Unlocking Federal Rulemaking and CMMC Implementation
This show was created with Jellypod, the AI Podcast Studio.
Chapter 1
How Federal Rulemaking Works
Roz
Welcome back to CMMC Unlocked. I’m Roz, and today we’re diving into the nuts and bolts of federal rulemaking—how it actually works, why agencies issue rules, and what all those stages mean for folks in defense and cybersecurity. Eric, Ruby, Paul—let’s get into it. So, at the core, agencies get their authority to issue regulations from Congress. Congress passes a law, and that law either gives broad authority or sometimes very specific marching orders to an agency. The agency can’t go beyond what Congress allows, and it has to follow the Constitution, of course. Now, once an agency decides to start rulemaking, it’s usually because Congress told them to, or maybe there’s a new technology, a problem, or even a petition from the public. Sometimes, it’s a lawsuit or a presidential directive that gets things rolling. The public can actually see what’s coming down the pike through the Unified Agenda, which agencies publish twice a year. That’s where you’ll see what rules are being considered, what’s pending, and what’s been completed. It’s all about transparency and giving the public a heads-up.
Eric Marquette
Yeah, Roz, and I think a lot of people don’t realize just how open this process is supposed to be. Agencies don’t just cook up rules in a back room. There’s this whole notice-and-comment process, right? They’ll publish a Notice of Proposed Rulemaking—NPRM—in the Federal Register, and that’s the official invitation for the public to weigh in. You can comment online, by mail, even at public hearings. And, honestly, sometimes those comments really do shape the final rule. It’s not just a box-ticking exercise. The agency has to consider the record—comments, data, expert opinions—when finalizing the rule. And, Roz, you mentioned oversight. Congress can review new rules, and courts can get involved if someone thinks a rule oversteps or wasn’t done properly. So, there’s a lot of checks and balances built in.
Ruby Sturt
Yeah, and I love that you brought up the public comment bit, Eric. I mean, it’s not just for show. Agencies sometimes even reopen comment periods if they get a flood of new info or realize they missed something. And, look, if you’re a defense contractor or a small business, this is your chance to flag issues before they become law. Plus, the President and OIRA—Office of Information and Regulatory Affairs—get a crack at reviewing significant rules, especially if there’s a big economic impact or policy question. So, it’s not just the agency in a vacuum. There’s a lot of eyes on these things.
Paul Netopski
That’s right, Ruby. And from a compliance perspective, it’s critical to understand that the Administrative Procedure Act—the APA—sets the baseline for how this all works. Agencies have to publish proposed rules, allow for public comment, and then justify their decisions in the final rule. If they skip steps or don’t respond to substantive comments, that’s where you see legal challenges. And, as Roz said, Congress can even nullify a rule under the Congressional Review Act, though that’s pretty rare. But the point is, transparency and participation are baked into the process, and that’s what gives these rules legitimacy and staying power.
Chapter 2
The Journey of 32 CFR Part 170: CMMC Program Rulemaking
Roz
Let’s use a real-world example: 32 CFR Part 170, the CMMC Program rule. This is a great case study in modern rulemaking. The Department of Defense started with a proposed rule, published it in the Federal Register, and then opened it up for public comment. They got feedback from contractors, industry groups, small businesses, and even foreign suppliers. The process was iterative—DoD had to balance speed with rigor, especially since the stakes are high for the defense industrial base. They had to analyze the impact on small businesses under the Regulatory Flexibility Act, and estimate paperwork burdens under the Paperwork Reduction Act. And, of course, they had to justify everything to OIRA and, ultimately, Congress.
Paul Netopski
Yeah, and the CMMC rule is a textbook example of how complex this can get. The DoD had to define who’s covered—basically, any contractor or subcontractor that processes, stores, or transmits Federal Contract Information or Controlled Unclassified Information. The rollout was phased, with Levels 1 through 3 certification requirements, and the requirements flow down to subcontractors at all tiers. The DoD also had to structure the rule so it could scale across the entire defense industrial base, from the biggest primes to the smallest suppliers. And, as Roz mentioned, they had to show their work—cost analyses, impact statements, and responses to hundreds of public comments. It’s a lot of moving parts.
Ruby Sturt
And, Paul, I think it’s worth pointing out that the DoD didn’t just drop this on everyone overnight. They used a phased approach—four phases, actually—so organizations had time to adapt. In the first year, only a subset of contracts had CMMC requirements. By year four, it’s basically all in. And they had to be really clear about scoping—what systems are in, what’s out, how to handle cloud providers, external service providers, all that. It’s not just a checkbox. There’s a lot of nuance, and the rule had to reflect that.
Eric Marquette
Yeah, and the iterative process is key. The DoD got a ton of feedback—some of it pretty pointed—from small businesses worried about costs, from primes about supply chain complexity, and from folks asking for clarity on definitions. They had to go back, revise, clarify, and sometimes even delay certain requirements. It’s a balancing act between moving fast enough to address real threats and making sure you don’t break the supply chain in the process. And, as we’ve seen, the final rule is a product of all that back-and-forth.
Chapter 3
Upcoming DFARS 48 CFR 204 Rulemaking: Following in 32 CFR's Footsteps
Roz
Now, let’s look ahead to the next big thing: the proposed DFARS rule at 48 CFR 204. This is the Defense Federal Acquisition Regulation Supplement, and it’s how the CMMC requirements get baked into actual contracts. The new rule is designed to align with what’s in 32 CFR 170, but it adds contract provisions, phased implementation, and specific requirements for both contractors and subcontractors. There’s a lot of attention on how this will impact small businesses, and the DoD is trying to learn from the rollout of 32 CFR 170—what worked, what didn’t, and where the pain points were.
Paul Netopski
Absolutely, Roz. I’ve worked with contractors who had to navigate both the interim DFARS rule and the proposed changes. It’s not always straightforward. For example, you might have a contract that’s still under the old interim rule, but you’re bidding on new work that requires compliance with the proposed CMMC requirements. That means you’re juggling different timelines, different assessment types, and sometimes different definitions of what counts as CUI or FCI. It can get messy, especially for organizations with complex supply chains. The new DFARS rule tries to clarify some of that, but there are still open questions—like how to validate subcontractor compliance, or how to handle joint ventures.
Ruby Sturt
And, Paul, you mentioned small business impact. The DoD is really trying to mitigate the burden—there’s a phased rollout, exemptions for COTS items, and a lot of guidance on what’s in scope. But, honestly, it’s still a heavy lift for a lot of small entities. The rulemaking process included a regulatory flexibility analysis, and they’re asking for public comments on the cost estimates and paperwork burden. So, if you’re a small business, now’s the time to speak up.
Eric Marquette
Yeah, and just to add, the public comment process is still open for the proposed DFARS rule. If you’ve got concerns, or if you’ve run into issues with overlapping requirements, this is your chance to get your voice heard. The DoD is looking for feedback on everything from timing to cost allowability to how to handle CMMC in joint ventures. It’s a living process, and the final rule will reflect what they hear from the field.
Chapter 4
Strategic Insights for Navigating Rulemaking
Roz
So, what can organizations do to get ahead of these changes? First, develop a comprehensive timeline for the upcoming 48 CFR 204 implementation. Look at the key milestones from the 32 CFR 170 process—when the proposed rule dropped, how long the comment period lasted, when the final rule was published, and when the requirements actually kicked in. Map those out for your own planning.
Paul Netopski
Right, Roz. And don’t just focus on the deadlines. Identify and establish channels for ongoing stakeholder engagement. That means tracking scheduled public comment periods, joining industry forums, and staying plugged into updates from the DoD and the CMMC PMO. The organizations that do this well are the ones that don’t get blindsided by last-minute changes. They’re also the ones who have a seat at the table when the rules are being shaped.
Ruby Sturt
And, honestly, don’t wait for the final rule to start preparing. Get your internal compliance teams together, do a gap analysis against the proposed requirements, and start developing targeted training programs. The sooner you start, the less painful it’ll be when the new obligations hit. And, look, if you’re not sure where to start, there are a ton of resources out there—industry groups, webinars, even the DoD’s own guidance docs.
Eric Marquette
Yeah, and I’d add—don’t underestimate the value of documentation. As we talked about in our last episode, meticulous documentation and logs are crucial, not just for audits but for your own sanity when things change. If you’ve got your processes mapped out and your evidence in order, adapting to new requirements is a lot less daunting.
Chapter 5
Implementing and Adapting to New Regulations
Roz
Once the rules are finalized, it’s all about implementation. One best practice is to establish a cross-functional task force—bring together folks from IT, legal, procurement, and compliance. Their job is to monitor rulemaking developments and assess how they impact your current cybersecurity practices. This isn’t just a one-and-done exercise. It’s ongoing.
Paul Netopski
Exactly. And once you’ve identified gaps, develop a detailed action plan. That means allocating resources, setting internal deadlines, and assigning responsibilities. Don’t forget to include a communication strategy—make sure everyone who needs to know about rule changes, upcoming deadlines, and best practices is kept in the loop. I’ve seen organizations trip up because the left hand didn’t know what the right was doing. Clear, consistent communication is key.
Ruby Sturt
And, look, don’t be afraid to ask for help. There’s no shame in reaching out to consultants, industry peers, or even the DoD help desk if you’re stuck. The rules are complex, and nobody expects you to have all the answers on day one. What matters is that you’re proactive and willing to adapt as things evolve.
Eric Marquette
Yeah, and just to echo what Ruby said, keep your teams informed and engaged. Regular updates, training sessions, and open forums for questions can make a huge difference. The more you empower your people, the smoother the transition will be.
Chapter 6
Adapting to Regulatory Changes
Roz
Adapting to regulatory changes isn’t a one-time event—it’s a continuous process. Implement a system for real-time monitoring of updates and amendments in the 48 CFR 204 rulemaking process. That way, you’re not caught off guard by new requirements or deadlines.
Paul Netopski
And don’t forget about training. Develop a comprehensive program tailored to different stakeholder groups—procurement officers, IT staff, legal advisors. Each group needs to understand how the changes affect their day-to-day work. The more targeted your training, the more effective your compliance efforts will be.
Ruby Sturt
And, honestly, set up a feedback loop with your contractors and industry partners. If you’re running into challenges, chances are others are too. Sharing best practices and lessons learned can help everyone adapt more efficiently. Plus, it gives you a direct line to the folks who are actually living with these rules on the ground.
Eric Marquette
Yeah, and don’t underestimate the value of collaboration. The organizations that thrive are the ones that treat compliance as a team sport, not a solo act. Keep those lines of communication open, both internally and with your external partners.
Chapter 7
Leveraging Technology for Compliance Efficiency
Roz
Finally, let’s talk about technology. There are some real opportunities to make compliance more efficient. Invest in compliance management software that automates tracking of rulemaking milestones, documentation, and reporting requirements. That can save you a ton of time and reduce the risk of missing something important.
Paul Netopski
Absolutely. Real-time monitoring tools are a game-changer. They can alert your teams to regulatory updates and amendments as soon as they happen, so you can respond quickly and stay ahead of the curve. And don’t forget about developing a centralized knowledge base—a training portal where all stakeholders can access the latest resources, guidance, and updates. That way, everyone’s working from the same playbook.
Ruby Sturt
And, look, if you’re not already using automation for compliance, now’s the time to start. It’s not about replacing people—it’s about freeing them up to focus on higher-value work. The more you can automate the routine stuff, the more bandwidth you have for strategic thinking and problem-solving.
Eric Marquette
Yeah, and I’ll just add—continuous learning is key. The regulatory landscape is always shifting, so make sure your teams have access to ongoing training and up-to-date resources. That’s how you build resilience and stay compliant, no matter what comes next.
Roz
Well, that’s a wrap for today’s episode. We’ve covered a lot—from the basics of federal rulemaking to the nitty-gritty of CMMC implementation and the upcoming DFARS changes. Thanks for joining us, and thanks to Eric, Ruby, and Paul for sharing your insights. We’ll be back soon with more on CMMC and federal compliance. Until then, stay vigilant, stay informed, and keep those questions coming. Eric, Ruby, Paul—always a pleasure.
Eric Marquette
Thanks, Roz. Always great to dig into the details with you all. See you next time.
Ruby Sturt
Cheers, everyone! Don’t forget to check the show notes for links to resources, and we’ll catch you in the next episode.
Paul Netopski
Thanks, team. Stay secure, and keep those compliance engines running.
