The U.S. Department of Defense expects an interim rule for Cybersecurity Maturity Model Certification program requirements, which are aimed at strengthening defense contractors' networks and controlled unclassified information security, by March 2023, as it hopes to begin adopting the program by May of the same year, according to FedScoop.
"We're hoping by March of 2023, they will give us an interim rule. Now that's not guaranteed. They could come back and say, 'No, we don't see the urgency of this meeting to be an interim rule and you will not be allowed to implement until you go through final rule,'" said CMMC Policy Director Stacy Bostjanick.
Bostjanick emphasized that the eventual implementation of CMMC will be phased to ensure the certification management capabilities throughout the CMMC ecosystem. More details have also been shared regarding prioritized and non-prioritized CUI.
"For those companies that would handle non-prioritized CUI, the thinking is that they could merely do a self-assessment, an annual affirmation that they meet the requirements of the NIST 801-71 to handle the non-prioritized CUI... From our analysis, the non-prioritized CUI is going to be a smaller subset of the CUI that we deal with," Bostjanick added.