A CMMC interim rule is here — but don’t expect it to change much

The rule change comes as a disappointment to some in industry, who wish DOD had published a draft rule change that would not go into effect until comments were considered.
DOD, Department of Defense, Pentagon, military
(DOD / Army Sgt. Amber I. Smith)

The interim version of the Department of Defense‘s new cybersecurity regulation for contractors was published Tuesday morning after much anticipation from industry — and with some criticism for how the department is handling this latest step.

The publication of the interim final rule Cybersecurity Maturity Model Certification (CMMC) Defense Federal Acquisition Regulation Supplement rule change starts a 60-day comment period for the public. But at least two trade groups representing federal contractors expressed disappointment in how the 89-page document was published because it will take immediate effect at the end of the comment period, meaning there’s little chance for more changes.

The Professional Services Council takes issue with the fact that it was “issued as an interim rule, taking effect immediately [when the comment period closes], and not a proposed rule for which useful comments from industry can be incorporated before taking effect,” a spokesperson for the group told FedScoop. The Information Technology Industry Council also expressed disappointment with the timeline.

Typically, rules are published as a proposed draft and then posted as a final rule after the public comments are considered, which was not the case in this instance.


The rule change will allow DOD to put CMMC requirements into contracts. The new standards are a tiered system of controls that all contractors will need to be tested against by third-party auditors. There will be very few exceptions. The process replaces the current model of contractors attesting that they meet a checklist of security.

Assessors are being accredited by the Accreditation Body, an independent private organization that has a memorandum of understanding with the DOD to implement the CMMC program.

Katie Arrington, chief information security officer for acquisition and sustainment and lead CMMC official, said that DOD needed to work on an accelerated timeline due to the seriousness of the program.

“We have been saying very clearly what the model will look like, what the requirements will be, how it will be rolled out on to contracts, the timeline and reciprocity … we have been very clear,” Arrington told Government Matters over the weekend. “You have know for at least January what this is.”

Many contractors, especially small- and medium-sized businesses, have expressed concerns over the increased cost of meeting the controls and with having to pay a third-party assessor for a cybersecurity test. Some may also require consulting help to get ready for assessments. DOD officials have been adamant that any cost will be worth it, as cybersecurity vulnerabilities in the industrial base have left the door open to theft and attacks on defense systems.


“To maximize the CMMC’s effectiveness while reducing cost and burden to the industrial base, we recommend that DOD provide a standardized approach to determining appropriate levels for each procurement, allow for reciprocity with other federal cybersecurity standards, and take action to protect assessment results,” Gordon Bitko, senior vice president of policy and public sector lead at the Information Technology Industry Council, told FedScoop in a statement.

DOD anticipates CMMC requirements will be in all contracts by the fall of 2025, completing one of the largest changes to defense contracting in years. The rule change was initially supposed to take place in the spring but was delayed due to the ongoing coronavirus pandemic.

One of the surprises in the rule is that it gives the Accreditation Body the authority to conduct assessments on its own. It was not previously known that it would have such authority. Another new part of the regulation includes additional requirements for self-certification to National Institute of Standards and Technology Special Publication 800-171, which serves as the basis for much of CMMC. For low-risk companies, a self-certification that is submitted to the government will be required and others may need a government audit. Self-attestation to 171 is already a requirement, but now the government can inspect compliance more carefully.

Latest Podcasts