Cybersecurity Maturity Model Certification (CMMC) 2.0 Updates and Way Forward, 64100 [2021-24880]

[Federal Register Volume 86, Number 219 (Wednesday, November 17, 2021)]
[Proposed Rules]
[Page 64100]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-24880]

=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Office of the Secretary

32 CFR Chapter I

Defense Acquisition Regulations System

48 CFR Chapter 2


Cybersecurity Maturity Model Certification (CMMC) 2.0 Updates and 
Way Forward

AGENCY: Office of the Under Secretary of Defense for Acquisition and 
Sustainment, Department of Defense (DoD).

ACTION: Advanced notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: This document provides updated information on DoD's way 
forward for the approved Cybersecurity Maturity Model Certification 
(CMMC) program changes, designated as ``CMMC 2.0.'' CMMC 2.0 builds 
upon the initial CMMC framework to dynamically enhance Defense 
Industrial Base (DIB) cybersecurity against evolving threats. The CMMC 
framework is designed to protect sensitive unclassified information 
that is shared by the Department with its contractors and 
subcontractors and provide assurance that Federal Contract Information 
(FCI) and Controlled Unclassified Information (CUI) will be protected 
at a level commensurate with the risk from cybersecurity threats, 
including Advanced Persistent Threats. Under the CMMC program, DIB 
contractors will be required to implement certain cybersecurity 
protection standards, and, as required, perform self-assessments or 
obtain third-party certification as a condition of DoD contract award.

DATES: November 17, 2021.

ADDRESSES: Visit the updated CMMC website for CMMC 2.0 updates: https://www.acq.osd.mil/cmmc/.

FOR FURTHER INFORMATION CONTACT: Ms. Diane Knight, Office of the Under 
Secretary of Defense for Acquisition and Sustainment, at 202-770-9100 
or diane.l.knight10.civ@mail.mil.

SUPPLEMENTARY INFORMATION:

Background

    The CMMC program is designed to enhance DIB cybersecurity to meet 
evolving threats and safeguard the information that supports and 
enables the Warfighter.
    Interim Defense Federal Acquisition Regulation Supplement (DFARS) 
rule, Assessing Contractor Implementation of Cybersecurity Requirements 
(DFARS Case 2019-D041), effective November 30, 2020, implemented DFARS 
clause 252.204-7021, Contractor Compliance with the Cybersecurity 
Maturity Model Certification Level Requirement. This clause implemented 
the initial version of the CMMC program, hereafter ``CMMC 1.0.''
    CMMC 1.0 was designed to protect FCI and CUI shared with and 
handled by DoD contractors and subcontractors on non-federal contractor 
information systems. CMMC 1.0 involved five progressively advanced 
levels of cybersecurity standards and required that DIB contractors 
undergo a certification process to demonstrate compliance with the CMMC 
cybersecurity standards at a given level.
    In March 2021, the Department initiated an internal assessment of 
CMMC 1.0 implementation that was informed by more than 850 public 
comments in response to the interim DFARS rule. This comprehensive, 
programmatic assessment of CMMC engaged cybersecurity and acquisition 
leaders within DoD to refine policy and program implementation. This 
review resulted in ``CMMC 2.0,'' which updates the program structure 
and the requirements to streamline and improve implementation of the 
CMMC program.

Way Forward

    The changes reflected in the CMMC 2.0 framework will be implemented 
through the rulemaking process. DoD will pursue rulemaking in both: (1) 
Title 32 of the Code of Federal Regulations (CFR); and, (2) title 48 
CFR, to establish CMMC 2.0 program requirements and implement any 
needed changes to the CMMC program content in 48 CFR. Both rules will 
have public comment periods.
    Publication of title 32 and title 48 CFR rules will implement DoD's 
requirements for the updated CMMC version 2.0, which include various 
modifications from CMMC 1.0.
    These modifications include:
    • Eliminating levels 2 and 4, and renaming the remaining three 
levels in CMMC 2.0 as follows:
        ○ Level 1 (Foundational) will remain the same as CMMC 1.0 
Level 1;
        ○ Level 2 (Advanced) will be similar to CMMC 1.0 Level 3;
        ○ Level 3 (Expert) will be similar to CMMC 1.0 Level 5.
    • Removing CMMC-unique practices and all maturity processes from 
all levels;
    • For CMMC Level 1 (Foundational), allowing annual self-
assessments with an annual affirmation by DIB company leadership;
    • Bifurcating CMMC Level 2 (Advanced) assessment requirements:
        ○ Prioritized acquisitions involving CUI will require an 
independent third-party assessment;
        ○ Non-prioritized acquisitions involving CUI will require an 
annual self-assessment and annual company affirmation;
    • For CMMC Level 3 (Expert), requiring Government-led assessments;
    • Developing a time-bound and enforceable Plan of Action and 
Milestone process; and,
    • Developing a selective, time-bound waiver process, if needed 
and approved.
    The title 32 CFR rulemaking for CMMC 2.0 will be followed by 
additional title 48 CFR rulemaking, as needed, to implement any needed 
changes to the CMMC program content in 48 CFR. DoD will work through 
the rulemaking processes as expeditiously as possible.
    Until the CMMC 2.0 changes become effective through both the title 
32 CFR and title 48 CFR rulemaking processes, the Department will 
suspend the CMMC Piloting efforts and will not approve inclusion of a 
CMMC requirement in DoD solicitations.
    The CMMC 2.0 program requirements will not be mandatory until the 
title 32 CFR rulemaking is complete, and the CMMC program requirements 
have been implemented as needed into acquisition regulation through 
title 48 rulemaking.

    Dated: November 8, 2021.
Patricia L. Toppings,
OSD Federal Register Liaison Officer, Department of Defense.
[FR Doc. 2021-24880 Filed 11-16-21; 8:45 am]
BILLING CODE 5001-06-P