Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041), 66327-66338 [2024-18110]
Federal Register / Vol. 89, No. 158 / Thursday, August 15, 2024 / Proposed Rules
(3) Government entities or other entities may file challenges at multiple locations in a single challenge, but each challenge must contain all of the requirements set forth in paragraph (g)(1) of this section.

(4) Once a challenge containing all the required elements is submitted in the online portal, the location shall be identified on the coverage maps as “in dispute/pending resolution.” The Commission shall make public information about the location that is the subject of the challenge, including the street address and/or coordinates (latitude and longitude) and any relevant details concerning the basis for the challenge.

(h) Data retention. Facilities-based providers shall retain the underlying data used to create their biannual Broadband Data Collection submissions (including supporting data) for at least three years after the applicable “as-of” reporting date (i.e., June 30 or December 31). In addition, facilities-based providers shall also retain any and all data related to responses to the data verification efforts set forth in paragraphs (a) through (g) of this section for at least three years from the date the provider receives notice of a challenge, verification inquiry, or initiation of an audit.

■ 6. Amend § 1.7009 by adding paragraph (e) to read as follows:

§ 1.7009 Enforcement.

* * * * *

(e) If, as a result of a verification inquiry or audit performed pursuant to § 1.7006, Commission staff request that a provider submit corrected availability data, and the provider fails to submit corrected data by the required date, then the Office of Economics and Analytics (OEA), in coordination with the Wireless Telecommunications Bureau, Wireline Competition Bureau, or Space Bureau (as appropriate), may remove locations or areas from the availability data published in the National Broadband Map pursuant to 47 U.S.C. 642(c). In such an instance, the BDC system will notify the provider in writing that some or all of its availability data have been altered on or removed from the National Broadband Map. OEA will abstain from altering or removing locations or areas subject to an audit or verification for which the provider has filed an application for review or petition for reconsideration until such time as the Commission rules upon any such application or petition. During this period the locations or areas may be indicated as “in dispute” on the National Broadband Map.

[FR Doc. 2024–16989 Filed 8–14–24; 8:45 am]

BILLING CODE 6712–01–P
DEPARTMENT OF DEFENSE

Defense Acquisition Regulations System

48 CFR Parts 204, 212, 217, and 252

[Docket DARS–2020–0034]

RIN 0750–AK81

Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019–D041)

AGENCY: Defense Acquisition Regulations System, Department of Defense (DoD).

ACTION: Proposed rule.

SUMMARY: DoD is proposing to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to incorporate contractual requirements related to the proposed Cybersecurity Maturity Model Certification 2.0 program rule, Cybersecurity Maturity Model Certification Program. This proposed DFARS rule also partially implements a section of the National Defense Authorization Act for Fiscal Year 2020 that directed the Secretary of Defense to develop a consistent, comprehensive framework to enhance cybersecurity for the U.S. defense industrial base.

DATES: Comments on the proposed rule should be submitted in writing to the address shown below on or before October 15, 2024, to be considered in the formation of a final rule.

ADDRESSES: Submit comments identified by DFARS Case 2019–D041, using either of the following methods:

• Federal eRulemaking Portal: https://www.regulations.gov. Search for DFARS Case 2019–D041. Select “Comment” and follow the instructions to submit a comment. Please include “DFARS Case 2019–D041” on any attached documents.

• Email: osd.dfars@mail.mil. Include DFARS Case 2019–D041 in the subject line of the message.

Comments received generally will be posted without change to https://www.regulations.gov, including any personal information provided. To confirm receipt of your comment(s), please check https://www.regulations.gov, approximately two to three days after submission to verify posting.

FOR FURTHER INFORMATION CONTACT: Ms. Heather Kitchens, telephone 571–296–7152.

SUPPLEMENTARY INFORMATION:

I. Background
DoD is proposing to revise the DFARS to implement the contractual requirements related to the Cybersecurity Maturity Model Certification (CMMC) 2.0 program, published in the Federal Register as a proposed rule affecting 32 CFR part 170 on December 26, 2023, at 88 FR 89058. CMMC 2.0 provides a framework for assessing contractor implementation of cybersecurity requirements and enhancing the protection of unclassified information within the DoD supply chain. This proposed DFARS rule also partially implements section 1648 of the National Defense Authorization Act for Fiscal Year 2020 (Pub. L. 116–92), which directed the Secretary of Defense to develop a consistent, comprehensive framework to enhance cybersecurity for the U.S. defense industrial base no later than February 1, 2020.

On September 29, 2020, an interim rule under DFARS Case 2019–D041, Assessing Contractor Implementation of Cybersecurity Requirements, was published in the Federal Register at 85 FR 61505, effective November 30, 2020. On November 17, 2021, the notice, “Cybersecurity Maturity Model Certification (CMMC) 2.0 Updates and Way Forward” was published in the Federal Register at 86 FR 64100 to suspend the CMMC 1.0 pilot efforts. The purpose of suspending the CMMC 1.0 pilot efforts was to allow for development of CMMC 2.0. On December 26, 2023, DoD published in the Federal Register at 88 FR 89058 a proposed CMMC 2.0 program rule, Cybersecurity Maturity Model Certification Program, to propose the establishment of the CMMC 2.0 program requirements at 32 CFR part 170.
II. Discussion and Analysis

The proposed changes to the existing DFARS language are primarily to: (1) add references to the CMMC 2.0 program requirements proposed at 32 CFR part 170; (2) add definitions for controlled unclassified information (CUI) and DoD unique identifier (DoD UID) to the subpart; (3) establish a solicitation provision and prescription; and (4) revise the existing clause language and prescription.

DoD is implementing a phased rollout of CMMC. Over a three-year period CMMC will be phased in based on the CMMC 2.0 program requirements identified at 32 CFR part 170. The clause at DFARS 252.204–7021, Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirements, is prescribed for use in solicitations and contracts that require the contractor to have a specific CMMC level, including solicitations and contracts using Federal Acquisition Regulation (FAR) part 12 procedures for the acquisition of commercial products and commercial services, excluding acquisitions exclusively for commercially available off-the-shelf (COTS) items. In order to implement the phased rollout of CMMC, inclusion of a CMMC requirement in a solicitation during this time period will be determined by the program office or requiring activity after consulting the CMMC 2.0 requirements at 32 CFR part 170. During the phase-in period, when there is a requirement in the contract for CMMC, CMMC certification requirements must be flowed down to subcontractors at all tiers, when the subcontractor will process, store, or transmit Federal contract information (FCI) or CUI, based on the sensitivity of the unclassified information flowed down to each of the subcontractors in accordance with the proposed CMMC 2.0 requirements to be established at 32 CFR part 170 (see the proposed rule published December 26, 2023, at 88 FR 89058).

After the phase-in period, CMMC will apply to all DoD solicitations and contracts, including those for the acquisition of commercial products or commercial services (except those exclusively for COTS items), valued at greater than the micro-purchase threshold that involve processing, storing, or transmitting FCI or CUI. When a CMMC level is included in the solicitation or contract, contracting officers will not make award, exercise an option, or extend the period of performance on a contract, if the offeror or contractor does not have the results of a current certification or self-assessment for the required CMMC level, and an affirmation of continuous compliance with the security requirements to be identified at 32 CFR part 170, in the Supplier Performance Risk System (SPRS) for all information systems that process, store, or transmit FCI or CUI during contract performance. Furthermore, CMMC certification requirements must be flowed down to subcontractors at all tiers when the subcontractor will process, store, or transmit FCI or CUI, based on the sensitivity of the unclassified information flowed down to each of the subcontractors in accordance with the proposed CMMC 2.0 requirements to be established at 32 CFR part 170 (see 88 FR 89058).
A. Proposed Rule Changes

This proposed rule includes amendments to DFARS 204.7502, Policy. These amendments require at the time of award the results of a current CMMC certificate or CMMC self-assessment, at the level required, for all information systems that process, store, or transmit FCI or CUI during contract performance, when a CMMC level is included in the solicitation.

The proposed rule also adds a requirement at DFARS 204.7503, Procedures, for contracting officers to work with the program office or requiring activity to verify in SPRS, prior to awarding a contract, exercising an option, or when new DoD UIDs are provided, that: (1) the results of a current CMMC certificate or current CMMC self-assessment at the level required by the solicitation, or higher, are posted in SPRS for each DoD UID applicable to each of the contractor information systems that will process, store, or transmit FCI or CUI and that will be used in performance of the contract; and (2) the apparently successful offeror has a current affirmation of continuous compliance with the security requirements identified at 32 CFR part 170 in SPRS for each DoD UID applicable to each of the contractor information systems that process, store, or transmit FCI or CUI and that are used in performance of the contract.

The proposed rule also adds a definition at DFARS 204.7501 for use only in the subpart for the term CUI based on the 32 CFR 2002 definition of CUI. Definitions for current (as it relates to CMMC) and DoD UID are also added.

This proposed rule includes a new DFARS provision, 252.204–7YYY, Notice of Cybersecurity Maturity Model Certification Level Requirements, to provide notice to offerors of the CMMC level required by the solicitation and of the CMMC certificate or self-assessment results that are required to have been posted in SPRS by the apparently successful offeror prior to award, unless electronically posted. Offerors post CMMC Level 1 and Level 2 self-assessments into SPRS. Level 2 certificate assessment results will be electronically transmitted to SPRS by the third-party assessment organization (see the proposed rule published at 88 FR 89058, in the proposed text at 32 CFR 170.17 for details on CMMC Level 2 certification assessment requirements). Level 3 certificate assessment results will be electronically transmitted to SPRS by the DoD assessor (see the proposed rule published at 88 FR 89058, in the proposed text at 32 CFR 170.18 for details on CMMC Level 3 certification requirements).
Apparently successful offerors are also required to provide, at the contracting officer’s request, the DoD UIDs issued by SPRS for the contractor information systems that will process, store, or transmit FCI or CUI during contract performance. SPRS will issue DoD UIDs to offerors in connection with their CMMC self-assessments and CMMC certificates. Apparently successful offerors will need to specify which DoD UIDs are applicable to the contractor information systems that will process, store, or transmit FCI or CUI during contract performance.

This proposed rule at DFARS 204.7504 adds the prescription for the new DFARS solicitation provision, 252.204–7YYY, Notice of Cybersecurity Maturity Model Certification Level Requirements. DFARS 252.204–7YYY is prescribed for use in solicitations that include the clause at 252.204–7021. The provision includes language identifying the CMMC level required for the contract and notifies offerors that the apparently successful offeror will not be eligible for award of a contract, task order, or delivery order resulting from the solicitation in which the provision appears, if the apparently successful offeror does not have the results of a current CMMC certificate or self-assessment entered in SPRS (https://piee.eb.mil) at the CMMC level required by the provision and an affirmation of continuous compliance with the security requirements identified at 32 CFR part 170 in SPRS for each of the contractor information systems that process, store, or transmit FCI or CUI and that are used in performance of the contract.

This proposed rule includes changes to the clause at DFARS 252.204–7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement, to:

• Add definitions at paragraph (a) for Cybersecurity Maturity Model Certification, current (as it relates to CMMC), and DoD UID, and remove the scope statement.

• Require the contractor to have and maintain the requisite CMMC level for the life of the contract.

• Require the contractor to submit to the contracting officer the DoD UID(s) issued by SPRS for contractor information systems that will process, store, or transmit FCI or CUI during performance of the contract.
• Require the contractor to complete and maintain on an annual basis, or when security changes occur, the affirmation of continuous compliance with the security requirements identified at 32 CFR part 170. The affirmation of continuous compliance is made by a senior company official (see definition of “senior company official” at 32 CFR 170.4 in the proposed rule published at 88 FR 89058) to affirm that its CMMC self-assessment or CMMC certification for each DoD UID applicable to the contractor information systems that process, store, or transmit FCI or CUI during contract performance remains current and the information system(s) covered by the CMMC self-assessment or CMMC certificate continue to be in compliance with the security requirements identified at 32 CFR 170.

• Require the contractor to notify the contracting officer of any changes in the contractor information systems that process, store, or transmit FCI or CUI during contract performance and to provide the corresponding DoD UIDs for those contractor information systems to the contracting officer. The contractor is required to provide the DoD UIDs to the contracting officer so the Government can review associated CMMC certificate or CMMC self-assessment results and contractor affirmations of continued compliance in SPRS for those additional contractor information systems.

• Require the contractor to ensure that its subcontractors also have the appropriate CMMC level prior to awarding a subcontract or other contractual instruments. This requirement is included in the clause at DFARS 252.204–7021, paragraph (d), which tells contractors when to flow the clause down to subcontractors.

• Require the contractor to include the requirements of the clause in subcontracts or other contractual instruments. The purpose of the clause is to ensure suppliers at all tiers are in compliance with the security requirements identified at 32 CFR part 170 when there is a requirement for CMMC in the contract, if applicable based on the information that is being flowed down. The CMMC program requirements related to the CMMC level required for suppliers are based on the information that is being flowed down, and those requirements are defined in the Title 32 CFR CMMC Program proposed rule.

The proposed rule also adds language to the clause at DFARS 252.204–7021 to incorporate a requirement for contractors to only transmit data on information systems that process, store, or transmit FCI or CUI during contract performance that have a certification at the CMMC level required by the contract. In addition, the contractor will be required to notify the contracting officer if there are any lapses or changes in CMMC certification levels that affect the requirements for information security during contract performance. The clause will also include language identifying the CMMC level required by the contract.
This proposed rule also includes revisions to the clause prescription at DFARS 204.7504 to apply the clause at DFARS 252.204–7021 to solicitations and contracts, task orders, or delivery orders that require the contractor to have a specific CMMC level, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial products and commercial services, except for solicitations and contracts solely for the acquisition of COTS items.

DoD considered three alternatives for the timing of the requirement to achieve a CMMC 2.0 level certification in the development of this proposed rule, weighing the benefits and risks associated with requiring CMMC 2.0 level certification: (1) at time of proposal submission; (2) at time of award; or (3) after contract award. DoD ultimately adopted the second alternative to require certification at the time of award. The drawback of the first alternative (i.e., at time of proposal submission) is the increased risk for offerors since they may not have sufficient time to achieve the required CMMC certification. The drawback of the third alternative (i.e., after contract award) is the increased risk to DoD with respect to the schedule and uncertainty due to the possibility that the contractor may be unable to achieve the required CMMC level in a reasonable amount of time given their current cybersecurity posture. This potential delay would apply to the entire supply chain and prevent the appropriate flow of FCI and CUI to the contractor and subcontractors.

This proposed rule also includes the following conforming changes:

• Makes references to the CMMC 2.0 program requirements by incorporating the citation for 32 CFR part 170 throughout the text of the proposed rule.

• Amends the list in DFARS 212.301 of solicitation provisions and contract clauses that are applicable for the acquisition of commercial products and commercial services to include the new provision at DFARS 252.204–7YYY, Notice of Cybersecurity Maturity Model Certification Level Requirements. The clause at DFARS 252.204–7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirements, is already included in this list from the prior interim rule under this DFARS Case 2019–D041.

• Amends DFARS 217.207, Exercise of Options, to advise contracting officers that when CMMC is required in the contract, an option may only be exercised after verifying in SPRS that the contractor has the required affirmation(s) of continuous compliance with the security requirements identified at 32 CFR part 170 and has posted the results of a current CMMC certificate or CMMC self-assessment at the level required by the contract, or higher. The text refers contracting officers to DFARS 204.7503(c) for complete details regarding these requirements.
B. Analysis of Public Comments in Response to the Interim Rule

This proposed rule follows the publication of an interim rule under this DFARS Case 2019–D041, which received over 750 public comments. Although this proposed rule does not finalize the interim rule, it responds to the public comments received and anticipates that these responses will facilitate the public’s understanding of this proposed rule. Only comments submitted in response to the interim rule as it relates to the contractual requirements are discussed below. The technical and programmatic comments on CMMC 1.0 are being handled in the CMMC program rule affecting 32 CFR part 170. In addition to technical and programmatic comments, the comments related to the CMMC cost analysis are also being addressed under the CMMC program rule affecting 32 CFR part 170. It should also be noted that any comments related to the National Institute of Standards and Technology (NIST) Special Publication (SP) 800–171 DoD Assessment methodology will be addressed under a separate DFARS Case 2022–D017, NIST SP 800–171 DoD Assessment Requirements. A discussion of the comments is provided as follows:

1. Small Business Impact

Comment: Several respondents requested more information on the impact to small entities from CMMC.

Response: As described in the regulatory flexibility analysis in section VI of this preamble, the phased roll-out of CMMC over three years is intended to mitigate the impact of CMMC on contractors including small entities and is only expected to apply to 1,104 small entities in year one. In addition, the provision and clause in this proposed rule exempt contracts that are exclusively for COTS items.

2. Requirement for CMMC

Comment: Several respondents inquired about how contractors will know there is a requirement to have CMMC certification.

Response: As stated in this proposed rule, if there is a requirement for a specific CMMC level, the CMMC requirement will be identified in the DFARS solicitation provision 252.204–7YYY, Notice of Cybersecurity Maturity Model Certification Level Requirements. In addition, the DFARS contract clause 252.204–7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirements, will be included in the contract.

3. CMMC Application to Other Transaction Agreements (OTAs)

Comment: Many respondents asked whether CMMC will apply to OTAs.

Response: Applicability to OTAs is outside the scope of this DFARS rule, as the DFARS does not provide coverage of OTA requirements. If the program office or requiring activity identifies a need to include a CMMC requirement in an OTA, it will be included in the solicitation and resulting agreement.

4. Application to Foreign Suppliers for CMMC

Comment: Many respondents commented on whether CMMC will apply to foreign suppliers.

Response: If the program office or requiring activity identifies a need to include a CMMC requirement in a contract, it will be included in the solicitation and resulting contract unless the contract is exclusively for COTS items. The proposed rule does not exempt foreign suppliers from CMMC requirements.

5. CMMC and NIST SP 800–171 DoD Assessment Requirements

Comment: Many respondents questioned how CMMC and the NIST SP 800–171 requirements will interact and if one requirement will be used for the other.

Response: As described in the interim rule at DFARS 204.7501(c), the CMMC assessments will not duplicate efforts from any other comparable DoD assessment, except for rare circumstances when a reassessment may be necessary, for example, when there are indications of issues with cybersecurity and/or compliance with CMMC requirements.

6. CMMC Application to Broad Agency Announcements (BAAs)

Comment: Many respondents inquired whether CMMC will apply to BAAs.

Response: If the program office or requiring activity identifies a need to include a CMMC requirement in a contract, it will be included in the solicitation and resulting contract. The proposed rule prescribes the CMMC clause at 252.204–7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirements, for use in solicitations and contracts, task orders, and delivery orders that require the contractor to have a specific CMMC level, including those using FAR part 12 procedures for the acquisition of commercial products and commercial services, except those solely for the acquisition of COTS items.
7. Duplication of DFARS Clause 252.204–7012 and DFARS Clause 252.204–7021

Comment: A respondent commented on whether DFARS clause 252.204–7012 and DFARS clause 252.204–7021 duplicate one another.

Response: These clauses are not duplicative as they have distinct purposes. DFARS clause 252.204–7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, levies cybersecurity requirements on contractors, and DFARS clause 252.204–7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirements, levies a requirement for an assessment of how well a contractor is meeting those cybersecurity requirements specified in 252.204–7012.

8. Uniform Definition of CUI

Comment: A respondent commented that there should be a uniform definition of CUI.

Response: This proposed rule adds a definition for use in subpart 204.75 for the term “controlled unclassified information.” The definition is based on the definition of CUI at 32 CFR 2002.

9. Uniformity and Consistency

Comment: Many respondents commented that the final rule should provide uniformity and consistency.

Response: This proposed rule does not conflict with other regulations.

10. Applicability to Contracts at or Below the Simplified Acquisition Threshold

Comment: Many respondents commented that there should be clarification as to whether this rule applies to contracts at or below the simplified acquisition threshold.

Response: As described in section III of this preamble, this proposed rule applies to contracts at or below the simplified acquisition threshold, but not to purchases at or below the micro-purchase threshold.

11. Expected Cost Impact and Benefits

Comment: Several respondents commented that the interim rule for 2019–D041 had a cost analysis that lacked a basis for the analysis.

Response: The Regulatory Impact Analysis associated with this proposed rule only includes a cost analysis of the contractual requirements associated with this proposed rule. The rule for the CMMC Program affecting 32 CFR part 170 contains the expected cost impact and benefits of technical requirements associated with CMMC. Any comments on the cost estimates of technical or programmatic requirements related to the CMMC Program should be directed to the proposed rule affecting 32 CFR part 170.

12. Applicability to COTS—Define Exclusively COTS

Comment: Many respondents commented that there needs to be a definition for “exclusively COTS”.

Response: As described in this preamble, this proposed rule does not apply to awards that are exclusively for COTS items. The term “commercially available off-the-shelf (COTS) item” is defined at FAR 2.101, so any awards that are exclusively for items falling within that FAR definition would be considered “exclusively COTS” awards.

13. Timing of CMMC Certification

Comment: Many respondents recommended that the CMMC certification timing be delayed until after award, or that it should be made more flexible.

Response: The CMMC policy identified in the CMMC 2.0 proposed rule affecting 32 CFR part 170 (published December 26, 2023, at 88 FR 89058) establishes that CMMC certification and CMMC self-assessments are required at the time of award.

14. Prime Contractor Validation of Subcontractor CMMC Level

Comment: Many respondents commented that there should be a way for prime contractors to validate subcontractor CMMC certificates and CMMC self-assessments.

Response: There is not currently a tool established that would allow sharing of subcontractor information with prime contractors electronically. Prime contractors are expected to work with their suppliers to conduct verifications as they would under any other clause requirement that applies to subcontractors.
15. Cost Allowability
Comment: Many respondents
commented that the DFARS rule should
specify whether costs for CMMC are
allowable costs.
Response: Cost allowability
requirements are described at FAR
31.201–2, Determining allowability.
16. Clause Applicability Overly Broad
Comment: Many respondents
commented that the clause applicability
is overly broad.
Response: In this proposed DFARS
rule, the applicability of the clause has
been narrowed to apply only when there
is a requirement in the solicitation for
the contractor to have a specific CMMC
level.
17. Application to Plain Old Telephone
Service (POTS)
Comment: One respondent asked if
handling CUI under a POTS contract
would trigger the requirements of
DFARS 252.204–7012.
Response: The requirements under
252.204–7012, Safeguarding Covered
Defense Information and Cyber Incident
Reporting, are triggered when the
contractor processes, stores, or transmits
CUI on a covered contractor information
system (the contractor’s internal
information system). Common carrier
telecommunications circuits or POTS
would not normally be considered part
of the covered contractor information
system processing FCI or CUI. Data
traversing common carrier systems
should be separately encrypted per
NIST SP 800–171 requirement 3.13.8.
Contracts with common carriers to
provide telecommunications services
may include DFARS clause 252.204–
7012, Safeguarding Covered Defense
Information and Cyber Incident
Reporting, but should not be interpreted
to imply the common carrier
telecommunications systems themselves
have to meet the DFARS requirements.
khammond on DSKJM1Z7X2PROD with PROPOSALS
18. Joint Ventures
Comment: Many respondents
commented on how to handle CMMC
certifications and CMMC selfassessments under joint ventures.
Response: Each individual entity that
has a requirement for CMMC would be
required to comply with the
requirements related to the individual
entity’s information systems that
VerDate Sep<11>2014
16:59 Aug 14, 2024
Jkt 262001
66331
process, store, or transmit FCI or CUI
during contract performance.
19. Training on Marking CUI
Comment: Many respondents
commented that DoD should train
personnel on marking CUI and
recommended that agencies do a better
job of marking CUI.
Response: This comment is outside of
the scope of this rule.
20. Clarification of How CMMC Applies
to Information Systems
Comment: Many respondents
commented that clarification is needed
regarding how CMMC is applied to
information systems.
Response: As described in this
proposed rule, if there is a requirement
for CMMC, then it applies to all
information systems that process, store,
or transmit FCI or CUI in performance
of the contract.
21. Fundamental Research
Comment: Many respondents
commented that clarification is needed
regarding whether CMMC applies to
fundamental research.
Response: Fundamental research, as
defined in National Security Decision
Directive (NSDD) 189, is published and
broadly shared within the scientific
community and, as such, cannot be
safeguarded as either FCI or CUI;
however, if fundamental research has
the potential to become CUI, it would be
subject to the requirements of CMMC.
22. Clause Fill-In With CMMC Level
Comment: One respondent requested
that the clause contain a fill-in with the
CMMC level requirement.
Response: In this proposed rule, the
CMMC level requirement will be
included in the solicitation provision at
252.204–7YYY, Notice of Cybersecurity
Model Certification Level Requirements
and in the contract clause at 252.204–
7021.
23. Application of CMMC to Non-COTS
Item Contracts With No FCI or CUI
Involved
Comment: Many respondents
commented that it appears the CMMC
clause would be included in non-COTS
item contracts with no FCI or CUI
involved at the prime contractor and
subcontractor levels.
Response: The proposed rule
prescribes the CMMC clause for use
only in solicitations and contracts that
require the contractor to have a specific
CMMC level. Contracts that are
exclusively for COTS items and
purchases at or below the micro-purchase threshold will not have a
requirement for the contractor to have a
specific CMMC level.
24. Application of CMMC Clause to
Service Contracts and Non-Defense
Contracts
Comment: One respondent
commented on whether the CMMC
clause will be included in services
contracts and non-defense contracts.
Response: The proposed rule
proposes to amend the DFARS, so this
proposed rule only includes changes to
the requirements for DoD. A services
contract may have a requirement for
CMMC.
25. Definition of ‘‘Contractor
Information System Relevant to the
Contract/Offer’’
Comment: Many respondents
requested clarification of the phrase,
‘‘contractor information system relevant
to the contract/offer’’.
Response: The proposed rule includes
language that clarifies that contractor
information systems relevant to the
contract or offer are contractor
information systems that process, store,
or transmit FCI or CUI during
performance of the contract.
26. Effective Date of CMMC Clause for
Contracts and Applicability to
Modifications
Comment: Many respondents
requested clarification on the effective
date of the CMMC clause and
applicability to modifications.
Response: The proposed rule includes
amendments to the DFARS that will not
take effect until a final rule is issued.
Therefore, the effective date of the
clause would be the effective date
specified in the final rule. The clause
will only be included in solicitations
issued on or after the effective date of
the final rule and any resulting
contracts, unless the contracting officer
makes a decision to include the clause
in a solicitation issued prior to the
effective date of the final rule, provided
that any resulting contracts are awarded
on or after the effective date of the final
rule. Contracting officers have the
discretion to bilaterally incorporate the
clause in contracts in effect prior to the
effective date of the clause, with
appropriate consideration. See FAR
1.108(d).
27. Determining CMMC Level for
Subcontracts
Comment: Many respondents
commented that there should be
clarification regarding how to determine
the required CMMC level for
subcontracts.
Response: In determining a CMMC
level appropriate for the information
being flowed down to subcontractors,
see the proposed rule affecting 32 CFR
part 170 published in the Federal
Register on December 26, 2023, at 88 FR
89058.
28. Proliferation of Component-Unique
Security Requirements
Comment: Many respondents
commented that it appeared there was a
proliferation of component-unique
security requirements.
Response: While the comment is
noted, the comment is outside of the
scope of this proposed rule.
29. Reflecting CMMC Levels in SAM.gov
for Prime Contractor Verification of
Subcontractors
Comment: One respondent
recommended reflecting CMMC levels
in SAM.gov for prime contractor
verification of the subcontractors.
Response: The CMMC Program
proposed rule affecting 32 CFR part 170
has identified that SPRS is the
repository for CMMC certificates and
self-assessment information at present.
Contractors will only be able to access
their own CMMC certificate and self-assessment information.
30. Training Contracting Officers
Comment: Many respondents
commented that it would be helpful to
train contracting officers on how to
appropriately identify contracts for
inclusion of the DFARS clause at
252.204–7021, Contractor Compliance
with the Cybersecurity Maturity Model
Certification Level Requirements.
Response: As with any clause,
contracting officers will follow the
prescription language in determining
when to include a contract clause.
31. Vendor Description of CMMC Queue
in Response to Proposals
Comment: One respondent
commented recommending that an
offeror should be able to share where
they are in the queue for a CMMC
assessment and be allowed to have a
late submission of their CMMC
certification.
Response: The CMMC Program
policy, in the proposed rule affecting 32
CFR part 170, is to require a CMMC
certification or CMMC self-assessment
at the time of award if there is a
requirement for CMMC under the
contract.
32. Define ‘‘Certification’’
Comment: A respondent commented
that the term ‘‘certification’’ should be
defined.
Response: The term ‘‘certification’’
referenced in this proposed rule relates
to the Cybersecurity Maturity Model
Certification.
33. Defense Industrial Base
Cybersecurity Assessment Center
(DIBCAC) Assessment Reciprocity
Comment: Several respondents asked
for clarification on reciprocity between
CMMC certification and Defense
Contract Management Agency DIBCAC
assessments.
Response: As described in the interim
rule at DFARS 204.7501(c), the CMMC
assessments will not duplicate efforts
from any other comparable DoD
assessment, except for rare
circumstances when a reassessment may
be necessary, for example, when there
are indications of issues with
cybersecurity and/or compliance with
CMMC requirements.
34. Clearance Procedures for Interim
Rule
Comment: A respondent asked what
clearance procedures were bypassed to
allow for the emergency processing of
the previously published interim rule.
Response: Clearance procedures were
not bypassed in the emergency
processing of the previously published
interim rule under this DFARS Case
2019–D041. As described in section IX
of the preamble for the interim rule, a
determination was made pursuant to 41
U.S.C. 1707(d) and FAR 1.501–3(b) to
issue the interim rule.
35. Recommend Opening a DFARS
Procedures, Guidance, and Information
(PGI) Case
Comment: One respondent
recommended that a PGI case should be
opened to provide procedures,
guidance, and information to the
workforce related to CMMC.
Response: At present, the
requirements in the proposed rule are
simply for contracting officers to
include the provision and clause as
prescribed. Any additional guidance
would be for the program office and
requiring activity community. Such
guidance would not be added to the
DFARS PGI, which speaks to
contracting officers.
36. Existence of the Clause as an
Indication of the Presence of CUI
Comment: Several respondents asked
for clarification on whether the presence
of the clause at 252.204–7021 means
that CUI will be used in performance of
the contract.
Response: CMMC also applies to FCI,
so the existence of the clause at
252.204–7021, Contractor Compliance
with the Cybersecurity Maturity Model
Certification Level Requirements, does
not automatically mean that there is CUI
that will be processed, stored, or
transmitted in the performance of the
contract.
37. Application of the Clause to
Government Furnished Equipment
(GFE)
Comment: One respondent requested
clarification on whether the clause will
apply to GFE or GFE in a test
environment.
Response: If the program office or
requiring activity includes a
requirement in the solicitation and
resulting contract for the contractor to
have a specific CMMC level, then the
clause would apply.
38. Other Contractual Instruments
Comment: A respondent commented
that there should be a definition in the
DFARS of ‘‘other contractual
instruments’’.
Response: ‘‘Other contractual
instruments’’ are agreements with
vendors or suppliers that are not
considered subcontracts. The term has
been used in the DFARS for years and
is well understood.
39. Source Selections
Comment: A respondent requested
information on how CMMC applies to
source selections.
Response: Proposed changes to
DFARS 204.7503 require that
contracting officers shall not award a
contract, task order, or delivery order to
an offeror that does not have a current
CMMC certificate or self-assessment at
the level required by the solicitation. If
CMMC is included in a solicitation, it is
also included as a contract requirement.
III. Applicability to Contracts at or
Below the Simplified Acquisition
Threshold (SAT), for Commercial
Products (Including COTS Items), and
for Commercial Services
This proposed rule amends the clause
at DFARS 252.204–7021, Contractor
Compliance with the Cybersecurity
Maturity Model Certification Level
Requirements, as well as the
prescription at DFARS 204.7504(a). The
clause is prescribed for use in
solicitations and contracts, task orders,
or delivery orders, that require the
contractor to have a specific CMMC
level, including solicitations and
contracts using FAR part 12 procedures
for the acquisition of commercial
products and commercial services,
except for solicitations and contracts
solely for the acquisition of COTS items.
This proposed rule includes a new
provision, DFARS 252.204–7YYY,
Notice of Cybersecurity Maturity Model
Certification Level Requirements. The
provision is prescribed at DFARS
204.7504(b) for use in solicitations that
include the clause at DFARS 252.204–
7021.
DoD intends to apply the provision
and clause to contracts and subcontracts
valued at or below the SAT but greater
than the micro-purchase threshold, for
the acquisition of commercial products
excluding COTS items, and for the
acquisition of commercial services.
A. Applicability to Contracts at or Below
the Simplified Acquisition Threshold
41 U.S.C. 1905 governs the
applicability of laws to contracts or
subcontracts in amounts not greater
than the simplified acquisition
threshold. It is intended to limit the
applicability of laws to such contracts or
subcontracts. 41 U.S.C. 1905 provides
that if a provision of law contains
criminal or civil penalties, or if the
Federal Acquisition Regulatory Council
makes a written determination that it is
not in the best interest of the Federal
Government to exempt contracts or
subcontracts at or below the SAT, the
law will apply to them. The Principal
Director, Defense Pricing, Contracting,
and Acquisition Policy (DPCAP), is the
appropriate authority to make
comparable determinations for
regulations to be published in the
DFARS, which is part of the FAR system
of regulations. DoD does intend to make
that determination. Therefore, this
proposed rule will apply at or below the
simplified acquisition threshold.
B. Applicability to Contracts for the
Acquisition of Commercial Products
Including COTS Items and for the
Acquisition of Commercial Services
10 U.S.C. 3452 exempts contracts and
subcontracts for the acquisition of
commercial products including COTS
items, and commercial services from
provisions of law enacted after October
13, 1994, unless the Under Secretary of
Defense (Acquisition and Sustainment)
(USD(A&S)) makes a written
determination that it would not be in
the best interest of DoD to exempt
contracts for the procurement of
commercial products and commercial
services from the applicability of the
provision or contract requirement,
except for a provision of law that—
• Provides for criminal or civil
penalties;
• Requires that certain articles be
bought from American sources pursuant
to 10 U.S.C. 4862, or that strategic
materials critical to national security be
bought from American sources pursuant
to 10 U.S.C. 4863; or
• Specifically refers to 10 U.S.C. 3452
and states that it shall apply to contracts
and subcontracts for the acquisition of
commercial products (including COTS
items) and commercial services.
The statute implemented in this
proposed rule does not impose criminal
or civil penalties, does not require
purchase pursuant to 10 U.S.C. 4862 or
4863, and does not refer to 10 U.S.C.
3452. Therefore, section 1648 of the
NDAA for FY 2020 will not apply to the
acquisition of commercial services or
commercial products including COTS
items unless a written determination is
made. Due to delegations of authority,
the Principal Director, DPCAP is the
appropriate authority to make this
determination. DoD intends to make
that determination to apply this statute
to the acquisition of commercial
products excluding COTS items and to
the acquisition of commercial services.
Therefore, this proposed rule will apply
to the acquisition of commercial
products excluding COTS items and to
the acquisition of commercial services.
C. Determinations
Given that the requirements of section
1648 of the NDAA for FY 2020 were
enacted to promote protection of FCI
and CUI that will be processed, stored,
or transmitted on contractor information
systems, and since FCI and CUI may be
processed, stored, or transmitted on
contractor information systems in the
performance of contracts or orders
valued below the simplified acquisition
threshold and when the Federal
Government is procuring commercial
products and commercial services, it is
in the best interest of the Federal
Government to apply the statute to
contracts for the acquisition of
commercial services and commercial
products, excluding COTS items, as
defined at FAR 2.101. An exception for
contracts for the acquisition of
commercial services and commercial
products, excluding COTS items, would
exclude the contracts intended to be
covered by the law, thereby
undermining the overarching public
policy purpose of the law.
IV. Expected Impact of the Rule
A. Background
DoD is proposing to amend the
DFARS to implement the contractual
requirements related to the DoD policy
for CMMC 2.0 (see the proposed rule
affecting 32 CFR 170, published in the
Federal Register December 26, 2023, at
88 FR 89058). CMMC 2.0 self-assessments and certificates assess a
contractor’s compliance with certain
information system security
requirements. Pursuant to the DoD
policy in the CMMC 2.0 proposed rule,
the CMMC level requirements apply to
every contractor information system that
will process, store, or transmit Federal
contract information (FCI) or controlled
unclassified information (CUI).
DoD is proposing to amend the
DFARS to include the following
solicitation and contractual
requirements related to the CMMC 2.0
policy:
• Offeror and contractor requirement
to post the results of a CMMC 2.0 Level
1 or Level 2 self-assessment to the
Supplier Performance Risk System
(SPRS) prior to award, exercise of an
option, or extension of a period of
performance, if not already posted.
• Contractor requirement to maintain
the required CMMC self-assessment or
certificate level for the life of the
contract.
• Contractor requirement to complete
a contractor senior company official
affirmation of continuous compliance
with the security requirements
identified at 32 CFR part 170 in SPRS
for each DoD unique identifier (UID)
applicable to each of the contractor
information systems that will process,
store, or transmit FCI or CUI and that
will be used in performance of the
contract on an annual basis, or when
CMMC 2.0 compliance status changes
occur.
• Apparently successful offeror and
contractor requirement to identify the
contractor information systems that will
be used to process, store, or transmit FCI
or CUI in performance of the contract
prior to award, exercise of an option, or
extension of any period of performance,
by providing to the Government the
DoD UIDs generated by SPRS.
The costs associated with the
technical completion of the CMMC 2.0
certifications and self-assessments are
included in the CMMC 2.0 proposed
rule affecting title 32 CFR.
B. Summary of Impact
This proposed DFARS rule will
impact certain contracts during a
phased-in, three-year implementation
period. Afterwards, the requirements
will apply to all contracts for which the
contractor will process, store, or
transmit FCI or CUI on contractor
information systems during the
performance of the contract, except for
contracts solely for the acquisition of
commercially available off-the-shelf
(COTS) items.
For the first three years after the
effective date of the final rule, the
information collection requirements
will only impact an offeror or contractor
when the solicitation or contract
requires an offeror or contractor to have
a specific CMMC level, based on a
phased rollout plan, including
solicitations and contracts using Federal
Acquisition Regulation (FAR) part 12
procedures for the acquisition of
commercial products and commercial
services, except for solicitations and
contracts solely for the acquisition of
COTS items.
By the fourth year, the information
collection requirements in the
solicitation provision and contract
clause will impact solicitations and
contracts, task orders, or delivery
orders, including solicitations and
contracts using FAR part 12 procedures
for the acquisition of commercial
products and commercial services,
when there will be a requirement under
the contract to process, store, or
transmit FCI or CUI, except for
solicitations and contracts solely for the
acquisition of COTS items.
Since DoD does not track awards that
may include FCI or CUI, DoD assumes
the number of impacted awardees in
Year 4 and beyond will be the average
number of entities in the Electronic Data
Access (EDA) system from fiscal year
(FY) 2021 through FY 2023 with awards
containing the clause at DFARS
252.204–7012, Safeguarding Covered
Defense Information and Cyber Incident
Reporting, or 29,543 entities, of which
20,395 (69 percent) are small
businesses. DoD also assumes that
offerors or contractors with a
requirement for CMMC in contracts will
have on average 5 contractor
information systems that will be used to
process, store, or transmit FCI or CUI in
performance of the contract.
For each of the information systems
that will process, store, or transmit FCI
or CUI, DoD assumes it will take offerors
and contractors—
• An estimated 5 minutes to post the
results of the CMMC self-assessments in
SPRS;
• An estimated 5 minutes to complete
the required affirmation in SPRS; and
• An estimated 5 minutes to retrieve
DoD UIDs in SPRS for the information
systems that will be used in
performance of the contract and to
submit the DoD UIDs to the
Government.
For the Government, DoD assumes it
will take—
• An estimated 5 minutes to validate
the existence of the correct level and
currency of a CMMC certification or
CMMC self-assessment results
associated with offeror DoD UIDs in
SPRS for the apparently successful
offeror prior to award and for the
contractor prior to exercising an option
or extending any period of performance;
• An estimated 5 minutes to validate
the existence of an affirmation that is
current for each of the contractor
information systems that will process,
store, or transmit FCI or CUI; and
• An estimated 5 minutes to validate
the existence of the correct level and
currency of a CMMC certification or
CMMC self-assessment and affirmation
associated with contractor DoD UIDs in
SPRS, when there are changes in the
information systems during contract
performance.
The primary cost impact of this
proposed rule is that apparently
successful offerors for contracts that
include a CMMC requirement will now
be required to conduct the cost activities
described below in accordance with the
provision at DFARS 252.204–7YYY,
Notice of Cybersecurity Maturity Model
Certification Level Requirement, and the
clause at DFARS 252.204–7021,
Cybersecurity Maturity Model
Certification Requirements.
The benefits of this proposed rule
include verification of a defense
industrial base (DIB) contractor’s
implementation of system security
requirements. The clause at DFARS
252.204–7012, Safeguarding Covered
Defense Information and Cyber Incident
Reporting, does not provide for the DoD
verification of a DIB contractor’s
implementation of the security
requirements specified in National
Institute of Standards and Technology
(NIST) Special Publication (SP) 800–171
prior to contract award. CMMC adds the
element of verification of a DIB
contractor’s cybersecurity through the
use of accredited third-party assessors.
This proposed rule provides increased
assurance to DoD that a DIB contractor
can adequately protect sensitive
unclassified information such as CUI at
a level commensurate with the risk,
accounting for information flow down
to its subcontractors in a multi-tier
supply chain.
Another benefit of this proposed rule
is that it supports the protection of
intellectual property and sensitive
information from malicious activity that
has a significant impact on the U.S.
economy and national security. While
there is not enough information to be
able to estimate the benefits of this rule
at this time, DoD assumes there will be
a benefit from reducing the threat of
malicious cyber activity. The Council of
Economic Advisors estimates that
malicious cyber activity cost the U.S.
economy between $57 billion and $109
billion in 2016. Over a ten-year period,
that burden would equate to an
estimated $512 billion to $979 billion in
costs at a 2 percent discount rate.
The following is a summary of the
estimated public and Government costs
calculated over a 10-year period at a 2
percent discount rate:

Summary             Public          Government      Total
Present Value       $40,687,957     $25,237,882     $65,925,839
Annualized Costs    4,529,649       2,809,646       7,339,295

Public comments are solicited on this
analysis of the estimated burden of the
proposed rule.
V. Executive Orders 12866 and 13563
Executive Orders (E.O.s) 12866 and
13563 direct agencies to assess all costs
and benefits of available regulatory
alternatives and, if regulation is
necessary, to select regulatory
approaches that maximize net benefits
(including potential economic,
environmental, public health and safety
effects, distributive impacts, and
equity). E.O. 13563 emphasizes the
importance of quantifying both costs
and benefits, of reducing costs, of
harmonizing rules, and of promoting
flexibility. This is a significant
regulatory action and, therefore, was
subject to review under section 6(b) of
E.O. 12866, Regulatory Planning and
Review, as amended.
VI. Regulatory Flexibility Act
DoD does not expect this proposed
rule, when finalized, to have a
significant economic impact on a
substantial number of small entities
within the meaning of the Regulatory
Flexibility Act, 5 U.S.C. 601, et seq.
However, an initial regulatory flexibility
analysis has been performed and is
summarized as follows:
This proposed rule is necessary to
respond to the threat to the U.S.
economy and national security posed by
ongoing malicious cyber activities
designed to steal hundreds of billions of
dollars of U.S. intellectual property.
This proposed rule includes the
following requirements for apparently
successful offerors responding to a
solicitation, and contractors awarded
contracts, containing a requirement for
CMMC: (1) post in SPRS the results of
a current CMMC certificate or current
CMMC self-assessment at the level
required by the solicitation, or higher,
for each DoD UID applicable to each of
the contractor information systems that
will process, store, or transmit FCI or
CUI and that will be used in
performance of the contract and
maintain the CMMC level for the life of
the contract; (2) provide the DoD UID(s)
applicable to each of those contractor
information systems to the contracting
officer and provide updates, if
applicable; and (3) have a current
affirmation of continuous compliance
with the security requirements
identified at 32 CFR part 170 in SPRS
for each DoD UID applicable to each of
those contractor information systems.
These requirements apply to apparently
successful offerors with a CMMC
requirement in solicitations prior to
award and to contractors with a CMMC
requirement in contracts prior to
exercising an option.
The proposed rule has two objectives.
One objective is to provide DoD with
assurances that a defense industrial base
contractor can adequately protect
sensitive unclassified information at a
level commensurate with the risk,
accounting for information shared with
its subcontractors in a multi-tier supply
chain. Another objective is to partially
implement section 1648 of the NDAA
for FY 2020. The legal basis for the rule
is 41 U.S.C. 1303 and section 1648 of
the NDAA for FY 2020.
Given the enterprise-wide
implementation of CMMC, DoD
developed a three-year phased rollout
strategy. The rollout is intended to
minimize both the financial impacts to
the industrial base, especially small
entities, and disruption to the existing
DoD supply chain. Upon completion of
the phased implementation, this rule
will impact all small entities awarded
contracts with DoD, except those
providing only COTS items and those
that do not handle FCI or CUI. The
estimated number of small entities to
which the rule will apply in year one is
1,104.
By the fourth year, all entities
receiving DoD contracts and orders that
have contractor information systems
that will process, store, or transmit FCI
or CUI and that will be used in
performance of the contract or order,
other than contracts or orders
exclusively for COTS items, will be
required to have, at minimum, a CMMC
Level 1 self-assessment or the CMMC
Level identified in the solicitation and
resulting contract, as appropriate for the
type of information being handled
under the contract. As described
previously, it should be noted that this
requirement does not apply to awards
that do not involve the handling or
transmission of FCI or CUI. By year four,
the total estimated number of small
entities to which the rule will apply will
be 60,783.
During the first three years of the
phased rollout, the CMMC requirement
will be included only in certain
contracts for which the CMMC Program
Office directs DoD component program
offices to include a CMMC requirement.
After three years, DoD component
program offices will be required to
include a requirement for CMMC in
solicitations and contracts that will
require the contractor to process, store,
or transmit FCI or CUI on contractor
information systems during contract
performance. Not every contractor will
be awarded a contract in Year 4, so it
will take several years for every
contractor in the defense industrial base
to be awarded a contract containing a
requirement for CMMC. DoD does not
track how many years it takes for every
contractor to be awarded a DoD
contract, so DoD assumes this will occur
over a period of several years.
Based on data from the Electronic
Data Access system for FY 2021 through
FY 2023, the number of unique entities
with contracts containing the clause at
DFARS 252.204–7012, Safeguarding
Covered Defense Information and Cyber
Incident Reporting, is 29,543, of which
20,395 (69 percent) are small entities.
Therefore, DoD estimates that in Year 4
and beyond, approximately 20,395
small entities will be impacted per year.
DoD anticipates that the following mix
of self-assessments and certificates will
occur starting in Year 4; however, it is
likely to change based on component
program office discretion regarding
whether a CMMC self-assessment or
certificate is required and, if so, at what
level:

CMMC Level                 Percentages   Small entities   Large entities   Total entities
Level 1 Self-assessment    63            12,849           5,763            18,612
Level 2 Self-assessment    2             408              183              591
Level 2 Certificate        35            7,138            3,202            10,340
Total Entities             100           20,395           9,148            29,543

This proposed rule includes new
reporting, recordkeeping, or other
compliance requirements for small
entities. The following is a summary of
the projected reporting and other
compliance requirements associated
with the proposed rule: (1) a
requirement for apparently successful
offerors to post results of current CMMC
Level 1 and Level 2 self-assessments to
SPRS for each DoD UID applicable to
each of the contractor information
systems that will process, store, or
transmit FCI or CUI and that will be
used in performance of the contract, if
applicable; (2) a requirement for
apparently successful offerors and
contractors to provide DoD UIDs for
each of those contractor information
systems, if applicable, prior to award
and when any changes to DoD UIDs
occur; and (3) a requirement for a senior
company official to complete and
maintain on an annual basis, or when
CMMC compliance status changes
occur, the affirmation of continuous
compliance with the security
requirements identified at 32 CFR part
170 in SPRS for each DoD UID
applicable to each of those contractor
information systems.
These reporting requirements would
apply to any small entities that are the
apparently successful offeror for a
contract for which there is a
requirement for a specific CMMC level.
The requirement to post the self-assessment will only apply to small
entities that have a requirement for a
CMMC Level 1 or Level 2 self-assessment. The requirement to provide
DoD UIDs and the requirement for the
senior official to complete the
affirmation in SPRS will apply to all
small entities that are apparently
successful offerors for a solicitation or
contractors awarded a contract for
which there is a requirement for CMMC.
This proposed rule does not
duplicate, overlap, or conflict with any
other Federal rules. This proposed
DFARS rule implements the contractual
requirements related to the CMMC 2.0
program, which was published as a
separate proposed rule affecting 32 CFR
part 170 on December 26, 2023, at 88 FR
89058.
There are no known alternatives that
would accomplish the stated objectives
of the applicable statute. This proposed
rule uses a phased rollout approach to
implementation and applies the CMMC
requirements only to apparently
successful offerors for solicitations and
contractors awarded a contract
containing a CMMC requirement. This
proposed rule exempts contracts and
orders exclusively for the acquisition of
COTS items to minimize any significant
economic impact of the proposed rule
on small entities. Because of the across-the-board risks of not implementing
cybersecurity requirements, DoD was
unable to identify any additional
alternatives that would reduce the
burden on small entities and still meet
the objectives of the proposed rule.
DoD invites comments from small
business concerns and other interested
parties on the expected impact of this
proposed rule on small entities.
DoD will also consider comments
from small entities concerning the
existing regulations in subparts affected
by this proposed rule in accordance
with 5 U.S.C. 610. Interested parties
must submit such comments separately
and should cite 5 U.S.C. 610 (DFARS
Case 2019–D041), in correspondence.
VII. Paperwork Reduction Act
This proposed rule contains
information collection requirements that
require the approval of the Office of
Management and Budget under the
Paperwork Reduction Act (44 U.S.C.
chapter 35). Accordingly, DoD has
submitted a request for approval of a
new information collection requirement
concerning 2019–D041, Assessing
Contractor Implementation of
Cybersecurity Requirements, to the
Office of Management and Budget.
A. Estimate of Public Burden
Public reporting burden for this
collection of information is estimated to
average 5 minutes (0.8333) per response,
including the time for reviewing
instructions, searching existing data
sources, gathering and maintaining the
data needed, and completing and
reviewing the collection of information.
The annual reporting burden is
estimated as follows:
Respondents: 1,493.
Total annual responses: 30,990.
Total annual burden hours: 2,582.
B. Request for Comments Regarding
Paperwork Burden
Written comments and
recommendations on the proposed
information collection, including
suggestions for reducing this burden,
should be submitted using the Federal
eRulemaking Portal at https://www.regulations.gov or by email to
osd.dfars@mail.mil. Comments can be
received up to 60 days after the date of
this notice.
Public comments are particularly
invited on: whether this collection of
information is necessary for the proper
performance of the functions of DoD,
including whether the information will
have practical utility; the accuracy of
DoD’s estimate of the burden of this
information collection; ways to enhance
the quality, utility, and clarity of the
information to be collected; and ways to
minimize the burden of the information
collection on respondents, including
through the use of automated collection
techniques or other forms of information
technology.
To obtain a copy of the supporting
statement and associated collection
instruments, please email osd.dfars@mail.mil.
Include DFARS Case 2019–D041 in the subject line of the message.
List of Subjects in 48 CFR Parts 204,
212, 217, and 252
Government procurement.
Jennifer D. Johnson,
Editor/Publisher, Defense Acquisition
Regulations System.
Therefore, the Defense Acquisition
Regulations System proposes to amend
48 CFR parts 204, 212, 217, and 252 as
follows:
■ 1. The authority citation for 48 CFR
parts 204, 212, 217, and 252 continues
to read as follows:
Authority: 41 U.S.C. 1303 and 48 CFR
chapter 1.
PART 204—ADMINISTRATIVE AND
INFORMATION MATTERS
■ 2. Revise subpart 204.75 to read as
follows:
Subpart 204.75—Cybersecurity Maturity
Model Certification
Sec.
204.7500 Scope of subpart.
204.7501 Definitions.
204.7502 Policy.
204.7503 Procedures.
204.7504 Solicitation provision and
contract clause.
Subpart 204.75—Cybersecurity
Maturity Model Certification
204.7500 Scope of subpart.
(a) This subpart prescribes policies
and procedures for including the
Cybersecurity Maturity Model
Certification (CMMC) level
requirements in DoD contracts. CMMC
is a framework (see 32 CFR part 170) for
assessing a contractor’s compliance with
applicable information security
requirements (see https://DoDcio.defense.gov/CMMC/).
(b) This subpart does not abrogate any
other requirements regarding contractor
physical, personnel, information,
technical, or general administrative
security operations governing the
protection of unclassified information,
nor does it affect requirements of the
National Industrial Security Program.
204.7501 Definitions.
As used in this subpart—
Controlled unclassified information
means information the Government
creates or possesses, or an entity creates
or possesses for or on behalf of the
Government, that a law, regulation, or
Governmentwide policy requires or
permits an agency to handle using
safeguarding or dissemination controls
(32 CFR 2002.4(h)).
Current means, with regard to
Cybersecurity Maturity Model
Certification—
(1) Not older than 1 year for Level 1
self-assessments, with no changes in
CMMC compliance since the date of the
assessment;
(2) Not older than 3 years for Level 2
certificates and self-assessments, with
no changes in CMMC compliance since
the date of the assessment;
(3) Not older than 3 years for Level 3
certificates, with no changes in CMMC
compliance since the date of the
assessment; and
(4) Not older than 1 year for
affirmations of continuous compliance
with the security requirements
identified at 32 CFR part 170, with no
changes in CMMC compliance since the
date of the affirmation.
DoD unique identifier means an
alpha-numeric string of ten characters
assigned within the Supplier
Performance Risk System to each
contractor assessment with the first two
characters indicating the confidence
level of the assessment.
204.7502 Policy.
(a) The CMMC certificate or CMMC
self-assessment level specified in the
contract is required for all information
systems, used in the performance of the
contract, that will process, store, or
transmit Federal contract information
(FCI) or controlled unclassified
information (CUI).
(b) Contractors are required to
achieve, at time of award, a CMMC
certificate or CMMC self-assessment at
the level specified in the solicitation, or
higher. Contractors are required to
maintain a current CMMC certificate or
CMMC self-assessment at the specified
level, if required by the contract, task
order, or delivery order, throughout the
life of the contract, task order, or
delivery order.
(c) The CMMC assessments shall not
duplicate efforts from any other
comparable DoD assessment, except for
rare circumstances when a reassessment may be necessary, for
example, when there are indications of
issues with cybersecurity and/or
compliance with CMMC requirements.
204.7503 Procedures.
(a) The contracting officer shall
include the CMMC level required by the
program office or requiring activity in
the solicitation and contract.
(b)(1) Contracting officers shall not
award a contract, task order, or delivery
order to an offeror that does not have—
(i) The results of a current CMMC
certificate or current CMMC self-assessment at the level required by the
solicitation, or higher, for each DoD
unique identifier (DoD UID) applicable
to each of the contractor information
systems that will process, store, or
transmit FCI or CUI and that will be
used in performance of the contract
posted in the Supplier Performance Risk
System (SPRS) (see 32 CFR 170.15
through 170.18); and
(ii) A current affirmation of
continuous compliance with the
security requirements identified at 32
CFR part 170 in SPRS for each DoD UID
applicable to each of the contractor
information systems that will process,
store, or transmit FCI or CUI and that
will be used in performance of the
contract.
(2) Contracting officers shall require
the apparently successful offeror to
provide the DoD UID(s) applicable to
each of the contractor information
systems that will process, store, or
transmit FCI or CUI and that will be
used in performance of the contract. The
contracting officer shall ensure the
program office or requiring activity
reviews the information described in
paragraphs (b)(1)(i) and (ii) of this
section.
(c)(1) Contracting officers shall not
exercise an option period or extend the
period of performance on a contract,
task order, or delivery order, unless the
contractor has—
(i) A current CMMC certificate or
CMMC self-assessment at the level
required by the contract, task order, or
delivery order, or higher, for each DoD
UID applicable to each of the contractor
information systems that process, store,
or transmit FCI or CUI and that are used
in performance of the contract; and
(ii) A current affirmation of
continuous compliance with the
security requirements identified at 32
CFR part 170 in SPRS for each DoD UID
applicable to each of the contractor
information systems that process, store,
or transmit FCI or CUI and that are used
in performance of the contract (see
252.204–7021, paragraph (b)(5)).
(2) The contracting officer shall
ensure the program office or requiring
activity reviews the information
described in paragraphs (c)(1)(i) and (ii).
(d) If the contractor provides new DoD
UIDs during performance of the
contract, the contracting officer shall
ensure the program office or requiring
activity verifies in SPRS that the
contractor—
(1) Has a current affirmation of
continuous compliance with the
security requirements identified at 32
CFR part 170 for each DoD UID
applicable to each of the contractor
information systems that process, store,
or transmit FCI or CUI (see 252.204–
7021, paragraph (b)(5)); and
(2) Has a current CMMC certificate or
CMMC self-assessment at the required
level, or higher, for each information
system identified that will process,
store, or transmit FCI or CUI during
contract performance using the DoD
UIDs assigned by SPRS.
204.7504 Solicitation provision and
contract clause.
(a) Use the clause at 252.204–7021,
Contractor Compliance with the
Cybersecurity Maturity Model
Certification Level Requirements, in
solicitations and contracts, task orders,
or delivery orders that require the
contractor to have a CMMC certificate or
CMMC self-assessment at a specific
level, including those using FAR part 12
procedures for the acquisition of
commercial products and commercial
services, except for solicitations and
contracts or orders solely for the
acquisition of commercially available
off-the-shelf items.
(b) Use the provision at 252.204–
7YYY, Notice of Cybersecurity Maturity
Model Certification Level Requirements,
in solicitations that include the clause at
252.204–7021.
PART 212—ACQUISITION OF
COMMERCIAL PRODUCTS AND
COMMERCIAL SERVICES
■ 3. Amend section 212.301—
■ a. In paragraph (f)(ii)(L) by removing
‘‘204.7503(a) and (b)’’ and adding
‘‘204.7504(a)’’ in its place; and
■ b. By adding paragraph (f)(ii)(P) to
read as follows:
212.301 Solicitation provisions and
contract clauses for the acquisition of
commercial products and commercial
services.
* * * * *
(f) * * *
(ii) * * *
(P) Use the provision at 252.204–
7YYY, Notice of Cybersecurity Maturity
Model Certification Level Requirements,
as prescribed in 204.7504(b).
* * * * *
PART 217—SPECIAL CONTRACTING
METHODS
■ 4. Amend section 217.207—
■ a. In paragraph (c) introductory text by
removing ‘‘after:’’ and adding ‘‘after—’’
in its place;
■ b. In paragraph (c)(1) by removing the
period at the end of the paragraph and
adding ‘‘; and’’ in its place;
■ c. By revising paragraph (c)(2)
introductory text;
■ d. In paragraph (c)(2)(i) by removing
the period at the end of the paragraph
and adding ‘‘; and’’ in its place; and
■ e. By revising paragraph (c)(2)(ii).
The revisions read as follows:
217.207 Exercise of options.
(c) * * *
(2) Ensuring the program office or
requiring activity verifies in the
Supplier Performance Risk System
(https://piee.eb.mil) that—
* * * * *
(ii) If there is a requirement for the
contractor to have a Cybersecurity
Maturity Model Certification (CMMC)
certificate or CMMC self-assessment at a
specific level, the contractor has the
required affirmation(s) of continuous
compliance with the security
requirements identified at 32 CFR part
170 and has posted the results of a
current (see 204.7501) CMMC certificate
or CMMC self-assessment at the level
required by the contract, or higher. See
204.7503(c).
PART 252—SOLICITATION
PROVISIONS AND CONTRACT
CLAUSES
■ 5. Revise section 252.204–7021 to
read as follows:
252.204–7021 Contractor Compliance With
the Cybersecurity Maturity Model
Certification Level Requirements.
As prescribed in 204.7504(a), insert
the following clause:
Contractor Compliance With the
Cybersecurity Maturity Model Certification
Level Requirements (Date)
(a) Definitions. As used in this clause—
Controlled unclassified information means
information the Government creates or
possesses, or an entity creates or possesses
for or on behalf of the Government, that a
law, regulation, or Governmentwide policy
requires or permits an agency to handle using
safeguarding or dissemination controls (32
CFR part 2002.4(h)).
Current means, with regard to
Cybersecurity Maturity Model Certification
(CMMC)—
(1) Not older than 1 year for Level 1 self-assessments, with no changes in CMMC
compliance since the date of the assessment;
(2) Not older than 3 years for Level 2
certificates and self-assessments, with no
changes in CMMC compliance since the date
of the assessment;
(3) Not older than 3 years for Level 3
certificates, with no changes in CMMC
compliance since the date of the assessment;
and
(4) Not older than 1 year for affirmations
of continuous compliance with the security
requirements identified at 32 CFR part 170,
with no changes in CMMC compliance since
the date of the affirmation.
Cybersecurity Maturity Model Certification
means a framework for assessing a
contractor’s compliance with applicable
information security requirements (see 32
CFR part 170).
DoD unique identifier means an alphanumeric string of ten characters assigned
within the Supplier Performance Risk System
to each contractor assessment, with the first
two characters indicating the confidence
level of the assessment.
(b) Requirements. The Contractor shall—
(1)(i) Have a current CMMC certificate or
current CMMC self-assessment at the
following CMMC level, or higher: _____
[Contracting Officer to fill in the required
CMMC level]; and
(ii) Consult 32 CFR part 170 related to
flowing down information in order to
establish the correct CMMC level
requirements for subcontracts and other
contractual instruments;
(2) Maintain the CMMC level required by
this contract for the duration of the contract
for all information systems, used in
performance of the contract, that process,
store, or transmit Federal contract
information (FCI) or controlled unclassified
information (CUI);
(3) Only process, store, or transmit data on
information systems that have a CMMC
certificate or CMMC self-assessment at the
CMMC level required by the contract, or
higher;
(4) Notify the Contracting Officer within 72
hours when there are any lapses in
information security or changes in the status
of CMMC certificate or CMMC self-assessment levels during performance of the
contract;
(5) Complete and maintain on an annual
basis, or when changes occur in CMMC
compliance status (see 32 CFR part 170), an
affirmation of continuous compliance with
the security requirements associated with the
CMMC level required in paragraph (b)(1) of
this clause in the Supplier Performance Risk
System (SPRS) (https://piee.eb.mil) for each
DoD unique identifier (DoD UID) applicable
to each of the contractor information systems
that process, store, or transmit FCI or CUI
and that are used in performance of the
contract; and
(6) Ensure all subcontractors and suppliers
complete and maintain on an annual basis,
or when changes occur in CMMC compliance
status (see 32 CFR part 170), an affirmation
of continuous compliance with the security
requirements associated with the CMMC
level required for the subcontract or other
contractual instrument for each of the
contractor information systems that process,
store, or transmit FCI or CUI and that are
used in performance of the contract.
(c) Reporting. The Contractor shall—
(1) Submit to the Contracting Officer the
DoD UID(s) issued by SPRS for contractor
information systems that will process, store,
or transmit FCI or CUI during performance of
the contract;
(2) Enter into SPRS the results of self-assessment(s) for each DoD UID applicable to
each of the contractor information systems
that process, store, or transmit FCI or CUI
and that are used in performance of the
contract; and
(3) Report to the Contracting Officer any
changes to the list of DoD UIDs applicable to
each of the contractor information systems
that process, store, or transmit FCI or CUI
and that are used in performance of the
contract.
(d) Subcontracts. The Contractor shall—
(1) Insert the substance of this clause,
including this paragraph (d), and exclude
paragraphs (b)(5) and (c), in subcontracts and
other contractual instruments, including
those for the acquisition of commercial
products and commercial services, excluding
commercially available off-the-shelf items,
when there is a requirement under the
subcontract or similar contractual instrument
for a CMMC level; and
(2) Prior to awarding a subcontract or other
contractual instrument, ensure that the
subcontractor has a current CMMC certificate
or current CMMC self-assessment at the
CMMC level that is appropriate for the
information that is being flowed down to the
subcontractor.
(End of clause)
■ 6. Add section 252.204–7YYY to read
as follows:
252.204–7YYY Notice of Cybersecurity
Maturity Model Certification Level
Requirements.
As prescribed in 204.7504(b) use the
following provision:
Notice of Cybersecurity Maturity Model
Certification Level Requirements (Date)
(a) Definitions. As used in this provision,
controlled unclassified information, current,
Cybersecurity Maturity Model Certification,
and DoD unique identifier have the meaning
given in the Defense Federal Acquisition
Regulation Supplement 252.204–7021,
Contractor Compliance With the
Cybersecurity Maturity Model Certification
Level Requirements, clause of this
solicitation.
(b)(1) Cybersecurity Maturity Model
Certification (CMMC) level. The CMMC
certificate or CMMC self-assessment level
required by this solicitation is: _____
[Contracting Officer insert: CMMC Level 1
self-assessment; CMMC Level 2 certificate or
CMMC self-assessment; or CMMC Level 3
certificate]. This CMMC certificate or CMMC
self-assessment level, or higher, is required
prior to award for each contractor
information system that will process, store,
or transmit Federal contract information
(FCI) or controlled unclassified information
(CUI) during performance of the contract.
(2) The apparently successful offeror will
not be eligible for award of a contract, task
order, or delivery order resulting from this
solicitation if the apparently successful
offeror does not have the results of a current
CMMC certificate or self-assessment entered
in the Supplier Performance Risk System
(SPRS) (https://piee.eb.mil) at the CMMC
level required by paragraph (b)(1) of this
provision and an affirmation of continuous
compliance with the security requirements
identified at 32 CFR part 170 in SPRS for
each of the contractor information systems
that will process, store, or transmit FCI or
CUI and that will be used in performance of
a contract resulting from this solicitation.
(c) DoD unique identifiers. At the request
of the Contracting Officer, the apparently
successful offeror shall provide the DoD
unique identifier(s) issued by SPRS for each
contractor information system that will
process, store, or transmit FCI or CUI during
performance of a contract, task order, or
delivery order resulting from this solicitation.
The DoD unique identifier(s) are provided in
SPRS after the Offeror enters the results of
self-assessment(s) for each such information
system.
(End of provision)
[FR Doc. 2024–18110 Filed 8–14–24; 8:45 am]
BILLING CODE 6001–FR–P
[Federal Register Volume 89, Number 158 (Thursday, August 15, 2024)]
[Proposed Rules]
[Pages 66327-66338]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-18110]
DEPARTMENT OF DEFENSE
Defense Acquisition Regulations System
48 CFR Parts 204, 212, 217, and 252
[Docket DARS-2020-0034]
RIN 0750-AK81
Defense Federal Acquisition Regulation Supplement: Assessing
Contractor Implementation of Cybersecurity Requirements (DFARS Case
2019-D041)
AGENCY: Defense Acquisition Regulations System, Department of Defense
(DoD).
ACTION: Proposed rule.
SUMMARY: DoD is proposing to amend the Defense Federal Acquisition
Regulation Supplement (DFARS) to incorporate contractual requirements
related to the proposed Cybersecurity Maturity Model Certification 2.0
program rule, Cybersecurity Maturity Model Certification Program. This
proposed DFARS rule also partially implements a section of the National
Defense Authorization Act for Fiscal Year 2020 that directed the
Secretary of Defense to develop a consistent, comprehensive framework
to enhance cybersecurity for the U.S. defense industrial base.
DATES: Comments on the proposed rule should be submitted in writing to
the address shown below on or before October 15, 2024, to be considered
in the formation of a final rule.
ADDRESSES: Submit comments identified by DFARS Case 2019-D041, using
either of the following methods:
• Federal eRulemaking Portal: https://www.regulations.gov.
Search for DFARS Case 2019-D041. Select ‘‘Comment’’ and follow the
instructions to submit a comment. Please include ‘‘DFARS Case 2019-
D041’’ on any attached documents.
• Email: osd.dfars@mail.mil. Include DFARS Case 2019-D041 in
the subject line of the message.
Comments received generally will be posted without change to
https://www.regulations.gov, including any personal information
provided. To confirm receipt of your comment(s), please check https://www.regulations.gov, approximately two to three days after submission
to verify posting.
FOR FURTHER INFORMATION CONTACT: Ms. Heather Kitchens, telephone 571-
296-7152.
SUPPLEMENTARY INFORMATION:
I. Background
DoD is proposing to revise the DFARS to implement the contractual
requirements related to the Cybersecurity Maturity Model Certification
(CMMC) 2.0 program, published in the Federal Register as a proposed
rule affecting 32 CFR part 170 on December 26, 2023, at 88 FR 89058.
CMMC 2.0 provides a framework for assessing contractor implementation
of cybersecurity requirements and enhancing the protection of
unclassified information within the DoD supply chain. This proposed
DFARS rule also partially implements section 1648 of the National
Defense Authorization Act for Fiscal Year 2020 (Pub. L. 116-92), which
directed the Secretary of Defense to develop a consistent,
comprehensive framework to enhance cybersecurity for the U.S. defense
industrial base no later than February 1, 2020.
On September 29, 2020, an interim rule under DFARS Case 2019-D041,
Assessing Contractor Implementation of Cybersecurity Requirements, was
published in the Federal Register at 85 FR 61505, effective November
30, 2020. On November 17, 2021, the notice, ‘‘Cybersecurity Maturity
Model Certification (CMMC) 2.0 Updates and Way Forward’’ was published
in the Federal Register at 86 FR 64100 to suspend the CMMC 1.0 pilot
efforts. The purpose of suspending the CMMC 1.0 pilot efforts was to
allow for development of CMMC 2.0. On December 26, 2023, DoD published
in the Federal Register at 88 FR 89058 a proposed CMMC 2.0 program
rule, Cybersecurity Maturity Model Certification Program, to propose
the establishment of the CMMC 2.0 program requirements at 32 CFR part
170.
II. Discussion and Analysis
The proposed changes to the existing DFARS language are primarily
to: (1) add references to the CMMC 2.0 program requirements proposed at
32 CFR part 170; (2) add definitions for controlled unclassified
information (CUI) and DoD unique identifier (DoD UID) to the subpart;
(3) establish a solicitation provision and prescription; and (4) revise
the existing clause language and prescription.
DoD is implementing a phased rollout of CMMC. Over a three-year
period CMMC will be phased in based on the
CMMC 2.0 program requirements identified at 32 CFR part 170. The clause
at DFARS 252.204-7021, Contractor Compliance With the Cybersecurity
Maturity Model Certification Level Requirements, is prescribed for use
in solicitations and contracts that require the contractor to have a
specific CMMC level, including solicitations and contracts using
Federal Acquisition Regulation (FAR) part 12 procedures for the
acquisition of commercial products and commercial services, excluding
acquisitions exclusively for commercially available off-the-shelf
(COTS) items. In order to implement the phased rollout of CMMC,
inclusion of a CMMC requirement in a solicitation during this time
period will be determined by the program office or requiring activity
after consulting the CMMC 2.0 requirements at 32 CFR part 170. During
the phase-in period, when there is a requirement in the contract for
CMMC, CMMC certification requirements must be flowed down to
subcontractors at all tiers, when the subcontractor will process,
store, or transmit Federal contract information (FCI) or CUI, based on
the sensitivity of the unclassified information flowed down to each of
the subcontractors in accordance with the proposed CMMC 2.0
requirements to be established at 32 CFR part 170 (see the proposed
rule published December 26, 2023, at 88 FR 89058).
After the phase-in period, CMMC will apply to all DoD solicitations
and contracts, including those for the acquisition of commercial
products or commercial services (except those exclusively for COTS
items), valued at greater than the micro-purchase threshold that
involve processing, storing, or transmitting FCI or CUI. When a CMMC
level is included in the solicitation or contract, contracting officers
will not make award, exercise an option, or extend the period of
performance on a contract, if the offeror or contractor does not have
the results of a current certification or self-assessment for the
required CMMC level, and an affirmation of continuous compliance with
the security requirements to be identified at 32 CFR part 170, in the
Supplier Performance Risk System (SPRS) for all information systems
that process, store, or transmit FCI or CUI during contract
performance. Furthermore, CMMC certification requirements must be
flowed down to subcontractors at all tiers when the subcontractor will
process, store, or transmit FCI or CUI, based on the sensitivity of the
unclassified information flowed down to each of the subcontractors in
accordance with the proposed CMMC 2.0 requirements to be established at
32 CFR part 170 (see 88 FR 89058).
A. Proposed Rule Changes
This proposed rule includes amendments to DFARS 204.7502, Policy.
These amendments require at the time of award the results of a current
CMMC certificate or CMMC self-assessment, at the level required, for
all information systems that process, store, or transmit FCI or CUI
during contract performance, when a CMMC level is included in the
solicitation.
The proposed rule also adds a requirement at DFARS 204.7503,
Procedures, for contracting officers to work with the program office or
requiring activity to verify in SPRS, prior to awarding a contract,
exercising an option, or when new DoD UIDs are provided, that: (1) the
results of a current CMMC certificate or current CMMC self-assessment
at the level required by the solicitation, or higher, are posted in
SPRS for each DoD UID applicable to each of the contractor information
systems that will process, store, or transmit FCI or CUI and that will
be used in performance of the contract; and (2) the apparently
successful offeror has a current affirmation of continuous compliance
with the security requirements identified at 32 CFR part 170 in SPRS
for each DoD UID applicable to each of the contractor information
systems that process, store, or transmit FCI or CUI and that are used
in performance of the contract.
The proposed rule also adds a definition at DFARS 204.7501 for use
only in the subpart for the term CUI based on the 32 CFR 2002
definition of CUI. Definitions for current (as it relates to CMMC) and
DoD UID are also added.
This proposed rule includes a new DFARS provision, 252.204-7YYY,
Notice of Cybersecurity Maturity Model Certification Level
Requirements, to provide notice to offerors of the CMMC level required
by the solicitation and of the CMMC certificate or self-assessment
results that are required to have been posted in SPRS by the apparently
successful offeror prior to award, unless electronically posted.
Offerors post CMMC Level 1 and Level 2 self-assessments into SPRS.
Level 2 certificate assessment results will be electronically
transmitted to SPRS by the third-party assessment organization (see the
proposed rule published at 88 FR 89058, in the proposed text at 32 CFR
170.17 for details on CMMC Level 2 certification assessment
requirements). Level 3 certificate assessment results will be
electronically transmitted to SPRS by the DoD assessor (see the
proposed rule published at 88 FR 89058, in the proposed text at 32 CFR
170.18 for details on CMMC Level 3 certification requirements).
Apparently successful offerors are also required to provide, at the
contracting officer's request, the DoD UIDs issued by SPRS for the
contractor information systems that will process, store, or transmit
FCI or CUI during contract performance. SPRS will issue DoD UIDs to
offerors in connection with their CMMC self-assessments and CMMC
certificates. Apparently successful offerors will need to specify which
DoD UIDs are applicable to the contractor information systems that will
process, store, or transmit FCI or CUI during contract performance.
This proposed rule at DFARS 204.7504 adds the prescription for the
new DFARS solicitation provision, 252.204-7YYY, Notice of Cybersecurity
Maturity Model Certification Level Requirements. DFARS 252.204-7YYY is
prescribed for use in solicitations that include the clause at 252.204-
7021. The provision includes language identifying the CMMC level
required for the contract and notifies offerors that the apparently
successful offeror will not be eligible for award of a contract, task
order, or delivery order resulting from the solicitation in which the
provision appears, if the apparently successful offeror does not have
the results of a current CMMC certificate or self-assessment entered in
SPRS (https://piee.eb.mil) at the CMMC level required by the provision
and an affirmation of continuous compliance with the security
requirements identified at 32 CFR part 170 in SPRS for each of the
contractor information systems that process, store, or transmit FCI or
CUI and that are used in performance of the contract.
This proposed rule includes changes to the clause at DFARS 252.204-
7021, Contractor Compliance with the Cybersecurity Maturity Model
Certification Level Requirement, to:
Add definitions at paragraph (a) for Cybersecurity
Maturity Model Certification, current (as it relates to CMMC), and DoD
UID, and remove the scope statement.
Require the contractor to have and maintain the requisite
CMMC level for the life of the contract.
Require the contractor to submit to the contracting
officer the DoD UID(s) issued by SPRS for contractor information
systems that will process, store, or transmit FCI or CUI during
performance of the contract.
Require the contractor to complete and maintain on an
annual basis, or when security changes occur, the affirmation of
continuous compliance with the security requirements identified at 32
CFR part 170. The affirmation of continuous compliance is made by a
senior company official (see definition of ``senior company official''
at 32 CFR 170.4 in the proposed rule published at 88 FR 89058) to
affirm that its CMMC self-assessment or CMMC certification for each DoD
UID applicable to the contractor information systems that process,
store, or transmit FCI or CUI during contract performance remains
current and the information system(s) covered by the CMMC self-
assessment or CMMC certificate continue to be in compliance with the
security requirements identified at 32 CFR 170.
Require the contractor to notify the contracting officer
of any changes in the contractor information systems that process,
store, or transmit FCI or CUI during contract performance and to
provide the corresponding DoD UIDs for those contractor information
systems to the contracting officer. The contractor is required to
provide the DoD UIDs to the contracting officer so the Government can
review associated CMMC certificate or CMMC self-assessment results and
contractor affirmations of continued compliance in SPRS for those
additional contractor information systems.
Require the contractor to ensure that its subcontractors
also have the appropriate CMMC level prior to awarding a subcontract or
other contractual instruments. This requirement is included in the
clause at DFARS 252.204-7021, paragraph (d), which tells contractors
when to flow the clause down to subcontractors.
Require the contractor to include the requirements of the
clause in subcontracts or other contractual instruments. The purpose of
the clause is to ensure suppliers at all tiers are in compliance with
the security requirements identified at 32 CFR part 170 when there is a
requirement for CMMC in the contract, if applicable based on the
information that is being flowed down. The CMMC program requirements
related to the CMMC level required for suppliers are based on the
information that is being flowed down, and those requirements are
defined in the Title 32 CFR CMMC Program proposed rule.
The proposed rule also adds language to the clause at DFARS
252.204-7021 to incorporate a requirement for contractors to only
transmit data on information systems that process, store, or transmit
FCI or CUI during contract performance that have a certification at the
CMMC level required by the contract. In addition, the contractor will
be required to notify the contracting officer if there are any lapses
or changes in CMMC certification levels that affect the requirements
for information security during contract performance. The clause will
also include language identifying the CMMC level required by the
contract.
This proposed rule also includes revisions to the clause
prescription at DFARS 204.7504 to apply the clause at DFARS 252.204-
7021 to solicitations and contracts, task orders, or delivery orders
that require the contractor to have a specific CMMC level, including
solicitations and contracts using FAR part 12 procedures for the
acquisition of commercial products and commercial services, except for
solicitations and contracts solely for the acquisition of COTS items.
DoD considered three alternatives for the timing of the requirement
to achieve a CMMC 2.0 level certification in the development of this
proposed rule, weighing the benefits and risks associated with
requiring CMMC 2.0 level certification: (1) at time of proposal
submission; (2) at time of award; or (3) after contract award. DoD
ultimately adopted the second alternative to require certification at
the time of award. The drawback of the first alternative (i.e., at time
of proposal submission) is the increased risk for offerors since they
may not have sufficient time to achieve the required CMMC
certification. The drawback of the third alternative (i.e., after
contract award) is the increased risk to DoD with respect to the
schedule and uncertainty due to the possibility that the contractor may
be unable to achieve the required CMMC level in a reasonable amount of
time given their current cybersecurity posture. This potential delay
would apply to the entire supply chain and prevent the appropriate flow
of FCI and CUI to the contractor and subcontractors.
This proposed rule also includes the following conforming changes:
Makes references to the CMMC 2.0 program requirements by
incorporating the citation for 32 CFR part 170 throughout the text of
the proposed rule.
Amends the list in DFARS 212.301 of solicitation
provisions and contract clauses that are applicable for the acquisition
of commercial products and commercial services to include the new
provision at DFARS 252.204-7YYY, Notice of Cybersecurity Maturity Model
Certification Level Requirements. The clause at DFARS 252.204-7021,
Contractor Compliance with the Cybersecurity Maturity Model
Certification Level Requirements, is already included in this list from
the prior interim rule under this DFARS Case 2019-D041.
Amends DFARS 217.207, Exercise of Options, to advise
contracting officers that when CMMC is required in the contract, an
option may only be exercised after verifying in SPRS that the
contractor has the required affirmation(s) of continuous compliance
with the security requirements identified at 32 CFR part 170 and has
posted the results of a current CMMC certificate or CMMC self-
assessment at the level required by the contract, or higher. The text
refers contracting officers to DFARS 204.7503(c) for complete details
regarding these requirements.
B. Analysis of Public Comments in Response to the Interim Rule
This proposed rule follows the publication of an interim rule under
this DFARS Case 2019-D041, which received over 750 public comments.
Although this proposed rule does not finalize the interim rule, it
responds to the public comments received and anticipates that these
responses will facilitate the public's understanding of this proposed
rule. Only comments submitted in response to the interim rule as it
relates to the contractual requirements are discussed below. The
technical and programmatic comments on CMMC 1.0 are being handled in
the CMMC program rule affecting 32 CFR part 170. In addition to
technical and programmatic comments, the comments related to the CMMC
cost analysis are also being addressed under the CMMC program rule
affecting 32 CFR part 170. It should also be noted that any comments
related to the National Institute of Standards and Technology (NIST)
Special Publication (SP) 800-171 DoD Assessment methodology will be
addressed under a separate DFARS Case 2022-D017, NIST SP 800-171 DoD
Assessment Requirements. A discussion of the comments is provided as
follows:
1. Small Business Impact
Comment: Several respondents requested more information on the
impact to small entities from CMMC.
Response: As described in the regulatory flexibility analysis in
section VI of this preamble, the phased roll-out of CMMC over three
years is intended to mitigate the impact of CMMC on contractors
including small entities and is only expected to apply to 1,104 small
entities in year one. In addition, the provision and clause in this
proposed
rule exempt contracts that are exclusively for COTS items.
2. Requirement for CMMC
Comment: Several respondents inquired about how contractors will
know there is a requirement to have CMMC certification.
Response: As stated in this proposed rule, if there is a
requirement for a specific CMMC level, the CMMC requirement will be
identified in the DFARS solicitation provision 252.204-7YYY, Notice of
Cybersecurity Maturity Model Certification Level Requirements. In
addition, the DFARS contract clause 252.204-7021, Contractor Compliance
with the Cybersecurity Maturity Model Certification Level Requirements,
will be included in the contract.
3. CMMC Application to Other Transaction Agreements (OTAs)
Comment: Many respondents asked whether CMMC will apply to OTAs.
Response: Applicability to OTAs is outside the scope of this DFARS
rule, as the DFARS does not provide coverage of OTA requirements. If
the program office or requiring activity identifies a need to include a
CMMC requirement in an OTA, it will be included in the solicitation and
resulting agreement.
4. Application to Foreign Suppliers for CMMC
Comment: Many respondents commented on whether CMMC will apply to
foreign suppliers.
Response: If the program office or requiring activity identifies a
need to include a CMMC requirement in a contract, it will be included
in the solicitation and resulting contract unless the contract is
exclusively for COTS items. The proposed rule does not exempt foreign
suppliers from CMMC requirements.
5. CMMC and NIST SP 800-171 DoD Assessment Requirements
Comment: Many respondents questioned how CMMC and the NIST SP 800-
171 requirements will interact and if one requirement will be used for
the other.
Response: As described in the interim rule at DFARS 204.7501(c),
the CMMC assessments will not duplicate efforts from any other
comparable DoD assessment, except for rare circumstances when a
reassessment may be necessary, for example, when there are indications
of issues with cybersecurity and/or compliance with CMMC requirements.
6. CMMC Application to Broad Agency Announcements (BAAs)
Comment: Many respondents inquired whether CMMC will apply to BAAs.
Response: If the program office or requiring activity identifies a
need to include a CMMC requirement in a contract, it will be included
in the solicitation and resulting contract. The proposed rule prescribes
the CMMC clause at 252.204-7021, Contractor Compliance with the
Cybersecurity Maturity Model Certification Level Requirements, for use
in solicitations and contracts, task orders, and delivery orders that
require the contractor to have a specific CMMC level, including those
using FAR part 12 procedures for the acquisition of commercial products
and commercial services, except those solely for the acquisition of
COTS items.
7. Duplication of DFARS Clause 252.204-7012 and DFARS Clause 252.204-
7021
Comment: A respondent commented on whether DFARS clause 252.204-
7012 and DFARS clause 252.204-7021 duplicate one another.
Response: These clauses are not duplicative as they have distinct
purposes. DFARS clause 252.204-7012, Safeguarding Covered Defense
Information and Cyber Incident Reporting, levies cybersecurity
requirements on contractors, and DFARS clause 252.204-7021, Contractor
Compliance with the Cybersecurity Maturity Model Certification Level
Requirements, levies a requirement for an assessment of how well a
contractor is meeting those cybersecurity requirements specified in
252.204-7012.
8. Uniform Definition of CUI
Comment: A respondent commented that there should be a uniform
definition of CUI.
Response: This proposed rule adds a definition for use in subpart
204.75 for the term ``controlled unclassified information.'' The
definition is based on the definition of CUI at 32 CFR 2002.
9. Uniformity and Consistency
Comment: Many respondents commented that the final rule should
provide uniformity and consistency.
Response: This proposed rule does not conflict with other
regulations.
10. Applicability to Contracts at or Below the Simplified Acquisition
Threshold
Comment: Many respondents commented that there should be
clarification as to whether this rule applies to contracts at or below
the simplified acquisition threshold.
Response: As described in section III of this preamble, this
proposed rule applies to contracts at or below the simplified
acquisition threshold, but not to purchases at or below the micro-
purchase threshold.
11. Expected Cost Impact and Benefits
Comment: Several respondents commented that the interim rule for
2019-D041 had a cost analysis that lacked a basis for the analysis.
Response: The Regulatory Impact Analysis associated with this
proposed rule only includes a cost analysis of the contractual
requirements associated with this proposed rule. The rule for the CMMC
Program affecting 32 CFR part 170 contains the expected cost impact and
benefits of technical requirements associated with CMMC. Any comments
on the cost estimates of technical or programmatic requirements related
to the CMMC Program should be directed to the proposed rule affecting
32 CFR part 170.
12. Applicability to COTS--Define Exclusively COTS
Comment: Many respondents commented that there needs to be a
definition for ``exclusively COTS''.
Response: As described in this preamble, this proposed rule does
not apply to awards that are exclusively for COTS items. The term
``commercially available off-the-shelf (COTS) item'' is defined at FAR
2.101, so any awards that are exclusively for items falling within that
FAR definition would be considered ``exclusively COTS'' awards.
13. Timing of CMMC Certification
Comment: Many respondents recommended that the CMMC certification
timing be delayed until after award, or that it should be made more
flexible.
Response: The CMMC policy identified in the CMMC 2.0 proposed rule
affecting 32 CFR part 170 (published December 26, 2023, at 88 FR 89058)
establishes that CMMC certification and CMMC self-assessments are
required at the time of award.
14. Prime Contractor Validation of Subcontractor CMMC Level
Comment: Many respondents commented that there should be a way for
prime contractors to validate subcontractor CMMC certificates and CMMC
self-assessments.
Response: There is not currently a tool established that would
allow sharing of subcontractor information
with prime contractors electronically. Prime contractors are expected
to work with their suppliers to conduct verifications as they would
under any other clause requirement that applies to subcontractors.
15. Cost Allowability
Comment: Many respondents commented that the DFARS rule should
specify whether costs for CMMC are allowable costs.
Response: Cost allowability requirements are described at FAR
31.201-2, Determining allowability.
16. Clause Applicability Overly Broad
Comment: Many respondents commented that the clause applicability
is overly broad.
Response: In this proposed DFARS rule, the applicability of the
clause has been narrowed to apply only when there is a requirement in
the solicitation for the contractor to have a specific CMMC level.
17. Application to Plain Old Telephone Service (POTS)
Comment: One respondent asked if handling CUI under a POTS contract
would trigger the requirements of DFARS 252.204-7012.
Response: The requirements under 252.204-7012, Safeguarding Covered
Defense Information and Cyber Incident Reporting, are triggered when
the contractor processes, stores, or transmits CUI on a covered
contractor information system (the contractor's internal information
system). Common carrier telecommunications circuits or POTS would not
normally be considered part of the covered contractor information
system processing FCI or CUI. Data traversing common carrier systems
should be separately encrypted per NIST SP 800-171 requirement 3.13.8.
Contracts with common carriers to provide telecommunications services
may include DFARS clause 252.204-7012, Safeguarding Covered Defense
Information and Cyber Incident Reporting, but should not be interpreted
to imply the common carrier telecommunications systems themselves have
to meet the DFARS requirements.
18. Joint Ventures
Comment: Many respondents commented on how to handle CMMC
certifications and CMMC self-assessments under joint ventures.
Response: Each individual entity that has a requirement for CMMC
would be required to comply with the requirements related to the
individual entity's information systems that process, store, or
transmit FCI or CUI during contract performance.
19. Training on Marking CUI
Comment: Many respondents commented that DoD should train personnel
on marking CUI and recommended that agencies do a better job of marking
CUI.
Response: This comment is outside of the scope of this rule.
20. Clarification of How CMMC Applies to Information Systems
Comment: Many respondents commented that clarification is needed
regarding how CMMC is applied to information systems.
Response: As described in this proposed rule, if there is a
requirement for CMMC, then it applies to all information systems that
process, store, or transmit FCI or CUI in performance of the contract.
21. Fundamental Research
Comment: Many respondents commented that clarification is needed
regarding whether CMMC applies to fundamental research.
Response: Fundamental research, as defined in National Security
Decision Directive (NSDD) 189, is published and broadly shared within
the scientific community and, as such, cannot be safeguarded as either
FCI or CUI; however, if fundamental research has the potential to
become CUI, it would be subject to the requirements of CMMC.
22. Clause Fill-In With CMMC Level
Comment: One respondent requested that the clause contain a fill-in
with the CMMC level requirement.
Response: In this proposed rule, the CMMC level requirement will be
included in the solicitation provision at 252.204-7YYY, Notice of
Cybersecurity Maturity Model Certification Level Requirements, and in the
contract clause at 252.204-7021.
23. Application of CMMC to Non-COTS Item Contracts With No FCI or CUI
Involved
Comment: Many respondents commented that it appears the CMMC clause
would be included in non-COTS item contracts with no FCI or CUI
involved at the prime contractor and subcontractor levels.
Response: The proposed rule prescribes the CMMC clause for use only
in solicitations and contracts that require the contractor to have a
specific CMMC level. Contracts that are exclusively for COTS items and
purchases at or below the micro-purchase threshold will not have a
requirement for the contractor to have a specific CMMC level.
24. Application of CMMC Clause to Service Contracts and Non-Defense
Contracts
Comment: One respondent commented on whether the CMMC clause will
be included in services contracts and non-defense contracts.
Response: The proposed rule proposes to amend the DFARS, so this
proposed rule only includes changes to the requirements for DoD. A
services contract may have a requirement for CMMC.
25. Definition of ``Contractor Information System Relevant to the
Contract/Offer''
Comment: Many respondents requested clarification of the phrase,
``contractor information system relevant to the contract/offer''.
Response: The proposed rule includes language that clarifies that
contractor information systems relevant to the contract or offer are
contractor information systems that process, store, or transmit FCI or
CUI during performance of the contract.
26. Effective Date of CMMC Clause for Contracts and Applicability to
Modifications
Comment: Many respondents requested clarification on the effective
date of the CMMC clause and applicability to modifications.
Response: The proposed rule includes amendments to the DFARS that
will not take effect until a final rule is issued. Therefore, the
effective date of the clause would be the effective date specified in
the final rule. The clause will only be included in solicitations
issued on or after the effective date of the final rule and any
resulting contracts, unless the contracting officer makes a decision to
include the clause in a solicitation issued prior to the effective date
of the final rule, provided that any resulting contracts are awarded on
or after the effective date of the final rule. Contracting officers
have the discretion to bilaterally incorporate the clause in contracts
in effect prior to the effective date of the clause, with appropriate
consideration. See FAR 1.108(d).
27. Determining CMMC Level for Subcontracts
Comment: Many respondents commented that there should be
clarification regarding how to determine the required CMMC level for
subcontracts.
Response: In determining a CMMC level appropriate for the
information being flowed down to subcontractors, see the proposed rule
affecting 32 CFR part 170 published in the Federal Register on December
26, 2023, at 88 FR 89058.
28. Proliferation of Component-Unique Security Requirements
Comment: Many respondents commented that it appeared there was a
proliferation of component-unique security requirements.
Response: While the comment is noted, the comment is outside of the
scope of this proposed rule.
29. Reflecting CMMC Levels in SAM.gov for Prime Contractor Verification
of Subcontractors
Comment: One respondent recommended reflecting CMMC levels in
SAM.gov for prime contractor verification of the subcontractors.
Response: The CMMC Program proposed rule affecting 32 CFR part 170
has identified that SPRS is the repository for CMMC certificates and
self-assessment information at present. Contractors will only be able
to access their own CMMC certificate and self-assessment information.
30. Training Contracting Officers
Comment: Many respondents commented that it would be helpful to
train contracting officers on how to appropriately identify contracts
for inclusion of the DFARS clause at 252.204-7021, Contractor
Compliance with the Cybersecurity Maturity Model Certification Level
Requirements.
Response: As with any clause, contracting officers will follow the
prescription language in determining when to include a contract clause.
31. Vendor Description of CMMC Queue in Response to Proposals
Comment: One respondent commented recommending that an offeror
should be able to share where they are in the queue for a CMMC
assessment and be allowed to have a late submission of their CMMC
certification.
Response: The CMMC Program policy, in the proposed rule affecting
32 CFR part 170, is to require a CMMC certification or CMMC self-
assessment at the time of award if there is a requirement for CMMC
under the contract.
32. Define ``Certification''
Comment: A respondent commented that the term ``certification''
should be defined.
Response: The term ``certification'' referenced in this proposed
rule relates to the Cybersecurity Maturity Model Certification.
33. Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)
Assessment Reciprocity
Comment: Several respondents asked for clarification on reciprocity
between CMMC certification and Defense Contract Management Agency
DIBCAC assessments.
Response: As described in the interim rule at DFARS 204.7501(c),
the CMMC assessments will not duplicate efforts from any other
comparable DoD assessment, except for rare circumstances when a
reassessment may be necessary, for example, when there are indications
of issues with cybersecurity and/or compliance with CMMC requirements.
34. Clearance Procedures for Interim Rule
Comment: A respondent asked what clearance procedures were bypassed
to allow for the emergency processing of the previously published
interim rule.
Response: Clearance procedures were not bypassed in the emergency
processing of the previously published interim rule under this DFARS
Case 2019-D041. As described in section IX of the preamble for the
interim rule, a determination was made pursuant to 41 U.S.C. 1707(d)
and FAR 1.501-3(b) to issue the interim rule.
35. Recommend Opening a DFARS Procedures, Guidance, and Information
(PGI) Case
Comment: One respondent recommended that a PGI case should be
opened to provide procedures, guidance, and information to the
workforce related to CMMC.
Response: At present, the requirements in the proposed rule are
simply for contracting officers to include the provision and clause as
prescribed. Any additional guidance would be for the program office and
requiring activity community. Such guidance would not be added to the
DFARS PGI, which speaks to contracting officers.
36. Existence of the Clause as an Indication of the Presence of CUI
Comment: Several respondents asked for clarification on whether the
presence of the clause at 252.204-7021 means that CUI will be used in
performance of the contract.
Response: CMMC also applies to FCI, so the existence of the clause
at 252.204-7021, Contractor Compliance with the Cybersecurity Maturity
Model Certification Level Requirements, does not automatically mean
that there is CUI that will be processed, stored, or transmitted in the
performance of the contract.
37. Application of the Clause to Government Furnished Equipment (GFE)
Comment: One respondent requested clarification on whether the
clause will apply to GFE or GFE in a test environment.
Response: If the program office or requiring activity includes a
requirement in the solicitation and resulting contract for the
contractor to have a specific CMMC level, then the clause would apply.
38. Other Contractual Instruments
Comment: A respondent commented that there should be a definition
in the DFARS of ``other contractual instruments''.
Response: ``Other contractual instruments'' are agreements with
vendors or suppliers that are not considered subcontracts. The term has
been used in the DFARS for years and is well understood.
39. Source Selections
Comment: A respondent requested information on how CMMC applies to
source selections.
Response: Proposed changes to DFARS 204.7503 require that
contracting officers shall not award a contract, task order, or
delivery order to an offeror that does not have a current CMMC
certificate or self-assessment at the level required by the
solicitation. If CMMC is included in a solicitation, it is also
included as a contract requirement.
III. Applicability to Contracts at or Below the Simplified Acquisition
Threshold (SAT), for Commercial Products (Including COTS Items), and
for Commercial Services
This proposed rule amends the clause at DFARS 252.204-7021,
Contractor Compliance with the Cybersecurity Maturity Model
Certification Level Requirements, as well as the prescription at DFARS
204.7504(a). The clause is prescribed for use in solicitations and
contracts, task orders, or delivery orders, that require the contractor
to have a specific CMMC level, including solicitations and contracts
using FAR part 12 procedures for the acquisition of commercial products
and commercial services, except for solicitations and contracts solely
for the acquisition of COTS items. This proposed rule includes a new
provision, DFARS 252.204-7YYY, Notice of Cybersecurity Maturity Model
Certification Level Requirements. The provision is prescribed at DFARS
204.7504(b) for use in solicitations that include the clause at DFARS
252.204-7021.
DoD intends to apply the provision and clause to contracts and
subcontracts valued at or below the SAT but greater than the micro-
purchase threshold, for the acquisition of commercial products
excluding COTS items, and for the acquisition of commercial services.
A. Applicability to Contracts at or Below the Simplified Acquisition
Threshold
41 U.S.C. 1905 governs the applicability of laws to contracts or
subcontracts in amounts not greater than the simplified acquisition
threshold. It is intended to limit the applicability of laws to such
contracts or subcontracts. 41 U.S.C. 1905 provides that if a provision
of law contains criminal or civil penalties, or if the Federal
Acquisition Regulatory Council makes a written determination that it is
not in the best interest of the Federal Government to exempt contracts
or subcontracts at or below the SAT, the law will apply to them. The
Principal Director, Defense Pricing, Contracting, and Acquisition
Policy (DPCAP), is the appropriate authority to make comparable
determinations for regulations to be published in the DFARS, which is
part of the FAR system of regulations. DoD does intend to make that
determination. Therefore, this proposed rule will apply at or below the
simplified acquisition threshold.
B. Applicability to Contracts for the Acquisition of Commercial
Products Including COTS Items and for the Acquisition of Commercial
Services
10 U.S.C. 3452 exempts contracts and subcontracts for the
acquisition of commercial products including COTS items, and commercial
services from provisions of law enacted after October 13, 1994, unless
the Under Secretary of Defense (Acquisition and Sustainment) (USD(A&S))
makes a written determination that it would not be in the best interest
of DoD to exempt contracts for the procurement of commercial products
and commercial services from the applicability of the provision or
contract requirement, except for a provision of law that--
Provides for criminal or civil penalties;
Requires that certain articles be bought from American
sources pursuant to 10 U.S.C. 4862, or that strategic materials
critical to national security be bought from American sources pursuant
to 10 U.S.C. 4863; or
Specifically refers to 10 U.S.C. 3452 and states that it
shall apply to contracts and subcontracts for the acquisition of
commercial products (including COTS items) and commercial services.
The statute implemented in this proposed rule does not impose
criminal or civil penalties, does not require purchase pursuant to 10
U.S.C. 4862 or 4863, and does not refer to 10 U.S.C. 3452. Therefore,
section 1648 of the NDAA for FY 2020 will not apply to the acquisition
of commercial services or commercial products including COTS items
unless a written determination is made. Due to delegations of
authority, the Principal Director, DPCAP is the appropriate authority
to make this determination. DoD intends to make that determination to
apply this statute to the acquisition of commercial products excluding
COTS items and to the acquisition of commercial services. Therefore,
this proposed rule will apply to the acquisition of commercial products
excluding COTS items and to the acquisition of commercial services.
C. Determinations
Given that the requirements of section 1648 of the NDAA for FY 2020
were enacted to promote protection of FCI and CUI that will be
processed, stored, or transmitted on contractor information systems,
and since FCI and CUI may be processed, stored, or transmitted on
contractor information systems in the performance of contracts or
orders valued below the simplified acquisition threshold and when the
Federal Government is procuring commercial products and commercial
services, it is in the best interest of the Federal Government to apply
the statute to contracts for the acquisition of commercial services and
commercial products, excluding COTS items, as defined at FAR 2.101. An
exception for contracts for the acquisition of commercial services and
commercial products, excluding COTS items, would exclude the contracts
intended to be covered by the law, thereby undermining the overarching
public policy purpose of the law.
IV. Expected Impact of the Rule
A. Background
DoD is proposing to amend the DFARS to implement the contractual
requirements related to the DoD policy for CMMC 2.0 (see the proposed
rule affecting 32 CFR 170, published in the Federal Register December
26, 2023, at 88 FR 89058). CMMC 2.0 self-assessments and certificates
assess a contractor's compliance with certain information system
security requirements. Pursuant to the DoD policy in the CMMC 2.0
proposed rule, the CMMC level requirements apply to every contractor
information system that will process, store, or transmit Federal
contract information (FCI) or controlled unclassified information
(CUI).
DoD is proposing to amend the DFARS to include the following
solicitation and contractual requirements related to the CMMC 2.0
policy:
• Offeror and contractor requirement to post the results of a CMMC 2.0 Level 1 or Level 2 self-assessment to the Supplier Performance Risk System (SPRS) prior to award, exercise of an option, or extension of a period of performance, if not already posted.
• Contractor requirement to maintain the required CMMC self-assessment or certificate level for the life of the contract.
• Contractor requirement to complete a contractor senior company official affirmation of continuous compliance with the security requirements identified at 32 CFR part 170 in SPRS for each DoD unique identifier (UID) applicable to each of the contractor information systems that will process, store, or transmit FCI or CUI and that will be used in performance of the contract on an annual basis, or when CMMC 2.0 compliance status changes occur.
• Apparently successful offeror and contractor requirement to identify the contractor information systems that will be used to process, store, or transmit FCI or CUI in performance of the contract prior to award, exercise of an option, or extension of any period of performance, by providing to the Government the DoD UIDs generated by SPRS.
The costs associated with the technical completion of the CMMC 2.0
certifications and self-assessments are included in the CMMC 2.0
proposed rule affecting title 32 CFR.
B. Summary of Impact
This proposed DFARS rule will impact certain contracts during a
phased-in, three-year implementation period. Afterwards, the
requirements will apply to all contracts for which the contractor will
process, store, or transmit FCI or CUI on contractor information
systems during the performance of the contract, except for contracts
solely for the acquisition of commercially available off-the-shelf
(COTS) items.
For the first three years after the effective date of the final
rule, the information collection requirements
will only impact an offeror or contractor when the solicitation or
contract requires an offeror or contractor to have a specific CMMC
level, based on a phased rollout plan, including solicitations and
contracts using Federal Acquisition Regulation (FAR) part 12 procedures
for the acquisition of commercial products and commercial services,
except for solicitations and contracts solely for the acquisition of
COTS items.
By the fourth year, the information collection requirements in the
solicitation provision and contract clause will impact solicitations
and contracts, task orders, or delivery orders, including solicitations
and contracts using FAR part 12 procedures for the acquisition of
commercial products and commercial services, when there will be a
requirement under the contract to process, store, or transmit FCI or
CUI, except for solicitations and contracts solely for the acquisition
of COTS items.
Since DoD does not track awards that may include FCI or CUI, DoD
assumes the number of impacted awardees in Year 4 and beyond will be
the average number of entities in the Electronic Data Access (EDA)
system from fiscal year (FY) 2021 through FY 2023 with awards
containing the clause at DFARS 252.204-7012, Safeguarding Covered
Defense Information and Cyber Incident Reporting, or 29,543 entities,
of which 20,395 (69 percent) are small businesses. DoD also assumes
that offerors or contractors with a requirement for CMMC in contracts
will have on average 5 contractor information systems that will be used
to process, store, or transmit FCI or CUI in performance of the
contract.
For each of the information systems that will process, store, or
transmit FCI or CUI, DoD assumes it will take offerors and
contractors--
• An estimated 5 minutes to post the results of the CMMC self-assessments in SPRS;
• An estimated 5 minutes to complete the required affirmation in SPRS; and
• An estimated 5 minutes to retrieve DoD UIDs in SPRS for the information systems that will be used in performance of the contract and to submit the DoD UIDs to the Government.
For the Government, DoD assumes it will take--
• An estimated 5 minutes to validate the existence of the correct level and currency of a CMMC certification or CMMC self-assessment results associated with offeror DoD UIDs in SPRS for the apparently successful offeror prior to award and for the contractor prior to exercising an option or extending any period of performance;
• An estimated 5 minutes to validate the existence of an affirmation that is current for each of the contractor information systems that will process, store, or transmit FCI or CUI; and
• An estimated 5 minutes to validate the existence of the correct level and currency of a CMMC certification or CMMC self-assessment and affirmation associated with contractor DoD UIDs in SPRS, when there are changes in the information systems during contract performance.
The primary cost impact of this proposed rule is that apparently
successful offerors for contracts that include a CMMC requirement will
now be required to conduct the cost activities described below in
accordance with the provision at DFARS 252.204-7YYY, Notice of
Cybersecurity Maturity Model Certification Level Requirement, and the
clause at DFARS 252.204-7021, Cybersecurity Maturity Model
Certification Requirements.
The benefits of this proposed rule include verification of a
defense industrial base (DIB) contractor's implementation of system
security requirements. The clause at DFARS 252.204-7012, Safeguarding
Covered Defense Information and Cyber Incident Reporting, does not
provide for the DoD verification of a DIB contractor's implementation
of the security requirements specified in National Institute of
Standards and Technology (NIST) Special Publication (SP) 800-171 prior
to contract award. CMMC adds the element of verification of a DIB
contractor's cybersecurity through the use of accredited third-party
assessors. This proposed rule provides increased assurance to DoD that
a DIB contractor can adequately protect sensitive unclassified
information such as CUI at a level commensurate with the risk,
accounting for information flow down to its subcontractors in a multi-
tier supply chain.
Another benefit of this proposed rule is that it supports the
protection of intellectual property and sensitive information from
malicious activity that has a significant impact on the U.S. economy
and national security. While there is not enough information to be able
to estimate the benefits of this rule at this time, DoD assumes there
will be a benefit from reducing the threat of malicious cyber activity.
The Council of Economic Advisers estimates that malicious cyber
activity cost the U.S. economy between $57 billion and $109 billion in
2016. Over a ten-year period, that burden would equate to an estimated
$512 billion to $979 billion in costs at a 2 percent discount rate.
The following is a summary of the estimated public and Government
costs calculated over a 10-year period at a 2 percent discount rate:
----------------------------------------------------------------------
Summary                        Public         Government        Total
----------------------------------------------------------------------
Present Value             $40,687,957        $25,237,882  $65,925,839
Annualized Costs            4,529,649          2,809,646    7,339,295
----------------------------------------------------------------------
Public comments are solicited on this analysis of the estimated
burden of the proposed rule.
V. Executive Orders 12866 and 13563
Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess
all costs and benefits of available regulatory alternatives and, if
regulation is necessary, to select regulatory approaches that maximize
net benefits (including potential economic, environmental, public
health and safety effects, distributive impacts, and equity). E.O.
13563 emphasizes the importance of quantifying both costs and benefits,
of reducing costs, of harmonizing rules, and of promoting flexibility.
This is a significant regulatory action and, therefore, was subject to
review under section 6(b) of E.O. 12866, Regulatory Planning and
Review, as amended.
VI. Regulatory Flexibility Act
DoD does not expect this proposed rule, when finalized, to have a
significant economic impact on a substantial number of small entities
within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601, et
seq. However, an initial regulatory flexibility analysis has been
performed and is summarized as follows:
This proposed rule is necessary to respond to the threat to the
U.S. economy and national security posed by
ongoing malicious cyber activities designed to steal hundreds of
billions of dollars of U.S. intellectual property. This proposed rule
includes the following requirements for apparently successful offerors
responding to a solicitation, and contractors awarded contracts,
containing a requirement for CMMC: (1) post in SPRS the results of a
current CMMC certificate or current CMMC self-assessment at the level
required by the solicitation, or higher, for each DoD UID applicable to
each of the contractor information systems that will process, store, or
transmit FCI or CUI and that will be used in performance of the
contract and maintain the CMMC level for the life of the contract; (2)
provide the DoD UID(s) applicable to each of those contractor
information systems to the contracting officer and provide updates, if
applicable; and (3) have a current affirmation of continuous compliance
with the security requirements identified at 32 CFR part 170 in SPRS
for each DoD UID applicable to each of those contractor information
systems. These requirements apply to apparently successful offerors
with a CMMC requirement in solicitations prior to award and to
contractors with a CMMC requirement in contracts prior to exercising an
option.
The proposed rule has two objectives. One objective is to provide
DoD with assurances that a defense industrial base contractor can
adequately protect sensitive unclassified information at a level
commensurate with the risk, accounting for information shared with its
subcontractors in a multi-tier supply chain. Another objective is to
partially implement section 1648 of the NDAA for FY 2020. The legal
basis for the rule is 41 U.S.C. 1303 and section 1648 of the NDAA for
FY 2020.
Given the enterprise-wide implementation of CMMC, DoD developed a
three-year phased rollout strategy. The rollout is intended to minimize
both the financial impacts to the industrial base, especially small
entities, and disruption to the existing DoD supply chain. Upon
completion of the phased implementation, this rule will impact all
small entities awarded contracts with DoD, except those providing only
COTS items and those that do not handle FCI or CUI. The estimated
number of small entities to which the rule will apply in year one is
1,104.
By the fourth year, all entities receiving DoD contracts and orders
that have contractor information systems that will process, store, or
transmit FCI or CUI and that will be used in performance of the
contract or order, other than contracts or orders exclusively for COTS
items, will be required to have, at minimum, a CMMC Level 1 self-
assessment or the CMMC Level identified in the solicitation and
resulting contract, as appropriate for the type of information being
handled under the contract. As described previously, it should be noted
that this requirement does not apply to awards that do not involve the
handling or transmission of FCI or CUI. By year four, the total
estimated number of small entities to which the rule will apply will be
60,783.
During the first three years of the phased rollout, the CMMC
requirement will be included only in certain contracts for which the
CMMC Program Office directs DoD component program offices to include a
CMMC requirement. After three years, DoD component program offices will
be required to include a requirement for CMMC in solicitations and
contracts that will require the contractor to process, store, or
transmit FCI or CUI on contractor information systems during contract
performance. Not every contractor will be awarded a contract in Year 4,
so it will take several years for every contractor in the defense
industrial base to be awarded a contract containing a requirement for
CMMC. DoD does not track how many years it takes for every contractor
to be awarded a DoD contract, so DoD assumes this will occur over a
period of several years.
Based on data from the Electronic Data Access system for FY 2021
through FY 2023, the number of unique entities with contracts
containing the clause at DFARS 252.204-7012, Safeguarding Covered
Defense Information and Cyber Incident Reporting, is 29,543, of which
20,395 (69 percent) are small entities. Therefore, DoD estimates that
in Year 4 and beyond, approximately 20,395 small entities will be
impacted per year. DoD anticipates that the following mix of self-
assessments and certificates will occur starting in Year 4; however, it
is likely to change based on component program office discretion
regarding whether a CMMC self-assessment or certificate is required
and, if so, at what level:
------------------------------------------------------------------------------------
CMMC Level                 Percentages   Small entities   Large entities   Total entities
------------------------------------------------------------------------------------
Level 1 Self-assessment         63           12,849            5,763           18,612
Level 2 Self-assessment          2              408              183              591
Level 2 Certificate             35            7,138            3,202           10,340
------------------------------------------------------------------------------------
Total Entities                 100           20,395            9,148           29,543
------------------------------------------------------------------------------------
This proposed rule includes new reporting, recordkeeping, or other
compliance requirements for small entities. The following is a summary
of the projected reporting and other compliance requirements associated
with the proposed rule: (1) a requirement for apparently successful
offerors to post results of current CMMC Level 1 and Level 2 self-
assessments to SPRS for each DoD UID applicable to each of the
contractor information systems that will process, store, or transmit
FCI or CUI and that will be used in performance of the contract, if
applicable; (2) a requirement for apparently successful offerors and
contractors to provide DoD UIDs for each of those contractor
information systems, if applicable, prior to award and when any changes
to DoD UIDs occur; and (3) a requirement for a senior company official
to complete and maintain on an annual basis, or when CMMC compliance
status changes occur, the affirmation of continuous compliance with the
security requirements identified at 32 CFR part 170 in SPRS for each
DoD UID applicable to each of those contractor information systems.
These reporting requirements would apply to any small entities that
are the apparently successful offeror for a contract for which there is
a requirement for a specific CMMC level. The requirement to post the
self-assessment will only apply to small entities that have a
requirement for a CMMC Level 1 or Level 2 self-assessment. The
requirement to provide DoD UIDs and the requirement for the senior
official to complete the affirmation in SPRS will apply to all small
entities that are apparently successful offerors for a solicitation or
contractors awarded a contract for which there is a requirement for
CMMC.
This proposed rule does not duplicate, overlap, or conflict with
any other Federal rules. This proposed DFARS rule implements the
contractual requirements related to the CMMC 2.0 program, which was
published as a separate proposed rule affecting 32 CFR part 170 on
December 26, 2023, at 88 FR 89058.
There are no known alternatives that would accomplish the stated
objectives of the applicable statute. This proposed rule uses a phased
rollout approach to implementation and applies the CMMC requirements
only to apparently successful offerors for solicitations and
contractors awarded a contract containing a CMMC requirement. This
proposed rule exempts contracts and orders exclusively for the
acquisition of COTS items to minimize any significant economic impact
of the proposed rule on small entities. Because of the across-the-board
risks of not implementing cybersecurity requirements, DoD was unable to
identify any additional alternatives that would reduce the burden on
small entities and still meet the objectives of the proposed rule.
DoD invites comments from small business concerns and other
interested parties on the expected impact of this proposed rule on
small entities.
DoD will also consider comments from small entities concerning the
existing regulations in subparts affected by this proposed rule in
accordance with 5 U.S.C. 610. Interested parties must submit such
comments separately and should cite 5 U.S.C. 610 (DFARS Case 2019-
D041), in correspondence.
VII. Paperwork Reduction Act
This proposed rule contains information collection requirements
that require the approval of the Office of Management and Budget under
the Paperwork Reduction Act (44 U.S.C. chapter 35). Accordingly, DoD
has submitted a request for approval of a new information collection
requirement concerning 2019-D041, Assessing Contractor Implementation
of Cybersecurity Requirements, to the Office of Management and Budget.
A. Estimate of Public Burden
Public reporting burden for this collection of information is
estimated to average 5 minutes (0.8333) per response, including the
time for reviewing instructions, searching existing data sources,
gathering and maintaining the data needed, and completing and reviewing
the collection of information.
The annual reporting burden is estimated as follows:
Respondents: 1,493.
Total annual responses: 30,990.
Total annual burden hours: 2,582.
B. Request for Comments Regarding Paperwork Burden
Written comments and recommendations on the proposed information
collection, including suggestions for reducing this burden, should be
submitted using the Federal eRulemaking Portal at https://www.regulations.gov or by email to [email protected]. Comments can be
received up to 60 days after the date of this notice.
Public comments are particularly invited on: whether this
collection of information is necessary for the proper performance of
the functions of DoD, including whether the information will have
practical utility; the accuracy of DoD's estimate of the burden of this
information collection; ways to enhance the quality, utility, and
clarity of the information to be collected; and ways to minimize the
burden of the information collection on respondents, including through
the use of automated collection techniques or other forms of
information technology.
To obtain a copy of the supporting statement and associated
collection instruments, please email [email protected]. Include DFARS
Case 2019-D041 in the subject line of the message.
List of Subjects in 48 CFR Parts 204, 212, 217, and 252
Government procurement.
Jennifer D. Johnson,
Editor/Publisher, Defense Acquisition Regulations System.
Therefore, the Defense Acquisition Regulations System proposes to
amend 48 CFR parts 204, 212, 217, and 252 as follows:
■ 1. The authority citation for 48 CFR parts 204, 212, 217, and 252
continues to read as follows:
Authority: 41 U.S.C. 1303 and 48 CFR chapter 1.
PART 204--ADMINISTRATIVE AND INFORMATION MATTERS
■ 2. Revise subpart 204.75 to read as follows:
Subpart 204.75--Cybersecurity Maturity Model Certification
Sec.
204.7500 Scope of subpart.
204.7501 Definitions.
204.7502 Policy.
204.7503 Procedures.
204.7504 Solicitation provision and contract clause.
Subpart 204.75--Cybersecurity Maturity Model Certification
204.7500 Scope of subpart.
(a) This subpart prescribes policies and procedures for including
the Cybersecurity Maturity Model Certification (CMMC) level
requirements in DoD contracts. CMMC is a framework (see 32 CFR part
170) for assessing a contractor's compliance with applicable
information security requirements (see https://DoDcio.defense.gov/CMMC/).
(b) This subpart does not abrogate any other requirements regarding
contractor physical, personnel, information, technical, or general
administrative security operations governing the protection of
unclassified information, nor does it affect requirements of the
National Industrial Security Program.
204.7501 Definitions.
As used in this subpart--
Controlled unclassified information means information the
Government creates or possesses, or an entity creates or possesses for
or on behalf of the Government, that a law, regulation, or
Governmentwide policy requires or permits an agency to handle using
safeguarding or dissemination controls (32 CFR 2002.4(h)).
Current means, with regard to Cybersecurity Maturity Model
Certification--
(1) Not older than 1 year for Level 1 self-assessments, with no
changes in CMMC compliance since the date of the assessment;
(2) Not older than 3 years for Level 2 certificates and self-
assessments, with no changes in CMMC compliance since the date of the
assessment;
(3) Not older than 3 years for Level 3 certificates, with no
changes in CMMC compliance since the date of the assessment; and
(4) Not older than 1 year for affirmations of continuous compliance
with the security requirements identified at 32 CFR part 170, with no
changes in CMMC compliance since the date of the affirmation.
DoD unique identifier means an alpha-numeric string of ten
characters assigned within the Supplier Performance Risk System to each
contractor assessment with the first two characters indicating the
confidence level of the assessment.
204.7502 Policy.
(a) The CMMC certificate or CMMC self-assessment level specified in
the contract is required for all information systems, used in the
performance of the contract, that will process, store, or
transmit Federal contract information (FCI) or controlled unclassified
information (CUI).
(b) Contractors are required to achieve, at time of award, a CMMC
certificate or CMMC self-assessment at the level specified in the
solicitation, or higher. Contractors are required to maintain a current
CMMC certificate or CMMC self-assessment at the specified level, if
required by the contract, task order, or delivery order, throughout the
life of the contract, task order, or delivery order.
(c) The CMMC assessments shall not duplicate efforts from any other
comparable DoD assessment, except for rare circumstances when a re-
assessment may be necessary, for example, when there are indications of
issues with cybersecurity and/or compliance with CMMC requirements.
204.7503 Procedures.
(a) The contracting officer shall include the CMMC level required
by the program office or requiring activity in the solicitation and
contract.
(b)(1) Contracting officers shall not award a contract, task order,
or delivery order to an offeror that does not have--
(i) The results of a current CMMC certificate or current CMMC self-
assessment at the level required by the solicitation, or higher, for
each DoD unique identifier (DoD UID) applicable to each of the
contractor information systems that will process, store, or transmit
FCI or CUI and that will be used in performance of the contract posted
in the Supplier Performance Risk System (SPRS) (see 32 CFR 170.15
through 170.18); and
(ii) A current affirmation of continuous compliance with the
security requirements identified at 32 CFR part 170 in SPRS for each
DoD UID applicable to each of the contractor information systems that
will process, store, or transmit FCI or CUI and that will be used in
performance of the contract.
(2) Contracting officers shall require the apparently successful
offeror to provide the DoD UID(s) applicable to each of the contractor
information systems that will process, store, or transmit FCI or CUI
and that will be used in performance of the contract. The contracting
officer shall ensure the program office or requiring activity reviews
the information described in paragraphs (b)(1)(i) and (ii) of this
section.
(c)(1) Contracting officers shall not exercise an option period or
extend the period of performance on a contract, task order, or delivery
order, unless the contractor has--
(i) A current CMMC certificate or CMMC self-assessment at the level
required by the contract, task order, or delivery order, or higher, for
each DoD UID applicable to each of the contractor information systems
that process, store, or transmit FCI or CUI and that are used in
performance of the contract; and
(ii) A current affirmation of continuous compliance with the
security requirements identified at 32 CFR part 170 in SPRS for each
DoD UID applicable to each of the contractor information systems that
process, store, or transmit FCI or CUI and that are used in performance
of the contract (see 252.204-7021, paragraph (b)(5)).
(2) The contracting officer shall ensure the program office or
requiring activity reviews the information described in paragraphs
(c)(1)(i) and (ii).
(d) If the contractor provides new DoD UIDs during performance of
the contract, the contracting officer shall ensure the program office
or requiring activity verifies in SPRS that the contractor--
(1) Has a current affirmation of continuous compliance with the
security requirements identified at 32 CFR part 170 for each DoD UID
applicable to each of the contractor information systems that process,
store, or transmit FCI or CUI (see 252.204-7021, paragraph (b)(5)); and
(2) Has a current CMMC certificate or CMMC self-assessment at the
required level, or higher, for each information system identified that
will process, store, or transmit FCI or CUI during contract performance
using the DoD UIDs assigned by SPRS.
204.7504 Solicitation provision and contract clause.
(a) Use the clause at 252.204-7021, Contractor Compliance with the
Cybersecurity Maturity Model Certification Level Requirements, in
solicitations and contracts, task orders, or delivery orders that
require the contractor to have a CMMC certificate or CMMC self-
assessment at a specific level, including those using FAR part 12
procedures for the acquisition of commercial products and commercial
services, except for solicitations and contracts or orders solely for
the acquisition of commercially available off-the-shelf items.
(b) Use the provision at 252.204-7YYY, Notice of Cybersecurity
Maturity Model Certification Level Requirements, in solicitations that
include the clause at 252.204-7021.
PART 212--ACQUISITION OF COMMERCIAL PRODUCTS AND COMMERCIAL
SERVICES
■ 3. Amend section 212.301--
■ a. In paragraph (f)(ii)(L) by removing ``204.7503(a) and (b)'' and
adding ``204.7504(a)'' in its place; and
■ b. By adding paragraph (f)(ii)(P) to read as follows:
212.301 Solicitation provisions and contract clauses for the
acquisition of commercial products and commercial services.
* * * * *
(f) * * *
(ii) * * *
(P) Use the provision at 252.204-7YYY, Notice of Cybersecurity
Maturity Model Certification Level Requirements, as prescribed in
204.7504(b).
* * * * *
PART 217--SPECIAL CONTRACTING METHODS
■ 4. Amend section 217.207--
■ a. In paragraph (c) introductory text by removing ``after:'' and adding
``after--'' in its place;
■ b. In paragraph (c)(1) by removing the period at the end of the
paragraph and adding ``; and'' in its place;
■ c. By revising paragraph (c)(2) introductory text;
■ d. In paragraph (c)(2)(i) by removing the period at the end of the
paragraph and adding ``; and'' in its place; and
■ e. By revising paragraph (c)(2)(ii).
The revisions read as follows:
217.207 Exercise of options.
(c) * * *
(2) Ensuring the program office or requiring activity verifies in
the Supplier Performance Risk System (https://piee.eb.mil) that--
* * * * *
(ii) If there is a requirement for the contractor to have a
Cybersecurity Maturity Model Certification (CMMC) certificate or CMMC
self-assessment at a specific level, the contractor has the required
affirmation(s) of continuous compliance with the security requirements
identified at 32 CFR part 170 and has posted the results of a current
(see 204.7501) CMMC certificate or CMMC self-assessment at the level
required by the contract, or higher. See 204.7503(c).
PART 252--SOLICITATION PROVISIONS AND CONTRACT CLAUSES
■ 5. Revise section 252.204-7021 to read as follows:
252.204-7021 Contractor Compliance With the Cybersecurity Maturity
Model Certification Level Requirements.
As prescribed in 204.7504(a), insert the following clause:
Contractor Compliance With the Cybersecurity Maturity Model
Certification Level Requirements (Date)
(a) Definitions. As used in this clause--
Controlled unclassified information means information the
Government creates or possesses, or an entity creates or possesses
for or on behalf of the Government, that a law, regulation, or
Governmentwide policy requires or permits an agency to handle using
safeguarding or dissemination controls (32 CFR part 2002.4(h)).
Current means, with regard to Cybersecurity Maturity Model
Certification (CMMC)--
(1) Not older than 1 year for Level 1 self-assessments, with no
changes in CMMC compliance since the date of the assessment;
(2) Not older than 3 years for Level 2 certificates and self-
assessments, with no changes in CMMC compliance since the date of
the assessment;
(3) Not older than 3 years for Level 3 certificates, with no
changes in CMMC compliance since the date of the assessment; and
(4) Not older than 1 year for affirmations of continuous
compliance with the security requirements identified at 32 CFR part
170, with no changes in CMMC compliance since the date of the
affirmation.
Cybersecurity Maturity Model Certification means a framework for
assessing a contractor's compliance with applicable information
security requirements (see 32 CFR part 170).
DoD unique identifier means an alpha-numeric string of ten
characters assigned within the Supplier Performance Risk System to
each contractor assessment, with the first two characters indicating
the confidence level of the assessment.
(b) Requirements. The Contractor shall--
(1)(i) Have a current CMMC certificate or current CMMC self-
assessment at the following CMMC level, or higher: _____
[Contracting Officer to fill in the required CMMC level]; and
(ii) Consult 32 CFR part 170 related to flowing down information
in order to establish the correct CMMC level requirements for
subcontracts and other contractual instruments;
(2) Maintain the CMMC level required by this contract for the
duration of the contract for all information systems, used in
performance of the contract, that process, store, or transmit
Federal contract information (FCI) or controlled unclassified
information (CUI);
(3) Only process, store, or transmit data on information systems
that have a CMMC certificate or CMMC self-assessment at the CMMC
level required by the contract, or higher;
(4) Notify the Contracting Officer within 72 hours when there
are any lapses in information security or changes in the status of
CMMC certificate or CMMC self-assessment levels during performance
of the contract;
(5) Complete and maintain on an annual basis, or when changes
occur in CMMC compliance status (see 32 CFR part 170), an
affirmation of continuous compliance with the security requirements
associated with the CMMC level required in paragraph (b)(1) of this
clause in the Supplier Performance Risk System (SPRS) (https://piee.eb.mil) for each DoD unique identifier (DoD UID) applicable to
each of the contractor information systems that process, store, or
transmit FCI or CUI and that are used in performance of the
contract; and
(6) Ensure all subcontractors and suppliers complete and
maintain on an annual basis, or when changes occur in CMMC
compliance status (see 32 CFR part 170), an affirmation of
continuous compliance with the security requirements associated with
the CMMC level required for the subcontract or other contractual
instrument for each of the contractor information systems that
process, store, or transmit FCI or CUI and that are used in
performance of the contract.
(c) Reporting. The Contractor shall--
(1) Submit to the Contracting Officer the DoD UID(s) issued by
SPRS for contractor information systems that will process, store, or
transmit FCI or CUI during performance of the contract;
(2) Enter into SPRS the results of self-assessment(s) for each
DoD UID applicable to each of the contractor information systems
that process, store, or transmit FCI or CUI and that are used in
performance of the contract; and
(3) Report to the Contracting Officer any changes to the list of
DoD UIDs applicable to each of the contractor information systems
that process, store, or transmit FCI or CUI and that are used in
performance of the contract.
(d) Subcontracts. The Contractor shall--
(1) Insert the substance of this clause, including this
paragraph (d), and exclude paragraphs (b)(5) and (c), in
subcontracts and other contractual instruments, including those for
the acquisition of commercial products and commercial services,
excluding commercially available off-the-shelf items, when there is
a requirement under the subcontract or similar contractual
instrument for a CMMC level; and
(2) Prior to awarding a subcontract or other contractual
instrument, ensure that the subcontractor has a current CMMC
certificate or current CMMC self-assessment at the CMMC level that
is appropriate for the information that is being flowed down to the
subcontractor.
(End of clause)
6. Add section 252.204-7YYY to read as follows:
252.204-7YYY Notice of Cybersecurity Maturity Model Certification
Level Requirements.
As prescribed in 204.7504(b) use the following provision:
Notice of Cybersecurity Maturity Model Certification Level Requirements
(Date)
(a) Definitions. As used in this provision, controlled
unclassified information, current, Cybersecurity Maturity Model
Certification, and DoD unique identifier have the meaning given in
the Defense Federal Acquisition Regulation Supplement 252.204-7021,
Contractor Compliance With the Cybersecurity Maturity Model
Certification Level Requirements, clause of this solicitation.
(b)(1) Cybersecurity Maturity Model Certification (CMMC) level.
The CMMC certificate or CMMC self-assessment level required by this
solicitation is: _____ [Contracting Officer insert: CMMC Level 1
self-assessment; CMMC Level 2 certificate or CMMC self-assessment;
or CMMC Level 3 certificate]. This CMMC certificate or CMMC self-
assessment level, or higher, is required prior to award for each
contractor information system that will process, store, or transmit
Federal contract information (FCI) or controlled unclassified
information (CUI) during performance of the contract.
(2) The apparently successful offeror will not be eligible for
award of a contract, task order, or delivery order resulting from
this solicitation if the apparently successful offeror does not have
the results of a current CMMC certificate or self-assessment entered
in the Supplier Performance Risk System (SPRS) (https://piee.eb.mil)
at the CMMC level required by paragraph (b)(1) of this provision and
an affirmation of continuous compliance with the security
requirements identified at 32 CFR part 170 in SPRS for each of the
contractor information systems that will process, store, or transmit
FCI or CUI and that will be used in performance of a contract
resulting from this solicitation.
(c) DoD unique identifiers. At the request of the Contracting
Officer, the apparently successful offeror shall provide the DoD
unique identifier(s) issued by SPRS for each contractor information
system that will process, store, or transmit FCI or CUI during
performance of a contract, task order, or delivery order resulting
from this solicitation. The DoD unique identifier(s) are provided in
SPRS after the Offeror enters the results of self-assessment(s) for
each such information system.
(End of provision)
[FR Doc. 2024-18110 Filed 8-14-24; 8:45 am]
BILLING CODE 6001-FR-P