As we get settled into the New Year it is a good time to reflect on your company’s current data security and plans for 2023. In this five-part series, we reflect on the top important cybersecurity developments for companies that do business with the federal government (whether directly or as a supplier or reseller) and what we anticipate in the new year.

Today, we look at the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) program. This program may once again face delays. In June 2022, DoD announced it finally expected to roll out CMMC by March 2023 as an interim final rule (discussed here). However, in December 2022, DoD announced it had not sent the proposed rule to the Office of Management and Budget (OMB) for review. In early January 2023, OMB’s Office of Information and Regulatory Affairs updated the rulemaking status of the CMMC program proposed rule and associated Open DFARS case and DoD appears to be contemplating additional changes to the program to reduce the burden on the Defense community including potentially exempting contracts exclusively for the acquisition of commercially available off-the-shelf items (COTS). 

Putting it Into Practice – What to Expect in 2023: It remains unclear when CMMC will be rolled out and whether that takes the form of a proposed rule or an interim final rule. In the meantime, defense contractors and their suppliers that handle Controlled Unclassified Information are required to implement the security controls in NIST SP 800-171 and report to DoD the results of their self-assessments against those requirements. We continue to monitor updates to the DoD rulemaking for any significant changes.