After months of speculation and confusion surrounding the CMMC compliance deadline, prominent Washington contract lawyer Robert Metzger was one of the first to break the news that DoD has sent the proposed rule for CMMC to OMB-OIRA.
The Office of Information and Regulatory Affairs (OIRA) within the Office of Management and Budget (OMB), is responsible for reviewing and approving new regulations from various government departments, including the Department of Defense (DoD).
What does this mean in regards to the deadline for CMMC compliance?
- Once a proposed rule is sent to the OMB for review, they have up to 90 days to complete this review. The review could potentially take less time, as indicated in the statement.
- If OIRA is satisfied with the rule as is, and does not send it back to the DoD for further consideration or modifications, the rule will be published in the Federal Register. The Federal Register is the official journal of the federal government of the United States, and it’s where officially proposed rules, final rules, public notices, and Presidential actions are published.
- Once a Notice of Proposed Rule Making (NPRM) is published in the Federal Register, it is not yet considered to be finalized. The publication of a rule in the Federal Register is typically part of the process of formal rulemaking under the Administrative Procedure Act (APA). Learn more about CMMC rule-making in this blog post, which explains the six steps of the process.
- Tego Advisory Services is speculating that if the OIRA was to complete its review in 60 days, then the NPRM could potentially be published before October 27, 2023. It is important to note that the actual dates can vary based on how long the OMB takes to review the proposed rule and whether or not it is sent back to DoD for changes.
There are a few additional steps before the rule is finalized and an effective date is set. However, the importance of this milestone cannot be understated.
“We are continuing to advise our clients that CMMC compliance will happen. This latest update creates a renewed sense of urgency,” said Greg Manson, VP of Advisory Services. Manson added the thought that “Those who choose to ignore the tide of inevitability will ultimately drown in its waters.”
The expected timeline for completing a pre-assessment and addressing any POA&Ms is expected to take at least 6-12 months. As a RPO, Tego is suited to help in the implementation of CMMC by helping organizations navigate the road to CMMC compliance.
For help with CMMC compliance, contact us today.