{"id":23608,"date":"2024-07-17T11:12:40","date_gmt":"2024-07-17T10:12:40","guid":{"rendered":"https:\/\/www.riskinsight-wavestone.com\/?p=23608"},"modified":"2024-07-18T10:00:18","modified_gmt":"2024-07-18T09:00:18","slug":"timeline-update-cmmc-2-0-and-the-phenomenon-of-midnight-rulemaking","status":"publish","type":"post","link":"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/07\/timeline-update-cmmc-2-0-and-the-phenomenon-of-midnight-rulemaking\/","title":{"rendered":"Timeline Update: CMMC 2.0 and the Phenomenon of Midnight Rulemaking"},"content":{"rendered":"\n

Not familiar with CMMC 2.0? For more information regarding CMMC 2.0, please refer to <\/em>this article<\/em><\/a>.<\/em><\/p>\n

The Cybersecurity Maturity Model Certification (CMMC) is a comprehensive framework <\/strong>designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), shared with contractors and subcontractors <\/strong>of the Department of Defense (DoD) <\/strong>through acquisition programs, as defined by Executive Order 13556<\/strong>.<\/p>\n

The CMMC 2.0 Proposed Rule, published on December 26, 2023, represents the latest evolution of the CMMC cybersecurity model.<\/p>\n

On June 27, 2024, after adjudicating nearly 2,000 comments, following a 60-day open-comment period, the DoD submitted a draft of the CMMC 2.0 Final Rule<\/a> (32 CFR) to the Office of Information and Regulatory Affairs (OIRA) at the White House.<\/p>\n

The summited draft represents the <\/span>final step before the CMMC 2.0 rule is published in the Federal Register<\/span>. As the final draft has been submitted the focus <\/span>now shifts to the timeline for <\/span>when the CMMC 2.0 regulation will take effect and be enforced.<\/strong><\/p>\n

Before addressing this shift in focus, it is essential to understand that the security requirements, upon which CMMC 2.0 Level 2 is founded (NIST SP 800-171), have been mandatory<\/strong> for DoD contractors handling sensitive information since December 2017<\/strong>, when the DFARS clause 252.204-7012 was included in DoD contracts. However, during this period, compliance mostly relied on self-attestation without a robust enforcement mechanism<\/strong>, leaving the DoD unable to verify adherence.<\/strong> As a result, many contractors neglected<\/strong><\/span> to fully implement the required controls.<\/p>\n

To address this issue, the DoD launched the CMMC program<\/strong>, which essentially serves as the mechanism through which the DoD will verify compliance<\/strong> with the requirements outlined in DFARS clause 252.204-7012 (NIST SP 800-171), mandated in contracts since 2017.<\/p>\n

As the DoD puts it: “A key difference between the DFARS 252.204-7012 and CMMC Level 2 requirements is that compliance with NIST SP 800-171 under DFARS 252.204-7012 has not been consistently verified. Under CMMC, compliance will be checked by independent third-party assessors certified by DoD<\/strong><\/em><\/a>.<\/em><\/strong>“<\/p>\n

The significant change<\/strong> introduced by CMMC<\/strong>, requires contractors to obtain certification through assessments<\/strong> conducted by a CMMC Third Party Assessment Organization (C3PAO) to demonstrate compliance<\/strong> to retain and secure DoD contracts.<\/p>\n

\u00a0<\/p>\n

CMMC Rulemaking Timeline<\/strong><\/span><\/h2>\n

The CMMC rulemaking timeline is summarized below based on publicly available information as of July 17, 2024.<\/p>\n

\"\"<\/p>\n

As with all federal regulations, CMMC requires a legal basis for implementation. Therefore, to determine when the CMMC 2.0 regulation will come into effect, we need to understand the rulemaking process behind CMMC 2.0, involving two rules from the Code of Federal Regulations<\/a>: 32 CFR and 48 CFR.<\/p>\n

For the CMMC 2.0 regulation to come fully into effect, two things need to happen<\/strong>.<\/p>\n

    \n
  1. The 32 CFR CMMC<\/a> Final Rule has to come into effect. This rule outlines and codifies the CMMC program and will allow CMMC third-party assessments to begin, known as the “market rollout<\/strong>“.<\/li>\n<\/ol>\n

    The 32 CFR CMMC Final Rule is estimated to be published no later than October 26, 2024, after OIRA’s review of up to 120 days, and will come into effect approximately 60 days later, in late Q3 or early Q4 2024<\/strong>.<\/p>\n

      \n
    1. 48 CFR CMMC<\/a> Final Rule must come into effect. This rule revises the DFARS clause 252.204-7021 to point to the CMMC program (32 CFR) and will introduce CMMC compliance as a contractual clause gradually over 3 years, known as the “phased rollout<\/strong>“.<\/li>\n<\/ol>\n

      The 48 CFR Proposed Rule was submitted to OIRA<\/strong> in May 2024. After a 90 to 120-day regulatory review and an initial 60-day public comment period, the Proposed Rule will undergo another 60-day public comment period, followed by a Final Rule review and adjudication process, estimated to take 150 to 280 business days. The 48 CFR Final Rule is expected to come into effect around Q3 or Q4 2025<\/strong> but could be sooner, as it revises an existing, small clause (DFARS clause 252.204-7021).<\/p>\n

      \u00a0<\/p>\n

      The 32 CFR is the Starting Gun for the CMMC Race<\/strong><\/span><\/h2>\n

      While the effective date of the 48 CFR Final Rule (expected in Q3 or Q4 2025) will determine when the CMMC 2.0 regulation is mandatorily included in contracts, known as the “phase-rollout<\/strong>,” it’s a significant misconception<\/strong> that the pivotal milestone for the start of the CMMC race is the effective date of the 48 CFR.<\/p>\n

      Indeed, the kickoff for the CMMC race will be determined by the effective date of the 32 CFR Final Rule<\/strong> (expected late Q3 or early Q4 2024), not the 48 CFR Final Rule.<\/p>\n

      The 32 CFR Final Rule will trigger the “market rollout<\/strong>“, which will allow CMMC assessments to begin<\/strong>. Once these assessments are available, prime contractors (e.g., Lockheed Martin, Boeing, Raytheon) will likely require subcontractors to obtain CMMC certification<\/strong> as soon as possible, well before DoD does <\/strong>through the “phased rollout<\/strong>“, to maintain their competitive edge and mitigate the risk of non-certified suppliers jeopardizing their own certification status.<\/p>\n

      \"\"<\/p>\n

      \u00a0<\/p>\n

      Midnight Rulemaking and CMMC 2.0<\/strong><\/span><\/h2>\n

      In the past 6 months, there has been a notable acceleration in the CMMC rulemaking process<\/strong>. This is evident in several key milestones, including the publication of the 32 CFR Proposed Rule in December 2023, the submission of a 48 CFR Proposed Rule to OIRA in May 2024, and most recently, the submission of the 32 CFR Final Rule to OIRA in June 2024. This phenomenon is often referred to as <\/strong>“Midnight Rulemaking<\/a>“, which describes the rush to finalize regulations in the final months before a presidential administration concludes.<\/p>\n

      Thus, if we anticipate the 32 CFR Final Rule to be finalized and effective in late Q3 or early Q4 2024, given the Department of Defense’s strong motivation to complete the CMMC regulations before the U.S. 2024 elections, there is a very strong possibility it will become effective before November 5, 2024<\/strong>.<\/p>\n

      \u00a0<\/p>\n

      Don\u2019t Wait for the Starting Gun to Begin the CMMC Compliance Journey<\/span><\/strong><\/h2>\n

      The DoD anticipates that it will take two years<\/a> for companies with existing contracts to become CMMC certified, assuming they have already implemented the NIST SP 800-171 Rev. 2 requirements <\/strong>as per DFARS clause 252.204-7012. This extended timeline is due to several factors:<\/p>\n

        \n
      1. Once 32 CFR becomes effective, CMMC third-party assessments for CMMC Level 2 will commence, requiring organizations to achieve 100% self-attestation readiness before undergoing assessment<\/strong>. This preparatory phase demands significant time and effort.<\/li>\n
      2. On average, organizations spend between 12 to 18 months preparing<\/strong> for a CMMC Level 2 assessment.<\/li>\n
      3. Due to a shortage<\/strong> of CMMC assessors, organizations may expect to wait approximately 9 to 15 months<\/strong> (3 to 5 quarters) for a CMMC assessment.<\/li>\n<\/ol>\n

        Therefore, to stay prepared for future DoD contract opportunities and maintain a competitive edge, it is recommended that organizations begin their CMMC compliance process today. <\/strong><\/p>\n

        Feel free to reach out<\/a> to discuss your CMMC journey with us and explore how #Wavestone can assist you in navigating the intricate landscape of CMMC 2.0 compliance, supporting your path to certification, and enhancing your cybersecurity readiness into a strategic advantage.<\/p>\n

        Our CMMC 2.0 Compliance Services:<\/strong><\/h3>\n
          \n
        1. CUI Identification:<\/u>\n
            \n
          • We assist in identifying Controlled Unclassified Information (CUI) within your organization to ensure compliance with CMMC requirements.<\/li>\n<\/ul>\n<\/li>\n
          • CMMC Assessment Scope Identification:<\/u>\n
              \n
            • We help define and minimize your CMMC Assessment Scope to stay cost-effective and pragmatic. By clearly identifying the scope, we ensure that all necessary systems and processes are included while avoiding unnecessary complexity and costs.<\/li>\n<\/ul>\n<\/li>\n
            • CMMC Readiness Assessments<\/u>:\n
                \n
              • Our experts conduct CMMC Level 1 and 2 readiness assessments, evaluating your current state against the respective assessment objectives (e.g., NIST SP 800-171A) to provide you with actionable recommendations.<\/li>\n<\/ul>\n<\/li>\n
              • CMMC Compliance Roadmap Definition<\/u>:\n
                  \n
                • We work with you to define a clear roadmap to achieve CMMC compliance, tailored to your needs, whether for CMMC clusters or all-in scenarios.<\/li>\n<\/ul>\n<\/li>\n
                • CMMC Implementation Support<\/u>:\n
                    \n
                  • We offer comprehensive guidance and support throughout the implementation phase, helping you effectively integrate the required controls and reach CMMC 2.0 compliance.<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"

                    Not familiar with CMMC 2.0? For more information regarding CMMC 2.0, please refer to this article. The Cybersecurity Maturity Model Certification (CMMC) is a comprehensive framework designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), shared with…<\/p>\n","protected":false},"author":176,"featured_media":23603,"comment_status":"open","ping_status":"closed","sticky":true,"template":"page-templates\/tmpl-one.php","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[3270,3977],"tags":[4426,4425,4432,4490,4430,4428,4492,3156,4493,3696],"coauthors":[1177,4434],"class_list":["post-23608","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cyberrisk-management-strategy-en","category-focus","tag-cmmc-2","tag-cui-2","tag-cybersecurity-maturity-model-certification-2","tag-department-of-defense-2","tag-dod-2","tag-fci-2","tag-midnight-rulemaking-2","tag-risk-management-en","tag-supply-chain-attacks-2","tag-third-party"],"acf":[],"yoast_head":"\nTimeline Update: CMMC 2.0 and the Phenomenon of Midnight Rulemaking - RiskInsight<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/07\/timeline-update-cmmc-2-0-and-the-phenomenon-of-midnight-rulemaking\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Timeline Update: CMMC 2.0 and the Phenomenon of Midnight Rulemaking - RiskInsight\" \/>\n<meta property=\"og:description\" content=\"Not familiar with CMMC 2.0? For more information regarding CMMC 2.0, please refer to this article. The Cybersecurity Maturity Model Certification (CMMC) is a comprehensive framework designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), shared with...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/07\/timeline-update-cmmc-2-0-and-the-phenomenon-of-midnight-rulemaking\/\" \/>\n<meta property=\"og:site_name\" content=\"RiskInsight\" \/>\n<meta property=\"article:published_time\" content=\"2024-07-17T10:12:40+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-07-18T09:00:18+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/07\/cover.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"960\" \/>\n\t<meta property=\"og:image:height\" content=\"540\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Baptistin Buchet, Jonathan Deglise\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Baptistin Buchet, Jonathan Deglise\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"8 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/07\/timeline-update-cmmc-2-0-and-the-phenomenon-of-midnight-rulemaking\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/07\/timeline-update-cmmc-2-0-and-the-phenomenon-of-midnight-rulemaking\/\"},\"author\":{\"name\":\"Baptistin Buchet\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/16aec9608a95cf2d00a82212bf85ea4d\"},\"headline\":\"Timeline Update: CMMC 2.0 and the Phenomenon of Midnight Rulemaking\",\"datePublished\":\"2024-07-17T10:12:40+00:00\",\"dateModified\":\"2024-07-18T09:00:18+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/07\/timeline-update-cmmc-2-0-and-the-phenomenon-of-midnight-rulemaking\/\"},\"wordCount\":1230,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/07\/timeline-update-cmmc-2-0-and-the-phenomenon-of-midnight-rulemaking\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/07\/cover.jpg\",\"keywords\":[\"CMMC\",\"CUI\",\"Cybersecurity Maturity Model Certification\",\"Department of Defense\",\"DoD\",\"FCI\",\"Midnight Rulemaking\",\"risk management\",\"supply chain attacks\",\"third party\"],\"articleSection\":[\"Cyberrisk Management & Strategy\",\"Focus\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/07\/timeline-update-cmmc-2-0-and-the-phenomenon-of-midnight-rulemaking\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/07\/timeline-update-cmmc-2-0-and-the-phenomenon-of-midnight-rulemaking\/\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/07\/timeline-update-cmmc-2-0-and-the-phenomenon-of-midnight-rulemaking\/\",\"name\":\"Timeline Update: CMMC 2.0 and the Phenomenon of Midnight Rulemaking - RiskInsight\",\"isPartOf\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/07\/timeline-update-cmmc-2-0-and-the-phenomenon-of-midnight-rulemaking\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/07\/timeline-update-cmmc-2-0-and-the-phenomenon-of-midnight-rulemaking\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/07\/cover.jpg\",\"datePublished\":\"2024-07-17T10:12:40+00:00\",\"dateModified\":\"2024-07-18T09:00:18+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/07\/timeline-update-cmmc-2-0-and-the-phenomenon-of-midnight-rulemaking\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/07\/timeline-update-cmmc-2-0-and-the-phenomenon-of-midnight-rulemaking\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/07\/timeline-update-cmmc-2-0-and-the-phenomenon-of-midnight-rulemaking\/#primaryimage\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/07\/cover.jpg\",\"contentUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/07\/cover.jpg\",\"width\":960,\"height\":540},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/07\/timeline-update-cmmc-2-0-and-the-phenomenon-of-midnight-rulemaking\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Timeline Update: CMMC 2.0 and the Phenomenon of Midnight Rulemaking\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#website\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\",\"name\":\"RiskInsight\",\"description\":\"The cybersecurity & digital trust blog by Wavestone's consultants\",\"publisher\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.riskinsight-wavestone.com\/en\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#organization\",\"name\":\"Wavestone\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png\",\"contentUrl\":\"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png\",\"width\":50,\"height\":50,\"caption\":\"Wavestone\"},\"image\":{\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/16aec9608a95cf2d00a82212bf85ea4d\",\"name\":\"Baptistin Buchet\",\"url\":\"https:\/\/www.riskinsight-wavestone.com\/en\/author\/baptistin-buchet\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Timeline Update: CMMC 2.0 and the Phenomenon of Midnight Rulemaking - RiskInsight","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/07\/timeline-update-cmmc-2-0-and-the-phenomenon-of-midnight-rulemaking\/","og_locale":"en_US","og_type":"article","og_title":"Timeline Update: CMMC 2.0 and the Phenomenon of Midnight Rulemaking - RiskInsight","og_description":"Not familiar with CMMC 2.0? For more information regarding CMMC 2.0, please refer to this article. The Cybersecurity Maturity Model Certification (CMMC) is a comprehensive framework designed to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), shared with...","og_url":"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/07\/timeline-update-cmmc-2-0-and-the-phenomenon-of-midnight-rulemaking\/","og_site_name":"RiskInsight","article_published_time":"2024-07-17T10:12:40+00:00","article_modified_time":"2024-07-18T09:00:18+00:00","og_image":[{"width":960,"height":540,"url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/07\/cover.jpg","type":"image\/jpeg"}],"author":"Baptistin Buchet, Jonathan Deglise","twitter_misc":{"Written by":"Baptistin Buchet, Jonathan Deglise","Est. reading time":"8 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/07\/timeline-update-cmmc-2-0-and-the-phenomenon-of-midnight-rulemaking\/#article","isPartOf":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/07\/timeline-update-cmmc-2-0-and-the-phenomenon-of-midnight-rulemaking\/"},"author":{"name":"Baptistin Buchet","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/16aec9608a95cf2d00a82212bf85ea4d"},"headline":"Timeline Update: CMMC 2.0 and the Phenomenon of Midnight Rulemaking","datePublished":"2024-07-17T10:12:40+00:00","dateModified":"2024-07-18T09:00:18+00:00","mainEntityOfPage":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/07\/timeline-update-cmmc-2-0-and-the-phenomenon-of-midnight-rulemaking\/"},"wordCount":1230,"commentCount":0,"publisher":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/07\/timeline-update-cmmc-2-0-and-the-phenomenon-of-midnight-rulemaking\/#primaryimage"},"thumbnailUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/07\/cover.jpg","keywords":["CMMC","CUI","Cybersecurity Maturity Model Certification","Department of Defense","DoD","FCI","Midnight Rulemaking","risk management","supply chain attacks","third party"],"articleSection":["Cyberrisk Management & Strategy","Focus"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.riskinsight-wavestone.com\/en\/2024\/07\/timeline-update-cmmc-2-0-and-the-phenomenon-of-midnight-rulemaking\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/07\/timeline-update-cmmc-2-0-and-the-phenomenon-of-midnight-rulemaking\/","url":"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/07\/timeline-update-cmmc-2-0-and-the-phenomenon-of-midnight-rulemaking\/","name":"Timeline Update: CMMC 2.0 and the Phenomenon of Midnight Rulemaking - RiskInsight","isPartOf":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/07\/timeline-update-cmmc-2-0-and-the-phenomenon-of-midnight-rulemaking\/#primaryimage"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/07\/timeline-update-cmmc-2-0-and-the-phenomenon-of-midnight-rulemaking\/#primaryimage"},"thumbnailUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/07\/cover.jpg","datePublished":"2024-07-17T10:12:40+00:00","dateModified":"2024-07-18T09:00:18+00:00","breadcrumb":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/07\/timeline-update-cmmc-2-0-and-the-phenomenon-of-midnight-rulemaking\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.riskinsight-wavestone.com\/en\/2024\/07\/timeline-update-cmmc-2-0-and-the-phenomenon-of-midnight-rulemaking\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/07\/timeline-update-cmmc-2-0-and-the-phenomenon-of-midnight-rulemaking\/#primaryimage","url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/07\/cover.jpg","contentUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2024\/07\/cover.jpg","width":960,"height":540},{"@type":"BreadcrumbList","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/2024\/07\/timeline-update-cmmc-2-0-and-the-phenomenon-of-midnight-rulemaking\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.riskinsight-wavestone.com\/en\/"},{"@type":"ListItem","position":2,"name":"Timeline Update: CMMC 2.0 and the Phenomenon of Midnight Rulemaking"}]},{"@type":"WebSite","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#website","url":"https:\/\/www.riskinsight-wavestone.com\/en\/","name":"RiskInsight","description":"The cybersecurity & digital trust blog by Wavestone's consultants","publisher":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.riskinsight-wavestone.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#organization","name":"Wavestone","url":"https:\/\/www.riskinsight-wavestone.com\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/","url":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png","contentUrl":"https:\/\/www.riskinsight-wavestone.com\/wp-content\/uploads\/2021\/08\/Monogramme\u2013W\u2013NEGA-RGB-50x50-1.png","width":50,"height":50,"caption":"Wavestone"},"image":{"@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/www.riskinsight-wavestone.com\/en\/#\/schema\/person\/16aec9608a95cf2d00a82212bf85ea4d","name":"Baptistin Buchet","url":"https:\/\/www.riskinsight-wavestone.com\/en\/author\/baptistin-buchet\/"}]}},"_links":{"self":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/23608","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/users\/176"}],"replies":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/comments?post=23608"}],"version-history":[{"count":13,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/23608\/revisions"}],"predecessor-version":[{"id":23659,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/posts\/23608\/revisions\/23659"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/media\/23603"}],"wp:attachment":[{"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/media?parent=23608"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/categories?post=23608"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/tags?post=23608"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.riskinsight-wavestone.com\/en\/wp-json\/wp\/v2\/coauthors?post=23608"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}