CMMC 2.0 Submission to OIRA is Moving Forward

By Heather Bennett

September 23, 2023

The CMMC 2.0 submission to OIRA is moving forward, according to the OMB website. The site lists three meetings taking place on September 6th, September 8th, and September 13th. These meetings are labeled as the “Proposed Rule Stage”. This is creating a stir among the CMMC evangelicals. This is the first major step after the official submission.


On July 24, 2023, the DoD officially submitted CMMC 2.0 to the Office of Information and Regulatory Affairs (OIRA) for review. This is a major step that many in the cybersecurity sphere have been waiting for. Why is it such a big deal? What does this mean?

What is Everyone Talking about?

Let’s start with the significance of this news. CMMC has been a buzzword in the DIB and cybersecurity community for over three years at the time of writing. Three years of debate, revision, speculation, and preparation are one step closer to reality. “Under EO 12866, OIRA has up to 90 days (which can be extended) to review a rule. This review helps to promote adequate interagency review of draft proposed and final regulatory actions so that such actions are coordinated with other agencies to avoid inconsistent, incompatible, or duplicative policies.” ( After 90 days, if there are no revisions, the next step is publishing the proposed rule in the Federal Register. Once the rule is registered, there will be a 60-day comment period. This puts us into 2024 before the rule goes into effect. This means that CMMC requirements could appear in contracts by early 2025.

The Importance of OMB Submission in CMMC Compliance

So, why is the submission of CMMC requirements to OMB so critical? Here are several key reasons:


  1. Alignment with Government Policies: OMB review ensures that CMMC requirements align with government policies and standards, ensuring a unified approach to cybersecurity across government contracts.


  1. Legitimacy and Standardization: OMB approval adds legitimacy and standardization to the CMMC framework. It signifies that the cybersecurity practices mandated by CMMC are recognized and endorsed at the highest levels of government.


  1. Contract Eligibility: Without OMB approval, organizations may not be eligible to bid for or engage in DoD contracts. Compliance with CMMC, including the OMB submission, is often a prerequisite for participation.


  1. National Security: Given the sensitive nature of information involved in defense contracts, OMB ensures that the cybersecurity measures mandated by CMMC are robust, protecting national security interests.


  1. Consistency and Accountability: OMB oversight ensures that CMMC compliance remains consistent and that organizations are held accountable for adhering to cybersecurity best practices.

Waiting in CMMC the Wings

What does this mean for DIB contractors and C3PAOs that have been preparing for the official rule? It’s game time. There is no denying that this requirement is going to go into effect. Any DIB contractor that has been dragging their feet regarding compliance will have to step up their game. Many CMMC evangelists have been warning the community for the past three years that it’s time to get ready or get left behind.


PGS has spent the last three years learning, securing its certification, and preparing clients for the inevitable. We have developed strong CMMC service offerings, from CMMC workshops to full certification assessments. To learn more about how you can be ready for CMMC, we invite you to attend a webinar we will host on October 17, 2023. This interactive session will focus on document preparation specific to CMMC. This webinar is free and open to anyone interested in preparing for CMMC. You can sign up below.

Register for this Webinar Below

Don't miss this opportunity to master CMMC documentation and bolster your organization's cybersecurity efforts. Register now to secure your spot!

Provincia Government Solutions, LLC is a Nashville based HUBZone certified security and risk assurance firm with advanced expertise in government regulatory and compliance cybersecurity requirements including NIST, FISMA, CMMC, SCA, 800-171, TRICARE, MARS-E and ZTA (Zero Trust Architecture) solutions. Our client base includes  government agencies, contractors, and commercial organizations affiliated with government entities. Whether you are seeking audit preparedness, compliance and assurance assessments,  security consulting, or CMMC certification, we have the expertise to help.  Contact us at (615) 807-2822 or at to discuss your security needs today. Consultations are free of charge and we look forward to speaking with you!

Subscribe to our Blog!

Be The First

to Know

When New Blog Content is Published


Contact Information

Social Networks


Provincia Government Solutions is a Nashville TN based Authorized CMMC Third-Party Assessor Organization (C3PAO) and SBA Certified small business specializing in Cybersecurity Assurance Services for government agencies, contractors, and commercial organizations affiliated with government entities.