top of page

CMMC Rule Clears OIRA Review: What This Means for DoD Contractors

The long-anticipated revision of the Department of Defense's (DoD) Cybersecurity Maturity Model Certification (CMMC) program has reached a pivotal milestone. Following its initial regulatory review in 2020 and subsequent retooling in 2021, the CMMC program is now poised for a significant leap forward.

Key Developments in the CMMC Journey:

Completion of Regulatory Review by OIRA:

The Office of Information and Regulatory Affairs (OIRA) concluded its review of the CMMC program on November 21, 2023. This marks a crucial step, as OIRA's approval is essential for any new regulations to proceed.

DoD's Commitment to Refinement:

Since deciding to retool the CMMC program in 2021, the DoD has been diligently working on revising the Defense Federal Acquisition Regulations Supplement (DFARS) 252.204-7021 clause and associated documents. The revised documents were submitted to the Office of Management and Budget (OMB) in July 2023, initiating OIRA's review process.

Stakeholder Engagement:

Throughout the review process, OIRA engaged with various stakeholders, discussing issues and potential changes. This collaborative approach reflects the program's commitment to incorporating diverse perspectives and insights.

Next Steps - Federal Register Publication:

With OIRA's review complete, the revised CMMC regulations are ready for public scrutiny. The next critical step is their publication in the Federal Register, the official record of government regulations. While the Office of the Federal Register typically processes documents within three days of receipt, the DoD has indicated that the DFARS publication process may take several weeks.

Anticipated Analysis Post-Publication:

Upon publication in the Federal Register, Aspire Cyber will publish a comprehensive analysis of the regulations, providing valuable insights into their implications and impact. Our analysis will play a crucial role in shedding light on the implications and nuances of the revised program, providing valuable insights for government contractors and the defense sector at large.

Implications for Defense Contractors:

This development is a clear signal that the DoD is moving forward with its enhanced cybersecurity framework. Contractors and stakeholders in the defense sector should be prepared for the forthcoming changes and the opportunities they present. The revised CMMC program is not just a compliance mandate but a strategic tool to strengthen the cybersecurity posture of the defense supply chain.

For contractors, this is a call to action to align with the upcoming standards, ensuring their readiness to meet the enhanced cybersecurity requirements. The CMMC program's evolution highlights the DoD's ongoing commitment to safeguarding national security through robust cyber defenses.

As the defense sector stands on the brink of transformative changes with the upcoming CMMC regulation, it's imperative for defense contractors to be well-prepared and compliant. In this crucial period, Aspire Cyber emerges as a pivotal ally for defense contractors navigating the complexities of cybersecurity compliance. As a CMMC Third Party Assessment Organization (C3PAO) *candidate, with Certified CMMC Assessors (CCAs) on our team, Aspire Cyber is uniquely positioned to guide defense contractors through the evolving CMMC landscape.

Contact Aspire Cyber today for expert guidance and support in your journey towards achieving and maintaining CMMC compliance.


bottom of page