days is only if OIRA:
-- needs the full time (90, possible and will depend on the extent of changes from the proposed rule)
-- needs a full 30-day extension (120, which I doubt but...never say never)
-- doesn't find issues that require the case manager to go back to the agency for coordination (which is possible if discrepancies are found where changes were made).
Don't forget the time at the Federal Register preparing the rule for publication. That can take a couple weeks. Once this is out, watch for the FAR Cases 2021-019 and -017 to follow rather quickly (well, quickly in rulemaking time).
Haters will say it's fake: https://www.reginfo.gov/public/jsp/EO/eoDashboard.myjsp