Breaking News: Final Rule for CMMC Framework Sent to OMB-OIRA

Breaking News: Final Rule for CMMC Framework Sent to OMB-OIRA

After months of speculation and confusion surrounding the CMMC compliance deadline, prominent Washington contract lawyer Robert Metzger was one of the first to break the news that DoD has sent the proposed rule for CMMC to OMB-OIRA

The Office of Information and Regulatory Affairs (OIRA) within the Office of Management and Budget (OMB), is responsible for reviewing and approving new regulations from various government departments, including the Department of Defense (DoD).

What does this mean in regards to the deadline for CMMC compliance?

  • Once a proposed rule is sent to the OMB for review, they have up to 90 days to complete this review. The review could potentially take less time, as indicated in the statement. 
  • If OIRA is satisfied with the rule as is, and does not send it back to the DoD for further consideration or modifications, the rule will be published in the Federal Register. The Federal Register is the official journal of the federal government of the United States, and it’s where officially proposed rules, final rules, public notices, and Presidential actions are published.
  • Once a Notice of Proposed Rule Making (NPRM) is published in the Federal Register, it is not yet considered to be finalized. The publication of a rule in the Federal Register is typically part of the process of formal rulemaking under the Administrative Procedure Act (APA). Learn more about CMMC rule-making in this blog post, which explains the six steps of the process. 
  • Tego Advisory Services is speculating that if the OIRA was to complete its review in 60 days, then the NPRM could potentially be published before October 27, 2023. It is important to note that the actual dates can vary based on how long the OMB takes to review the proposed rule and whether or not it is sent back to DoD for changes.

There are a few additional steps before the rule is finalized and an effective date is set.  However, the importance of this milestone cannot be understated. 

“We are continuing to advise our clients that CMMC compliance will happen. This latest update creates a renewed sense of urgency,” said Greg Manson, VP of Advisory Services. Manson added the thought that “Those who choose to ignore the tide of inevitability will ultimately drown in its waters.” 

The expected timeline for completing a pre-assessment and addressing any POA&Ms is expected to take at least 6-12 months. As a RPO, Tego is suited to help in the implementation of CMMC by helping organizations navigate the road to CMMC compliance. 

For help with CMMC compliance, contact us today. 

About the author
Jennifer Vosburgh is a seasoned Marketing and Communications professional. With over 15 years of experience, she has a strong background in Marketing, Communications, and Event Management. As Vice President of Tego Data Systems in Raleigh, NC, Jennifer is responsible for delivering full-scale Marketing Campaigns across all platforms including website, email, social media, events, and more.

By using this website you agree to our updated Conditions of Use and consent to the collection and use of your personal information as described in our updated Privacy Notice, which includes the categories of data we collect and information about your preferences and rights.