Download our CMMC Guide for Manufacturers
Learn more about CMMC with our guide for manufacturers.
.jpg?ext=.jpg)
What is Happening with CMMC and NIST SP 800-171
Toward the end of 2023, there was a flurry of activity in and around the Defense Industrial Base (DIB). The proposed CMMC rule was published on December 26, and NIST announced that the public comment period on NIST SP 800-171 r3 would end on January 26, 2024. Public commenting on the CMMC rule would end in sixty days, which translated to a date of February 26, 2024.
Now, as the end of the first quarter of 2024 approaches, the industry has become a little more calm. The rush of excitement about CMMC rulemaking moving forward has quieted down. Questions about how CMMC will relate to the newest iteration of 800-171 have slowed because the answer has always been the same – we will have to wait and see how it rolls out. So what is happening now?
NIST SP 800-171r3 Update
Public commenting on the latest edition of the 800-171 standard did in fact end on January 26, 2024. On February 21, 2024, Ron Ross, co-author of the standard, announced that a summary of the public comments was available for review. The public comment period for the main standard, 800-171r3 was also the public comment period for the first draft of NIST SP 800-171Ar3. The difference in draft stages can be a little confusing. Even though the draft of 171Ar3 is called an initial draft, it will be finalized at the same time as the main standard.
CMMC Update
The public comment period for CMMC ended on February 26, as planned. The Department of Defense now has 180 days to address the comments received. According to Washington Technology, the Department of Defense received 300 comments on CMMC 2.0. This is a drop from CMMC 1.0 which, in 2021, received approximately 850 comments. This does not mean there is less interest in CMMC, but many of the questions from the previous version were addressed in the 234-page document published on December 26, 2023. You can review all documents associated with the CMMC proposed rule here.
While there is the previously mentioned 180-day timeframe during which the DoD will review public comments, there is no published date that will mark the official start of CMMC. There is one important fact to remember when discussing dates around CMMC, however. There is a difference between a federal calendar and a fiscal calendar. The federal calendar for 2025 begins in the fourth quarter of 2024. If you see a time prediction that does not specify and only refers to which quarter, be wary. This also applies to the roll-out process of CMMC and the timing tied to that facet of the rulemaking and publication process.
Feeling Confused?
The world of NIST 800-171 and CMMC intimidates many business owners because there is so much to remember, so many different timelines, and, of course, so many acronyms. If you have any questions, please feel free to contact us. We will continue to post updates throughout the year.