CMMC 2.1 — What We Know Now

Some of you have been following the evolving CMMC process closely. Others have intentionally avoided thinking about it, or started seeking therapy. Either way, let us borrow a moment of your holiday week to share why the next few days are going to be exciting no matter where you fall on the spectrum.

This is the week we’ve been “waiting” for…

Odds are, sometime this week, we are going to be gifted with details of what is generally termed CMMC 2.1, referencing the latest draft of the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC) framework. 

You may be saying, “Old News. Already heard about it.” And in a way, you’d be right. We notoriously had an early glimpse (aka an unintentionally published link that was quickly retracted by someone literally unplugging the server for the Federal Register’s website) back in July of this year.

But in reality, the rule making for CMMC 2.1 wasn’t completely done at that point. The White House’s Office of Information and Regulatory Affairs (OIRA), which falls under the Office of Management & Budget (OMB), had not yet applied its polish. Most of us industry insiders expect the official documents to be published just before the masses head home for Thanksgiving. *Or shortly thereafter.* But let’s all admit this: there’s no better pairing for CMMC than a glass of wine and a side of tryptophan. 

“Clarity” is coming

Now that we have you on the edge of your seat, what does this mean? We will finally have some clarity about where the DoD is going with its rules — that happen to apply to ALL DoD CONTRACTORS, SUBCONTRACTORS, and MOST COMPANIES SERVICING THEM. 

If you were careful to read the ALL CAPS above, you probably noticed a lot of people will be impacted. And if you thought electronic service providers (ESPs) were going to be exempt from the rules, we wouldn’t suggest you bet on that. Those earlier-leaked documents would suggest otherwise.

The Timing Will Be Unveiled

We also expect to know whether these rules will go through another prolonged public comment period (the “Proposed Rule” route), or be assigned “Interim Final Rule” status. If we see the latter, CMMC becomes the law of the land, effective immediately. 

Which will it be? While the majority of industry insiders believe the longer path will be taken, it’s important to keep in mind that CMMC 1.0 was given interim rule status, DFARS 7012 was given interim rule status, and the “good cause” exception that the DoD would need to rely upon — that prolonged rule making would be “impracticable, unnecessary, or contrary to the public interest” — seems to be justified as much today as it was back then.

Wherever you are placing your bets there, this is the week when you cash in your chips — or kiss them goodbye. Stay tuned! 


More Posts

Send Us A Message