CMMC Rulemaking: An Introduction


The Office of Information and Regulatory Affairs (OIRA, pronounced “oh-eye-ruh”) is a Federal office that Congress established in the 1980 Paperwork Reduction Act (44 U.S.C. Chapter 35). OIRA is part of the Office of Management and Budget (OMB), which is an agency within the Executive Office of the President. In addition to reviewing government collections of information from the public under the Paperwork Reduction Act, OIRA reviews draft proposed and final regulations under Executive Order 12866 and develops and oversees the implementation of government-wide policies in the areas of information policy, privacy, and statistical policy.


A regulation is a general statement issued by an agency, board, or commission that has the force and effect of law. Congress often grants agencies the authority to issue regulations. Sometimes Congress requires agencies to issue a regulation; sometimes Congress grants agencies the discretion to do so. Many laws passed by Congress give Federal agencies some flexibility in deciding how best to implement those laws. Federal regulations specify the details and requirements necessary to implement and to enforce legislation enacted by Congress.

Rulemaking Process

Federal regulations are created through a process known as “rulemaking,” which is governed by the Administrative Procedure Act (APA) (5 U.S.C. Chapter 5). View the Reg Map® for a graphical illustration of this process.

Once an agency decides that a regulatory action is necessary or appropriate, it develops and typically publishes a proposed rule in the Federal Register, soliciting comments from the public on the regulatory proposal. After the agency considers this public feedback and makes changes where appropriate, it then publishes a final rule in the Federal Register with a specific date upon which the rule becomes effective and enforceable. In issuing a final rule, the agency must describe and respond to the public comments it received.

The Federal Register is the official daily publication for agency rules, proposed rules, and notices of Federal agencies and organizations, as well as for Executive Orders and other presidential documents. The Federal Register is published by the Office of the Federal Register within the National Archives and Records Administration (NARA). To learn more, visit the Federal Register website at:

To learn more about the rulemaking process please read A Guide to the Rulemaking Process.

CMMC Rulemaking

The following five regulatory actions, all related to the Department of Defense (DoD) and cybersecurity, appear on the OIRA Unified Agenda for Spring 2023.

Use of Supplier Performance Risk System (SPRS) Assessments (DFARS Case 2019-D009): DoD is issuing a final rule amending the Defense Federal Acquisition Regulation Supplement to incorporate the use of Supplier Performance Risk System (SPRS) risk assessments, to include price, item, and supplier risk factors, into determinations of responsibility and the evaluation of quotations and offers.

Cybersecurity Maturity Model Certification (CMMC) Program: DoD is proposing to implement the Cybersecurity Maturity Model Certification (CMMC) Framework to help assess a Defense Industrial Base (DIB) contractor’s compliance with, and implementation of, the cybersecurity requirements for safeguarding Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) transiting non-federal systems, and to mitigate the threats posed by advanced persistent threats (APTs), that is, adversaries with sophisticated levels of expertise and significant resources.

NIST SP 800-171 DoD Assessment Requirements (DFARS Case 2022-D017): This rule was split from RIN 0750-AK81. DoD is finalizing an interim rule (see RIN 0750-AK81, the interim rule for DFARS Case 2019-D041) to implement the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 DoD Assessment Methodology in order to protect against the theft of intellectual property and sensitive information from the Defense Industrial Base (DIB) sector. This methodology enables DoD to assess contractor implementation of the cybersecurity requirements in NIST SP 800-171, Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations.

Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041): DoD is amending an interim rule to implement the CMMC 2.0 framework in order to protect against the theft of intellectual property and sensitive information from the Defense Industrial Base (DIB) sector. The CMMC framework is a DoD certification process that measures a company’s institutionalization of processes and implementation of cybersecurity practices. This rule provides the Department with assurance that a DIB contractor can adequately protect sensitive unclassified information at a level commensurate with the risk, accounting for information flowed down to its subcontractors in a multi-tier supply chain.

Department of Defense (DoD)-Defense Industrial Base (DIB) Cybersecurity (CS) Activities: The DIB CS Program currently provides cyber threat information to cleared defense contractors. Proposed revisions would make all defense contractors that process, store, develop, or transit DoD controlled unclassified information eligible for the program and thereby eligible to receive cyber threat information. Expanding participation will allow a broader community of defense contractors to take part in the DIB CS Program and is in alignment with the National Defense Strategy.