From the Spring 2023 Issue

How It Started and How It’s Going: CMMC Rule-Making Processes in Flux

Guy M. Bilyou
Cybersecurity Lead / ArCybr Lead Assessor | ArCybr

“Fits and starts” is the cliché that comes to mind when considering the rocky rollout of the National Institute of Standards and Technology’s (NIST’s) Cybersecurity Maturity Model Certification (CMMC). Throughout the development of CMMC, numerous aspects have changed – the definitions, characteristics, and controls; the way organizations will be assessed; and even the requirements for assessor training and certification. Announced deadlines have been extended, and previously set expectations have been raised or lowered nearly every month. These changes have caused confusion for organizations looking to prepare for their certification. So, what’s coming next, and what can your organization do to prepare in the meantime, while the Government finalizes its approach?

We know that NIST Special Publications (SP) 800-53, 800-171, and 800-172 are typically independent of the rule-making process and serve as constants for cybersecurity controls. Organizations building their cybersecurity programs can rely on these publications as authoritative standards. Look for a draft of SP 800-171 (Rev 3) in late spring of 2023 for any surprises there. NIST has also announced the likelihood of updates to SP 800-171, 800-171A, 800-172, and 800-172A in mid-2024. Even the constants will present changes in the near term. The pressing issue for the CMMC 2.0 rollout is the rulemaking for Title 32 and Title 48 of the Code of Federal Regulations (CFR).

Three Steps of the Rule-Making Process

There are three steps to federal rulemaking. First, CMMC program rules are submitted to the Office of Management and Budget (OMB) for regulatory review. The Office of Information and Regulatory Affairs then conducts the review. This step takes an average of 66 business days to complete. Next, the CMMC program rules are published in the Federal Register. The published rule may come out as either a “Proposed Rule” or an “Interim Final Rule.” A “Proposed Rule” is an official document announcing and explaining the plan to address a problem or accomplish a goal, and it gives Industry the opportunity to submit comments. An “Interim Final Rule” is one that is issued without a proposed rule and becomes effective immediately upon publication. In most cases, this interim rule can be modified, if necessary, as a result of public comments. This step takes an average of 333 business days. The entire process can take up to 24 months from rule submission to publication. We should think in terms of the Government’s timelines.

Most of the rule changes are about assessment mechanisms. The Government is trying to solidify the methods and standards for training and certification of assessing organizations. If you are not an assessing organization, upcoming changes will have minimal impact on you. You can still confidently prepare your organizational processes and start or continue implementing the CMMC 2.0 controls that are already known.

CMMC 2.0 Preparation Major Muscle Movements

To prepare for the rollout of CMMC, set your organization on the right path by implementing a Zero Trust network architecture. This step is the single most effective move any organization can make to mature its cybersecurity program. Doing so will ensure you are checking many of the boxes for 6 of the 14 CMMC 2.0 domains. You may find enormous benefits in a Physical to Virtual (P2V) migration that builds in many of the characteristics of a Zero Trust architecture. Zero Trust will not only launch you to the top of the class, but will also future-proof your organization against emerging changes that are certainly on the horizon.

Next, focus on continuous monitoring and documentation processes. Make sure your organization uses tools that keep your information security staff aware of current and emerging threats, and that these personnel are documenting and reporting appropriate metrics. If your organization works in software development, implement a DevSecOps model that speeds risk mitigation. This model incorporates continuous active operational observations that allow developers to patch software in a fraction of the time that legacy development models take. Make sure those observations, changes, and processes are all well documented for audits and assessments. This step covers the bulk of 5 of the 14 CMMC 2.0 domains.

Another action you can take is to sharpen your Incident Response (IR) processes and documentation. Provide clear guidance to IR team members on their roles and ensure they are properly trained in each of their IR tasks. Create and execute relevant IR exercises. These can be table-top or interactive simulations in which IR teams demonstrate their understanding of their roles and their capabilities within the IR processes. Refine incident escalation procedures that support help desk ticketing and emergency responses. All steps should be well documented to show evidence of your organization’s readiness to respond effectively to incidents. These improvements cover the entire IR domain, as well as many of the six controls mentioned earlier.

Finally, schedule a Gap Analysis from an approved Certified Third-Party Assessment Organization (C3PAO). The CMMC Accreditation Body (Cyber AB) hosts a marketplace for certified assessors that can help you identify your CMMC 2.0 deficiencies or “gaps” and provide feedback to set you on the road to your eventual CMMC certification. This is a valuable service that gives you a clear, unbiased picture of your current state. You can then turn your gap analysis results into a roadmap to certification. Your gap analysis can also serve as a rehearsal for your staff, showing them what to expect in a formal CMMC assessment, as an added benefit.

Low Hanging Fruit

What are some easy actions that you can take to continue your preparations? You can configure existing tools to generate evidence of CMMC controls that you have already implemented. Conduct an honest self-assessment to see where you currently stand on compliance. Rewrite policies and procedures to comply with CMMC controls that have already been made public. Plan and conduct simple table-top exercises, as mentioned above, which provide insight into your strengths and weaknesses. Similarly, conduct a simulated phishing exercise, which is a feature typically built into email or security management platforms. Review Controlled Unclassified Information (CUI) markings on existing artifacts, correct deficiencies, and consider staff training or revisions to policies and procedures. Finally, do not forget that physical security measures are often the simplest controls you can address. Self-assess your procedures and make appropriate changes. Remember, many of the controls are organizationally defined, so document your operations and align your everyday work in subtle ways that meet known control standards.

While the rule changes have been somewhat disruptive to the contracting community, there are still some constant and known actions you can take to prepare your organization for CMMC compliance. Continue to keep your eye out for informational updates from the Government; in the meantime, keep implementing the known controls that are unlikely to change much, and you will be well prepared when the Government finally decides what it wants from the Defense Industrial Base.
