Submission for OMB Review; Comment Request, 52034-52036 [2024-13464]
Federal Register / Vol. 89, No. 120 / Friday, June 21, 2024 / Notices
established by the David L. Boren
National Security Education Act, Title
VII of Public Law 102–183, as amended.
Agenda: Monday, June 24, 2024 from
9:00 a.m. to 4:00 p.m. the NSEB will
begin an open session with opening
remarks by Alternate Designated Federal
Officer, Ms. Alison Patz, and the
Honorable Shawn Skelly, Assistant
Secretary of Defense for Readiness, who
will Chair the meeting. The NSEB will
receive briefings on the NSEB Statutory
Responsibilities and Program Updates,
the class of 2024 Boren Scholars and
Fellows, and Department of Defense
Language Roadmap. The meeting will
continue with a mission highlight from
Project Global Officer, followed by
working group discussion. The
meeting’s final session will be an
overview of the Boren Awards Alumni
Survey. General discussion and closing
remarks by the Chair and the DFO will
adjourn the meeting.
Meeting Accessibility: Pursuant to 5
U.S.C. 552b and 41 CFR 102–3.140
through 102–3.165, and the availability
of space, this meeting is open to the
public, subject to the availability of
space.
Special Accommodations: Individuals
requiring special accommodations to
access the public meeting should
contact Ms. Alison Patz at
alison.m.patz.civ@mail.mil (email) or
(571) 329–3894 (voice) no later than
Thursday, June 20, 2024, so that
appropriate arrangements can be made.
Written Statements: This meeting is
being held under the provisions of the
FACA of 1972 (5 U.S.C., Appendix, as
amended), the Government in the
Sunshine Act of 1976 (5 U.S.C. 552b, as
amended), and 41 CFR 102–3.140 and
102–3.150. Pursuant to 41 CFR
102–3.140 and sections 10(a)(3) of the FACA
of 1972, the public or interested
organizations may submit written
statements to the Department of Defense
National Security Education Board
about its mission and functions. Written
statements may be submitted at any
time or in response to the stated agenda
of the planned meeting. All written
statements shall be submitted to the
point of contact at the email address or
phone number listed in the FOR FURTHER
INFORMATION CONTACT section, and this
individual will ensure that the written
statements are provided to the
membership for their consideration.
Statements being submitted in response
to the agenda items mentioned in this
notice must be received by the point of
contact listed in the FOR FURTHER
INFORMATION CONTACT section at least
five calendar days prior to the meeting
that is the subject of this notice. Written
statements received after this date may
not be provided to or considered by the
NSEB until its next meeting.
Dated: June 13, 2024.
Aaron T. Siegel,
Alternate OSD Federal Register Liaison
Officer, Department of Defense.
[FR Doc. 2024–13637 Filed 6–20–24; 8:45 am]
BILLING CODE 6001–FR–P
DEPARTMENT OF ENERGY
Federal Energy Regulatory
Commission
[Project No. 10853–043]
Otter Tail Power Company; Notice of
Application for Non-Capacity
Amendment of License Accepted for
Filing, Soliciting Comments, Motions
To Intervene, and Protests
Take notice that the following
hydroelectric application has been filed
with the Commission and is available
for public inspection:
a. Application Type: Non-capacity
Amendment of License.
b. Project No: 10853–043.
c. Date Filed: September 29, 2023, and
supplemented November 21, 2023, and
June 4, 2024.
d. Applicant: Otter Tail Power
Company (licensee).
e. Name of Project: Otter Tail River
Hydroelectric Project.
f. Location: The project is located on
the Otter Tail River in Otter Tail
County, Minnesota, and does not
occupy federal land. The project’s five
developments, from upstream to
downstream, are: (1) Friberg; (2) Hoot;
(3) Central; (4) Pisgah; and (5) Dayton
Hollow.
g. Filed Pursuant to: Federal Power
Act, 16 U.S.C. 791a–825r.
h. Applicant Contact: Michael Olson,
Otter Tail Power Company, 215 South
Cascade Street, Fergus Falls, MN 56537,
(218) 739–8411, mjolson@otpco.com
and Laura Cowan, Kleinschmidt
Associates, P.O. Box 278, 400 Historic
Drive, Strasburg, PA 17579, (717) 983–4065,
Laura.Cowan@KleinschmidtGroup.com.
i. FERC Contact: Jeremy Jessup, (202)
502–6779, Jeremy.Jessup@ferc.gov.
j. Cooperating agencies: With this
notice, the Commission is inviting
federal, state, local, and Tribal agencies
with jurisdiction and/or special
expertise with respect to environmental
issues affected by the proposal, that
wish to cooperate in the preparation of
any environmental document, if
applicable, to follow the instructions for
filing such requests described in item k
below. Cooperating agencies should
note the Commission’s policy that
agencies that cooperate in the
preparation of any environmental
document cannot also intervene. See 94
FERC ¶ 61,076 (2001).
k. Deadline for filing comments,
motions to intervene, and protests: July
15, 2024.
The Commission strongly encourages
electronic filing. Please file comments,
motions to intervene, and protests using
the Commission’s eFiling system at
https://www.ferc.gov/docs-filing/efiling.asp.
Commenters can submit
brief comments up to 6,000 characters,
without prior registration, using the
eComment system at
https://www.ferc.gov/docs-filing/ecomment.asp.
You must include your
name and contact information at the end
of your comments. For assistance,
please contact FERC Online Support at
FERCOnlineSupport@ferc.gov, (866)
208–3676 (toll free), or (202) 502–8659
(TTY). In lieu of electronic filing, you
may submit a paper copy. Submissions
sent via the U.S. Postal Service must be
addressed to: Debbie-Anne A. Reese,
Acting Secretary, Federal Energy
Regulatory Commission, 888 First Street
NE, Room 1A, Washington, DC 20426.
Submissions sent via any other carrier
must be addressed to: Debbie-Anne A.
Reese, Acting Secretary, Federal Energy
Regulatory Commission, 12225 Wilkins
Avenue, Rockville, Maryland 20852.
The first page of any filing should
include the docket number P–10853–
043. Comments emailed to Commission
staff are not considered part of the
Commission record.
The Commission’s Rules of Practice
and Procedure require all intervenors
filing documents with the Commission
to serve a copy of that document on
each person whose name appears on the
official service list for the project.
Further, if an intervenor files comments
or documents with the Commission
relating to the merits of an issue that
may affect the responsibilities of a
particular resource agency, they must
also serve a copy of the document on
that resource agency.
l. Description of Request: The licensee
is proposing to amend Article 401 of the
license to continue operating in a run-of-river mode, with reservoir levels as
close to target levels as practicable, but
adding an operating band of ±0.5 foot
for reservoir elevations except during
flood conditions, at all five
developments of the project. The
licensee states that it has historically
managed reservoir levels as close to
target levels as practicable, and within
±0.5 foot of the target elevations, except
during flood conditions. The licensee
explains that continuous management of
reservoir levels at the exact target
elevation is not possible due to natural
variability from wave run-up,
precipitation events, etc. The licensee
states the proposal would not change
run-of-river operation, existing project
facilities, the project boundary, or
project management and need for
project power, nor is there any ground
disturbance associated with the
amendment.
m. Locations of the Application: This
filing may be viewed on the
Commission’s website at
https://www.ferc.gov using the ‘‘eLibrary’’ link.
Enter the docket number excluding the
last three digits in the docket number
field to access the document. You may
also register online at
https://www.ferc.gov/docs-filing/esubscription.asp
to be notified via
email of new filings and issuances
related to this or other pending projects.
For assistance, call 1–866–208–3676 or
email FERCOnlineSupport@ferc.gov, for
TTY, call (202) 502–8659. Agencies may
obtain copies of the application directly
from the applicant.
n. Individuals desiring to be included
on the Commission’s mailing list should
so indicate by writing to the Secretary
of the Commission.
o. Comments, Protests, or Motions to
Intervene: Anyone may submit
comments, a protest, or a motion to
intervene in accordance with the
requirements of Rules of Practice and
Procedure, 18 CFR 385.210, .211, .214,
respectively. In determining the
appropriate action to take, the
Commission will consider all protests or
other comments filed, but only those
who file a motion to intervene in
accordance with the Commission’s
Rules may become a party to the
proceeding. Any comments, protests, or
motions to intervene must be received
on or before the specified comment date
for the particular application.
p. Filing and Service of Documents:
Any filing must (1) bear in all capital
letters the title ‘‘COMMENTS’’,
‘‘PROTEST’’, or ‘‘MOTION TO
INTERVENE’’ as applicable; (2) set forth
in the heading the name of the applicant
and the project number of the
application to which the filing
responds; (3) furnish the name, address,
[Federal Register Volume 89, Number 120 (Friday, June 21, 2024)]
[Notices]
[Pages 52034-52036]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-13464]
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
Office of the Secretary
[Docket ID: DoD-2023-OS-0063]
Submission for OMB Review; Comment Request
AGENCY: Office of the Department of Defense Chief Information Officer
(CIO), Department of Defense (DoD).
ACTION: 30-Day information collection notice.
-----------------------------------------------------------------------
SUMMARY: The DoD has submitted to the Office of Management and Budget
(OMB) for clearance the following proposal for collection of
information under the provisions of the Paperwork Reduction Act.
DATES: Consideration will be given to all comments received by July 22,
2024.
ADDRESSES: Written comments and recommendations for the proposed
information collection should be sent within 30 days of publication of
this notice to www.reginfo.gov/public/do/PRAMain. Find this particular
information collection by selecting ``Currently under 30-day Review--
Open for Public Comments'' or by using the search function.
FOR FURTHER INFORMATION CONTACT: Reginald Lucas, (571) 372-7574,
whs.mc-alex.esd.mbx.dd-dod-information-collections@mail.mil.
SUPPLEMENTARY INFORMATION:
Title; Associated Form; and OMB Number: Cybersecurity Maturity
Model Certification (CMMC) Program Reporting and Recordkeeping
Requirements Information Collection; OMB Control Number 0704-0677.
Type of Request: New.
Level 2 Certification Assessments
Number of Respondents: 10,942.
Responses per Respondent: 1.
Annual Responses: 10,942.
Average Burden per Response: 525.955 hours.
Annual Burden Hours: 5,754,999.61.
Level 3 Certification Assessments
Number of Respondents: 213.
Responses per Respondent: 1.
Annual Responses: 213.
Average Burden per Response: 79.01 hours.
Annual Burden Hours: 16,829.13.
Total
Number of Respondents: 11,155.
Annual Responses: 11,155.
Annual Burden Hours: 5,771,829.
Needs and Uses: The CMMC Program provides for the assessment of
contractor implementation of cybersecurity requirements to enhance
confidence in contractor protection of unclassified information within
the DoD supply chain. CMMC contractual requirements are implemented
under a Title 48 acquisition rule, with associated rulemaking for the
CMMC Program requirements (e.g., CMMC Scoring Methodology, certificate
issuance, information accessibility) under a Title 32 program rule (32
Code of Federal Regulations (CFR) part 170). The Title 32 program rule
includes two separate information collection requests (ICR), this one
for the CMMC Program and one for CMMC eMASS.
This information collection is necessary to support the
implementation of the CMMC assessment process for Levels 2 and 3
certification assessment, as defined in 32 CFR 170.17 and 170.18
respectively.
Level 2 Certification Assessments
The Level 2 certification assessment process is conducted by CMMC
Certified Assessors, employed by CMMC Third-Party Assessment
Organizations (C3PAOs). During the assessment process, Organizations
Seeking Certification (OSCs) hire C3PAOs to conduct the third-party
assessment required for certification. The Level 2 Certification
Assessment information collection reporting and recordkeeping
requirements are included in the Title 32 program rule with the
exception of the requirement for the OSC to upload the affirmation in
SPRS that is included in the Title 48 acquisition rule. Additionally,
the information collection requirements for the CMMC instantiation of
eMASS are addressed in a separate Title 32 program rule information
collection request (ICR). OSCs follow the procedures defined in 32 CFR
170.17 to prepare for Level 2 certification assessment. Certified
Assessors assigned by C3PAOs follow the requirements and procedures
defined in 32 CFR 170.17 to conduct CMMC assessments on defense
contractor information systems to determine conformance with the
information safeguarding requirements associated with Level 2
certification assessment to validate implementation of the 110 security
requirements from NIST SP 800-171 Rev 2. C3PAOs must generate and
collect pre-assessment and
planning material (contact information for the OSC, information about
the C3PAO and assessors conducting the assessment, the level of
assessment planned, the CMMC Model and Assessment Guide versions, and
assessment approach), artifact information (list of artifacts, hash of
artifacts, and hashing algorithm used), final assessment reports,
appropriate CMMC certificates of assessment, and assessment appeal
information. C3PAOs submit the data they generate and collect into the
CMMC instantiation of eMASS. The information collection required for
this submission is addressed in a separate CMMC eMASS ICR for the Title
32 program rule. OSCs may have a POA&M at Level 2 certification
assessment as addressed in 32 CFR 170.21. C3PAOs perform a POA&M
closeout assessment. The C3PAO process to conduct a POA&M closeout
assessment, when applicable, is the same as the initial assessment with
the same information collection requirements. OSCs must retain
artifacts used as evidence for the assessment for the duration of the
validity period of the certificate of assessment, and at minimum, for
six years from the date of certification assessment as addressed in 32
CFR 170.17(c)(4). The OSC is responsible for compiling relevant
artifacts as evidence and having knowledgeable personnel available
during the assessment. The organizational artifacts are proprietary to
the OSC and will not be retained by the assessment team unless
expressly permitted by the OSC. To preserve the integrity of the
artifacts reviewed, the OSC creates a hash of assessment evidence (to
include a list of the artifact names, the return values of the hashing
algorithm, and the hashing algorithm used) and retains the artifact
information for six years. The information obtained from the artifacts
is an information collection and is provided to the C3PAO for uploading
into the CMMC instantiation of eMASS. If an OSC does not agree with the
assessment results, it may formally dispute the assessment and initiate
an Assessment Appeal process with the C3PAO who conducted the
assessment. C3PAOs submit assessment appeals using eMASS. Appeals are
tracked in the CMMC instantiation of eMASS and any resulting changes to
the assessment results are uploaded into the CMMC instantiation of
eMASS. C3PAOs maintain records for a period of six years of monitoring,
education, training, technical knowledge, skills, experience, and
authorization of each member of its personnel involved in inspection
activities; contractual agreements with OSCs; any working papers
generated from Level 2 certification assessments; and organizations for
whom consulting services were provided as addressed in 32 CFR
170.9(b)(10).
Level 3 Certification Assessments
The Level 3 certification assessment process is conducted by the
Defense Contract Management Agency (DCMA) Defense Industrial Base
Cybersecurity Assessment Center (DIBCAC). The Level 3 certification
assessment information collection reporting and recordkeeping
requirements are included in the Title 32 program rule except for the
requirement for the OSC to upload the affirmation in SPRS that is
included in the Title 48 acquisition rule. OSCs follow procedures as
defined in 32 CFR 170.18 to prepare for Level 3 certification
assessment. DCMA DIBCAC assessors follow requirements and procedures as
defined in 32 CFR 170.18 to conduct CMMC assessments on defense
contractor information systems to determine conformance with the
information safeguarding requirements associated with CMMC Level 3.
This is an assessment to validate the implementation of the 24 selected
security requirements from NIST SP 800-172. Because DCMA DIBCAC is a
government entity, there are no public information collection
requirements. DCMA DIBCAC must generate and collect pre-assessment and
planning material (contact information for the OSC, information about
the assessors conducting the assessment, the level of assessment
planned, the CMMC Model and Assessment Guide versions, and assessment
approach), artifact information (list of artifacts, hash of artifacts,
and hashing algorithm used), final assessment reports, appropriate CMMC
certificates of assessment, and assessment appeal information. DCMA
DIBCAC submits the data it generates and collects into the CMMC
instantiation of. OSCs may have a POA&M at CMMC Level 3 as addressed in
32 CFR 170.21. DCMA DIBCAC performs a POA&M closeout assessment. The
DCMA DIBCAC process to conduct a POA&M closeout assessment, when
applicable, is the same as the initial assessment with the same
information collection requirements. OSCs must retain artifacts used as
evidence for the assessment for the duration of the validity period of
the certificate of assessment, and at minimum, for six years from the
date of certification assessment as addressed in 32 CFR 170.18(c)(4).
The OSC is responsible for compiling relevant artifacts as evidence and
having knowledgeable personnel available during the assessment.
Assessors will not permanently retain assessment artifacts. To preserve
the integrity of the artifacts reviewed during the assessment, the OSC
creates a hash of assessment evidence (to include a list of the
artifact names, the return values of the hashing algorithm, and the
hashing algorithm used) and retains the artifact information for six
years. The information obtained from the artifacts is an information
collection and DCMA DIBCAC uploads the information into the CMMC
instantiation of eMASS (addressed in a separate CMMC eMASS ICR for the
Title 32 program rule); the artifacts themselves are not an information
collection. If an OSC does not agree with the assessment results, it
may formally dispute the assessment and initiate an Assessment Appeal
process with DCMA DIBCAC. DCMA DIBCAC submits assessment appeals using
eMASS. Appeals are tracked in the CMMC instantiation of eMASS and any
resulting changes to the assessment results are uploaded into CMMC
eMASS. DCMA DIBCAC maintains records for a period of six years of
monitoring, education, training, technical knowledge, skills,
experience, and authorization of each member of its personnel involved
in inspection activities and working papers generated from Level 3
certification assessments.
Accreditation Body and CMMC Assessor and Instructor Certification
Organizations (CAICOs)
The Accreditation Body provides all plans related to potential
sources of revenue, to include but not limited to: fees, licensing,
processes, membership, and/or partnerships to the Government CMMC PMO
as addressed in 32 CFR 170.8(b)(13).
CAICOs maintain records for a period of six years of all
procedures, processes, and actions related to fulfillment of the
requirements set forth in 32 CFR 170.10(b)(9).
Affected Public: Business or other for-profit.
Frequency: On occasion.
Respondent's Obligation: Voluntary.
OMB Desk Officer: Ms. Jasmeet Seehra.
You may also submit comments and recommendations, identified by
Docket ID number and title, by the following method:
Federal eRulemaking Portal: https://www.regulations.gov.
Follow the instructions for submitting comments.
Instructions: All submissions received must include the agency
name, Docket ID number, and title for this Federal Register document.
The general policy
for comments and other submissions from members of the public is to
make these submissions available for public viewing on the internet at
https://www.regulations.gov as they are received without change,
including any personal identifiers or contact information.
DOD Clearance Officer: Mr. Reginald Lucas.
Requests for copies of the information collection proposal should
be sent to Mr. Lucas at whs.mc-alex.esd.mbx.dd-dod-information-collections@mail.mil.
Dated: June 14, 2024.
Aaron T. Siegel,
Alternate OSD Federal Register Liaison Officer, Department of Defense.
[FR Doc. 2024-13464 Filed 6-20-24; 8:45 am]
BILLING CODE 6001-FR-P