
Caution: CMMC (and its requirements) may be closer than they appear

As of November 21, the OIRA website shows that the status of the eight (8) components of the CMMC Program (and of the overarching Framework) has changed from “Pending Review” to “Consistent with Change.” Here is what that means.

While the CMMC rule itself has not yet been released, the past week brought some important updates. As of November 21, 2023, the website of the Office of Information and Regulatory Affairs (OIRA) indicates that the status of the eight (8) components of the Cybersecurity Maturity Model Certification (CMMC) Program (and that of the overarching Framework) has changed from “Pending Review” to “Consistent with Change.”

With the “Conclusion Action” now recorded as “Consistent with Change,” the CMMC program and its eight (8) policy ‘building blocks’ have cleared OIRA review and move one step closer to publication (likely in the format the Agency recommended). The next steps toward full codification are publication in the Federal Register, a public comment period, and any revisions that the comments make necessary. As illustrated below, a “Consistent with Change” designation signals progress for the Model: it is the most frequent outcome of OIRA review and an indicator of positive momentum for CMMC within the rule-making process.

CMMC Rule-Making Process

What does “Consistent with Change” mean?

Under Executive Order 12866, OIRA is responsible for reviewing and coordinating what it deems to be significant regulatory actions by federal agencies, excluding those agencies defined as independent. Significant regulatory actions include agency rules that have had, or may have, a large impact on the economy, the environment, public health, or state and local governments and communities. They also include agency rules that may conflict with other regulations or with the priorities of the president.

As part of its review, OIRA examines the rulemaking agency’s analysis of the costs and benefits of its rule. It also attempts to ensure that executive agency policies reflect the priorities of the president. Under E.O. 12866, OIRA has 90 days (with a possible 30-day extension) to complete its review of a significant regulatory action; the rule in question cannot be published in the Federal Register until OIRA concludes its review or the review period expires. OIRA review may result in one of the following outcomes:

  • Consistent without change: OIRA approved of the rule and no changes were made.
  • Consistent with change: OIRA approved of the intent of the rule but made changes to the content. This is the most common outcome of an OIRA review.
  • Returned: OIRA found fault with the substance or intent of the rule during the review process and returned the rule to the agency for further consideration. A returned rule is accompanied by a return letter from OIRA that outlines the issues with the rule and offers suggestions to either improve the rule or withdraw the proposal.
  • Withdrawn: The agency withdrew the rule from the review process. The agency may intend to revise and resubmit the rule or abandon the proposal altogether.

So what does this mean for the timing of the CMMC rule?

What this likely means is that publication of the new CMMC Rule is fast approaching, and that the window to complete the requirements on time is beginning to close. To maintain market viability, Defense Industrial Base (DIB) companies (regardless of size) must accelerate their preparation for the CMMC certification requirement. Note that “Consistent with Change” clears the rule for publication; the comment period and any revisions still lie ahead, so the final requirements may differ in detail from what is published first. Once the rule becomes final, however, non-compliance will threaten a company’s ability to keep existing Department of Defense contracts or win new ones. Organizations Seeking Certification (OSCs) should treat compliance as a high-priority issue now, rather than waiting for the final text.

If your organization has yet to adjust to the imminent requirements for CMMC compliance at the appropriate level, now is the time to partner with an accomplished and experienced External Service Provider (ESP). By outsourcing part of the compliance effort to an ESP with proven knowledge of the CMMC landscape, most organizations will save resources and shorten their time to compliance. Engaging the right ESP, one that can help the organization navigate its journey to compliance at the appropriate level, could prove invaluable to an OSC moving forward.

Meet the Author

Collin Overby, J.D., LL.M., Policy Analyst, C3 Integrated Solutions

Collin Overby is a Policy Analyst for C3 Integrated Solutions, specializing in CMMC and NIST compliance, cyber law, regulation and compliance, homeland and national security law, and cybersecurity. He is a Registered Practitioner (RP) with the CMMC Accreditation Board, a graduate of the Cybersecurity Bootcamp at the University of Pennsylvania, and a Juris Doctor (member of the Illinois State Bar and the Washington, D.C. Bar) who has earned an LL.M. in Homeland and National Security Law.
