Department of Defense “Done” With CMMC Rulemaking

It’s been a busy couple of weeks for Cybersecurity Maturity Model Certification (CMMC) rulemaking. On Monday, July 24th, the Department of Defense (DoD) officially submitted the CMMC 2.0 rule to the Office of Information and Regulatory Affairs (OIRA)—part of the Office of Management and Budget (OMB)—for regulatory review. Submitting the rule for review means the DoD has essentially finished its part in drafting the rule.

Let’s be clear, though: the process is not done yet. There are still several important steps, which will take months, before the rule is published as final. Make no mistake, this was a very big milestone. If you aren’t already on your path to CMMC compliance, you’re likely behind the eight ball.

So what’s next?

After receiving the CMMC rule, OIRA has 90 days to review and decide whether to send the rule back for revisions or forward for publication in the Federal Register. Assuming they push forward, that puts the publication date somewhere in the late fall. After that, there is typically a 60-day public comment period.

After the public comment period is over, the CMMC rule will be published as either an “interim final rule,” in which case it goes into effect right away, or (more likely) it will get published as a “proposed rule,” in which case the rule won’t be final until OIRA responds to public comments in a published “final rule.”

What does this mean for shops?

Based on best estimates, CMMC would start showing up in all DoD contracts in Q1 2024 at the earliest, but more likely in Q1 2025. Note, however, that some OEMs are ALREADY pushing their vendors to actively pursue CMMC compliance, even if the third-party attestation of compliance is not yet required. And while 2025 sounds like a ways away, remember that compliance takes about 18 months from start to finish. If you haven’t started, you’re already at risk.


What does this mean if you already have or are contemplating deploying Paperless Parts?

There are 110 controls called out in CMMC Level 2, and there is a tremendous amount of detail under each control. But surprisingly, there isn’t much specific guidance on how to evaluate cloud service providers (CSPs) such as Paperless Parts.

Under CMMC rules, the relevant details for how to assess CSPs come from DFARS, which is a 2000+ page document that outlines specifically how the DoD is allowed to spend money. In that giant document, the relevant clause to take note of is DFARS 7012, which states that if you’re going to rely on a CSP to store Controlled Unclassified Information (CUI), that service must have security controls in place equivalent to the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline.

Unlike previous standards and regulatory compliance processes, however, it’s not simply a matter of taking your vendors’ word for it. Under the CMMC Assessment Process (CAP), which is currently in draft form but not anticipated to meaningfully change, when your shop gets audited for CMMC compliance, your CSPs will have to provide a body of evidence that these security controls have been met.

Paperless Parts has invested millions of dollars to ensure that your data is secure and protected. From our earliest days supporting ITAR-registered manufacturers, to today supporting some of the most sophisticated government and defense contractors on the planet, we are committed to the continual investment in our platform to safeguard American intellectual property. The Paperless Parts for Aerospace and Defense solution is specifically tailored to ensure that we’re constantly working with our customers to understand their unique security requirements and that we are the partner you can trust.

If you’d like to learn more about how Paperless Parts specifically supports your efforts to be CMMC compliant, please download our whitepaper or contact us directly.


Jason Luce is the Senior Vice President of Engineering at Paperless Parts. Previously, Jason was SVP of Engineering at SessionM (acquired by Mastercard in 2019), responsible for driving high growth and global enterprise scale of SessionM’s Merchant Loyalty SaaS platform. Jason was previously VP of Engineering at LogMeIn where he held multiple roles driving growth and engineering excellence for LogMeIn’s highest growth products: LastPass and join.me.