Cybersecurity Maturity Model Certification (CMMC) Program, 83092-83237 [2024-22905]

83092 Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations

DEPARTMENT OF DEFENSE
Office of the Secretary
32 CFR Part 170
[Docket ID: DoD–2023–OS–0063]
RIN 0790–AL49

Cybersecurity Maturity Model Certification (CMMC) Program

AGENCY: Office of the Department of Defense Chief Information Officer (CIO), Department of Defense (DoD).

ACTION: Final rule.

SUMMARY: With this final rule, DoD establishes the Cybersecurity Maturity Model Certification (CMMC) Program in order to verify that contractors have implemented the security measures required to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The mechanisms discussed in this rule will allow the Department to confirm that a defense contractor or subcontractor has implemented the security requirements for a specified CMMC level and is maintaining that status (meaning level and assessment type) across the contract period of performance. This rule will be updated as needed, using the appropriate rulemaking process, to address evolving cybersecurity standards, requirements, threats, and other relevant changes.

DATES: This rule is effective December 16, 2024. The incorporation by reference of certain material listed in this rule is approved by the Director of the Federal Register as of December 16, 2024.

FOR FURTHER INFORMATION CONTACT: Ms. Diane Knight, Office of the DoD CIO, at osd.pentagon.dod-cio.mbx.cmmcinquiries@mail.mil or 202–770–9100.

SUPPLEMENTARY INFORMATION:

History of the Program

CMMC has its origins in Executive Order (E.O.) 13556,1 Controlled Unclassified Information, of November 2010. The intent of this Order was to "establish an open and uniform program for managing [unclassified] information that requires safeguarding or dissemination controls." Prior to this E.O., more than 100 different markings for this information existed across the executive branch.
This ad hoc, agency-specific approach created inefficiency and confusion, led to a patchwork system that failed to adequately safeguard information requiring protection, and unnecessarily restricted information-sharing. As a result, the E.O. established the CUI Program to standardize the way the executive branch handles information requiring safeguarding or dissemination controls (excluding information that is classified under E.O. 13526, Classified National Security Information,2 or any predecessor or successor order, or under the Atomic Energy Act of 1954,3 as amended).

In 2019, DoD announced the development of CMMC in order to move away from a "self-attestation" model of security. It was first conceived by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) to secure the Defense Industrial Base (DIB) sector against evolving cybersecurity threats. In September 2020, DoD published the 48 CFR CMMC interim final rule, Defense Federal Acquisition Regulation Supplement (DFARS): Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019–D041, 85 FR 48513, September 9, 2020),4 which implemented the DoD's vision for the initial CMMC Program and outlined the basic features of the framework (a tiered model of practices and processes, required assessments, and implementation through contracts) to protect FCI and CUI. The 48 CFR CMMC interim final rule became effective on 30 November 2020, establishing a five-year phase-in period. In response to approximately 750 public comments on the 48 CFR CMMC interim final rule, in March 2021 the Department initiated an internal review of CMMC's implementation.

1 www.federalregister.gov/citation/75-FR-68675 (November 4, 2010).
In November 2021, the Department announced the revised CMMC Program, an updated program structure and requirements designed to achieve the primary goals of the internal review:

• Safeguard sensitive information to enable and protect the warfighter
• Enforce DIB cybersecurity standards to meet evolving threats
• Ensure accountability while minimizing barriers to compliance with DoD requirements
• Perpetuate a collaborative culture of cybersecurity and cyber resilience
• Maintain public trust through high professional and ethical standards

The revised CMMC Program has three key features:

• Tiered Model: CMMC requires companies entrusted with Federal contract information and controlled unclassified information to implement cybersecurity standards at progressively advanced levels, depending on the type and sensitivity of the information. The program also describes the process for requiring protection of information flowed down to subcontractors.
• Assessment Requirement: CMMC assessments allow the Department to verify the implementation of clear cybersecurity standards.
• Phased Implementation: Once CMMC rules become effective, certain DoD contractors handling FCI and CUI will be required to achieve a particular CMMC level as a condition of contract award. CMMC requirements will be implemented using a 4-phase implementation plan over a three-year period.

2 www.federalregister.gov/citation/75-FR-707 (December 29, 2009).
3 www.govinfo.gov/link/uscode/42/2011, et seq.
4 www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of.
Current Status of the CMMC Program

Separate from this rulemaking, DoD has a proposed acquisition rule (48 CFR part 204 CMMC Acquisition rule) to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to address procurement-related considerations and requirements related to this program rule (32 CFR part 170 CMMC Program rule). The 48 CFR part 204 CMMC Acquisition rule also partially implements a section of the National Defense Authorization Act for Fiscal Year 2020 directing the Secretary of Defense to develop a consistent, comprehensive framework to enhance cybersecurity for the U.S. defense industrial base.5 The 48 CFR part 204 CMMC Acquisition rule, when finalized, will allow DoD to require a specific CMMC level in a solicitation or contract. When CMMC requirements are applied to a solicitation, contracting officers will not make award, exercise an option, or extend the period of performance on a contract if the offeror or contractor does not have the passing results of a current certification assessment or self-assessment for the required CMMC level, and an affirmation of continuous compliance with the security requirements in the Supplier Performance Risk System (SPRS)6 for all information systems that process, store, or transmit FCI or CUI during contract performance. Furthermore, the appropriate CMMC certification requirements will flow down to subcontractors at all tiers when the subcontractor processes, stores, or transmits FCI or CUI.

5 www.federalregister.gov/documents/2024/08/15/2024-18110/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of.
6 www.sprs.csd.disa.mil/ under OMB control number 0750–0004.
It should be noted the Department may include CMMC requirements on contracts awarded prior to the 48 CFR part 204 CMMC Acquisition rule becoming effective, but doing so will require bilateral contract modification after negotiations.

To date, the DoD has relied on offeror representation that the security requirements of National Institute of Standards and Technology (NIST) Special Publication (SP) 800–171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," have been met, as described by 48 CFR 252.204–7008. In some instances, the DoD has verified contractor implementation of NIST SP 800–171 through assessment by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). As part of this responsibility, DCMA DIBCAC assesses DIB companies to ensure they are meeting contractually required cybersecurity standards and to ensure contractors have the ability to protect CUI for government contracts they are awarded. DCMA DIBCAC conducts NIST SP 800–171 assessments in support of 48 CFR 252.204–7012 (DFARS clause 252.204–7012), Safeguarding Covered Defense Information and Cyber Incident Reporting,7 and 48 CFR 252.204–7020 (DFARS clause 252.204–7020), NIST SP 800–171 DoD Assessment Requirements.8 The DCMA DIBCAC prioritization process is designed to adjust as DoD's cyber priorities evolve based on ongoing threats. DCMA DIBCAC collects and analyzes data on DoD contractors, including:

• Mission critical programs, technologies, and infrastructure and the contractors (prime or lower tier) that support DoD capabilities.
• Cyber threats, vulnerabilities, or incidents.
• DoD Leadership requests.

To date, DCMA DIBCAC has assessed 357 entities including DoD's major prime contractors.
In accordance with NIST SP 800–171, titled "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," Revision 2, February 2020 (includes updates as of January 28, 2021) (NIST SP 800–171 R2), contractors must describe in a System Security Plan (SSP)9 how the security requirements are met or how the organization plans to meet the requirements and address known and anticipated threats. In the event companies cannot establish full compliance, they must develop plans of action that describe how unimplemented security requirements will be met and how any planned mitigations will be implemented. Although an explicit time limit for mitigation is not specified in NIST SP 800–171 R2, contractors that fail to reasonably comply with applicable requirements may be subject to standard contractual remedies.

The CMMC Program's assessment phase-in plan, as described in § 170.3, does not preclude entities from immediately seeking a CMMC certification assessment prior to the 48 CFR part 204 CMMC Acquisition rule being finalized and the clause being added to new or existing DoD contracts. The Department estimates 8350 medium and large entities will be required to meet CMMC Level 2 C3PAO assessment requirements as a condition of contract award. CMMC Level 2 requirements will apply to all contractors that process, store, or transmit CUI, and will provide DoD with a means to assess that CUI safeguarding requirements prescribed in 32 CFR part 2002 have been met.

DoD estimates 135 CMMC Third-Party Assessment Organization (C3PAO)-led certification assessments will be completed in the first year, 673 C3PAO certification assessments in year 2, 2,252 C3PAO certification assessments in year 3, and 4,452 C3PAO certification assessments in year four. Any DoD component can request DCMA DIBCAC to initiate an assessment, and these requests will take priority in the assessment scheduling process. Once identified for assessment, DCMA DIBCAC determines the assessment date and notifies the company to begin the pre-assessment process. Typically, planning and scheduling takes place 3 to 6 months in advance of a DCMA DIBCAC assessment to allow DCMA DIBCAC and the DIB company time to prepare; however, DoD's identified priorities may expedite the execution of an assessment. As discussed in more detail in the regulatory text, assessment results are reported to DoD, including key stakeholders, via SPRS and made available to the DIB company. Please see the DCMA DIBCAC website at www.dcma.mil/DIBCAC/, which includes links to the pre-assessment documents; a publicly releasable version of the assessment database; FAQs; an informational video; a link to Procurement Integrated Enterprise Environment (PIEE), the primary enterprise procure-to-pay application for the DoD; a link to SPRS where assessment scores are posted; and links to other reference materials. As discussed in more detail later in the regulatory text, all requirements that are scored as NOT MET are identified in a Plan of Action and Milestones (POA&M) to meet the CMMC requirement.

7 www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting.
8 www.acquisition.gov/dfars/252.204-7020-nist-sp-800-171-dod-assessment-requirements.
9 Required since November 2016, NIST SP 800–171 R2 security requirement 3.12.4 states organizations must "develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems."
Organizations Seeking Assessment (OSAs) satisfy the CMMC requirements needed for contract award by successfully meeting all 110 security requirements of NIST SP 800–171 R2, or by receiving a Conditional CMMC Status when achieving the minimum passing score of 80 percent and including only permittable NOT MET requirements, as described in § 170.21, on the POA&M. All requirements that were scored "NOT MET" and placed on the POA&M must be remedied within 180 days of receiving the Conditional CMMC Status. Proper implementation of these requirements must be verified by a second assessment, called a POA&M closeout assessment. If the POA&M closeout assessment finds that all requirements have been met, then the OSA will achieve a CMMC Status of Final Level 2 (Self) or Final Level 2 (C3PAO), as applicable. However, if the POA&M closeout assessment does not validate that all requirements have been met by the end of the 180 days, then the CMMC Status of Conditional Level 2 (Self) or Conditional Level 2 (C3PAO) will expire, and at this point standard contractual remedies will apply for any current contract.

DoD has created a series of guidance documents to assist organizations in better understanding the CMMC Program and the assessment process and scope for each CMMC level. These guidance documents are available on the DoD CMMC website at https://dodcio.defense.gov/CMMC/Documentation/ and on the DoD Open Government website at https://open.defense.gov/Regulatory-Program/Guidance-Documents/.

The CMMC Program has also been incorporated in the Department's 2024 Defense Industrial Base Cybersecurity Strategy.10 The strategy requires the Department to coordinate and collaborate across components to identify and close gaps in protecting DoD networks, supply chains, and other critical resources. Other prongs of the Department's cybersecurity strategy are described in the Department's National Industrial Security Program Operating Manual (NISPOM), which addresses implementation of the Security Executive Agent Directive (SEAD) 3;11 procedures for the protection and reproduction of classified information; controlled unclassified information (CUI); National Interest Determination (NID) requirements for cleared contractors operating under a Special Security Agreement for Foreign Ownership, Control, or Influence; and eligibility determinations for personnel security clearance processes and requirements.12

10 https://media.defense.gov/2024/Mar/28/2003424523/-1/-1/1/DOD_DOB_CS_STRATEGY_DSD_SIGNED_20240325.PDF.

Overview of Revised CMMC Program

Current Requirements for Defense Contractors and Subcontractors

Currently, Federal contracts (including defense contracts) involving the transfer of FCI to a non-Government organization follow the requirements specified in 48 CFR 52.204–21 (Federal Acquisition Regulation (FAR) clause 52.204–21), Basic Safeguarding of Covered Contractor Information Systems.13 FAR clause 52.204–21 requires compliance with 15 security requirements, FAR clause 52.204–21(b)(1), items (i) through (xv). These requirements are the minimum necessary for any entity wishing to receive FCI from the US Government (USG). Defense contracts involving the development or transfer of CUI to a non-Government organization require applicable requirements of DFARS clause 252.204–7012.14 This clause requires defense contractors to provide adequate security on all covered contractor information systems by implementing the 110 security requirements specified in NIST SP 800–171.
This clause includes additional requirements; for example, defense contractors must confirm that any Cloud Service Providers (CSPs) used by the contractor to handle CUI meet Federal Risk and Authorization Management Program (FedRAMP) Moderate Baseline or the equivalent requirements. It also requires defense contractors to flow down all the requirements to their subcontractors who process, store, or transmit CUI. The CMMC Program currently does not include any requirements for contractors operating systems on behalf of the DoD.

To comply with DFARS clause 252.204–7012, contractors are required to develop an SSP15 detailing the policies and procedures their organization has in place to comply with NIST SP 800–171. The SSP serves as a foundational document for the required NIST SP 800–171 self-assessment. To comply with 48 CFR 252.204–7019 (DFARS provision 252.204–7019) and DFARS clause 252.204–7020, self-assessment scores must be submitted.16 The highest score is 110, meaning all 110 NIST SP 800–171 security requirements have been fully implemented. If a contractor's Supplier Performance Risk System (SPRS) score is less than 110, indicating security gaps exist, then the contractor must create a plan of action17 identifying security tasks that still need to be accomplished. In essence, an SSP describes the cybersecurity plan the contractor has in place to protect CUI. The SSP needs to address each NIST SP 800–171 security requirement and explain how the requirement is implemented. This can be through policy, technology, or a combination of both.

11 www.govinfo.gov/content/pkg/FR-2020-12-21/pdf/2020-27698.pdf.
12 www.dcsa.mil/Industrial-Security/National-Industrial-Security-Program-Oversight/32-CFR-Part-117-NISPOM-Rule/.
13 www.acquisition.gov/far/52.204-21.
14 www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting.
In November 2020, the DoD released its 48 CFR CMMC interim final rule, the Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements18 (DFARS Case 2019–D041, 85 FR 61505, November 30, 2020). The goal of this rule was to increase compliance with its cybersecurity regulations and improve security throughout the DIB. This rule introduced one new provision and two new clauses: DFARS provision 252.204–7019, DFARS clause 252.204–7020, and 48 CFR 252.204–7021 (DFARS clause 252.204–7021).

• DFARS provision 252.204–7019 complements DFARS clause 252.204–7012 by requiring contractors to have a NIST SP 800–171 assessment (basic, medium, or high) according to the NIST SP 800–171 DoD Assessment Methodology.19 Assessment scores must be reported to the Department via SPRS. SPRS scores must be submitted by the time of contract award and not be more than three years old.
• DFARS clause 252.204–7020 notifies contractors that DoD reserves the right to conduct a higher-level assessment of contractors' cybersecurity compliance, and contractors must give DoD assessors full access to their facilities, systems, and personnel. Further, DFARS clause 252.204–7020 complements DFARS clause 252.204–7012's flow-down requirements by holding contractors responsible for confirming their subcontractors have SPRS scores on file prior to awarding them contracts.
• DFARS clause 252.204–7021 paves the way for rollout of the CMMC Program. Once CMMC is implemented, the required CMMC Level and assessment type will be specified in the solicitation and resulting contract. Contractors handling FCI or CUI will be required to meet the CMMC requirement specified in the contract. DFARS clause 252.204–7021 also stipulates contractors will be responsible for flowing down the CMMC requirements to their subcontractors.

15 Required since November 2016, NIST SP 800–171 R2 security requirement 3.12.4 states organizations must "develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems."
16 www.sprs.csd.disa.mil/ under OMB control number 0750–0004.
17 The plan of action requirement described under DFARS clause 252.204–7020 is different from a Plan of Action and Milestones (POA&M) requirement in CMMC, as plans of action do not require milestones.
18 www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of.
19 www.acq.osd.mil/asda/dpc/cp/cyber/docs/safeguarding/NIST-SP-800-171-Assessment-Methodology-Version-1.2.1-6.24.2020.pdf.

32 CFR Part 170 Additional Requirements for Defense Contractors and Subcontractors Discussed in This Final Rule

When this 32 CFR part 170 CMMC Program rule and the complementary 48 CFR part 204 CMMC Acquisition rule are finalized, and following a phased implementation plan, solicitations and resulting defense contracts involving the processing, storing, or transmitting of FCI or CUI on a non-Federal system will, unless waived, have a CMMC level and assessment type requirement that a contractor must meet to be eligible for a contract award. The four phases of the implementation plan add CMMC level requirements incrementally, starting in Phase 1 with self-assessments and ending in Phase 4, which represents full implementation of program requirements. The DoD elected to base the phase-in plan on the level and type of assessment to provide time to train the necessary number of assessors, and to allow companies time to understand and implement CMMC requirements. Details of each phase are addressed in § 170.3(e).
In Phases 2 and 3, DoD will implement CMMC Level 2 and Level 3 certification requirements, respectively. At full implementation (Phase 4), DoD will include CMMC requirements in all applicable DoD contracts and option periods on contracts awarded after the beginning of Phase 4. Table 1 defines the requirements for each CMMC level and assessment type.

TABLE 1—CMMC LEVEL AND ASSESSMENT REQUIREMENTS

Columns: CMMC status | Source & number of security reqts. | Assessment reqts. | Plan of action & milestones (POA&M) reqts. | Affirmation reqts.

Level 1 (Self)
  Source & number of security reqts.: • 15 required by FAR clause 52.204–21.
  Assessment reqts.: • Conducted by Organization Seeking Assessment (OSA) annually. • Results entered into SPRS (or its successor capability).
  POA&M reqts.: • Not permitted.
  Affirmation reqts.: • After each assessment. • Entered into SPRS.

Level 2 (Self)
  Source & number of security reqts.: • 110 NIST SP 800–171 R2 required by DFARS clause 252.204–7012.
  Assessment reqts.: • Conducted by OSA every 3 years. • Results entered into SPRS (or its successor capability). • CMMC Status will be valid for three years from the CMMC Status Date as defined in § 170.4.
  POA&M reqts.: • Permitted as defined in § 170.21(a)(2) and must be closed out within 180 days. • Final CMMC Status will be valid for three years from the Conditional CMMC Status Date.
  Affirmation reqts.: • After each assessment and annually thereafter. • Assessment will lapse upon failure to annually affirm. • Entered into SPRS (or its successor capability).

Level 2 (C3PAO)
  Source & number of security reqts.: • 110 NIST SP 800–171 R2 required by DFARS clause 252.204–7012.
  Assessment reqts.: • Conducted by C3PAO every 3 years. • Results entered into CMMC Enterprise Mission Assurance Support Service (eMASS) (or its successor capability). • CMMC Status will be valid for three years from the CMMC Status Date as defined in § 170.4.
  POA&M reqts.: • Permitted as defined in § 170.21(a)(2) and must be closed out within 180 days. • Final CMMC Status will be valid for three years from the Conditional CMMC Status Date.
  Affirmation reqts.: • After each assessment and annually thereafter. • Assessment will lapse upon failure to annually affirm. • Entered into SPRS (or its successor capability).

Level 3 (DIBCAC)
  Source & number of security reqts.: • 110 NIST SP 800–171 R2 required by DFARS clause 252.204–7012. • 24 selected from NIST SP 800–172 Feb2021, as detailed in table 1 to § 170.14(c)(4).
  Assessment reqts.: • Pre-requisite CMMC Status of Level 2 (C3PAO) for the same CMMC Assessment Scope, for each Level 3 certification assessment. • Conducted by Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every 3 years. • Results entered into CMMC eMASS (or its successor capability). • CMMC Status will be valid for three years from the CMMC Status Date as defined in § 170.4.
  POA&M reqts.: • Permitted as defined in § 170.21(a)(3) and must be closed out within 180 days. • Final CMMC Status will be valid for three years from the Conditional CMMC Status Date.
  Affirmation reqts.: • After each assessment and annually thereafter. • Assessment will lapse upon failure to annually affirm. • Level 2 (C3PAO) affirmation must also continue to be completed annually. • Entered into SPRS (or its successor capability).

Program Walkthrough—Contractor Perspective

This section provides a simplified walkthrough of the CMMC Program from the perspective of an Organization Seeking Assessment (OSA) seeking to comply with program requirements.

CMMC Level Selection

An OSA will select the CMMC level it desires to attain. Once the CMMC Program is implemented, a DoD solicitation will specify the minimum CMMC Status required to be eligible for award. One of four CMMC Statuses will be specified:

• Level 1 (Self) is a self-assessment to secure FCI processed, stored, or transmitted in the course of fulfilling the contract. The OSA must comply with the 15 security requirements set by FAR clause 52.204–21. All 15 requirements must be met in full—no exceptions are allowed.
• Level 2 (Self) is a self-assessment to secure CUI processed, stored, or transmitted in the course of fulfilling the contract. The OSA must comply with the 110 Level 2 security requirements derived from NIST SP 800–171 R2.
• Level 2 (C3PAO) differs from Level 2 (Self) in the method of verifying compliance. OSAs must hire a C3PAO to conduct an assessment of the OSA's compliance with the 110 security requirements of NIST SP 800–171 R2. OSAs can shop for C3PAOs on the CMMC Accreditation Body (AB) Marketplace.
• Level 3 (DIBCAC) is a government assessment of 24 additional requirements derived from NIST SP 800–172, titled "Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800–171," February 2021 (NIST SP 800–172 Feb2021). The OSA must ensure that it has already achieved a CMMC Status of Final Level 2 (C3PAO) before seeking a CMMC Status of Final Level 3 (DIBCAC). Once this is done, an OSA should then initiate a Level 3 certification assessment by emailing a request to the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) point of contact found at www.dcma.mil/DIBCAC, being sure to include the Level 2 (C3PAO) certification unique identifier in the email.

Scoping

In order to achieve a specified CMMC Status, OSAs must first identify which information systems, including systems or services provided by External Service Providers (ESPs), will process, store, or transmit FCI, for Level 1 (Self), or CUI, for all other CMMC Statuses. These information systems constitute the scope of the assessment. Within these information systems, for Level 2 and Level 3 the assets should be further broken down into asset categories: Contractor Risk Managed Assets (Level 2), Security Protection Assets (Level 2 and 3), and Specialized Assets (Level 2 and 3).
For Level 1, all assets, with the exclusion of Specialized Assets, are simply identified as either in-scope or out-of-scope based on whether they process, store, or transmit FCI. Definitions and treatment of these categories as they relate to assessment scoping, treatment of ESPs, and treatment of assets which cannot be secured due to their inherent design can be found at § 170.19.

Assessment and Affirmation

a. OSAs that meet all 15 Level 1 requirements have achieved a CMMC Status of Final Level 1 (Self). The OSA must submit an affirmation of compliance with FAR clause 52.204–21 requirements in SPRS. At this point, OSAs have satisfied the CMMC requirements needed for award of contracts requiring a CMMC Status of Final Level 1 (Self). To maintain a CMMC Status of Final Level 1 (Self), this entire process must be repeated in full on an annual basis, including both self-assessment and affirmation.

b. For Level 2 assessments, if all 110 requirements are satisfied, the assessment score will be 110 and the OSA will have achieved a CMMC Status of Final Level 2 (Self) or Final Level 2 (C3PAO), as applicable, and is eligible for contract award as long as all other contractual requirements are met. Not all requirements must immediately be MET to be eligible for contract award. If the minimum score is achieved on the assessment (equal to 80% of the maximum score) and certain critical requirements are met, OSAs will achieve a CMMC Status of Conditional Level 2 (Self) or Conditional Level 2 (C3PAO), as applicable. All NOT MET requirements must be noted in an assessment Plan of Action and Milestones (POA&M).
At this point the OSA will have satisfied the CMMC requirements needed for contract award. OSAs must have met all 110 security requirements of NIST SP 800–171 R2 within 180 days of receiving their Conditional CMMC Status, which must be verified with a second assessment, called a POA&M closeout assessment. If the POA&M closeout assessment finds that all requirements have been met, then the OSA will achieve a CMMC Status of Final Level 2 (Self) or Final Level 2 (C3PAO), as applicable. However, if a POA&M closeout assessment does not find that all requirements have been met by the end of 180 days, then the CMMC Status of Conditional Level 2 (Self) or Conditional Level 2 (C3PAO) will expire. At this point, standard contractual remedies will apply.

The OSA should submit an affirmation into SPRS after achieving a CMMC Status of Conditional Level 2 (Self) or Conditional Level 2 (C3PAO), as applicable. OSAs should submit an affirmation once a CMMC Status of Final Level 2 (Self) or Final Level 2 (C3PAO), as applicable, is achieved. Being eligible for contracts subject to CMMC Level 2 (Self) also indicates eligibility for contracts subject to Level 1 (Self), and being eligible for contracts subject to CMMC Level 2 (C3PAO) also indicates eligibility for contracts subject to Level 1 (Self) and Level 2 (Self), assuming all other contractual requirements are met. OSAs must reaffirm in SPRS their compliance with CMMC Level 2 requirements annually but need only conduct a new assessment every three years. These deadlines are based on the CMMC Status Date of the Conditional Status if a POA&M was required, or of the Final Status if the assessment resulted in a score of 110. The CMMC Status Date is not based on the date of a POA&M closeout assessment.

c. For Level 3 assessments, OSAs should note that asset categories are assessed against security requirements differently than they are at Level 2.
In particular, Contractor Risk Managed Assets identified in a Level 2 scope are treated as CUI Assets if they reside within a Level 3 scope. Definitions and treatment of these assets at Level 3 as they relate to scoping of the assessment, in addition to treatment of ESPs, are described in § 170.19(d). During the course of the assessment, DCMA DIBCAC will focus on assessing compliance with all 24 selected requirements derived from NIST SP 800–172 Feb2021, but limited checks may be performed on the 110 requirements from NIST SP 800–171 R2. If DCMA DIBCAC identifies that all 24 requirements from NIST SP 800–172 Feb2021 are satisfied, the OSA will have achieved a CMMC Status of Final Level 3 (DIBCAC) and is eligible for contract award as long as all other contractual requirements are met. Not all requirements must immediately be MET to be eligible for contract award. If the minimum score is achieved on the assessment (equal to 80% of the maximum score of 24) and certain critical requirements are met, OSAs will achieve a CMMC Status of Conditional Level 3 (DIBCAC), and all NOT MET requirements must be noted in a POA&M. At this point the OSA will have satisfied the CMMC requirements needed for contract award. OSAs must have met all 24 selected security requirements of NIST SP 800–172 Feb2021 within 180 days of receiving their Conditional CMMC Status, which must be verified with a POA&M closeout assessment by DCMA DIBCAC. If the POA&M closeout assessment finds that all requirements have been met, then the OSA will achieve a CMMC Status of Final Level 3 (DIBCAC). However, if a POA&M closeout assessment does not find that all requirements have been met by the end of 180 days, then the CMMC Status of Conditional Level 3 (DIBCAC) will expire. At this point, standard contractual remedies will apply.
The OSA should submit an affirmation into SPRS after achieving a CMMC Status of Conditional Level 3 (DIBCAC) if applicable and once a CMMC Status of Final Level 3 (DIBCAC) is achieved. Being eligible for contracts subject to CMMC Level 3 (DIBCAC) also indicates eligibility for contracts subject to Level 1 (Self), Level 2 (Self), and Level 2 (C3PAO), assuming all other contractual requirements are met. To maintain CMMC Level 3 (DIBCAC) status, an OSA must undergo both a Level 2 certification assessment and a Level 3 certification assessment every three years and separately affirm compliance with Level 2 and Level 3 requirements in SPRS annually. These deadlines are based on the CMMC Status Date of the Conditional certification if applicable or the CMMC Status Date of the Final determination. The CMMC Status Date is not based on the date of a POA&M closeout assessment.

Flow-Down

If the OSA employs subcontractors to fulfill the contract, those subcontractors must also have a minimum CMMC Status as shown in table 2.

TABLE 2—MINIMUM FLOW-DOWN REQUIREMENTS

Prime contractor requirement    Minimum subcontractor requirement if the subcontractor will process, store, or transmit:
                                FCI                 CUI
Level 1 (Self)                  Level 1 (Self)      N/A
Level 2 (Self)                  Level 1 (Self)      Level 2 (Self)
Level 2 (C3PAO)                 Level 1 (Self)      Level 2 (C3PAO)
Level 3 (DIBCAC)                Level 1 (Self)      Level 2 (C3PAO)

Summary of Provisions Contained in This Rule

Section 170.1 Purpose

Section 170.1 addresses the purpose of this rule. It describes the CMMC Program and establishes policy for requiring the protection of FCI and CUI that is processed, stored, or transmitted on defense contractor and subcontractor information systems. The security standards utilized in the CMMC Program are from the FAR clause 52.204–21; DFARS clause 252.204–7012 that implements NIST SP 800–171 R2; and selected requirements from the NIST SP 800–172 Feb2021, as applicable. The purpose of the CMMC Program is for contractors and subcontractors to demonstrate that FCI and CUI being processed, stored, or transmitted is adequately safeguarded through the methodology provided in the rule.

Section 170.2 Incorporation by Reference

Section 170.2 addresses the standards and guidelines that are incorporated by reference. The Director of the Federal Register under 5 U.S.C. 552(a) and 1 CFR part 51 approves any materials that are incorporated by reference. Materials that are incorporated by reference in this rule are reasonably available. Information on how to access the documents is detailed in § 170.2. Materials that are incorporated by reference in this rule are from the NIST (see § 170.2(a)), the Committee on National Security Systems (see § 170.2(b)), and the International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) (see § 170.2(c)), which may require payment of a fee.

Note: While the ISO/IEC standards are issued jointly, they are available from the ISO Secretariat (see § 170.2(c)). The American National Standards Institute (ANSI) IBR Portal provides access to standards that have been incorporated by reference in the U.S. Code of Federal Regulations at https://ibr.ansi.org. These standards incorporated by the U.S. government in rulemakings are offered at no cost in ‘‘read only’’ format and are presented for online reading. There are no print or download options. All users will be required to install the FileOpen plug-in and accept an online end user license agreement prior to accessing any standards.

The materials that are incorporated by reference are summarized below.

(a) Federal Information Processing Standard (FIPS) Publication (PUB) 200 (FIPS PUB 200), titled ‘‘Minimum Security Requirements for Federal Information and Information Systems,’’ is the second of two security standards mandated by the Federal Information Security Management Act (FISMA). It specifies minimum security requirements for information and information systems supporting the executive agencies of the Federal government and a risk-based process for selecting the security controls necessary to satisfy the minimum security requirements. This standard promotes the development, implementation, and operation of more secure information systems within the Federal Government by establishing minimum levels of due diligence for information security and facilitating a more consistent, comparable, and repeatable approach for selecting and specifying security controls for information systems that meet minimum security requirements. This document is incorporated by reference as a source for definitions.

(b) FIPS PUB 201–3, titled ‘‘Personal Identity Verification (PIV) of Federal Employees and Contractors,’’ establishes a standard for a PIV system that meets the control and security objectives of Homeland Security Presidential Directive-12. It is based on secure and reliable forms of identity credentials issued by the Federal Government to its employees and contractors. These credentials are used by mechanisms that authenticate individuals who require access to federally controlled facilities, information systems, and applications.
This Standard addresses requirements for initial identity proofing, infrastructure to support interoperability of identity credentials, and accreditation of organizations and processes issuing PIV credentials. This document is incorporated by reference as a source for definitions.

(c) NIST SP 800–37, titled ‘‘Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy,’’ Revision 2 (NIST SP 800–37 R2), describes the Risk Management Framework (RMF) and provides guidelines for applying the RMF to information systems and organizations. The RMF provides a disciplined, structured, and flexible process for managing security and privacy risk that includes information security categorization; control selection, implementation, and assessment; system and common control authorizations; and continuous monitoring. The RMF includes activities to prepare organizations to execute the framework at appropriate risk management levels. The RMF also promotes near real-time risk management and ongoing information system and common control authorization through the implementation of continuous monitoring processes; provides senior leaders and executives with the necessary information to make efficient, cost-effective, risk management decisions about the systems supporting their missions and business functions; and incorporates security and privacy into the system development life cycle. Executing the RMF tasks links essential risk management processes at the system level to risk management processes at the organization level. In addition, it establishes responsibility and accountability for the controls implemented within an organization’s information systems and inherited by those systems. This document is incorporated by reference as a source for definitions.
(d) NIST SP 800–39, titled ‘‘Managing Information Security Risk: Organization, Mission, and Information System View,’’ March 2011 (NIST SP 800–39 Mar2011), provides guidance for an integrated, organization-wide program for managing information security risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation resulting from the operation and use of Federal information systems. NIST SP 800–39 Mar2011 provides a structured, yet flexible approach for managing risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines. The guidance provided in this publication is not intended to replace or subsume other risk-related activities, programs, processes, or approaches that organizations have implemented or intend to implement addressing areas of risk management covered by other legislation, directives, policies, programmatic initiatives, or mission/business requirements. Rather, the risk management guidance described herein is complementary to and should be used as part of a more comprehensive Enterprise Risk Management (ERM) program. This document is incorporated by reference as a source for definitions.

(e) NIST SP 800–53, titled ‘‘Security and Privacy Controls for Information Systems and Organizations,’’ Revision 5 (NIST SP 800–53 R5), provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks. The controls are flexible and customizable and implemented as part of an organization-wide process to manage risk. The controls address diverse requirements derived from mission and business needs, laws, executive orders, directives, regulations, policies, standards, and guidelines. Finally, the consolidated control catalog addresses security and privacy from a functionality perspective (i.e., the strength of functions and mechanisms provided by the controls) and from an assurance perspective (i.e., the measure of confidence in the security or privacy capability provided by the controls). Addressing functionality and assurance helps to ensure that information technology products and the systems that rely on those products are sufficiently trustworthy. This document is incorporated by reference as a source for definitions.

(f) NIST SP 800–82r3, titled ‘‘Guide to Operational Technology (OT) Security,’’ September 2023 (NIST SP 800–82r3), provides guidance on how to secure ICS, including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing their unique performance, reliability, and safety requirements. The document provides an overview of ICS and typical system topologies, identifies typical threats and vulnerabilities to these systems, and provides recommended security countermeasures to mitigate the associated risks. This document is incorporated by reference as a source for definitions.
(g) NIST SP 800–115, titled ‘‘Technical Guide to Information Security Testing and Assessment,’’ September 2008 (NIST SP 800–115 Sept2008), assists organizations in planning and conducting technical information security tests and examinations, analyzing findings, and developing mitigation strategies. The guide provides practical recommendations for designing, implementing, and maintaining technical information security test and examination processes and procedures. These can be used for several purposes, such as finding vulnerabilities in a system or network and verifying compliance with a policy or other requirements. The guide is not intended to present a comprehensive information security testing and examination program but rather an overview of key elements of technical security testing and examination, with an emphasis on specific technical techniques, the benefits and limitations of each, and recommendations for their use. This document is incorporated by reference as a source for definitions.

(h) NIST SP 800–160, Volume 2, titled ‘‘Developing Cyber-Resilient Systems: A Systems Security Engineering Approach,’’ Revision 1, December 2021 (NIST SP 800–160 V2R1), focuses on cyber resiliency engineering—an emerging specialty systems engineering discipline applied in conjunction with systems security engineering and resilience engineering to develop survivable, trustworthy secure systems. Cyber resiliency engineering intends to architect, design, develop, implement, maintain, and sustain the trustworthiness of systems with the capability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises that use or are enabled by cyber resources. From a risk management perspective, cyber resiliency is intended to help reduce the mission, business, organizational, enterprise, or sector risk of depending on cyber resources.
This document is incorporated by reference as a source for definitions.

(i) NIST SP 800–171, titled ‘‘Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,’’ Revision 2, February 2020 (includes updates as of January 28, 2021) (NIST SP 800–171 R2), provides agencies with recommended security requirements for protecting the confidentiality of CUI when the information is resident in nonfederal systems and organizations; when the nonfederal organization is not collecting or maintaining information on behalf of a Federal agency or using or operating a system on behalf of an agency; and where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category listed in the CUI Registry. The requirements apply to all components of nonfederal systems and organizations that process, store, and/or transmit CUI, or that provide protection for such components. The security requirements are intended for use by Federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations. This document is incorporated by reference as a foundational source for definitions and security requirements.

(j) NIST SP 800–171A, titled ‘‘Assessing Security Requirements for Controlled Unclassified Information,’’ June 2018 (NIST SP 800–171A Jun2018), provides Federal and non-Federal organizations with assessment procedures and a methodology that can be employed to conduct assessments of the CUI security requirements in NIST SP 800–171 R2. The assessment procedures are flexible and can be customized to the needs of the organizations and the assessors conducting the assessments.
Security assessments can be conducted as self-assessments; independent, third-party assessments; or government-sponsored assessments and can be applied with various degrees of rigor, based on customer-defined depth and coverage attributes. The findings and evidence produced during the security assessments can facilitate risk-based decisions by organizations related to the CUI requirements. This document is incorporated by reference as a foundational source for definitions and assessment.

(k) NIST SP 800–172, titled ‘‘Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800–171,’’ February 2021 (NIST SP 800–172 Feb2021), provides Federal agencies with recommended enhanced security requirements for protecting the confidentiality of CUI: (1) when the information is resident in nonfederal systems and organizations; (2) when the nonfederal organization is not collecting or maintaining information on behalf of a Federal agency or using or operating a system on behalf of an agency; and (3) where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category listed in the CUI Registry. The enhanced requirements apply only to components of nonfederal systems that process, store, or transmit CUI or that provide security protection for such components when the designated CUI is associated with a critical program or high value asset. The enhanced requirements supplement the basic and derived security requirements in NIST SP 800–171 R2 and are intended for use by Federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations. This document is incorporated by reference as a foundational source for security requirements.
(l) NIST SP 800–172A, titled ‘‘Assessing Enhanced Security Requirements for Controlled Unclassified Information,’’ March 2022 (NIST SP 800–172A Mar2022), provides Federal agencies and nonfederal organizations with assessment procedures that can be used to carry out assessments of the requirements in NIST SP 800–172 Feb2021. The assessment procedures are flexible and can be tailored to the needs of organizations and assessors. Assessments can be conducted as (1) self-assessments; (2) independent, third-party assessments; or (3) government-sponsored assessments. The assessments can be conducted with varying degrees of rigor based on customer-defined depth and coverage attributes. The findings and evidence produced during the assessments can be used to facilitate risk-based decisions by organizations related to the CUI enhanced security requirements. This document is incorporated by reference as a foundational source for definitions and assessment.

(m) ISO/IEC 17011:2017(E), titled ‘‘Conformity assessment—Requirements for accreditation bodies accrediting conformity assessment bodies,’’ Second edition, November 2017 (ISO/IEC 17011:2017(E)), specifies requirements for the competence, consistent operation and impartiality of accreditation bodies assessing and accrediting conformity assessment bodies. This document is incorporated by reference as a source for requirements on the CMMC Ecosystem.

(n) ISO/IEC 17020:2012(E), titled ‘‘Conformity assessment—Requirement for the operation of various types of bodies performing inspection,’’ Second edition, March 1, 2012 (ISO/IEC 17020:2012(E)), specifies requirements for the competence of bodies performing inspection and for the impartiality and consistency of their inspection activities.
It applies to inspection bodies of type A, B or C, as defined in ISO/IEC 17020:2012(E), and it applies to any stage of inspection. This document is incorporated by reference as a source for requirements on the CMMC Ecosystem.

(o) ISO/IEC 17024:2012(E), titled ‘‘Conformity assessment—General requirements for bodies operating certification of persons,’’ Second edition, July 1, 2012 (ISO/IEC 17024:2012(E)), contains principles and requirements for a body certifying persons against specific requirements and includes the development and maintenance of a certification scheme for persons. This document is incorporated by reference as a source for requirements on the CMMC Ecosystem.

Section 170.3 Applicability

Section 170.3 identifies entities to which the rule applies and how the Department intends to implement the rule. The rule applies to defense contractors and subcontractors that will process, store, or transmit FCI or CUI in performance of a DoD contract, and private-sector businesses or other entities that are specified in Subpart C. This rule does not apply to Federal information systems operated by contractors and subcontractors in support of the Government. CMMC Program requirements apply to DoD solicitations and contracts requiring defense contractors and subcontractors to process, store, or transmit FCI or CUI. Exceptions to the applicability of this rule are addressed in § 170.3(c)(1) and (2). Department Program Managers or requiring activities will determine which CMMC Level and assessment type will apply to a contract or procurement. Applicability of the required CMMC Level and assessment type to subcontractors is addressed in § 170.23. Section 170.3 addresses the four-phased implementation plan of the CMMC Program requirements in solicitations and contracts.
Phase 1 begins on the effective date of this CMMC 32 CFR part 170 CMMC Program rule or the complementary 48 CFR part 204 CMMC Acquisition rule, whichever occurs later. More information regarding Phase 1 can be found in § 170.3(e)(1). Phase 2 begins one calendar year after the start date of Phase 1. More information regarding Phase 2 can be found in § 170.3(e)(2). Phase 3 begins one calendar year after the start date of Phase 2. More information regarding Phase 3 can be found in § 170.3(e)(3). Phase 4, or full implementation, begins one calendar year after the start date of Phase 3. More information regarding Phase 4 can be found in § 170.3(e)(4).

Section 170.4 Acronyms and Definitions

Section 170.4 includes acronyms and definitions used in the rule text and can be used as a reference while reading the text and tables. CMMC introduces new terms and associated definitions, and customizes definitions for existing terms, as applied to the CMMC Program. CMMC-custom terms and definitions are clearly marked to distinguish them from terms sourced externally. CMMC also utilizes terms created by other authoritative sources, including NIST. Terms from other authoritative sources are also listed in § 170.4 and are properly sourced.
The Department developed the following CMMC-custom terms to enhance understanding of the requirements and elements of the CMMC Program:

• Accreditation
• Accreditation Body
• Affirming Official
• Assessment
• Level 1 self-assessment
• Level 2 self-assessment
• Level 2 certification assessment
• Level 3 certification assessment
• POA&M closeout self-assessment
• POA&M closeout certification assessment
• Assessment Findings Report
• Assessment Team
• Asset Categories
• Authorized
• Cloud Service Provider
• CMMC Assessment and Certification Ecosystem
• CMMC Assessment Scope
• CMMC Assessor and Instructor Certification Organization (CAICO)
• CMMC instantiation of eMASS
• CMMC Status
• Final Level 1 (Self)
• Conditional Level 2 (Self)
• Final Level 2 (Self)
• Conditional Level 2 (C3PAO)
• Final Level 2 (C3PAO)
• Conditional Level 3 (DIBCAC)
• Final Level 3 (DIBCAC)
• CMMC Status Date
• CMMC Third-Party Assessment Organization (C3PAO)
• Contractor Risk Managed Assets
• Controlled Unclassified Information (CUI) Assets
• Enduring Exception
• External Service Provider (ESP)
• Operational plan of action
• Organization-defined
• Organization Seeking Assessment (OSA)
• Organization Seeking Certification (OSC)
• Out-of-Scope Assets
• Periodically
• Process, store, or transmit
• Restricted Information Systems
• Security Protection Assets
• Security Protection Data
• Specialized Assets
• Temporary Deficiency
• Test Equipment.

Section 170.5 Policy

Section 170.5 addresses the policy underlying the rule. The protection of FCI and CUI on defense contractor information systems is crucial to the continuity of the missions and functions of the DoD. To that end, this rule requires that contractors and subcontractors implement the specified security requirements for the applicable CMMC Level.
For CMMC Level 3, the selected security requirements are defined in NIST SP 800–172 Feb2021 with the applicable DoD Organization-Defined Parameters (ODPs) defined in table 1 to § 170.14(c)(4). Program Managers and requiring activities identify the applicable CMMC Level and assessment type. Factors used to determine which CMMC Level and assessment type will be applied include, but are not limited to, the list found in § 170.5(b)(1–5). CMMC Program requirements will flow down to subcontractors, as applicable (see § 170.23). A DoD Service Acquisition Executive or a Component Acquisition Executive may elect to waive inclusion of CMMC Program requirements in a solicitation or contract. Section 170.5 addresses that the CMMC Program does not alter the requirements imposed on contractors and subcontractors in FAR clause 52.204–21, DFARS clause 252.204–7012, or any other applicable safeguarding of information requirement. The CMMC Program verifies implementation of security requirements in FAR clause 52.204–21, NIST SP 800–171 R2, and selected security requirements in NIST SP 800–172 Feb2021, as applicable.

Section 170.6 CMMC PMO

Section 170.6 addresses the CMMC Program Management Office (PMO) functions that are performed within the Department of Defense Chief Information Officer (DoD CIO).

Section 170.7 DCMA DIBCAC

Section 170.7 addresses how DCMA DIBCAC will support the CMMC Program by conducting CMMC Level 2 certification assessments of the Accreditation Body and C3PAOs; conducting CMMC Level 3 certification assessments for OSCs; and recording results, issuing certificates, tracking appeals, and retaining records as required.

Section 170.8 Accreditation Body

Section 170.8 addresses the roles and responsibilities of the Accreditation Body, as well as requirements that the Accreditation Body must meet.
The Accreditation Body must be US-based and be and remain a member in good standing with the Inter-American Accreditation Cooperation (IAAC) and become an International Laboratory Accreditation Cooperation (ILAC) Mutual Recognition Arrangement (MRA) signatory, with a signatory status scope of ISO/IEC 17020:2012(E) and be compliant with ISO/IEC 17011:2017(E).[20] There is only one Accreditation Body for the DoD CMMC Program at any given time, and its primary mission is to authorize and accredit the C3PAOs. The Accreditation Body authorizes and accredits C3PAOs in accordance with the requirements in section 170.8(b). The Accreditation Body also oversees the CAICO to ensure compliance with ISO/IEC 17024:2012(E)[21] and to ensure all training products, instruction, and testing materials are of high quality. Section 170.8 addresses specific requirements for the Accreditation Body with regards to national security background checks, foreign ownership, reporting, information protection, and appeals. The Accreditation Body will also develop policies for Conflict of Interest (CoI), Code of Professional Conduct (CoPC), and Ethics that comply with all ISO/IEC 17011:2017(E) and DoD requirements. These policies will apply to the Accreditation Body as well as to all other individuals, entities, and groups within the CMMC Ecosystem. The information systems used by the Accreditation Body to process CMMC information have to meet all of the security requirements for CMMC Level 2 and will be assessed by DCMA’s Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Section 170.9 CMMC Third-Party Assessment Organizations (C3PAOs)

Section 170.9 addresses the roles, responsibilities, and requirements for C3PAOs, which are the organizations that perform CMMC Level 2 certification assessments for OSCs.
The C3PAOs will submit assessment data into the CMMC instantiation of a government-owned and -operated system called eMASS,[22] a CMMC instance of the Enterprise Mission Assurance Support Service. C3PAOs issue Certificates of CMMC Status, in accordance with the requirements in § 170.17 of this part. Section 170.9 addresses detailed requirements for C3PAOs with regards to national security background checks, foreign ownership, reporting, records management, information protection, quality assurance, and appeals. The information systems used by C3PAOs to process Level 2 certification assessment information have to meet all of the security requirements for CMMC Level 2 and will be assessed by DCMA DIBCAC. C3PAOs need to comply with ISO/IEC 17020:2012(E), as well as with the Accreditation Body’s policies for CoI, CoPC, and Ethics. Prior to a C3PAO being compliant with ISO/IEC 17020:2012(E), the C3PAO may be authorized but not accredited. After a C3PAO is compliant with ISO/IEC 17020:2012(E), the C3PAO may be accredited.

Section 170.10 CMMC Assessor and Instructor Certification Organization (CAICO)

Section 170.10 addresses the roles, responsibilities, and requirements for the CAICO, the organization that trains, tests, designates Provisional Instructors (PIs), and certifies CMMC Certified Professionals (CCPs), CMMC Certified Assessors (CCAs), and CMMC Certified Instructors (CCIs). There is only one CAICO for the DoD CMMC Program at any given time. The CAICO must comply with ISO/IEC 17024:2012(E), as well as with the Accreditation Body’s policies for CoI, CoPC, and Ethics. Section 170.10 addresses detailed requirements for the CAICO with regards to certification examinations, quality assurance, appeals, records management, reporting, separation of duties, and information protection.

[20] www.iso.org/standard/67198.html.
[21] www.iso.org/standard/52993.html.
[22] This system is accessible only to authorized users.
Section 170.11 CMMC Certified Assessor (CCA)

Section 170.11 addresses the roles and responsibilities of a CMMC Certified Assessor (CCA), who conducts Level 2 certification assessments. In order to be a CCA, a candidate must first be a CCP, must adhere to the requirements set forth in § 170.10 and § 170.8(b)(17), and must complete a Tier 3 background investigation or equivalent. The required cybersecurity experience for different CCA roles is addressed in § 170.11(b)(6) and (10). Section 170.11 addresses CCA requirements with respect to security breaches; completion of a Tier 3 background investigation or equivalent; reporting; sharing assessment information; and permitted use of C3PAO equipment, devices, and services.

Section 170.12 CMMC Instructor

Section 170.12 addresses the roles and responsibilities of a CMMC Provisional Instructor (PI) and CMMC Certified Instructor (CCI) to teach CMMC assessor candidates. Candidate PIs and CCIs are trained and tested per the requirements set forth in § 170.12(c). Section 170.12(c) also provides candidate PIs and CCIs with the requirements to obtain and maintain designation or certification (as applicable), compliance with Accreditation Body policies, work activity exclusions, confidentiality expectations, non-disclosure clause, non-public training related information, forbidden consulting services, and reporting requirements.

Section 170.13 CMMC Certified Professional (CCP)

Section 170.13 addresses the roles and responsibilities of a CMMC Certified Professional (CCP) required to provide advice, consulting, and recommendations to clients. The CAICO trains and tests candidate CCPs per the requirements set forth in § 170.13(b), with CCP certification issued upon successful completion.
A CCP can participate on CMMC Level 2 certification assessments with CCA oversight; however, CCAs are responsible for making final assessment determinations for a CMMC Status of Conditional or Final Level 2 (C3PAO). A list of CCP requirements is provided for obtaining and maintaining certification, compliance with Accreditation Body policies, completion of a Tier 3 background investigation or equivalent, sharing assessment specific information, and reporting requirements.

Section 170.14 CMMC Model

Section 170.14 addresses the structure, security requirement contents, organization, sourcing, and numbering of the security requirements that comprise the CMMC Model. It also provides an overview of the assessment process. The CMMC Model consists of three (3) levels, each containing security requirements taken directly from existing regulations and guidelines. Firstly, § 170.14(2) defines CMMC Level 1 as the 15 security requirements listed in the FAR clause 52.204–21(b)(1). Secondly, § 170.14(3) defines CMMC Level 2 as the 110 security requirements from the NIST SP 800–171 R2. Lastly, § 170.14(4) defines CMMC Level 3 as 24 selected security requirements from the NIST SP 800–172 Feb2021. The CMMC security requirements are organized into domains following the approach taken in NIST SP 800–171 R2. The numbering of the CMMC security requirements, addressed in § 170.14(c)(1), is of the form DD.L#-REQ, where the ‘DD’ is the two-letter domain abbreviation, the ‘L#’ is the CMMC Level, and the ‘REQ’ is based directly on the numbering in the source. Assessment criteria for these security requirements, as described in § 170.14(d), are based on security requirement assessment guidance provided in NIST SP 800–171A Jun2018 and NIST SP 800–172A Mar2022.
Section 170.15 CMMC Level 1 Self-Assessment and Affirmation Requirements
Section 170.15 addresses how an OSA will achieve and maintain compliance with the CMMC Status of Level 1 (Self). The OSA must successfully implement the security requirements listed in § 170.14(c)(2) within their Level 1 CMMC Assessment Scope as described in § 170.19(b). Successful implementation requires meeting all objectives defined in NIST SP 800–171A Jun2018 for the corresponding CMMC Level 1 security requirements as outlined in the mapping table 1 to § 170.15(c)(1)(i). After implementation, the OSA must perform a Level 1 self-assessment to verify the implementation and score themselves using the scoring methodology provided in § 170.24. All objectives must be met in order for a security requirement to be considered fully implemented; no security requirements may be placed on a POA&M for Level 1. The OSA must then input their results into SPRS as described in § 170.15(a)(1)(i) and submit an affirmation as described in § 170.22. In order to be eligible for a contract with a requirement for the CMMC Status of Level 1 (Self), the OSA must have achieved a CMMC Status of Final Level 1 (Self) and have submitted an affirmation. These activities must be completed annually.

Section 170.16 CMMC Level 2 Self-Assessment and Affirmation Requirements
Section 170.16 addresses how an OSA will achieve and maintain compliance with the CMMC Status of Level 2 (Self). The OSA must successfully implement the security requirements listed in § 170.14(c)(3) within its Level 2 CMMC Assessment Scope as described in § 170.19(c). Successful implementation requires meeting all objectives defined in NIST SP 800–171A Jun2018 for the corresponding CMMC Level 2 security requirements. Requirements for ESPs and CSPs that process, store, or transmit CUI are provided in § 170.16(c)(2) and (3).
After implementation, the OSA must perform a Level 2 self-assessment to verify the implementation and score themselves using the scoring methodology provided in § 170.24. All objectives must be met in order for a security requirement to be considered fully implemented; in some cases, if not all objectives are met, some security requirements may be placed on a POA&M as provided for in § 170.21. If the minimum score has been achieved and some security requirements are in a POA&M, the OSA has achieved the CMMC Status of Conditional Level 2 (Self); if all requirements are MET as defined in § 170.24(b), the OSA has achieved a CMMC Status of Final Level 2 (Self). For Conditional Level 2 (Self), a POA&M closeout must be conducted within 180 days as described in § 170.21(b) or the Conditional Level 2 (Self) CMMC Status will expire. After a Level 2 self-assessment, as well as after a POA&M closeout, the OSA must input their results into SPRS as described in § 170.16(a)(1)(i) and submit an affirmation as described in § 170.22. In order to be eligible for a contract with a requirement for the CMMC Status of Level 2 (Self), the OSA must have achieved the CMMC Status of either Conditional Level 2 (Self) or Final Level 2 (Self) and have submitted an affirmation. The Level 2 self-assessment must be completed every three years and the affirmation must be completed annually following the Final CMMC Status Date.

Section 170.17 CMMC Level 2 Certification Assessment and Affirmation Requirements
Section 170.17 addresses how an OSC will achieve and maintain compliance with the CMMC Status of Level 2 (C3PAO). The OSC must successfully implement the security requirements listed in § 170.14(c)(3) within its Level 2 CMMC Assessment Scope as described in § 170.19(c). Successful implementation requires meeting all objectives defined in NIST SP 800–171A Jun2018 for the corresponding CMMC Level 2 security requirements.
Requirements for ESPs and CSPs that process, store, or transmit CUI are provided in § 170.17(c)(5) and (6). After implementation, the OSC must hire a C3PAO to perform an assessment to verify the implementation. The C3PAO will score the OSC using the scoring methodology provided in § 170.24. All objectives must be met in order for a security requirement to be considered fully implemented; in some cases, if not all objectives are met, some security requirements may be placed on a POA&M as defined in § 170.21. If the minimum score has been achieved and some security requirements are in a POA&M, the OSC has achieved the CMMC Status of Conditional Level 2 (C3PAO); if all requirements are MET as defined in § 170.24(b), the OSC has achieved the CMMC Status of Final Level 2 (C3PAO). For Conditional Level 2 (C3PAO), a POA&M closeout must be conducted within 180 days as described in § 170.21(b) or the Conditional Level 2 (C3PAO) CMMC Status will expire. After a Level 2 certification assessment, as well as after a POA&M closeout, the C3PAO will input the OSC’s results into the CMMC instantiation of eMASS as described in § 170.17(a)(1)(i). After a Level 2 certification assessment, as well as after a POA&M closeout, the OSC must submit an affirmation as described in § 170.22. In order to be eligible for a contract with a requirement for the CMMC Status of Level 2 (C3PAO), the OSC must have achieved the CMMC Status of either Conditional Level 2 (C3PAO) or Final Level 2 (C3PAO) and have submitted an affirmation. The Level 2 certification assessment must be completed every three years and the affirmation must be completed annually following the Final CMMC Status Date.
Section 170.18 CMMC Level 3 Certification Assessment and Affirmation Requirements
Section 170.18 addresses how an OSC will achieve and maintain compliance with the CMMC Status of Level 3 (DIBCAC). The OSC must have achieved the CMMC Status of Final Level 2 (C3PAO) for information systems within the Level 3 CMMC Assessment Scope as a prerequisite to undergo a Level 3 certification assessment. The OSC must successfully implement the security requirements listed in § 170.14(c)(4) and table 1 to § 170.14(c)(4) within its Level 3 CMMC Assessment Scope as described in § 170.19(d). Successful implementation requires meeting all objectives defined in NIST SP 800–172A Mar2022 for the corresponding CMMC Level 3 security requirements. Requirements for ESPs and CSPs that process, store, or transmit CUI are provided in § 170.18(c)(5) and (6). After implementation, the OSC must contact DCMA DIBCAC to perform an assessment to verify the implementation. DCMA DIBCAC will score the OSC using the scoring methodology provided in § 170.24. All objectives must be met in order for a security requirement to be considered fully implemented; in some cases, if not all objectives are met, some security requirements may be placed on a POA&M as defined in § 170.21. If the minimum score has been achieved and some security requirements are in a POA&M, the OSC has achieved the CMMC Status of Conditional Level 3 (DIBCAC); if all requirements are MET as defined in § 170.24(b), the OSC has achieved the CMMC Status of Final Level 3 (DIBCAC). For Conditional Level 3 (DIBCAC), a POA&M closeout must be conducted within 180 days as described in § 170.21(b) or the Conditional Level 3 (DIBCAC) CMMC Status will expire. After a Level 3 certification assessment, as well as after a POA&M closeout, DCMA DIBCAC will input the OSC’s results into the CMMC instantiation of eMASS as described in § 170.18(a)(1)(i).
After a Level 3 certification assessment, as well as after a POA&M closeout, the OSC must submit an affirmation as described in § 170.22. In order to be eligible for a contract with a requirement for the CMMC Status of Level 3 (DIBCAC), the OSC must have achieved the CMMC Status of either Conditional Level 3 (DIBCAC) or Final Level 3 (DIBCAC) and have submitted an affirmation. The Level 3 certification assessment must be completed every three years and the affirmation must be completed annually following the Final CMMC Status Date.

Section 170.19 CMMC Scoping
Section 170.19 addresses the requirements for the scoping of each CMMC Level and determines which assets are included in a given assessment and the degree to which each is assessed. The CMMC Assessment Scope is specified prior to any CMMC assessment, based on the CMMC Level being assessed. The Level 2 CMMC Assessment Scope may also be affected by any intent to achieve a CMMC Level 3 Certification Assessment, as detailed in § 170.19(e). Scoping for CMMC Level 1, as detailed in § 170.19(b), consists of all assets that process, store, or transmit FCI. These assets are fully assessed against the applicable CMMC security requirements identified in § 170.14(c)(2) and following the procedures in § 170.15(c). All other assets are out-of-scope and are not considered in the assessment. Scoping for CMMC Level 2, as detailed in § 170.19(c), consists of all assets that process, store, or transmit CUI, and all assets that provide security protections for these assets. These assets are fully assessed against the applicable CMMC security requirements identified in § 170.14(c)(3) and following the Level 2 self-assessment procedures in § 170.16(c) or the Level 2 certification assessment procedures in § 170.17(c).
In addition, Contractor Risk Managed Assets, which are assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place, are documented and are subject to a limited check that may result in the identification of a deficiency, as addressed in table 3 to § 170.19(c)(1). Finally, Specialized Assets, which are assets that can process, store, or transmit CUI but are unable to be fully secured, including: Internet of Things (IoT) devices, Industrial Internet of Things (IIoT) devices, Operational Technology (OT), Government Furnished Equipment (GFE), Restricted Information Systems, and Test Equipment, are documented but are not assessed against other CMMC security requirements, as addressed in table 3 to § 170.19(c)(1). All other assets are out-of-scope and are not considered in the assessment. Scoping for CMMC Level 3, as detailed in § 170.19(d), consists of all assets that can (whether intended to or not) or do process, store, or transmit CUI, and all assets that provide security protections for these assets. The CMMC Level 3 Assessment Scope also includes all Specialized Assets but allows an intermediary device to provide the capability for the Specialized Asset to meet one or more CMMC security requirements, as needed. These assets (or the applicable intermediary device, in the case of Specialized Assets) are fully assessed against the applicable CMMC security requirements identified in § 170.14(c)(4) and following the procedures in § 170.18(c). All other assets are out-of-scope and are not considered in the assessment. If an OSA utilizes an ESP, including a Cloud Service Provider (CSP), that does not process, store, or transmit CUI, the ESP does not require its own CMMC assessment. The services provided by the ESP are assessed as part of the OSC’s assessment as Security Protection Assets.
Section 170.20 Standards Acceptance
Section 170.20 addresses how OSCs that, prior to the effective date of this rule, have achieved a perfect score on a DCMA DIBCAC High Assessment with the same scope as a Level 2 CMMC Assessment Scope will be given a CMMC Status of Level 2 (C3PAO).

Section 170.21 Plan of Action and Milestones Requirements
Section 170.21 addresses rules for having a POA&M for the purposes of a CMMC assessment and satisfying contract eligibility requirements for CMMC. All POA&Ms must be closed within 180 days of the Conditional CMMC Status Date. To satisfy CMMC Level 1 requirements, a POA&M is not allowed. To satisfy CMMC Level 2 requirements, a POA&M is allowed. Section 170.21 details the overall minimum score that must be achieved and identifies the Level 2 security requirements that cannot have a POA&M and must be fully met at the time of the assessment. To satisfy CMMC Level 3 requirements, a POA&M is allowed. Section 170.21 details the overall minimum score that must be achieved and identifies the Level 3 security requirements that cannot have a POA&M and must be fully met at the time of the assessment. Section 170.21 also establishes rules for closing POA&Ms.

Section 170.22 Affirmation
Section 170.22 addresses that the OSA’s Affirming Official must affirm, in SPRS, compliance with the CMMC Status: upon completion of any self-assessment, certification assessment, or POA&M closeout assessment (as applicable), and annually following a Final CMMC Status Date.

Section 170.23 Application to Subcontractors
Section 170.23 addresses flow down of CMMC requirements from the prime contractor to the subcontractors in the supply chain. Prime contractors shall comply and shall require subcontractor compliance throughout the supply chain at all tiers with the applicable CMMC Level for each subcontract as addressed in § 170.23(a).
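The status rules summarised for §§ 170.15 through 170.18 and § 170.21 (all objectives met or the requirement is NOT MET, a POA&M only above the minimum score and only for eligible requirements, Conditional status lapsing after 180 days, and the § 170.24 rule that the score starts at the requirement count and drops by each NOT MET requirement's value) can be modelled as a small decision procedure. The code below is an added illustration, not part of the rule or any DoD tool: the point values, the minimum score and which requirements may not be placed on a POA&M are placeholders, because this summary only says that § 170.24(c) and § 170.21 enumerate them.

```python
"""Model of the CMMC Conditional/Final status rules described in this summary (added example)."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum

POAM_CLOSEOUT_DAYS = 180  # § 170.21(b): Conditional status expires if the POA&M is not closed out in 180 days


class Finding(str, Enum):
    """The three assessment finding types named in § 170.24."""
    MET = "MET"
    NOT_MET = "NOT MET"
    NA = "NOT APPLICABLE"


@dataclass(frozen=True)
class Requirement:
    ident: str                       # DD.L#-REQ form, e.g. "AC.L2-3.1.1"
    value: int                       # point value; § 170.24(c) enumerates the real ones, placeholders here
    poam_allowed: bool               # False for requirements § 170.21 says must be fully met at assessment
    objectives: tuple[Finding, ...]  # one finding per assessment objective of the requirement

    def not_met(self) -> bool:
        # Fully implemented only when every objective is met: a single NOT MET objective makes the
        # requirement NOT MET. N/A objectives do not count against it, since only NOT MET reduces the score.
        return Finding.NOT_MET in self.objectives


def level_from_ident(ident: str) -> int:
    """Parse the L# field of a DD.L#-REQ identifier (§ 170.14(c)(1))."""
    domain, _, rest = ident.partition(".")
    if len(domain) != 2 or not domain.isalpha() or not rest.startswith("L"):
        raise ValueError(f"not a DD.L#-REQ identifier: {ident!r}")
    return int(rest[1:].partition("-")[0])


def score(reqs: list[Requirement]) -> int:
    """§ 170.24: start at the number of requirements and subtract the value of every NOT MET one."""
    return len(reqs) - sum(r.value for r in reqs if r.not_met())


@dataclass(frozen=True)
class Status:
    kind: str                # "Final", "Conditional" or "Not achieved"
    score: int
    poam: tuple[str, ...]    # identifiers placed on the POA&M (Conditional only)
    expires: date | None     # day the Conditional status lapses without a POA&M closeout


def determine_status(level: int, reqs: list[Requirement], min_score: int, assessed: date) -> Status:
    """Apply the Conditional / Final rules of §§ 170.15-170.18 and § 170.21 to a set of findings."""
    if any(level_from_ident(r.ident) != level for r in reqs):
        raise ValueError("all requirements must belong to the level being assessed")
    if level == 3 and any(r.value != 1 for r in reqs):
        raise ValueError("§ 170.24(c)(3): every Level 3 requirement has a value of one")
    total = score(reqs)
    failed = [r for r in reqs if r.not_met()]
    if not failed:
        return Status("Final", total, (), None)
    # Level 1 permits no POA&M; Levels 2 and 3 permit one only at or above the minimum score
    # and only for requirements that § 170.21 does not require to be fully met at assessment time.
    if level == 1 or total < min_score or any(not r.poam_allowed for r in failed):
        return Status("Not achieved", total, (), None)
    return Status("Conditional", total, tuple(r.ident for r in failed),
                  assessed + timedelta(days=POAM_CLOSEOUT_DAYS))


def contract_eligible(status: Status, affirmed: bool, today: date) -> bool:
    """Eligibility requires a submitted affirmation plus a Final or still-valid Conditional status."""
    if not affirmed or status.kind == "Not achieved":
        return False
    return status.kind == "Final" or today <= status.expires


def sample_level2(assessed: date = date(2025, 1, 15)) -> Status:
    """Constructed Level 2 findings with placeholder values and minimum score, run through the rules."""
    reqs = [
        Requirement("AC.L2-3.1.1", 5, False, (Finding.MET, Finding.MET)),
        Requirement("AC.L2-3.1.2", 5, True, (Finding.MET, Finding.NA)),
        Requirement("AU.L2-3.3.1", 3, True, (Finding.MET, Finding.NOT_MET)),
        Requirement("CM.L2-3.4.2", 1, True, (Finding.MET,)),
        Requirement("IA.L2-3.5.3", 1, True, (Finding.NOT_MET,)),
        Requirement("SC.L2-3.13.1", 5, True, (Finding.MET, Finding.MET, Finding.MET)),
    ]
    return determine_status(2, reqs, min_score=2, assessed=assessed)  # min_score is a placeholder


if __name__ == "__main__":
    s = sample_level2()
    print(s.kind, s.score, s.poam, s.expires)
```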
Section 170.24 CMMC Scoring Methodology
Section 170.24 addresses the assessment finding types MET, NOT MET, and NOT APPLICABLE (N/A) in the context of CMMC assessments, and the CMMC Scoring Methodology used to measure the implementation status of security requirements for CMMC Level 2 and CMMC Level 3. Scoring is not calculated for CMMC Level 1 since all requirements must be MET at the time of assessment. For CMMC Level 2, the maximum score is the total number of Level 2 security requirements and is the starting value for assessment scoring. Any security requirement that has one or more NOT MET objectives reduces the current score by the value of the specific security requirement. Values for each CMMC Level 2 requirement are enumerated in § 170.24(c)(2)(i)(B). For CMMC Level 3, the maximum score is the total number of Level 3 security requirements and is the starting value for assessment scoring. Any security requirement that has one or more NOT MET objectives reduces the current score by the value of the specific security requirement. CMMC Level 3 does not use varying values; the value for each requirement is one (1), as described in § 170.24(c)(3).

Appendix A to Part 170: Guidance
Appendix A lists the guidance documents that are available to support defense contractors and the CMMC Ecosystem in the implementation and assessment of CMMC requirements.

Discussion of Public Comments and Resulting Changes
The Department of Defense published the proposed rule on December 26, 2023 (88 FR 89058). Approximately 361 public submissions were received in response to the publication. Some comments were beyond the scope of the CMMC Program and are described but not addressed in this final rule. The majority of comments received were relevant and are summarized in the discussion and analysis section here.
Additional comments were received in response to the CMMC supplemental documents published concurrently with the rule; the discussion and analysis of those comments is located at www.regulations.gov. Some comments received lacked relevance to the rule’s content, which is limited to the specific CMMC program requirements codified in the 32 CFR part 170 CMMC Program rule; responses for those comments are not provided. Any contractual requirements related to the CMMC Program rule will be implemented in the DFARS, as needed, which may result in revisions to DFARS clause 252.204–7021, CMMC Requirements. DoD will address comments regarding DFARS clause 252.204–7021 in a separate 48 CFR part 204 CMMC Acquisition rulemaking.

1. Extension of the Public Comment Period
Comment: DoD received requests from industry associations for an extension of the 60-day public comment period on the CMMC Proposed Rule that the Office of the Federal Register published on 26 December 2023. The length of extensions requested ranged from 30–60 days. Commenters argued that the proposed rule was initially published following a holiday, or that more time was needed for associations to fully review member comments about the CMMC Proposed Rule prior to submitting. In addition, they argued that other rules pertaining to cyber incident reporting obligations and security of Federal Information Systems had also been published for public comment, which created a need for additional review time.
Response: The DoD CIO denied requests for an extension of the 60-day public comment period. The DoD provided regular communication to the public through the DoD CMMC website and updates in the semiannual Unified Agenda in preparation for publication of the CMMC Proposed Rule to initiate the 60-day public comment period.
The Department has an urgent need to improve DIB cybersecurity by further enforcing compliance with security requirements that were to be implemented by the DIB ‘‘as soon as possible but not later than December 2017.’’

2. The CUI Program
a. CUI Program Guidance
Comment: Many comments were submitted related to the NARA CUI policies or the DoD CUI Program, and while relevant for understanding CMMC requirements, those are separate policies or programs beyond the scope of the CMMC program or this rule. However, several comments recommended that the CMMC rule be revised to address them. Twenty-two comments requested the government provide more guidance, preferably within RFPs or contracts, to better identify what will be considered CUI for that contract, and how it should be appropriately marked. One comment specifically noted a need for contractual instructions on whether data created in performance of a contract rises to the level of CUI. Another comment asked when information created or possessed by a contractor becomes CUI. One comment asked whether digital or physical items derived from CUI are treated as CUI, while another asked what specific information qualifies as CUI for OT and IoT assets. Another comment asked whether FCI and/or CUI created or provided under a non-DoD agency contract, but which is also used in support of a DoD contract, would be subject to the applicable CMMC level requirement. Another comment noted that DoD focuses too narrowly on data security aspects of major system acquisition and largely fails to address securing data generated by operational and/or maintenance operations, such as invoices and bills of lading for operational support purchases. One comment stated there was a need for CUI policy guidance for the entire Federal Government. Another comment inferred, incorrectly, that the CMMC Accreditation Body makes determinations about what is and what is not CUI, and stated that the Government should make those determinations.
Another comment stated that, to better address the needs of contractors tasked with safeguarding CUI, NARA should initiate a public comment period to reevaluate its CUI Registry. The comment also noted that NARA should identify when a CUI designation automatically applies to contractor-created information and revise the CUI Registry to stipulate that a specific basis in statute (or a contract) is required for information to be considered CUI. Another comment recommended that a study be conducted on protections for systems and data at Confidential and higher classification levels, and that it should assess whether NARA’s CUI protection requirements (32 CFR part 2002) have yielded any real benefits in protecting critical data. Another comment stated that the CUI program is a costly proposition whose security value is questionable given that data can still be compromised, even over systems with a CMMC assessment. The comment stated that if data is to be controlled for Critical Items, then the existing system used for CONFIDENTIAL information should suffice. Finally, another comment suggested that CUI information should be under the control of the Federal Government and access granted only to appropriately trained and qualified contractors through a portal.
Response: Neither the CUI program (established in E.O. 13556) nor the safeguarding requirements codified in its implementing directives are changed by virtue of the compliance assessment framework established by this rule. CMMC requirements apply to prime contractors and subcontractors throughout the supply chain at all tiers that will process, store, or transmit any FCI or CUI on contractor information systems in the performance of the DoD contract or subcontract, irrespective of the origin of the information.
The executive branch’s CUI Program is codified in 32 CFR part 2002 and establishes policy for designating, handling, and decontrolling information that qualifies as CUI. The definition of CUI and general requirements for its safeguarding are included in 32 CFR 2002.4 and 2002.14, respectively. 32 CFR 2002.14(h)(2) specifically requires agencies to use NIST SP 800–171 when establishing security requirements to protect CUI’s confidentiality on non-Federal information systems. At the time of award, the DoD may have no visibility into whether the awardee will choose to further disseminate DoD’s CUI, but DFARS clause 252.204–7012 and DFARS clause 252.204–7021 require the prime contractor to flow down the information security requirement to any subcontractor with which the CUI will be shared. Decisions regarding which DoD information must be shared to support completion of subcontractor tasks are between the prime contractor and the subcontractors. The DoD encourages prime contractors to work with subcontractors to lessen the burden of flowing down CUI. The DoD declines to adopt alternatives such as policy-based solutions that lack a rigorous assessment component or require sharing CUI only through DoD-hosted secure platforms. Suggested alternatives to implementing NIST SP 800–171 and identifying what data is CUI are beyond the scope of the CMMC Program and this rule.

b. FCI and CUI Definitions
Comment: Five comments stated that what DoD considers CUI is not well defined. Another comment stated that companies should be provided a reference list of what the DoD considers CUI. Another recommended DoD use existing mechanisms like the DD Form 254 architecture to clearly define the scope of CUI on a contract-by-contract basis. Seven comments recommended the CMMC rule mandate a Security Classification Guide (SCG) or similar document.
Nine comments stated there was too much confusion and ambiguity regarding FCI and CUI and that the government needed to provide clear and standardized FCI and CUI definitions that are tailored to the specific requirements of the CMMC rule. One comment recommended rule edits to address this perceived ambiguity. One comment requested clarification and examples of differences between CUI Basic and Specified CUI.
Response: Federal Contract Information is defined in FAR clause 52.204–21, which also provides the security requirements applicable for basic safeguarding of such information. The DoD has no authority to modify definitions established in the FAR for application to all executive branch agencies. This rule makes no change to the definition or handling of CUI.

c. Marking Requirements
Comment: Twenty-three comments expressed concern with or requested clarification regarding CUI marking. Twelve comments specifically noted concern with CUI markings being applied to too many documents, in part because CUI was an ambiguous concept. They requested the DoD encourage personnel to mark documents as CUI only when appropriate and provide better guidance for managing flow-down clauses. Another comment noted that many small businesses are currently subject to NIST SP 800–171 requirements through DFARS contract clause flow-down and cannot say with certainty that they have CUI in their possession. The comment further noted that small businesses regularly receive mismarked data. One comment stated there is an increased use of automatic CUI marking on DoD communications, seemingly without regard to content. One comment stated that the rule fails to outline a mechanism for reporting government mishandling, and that contractors should use a reporting system to minimize their own risk and liability.
One comment requested the rule be edited to prevent Program Managers or requesting activities from assigning a CMMC Level 3 requirement unless they have high confidence that 80+ percent of CUI and/or FCI under the relevant contract has complete CUI markings. Another comment stated that the Federal government should develop a marking schema to communicate information safeguarding requirements, while yet another stated that DoD must publish a training module for contracting officers so that they are properly classifying documents prior to finalization of this rule. One comment stated CUI across the DoD is diverse and what may be CUI for one system may not be for another. The comment then questioned how this proposed rule and SPRS would accommodate these facts without assuming and mandating that all defense contractor information systems meet the same architecture, security, and cybersecurity standards.
Response: The CMMC Program will not provide CUI guidance materials to industry, as it is outside the scope of this CMMC rule. Relevant information regarding what to do when there are questions regarding appropriate marking of CUI may be found at 32 CFR 2002.50, Challenges to designation of information as CUI. The DoD declined to incorporate suggested edits to the CMMC Level 3 requirements regarding confidence in proper CUI and/or FCI markings. The DoD’s role as data owner is documented in the CUI Program implementing policies and the requirements of 32 CFR part 2002. DoDI 5200.48 states: The authorized holder of a document or material is responsible for determining, at the time of creation, whether information in a document or material falls into a CUI category. If so, the authorized holder is responsible for applying CUI markings and dissemination instructions accordingly. DoD Manual 5200.01 outlines DoD’s Information Security Program and includes Volume 2, Marking of Information.
The DoD declines to incorporate by reference those documents describing the Department’s data governance role because the content is beyond the scope of CMMC requirements. The DoD issued policy guidance to its program managers regarding programmatic indicators to consider when selecting CMMC requirements. Program managers have a vested interest in knowing whether a contractor can comply with these existing requirements to adequately safeguard CUI. The DoD elected not to make any recommended edits to the CMMC Program related to FCI or CUI marking requirements or provide clarifying examples of the differences between Basic CUI and Specified CUI, as these are beyond the scope of this rule. Mishandling of information by the government is beyond the scope of this rule. DCMA DIBCAC processes, stores, and transmits all data on DoD-approved networks. DoD’s adherence to NARA’s CUI Program policies is beyond the scope of this rule.

d. Applicability and Governance of CUI Requirements
Comment: In addition, one utilities sector representative submitted a lengthy analysis of data types often generated by electric or other utilities, with regulatory references and rationale for why such data would not likely be subject to DoD’s CUI safeguarding requirements or CMMC compliance assessments. Such rationale included the fact that some Government-Private CUI categories, such as DoD Critical Infrastructure Information, require explicit designation in that category, which (according to the commenter) has not occurred in the electricity subsector. One contractor requested that CMMC clarify requirements around U.S. persons and foreign dissemination of CUI for contractors, subcontractors’ employees, and contingent workers.
Two comments suggested it would be appropriate to reference data governance in § 170.1 and the DoD’s role as the data owner of FCI and CUI across the ecosystem. Another comment stated the classification efforts must themselves be audited.
Response: The quantity of FCI and CUI a defense contractor possesses, including copies of the same material, is irrelevant to the CMMC assessment required. All copies of FCI or CUI related to the DoD contract must be safeguarded. The CMMC Program is not intended to validate compliance with cybersecurity requirements of non-DoD agencies’ contracts. The requirements for sharing of CUI with non-US persons are beyond the scope of this rule. The CMMC program provides a mechanism to assess contractor compliance with applicable security requirements for the safeguarding of FCI or CUI. CMMC program requirements make no change to existing policies for information security requirements implemented by DoD. Policies for CUI and creation of program documentation, to include Security Classification Guides, are separate from this rule. Discussion in this rule regarding DoD programs providing CUI training and the implementation of E.O. 13556 are beyond the scope of this rule. CMMC program requirements are applicable when DoD requires processing, storing, or transmitting of either FCI or CUI on a non-Federal, contractor-owned information system in the performance of a contract between DoD and the contractor. The DoD does not manage, nor is it involved in, data exchanges between contractors and subcontractors.

3. Other DoD Policies and Programs
Many comments dealt with DoD policies and programs that, while relevant for understanding CMMC requirements, are still entirely separate programs or policies that are not within the scope of the CMMC program. However, several commenters recommended that the rule be revised to address them. Key topics among such comments include:

a. Adaptive Acquisition Framework
Comment: One commenter misunderstood the CMMC program purpose and thought the requirements applied to systems and capabilities acquired or developed for DoD’s use, using formal policies of the Defense Acquisition System. Based on this misinterpretation, this commenter made dozens of recommendations related to integration of CMMC assessment and program requirements with other existing DoD acquisition frameworks and suggested relying on the assessors that complete TRAs, in place of implementing the CMMC program. One of their comments also proposed establishing a single responsible office for CUI and SCRM, hosting CUI material within a single, separate, secure and existing cloud-based data warehouse, and including hardware and software approving authorities as part of the proposed rule for GFE. The commenter also stated the role of the Office of Small Business Programs (OSBP) needs to flow down to the Small Business Administration military service offices. The commenter also asked how to reconcile CMMC against the DoDI 8582.01 requirement stating a DoD Component should not specify the content and format of plans of action that address deficiencies or specify the parameters of security controls. This commenter also recommended creation of a MIL-Standard in lieu of aligning cybersecurity requirements to existing NIST standards, and linkage of CMMC requirements to procedures related to Approval to Operate (which applies to DoD systems). This commenter suggested that the CMMC PMO be made responsible to provide system scans to check for Software Bills of Material as part of DoD’s response to Executive Order 14028 regarding Supply Chain Risk Management. The commenter further requested a DoD-level working group outline how DoD program offices might identify which components are mission or safety critical or which associated production processes should be identified as CTI.
That commenter recommended this rule be held in abeyance until AT&L [sic] has reviewed and provided their insight into the impacts of CMMC on existing DoD acquisition documentation and deliverables. Yet another comment recommended that "this proposed DFARS ruling" be vetted through "AT&L, ASD and OUSD" [sic] as a minimum to determine if changes would be required in the Program Protection Improvement Plan and System Security Plan. Lastly, this commenter recommended the DoD engage with NDIA and ISO/IEC to develop alternate standards for securing data and supply chains.

Response: CMMC Program requirements apply to contractor-owned information systems that process, store, or transmit FCI and CUI and do not apply to systems developed or acquired for DoD through the formal Defense Acquisition System (DAS). Therefore, integrating the CMMC assessment process and internal DAS processes (including technical reviews prior to RFP development) is not appropriate and is beyond the scope of this rule. Note that CMMC applicability is broader than just the Major Defense Acquisition Programs. DoD's organizational alignment of responsibilities (between OSBP and SBA military offices) for assisting small businesses or establishing new offices within OSD is beyond the scope of this rule. Due to national security concerns, DoD declines the recommendation to further delay implementation of the CMMC Program. Each passing day of delay in implementing the security requirements for safeguarding DoD FCI and CUI increases the risk of exfiltration of non-public information on unsecured non-Federal systems that may result in the loss of DoD's technological advantages in its warfighting capabilities and programs. Discussions regarding acquisition strategies and frameworks are beyond the scope of this CMMC rule.
The CMMC Program does not alleviate or supersede any existing requirements of the Adaptive Acquisition Framework, nor does it alter any statutory or regulatory requirement for acquisition program documentation or deliverables. Note that CMMC Program requirements do not apply to systems delivered to DoD. DoD Instructions for required acquisition program documentation are beyond the scope of this rule. CMMC assessment certifications are not integrated into System Security Plans (SSPs). The role of System Engineering and associated processes within the DoD acquisition process is beyond the scope of this rule. ITRA assessments provide a view of program technical risk and are not well-suited to the assessment of contractor-owned information systems against standards for safeguarding CUI. CMMC Program requirements do not clash with Program Office responsibilities, but instead provide Program Managers with a mechanism for validating that contractors are compliant with the rules for protecting DoD CUI.

b. FedRAMP Program and FedRAMP Equivalency

Comment: Many commenters took issue with the requirements for FedRAMP Moderate Equivalency, as referenced in DFARS clause 252.204–7012 and defined in a separate DoD policy memo. Some merely highlighted discrepancies or highlighted concerns about their ability to meet the FedRAMP Moderate Equivalency requirements. Others recommended revisions to that policy, or to DFARS clause 252.204–7012, or both. Some recommended the FedRAMP Moderate Equivalency policy memo be incorporated into DFARS clause 252.204–7012. Other suggestions ranged from eliminating equivalency to meet requirements, allowing 3PAO attestation to equivalency, requiring all FedRAMP Moderate Equivalency candidates to be assessed by the same C3PAO, or allowing equivalency to be established through other industry certifications or third-party security assessments, i.e., SOC, ISO/IEC 27001.
One commenter requested that applications hosted on a FedRAMP Moderate environment only need to meet the CMMC level of the data the application will process. Another suggested that all Cloud Service Providers be required to meet the same CMMC requirement as the OSCs they support. One commenter recommended expanding the scope of the CMMC Program to include assessing other security requirements in DFARS clause 252.204–7012, to include the use of a FedRAMP Moderate cloud environment. Comments also expressed that it is unreasonable to expect any cloud provider to share security documentation with a customer or C3PAO since they limit dissemination of this information due to operational security needs. Another commenter noted that the proposed rule does not cover all types of information that contractors may handle, such as classified information, export-controlled information, or proprietary information, and they recommended the DoD clarify applicability of the CMMC program for these types of information.

Response: Although some commercially based Cloud Service Offerings (CSOs) may experience limitations in trying to support the Defense Industrial Base with the FedRAMP Moderate equivalent requirement, the DoD is not willing to assume all the risk of non-FedRAMP Moderate Equivalent CSOs when the CSO is used to process, store, or transmit CUI. If the offering does not process, store, or transmit CUI, then FedRAMP certification is not required. Although the DoD considered acceptance of the ISO/IEC 27001 certification, it chose the NIST cybersecurity requirement to meet the FedRAMP Moderate baseline equivalency standard to stay aligned with the FedRAMP Moderate baseline, which is based on NIST standards versus ISO/IEC standards. The rule was updated to require FedRAMP Moderate or FedRAMP Moderate equivalency in accordance with DoD Policy.
CMMC Program Requirements make no change to existing policies for information security requirements implemented by DoD. Comments related to applications hosted on a FedRAMP Moderate environment are outside the scope of this rule. The requirements for CSPs that process, store, or transmit CUI are set by DFARS clause 252.204–7012 and the DoD CIO policy memo on FedRAMP Moderate equivalency. These requirements are beyond the scope of this rule. ESPs that are not CSPs will be required to meet the CMMC requirements and be assessed as part of the scope of an acquiring OSA. ESPs that are not a CSP may voluntarily request a C3PAO assessment if they decide it would be to their advantage.

c. Other DoD Programs and Policies

Comment: One commenter expressed dissatisfaction with results obtained from previously submitted FOIA requests related to development of the CMMC program. Two commenters asked if there was a mechanism to update FAR clause 52.204–21 to address evolving threats and recommended the Department specifically identify the frequency and identify accountable parties to review and update FAR security requirements. Another commenter cited responses visible on the DoD CIO's Frequently Asked Questions (FAQ) website and criticized both the utility of the information (given that it does not constitute formal policy) and the frequency with which the information is updated. Similarly, one commenter asked for more frequent updates to FAQs on the DoD Procurement Toolbox URL. One commenter asserted that the Federal Government sometimes contracts for support to perform sensitive tasks and permits access to "highly classified" information that should only be accessed by Federal employees. One commenter requested NIST develop a simplified inspection standard for organizations with fewer than 20 employees. One commenter asked about the transfer of CMMC Program oversight from OUSD(A&S) to DoD CIO.
A comment cited the utility of free cybersecurity-related services that DoD agencies offer, such as security alerts and vulnerability scanning, and encouraged expansion of those programs. One person suggested that DoD's Zero-Trust approach would provide a higher level of security for CUI data than the CMMC program. One commenter stated the Department should develop clear, flexible guidelines and alternative pathways for global companies to achieve CMMC compliance without relying on enclave architectures and recommended that this approach rely on Zero Trust principles. One comment noted that under FAR clause 52.204–21, FCI does not include simple transactional information (STI) and asked if certain data would be considered STI and therefore not subject to CMMC. One comment stated that conflicting regulatory guidance exists between the content of E.O. 15028, NIST SP 800–218, NIST SP 800–171 R2, and NIST SP 800–171 Revision 3.

Response: One comment lacked clarity and failed to clearly articulate any relevance to the content of this rule, so no response can be provided. SPRS will be used for reporting the CMMC Status of all contractors, regardless of which service issued the contract. Publication of this rule follows completion of OMB's formal rulemaking process, which includes both DoD internal coordination (including the USD(A&S) and USD(R&E)) and Interagency coordination. CMMC is consistent with Section 3.4 of DoDI 8582.01, Validation and Compliance. CMMC does not specify the content and format of plans of action beyond what is specified in NIST SP 800–171 R2, which is required under DoDI 8582.01. Clinger Cohen Act requirements, which apply to DoD's IT investments, are not relevant to CMMC Program requirements, which apply to contractor-owned information systems.
The classification marking of existing DoD documentation is beyond the scope of this rule, as is engagement with INCOSE and ISO/IEC certification organizations. Executive Orders state mandatory requirements for the Executive Branch and have the effect of law. E.O. 14028, "Improving the Nation's Cybersecurity" (issued May 12, 2021), requires agencies to enhance cybersecurity and software supply chain integrity. NIST SP 800–171 R2 and NIST SP 800–218 are guidelines, not regulations. NIST SP 800–171 Revision 3 is not currently applicable to this rule. Recommendations to add or modify requirements specified in NIST documentation should be submitted in response to NIST requests for public comment on the applicable guidelines. Federal and DoD requirements for delivery of software bills of material or secure software development are beyond the scope of this rule, which is limited to the assessment of compliance with requirements for adequate protection of FCI and CUI. Federal Contract Information is defined in FAR clause 52.204–21, which also provides the security requirements applicable for basic safeguarding of such information. The Department has no authority to modify definitions established in the FAR for application to all executive branch agencies. Any data that meets the definition of FCI is subject to CMMC Level 1. It is beyond the scope of the CMMC rule to render decisions on specific elements of data. The OUSD(A&S) was not replaced by the DoD CIO; rather, CMMC Program management oversight has been realigned from the OUSD(A&S) to the Office of the DoD CIO for better integration with the Department's other DIB cybersecurity-related initiatives. Comments pertaining to DoD's organizational structure are not relevant to the content of this rule. DoD's processing of FOIA requests is also not within the scope of this rule.
The DoD declines to respond to speculative or editorial comments about private citizens or outside entities, all of which are beyond the scope of this rule. Likewise, the DoD will not comment here on other DoD cybersecurity-related programs, such as Zero Trust. Some comments expressed appreciation for cybersecurity-related services that DoD provides free of charge, including protected DNS, vulnerability scanning, and security alerts, but these programs are outside the CMMC program. The government cannot comment on specific implementation or documentation choices of an OSA. Comments on alternate risk mitigation strategies such as product monitoring or software testing are not within the scope of this rule text.

d. DoD Policies Supporting CMMC Implementation

Comment: Some comments addressed the DoD's internal policies and training efforts to prepare the Government workforce for CMMC program implementation. For example, some commenters opined that the rule's focus on contractor responsibilities misses the true risk that lies further up obscure supply chains. Another commenter recommended DoD work with contractors in each sector to provide clear guidance on the types of data that the Department would consider CTI. One commenter requested DoD acknowledge that human factors influence DIB cybersecurity, while another stated DoD should provide uniform web-based training at no cost to ensure applicable training requirements are satisfactorily met. Another asked whether DoD PMs would receive CMMC-related training prior to implementation. Another comment asked whether specific risk-mitigating approaches, such as product monitoring or software testing, might suffice to manage supply chain risk considering lack of visibility into the origins of 3rd- and 4th-tier components. One commenter perceived the CMMC requirement for Program Managers to identify the level of assessment requirement appropriate for a solicitation as removing the contract award decision from the USD(A&S).
One commenter stated more information about procedures for implementing CMMC into government-wide contracts is needed. Another commenter expressed a need to use a basic contract that is unclassified, with any CUI contained in a separate appendix, to allow sub-contractors to plan with their Prime to access the information on the Prime's network and avoid requirements for their own CMMC certification. Another comment recommended revisions to describe that medium assurance certificates for incident reporting are a DFARS clause 252.204–7012 requirement, independent of CMMC program requirements. Two commenters criticized the DFARS clause 252.204–7020 requirement to allow "full access" to contractor facilities, systems, and personnel for the purposes of DIBCAC assessment, or for damage assessment following an incident, and recommended that the CMMC program not include or rely on this authority. Another commenter recommended that, prior to issuing a final rule on CMMC, DoD work with other relevant agencies to integrate and harmonize the numerous regulatory changes that impact contractors' capacity to safeguard data and systems. One commenter suggested rule publication be delayed until DoD articulates the benefit expected from contractor compliance with the rule.

Response: All recommendations to revise other Government-wide or DoD policies and programs are beyond the scope of the CMMC rule. CMMC Program Requirements make no change to existing policies for information security requirements implemented by DoD. Policies for CUI and creation of program documentation, to include Security Classification Guides and FedRAMP equivalency, are separate from this rule.
Relevant policies include DoDI 5200.48, "Controlled Unclassified Information," and DoD Manual 5200.45, "Instructions for Developing Security Classification Guides," for example.23 Some comments received lacked relevance to the rule's content, which is limited to specific CMMC program requirements. Changes to FAR and DFARS requirements are beyond the scope of this rule, as are the contents and updating of DoD's FAQ and Procurement Toolbox web pages. CMMC program requirements do not result in any change to which DoD organization makes the contract award. Recommendations to adopt standard DoD contracting procedures (i.e., to exclude CUI information in the basic award) are not within the scope of this rule, which outlines program requirements. The DoD limits the burden of CMMC compliance by requiring annual affirmations rather than annual assessments. Affirmations required for the CMMC program indicate that a DoD contractor has achieved and intends to maintain compliance with the applicable DoD information security requirements. The CMMC program is designed only to validate implementation of the information security standards in FAR clause 52.204–21, NIST SP 800–171 R2, and a selected subset of NIST SP 800–172 Feb2021. This rule does not address the other DFARS clause 252.204–7012 requirements for cyber incident reporting. The CMMC assessment framework will not alter, alleviate, or replace the cyber incident reporting aspects of DFARS clause 252.204–7012, which will remain effective where applicable. Classified information is managed differently from CUI, and different safeguarding regulations apply to these different categories of information (each of which is defined in 32 CFR part 2002).

23 DoD Issuances (www.esd.whs.mil/DD/DoDIssuances).
CMMC Program requirements are aligned to the requirements for safeguarding of CUI and are unrelated to the requirements for safeguarding classified information. "Export Controlled" is a category of CUI. To the extent that a company generates information it considers proprietary, but which is explicitly excluded from the definition of CUI (see 32 CFR part 2002), no CMMC requirements would apply. As the CMMC program requirements make no change to existing policies for information security requirements implemented by DoD, dialogues with industry to identify CUI are outside the scope of this 32 CFR part 170 CMMC Program rule. Several existing requirements directly address the human factors of cybersecurity, particularly those in the Awareness and Training, Personnel Security, and Physical Protection domains. Additional training and education on the topics of CUI safeguarding requirements, cybersecurity hygiene, and other useful topics may be found at:

www.archives.gov/cui/training.html
https://securityawareness.usalearning.gov/
https://business.defense.gov/Resources/Be-Cyber-Smart/

OSAs may develop their own policies to validate completion of training. Developing and providing cyber security awareness training is not within the scope of the CMMC Program. DoD program managers will receive training. In support of the 32 CFR part 170 CMMC Program final rule, DoD issued guidance to reiterate the most appropriate information safeguarding requirements for DoD information and the associated CMMC assessment requirement for any given solicitation. Irrespective of CMMC Program assessment requirements, when CUI is processed, stored, or transmitted on contractor-owned information systems, those systems are subject to the security requirements of NIST SP 800–171, due to the applicability of DFARS clause 252.204–7012.
Program Managers have a vested interest in knowing whether a contractor can comply with these existing requirements to adequately safeguard DoD CUI. Applicability of and compliance with DFARS clause 252.204–7020 is beyond the scope of the CMMC Program. Implementation of the CMMC Program does not require or rely upon DFARS clause 252.204–7020. The existing assessments described in DFARS clause 252.204–7020 are entirely different from those described in this rule. This rule contains no cyber incident reporting requirements. Concerns related to a CISA rule pertaining to cyber incident reporting are beyond the scope of this rule and should have been submitted instead to the relevant docket for that rule. The DoD has declined the recommendation to address certificate requirements for the cyber incident reporting requirements of DFARS clause 252.204–7012 in this rule. The DoD is unable to comment on, balance with, or modify contractual or regulatory requirements to comply with any other agency's future requirements. The preamble of this rule articulates how contractor compliance with CMMC will contribute to counteracting the cyber security threat. Implementation of the CMMC Program will help protect DoD's FCI and CUI that is processed, stored, and transmitted on non-Federal information systems of defense contractors and subcontractors. Adequately securing that information as required, down to the smallest, most vulnerable innovative companies, helps mitigate the security risks that result from the significant loss of FCI and CUI, including intellectual property and proprietary data. Hence the implementation of the DoD CMMC Program is vital, practical, and in the public interest. Working with NIST and other regulatory authorities to align standards is beyond the scope of this rule.

4. DFARS Requirements

Comment: Two commenters recommended the DoD fully implement CMMC requirements to standardize contract requirements to avoid proliferation of unique contract clauses across the Department. One comment suggested the rule should state explicitly that CMMC requirements do not apply to other agencies and advise DoD contractors to seek legal guidance before complying with CMMC requirements if other agency requirements also apply. In addition, several commenters thought the 32 CFR part 170 CMMC Program rule requirements lacked sufficient information about the associated 48 CFR part 204 CMMC Acquisition rule requirements to implement them. One person erroneously identified the DFARS clause 252.204–7021 as part of the 32 CFR part 170 CMMC Program rule, and one person asked what additional rulemaking is needed to implement CMMC requirements. Another person recommended close coordination and synchronization between the two rules. One comment recommended the contract clauses be simplified to be "stand alone", rather than requiring cognizance of the 32 CFR part 170 CMMC Program rule content. One commenter asked whether contractors must meet CMMC requirements during the solicitation phase, or to view RFPs that contain CUI. Another asked how DoD plans to integrate CMMC requirements into DoD's Adaptive Acquisition Framework. One contractor disagreed with CMMC's pre-award approach, and worried it could create a need to become compliant in anticipation of future solicitations. This commenter posited that any information designated as CUI after contract award will create a "chicken and egg" dilemma for CMMC compliance. Other comments asked whether conditional certifications would be weighted differently than final certifications in the proposal evaluation and award process and suggested that DoD provide 6 months' advance notice for all solicitations containing a CMMC requirement.
Some comments urged the DoD to describe how DoD will identify CUI in solicitations and when CUI markings should apply in CSP or ESP scenarios. They also requested modification of DoD contracting procedures to provide criteria for identifying CUI information in each contract award along with the corresponding CMMC assessment level. One commenter inquired about the difference between implementing security requirements and assessing compliance. Some comments pertained to other DFARS contractual requirements, rather than CMMC requirements. For example, some recommended changing DFARS clause 252.204–7012 to remove the definition of Covered Defense Information and to deviate from a requirement to comply with the NIST SP 800–171 version current at the time of solicitation. In addition, they asked about cost allowability for time-and-materials or cost-type contracts. Some comments posited that costs for reassessment or recertification should be explicitly identified as reimbursable in the 48 CFR part 204 CMMC Acquisition rule, while one similar comment suggested that CMMC level 3 certification costs should be allowable when CMMC level 3 requirements are initially implemented. One comment addressed cyber incident reporting timelines for cloud service providers and recommended that the DoD's FedRAMP moderate equivalency policy be revised to align with DFARS clause 252.204–7012 timelines. Another asked whether the rule inadvertently omitted requirements to assess compliance with DFARS clause 252.204–7012 cyber incident requirements. Other commenters asked for the CMMC contract clause verbiage, as was subsequently published in the related 48 CFR part 204 CMMC Acquisition rule. For example, some people asked whether CMMC requirements would be levied in ID/IQ contract awards versus task order awards, and GSA schedules.
They asserted that adding CMMC clauses in GSA schedules might inadvertently allow contracting officers to include them in non-DoD-issued task orders. Another opined that ID/IQ contracting procedures might necessitate changing the CMMC level needed for the base contract after its initial award, based on the needs of a task order. One commenter incorrectly inferred that a single Program Manager would make the CMMC level and type determination for every task order issued against an ID/IQ. In addition, two comments suggested that the DoD communicate with every current DoD contractor to identify which CMMC level would apply to their existing contracts. One company identified their specific DoD contract and asked whether it would be cancelled absent CMMC compliance. Another asked whether a current DFARS clause 252.204–7020 self-assessment score could be submitted to meet a CMMC level 2 self-assessment requirement. They also recommended elimination of the DFARS clause 252.204–7020 requirements when CMMC is implemented. One commenter speculated about whether DoD's CMMC contract clauses can be applied to DoD contractors that also make and sell the same product to other US Government agencies. They noted that export licenses do not restrict companies from providing product data to other parties and posited that this might conflict with CMMC requirements. One person asked about the potential for conflicts between CMMC clauses and the Berry Amendment and suggested that Berry Amendment compliance take precedence over CMMC clauses.

Response: Some comments received lacked relevance to the rule's content, which is limited to specific CMMC program requirements. Changes to FAR and DFARS requirements are out of scope of the 32 CFR part 170 CMMC Program rule, as contractual changes would occur under the 48 CFR part 204 CMMC Acquisition rule. This rule does not discuss the Berry Amendment.
The rule does not address recovery of assessment costs because it does not make any change to 48 CFR 31.201–2. This 32 CFR part 170 CMMC Program rule is not an acquisition regulation; however, a CMMC Conditional Certification meets the CMMC program certification requirements. Any comments related to contract requirements should be directed to the related 48 CFR part 204 CMMC Acquisition rule. CMMC requirements apply to contracts that include FAR clause 52.204–21 or DFARS clause 252.204–7012 and result in processing, storing, or transmitting of FCI or CUI on a contractor-owned information system. The CMMC program is not a verification program for compliance with all requirements of DFARS clause 252.204–7012; rather, its purpose is to ensure compliance with FAR clause 52.204–21, NIST SP 800–171 R2, and NIST SP 800–172 Feb2021 when applicable. The DoD does not provide detailed instruction on how to implement specific solutions to meet security requirements identified in the FAR clause or applicable NIST requirements, which is determined by the OSA. Any deviation from or change to DFARS clause 252.204–7012 is beyond the scope of this rule. Each of the teams responsible for developing these two CMMC rules has reviewed both documents. There are no CMMC requirements for reviewing FCI or CUI solicitation material. Recommendations to adopt standard contracting procedures for award of DoD contracts (i.e., to exclude CUI information in the basic award) are outside the scope of this 32 CFR part 170 CMMC Program rule. In support of the 32 CFR part 170 CMMC Program final rule, DoD issued policy guidance to its program managers and acquisition workforce to identify the appropriate CMMC requirement in solicitations and contracts.
The CMMC assessment level required does not change based on acquisition lifecycle phase and is based on whether FCI and CUI are processed, stored, or transmitted on contractor-owned information systems used in the performance of a contract. Discussion of DoD's willingness to provide advance notice of CMMC requirements or to remove the PM's discretion to include the CMMC level that best suits program requirements is a 48 CFR part 204 CMMC Acquisition rule matter and outside the scope of this rule. The CMMC Level will be identified in the solicitation. Once attained, a CMMC self-assessment or certification can be used in support of any number of proposals and solicitations.

5. Litigation and False Claims

Comment: Some commenters expressed concern that CMMC implementation would result in increased litigation by DIB companies or pursuit of False Claims Act penalties by DoD against DIB companies. One commenter erroneously believed that Mexico would participate in oversight of the CMMC ecosystem, and that "a flood of litigation" may result from DIB companies losing contracts due to noncompliance with CMMC requirements. One commenter suggested that DoD should absolve contractors from False Claims Act prosecution when differences are found between C3PAO assessment results and a previously submitted contractor self-assessment, due to potentially valid reasons for the differing outcomes. Another suggested that DoD establish protections from regulatory and legal liability related to cyber incidents when the affected contractor has complied with relevant CMMC Program requirements.

Response: The DoD lacks the authority to change the False Claims Act, which is a Federal law that imposes liability on persons and companies who defraud or knowingly submit false claims to the government. Comments related to Safe Harbor provisions are outside the scope of this rule.
Comments about potential industry litigation are also beyond the scope of the final rule, and the recommendations provided were not appropriate for inclusion in this rule. Nothing in the rule prevents frivolous private lawsuits, but the rule does provide that the CMMC AB maintain an appeals process. The DoD has faithfully followed the formal rulemaking process, to include completion of the public comment period. Implementation of the CMMC program will be carried out objectively and in accordance with the tenets of the final rule. No foreign actors have any role in DoD's administration of the program.

6. DoD Metrics

Comment: Several commenters inquired about the types of metrics the DoD plans to use to monitor progress toward the DIB cybersecurity objectives that the CMMC program was designed to meet. One asked whether DoD's metrics would include testing, and another recommended they capture changes in the population of DoD contractors caused by cost impacts of CMMC implementation. Others referenced a December 2021 GAO Report that critiqued DoD's earlier attempts to implement the CMMC program. Specifically, they cited the GAO's finding that, at that time, DoD had not defined how it would analyze data to measure performance. A comment recommended the DoD identify responses to other GAO findings, which dealt with improvements to communications with industry and metrics for program management. Another comment asked whether management alignment within OSD, budget, and staffing of the CMMC program office are adequate. Two comments asked how many current contract awardees had received notification or identification of CUI to be provided in performance of their contracts, and asked which CMMC level would theoretically apply to those contracts.
Another asked the DoD to provide DIBCAC assessment results data as a more relevant justification for the CMMC program than the 2019 DoDIG report on DIB Cybersecurity.

Response: DoD’s response to the referenced GAO and DoD IG reports is beyond the scope of this rule. Likewise, the DoD does not comment on analysis methods supporting the DoD IG’s conclusions. Publishing DIBCAC assessment results is also beyond the scope of this rule, as are CMMC Program effectiveness metrics and return on investment calculations. The DoD is establishing CMMC assessment requirements as part of a comprehensive effort to verify that underlying information security requirements are met, as required, for all contractor owned information systems that process, store, or transmit CUI or FCI in the performance of a DoD Contract. DoD’s calculation of ROI for the security controls that CMMC will assess, and cost elasticity of the DIB are also beyond the scope of this rule.

7. Phased Implementation of the Program

Comment: Many comments asked for additional explanation of DoD’s expected start and progression through phases of the CMMC implementation plan. Several asked that the phase-in plan be extended. One commenter asked whether contracts that would otherwise be associated with CMMC Level 3 would include a CMMC Level 2 requirement if issued prior to Phase 4 of the plan. Another misread the phase-in plan to mean that self-assessments would no longer be permitted at Full Implementation. One comment asked if the USG would be revisiting acquisition timelines to add more time for due diligence to ensure all entities meet CMMC requirements or have a POA&M in place. Some commenters observed that DoD’s intended dates for CMMC implementation, as published in an earlier 48 CFR CMMC interim final rule, are unachievable and must be changed via another CMMC DFARS rule.
Some commenters were confused by the differences between the dates of implementation phases in the rule, and the seven years described in cost estimates as necessary to complete implementation. Another commenter asked why the rule only applies to DoD. Some commenters suggested changes to prioritize different kinds of contracts, programs, or companies earlier or later in the implementation plan, rather than basing the phase-in on assessment type. For example, one suggested capping the number of contracts with CMMC requirements each year. Another suggested phasing in by increasing the numerical assessment score required for compliance, with additional time permitted for POA&M close-out beyond the current limit of 180 days. Another suggested reversing the phase-in to begin with CMMC Level 3. Several commenters requested extension of the phase-in plan to allow more time. One speculated that ‘‘tens of thousands’’ of contractors would require certification in less than 18 months. One commenter suggested the DoD modify the timing of implementation for CMMC levels 2 and 3, and that DoD consider allowing sufficient time to develop a robust CMMC ecosystem and demonstrate the CMMC model before full implementation. Flexibility in the implementation plan that allows Program Managers and requiring activities to include CMMC requirements earlier in the plan than will be mandated by policy also generated questions and comments. Some commenters asked whether this could result in the DoD applying CMMC requirements to previously awarded contracts or asked that the rule specify they will apply only to new contracts. Another asked about opportunities to renegotiate the contract ceiling price if CMMC assessments are required for option period exercise. One commenter asked that the rule be revised to exclude these flexibilities to result in an ‘‘on/off’’ approach to implementation.
Another commenter asked what mechanisms the DoD would have to change the pace of implementation or monitor the contracts that include CMMC requirements.

Response: The DoD lacks the authority to implement CMMC as a Federal-wide program. The 48 CFR part 204 CMMC Acquisition rule for CMMC will be updated to align with this 32 CFR part 170 CMMC Program rule and will modify DFARS clause 252.204–7021. CMMC Phase 1 implementation will commence when both the 32 CFR part 170 CMMC Program rule and the 48 CFR part 204 CMMC Acquisition rule are in effect. Some commenters may have overlooked that § 170.3(e) states Phase 1 begins on the effective date of this 32 CFR part 170 CMMC Program rule or the complementary 48 CFR part 204 CMMC Acquisition rule, whichever occurs later. The implementation plan describes when CMMC level requirements will appear in solicitations; it does not define a timeframe by which all contractors must be certified. During the first phases of the plan, a majority of CMMC requirements will be for self-assessment. In response to public comments, the DoD has updated the rule to extend Phase 1 by 6 months, with appropriate adjustments to later phases. DoD is not conducting Pilots in the updated CMMC implementation plan. The phased implementation plan described in § 170.3(e) is intended to address ramp-up issues, provide time to train the necessary number of assessors, and allow companies the time needed to understand and implement CMMC requirements. DoD has updated the rule to add an additional six months to the Phase 1 timeline. Phase 2 will start one calendar year after the start of Phase 1. The DoD’s objective timeline to begin implementing the CMMC requirements has been, and remains, FY2025.
The implementation period will consist of four (4) phases, 1 through 4, and is intended to address any CMMC assessment ramp-up issues, provide the time needed to train the necessary number of assessors, and to allow companies time to understand and implement CMMC requirements. It is estimated that full implementation of CMMC by all defense contractors will occur over seven years, given the number of DoD solicitations contractors respond to and are awarded each year. The four phases add CMMC level requirements incrementally, starting in Phase 1 with Level 1 and Level 2 Self-assessments, and ending with Phase 4 for Full Implementation, as addressed in § 170.3(e)(4). By Phase 3, all CMMC Levels 1, 2, and 3 will be included in some DoD solicitations and contracts, but Level 3 requirements may be identified for implementation as option period requirements rather than for initial contract award. In Phase 4, DoD will include CMMC requirements in all applicable DoD contracts and option periods on contracts awarded after the beginning of Phase 4. As addressed in § 170.18(a), receipt of a CMMC Level 2 Final CMMC Status for information systems within the Level 3 CMMC Assessment Scope is a prerequisite for a CMMC Level 3 certification assessment. CMMC self-assessment requirements build on the existing DFARS clause 252.204–7020 requirement for basic safeguarding of CUI. CMMC Level 3 requires advanced implementation, and the phase-in period provides additional time for OSC to achieve the higher standard. In Phase 4, which is full implementation, CMMC requirements must apply to new contracts and option year awards. The DoD may choose to negotiate modifications adding CMMC requirements to contracts awarded prior to CMMC implementation, as needed.
No changes to this rule are needed to reflect existing contract administration processes. Questions on specific contracting matters, including contract costs and funding, are outside of the scope of this rule. With the implementation of the final 32 CFR part 170 CMMC Program rule and 48 CFR part 204 CMMC Acquisition rule, prospective DoD contractors and subcontractors should be actively preparing for DoD contract opportunities that will include CMMC Program requirements when performance will require the contractor or subcontractor to process, store, or transmit FCI or CUI. The respective phases of the implementation plan provide adequate time to complete CMMC requirements, and DoD program requirements and timelines will dictate the programs that may warrant CMMC Level 3 requirements during the phased implementation of CMMC. DoD considered many alternatives before deciding upon the current CMMC implementation plan. The phased implementation plan is based on CMMC assessment level and type, which DoD believes to be a fair approach for all prospective offerors. Defining the phase-in based on contract type, company size standard, or other potential bases could lead to unfair advantage. Program Managers will have discretion to include CMMC Status requirements or rely upon existing DFARS clause 252.204–7012 requirements, in accordance with DoD policy. The DoD will monitor the Program Managers’ exercise of this discretion to ensure a smooth phase-in period. The decision to rely upon CMMC self-assessment in lieu of certification assessment is a Government risk-based decision based upon the nature of the effort to be performed and CUI to be shared. Note that § 170.20 Standards acceptance states OSCs that completed a DCMA DIBCAC High Assessment with a score of 110 and aligned with CMMC Level 2 Scoping, will receive Final CMMC Status for a Level 2 certification assessment.
As noted by one commenter, self-assessments against NIST SP 800–171 are already required, and verifying compliance with applicable security requirements is necessary for the protection of DoD CUI. For all CMMC independent assessments (i.e., Level 2 or 3), DoD policy guides Program Managers in appropriately including these requirements in DoD solicitations. DoD systems that support the procurement process can identify the number of contracts issued that include any specific clause. Such metrics for the CMMC Program are not within the scope of this rule. The seven-year timespan reflects the DoD’s estimate for all defense contractors to achieve CMMC compliance. The implementation plan ramps up CMMC assessment requirements over 4 phases, such that the ecosystem will reach maximum capacity by year four. One commenter referenced the response to a specific comment to the 2020 CMMC rule. Those earlier questions about the 2020 rule publication are no longer relevant due to changes made in the more recent 2023 rule publication. DoD estimates acknowledge that contractors with existing contracts may not receive another contract award or even submit another proposal immediately. The DoD has developed CMMC to increase consistency of implementation of NIST SP 800–171 R2 and NIST SP 800–172 Feb2021. Specifically, this rule provides extensive information on scoring methodology, in an effort to improve self-assessments. The use of independent C3PAOs further enforces consistency for those companies that need to meet a CMMC Level 2 certification requirement. The DoD has considered the suggestions and declines to modify the phase-in periods based on total score required, or other criteria, which would not provide the desired improvements in DIB cybersecurity. The DoD notes the commenter’s concern that self-assessments go away after Phase 4. Requirements from earlier phases continue as each additional phase is implemented.
When applicable, self-assessments will still be allowed, as appropriate, in Phase 4. This rule describes flow down requirements to subcontractors. This rule makes no change to 48 CFR 252.204–7008.

8. Commercially Available Off-the-Shelf (COTS) Procurements

Comment: One comment suggested the definition of COTS should be more explicitly defined or the model outlined in § 170.2 should encompass COTS products. Two comments questioned the exemption of CMMC requirements for contracts or subcontracts exclusively for commercial off-the-shelf (COTS) items. Others questioned applicability of CMMC requirements to COTS procurements and/or purchases at or below the micro-purchase threshold. Finally, one commenter questioned the validity of a COTS exclusion, stating that no COTS components are exempt from DoD’s certification requirements from DISA or NSA.

Response: The term Commercially available off-the-shelf (COTS) is defined in FAR part 2.101. Some comments pertained to content of the 48 CFR part 204 CMMC Acquisition rule, including applicability of CMMC clauses to COTS procurements and/or those below the micro-purchase threshold. Such comments are not within the scope of this 32 CFR part 170 CMMC Program rule, which outlines program requirements and not acquisition procedures. CMMC requirements do not apply to contracts and subcontracts that are exclusively for the delivery of COTS products to a DoD buyer. The exemption does not apply to a contractor’s use of COTS products within its information systems that process, store, or transmit CUI. CMMC assessments are conducted on contractor owned information systems to ascertain compliance with the designated FAR, DFARS, and NIST requirements.

9. Specific Product Recommendations

Comment: One managed service provider expressed concern that the specific tools they use to provide services might be considered Security Protection Assets or generate Security Protection Data in the context of CMMC assessment requirements, which might result in clients electing to use their own tools and products in lieu of the managed service provider. This commenter attached a list of more than a dozen commercial products and tools they use as examples associated with this concern. One commenter used their public comment submission to submit materials marketing services their company can provide, while another commenter suggested the rule direct readers to a website listing all software, tools, and applications deemed ‘‘safe and cost effective’’ by virtue of CMMC assessment. Another commenter asserted that all companies need access to cybersecurity solutions from DHS/CISA and grants to assist them in buying Zero Trust technologies to protect CUI. Similarly, some commenters recommended various other cybersecurity tools, programs, or technologies that could be used to meet CMMC security requirements and provide threat intelligence to DIB companies. Such recommendations included portals used in conjunction with perimeter and privileged access management systems. One commenter proposed delaying implementation of the CMMC rule until all DoD contractors’ system architectures could be analyzed for possible implementation of Virtual Machines, or Blockchain for secure data transmission, or hosting of all CUI on DoD hosted platforms.

Response: The government cannot comment on specific products or vendors, including marketing materials submitted via public comment.
However, companies that act as ESPs should note this rule does not require CMMC assessment or certification of ESPs that do not process, store, or transmit CUI. Services provided by an ESP are in the OSA’s assessment scope. Comments pertaining to solutions available from other Federal agencies or expressing a desire for grants to obtain Zero Trust solutions or other cybersecurity solutions are also beyond the scope of the CMMC rule. A wide range of technologies may be used to implement CMMC requirements. DoD will not comment on specific OSA technology choices. The Department declines the recommendation to review the system architectures of all DoD contractors. The DoD did not modify the rule to identify a repository of ‘‘safe and cost effective’’ software, applications, and tools because a CMMC assessment does not evaluate commercial products or services for those characteristics and the government does not provide product endorsements.

10. Applicability

a. Systems Operated on Behalf of DoD and National Security Systems

Comment: The DoD received questions about whether CMMC requirements apply to information systems that are designated as National Security Systems, Defense Business Systems, or systems operated on the DoD’s behalf. In concert with those questions, one person recommended adding NIST SP 800–53 R5 requirements to the rule for such systems. The commenter further recommended expanding applicability of the rule to include contractor-owned systems that directly affect DoD NSS. Two commenters recommended edits to clarify that CMMC requirements do not apply to NSS or to government systems operated by contractors on the DoD’s behalf. One commenter asked if a Cloud Service Provider that stores CUI would have to be at Impact Level 4 in accordance with the DISA Cloud Computing Security Requirements Guide.
Response: The CMMC assessment requirements apply in conjunction with FAR clause 52.204–21 and DFARS clause 252.204–7012 requirements and provide a mechanism for verifying compliance with the security requirements for safeguarding FCI or CUI (e.g., NIST SP 800–171) levied by those clauses. The CMMC Program does not alter any additional security requirements that may be applicable to contractor-owned information systems that may also meet the criteria for designation as NSS. There is no conflict between the CMMC rule and the DISA Cloud SRG, which applies to contractor information systems that are part of Information Technology (IT) services or systems operated on behalf of the Government. The CMMC rule does not apply to those systems (§ 170.3(b)). The DoD declines to modify the rule because the applicability section already states this rule applies to contractor-owned information systems.

b. Infrastructure Entities

Comment: Many commenters had concerns about CMMC’s potential impact to the energy and electric industries, Internet Service Providers (ISPs) and small, disadvantaged businesses looking to contract with the DoD, especially given dependencies on appropriate marking of Controlled Unclassified Information (CUI). Another commenter referenced Executive Order 13175, ‘‘Consultation and Coordination with Indian Tribal Governments’’ and requested information on CMMC impact to and potential exemptions for Native American and small disadvantaged contractors. Another commenter stated that some small businesses may stop providing cost estimating services to Federal agencies due to ‘‘threatened penalties’’ under CMMC requirements. One commenter recommended adding the definition of the defense industrial base (DIB), and referenced the Cybersecurity and Infrastructure Security Agency definition, which explicitly excludes commercial infrastructure providers from their definition of the Defense Industrial Base Sector.
One commenter stated the lack of clarity around requirements for electric cooperatives under the CMMC framework is causing concern about unanticipated cost impacts for these smaller entities. The commenter requested that DoD provide contractors the ability to recover unanticipated costs incurred to achieve CMMC certification. Another commenter asked about potential CMMC exemptions for telecommunications providers, specifically for end user encryption. The commenter stated the DoD needs to impose CUI encryption requirements on the relevant contractors and not telecommunications network providers, who have no control over whether a user encrypts information it sends over those networks. The commenter also noted that definitions of ‘‘common carrier’’ vary across the Federal Government and suggested the DoD should create a blanket exemption for contracts involving commercial communications networks that are not ‘‘purpose-built’’ to transmit sensitive government data. Another commenter suggested the CMMC Rule should further clarify that encryption must be configured such that the common carrier does not have access to the decryption key(s). Several commenters requested clarity around CUI, citing general confusion among industry about which CUI is subject to the CMMC Program. Some commenters interpreted the rule as proposing to apply to all CUI information, rather than just information handled by the contractor ‘‘in support of a defense contract’’ and asserted that this would be an expansion beyond the current DFARS clause 252.204–7012 requirements. They further suggested this broad definition could result in companies applying costly controls to all apparent CUI, regardless of its association with DoD, to avoid penalties under the False Claims Act. They recommended clearly stating that CUI provided to contractors by non-DoD agencies should be subject to the requirements of those agencies and not the CMMC Program. A commenter said the electric industry will experience increased costs as electric utilities comb through vast amounts of data across the electric grid to determine all potential CUI, even if that CUI is not specifically subject to a DoD contract. One commenter stated that guidance DoD has provided for electric utilities to identify CUI in the past is insufficient and suggested that use of Security Classification Guides could help by minimizing the need for CMMC compliance. In addition, they speculated that inclusion of CMMC requirements could create requirements after award which might require adjustments to contract price. Another commenter stated energy companies servicing military customers must develop governance programs around data protection years in advance, with significant investments. The commenter is concerned that CMMC requires these companies to make these large investments prior to knowing if a proposed contract may contain CUI and without adequate guidance about what data is considered CUI.

Response: This rule has no disproportionate impact on Native American-owned businesses. Once identified as a requirement, the CMMC Level will apply uniformly to all prospective competitors. DoD must enforce safeguarding requirements uniformly across the Defense Industrial Base for all contractors and subcontractors who process, store, or transmit CUI. The value of information (and impact of its loss) does not diminish when the information moves to DoD contractors and DoD subcontractors, regardless of their status as Native American or small disadvantaged businesses. The CMMC Program rule does not include ‘‘threatened penalties.’’ If a requirement of a DoD contract is not met, then standard contractual and other remedies applicable to that contract may apply.
CMMC Program requirements make no change to existing policies for information security requirements implemented by DoD. Policies for CUI and creation of program documentation, to include Security Classification Guides, are separate from this rule. Section 170.4(b) of the rule states Defense Industrial Base (DIB) is defined in 32 CFR part 236, which addresses DoD and DIB Cyber Security Activities. Section 236.2 includes the DoD approved definition for DIB. The CMMC Program applies only to DoD contracts that include the DFARS clause 252.204–7021 and under which FCI or CUI is processed, stored, or transmitted on contractor information systems. This includes CUI outside the category of the Defense Organizational Index Group. Contracts for the provision of electricity or other utilities which do not contain FAR clause 52.204–21 or DFARS clause 252.204–7012 and which do not require the processing, storing, or transmitting of FCI or CUI on contractor owned information systems will not require CMMC assessment. The CMMC rule makes no change to FAR cost allowability or cost accounting standards. The 32 CFR part 170 CMMC Program rule has been updated to add ‘‘in performance of the DoD contract’’ to § 170.3, and the 48 CFR part 204 CMMC Acquisition rule will provide the contractual direction. A common carrier’s information system is not within the contractor’s CMMC Assessment Scope if CUI is properly encrypted during transport across the common carrier’s information system. A common carrier who is a DoD contractor or subcontractor is responsible for complying with the CMMC requirements in their contracts. CUI encryption requirements already apply to the OSA, not the telecommunications network provider. The lack of adequate encryption on the part of the OSA would not trigger application of CMMC requirements to the common carrier’s network.
The term ‘‘common carrier’’ appears in the comment section to a previous rulemaking process. Its definition and use are taken from CNSSI 4009. Efforts to define it or related terms by other agencies are outside the scope of the CMMC Program. Commenter scenarios where a common carrier would be privy to an OSA’s encryption keys are unrealistic. DoD declines to provide additional guidance. CMMC Program requirements make no change to existing policies for information security requirements implemented by DoD. Policies for CUI and creation of program documentation, to include Security Classification Guides, are separate from this rule. Relevant policies include DoDI 5200.48 ‘‘Controlled Unclassified Information’’ and DoD Manual 5200.45 ‘‘Instructions for Developing Security Classification Guides’’. CMMC Program requirements will be identified as solicitation requirements. Contractors will be required to meet the stated CMMC requirements, when applicable, at or above the level identified. For this reason, it is up to each DIB organization to determine which CMMC level they should attain. Questions regarding specific contractual matters are outside of the scope of this rule and may be addressed by the 48 CFR part 204 CMMC Acquisition rule. The CMMC program will be implemented as a pre-award requirement.

c. Joint Ventures

Comment: Two commenters requested clarification as to whether CMMC requirements will apply to companies engaged in Joint Ventures.

Response: CMMC program requirements are applicable when DoD requires processing, storing, or transmitting of either FCI or CUI in the performance of a contract between DoD and the respective contractor.
CMMC Program requirements will apply to information systems associated with contract efforts that process, store, or transmit FCI or CUI, and to any information system that provides security protections for such systems, or information systems not logically or physically isolated from all such systems. The identity of an offeror or contractor as a joint venture does not in and of itself define the scope of the network to be assessed.

d. Fundamental Research Efforts

Comment: One commenter recommended that both the sharing of CUI and the decision to apply a CMMC compliance assessment should only be considered for contracts of sufficient contract value and performance period to make the expense of safeguarding CUI worthwhile. This commenter asserted that small businesses are selected for SBIR contract award not based on ability to protect information, but instead on the unique product or service they offer. Some commenters expressed concern that CMMC could result in state-funded universities incurring costs to comply with CMMC level 2, while even the costs for implementing required FCI safeguarding requirements are a significant financial burden. These commenters speculated that applying FCI or CUI markings to fundamental research information would negatively impact academic institutions by requiring them to remove such data from the public domain. This commenter cited DFARS clause 252.204–7000 as rationale to modify the CMMC rule to exclude fundamental research. One commenter requested that when contracting for fundamental research, the Government include a CMMC requirement based only on whether information shared is currently FCI or CUI, and not whether the effort might lead to development of FCI or CUI.
Another commenter requested that DoD issue policies clearly describing how to recognize or identify circumstances that could result in fundamental research becoming FCI or CUI such that it would require being processed, stored, or transmitted on CMMC compliant information systems. The commenter expressed concern that absent such policies, research institutions may house all DoD-related project activities in CUI enclaves ‘‘out of an abundance of caution’’, thereby unnecessarily expanding CUI applicability at significant cost. They asked that DoD Instruction 5200.48, ‘‘Controlled Unclassified Information,’’ and a related DoD policy memorandum ‘‘Clarifying Guidance for Marking and Handling Controlled Technical Information in accordance with Department of Defense Instruction 5200.48, ‘Controlled Unclassified Information’ ’’ be incorporated into the rule by reference. One commenter questioned whether and how CMMC requirements may apply to non-contract efforts, including grants, or efforts conducted under Other Transactional Authorities.

Response: One of the main purposes of the CMMC Program is to ensure that DoD contracts that require contractors to safeguard CUI will be awarded to contractors with the ability to protect that information. All contractor-owned information systems that process, store, or transmit CUI are subject to the requirements of NIST SP 800–171 when DFARS clause 252.204–7012 is included in the contract. This is the case whether or not the contractor is engaged in fundamental research. To the extent that universities are solely engaged in fundamental research that only includes information intended for public release and does not include FCI or CUI, no CMMC requirement is likely to apply. When a research institution does process, store, or transmit FCI, the information should be adequately safeguarded in accordance with the FAR clause 52.204–21, if applied.
When a research institution does process, store, or transmit CUI, the information should be adequately safeguarded in accordance with the DFARS clause 252.204–7012, if applied. That clause makes the contractor owned information system subject to NIST SP 800–171, which includes requirements for Awareness and Training (AT) and Physical Protection (PE). The CMMC Program provides a means to verify compliance. DoD’s CUI program policies already address responsibilities for identifying and marking information, including procedures for changing markings. The DoD declined to incorporate all the references associated with marking and handling CUI. The DoD instructions and policy guidance are authoritative and incorporating them into the CMMC regulation is beyond the scope of this rule. DoD declines to update the preamble to exclude the possibility that information may be designated CUI over the course of time. According to the A&S memo dated 31 March 2021, titled Clarifying Guidance for Marking and Handling Controlled Technical Information in accordance with Department of Defense Instruction 5200.48, ‘‘Controlled Unclassified Information,’’ ‘‘Information related to RDT&E-funded research efforts, other than fundamental research, do not always qualify as CUI.’’ This implies that some DoD fundamental research may qualify as CUI. When the DoD does determine that research meets the definition of CUI, safeguarding requirements of DFARS clause 252.204–7012 will apply regardless of whether the contractor’s work is fundamental research. In such instances, CMMC assessment requirements may also be applied. Contractors should work closely with Government Program Managers to ensure a proper understanding of the data being developed and the appropriate markings and safeguarding.
Questions regarding the application of CMMC requirements to specific transactions, including grants and OTAs, are outside of the scope of this 32 CFR part 170 CMMC Program rule.

e. DoD Waiver of CMMC Applicability

Comment: Several questions were submitted about waiver procedures for CMMC requirements. For example, someone asked which DoD person or office has authority to approve waiver requests. Others also requested insight into the specific criteria for waiver approval. One commenter submitted preferred rewording of the rule section that describes waivers while another suggested self-assessment should be required even when certification is waived.

Response: DoD internal policies, procedures, and approval requirements will govern the process for DoD to waive inclusion of the CMMC requirement in the solicitation. Once applicable to a solicitation, there is no process for OSAs to seek waivers of CMMC requirements from the DoD CIO. In accordance with § 170.5(d), a limited waiver authority is provided to the Acquisition Executive with acquisition oversight for the program in question. These officials may issue supplemental guidance dictating specific coordination requirements for waiver requests. Recommended administrative changes have been incorporated into § 170.5(d) to add clarity.

11. Determination of Applicable Assessment Type

a. Process for Level Determination

Comment: Multiple comments asked how DoD will determine the CMMC level to include in solicitations. Multiple comments inquired about the criteria DoD will use to determine when to require a CMMC Level 2 self-assessment, CMMC Level 2 certification, or CMMC Level 3 certification assessment. Multiple comments asked specifically about when CMMC Level 2 self-assessment will be required versus CMMC Level 2 Certification. One comment requested more information on which companies may ‘‘self-attest’’.
One comment requested § 170.5(a) be modified to prevent CMMC Level 2 or 3 being assigned for contracts where only FCI is exchanged. One comment emphasized that requirement(s) for Contractor certification levels must be the same as stated throughout this proposed ruling. Two comments recommended providing contracting officers with interim guidance to ensure consistency in applying CMMC requirements. One comment requested the detailed guidance ensure CMMC requirements are selected based on risk, and that certification is not required by default. Some commenters objected to the wording of one criterion for level selection as ‘‘potential for and impacts from exploitation of information security deficiencies’’. One asserted this equates to a sub-CONFIDENTIAL security classification. One comment expressed that all information systems that process CUI should have the same level of ‘‘program criticality, information sensitivity, and the severity of cyber threat’’ since CUI is Unclassified Information which is a ‘‘handling caveat’’. Multiple comments requested a clearer description of what contracts require CMMC Level 3 Certification, one of which requested a definition of what constitutes a ‘‘priority program’’ that might require CMMC Level 3. One comment requested that acquisition processes first analyze the CUI for a proposed effort using published factors for aligning CUI to high value assets before setting CMMC levels. They asserted use of such published factors would improve accuracy of CUI marking.

Response: Pre-award contracting procedures and processes for CMMC assessment requirements will be addressed in the 48 CFR part 204 CMMC Acquisition rule. CMMC is a pre-award requirement.
As stated in the Applicability section summary of the CMMC rule (§ 170.3), once CMMC is implemented in the 48 CFR part 204 CMMC Acquisition rule, DoD will specify the required CMMC Level in the solicitation and the resulting contract. DoD’s policies and procedures for the length of time allowed for proposal submission in response to any solicitation are beyond the scope of this rule. PMs typically consider the totality of the requirement when deciding how much time to allow for proposal submission or whether to seek industry input through Request for Information to inform solicitation details. Note that once attained, companies may reference a CMMC Status as part of any number of proposals to various solicitations with that level of CMMC requirement if the same assessment scope is used. The type and sensitivity of information to be utilized during the contract, FCI or CUI, determines the requirements in the solicitation, which then informs the CMMC level required. CMMC level 1 requirements are designed to be applied when FAR clause 52.204–21 security requirements apply to the contract, whereas CMMC level 2 and 3 requirements are designed for the protection of CUI information, and to be applied when DFARS clause 252.204–7012 also applies. When CMMC Program requirements are effective, the DoD will begin including CMMC assessment requirements in solicitations as described in § 170.3 Applicability. DoD solicitations will specify which requirements will apply to the contract award. Prior to issuance of a solicitation, DoD will determine the appropriate CMMC level and type of assessment needed to ensure adequate safeguarding of the DoD program information to be shared in performance of the contract. Identification of the CMMC level and assessment type will be part of the DoD’s requirement definition process. 
As addressed in § 170.18(a) of this rule, a CMMC Level 2 Final CMMC Status is a prerequisite for CMMC Level 3 assessment and must be achieved for information systems within the Level 3 Assessment Scope. Identification of priority programs is a function of the requirements definition process for any DoD effort. The DoD will issue policy guidance to Program Managers to clarify which programmatic indicators should be considered for selecting the most appropriate information safeguarding requirement and associated CMMC assessment requirement for any given solicitation. Once identified as a requirement, the CMMC Status required will apply uniformly to all prospective competitors.

b. Who Determines the CMMC Level

Comment: Two comments asked who, within the Department, determines the CMMC level required for a contract. One comment suggested that DoD should require senior-level approval to include CMMC Level 3 Certification requirements in solicitations to limit unnecessary application. One comment inquired about when and how CMMC levels change during the program office’s Agile Acquisition Framework lifecycle.

Response: Based on DoD decision criteria that include the type and sensitivity of program information to be shared, Program Managers will identify and coordinate as appropriate the CMMC requirement in the solicitation. Internal policies for implementation of CMMC requirements by DoD’s acquisition community have been developed, and work will continue as needed to integrate CMMC policies into relevant acquisition policies, guidebooks, and training materials. The DoD intends that requiring activities will determine when compliance should be assessed through CMMC Level 3 as part of the ordinary acquisition planning and requirements generation process.
The CMMC assessment level required does not change based on acquisition lifecycle phase, but based on whether FCI and CUI are processed, stored, or transmitted on contractor-owned information systems. All contractor-owned information systems that process, store, or transmit CUI are subject to the requirements of NIST SP 800–171 when DFARS clause 252.204–7012 is included in the contract.

c. CMMC Level 3 Determination

Comment: Multiple comments requested further clarification about which types or categories of CUI require enhanced protection against Advanced Persistent Threats (APTs) at CMMC Level 3 and whether the CMMC level would be based on the Program or the data. Two comments expressed concern or asked how DoD Components will avoid assigning CMMC Level 3 requirements to too many contracts. One comment recommended that DoD modify its criteria for CMMC Level 3 to consider factors such as Acquisition Program Category.

Response: CMMC levels do not correspond to CUI levels as the CMMC Program requirements make changes to neither the CUI Program, categories of CUI, nor existing DoD policies for information security requirements. The CMMC flow-down requirement is defined in § 170.23. The Requiring Activity knows the type and sensitivity of information that will be shared with or developed by the awarded contractor and selects the CMMC Level required to protect the information according to DoD guidance. The DoD declines to modify CMMC Level 3 selection criteria as described in the commenters’ recommended alternatives, which have no bearing on DoD’s need for increased confidence in a contractor’s ability to safeguard certain CUI against Advanced Persistent Threats. The value of information, and impact of its loss, does not diminish based on the total number or dollar value of contracts held by the awardee, or acquisition program category.
The DoD reserves the right to decide when compliance should be assessed by the Government through CMMC Level 3 certification. The DoD defines the work requirements to be solicited for any given program contract.

d. Environments Processing Both FCI and CUI

Comment: Two commenters recommended the elimination of separate assessments when the FCI and CUI environments are the same. One of these comments requested clarification regarding the scenario of an OSC having one assessment scope environment for both FCI and CUI that meets Level 2 requirements.

Response: CMMC Level 2 is required when CUI will be processed, stored, or transmitted on contractor information systems. Successful completion of a CMMC Level 2 self-assessment or CMMC Level 2 certification assessment will suffice to meet the CMMC Level 1 requirement for FCI if/when the scope is identical. The CMMC Level 2 Scoping Guide reflects this language.

e. Recommendations and Scenarios

Comment: One comment recommended removing CMMC Level 2 self-assessment, changing the CUI Program, or creating a new type of CUI to distinguish between CMMC Level 2 self-assessment and CMMC Level 2 Certification. Another comment noted that the requirements for CMMC Level 2 certification assessment are almost identical to requirements for CMMC Level 2 self-assessment. One comment expressed concern that DoD’s designation of CMMC Level 2 self-assessment and certification assessment runs contrary to FCI (FAR requirements) and the CUI Program. One comment asked if the designation of information as FCI or CUI changes the scope of CMMC. One comment asked for clarification on which contracts will have sensitive unclassified DoD information but will not require CMMC assessment. One comment recommended removing the option for CMMC Level 2 self-assessments to reduce complexity.
One comment posed multiple questions about what DoD will do if contracting officers assign CMMC Level 2 or CMMC Level 3 Certification requirements at a rate substantially higher than projected.

Response: The DoD CIO looked at CUI from a risk-based perspective and determined that different approaches to assessments could be implemented to address risk and help lower the burden for the DIB. The security requirements for a CMMC Level 2 self-assessment and a CMMC Level 2 certification assessment are the same; the only difference in these assessments is whether it is performed by the OSA or by an independent C3PAO. The decision to rely upon self-assessment in lieu of certification assessment is a Government risk-based decision based upon the nature of the effort to be performed and CUI to be shared. The size of the company with access to the CUI is not a basis for this determination. The value of information (and impact of its loss) does not diminish when the information moves to contractors of smaller size. The DoD declines to modify the rule to include its internal decision process. To select a CMMC Level for a procurement, Program Managers and requiring activities will identify the applicable CMMC Level using the factors included in § 170.5(b)(1) through (5). The DoD did agree with one comment to rephrase § 170.5(b)(4) to delete a reference to the ‘‘potential for’’ impact from exploitation of information security deficiencies, which likely cannot be effectively determined. The DoD does not agree that the wording equates to a sub-CONFIDENTIAL classification and declines to delete that criterion. § 170.5(b)(3) is appropriately worded in that it states Program Managers will consider the listed criteria in selecting a CMMC requirement level. It does not have the effect of ‘‘transforming FCI into CUI’’.
The DoD reserves the right to define the criteria for selection of the CMMC assessment requirement, just as it defines all other requirements for inclusion in a solicitation. The Department remains committed to implementing the CMMC program to require compliance assessment against applicable security requirements in all DoD contracts involving FCI or CUI. Some such contracts will require only a CMMC self-assessment, while others will require a certification assessment. The commenter misinterprets that some contracts that do require processing of FCI or CUI will not require CMMC assessment of either kind, without approval of a waiver. The DoD declines to remove self-assessments from the rule. Self-assessments allow the acquiring organization to balance the cost and complexity of assessment with the risk to the information being shared with the OSA. Supporting guidance for CMMC implementation will be updated, as necessary. DoD has options to mitigate implementation issues such as waivers and other contractual remedies. DoD’s estimate for the number of contractors requiring CMMC Level 1 and cost estimates represent derived estimates based on internal expertise and public feedback in accordance with OMB Circular A–4.

12. Flow-Down/Applicability to Subcontractors

a. Applicability and Compliance

Comment: Several comments requested clarification about the applicability of CMMC requirements to subcontractors and how to correctly flow down requirements. Some asked whether prime contractors would have flexibility to flow down a lower CMMC level than required for the prime contract. Three comments expressed confusion about the type of Level 2 assessment required for subcontractors when supporting a prime that is required to meet CMMC Level 3 requirements. Two asked about the impact to flow-down when contractors hold multiple contracts. A couple of comments requested clarity on how to determine the correct CMMC level to flow down.
Some comments asked what factors would result in flow-down of a particular CMMC requirement level, or whether affirmations submitted by primes would require knowledge of subcontractor compliance status. Other comments asked what tools would be available to assist contractors in checking subcontractor compliance with CMMC requirements or suggested that SPRS should be made available for this purpose. One suggested that without this transparency, CMMC compliance would become a meaningless effort to ‘‘check the box’’ without actual steps to secure their systems. Another simply asked if they would have their own SPRS and eMASS access, or access through their prime. Some asked what action meets the rule’s requirement to ‘‘require subcontractor compliance’’, i.e., does simply including the CMMC clause in subcontracts meet that requirement. One comment objected to the definition of subcontractor used in the rule, which they stated was overly broad and would result in application of CMMC requirements to too many businesses. Some comments suggested the flow-down requirement apply only to one sub-tier, while another requested advance notice of solicitations that plan to include CMMC requirements. One comment suggested that CUI be treated more like classified information, meaning to limit sharing of CUI with subcontractors. Some comments asked whether prime contractors are responsible for verifying subcontractor compliance with DFARS clause 252.204–7012, as C3PAOs do during an assessment. Two comments recommended rephrasing the flow-down section, with one specifically asking to clarify it is required only when FCI or CUI will be processed, stored, or transmitted in the performance of any particular prime contract. Another suggested edits for clarity or for consistency with DFARS clause 252.204–7012.

Response: It is up to each OSA to protect FCI and CUI and to determine the assessment boundary, policies, and procedures necessary to do that.
Section 170.23 specifically addresses the CMMC requirements that apply to subcontractors that will process, store, or transmit FCI or CUI. Section 170.23 addresses flow down of CMMC requirements from the prime contractor to the subcontractors in the supply chain. Prime contractors are responsible for complying with contract terms and conditions, including the requirement to flow down applicable CMMC requirements to subcontractors. The DoD modified § 170.23(a)(3) to clarify that when a subcontractor will process, store, or transmit CUI in performance of the subcontract and the Prime contractor has, for the associated prime contract, a requirement of Level 2 certification assessment, then CMMC Level 2 certification assessment is the minimum requirement for the subcontractor. Requirements for External Service Providers are defined in § 170.4; not all companies that provide services to an OSA are considered ESPs. As in other contexts, the Government may specify additional guidance in the solicitation. CMMC assessments will be identified as pre-award requirements. Subcontractors at each tier are responsible for submitting their own assessment and affirmation information in SPRS. CMMC self-assessments and certifications will be reflected in SPRS, including an indicator of the currency of the credentials. Contracting Officers and Program Managers need not review any assessment artifacts, only the resulting scores and certificate validity period. Work arrangements between the prime and subcontractor are beyond the scope of this rule; however, if CUI is flowed down and will be processed, stored, or transmitted on subcontractor information systems in the performance of a DoD contract then CMMC requirements also flow down as described in § 170.23.
The DoD will not track progress toward certification but will implement CMMC as a pre-award requirement. An OSA’s pursuit of a C3PAO assessment is a business decision to be made by each contractor considering the contract opportunities it wishes to pursue. The DoD disagrees with one commenter’s assertion that the CMMC requirement will flow down ‘‘regardless of what work they do’’, because it does not acknowledge the point that flow-down requirements are for subcontractors who process, store, or transmit CUI. The text of § 170.23 clearly conditions the flow-down to those cases when a subcontractor will process, store, or transmit FCI or CUI. The prime contractor’s responsibility is to flow down CMMC assessment requirements as described in § 170.23 and to ensure that FCI and CUI are not further disseminated to subcontractors that do not meet the CMMC requirement indicated in § 170.23. Likewise, subcontractors must also flow down CMMC requirements and ensure that FCI and CUI are not further disseminated to subcontractors that do not meet the CMMC requirement indicated in § 170.23. Section 170.23 has been revised to make this clearer. DoD declines to accept the recommendation to treat CUI like classified data. Classified information is managed differently from CUI, and different safeguarding regulations apply to these different categories of information (each of which are defined in 32 CFR part 2002). This rule makes no change to CUI policies for marking of data, and CMMC levels are not CUI categories in the DoD CUI registry. Primes and their subcontractors must understand flow-down requirements based on § 170.23, which clearly identifies requirements that apply when subcontractors will process, store, or transmit CUI in performance of the subcontract and the Prime contractor has a requirement of Level 3 certification assessment (i.e., CMMC Level 2 certification assessment is the minimum requirement for the subcontractor).
In addition, the rule has been revised to make clear that the requirement applies in the performance of a subcontract when the relevant prime contract has a CMMC requirement. The rationale for the minimum Level 2 certification flow-down requirement is that the DoD made a risk-based decision not to mandate flow down of the Level 3 requirement unless explicit guidance is provided to do so. As stated in § 170.23(a)(3), when a Prime contractor has a requirement of Level 2 certification, any CUI that is flowed down for a subcontractor to process, store, or transmit in performance of the subcontract will also carry a minimum requirement of Level 2 certification assessment. CMMC Program requirements will be identified as solicitation and contract requirements, and contractors will be required to meet the stated CMMC requirements, when applicable, at or above the level identified. One commenter misinterpreted a response to a prior public comment. The quoted content says that contractors and subcontractors each must verify (through CMMC assessment) that all applicable security requirements of NIST SP 800–171 required via DFARS clause 252.204–7012 have been implemented. Contractors are not required to assess subcontractor implementation of the requirements of NIST SP 800–171. The prime contractor’s responsibility is to flow down CMMC assessment requirements as described in § 170.23 and also to refrain from disseminating FCI or CUI to subcontractors that have not indicated meeting the CMMC level described in that section for the type of information to be shared. Likewise, subcontractors must also flow down CMMC requirements or refrain from disseminating FCI or CUI. The DoD does not provide SPRS access or other tools for contractors to identify the CMMC status of other companies. The DoD expects that defense contractors will share information about CMMC status with other DIB members to facilitate effective teaming arrangements when bidding for DoD contracts.
Prime contractors will not be granted access to subcontractors’ information in SPRS. However, prime contractors should communicate early and often with prospective subcontractors to confirm current CMMC status, including whether the level matches that required. This interaction does not involve the government and is beyond the scope of this rule. This rule follows the format and includes all sections required in OMB guidelines for formal rulemaking. The DoD lacks authority to modify the template or omit required sections, which results in some repetition. DIB contractors are responsible for submitting their Level 1 and Level 2 self-assessments and will access SPRS to enter the results. DIB contractors do not have access to CMMC eMASS, as that system is used to support certification assessments only. CMMC Program requirements are designed to require completion of an assessment and an annual affirmation. The purpose of the annual affirmation addressed in § 170.22 is to validate to the DoD that the contractor is actively maintaining its CMMC level status, which is more than a checkbox exercise. One commenter misinterpreted the quoted definition of subcontractor, which makes clear that term includes only those entities providing supplies, materials, equipment, or services under a subcontract in connection with the prime contract. DFARS clause 252.204–7012 and FAR clause 52.204–21 also flow down the requirement to safeguard information. CMMC program requirements will be flowed down similarly, therefore there is no anticipated expansion of scope. The cost estimates included in the published rule include costs for both existing DIB members and new entrants (or newly covered entities).
The DoD modified the Overview summary of CMMC 2.0 to read ‘‘The DFARS clause 252.204–7012 also requires defense contractors to include this clause in all subcontracts that will require the subcontractor to process, store, or transmit CUI.’’ The DoD declined additional edits in this location that requested reframing the criteria Program Managers will use to select CMMC requirements to address Levels 2 and 3 only. The DoD may apply CMMC Level 2 or 3 requirements when there is anticipation of the need for the contractor or subcontractors to process, store, or transmit CUI during the performance of a contract.

b. Prime and Subcontractor Relationships

Comment: Many requested specific examples of when a prime contractor should flow down its CMMC requirements to a subcontractor or ESP, and how to determine the appropriate CMMC level to flow down. For example, one comment asked whether the subcontract document would require safeguarding, necessitating flow-down of the CMMC requirement. Some comments expressed concern that flow-down requirements are not sufficiently clear to prevent prime contractors from unnecessarily sharing CUI and applying CMMC requirements to lower tier suppliers. Another thought that the flow-down requirements will drastically expand the scope of the program and drive cost increases for the DIB. Several comments suggested strategies for minimizing the burden of security implementation on lower tier subcontractors, such as requiring prime contractors to provide access to CUI on prime contractor systems, or prohibiting prime contractors from unnecessarily sharing CUI that would necessitate a CMMC requirement. One asked whether the prime contractor has a responsibility to check which CMMC level the subcontractor has flowed down to the next tier.
One comment referenced industry activities aimed at gauging subcontractor preparedness for CMMC and expressed concern with anecdotal evidence that primes will not issue orders until the subcontractor has submitted CMMC scores into SPRS.

Response: One commenter correctly interpreted § 170.23(a)(3) as meaning that CMMC Level 2 Certification requirements (not self-assessments) flow down for subcontractors that will handle CUI when the Prime contract specifies a CMMC Level 2 Certification requirement. At the time of award, the DoD may have no visibility into whether the awardee will choose to further disseminate DoD’s CUI, but DFARS clause 252.204–7012 and DFARS clause 252.204–7021 require that the prime contractor flow down the information security requirement to any subcontractor with which the CUI will be shared. Decisions regarding the DoD information that must be shared to support completion of subcontractor tasks will take place between the prime contractor and the subcontractors chosen to complete the specific tasks. The DoD encourages prime contractors to work with their subcontractors to flow down CUI with the required security and the least burden. The DoD declines to revise the rule to address responsibilities for derivative marking of CUI because this rule makes no change to DFARS clause 252.204–7012 or DoD’s CUI policies regarding marking of CUI, including creation of information. The specific contractual language is part of the 48 CFR part 204 CMMC Acquisition rule and beyond the scope of this 32 CFR part 170 CMMC Program rule. This rule describes DoD’s intent for CMMC Program requirements, which include that all prime contractors and subcontractors at all tiers that process, store, or transmit CUI in the performance of a DoD contract (or subcontract) are required to demonstrate compliance with the contract requirements (i.e., FAR clause 52.204–21 or DFARS clause 252.204–7012) for adequately safeguarding FCI or CUI.
CMMC flow-down requirements are designed to apply consistent assessment requirements to all subcontractors, regardless of company size, who are required to adequately safeguard CUI. The DoD cannot dictate DIB business practices and encourages prime contractors to carefully consider the necessity of sharing CUI and work with subcontractors to flow down CUI only when deemed appropriate. Likewise, the criteria by which contractors select CSPs for support or the availability of GFE for any particular contract are beyond the scope of this rule. The DoD declines to limit CMMC program requirements to the first-tier subcontractor, as suggested by the commenter. When a contractor or subcontractor responds to multiple solicitations, that contractor should complete the highest assessment level among them for the assessment scope defined for use in performance of the contracts. The contractor may also elect to structure its environment to meet differing CMMC requirements based on the contract(s) in question. Contractual remedies for noncompliance are a 48 CFR part 204 CMMC Acquisition rule matter and beyond the scope of this rule.

c. Requirements

Comment: Some comments objected to CMMC Level 2 certification assessment being identified as the minimum flow-down from prime contractors with a CMMC Level 3 requirement. They asked how the more sensitive data associated with a Level 3 requirement would be tracked. Three asked whether CMMC Level 2 certification assessment must be flowed down as the CMMC requirement when the prime contract requires a higher level, and the subcontract is for limited scope. One comment complained that the rule does not actively encourage primes to flow down Level 2 self-assessment requirements instead of certification requirements. One comment suggested the Department is impermissibly attempting to make sensitivity determinations of other agencies’ CUI and FCI through the implementation of this rule.
Another comment requested affirmation that contractors remain responsible for determining whether information that they create (derived from CUI) retains its CUI identity when sharing that information with lower tier suppliers, and for determining any associated CMMC flow-down requirement.

Response: DoD will issue guidance to Program Managers to reiterate the most appropriate information safeguarding requirements for DoD information and the associated CMMC assessment requirement for any given solicitation. CMMC program requirements will be identified in the solicitation, and contractors will be required to meet the stated CMMC requirements, when applicable, at or above the level identified by the time of contract award. CMMC requirements flow down from primes to subcontractors, as described in § 170.23. The DoD declined to provide forecasts of upcoming DoD solicitations with CMMC assessment requirements. Given that FAR clause 52.204–21 was effective in 2016 and DFARS clause 252.204–7012 was effective in 2017, OSAs have had over seven years to implement NIST SP 800–171 R2 requirements and close out POA&Ms. DoD contracts that require OSAs to process, store, or transmit CUI and include DFARS clause 252.204–7020 also require a minimum of a self-assessment against NIST SP 800–171 requirements. That self-assessment includes the same requirements as the CMMC Level 1 and CMMC Level 2 self-assessments. DoD must enforce CMMC requirements uniformly for all defense contractors and subcontractors, regardless of size, who process, store, or transmit FCI and CUI. The value of DoD information (and impact of its loss) does not diminish when the information moves to contractors and subcontractors. The DoD cannot dictate business practices but encourages prime contractors to work with their subcontractors to limit the flow down of FCI and CUI. The DoD declines to base CUI safeguarding requirements on contract ceiling value.
This DoD 32 CFR part 170 CMMC Program rule does not impact or supersede 32 CFR part 2002 (the CUI Program) or make exceptions for the categories of CUI or the Designating Agency for the CUI. CMMC requirements apply to DoD contracts that will involve processing, storing, or transmitting of FCI or CUI on any non-Federal information system.

13. The CMMC Ecosystem Roles, Responsibilities and Requirements

a. Government

Comment: Some comments asked how the Department plans to address complaints and concerns from ecosystem stakeholders and the process by which disputes between OSCs and C3PAOs or the CMMC AB are resolved. Two comments wanted the CMMC PMO to document a process for ecosystem stakeholders to register complaints or use of Service Level Agreements to hold the Department accountable to respond. Some asked whether the DoD could be subject to litigation challenging DoD’s reliance on the CMMC AB’s appeals process to resolve disputes between OSCs and C3PAOs. The commenters asserted resolving such disputes may be an inherently governmental function. One commenter noted that transactions between OSCs and C3PAOs for initiating an assessment are beyond the DoD’s authority to regulate, since the DoD is not a party to the transaction. They perceived DoD’s indirect oversight of C3PAOs through the CMMC AB as creating conflicts of interest and potential legal liabilities. One commenter requested the DoD modify the rule to state the CMMC PMO is responsible for the assessment and monitoring of the CMMC AB, as well as the CMMC AB’s performance of its roles. One commenter noted the ISO/IEC 17011:2017(E) requirements that the CMMC AB must meet and asked why the rule identifies a timeline for compliance instead of requiring immediate accreditation.
One commenter referenced a CMMC-related Request for Information issued prior to CMMC program development to gauge industry’s capability to provide the necessary ecosystem accreditation and management functions. They asserted no response was provided to their RFI response. One comment suggested the CMMC PMO should develop a process to act as the authoritative source for assessment interpretations to ensure consistency. One person asked which DoD office authored the rule. Another noted the realignment of the CMMC PMO from OUSD(A&S) to DoD CIO and asked whether this indicated a lack of OUSD(A&S) involvement in the program. One commenter noted that DoD Program Managers and requiring activities have a role in the CMMC Program and suggested that their responsibilities for marking and managing CUI be added to the rule. One commenter wanted to require DIBCAC assessors to complete CCP and CCA training and certification exams through a CAICO approved licensed training provider.

Response: DoD agreed with the commenter that the government does not have authority over transactions between the OSC and C3PAO. The roles and responsibilities of the government are set forth in § 170.6. The interaction between the CMMC Accreditation Body and C3PAOs is governed by the requirements of this rule in §§ 170.8 and 170.9, including Conflict of Interest, Code of Professional Conduct, and Ethics policies, as well as ISO/IEC standards. All DCMA DIBCAC assessors comply with DoD regulations regarding the cybersecurity workforce, to include DoD Directives 8140 and 8570 and other internal training standards. DCMA DIBCAC assessors’ credentials for CMMC Levels 2 and 3 exceed the training that CCPs and CCAs complete through Approved Training Providers and include industry certification and a security clearance. Additionally, DCMA DIBCAC assessors must take the CMMC certification examinations.
DoD’s contract with the CMMC AB assigns responsibility for Level 2 assessment interpretation to the CMMC Accreditation Body. The CMMC Accreditation Body publishes assessment procedures and guidance for C3PAOs conducting CMMC Level 2 Certification Assessments. The CMMC AB is required to provide the CMMC PMO with all plans or changes related to its own activities and activities within the CMMC Ecosystem for review prior to implementation and publication. The DCMA DIBCAC is responsible for CMMC Level 3 assessment interpretation and will use the same process that is used for DIBCAC High Assessments. Management oversight of the CMMC Program was realigned from the OUSD(A&S) to the Office of the DoD CIO for better integration with the Department’s other DIB cybersecurity-related initiatives. Comments pertaining to DoD’s organizational structure are not relevant to the content of this rule. The DoD CIO is responsible for all matters relating to the DoD information enterprise, including network policy and standards and cybersecurity. In this capacity, the DoD CIO prescribes IT standards, including network and cybersecurity standards. The DoD CIO oversees programs to enhance and supplement DIB company capabilities to safeguard DoD information that resides on or transits DIB unclassified information systems. The DoD reviewed and assessed whitepapers that were submitted by RFI respondents and determined that no single respondent could meet all the broad facets required to serve as the CMMC Accreditation Body. §§ 170.8, 170.9, and 170.10 document the roles of the CMMC AB and the CAICO in managing a complaints/appeals process for CCAs, CCPs, and C3PAOs. OSCs concerned about the results of a Level 2 or Level 3 Certification assessment have a route of appeal documented in § 170.9. DoD, as the contracting entity, is not subject to service level agreements.
Vendors and prospective vendors can voice concerns with the relevant contracting officer. External organizations may utilize existing DoD procedures to file complaints or concerns against any DoD organization. This rule establishes requirements for the conduct of assessments, as well as the requirements for handling of disputes, to include an appeals process. In the roles established by this rule, C3PAOs and the CMMC AB execute program requirements as codified in the 32 CFR part 170 CMMC Program rule, with appropriate DoD oversight. For ISO/IEC 17020:2012(E) and ISO/IEC 17011:2017(E) compliance, an appeals process is required. Appeals are addressed in §§ 170.8(b)(16) and 170.9(b)(9), (14), (20), and (21). The DoD declines to update the rule content of § 170.6 to include a new subsection on DoD PMs and requesting activities and their responsibilities regarding marking CUI, as that subject matter is already addressed for the DoD. DoD Instruction 5200.48 on CUI establishes policy, assigns responsibilities, and prescribes procedures for CUI throughout the DoD in accordance with 32 CFR part 2002 (the CFR for CUI), to include 32 CFR 2002.20, Marking CUI; 48 CFR 252.204–7008; and DFARS clause 252.204–7012. The CMMC Program requirements make no change to existing policies for information security implemented by the DoD. The DoD declined to modify the rule to further define the existing CMMC PMO oversight responsibilities, identified in § 170.6, which include the CMMC AB and all other aspects of the program.

b. CMMC-AB

Comment: There were multiple comments regarding the CMMC Accreditation Body (AB). Ten comments were not relevant to the rule text. Multiple commenters asked about mechanisms to monitor the CMMC AB and how the DoD provides oversight. Seven comments provided valuable editorial recommendations that enhanced the existing rule text. Seven comments also raised concerns and asked for clarification about certification of the CMMC AB, its standing with international accreditation bodies, and the effects of that standing on the C3PAOs. Two comments sought clarity on the CMMC AB’s responsibilities and what resources they will provide to the CMMC ecosystem. One comment suggested incorporation by reference of specific CMMC AB generated artifacts. One comment requested clarity on terms and definitions regarding the CMMC AB.

Response: Some comments received lacked relevance to the rule’s content, including the establishment of outside entities. The DoD declines to respond to speculative or editorial comments about private citizens or entities, which are outside the scope of this rule. The DoD declines to respond to requests for documents related to the CMMC AB and the CAICO that lack relevance to the CMMC rule. The term CMMC Accreditation Body is a generic term for whichever accreditation body is supporting the DoD at a given time. The rule has been updated to remove reference to any specific accreditation body. There is only one Accreditation Body for the DoD CMMC Program at any given time, and its primary mission is to authorize and accredit the C3PAOs. The Accreditation Body does not issue certifications. The current CMMC AB is under a no-cost contract that has followed normal DoD contracting procedures. The DoD declines to delete the section outlining requirements for the CMMC AB, which are enduring and apply irrespective of which entity the DoD has currently approved to serve in that capacity. This rule identifies the requirements for the Accreditation Body’s role in the CMMC Ecosystem. The DoD has a variety of options available to address the commenter’s concern should the current CMMC AB not be able to fulfill this role.
These include, but are not limited to, contracting with a new/replacement Accreditation Body. Authorized and accredited C3PAOs would be able to continue conducting CMMC assessments. § 170.8(b)(6) requires the CMMC AB to complete a CMMC Level 2 assessment conducted by DCMA DIBCAC that must meet all CMMC Final Level 2 certification assessment requirements and will not result in a CMMC Level 2 certification. This requirement for an assessment is based on the potential compilation of sensitive information on the CMMC AB’s information systems. After the CMMC AB’s successful completion of this Level 2 assessment, the DoD reserves the right to send CUI to the CMMC AB, as appropriate. Requirements for the CMMC AB, detailed in § 170.8(b) of this rule, include DoD requirements to comply with Conflict of Interest, Code of Professional Conduct and Ethics policies as set forth in the DoD contract with the AB. § 170.8(b)(3) details the ISO/IEC requirements the CMMC AB must meet and the timeline for meeting them. § 170.8(b)(3)(i) and (ii) further detail the requirements for the CMMC AB to authorize and accredit C3PAOs. The CMMC AB is under contract with the DoD and must fully comply with the contract requirements. The CMMC rule was updated to clarify that the CMMC AB must be a U.S.-based signatory to the International Laboratory Accreditation Cooperation Mutual Recognition Arrangement within 24 months of DoD approval and must operate in accordance with ISO/IEC 17011:2017(E). The rule was also updated to clarify that a disqualifying eligibility determination may result in the CMMC AB losing its authorization or accreditation under the CMMC Program. All CMMC ecosystem members are required to abide by the appropriate ethics and conflicts of interest policies established by the CMMC AB and CAICO. Rule content pertaining to ethics, quality assurance functions, record keeping, data encryption, security, and similar functions across the ecosystem is tailored to reflect the role each entity fills in the ecosystem.
The CMMC AB is not an agency of the Federal government; it is a private sector organization operating under contract with the DoD. As described in § 170.6(a), the Office of the Department of Defense Chief Information Officer (DoD CIO) provides oversight of the CMMC Program and is responsible for establishing CMMC assessment, accreditation, and training requirements as well as developing and updating CMMC Program implementing guidance. The Accreditation Body must be under contract with the DoD. The rule has been modified to include additional CMMC AB oversight responsibilities for the CMMC PMO. The Department declines to incorporate CMMC AB generated artifacts into the rule by reference. The responsibilities of the DoD CIO and CMMC PMO are outlined in § 170.6 and the responsibilities of the Accreditation Body are outlined in § 170.8. The DoD acknowledges that the CMMC AB may not offer both accreditation services and certification services. DoD declines to make edits to these sections as they are in alignment with the roles and responsibilities of the CMMC AB. The DoD has revised § 170.8(b)(17)(i)(C) in the rule to clarify that the ‘‘CMMC activities’’ which former Accreditation Body members are prohibited from include any or all responsibilities described in Subpart C of this rule. The rule was updated to indicate that C3PAOs must also meet administrative requirements as determined by the CMMC AB. It was also updated to clarify that the term ‘‘independent assessor staff’’ in § 170.8(b)(4) refers to independent CMMC Certified Assessor staff, and to clarify the meaning of the term ‘‘members’’ at § 170.8(b)(17)(i)(B).
DoD declines to modify § 170.8(b)(15) to include the phrase ‘‘technical accuracy and alignment with all applicable legal, regulatory, and policy requirements’’, as this does not result in a substantive change to the requirements as currently specified.

c. C3PAOs

Comment: Clarification was requested regarding C3PAOs’ timelines for accreditation and their dependencies on the CMMC AB accreditation process. Some commenters requested additional time. Clarification was also requested on the current disposition of authorized C3PAOs. A few comments asked for simplification and clarification of the difference between the terms ‘‘authorized’’ and ‘‘accredited’’ with the establishment of C3PAOs. One comment requested that the rule be edited to require full compliance before C3PAOs can conduct certifications, and that duplicative language relating to ethics, record keeping, etc., be moved to a central location in the rule. One commenter questioned whether § 170.9(b)(16), which states ‘‘Ensure that all CMMC assessment activities are performed on the information system within the CMMC Assessment Scope’’, applies to all C3PAO personnel or just those involved in the Quality Assurance process. Other comments objected to the requirement that C3PAOs obtain a CMMC Level 2 certification assessment because the assessment does not result in a Level 2 certification. They asked whether this would require two separate assessments every three years for C3PAOs that also conduct contractor work for DoD. Two comments requested clarification on determining the scope for a CMMC Level 2 assessment of a C3PAO to be used by DIBCAC, and if or when they would be required to obtain a FedRAMP Moderate certification. Also, clarification was requested on whether a C3PAO is permitted to possess OSC CUI and other artifacts during the assessment so long as they are destroyed upon completion of the assessment. One comment suggested that all information collected by the C3PAO be encrypted. Three comments asked for clarification on what constitutes a C3PAO assessment team and whether it can consist of solely a Lead CCA. One commenter asked whether entities accredited under ISO 17020:2012(E) by another accreditation body, rather than the CMMC AB, meet CMMC C3PAO requirements. A couple of comments asked for clarification on whether a C3PAO could be foreign owned and participate in the current CMMC AB Marketplace.

Response: One commenter misinterpreted several sections of the CMMC rule. By defining the requirements in this rule to become a C3PAO, and defining a scoring methodology, the DoD is providing the authority and guidance necessary for C3PAOs to conduct assessments. DoD considered many alternatives before deciding upon the current CMMC structure. The DoD has established requirements for a CMMC Accreditation Body, and this accreditation body will administer the CMMC Ecosystem. The appeals process is defined in §§ 170.8(b)(16) and 170.9(b)(9), (14), (20), and (21). The DoD will not assume the workload of directly managing the CMMC ecosystem or the other alternatives suggested. DoD must treat all potential defense contractors and subcontractors fairly. DoD cannot inadvertently create a pathway to a free assessment for an organization by virtue of its dual purpose as a C3PAO and separately as a defense contractor. Therefore, DoD assesses C3PAOs free of charge, but the assessment does not result in a Certificate of CMMC Status. The C3PAOs determine the people, processes, and technologies that are in-scope for their DIBCAC assessment to become a C3PAO. The need to protect the assessment information is independent of its status as FCI or CUI.
Assessment information, such as which requirements are MET or not, as well as the evidence and analysis leading to that result, would provide valuable insights to an adversary if not protected. A C3PAO is not a CSP and therefore would not require a FedRAMP Moderate assessment to be a C3PAO. However, if they use a CSP to process, store, or transmit assessment information, then the CSP would require a FedRAMP Moderate, or equivalent, assessment. The CSP assessment results and CRM would be in scope for the C3PAO assessment. The requirements in § 170.9 apply to both authorized and accredited C3PAOs. The only difference between authorization and accreditation is the status of the CMMC Accreditation Body. Prior to the CMMC AB achieving its full ISO/IEC 17011:2017(E) compliance, the interim term ‘‘authorized’’ is used for C3PAOs. As stated in §§ 170.8(b)(3)(i) and 170.9(b)(1) and (2), currently authorized C3PAOs must achieve and maintain compliance with ISO/IEC 17020:2012(E) within 27 months of authorization. As stated in § 170.9(b)(6), C3PAOs must obtain a Level 2 certification assessment, but this does not result in a CMMC Level 2 certificate. The DoD declines to modify the rule text related to C3PAO requirements as it does not make a substantive change. Requirements are specified in the rule for each entity within the CMMC ecosystem. A C3PAO may start preparing for compliance with ISO/IEC 17020:2012(E) before the Accreditation Body achieves compliance with ISO/IEC 17011:2017(E). The 27-month timeline for a C3PAO to achieve and maintain compliance with ISO/IEC 17020:2012(E) begins on the date that the C3PAO is authorized by the Accreditation Body, as addressed in § 170.9(b)(2). C3PAOs authorized by the CMMC AB prior to becoming compliant with ISO/IEC 17020:2012(E) must be accredited by the CMMC AB within 27 months of the C3PAO’s initial authorization to meet CMMC program requirements.
The accreditation process is not tied to, nor is it impacted by, the DoD’s appropriations period. The rule has been updated to add ‘‘authorized’’ to the definition of a C3PAO. Authorized is defined in § 170.4. DoD disagrees with the suggestion that certain C3PAO requirements are not needed or redundant. C3PAOs must follow specific requirements for CMMC assessment record retention and disposition, audits, personal information, and CMMC Assessment Scope. Each paragraph number is independent; dependent sub-paragraphs are numbered with lower case Roman numerals. The requirement in § 170.9(b)(16) applies to all C3PAO company personnel participating in the CMMC assessment process. The size of a C3PAO assessment team is variable based on factors including the scope of the assessment and the arrangements between the OSC and C3PAO. The rule has been updated in § 170.9(b)(12) to clarify that, at a minimum, the assessment team must have a Lead CCA, as defined in § 170.11(b)(10), and one other CCA. A C3PAO is permitted to possess OSC CUI and artifacts during an assessment. CMMC Certified Assessors must use the C3PAO’s information technology, which has received a CMMC Level 2 certification assessment as stated in § 170.11(b)(7), and any copies of the OSC’s original artifacts must be destroyed when the assessment is complete as defined in § 170.9(1). The DoD has considered the recommendation to require encryption of all information and declines to revise the rule text, since the C3PAO is required in § 170.9(b)(6) to obtain a Level 2 certification assessment conducted by DCMA DIBCAC. Several foreign or international companies submitted comments expressing interest in the rule section pertaining to C3PAO requirements (§ 170.9(b)) and correctly noted that this section does not preclude otherwise qualified foreign companies from achieving C3PAO accreditation.
Also, the DoD does permit C3PAO personnel who are not eligible to obtain a Tier 3 background investigation to meet the equivalent of a favorably adjudicated Tier 3 background investigation. DoD will determine the Tier 3 background investigation equivalence for use with the CMMC Program only.

d. CAICO

Comment: Numerous comments requested correction of perceived misstatements, oversights, or erroneous paragraph references in the CAICO responsibilities section. One commenter suggested the level of detail in § 170.10(b) is more appropriate for a statement of work and some paragraphs could be deleted from the rule. They offered preferred rewording to clarify that the CAICO must also comply with AB and ISO/IEC requirements, and further recommended deleting the requirement to provide all documentation in English. In addition, they recommended deleting separation of duties as a requirement, because it is already required under ISO/IEC certification. One commenter conflated CAICO subcontractors with DIB subcontractors and suggested deletion of the rule’s restrictions on releasing CMMC-related information. One comment asked whether the Cyber AB and CAICO have documented processes for regular review and updates to their compliance documentation. Lastly, one comment requested duplicative language relating to ethics, record keeping, etc. be moved to a central location in the rule. A few commenters suggested preferred edits to improve the role of the CAICO. One comment noted that the accreditor for certifying the CAICO should be a U.S.-based signatory to ILAC or relevant International Accreditation Forum (IAF) in addition to complying with ISO/IEC 17011:2017(E). Two comments noted concerns that having only one CAICO would create an untenable bottleneck should something happen to the single CAICO.
One commenter asserted that the CMMC Certified Instructor (CCI) certification requirement is redundant and not cost-effective since instructors will need to be certified as CCPs or CCAs to teach those courses. One comment suggested a grace period of 18–24 months from final rule publication, to allow update of training and examinations, before implementing the CCP and CCA certification requirements. Three comments recommended that Approved Publishing Partner (APP) and Approved Training Providers (ATP) sections be added to Subpart C of the rule. One commenter asked for clarification on what constitutes a CAICO subcontractor and if this includes LTPs and LPPs, and asked why an authorization process for LTPs and LPPs is not included in the rule. One commenter appreciated that CAICO responsibilities include compliance with relevant ISO/IEC standards, as those are internationally recognized standards. One commenter provided an attachment containing an image of an article published in the February 2024 issue of National Defense Magazine. The commenter did not provide specific questions or comments regarding the article; they simply submitted an article.

Response: The DoD declines to comment on the reposting of information being reported in the media. This rule identifies requirements for the CAICO role in the ecosystem. The DoD has a variety of options available to address issues with reliance on a single CAICO. These include, but are not limited to, working with the CMMC AB to identify a new/replacement CAICO. The final rule includes a requirement for the Accreditation Body, CAICO, and C3PAOs to adhere to appropriate ISO/IEC standards, which include the current version of the standard for conformity assessment (ISO/IEC 17024:2012(E), located at the ISO website: www.iso.org/standard/52993.html).
All CMMC ecosystem members are required inter alia to abide by the appropriate ethics and conflicts of interest policies established by the CMMC AB and CAICO. Rule content pertaining to ethics, quality assurance functions, record keeping, data encryption, security, and similar functions across the ecosystem is tailored to reflect the role each entity fills in the ecosystem. Repeating this content in the section of each ecosystem role serves to emphasize the importance of adherence to these requirements. DoD disagrees with the commenter’s suggestion that certain CAICO requirements are not needed or are redundant. The DoD requirement for documentation in English refers to official information provided to the Accreditation Body or the DoD. The commenter’s preferred rewording of § 170.10(b)(3) is unnecessary because there is a separate requirement for the CAICO to meet ISO/IEC standards, and this rule does not codify non-DoD requirements. The DoD declines to remove the requirement in § 170.10(b)(10) to provide status information to the CMMC AB because it is necessary for program management. The rule retains the separation of duties requirement at § 170.10(b)(11), which is more specific than the management of impartiality required under ISO/IEC 17024:2012(E). The DoD declines to delete certification requirements for CCI. Having the technical background as a CCP or CCA does not ensure all the instructor-unique qualifications necessary to be a CCI are met. The DoD also declines to remove the reference to § 170.10 from § 170.12(b)(1) since it is accurate that the CAICO certifies CCIs. § 170.10(b)(13) ensures that personal information is encrypted and protected in all CAICO information systems and databases and those of any CAICO training support service providers. DoD disagrees with the commenter’s statement that training support service providers of the CAICO be allowed to disclose information about CCAs and/or CCPs.
§ 170.10 references the CAICO requirements. Entities providing training support services to the CAICO are not a part of the assessment process in the ecosystem. It is not up to them to release data on certified persons in the ecosystem. Any metrics regarding certifications will come from the CAICO. DoD declines to add Approved Publishing Partner (APP) or Approved Training Provider (ATP) sections to the rule. The CMMC Program defines the requirements for the ecosystem. Specific requirements for publishing and training guidelines are determined by the CAICO and do not require the oversight of the DoD. The CMMC Rule does not use the term Licensed Training Provider (LTP), as the LTPs are not required to be licensed. The acronym ATP means Approved Training Provider, which encompasses the same role in the CMMC Ecosystem. The DoD does not intend to further delay implementation of CMMC to provide an 18 to 24-month grace period from the official release of the rule to build curriculum. The DoD has reviewed commenter recommendations and revised the rule as follows: The CMMC rule has been updated to state that the CAICO must be accredited by a U.S.-based signatory to ILAC or other relevant IAF mutual recognition arrangements and operate in accordance with ISO/IEC 17011:2017(E). The DoD has removed the term ‘‘practitioner’’ from § 170.10(b)(8) for clarity and changed the term subcontractor to training service support provider.

e. CCPs and CCAs

Comment: Some comments requested DoD’s response to speculations about market forces, competitiveness of the CMMC Certified Professional (CCP) and CMMC Certified Assessment (CCA) roles and career opportunities, assessor burnout, complexity of the CMMC ecosystem, and a limited assessor pool. Several comments identified administrative changes or preferred rewording or reordering of the CCP and CCA sections of the ecosystem requirements.
For example, two commenters objected to repeating the requirement to meet CoPC and COI requirements for each Ecosystem member in § 170.8. Another comment requested deletion of the requirement for all documentation and records to be provided in English. One commenter recommended revising proficiency and experience requirements for CCPs, CCAs, and Lead CCAs. Another requested clarification on what requirements govern the certification of a CCA and requested the rule allow the CAICO to establish the certification validity period. One comment recommended all additional assessor certification requirements in § 170.11(b)(6)(ii) be removed from the rule, so that only those prerequisite training requirements identified by the CAICO would apply. Another comment suggested that a requirement prohibiting assessors from use of personally owned IT that is contained in the CCA section at § 170.11 also be added to the C3PAO requirements section at § 170.9. Two commenters objected to the restrictions on CCAs sharing information with people outside the assessment team. One comment questioned the requirement for a Tier 3 background investigation for CCPs and another suggested the validity period of CCP certification should be determined by the CAICO. Yet another comment suggested changing certification periods from 3 to 4 years for those certified prior to the rule becoming effective. One comment suggested there is insufficient clarity regarding the role CCPs may play in an assessment and another asked whether a CCP was allowed to review more than just Level 1 requirements. Two other comments recommended updating CCP training to include Level 2 practices. Another comment noted that assessors cannot be robotic and that they must be allowed to evaluate the situation as it pertains to the company being evaluated.
One comment asked for clarification on Lead CCA requirements and requested a reduction in the management experience to 2 years. Two other comments recommended adding IT and cybersecurity experience as relevant skills. One comment also recommended that Lead CCAs have industry-specific knowledge of the industry in which the OSC being assessed participates. Another comment requested clarification whether years of experience are cumulative for the Lead CCA. One comment recommended changing the name of Lead CCA and adding roles and responsibilities requirements. One stated that the rule’s CCA prerequisites are too low a skill set and recommended increasing the requirements for both CCAs and Lead CCAs. Another comment noted that the rule referenced both DoD Manual 8570 and DoD Manual 8140.03 and that one or the other should be used. One commenter suggested that should sufficient assessors not be available to meet demand, the DoD should provide a delay or ‘‘grace period’’ to meet certification requirements.

Response: The CMMC rule provides detail on anticipated impacts on the DIB in the Impact and Cost Analysis summary of the preamble. Speculation on market forces on roles in the CMMC ecosystem such as CCPs and CCAs is outside of the scope of the CMMC program rulemaking. Likewise, limitations on career opportunities and associated issues such as burn-out or job satisfaction are beyond the scope of the program. The DoD updated the rule to clarify that CCAs must meet all the requirements set forth in § 170.11(b) and modified the rule in § 170.10(b)(10) to include CMMC Certified Professionals (CCPs). § 170.13(b)(6) was changed to conform to rule text in § 170.11(b)(9) and to clarify with whom information may be shared.
The DoD determined the certification requirements specified in § 170.11(b)(6) meet the needs of ensuring certified assessors have the required depth of cybersecurity knowledge and experience that is beyond what the CMMC-specific training provides. The DoD disagreed with the comment that the CAICO should determine the length of time a CCP certification is valid. DoD has a significant interest in ensuring the quality of assessors in the CMMC ecosystem and the currency of their training. The DoD does not agree with the assertion that managerial and personnel-related skills are most relevant for success as a Lead Assessor. As written, § 170.11 of the rule requires Lead Assessors to have a balance of technical and managerial expertise. A Lead Assessor also requires assessment or audit experience. The DoD views these skills as the minimum required to adequately provide the technical guidance and managerial oversight of the assessment team. The DoD declined to revise the rule to specify IT and/or Cybersecurity for the required audit experience. The DoD also disagreed with a recommendation to require Lead CCAs to have industry-specific knowledge of the industry in which the OSC being assessed participates. The DoD found that this requirement would unreasonably restrict C3PAOs from participating in a broad range of assessments and could have a negative effect on the ability of the DIB to schedule CMMC Level 2 certification assessments. The OSC can select a C3PAO with the experience it considers valuable. The DoD declined a commenter’s request to modify the rule to allow the CAICO to determine the requirement for the frequency of CCA/CCP certification. The DoD considers the 3-year certification period a key CMMC program requirement that will be enacted and managed by the CAICO. The DoD also declined to change the rule to extend the certification timeline to 4 years for those earning a certification prior to completion of rulemaking.
Additionally, the DoD did not accept the recommendation to remove the requirement for providing documentation in the English language, which applies to all official information that would be provided to the CAICO, CMMC AB, or the DoD. The DoD disagreed with a commenter’s recommendation to remove the second sentence in § 170.11(b)(7) that prohibits individual assessors from using any IT other than that provided to them by the C3PAO that has been contracted to perform that OSA’s assessment. This sentence is required to eliminate ambiguity, particularly for C3PAOs that may have implemented a BYOD program or that allow some work roles to use personal devices. The DoD updated the rule to provide additional clarity. The DoD does not concur with the comment calling for a DoD Manual 8140.03 requirement on CCAs. Assessment teams are required to have a Lead Assessor who must meet the higher level of the DoDM 8140.03 requirements. The rule has been updated to remove reference to DoD Manual 8570. The experience requirements referenced for the Lead CCA are cumulative. The rule has been updated to move Lead CCA requirements to the end of § 170.11, but not to create a new section. The DoD disagreed with the commenter’s assertion that Assessors are robotic. Assessors will go through CMMC training and will assess each unique CMMC Assessment Scope, as defined by the OSA, against the security requirements. As specified in § 170.13(a) CCPs can participate on CMMC Level 2 certification assessments with CCA oversight where the CCA makes all final decisions. Updates to training are beyond the scope of this rule. Statements made in training materials produced prior to final adoption of the CMMC rule are beyond the scope of CMMC rulemaking. DoD disagrees with the comment that § 170.13 does not provide sufficient detail regarding the role CCPs may play in an assessment.
The requirement in the rule that ‘‘with CCA oversight where the CCA makes all final determinations’’ provides sufficient flexibility to adapt to a wide variety of assessments while ensuring the responsibility for assessment findings rests with the CCA and Lead CCA. The rule restates COI and CoPC requirements in each ecosystem section because all CMMC ecosystem members are required to abide by the appropriate ethics and conflicts of interest policies established by the CMMC AB and the CAICO. Rule content pertaining to ethics, quality assurance functions, record keeping, data encryption, security, and other functions across the ecosystem are tailored to reflect the role each entity fills in the ecosystem. DoD CIO, in coordination with OUSD/I&S, evaluated the requirements for the CMMC Ecosystem. Based on the access to sensitive unclassified information, a Tier 3 background investigation that results in determination of national security eligibility is required. § 170.13(a) states that a CCP is eligible to participate in Level 2 certification assessment with CCA oversight and is eligible to become a CCA and will receive additional training and testing per the requirements in § 170.11. The phased implementation plan described in § 170.3(e) is intended to address ramp-up issues and provide time to train the necessary number of assessors. DoD has updated the rule to add an additional six months to the Phase 1 timeline.

e. CCI

1. Training and Training Materials

Comment: One comment mistook the requirement to ‘‘provide all documentation and records in English’’ as applying to training materials. Four comments expressed concerns about the requirements for confidentiality surrounding training records.
These concerns arose primarily from a misinterpretation of the requirement to ‘‘keep confidential all information obtained during the performance of CMMC training activities’’ to mean a requirement to keep the training materials themselves confidential, rather than keeping student records confidential.

Response: The requirement to ‘‘provide all documentation and records in English’’ refers to official information that would be provided to the CMMC Assessor and Instructor Certification Organization (CAICO) or the DoD. The terms do not pertain to all materials used in the delivery of a course. The DoD disagreed with the recommendation to delete the § 170.12(b)(7) requirement for keeping CMMC training records and information confidential. ‘‘Training activities’’ do not include course material. The example in § 170.12(b)(7) (student records) makes clear the type of data covered by the rule.

2. Time Limits and Other Constraints

Comment: One comment recommended that the CAICO, instead of the DoD, determine the frequency of CMMC Certified Instructor (CCI) certification. Another requested clarification on the length of time that a CCI may not provide consulting services. One comment recommended changing the rule to require CCIs to provide updates to the CAICO and the CMMC AB no less than annually, in lieu of ‘‘most up to date’’. Two comments expressed concern that CCIs are not allowed to provide consulting services to OSCs; one of the comments asserted this would result in reduced quality of training for CMMC Certified Professionals (CCP) and CMMC Certified Assessors (CCA). One comment expressed disagreement with the requirement prohibiting CCIs from exam development and exam proctoring. Another comment recommended a rule update indicating CCIs can teach both CCA and CMMC Certified Professional (CCP) candidates.
Response: The DoD declined a commenter’s request to modify the rule to allow the CAICO to determine the requirement for the validity period of a CCI certification. The DoD considers the 3-year certification period for CCIs as a key CMMC program requirement that is to be enforced by the CAICO. The DoD modified § 170.12(b)(4) to read ‘‘annually’’ instead of ‘‘most up to date’’ to clarify the reporting requirement. All CMMC ecosystem members are required to abide by the appropriate ethics and conflicts of interest (COI) policies established by the CMMC AB and CAICO. Rule content pertaining to ethics, quality assurance functions, record keeping, data encryption, security, and other functions across the ecosystem are tailored to reflect the role each entity fills in the ecosystem. The DoD defined COI requirements to reduce the possibility that a CMMC Ecosystem member acting in one capacity may bias, or be biased by, clients that are paying them to perform another CMMC related service. CCIs are not permitted to develop or proctor exams to avoid participating in any activity, practice, or transaction that could result in an actual or perceived conflict of interest.

3. Relationship to CAICO and Other Ecosystem Members

Comment: One comment asked why the rule does not include requirements for LTPs, and another requested additional rule text to clarify the relationship between an ATP and the CAICO in administrative matters of students. One comment recommended not requiring CCIs to provide qualification and training information to the CAICO. One comment recommended a method for reducing a perceived redundancy in the rule text between ecosystem-related sections. Two comments asserted that a CCI certification is redundant because individuals attempting to become CCIs are already certified as CCPs or CCAs. One comment asked that a new requirement be added to the rule under § 170.12 to address the transition of Provisional Instructors to CCIs.
Response: The CMMC rule does not use the term Licensed Training Provider (LTP), as training providers are not required to be licensed. The correct term for CMMC training providers is Approved Training Provider (ATP). The CMMC rule contains the requirements to create the training for the CMMC Program. § 170.10 contains the requirements for the CAICO to ensure compliance with ISO/IEC 17024:2012(E) and to ensure all training products, instruction, and testing materials are of high quality. DoD disagreed with a comment to delete a requirement in the rule for CCIs to update the CAICO regarding qualification, training experience, and other information relating to their competency to teach within the CMMC ecosystem. Viewing and verifying CCI qualifications is an important element of quality assurance in the CAICO’s role of training, testing, authorizing, certifying, and recertifying CMMC assessors, instructors, and related individuals. § 170.12(b) in the rule was updated to add the requirement for a CCI to be certified at or above the level of training they are delivering. The DoD also modified § 170.12(a)(11) to add CMMC Certified Professional (CCP) candidates. The DoD declined to remove the certification requirement for CCIs. Although CMMC Certified Assessors have the technical background, that does not imply that they meet all the instructor-unique qualifications necessary to be a CCI. The DoD modified § 170.12 to include requirements for Provisional Instructors prior to their transition to a CMMC Certified Instructor. Any Provisional Instructor (PI) will be required to achieve certification under the CMMC Certified Instructor (CCI) program within 18 months of the final rule publication. The PI designation ends 18 months after the effective date of the rule.

f. Conflicts of Interest and Code of Professional Conduct

Comment: Many commenters had questions about existing CMMC conflict of interest (CoI) requirements and had suggestions for further protecting the impartiality of the CMMC Program. One commenter requested the Department develop a mechanism to prevent third-party assessment organizations from delaying re-evaluation of NOT MET requirements to create a pipeline of future assessment work. The commenter recommended removing the 10-day re-evaluation deadline requirement currently in the CMMC Rule to prevent any conflicts of interest. Another commenter stated that allowing a commercial entity to manage the CMMC ‘‘ecosystem’’ creates a ‘‘fox watching the henhouse’’ condition and that fraud and abuse will be rampant. Some commenters questioned the legality of the current CMMC AB’s establishment and alleged unethical behavior by its Board of Directors. They cited the number of resignations among its Board of Directors as evidence of internal politics, conflicts of interest, or ethics concerns. One commenter suggested the 6-month ‘‘cooling off period’’ between an employee leaving the CMMC AB and supporting other CMMC roles be extended to one year to ensure impartiality within the CMMC Program. Another commenter claimed an informational newsletter offered by the CMMC AB to ecosystem members violates the conflicts of interest requirements. In addition, commenters alleged that the CMMC AB’s progress (prior to final rule publication) toward ISO/IEC compliance violates the terms of its contract with DoD, which the DoD should terminate. Commenters also stated that DoD’s no-cost contract with the current CMMC AB has forced them to focus on generating revenue instead of building a CMMC Assessor cadre.
One commenter cited publicly available tax filings of the current CMMC AB to substantiate that view. Another commenter noted concerns that the rule permits a timeline for meeting the ISO/IEC requirements, rather than requiring immediate compliance, and suggested that it would be more advantageous to cite different ISO/IEC requirements (for conformity assessment) than those identified in the rule. One commenter wrote that significant delays in CMMC implementation this far beyond the Department’s earlier objectives of 2020 constitute fraud and claimed that DoD representatives directed companies to comply with requirements that have become irrelevant due to changes in program requirements that occurred during rulemaking. Many commenters stated the Department needs to further clarify existing CoI requirements for CCIs, CCAs, and CCPs in the CMMC Rule text. Specifically, commenters suggested the DoD:

—Revise § 170.12(b)(5) to state that CCIs may serve on an assessment team for a student’s company, provided the CCI does not provide consulting to an OSC during delivery of the CMMC Instruction or breach other conflict of interest rules, and add that the CCI must ‘‘[b]e a currently certified CCA and conduct at least one certified or mock assessment under the direction of a C3PAO annually.’’

—Revise § 170.12(b)(6) to allow CCIs to craft exam objectives and content, as CCIs are the ‘‘most in tune with issues faced by candidate CCPs and CCAs.’’

—Strike § 170.12 altogether, because potential CoIs will be rare and can be ‘‘managed by existing conflicts of interest mechanisms’’; clarify that ‘‘while serving as a CMMC instructor’’ means ‘‘limited only to while actively teaching or any time while the person holds the CCI certification’’; and that CoI concerns could be addressed by the addition of an Instructor Code of Conduct.
One commenter also suggested this section would significantly decrease the available pool of CMMC instructors, as they would be forced to choose between instructing and consulting, which may be a more lucrative option. They also claimed it prevented CCIs who teach CCP/CCA courses at night from providing consulting services during the day.

—Impose a three- or four-year prohibition on ecosystem members from participating in the CMMC assessment process for an assessment in which they previously served as a consultant or ‘‘since the OSC last obtained CMMC certification, whichever is most recent.’’

—Add language to §§ 170.11 and 170.13 to clarify if an individual consults with a defense industrial base company, they are prohibited from participating as a CMMC assessor for that same company.

—Update § 170.8(b)(ii)(17)(ii)(G) and add a time limit to this requirement to ensure a consultant can perform assessments, given an appropriate amount of time has passed.

—Revise § 170.8(b)(17)(ii)(G) to say, ‘‘Prohibit CMMC Ecosystem members from participating in the CMMC assessment process for a CMMC assessment in which they previously served as an employee or consultant to prepare the organization for any CMMC assessment,’’ as both an OSC employee and a CCPA/CCP serving as a consultant would face identical CoI.

—Provide more detail on the scope of CCA and CCP conflict of interest disclosure required, particularly around the definition of ‘‘process, store, or transmit’’ in § 170.4(b).

—More narrowly tailor the CoI requirement in § 170.8(b)(17)(i)(D) and more expressly identify the ‘‘perceived conflicts of interest’’ scenarios to help ecosystem members avoid legal risk.
—Rewrite § 170.8(b)(17)(iii)(C) to clarify what constitutes a ‘‘satisfactory record of integrity and business ethics.’’

—Provide more detail in § 170.10(b)(11) on the term ‘‘separation of duties,’’ so CCAs know whether they can volunteer to develop test questions or provide training.

Response Summary: Some comments received lacked relevance to the rule’s content, which is limited to specific CMMC Program requirements. The DoD declines to respond to speculative or editorial comments about private citizens or entities, all of which are not within the scope of this rule. Personnel actions taken by the CMMC AB and comments regarding filing of IRS forms are not within the scope of this rule. § 170.8(b) of this final rule provides requirements of the CMMC AB. CMMC Program requirements as described in this rule require the CMMC Accreditation Body and the CAICO to have and abide by ethics and conflicts of interest rules and to have and maintain a Code of Professional Conduct (CoPC). § 170.8(b)(3) describes the ISO/IEC requirements and the timeline in which the CMMC AB needs to meet those requirements. The DoD declines to comment on business decisions made by the current CMMC AB in the performance of its CMMC related roles, responsibilities, and requirements. Based on information currently known to DoD, the CMMC AB is currently performing as defined in this final rule and the terms of the contract. The ANSI National Accreditation Body is performing the function of accrediting the CAICO, which is appropriate given its status as a subsidiary of the CMMC AB. The DoD defined CMMC Conflict of Interest requirements to reduce the possibility that a member of the CMMC Ecosystem acting in one capacity may bias, or be biased by, clients that are paying them to perform another CMMC related service. The rule text includes ethics requirements for members of the CMMC ecosystem, to include the CMMC AB (§ 170.8).
The DoD concurred with some comments and has increased the cooling off period from six months to one year in § 170.8(b)(17)(i)(C). DoD considered many alternatives before deciding upon the current CMMC structure. The DoD has established requirements for a CMMC Accreditation Body, and this accreditation body will administer the CMMC Ecosystem. The phased CMMC implementation plan provides time to train the necessary number of assessors, and the rule has been updated to add an additional six months to the Phase 1 timeline. The DoD requires that the Accreditation Body must achieve and maintain compliance with the ISO/IEC 17011:2017(E) standard (the international benchmark used in demonstrating an accreditation body’s impartiality, technical competency, and resources) and the requirements set forth in § 170.8. The CMMC Proposed rule also requires compliance with ISO/IEC 17020:2012(E) for conformity assessments. § 170.12(b)(5) was revised to indicate that a CMMC instructor, subject to the Code of Professional Ethics and Conflict of Interest policies, may serve on an assessment team but cannot consult. CCIs are not permitted to develop or proctor exams to avoid participating in any activity, practice, or transaction that could result in an actual or perceived conflict of interest. The CAICO is responsible for ensuring the separation of duties for individuals volunteering to assist with testing, training, and certification activities. An example of separation of duties is shown in § 170.12(b)(6), which specifies that a CCI cannot be involved in examination activities. DoD modified § 170.8(b)(17)(ii)(G) to add that a consultant is only limited from participation in the assessment process for 36 months. CMMC Ecosystem members do not participate in an assessor capacity on DIBCAC assessments.
The DoD declined to add explicit requirements prohibiting ecosystem members from participating in an assessment of an OSC by whom they were previously employed (directly or as a consultant), because the scenario is already covered under § 170.8(b)(17)(ii)(G). DoD disagreed with the comments that a CMMC Ecosystem member is unable to avoid perceived conflicts of interest. The Accreditation Body is required to provide a CoI policy in § 170.8(b)(17) for CMMC Ecosystem members. The Department expects that a reasonable person subject to the CoI policy should understand how to avoid the appearance of conflicts of interest and, if unsure, seek clarity from the Accreditation Body. Details of the disclosure requirements are in the Accreditation Body conflict of interest policy. A satisfactory record of integrity and business ethics is a record that does not indicate derogatory behavior in relation to professional conduct or conflict of interest. The DoD declined to remove the 10-day re-evaluation deadline in §§ 170.17(c)(2) and 170.18(c)(2) to ensure consistency in the assessment process. The OSC may utilize the appeals process, as necessary. The DoD is required to codify CMMC program requirements through a prescribed and formal rulemaking process. The timeline for CMMC implementation changed due in part to DoD’s decision to pause and assess the program, seek opportunities to streamline and ease the burden of its implementation, and respond to public comments. The DoD declines to respond to speculative or editorial comments regarding the actions of private citizens, which are not within the scope of this rule.

g. Ecosystem Eligibility

1. Foreign Ownership

Comment: Two comments noted the rule does not include Foreign Ownership, Control, or Influence (FOCI) requirements for the CAICO.
One comment recommended the rule incorporate the definition of the ‘‘national technology and industrial base’’ and exclude those companies from FOCI requirements. The NTIB includes organizations from the United States, the United Kingdom of Great Britain and Northern Ireland, Australia, New Zealand, and Canada that are engaged in research, development, production, integration, services, or information technology activities.

Response: The CAICO has no FOCI requirement because they do not have knowledge of the OSC’s network or potential vulnerabilities identified in the assessment process. Per § 170.9(b)(5), the CMMC Program implements the FOCI program that is managed by DCSA. Potential FOCI exemptions are outside the scope of this 32 CFR part 170 CMMC Program rule and must be addressed through international arrangements or agreements.

2. Personnel Security

Comment: There were numerous comments regarding the Tier 3 Personnel Security requirements. Several comments recommended editorial clarification. Multiple comments requested clarification on what ‘‘not eligible’’ meant and what is the ‘‘equivalent process’’. One comment recommended the Tier 3 background investigation be required for all authorized personnel while two comments recommended eliminating the Tier 3 background investigation requirement. Two other comments requested clarification on why a Tier 3 investigation is required when no secret information is handled and there is no clearance granted. Another comment requested clarification on the Tier 3 process. Three comments requested clarity on the citizenship requirements and how the Tier 3 requirement will be enforced for international C3PAOs. Another comment recommended adding a requirement for CMMC Instructors and Assessors to report to the CAICO within 30 days of conviction, or guilty pleas to certain crimes.

Response: In coordination with the OUSD/I&S, the DoD CIO evaluated requirements for the CMMC Ecosystem.
Based on the access to sensitive unclassified information, a Tier 3 background investigation that results in determination of national security eligibility is required as specified in this rule. The concept of ‘‘not eligible’’ in § 170.9(b)(4) is intended to cover those applicants who do not meet the entrance requirements for a DCSA Tier 3 background investigation; it is not an alternative for applicants who do not pass the Tier 3 background investigation. The DCSA maintains a record of all background investigation information in the Personnel Vetting Records system of records, DUSDI 02-DoD, as published in the Federal Register. The details of the Tier 3 background investigation are included in this rule to inform the public of the CMMC requirement and that the investigation will not result in a clearance. The DoD declines to remove reference to the Standard Form 86 from the rule. All documentation and records for the background investigation process must be provided in English; rulemaking as a Federal regulation requires this level of detail to ensure clarity of understanding and interpretation. Details about background investigation equivalency are available from DCSA at www.dcsa.mil/IndustrialSecurity/International-Programs/Security-Assurances-for-PersonnelFacilities/. As stated in the 32 CFR part 170 CMMC Program rule, C3PAOs must meet the criteria defined in § 170.9. If a non-U.S. organization, and its employees, meet all the requirements in § 170.9 and § 170.11, it would not be prohibited from operating as a C3PAO within the U.S. or abroad. The DoD declined to make recommended administrative changes to § 170.9(b)(3), because they did not result in a substantive change. While a C3PAO may use its own employees to staff an assessment, it also may leverage CCAs and CCPs who are independent contractors, rather than employees of a specific C3PAO.
Because these independent CCAs and CCPs may not be covered by the C3PAO’s background check requirement, CMMC requires CCAs and CCPs to have their own Tier 3 background checks or equivalent. Section 170.10 has been updated to specify the CAICO must require CMMC Ecosystem members to report to the CAICO, within 30 days, if they are convicted, plead guilty, or plead no contest for certain specified legal matters or criminal activities.

h. ISO/IEC Standards

Comment: Several comments addressed ISO/IEC standards referenced in the proposed rule. Most of these were related to ISO/IEC 17020:2012(E). One commenter wanted to know what the proposed rule meant by ‘‘out-of-cycle from ISO/IEC 17020:2012(E).’’ Another felt the section outlining CMMC AB responsibilities should clarify that the CMMC PMO must approve all C3PAO accreditation requirements established by the Accreditation Body under ISO/IEC 17020:2012(E). One person felt the rule should give C3PAOs more time to achieve compliance with ISO/IEC 17020:2012(E) and one commenter asserted that including a revocation process in the CMMC PMO roles and responsibilities section was inconsistent with ISO/IEC 17020:2012(E) standards because the C3PAO was the certification body. One comment asserted the requirement in the rule for the CMMC AB to complete the ILAC Peer Review prior to accrediting C3PAOs is too onerous and not consistent with the ISO/IEC process for gaining international recognition as an accreditation body in accordance with ISO/IEC 17011:2017(E).

Response: The rule was updated in § 170.8(a) to clarify responsibilities of the Accreditation Body. DoD agreed with the comment that the requirement to complete the Peer Review prior to accrediting C3PAOs was too onerous and inconsistent with the ISO/IEC process under ISO/IEC 17011:2017(E). The rule has been updated for clarity. Using the terms of the ISO/IEC 17020:2012(E), the activity of the C3PAO is an ‘‘inspection’’, rather than a ‘‘certification’’. The C3PAO is an inspection body, not a certification body, and is responsible for conducting the Level 2 certification assessment [Inspection]. The rule was revised to delete terms related to granting or revoking certification assessment status. The DoD reserves the right to conduct a DCMA DIBCAC assessment of the OSA, as provided for under the DFARS clause 252.204–7012 and DFARS clause 252.204–7020. DoD declines to extend the period for C3PAOs to achieve compliance with ISO/IEC 17020:2012(E). The Department has determined that 27 months is reasonable and sufficient for a C3PAO to achieve compliance. The rule was also updated in § 170.9(b)(11) to clarify that audit information must be provided upon request.

14. Ecosystem Capacity

Comment: Commenters expressed concern that the demand for third-party assessments amongst the defense industrial base will exceed the capacity of available Certified CMMC Assessors and Certified CMMC Professionals and government assessors, which may prevent timely and affordable audits or cause businesses to lose out on DoD contracts. To mitigate the concerns, one commenter suggested delaying phase-in of certification assessment by two years, by relying on self-assessment. One commenter warned of solicitation protests if companies are kept out of a competitive procurement due to a slow CMMC assessment process. Another suggested that insufficient assessors may shrink the market for DoD contractors and compromise assessment quality.
Commenters were apprehensive that DoD projections for certification demand didn’t factor in all subcontractors and that the CMMC Accreditation Body lacks a strategy for scaling to meet increased C3PAO demand. Additionally, one commenter pointed out that the rule indicates companies can pursue a certification assessment at any time after the rule is published, which could tie up already limited C3PAO resources and impede assessment opportunities for other companies bidding on an upcoming contract. Another expressed concern that often-extensive travel times required for assessors to reach rural-based companies like electric cooperatives will disincentivize assessors from prioritizing these companies and prevent their timely assessment. Commenters suggested several actions the Department could take to mitigate capacity-related risks, including: extending the phase-in of Level 2 certification requirements; prioritizing companies for Level 2 phase-in; allowing C3PAOs to issue interim or conditional certifications when unable to timely complete contractor assessments; and waiving requirements for OSCs that are in the assessment process but not yet certified. Some asked that DoD forecast the volume and timing of Level 3 certification requirements and clearly communicate those assessment requirements with contractors. Another requested forecasts of both Level 2 and Level 3 assessment capacity against various demand scenarios for each certification level. Several commenters suggested that CMMC assessment requirements for External Service Providers (ESPs) will also impede CMMC implementation, as ESPs (1) must be CMMC certified before an OSC can include them in their CMMC certification assessment scope and (2) will be competing with DIB companies for scarce C3PAO assessors.
Commenters suggested ways to reduce burden on ESPs, which included: allowing use of non-compliant ESPs until Phase 3 and prioritizing certification assessments for ESPs ahead of other assessments. Several commenters expressed concern about CCA and CCP roles, based on perceived scarcity of candidates in the job market compared with demand for similar services. Concerns included the potential for CCA and CCP burnout from overwork, dissatisfaction with repetitive assessment tasks, limited career path in the roles, and the complexity of operating within the CMMC ecosystem. One commenter compared CCA and CCP roles with those of Certified Public Accountants and Certified Information System Auditors, who have access to more varied opportunities and industries.

Response: DoD received numerous comments about the use of ESPs which do not process, store, or transmit CUI. In response, the DoD revised the rule to reduce the assessment burden for ESPs. ESP assessment, certification, and authorization requirements in 32 CFR 170.19(c)(2) and (d)(2) have been updated. ESPs that are not CSPs and do NOT process, store, or transmit CUI do not require CMMC assessment or certification. Services provided by an ESP are in the OSA’s assessment scope. The phased implementation plan described in § 170.3(e) is intended to address ramp-up issues, provide time to train the necessary number of assessors, and allow companies time to understand and implement CMMC requirements. The DoD has updated the rule to add an additional six months to the Phase 1 timeline. Phase 2 will start one calendar year after the start of Phase 1. It is beyond the scope of this rule for DoD to determine the order in which organizations are assessed. The DoD declined to delete text stating that OSAs may elect to complete a self-assessment or pursue CMMC certification assessment to distinguish themselves as competitive, because the recommendation did not result in a substantive change.
The CMMC rule describes anticipated impacts on the DIB in the Impact and Cost Analysis section. Speculation on market forces affecting the DIB is outside of the scope of the CMMC program. Speculation on market forces affecting CMMC ecosystem CCP and CCA roles is also outside of the scope of the CMMC program. Likewise, limitations on career opportunities and associated issues such as burn-out or job satisfaction are beyond the scope of the program. The DoD declines to comment on external market factors impacting CMMC compliance. The seven-year timespan reflects the DoD’s estimate for all DIB members to achieve CMMC compliance. The implementation plan ramps up CMMC assessment requirements over 4 phases, such that the ecosystem will reach maximum capacity by year four. The DoD does not agree with commenter assertions that 70,000 or more entities will require CMMC Level 2 assessment by October 1, 2026. Table 6 of the Impact and Cost Analysis of CMMC 2.0 section provides the DoD’s estimate of CMMC assessment numbers by year and level. DoD considered many alternatives before deciding upon the current CMMC structure. By design, the CMMC program depends on the supply and demand dynamics of the free market, enabling it to naturally scale and adapt to capacity requirements. Planned changes to DCMA staffing levels have been considered with regard to implementation of CMMC Level 3 and C3PAO assessments as described in this rule. The DIBCAC will communicate extensively with contractors about the conduct of a Level 3 assessment during the pre-assessment planning phase.

15. Assessments

a. Level 1 and Mapping of 15 Level 1 to 17 Level 2 Requirements

Comment: A few questions were submitted about CMMC Level 1 requirements, on topics such as whether DoD intended affirmations for CMMC Level 1 to be required annually versus triennially, and whether specific policies and procedures documentation is required for Level 1 self-assessments. One commenter asked about limits on deficiency remediation and re-accomplishing an assessment in the event a company fails a CMMC Level 1 self-assessment. Another commenter asked for the specific wording to reflect a CMMC Level 1 assessment score in SPRS. One commenter objected to CMMC Level 1 annual affirmation, which they considered an unwarranted expansion of CUI safeguarding requirements to information systems that process only FCI. One commenter recommended revisions to explicitly indicate that OSAs may choose to engage the services of a C3PAO to inform the OSA’s Level 1 self-assessment submission. Another commenter recommended editorial revisions to avoid use of the term ‘‘CMMC security requirements’’ based on the observation that CMMC requirements are aligned directly to those identified in FAR clause 52.204–21 or NIST publications. One commenter asked for explanation of perceived differences between tables in the published rule that map CMMC Level 1 Security Requirements to NIST SP 800–171A Jun2018, as compared with prior versions of the document. One commenter asked for the rationale associated with mapping 15 requirements for CMMC Level 1 to 17 requirements in CMMC Level 2. Two commenters asked if systems that process FCI (and require CMMC Level 1) are considered within scope for CMMC Level 2 or 3 assessments, and if so, how they should be documented.

Response: When applicable, the DoD does require an annual CMMC Level 1 self-assessment against the 15 safeguarding requirements aligned with FAR clause 52.204–21. Annual affirmations are required at every CMMC level.
There are no explicit documentation requirements for a CMMC Level 1 self-assessment. The DoD modified the Level 1 Scoping Guide to provide clarity. An OSA may complete as many self-assessments as desired, and there is no required timeframe between Level 1 self-assessments and updating CMMC Status in SPRS. The entry in SPRS for CMMC Level 1 is a binary selection between Yes and No based on meeting all Level 1 security requirements. The CMMC Program verifies implementation of security requirements for FCI in accordance with FAR clause 52.204–21. The DoD has elected to use the CMMC Status postings and attestations in SPRS as the mechanism to verify compliance with applicable CMMC requirements. An OSA engaging an authorized C3PAO to perform the Level 1 self-assessment and then using the resulting CMMC Status when ‘‘self-assessing’’ is permissible. The OSA however retains all the responsibilities and liabilities of the affirmation. No revisions to the rule were necessary. Writing style recommendations were not incorporated, and no responses were provided to those comments based on comparison of pre-publication draft versions with those officially published for public comment. DoD aligned the security requirements for Level 1 exactly with those in FAR clause 52.204–21 and aligned the security requirements in Level 2 exactly with those in NIST SP 800–171 R2. The 15 security requirements in FAR clause 52.204–21, which make up CMMC Level 1, were mapped by NIST into 17 security requirements in NIST SP 800–171 R2. This was accomplished by splitting 1 requirement into 3 parts, while the other 14 align. Table 2 to § 170.15(c)(1)(ii) provides a mapping. Meeting the CMMC Level 2 self-assessment (§ 170.16) or CMMC Level 2 certification assessment (§ 170.17) requirements also satisfies the CMMC Level 1 self-assessment requirements detailed in § 170.15 for the same CMMC Assessment Scope.

b. Level 2

Comment: Commenters provided a number of very specific Level 2 assessment scenarios and asked for rule interpretation for each scenario. Scenarios included differing scores for self-assessment and third-party assessment; assessment timing; conditional assessment expiration; and CUI enclaves. One commenter stated the language describing certificates of assessment lacked clarity and seems to allow an OSC to be issued a certificate of assessment but not be certified. Two comments stated that wording describing the expiration of a Conditional Level 2 self-assessment or certification could be interpreted to mean that the OSA/OSC would be permanently barred from seeking further contracts using information systems within that CMMC Assessment Scope. One comment said it was not clearly stated that a Level 2 third-party assessment would satisfy contractual requirements for a Level 2 self-assessment. One comment stated that the rule does not clearly indicate whether a Level 2 assessment checks for more than just proper implementation of the 110 requirements in NIST SP 800–171 R2 and includes paragraphs (c) through (g) of DFARS clause 252.204–7012. This commenter advocated that those requirements be assessed only during DIBCAC assessments.

Response: The rule has been updated to clarify that meeting the requirements for a CMMC Level 2 certification assessment satisfies a CMMC Level 2 self-assessment requirement for the same CMMC Assessment Scope. The term ‘‘certificate of assessment’’ has been replaced with the term ‘‘Certificate of CMMC Status’’ in the final rule. When an OSC has met all the requirements for a Level 2 certification assessment, a Certificate of CMMC Status is obtained from the C3PAO conducting the assessment. See § 170.9. Under CMMC, OSCs are not certified; rather, the assessed network receives a Certificate of CMMC Status for the CMMC Assessment Scope if the network meets all applicable certification requirements. No rule edit is necessary because § 170.19 is clear on this point. The phrase ‘‘until such time as a valid CMMC Level 2 self-assessment is achieved’’ is added to the rule in the event a Conditional Level 2 self-assessment or Conditional Level 3 expires [see §§ 170.16(a)(1)(ii)(B) and 170.17(a)(1)(ii)(B)]. The CMMC program does not assess paragraphs (c) through (g) of DFARS clause 252.204–7012. The CMMC Program assesses the security requirements set forth in FAR clause 52.204–21; National Institute of Standards and Technology (NIST) Special Publication (SP) 800–171 R2; and selected requirements from NIST SP 800–172 Feb2021, as applicable (see table 1 to § 170.14(c)(4) CMMC Level 3 Requirements). If the contract requires a Level 2 self-assessment (i.e., a CMMC Status of ‘‘Conditional/Final Level 2 (Self)’’), then the Level 2 self-assessment score with a current affirmation is valid for that contract but not for a contract with a Level 2 certification assessment requirement. The DoD does not consider it realistic or likely that C3PAOs will purposefully ‘‘slow roll’’ completion of assessments for which they have been engaged by an OSC. However, the OSA’s CMMC Status is based on final results of an assessment and a valid affirmation. A POA&M Close-out assessment need only re-assess those requirements that were assessed as NOT MET in the original assessment, as addressed in § 170.21(b). The OSA status is based on the results of this POA&M Close-out assessment with a valid affirmation. If the subcontractor will process, store, or transmit CUI, then the flow-down requirement for a prime contract that specifies CMMC Level 3 certification assessment is, at a minimum, CMMC Level 2 certification assessment (i.e., a CMMC Status of ‘‘Conditional/Final Level 2 (C3PAO)’’).
A POA&M close-out applies to all NOT MET requirements, so if one practice is not remediated within the 180-day time limit, the conditional certification will expire. Scope cannot be changed in the middle of an assessment, so the conditional certification will expire. If the scope is changed, a new assessment is required. The assessment is performed based on the defined CMMC Assessment Scope. The OSA is only approved to process, store, or transmit FCI and CUI within the CMMC Assessment Scope defined. If the conditional assessment certification expires due to exceeding the 180-day limit, a new full certification assessment is required. Contracting officers can utilize standard contract remedies during any period under which the OSA is not in compliance with CMMC requirements. If an OSC closed out their POA&M 32 months ago, that Level 2 Conditional certification assessment would have closed and the OSC would have received a Level 2 Final certification assessment for the remainder of the 3-year validity period. If, after completing the Level 2 Final certification assessment, the OSC is reassessed and does not achieve a score of 110, then the OSC will either get a new Conditional Level 2 (C3PAO) CMMC Status certificate (if they meet the associated POA&M requirements), or the OSC will not receive a new certificate.

c. Level 3

Comment: Several comments addressed CMMC Level 3 assessment requirements and the relationship of Level 3 assessments to Level 2 assessments. One comment noted that a final version of the Level 3 assessment guidance was not available at the same time as other CMMC assessment guides. Another recommended the DoD first pilot implementation of CMMC Level 3 security requirements and clearly identify (in advance) the data or programs that will be subject to them.
One commenter asked how DoD will maintain Level 3 requirements to align with NIST’s guidance, since Level 3 includes only a subset of NIST SP 800–172 Feb2021 requirements. Another asked about validating compliance for assets that changed asset categories when transitioning from Level 2 certification to Level 3 certification. One comment said Level 2 certification is not clearly identified as a prerequisite for Level 3 certification, and that organizations might try to bypass Level 2. One comment asked whether those entities that would need a CMMC Level 3 assessment could seek a combined Level 2 and Level 3 certification from the DIBCAC to reduce cost to the OSC. One comment sought clarification of how long an OSC would be prohibited from seeking additional contract awards if a Level 3 certification expired. Two comments were concerned about the DIBCAC’s ability to terminate a Level 3 assessment if the review identifies a Level 2 requirement that is not met.

Response: For CMMC Level 3, the DoD selected a subset of NIST SP 800–172 Feb2021 requirements for enhanced safeguarding. The CMMC Level 3 supplemental documents were not finalized prior to publication of the Proposed Rule. DoD’s final determination of the specific subset of NIST SP 800–172 Feb2021 requirements is included in this final rule, which defines the ODPs for Level 3 in table 1 to § 170.14(c)(4). DoD will update the rule when required to change the security requirements, to include CMMC Level 3. DoD has reviewed and declined the recommendation to conduct a pilot prior to phasing in CMMC Level 3 requirements. Given the evolving cybersecurity threat, DoD’s best interests are served by ensuring that the selected CMMC Level 3 NIST SP 800–172 Feb2021 security requirements are in place to provide enhanced protections for sensitive DoD CUI.
In those cases when DCMA DIBCAC identifies that a Level 2 security requirement is NOT MET, DCMA DIBCAC may allow for remediation, place the assessment process on hold, or may immediately terminate the Level 3 assessment, depending on the significance of the NOT MET security requirement(s) and the nature of the required remediation. The determination of whether a NOT MET requirement is significant is reserved for the judgment of the DCMA DIBCAC. The rule has been updated to clarify that DCMA DIBCAC has the responsibility to validate compliance of all assets that changed asset category (i.e., CRMA to CUI Asset) or assessment requirements (i.e., Specialized Assets) between the Level 2 and Level 3 assessments. As addressed in § 170.18, a condition to request a Level 3 certification assessment from DCMA DIBCAC is the receipt of a Final Level 2 (C3PAO) CMMC Status. The DoD considered, but declined, the recommendation to allow OSAs to simultaneously pursue Level 2 and Level 3 in one assessment. DoD must enforce CMMC requirements uniformly across the Defense Industrial Base for all contractors and subcontractors who process, store, or transmit CUI, regardless of an OSA’s intended CMMC level. Permitting OSCs to seek combined CMMC Level 2 and 3 assessments would unfairly benefit only a subset of OSCs that were identified to meet CMMC Level 3 requirements. The rule has been updated to clarify that the OSC will be ineligible for additional contract awards that require a CMMC Level 3 certification assessment until such time as a valid (Conditional or Final) CMMC Level 3 (DIBCAC) CMMC Status is achieved for the information systems within the CMMC Assessment Scope.

d. Scoring Methodology

1. CMMC Point Value System

Comment: Multiple comments were received concerning the point values assigned to CMMC security requirements, their association to other frameworks, consistency between CMMC levels, and their use in POA&M eligibility determination. Numerous comments recommended that the CMMC Level 2 weighted point system, where security requirements are valued as 1, 3, or 5, be modeled after the one point per requirement used in CMMC Level 3 scoring. Some also questioned why the CMMC Level 2 scoring structure was the same as the NIST SP 800–171 DoD Assessment Methodology (DoDAM). Four comments recommended changes to the criteria for adding unimplemented security requirements to an Assessment POA&M. One comment noted that temporary deficiencies which are appropriately addressed in plans of action should be assessed as implemented. Some of the comments recommended not assigning point values to determine POA&M eligibility. Two other comments recommended dropping the NIST Basic and Derived security requirement designations and disassociating them from CMMC point values.

Response: Recommendations to assign a point value of 1 to all CMMC Level 2 security requirements were not accepted. CMMC adopted the scoring as included in the NIST SP 800–171 DoD Assessment Methodology (DoDAM) used by the DCMA DIBCAC and referenced in DFARS clause 252.204–7020. As addressed in § 170.20(a) in this rule, there is qualified standards acceptance between a DCMA DIBCAC High Assessment and a CMMC Level 2 certification assessment. Revisions to the CMMC Scoring Methodology will be made concurrently with changes to the DoDAM. The variable point values of 1, 3, and 5 are linked to the NIST determination of Basic Security Requirements and Derived Security Requirements as described in § 170.24. The DoD has updated the rule text at § 170.24 to clarify which requirements may be included on a POA&M.
CMMC Level 2 security requirement SC.L2–3.13.11 can be partially effective and may be included on a POA&M if encryption is employed and is not FIPS-validated. The DoD added a definition for enduring exceptions and temporary deficiencies to the rule. § 170.21 addresses POA&Ms for assessments. Security requirement CA.L2–3.12.2 allows for the development and implementation of operational plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems. These operational plans of action are different from POA&Ms permitted under a Conditional assessment. The rule has been updated to make this distinction clear. The CMMC rule does not prohibit the use of an operational plan of action to address necessary information system updates, patches, or reconfiguration as threats evolve.

2. NIST SP 800–171A Jun2018 Assessment Objectives

Comment: Multiple comments questioned the role of NIST SP 800–171A Jun2018 Assessment Objectives within the CMMC assessment process. Three comments asked whether all assessment objectives needed to be met to score a security requirement as MET. Two comments questioned the need to report assessment results at the assessment objective level within the CMMC instantiation of eMASS for CMMC Level 2 and CMMC Level 3 certification assessments. Some comments suggested that the DoD allow contractors to take a more risk-based approach, including compensating controls, instead of a strict security requirement-based model.

Response: DoD must enforce CMMC requirements uniformly for all defense contractors and subcontractors who process, store, or transmit CUI. Each assessment objective in NIST SP 800–171A Jun2018 must yield a finding of MET or NOT APPLICABLE for the overall security requirement to be scored as MET.
Assessors exercise judgment, within CMMC guidelines, in determining when sufficient and adequate evidence has been presented to make an assessment finding. A security requirement can be applicable even with assessment objectives that are N/A. The security requirement is NOT MET when one or more applicable assessment objectives is NOT MET. CMMC assessments are conducted at the assessment objective level, and the results are captured at the assessment objective level. Assessment results are entered into the CMMC instantiation of eMASS at the NIST SP 800–171A Jun2018 assessment objective level of detail to provide metrics on which assessment objectives are proving difficult to implement and to indicate where additional assessor training and guidance may be warranted. The DoD declines to change requirements to allow additional organization-specific risk-based approaches. The National Institute of Standards and Technology (NIST) determined the appropriate characteristics and considered the appropriate attack vectors when NIST SP 800–171 R2 was created, and tailored the security requirements to protect the confidentiality of CUI. Questions and comments related to NIST SP 800–171 R2 background, development and scenarios are outside the scope of the CMMC rule.

3. Other Scoring Comments

Comment: Three comments were received concerning the use of operational plans of action to document security requirements which are not fully implemented due to limitations beyond the ability of an OSA to address. The use of temporary deficiencies and enduring exceptions was suggested, along with the recommendation that these items be scored as MET. The scoring of FIPS-validated modules was questioned in four comments. An error in the point value for encryption (1 and 3 points vs. the correct 3 and 5 points) was identified. Clarification on full credit for incomplete implementation of FIPS encryption was also requested.
Two comments were received about the relationship between CMMC Level 2 and CMMC Level 3 scoring, asking if the point values in each assessment were cumulative and how the 80% eligibility for an assessment POA&M and Conditional certification would be calculated. Three comments requested clarification around the use of N/A in security requirements, assessment objectives, and in matters pertaining to previously granted DoD CIO variances. One comment questioned what types of artifacts are required to substantiate a determination of N/A for a security requirement or assessment objective. Three comments addressed the need for a System Security Plan, its point value, if any, and the need for an SSP as a prerequisite for assessment as it exists in the DIBCAC DoDAM.

Response: The government cannot comment on the suitability of specific implementations or products to meet CMMC security requirements and is aware that FIPS module validation can exceed the 180-day CMMC assessment POA&M threshold. Guidance regarding FIPS implementation on Windows 11 is not appropriate for inclusion in the rule text, and DoD declines to make an update. Limitations of the FIPS-validated module process do not impact the implementation status of FIPS cryptography. The rule has been updated to include enduring exceptions and temporary deficiencies. Vendor limitations with respect to FIPS validation could be considered enduring exceptions or temporary deficiencies and should be addressed in an OSA’s operational plan of action. Several requirements within NIST SP 800–171 R2 specify the use of encryption without consideration of the processing, storage, or transmission of CUI. Requirement 3.13.11 requires that the encryption used be a FIPS-validated module if the encryption is used to protect the confidentiality of CUI.
The scoring in § 170.24(c)(2)(i)(B)(4)(ii) is based on the use of encryption and whether the encryption uses a FIPS-validated module. There is no consideration for multiple layers of encryption, so specific guidance to assessors regarding layers of encryption is not needed, and DoD declines to make the suggested addition. OSAs may choose how they implement security requirements, and C3PAOs will assess based on the stated implementations. CCAs are trained in the correct process to assess security requirements. The DoD has updated the rule text at § 170.24(c) to clarify which requirements may be included on a POA&M, which addresses the error in the point value for encryption. The scoring for CMMC Level 3 is separate from the scoring for CMMC Level 2. As stated in § 170.24(c)(3), the CMMC Level 3 assessment score is equal to the number of CMMC Level 3 security requirements that are assessed as MET. There are twenty-four CMMC Level 3 security requirements, identified in table 1 to § 170.14(c)(4). CMMC Level 3 POA&M eligibility is based on the number of CMMC Level 3 security requirements and does NOT include the 110 CMMC Level 2 requirements. ‘‘Not applicable’’ was removed from § 170.24(c)(9) for the case where the DoD CIO previously approved a variance. The rule has been updated to reflect the language of DFARS clause 252.204–7012 and the DoDAM, including nonapplicable or to have an alternative, but equally effective, security measure. Regarding the comment on N/A objectives, § 170.23 is clear that MET means all applicable objectives for the requirement are met, and that if an objective does not apply, then it is equivalent to being MET. A security requirement can be applicable even with one or more objectives that are N/A. The overall requirement is only NOT MET when one or more applicable objectives is not satisfied. The determination of assessment findings is made by an Assessor following the assessment methodology.
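As an added worked example, not part of the rule text, the Level 2 and Level 3 scoring and POA&M-eligibility arithmetic described in the responses above (1/3/5-point deductions from 110, the 3-point partial case for SC.L2–3.13.11 when encryption is employed but not FIPS-validated, the 80% threshold, and Level 3 scored separately on its 24 one-point requirements). The per-requirement point values and identifiers in the sample, and the treatment of unlisted requirements as MET, are assumptions for illustration; the rule's own short list of specific 1-point requirements that may never be placed on a POA&M is not reproduced on this page, so the function takes that list as a parameter.

```python
"""CMMC Level 2 / Level 3 score and POA&M-eligibility calculator (illustrative).

Assumptions (the rule text above does not reproduce the full DoDAM point
table): each Level 2 finding carries its own point value (1, 3 or 5);
requirements not listed in a findings set are treated as MET; an N/A
finding carries no deduction, matching the rule's treatment of N/A.
"""
from __future__ import annotations

from dataclasses import dataclass

LEVEL2_MAX_SCORE = 110       # 110 NIST SP 800-171 R2 requirements
LEVEL3_REQUIREMENTS = 24     # table 1 to s 170.14(c)(4), one point each
POAM_PERCENT = 80            # score must be >= 80% of the maximum
CUI_ENCRYPTION = "SC.L2-3.13.11"


@dataclass
class Finding:
    req_id: str
    points: int                      # 1, 3 or 5 for Level 2; 1 for Level 3
    status: str                      # "MET", "NOT MET" or "N/A"
    encryption_in_use: bool = False  # only meaningful for SC.L2-3.13.11


def level2_deduction(f: Finding) -> int:
    """Points lost for one Level 2 finding."""
    if f.status != "NOT MET":
        return 0
    # Encryption employed but not FIPS-validated: partially effective,
    # scored as a 3-point deduction instead of the full 5.
    if f.req_id == CUI_ENCRYPTION and f.encryption_in_use:
        return 3
    return f.points


def level2_score(findings: list[Finding]) -> int:
    return LEVEL2_MAX_SCORE - sum(level2_deduction(f) for f in findings)


def level2_poam_eligible(findings: list[Finding],
                         ineligible: frozenset[str] = frozenset()) -> tuple[bool, list[str]]:
    """Conditional Level 2: score >= 80% of 110 and no NOT MET requirement
    worth more than 1 point, except SC.L2-3.13.11 in its 3-point partial
    case. `ineligible` holds the 1-point requirements the rule itself bars
    from a POA&M (not listed on this page; supplied by the caller)."""
    reasons: list[str] = []
    score = level2_score(findings)
    if score * 100 < POAM_PERCENT * LEVEL2_MAX_SCORE:   # integer compare, no float
        reasons.append(f"score {score} is below 80% of {LEVEL2_MAX_SCORE}")
    for f in findings:
        if f.status != "NOT MET":
            continue
        d = level2_deduction(f)
        if f.req_id == CUI_ENCRYPTION and d == 3:
            continue                                    # the one permitted >1 case
        if d > 1:
            reasons.append(f"{f.req_id} ({d} points) cannot be placed on a POA&M")
        elif f.req_id in ineligible:
            reasons.append(f"{f.req_id} is not POA&M-eligible")
    return (not reasons), reasons


def level3_score(findings: list[Finding]) -> int:
    """Level 3 score: number of the 24 Level 3 requirements assessed as MET."""
    return LEVEL3_REQUIREMENTS - sum(1 for f in findings if f.status == "NOT MET")


def level3_poam_eligible(findings: list[Finding]) -> bool:
    """Level 3 is judged on its own 24 requirements; the 110 Level 2
    requirements do not enter this ratio (Final Level 2 is a prerequisite)."""
    return level3_score(findings) * 100 >= POAM_PERCENT * LEVEL3_REQUIREMENTS


if __name__ == "__main__":
    # Constructed findings; point values are assumed for illustration.
    sample = [
        Finding("SC.L2-3.13.11", 5, "NOT MET", encryption_in_use=True),
        Finding("AC.L2-3.1.3", 1, "NOT MET"),
        Finding("CA.L2-3.12.2", 3, "MET"),
    ]
    print(level2_score(sample), level2_poam_eligible(sample))   # 106 (True, [])
    l3 = [Finding(f"L3-{i}", 1, "NOT MET") for i in range(4)]
    print(level3_score(l3), level3_poam_eligible(l3))           # 20 True
```

The integer comparison `score * 100 >= 80 * maximum` avoids a floating-point boundary at exactly 88 of 110 (or 20 of 24), which is where an eligibility decision actually turns.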
In the case of a self-assessment, the Assessor is from the OSA. In the case of a certification assessment, the Assessor is from the C3PAO or DIBCAC. An assessment finding of NOT APPLICABLE (N/A) means a security requirement (or assessment objective) does not apply at the time of the CMMC assessment. For each assessment objective or security requirement marked N/A, the Certified Assessor includes a statement that explains why it does not apply to the contractor. The OSC should document in its SSP why the security requirement does not apply and provide justification. There is no standard set of artifacts required to justify a finding of N/A. A System Security Plan as described in security requirement CA.L2–3.12.4 is required to conduct an assessment. The rule has been updated at § 170.24(c)(2)(i)(B)(6) for clarity. Security requirement CA.L2–3.12.4 does not have an associated point value. The OSA will not receive a -1 for a missing or incomplete SSP. The absence of an up-to-date system security plan at the time of the assessment would result in a finding that ‘an assessment could not be completed due to incomplete information and noncompliance with DFARS clause 252.204–7012.’ The rule has been updated in § 170.24(c)(6) to clarify this.

e. Artifacts

Comment: Several comments and requests for clarification dealt with artifacts that are reviewed or created during a CMMC assessment, or as part of compliance with other contractual requirements, including DFARS clause 252.204–7012. Some commenters asked whether standardized SSP and POA&M templates would be provided to assist with compliance. Other templates requested included pre-assessment planning materials, final assessment reports, and the resulting Certificate of CMMC Status. Others expressed concern that sharing certain artifacts during the assessment process or permitting assessors to retain them would create vulnerability.
In addition, commenters asked whether security protections are required for documents held due to the artifact retention requirements. One commenter asked how CMMC assessment scores or affirmation information will be protected, and whether the CMMC program office will share this information outside of DoD. Another suggested that C3PAOs should not be required to retain any OSC-provided materials. One commenter misinterpreted the supplemental hashing guide as requiring use of the MS PowerShell script with the SHA256 algorithm. The commenter also stated it would be more efficient to specify a single hash be provided for combined artifacts rather than requiring separate hash values for each artifact. They recommended deletion of the hashing requirement. Another commenter suggested requiring OSCs to generate hashes for artifacts as part of a Level 2 self-assessment. One comment also asked whether hashing is required for Level 3 artifacts. One comment asked how long OSAs must retain artifacts following an assessment. Some comments expressed concern that C3PAOs that receive or retain OSA artifacts identified as CUI would be required to undergo assessment by both the DIBCAC and another C3PAO. Four commenters objected to the 6-year artifact retention requirement for C3PAOs and requested reduction to 1 year. Three commenters asked whether self-assessors at Level 1 or Level 2 must also retain supporting artifacts for 6 years. Two commenters recommended revised wording of CMMC Level 3 requirements to provide greater clarity about artifact retention and integrity. One commenter requested edits to the description of SSP content, advocating for deletion of references to organizational policies and procedures in place to comply with NIST SP 800–171 R2. The recommended edits also changed attribution of the requirement to create an SSP to reflect DFARS clause 252.204–7020 rather than DFARS clause 252.204–7012.
This commenter also suggested additional wording to specify that the OSA need not define roles and responsibilities of security personnel in the SSP but may do so in ancillary documents.

Response: This rule retains the reference to DFARS clause 252.204–7012, which implements NIST SP 800–171, as the basis for the requirement to create and update an SSP. The DoD has considered the recommended changes to the rule regarding the SSP content and declines to make the revision. The NIST SP 800–171 R2 requirement for an SSP is foundational to performing a NIST SP 800–171 R2 self-assessment, and its purpose is to provide critical information for performing the assessment. The SSP should detail the policies and procedures that support ‘‘. . . how security requirements are implemented . . .’’ for all NIST SP 800–171 R2 controls. DoD declines to establish a specific SSP format, as OSAs should define the best format for their organizations. The Overview section of the rule has been updated to remove the statement indicating SSPs will outline the roles and responsibilities of security personnel. DoD does not plan to provide document templates for SSPs and POA&Ms, as they are already available in existing NIST guidance. Templates and schemas for the pre-assessment and assessment results documents are available to authorized CMMC eMASS users at https://cmmc.emass.apps.mil. Commenter concerns about artifact retention reflect a misunderstanding of the assessment process. Assessors and C3PAOs do not retain OSC artifacts; they only retain the hash value captured during the assessment process. Assessors will retain documents created during the assessment such as their notes and the Assessment Findings Reports.
To facilitate the protection of these documents, authorized C3PAOs are required to go through a DIBCAC-conducted CMMC Level 2 assessment, and CMMC Assessors are only authorized to use C3PAO-issued equipment that was within the scope of the DIBCAC assessment. Separately, the DIBCAC processes, stores, and transmits its assessment-related data on DoD networks. Assessment Reports are submitted to DoD via eMASS, which is a government-owned, secured database. Sharing of this information is subject to DoD policies. The OSC is responsible for maintaining and hashing all artifacts that supported the assessment. The rule has been modified to clarify that C3PAOs do not maintain artifacts from the OSC. The OSC’s artifacts must be hashed, and the value provided to the assessor for submission into CMMC eMASS. That hash value contains no sensitive information. An OSC’s System Security Plan (SSP) will be reviewed as part of a CMMC certification assessment, but not shared outside of the OSC. Assessors will not retain copies of the SSP or any other proprietary OSC information. Assessors will retain the name, date, and version of the SSP for uploading in SPRS or eMASS, as appropriate for the level of assessment. Assessors will upload assessment information (e.g., list of artifacts, hash of artifacts, and hashing algorithm used) into CMMC eMASS as addressed in § 170.9(b)(17), and the OSC will retain its assessment documentation as addressed in § 170.17(c)(4) and § 170.18(c)(4). CMMC Level 2 self-assessment procedures as described in § 170.16(c)(1) require assessment in accordance with NIST SP 800–171A Jun2018, which if conducted properly will generate evidence. The rule has been modified to incorporate data retention requirements for self-assessments into §§ 170.15 and 170.16. OSAs are not required to generate hashes for self-assessment artifacts. Hashing is only required for Level 2 or Level 3 assessments by C3PAOs and DCMA DIBCAC.
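The hashing step the response describes (the OSC hashes its artifacts, a single value together with the name of the hashing algorithm is handed to the assessor and recorded in CMMC eMASS, and the OSC keeps the artifacts themselves for the retention period) can be illustrated with a short script. The following is an added example written for this page; it is not the DoD Hashing Guide’s PowerShell script or any CMMC tooling. The manifest layout (a header naming the algorithm, one digest-and-name line per artifact sorted by name, and one hash over that manifest as the single reported value), the function names, and the sample artifact contents are assumptions made here.

```python
"""Artifact hashing for a CMMC certification assessment.

Added example for this page (not the DoD Hashing Guide script or any CMMC tool).
It hashes every assessment artifact, lists the digests in a sorted manifest, and
hashes that manifest once, so the assessor receives a single value plus the
algorithm name. The same code lets the OSC re-check its retained artifacts later.
The manifest layout and the sample artifacts below are assumptions / constructed data.
"""
import hashlib
from pathlib import Path

# The rule does not mandate SHA256, only that the algorithm name be recorded;
# any name in hashlib.algorithms_available (e.g. "sha256", "sha512", "sha3_256") works.
DEFAULT_ALGORITHM = "sha256"

# Constructed sample artifacts (name -> content); real artifacts would be read from disk.
SAMPLE_ARTIFACTS = {
    "ssp/SSP-v3.2.pdf": b"%PDF-1.7 constructed placeholder for a System Security Plan\n",
    "policies/access-control-policy.docx": b"PK\x03\x04 constructed placeholder for a policy document\n",
    "evidence/mfa-screenshot.png": b"\x89PNG\r\n\x1a\n constructed placeholder for a screenshot\n",
}


def hash_bytes(data: bytes, algorithm: str = DEFAULT_ALGORITHM) -> str:
    """Hex digest of data under the named algorithm."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def load_artifacts_from_dir(root: Path) -> dict[str, bytes]:
    """Read every file under root into the name -> bytes form used below."""
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in sorted(root.rglob("*")) if p.is_file()}


def build_manifest(artifacts: dict[str, bytes], algorithm: str = DEFAULT_ALGORITHM) -> str:
    """One 'digest  name' line per artifact, sorted by name so the same set of
    files always produces a byte-identical manifest (and therefore the same hash)."""
    header = f"algorithm: {algorithm}\n"
    lines = [f"{hash_bytes(data, algorithm)}  {name}" for name, data in sorted(artifacts.items())]
    return header + "\n".join(lines) + "\n"


def manifest_record(artifacts: dict[str, bytes], algorithm: str = DEFAULT_ALGORITHM) -> dict:
    """What gets reported: the algorithm name and the single hash over the manifest.
    The manifest itself (with file names) stays with the OSC alongside the artifacts."""
    manifest = build_manifest(artifacts, algorithm)
    return {
        "algorithm": algorithm,
        "artifact_count": len(artifacts),
        "manifest": manifest,
        "manifest_hash": hash_bytes(manifest.encode("utf-8"), algorithm),
    }


def _parse_manifest(manifest: str) -> dict[str, str]:
    """Map artifact name -> digest, skipping the algorithm header line."""
    entries = {}
    for line in manifest.splitlines()[1:]:
        digest, name = line.split("  ", 1)
        entries[name] = digest
    return entries


def verify_retained_artifacts(artifacts: dict[str, bytes], record: dict) -> tuple[bool, list[str]]:
    """Recompute from the retained artifacts and compare to the recorded single hash.
    Returns (ok, names of artifacts that changed, were added, or went missing)."""
    recomputed = manifest_record(artifacts, record["algorithm"])
    if recomputed["manifest_hash"] == record["manifest_hash"]:
        return True, []
    recorded = _parse_manifest(record["manifest"])
    current = _parse_manifest(recomputed["manifest"])
    changed = sorted(name for name in recorded.keys() | current.keys()
                     if recorded.get(name) != current.get(name))
    return False, changed


if __name__ == "__main__":
    record = manifest_record(SAMPLE_ARTIFACTS)
    print(record["manifest"])
    print(f"report to assessor: {record['algorithm']} {record['manifest_hash']}")
    ok, changed = verify_retained_artifacts(SAMPLE_ARTIFACTS, record)
    print("retained artifacts verified:", ok, changed)
```

The algorithm name travels with the hash because a hex digest on its own does not identify which function produced it; without the name, a later verification cannot recompute it. Sorting the manifest by name is what makes the single hash reproducible regardless of the order in which files are read. An OSC can rerun verify_retained_artifacts against the retained files at any point in the six-year period to show that the evidence supporting the assessment is unchanged, and the returned names point at exactly which artifact to investigate if it is not.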
The rule and Hashing Guide have been updated to add clarity that only a single hash is required, and that artifact retention is for six years. The use of the SHA256 algorithm is not mandatory, and therefore the name of the hash algorithm needs to be stored in eMASS. There are no additional requirements for artifact storage and retention beyond those identified in the rule. It is up to the OSA to determine the best way to ensure artifact availability during the six-year retention period. The rule has been updated in §§ 170.15 through 170.18 to clarify artifact retention requirements. DoD declines to reduce the artifact retention period from six years to one year. The rule has been updated to clarify that all OSAs and Assessors are required to retain their respective assessment data for six years. The requirement for an artifact retention period of six years is a result of the Department of Justice’s input to the proposed rule.

f. POA&Ms

Comment: Over forty comments were received about POA&Ms seeking clarification or revision to the rule content on that topic. Several commenters misinterpreted the requirement to remediate or close POA&M items within 180 days as eliminating acceptability of operational plans of action for normal corrective actions such as patching or other routine maintenance activities, thus making the achievement of 100% compliance impossible. Some commenters requested rule revisions to describe operational plans of action in more detail. One commenter asked that the concept of Enduring Exceptions be added to the rule to address special circumstances when remediation and full compliance with CMMC security requirements is not feasible, as described in the NIST SP 800–171A Jun2018 assessment methodology. Several commenters expressed concern with the 180-day timeline to close out POA&Ms or limits on which practices can be placed on them.
Recommendations for changing the POA&M timeline ranged from completely deleting the time limit to extending it by 1 to 3 years. One variation was to permit more than 180 days for closeout only during an initial one-year “ramp-up” period. One commenter encouraged DoD to reduce POA&M restrictions to facilitate contractors’ genuine attempts to meet requirements and mitigate information security risks. Three commenters also thought the rule should allow contractors to request approval to delay POA&M close-out when meeting the original timeline is impracticable, while another commenter suggested defining the close-out timeline in the contract, allowing negotiation of extension or renewal of POA&Ms through the contracting officer. Two commenters asked when the 180-day timeline begins, and one asked what actions occur if the POA&M is not closed out within that period. Four commenters noted that the number of security requirements explicitly precluded from POA&Ms makes CMMC challenging and requested greater flexibility in how many, and which, practices may be included. Three commenters recommended that companies be allowed to have any number of failed practices reassessed for up to six months after an assessment without having to complete and pay for a new full assessment. Three other commenters recommended that the DoD allow for risk-informed POA&Ms, while one stated that the rule should not specify which requirements must be met. One commenter requested clarification on how many items of each point value may be included on a POA&M for CMMC Level 2 conditional certification. One commenter also asked DoD to consider abandoning controls with high failure rates, lowering score requirements based on evidence of sufficient mitigation. Several comments expressed concern that CMMC conditional certification does not allow higher weighted practices on a POA&M and recommended the rule reduce those restrictions to allow more security practices.
One commenter also recommended eliminating weighting altogether, permitting any requirement to be part of the POA&M. As rationale, one commenter referenced DFARS clause 252.204–7012 verbiage that permits contractors to request DoD CIO approval to vary from NIST SP 800–171 requirements, saying that since all approved variances are considered as “Not Applicable”, all requirements should be POA&M eligible. Two commenters asked where POA&Ms are maintained, who is responsible for validating close-out, and whether affirmation is required after each assessment (including POA&M close-out). One commenter asked about applicability of the 180-day POA&M close-out requirement to Critical, High, Medium, or Low findings against Service Level Agreements. One commenter recommended that a description of appropriate POA&M entries be added to the rule and provided other recommended edits to the POA&M section, including addition of terms of art such as “assessment-related” and “non-assessment-related”, and deletion of the words “as applicable.”

Response: The CMMC Program allows the use of POA&Ms. Section 170.21 delineates the requirements that may be addressed with a POA&M as part of an assessment; the POA&M must be closed out by a POA&M close-out assessment within 180 days of the initial assessment to achieve the assessment requirement for Final certification. At Level 1, the OSA must affirm annually that it has reassessed its environment. Security requirement CA.L2–3.12.2 allows for the development and implementation of operational plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
The CMMC rule does not prohibit an OSA from using an operational plan of action at any CMMC level to address necessary information system updates, patches, or reconfiguration as threats evolve. These are different from POA&Ms permitted under a Conditional certification assessment. The DoD has updated the rule to make this distinction clear. The Department also updated the rule to include a definition and clarity for enduring exceptions. The DoD CIO option for variances in DFARS clause 252.204–7012 is beyond the scope of this rule. Operational plans of action are the appropriate mechanism to handle CSPs, ESPs (that are not CSPs), and third-party vendors that are no longer compliant with a CMMC requirement. Operational plans of action may be necessary when the relevant security requirement or control was fully implemented, but a vulnerability or deficiency is discovered after gaining a CMMC final compliance status, such as, but not limited to, routine updates, patches, or updates to CMMC compliance status. For purposes of CMMC compliance, operational plans of action are acceptable and are not subject to the 180-day timetable established for initial assessment. In addition, the rule has been modified to include a definition for Enduring Exceptions. The DoD does not accept the recommendation to change the criteria for POA&Ms or the timeline allowed to remediate open POA&M items. The 180-day period allowed for POA&Ms and the determination of which weighted practices can be placed on a POA&M was a risk-based decision. The determination considers the relative risk DoD is willing to accept when a particular practice is not met and the amount of risk the DoD is willing to accept for those security practices that go “NOT MET” for an extended period. The DoD declined to edit the rule regarding the closeout of security requirements that are not allowed on the POA&M as stated in § 170.21.
The decision in this scenario is a business decision between the applicable C3PAO and the OSC. Given the evolving cybersecurity threat, DoD’s best interests are served by ensuring that POA&Ms remain open for no longer than 180 days, regardless of which controls are included or the plan for remediation. The 180-day period starts when the CMMC assessment results are finalized and submitted to SPRS or eMASS, as appropriate. As addressed in §§ 170.17(a)(1)(ii)(B) and 170.18(a)(1)(ii)(B), if the POA&M is not closed out within the 180-day timeframe, the Conditional Certification will expire. If the Conditional Certification expires within the period of performance of a contract, standard contractual remedies will apply, and the OSC will be ineligible for additional awards with CMMC Level 2 or 3 requirements for the information systems within the same CMMC Assessment Scope. The scoring methodology created by the DoD reflects the relative risk to DoD information when a security requirement is NOT MET. As defined in § 170.17(c)(2), a security requirement that is NOT MET may be re-evaluated during the Level 2 certification assessment and for 10 business days following the active assessment period under certain conditions. Likewise, when an OSC executes a contract with a C3PAO it may account for the timeliness of any re-assessments. The language in DFARS clause 252.204–7012 describing the DoD CIO’s authority to approve variances is beyond the scope of this rule. A POA&M for CMMC Level 2 can include up to 22 security requirements that have a value of 1, excluding those in § 170.21(a)(2)(iii), or may include non-FIPS-validated encryption and up to 19 security requirements that have a value of 1. The OSA is responsible for maintaining the POA&M that resulted from a CMMC assessment; however, those security requirements that were NOT MET and placed on a POA&M are recorded in eMASS. 
The OSA is responsible for validating the close-out of the security requirements on the POA&M within 180 days of a self-assessment. The C3PAO or DCMA (as applicable) must perform the POA&M Close-out Assessment for a Final certification assessment. An affirmation of compliance is required upon the completion of any assessment—Conditional, Close-out, or Final—and annually after the completion of a Final assessment. The requirement outlined in § 170.21 for POA&M close-out does not apply to Service Level Agreement (SLA) severity levels. The Department declines to include recommended POA&M examples in the rule, as they are already available in existing NIST guidance, or to make other word changes to § 170.21. This section of the CMMC rule has been updated to add clarity when discussing the POA&M regarding security requirements that were assessed as NOT MET during a CMMC assessment. These POA&Ms are distinct from an operational plan of action.

g. Assessment Activities and Reporting

1. Data Entry

Comment: One comment requested the rule state that records in SPRS must be updated within six months of the rule’s effective date or when the functionality is in place, whichever is longer. Two comments asked for mitigations for assessment delays that could impact the timeliness of certification. One comment asked for more information about assessment frequency guidelines, and one asked which date would be used to determine timing of CMMC Level 2 triennial assessments, where this date is maintained, and who is responsible for ensuring contractors meet all applicable security requirements.

Response: To be eligible for a contract with a CMMC Level 1 self-assessment requirement, the OSA must perform a Level 1 self-assessment, input the result into SPRS, and submit an affirmation.
The timeline for initiating and reporting a self-assessment is a business decision to be made by each contractor considering the contract opportunities it wishes to pursue. Because the OSA can fully control timelines for completion of self-assessments and plan for changes within the assessment scope, and because CMMC certification assessments occur on a standard 3-year cycle, the DoD expects that companies will plan assessments well in advance of need. The required assessment frequency is every year for CMMC Level 1, and every 3 years for CMMC Levels 2 and 3, or when changes within the CMMC Assessment Scope invalidate the assessment. Certification dates for CMMC Levels 2 and 3 are set to the date the certification assessment results are entered into SPRS for self-assessments or the date the Certificate of CMMC Status is entered into eMASS for third-party assessments. The triennial requirement renews on that date; there is no grace period. Each OSA’s annual affirmation attests that they have implemented, and are maintaining their implementation of, the security requirements.

2. Supplier Risk Performance System and eMASS

Comment: Three commenters viewed CMMC’s intent to store CMMC-related data in an existing DoD system, SPRS, as an indication that SPRS would replace other DoD risk tracking systems or the risk monitoring responsibilities of other agencies. One commenter asked whether other Services would have their own systems, as the SPRS Program Office is within the Navy. Another comment stated CMMC and SPRS should not be tasked with the responsibility of addressing Supply Chain Risk Management (SCRM).
One comment asked if the DoD intended to make CMMC Level 2 and 3 certification information available to other agencies, which could reduce the cost burden of compliance with assessment/certification programs adopted by other agencies. One comment asked how PII would be protected in SPRS. Another comment asked for SPRS to be redesigned to list assessment results for each security requirement instead of the aggregate level. One comment asked for a CMMC-specific process for entering data into SPRS to make it easier for small businesses, and another comment asked for vendor visibility into a potential subcontractor’s SPRS score. Several comments asked about the CAGE code requirement and noted a perception that businesses outside the U.S. are unable to obtain a CAGE code or become a member of PIEE and are therefore unable to access SPRS. One comment asked whether each contract would require a new SPRS entry. One comment asked if OSCs that already have an eMASS account would be able to access the CMMC instantiation of eMASS, and one comment questioned the cost/benefit of entering pre-assessment data into eMASS. Another comment asked for clarification on the roles and responsibilities of DoD Program Managers regarding the data uploaded into eMASS. One commenter suggested that eMASS be modified to permit tracking of self-assessments, in addition to certification assessments.

Response: SPRS is used to provide CMMC Status, score results, and affirmation status to contracting officers and program managers as part of the contract award process. It does not supersede other DoD program office risk register systems. SPRS will be used for reporting CMMC Status of all contractors, regardless of which service issued the contract. Although the SPRS program is managed by the Department of the Navy, its use spans across the Department.
There is no role for other agencies associated with this CMMC rule, which applies only to DoD contractors that process, store, or transmit FCI or CUI. The CMMC PMO has no current agreements with other Federal agencies to share CMMC assessment results. There is nothing that prevents an OSA from sharing its CMMC Status with other entities. SPRS is an existing DoD database that is compliant with DoD regulations, which includes meeting Privacy requirements. DoD suppliers are already required to use SPRS to record NIST SP 800–171 self-assessment scores, as referenced in DFARS clause 252.204–7020. The CMMC rule expands the use of SPRS to include CMMC Status, certification assessment scores, and affirmations. SPRS is the tool that the DoD acquisition workforce will use to verify companies meet CMMC requirements to be eligible for contract award. SPRS data entry does not make available to Contracting Officers the scoring of individual security requirements. The DoD does not concur with granting prime contractors access to view the CMMC scores or Certificates of CMMC Status for potential subcontractors in SPRS. Subcontractors may voluntarily share their CMMC Status, assessment scores, or certificates to facilitate business teaming arrangements. Changing access to PIEE and SPRS is outside the scope of this rule. CMMC eMASS is a tailored, standalone instantiation of eMASS for use by authorized representatives from C3PAOs, the DCMA DIBCAC, and the CMMC PMO. Individuals from each C3PAO will have access to CMMC eMASS to upload Level 2 assessment data. DCMA DIBCAC personnel will have access to CMMC eMASS to upload Level 3 assessment data. OSAs will not have access to CMMC eMASS. Authorized personnel from OSAs may access SPRS, which will host assessment certification and self-assessment data, and will be able to upload and view scores only for their OSA. The DoD declines to add requirements for submitting self-assessments in eMASS.
The requirement is for the OSA to enter scores into SPRS. There is value to the DoD in having the pre-assessment information in CMMC eMASS for overall program management and oversight. The information indicates that an assessment is either scheduled or in-process. The CMMC PMO seeks to track CMMC program adoption, and pre-assessment information allows reporting on upcoming assessments. Based on the DoD cost analysis, the effort to upload pre-assessment material is minimal. DoD Program Managers are not responsible for uploading data into eMASS, nor do they have any responsibility regarding the data uploaded to eMASS by DCMA. An ESP, OSA, or OSC seeking CMMC assessment will need a CAGE code and an account in SPRS to complete the annual attestation required of all CMMC certified or CMMC compliant organizations. An OSA/OSC must obtain a CAGE code via https://sam.gov before registering in PIEE. Step-by-step instructions for how to obtain an account can be found on the PIEE Vendor Account website: https://piee.eb.mil/xhtml/unauth/web/homepage/vendorGettingStartedHelp.xhtml. CAGE codes (or NCAGE codes for non-US-based companies) are also required. US-based contractors obtain a Commercial and Government Entity (CAGE) code from https://cage.dla.mil/Home/UsageAgree. Businesses outside of the US must obtain a NATO Commercial and Government Entity (NCAGE) code from https://eportal.nspa.nato.int/Codification/CageTool/home. As specified in §§ 170.15 and 170.16, SPRS inputs include the industry CAGE code(s) associated with the information system(s) addressed by the CMMC Assessment Scope. For each new information system used to support a DoD contract with FCI or CUI, a new SPRS entry is required. If the contractor or subcontractor will use an information system associated with a CAGE code already recorded in SPRS, then a new entry is not required.

3. Assessors and Certificates

Comment: One commenter asked if an assessor is prohibited from interacting with OSA IT tools such as MS Office 365 or cloud-based GRC tools. One commenter requested the CMMC rule require C3PAOs to clearly indicate the CMMC Assessment Scope on the Certificate of CMMC Status, to include CAGE codes, that could be shared with trusted partners.

Response: The rule text in § 170.11(b)(7) does not prohibit collecting assessment evidence within the OSC environment using the OSC’s IT. This section applies only to IT used by the assessors to process, store, or transmit assessment-related information once it leaves the OSC environment. The rule has been modified to list the minimum required information to be included on the Certificate of CMMC Status, including CAGE code.

h. Reassessment

Comment: Some commenters interpreted the end of a CMMC assessment validity period (and the need for a new assessment) as having the same significance or meaning as a “reassessment”, which the rule describes as potentially necessary only in rare circumstances when cybersecurity risks, threats, or awareness have changed. Another commenter asked for examples of circumstances that might prompt a re-assessment and a description of the process for completing one. Four commenters expressed concern that reassessments might be frequent, costly, and time-consuming. These commenters sought confirmation that relatively common system maintenance activities would not require a new assessment or prevent annual affirmation. One commenter questioned the rationale for differences between validity periods for CMMC Level 1 versus Levels 2 and 3 assessment and recommended standardization on either a 1-year or 3-year frequency for all levels.
Other commenters asserted that annual affirmations would drive a need for annual assessments at Levels 2 or 3 and requested deletion of the affirmation requirement. One commenter asked whether system changes within an assessment scope would require notification to the contracting agency. Another asked for guidance on remediation of POA&M items and asked whether systems that fall out of compliance must be identified to the contracting agency.

Response: The DoD considered the duration of assessment validity periods and has chosen to require self-assessment of the basic Level 1 requirements every year, rather than every three years. Levels 2 and 3 require implementation of a significantly larger number of more complex security requirements, which require more time and attention to assess. The DoD also declines to delete the annual affirmation requirement and does not agree that it equates to an annual assessment. The rule was modified to clarify that reassessments may be required based on post-assessment indicators of cybersecurity issues or non-compliance and are different from new assessments that occur when an assessment validity period expires. Reassessment is expected to be infrequent, conducted by the DoD, and necessary when cybersecurity risks, threats, or awareness have changed, or indicators of cybersecurity deficiencies and/or non-compliance are present. When required, DCMA DIBCAC will initiate the re-assessment process using established procedures. The rule has been further updated to add this DCMA DIBCAC responsibility in § 170.7. OSCs seeking confirmation upon CMMC Level 2 POA&M close-out may undergo POA&M close-out assessment by a C3PAO, which is different from reassessment. Self-assessments and certification assessments are valid for a defined CMMC Assessment Scope as outlined in § 170.19 CMMC Scoping.
A new assessment is required if there are significant architectural or boundary changes to the previous CMMC Assessment Scope. Examples include, but are not limited to, expansions of networks or mergers and acquisitions. Operational changes within a CMMC Assessment Scope, such as adding or subtracting resources within the existing assessment boundary that follow the existing SSP, do not require a new assessment, but rather are covered by the annual affirmations of continuing compliance with requirements. The CMMC rule does not prohibit an OSA from using an operational plan of action at any CMMC Level to address necessary information system updates, patches, or reconfiguration as threats evolve. If the CMMC Assessment Scope changes, then the current assessment is no longer valid and a new assessment is required. Requirements to notify the contracting agency of compliance changes are described in the 48 CFR part 204 CMMC Acquisition rule. An annual affirmation is required at each CMMC level.

16. CMMC Assessment Scoping Policy

Comment: One comment asked whether the requirements of DFARS clause 252.204–7012 apply to the entire contractor-owned information system, or only those components of the system that process, store, or transmit the CUI. Another questioned whether assets that process both FCI and CUI require CMMC Level 1 assessment. One comment asserted that assessments described in DFARS 252.204–7019 and 252.204–7020 are scoped differently than CMMC assessments, and requested the rule be revised to avoid duplication with those assessments, where applicable. Another recommended that DoD determine scoping, boundaries, standards, and assessments based on CUI data rather than by systems. One comment suggested that the rule be modified to address CMMC applicability to service providers that only provide temporary services, such as penetration testing, cyber incident response, or forensic analysis.
Response: OSAs determine the CMMC Assessment Scope based on how and where they will process, store, and transmit FCI and CUI. DoD has reviewed the suggested changes and declines to make any updates. Additional information for CMMC Scoping (§ 170.19) can be found in the relevant scoping guides. The applicability of DFARS clause 252.204–7012 requirements is not within the scope of this rule. Meeting CMMC Level 2 self-assessment or certification assessment requirements also satisfies CMMC Level 1 self-assessment requirements for the same CMMC Assessment Scope. One commenter incorrectly assumes that CMMC asset categories drive a change to the assessment scope from what exists in DFARS clause 252.204–7012, which implements NIST SP 800–171 R2. No conflicts exist between the DFARS clause 252.204–7012 requirements and the CMMC requirements in this rule. The DoD declines to change the rule to base scoping, boundaries, standards, or assessments solely on CUI data rather than on systems. The purpose of the CMMC Program is for contractors and subcontractors to demonstrate that FCI and CUI are adequately safeguarded through the methodology provided in the rule. The decision on what CMMC level is required for a contract is made by the Government after considering the nature of the planned effort, associated risks, and CUI to be shared. OSAs determine the CMMC Assessment Scope based on how and where they will process, store, and transmit FCI and CUI. Service providers who only need temporary access to perform services such as penetration testing, cyber incident response, or forensic analysis do not meet the definition of an ESP in § 170.4 and do not process, store, or transmit CUI. Therefore, they are not within scope and the DoD declines to modify the rule to include them.

17. CMMC Assessment Scope for ESPs

a. CMMC Applicability to ESPs

Comment: DoD received numerous comments about the implications of using an ESP while seeking to comply with CMMC requirements.
Many comments were concerns that the ESP assessment requirements expanded the scope and cost of the CMMC program. Additionally, some comments described overarching concerns about applicability of CMMC requirements to an ESP when it only provided a Security Protection Asset or processed Security Protection Data. In general, commenters requested to narrow the rule while providing more clarity and definition related to CMMC requirements for ESPs and CSPs. Many comments gave either hypothetical or actual scenarios and asked whether the ESP in that scenario would be required to complete a CMMC assessment at the level required for the OSA being supported. One comment suggested that ESPs should be treated the same as Risk Managed Assets. Another comment suggested that they be treated as Specialized Assets. Two comments proposed that DoD restrict DoD contractors to the use of an ESP/MSP/MSSP that is ISO/IEC 27001:2022(E) certified. Two comments suggest that OSAs be allowed to use non-certified or some form of conditionally certified ESPs if they retain the appropriate artifacts for review.

Response: The DoD has revised the rule to reduce the assessment burden on External Service Providers (ESPs). ESP assessment, certification, and authorization requirements in §§ 170.19(c)(2) and (d)(2) have been updated. The use of an ESP, its relationship to the OSA, and the services provided need to be documented in the OSA’s SSP and described in the ESP’s service description and customer responsibility matrix (CRM), which describes the responsibilities of the OSA and ESP with respect to the services provided. ESPs that are CSPs and process, store, or transmit CUI must meet the FedRAMP requirements in DFARS clause 252.204–7012.
ESPs that are CSPs and do NOT process, store, or transmit CUI are not required to meet FedRAMP requirements in DFARS clause 252.204–7012. Services provided by the CSP are in the OSA’s scope. When ESPs that are not CSPs process, store, or transmit CUI, a CMMC assessment is required to verify compliance with requirements for safeguarding CUI. Any ESP services used to meet OSA requirements are within the scope of the OSA’s CMMC assessment. When ESPs that are not CSPs do NOT process, store, or transmit CUI, they do not require CMMC assessment or certification; however, services they provide are in the OSA’s assessment scope. There is nothing in the rule that precludes an ESP that is not a CSP from voluntarily requesting a C3PAO assessment. A C3PAO may perform such an assessment if the ESP makes that business decision. ESPs can be part of the same corporate/organizational structure but still be external to the OSA, such as a centralized Security Operations Center (SOC) or Network Operations Center (NOC) which supports multiple business units. The same requirements apply and are based on whether the ESP provides cloud services and whether the ESP processes, stores, or transmits CUI on their systems. An ESP that is used as on-site staff augmentation only, i.e., the OSA provides all processes, technology, and facilities, does not need CMMC assessment. When ESPs are assessed as part of an OSA’s assessment, the assessment type is dictated by the OSA’s DoD contract CMMC requirement. The DoD declines to make any other suggested changes to the assessment of ESPs.

b. Definitions

Comment: Multiple comments state that the definition of CSP in the rule is overly broad and overlaps with the definition of ESP. One comment questioned whether a C3PAO is also a Security Protection Asset and by extension an ESP. Two comments requested a change to the definition of Out-of-Scope Assets to stipulate that SPD is Out-of-Scope.
Response: Several comments requested clarification on when an ESP would be considered a CSP. CSPs, MSPs, and MSSPs are always considered ESPs. The DoD has updated the rule to narrow the definition of Cloud Service Provider based on the definition for cloud computing from NIST SP 800–145 Sept2011. An ESP would be considered a CSP when it provides its own cloud services based on a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing that can be rapidly provisioned and released with minimal management effort or service provider interaction on the part of the OSA. An ESP (not a CSP) that provides technical support services to its clients would be considered an MSP. It does not host its own cloud platform offering. An ESP may utilize cloud offerings to deliver services to clients without being a CSP. An ESP that manages a third-party cloud service on behalf of an OSA would not be considered a CSP. C3PAOs need not ‘‘receive’’ security protection data as part of an assessment; they view the security protection data while on premises at the OSC for the assessment. A C3PAO is not an ESP or security protection asset and is therefore not within the OSA assessment boundary. DoD declines to delete the phrase ‘‘except for assets that provide security protection for a CUI asset’’ from the definition of Out-of-Scope Assets. Assets that provide security protection for CUI are not Out-of-Scope Assets. A CMMC definition for Security Protection Data has been added to the rule.

c. OSA Relationship to ESP

Comment: Several comments request clarification related to use of an ESP that is internal to the OSA. One comment requested that DoD require CSPs grant the US Government, as part of the contract between the OSA and the CSP, access to any CUI that is subject to CMMC requirements in the event of contractual failures, criminal actions or other legal situations that warrant seizure of CUI data.
Some comments also asked whether the DoD has standing or authority to require C3PAO assessment or conduct CMMC level 3 assessments of ESPs, given that the ESP's direct contractual relationship is not with the Government but with the OSA. Two comments suggest that ESPs will be covered by the subcontractor flow down requirements from an OSA.

Response: DoD agrees with the need for added clarity around internal ESPs and the rule was modified to remove the term internal ESP. An ESP that provides staff augmentation, where the OSA provides all processes, technology, and facilities, does not need CMMC assessment. Alternatively, an ESP can be part of the same organizational structure but still be external to the OSA, such as a centralized SOC or NOC which supports multiple business units. The CMMC requirements apply and are based on whether the ESP provides cloud services and whether the ESP processes, stores, or transmits CUI on their systems. The OSA's contractual rights with its CSP are beyond the scope of this rule. The rule states requirements for the OSA, not the ESP. The rule requires OSAs that process, store, or transmit FCI and CUI to protect that data. If those OSAs elect to use an ESP, and that ESP processes, stores, or transmits FCI or CUI from the OSA, then the OSA must require that the ESP protect the FCI and CUI and the ESP will be assessed as part of the OSA's assessment or require FedRAMP Moderate or equivalent. Specifically for Level 3, if an OSC is seeking Level 3 certification and uses an ESP that is not a CSP and that DOES process, store, or transmit CUI, then the ESP will need to be assessed by DIBCAC against the same Level 3 requirements as the OSC as part of the OSC's assessment unless the ESP voluntarily seeks a DIBCAC Assessment.
If an OSC is seeking Level 3 certification and uses an ESP that DOES NOT process, store, or transmit CUI, then the ESP will NOT need to be assessed by DIBCAC against the same Level 3 requirements as the OSC. ESPs provide a service that meets the requirements specified by the OSA, and therefore ESPs are not subcontractors on a DoD contract and are not bound by subcontractor flow down requirements.

d. Assessment of ESPs

Comment: There were multiple comments regarding the assessment of an ESP. One comment recommends the rule be revised to identify the specific assessment requirements that would be considered NOT MET by the OSA when using a non-compliant ESP, and to further require C3PAOs to validate the OSC's use of compliant ESPs during a CMMC Level 2 assessment. One comment asks if an ESP, when assessed, will require a CAGE code, and enter scores into SPRS. Another comment asked whether CMMC certification would be required when offering full IT management and online storage, including CUI, if the MSP policies prevent employees from accessing customer data. One comment asks for clarification on the contents of the System Security Plan when documenting the use of an ESP. Two comments ask how to assess an OSA that is using a CSP to store CUI that does not meet the FedRAMP requirements. One comment asks how C3PAOs can check on the assessment status of an ESP. Three comments ask how to avoid redundant assessments of ESPs. One comment asks to clarify how to handle ESPs at Level 3 with respect to requirement AC.L3–3.1.2e that restricts access to systems that are owned, provisioned, or issued by the organization. One comment recommends DoD exempt CSPs that provide service with end-to-end encryption from CMMC requirements, similar to a common carrier. Several comments inquired about guidelines and practices for obtaining Customer Responsibility Matrices (CRM) from CSPs and suggest the rule be modified to also require them from ESPs.
One comment asks about how to obtain a CSP's System Security Plan.

Response: Implications for OSAs and C3PAOs for using non-compliant ESPs are adequately addressed in the rule. The CMMC compliance of an ESP, including a CSP, falls under the OSA's assessment. If an ESP is used to meet any of the CMMC requirements for the OSA, then the ESP is part of the scope of the OSA's assessment, and the compliance of the ESP will be verified. An ESP that is seeking CMMC assessment will need to obtain a CAGE code and an account in SPRS to enable the reporting of its assessment results via CMMC eMASS. A SPRS account is required to complete the CMMC annual affirmation requirement included in DoD contracts that include a CMMC certification requirement. An ESP that processes, stores, or transmits CUI is an extension of the OSA's environment. As part of that environment, the ESP will be assessed against all requirements and accountable for all users who have access to CUI as part of the ESP's service, not just OSA employees. The government cannot comment on specific implementation or documentation choices of an OSA, including the use of an ESP. The C3PAO can only give credit to a FedRAMP Moderate Authorized or equivalent CSP. Any requirements dependent on contributions from a CSP in any other stage of compliance are considered NOT MET. The requirements in the rule for FedRAMP Moderate equivalency have been updated to reflect DoD policy. OSAs can consider CSPs in the FedRAMP process for equivalency if they meet the requirements in DoD policy. An ESP that is a CSP will be listed on the FedRAMP Marketplace. An ESP that is not a CSP and processes, stores, or transmits CUI will be within the OSA's assessment scope. An ESP can also volunteer to have a C3PAO assessment and could make that information available to the OSA.
ESPs that are not CSPs may request voluntary CMMC assessments of their environment and use that as a business discriminator. The marketplace for ESP services will adjust to find the efficient manner for ESPs to support OSA assessments that may include their services. With respect to requirement AC.L3–3.1.2e, when an OSA adds an ESP's services to its network, the ESP is considered to be provisioned by the OSA. It is subject to the requirements for the use of an ESP. A common carrier's information system is not within the contractor's CMMC Assessment Scope if CUI is properly encrypted during transport across the common carrier's information system. In a cloud model, the end-to-end encryption would apply when transmitting between OSA CUI assets and a cloud service. Once within the security boundary of the CSP, the common carrier's system no longer contributes to the handling of the CUI and the CSP's security practices apply. If an OSA chooses to use a CSP to process, store, or transmit CUI, FedRAMP Moderate or equivalency requirements apply. The rule has been updated to include the use of a Customer Responsibility Matrix by all ESPs, not just CSPs. Obtaining a copy of a CSP's SSP is not required for a CSP that is FedRAMP Authorized. Documentation on the services provided by the CSP and a CRM will be required.

e. Capacity for Assessment of ESPs

Comment: Some comments questioned whether the CMMC ecosystem would be adequate to provide the number of CMMC assessments necessary for ESPs. In response, some comments recommend ESPs be given priority for completing assessments. Others recommend different phasing or forms of assessment and certification during ramp up.

Response: DoD declines to make suggested changes to the ramp up and phasing of assessments for ESPs. DoD considered many alternatives before deciding upon the current CMMC assessment structure.
By design, the CMMC program depends on the supply and demand dynamics of the free market, enabling it to naturally scale and adapt to capacity requirements. DoD declines to set priorities for the assessment marketplace. The DoD has utilized a phased implementation approach to reduce implementation risk. DoD expects that the public has utilized the lead-time prior to the publication of this rule to prepare for CMMC implementation and buy-down risk. CMMC Program requirements make no changes to existing policies for information security requirements implemented by the DoD. It is beyond the scope of this rule for DoD to determine the order in which organizations are assessed.

f. Remote Access by ESPs

Comment: Two comments ask for clarification on requirements for remote access by an ESP to an OSA, whether with OSA provided equipment or a VPN.

Response: The assessment of remote access may fall into several categories and is dependent on the specific architecture used and how the OSA creates its assessment environment. When an ESP is providing staff augmentation to the OSA and the OSA is providing all the systems used for remote access, then the OSA's policies and procedures apply and the ESP is not considered to be processing, storing, or transmitting CUI. When the ESP is using a Virtual Desktop solution, then the endpoint client device will be considered out of scope when it is configured to prevent storage, processing, or transmission of CUI on the end client beyond the Keyboard, Video, Mouse input that is part of the Virtual Desktop Infrastructure (VDI) solution. Establishing a VPN connection with MSP equipment brings that equipment into the OSA's assessment scope. The equipment must meet the OSA's requirements for external access and connection to the network.
Depending on the processing performed by the ESP with the VPN connection, other requirements may apply.

18. CMMC Assessment Scope for Security Protection Assets and Data

a. Scope and Authority

Comment: Multiple comments asserted that the use of Security Protection Data and Security Protection Assets increases the scope and cost of CMMC assessments and recommend changes to the costs or removing SPD and SPA from the rule. One comment presented the increased scope as an inconsistency between NARA and NIST SP 800–171A Jun2018. A few comments asked what authority DoD uses to include SPD as part of CMMC assessment.

Response: The commenter misread the rule's application to ESPs and SPA/SPD. Security Protection Assets are specified in NIST SP 800–171 R2 Sec 1.1 which states: ‘‘The requirements apply only to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components.’’ The rule has been updated in table 3 to § 170.19(c)(1) and table 5 to § 170.19(d)(1) to change the definition and requirements of Security Protection Assets. The phrase ‘‘irrespective of whether or not these assets process, store, or transmit CUI’’ has been removed from the SPA description and the CMMC assessment requirements have been changed to read ‘‘Assess against CMMC security requirements that are relevant to the capabilities provided.’’ Similar changes were made to the guidance documents. In order to clarify and address concerns about the perceived ‘‘expansion’’ of requirements, the rule was revised to reflect that ESPs that only store SPD or provide an SPA and do not process, store, or transmit CUI do not require CMMC assessment or certification.

b. Definition and Requirements

Comment: Numerous comments requested that the DoD provide a definition for Security Protection Data (SPD) and configuration data, as well as requirements for SPD to help understand the scope of SPD and how that impacts the scope of Security Protection Assets and the assessment requirements of ESPs. One comment recommended the removal of the definition and use of SPD. Multiple comments requested more information on the definition and scoping of Security Protection Assets, their relationship to CUI, and their requirements. Some comments suggested that the definition narrow the scope of Security Protection Assets and/or their security and assessment requirements. Other comments recommended eliminating the concept of SPA. Additional comments recommended changing the assessment requirements for SPAs to be the same as CRMAs or Specialized Assets, to be the applicable NIST SP 800–171 R2 requirements commensurate with the level of involvement with the security of CUI, or to only assess the requirements provided by the SPA. Two comments recommended that the phrase ‘‘irrespective of whether these assets process, store, or transmit CUI’’ be removed from the definition of SPA. Two comments asked for clarification on the requirements for CSPs that only handle SPD. Two comments recommended different security and assessment requirements for ESPs that host SPD but do not process, store, or transmit CUI.

Response: DoD added a CMMC definition for Security Protection Data to the rule. The DoD considered the NIST definitions for System Information and Security Relevant Information in the development of the CMMC definition for SPD. This rule does not regulate OSA Security Protection Data, but instead implements existing regulatory requirements for the safeguarding of CUI, as defined in 32 CFR 2002.14(h)(2) and implemented by DFARS clause 252.204–7012.
This clause requires protection of security protection assets and security protection data through its specification of NIST SP 800–171. DoD does not agree with the commenter's statement that the definition of Security Protection Assets ‘‘is an exceedingly dangerous adjustment to the NIST SP 800–171 Revision 2 Paragraph 1.1 Scope of Applicability.’’ Security Protection Assets provide security to the entirety of an OSA's assessment scope which includes CUI Assets and other in-scope assets. The SPD definition also defines configuration data as data required to operate a security protection asset. This limits the possible interpretations of configuration data. Further, the rule has been updated to reflect that ESPs that do NOT process, store, or transmit CUI do not require CMMC assessment or certification. All assets within an OSA defined CMMC Level 2 or 3 assessment boundary have access to CUI and can process, store, or transmit CUI. They are therefore subject to DFARS clause 252.204–7012 and required to meet NIST SP 800–171 requirements. This is the authority for including Contractor Risk Managed Assets (CRMAs) within CMMC assessments. For Level 2, DoD has decided to assume some risk and lessen the assurance burden for a class of these assets called Contractor Risk Managed Assets, as specified in table 3 to § 170.19(c)(1). DoD does not assume this risk at Level 3. CRMAs are subject to assessment against all CMMC requirements as specified in table 5 to § 170.19(d)(1).

19. CMMC Assessment Scope and FedRAMP Moderate Equivalency Requirements

Comment: Several commenters identified inconsistencies between rule content and a separate DoD policy memo that defines requirements Cloud Service Providers (CSPs) must meet to be considered FedRAMP moderate ‘‘equivalent’’ in the context of DFARS clause 252.204–7012.
One commenter requested administrative changes to the rule for consistency, while others requested more substantive changes to deconflict the rule with DoD's policies. Differences between the two documents left some commenters unclear about when a CSP would be considered within a CMMC assessment scope or required to meet CMMC requirements. They also noted that some CSPs refuse to provide clients with Customer Responsibility Matrices (CRMs), which could impede an OSA's ability to meet CMMC requirements. One commenter asked for specific instances when a FedRAMP-moderate-authorized CSP would not be accepted as meeting CMMC requirements or which requirements such a CSP could not meet. Another commenter stated the FedRAMP moderate equivalency requirements for CSPs in this rule will create confusion because they address only the NIST SP 800–171 requirements and do not include the additional cyber incident reporting requirements identified in DFARS clause 252.204–7012. One comment suggested that any expectation for CSPs to meet the DFARS clause 252.204–7012 requirements for cyber incident reporting or completion of a System Security Plan should be referenced in this CMMC rule. Another commenter suggested that all DoD contracts with CUI should include clauses and provisions for CSPs to meet Federal requirements, including a self-assessment and certification of their systems. One commenter asked whether it is sufficient for MSP/MSSPs to have FedRAMP certification instead of CMMC certification. Another interpreted the rule's wording related to security protection assets and data as expanding requirements levied on CSPs.
One commenter interpreted CMMC Level 3 assessment requirements as meaning all parts of an OSC's infrastructure are within scope for CMMC assessment if the OSC uses a CSP, and recommended the rule specify that security requirements from the CRM must be documented in the SSP. Another asked whether OSCs must track all FedRAMP controls in their SSP or only those relevant to NIST SP 800–171 R2.

Response: Requirements associated with the use of cloud service providers (CSPs) are covered under section (b)(2)(ii)(D) of DFARS clause 252.204–7012. When a CSP is used, it must meet the requirements of the FedRAMP moderate baseline or the equivalent. The rule was updated for consistency with those requirements, and now requires FedRAMP moderate or FedRAMP moderate equivalency as defined in DoD Policy. §§ 170.16(c)(2), 170.17(c)(5), 170.18(c)(5) address CMMC requirements for CSPs. The CMMC rule does not add new requirements on the use of CSPs, which are found in DFARS clause 252.204–7012. A CSP must be assessed against the FedRAMP moderate baseline when the CSP processes, stores, or transmits CUI. The CMMC rule does not oppose or contradict the requirements of DFARS clause 252.204–7012, nor does this rule relieve a CSP from any requirement defined in DFARS clause 252.204–7012. § 170.17(c)(5)(iii) and the corresponding requirement in § 170.18(c)(5)(iii) only apply to CSPs used to process, store, or transmit CUI in the execution of the contract or subcontract requiring CMMC assessment. It does not expand to any cloud provider outside the scope of the assessment. Interactions between DoD contractors and their service providers are beyond the scope of the rule. CMMC Level 2 self-assessment and affirmation requirements described in § 170.16 make clear that an OSA using a FedRAMP Authorized CSP (at the FedRAMP Moderate or higher baseline) is not responsible for the CSP's compliance.
The OSA needs to document in its SSP how the OSA meets its requirements assigned in the CSP's CRM. When using a CSP that is not FedRAMP Authorized, the OSA is responsible for determining if the CSP meets the requirements for FedRAMP Moderate equivalency as specified in DoD policy. In this case, the OSA also needs to document in its SSP how the OSA meets the requirements assigned to it in the CSP's CRM. The rule has been updated to include verbiage from the DFARS clause 252.204–7012 ‘‘in the performance of a contract’’ for consistency. Use of the term CUI in this rule is deliberate because DoD intends to assess compliance with NIST SP 800–171 R2 for all CUI. The DoD declines to replace the word CUI with the word CDI, as the term CUI more clearly conveys that NIST SP 800–171 is the requirement for all CUI information, as described in 32 CFR 2002.14. DoD received numerous comments about the use of ESPs which do not process, store, or transmit CUI. In response to comments, the DoD has reduced the assessment burden on ESPs. ESP assessment, certification, and authorization requirements in §§ 170.19(c)(2) and (d)(2) have been updated.

20. CMMC Assessment Scope for Devices and Asset Categorization

a. Asset Categorization

Comment: There were many comments regarding the scoping and treatment of assets when using table 3 to § 170.19(c)(1) and table 5 to § 170.19(d)(1). Several comments asked about when asset categorization occurs, who approves it and how to document it. Two comments questioned the applicability of using NIST SP 800–171 R2 for Specialized Assets. Two comments suggested modifying the definition of Out-of-Scope assets by removing the last bullet or discussing the use of encryption. One commenter suggested adding more detailed definitions of the asset categories to the rule. One comment recommended removing asset categories from the rule.
Many comments requested scoping and categorization of specific scenarios, such as ERP systems, MRP systems, quantum computing systems, data diodes, asset isolation, and encrypted CUI. Numerous additional comments requested clarification on scoping and categorization of various security product classes.

Response: The OSA performs asset categorization and documents it in their SSP. The OSA may choose the format and content of its SSP. Table 3 to § 170.19(c)(1) requires that all asset categories, including Specialized Assets, be included in the asset inventory. There is no requirement to embed every asset in the SSP. In the SSP for Level 2, the OSA must show how Specialized Assets are managed using the contractor's risk-based security policies, procedures, and practices. Prior to the conduct of an assessment, the OSC engages with the C3PAO assessor. It is during this time that the classification of assets should be agreed upon, and the results of these discussions are documented in pre-planning materials. This is an example of the pre-assessment and planning material submitted by the C3PAO as required in § 170.9(b)(8) and the CMMC Assessment Scope submitted to eMASS as required in § 170.17(a)(i)(D). It is beyond the scope of this rule to address DoD review of specific Specialized Assets for individual contractors. DoD does not agree with a commenter's statement that Specialized Assets are not actually assessed against CMMC security requirements. As documented in § 170.19, Specialized Assets are identified by the OSC. Assessment requirements of Specialized Assets differ between CMMC Level 2 and CMMC Level 3. If Specialized Assets are part of a CMMC Level 2 assessment, the OSA must document them in the asset inventory, document them in the SSP, and show how these assets are managed using the contractor's risk-based security policies, procedures, and practices.
If Specialized Assets are part of a CMMC Level 3 assessment, they must be assessed against all CMMC Level 2 security requirements and CMMC Level 3 security requirements, identified in § 170.14(c)(4). DoD agrees with one comment that even if NIST SP 800–171 R2 cannot be implemented, that does not mean the Specialized Assets cannot be secured. CMMC requirements are defined to align directly to NIST SP 800–171 R2 and NIST SP 800–172 Feb2021 requirements. For additional ease of burden, at Level 1, IoT and OT are not in scope; at Level 2 there are reduced requirements; but they become in-scope at Level 3, unless they are physically or logically isolated. DoD has reviewed the text and declines to change the definition of Out-of-scope assets because CUI should not be transmitted via clear-text per NIST SP 800–171 R2. The DoD has reviewed the suggested changes to asset categories and scoping tables and declines to make an update. The asset categories in the rule help the OSA understand the requirements of various asset types that might be found within the assessment boundary. OSAs determine the asset categories and assessment scope based on how and where they will process, store, and transmit FCI and CUI. DoD cannot comment on the suitability of any specific approach or technology to successfully implement CMMC security requirements.

b. Virtual Desktop Infrastructure

Comment: Several comments requested clarification on the use of Virtual Desktop Infrastructures and how to scope its components.

Response: The rule has been updated in table 3 to § 170.19(c)(1) and table 5 to § 170.19(d)(1) to state that an endpoint hosting a VDI client configured to not allow any processing, storage, or transmission of FCI and CUI beyond the Keyboard/Video/Mouse sent to the VDI client is considered out of scope.

c. Contractor Risk Managed Assets

Comment: There were numerous comments regarding Contractor Risk Managed Assets. Several comments perceived conflicts in the changes between the current rule and previous intermediate documents regarding CRMA requirements. Multiple comments recommended additional details explaining risk-based management of assets. Two comments requested additional details on the limited checks that are permitted during assessment of CRMAs. Multiple comments requested clarification on CRMA requirements at Level 3 for the OSA and ESP. One comment requested clarification about the documentation requirements for CRMAs. One comment asserted that the rule co-mingled CRMAs with assets of an ESP. One comment questioned why CRMAs were being included as in-scope assets subject to CMMC security requirements. One comment asked for clarification between the security requirements and assessment requirements for CRMAs.

Response: There was confusion and concern over conflicts from commenters regarding responses to comments on a previous version of the rule, other documentation, and the current rule. The DoD did not find any conflicting language around CRMAs. There is no conflict between CRMAs and the requirements for logical or physical boundaries. CRMAs are only applicable within the CMMC Assessment Scope. DoD does not agree with the statement that the wording change around Contractor Risk Managed Asset (CRMA) effectively makes the asset category moot. The CRMA category was created to ease the assessment burden, based on the Department's risk tolerance. It is not intended to reduce the level of protection and the CMMC security requirements which apply to the assets. Despite the wording changes identified by the commenter, the CMMC security requirements and the assessor's ability to conduct a limited check to identify deficiencies as addressed in table 3 to § 170.19(c)(1) are unchanged.
Contractor Risk Managed Assets (CRMA) should be prepared to be assessed against CMMC security requirements at Level 2, and included in the SSP, asset inventory, and network diagrams. Table 3 to § 170.19(c)(1) clearly addresses the assessment requirements for Contractor Risk Managed Assets. All CMMC security requirements must be MET when the OSA chooses to designate certain assets as Contractor Risk Managed Assets. Eight guidance documents for the CMMC Program are listed in Appendix A to Part 170—Guidance. These documents provide additional guidance for the CMMC model, assessments, scoping, and hashing. Use of the guidance documents is optional. The OSA is responsible for determining its CMMC Assessment Scope and its relationship to security domains. Assets are out-of-scope when they are physically or logically separated from the assessment scope. Contractor Risk Managed Assets are only applicable within the OSA's assessment scope. Table 3 to § 170.19(c)(1) is used to identify the asset categories within the assessment scope and the associated requirements for each asset category. Contractor's risk-based security policies, procedures, and practices are not used to define the scope of the assessment; they are descriptive of the types of documents an assessor will use to meet the CMMC assessment requirements. It is beyond the scope of the CMMC rule to provide a detailed explanation of the usage of ‘‘risk-based’’ terminology when implementing or assessing CMMC requirements. DoD declines to speculate and clarify the relationship between any NIST SP 800–171 R2 definitions and any pending NIST SP 800–171 Revision 3 definitions. The DoD has defined the effort allowed during a limited check in table 1 to 170.19(c)(1). A limited check may require submission of evidence. The DoD cannot anticipate how an OSC will scope its CMMC Level 3 assessment with respect to its CMMC Level 2 environment.
As specified in table 5 to § 170.19(d)(1), Level 2 Contractor Risk Managed Assets are categorized as CUI Assets at Level 3. The rule has been updated to clarify that ESPs do not require a Level 3 certification unless they process, store, or transmit CUI in the performance of a contract with a CMMC Level 3 requirement. As stated in table 1 to § 170.19(c)(1), CRMA assets must be prepared to be assessed against CMMC requirements. The SSP must provide sufficient documentation describing how security requirements are met to allow the assessor to follow the instruction in table 1 to not assess against other requirements. The assessor will then decide if a limited spot check is warranted. The results of the limited spot check can result in a requirement being scored as NOT MET. The rule does not create two classes of Contractor Risk Managed Assets as one commenter asserts. Contractor Risk Managed Assets are only those assets that are owned by the OSC and within the assessment scope. ESP assets are subject to the ESP requirements of the rule. All assets within the OSA defined assessment boundary have access to CUI and can process, store, or transmit CUI, and are therefore subject to DFARS clause 252.204–7012 and required to meet NIST SP 800–171 requirements. This is the authority for including CRMAs within CMMC assessments. For Level 2, DoD has decided to assume some risk and lessen the assurance burden for a class of these assets called Contractor Risk Managed Assets, as specified in table 3 to § 170.19(c)(1). DoD does not assume this risk at Level 3. Contractor Risk Managed Assets are subject to assessment against all CMMC requirements as specified in table 5 to § 170.19(d)(1). At CMMC Level 2, Contractor Risk Managed Assets and Specialized Assets are assessed differently. Both types of assets must be documented in the SSPs; Specialized Assets will not, however, be assessed by the C3PAO, while limited checks may be performed on Contractor Risk Managed Assets.
OSCs should be prepared for assessment of Contractor Risk Managed Assets because a deeper assessment will be done if the assessor’s evaluation of the OSC’s policies and procedures raises questions. However, at Level 3, Contractor Risk Managed Assets and Specialized Assets are assessed, like CUI assets, against all CMMC security requirements, so no additional explanation is required.

d. Specialized Assets

Comment: There were numerous comments regarding Specialized Assets. Several comments discuss the use of enduring exceptions for Specialized Assets and the use of the term in NIST SP 800–171 R2. Two comments confuse the current rule with responses to a previous version of the rule. A comment requests clarification why specialized assets are not CUI assets. Another comment asks about the difference in assessment requirements between CRMAs and Specialized assets. One comment requested processes and best practices for evaluation of specialized assets. Two comments recommend that the Specialized asset requirements for Level 3 remain the same as Level 2 due to the difficulty of meeting the Level 3 requirements in a manufacturing environment. Two comments request additional clarification on the Level 2 assessment of Specialized assets when the assessment is a precursor to a Level 3 assessment.

Response: Definitions for enduring exceptions and temporary deficiencies have been added to the rule. Specialized Assets are a type of enduring exception and cover a broad range of circumstances and system types that may not be able to be fully secured as described in NIST SP 800–171 R2. It does not give an OSA the flexibility to broadly categorize assets as Specialized Assets.
The OSA would be expected to address asset categorization with a C3PAO during the initial scoping discussion to avoid disagreements during the assessment process. In one example provided, a single asset which is unable to meet a single security requirement would be a temporary deficiency and be addressed using an operational plan of action, describing the cause with appropriate mitigation and remediation identified. The sentence ‘‘NIST SP 800–171 Rev 2 uses the term ‘‘enduring exceptions’’ to describe how to handle exceptions for Specialized Assets’’ appears in answers to public comments on a previous version of the rule, which responded to the initial CMMC Program requirements, therefore the inclusion of the sentence is not relevant to the rule. One commenter has misinterpreted the answer to a public comment on a previous version of the rule, which responded to the initial CMMC Program requirements. Specialized Assets are not evaluated at Level 1. Specialized Assets at Level 2 need to be documented in the SSP and included in the asset inventory and network diagrams. They also are to be managed using the contractor’s risk-based security policies, procedures, and practices. At Level 2, Specialized Assets do not need to be assessed against other CMMC security requirements. At Level 3, Specialized Assets should be prepared to be assessed against CMMC security requirements. CMMC also provides for the use of intermediary devices to safeguard OT and IOT devices that otherwise would be difficult or expensive to protect. The phrase ‘‘or information systems not logically or physically isolated from all such systems’’ only appears in answers to public comments on the original 48 CFR CMMC interim final rule publication, therefore the inclusion of the phrase is not relevant to the rule. Specialized Assets span a broad spectrum of components and have different limitations on the application of security controls.
Processes and practices to implement and assess security requirements on these devices are outside the scope of the CMMC rule. The Level 3 assessment is designed to provide additional safeguards to protect the most sensitive CUI against advanced persistent threats (APTs). DoD estimates that only one percent of defense contractors will require a CMMC Level 3 assessment. DoD has judged that the risks associated with the exposure of this CUI are sufficient to justify the increased cost of a Level 3 assessment on the small percentage of the DIB that is processing, storing, or transmitting this type of data. This difference between how a Specialized Asset is assessed at Level 2 and Level 3 is risk-based and affords a reduction in cost for a Level 2 certification. The CMMC Assessment Scope for a CMMC Level 2 certification assessment is discussed between the OSC and the C3PAO. If the OSC has a goal to undergo a CMMC Level 3 certification assessment for the same assessment scope, it may be good business practice for the OSC to disclose this information to the C3PAO and be assessed based on the Level 3 scoping; however, this is not required.

e. Intermediary Devices

Comment: One comment asks for additional information on intermediary devices as referenced in table 5 to § 170.19(d)(1). Another comment asks for direction in situations where the comment asserts intermediary devices are not practical.

Response: An intermediary device is used in conjunction with a specialized asset to provide the capability to meet one or more of the CMMC security requirements. For example, such a device could be a boundary device or a proxy, depending on which requirements are being met. The rule is agnostic as to how many requirements are met and what technology is used to meet them.
Implementation guidance for OT/IOT/IIOT is outside the scope of the CMMC rule.

21. CMMC Assessment Scope for Enterprise Versus Segmented Environments

Comment: Two commenters sought guidance for segmented networks that inherit some controls from an enterprise network that has a valid CMMC certification, and asked whether certification assessments may be shared between the networks.

Response: § 170.19 states that prior to a CMMC assessment, the OSA must define the CMMC Assessment Scope for the assessment, representing the boundary with which the CMMC assessment will be associated. Any CMMC certification granted applies only to the assessed CMMC Assessment Scope. An enclave may be able to leverage some elements of the enterprise assessment by inheriting some requirements from the enterprise network, but it cannot inherit the enterprise certification. Enclaves beyond the certified CMMC Assessment Scope must be assessed separately based on their own CMMC Assessment Scope. There is no established metric for inherited implementations from an enterprise to any defined enclaves. The OSA determines the architecture that best meets its business needs and complies with CMMC requirements. Within the enclave, the OSA determines which requirements are implemented and which requirements are inherited; all requirements must be MET. If a process, policy, tool, or technology within the enclave would invalidate an implementation at the Enterprise level, that requirement cannot be inherited and the OSA must demonstrate that it is MET by implementation in some other way. Additional guidance related to assessments and enclaves has been added to the CMMC Scoping Guide Level 2 and Level 3.

22. Revocations and Appeals Process

Comment: One comment asked for more clarification regarding the granting and revoking of interim validity status for a CMMC assessment. Several comments requested an appeal and remediation process if a CMMC assessment status is revoked by the DoD. One comment requested that the revocation process not be arbitrary or capricious and provide for due process. And one comment recommended removing the word ‘‘maintained’’ from the criteria for revocation of the validity status because maintenance is part of ongoing operations as specified in the security requirement for Risk Assessments and Continuous Monitoring (CA.L2–3.12.2). One commenter asked whether SPRS reporting is the only mechanism in place to ensure that OSAs maintain the SSP and conduct self-assessments correctly. Three comments recommended that the DoD or CMMC PMO have a role in the assessment appeals process. Of these, one cited the DFARS clause 252.204–7012 clause as precedent for DoD CIO to render final decisions. Some commenters suggested the CMMC AB relationship to C3PAOs would bias any decisions they may make, and that final appeal authority is an inherently governmental risk acceptance decision. One comment suggested that the DIBCAC or other DoD entity render final appeals decisions or take responsibility for certifying OSCs. They also asked for the C3PAOs to be released from liability for reasonable assessment judgments. Two comments asked whether the only means to appeal a CMMC AB final decision is through litigation. Another comment asked who could escalate an appeal to the CMMC AB. One comment requested the rule include more requirements for the C3PAO appeals process, including that the process be time bound and address disputes related to perceived assessor errors, malfeasance, and unethical conduct, while another comment requested a simpler appeals process. One comment requested clarification as to how the OSC interfaces with the C3PAO for appeals purposes.
One comment asked if there was a process to challenge C3PAOs’ findings of non-compliance if additional requirements are applied from an assessment guide that are not included in the source standard. One comment asked how to dispute the specific CMMC level included in a solicitation.

Response: Requirements for CMMC Conditional certification assessments for each level are defined in §§ 170.16 through 170.18. Section 170.6(e) describes indications that may trigger investigative evaluations of an OSA’s CMMC Status. The DoD has revised the rule throughout to delete the term ‘‘revocation’’ and to clarify that the DoD reserves its right to conduct a DCMA DIBCAC assessment of the OSA, as permitted under DFARS clause 252.204–7012 and DFARS clause 252.204–7020. If the results of a subsequent DIBCAC assessment show that adherence to provisions of this rule has not been achieved or maintained, the DIBCAC results take precedence over any pre-existing CMMC self-assessment(s) or Final certification assessment(s) and will result in SPRS reflecting that the OSA is not in compliance (i.e., lacks a current Certificate of CMMC Status). There are no additional requirements or checks on self-assessments to ensure that OSAs maintain the SSP and conduct self-assessments correctly, beyond those identified in the rule. One commenter misunderstood the meaning of ‘‘maintained’’ with respect to the Level 1, 2, and 3 provisions. An operational plan of action can be created without risk to the certification validity period. If a security event generates risk for the protection of FCI or CUI, the associated security requirements should be readdressed expeditiously. If one or more of the requirements can’t be remediated, the OSA should create an operational plan of action and resolve it in a time frame that continues to provide protection to FCI or CUI. The Accreditation Body must have its own appeals process, as required under ISO/IEC 17011:2017(E).
Each C3PAO is required to have an appeals process which involves elevation to the CMMC Accreditation Body for resolution. The appeals process is derived from and consistent with ISO/IEC 17020:2012(E) and ISO/IEC 17011:2017(E). The appeals process is addressed in §§ 170.7(b), 170.8(b)(16), and 170.9(b)(13), (19), and (20). An OSC, the CMMC AB, or a C3PAO may appeal the outcome of its DCMA DIBCAC conducted assessment within 21 days of the assessment by submitting a written basis for appeal that includes the requirements in question for DCMA DIBCAC consideration. An OSC, the CMMC AB, or a C3PAO should visit www.dcma.mil/DIBCAC to obtain the latest contact information for submitting appeals. A DCMA DIBCAC Quality Assurance Review Team will respond to acknowledge receipt of the appeal and may request additional supporting documentation. By defining the requirements in this rule to become a C3PAO, and defining a scoring methodology, the DoD is providing the authority and guidance necessary for C3PAOs to conduct assessments. The CMMC Accreditation Body will administer the CMMC Ecosystem. The DoD will not assume the workload of directly managing the CMMC ecosystem or the other alternatives suggested. DoD declines to give the PMO responsibility to render the final decision on all CMMC Level 2 assessment appeals as this role is properly aligned to the CMMC Accreditation Body. The CMMC AB is under contract with the Department of Defense to execute defined roles and responsibilities for the DoD CMMC Program as outlined in § 170.8. The specified CMMC AB requirements were selected and approved by the DoD. They include Conflict of Interest, Code of Professional Conduct, and Ethics policies as set forth in the DoD contract. For ISO/IEC 17020:2012(E) and ISO/IEC 17011:2017(E) compliance, an appeals process is required. CMMC-specific requirements for appeals are addressed in §§ 170.8(b)(16) and 170.9(b)(13), (19), and (20).
The DoD expects the process to be managed efficiently; however, setting a specific timeline is not appropriate as the time may vary based on the complexity of the issue. Responsibility for final appeals determination rests with the CMMC AB. The DoD declines to mandate that the CMMC AB consult with the CMMC PMO or DIBCAC prior to rendering a decision. The CMMC PMO will serve in the oversight role for the entire CMMC program. OSCs may submit any appeal arising from CMMC Level 2 assessment activities to C3PAOs as addressed in § 170.9(b)(19). OSCs may request a copy of the process from their C3PAO. The rule has been revised to reflect that any dispute over assessment findings which cannot be resolved by the C3PAO may be escalated to the CMMC AB by either the C3PAO or the OSC. The decision rendered by the CMMC AB will be final as stated in § 170.8(b)(16). Appeals pertaining to an assessor’s professional conduct that are not resolved with the C3PAO will also be escalated and resolved by the CMMC AB. As addressed in § 170.9(b)(13), the C3PAO will have a quality assurance individual responsible for managing the appeals process in accordance with ISO/IEC 17020:2012(E) and ISO/IEC 17011:2017(E). Identification of the C3PAO staff that an OSC should interface with is beyond the scope of this rule. It is a business decision that may vary by C3PAO and should be addressed between the OSC and C3PAO prior to conduct of an assessment. The supplemental documents listed in Appendix A provide additional guidance to aid in CMMC implementation and are not authoritative. In the event of conflicts with the security requirements incorporated by reference, this rule and NIST SP 800–171A Jun2018 or NIST SP 800–172A Mar2022 guidance will always take precedence.
Disputes regarding the CMMC level specified in a contract solicitation should be addressed with the contracting officer using normal pre-award or post-award communications processes. No revision to the rule is required. Selection of the CMMC level is a DoD risk-based decision made by the Program Manager or Requiring Activity.

23. CMMC Cybersecurity Requirements

a. NIST SP 800–171 R2 Requirements

Comment: Several comments were received regarding FIPS-validated cryptography. Some recommended mitigating delays with FIPS validation testing and reducing the risk of CMMC assessment failures by allowing FIPS POA&Ms or POA&M extensions, waivers, or making encryption an organizationally defined parameter (ODP). Similarly, some recommended the DoD accept alternate FIPS solutions such as commercially viable modules with FIPS-approved protocols or FIPS-compliant—as opposed to FIPS-validated—protocols. One comment recommended that DoD collaborate with NIST to either improve the processing of FIPS validation testing and/or to define the encryption ODP for NIST SP 800–171 Revision 3. One comment recommended DoD work with NIST to align NIST ODPs in NIST SP 800–171 Revision 3 to DoD ODPs defined in the CMMC Rule for CMMC Level 3 to ensure consistency. Another commenter asked if FIPS 140–3 was an acceptable FIPS implementation. Multiple comments addressed NIST requirements. One comment stated the NIST cybersecurity standards and guidelines are not legal requirements. The commenter recommended edits to the CMMC rule to require contractors implement requirements ‘‘derived’’ from NIST SP 800–171 R2 with measurable specifications to protect CUI. Two commenters felt the body of the proposed rule should have included a list of the NIST requirements to be assessed at each CMMC level. One comment suggested clarifying when a Systems Security Plan is required for each level.
And, one asked if the CMMC Assessment Scope and attestation requirements included Non-Federal Organization (NFO) controls or the flow-down and reporting requirements from DFARS clause 252.204–7012. Some comments were speculative in nature and outside the scope of the rule. One commenter was concerned that a CMMC assessment would not address the risk of insider threats and national security problems driven by political divisions within Congress.

Response: DoD is aware of industry concerns regarding FIPS validation required in NIST SP 800–171 R2 requirement 3.13.11. Because this is a NIST requirement, changing it is beyond the scope of the CMMC rule. As stated in § 170.5(3), the CMMC Program does not alter any separately applicable requirements to protect FCI or CUI, including the requirement to use FIPS-validated cryptography which comes from NIST SP 800–171 as required by DFARS clause 252.204–7012. Limitations of the FIPS-validated module process do not impact the implementation status of FIPS cryptography. However, the rule has been updated to allow for Enduring Exceptions and temporary deficiencies, which may apply to the implementation of FIPS. DoD declined to update the rule to include ‘‘FIPS-compliant’’ encryption as opposed to ‘‘FIPS-validated’’ encryption. NIST SP 800–171 R2 requires the use of validated modules in specific conditions. Comments on the specific security requirements contained in NIST documentation are beyond the scope of this rule and should be directed to NIST. Collaboration between DoD and NIST about the NIST cryptographic module validation program, or to define cryptography related ODPs in NIST SP 800–171 Revision 3, is also beyond the scope of the rule. Recommendations for desired changes in NIST documentation should be directed to NIST.
The NIST Cryptographic Module Validation Program website provides a list of approved solutions and their timelines: https://csrc.nist.gov/projects/cryptographic-module-validation-program. NIST SP 800–171 information security requirements were codified in 32 CFR part 2002 in response to guidance (in E.O. 13556) to standardize Federal agency policies for safeguarding CUI. The DoD has elected to use FAR clause 52.204–21, NIST SP 800–171 R2, and a subset of NIST SP 800–172 Feb2021 as the basis for the security requirements in this rule. As stated in § 170.14(c), CMMC Level 1 requirements are found in FAR clause 52.204–21, CMMC Level 2 requirements are found in NIST SP 800–171 R2, and CMMC Level 3 requirements are a selected subset of NIST SP 800–172 Feb2021 requirements as specified in the 32 CFR part 170 CMMC Program rule in table 1 of § 170.14. NIST SP 800–171A Jun2018 provides authoritative procedures for assessing NIST SP 800–171 R2 security requirements and the CMMC Level 2 Assessment Guide provides additional guidance for assessing CMMC Level 2 security requirements. Both documents are referenced in the 32 CFR part 170 CMMC Program rule, at §§ 170.16(c) and 170.17(c). It is recommended that an OSA develop a SSP as a best practice at Level 1; however, it is not required for a CMMC Level 1 self-assessment. A CMMC assessment does not include Non-Federal Organization (NFO) controls from table E in NIST SP 800–171 R2 nor the DFARS clause 252.204–7021 flow-down and reporting requirements. DoD concurs that CMMC provides no mechanism for addressing insider threats posed by political divisions in Congress. However, insider threat in general is addressed in the following CMMC security requirements: AT.L2–3.2.3—Insider Threat Awareness; AC.L2–3.1.7—Privileged Functions; PS.L3–3.9.2e—Adverse Information.

b. Transition to Future NIST Requirements

Comment: Many commenters raised concerns about the CMMC Proposed Rule’s citation of a specific version of a relevant baseline document, i.e., NIST SP 800–171 R2. The expressed concerns focused mainly on a perceived potential for a timing conflict between the NIST revision requirements based on DFARS clause 252.204–7012 (revision in effect at time of solicitation) and this CMMC Program rule which specifies NIST SP 800–171 R2. Commenters provided a variety of differing suggestions to address these concerns. Some commenters recommended that no revision number be included, while others recommended citing Revision 3 rather than Revision 2. Others recommended delaying the CMMC Program. Some recommended changing DFARS clause 252.204–7012 or issuing a class deviation to address differences between the NIST revisions cited. Those that recommended citing to Revision 3 noted that to do otherwise could delay compliance with Revision 3 beyond NIST’s anticipated finalization of that publication. Commenters noted that the criteria defined in guidance explaining how to assess against NIST requirements (i.e., NIST SP 800–171A Jun2018) do not identify a revision number for the NIST SP 800–171 requirements to which they apply. In addition to the comments about NIST SP 800–171 R2 and NIST SP 800–171 Revision 3, some commenters questioned how DoD would implement or how long the DoD would allow for transitioning to each future version of NIST standards once approved. One commenter recommended defining a waiver process to manage the transition for each new NIST revision. Another commenter asked whether contract work stoppages are expected during such transitions and if industry would be afforded time to understand the impacts of new requirements to existing systems.
One commenter suggested that CMMC affirmations should indicate continued compliance to the NIST SP 800–171 version that applied to the corresponding self-assessment or certification assessment. Two commenters recommended that the incorporation by reference version of NIST SP 800–53 cited in this rule be changed from Revision 5 to Revision 4, to better align with the incorporation of NIST SP 800–171 R2. Another commenter noted that both NIST SP 800–171 R2 and NIST SP 800–172 Feb2021 include Organizationally Defined Parameters (ODP), the latter of which are defined in this rule. The commenter advised against defining ODP for either reference, and recommended deletion of specific rule text that does so.

Response: DoD is aware of the differences between the language of DFARS clause 252.204–7012 and the proposed rule. 1 CFR part 51, which governs drafting of this rule, requires the specification of a revision to a standard. Specifying a revision benefits the CMMC Ecosystem by ensuring it moves forward from one NIST standard to the next in an organized manner. The DoD cites NIST SP 800–171 R2 in this final rule for a variety of reasons, including the time needed for industry preparation to implement the requirements and the time needed to prepare the CMMC Ecosystem to perform assessments against subsequent revisions. DoD is unable to incorporate suggestions that CMMC assessments be aligned to whichever NIST revision is current at the time of solicitation and declines to respond to speculation about the release timing of other publications. In May 2024, NIST published SP 800–171 Revision 3, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, after these comments were received. DoD will issue future amendments to this rule to incorporate the current version at that time. Comments on the content of the NIST SP 800–171 Revision 3 publication or future NIST SP 800–171 revisions should be directed to NIST.
The final rule has been updated to specify the use of NIST SP 800–171A Jun2018, Assessing Security Requirements for Controlled Unclassified Information, and NIST SP 800–172A Mar2022, Assessing Enhanced Security Requirements for Controlled Unclassified Information. The DoD has included the numbering scheme in the rule because the numbering scheme is a key element of the model. The CMMC numbering scheme for security requirements must pull together the independent numbering schemes of FAR clause 52.204–21 (for Level 1), NIST SP 800–171 R2 (for Level 2), and NIST SP 800–172 Feb2021 (for Level 3); it must also identify the domain and CMMC level of the security requirement. DoD developed the least complicated scheme that met all these criteria. The CMMC Program Office is unable to respond to comments proposing changes to the DFARS, which is subject to separate rulemaking procedures. One commenter described a hypothetical scenario wherein a solicitation is issued such that DFARS clause 252.204–7012 would require compliance with NIST SP 800–171 Revision 3, but the CMMC requirement identified is for assessment against NIST SP 800–171 R2. In this hypothetical scenario, it is possible that the bidder may meet the CMMC requirement by citing a valid CMMC assessment against NIST SP 800–171 R2, while also availing themselves of the flexibilities provided in DFARS clause 252.204–7012(b)(2)(ii)(B) to submit a written request to the Contracting Officer to vary from the current version of NIST SP 800–171. Recommendations for modification to or deviation from DFARS clause 252.204–7012 are beyond the scope of this rule. The DoD has evaluated the potential interaction between the CMMC program requirements and the existing requirements in DFARS clause 252.204–7012 and believes that potential conflicts have been resolved.
NIST SP 800–53 R5 is incorporated by reference only for applicable definitions because DoD chose to use the latest definitions available. While it is also true that NIST SP 800–171 R2 was based on NIST SP 800–53 Revision 4, the origination of NIST SP 800–171 R2 is beyond the scope of this rule. Contractors and subcontractors will not be expected to stop work while they implement changing standards. Implementation of this rule will be introduced as a pre-award requirement in new DoD solicitations, as described in the timeline at § 170.3(e). Any substantive change to CMMC security requirements must go through rulemaking, and its associated timeline, which may include public comment. The new rule may include a transition period for implementation of the new security requirements. The commenter correctly identifies that the programmatic intent of this rule is for affirmations to signify that the systems in question remain compliant as indicated by the assessment that was conducted. Assessments are conducted against the specified NIST publication versions or the requirements in FAR clause 52.204–21. The 48 CFR part 204 CMMC Acquisition rule also reinforces this thought by providing specific wording of the affirmation.

c. NIST SP 800–172 Feb2021 Requirements

Comment: Multiple comments recommended adding all the omitted requirements from NIST SP 800–172 Feb2021 or a subset including Network Intrusion Detection System, Deception and Unpredictability, arguing that they are necessary for protecting CUI and to defend against advanced persistent threats. Two comments inferred that the requirement to restrict access to systems owned, provisioned or issued by the OSC means that the OSC must provide all equipment used to access the system, which they asserted is impossible because outside entities using GFE, to include DoD, may need access.
One commenter also asked if DIB Furnished Equipment would be required, and one commenter argued for an exception for GFE, even though it is not owned, provisioned, or issued by the OSC. Three comments stated that Organizationally Defined Parameters (ODP) values need to be set by OSAs, not DoD. One commenter argued this will be necessary because of the emerging ODPs at Level 2 associated with NIST SP 800–171 Revision 3. One commenter argued this is critical for uniformity across the Federal enterprise as many contractors support multiple Federal agencies. The commenter further offered that allowing ODP values to be set by OSAs could be limited to contractor systems not operated on behalf of the DoD. One commenter suggested that ODP values set by OSAs may require approval by the contracting officer. One comment stated that the ODPs are too detailed for the 32 CFR part 170 CMMC Program rule, and table 1 to § 170.14 should be moved to the Level 3 Assessment Guide. One comment argued that removal or quarantine of components to facilitate patching or re-configuration, as specified in table 1 to § 170.14(c)(4) CM.L3–3.4.2e, is a disruptive and possibly a destructive operational constraint affecting business operations. They asserted that patching and reconfiguration are standard day-to-day IT administrative activity, and components do not need to be removed or quarantined. One comment asserted that CMMC should be based on NIST SP 800–53 R5 requirements (linked to the associated NIST SP 800–172 Feb2021 requirements) due to additional labor required to create NIST SP 800–53 R5 solutions and benefits to be gained from NIST SP 800–53 R5 overlays.
Two comments argued that IA.L3–3.5.3e regarding ‘‘the prohibition of system components from connecting to organizational systems unless certain conditions are met’’ is essentially the same requirement as CM.L2–3.4.7 ‘‘restricting, disabling, or preventing the use of nonessential programs, functions, ports, protocols, and services’’.

Response: DoD considered many alternatives before deciding which NIST SP 800–172 Feb2021 requirements to include as part of CMMC Level 3. NIST SP 800–172 Feb2021 notes that ‘‘There is no expectation that all of the enhanced security requirements will be selected by Federal agencies implementing this guidance.’’ For a variety of reasons, including DoD’s estimation of cybersecurity maturity and complexity across the DIB, and potential cost of certain Level 3 requirements compared with the benefit, the DoD has included a limited set of NIST SP 800–172 Feb2021 requirements. On a contract-by-contract basis, additional requirements may be added. OSAs are at liberty to implement additional requirements. The intent of AC.L3–3.1.2e, which requires restricted access to systems and system components, is not that DIB companies issue laptops to external users wishing to access Level 3 enclaves. While laptop issuance is one solution, other options are available. The important concept in this requirement is ‘‘comply to connect’’, and it applies to all users, both within the OSA and externally, equally. In complying with this requirement, GFE may be considered provisioned by the OSC and therefore is not restricted under that requirement. DoD defines the ODPs for NIST SP 800–172 Feb2021 included in CMMC Level 3. This eliminates the risk of different parameters being set for different DoD programs. Rulemaking requirements dictate that table 1 to § 170.14(c)(4) be codified in the rule. The Assessment Guide is an optional document. DoD declines to accept the risk of removing security requirement CM.L3–3.4.2e.
The Assessment Guide has been updated to include additional discussion on this security requirement. Feedback on individual security requirements should be directed to NIST. Any relationship to the NIST SP 800–53 R5 controls is for information only. The requirements that must be implemented for CMMC Level 3 are defined in the rule in table 1 to § 170.14(c)(4). IA:L3–3.5.3e and CM:L2–3.4.7 are different requirements: the L2 requirement is about functionality, and the L3 requirement is about trust.

24. CMMC Annual Affirmation Requirements

Comment: One commenter recommended the affirmation statement include a statement confirming the scope has not changed and requested the rule be modified to identify types of changes that would constitute a change of system scope. Another commenter recommended removing any requirement for affirmation after assessment certificate issuance or else revising the rule to identify any benefits the affirmation provides that conducting an independent assessment does not already provide. Another commenter recommended the DoD clarify that out-of-cycle affirmations are not needed. Three comments said the affirmation language needs revision because maintaining perfect scores is not possible and asking individuals to affirm continuous compliance is unreasonable. One commenter voiced apprehension that signing the affirmation statement would make a person criminally liable under the False Claims Act, due to the need for system maintenance to fix things that break. One commenter expressed concern that continuous monitoring by contractors increases cost and burden to stay in compliance and opens companies up to False Claims Act liabilities. One of these commenters recommended DoD rely on representation and self-assessment in lieu of affirmations to indicate that the offeror meets the requirements of the CMMC level required by the solicitation.
Two commenters requested clarification on what affirmation entails. Another commenter requested modification to clarify that the Affirming Official will attest only that the requirements are implemented as of the certification date, or proposal submission date, and requested removal of affirmation references to continuous compliance. Two commenters urged the Department to align the annual affirmation timeline with the 3-year assessment timeline to ensure consistency and reduce potential False Claims Act liability. One commenter also incorrectly believed a prime contractor affirmation would be made on behalf of its entire supply chain. Another commenter asked DoD to clarify that an organization may obtain from C3PAOs a limited review of changes made since the last assessment in support of required affirmations and noted that the DoD or CMMC AB may wish to clarify what supporting evidence is required for annual affirmations. Additionally, the commenter recommended that DoD reconsider the requirements for CMMC Level 1 since these are covered by the System for Award Management (SAM). One commenter asked, in reference to POA&M closeout affirmations, whether there was no longer an expectation that a C3PAO will confirm the close out of a POA&M. One commenter provided a recommendation to include an executive summary in the affirmation that includes POA&M related metrics as an indicator of an OSA’s effective O&M, security, and continuous monitoring activities.

Response: As described in § 170.22(a)(2)(ii), the CMMC affirmation shall include a statement to the effect that the OSA has implemented and will maintain implementation ‘‘within the relevant assessment scope’’, which adequately addresses the commenter’s suggestion. No change to the rule text was therefore required.
Annual affirmations ensure OSAs conduct periodic checks and verify to the Department that changes to their networks have not taken them out of compliance during the certification period. The annual affirmation requirement enables DoD to permit 3 years between CMMC Level 2 or 3 assessments, rather than requiring annual assessments. The DoD does not agree with the comment that following the procedures in § 170.22 creates an additional burden. The DoD does not concur with removing the terms ‘‘continuing’’ or ‘‘continuous’’ as they relate to an OSA’s affirmation. Continuing compliance means that the contractor system in question remains in compliance and that the OSA intends to maintain compliance over time, not that the OSA cannot have an operational plan of action. Any changes to the information system beyond use of operational plans of action require a new assessment and a new affirmation. Operational plans of action as described in CA.L2–3.12.2 are part of normal maintenance of a system and do not require a separate out-of-cycle affirmation. The DoD declines to address specific cases when affirmations are not required.

DoD’s use of the term OSA within the affirmations section is deliberate and conveys that each organization is responsible for affirmations pertaining to their own assessments. An Affirming Official definition was added to the rule and provides that clarification. The rule delineates which requirements may be addressed with a POA&M for up to 180 days to achieve Final CMMC Status. As stated in § 170.22, an Affirming Official attests the organization is satisfying and will maintain its specified cybersecurity requirements. An OSA may complete a self-assessment and submit a new affirmation at any time.
POA&Ms associated with conditional assessments are closed out by C3PAOs for Level 2 final certification assessments and by DCMA DIBCAC for Level 3 final certification assessments. OSAs must affirm results in SPRS for all assessments. If an OSA makes significant changes within the CMMC Assessment Scope, a new assessment and affirmation are required. The rule does not preclude OSAs from contacting a C3PAO for a review prior to an annual affirmation; however, this is not required. No supporting evidence is required for an annual affirmation. Annual representations and certifications submitted in the System for Award Management (SAM) serve a different purpose from the CMMC affirmation requirement completed in SPRS. Furthermore, given the sensitivity of an OSA’s cybersecurity status, the DoD has elected not to use SAM, a public website. Details for completion of the annual affirmation, including wording of the affirmation statement, are addressed in the 48 CFR part 204 CMMC Acquisition rule. The affirmation signifies the requirements were implemented as of the date of the self-assessment or certification, and that the OSA has maintained and intends to maintain the system as assessed. The DoD declines to require the use of an executive summary or the publication of metrics in the affirmation statement as part of the affirmation because that is not consistent with the purpose of the affirmation requirement. Regarding the alignment of assessment and affirmation timelines, the DoD declines to adopt recommended changes which would allow up to 3 years to elapse before DIB companies would be required to assess the status of their cybersecurity compliance.

25. CMMC Acceptance of Alternate Standards

a. CMMC and Other Agency Standards or Acceptance of CMMC Assessments

Comment: Several commenters asked for additional detail about § 170.20 Standards Acceptance.
One commenter described discussions from various DoD industry engagements and suggested the rule is inconsistent with information provided at those information exchange events. Some commenters observed the rule does not describe DoD efforts to coordinate with other agencies regarding any additional cybersecurity requirements they choose to implement, which could conflict with or add burden for companies that must also comply with CMMC requirements. One comment suggested implementing the CMMC program government wide. An industry association submitted several comments regarding perceived duplication between this rule and cybersecurity requirements of other Federal agencies and foreign governments. They also recommended the DoD modify the rule to reflect other agency standards, such as TSA and CISA security directives requiring cyber incident reporting for natural gas utilities. Several commenters thought the rule did not adequately explain potential portability of CMMC assessments, referring to whether other agencies might recognize CMMC compliance as meeting or partially meeting their requirements. One specifically suggested CMMC affirmations could be accepted as evidence of compliance with any similar cybersecurity requirements other agencies may implement. One comment suggested that by assessing compliance with all applicable security requirements, the CMMC program will impede efforts to establish DoD information sharing agreements with other non-DoD organizations, including other agencies and foreign governments.

Response: Some comments received lacked relevance to the rule’s content, which is limited to specific CMMC Program requirements. The DoD declines to respond to speculative or editorial comments about private citizens or entities, all of which are not within the scope of this rule. Similar data security requirements are already applied to contractors across all Federal agencies, due to the applicability of FAR clause 52.204–21 and 32 CFR part 2002.
All executive agencies are required to comply with the same standards for protection of FCI and CUI in those regulations. Once attained, a current CMMC certification may be presented for consideration by any entity (including other government agencies) as an indicator that the security requirements associated with the certificate level (e.g., CMMC Level 2) have in fact been implemented. CMMC Program requirements are designed to ensure compliance with existing standards for protection of FCI and CUI and align directly to NIST guidelines (e.g., NIST SP 800–171 R2) and the basic safeguarding requirements of FAR clause 52.204–21 that apply to all executive agencies. Regulations issued by any executive agency must be aligned to these overarching requirements; therefore, CMMC Program requirements will not conflict with any FCI or CUI safeguarding regulations that may be issued by other agencies as cited by the commenter. All executive agencies are permitted to submit and review comments as part of the formal rulemaking process, and additional coordination is not required. This rule provides a consistent way of verifying contractors’ compliance with the referenced FAR and NIST requirements, in addition to those from NIST SP 800–172 Feb2021 where applicable.

b. Requests To Recognize Alternate Standards

Comment: Several commenters requested the rule be modified to accept or recognize alternate standards for the purpose of meeting CMMC assessment requirements. Some small to medium businesses recommended acceptance of healthcare relevant standards or other recognized certification frameworks as a substitute for CMMC and FedRAMP Equivalency.
Another comment cited verbiage in DFARS clause 252.204–7012 that references DoD CIO approval to ‘‘vary’’ from NIST SP 800–171 requirements as rationale for revising the CMMC rule to permit acceptance of other standards such as the NERC Critical Infrastructure Protection standards which apply to North America’s Bulk Electric System (BES). Some comments expressed concern that absent greater acceptance of the standards required by other agencies, companies complying with CMMC would be at a competitive disadvantage due to the perceived costs of complying with CMMC standards. Another comment expressed a similar concern but cited the need for acceptance of foreign C3PAOs to effectively scale CMMC to include assessment of foreign OSCs.

Response: CMMC Program requirements apply to those contractors that seek to bid for DoD work which requires processing, storing, or transmitting FCI or CUI in a contractor owned information system. Section 170.20 addresses Standards Acceptance and delineates the only existing bases for accepting alternate standards in this rule. The DoD does not currently have standards acceptance with other Federal entities in lieu of the CMMC requirement. DoD’s harmonization of requirements with other agencies is achieved through compliance with NIST standards. DoD’s recognition of the standards of other nations occurs through negotiation of international arrangements and agreements, which is beyond the scope of this rule. The CMMC Program has aligned requirements with NIST standards, and many foreign nations are adopting NIST standards as well.
In developing this rule, the DoD worked with standards bodies, removed unique requirements, and aligned new requirements directly with NIST SP 800–171 R2 and select NIST SP 800–172 Feb2021 requirements to reduce and streamline cybersecurity burden across the industry. CMMC Program requirements make no change to existing policies for limits on dissemination of CUI. Comments on information sharing between other agencies or foreign entities are beyond the scope of this rule. The requirement to comply with NIST SP 800–171 was mandated in DFARS clause 252.204–7012. Granting alternatives to that standard is beyond the scope of this rule. Several foreign or international companies submitted comments expressing interest in the rule section pertaining to C3PAO requirements (§ 170.9(b)) and correctly noted that this section does not preclude otherwise qualified foreign companies from achieving C3PAO accreditation. Note that the DoD does permit C3PAO personnel who are not eligible to obtain a Tier 3 background investigation to meet the equivalent of a favorably adjudicated Tier 3 background investigation. DoD will determine the Tier 3 background investigation equivalence for use with the CMMC Program only.

c. CMMC Acceptance of Other DIBCAC Assessments

Comment: Some commenters either did not understand or objected to the fact that standards acceptance requirements for DIBCAC High Assessments require a score of 110 without POA&Ms. Other comments requested clarity regarding standards acceptance of DIBCAC High Assessments at CMMC Levels 2 and 3. One comment inquired about the programmatic details of DCMA’s Joint Surveillance Program. Another comment expressed concerns over disparities between how CMMC C3PAOs and DIBCAC assess, given the fact that DIBCAC assessors are empowered to make risk acceptance decisions on behalf of the Government, whereas C3PAO assessors are not.
One commenter questioned the use of the NIST SP 800–171 R2 Cybersecurity FAQs as published in the DoD Procurement Toolbox. Another commenter asked whether C3PAOs assess for compliance with DFARS clause 252.204–7012, paragraphs c–g, as DCMA DIBCAC does in their assessments of OSAs. One commenter suggested that the DIBCAC is not certified to conduct Level 3 assessments and that training requirements for CMMC Level 2 C3PAO assessors should also apply to DIBCAC assessors, or else Level 3 assessments should be conducted by C3PAOs.

Response: There is qualified standards acceptance between DCMA DIBCAC High Assessment and CMMC Level 2 Certification Assessment as described in § 170.20(a). There is no standards acceptance between DCMA DIBCAC High Assessment and CMMC Level 3. To be eligible for standards acceptance resulting in a CMMC certification, an OSC must achieve a perfect 110 score on the Joint Surveillance assessment without any open POA&Ms at the time of assessment. If the Joint Surveillance assessment results in POA&M actions, any POA&M must be closed prior to standards acceptance. Completion of a prior DCMA DIBCAC High Assessment does not necessarily indicate the likelihood of a future CMMC Level 3 requirement. DIBCAC High assessments are currently conducted against the NIST SP 800–171 R2 requirements, whereas the DoD will identify the need for a CMMC Level 3 assessment when its internal policies indicate the added protections of NIST SP 800–172 Feb2021 are necessary to adequately safeguard DoD information. Acceptance of a small number of DIBCAC High or Joint Surveillance Program assessments to meet future CMMC Level 2 assessment requirements will reduce the initial demand for C3PAO assessment. Only those DIBCAC High Assessments completed prior to the effective date of the rule are eligible for standards acceptance to meet CMMC Level 2 Certification requirements.
The DoD will enter CMMC Level 2 Certifications into eMASS for suitable DIBCAC High Assessments, with a validity period of 3 years from the date of the original High Assessment. A CMMC Final Level 2 certification assessment is entered into eMASS by the C3PAO following a successful (i.e., perfect score with no POA&Ms) joint surveillance assessment against NIST SP 800–171 R2. It is not the result of a CMMC Level 3 assessment but can be provided as evidence that an OSC is ready to initiate a CMMC Level 3 assessment. Although Joint Surveillance is listed as standards acceptance in § 170.20(a)(1), the details of this DCMA program and any changes to it are beyond the scope of this rule. A Joint Surveillance assessment is a DCMA DIBCAC assessment and falls under their purview.

The CMMC office understands that there is disparity between what is assessed by a C3PAO and the DIBCAC and that the guidance information in the DoD Procurement Toolbox is the driving factor. Since the Procurement Toolbox is outside of the scope of the 32 CFR part 170 CMMC Program rule, it cannot be properly addressed here or in the rule. With CMMC the DoD utilizes a risk-based approach in its allowance for POA&Ms, gradient scoring for certain controls (e.g., FIPS and MFA), temporary deficiencies, and enduring exceptions. DCMA DIBCAC assessors are trained and qualified to conduct assessments against NIST SP 800–171 R2 for the DoD. DoD determined that C3PAOs conducting assessments on other C3PAOs introduced a significant conflict of interest. Given the sensitivity of the programs requiring Level 3 assessments, the DoD determined that those assessments must be completed by a DoD entity. The DoD declines to respond to speculative or editorial comments regarding DCMA DIBCAC assessments. The CMMC model (§ 170.14) only incorporates requirements from FAR clause 52.204–21, NIST SP 800–171 R2, and NIST SP 800–172 Feb2021.
C3PAOs are only responsible for assessing the requirements of § 170.17. DCMA DIBCAC operates under different authorities and can address all the requirements of DFARS clause 252.204–7012.

d. Validity Period for Standards Acceptance

Comment: Two comments asked how SPRS would be updated to reflect CMMC Level 2 certification when based on standards acceptance. One asked whether that update would be automatic. One comment asked whether CMMC standards acceptance for DIBCAC joint surveillance assessments would result in certifications being issued to the OSA by the C3PAO or by DIBCAC. Some comments, including those from three industry associations, objected to the start date for the 3-year validity of CMMC certification based on standards acceptance of prior DIBCAC assessments. Those comments requested the validity period begin with the effective date of the 32 CFR part 170 CMMC Program rule. Along these lines, another commenter asked whether C3PAOs may certify an OSA based on evidence of a perfect 110-scored DIBCAC High Assessment. One comment requested a 1-year extension of the validity period to 4 years.

Response: The DoD has considered the recommendation to modify the validity period for certifications resulting from standards acceptance and declines to revise the rule text. It is important that contractors maintain security compliance for systems that process, store, or transmit DoD CUI. Given the evolving cybersecurity threat, DoD’s best interests are served by ensuring that CMMC Level 2 assessments remain valid for no longer than a 3-year period, regardless of who performs the assessment. A C3PAO may not simply read the DIBCAC assessment score in SPRS and grant a completed CMMC Level 2 certification assessment. C3PAOs may only submit certification assessment results based on having conducted a certification assessment.
An OSA is free to seek a C3PAO certification assessment, but this would be unnecessary, because a valid DIBCAC High assessment with a 110 score will automatically be converted in SPRS to reflect a CMMC Final Level 2 certification assessment provided all requirements of § 170.20(a)(1) are met. A DIBCAC High assessment conducted after the rule is effective is not eligible for standards acceptance.

26. CMMC Requirements and International Entities

a. Applicability to International Entities

Comment: Several public commenters asked whether and how the CMMC rule content would apply to foreign based or international companies, either as companies seeking to comply with assessment requirements or as companies seeking to participate in the CMMC Ecosystem. Some questions asked for interpretation of requirements for specific scenarios, such as how CMMC requirements might affect Status of Forces Agreements for DoD installations overseas. Others asked about application of flow-down requirements to foreign subcontractors, including in circumstances when DFARS clauses do not apply or when international agreements supersede application of DFARS clause 252.204–7012. A few comments asked how foreign or multinational corporations with facilities abroad can attain CAGE codes, access SPRS, or meet other aspects of CMMC requirements. Some asserted that specific systems contractors need to access, such as SPRS and PIEE, are not designed to accommodate foreign address formats and requested modifications or alternative options to facilitate submission of CMMC affirmations. One commenter suggested that assessment of foreign contractor information systems should only be conducted by the host country, and asked whether foreign contractors should be partially exempted from CMMC requirements.
Response: CMMC Program requirements are applicable when DoD requires processing, storing, or transmitting of either FCI or CUI during performance of a DoD contract. CMMC Program requirements would not apply to a DoD Installation’s communication with a Host Nation government on matters related to the Installation. CMMC program requirements apply to all DoD contractors alike when contract performance will require processing, storing, or transmitting of FCI or CUI on contractor-owned information systems. This 32 CFR part 170 CMMC Program rule does not permit partial exemption of assessment requirements for foreign contractors. Any discussion of exemptions or deviations for foreign businesses is outside the scope of the 32 CFR part 170 CMMC Program rule and must be addressed through government-to-government international arrangements or agreements. Pathways and timelines for achieving these agreements are outside the scope of this rule.

CMMC requirements apply to both domestic and international primes and flow down to subcontractors throughout the supply chain if their information systems process, store, or transmit FCI or CUI. CMMC requirements are based upon the type of information processed and shared, regardless of where the company is headquartered or operates. Certification requirements for subcontractors are addressed in § 170.23(a)(1) through (4). For additional information about flow-down of contractual requirements, see the 48 CFR part 204 CMMC Acquisition rule. The CMMC process is the same for international and domestic contractors and subcontractors. International subcontractors must undergo a CMMC assessment at the appropriate level to demonstrate compliance with NIST SP 800–171 R2 requirements. All OSAs must register in https://sam.gov, which has instructions for obtaining applicable CAGE or NATO CAGE codes (NCAGE codes). Address data is not a required SPRS data input for CMMC purposes.
Contractor address information is required to obtain a CAGE code that, along with a Unique Entity ID, is required to register in SAM. SPRS currently receives assessment information from domestic and international entities. International organizations get CAGE codes in the same manner that US organizations do, including in some instances NCAGE codes. CAGE codes are required for a contractor to register for a user account in the Procurement Integrated Enterprise Environment (PIEE), which provides contractors access to SPRS and other applications as necessary for DoD contracts.

b. International Agreements

Comment: Several commenters asked about procedures for establishing recognition of other nations’ cybersecurity standards or assessment programs as acceptable alternatives to CMMC program requirements. Another commenter noted the rule provides no explicit recognition of existing agreements between the DoD and other nations related to information sharing and defense procurement. They and other commenters asked that the rule identify a specific process for reaching agreements related to CMMC program requirements. Some of these commenters identified specific foreign cybersecurity programs and requested that the DoD work toward reciprocal recognition of their underlying standards. One of these commenters requested that DoD identify timelines for establishing bilateral agreements. In particular, the Canadian counterpart for the CMMC program expressed concern that Canadian companies could be disadvantaged in seeking CMMC certification and requested the DoD consider establishing a unified accreditation body for Canadian and US C3PAOs.

Response: While the rule does address application to foreign contractors and ecosystem participants throughout, these requirements may be superseded by the terms and conditions of applicable international arrangements or agreements. CMMC validates cybersecurity requirements, as defined in FAR clause 52.204–21, NIST SP 800–171 R2, and a selected subset of NIST SP 800–172 Feb2021, where applicable. These cybersecurity requirements apply to international and domestic companies when included in a DoD contract. The Department cannot speculate about the arrangements of any international agreement and how it may or may not impact international partners, as these arrangements are beyond the scope of this 32 CFR part 170 CMMC Program rule. The DoD has designed CMMC Program requirements to apply to those contractors that bid for DoD work which will require access to process, store, or transmit FCI or CUI in a contractor owned information system. A CMMC certification assessment is portable in the sense that it provides confidence that the holder has been assessed by an authorized third party for compliance with the applicable security standards (e.g., NIST SP 800–171 R2 or NIST SP 800–172 Feb2021). Once attained, CMMC certification assessment status may be presented for consideration by any entity as an indicator that the holder has implemented the security requirements associated with the certificate level (e.g., NIST SP 800–171 R2 or NIST SP 800–172 Feb2021). Section 170.20 delineates the only existing bases for accepting alternate standards in this rule. It is beyond the scope of this rule to provide a specific set of directions or guidance on recognition for alternate cybersecurity standards. Deviations from DFARS clauses are also beyond the scope of this rule. Section 170.20 has been modified to state that an OSC with a perfect score from a prior DCMA DIBCAC High Assessment aligned with the same CMMC Level 2 Scoping may meet CMMC Final Level 2 certification assessment requirements via acceptance of the prior DIBCAC assessment in lieu of a C3PAO assessment. Standards Acceptance does not refer to international standards acceptance, which is not described within the rule.

c. C3PAO, CCP, and CCA Requirements

Comment: In addition to the interest in international agreements, some commenters expressed concern about CMMC ecosystem capacity to meet demand for Level 2 certification. They advocated support for accreditation of non-U.S. based C3PAOs. One commenter suggested that FOCI requirements be deleted from the rule and managed via DoD’s oversight of the CMMC AB. One commenter speculated the phased CMMC implementation plan would require all non-U.S. firms to comply simultaneously and recommended that foreign contractors be allowed additional time to comply. Another recommended that foreign companies be permitted to simply self-assess in lieu of obtaining a CMMC Level 2 certification assessment. Several commenters asked about foreign nationals participating in the CMMC ecosystem and noted discrepancies between qualifications identified in the rule and content on the CMMC AB’s website at the time of rule publication. These commenters expressed interest in the ability for foreign citizens to become CCAs, CCPs, and LTPs (a term no longer used in the rule). One commenter presumed that only U.S.-based Cloud Service Providers (CSPs) may become FedRAMP authorized, and asserted a need to authorize or accredit foreign-based CSPs that foreign DIB contractors might use while still achieving CMMC compliance. Another asked how foreign small businesses can comply with CMMC without access to U.S. approved CSPs. One commenter asked for guidance on how to get foreign products and services, such as encryption and decryption mechanisms, approved for use in information systems that require CMMC assessment. One commenter suggested that the CMMC program permit assessment by C3PAOs and assessors accredited in accordance with other ISO/IEC standards than those identified in this rule. They cited ISO/IEC 27001 or 9901 as suitable alternate ISO/IEC standards.
Response: The DoD declines to delay CMMC Program implementation for non-U.S. organizations. International businesses will not receive special accommodations because the CMMC Program’s phased implementation will impact both U.S. and non-U.S. defense contractors equally. The implementation plan described in the rule does not promote or prioritize certification assessments of any contractor over any other contractor. All companies, regardless of location or nationality, will have access to any authorized C3PAO. The rule does not preclude non-U.S. citizens or foreign-owned C3PAOs from operating in the U.S. Additionally, U.S. owned C3PAOs may operate in a foreign nation. As stated in the rule, C3PAOs must meet the criteria in § 170.9. Non-U.S. organizations and employees that meet all the requirements in §§ 170.9 and 170.11 will not be prohibited from operating as a C3PAO within the U.S. or abroad. A list of authorized C3PAOs is available on the current CMMC AB marketplace. DoD does not concur with the recommendation to delete § 170.9(b)(5) content identifying FOCI requirements. Those details for complying with FOCI are necessary for understanding the requirement.

Some commenters noted differences between the rule content and information on the CMMC AB website. The CMMC AB is part of the public and had no access to advance information prior to publication of the proposed rule. The rule takes precedence in the event of any discrepancy with CMMC AB materials. The document ‘‘Career Pathway Certified Assessor 612’’, dated 2020, has been replaced by a regularly updated DoD Cyberspace Workforce Framework which may be found at https://public.cyber.mil/dcwf-work-role/security-control-assessor/. Intermediate and Advanced Foundational Qualification Options in the DoD Cyberspace Workforce Framework’s Security Control Assessor (612) Work Role are available to foreign nationals. The rule has been updated to reflect this reference update.
A domestic or international business seeking a contract that contains DFARS clause 252.204–7012, and using a cloud service provider to process, store, or transmit covered defense information in performance of that DoD contract, must ensure that the CSP meets FedRAMP authorization or equivalency requirements. As the FedRAMP program and FedRAMP equivalency are available to international organizations, foreign entities do not need to develop their own FedRAMP program. FedRAMP authorization or equivalency is also available to small businesses. The DoD leverages the FedRAMP program to implement requirements for the adoption of secure cloud services across the Federal Government and provide a standardized approach to security and risk assessment for cloud technologies. Export controlled goods and ITAR are outside the scope of the 32 CFR part 170 CMMC Program rule. The process for identifying specific products or services that may meet NIST security requirements is beyond the scope of this rule. CMMC program requirements are unrelated to evaluation or approval of encryption or decryption products manufactured by foreign information security companies. DoD considered many alternatives before deciding upon the current CMMC structure. Alternative methods of assessment have proven inadequate and necessitated the establishment of CMMC. DoD declines to accept the recommendation of an alternate path to C3PAO accreditation.

27. Impact to Small Businesses

a. Funding the CMMC Program

Comment: One comment asserted that the rule does not address CMMC program funding, affordability, and sustainability. They recommended the DoD conduct and publish a comprehensive cost assessment for each level of CMMC certification and explore ways to reduce the financial burden on contractors.
Response: DoD included an analysis of costs to meet CMMC requirements in the regulatory impact analysis for this rule. As described in the estimate included with the rule, the major cost categories for compliance with CMMC requirements are anticipated to include costs for completing a self-assessment (e.g., Level 1 or 2); costs to prepare for and undergo C3PAO assessment (Level 2); costs required to implement the Level 3 security requirements and for preparing to undergo DCMA DIBCAC assessment (Level 3). All of these except the market costs of a C3PAO are controlled by the organization seeking assessment. Market forces of supply and demand will determine C3PAO pricing for CMMC Level 2 certification assessments. Analysis of costs to meet CMMC requirements is provided in the regulatory impact analysis for this rule. The CMMC rule does not make any change to cost allowability as defined in the FAR 31.201–2 Determining Allowability. Verifying compliance with applicable security requirements may increase cost and is necessary for the protection of DoD CUI. With the revised CMMC, the DoD has streamlined requirements to align directly to NIST guidelines and has eliminated unique security practices to ease the burden on smaller companies. DoD must enforce CMMC requirements uniformly across the Defense Industrial Base for all contractors and subcontractors who process, store, or transmit CUI. The value of information (and impact of its loss) does not diminish when the information moves to contractors and subcontractors. The DoD declines to speculate about how OSCs and C3PAOs negotiate mutually acceptable terms and conditions for assessment agreements. The DoD declined to modify the estimates, which are intended to be representative and to inform rulemaking.

b. Disproportionate Cost Burden

Comment: Many comments emphasized the importance of small business to the DoD contracting environment and expressed the concern that increased cost burden on small companies will result in an anticompetitive barrier to entry. Specifically, commenters state the lack of in-house security resources, inability to amortize costs, upfront costs to comply with CMMC Level 1 and 2 without guaranteed contracts, keeping pace with requirements changes, paying market rates for C3PAO assessments, and obtaining “perfect” compliance with requirement or assessment objectives may not be affordable or may cause unacceptable enterprise disruption. One comment asserted that the DoD is not considering additional costs to small- and medium-sized businesses (SMBs) for ongoing compliance. One comment stated the cost of entry for a new SMB may be insurmountable even with cost recovery. One comment suggested “right-sizing” CMMC by tailoring security requirements based on business size and number of employees. Additionally, one comment asserted that small businesses would be unfairly punished while large, legacy primes would lobby and get waivers. Two comments noted that CMMC will increase costs, perhaps doubling annual IT and security spending, ultimately passing the cost to customers, the government and the taxpayer and asked how the DoD plans to deal with price increases from subcontractors and primes. One comment suggested the DoD pay contractor employees to learn to cyber defend rather than pay auditor assessment costs.

Response: The DoD concurs with commenters’ assessment of the importance of small businesses to the DoD. The DoD has streamlined CMMC requirements to align directly to NIST guidelines and has eliminated unique security practices to ease the burden on smaller companies.
In recognition of the cyber threat both to DoD and to the DIB, CMMC Program requirements are designed to ensure compliance with existing standards for protection of FCI and CUI. These cybersecurity requirements align directly to NIST guidelines (i.e., NIST SP 800–171 R2 and NIST SP 800–172 Feb2021) and the basic safeguarding requirements (FAR clause 52.204–21) that apply to all executive agencies. The analysis of costs to meet CMMC Level 1 and 2 requirements is provided in the Regulatory Impact Analysis published with this rule. Note that certification is never required for CMMC Level 1, which is a self-assessment requirement. CMMC Level 2 may either be met via self-assessment, or via certification following a C3PAO assessment, depending on the specific requirement cited in the solicitation. Some comments appeared to reference costs to meet the requirements of existing DFARS clause 252.204–7012. Please refer to 81 FR 72990, October 21, 2016, for DoD’s final rule implementing the DoD’s requirement that “contractors shall implement NIST SP 800–171 as soon as practical, but not later than December 31, 2017.” The cost estimates for SMBs represent average derived estimates based on internal expertise and public feedback in accordance with OMB Circular A–4. The size and complexity of the network within scope of the assessment impacts the estimates as well. The DoD has streamlined CMMC requirements to align directly to NIST guidelines and has eliminated unique security practices to ease the burden on smaller companies. In addition, CMMC Level 1 and select CMMC Level 2 requirements are now met via self-assessment, which reduces burden to small businesses. The CMMC program incorporates flexibility with the use of self-assessment, POA&Ms, and waivers.
Since December 2017, DFARS clause 252.204–7012 has required contractors to implement the NIST SP 800–171 security requirements to provide adequate security applicable for processing, storing, or transmitting CUI in support of the performance of a DoD contract. OSAs that are currently attesting that they meet DFARS clause 252.204–7012 should not have difficulty successfully achieving a Level 2 self-assessment. Some comments received lacked relevance to the rule’s content, which is limited to specific CMMC Program requirements. The DoD declines to address speculation about lobbying activities. Verifying compliance with applicable security requirements may increase financial cost to the DoD due to increased contract costs but it is necessary for the protection of DoD CUI. The cost of lost technological advantage over potential adversaries is greater than the costs of such enforcement. The value of information (and impact of its loss) does not diminish when the information moves to contractors. The trade-off is between protecting sensitive information from our nation’s adversaries and accepting the fact that security costs increase for numerous reasons. Many of those cost-drivers are completely independent of CMMC. While CMMC compliance adds to an organization’s cost, no member of the DIB can assume the status quo in today’s ever-changing cyber security environment. Increasing costs to protect the nation’s data and industries from emerging threats is simply a component of doing business anywhere in the world. Processing, storing, or transmitting sensitive Government information comes with a handling cost that needs to be built into each organization’s business model. Some comments included suggestions about how workflow should occur between prime and subcontractors to decrease or eliminate the transfer of CUI to subcontractors.
The DoD cannot dictate these business practices but encourages prime contractors to work with their subcontractors to flow down CUI with the required security and the least burden. Questions regarding what to mark as CUI are out of scope of this rule. At the time of award, the DoD may have no visibility into whether the awardee will choose to further disseminate DoD’s CUI, but DFARS clause 252.204–7012 and DFARS clause 252.204–7021 require the prime contractor to flow down the information security requirement to any subcontractor with which the CUI will be shared. Decisions regarding which DoD information must be shared to support completion of which subcontractor tasks take place between the prime contractor and the subcontractors chosen to complete the specific tasks.

c. Phasing the Cost To Comply

Comment: Two comments suggested a phased compliance would help offset financial burden while working toward full compliance. One comment expressed concern that Managed Service Providers (MSPs), many of which are small businesses, will not have time to achieve Level 2 certification before their OSA and OSC customers need them to be certified and recommended extending the phased timeline. Several comments stated that recouping compliance costs could take years, forcing SMBs into financial debt, contract termination, and exclusion from the market for DoD contracts. One commenter expressed concern about implementation of CMMC as a condition of contract award and the implication that compliance costs are incurred prior to receiving a DoD contract.

Response: DoD declined to implement a small entity specific “phased compliance”. Since December 2017, DFARS clause 252.204–7012 has required contractors to implement the NIST SP 800–171 security requirements to provide adequate security applicable for processing, storing, or transmitting CUI in support of the performance of a DoD contract.
DoD received numerous comments about the use of ESPs, including MSPs, which do not process, store, or transmit CUI. In response to comments, the DoD has reduced the assessment burden on External Service Providers (ESPs). ESP assessment, certification, and authorization requirements in §§ 170.19(c)(2) and (d)(2) have been updated. ESPs that are not CSPs and do NOT process, store, or transmit CUI, do not require CMMC assessment or certification. Services provided by an ESP are in the OSA’s assessment scope. CMMC has taken several steps to keep the cost of compliance with the rule commensurate with the risk to the DoD’s information. Level 1 only requires self-assessment, and many contracts with CUI will only require a Level 2 self-assessment. Companies that currently attest that they meet DFARS clause 252.204–7012 should not have difficulty completing a Level 2 self-assessment. In accordance with the rulemaking process, this rule was reviewed by both DoD cost analysts and OMB economists for realism and completeness. This is a 32 CFR part 170 CMMC Program rule, not an acquisition rule. The 48 CFR part 204 CMMC Acquisition rule will address implementation of CMMC as it pertains to DoD contracts.

d. Detailed Cost Analysis

Comment: A few comments suggested a detailed cost analysis should consider SMBs of various sizes, types, and challenges to ensure compliance is sustainable. One comment asked whether a profit margin analysis was performed, while another asserted that other third-party assessments are less expensive than the estimates for CMMC assessment. Another stated CMMC Level 3 cost estimates are too low and suggested using costs associated with SECRET-level networks for calculation.

Response: The DoD provided an analysis of costs to meet CMMC Level 1 and 2 requirements in the regulatory impact analysis for this rule.
The cost estimates provided for this rule represent average costs for companies to comply with CMMC requirements, including the need for self-assessment or independent assessment against the specified standards. Comparing costs with other third-party security audits presumes that the security and assessment requirements are identical, and DoD disagrees with that assumption. The DoD declined to produce another cost estimate for CMMC assessment and certification. As required by the Rulemaking Guidance, the DoD provided cost estimates and impact analyses in the proposed rule. The analysis included estimated costs for each level and type of assessment or certification for different sized contractor businesses. The cost estimates did not include an analysis of profit margins, which is not required. This rule also does not provide the cost analysis for all actions, personnel, and security measures required to protect CUI information, data, systems, and technical products through the life cycle of the work and data generated. The cost estimates represent derived estimates based on internal expertise and public feedback in accordance with OMB Circular A–4. Market forces of supply and demand will determine C3PAO pricing for CMMC Level 2 certification assessments. The size and complexity of the network within scope of the assessment impacts the costs as well. CMMC Level 3 assessments against the NIST SP 800–172 Feb2021 baseline are performed free of cost by DoD assessors, which reduces the cost of CMMC Level 3. The costs associated with a government-owned SECRET-level network are not relevant to the CMMC Program which ensures protection of FCI and CUI.

e. Assistance Programs or Other Relief

Comment: Several commenters proposed that financial assistance, contract incentives, direct reimbursement of assessment costs (in whole or in part), and market rate price caps be considered to lessen financial burden and decrease the entry barrier for SMBs. Several comments also inquired about DoD SMB grant programs to help SMBs cover the cost of CMMC Level 2 certification assessments. Multiple comments suggested DoD provide actionable guidance through outreach support and assistance along with free or reduced cost cybersecurity services to SMBs, with two referencing the DoD Office of Small Business Programs and one the DoD Procurement Toolbox. One comment, from a large business with SMB suppliers, requested clearer guidance and support for flow down to sub-tier suppliers and SMB supply chains. One comment stated firms who receive a low number of CUI documents (30 docs in 3-years on 10 computers) do not justify the cost of becoming CMMC compliant, and added the cost is nearly as much as protection for classified documents. One commenter suggested NIST SP 800–171 R2 security requirements would not apply to their specific characteristics, i.e., a very small business with minimal internet connectivity, no remote access, no public access, no mobile devices, no remote work, and no known cybersecurity issues. The comment asserted that the company posed minimal risk to CUI and should be excused from adhering to CMMC program requirements based on cost burden. One comment proposed eliminating third party assessment costs and relying only on self-certification to address the cost burdens. One comment noted that free market pricing and a short supply of C3PAOs combined with excessive waiting times may result in SMB attrition.
Response: It is not within the scope of this rule to address how companies recover assessment costs. The CMMC rule makes no change to the cost allowability parameters described in FAR 31.201–2 Determining Allowability. Contractors are required to comply with all terms and conditions of DoD contracts, to include terms and conditions relating to cybersecurity protections and assessment requirements, as implemented by this rule. This holds true when a contract clause is flowed down to subcontractors. Several of the commenters’ recommendations have potential benefit for the contractor and sub-contractor communities; however, they are beyond the scope of the rule. These recommendations included creation or expansion of: grants and assistance programs, financial support for small business, the DoD [Procurement] Toolbox, the DoD Office of Small Business Programs, contract incentives and free or reduced cost DoD cybersecurity services. DoD understands the burden on small business. Nonetheless, DoD must enforce CMMC requirements uniformly across the Defense Industrial Base for all contractors who process, store, or transmit CUI. The requirements necessary to protect a single document are the same as to protect many documents, therefore scaling by amount of CUI expected is not a viable approach. Solicitations for DoD contracts that will involve the processing, storing, or transmitting of FCI or CUI on any nonfederal system, regardless of the size or configuration of the nonfederal system, will specify the required CMMC Level (1, 2 or 3) and assessment type (self-assessment or independent third-party assessment). That requirement applies, regardless of the number of computers or components in a nonfederal information system. DoD’s original implementation of security requirements for adequate safeguarding of CUI relied upon self-attestation by contractors.
Since that time, the DoD Inspector General and DCMA found that contractors did not consistently implement mandated system security requirements for safeguarding CUI and recommended that DoD take steps to assess a contractor’s ability to protect this information. All contractors or sub-contractors with access to CUI need to be capable of protecting that information to the standard specified in 32 CFR part 2002. If a small business cannot comply with DFARS clause 252.204–7012 and NIST SP 800–171 R2, then that business should not be processing, storing, or transmitting CUI. DoD’s programs, technological superiority, and best interests are not served if CUI is not consistently safeguarded by all who process, store, or transmit it.

28. Perceived Cost of CMMC Program

Comment: Several comments expressed disagreement with assumptions supporting the cost estimate, namely that implementation costs to comply with the requirements of FAR clause 52.204–21 and DFARS clause 252.204–7012 predate and are not included as CMMC costs. These comments assert that the cost of CMMC compliance should include those costs, and therefore dwarfs the cost of CMMC certification. They further assert that DoD’s position does not account for those contractors who have only recently joined the DIB marketplace or those that aspire to do so. The concern expressed in the comments is that the cost of standing up an infrastructure to achieve and maintain DoD cybersecurity requirements regarding the protection of FCI and CUI, combined with CMMC assessment costs, is prohibitive and will create a lack of diverse suppliers. Two commenters asserted the CMMC Program expanded application of DFARS clause 252.204–7012 requirements due to a perceived extension of those requirements to additional organizations, such as External Service Providers (ESPs).
One of the commenters further speculated that CMMC requirements may decrease the availability of ESPs that are available and suitable to support DIB members as needed to comply with CMMC requirements. Another commenter stated that this scope expansion increases direct implementation and compliance costs above and beyond the CMMC Program’s estimated assessment costs. The comment cites the introduction of the terms “Security Protection Assets” and “Security Protection Data” as extending applicability of those requirements and incurring the additional direct implementation and compliance costs. Lastly, the comment notes these changes will drive costs to “rip and replace” existing tools and likely purchase more expensive FedRAMP or CMMC-certified tools. One comment indicated that, while compliance with NIST SP 800–171 was required by December 31, 2017, compliance with NIST SP 800–171A Jun2018 increases requirements and cost because NIST SP 800–171A Jun2018 emphasizes process and documentation in addition to the intent of the security requirement. Two comments pointed out that some contractors may need to accelerate remediation efforts and close out POA&Ms under existing DoD contracts that are subject to DFARS clause 252.204–7012 to meet CMMC requirements. These comments requested that since these contractors will now be faced with accelerating close-out of their POA&Ms, which will incur additional costs, that DoD account for those costs in the estimate and potentially allow for recovery of those costs. One comment asserts that CMMC assessment failures, remediation implementation, and subsequent reassessments will be very costly in both time and money.
Response: 81 FR 72990, October 21, 2016 implemented the DoD’s requirement that “contractors shall implement NIST SP 800–171 as soon as practical, but not later than December 31, 2017.” Public comments related to costs for implementation were published with that final rule, along with DoD’s responses. CMMC cost estimates are derived estimates based on internal expertise and public feedback in accordance with OMB Circular A–4 and are representative of average assessment efforts not actual prices of C3PAO services available in the marketplace. Market forces of supply and demand will determine C3PAO pricing for CMMC Level 2 certification assessments and how C3PAOs choose to distinguish their service offerings from other C3PAOs, including the timely availability of an assessment team, or reassessments after an assessment failure. The size and complexity of the network within the scope of the assessment impacts the costs as well. The DoD declines to speculate about how OSCs and C3PAOs negotiate mutually acceptable terms and conditions for assessment agreements. OSA implementation of the requirements of FAR clause 52.204–21 and DFARS clause 252.204–7012 long predates CMMC; those requirements are not included in CMMC cost estimates, since they are not driven by or attributable to CMMC, even for new or aspiring defense contractors, and have been in force since 2017 on DoD contracts that include the processing, storing, or transmitting of FCI or CUI in the performance of a DoD contract. The DoD has taken measures to make a self-assessment as straightforward as possible and provided guidance to mitigate any variance in assessment scores. Additionally, the DoD has streamlined CMMC requirements to align directly to NIST guidelines and has eliminated unique security practices to ease the burden on smaller companies.
DoD must enforce CMMC requirements uniformly across the Defense Industrial Base for all contractors and subcontractors who process, store, or transmit CUI. Creation of grants and assistance programs is beyond the scope of this rule. DFARS clause 252.204–7012 requires protection of security protection assets and security protection data. Section 1.1 of NIST SP 800–171 R2 states: “The requirements apply only to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components.” There is therefore no increase in the scope as described in the rule. Security protection data requires protection commensurate with the CUI it protects and is based on how and where the security protection data is stored. The FedRAMP requirements for handling security protection data are therefore the same as those for handling CUI. Any impact to the cost of serving Government customers across the DoD is beyond the scope of this rule. As NIST states in NIST SP 800–171A Jun2018, “The assessment procedures are flexible and can be customized to the needs of the organizations and the assessors conducting the assessments. Security assessments can be conducted as self-assessments; independent, third-party assessments; or government-sponsored assessments and can be applied with various degrees of rigor, based on customer-defined depth and coverage attributes.” CMMC Program requirements are designed to ensure compliance with existing standards for protection of FCI and CUI and align directly to NIST guidelines (i.e., NIST SP 800–171 R2 and NIST SP 800–172 Feb2021) and the basic safeguarding requirements (of FAR clause 52.204–21) that apply to all executive agencies. The rule accounts for costs associated with assessment via NIST SP 800–171A Jun2018.
Within the limitations of § 170.21 Plan of Action and Milestones Requirements, offerors may bid on a contract while continuing to work towards full CMMC compliance. DoD rejects the notion that organizations must “accelerate” to meet a requirement in place since 2017. DoD did not intend nor expect that POA&Ms would remain open-ended and unimplemented for years. The DoD provided an analysis of costs to meet CMMC Level 1 and 2 requirements in the regulatory impact analysis for this rule. Certification is never required for CMMC Level 1, which is a self-assessment requirement. CMMC Level 2 may either be met via self-assessment, or via a C3PAO assessment, depending on the specific requirement cited in the solicitation. It is not within the scope of this rule to address the way companies recover assessment costs. Verifying compliance with applicable security requirements may increase cost and is necessary for the protection of DoD FCI and CUI. The cost of lost technological advantage over potential adversaries is greater than the costs of such enforcement.

29. CMMC Benefits and Cost Estimates

a. Cost Estimate Assumptions

Comment: Some comments proposed the DoD directly assume the costs for industrial base compliance, increase contract award prices, offer grants and loans, or provide tax credits to offset the costs associated with compliance. One asked for clarification regarding allowable versus unallowable costs. One comment stated the cost estimate was a good guesstimate of the total cost to the USG, but the flow down costs and the price of doing business will be at the Program Office level. The commenter requested the DoD provide a table of Program Office funding requirements to aid Program Managers in reflecting CMMC costs in an Acquisition Strategy and Cost Analysis Requirements Document (CARD).
A few comments asked about the assumptions used to estimate numbers of assessments by category and stated the labor rates for ESPs and C3PAOs were too low, and costs associated with small entities were incorrect. Two comments also suggested the number of hours estimated for self-assessment are too low, and three questioned the accuracy of small- and medium-sized business labor rates and asserted that the assessment costs for small businesses were not sustainable. One comment suggested that cost data in existing/past contracts should be used as a part of CMMC cost analysis and Section H costs should apply to the current CMMC cost estimate. One comment claimed it is cost prohibitive for individuals to obtain a CCP or CCA certification, which will hamper the CMMC Program’s scalability. One comment requested the government elaborate on how the estimated 417.83 hours per response was derived for table 39, C3PAOs Level 1 Certification and Assessment, in § 170.17(a). Another comment asserted that assessments conducted by Defense Technical Risk Assessment Methodology (DTRAM) assessment teams require more man-hours than are anticipated for CMMC certification assessments. One comment stated that while DoD included an estimate for annual senior official affirmations in the Regulatory Impact Analysis, it assumed a minimal number of hours will be required to complete this task which may not be adequate to complete a full compliance review. One comment stated the DoD self-assessment resource allocations for an ESP for both CMMC Level 1 and Level 2 are estimated 125% to 175% too low based on the belief that a self-assessment should have more rigor than a gap analysis. Specifically, the commenter posed questions on what inputs from potential OSAs were used and identifying the rigor a Certifying Official would require for attestation.
Recommendations include that the DoD clearly state its assumptions regarding self-assessment rigor, have OSA legal counsel review assumptions and cost factors, and identify a representative cross-section of stakeholders to determine appropriate rigor assumptions for company’s ESPs and new to CMMC self-assessments. One comment stated that the DoD’s assumptions for the level of effort expressed as Director and staff IT specialist hours are too low. Although there are continuous monitoring requirements of NIST 800–171 R2, those requirements do not invoke the level of effort necessary for an executive to make an attestation corresponding to the level of personal risk and corporate liability incurred under the False Claims Act. The comment asserted that DoD’s assumptions failed to account for an SMB to acquire and manage technical tools or manage the reaffirmation or an enterprise change management effort. The comment included several questions regarding the inputs used to determine lack of ongoing management resource requirements for reaffirmation, a risk management application, and inputs across the DIB regarding the level of assurance needed for affirmations to address liability concerns with the False Claims Act. Another recommendation suggested the DoD clearly state the degree of rigor an OSA should assume and revisit the cost assumptions involved to provide the Entity official with assurance for reaffirmation. One commenter reviewed the CMMC AB’s draft CMMC Assessment Process (CAP) document and agreed that 120 hours for a C3PAO’s three-person team inclusive of Phases 1, 2 and 3 is appropriate for smaller companies and should be considered a lower bound for C3PAOs deployed resources but suggested the 156 ESP assessment hours should be decreased.
One comment highlighted the following rule text, “The total estimated Public (large and small entities) and Government costs associated with this rule, calculated in over a 20-year horizon in 2023 dollars at a 7 percent discount rate and a 3 percent discount rate are provided as follows,” and asked how an organization could become eligible for the 7% discount. One comment proposed DoD remove CMMC Level 1, or defer CMMC Level 1 implementation for several years, since it does not involve CUI. The comment stated CMMC Level 1 cost estimations and burden of compliance in the rule were greatly understated, that few companies subject to this CMMC level have any idea what is expected of them, and most will struggle with financial, technical, and human resources. Though FAR clause 52.204–21 is widely used in Federal contracts, it has not been successfully communicated that NIST SP 800–171A Jun2018 will be used. The comment concludes stating CMMC Level 1 does not include CUI, therefore making cost and compliance an excessive demand.

Response: Subsidizing costs for the defense industrial base compliance is not within the scope of this rule. The rule has taken several steps to keep the cost of compliance with the rule commensurate with the risk to the DoD’s information. In addition, Level 1 only requires self-assessment, and many contracts with CUI will only require a Level 2 self-assessment. Companies that are currently and validly attesting that they meet DFARS clause 252.204–7012 should not have difficulty passing a Level 2 self-assessment. Cost estimates provided in this rule were based on internal expertise, compliant with OMB Circular A–4, and informed by public feedback. Certain elements of the estimated costs will be influenced by market forces of supply and demand, which will determine C3PAO pricing for CMMC Level 2 certification assessments.
The number of assessments over the phase-in period was estimated using data from the Electronic Data Access system for the contracts containing DFARS clause 252.204–7012 in fiscal years 2019, 2020, and 2021, as well as data calculated for the initial CMMC Program. This data was used in combination with an expected growth factor to estimate DoD contracts and orders in the future. Data also showed the number of awards that were made to small entities and other than small entities. The resulting estimate was phased in over 7 years to allow the ecosystem to grow and accommodate an increasing number of assessments. The assumptions and analysis of costs are provided in the regulatory impact analysis for this rule and are explained in depth. One of the assumptions is that Non-Small Entities have a team of full-time cybersecurity professionals on staff while Small Entities do not. The assumptions reflect that Small Entities will likely obtain support from External Service Providers and have a staff member submit affirmations and SPRS scores for self-assessments (when applicable). DoD included an analysis of costs to meet CMMC requirements in the regulatory impact analysis for this rule. As described in the estimate included with the rule, the major cost categories for compliance with CMMC requirements are anticipated to include costs for completing a self-assessment (e.g., Level 1 or 2); costs to prepare for and undergo C3PAO assessment (Level 2); and costs required to implement the Level 3 security requirements and to prepare for and undergo DCMA DIBCAC assessment (Level 3). Market forces of supply and demand will determine C3PAO pricing for CMMC Level 2 certification assessments. The CMMC rule does not make any change to cost allowability as defined in FAR 31.201–2, Determining Allowability.
As addressed in the Assumptions section of the Regulatory Impact Analysis (RIA), the cost estimates for CMMC Levels 1 and 2 are based only on the assessment, certification, and affirmation activities that a defense contractor, subcontractor, or ecosystem member must take to allow DoD to verify implementation of the relevant underlying security requirements. For CMMC Level 3, cost estimates to implement applicable security requirements are included, as they are a new addition to current security protection requirements. Section H costs of existing/past contracts do not apply. CCP and CCA certification costs are set by the CAICO and are market driven. The hours used in the cost estimations are based on estimates by subject matter experts. The 417.83 hours per response questioned by the commenter ties to C3PAO reporting and recordkeeping requirements for Level 2 certification assessment on small entities as identified in table 36, not Level 1 or table 39 as stated in the comment. In response to public comments received in the initial 48 CFR CMMC interim final rule public comment period, DoD streamlined the CMMC model to ease the assessment burden. At the same time, estimates were increased for the time and cost of self-assessment based on industry and DIBCAC input. DoD estimates are based on defendable assumptions and documented labor rates. Therefore, DoD declines to modify the self-assessment estimates. The DoD has streamlined CMMC requirements to align directly to NIST guidelines, eliminated unique security practices to ease the burden on smaller companies, and included an analysis of costs to meet CMMC requirements in the regulatory impact analysis for this rule. The DoD declined to modify the estimates, which are intended to be representative and to inform rulemaking. Verifying compliance with applicable security requirements may increase cost and is necessary for the protection of DoD CUI.
The cost of lost technological advantage over potential adversaries is greater than the costs of such enforcement. The value of information (and impact of its loss) does not diminish when the information moves to contractors. DoD rejected the recommendation to adjust the annual requirement for senior affirmations to a triennial requirement to decrease senior affirmation costs. The requirement for annual affirmations is to ensure that the Affirming Official responsible for CMMC requirements is monitoring compliance with the requirements. If compliance is being maintained as required, this should not require more time or cost than provided in the estimates. Further, DFARS clause 252.204–7012 already requires NIST SP 800–171 continuous monitoring via requirement 3.12.3. DoD also declined to make the recommended edits to further delineate a company’s internal review of self-assessments and reaffirmations in the cost assumptions. The cost estimates provided for this rule represent average costs for companies to comply with the CMMC requirement, including the need for self-assessment or independent assessment against the specified standards. Whether the OSA elects to satisfy those requirements themselves, or by using one ESP for many requirements, or by using several ESPs for individual requirements, is a decision to be made by the OSA. That decision does not change DoD’s estimate of average costs to meet CMMC requirements. The DoD declined to recalculate cost estimates using lower costs for ESP assessments. The 7% discount rate is not a discount for organizations. The discount rate is a part of a formula used in a business impact analysis calculation. When calculating 20 years in the future, a discount rate is used to determine the net present value of money.
Discount rates are explained in step seven of OMB Circular A–4: Regulatory Impact Analysis: A Primer. The DoD does not agree with the commenter’s assertion that the cost estimates greatly understate the costs and burden of Level 1 compliance. The 15 FAR security requirements that comprise CMMC Level 1 should already be implemented if an OSA network processes, stores, or transmits FCI. In addition to NIST SP 800–171A Jun2018, the CMMC Level 1 Assessment Guide provides supplemental information to help facilitate implementation and assessment of the Level 1 security requirements.

b. Economic Impact

Comment: One comment suggested the government evaluate the economic impact of implementing the rule’s reporting requirements at scale. Another comment expressed the notion that the cost impact analysis does not account for the free market response, referring to the associated cost increases and schedule delays that directly impact the warfighter and taxpayer. The commenter suggested the cost could dwarf both the cost of implementing compliance and achieving certification. One comment stated the CMMC Level 2 and Level 3 cost burdens for companies that were historically never subjected to such requirements may be disproportionate to the risk their operations pose to the inadvertent disclosure of CUI or FCI. It suggested ensuring requirements be proportional to the subcontractor’s activity and risk levels. The comment further mentioned that costs may be passed on to the prime contractor, and DoD should consider providing recovery costs in the price of implementation.
One comment stated that 100% compliance to CMMC Level 2 certification may be financially unachievable and suggested that if a risk assessment shows the likelihood of harm is comparatively low, the DoD should direct CMMC Program assessors to use their professional judgment and not require seeking maximum evidence of compliance where there is evidence of sufficiency.

Response: The DoD has already evaluated the reporting requirements, and the analysis of the costs is provided in the Regulatory Impact Analysis published with this rule. The DoD declined to respond to speculative or editorial comments about downstream impacts of the market’s reaction to CMMC, all of which are beyond the scope of this rule. The DoD declined the recommendation to restructure CMMC to be proportional to the subcontractor’s activity and risk levels. DoD must enforce CMMC requirements uniformly across the Defense Industrial Base for all contractors and subcontractors who process, store, or transmit CUI. The value of information (and impact of its loss) does not diminish when the information moves to contractors and subcontractors. Assessors exercise judgment in determining when sufficient and adequate evidence has been presented to make an assessment finding. This is consistent with current DIBCAC High Assessments and assessments conducted under the Joint Surveillance Voluntary Assessment (JSVA) program. Furthermore, to reduce burden to small businesses, the CMMC program has implemented flexibility with self-assessment, POA&Ms, and waivers.

c. Cross-Functional Requirements and Artifacts

Comment: Multiple comments maintained that DoD underestimated the cross-functional (Human Resources, Physical Security, Training, etc.) man-hours and associated cost to collect artifacts and evidence in preparation for a C3PAO assessment. One comment stated the DoD’s overestimation of CMMC Level 1 requirements would correspond to an underestimation of compliance costs.
The comment referred to current NIST requirements and asserted that potential revisions would force changes to POA&Ms, causing additional costs beyond those included in the estimates. The comment suggested the DoD should determine the range of potential compliance timelines, the use and value of existing and planned POA&Ms, and true certification costs, both for initial compliance as well as ongoing maintenance and oversight. One commenter claimed too much funding was expended over the past 5 years for the CMMC database system.

Response: OSCs prepare for C3PAO assessments based upon NIST guidelines as addressed in § 170.17. The cost and time estimates, which represent the time to gather the evidence to address all assessment objectives, are derived averages based on internal expertise and public feedback in accordance with OMB Circular A–4 Regulatory Impact Analysis: A Primer. The size and complexity of the network within scope of the assessment impacts the costs as well. The time estimates represent average derived estimates based on internal expertise and public feedback in accordance with OMB Circular A–4. The size and complexity of the network within scope of the assessment impacts the time estimates as well. The DoD does not concur with the commenter’s claim that too much funding has been spent to develop the DoD’s database for the CMMC Program.

d. Duplication or Overlap

Comment: One comment asserted CMMC requirements may be duplicative of or conflict with existing utility industry compliance requirements that address CUI, since utility companies will not require CMMC Level 3 certification. They proposed the utilities and the DoD collaborate to harmonize requirements to limit the financial burden. One comment highlighted a concern about costs for companies that have multiple contracts, each with different CMMC Program requirements.
Concerns were specifically based on the increased costs from CMMC Level 2 to CMMC Level 3 compliance and assumed costs would be borne by contractors. They expressed similar concerns about costs for FedRAMP certification, given a purported backlog in FedRAMP authorizations.

Response: Addressing the harmonization between the DoD, contractors, and subcontractors is beyond the scope of this rule. These are functions of the DIB Sector Coordinating Council and the DIB Government Coordinating Council. Additionally, non-DoD programs are outside the control and scope of the 32 CFR part 170 CMMC Program rule. The DoD encourages prime contractors to work with their subcontractors to flow down CUI with the required security and the least burden. DoD is aware organizations may receive multiple contracts that may require different CMMC levels based upon programmatic data security needs. It is beyond the scope of this rule to dictate how OSAs manage varying contract requirements. Contractors that have achieved a CMMC Level 2 or Level 3 certification automatically meet a stated requirement of a lower CMMC level if the same system/assessment scope will be used in performance of the contract.

30. Alternatives

a. Alternate Programs

Comment: Many comment submissions included lengthy proposals for alternatives to the CMMC program purported to alleviate specific concerns with aspects of CMMC program requirements. In some cases, the concerns were based on a misreading of the rule’s content. The DoD has addressed some valid concerns through rule revisions that differ from the recommendations. One commenter suggested eliminating compliance assessments in favor of establishing a DoD office to conduct penetration testing of each DIB company’s network every two years.
Other commenters also recommended the DoD establish a secure portal and share CUI with contractors only through that portal, as a way for the DIB to avoid the cost of securing their information systems. One commenter suggested the DoD monitor use of waivers and utilize this secure portal approach when CMMC waivers apply. Similar recommendations included sharing CUI only through password encrypted files or requiring contractors to store CUI in restricted access folders. In similar suggestions, several commenters thought the DoD should provide its contractors with training, GFE and other tools necessary to secure the contractor owned information systems being used to process or store CUI. One such commenter stated that the Government should appropriate funding for secure solutions rather than phasing in compliance assessments. One commenter suggested the DoD consider industry’s application of alternate security mechanisms in lieu of CMMC Levels 2 and 3. Another recommended the DoD stand up a voluntary DIB Cyber Protection Program to improve real-time monitoring of the DIB, improve cybersecurity for firms that cannot afford the needed professional staff, and offer data and legal protections to DIB firms. Another such commenter suggested that DoD fund securing the DIB through contract incentives. One commenter recommended mandating DIB use of the DoD CIO’s DIB CS Program or other DoD cybersecurity related services as alternatives to the CMMC program. That comment suggested reassigning Government personnel to provide training for all assessors, to reduce training cost and ensure enough assessors to meet demand. Another commenter made similar recommendations about CISA cybersecurity service offerings.

Response: Many comments included lengthy proposals for alternate approaches to the CMMC program which would alleviate specific concerns with aspects of CMMC program requirements.
In some cases, the suggestions were based on a misreading of the rule’s content. The DoD has addressed some valid concerns via rule revisions that differ from commenter recommendations. The DoD notes with interest one commenter’s reference to initiatives described in a report to Congress about the breadth of cybersecurity related initiatives within the Department. While the CMMC is an important initiative, it is by no means the Department’s only effort to improve DIB cybersecurity. The CMMC Program addresses adequate safeguarding of contractor owned information systems which process, store, or transmit FCI or CUI. Other DoD initiatives related to secure cloud or software development environments are beyond the scope of the CMMC Program. The DoD did not adopt suggested alternatives, such as policy-based solutions that lack a rigorous assessment component. The DoD determined that sharing CUI only through DoD-hosted secure platforms, in lieu of implementing the CMMC Program, was not a scalable or cost-effective solution. Although the DoD expanded the availability of resources through the DIB Collaborative Information Sharing Environment (DCISE) program, the DoD also declines to rely only on training in lieu of assessment. The purpose of CMMC is to require defense contractors and subcontractors to undergo an assessment to verify the implementation of prescribed cybersecurity standards. The security requirements are already specified in existing regulations (32 CFR part 2002, DFARS clause 252.204–7012, and FAR clause 52.204–21). Comments which suggest that enrollment in the DoD’s DIB CS Program can be an alternative means of meeting the objectives of CMMC misinterpret the services that the DIB CS Program provides. The DIB CS Program does not provide any mechanism for verifying whether those participants have secured their contractor owned information systems to the standards required by DFARS clause 252.204–7012. 
Likewise, the recommended NSA cybersecurity offerings also do not provide the same verification mechanism that CMMC will provide. CMMC Program requirements apply to contractor-owned information systems that process, store, or transmit FCI and CUI. Hardware and software approving authorities for GFE are not relevant to this CMMC rule. The DoD declined to adopt the recommendation to provide GFE to DIB contractors to maintain security, ownership of data and support Clinger-Cohen Act compliance. Some comments received reflect a misinterpretation of the cost estimates that accompany this rule, which are intended to inform the rulemaking process. The cost estimates are not indicative of a funded budget line which could be reprogrammed to fund a new agency to meet the objectives of the CMMC Program. Comments recommending that funding be appropriated (by Congress) to provide the DIB with security solutions are beyond the scope of this rule.

b. Alternate Standards

Comment: One commenter recommended aligning requirements to DoD policies rather than to NIST standards and relying on FISMA compliance assessments in lieu of the CMMC model. Another commenter recommended the DoD and NIST work with other international standards organizations to incorporate CMMC requirements (really NIST standards) into existing ISO/IEC and CMMI standards. In general, these commenters recommended DoD accept alternate assessments conducted against alternate standards by assessors with alternate training and qualifications. They further recommended that DoD issue an RFI seeking recommendation of alternate third-party assessment schemes. One commenter recommended the rule be modified to require that contracts with a CMMC level 3 requirement also require use of a FedRAMP moderate or higher CSP, and that contracts with a CMMC level 2 requirement permit use of CSPs with either FedRAMP Moderate authorization (or higher) or CMMC level 2 or 3 certification assessment.
Response: CMMC is based on the executive branch’s CUI Program as the authoritative source, as codified in 32 CFR part 2002. The definition of CUI and general requirements for its safeguarding are included in 32 CFR 2002.4 and 2002.14, respectively. 32 CFR 2002.14(h)(2) specifically requires that ‘‘Agencies must use NIST SP 800–171 when establishing security requirements to protect CUI’s confidentiality on non-Federal information systems . . .’’ The CMMC Program makes no change to the CUI program or its implementing policies. Contractually, DFARS clause 252.204–7012, effective since December 2017, requires contractors to implement the NIST SP 800–171 security requirements to provide adequate security applicable for processing, storing, or transmitting CUI in support of the performance of a DoD contract. That requirement applies regardless of the number of computers or components in a non-Federal information system. The CMMC Program provides an assessment mechanism to verify that prospective offerors comply with the applicable information security requirements. All executive agencies are required to follow the policies described in 32 CFR 2002.14. DoD aligned CMMC requirements with NIST SP 800–171 R2 because it is enterprise focused and is already required in DoD contracts when DFARS clause 252.204–7012 is applicable. DFARS clause 252.204–7012 and NIST SP 800–171 R2 provide the cybersecurity requirements, whereas CMMC validates implementation of those requirements. CMMC does not duplicate these documents. The DoD publishes Security Technical Implementation Guides (STIGs) for specific products, primarily to guide secure implementation in DoD systems. The OSA is responsible for creating the implementation guidance they will use to meet the CMMC security requirements.
OSAs are free to use the DoD STIGs if they feel they are appropriate. The DoD does not want to limit the choices available to the OSA for implementation guidance. In addition, the DoD declines to create STIGs for all products that might be used in the OSA’s environment. Some comments lacked relevance to the rule’s content, which is limited to specific CMMC program requirements. Changes to DFARS clause 252.204–7012 are outside the scope of this rule. DoD declines to modify CMMC Level 2 or Level 3 requirements related to use of Cloud Service Providers (CSP). A CSP is assessed against the FedRAMP Moderate baseline. This is required when a CSP, regardless of the component or type of CSP, processes, stores, or transmits CUI. The DoD declines to align CMMC requirements to alternate standards or accept compliance with alternate standards in lieu of the NIST SP 800–171 standard mandated by 32 CFR part 2002 for the protection of CUI. CMMI is focused on improving the software development process, while CMMC is focused on verifying the proper implementation of DIB cybersecurity requirements. Incorporating requirements into new or other existing standards would unacceptably delay action to improve DIB cybersecurity. The DoD must take action to improve DIB cybersecurity, regardless of the global state of cybersecurity. DoD’s publication of this rule follows completion of OMB’s formal rulemaking process, which includes both DoD internal coordination and Interagency coordination. The recommendation for the DoD to establish a voluntary DIB Cyber Protection Program is beyond the scope of this rule. One commenter recommended administrative edits to identify CMMC levels at a particular place in the preamble description of the program. The preamble is not part of the official regulation.
In addition to background and overview information about the proposed or final rule, the preamble includes responses to all comments received during the public comment period on the proposed rule. The certification requirements are in subpart D, §§ 170.15 through 170.18.

c. Alternate Implementation Timelines

Comment: Several commenters suggested that DoD abandon CMMC requirements in favor of simply continuing to rely upon self-assessments, or else allowing contractors to comply with DFARS clause 252.204–7012 requirements absent any assessment (self-conducted or third-party). Of those recommending self-assessment, two commenters limited the suggestion only to companies that self-certified as small businesses and one further recommended that DoD pay for certification assessment of all small businesses. One such commenter based their opinion on an interpretation that text in NIST SP 800–171 R2 identifies the requirements as a model for self-assessment. Another commenter made no suggestion to change assessment requirements, other than to implement them post-award, rather than pre-award. One comment expressed doubt in the ability of the ecosystem to scale sufficiently to meet the demand for C3PAO assessments and assessor training. One commenter suggested the rule be revised to eliminate POA&Ms but expand the period during which deficiencies can be reassessed from within 10 days of initial assessment to 60 days for those prospective contractors. Another commenter suggested varying timelines for POA&Ms based on a variety of criteria, including how many DoD contracts are held.

Response: The DoD declined to accept the risk associated with implementing CMMC solely as a post-award requirement. When contracts require contractors to process, store, or transmit CUI, DoD requires that they be compliant with DFARS clause 252.204–7012 and competent to adequately safeguard CUI from the beginning of the period of performance.
DoD declines the recommendation to require primes to assume the cost of CMMC for their subcontractors. Arrangements between contractors and subcontractors are negotiated directly between those parties. The DoD does not accept the recommendation to eliminate or change the criteria for POA&Ms or the timeline allowed to remediate open POA&M items. The 180-day period allowed for POA&Ms and the determination of which weighted practices can be placed on a POA&M was a risk-based decision. The determination considers the relative risk DoD is willing to accept when a particular practice is not met and the amount of risk the DoD is willing to accept for those security practices that go ‘‘NOT MET’’ for an extended period. The Department declines to adopt the recommendation to allow DIB members to assist in designing the DoD’s mechanism for assessing DIB compliance with DoD’s contractual requirements. In developing the CMMC program, the DoD sought and considered DIB input. DoD disagrees with the comment that there is a lack of scalability in the CMMC program. The phased implementation plan described in § 170.3(e) is intended to address any CMMC Ecosystem ramp-up issues, provide time to train the necessary number of assessors, and allow companies the time needed to understand and implement CMMC requirements. The rule has been updated to add an additional six months to the Phase 1 timeline. As with all its programs, the Department intends to effectively oversee the CMMC Program and act as needed to manage its effective implementation. Although the full extent of DoD’s oversight process is beyond the scope of this rule, the rule text addresses DoD’s authority to waive the application of CMMC requirements when warranted in accordance with all applicable policies, procedures, and approval requirements. DoD has utilized a phased approach to the rollout to reduce implementation risk. 
CMMC Program requirements make no changes to existing policies for information security requirements implemented by the DoD. It is beyond the scope of this rule for DoD to determine the order in which organizations are assessed.

d. Alternate Assessors or Assessments (Including Self-Assessment Only)

Comment: One commenter submitted numerous recommendations based on an opinion that skills required for conducting CMMC compliance assessments are like those required for conducting Independent Technical Risk Assessments (ITRAs) on Major Defense Acquisition Programs (MDAPs). Such assessments are conducted by the Office of the Undersecretary of Defense for Research & Engineering (OUSD(R&E)) in accordance with Defense Technical Risk Assessment Methodology (DTRAM) criteria. These criteria extend beyond compliance with cybersecurity requirements and include characteristics such as modular open systems architecture, software, manufacturing, reliability, availability, maintainability, and others. This commenter noted the DoD’s Adaptive Acquisition Framework applies to both Information Systems and National Security Systems and suggested that existing acquisition requirements pertaining to ITRA and DTRAM should suffice in lieu of CMMC assessments. The commenter recommended that DoD use existing ITRA teams to perform compliance assessments of contractor-owned information systems. In addition, they recommended aligning requirements to DoD policies rather than to NIST standards. Other comments made similar suggestions to synchronize cybersecurity requirements with DoD policies rather than NIST standards but cited FISMA compliance assessments as the appropriate model rather than the DTRAM. One comment suggested that C3PAOs be permitted to conduct partial assessments of ESPs, MSPs, and MSSPs.
Multiple comments expressed concern with CMMC assessment requirements for OSAs that use ESPs, stating that OSAs would be unlikely to know which components of the services they purchased were covered by a required CMMC Level 2 assessment. This commenter recommended the creation of a separate type of CMMC assessment specifically for ESPs, which they further recommended should be highlighted on the CMMC AB marketplace to assist OSAs in selecting an appropriately vetted ESP. These comments provided an extended description of the specific scoping guidance that should be added to existing CMMC supplemental documentation, as well as several sample scenarios explaining how requirements for this new type of assessment should be applied. Two comments highlighted that the rule’s preamble does not include details of assessment and implementation requirements. Several commenters recommended the DoD abandon the CMMC ecosystem model and conduct all cybersecurity compliance assessments using DIBCAC assessors, which would reduce cost to the DIB. One such commenter suggested that DIBCAC assessment of C3PAOs, as part of the accreditation process, detracts from DIBCAC’s capacity to perform CMMC level 2 assessments for the DIB. Another noted that as Government employees, DIBCAC assessors could exercise judgement to make risk-tolerance decisions that non-Government C3PAOs cannot, including possible acceptance of partial noncompliance.

Response: DoD must enforce CMMC requirements uniformly across the Defense Industrial Base for all contractors and subcontractors who process, store, or transmit CUI. The value of information and impact of its loss does not diminish when the information moves to contractors and subcontractors. The DoD has considered the recommendation and declines to revise the rule text to rely solely on self-assessment or eliminate the 3-year validity period to rely on a one-time certification.
It is important that contractors maintain security compliance for systems that process, store, or transmit DoD CUI. Given the evolving cybersecurity threat, DoD’s best interests are served by ensuring that CMMC Level 2 assessments remain valid for no longer than a 3-year period, regardless of who performs the assessment. CMMC Program requirements in this rule are designed to improve compliance with requirements for safeguarding of FCI and CUI. DoD has privity of contract to enforce these requirements and CISA does not. OSAs are free to choose CISA services as part of their implementation of DoD requirements. FISMA is for Federal systems that are used by Government personnel or the public and is therefore an unsuitable surrogate for CMMC requirements. If a contractor provides outsourced IT services to a Federal agency, the system is considered a Federal system and FISMA applies. In contrast, CMMC requirements apply to nonfederal systems that are used internally by contractor personnel. The DoD disagreed with the commenter’s assertions about NIST SP 800–171 R2 and the available assessment methods. DoD’s DIBCAC currently performs assessments using the procedures in NIST SP 800–171A Jun2018, and these documents explicitly identify the target audience to include individuals with security assessment responsibilities, such as auditors, assessors, and ‘‘independent verifiers’’. The aggregated SPRS reporting and scoring is CUI. The DoD does not wish to make this information public, which might aid adversaries in coordinating their attacks. The CMMC Program does not alleviate or supersede any existing requirements of the Adaptive Acquisition Framework, nor does CMMC alter any statutory or regulatory requirement for acquisition program documentation or deliverables. One commenter referenced assessments required during the acquisition process for DoD systems.
DoD’s policies governing acquisition programs require that Independent Technical Risk Assessments be conducted on Major Defense Acquisition Programs. These assessments provide a view of program technical risk and are not well-suited to the assessment of contractor-owned information systems against standards for safeguarding CUI. CMMC assessments are conducted on contractor-owned information systems to gauge compliance with FAR and DFARS requirements for safeguarding FCI and CUI that is processed, stored, or transmitted within those contractor-owned information systems. One commenter incorrectly asserts that the CMMC Scoring Methodology does not parallel existing scoring methods; however, the CMMC methodology is based on the DoDAM. The DoD declined to accept the recommended alternative of self-assessment with the potential to require DIBCAC assessment for a sampling of DoD contractors, which is essentially the status quo. Both GAO reporting and other DoD analysis have shown that the DIB has not consistently implemented the NIST SP 800–171 requirements needed to comply with DFARS clause 252.204–7012, even though DoD’s objective was for the contractor to implement NIST SP 800–171 as soon as practical, but not later than December 31, 2017. The DoD reserves the right to decide when reliance on self-assessment will suffice, and when compliance should be assessed through CMMC certification. Based on DoD decision criteria that include a risk assessment of the type and sensitivity of program information to be shared, Program Managers will identify the appropriate CMMC requirement (e.g., CMMC Level 2 self-assessment or Level 2 certification) in the solicitation. The government does not have the capacity in house to adequately assess the 220,000+ companies in the DIB.
The DoD cannot assume the workload of directly assessing every DIB contractor. With this final rule, DoD established a scalable way to verify, through assessment, that contractors have implemented required security measures necessary to safeguard DoD information. The DIBCAC’s mission is derived from DoD priorities and the Department is actively working to ensure that the DIBCAC is adequately resourced to effectively execute its mission areas. Planned changes to DCMA staffing levels have been considered and are necessary to implement the elements of the CMMC program described in this rule (i.e., Level 3 and C3PAO assessments). By design, the CMMC Program depends on the supply and demand dynamics of the free market, enabling it to naturally scale and adapt to capacity requirements. The DoD established requirements for each part of the CMMC ecosystem to support a robust compliance assessment mechanism for DoD’s contractual requirements to safeguard CUI that is processed, stored, or transmitted in contractor-owned information systems. One commenter provided numerous comments expressing concern that OSAs that use ESPs will be unlikely to know which ESP services require CMMC assessment within the OSA’s boundary or scope. This commenter recommended an alternate type of CMMC assessment specifically for ESPs. In lieu of adopting that recommendation, the DoD has updated the rule in §§ 170.19(c)(2) and (d)(2) to reduce the assessment burden on ESPs. DoD declined to allow partial CMMC Assessments. ESPs may request voluntary CMMC assessments of their environment and use that as a business discriminator. The marketplace for ESP services will adjust to find the efficient manner for ESPs to support OSA assessments.

e. Alternate Governance

Comment: Rather than abandon the CMMC ecosystem model entirely, some commenters recommended only that DoD revise the CMMC Accreditation Body’s roles and responsibilities. Three recommended the DoD eliminate the CMMC AB and take on its responsibilities; of these, one further suggested the DoD publish detailed Security Technical Implementation Guides describing how to implement the applicable NIST requirements. One commenter questioned the reasons for creating a CMMC AB rather than accepting another existing accreditation body or multiple accreditation bodies. One comment expressed doubt in the ability of the ecosystem to scale sufficiently to meet the demand for C3PAO assessments and assessor training. Multiple comments called for organizations other than the current CMMC AB to run the CMMC ecosystem, such as a CMMC Advisory Council or a Civilian Cybersecurity Corps comprised of government and private sector staff. One such comment requested that, unlike the current CMMC AB, the proposed body would be funded and managed by the government. Two commenters recommended the DoD consider accepting other types of conformance assessment such as ISO/IEC 27001:2022(E) and Health Information Trust Alliance (HITRUST) certification. One noted this would require guidance to describe how to address the gaps between the standards those assessments are aligned to and those that CMMC is aligned to (e.g., NIST SP 800–171 R2 for CMMC Level 2). This commenter further suggested that DoD accept alternate industry certifications in lieu of the training requirements identified for CMMC Assessors. One commenter suggested the DoD accept FedRAMP authorization to meet CMMC assessment requirements.

Response: DoD considered many alternatives before deciding upon the current CMMC structure. The DoD established requirements for a CMMC Accreditation Body, and this accreditation body will administer the CMMC Ecosystem.
The DoD reviewed and assessed the whitepapers that were submitted by RFI respondents and determined that no single respondent could meet all the broad facets required to serve as the CMMC Accreditation Body. Based on this assessment, the DoD published notice of a planned meeting in November 2019 to allow the respondents and other members of the public to hear the senior DoD leadership address DoD perspectives regarding the notional CMMC implementation flow; the notional program structure; the notional CMMC Accreditation Body activities, structure, and relationship with the DoD; and the notional CMMC implementation schedule. The DoD also provided information regarding the Department’s planned way forward. The result of the November 2019 meeting was the establishment of the current CMMC Accreditation Body. The relationship between the current CMMC Accreditation Body and the DoD was formalized through a Memorandum of Understanding and then a No-Cost Contract. The DoD cannot assume the risk or the workload of directly managing the CMMC Ecosystem or the other alternatives suggested. The current CMMC Accreditation Body is aligned to the DoD through contractual arrangements.

31. Rulemaking Process

Comment: Some comments were submitted to identify problems with using the Federal eRulemaking Portal (at www.regulations.gov) or the Federal Register website and did not address content of the proposed rule. One commenter was confused by the identification of the rule as ‘‘Proposed’’ rather than final. Another asked whether the rule could be republished with page numbers. Many comments critiqued the format, heading and section numbering, use of incorporation by reference, or sections contained within the rule, rather than the substance of the content. For example, some comments described the CMMC rule as overly repetitive or containing duplicative sections.
Some comments recommended deleting specific sections to shorten or simplify the rule, including ‘‘History of the Program’’. Some commenters perceived the preamble to the rule as unnecessary and recommended deleting or shortening that section. In addition, one commenter noted that responses to public comments received against an earlier CMMC rule publication ought to be published with the 48 CFR part 204 CMMC Acquisition rule rather than this 32 CFR part 170 CMMC Program rule. Several commenters simply thought the rule text too verbose and recommended rewriting the content with fewer words and simpler language or using tables to shorten the content. One comment criticized the organization of the documents. Several comments addressed references to documents outside the rule, or those that are incorporated by reference. One commenter asked how the DoD will recognize when revisions to documents incorporated by reference cause them to be misaligned with the requirements identified in this rule. Other comments requested that additional documents be incorporated by reference, such as DoD Instructions on CUI and the DISA Cloud Security Technical Reference Architecture. Some commenters complained that the page count of the rule and documents incorporated by reference was too high and asked whether contractors are expected to read them all. Two commenters objected to certain terms in the definitions section pointing to other documents as the source of the definition. One further suggested that such definitions be revised to simply point to the URL of the source definition. Some comments recommended moving content from the new 32 CFR part 170 CMMC Program rule to the CMMC supplemental documents or changing citations to reference them rather than the NIST documents that are incorporated by reference.
Another asked why the scoring methodology was incorporated into the rule, rather than incorporated by reference. One comment questioned whether the supplemental documents are truly optional, rather than required for compliance with CMMC program requirements. One comment stated a public comment period should be required for all supplemental guidance prior to final publication. One commenter asked what precipitated implementation of the CFR, which the DoD interpreted as a question about codification of the CMMC program in the CFR. One commenter asked whether the rulemaking process had afforded a certain group the opportunity to coordinate or comment on the rule. Another referenced the separate 48 CFR part 204 CMMC Acquisition rulemaking effort needed to implement the content of this rule and urged the DoD to consider public comments on both rules prior to their publication as final. One comment specifically suggested the CMMC program be implemented Government-wide. One commenter simply submitted a copy of a CMMC-related article from the February 2024 issue of National Defense Magazine and quoted or extracted from it rather than providing any specific comment or question.

Response: The process for creating Federal regulations generally has three main phases: initiating rulemaking actions, developing proposed rules, and developing final rules. A proposed rule is published for public comment prior to developing the final rule. A final rule must identify its effective date and be published 60 days prior to that date. The structure and formatting requirements for proposed and final rules and the process for submitting public comments are prescribed by the Office of the Federal Register and OMB, respectively, and are outside of DoD’s control. OMB approved publishing the CMMC rule as a Proposed Rule. It has undergone a required notice-and-comment process to give the public an opportunity to submit comments. The Proposed Rule and the comments received informed the final rule.
Issues with the Federal Register or www.regulations.gov functionality for submitting comments via attachment of pdf or other file types were raised with the appropriate help desk and resolved before conclusion of the public comment period. The public comment period for this rule permitted review and feedback from any member of the public. This rule follows the format and includes all sections required in OMB guidelines for formal rulemaking. The length of this rule is necessary to ensure all affected parties have sufficient information to understand and comply with the rule. Federal Register page numbers are visible when viewing the PDF version of the rule published Tuesday, December 26, 2023 (88 FR 89058; www.govinfo.gov/content/pkg/FR-2023-12-26/pdf/2023-27280.pdf). Material published in the Federal Register contains numerous sections, including portions that do not amend the CFR. Specifically, the preamble for this rule is written in a summary format and is not intended to provide the detailed information that is in the regulatory text. DoD declines to delete reserved sections because the editorial standard for orderly codification is that for every (a) there must be at least a (b), and for every (1) there must be at least a (2), etc. ‘‘Reserved’’ meets this standard when there is no additional text required. The DoD declined to make other administrative changes, because the recommendations did not result in a substantive change. One commenter correctly identified that the initial 32 CFR part 170 CMMC Program proposed rule included discussion and analysis of comments made against the prior publication of a 48 CFR CMMC interim final rule. The decision to include that material was made for the public’s convenience and to facilitate greater understanding of the 32 CFR part 170 CMMC Program proposed rule and the CMMC Program.
Codification of the CMMC Program requires publication of both the 32 CFR part 170 CMMC Program final rule and the 48 CFR part 204 CMMC Acquisition final rule. Each of those final rules will include a discussion and analysis of public comments received during their respective comment periods. The DoD CIO worked in conjunction with OUSD(A&S) to ensure that the 32 CFR part 170 CMMC Program rule and the 48 CFR part 204 CMMC Acquisition rule are in sync. The preamble is not regulatory text. The preamble includes a response to the significant, relevant issues raised in previous public comments on the original CMMC program. DoD declines to adopt recommendations to move content from the 32 CFR part 170 CMMC Program rule to the supplemental documents, which are not codified. As such, the supplemental documents are provided for optional use, and the regulatory text takes precedence. The CMMC Assessment Process (CAP) guidance is a product of the Accreditation Body and is not codified in the CFR as part of the CMMC rule, and the regulatory text in part 170 takes precedence. Comments on the CMMC Supplemental Guidance were received as part of the public comment period review. Final versions of these documents were published with this rule. Other supplemental materials published by the Accreditation Body do not convey government direction and therefore do not require rulemaking. Supplemental documents (e.g., CMMC assessment and scoping guides) are not codified in the CFR as part of the regulatory text. To codify CMMC program requirements, content must be included in the 32 CFR part 170 CMMC Program rule text. DoD developed the CMMC Assessment Guides to provide supplemental information to the public offering added clarity on the intent of the NIST SP 800–171A Jun2018 and NIST SP 800–172A Mar2022 guides.
The CMMC Assessment Guides are particularly important for security requirements with organization-defined parameters (ODPs) (e.g., CMMC Level 3). There is no requirement to use the supplemental guidance documents. Office of the Federal Register (OFR) regulations, at 1 CFR part 51, govern the IBR process. IBR is only available if the applicable regulations are published in the Federal Register and codified in the CFR. When incorporated by reference, this material has the force and effect of law, as do all regulations published in the Federal Register and codified in the CFR. 1 CFR part 51 requires the specification of a revision to a standard, for example NIST SP 800–171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, Revision 2, February 2020 (includes updates as of January 28, 2021), which is incorporated by reference in this rule. The DoD will determine when to update this rule after documents incorporated by reference have been revised. Per OFR guidance, § 170.4 points to other sections of part 170 where applicable and repeats definitions for terms incorporated by reference. Contractors complying with CMMC requirements need to be familiar with those documents that are incorporated by reference. The definition of subcontractor is not incorporated by reference, but rather points to a definition codified in 48 CFR 3.502–1, as recommended in OMB guidelines for formal rulemaking. DoD has determined that the Defense Information Systems Agency’s Cloud Security Technical Reference Architecture does not meet the criteria for approved IBR material. However, the rule has been updated to use a different definition for Cloud Service Provider.
The requirements of NARA’s CUI program (32 CFR part 2002) and DoD’s implementing policies for identifying and managing CUI are beyond the scope of the CMMC rule. The CFR is the codification of the Federal Government’s rules and regulations published in the Federal Register. The CFR was created with the passage of the Federal Register Act and amended in 1937 to provide a ‘‘codification’’ of all regulations at least once a year. The CFR reflects the tenet that the Federal Government must follow an open public process when rulemaking. Due to the broad application of CMMC requirements for DoD acquisition support by the defense industrial base, the Department determined that codifying the CMMC Program and its associated requirements in the 32 CFR part 170 CMMC Program rule (for national defense and security) was needed in conjunction with the corresponding DFARS contractual requirements codified in the 48 CFR part 204 CMMC Acquisition rule. The DoD has no authority to make CMMC a Federal-wide program. The notice of the required CMMC level is provided at time of solicitation. This does not prohibit contractors from pursuing CMMC assessments prior to receipt of a solicitation. DoD declines to comment on the reposting of information being reported in the media.

32. Administrative Changes to Terms, References and Notations

Comment: Over 160 comments asked for clarification of terminology or the addition, removal, or modification of a definition. Most requests focused on Security Protection Data and Assets, Senior Officials, Information System, External Service Providers, Cloud Service Providers, Managed Support Providers, Internet of Things, CMMC Security Requirements, Organization Seeking Assessment, and Organization Seeking Certification.
Numerous comments recommended the following terms could be clarified, expanded, or defined: ‘‘Defense Industrial Base’’, ‘‘personal information’’, ‘‘contractor’’, ‘‘sub-contractor’’, ‘‘Prime Contractor’’, ‘‘equipment’’, ‘‘contractor information system’’, ‘‘Information System’’, ‘‘system’’, ‘‘Information Resource’’, ‘‘CMMC Approved Training Materials (CATM)’’, ‘‘CMMC Certified Instructor (CCI)’’, ‘‘Provisional Instructor (PI)’’, ‘‘cyber incident’’, ‘‘Accreditation Body’’, ‘‘Assessment Findings Report’’, ‘‘Organizationally-Defined’’, ‘‘Organizationally-Defined Parameter (ODP)’’, ‘‘Periodically’’, ‘‘Risk Assessment’’, ‘‘Risk Analysis’’, ‘‘Supervisory Control’’, ‘‘Data Acquisition’’, ‘‘Operationally Critical Support’’, ‘‘System Security Plan (SSP)’’, ‘‘TTP’’, ‘‘CMMC’’, ‘‘COTS’’, ‘‘NARA’’, ‘‘C3PAO’’, ‘‘IS’’, ‘‘NSS’’, ‘‘Technology Asset’’, ‘‘Personnel Assets’’, ‘‘Asset Categories’’, ‘‘DIBCAC High’’, and ‘‘Enterprise’’.

Response: All requests for changes to terminology definitions, references, and usage have been reviewed. In response, many terms were updated in § 170.4 Acronyms and definitions. The DoD determined those terms that were not changed to be sufficiently defined and appropriately referenced, and the requested administrative changes would not have resulted in a substantive change.

a. SPA/SPD/Asset

Comment: Numerous comments asked the DoD to expand on the definition, explanation, and guidance for Security Protection Data (SPD) and Security Protection Assets (SPA). Several other comments requested that the rule and supplemental documents add or expand definitions for ‘‘Asset’’, including various specific types of assets like ‘‘Technology Assets’’, ‘‘Personnel Assets’’, ‘‘Organizational Assets’’, and ‘‘Specialized Assets’’. Some comments asked to modify the definitions for ‘‘Security Protection Asset’’, ‘‘CUI Asset’’, ‘‘FCI Asset’’, and ‘‘Out-of-Scope Assets’’.
Response: The DoD modified the rule to add a definition for ‘‘Security Protection Data (SPD).’’ The DoD considered the NIST definitions for ‘‘System Information’’ and ‘‘Security Relevant Information’’ in the development of the new SPD definition. CMMC does not regulate the OSA’s SPD, but instead implements existing regulatory requirements for the safeguarding of CUI. The DoD does not agree with the statement that the ESP definition conflates SPA with CUI assets. The definition of Security Protection Assets is consistent with its application in the NIST SP 800–171 R2 abstract. The phrase ‘‘FCI Assets are part of the Level 1 CMMC Assessment Scope and are assessed against all CMMC Level 1 requirements’’ was removed from the rule. The DoD declined to rephrase the term ‘‘CUI Assets.’’ The DoD reviewed the recommended edit and declined to make an update to ‘‘Out-of-Scope Assets.’’ The definition, as written, provides a clear distinction with Security Protection Assets (SPAs).

b. Senior Official

Comment: Several comments asked for additional definition or guidance about the Senior Official role.

Response: The DoD modified the rule to replace all references to the ‘‘Senior Official’’ with ‘‘Affirming Official’’ and provided additional clarity on this term. It is beyond the purview of the DoD to define technical qualifications for an OSA Affirming Official.

c. ESP/CSP/MSP

Comment: Some comments asked for additional clarification of the terms related to External Service Providers (ESPs) and Cloud Service Providers (CSPs). Two comments requested the rule add a definition and acronym for ‘‘Managed Service Provider’’.

Response: The DoD received numerous comments about the use of ESPs which do not process, store, or transmit CUI. In response to these comments, the DoD modified the rule to reduce the assessment burden on ESPs.
An ESP that utilizes staff augmentation, where the OSA provides all processes, technology, and facilities, does not require a CMMC assessment. The rule was also updated to add a definition of ‘‘CSP’’ that is based on the NIST SP 800–145 Sept2011 definition of cloud computing. The term ‘‘Managed Service Provider’’ is not used in the rule; therefore, the acronym was removed from § 170.4.

d. IoT/OT/ICS

Comment: Several comments recommended DoD clarify the definitions of IoT, OT, and ICS. Regarding IoT, one comment requested the rule specify that the exchange of data and information between devices occurs over the internet.

Response: As specified in the rule, IoT, IIoT, and OT are Specialized Assets, and all requirements associated with Specialized Assets apply to any equipment that processes, stores, or transmits CUI but is unable to be fully secured. The description of Internet of Things (IoT) in the Level 2 and Level 3 Scoping Guides is consistent with the definition of IoT in § 170.4 and is defined in NIST SP 800–172A Mar2022. Scoping Guide text also provides examples to help clarify what types of devices may be IoT. The definition of OT is from NIST SP 800–60 V2R1 and the definition of ICS is from NIST SP 800–82r3. Requests for revisions to these definitions should be addressed to NIST. OSAs determine the asset categories and assessment scope based on how and where they will process, store, and transmit FCI and CUI. The DoD declined to comment on individual use cases included in the comments.

e. Program and Security Requirements

Comment: Two comments asked for a definition of ‘‘Security Requirements’’ while another asked for the DoD to define the term ‘‘CMMC Program requirements’’ in the rule. Three comments addressed concerns with the CMMC security practices numbering scheme in §§ 170.14(c)(i).
One comment requested clarification on what constitutes a ‘‘priority’’ program. Another commenter stated the term ‘‘all applicable CMMC security requirements’’ is ambiguous and many OSAs will only attest to fulfilling the FAR 52.204–21 or NIST SP 800–171 R2 security requirements. The commenter felt this could lead to a significant disconnect at CMMC Level 2 since Level 2 includes security requirements associated with the use of ESPs, as defined in DFARS clause 252.204–7012 paragraphs (e.g., para (b)(2)(ii)(D)) and the DoD CIO FedRAMP Equivalency memorandum.

Response: CMMC Program requirements are all the requirements codified in the 32 CFR part 170 CMMC Program rule. The term ‘‘CMMC Security Requirements’’ is defined in § 170.14(c). The CMMC supplemental guidance documents add clarity; however, they are not authoritative and the rule itself takes precedence. The CMMC numbering scheme in the rule is a key element of the model that must pull together the independent numbering schemes of FAR clause 52.204–21 (for Level 1), NIST SP 800–171 R2 (for Level 2), and NIST SP 800–172 Feb2021 (for Level 3). For the CMMC Program, the numbering scheme must also identify the domain and CMMC Level of each security requirement. The term ‘‘priority program’’ is not used in the rule; therefore, no definition of this term is needed. A commenter incorrectly equated CMMC Program requirements with CMMC security requirements. To address potential confusion, the rule was updated to define ‘‘CMMC security requirements’’ as the 15 Level 1 FAR requirements, the 110 NIST SP 800–171 R2 requirements, and the 24 selected NIST SP 800–172 Feb2021 requirements.

f. OSA and OSC

Comment: Several comments requested clarification of the terms OSA and OSC. One recommended combining them into a single term.

Response: The definitions of Organization Seeking Assessment (OSA) and Organization Seeking Certification (OSC) are provided in § 170.4.
It is important to note that OSC is a sub-set of OSA.

g. Process, Store, or Transmit

Comment: Several comments asked about use of the term ‘‘Process, store or transmit’’. One asked about its application to a turnkey cloud-based CMMC solution and whether the intent was to consider ‘‘access’’ a subset of ‘‘process’’. Another recommended using the term ‘‘Handle’’ in lieu of this term and noted that this would also require amendments to DFARS clause 252.204–7012. Another comment recommended rephrasing the definition to provide clarity while another asked that the definition of ‘‘Process, store, or transmit’’ (§ 170.4(b)) explicitly include residence of data in memory, which has not previously been identified in this context and could raise interpretation issues.

Response: The phrase ‘‘process, store, or transmit’’ is more specific than the term ‘‘handle’’ and is consistent with DoD contract requirements for Non-Federal Information systems as specified in DFARS clause 252.204–7012. The DoD intended ‘‘Access’’ to be included in the ‘‘Process, store, or transmit’’ definition as written in § 170.4(b). An organization offering a turnkey cloud-based CMMC solution would be considered an ESP by this rule, and the rule was updated to address assessment and certification requirements of ESPs. The rule definitions are provided for additional clarity of the terms included in the rule and do not and cannot include every potential instance of a term’s application to a contractor’s information systems.

h. Clarification of Definitions for FCI and CUI

Comment: Three comments requested clarification of and noted inconsistency between the terms ‘‘FCI’’ and ‘‘CUI’’. One perceived ‘‘[FCI]’’ and ‘‘[CUI]’’ as new acronyms and asked why this rule includes them. One comment noted the inconsistent use of the terms ‘‘CUI and FCI’’ and ‘‘sensitive unclassified information’’ and recommended selecting one term for use throughout the rule.
Another comment requested that definitions for CMMC be distinguished with formatting or another notation.

Response: FCI is defined in FAR clause 52.204–21. The definition of CUI and general requirements for its safeguarding are included in 32 CFR 2002.4 and 2002.14, respectively. CUI is not a new acronym. The notation ‘‘[FCI]’’ is identified in table 2 to § 170.15(c)(1)(ii) to reflect its alignment to the requirements of FAR clause 52.204–21 for basic safeguarding of information. Similarly, ‘‘[CUI]’’ has been added to reflect the use of those requirements for CMMC Level 2, which is designed to protect CUI, not FCI. The DoD amended the rule such that ‘‘sensitive unclassified information’’ will consistently be replaced with ‘‘FCI and/or CUI’’ as appropriate.

i. Use of Terms Information and Data

Comment: One comment noted the terms ‘‘data’’, ‘‘technical data’’, and ‘‘information’’ are used synonymously throughout the rule and supplemental documents. They also noted that neither NARA’s CUI Registry nor NIST SP 800–171 R2 defines the word ‘‘information’’ and asserted this was a major oversight by NARA ISOO, the CUI Program Executive Agent. The commenter requested this rule adopt the term ‘‘Information’’ throughout the rule and only use ‘‘data’’ when specifically intended based on its definition. Another commenter requested the term ‘‘Technical Data’’ be replaced with the term ‘‘Information’’.

Response: As a commenter stated, both the CUI program and NIST use the term ‘‘information’’. Suggestions that the DoD work with NARA or NIST to define this term are outside the scope of this rule. Within this rule, data generally refers to individual facts, such as those submitted to eMASS or SPRS; however, data and information may be used interchangeably. DoD declined to make requested administrative edits because they would not result in a substantive change.

j. Source Materials Incorporated by Reference

Comment: Four comments asked for clarification of those documents incorporated by reference, or the specific versions of documents referenced in the rule.

Response: The DoD declined to incorporate by reference the Department’s role as data owner. NIST SP 800–53 R5 was incorporated by reference only for use with applicable definitions because it provided the latest definitions available. The OSA is responsible for determining its CMMC Assessment Scope and its relationship to security domains. Assets are out-of-scope when they are physically or logically separated from the assessment scope. Contractor Risk Managed Assets are only applicable within the OSA’s assessment scope. Table 3 to § 170.19(c)(1) is used to identify the asset categories within the assessment scope and the associated requirements for each asset category. A contractor’s risk-based security policies, procedures, and practices are not used to define the scope of the assessment; they are descriptive of the types of documents an assessor will use to meet the CMMC assessment requirements. To ensure the source of every definition is accounted for, the terms in § 170.4 either cite a reference or are designated as CMMC-custom using the notation ‘‘(CMMC-custom term).’’ The rule has been updated to eliminate the CNSS Glossary definitions and replace them with appropriate NIST definitions.

k. Miscellaneous Other Terms, References and Notations

Comment: Three comments asked about references to the DoD Manual 8570, ‘‘Information Assurance Workforce Improvement Program,’’ and one asked if the references should be replaced by the newer DoD Manual 8140. One commenter suggested DoD add an enhanced definition of ‘‘Security Domain’’ to the glossary.
One questioned use of the CNSSI–4009 Glossary instead of the NIST Glossary of Terms. One comment requested a change to text quoted from another source. One commenter asserted that the rule includes no reference to "existing FAR, DFARS, or DoD authoritative sources" and recommended that they be added instead of referencing NIST publications only. One comment asked if it is necessary to read and understand all FIPS, NIST SP 800, CNSSI, and ISO/IEC documents incorporated by reference in § 170.2. One comment requested the references for CMMC Assessment Guides in Appendix A be changed to NIST SP 800–171A Jun2018 and NIST SP 800–172A Mar2022. Two comments noted version numbers are not always provided for two specific document sources. Another comment requested references for supporting information, resources, and training for the DIB. A commenter asked if the term "Government Information Systems" was equivalent to the term "Federal Information Systems", while another expressed that the term "CMMC Level 2 Final Certification Assessment" was confusing given that "Assessment" and "Certification" are two separate and distinct terms. Another comment noted that the Summary Information section states there is a difference between a POA and a POA&M but recommended both terms be defined for clarity. One comment stated the "CMMC Certified Assessor (CCA)" definition and acronym are not used consistently in the rule and on the current CMMC AB's website. Another comment noted that the term "related practitioners" under the definition of CAICO in § 170.4 could be confused with the term "Registered Practitioners (RP)" used by the CMMC AB as their designation for consultants.
One comment stated that the DoD must be deliberate in its use of certain terms, especially the words "must" and "shall", which connote legal requirements, versus words like "will", "expected", "can", "may", "should", etc., which are permissive (i.e., optional). One commenter noted the word "practice" was replaced multiple times based on a comparison of prepublication drafts with the formal drafts that were published for public comment. Another comment asserted that the DoD is falsely describing the CMMC program as addressing "basic" cybersecurity requirements when this is the most demanding cybersecurity standard ever produced. One commenter objected to the CMMC Level 1, 2, and 3 Assessment definitions in § 170.4 referring to the content of corresponding rule sections and suggested that the definitions be deleted from § 170.4 unless they can be succinctly defined without doing so.

Response: The rule has been updated to reference DoD Manual 8140, "Cyberspace Workforce Qualification and Management Program," which replaced DoD Manual 8570, "Information Assurance Workforce Improvement Program." DoD Manual 8140.03 is available at: https://dodcio.defense.gov/Portals/0/Documents/Library/DoDM-8140-03.pdf. No changes were made to quotations from sources outside the rule. A definition cited from a source must exactly match the source; it cannot be altered. To address a commenter's misperception that the rule does not reference "existing FAR/DFARS, or other DoD authoritative sources," it should be noted that the CMMC proposed rule includes 54 mentions each of FAR clause 52.204–21 and DFARS clause 252.204–7012. The DFARS clause 252.204–7012 is added to DoD contracts to implement the requirements of NIST SP 800–171, which is the authoritative reference for adequate safeguarding of CUI.
Contractors complying with CMMC need to be familiar with those documents that are incorporated by reference, which address requirement-related topics. NIST SP 800–53 R5 is incorporated by reference only for applicable definitions because DoD chose to use the latest definitions available. The purpose of a reference listed in § 170.2 should be interpreted based on the context in which it is used. For example, the references provided in § 170.4 specify the source of the definition. The references for the CMMC Assessment Guides listed in Appendix A have been updated. These guides are largely derived from NIST SP 800–171 R2, NIST SP 800–171A Jun2018, NIST SP 800–172 Feb2021, and NIST SP 800–172A Mar2022. The DoD has updated § 170.3 to align with the FAR terminology and now reflects "Federal Information System" instead of "Government Information System". The DoD updated the rule to reference the latest version of "Cloud Security Technical Reference Architecture" and, where appropriate, to identify a revision number for NIST SP 800–171. Specific details of cybersecurity-related resources and training developed to support the DIB are outside the scope of this rule. As it becomes available, supporting resources and training information will be disseminated. Currently, multiple public resources are available to help educate companies on NIST and CMMC requirements. The DoD declined to respond to comments based on comparison of prepublication draft versions of the supplemental guidance documents. A commenter's claim that DoD views the CMMC program as only addressing "basic cybersecurity" is incorrect. Throughout the rule, references to "basic safeguarding" mean the requirements of CMMC Level 1, which align directly to the requirements of FAR clause 52.204–21. That FAR clause is titled "Basic Safeguarding of Covered Contractor Information Systems".
Similarly, the CMMC program establishes a CMMC Level 3 requirement to comply with a subset of requirements from NIST SP 800–172 Feb2021, titled "Enhanced Security Requirements for Protecting Controlled Unclassified Information." Section 170.4 includes acronyms and definitions used in the rule text. Terms from other authoritative sources are listed in § 170.4 and are properly sourced. 1 CFR part 51 governs drafting of this rule. The DoD updated the rule throughout to reflect new terminology better differentiating between the activity of undergoing an assessment and the CMMC Status that may result from that activity. An OSA undergoes one of the following: Level 1 self-assessment; Level 2 self-assessment; Level 2 certification assessment; or Level 3 certification assessment. The result of that assessment activity is either failure to meet minimum requirements or one of the following CMMC Statuses: Final Level 1 (Self); Conditional Level 2 (Self); Final Level 2 (Self); Conditional Level 2 (C3PAO); Final Level 2 (C3PAO); Conditional Level 3 (DIBCAC); or Final Level 3 (DIBCAC). The official DoD acronym for CCA is "CMMC Certified Assessor," as addressed in § 170.4. All CMMC terms and definitions provided in this 32 CFR part 170 CMMC Program rule are codified and therefore take precedence over definitions and acronym usage from the CMMC website or other sources. To avoid confusion in the ecosystem with the term "practitioner", the DoD modified the definition in § 170.4 to replace the word "practitioners" with "professionals." While "must" is a more commonly used term than "shall", both terms impose a requirement as defined in FAR 2.101 Definitions.

33. Rule Text Modifications

a. Changes to the Preamble

Comment: One commenter recommended that the supplemental Assessment Guides be consolidated with and cross-referenced to requirements for the CMMC Levels in the same document. Eighty-three comments requested changes to the preamble section of the rule text. Of those, 17 were incorporated and are summarized below.

Writing Style: Multiple commenters wanted shorter, simpler, and more focused wording, starting with changes to the first sentence in the Summary section.

Word Choices: In the "CMMC 2.0 Overview as Proposed by this Rule" section, several comments objected to the description of FAR clause 52.204–21 requirements as "elementary" or "basic". One comment asserted that "may" is not the correct verb for "Defense contracts . . . may include applicable requirements . . . ,". One comment suggested the preamble sentence "Once CMMC is implemented, the required CMMC level for contractors will be specified in the solicitation," be revised to use wording that is more consistent with other parts of the preamble and rule text. One commenter proposed edits to remove passive voice from a sentence in the preamble description of Key Changes Incorporated in the Revised CMMC Program. One commenter requested a change to reference the relevant DFARS clause 252.204–7012, rather than the DFARS subpart 204.73.

Clarifications: Two comments asserted that the description of the affirmations requirement could be misinterpreted as suggesting that primes and subcontractors all submit a single affirmation or that one contractor must affirm another's continuing compliance. One comment requested clarification about FedRAMP requirements for Cloud Service Providers. Some comments asked whether POA&Ms must be documented in the System Security Plan.
One comment recommended punctuation and grammatical edits and asked for clarification of rule text that discusses the impact of not logically or physically separating contractor-owned information systems that process, store, or transmit FCI (or CUI) from those that do not.

Response: This rule follows the format and includes all sections required in OMB guidelines for formal rulemaking. The DoD lacks authority to modify the template or omit required sections, as requested by some commenters. In addition, one commenter recommended that the supplemental Assessment Guides be consolidated with and cross-referenced to requirements for the CMMC Levels in the same document. The DoD interpreted this recommendation as a request to integrate all information in the supplemental guidance into the rule text, which does not align with rulemaking guidelines (1 CFR part 51). No changes were made to consolidate or integrate the supplemental guidance documents, which are not codified and are provided as optional resources to assist OSAs. The regulatory content in the 32 CFR part 170 CMMC Program rule takes precedence. Some commenters criticized the preamble summary paragraph, and one submitted a preferred rewrite that oversimplified the content so far as to alter the intended meaning. For that reason, the specific revisions were not incorporated. However, the DoD has revised the final rule to begin with a simplified statement of its purpose, as follows: "With this final rule, DoD establishes a scalable way to verify, through assessment, that contractors have implemented required security measures necessary to safeguard DoD's Federal Contract Information (FCI) and Controlled Unclassified Information (CUI)". The DoD strove to streamline the writing style. Note that the preamble is not part of the regulatory text; however, it is a required part of the rulemaking template.
The DoD made the following changes to the preamble based on requests for text modifications. The preamble is updated to change the verb "will" to "should", where appropriate. The preamble and regulatory text have been updated to clarify that a Plan of Action need not be part of the System Security Plan. The sentence in the preamble overview about FAR clause 52.204–21 requirements has been rewritten to describe them as "the minimum necessary" to receive FCI, rather than describing them as "elementary" for "basic" cybersecurity. Note that the title of FAR clause 52.204–21 is Basic Safeguarding Requirements. A preamble overview paragraph about Affirming Officials is revised to clarify that CMMC affirmations shall be submitted by the OSA and apply only to the information systems of that organization. DoD's use of the term OSA within the affirmations section is deliberate and conveys that each organization is responsible for affirmations pertaining to its own assessments. A preamble overview paragraph about Cloud Service Providers has been aligned to DFARS clause 252.204–7012 language and specifies that defense contractors must confirm that any CSPs they use to handle CUI meet FedRAMP Moderate Baseline standards. Wording in the preamble overview of the rule has been edited from "may include" to "require", to clarify a statement about when DFARS clause 252.204–7012 applies. One sentence in the preamble about the regulatory impact of CMMC Requirements has been edited into two sentences to make clear that solicitations identify CMMC contract requirements, rather than "for contractors", and that only contractors handling FCI or CUI must meet the specified CMMC requirements. The DoD has incorporated a suggested rewording to simplify the description of CMMC Level 2 assessments in the preamble paragraph describing Key Changes Incorporated in the Revised CMMC Program.

b. Changes to the Regulatory Text

Comment: Of the 52 comments that requested changes to the regulatory text (§§ 170.1 through 170.24), the nine which DoD incorporated are summarized below.

Word choices: In § 170.1(b), two comments posited that the word "enhance" is inaccurate in the phrase "The CMMC Program is designed to enhance protection of FCI and CUI . . .". In § 170.9(a) one comment noted that C3PAOs do not "grant" assessments, they "conduct" them. Another asked why, in table 3 to § 170.19(c)(1), the CUI Asset category needs to be assessed against "CMMC security requirements" but in table 5 to § 170.19(d)(1), the same category is assessed against "all CMMC security requirements." For § 170.4(b), one comment requested appending "and to the DoD" to the definition of Assessment Findings Report.

Paragraph Organization: For Applicability, a comment recommended changing the order of paragraphs in § 170.3 and other text changes to improve clarity.

Reference: One comment noted that the § 170.6(b) phrase "as provided for under DFARS clauses 252.204–7012 and 7020 . . ." is in error because the section describes CMMC PMO responsibilities and only DFARS clause 252.204–7020 references DIBCAC assessments of OSAs.

Redundancy: One comment asserted that § 170.9(b)(9) and § 170.9(b)(20) are redundant as both describe that assessment appeals and results are entered into eMASS.

Consistency: One comment pointed out an inconsistency between the text in § 170.18(c)(1)(i) and the Scoping Guide related to whether a CMMC Level 3 Assessment Scope must be the same as, or may be a subset of, the Assessment Scope of the prerequisite CMMC Level 2 certification.

Clarifications: One comment asked whether the stipulation that CCIs must not disclose CMMC data or metrics applies to all data or only "non-public" data.
Consistency: One commenter asked for clarification regarding templates and formats required for information uploaded into the CMMC instantiation of eMASS.

Response: The DoD has incorporated a request to delete the word "enhance" from § 170.1(b), and the purpose of the CMMC Program now reads that the CMMC Program is designed as a compliance assessment to assist in DoD's enforcement of information safeguarding requirements. Lower-level paragraphs in § 170.3 have been reordered for added clarity. The words "and to the DoD via CMMC eMASS" have been added to the end of the Assessment Findings Report definition in § 170.4(b). In addition, § 170.9(b)(17) has been rephrased to stipulate that all assessment data and information uploaded into the CMMC instantiation of eMASS must be compliant with the data standard provided in the eMASS CMMC Assessment Import Templates available on the CMMC eMASS website. The DoD replaced the word "granting" with the word "conducting" in the description of C3PAO assessments in § 170.9(a). Sections 170.9(b)(9) and (b)(20) have been modified to eliminate redundancy between the two paragraphs; however, the DoD did not concur that §§ 170.9(b)(17) and (18) are redundant and made no change. Section 170.18(c)(1)(i) was revised to clarify that the CMMC Assessment Scope for Level 3 must be equal to or a subset of the CMMC Assessment Scope for the Level 2 certification assessment of the system in question. Section 170.19 was revised to clarify that, for CMMC Level 2, OSAs will be assessed against all Level 2 requirements. For CMMC Level 3, OSAs will be assessed against all Level 2 and Level 3 requirements. Section 170.1 has been revised to correct punctuation and improve grammar. The section now conveys more clearly that the CMMC Program is designed as a compliance assessment to assist in DoD's enforcement of information safeguarding requirements.
No changes were made regarding use of "not logically or physically isolated from all such CUI systems". Specifying a CMMC Assessment Scope is a necessary preparatory step for a CMMC assessment. Assessment requirements are specified in § 170.19. At Levels 2 and 3, logical or physical isolation is the primary mechanism used to separate in-scope from out-of-scope assets. CRMA and Specialized Asset categories only apply to assets that are within the Assessment Scope or boundary. § 170.6(b) has been revised to reference DFARS clause 252.204–7020 rather than DFARS clause 252.204–7012. In addition, § 170.05 was revised to reference DFARS clause 252.204–7012, rather than DFARS 204.73, for consistency and clarity. The title of § 170.16(c)(1) has been updated to specify self-assessment of the OSA. DoD declined to make other administrative changes because they would not result in a substantive change. § 170.12(b)(8) has been revised to clarify that CCIs must not disclose CMMC data or metrics that are PPI, FCI, or CUI without prior coordination with and approval from DoD.

c. Changes Recommended but Not Incorporated

Comment: Many comments addressed non-substantive administrative changes or writing style and were not incorporated. Many comments requested substantive changes that were not incorporated, and which are described more fully in the response below.

Response: In addition, thirty-eight other recommendations were not incorporated because they did not result in substantive changes. The DoD declines to delete references or convert narrative text explanations into tables, bullets, or other truncated formats because the intent is to facilitate reader understanding of complex requirements. Other recommended administrative changes which did not result in a substantive change were also not incorporated. Other changes were not incorporated because the revisions would result in unintended or inaccurate meaning of the text.
The following explanation is provided for those unincorporated but substantive recommendations. The DoD did not change content in the Discussion of Public Comments section that addressed responses to the original 48 CFR CMMC interim final rule, because intervening rule changes made in response to public comments received about the more recent proposed rule(s) supersede text of the earlier rule. Section 170.3(a)(1) applies to contract awardees. While the rule may impact External Service Providers and Cloud Service Providers, the rule is not directly applicable to them. CMMC requirements apply at the time of contract award and thereafter. DoD declined to change the program name as it is well known in the community, and the tiered approach to the model still embodies a concept of cybersecurity maturity. OSA responsibilities for complying with CMMC are provided throughout the rule and do not need to be repeated. CMMC is a program that validates implementation via assessment; the rule does not prescribe how to implement. In the first sentence of the Summary, this rule describes that the CMMC assessment mechanism will cover both existing security requirements for CUI and new security requirements for certain programs. No additional reference is necessary in the introductory summary because the specific NIST reference documents are mentioned shortly after the summary and throughout the rule text. DoD declined to revise § 170.2 to use the word "competent" because "competence" is the word included in the referenced ISO/IEC 17011:2017(E) Abstract. The rule retains requirements to provide all documentation and records in English because it is necessary for adequate program management, and specifying this requirement is required to ensure clarity of interpretation.
The DoD has reviewed § 170.17(c)(2)(ii) and does not agree that a noun is missing. The lead-in paragraph provides the noun, and it is not necessary to repeat the phrase. The DoD disagrees that portions of § 170.18(c)(1) are redundant and therefore did not delete the lower-level paragraphs; however, revisions were made to clarify that a Level 2 certification assessment is needed prior to a Level 3 certification assessment. Recommended edits to § 170.24(9) that would change the meaning were not accepted. During the assessment process, the Lead Assessor/Assessor must view any prior DoD CIO adjudication of proposed variances to security requirements in the system security plan to ensure correct implementation and render a determination of MET if there have been no changes in the environment. The DoD did not modify § 170.10 to permit CCAs, CCPs, and CCIs to retrain "or" recertify, instead of both, upon significant change to DoD's CMMC Program requirements under this rule. The DoD disagreed with one commenter's assertion that the summary within the preamble to the rule implies CMMC assessments address all DFARS clause 252.204–7012 requirements; therefore no edits were necessary. The rule indicates that the applicable CMMC Level 2 security requirements are those in NIST SP 800–171 R2 as implemented in DFARS clause 252.204–7012. Revisions suggesting that all objectives identified in NIST SP 800–171A Jun2018 need not be met are not accurate and were not incorporated. Each assessment objective in NIST SP 800–171A Jun2018 must yield a finding of MET or NOT APPLICABLE for the overall security requirement to be scored as MET. Assessors exercise judgment in determining when sufficient and adequate evidence has been presented to make an assessment finding. This is consistent with current DIBCAC High Assessments and assessments conducted under the Joint Surveillance Voluntary Assessment Program (JSVAP).
A security requirement can be applicable, even with assessment objectives that are N/A. The security requirement is NOT MET when one or more applicable assessment objectives is NOT MET. Recommendations to address specific contractual matters were not addressed, because this is a 32 CFR part 170 CMMC Program rule and not an acquisition regulation. Any comments related to contract requirements should be provided in response to the 48 CFR part 204 CMMC Acquisition rule. The CMMC rule does not specify the number of POA&Ms that may be used to address one or more CMMC security requirements that were NOT MET during a CMMC assessment. The OSA may choose to use a single POA&M or multiple POA&Ms. No edits were made to reference CCAs in § 170.7, which covers responsibilities for only the DIBCAC, and not CCAs. § 170.11 covers responsibilities for CCAs. DoD declined to add verbiage to address the potential revision or cancellation of an ISO/IEC standard because § 170.8 adequately reflects that the Accreditation Body shall achieve full compliance with revised ISO/IEC 17011:2017(E) standards. Standards are not effective until published as final. The DoD declined to adopt one commenter's suggestion to submit all appeals investigation materials with the final decision into eMASS; however, an updated assessment result, if any, will be input into eMASS. In addition, C3PAOs are required to retain assessment artifacts for 6 years. DoD did not agree with one commenter's assertion that the preamble description of the CMMC Program is incomplete or inaccurate, or that the rule makes implicit changes to DFARS clause 252.204–7010 reporting requirements for activities subject to the U.S.-International Atomic Energy Agency Additional Protocol.
The referenced paragraph, which appears both in the preamble background section and in an overview paragraph of the supplemental documents, accurately portrays the CMMC Program as a compliance assessment model to assist in DoD's enforcement of FCI and CUI safeguarding requirements. No change has been made in either location. The DoD also declines to specify in the rule the DoD offices that review Tier 3 background investigations or equivalency determinations. No language related to Cloud Service Offerings (CSO) was added in § 170.19 column two. Assets that process, store, or transmit CUI are handled the same way regardless of whether they are from a CSO or otherwise. Therefore, there is no need to call out CSOs in the table. The DoD minimized use of the passive voice to an extent in this final rule; however, in some places the passive voice is used to emphasize the action occurring rather than the individual or entity performing the action. There is no version number in the title of the CMMC Program. Terms such as versions 1.0 or 2.0 have previously been used in DoD's public engagements as a colloquial way to communicate differences in content as the program has evolved. This final rule codifies the program and does include changes from the proposed rule. Only those public comments received during the 60-day comment period following the December 26, 2023 publication (88 FR 89058) are addressed in this final rule.

34. Error Corrections

Comment: Numerous administrative comments were received that addressed formatting, grammar, punctuation, and typographical errors as well as word usage and acronym errors. Wording discrepancies, redundancies, and inaccuracies were also reported by multiple comments.
Several comments identified inconsistencies between FedRAMP equivalency as stated in § 170.16(c)(2)(ii) and as described in the DoD CIO's December 21, 2023, Federal Risk and Authorization Management Program Moderate Equivalency for Cloud Service Provider's Cloud Service Offerings memorandum. One comment requested moving the phrase "in accordance with all applicable policies, procedures, and requirements" in § 170.5(d) to an earlier part of the sentence to be grammatically correct. One comment noted that DFARS provision 252.204–7019 does not stipulate assessments must be a "self-assessment" as stated in the CMMC 2.0 Overview as Proposed by this Rule section. Also in the same section, one comment indicated the SSP description should not direct the user to explain how each requirement is implemented, monitored, and enforced. One comment asked if the reference to NIST SP 900–171A refers to the current version or if a version number should be specified. Three comments indicated issues using embedded links to websites. One comment noted that "inspection activities" should be changed to "assessment activities" in 170.9(b)(10). One comment asserted that in 170.17(a)(1) the word "obtaining" should be deleted in the phrase ". . . the OSC must achieve either CMMC Level 2 Conditional Certification or Final Certification through obtaining a CMMC Level 2 Certification Assessment . . ."

Response:

Typographical, Grammatical, and Punctuation Errors, and Formatting

The DoD reviewed all reported grammatical, punctuation, typographical, and acronym-related errors, and the preamble, RIA, and rule have been updated to address all confirmed errors. Additionally, the formatting errors in the CMMC Level 2 Asset Categories and Associated Requirements row of table 1 of § 170.19(c)(1) have been corrected.
The final rule has been revised to correct document titles as needed. A commenter provided feedback on the PRA and identified incorrect markings in information collection samples. DoD will work with DISA to ensure the final versions of the eMASS templates contain the proper markings. An OSA's CMMC certification assessment results will be ingested into DoD's CMMC instance using the eMASS CMMC Assessment Import Templates published at https://cmmc.emass.apps.mil. The requirements for C3PAOs and DCMA DIBCAC and what is submitted into CMMC eMASS are described in §§ 170.7, 170.9, 170.17(a)(1)(i), 170.18(a)(1)(i), and 170.19. The documents accompanying the PRA were intended to serve as samples. The comment also contained an incorrect assumption that commercial privileged information "is not CUI because it is incidental to the performance of the contract." The commenter has confused CDI with CUI and is incorrect in the assumption that commercial privileged information is not CUI because of it being incidental to the performance of the contract.

Word Usage

Incorrect uses of "tri-annually" have been corrected. Where appropriate the wording has been changed to "every three years" for clarity. In the preamble to the rule, the statement ". . . and triennial affirmation . . ." has been corrected to indicate the affirmations are an "annual" requirement. DoD has updated the preamble to the rule to the correct certification assessment terminology. The link on the Federal Register website has been corrected and now resolves to the website indicated.

Incorrect or Incomplete References

Several incorrect or incomplete references have also been corrected. § 170.9(b)(1) has been corrected to refer to the authorization in § 170.8(a). One comment asserted that there is no section (c) associated with the reference "§ 170.17(a)(1) and (c)" which is in § 170.9(b)(6).
The section "§ 170.17(c) Procedures" does exist and addresses the procedures associated with a CMMC Level 2 Certification Assessment. Section 170.17(a)(1) addresses the Level 2 Certification Assessment requirements for an OSC. The rule has been updated in § 170.9(b)(6) for clarity. Commenters accurately noted that § 170.17(a)(1) should refer to the Level 2 requirements in § 170.14(c)(3), and this has been corrected. The reference in § 170.18(c)(5)(ii) has been updated to say, "that maps to the NIST SP 800–171 R2 and a subset of the NIST SP 800–172 Feb2021 requirements". The rule is updated to replace the instruction "(insert references L1–3)" with "§ 170.19 CMMC scoping."

Wording Discrepancies, Redundancies, and Inaccuracies

To address a discrepancy between the rule and scoping guidance, the Level 2 Scoping Guide has been updated for clarity and alignment with § 170.16(a), which states that meeting the CMMC Level 2 Self-Assessment requirements also satisfies the CMMC Level 1 Self-Assessment requirements for the same CMMC Assessment Scope. Additionally, the preamble to this rule has been updated to clarify that not all affirmations will occur prior to contract award because POA&M closeout affirmations may occur after contract award. To address a discrepancy about Level 1 scoring, in § 170.24 the phrase "; therefore, no score is calculated, and no scoring methodology is needed," has been deleted. The regulatory text was updated to require FedRAMP moderate or FedRAMP moderate equivalency in accordance with DoD Policy. CMMC Program Requirements make no change to existing policies for information security requirements implemented by DoD. The preamble was modified to indicate DFARS provision 252.204–7019 requires an assessment (basic, medium, or high) and not just a self-assessment (basic). The data input at § 170.17(a)(1)(i)(F) for CMMC eMASS is redundant, so it has been removed.
In the preamble, the DoD has also removed the inaccurate phrase, ‘‘certified by DoD’’, from the statement ‘‘Under CMMC, compliance will be checked by independent third-party assessors certified by DoD.’’ DoD has updated language in § 170.18(a)(1)(i)(B) to reflect that for each DCMA DIBCAC Assessor conducting the assessment, ‘‘name and government organization information’’ will be required for the CMMC instantiation of eMASS. The DoD has considered the recommendation to change the description of what an SSP should contain and declines to revise the rule text. The NIST SP 800–171 R2 requirement states that an SSP must describe ‘‘. . . how security requirements are implemented . . .’’ which is equivalent to going ‘‘. . . through each NIST SP 800–171 security requirement and explain how the requirement is implemented, monitored, and enforced.’’

Perceived Errors

DoD declines to make the edit to change ‘‘shall’’ to ‘‘will’’ in § 170.9(b). The existing language is consistent with standard rulemaking usage. The title for NIST SP 800–171A Jun2018 is the current title used by NIST and does not have a version number, so no change was needed. While not used in the rule text, the term enterprise is used in the description of the CMMC Program in the preamble’s Statement of Need for This Rule section: Defense contractors can achieve a specific CMMC Level for their entire enterprise network or an enclave(s), depending upon where the information to be protected is processed, stored, or transmitted; therefore enterprise remains in the definitions list. DoD verified links by clicking on them in the PDF and by copying and pasting the links into a web browser. In both cases links resolved correctly. The DoD has changed ‘‘all personnel involved in inspection activities’’ to ‘‘all personnel involved in assessment activities’’ in § 170.9(b)(9). A comment asserted that there was a rulemaking formatting error in § 170.4(b).
DoD is following the Office of the Federal Register standards for this section. In sections or paragraphs containing only definitions, paragraph designations are not used, and the terms are listed in alphabetical order. The definition paragraph begins with the term being defined. If a definition contains subordinate paragraphs, these paragraphs are numbered with paragraph designations beginning with the next appropriate level based on the dedicated definitions section. The 2nd sentence of § 170.17(a)(1) includes the word ‘‘obtaining’’ for clarity.

35. Comments in Favor of the CMMC Program

Comment: Some commenters expressed favorable opinions about the CMMC program as a viable long-term solution to ensure cybersecurity controls are in place. Others commented about specific content of the 32 CFR part 170 CMMC Program proposed rule and the supplemental documents. For example, two commenters specifically complimented the inclusion of an Affirmation requirement and another supported CMMC implementation as a pre-award requirement. Another commenter appreciated the regulatory text which ‘‘encourages’’ contractors to consult with the Government for additional guidance if or when unsure of the appropriate CMMC Level to assign a subcontract solicitation. Two commenters applauded the use of already established workforce qualifications while another concurred with the regulatory text permitting CMMC Certified Professionals (CCPs) to participate in assessments with oversight of a CMMC Certified Assessor (CCA). A commenter also expressed appreciation for the regulatory text’s alignment to a specific version of the guidelines (i.e., NIST SP 800–171 R2). One commenter appreciated the video that DoD published to accompany and explain the proposed rule.
Several comments cited the longstanding requirements of DFARS clause 252.204–7012 and cybersecurity risks of not implementing NIST SP 800–171 R2 as reasons that the 32 CFR part 170 CMMC Program final rule should be implemented as soon as possible.

Response: The Department appreciates that several commenters expressed agreement to and encouragement for the CMMC Program requirement and its associated specific rule text. The DoD recognizes that not all entities impacted by these regulations hold the same view of its requirements and appreciates those that took the time to express both positive and constructive feedback.

Applicability

Once CMMC is implemented in the 48 CFR part 204 CMMC Acquisition rule, the CMMC Program will require DoD to identify the CMMC Level and assessment type as a solicitation requirement and in the resulting contract for any effort that will cause a contractor or subcontractor to process, store, or transmit FCI or CUI on its unclassified information system(s). Once CMMC is implemented in the 48 CFR part 204 CMMC Acquisition rule, contractors handling FCI or CUI will be required to meet the CMMC Level and assessment type specified in the solicitation and resulting contract.

Summary of Program Changes:

DFARS Case 2019–D041 implemented DoD’s original model for assessing contractor information security protections. The initial CMMC Program was comprised of five progressively advanced levels of cybersecurity standards and required defense contractors and subcontractors to undergo a certification process to demonstrate compliance with the cybersecurity standards associated with a given CMMC Level.
In March 2021, the Department initiated an internal review of CMMC’s implementation that engaged DoD’s cybersecurity and acquisition leaders to refine policy and program implementation, focusing on the need to reduce costs for small businesses and align cybersecurity requirements to other Federal standards and guidelines. This review resulted in the revised CMMC Program, which streamlines assessment and certification requirements and improves implementation of the CMMC Program. These changes include:

• Eliminating Levels 2 and 4, and renaming the remaining three CMMC Levels as follows:
  • Level 1 will remain the same as the initial CMMC Program Level 1;
  • Level 2 will be similar to the initial CMMC Program Level 3;
  • Level 3 will be similar to the initial CMMC Program Level 5.
• Removing CMMC-unique requirements and maturity processes from all levels;
• For CMMC Level 1, allowing annual self-assessments with an annual affirmation by company leadership;
• Allowing a subset of companies at Level 2 to demonstrate compliance through self-assessment rather than C3PAO assessment;
• For CMMC Level 3, requiring Department-conducted assessments; and
• Developing a time-bound and enforceable POA&M process.

In December 2023, the Department published a proposed rule to amend 32 CFR part 170 in the Federal Register (Docket ID DOD–2023–OS–0063, 88 FR 89058), which implemented the DoD’s vision for the revised CMMC Program outlined in November 2021. The comment period for the proposed rule concluded on February 26, 2024. Changes have been made to the CMMC Program based on public comment. Significant changes include:

• The Implementation Phase 1 has been extended by an additional six months.
• A new taxonomy was created differentiating the level and type of assessment conducted from the CMMC Status achieved as a result.
• Clarification was added regarding the DoD’s role in achievement or loss of CMMC Statuses.
• CMMC Status will be automatically updated in SPRS for OSAs who have met standards acceptance.
• Requirements regarding conflict of interest were updated to expand the cooling-off period for the CMMC Accreditation Body to one year and bounded the timeframe between consulting and assessing for the CMMC Ecosystem to three years.
• A requirement was added for the CMMC Ecosystem members to report adverse information to the CAICO.
• A Provisional Instructor role was added to cover the transitional period that ends 18 months after the effective date of this rule.
• A CCI requirement was added to clarify that a CCI must be certified at the same or higher level than the classes they are instructing.
• A requirement for artifact retention was added to Level 1 self-assessments and Level 2 self-assessments.
• The assessment requirements for ESPs have been reduced.
• The definition of CSP has been narrowed and is now based on NIST SP 800–145 Sept2011.
• The assessment requirements for Security Protection Assets and Security Protection Data have been reduced.
• References to FedRAMP equivalency have been tied to DoD policy.
• Clarified the requirements for CSPs for an OSC seeking a CMMC Status of Level 3 (DIBCAC).
• Clarified that DCMA DIBCAC has the authority to perform limited checks of compliance of assets that changed asset category or changed assessment requirements between the Level 2 and Level 3 certification assessment.
• Clarification was added around the use of VDI clients.
• Provided clarification to distinguish between Plan of Action & Milestones (POA&Ms) and operational plan of action.
• Definitions have been added for: Affirming Official, Assessment objective, Asset, CMMC security requirement, CMMC Status, DoD Assessment Methodology, Enduring Exception, Operational plan of action, Personally Identifiable Information, Security Protection Data (SPD), and Temporary deficiency.
Some definitions were also changed to source from NIST documentation instead of Committee on National Security Systems (CNSS) Instruction No. 4009.

Background

A. Statement of Need for This Rule

The Department of Defense (DoD) requires defense contractors to protect FCI and CUI. To verify contractor and subcontractor implementation of DoD’s cybersecurity information protection requirements, the Department developed the Cybersecurity Maturity Model Certification (CMMC) Program as a means of assessing and verifying adequate protection of contractor information systems that process, store, or transmit either FCI or CUI. The CMMC Program is intended to: (1) align cybersecurity requirements to the sensitivity of unclassified information to be protected, (2) add a self-assessment element to affirm implementation of applicable cybersecurity requirements, (3) add a certification element to verify implementation of cybersecurity requirements, and (4) add an affirmation to attest to continued compliance with assessed requirements. As part of the program, DoD also intends to provide supporting resources and training to the DIB, to help support companies who are working to achieve the required CMMC Status. The CMMC Program provides for assessment at three levels, starting with basic safeguarding of FCI at CMMC Level 1, moving to the broad protection of CUI at CMMC Level 2, and culminating with higher-level protection of CUI against risk from Advanced Persistent Threats (APTs) at CMMC Level 3. The CMMC Program addresses DoD’s need to protect FCI and CUI during the acquisition and sustainment of products and services from the DIB. This effort is instrumental in establishing cybersecurity as a foundation for DoD acquisitions.
Although DoD contract requirements to provide adequate security for covered defense information (reflected in DFARS clause 252.204–7012) predate CMMC by many years, a verification requirement for the handling of CUI to assess a contractor or subcontractor’s implementation of those required information security controls is new with the CMMC Program. The theft of intellectual property and sensitive information from all U.S. industrial sectors from malicious cyber activity threatens economic security and national security. The Council of Economic Advisers estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016.24 The Center for Strategic and International Studies estimates that the total global cost of cybercrime was as high as $600 billion in 2017.25 Malicious cyber actors have targeted and continue to target defense contractors and the DoD supply chain. These attacks not only focus on the large prime contractors, but also target subcontractors that make up the lower tiers of the DoD supply chain. Many of these subcontractors are small entities that provide critical support and innovation. Overall, the DIB sector consists of over 220,000 companies 26 that process, store, or transmit CUI or FCI in support of the warfighter and contribute towards the research, engineering, development, acquisition, production, delivery, sustainment, and operations of DoD systems, networks, installations, capabilities, and services. The aggregate loss of intellectual property and controlled unclassified information from the DoD supply chain can undercut U.S. technical advantages and innovation, as well as significantly increase the risk to national security.

24 Based on information from the Council of Economic Advisors report: The Cost of Malicious Cyber Activity to the U.S. Economy, 2018.
25 Based on information from the Center for Strategic and International Studies report on the Economic Impact of Cybercrime; www.csis.org/analysis/economic-impact-cybercrime.
26 Based on information from the Federal Procurement Data System, the average number of unique prime contractors is approximately 212,650 and the number of known unique subcontractors is approximately 8,300. (FPDS from FY18–FY21).

As part of multiple lines of effort focused on the security and resiliency of the DIB, the Department is working with industry to enhance the protection of FCI and CUI within the DoD supply chain. Toward this end, DoD has developed the CMMC Program.

Cybersecurity Maturity Model Certification Program

The CMMC Program provides a comprehensive and scalable certification approach to verify the implementation of requirements associated with the achievement of a cybersecurity level. CMMC is designed to provide increased assurance to the Department that defense contractors can adequately protect FCI and CUI at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain. Defense contractors can achieve a specific CMMC Status for their entire enterprise network or an enclave(s), depending upon where the information to be protected is processed, stored, or transmitted. The CMMC Program assesses implementation of cybersecurity requirements. The CMMC requirements for safeguarding and security are the same as those required by FAR Subpart 4.19 and DFARS clause 252.204–7012, as well as selected NIST SP 800–172 Feb2021 requirements. CMMC Level 1 requires implementation of the safeguarding requirements set forth in FAR clause 52.204–21. CMMC Level 2 requires implementation of the security requirements in NIST SP 800–171 R2. CMMC Level 3 requires implementation of the security requirements in NIST SP 800–171 R2 as well as selected NIST SP 800–172 Feb2021 requirements, with DoD specified parameters.
The CMMC security requirements for all three Levels are provided in § 170.14. In general, CMMC assessments do not duplicate efforts from existing DoD assessments. In rare circumstances a reassessment may be necessary when cybersecurity risks, threats, or awareness have changed. Under the CMMC Program, CMMC contract requirements include self-assessments and third-party assessments for CMMC Level 2, predicated on program criticality, information sensitivity, and the severity of cyber threat. Based on the type and sensitivity of the information to be protected, a defense contractor must achieve the appropriate CMMC Status and demonstrate implementation of the associated set of information protection requirements.

If the CMMC Status of Level 1 (Self) or Level 2 (Self) is a contract requirement, the defense contractor will be required to self-assess its compliance with the CMMC Level 1 or Level 2 security requirements and submit both the self-assessment results and an affirmation of conformance in SPRS. Level 1 self-assessment and associated affirmation is required annually. Level 2 self-assessment is required every three years with an affirmation following the self-assessment and annually after the Final CMMC Status Date. If the CMMC Status of Level 2 (C3PAO) is a contract requirement, the Level 2 certification assessment must be performed by an authorized or accredited CMMC Third Party Assessment Organization (C3PAO). When the CMMC Status of Level 3 (DIBCAC) is a contract requirement, the Level 3 certification assessment by DCMA DIBCAC is required following the achievement of the CMMC Status of Final Level 2 (C3PAO). Upon achievement of the CMMC Status of Level 2 (C3PAO) or Level 3 (DIBCAC), the offeror will be issued a Certificate of CMMC Status. The assessment results are documented in SPRS to enable contracting officers to verify the CMMC Status and CMMC Status Date (i.e., not more than three years old) of an offeror prior to contract award.
The offeror must also submit an affirmation of conformance in SPRS following the assessment and annually after the Final CMMC Status Date. CMMC allows the use of a Plan of Action and Milestones (POA&Ms) for specified CMMC Level 2 and Level 3 security requirements. Each POA&M must be closed (i.e., all requirements completed) within 180 days of the initial assessment.

The details of the requirements for self-assessment, certification assessment, and affirmation for each CMMC Level are provided in §§ 170.15 through 170.18. POA&M requirements and affirmation requirements are provided in §§ 170.21 and 170.22. DoD’s phased implementation of the CMMC Status requirements is described in § 170.3(e).

Once CMMC requirements have been implemented in the DFARS, the solicitation and resulting contract will identify the specific CMMC Status required for that procurement. Selection of a CMMC Status will be based upon careful consideration of market research and the likelihood of a robust competitive market of prospective offerors capable of meeting the requirement. In some scenarios, DoD may elect to waive application of CMMC Status requirements to a particular procurement. In such cases, the solicitation will not include a CMMC Status requirement. Such waivers may be requested and approved by the Department in accordance with DoD’s internal policies and procedures. For a DoD solicitation or contract that does include CMMC requirements, including those for the acquisition of commercial items (except those exclusively COTS items) valued at greater than the micro-purchase threshold, contracting officers will not make award, or exercise an option on a contract, if the offeror or contractor does not meet the requirements for the required CMMC Status.
Furthermore, CMMC requirements are required to flow down to subcontractors as prescribed in the solicitation and resulting contract at all tiers, commensurate with the sensitivity of the unclassified information flowed down to each subcontractor.

B. Legal Authority

5 U.S.C. 301 authorizes the head of an Executive department or military department to prescribe regulations for the government of his or her department, the conduct of its employees, the distribution and performance of its business, and the custody, use, and preservation of its records, papers, and property (www.govinfo.gov/content/pkg/USCODE-2009-title5/pdf/USCODE-2009-title5-partI-chap3-sec301.pdf). Section 1648 of the National Defense Authorization Act for Fiscal Year 2020 (Pub. L. 116–92) 27 directs the Secretary of Defense to develop a consistent, comprehensive framework to enhance cybersecurity for the U.S. Defense Industrial Base (DIB). The CMMC Program is an important part of this framework.

27 www.govinfo.gov/content/pkg/PLAW-116publ92/pdf/PLAW-116publ92.pdf.

C. Community Impact

This final rule impacts all prospective and actual DoD contractors and subcontractors that are handling or will handle DoD information that meets the standards for FCI or CUI on a contractor information system during performance of the DoD contract or subcontract. This final rule also impacts all companies who are performing or will perform accreditation, training, certification, or assessment functions in connection with implementation of the CMMC Program.

D. Regulatory History

The CMMC Program verifies defense contractor compliance with DoD’s cybersecurity information protection requirements. It is designed to protect FCI and CUI that is shared by the Department with, or generated by, its contractors and subcontractors.
The cybersecurity standards required by the program are the same as those set forth in FAR clause 52.204–21 (CMMC Level 1), the NIST SP 800–171 R2 guidelines, which are presently required by DFARS clause 252.204–7012 (CMMC Level 2), and additional selected requirements from the NIST SP 800–172 Feb2021 guidelines (CMMC Level 3). The program adds a robust assessment element and provides the Department increased assurance that contractors and subcontractors are meeting these requirements.

In September 2020, the DoD published the 48 CFR CMMC interim final rule to the DFARS in the Federal Register (DFARS Case 2019–D041, 85 FR 48513, September 9, 2020), which implemented the DoD’s vision for the initial CMMC Program and outlined the basic features of the program (tiered model, required assessments, and implementation through contracts). The 48 CFR CMMC interim final rule became effective on November 30, 2020, establishing a five-year phase-in period. In March 2021, the Department initiated an internal review of CMMC’s implementation, informed by more than 750 CMMC-related public comments in response to the 48 CFR CMMC interim final rule. This comprehensive, programmatic assessment engaged cybersecurity and acquisition leaders within DoD to refine policy and program implementation. In November 2021, the Department announced plans for a revised CMMC Program, which incorporates an updated program structure and requirements designed to achieve the primary goals of an internal DoD review of the CMMC Program. With the implementation of the CMMC Program, the Department introduced several key changes that build on and refine the original program requirements.
These include:

• Streamlining the model from five to three certification levels;
• Allowing all companies at Level 1 and a subset of companies at Level 2 to demonstrate compliance through self-assessments;
• Increased oversight of professional and ethical standards of third-party assessors; and
• Allowing companies, under certain limited circumstances, to make POA&Ms to achieve certification.

In December 2023, the Department published a proposed rule to amend 32 CFR part 170 in the Federal Register (Docket ID 2023–OS–0063, 88 FR 89058, December 26, 2023), which implemented the DoD’s vision for the revised CMMC Program outlined in November 2021. The comment period for the proposed rule concluded on February 26, 2024. The CMMC requirements established pursuant to DFARS Case 2019–D041 have not been revised as of the date of publication of this final rule. However, the CMMC Program requirements in this final rule will be implemented in the DFARS, as needed, which may result in changes to the current DFARS text, solicitation provisions, and contract clauses relating to DoD’s cybersecurity protection requirements, including DFARS subpart 204.75 and DFARS clause 252.204–7021, Cybersecurity Maturity Model Certification (CMMC) Requirements.

Context of the CMMC Program in Light of Other DoD-Related Work

At present, and prior to the DFARS CMMC Acquisition rule becoming effective, the Department is using the DCMA DIBCAC to conduct CMMC Level 2-like assessments. To date, the DCMA DIBCAC has assessed 357 entities including DoD’s major prime contractors. The CMMC Program’s assessment phase-in plan, as described in § 170.3 Applicability, does not preclude entities from immediately and voluntarily seeking a CMMC certification assessment prior to the DFARS CMMC Acquisition rule being finalized and the clause being added to new or existing DoD contracts. The Department estimates 8,350 medium and large entities will require CMMC Level 2 certification assessments.
Once the CMMC DFARS coverage is effective, the Department will contractually mandate CMMC Level 2 certification assessments on these entities. It is estimated that 135 CMMC Third-Party Assessment Organization (C3PAO)-led assessments will be completed in the first year. The Department estimates 673 C3PAO-led assessments in year 2 followed by 2,252 C3PAO-led assessments in year 3. During the fourth year, the Department estimates 4,452 C3PAO-led assessments will be completed. The DCMA DIBCAC will perform assessments upon DoD’s request. Additionally, the Department may include CMMC Level 2 certification requirements on contracts awarded prior to the CMMC DFARS coverage becoming effective, but doing so will require bilateral contract modification after negotiations.

The CMMC Program has been incorporated in the Department’s 2024 Defense Industrial Base Cybersecurity Strategy.28 The strategy requires the Department to coordinate and collaborate across components to identify and close gaps in protecting DoD networks, supply chains, and other critical resources. Other prongs of the Department’s cybersecurity strategy are described in the Department’s National Industrial Security Program Operating Manual (NISPOM), which addresses implementation of the Security Executive Agent Directive (SEAD) 3,29 including clarifications on procedures for the protection and reproduction of classified information; controlled unclassified information (CUI); National Interest Determination (NID) requirements for cleared contractors operating under a Special Security Agreement for Foreign Ownership, Control, or Influence; and eligibility determinations for personnel security clearance processes and requirements.30 In addition, DCMA DIBCAC is responsible for leading the Department’s contractor cybersecurity risk mitigation efforts.
As part of this work, the DIBCAC assesses the defense industrial base companies to ensure they are meeting contractually required cybersecurity standards. The DIBCAC team ensures contractors have the ability to protect controlled unclassified information for government contracts they are awarded. DIBCAC conducts NIST SP 800–171 assessments in support of DFARS clause 252.204–7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, and DFARS clause 204.204–7020, NIST SP 800–171 DoD Assessment Requirements. The DFARS 204.204–7020 DIBCAC prioritization process is designed to adjust as DoD’s cyber priorities evolve based on ongoing threats. DIBCAC analysts collect and analyze data on DoD contractors to include:

• Mission critical programs, technologies, and infrastructure and the contractors (prime or lower tier) that support DoD capabilities.
• Cyber threats, vulnerabilities, or incidents.
• DoD Leadership requests.

28 https://media.defense.gov/2024/Mar/28/2003424523/-1/-1/1/DOD_DOB_CS_STRATEGY_DSD_SIGNED_20240325.PDF.
29 www.govinfo.gov/content/pkg/FR-2020-12-21/pdf/2020-27698.pdf.
30 www.dcsa.mil/Industrial-Security/National-Industrial-Security-Program-Oversight/32-CFR-Part-117-NISPOM-Rule/.

Regulatory Impact Analysis

FAR Subpart 4.19 and DFARS clause 252.204–7012 address safeguarding of FCI and CUI in contractor information systems and prescribe contract clauses requiring protection of FCI and CUI within the supply chain. The FAR and DFARS requirements for safeguarding FCI and CUI predate the CMMC Program by many years, and baseline costs for their implementation are assumed to vary widely based on factors including, but not limited to, company size and complexity of the information systems to be secured.
FAR clause 52.204–21 is prescribed at FAR section 4.1903 for use in solicitations and contracts when the contractor or subcontractor at any tier may have FCI residing in or transiting through its information system. This clause requires contractors and subcontractors to apply basic safeguarding requirements and procedures to protect applicable contractor information systems that process, store, or transmit FCI. In addition, DFARS clause 252.204–7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is prescribed at DFARS section 204.7304(c) for use by DoD in all solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, except for solicitations and contracts solely for the acquisition of commercially available off-the-shelf items. This clause applies when a contractor information system processes, stores, or transmits covered defense information and requires contractors and subcontractors to provide ‘‘adequate security’’ to safeguard that information when it resides on or transits through a contractor information system, and to report cyber incidents that affect that system or network. The clause states that to provide adequate security, the contractor shall implement, at a minimum, the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800–171 R2, Protecting CUI in Nonfederal Systems and Organizations. Contractors are also required to flow down DFARS clause 252.204–7012 to all subcontracts for operationally critical support or for which subcontractor performance will involve covered defense information. However, neither FAR clause 52.204–21 nor DFARS clause 252.204–7012 provides for DoD assessment of a contractor’s implementation of the information protection requirements required by those clauses.
The Department developed the CMMC Program to verify implementation of cybersecurity requirements in DoD contracts and subcontracts, by assessing adequacy of contractor information system security compliance prior to award and during performance of the contract. With limited exceptions, the Department intends to require compliance with CMMC as a condition of contract award. Once CMMC is implemented, the required CMMC Status will be specified in the solicitation and resulting contract. Contractors handling FCI or CUI will be required to meet the CMMC Status specified in the contract. There are three different levels of CMMC assessment, starting with basic safeguarding of FCI at Level 1, moving to the broad protection of CUI at Level 2, and culminating with higher level protection of CUI against risk from Advanced Persistent Threats (APTs) at Level 3. The benefits and costs associated with implementing this final rule, as well as alternative approaches considered, are as follows:

Costs

A Regulatory Impact Analysis (RIA) that includes a detailed discussion and explanation about the assumptions and methodology used to estimate the cost of this regulatory action follows and is available at www.regulations.gov (search for ‘‘DoD–2023–OS–0063,’’ click ‘‘Open Docket,’’ and view ‘‘Supporting Documents’’).

Background

The Department of Defense (DoD or Department) requires a secure and resilient supply chain to ensure the development, production, and sustainment of capabilities critical to national security. The DoD supply chain is targeted by adversaries with increasing frequency and sophistication, and to devastating effect. Therefore, implementation of cybersecurity standards and enforcement mechanisms is critically important. Executive Order (E.O.) 14028, ‘‘Improving the Nation’s Cybersecurity,’’ emphasizes the need to strengthen cybersecurity protections for both the Federal Government and the private sector. Nation-state adversaries attack the U.S. supply chain for a myriad of reasons, including exfiltration of valuable technical data (a form of industrial espionage); disruption to control systems used for critical infrastructure, manufacturing, and weapons systems; corruption of quality and assurance across a broad range of product types and categories; and manipulation of software to achieve unauthorized access to connected systems and to degrade the integrity of system operations. For example, since September 2020, major cyber-attacks such as the SolarWinds,31 Colonial Pipeline, Hafnium,32 and Kaseya 33 attacks have been spearheaded or influenced by nation-state actors 34 and resulted in significant failures and disruption. In the context of this threat, the size and complexity of defense procurement activities provide numerous pathways for adversaries to access DoD’s sensitive systems and information. Moreover, adversaries continue to evolve their tactics, techniques, and procedures. For example, on April 28, 2022, CISA and the FBI issued an advisory on destructive ‘‘wiperware,’’ a form of malware which can destroy valuable information.35 Protection of FCI and CUI is critically important, and the DoD needs assurance that contractor information systems are adequately secured to protect such information when it resides on or transits those systems. The Department is committed to working with defense contractors to protect FCI and CUI.
• Federal Contract Information (FCI): As defined in section 4.1901 of the FAR, FCI means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public, such as that on public websites, or simple transactional information, such as that necessary to process payments.
• Controlled Unclassified Information (CUI): 32 CFR 2002.4(h) defines CUI, in part, as information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls, including FCI.
In September 2020, the DoD published 48 CFR CMMC interim final rule (DFARS Case 2019–D041, 85 FR 48513, September 9, 2020), which implemented DoD’s vision for the initial Cybersecurity Maturity Model Certification (CMMC) Program and outlined basic program features, to include: 5-level tiered model, CMMC Certified Third Party Assessment Organization (C3PAO) assessments in support of contractor and subcontractor certification, with no allowance for a Plan of Action and Milestones (POA&Ms), and implementation of all security requirements by the time of a contract award. A total of 750 comments were received on the 48 CFR CMMC interim final rule during the public comment period that ended on November 30, 2020.
Footnotes:
[31] www.gao.gov/assets/gao-22-104746.pdf
[32] www.ic3.gov/Media/News/2021/210310.pdf
[33] www.cisa.gov/uscert/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa
[34] www.mitre.org/sites/default/files/publications/pr-18-2417-deliver-uncompromised-MITRE-study-26AUG2019.pdf
[35] www.cisa.gov/uscert/ncas/alerts/aa22-057a
These comments highlighted a variety of industry concerns including concerns relating to the costs for a C3PAO certification, and the costs and burden associated with implementing, prior to award, the required process maturity and 20 additional cybersecurity practices that were included in the initial CMMC Program. The Small Business Administration Office of Advocacy also raised similar concerns on the impact the rule would have on small businesses in the DIB. Pursuant to DFARS clause 252.204–7012, DoD has required certain defense contractors and subcontractors to implement the security protections set forth in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800–171 R2 to provide adequate security for CUI that is processed, stored, or transmitted on contractor information systems. The CMMC Program provides the Department the mechanism needed to verify that a defense contractor or subcontractor has implemented the security requirements at each CMMC Level and is maintaining that status across the contract period of performance, as required. In calendar year (CY) 2021 DoD paused the planned CMMC rollout to conduct an internal review of the CMMC Program. The internal review resulted in a refined and streamlined set of requirements that addressed many of the concerns identified in the public comments received relating to the initial CMMC Program. These changes have been incorporated into the revised CMMC Program structure and policies. In July 2022, the CMMC PMO met with the Office of Advocacy for the United States Small Business Administration (SBA) to address the revisions planned to the CMMC Program that are responsive to prior SBA concerns. The CMMC Program will enhance the ability of the DoD to safely share FCI and CUI with defense contractors and know the information will be suitably safeguarded.
Once fully implemented, CMMC will incorporate a set of cybersecurity requirements into acquisition contracts to provide verification that applicable cyber protections have been implemented. Under the CMMC Program, defense contractors and subcontractors will be required to implement certain cybersecurity protection requirements tied to a designated CMMC level and either perform a self-assessment or obtain an independent assessment from either a C3PAO or DCMA DIBCAC as a condition of a DoD contract award. CMMC is designed to validate the protection of FCI and CUI that is shared with and generated by the Department’s contractors and subcontractors. Through protection of information by adherence to the requirements verified in the revised CMMC Program, the Department and its contractors will prevent disruption in service and the loss of intellectual property and assets, and thwart access to FCI and CUI by the nation’s adversaries. The CMMC Program is intended to: (1) align cybersecurity requirements to the sensitivity of unclassified information to be protected, and (2) add a certification element, where appropriate, to verify implementation of cybersecurity requirements. As part of the program, DoD also intends to provide supporting resources and training to defense contractors to help support companies who are working to achieve the required CMMC Status. The CMMC Program provides for assessment at three levels: basic safeguarding of FCI at CMMC Level 1, broad protection of CUI at CMMC Level 2, and enhanced protection of CUI against risk from Advanced Persistent Threats (APTs) at CMMC Level 3. The CMMC Program is designed to provide increased assurance to the Department that a defense contractor can adequately protect FCI and CUI in accordance with prescribed security requirements, accounting for information flow down to its subcontractors in a multi-tier supply chain. 
The CMMC Program addresses DoD’s need to protect FCI and CUI during the acquisition and sustainment of products and services from the DIB. This effort is instrumental in establishing cybersecurity as a foundation for future DoD acquisition. Although DoD contract requirements to provide adequate security for covered defense information (reflected in DFARS clause 252.204–7012) predate CMMC by many years, a certification requirement for the handling of CUI to assess a contractor or subcontractor’s compliance of those required information security controls is new with the CMMC Program. Findings from DoD Inspector General report[36] indicate that DoD contractors did not consistently implement mandated system security requirements for safeguarding CUI and recommended that DoD take steps to assess a contractor’s ability to protect this information. The report emphasizes that malicious actors can exploit the vulnerabilities of contractors’ networks and systems and exfiltrate information related to some of the Nation’s most valuable advanced defense technologies. Currently, the FAR and DFARS prescribe contract clauses intended to protect FCI and CUI. Specifically, the clause at FAR 52.204–21, Basic Safeguarding of Covered Contractor Information Systems, is prescribed at FAR 4.1903 for use in Government solicitations and contracts when the contractor or a subcontractor at any tier may have FCI residing in or transiting through its information system(s). This clause requires contractors and subcontractors to implement basic safeguarding requirements and procedures to protect FCI being processed, stored, or transmitted on contractor information systems.
In addition, DFARS clause 252.204–7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is prescribed at DFARS 204.7304(c) for use in all solicitations and contracts except for solicitations and contracts solely for the acquisition of commercially available off-the-shelf (COTS) items. This clause requires contractors and subcontractors to provide ‘‘adequate security’’ to process, store or transmit covered defense information when it resides on or transits a contractor information system, and to report cyber incidents that affect that system or network. The clause states that to provide adequate security, the contractor shall implement, at a minimum, the security requirements in NIST Special Publication (SP) 800–171 R2, Protecting CUI in Nonfederal Systems and Organizations. Contractors are also required to flow down DFARS clause 252.204–7012 to all subcontracts that require processing, storing, or transmitting of covered defense information. However, neither FAR clause 52.204–21 nor DFARS clause 252.204–7012 provides for DoD verification of a contractor’s implementation of the basic safeguarding requirements specified in FAR clause 52.204–21 nor the security requirements specified in NIST SP 800–171 R2, implementation of which is required by DFARS clause 252.204–7012, prior to contract award. As part of multiple lines of effort focused on the security and resilience of the DIB, the Department is working with industry to enhance the protection of FCI and CUI within the DoD supply chain. Toward this end, DoD has developed the CMMC Program.
[36] DODIG–2019–105 ‘‘Audit of Protection of DoD CUI on Contractor-Owned Networks and Systems.’’
Revised CMMC Program Requirements
The CMMC Program requirements will be implemented through the DoD acquisition and contracting process. With limited exceptions, the Department intends to require compliance with CMMC as a condition of contract award.
Once CMMC is implemented, the required CMMC Status will be specified in the solicitation and resulting contract. Contractors handling FCI or CUI will be required to meet the CMMC Status specified in the contract. In accordance with the implementation plan described in § 170.3(e), CMMC Status requirements will apply to new DoD solicitations and contracts, and shall flow down to subcontractors, based on the sensitivity of the FCI and CUI to be processed, stored or transmitted to or by the subcontractor. Before contract award, the offeror must achieve the specified CMMC Status for the contractor information system (e.g., enterprise network, network enclave) that will process, store, or transmit the information to be protected. The contractor or subcontractor will also submit affirmations in the Supplier Performance Risk System (SPRS). An overview of requirements at each level is shown:
Level 1 Self-Assessment
• Level 1 self-assessment requires compliance with the basic safeguarding requirements to protect FCI set forth in FAR clause 52.204–21. CMMC Level 1 does not add any additional security requirements to those identified in FAR clause 52.204–21.
• OSAs will submit the following information in SPRS:
1. the results of a self-assessment of the OSA’s implementation of the basic safeguarding requirements set forth in § 170.15 associated with the contractor information system(s) used in performance of the contract; and
2. an initial affirmation of compliance, and then annually thereafter, an affirmation of continued compliance as set forth in § 170.22.
3. the Level 1 self-assessment cost burden will be addressed as part of the 48 CFR part 204 CMMC Acquisition final rule.
Level 2 Self-Assessment
• Level 2 self-assessment requires compliance with the security requirements set forth in NIST SP 800–171 R2 to protect CUI. CMMC Level 2 does not add any additional security requirements to those identified in NIST SP 800–171 R2.
• OSAs will submit the following information in SPRS:
1. the results of a self-assessment of the OSA’s implementation of the NIST SP 800–171 R2 requirements set forth in § 170.16 associated with the covered contractor information system(s) used in performance of the applicable contract.
2. an initial affirmation of compliance, and, if applicable, a POA&M closeout affirmation, and then annually thereafter, an affirmation of continued compliance set forth in § 170.22.
3. the Level 2 self-assessment cost burden will be addressed as part of the 48 CFR part 204 CMMC Acquisition final rule.
Level 2 Certification Assessment
• Level 2 certification assessment requires compliance with the security requirements set forth in § 170.17 to protect CUI. CMMC Level 2 does not add any additional security requirements to those selected in NIST SP 800–171 R2.
• A Level 2 certification assessment of the applicable contractor information system(s) provided by an authorized or accredited C3PAO is required to validate implementation of the NIST SP 800–171 R2 security requirements prior to award of any prime contract or subcontract and exercise of option.
• The C3PAO will upload the Level 2 certification assessment results in the CMMC instantiation of eMASS which will feed the information into SPRS.
• OSCs will submit in SPRS an initial affirmation of compliance, and, if necessary, a POA&M closeout affirmation, and then annually following the Final CMMC Status Date, an affirmation of continued compliance as set forth in § 170.22.
The Level 2 certification assessment cost burdens are included in this part with the exception of the requirement for the OSC to upload the affirmation in SPRS that is included in the 48 CFR part 204 CMMC Acquisition final rule and an update to DFARS collection approved under OMB Control Number 0750–0004, Assessing Contractor Implementation of Cybersecurity Requirements. Additionally, the information collection reporting requirements for the CMMC instantiation of eMASS are included in a separate ICR for this part and cover only those requirements pertaining to the CMMC process.
Level 3 Certification Assessment
• Level 3 certification assessment requires the CMMC Status of Final Level 2 (C3PAO) and compliance with the security requirements set forth in § 170.18 to protect CUI. CMMC Level 3 adds additional security requirements to those required by existing acquisition regulations as specified in this rule.
• A Level 3 certification assessment of the applicable contractor information system(s) provided by the DCMA Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) is required to validate implementation of the DoD-defined selected security requirements set forth in NIST SP 800–172 Feb2021. A CMMC Status of Final Level 2 (C3PAO) is a prerequisite to schedule a DCMA DIBCAC Level 3 certification assessment.
• DCMA DIBCAC will upload the Level 3 certification assessment results into the CMMC instantiation of eMASS, which will feed the information into SPRS.
• OSCs will submit in SPRS an initial affirmation of compliance, and, if necessary, a POA&M closeout affirmation, and then annually following the Final CMMC Status Date, an affirmation of continued compliance as set forth in § 170.22.
The Level 3 certification assessment cost burdens are included in this part with the exception of the requirement for the OSC to upload the affirmation in SPRS that is included in the 48 CFR part 204 CMMC Acquisition rule and an update to DFARS collection approved under OMB Control Number 0750–0004, Assessing Contractor Implementation of Cybersecurity Requirements. Additionally, the information collection reporting requirements for the CMMC instantiation of eMASS are included in a separate ICR for this part and cover only those requirements pertaining to the CMMC process.
As described, the CMMC Program couples an affirmation of compliance with certification assessment requirements to verify OSA implementation of cybersecurity requirements, as applicable. The CMMC Program addresses DoD’s need to protect FCI and CUI during the acquisition and sustainment of products and services from the DIB. This effort is instrumental in ensuring cybersecurity is the foundation of future DoD acquisitions.
Policy Problems Addressed by the Revised CMMC Program
Implementation of the CMMC Program is intended to solve the following policy problems:
Inadequate Implementation of Cybersecurity Requirements
Under DFARS clause 252.204–7012 and DFARS clause 252.204–7020, defense contractors and subcontractors must document implementation of the security requirements in NIST SP 800–171 R2 in a system security plan and may use a plan of action to describe how and when any unimplemented security requirements will be met. For the CMMC Program, the solicitation and resulting contract will specify the required CMMC Status, which will be determined considering program criticality, information sensitivity, and severity of cyber threat. Although the security requirements in NIST SP 800–171 R2 address a range of threats, additional requirements are needed to significantly reduce the risk posed by APTs. An APT is an adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). CMMC Level 3 requires implementation of selected security requirements from NIST SP 800–172 Feb2021 to reduce the risk of APT threats. The CMMC Program will require prime contractors to flow the appropriate CMMC Status requirement down throughout the entire supply chain relevant to a particular contract. Defense contractors or subcontractors that handle FCI must meet the requirements for CMMC Level 1. Defense contractors that handle CUI must meet the requirements for CMMC Level 2 or higher, depending on the sensitivity of the information associated with a program or technology being developed.
Lack of Verification of Contractor Compliance With Cybersecurity Requirements
Neither FAR clause 52.204–21 nor DFARS clause 252.204–7012 provides for DoD assessment of a defense contractor or subcontractor’s implementation of the information protection requirements within those clauses. Defense contractors represent that they will implement the requirements in NIST SP 800–171 R2 upon submission of their offer. Findings from DoD Inspector General report (DODIG–2019–105 ‘‘Audit of Protection of DoD Controlled Unclassified Information on Contractor-Owned Networks and Systems’’) indicate that DoD contractors did not consistently implement mandated system security requirements for safeguarding CUI and recommended that DoD take steps to assess a contractor’s ability to protect this information. CMMC adds new assessment requirements for contractor implementation of underlying information security requirements, to allow DoD to assess a defense contractor’s cybersecurity posture using authorized or accredited C3PAOs. The contractor and subcontractor must achieve the required CMMC Level as a condition of contract award.
Insufficient Scale and Depth of Resources To Verify Compliance
Today, DoD prime contractors must include DFARS clause 252.204–7012 in subcontracts for which performance will involve covered defense information, but this does not provide the Department with sufficient insights with respect to the cybersecurity posture of all members of a multi-tier supply chain for any given program or technology development effort. The revised CMMC Program requires prime contractors to flow down appropriate CMMC Status requirements, as applicable, to subcontractors throughout their supply chain(s). Given the size and scale of the DIB, the Department cannot scale its existing cybersecurity assessment capability to conduct on-site assessments of approximately 220,000 DoD contractors and subcontractors every three years. The Department’s existing assessment capability is best suited for conducting targeted assessments for the relatively small subset of DoD contractors and subcontractors that support designated high-priority programs involving CUI. CMMC addresses the Department’s scaling challenges by utilizing a private-sector accreditation structure. A DoD-authorized Accreditation Body will authorize, accredit, and provide oversight of C3PAOs which in turn will conduct Level 2 certification assessments of actual and prospective DoD contractors and subcontractors. Defense contractors will directly contract with an authorized or accredited C3PAO to obtain a Level 2 certification assessment. The cost of Level 2 certification assessment activities is driven by multiple factors, including market forces that govern availability of C3PAOs and the size and complexity of the enterprise or enclave under assessment. The Government will perform Level 3 certification assessments. Government resource limitations may affect schedule availability.
Reduces Duplicate or Respective Assessments of Our Industry Partners
CMMC assessment results will be posted in SPRS, DoD’s authoritative source for supplier and product performance information. Posting CMMC assessment results in SPRS precludes the need to validate CMMC implementation on a contract-by-contract basis. This enables DoD to identify whether the CMMC requirements have been met for relevant contractor information systems, avoids duplicative assessments, and eliminates the need for program level assessments, all of which decreases costs to both DoD and industry.
Revised CMMC Program Implementation
The DoD is implementing a phased implementation for the revised CMMC Program and intends to introduce CMMC Status requirements in solicitations over a three-year period to provide appropriate ramp-up time. This phased implementation is intended to minimize the financial impacts to defense contractors, especially small businesses, and disruption to the existing DoD supply chain. After CMMC is implemented in acquisition regulation, DoD will include CMMC self-assessment requirements in solicitations and resulting contracts when warranted by the type of information that will be handled by the contractor or subcontractor(s). CMMC Status requirements for Levels 1, 2, and 3 will be included in solicitations and resulting contracts issued after the phase-in period when warranted by any FCI and/or CUI information protection requirements for the contract effort. In the intervening period, Government Program Managers will have discretion to include CMMC Status requirements or exclude them and rely upon existing DFARS clause 252.204–7012 requirements, in accordance with DoD policy. As stated in § 170.20(a), there is qualified standards acceptance between DCMA DIBCAC High Assessment and the CMMC Status of Level 2 (C3PAO), which will result in staggering of the dates for new Level 2 certification assessments.
The implementation period will consist of four (4) phases as set forth in § 170.3(e), during which time the Government will include CMMC requirements in certain solicitations and contracts. During the CMMC phase-in period, program managers and requiring activities will be required to include CMMC Status requirements in certain solicitations and contracts and will have discretion to include in others. A purpose of the phased implementation is to ensure adequate availability of authorized or accredited C3PAOs and assessors to meet the demand.
Revised CMMC Program Flow Down
CMMC Level requirements will be flowed down to subcontractors at all tiers as set forth in § 170.23; however, the specific CMMC Status required for a subcontractor will be based on the type of unclassified information and the priority of the acquisition program and/or technology being developed.
Key Changes Incorporated in the Revised CMMC Program
In November 2021, the Department announced the revised CMMC Program, which is an updated program structure with revised requirements. In the revised CMMC Program, the Department has introduced several key changes that build on and refine the original program requirements. These include:
• Streamlining the model from five levels to three levels.
• Exclusively implementing National Institute of Standards and Technology (NIST) cybersecurity standards and guidelines.
• Allowing all companies subject to Level 1, and a subset of companies subject to Level 2, to demonstrate compliance through self-assessments.
• Increased oversight of professional and ethical standards of CMMC third-party assessors.
• Allowing Plans of Action & Milestones (POA&M) under limited circumstances to achieve conditional certification.
As a result of the alignment of the revised CMMC Program to NIST guidelines, the Department’s requirements will continue to evolve as changes are made to the underlying NIST SP 800–171 R2, NIST SP 800–171A Jun2018, NIST SP 800–172 Feb2021, and NIST SP 800–172A Mar2022 requirements.
CMMC Assessment
Assessment Criteria
CMMC requires that defense contractors and subcontractors entrusted with FCI and CUI implement cybersecurity standards at progressively more secure levels, depending on the type and sensitivity of the information.
Level 1 Self-Assessment
An annual Level 1 self-assessment and annual affirmation asserts that an OSA has implemented all the basic safeguarding requirements to protect FCI as set forth in § 170.14(c)(2). An OSA can choose to perform the annual self-assessment internally or engage a third-party to assist with evaluating its Level 1 compliance. Use of a third party to assist with the assessment process is still considered a self-assessment and results in a CMMC Status of Final Level 1 (Self). An OSA can achieve the CMMC Status of Level 1 (Self) for an entire enterprise network or for a particular enclave(s), depending upon where the FCI is or will be processed, stored, or transmitted.
Level 2 Self-Assessment
A Level 2 self-assessment and annual affirmation attests that an OSA has implemented all the security requirements to protect CUI as specified in § 170.14(c)(3).
Level 2 Certification Assessment
A Level 2 certification assessment, conducted by a C3PAO, verifies that an OSC is conforming to the security requirements to protect CUI as specified in § 170.14(c)(3). Each OSC information system that will process, store, or transmit CUI in the execution of the contract is subject to the corresponding CMMC Status requirements set forth in the contract.
Level 3 Certification Assessment
Achievement of the CMMC Status of Final Level 2 (C3PAO) for information systems within the Level 3 CMMC Assessment Scope is a prerequisite for initiating a Level 3 certification assessment. A Level 3 certification assessment, conducted by DCMA Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), verifies that an OSC has implemented the CMMC Level 3 security requirements to protect CUI as specified in § 170.14(c)(4). A Level 3 certification assessment must be conducted for each OSC information system that will be used in the execution of the contract that will process, store, or transmit CUI.
Impact and Cost Analysis of the Revised CMMC Program
Summary of Impact
Public comment feedback on the initial CMMC Program indicated that cost estimates were too low. The revised CMMC Program cost estimates account for that feedback with the following improvements:
• Allowance for outsourced IT services
• Increased total time for the contractor to prepare for the assessment, including limited time for learning the reporting and affirmation processes
• Allowance for use of consulting firms to assist with the assessment process
• Time for a senior level manager to review the assessment and affirmation before submitting the results in SPRS
• Updated government and contractor labor rates that include applicable burden costs
As a result, some costs of the revised CMMC Program may be higher than those included in the initial CMMC Program. The revised CMMC Program impact analysis includes estimated costs for implementation of the revised CMMC Program requirements across Level 1, Level 2, and Level 3 for the Public (small and other than small entities, including the CMMC Ecosystem as set forth in 32 CFR subpart C) and the Government.
In summary, the total estimated Public and Government costs associated with this rule, calculated for a 20-year horizon in 2023 dollars at a 7 percent discount rate and a 3 percent discount rate are provided as follows:
Table 3 - Total Estimated Costs of CMMC Requirements for the Public and the Government (7 percent discount)
                 Annualized Costs     Present Value Costs
Public           $3,989,182,374       $42,261,454,899
Government       $9,508,593           $100,734,168
Total            $3,998,690,967       $42,362,189,067
Table 4 - Total Estimated Costs of CMMC Requirements for the Public and the Government (3 percent discount)
                 Annualized Costs     Present Value Costs
Public           $4,219,513,555       $62,775,706,830
Government       $9,953,205           $148,078,564
Total            $4,229,466,760       $62,923,785,394
Estimating the number of CMMC assessments for unique entities per level per year is complicated by the fact that companies may serve as a prime contractor on one effort but a subcontractor on others, and may also enter into subcontract agreements with more than one prime contractor for various opportunities. In addition, the CMMC Program relies upon free market influences of supply and demand to propel implementation. Specifically, the Department does not control which defense contractors aspire to compete for which business opportunities, nor does it control access to the assessment services offered by C3PAOs. OSAs may elect to complete a self-assessment or pursue a certification assessment at any time after issuance of the rule, in an effort to distinguish themselves as competitive for efforts that require an ability to adequately protect CUI. For that reason, the number of CMMC assessments for unique entities per level per year may vary significantly from the assumptions used in generating the cost estimate. The estimates represent the best estimates at this time based on internal expertise and public feedback.
DoD utilized historical metrics gathered for the initial CMMC Program and subject matter expertise from Defense Pricing and Contracting (DPC) and DCMA DIBCAC to estimate the number of entities by type and by assessment level for this analysis. The following table summarizes the estimated profile used in this analysis.
Table 5 - Estimated Number of Entities by Type and Level
                                   Small      Other than Small   Total      Percent
Level 1 self-assessment            103,010    36,191             139,201    63%
Level 2 self-assessment            2,961      1,039              4,000      2%
Level 2 certification assessment   56,689     19,909             76,598     35%
DoD is planning for a phased roll-out of each assessment level across 7 years with the entity numbers reaching a maximum by Year 4 as shown in the tables. The target of Year 4 was selected based on the projected capacity of the CMMC Ecosystem to grow to efficiently support the entities in the pipeline. For modeling efficiency, a similar roll-out is assumed regardless of entity size or assessment level. It is assumed that by year 7 the maximum number of entities is reached. Beyond year 7, the number of entities entering and exiting are expected to net to zero. The following tables reflect the number of new entities in each year and for each level.
Table 6 - *Number of Small Entities Over Phase-In Period

                                   Year 1   Year 2   Year 3   Year 4   Year 5   Year 6   Year 7
Level 1 self-assessment            699      3,493    11,654   22,336   22,333   22,333   20,162
Level 2 self-assessment            20       101      335      642      642      642      579
Level 2 certification assessment   382      1,926    6,414    12,293   12,289   12,289   11,096
Level 3 certification assessment   3        45       151      289      289      289      261
Total                              1,104    5,565    18,554   35,560   35,553   35,553   32,098

Table 7 - *Number of Other than Small Entities Over Phase-In Period

                                   Year 1   Year 2   Year 3   Year 4   Year 5   Year 6   Year 7
Level 1 self-assessment            246      1,227    4,094    7,848    7,846    7,846    7,084
Level 2 self-assessment            7        35       118      225      225      225      204
Level 2 certification assessment   135      673      2,252    4,317    4,317    4,317    3,898
Level 3 certification assessment   1        5        18       34       34       34       34
Total                              389      1,940    6,482    12,424   12,422   12,422   11,220

Table 8 - *Number of Total Entities Over Phase-In Period

                                   Year 1   Year 2   Year 3   Year 4   Year 5   Year 6   Year 7
Level 1 self-assessment            945      4,720    15,748   30,184   30,179   30,179   27,246
Level 2 self-assessment            27       136      453      867      867      867      783
Level 2 certification assessment   517      2,599    8,666    16,610   16,606   16,606   14,994
Level 3 certification assessment   4        50       169      323      323      323      295
Total                              1,493    7,505    25,036   47,984   47,975   47,975   43,318

Public Costs

Summary of Impacted Awardee Entities

According to data available in the Electronic Data Access system for fiscal years (FYs) 2019, 2020, and 2021, DoD awards an average of 1,366,262 contracts and orders per year that contain DFARS clause 252.204–7012, to 31,338 unique awardees, of which 683,718 awards (50%) are made to 23,475 small entities (75%).37

Public Cost Analysis

The following is a summary of the estimated Public costs of the revised CMMC Program for other than small 38 entities, per assessment of a contractor information system, at the required periodicity for each CMMC level.
Table 9 - Other Than Small Entities (per Assessment)

Assessment                         Periodicity   Plan and Prepare   Conduct the   Report Assessment   Annual           Subtotal   **POA&M
                                                 the Assessment     Assessment    Results             Affirmation(s)
Level 1 self-assessment            Annual        $1,146             $1,728        $584                $584             $4,042     $0
Level 2 self-assessment            Triennial     $18,015            $19,964       $2,712              *$8,136          $48,827    $0
Level 2 certification assessment   Triennial     $26,264            $80,656       $2,712              *$8,136          $117,768   $0
Level 3 certification assessment   Triennial     $7,066             $23,136       $2,712              *$8,136          $41,050    $3,394

*Reflects the 3-year cost to match the periodicity.
**Requirements NOT MET (if needed and when allowed) will be documented in a Plan of Action and Milestones.

39 The Level 1 self-assessment and Level 2 self-assessment information collection reporting and recordkeeping requirements will be included in a modification of an existing DFARS collection approved under OMB Control Number 0750–0004, Assessing Contractor Implementation of Cybersecurity Requirements. Modifications to this DFARS collection will be addressed as part of the 48 CFR part 204 CMMC Acquisition rule.

The following is a summary of the estimated Public costs of the revised CMMC Program for Small Entities, per assessment of each contractor information system, estimated at one per entity, at the required periodicity for each CMMC level.

Table 10 - Small Entities (per Assessment)

Assessment                         Periodicity   Plan and Prepare   Conduct the   Report Assessment   Affirmations   Subtotal   **POA&M
                                                 the Assessment     Assessment    Results
Level 1 self-assessment            Annual        $1,803             $2,705        $909                $560           $5,977     $0
Level 2 self-assessment            Triennial     $14,426            $15,542       $2,851              *$4,377        $37,196    $0
Level 2 certification assessment   Triennial     $20,699            $76,743       $2,851              *$4,377        $104,670   $0
Level 3 certification assessment   Triennial     $1,905             $1,524        $1,876              *$5,628        $10,933    $1,869

*Reflects the 3-year cost to match the periodicity.
**Requirements ''NOT MET'' (if needed and when allowed) will be documented in a Plan of Action and Milestones.

40 The Level 1 self-assessment and Level 2 self-assessment information collection reporting and recordkeeping requirements will be included in a modification of an existing DFARS collection approved under OMB Control Number 0750–0004, Assessing Contractor Implementation of Cybersecurity Requirements. Modifications to this DFARS collection will be addressed as part of the 48 CFR part 204 CMMC Acquisition rule.

37 The number of unique awardees impacted each year is 1⁄3 of the average number of annual awardees according to the Electronic Data Access system (31,338/3 = 10,446). This estimate does not address new entrants or awardees who discontinue doing business with DoD.

38 Includes all businesses with the exception of those defined under the small business criteria and size standards provided in 13 CFR 121.201 (See FAR Part 19.102).

The total estimated Public (large and small entities) costs associated with this rule, calculated for a 20-year horizon in 2023 dollars at a 7 percent and 3 percent discount rate, per OMB guidance, is provided as follows:

Table 11 - Total Estimated Costs of CMMC Requirements for Large and Small Entities
[Table values not recovered in this text; the table reports annualized and present value costs.]

Assumptions

In estimating the Public costs, DoD considered applicable nonrecurring engineering costs, recurring engineering costs,41 assessment costs, and affirmation costs for each CMMC Level. For CMMC Levels 1 and 2, the cost estimates are based only upon the self-assessment, certification assessment, and affirmation activities that a defense contractor, subcontractor, or ecosystem member must take to allow DoD to verify implementation of the relevant underlying security requirements, i.e., for CMMC Level 1, the security requirements set forth in FAR clause 52.204–21, and for CMMC Level 2, the security requirements set forth in NIST SP 800–171 R2.
DoD did not consider the cost of implementing the security requirements themselves because implementation is already required by FAR clause 52.204–21, effective June 15, 2016, and by DFARS clause 252.204–7012, requiring implementation by Dec. 31, 2017, respectively; therefore, the costs of implementing the security requirements for CMMC Levels 1 and 2 should already have been incurred and are not attributed to this rule. As such, the nonrecurring engineering and recurring engineering costs to implement the security requirements defined for CMMC Level 1 and Level 2 are not included in this economic analysis. However, cost estimates to implement CMMC Level 3 are included, as that CMMC level will require defense contractors and subcontractors, as applicable, to implement a DoD-defined subset of the security requirements set forth in NIST SP 800–172 Feb2021, a new addition to current security protection requirements.

In estimating the public cost for a defense contractor small entity to comply with CMMC Program requirements for each CMMC level, DoD considered non-recurring engineering costs, recurring engineering costs, assessment costs, and affirmation costs 41 for each CMMC Level. These costs include labor and consulting.

41 The terms nonrecurring engineering costs and recurring engineering costs are terms of art and do not only encompass actual engineering costs.
Estimates include size and complexity assumptions to account for typical organizational differences between small entities and other than small entities with respect to the handling of Information Technology (IT) and cybersecurity:
• small entities are likely to have a less complex, less expansive operating environment and IT/Cybersecurity infrastructure compared to larger defense contractors
• small entities are likely to outsource IT and cybersecurity to an External Service Provider (ESP)
• entities (small and other than small) pursuing Level 2 self-assessment are likely to seek consulting or implementation assistance from an ESP to either help them prepare for the assessment technically or participate in the assessment with the C3PAOs.

Estimates do not include the cost to implement (Non-recurring Engineering Costs (NRE)) or maintenance costs (Recurring Engineering (RE)) associated with the security requirements prescribed in current regulations. For CMMC Levels 1 and 2, cost estimates are based upon assessment, reporting, and affirmation activities that a contractor or subcontractor will need to take to verify implementation of existing security requirements set forth in FAR clause 52.204–21, effective June 15, 2016, to protect FCI, and DFARS clause 252.204–7012, which required implementation of NIST SP 800–171 requirements not later than December 31, 2017, to protect CUI. As such, cost estimates are not included for an entity to implement the CMMC Level 1 or 2 security requirements, maintain implementation of these existing security requirements, or remediate a plan of action for unimplemented requirements. For CMMC Level 3, the cost estimates factor in the assessment, reporting, and affirmation activities in addition to estimates for NRE and RE to implement and maintain CMMC Level 3 security requirements.
In addition to implementing the CMMC Level 2 security requirements, CMMC Level 3 requires implementing selected security requirements set forth in NIST SP 800–172 Feb2021 as described in § 170.14(c)(4), which are not currently required through other regulations. CMMC Level 3 is expected to apply only to a small subset of defense contractors and subcontractors.

The Cost Categories used for each CMMC Level are described:

1. Nonrecurring Engineering Costs: Estimates consist of hardware, software, and the associated labor to implement the same. Costs associated with implementing the requirements set forth in FAR clause 52.204–21 and NIST SP 800–171 R2 are assumed to have been already implemented and, therefore, are not accounted for in this cost estimate. As such, these costs only appear in CMMC Level 3. If nonrecurring engineering costs are referenced, they are only accounted for as a one-time occurrence and are reflected in the year of the initial assessment.

2. Recurring Engineering Costs: Estimates consist of annually recurring fees and associated labor for technology refresh. Costs associated with implementing the requirements set forth in FAR clause 52.204–21 and NIST SP 800–171 R2 are assumed to have been already implemented and, therefore, are not accounted for in this cost estimate. As such, these costs only appear in CMMC Level 3.

3. Assessment Costs: Estimates consist of activities for pre-assessment preparations (which includes gathering and/or developing evidence that the assessment objectives for each requirement have been satisfied), conducting and/or participating in the actual assessment, and completion of any post-assessment work. Assessment costs are represented by notional phases. Assessment costs assume the OSA passes the assessment on the first attempt (conditional, with an allowable POA&M, or final).
Each phase includes an estimate of hours to conduct the assessment activities including:
(a) Labor hour estimates for a company (and any ESP support) to prepare for and participate in the assessment.
(b) C3PAO cost estimates for companies pursuing a certification
• labor hour estimates for authorized or certified assessors to work with the business to conduct the actual assessment
• Assessment Costs broken down into phases
   • Phase 1: Planning and preparing for the assessment
   • Phase 2: Conducting the assessment (self or C3PAO)
   • Phase 3: Reporting of Assessment Results
   • Phase 4: POA&M Closeout (for CMMC Level 3 only, if applicable and allowed)
• CMMC allows a limited open Plan of Action and Milestones (POA&M) for a period of 180 days to remediate the POA&M, see § 170.21.

4. Affirmations: Estimates consist of costs for an OSA to submit to SPRS an initial and, as applicable, any subsequent affirmations of compliance that the contractor information system is compliant with and will maintain compliance with the security requirements of the applicable CMMC Level. If POA&Ms are allowed, an affirmation must be submitted with the POA&M closeout. With the exception of Small Entities for Level 1 and Level 2, it is assumed the task requires the same labor categories and estimated hours as the final reporting phase of the assessment.

The categories and rates used for estimating purposes were compiled by subject matter experts based on current data available from within the DoD contractor database for comparable labor categories. A factor estimate of 30 percent was added to the labor rate per hour to include, but not limited to, company-sponsored benefits (fringe) and limited employee-related expenses such as training and certifications.
This estimate is based on labor performed by indirect personnel (i.e., personnel who are part of overhead expense); therefore, the 30 percent factor represents an estimate for fringe expense and G&A expenses versus full overhead expense. The categories and rates inclusive of the labor cost plus the additional factor are defined in the table.

Table 12 - Other than Small Entities - Labor Rates Used for Estimate

Labor Category 42,43   Rate/hr    Title                                                        Background 44
IT5                    $116.87    Senior Staff IT Specialist                                   Cyber background, 10+ years
IT4                    $97.49     Staff IT Specialist                                          Cyber background, 7-10 years
IT3                    $81.96     Senior IT Specialist                                         Cyber background, 5-7 years
IT2                    $54.27     IT Specialist                                                Cyber background, 2-5 years
IT1                    $36.32     Associate IT Specialist                                      Cyber background, 0-2 years
MGMT5                  $190.52    Director (Chief Info. Systems Officer/Chief Info. Officer)
MGMT4                  $143.50    Staff Manager
MGMT3                  $128.64    Senior Manager
MGMT2                  $95.96     Manager
MGMT1                  $82.75     Associate Manager
ESP/C3PAO 45           $260.28    Cyber Subject Matter Expert

Table 13 - Small Entities - Labor Rates Used for Estimate

Labor Category 42,43   Rate/hr    Title                                                        Background 44
MGMT5                  $190.52    Director (Chief Info. Systems Officer/Chief Info. Officer)   Cyber background, 7-10 years
IT4-SB                 $86.24     Staff IT Specialist
ESP/C3PAO 45           $260.28    Cyber Subject Matter Expert

42 IT = Information Technology, MGMT = Management.
43 IT and MGMT rates represent an estimate for in-house labor and include the labor rate plus fringe and employee-related expenses.
44 Background assumes a Bachelor's degree as the minimum education level; additional requirements are noted including required years of experience. A Master's degree may reduce the required years of experience as noted.
45 The ESP/C3PAO rate represents an estimate for outsourced labor and includes the labor rate, overhead expense, G&A expense, and profit.

CMMC Level 1 Self-Assessment and Affirmation Costs

Other Than Small Entities
• Nonrecurring and recurring engineering costs: There are no nonrecurring or recurring engineering costs associated with CMMC Level 1, since it is assumed that the contractor or subcontractor has already implemented the applicable security requirements.46
• Assessment Costs: It is estimated that the cost to support a CMMC Level 1 self-assessment and affirmation is *$4,042 (as summarized in 4.1.2, table 9). A Level 1 self-assessment is conducted annually, and is based on the assumptions detailed:
• Phase 1: Planning and preparing for the self-assessment: $1,146
   • A director (MGMT5) for 4 hours ($190.52/hr × 4hrs = $762)
   • A manager (MGMT2) for 4 hours ($95.96/hr × 4hrs = $384)
• Phase 2: Conducting the self-assessment: $1,728
   • A director (MGMT5) for 6 hours ($190.52/hr × 6hrs = $1,143)
   • A staff IT specialist (IT4) for 6 hours ($97.49/hr × 6hrs = $585)
• Phase 3: Reporting of self-assessment results into SPRS: $584
   • A director (MGMT5) for 2 hours ($190.52/hr × 2hrs = $381)
   • A staff IT specialist (IT4) for 2.08 hours ($97.49/hr × 2.08hrs = $203)
• Affirmations: It is estimated that the cost to perform an initial and annual affirmation of compliance with CMMC Level 1 for an ''other than small'' entity is $584
   • A director (MGMT5) for 2 hours ($190.52/hr × 2hrs = $381)
   • A staff IT specialist (IT4) for 2.08 hours ($97.49/hr × 2.08hrs = $203)
• The Level 1 self-assessment and affirmations cost burden will be addressed as part of the 48 CFR part 204 CMMC Acquisition rule.
• Summary: The following is the annual other than small entities total cost summary for Level 1 self-assessments and affirmations over a ten-year period: (Example calculation, Year 1: *$4,042 per entity × 246 entities (cumulative) = $994,233. Per-entity figures are rounded to the dollar, so a product computed from the rounded figures differs slightly from the tabulated total.)

Table 14 - Level 1: Self-Assessment for Other Than Small Entities

Year   New Entities   Cumulative Entities   Total Cost
1      246            246                   $994,233
2      1,227          1,473                 $5,953,271
3      4,094          5,567                 $22,499,565
4      7,848          13,415                $54,218,010
5      7,846          21,261                $85,928,372
6      7,846          29,107                $117,638,733
7      7,084          36,191                $146,269,399
8      0              36,191                $146,269,399
9      0              36,191                $146,269,399
10     0              36,191                $146,269,399

Small Entities
• Nonrecurring and recurring engineering costs: There are no nonrecurring or recurring engineering costs associated with CMMC Level 1 since it is assumed the contractor or subcontractor has implemented the applicable security requirements.47
• Assessment Costs and Initial Affirmation Costs: It is estimated that the cost to support a CMMC Level 1 self-assessment and affirmation is *$5,977 (as summarized in 4.1.2, table 10). A Level 1 self-assessment is conducted annually, and is based on the assumptions detailed:
• Phase 1: Planning and preparing for the self-assessment: $1,803
   • A director (MGMT5) for 4 hours ($190.52/hr × 4hrs = $762)
   • An external service provider (ESP) for 4 hours ($260.28/hr × 4hrs = $1,041)
• Phase 2: Conducting the self-assessment: $2,705
   • A director (MGMT5) for 6 hours ($190.52/hr × 6hrs = $1,143)
   • An external service provider (ESP) for 6 hours ($260.28/hr × 6hrs = $1,562)
• Phase 3: Reporting of assessment results into SPRS: $909
   • A director (MGMT5) for 2 hours ($190.52/hr × 2hrs = $381)
   • An external service provider (ESP) for 2 hours ($260.28/hr × 2hrs = $521)
   • A staff IT specialist (IT4–SB) for 0.08 hours 48 ($86.24/hr × 0.08hrs = $7)
• Affirmation: initial affirmation post assessment: $560
• Reaffirmations: It is estimated that the cost to reaffirm a CMMC Level 1 annually for a small entity is $560
   • A director (MGMT5) for 2 hours ($190.52/hr × 2hrs = $381)
   • A staff IT specialist (IT4–SB) for 2.08 hours ($86.24/hr × 2.08hrs = $179)
• The Level 1 self-assessment and affirmations cost burden will be addressed as part of the 48 CFR part 204 CMMC Acquisition rule.
• Summary: The following is the annual small entities total cost summary for Level 1 self-assessments and affirmations over a ten-year period: (Example calculation, Year 1: *$5,977 per entity × 699 entities (cumulative) = $4,177,845)

Table 15 - Level 1: Self-Assessment for Small Entities

Year   New Entities   Cumulative Entities   Total Cost
1      699            699                   $4,177,845
2      3,493          4,192                 $25,055,116
3      11,654         15,846                $94,709,771
4      22,336         38,182                $228,209,547
5      22,333         60,515                $361,691,392
6      22,333         82,848                $495,173,237
7      20,162         103,010               $615,679,258
8      0              103,010               $615,679,258
9      0              103,010               $615,679,258
10     0              103,010               $615,679,258

All Entities Summary

The following is a summary of the combined costs for both small and other than small entities for Level 1 self-assessments and affirmations over a ten-year period:

Table 16 - Level 1: Self-Assessment for All Entities

Year   New Entities   Cumulative Entities   Total Cost
1      945            945                   $5,172,077
2      4,720          5,665                 $31,008,386
3      15,748         21,413                $117,209,336
4      30,184         51,597                $282,427,557
5      30,179         81,776                $447,619,764
6      30,179         111,955               $612,811,971
7      27,246         139,201               $761,948,657
8      0              139,201               $761,948,657
9      0              139,201               $761,948,657
10     0              139,201               $761,948,657

46 CMMC Level 1 consists of the same 15 basic safeguarding requirements specified in FAR clause 52.204–21. This cost analysis assumes that defense contractors and subcontractors already have contracts with FAR clause 52.204–21 and, therefore, have already implemented the 15 basic safeguarding requirements.
47 Again, it is assumed that defense contractors and subcontractors have already implemented the 15 basic safeguarding requirements in FAR clause 52.204–21.
48 A person needs to enter the information into SPRS, which should only take five minutes.

CMMC Level 2 Self-Assessment and Affirmation Costs

Other Than Small Entities
• Nonrecurring and Recurring Engineering Costs: There are no nonrecurring or recurring engineering costs associated with Level 2 self-assessment since it is assumed the contractor or subcontractor has implemented the NIST SP 800–171 R2 security requirements.
• Self-Assessment Costs and Initial Affirmation Costs: It is estimated that the cost to support a Level 2 self-assessment and affirmation is *$43,403. The three-year cost is $48,827 (as summarized in 4.1.2, table 9), which includes the triennial assessment + affirmation, and two additional annual affirmations ($43,403 + $2,712 + $2,712).
• Phase 1: Planning and preparing for the self-assessment: $18,015
   • A director (MGMT5) for 30 hours ($190.52/hr × 30hrs = $5,716)
   • A manager (MGMT2) for 40 hours ($95.96/hr × 40hrs = $3,838)
   • A staff IT specialist (IT4) for 46 hours ($97.49/hr × 46hrs = $4,485)
   • A senior IT specialist (IT3) for 26 hours ($81.96/hr × 26hrs = $2,131)
   • An IT specialist (IT2) for 34 hours ($54.27/hr × 34hrs = $1,845)
• Phase 2: Conducting the self-assessment: $19,964
   • A director (MGMT5) for 24 hours ($190.52/hr × 24hrs = $4,572)
   • A manager (MGMT2) for 24 hours ($95.96/hr × 24hrs = $2,303)
   • A staff IT specialist (IT4) for 56 hours ($97.49/hr × 56hrs = $5,460)
   • A senior IT specialist (IT3) for 56 hours ($81.96/hr × 56hrs = $4,590)
   • An IT specialist (IT2) for 56 hours ($54.27/hr × 56hrs = $3,039)
• Phase 3: Reporting of self-assessment results into SPRS: $2,712
   • A director (MGMT5) for 4 hours ($190.52/hr × 4hrs = $762)
   • A manager (MGMT2) for 4 hours ($95.96/hr × 4hrs = $384)
   • A staff IT specialist (IT4) for 16 hours ($97.49/hr × 16hrs = $1,560)
   • A senior IT specialist (IT3) for 0.08 hours ($81.96/hr × 0.08hrs = $7)
• Affirmation: initial affirmation post assessment: $2,712
• Reaffirmations: It is estimated that the cost to perform an annual affirmation for CMMC Level 2 self-assessment is $2,712 (three-year cost is $8,136, or $2,712 × 3):
   • A director (MGMT5) for 4 hours ($190.52/hr × 4hrs = $762)
   • A manager (MGMT2) for 4 hours ($95.96/hr × 4hrs = $384)
   • A staff IT specialist (IT4) for 16 hours ($97.49/hr × 16hrs = $1,560)
   • A senior IT specialist (IT3) for 0.08 hours ($81.96/hr × 0.08hrs = $7)
• The Level 2 self-assessment and affirmations cost burden will be addressed as part of the 48 CFR part 204 CMMC Acquisition rule.
• Summary: The following is the annual other than small entities total cost summary for CMMC Level 2 self-assessments and affirmations over a ten-year period: (Example calculation, Year 2: (*$43,403 assessment per entity × 35 entities) + ($2,712 annual affirmation per entity × 7 entities) = $1,538,092)

Table 17 - Level 2: Self-Assessment for Other Than Small Entities

Year   Entities Assessed   Entities Affirming Only   Total Cost
1      7                   0                         $303,821
2      35                  7                         $1,538,092
3      118                 42                        $5,235,473
4      232                 153                       $10,484,485
5      260                 350                       $12,234,099
6      343                 492                       $16,221,701
7      436                 603                       $20,559,249
8      260                 779                       $13,397,691
9      343                 696                       $16,775,017
10     436                 603                       $20,559,249

Because the Level 2 assessment is triennial and the affirmation is annual, the entities assessed in a given year are the new entities for that year (Table 7) plus the entities reassessed three years after their previous assessment, and the entities affirming only are those assessed in either of the two preceding years. The same cadence applies to the Level 2 tables that follow.

Small Entities
• Nonrecurring and recurring engineering costs: There are no nonrecurring or recurring engineering costs associated with Level 2 self-assessment since it is assumed the contractor or subcontractor has implemented the NIST SP 800–171 R2 security requirements.
• Self-Assessment Costs and Initial Affirmation Costs: It is estimated that the cost to support a Level 2 self-assessment and affirmation for a small entity is *$34,277. The three-year cost is $37,196 (as summarized in 4.1.2, table 10), which includes the triennial assessment + affirmation, plus two additional annual affirmations ($34,277 + $1,459 + $1,459).
• Phase 1: Planning and preparing for the self-assessment: $14,426
   • A director (MGMT5) for 32 hours ($190.52/hr × 32hrs = $6,097)
   • An external service provider (ESP) for 32 hours ($260.28/hr × 32hrs = $8,329)
• Phase 2: Conducting the self-assessment: $15,542
   • A director (MGMT5) for 16 hours ($190.52/hr × 16hrs = $3,048)
   • An external service provider (ESP) for 48 hours ($260.28/hr × 48hrs = $12,493)
• Phase 3: Reporting of self-assessment results into SPRS: $2,851
   • A director (MGMT5) for 4 hours ($190.52/hr × 4hrs = $762)
   • An external service provider (ESP) for 8 hours ($260.28/hr × 8hrs = $2,082)
   • A staff IT specialist (IT4–SB) for 0.08 hours ($86.24/hr × 0.08hrs = $7)
• Affirmation: initial affirmation post assessment: $1,459
• Reaffirmations: It is estimated that the cost to reaffirm a Level 2 self-assessment annually is $1,459 (three-year cost to reaffirm a Level 2 self-assessment annually is $4,377, or $1,459 × 3):
   • A director (MGMT5) for 4 hours ($190.52/hr × 4hrs = $762)
   • A staff IT specialist (IT4–SB) for 8.08 hours ($86.24/hr × 8.08hrs = $697)
• The Level 2 self-assessment and affirmations cost burden will be addressed as part of the 48 CFR part 204 CMMC Acquisition rule.
• Summary: The following is the annual small entities total cost summary for Level 2 self-assessments and affirmations over a ten-year period: (Example calculation, Year 2: (*$34,277 self-assessment per entity × 101 entities) + ($1,459 annual affirmation per entity × 20 entities) = $3,491,193)

Table 18 - Level 2: Self-Assessment for Small Entities

Year   Entities Assessed   Entities Affirming Only   Total Cost
1      20                  0                         $685,547
2      101                 20                        $3,491,193
3      335                 121                       $11,659,448
4      662                 436                       $23,327,706
5      743                 997                       $26,922,622
6      977                 1,405                     $35,538,762
7      1,241               1,720                     $45,047,546
8      743                 2,218                     $28,703,951
9      977                 1,984                     $36,383,471
10     1,241               1,720                     $45,047,546

All Entities Summary

The following is a summary of the cost to all entities regardless of size for Level 2 self-assessments and affirmations over a ten-year period:

Table 19 - Level 2: Self-Assessment for All Entities

Year   Entities Assessed   Entities Affirming Only   Total Cost
1      27                  0                         $989,369
2      136                 27                        $5,029,285
3      453                 163                       $16,894,921
4      894                 589                       $33,812,191
5      1,003               1,347                     $39,156,721
6      1,320               1,897                     $51,760,463
7      1,677               2,323                     $65,606,795
8      1,003               2,997                     $42,101,642
9      1,320               2,680                     $53,158,488
10     1,677               2,323                     $65,606,795

CMMC Level 2 Certification Assessment and Affirmation Costs

Other Than Small Entities
• Nonrecurring and recurring engineering costs: There are no nonrecurring or recurring engineering costs associated with Level 2 certification assessment since it is assumed the contractor or subcontractor has implemented the NIST SP 800–171 R2 security requirements.
• Assessment and Initial Affirmation Costs: It is estimated that the cost to support a Level 2 certification assessment and annual affirmation for an ''other than small'' entity is *$112,345.
The three-year cost is $117,768 (as summarized in 4.1.2, table 9), and includes a triennial assessment + affirmation, plus two additional annual affirmations ($112,345 + $2,712 + $2,712, with a minor rounding difference).
• Phase 1: Planning and preparing for the certification assessment: $26,264
   • A director (MGMT5) for 32 hours ($190.52/hr × 32hrs = $6,097)
   • A manager (MGMT2) for 64 hours ($95.96/hr × 64hrs = $6,141)
   • A staff IT specialist (IT4) for 72 hours ($97.49/hr × 72hrs = $7,019)
   • A senior IT specialist (IT3) for 40 hours ($81.96/hr × 40hrs = $3,278)
   • An IT specialist (IT2) for 58 hours ($54.27/hr × 58hrs = $3,148)
   • An associate IT specialist (IT1) for 16 hours ($36.32/hr × 16hrs = $581)
• Phase 2: Conducting the certification assessment: $28,600
   • A director (MGMT5) for 32 hours ($190.52/hr × 32hrs = $6,097)
   • A manager (MGMT2) for 32 hours ($95.96/hr × 32hrs = $3,071)
   • A staff IT specialist (IT4) for 72 hours ($97.49/hr × 72hrs = $7,019)
   • A senior IT specialist (IT3) for 72 hours ($81.96/hr × 72hrs = $5,901)
   • An IT specialist (IT2) for 120 hours ($54.27/hr × 120hrs = $6,512)
• Phase 3: Reporting of certification assessment results: $2,712
   • A director (MGMT5) for 4 hours ($190.52/hr × 4hrs = $762)
   • A manager (MGMT2) for 4 hours ($95.96/hr × 4hrs = $384)
   • A staff IT specialist (IT4) for 16 hours ($97.49/hr × 16hrs = $1,560)
   • A senior IT specialist (IT3) for 0.08 hours ($81.96/hr × 0.08hrs = $7)
• Affirmations: initial affirmation post assessment: $2,712
• C3PAO Costs: C3PAO engagement inclusive of Phases 1, 2, and 3 (5-person team) for 200 hours ($260.28/hr × 200hrs = $52,056)
• Reaffirmations: It is estimated that the cost to reaffirm a Level 2 certification assessment annually is $2,712 (three-year cost is $8,136 or $2,712 × 3)
   • A director (MGMT5) for 4 hours ($190.52/hr × 4hrs = $762)
   • A manager (MGMT2) for 4 hours ($95.96/hr × 4hrs = $384)
   • A staff IT specialist (IT4) for 16 hours ($97.49/hr × 16hrs = $1,560)
   • A senior IT specialist (IT3) for 0.08 hours ($81.96/hr × 0.08hrs = $7)
• The Level 2 affirmations cost burden will be addressed as part of the 48 CFR part 204 CMMC Acquisition rule.
• Summary: The following is the annual other than small entities total cost summary for Level 2 certification assessments and affirmations over a ten-year period: (Example calculation, Year 2: (*$112,345 assessment per entity × 673 entities) + ($2,712 annual affirmation per entity × 135 entities) = $75,974,425)

Table 20 - Level 2: Certification Assessment for Other Than Small Entities

Year   Entities Assessed   Entities Affirming Only   Total Cost
1      135                 0                         $15,166,590
2      673                 135                       $75,974,425
3      2,252               808                       $255,192,758
4      4,452               2,925                     $508,094,016
5      4,990               6,704                     $578,785,599
6      6,569               9,442                     $763,604,903
7      8,350               11,559                    $969,433,559
8      4,990               14,919                    $601,067,429
9      6,569               13,340                    $774,177,583
10     8,350               11,559                    $969,433,559

Small Entities
• Nonrecurring or recurring engineering costs: There are no nonrecurring or recurring engineering costs associated with Level 2 certification assessment since it is assumed the contractor or subcontractor has implemented the NIST SP 800–171 R2 security requirements.
• Assessment Costs and Initial Affirmation Costs: It is estimated that the cost to support a Level 2 certification assessment and affirmation for a small entity is *$101,752. The three-year cost is $104,670 (as summarized in 4.1.2, table 10), and includes the triennial assessment + affirmation plus two additional annual affirmations ($101,752 + $1,459 + $1,459).
• Phase 1: Planning and preparing for the certification assessment: $20,699
   • A director (MGMT5) for 54 hours ($190.52/hr × 54hrs = $10,288)
   • An external service provider (ESP) for 40 hours ($260.28/hr × 40hrs = $10,411)
• Phase 2: Conducting the certification assessment: $45,509
   • A director (MGMT5) for 64 hours ($190.52/hr × 64hrs = $12,193)
   • An external service provider (ESP) for 128 hours ($260.28/hr × 128hrs = $33,316)
• Phase 3: Reporting of certification assessment results: $2,851
   • A director (MGMT5) for 4 hours ($190.52/hr × 4hrs = $762)
   • An ESP for 8 hours ($260.28/hr × 8hrs = $2,082)
   • A staff IT specialist (IT4–SB) for 0.08 hours ($86.24/hr × 0.08hrs = $7)
• Affirmations: cost to post initial affirmation: $1,459
• C3PAO Costs: C3PAO engagement inclusive of Phases 1, 2, and 3 (3-person team) for 120 hours ($260.28/hr × 120hrs = $31,234)
• Reaffirmations: It is estimated that the cost to reaffirm a Level 2 certification assessment annually is $1,459 (three-year cost is $4,377, or $1,459 × 3)
   • A director (MGMT5) for 4 hours ($190.52/hr × 4hrs = $762)
   • A staff IT specialist (IT4–SB) for 8.08 hours ($86.24/hr × 8.08hrs = $697)
• The Level 2 affirmations cost burden will be addressed as part of the 48 CFR part 204 CMMC Acquisition rule.
• Summary: The following is the annual small entities total cost summary for Level 2 certification assessments and affirmations over a ten-year period: (Example calculation, Year 2: (*$101,752 assessment per entity × 1,926 entities) + ($1,459 annual affirmation per entity × 382 entities) = $196,531,451) Table 21 - Level 2: Certification Assessment for Small Entities 1 2 3 4 5 6 7 8 9 10 382 1,926 6,414 12,675 14,215 18,703 23,771 14,215 18,703 23,771 khammond on DSKJM1Z7X2PROD with RULES2 The following is a summary of the cost to all entities regardless of size for VerDate Sep<11>2014 18:51 Oct 11, 2024 Jkt 265001 $38,869,223 $196,531,451 $656,003,811 $1,301,872,564 $1,474,252,306 $1,942,295,763 $2,466,768,671 $1,508,368,920 $1,958,483,830 $2,466,768,671 Level 2 certification assessment and affirmation costs over a ten-year period: PO 00000 Frm 00096 Fmt 4701 Sfmt 4700 E:\FR\FM\15OCR2.SGM 15OCR2 ER15OC24.019</GPH> All Entities Summary 0 382 2,308 8,340 19,089 26,890 32,918 42,474 37,986 32,918 Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations 83187 Table 22 - Level 2: Certification Assessment for All Entities 517 2,599 8,666 17,127 19,205 25,272 32,121 19,205 25,272 32,121 khammond on DSKJM1Z7X2PROD with RULES2 CMMC Level 3 Certification Assessment and Affirmation Costs An OSC pursuing Level 3 certification assessment must have a CMMC Status of Final Level 2 (C3PAO), and also must demonstrate compliance with CMMC Level 3, which includes implementation of selected security requirements from NIST SP 800–172 Feb2021 not required in prior rules. Therefore, the Nonrecurring Engineering and Recurring Engineering cost estimates have been included for the initial implementation and maintenance of the required selected NIST SP 800–172 Feb2021 security requirements. 
The cost estimates account for time for an OSC to implement these security requirements and prepare for, support, participate in, and closeout a Level 3 certification assessment conducted by DCMA DIBCAC. The OSC should keep in mind that the total cost of a Level 3 certification assessment includes the cost of a Level 2 certification assessment as well as the costs to implement and assess the security requirements specific to Level 3. CMMC Level 3 is expected to affect a small subset of the DIB. Other Than Small Entities, per Entity • Nonrecurring Engineering Costs: $21,100,000.49 • Recurring Engineering Costs: $4,120,000. • Assessment Costs and Initial Affirmation Costs: It is estimated that the cost to support a Level 3 49 DoD utilized subject matter expertise from Defense Pricing and Contracting (DPC) and DCMA DIBCAC to estimate the Nonrecurring and Recurring Engineering Costs. VerDate Sep<11>2014 18:51 Oct 11, 2024 Jkt 265001 0 517 3,116 11,265 25,793 36,332 44,477 57,393 51,326 44,477 certification assessment and affirmation for an other than small entity is *$39,021. The three-year cost is $44,445 (as summarized in 4.1.2, table 23), and includes the triennial assessment + affirmation, plus two additional annual affirmations ($39,021 + $2,712 + $2,712). 
• Phase 1: Planning and preparing for the certification assessment: $7,066 • A director (MGMT5) for 12 hours ($190.52/hr × 12hrs = $2,286) • A manager (MGMT2) for 12 hours ($95.96/hr × 12hrs = $1,152) • A staff IT specialist (IT4) for 16 hours ($97.49/hr × 16hrs = $1,560) • A senior IT specialist (IT3) for 12 hours ($81.96/hr × 12hrs = $984) • An IT specialist (IT2) for 20 hours ($54.27/hr × 20hrs = $1,085) • Phase 2: Conducting the certification assessment: $23,136 • A director (MGMT5) for 24 hours ($190.52/hr × 24hrs = $4,572) • A manager (MGMT2) for 24 hours ($95.96/hr × 24hrs = $2,303) • A staff IT specialist (IT4) for 64 hours ($97.49/hr × 64hrs = $6,239) • A senior IT specialist (IT3) for 64 hours ($81.96/hr × 64hrs = $5,245) • An IT specialist (IT2) for 88 hours ($54.27/hr × 88hrs = $4,776) • Phase 3: Reporting of certification assessment results: $2,712 • A director (MGMT5) for 4 hours ($190.52/hr × 4hrs = $762) • A manager (MGMT2) for 4 hours ($95.96/hr × 4hrs = $384) • A staff IT specialist (IT4) for 16 hours ($97.49/hr × 16hrs = $1,560) • A senior IT specialist (IT3) for 0.08 hours ($81.96/hr × 0.08hrs = $7) PO 00000 Frm 00097 Fmt 4701 Sfmt 4700 $54,035,813 $272,505,876 $911,196,569 $1,809,966,579 $2,053,037,904 $2,705,900,665 $3,436,202,230 $2,109,436,349 $2,732,661,414 $3,436,202,230 • Phase 4: Closing out POA&Ms 50 (for CMMC Level 3 if necessary and allowed): $3,394 • A director (MGMT5) for 8 hours ($190.52/hr × 8hrs = $1,524) • A senior staff IT specialist (IT5) for 16 hours ($116.87/hr × 16hrs = $1,870) • Affirmations: initial affirmation post assessment: $2,712 • Reaffirmations: It is estimated that the costs to reaffirm a Level 3 certification assessment annually is $2,712 (three-year cost is $8,136, or $2,712 × 3) • A director (MGMT5) for 4 hours ($190.52/hr × 4hrs = $762) • A manager (MGMT2) for 4 hours ($95.96/hr × 4hrs = $384) • A staff IT specialist (IT4) for 16 hours ($97.49/hr × 16hrs = $1,560) • A senior IT specialist (IT3) for 0.08 hours 
($81.96/hr × 0.08hrs = $7) The Level 3 affirmations cost burden will be addressed as part of the 48 CFR part 204 CMMC Acquisition rule. • Summary: The following is the annual other than small entities total cost summary for Level 3 certification assessments and affirmations over a tenyear period. Example calculation, Year 2 (reference per entity amounts shown): • *($39,021 Certification per entity × 5 entities) + ($2,712 Annual Affirmation per entity × 1 entity) = $197,818, and 50 Costs for closing out POA&Ms are included at Level 3 because the requirement to implement a subset of NIST SP 800–172 Feb2021 security requirements is new with the CMMC rule. These costs are not included at Level 2 because the implementation of all NIST SP 800–171 R2 security requirements are already required. E:\FR\FM\15OCR2.SGM 15OCR2 ER15OC24.020</GPH> 1 2 3 4 5 6 7 8 9 10 83188 Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations • $105,500,000 Nonrecurring Engineering cost ($21,100,000 per entity × 5 entities being certified), and • $24,720,000 Recurring Engineering cost ($4,120,000 per entity × 5 entities being certified) + ($4,120,000 per entity × 1 entity performing affirmations) • $130,417,818 Total Cost = Certification and Affirmation Cost ($197,818) + Nonrecurring Engineering cost ($105,500,000) + Recurring Engineering cost ($24,720,000), or $145,432,897. 
Table 23 - Level 3: Certification Assessment for Other Than Small Entities 1 2 5 18 0 1 $21,100,000 $4,120,000 $25,259,021 $197,818 $105,500,000 $24,720,000 $130,417,818 $718,654 $98,880,000 $238,960,000 $479,398,654 35 6 23 $1,428,123 $379,800,000 $717,400,000 39 52 53 74 $1,665,578 $2,229,811 $717,400,000 $717,400,000 $379,040,000 $519,120,000 $1,098,105,578 $1,238,749,811 7 69 91 $2,939,280 $717,400,000 $659,200,000 $1,379,539,280 8 9 39 52 121 108 $1,850,016 $2,322,031 $659,200,000 $659,200,000 $661,050,016 $661,522,031 10 69 91 $2,939,280 $659,200,000 $662,139,280 3 4 5 6 Small Entities khammond on DSKJM1Z7X2PROD with RULES2 $39,021 • Nonrecurring Engineering Costs: $2,700,000. • Recurring Engineering Costs: $490,000. • Assessment Costs and Initial Affirmation Costs: It is estimated that the cost to support a Level 3 certification assessment for a small entity is *$9,050 The three-year cost is $12,802 (summarized in 4.1.2, table 10), and includes the triennial assessment + affirmation, plus two additional annual affirmations ($9,050 + $1,876 + $1,876): • Phase 1: Planning and preparing for the certification assessment: $1,905 • A director (MGMT5) for 10 hours ($190.52/hr × 10hrs = $1,905) • Phase 2: Conducting the certification assessment: $1,524 • A director (MGMT5) for 8 hours ($190.52/hr × 8hrs = $1,524) • Phase 3: Reporting of certification assessment results: $1,876 • A director (MGMT5) for 8 hours ($190.52/hr × 8hrs = $1,524) • A staff IT specialist (IT4–SB) for VerDate Sep<11>2014 18:51 Oct 11, 2024 Jkt 265001 4.08 hours ($86.24/hr × 4.08hrs = $352) • Phase 4: Closing out POA&Ms 51 (for CMMC Level 3 if necessary and allowed): $1,869 • A director (MGMT5) for 8 hours ($190.52/hr × 8hrs = $1,524) • A staff IT specialist (IT4–SB) for 48 hours ($86.24/hr × 48hrs = $345) • Reaffirmations: It is estimated that the costs to reaffirm a Level 3 certification assessment annually is $1,876 (three-year cost is $5,628, or $1,876 × 3) • A director (MGMT5) for 8 hours 
($190.52/hr × 8hrs = $1,524) • A staff IT specialist (IT4–SB) for 4.08 hours ($86.24/hr × 4.08hrs = $352) $957,788,123 • The Level 3 affirmations cost burden will be addressed as part of the 48 CFR part 204 CMMC Acquisition rule. Summary: The following is the annual small entities total cost summary for Level 3 certification assessments and affirmations over a ten-year period. Example calculation, Year 2 (reference per entity amounts shown): • *($9,050 Certification per entity × 45 entities) + ($1,876 Annual Affirmation per entity × 3 entities) = $412,897, and • $121,500,000 Nonrecurring Engineering cost ($2,700,000 per entity × 45 entities being certified), and 51 Costs for closing out POA&Ms are included at Level 3 because the requirement to implement a subset of NIST SP 800–172 Feb2021 security requirements is new with the CMMC rule. These costs are not included at Level 2 because the implementation of all NIST SP 800–171 R2 security requirements is already required. PO 00000 Frm 00098 Fmt 4701 Sfmt 4700 E:\FR\FM\15OCR2.SGM 15OCR2 ER15OC24.021</GPH> 1 Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations • $23,520,000 Recurring Engineering cost ($490,000 per entity × 45 entities being certified) + ($490,000 per entity × 3 entities performing affirmations) • $145,432,897 Total Cost = Certification and Affirmation Cost 83189 ($412,897) + Nonrecurring Engineering cost ($121,500,000) + Recurring Engineering cost ($23,520,000), or $145,432,897. 
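The Year 2 arithmetic above for both entity sizes, and the ten-year tables in this section, follow one schedule: an entity is assessed in the year it enters the program and every third year after that, posts an annual affirmation in each of the two years between assessments, pays nonrecurring engineering once (in its entry year) and recurring engineering in every year it is in the program. The following Python is an added example, not part of the rule or its supporting cost analysis. It back-solves the yearly new-entrant counts from the assessment columns of the tables (an assumption of this example, not a figure the rule states) and regenerates the count, nonrecurring and recurring engineering columns of Tables 20, 23 and 24 exactly; Table 25 is the sum of the last two. The certification-and-affirmation dollar column comes out a few dollars below the rule's in most years because the rule multiplies unrounded per-entity costs. The `annualized` helper is the standard annuity factor and reproduces the Government cost summary's annualized figures from its present values over the 20-year horizon at 7 and 3 percent.

```python
# Added example (not part of the rule or its cost analysis): the cohort schedule
# behind the ten-year CMMC cost tables, reconstructed from the tables themselves.
#
# Assumptions of this example, read off the tables:
#   - an entity is assessed in the year it enters and every third year after that;
#   - in each of the two years between assessments it posts one annual affirmation;
#   - nonrecurring engineering (NRE, Level 3 only) is paid once, in the entry year;
#   - recurring engineering (RE, Level 3 only) is paid by every entity in the
#     program that year, whether it is being assessed or affirming.
from dataclasses import dataclass


@dataclass(frozen=True)
class PerEntityCost:
    assessment: int   # triennial assessment including its initial affirmation
    affirmation: int  # each annual affirmation between assessments
    nre: int = 0      # nonrecurring engineering (Level 3)
    re: int = 0       # recurring engineering (Level 3)


def schedule(new_entrants):
    """Per-year counts of entities assessed and entities affirming."""
    assessed, affirming = [], []
    for y, entering in enumerate(new_entrants):
        # assessed this year: new entrants plus the cohort assessed three years ago
        assessed.append(entering + (assessed[y - 3] if y >= 3 else 0))
        # affirming this year: the cohorts assessed one and two years ago
        affirming.append((assessed[y - 1] if y >= 1 else 0)
                         + (assessed[y - 2] if y >= 2 else 0))
    return assessed, affirming


def cost_table(new_entrants, cost):
    """Rows with the columns of the rule's Tables 20-25 for one level and size."""
    assessed, affirming = schedule(new_entrants)
    rows = []
    for year, (entering, a, f) in enumerate(zip(new_entrants, assessed, affirming), start=1):
        assessment = cost.assessment * a + cost.affirmation * f
        nre = cost.nre * entering          # first-time certifications only
        re = cost.re * (a + f)             # everyone in the program this year
        rows.append({"year": year, "assessed": a, "affirming": f,
                     "assessment": assessment, "nre": nre, "re": re,
                     "total": assessment + nre + re})
    return rows


def annualized(present_value, rate, years):
    """Level annual payment equivalent to a present value (standard annuity factor)."""
    return present_value * rate / (1 - (1 + rate) ** -years)


# Per-entity figures as stated in the rule.  New-entrant counts are back-solved from
# the tables (assessed[y] - assessed[y-3]) and are therefore an assumption of this example.
LEVEL2_OTHER_THAN_SMALL = PerEntityCost(112_345, 2_712)
LEVEL3_OTHER_THAN_SMALL = PerEntityCost(39_021, 2_712, 21_100_000, 4_120_000)
LEVEL3_SMALL = PerEntityCost(9_050, 1_876, 2_700_000, 490_000)
ENTRANTS = {
    "level2_other_than_small": [135, 673, 2252, 4317, 4317, 4317, 3898, 0, 0, 0],
    "level3_other_than_small": [1, 5, 18, 34, 34, 34, 34, 0, 0, 0],
    "level3_small": [3, 45, 151, 289, 289, 289, 261, 0, 0, 0],
}

if __name__ == "__main__":
    for name, cost in (("level3_other_than_small", LEVEL3_OTHER_THAN_SMALL),
                       ("level3_small", LEVEL3_SMALL)):
        print(name)
        for r in cost_table(ENTRANTS[name], cost):
            print(f"  year {r['year']:2d}: {r['assessed']:4d} assessed, "
                  f"{r['affirming']:4d} affirming, NRE ${r['nre']:,}, "
                  f"RE ${r['re']:,}, total ${r['total']:,}")
    print(f"Government costs annualized at 7%: ${annualized(100_734_168, 0.07, 20):,.0f}")
```

Run stand-alone it prints the two Level 3 tables. The other-than-small Year 2 total comes out at $130,417,817 against the rule's $130,417,818, the one-dollar gap being the rounding of the per-entity figures; the engineering columns match to the dollar, which is what shows that nonrecurring engineering is charged only to first-time certifications (it drops to zero in Years 8 through 10, when every assessment is a recertification) and that Year 4 onward holds the new-entrant count flat.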
Table 24 - Level 3: Certification Assessment for Small Entities
(*per entity: $9,050 certification assessment and initial affirmation; $1,876 annual affirmation; $2,700,000 nonrecurring engineering; $490,000 recurring engineering)

Year | Certifications | Affirmations | Certification and affirmation cost | Nonrecurring engineering | Recurring engineering | Total cost
1    | 3   | 0   | $27,151    | $8,100,000   | $1,470,000   | $9,597,151
2    | 45  | 3   | $412,897   | $121,500,000 | $23,520,000  | $145,432,897
3    | 151 | 48  | $1,456,663 | $407,700,000 | $97,510,000  | $506,666,663
4    | 292 | 196 | $3,010,423 | $780,300,000 | $239,120,000 | $1,022,430,423
5    | 334 | 443 | $3,853,914 | $780,300,000 | $380,730,000 | $1,164,883,914
6    | 440 | 626 | $5,156,569 | $780,300,000 | $522,340,000 | $1,307,796,569
7    | 553 | 774 | $6,456,917 | $704,700,000 | $650,230,000 | $1,361,386,917
8    | 334 | 993 | $4,885,718 | $0           | $650,230,000 | $655,115,718
9    | 440 | 887 | $5,646,207 | $0           | $650,230,000 | $655,876,207
10   | 553 | 774 | $6,456,917 | $0           | $650,230,000 | $656,686,917

All Entities Summary
The following is a summary of the cost to all entities regardless of size for Level 3 certification assessments and affirmations over a ten-year period:

Table 25 - Level 3: Certification Assessment for All Entities

Year | Certifications | Affirmations | Certification and affirmation cost | Nonrecurring engineering | Recurring engineering | Total cost
1    | 4   | 0     | $66,172    | $29,200,000    | $5,590,000     | $34,856,172
2    | 50  | 4     | $610,715   | $227,000,000   | $48,240,000    | $275,850,715
3    | 169 | 54    | $2,175,317 | $787,500,000   | $196,390,000   | $986,065,317
4    | 327 | 219   | $4,438,546 | $1,497,700,000 | $478,080,000   | $1,980,218,546
5    | 373 | 496   | $5,519,492 | $1,497,700,000 | $759,770,000   | $2,262,989,492
6    | 492 | 700   | $7,386,381 | $1,497,700,000 | $1,041,460,000 | $2,546,546,381
7    | 622 | 865   | $9,396,197 | $1,422,100,000 | $1,309,430,000 | $2,740,926,197
8    | 373 | 1,114 | $6,735,735 | $0             | $1,309,430,000 | $1,316,165,735
9    | 492 | 995   | $7,968,238 | $0             | $1,309,430,000 | $1,317,398,238
10   | 622 | 865   | $9,396,197 | $0             | $1,309,430,000 | $1,318,826,197

Government Costs

Summary of Impact
The following is a summary of the estimated Government costs calculated for a 20-year horizon in 2023 dollars at a 7 percent and 3 percent discount rate. The Government costs include conducting Level 3 certification assessments, uploading results into the CMMC instantiation of eMASS, and the CMMC PMO costs.

Table 26 - Total Estimated Government Costs of CMMC Requirements for All Entities

Discount rate | Annualized costs | Present value costs
7 percent     | $9,508,593       | $100,734,168
3 percent     | $9,953,205       | $148,078,564

Government Costs (All Levels)
The estimated Government costs utilize the entity numbers and phased roll-out detailed in the Public cost section. The DIBCAC estimated the detailed hours for all activities and other costs in a manner similar to the details shown in the Public cost section. Labor efforts for the Government are focused on Level 3. For purposes of the cost estimate, Government labor is based on the average of step one, five, and ten for GS–11 through GS–15 labor elements for the Washington DC area. The cost of labor was increased by a factor of approximately 51 percent, which includes an estimated fringe factor (the fringe factor includes estimated average insurance and pension benefits) plus overhead (the overhead factor represents supervision and management of the labor), to arrive at the estimated labor rates. The Government labor in this estimate is performed by DCMA, which is a labor-intensive agency with limited overhead expenses. Therefore, the overall added factor of 51 percent is appropriate versus a typical full overhead factor of 100 percent.

CMMC Database Infrastructure Costs
The Government will develop the operational CMMC instantiation of eMASS. The cost analysis assumes that the nonrecurring engineering (NRE) cost includes the requirements development, architecture design, security, prototyping and testing, and approvals or certifications.[52] The nonrecurring engineering cost is a one-time fee of $4,631,213 and is reflected here as incurred in the initial year of the estimate. The Year 1 amount is based on the actual cost incurred in FY2020 with adjustment for inflation to arrive at base year (BY) 1 dollars (2023). The recurring engineering (RE) cost includes database management, data analysis, cybersecurity, storage and backups, licensing, and infrastructure.[53] The costs for recurring engineering in Year 1 ($2,336,038) and Year 2 ($1,804,480) are based on historical amounts incurred for FY 2020 and FY 2021 with adjustment for inflation to arrive at base year 1 and Year 2 dollars (2023 and 2024). The estimated recurring engineering for Year 3 forward is calculated as the average of the Year 1 and Year 2 amounts (($2,336,038 + $1,804,480)/2 = $2,070,259). The table summarizes the nonrecurring engineering (NRE) and recurring engineering (RE) costs for Year 1 through Year 5:

[52] Nonrecurring engineering costs were first incurred in FY20. The cost has inflation applied to put the value in 2023 base year (BY) dollars.
[53] The recurring engineering cost is based on the costs incurred in FY20 and FY21. The values for Year 1 (FY20) and Year 2 (FY21) are actual historic values that have inflation applied to them to put them in base year 2023 dollars. Each subsequent year's recurring engineering cost is based on the average of the two historic actual values.

Table 27 - Government Costs for CMMC Database Infrastructure (BY23$)

Cost                     | Year 1     | Year 2     | Year 3     | Year 4     | Year 5
Nonrecurring engineering | $4,631,213 | $0         | $0         | $0         | $0
Recurring engineering    | $2,336,038 | $1,804,480 | $2,070,259 | $2,070,259 | $2,070,259
Total                    | $6,967,252 | $1,804,480 | $2,070,259 | $2,070,259 | $2,070,259

Total Government Costs
The following is a summary of the total Government costs over a ten-year period:

Table 28 - Estimated CMMC Costs -- Government (BY23$)

Year | Government activities** | CMMC database infrastructure | Total
1    | $79,698     | $6,967,252 | $7,046,950
2    | $826,063    | $1,804,480 | $2,630,543
3    | $2,871,167  | $2,070,259 | $4,941,426
4    | $5,713,930  | $2,070,259 | $7,784,189
5    | $6,830,268  | $2,070,259 | $8,900,527
6    | $9,083,729  | $2,070,259 | $11,153,988
7    | $11,533,002 | $2,070,259 | $13,603,261
8    | $7,670,055  | $2,070,259 | $9,740,314
9    | $9,486,082  | $2,070,259 | $11,556,342
10   | $11,533,002 | $2,070,259 | $13,603,261

** Government activities: the Government costs associated with the CMMC Program (conducting Level 3 certification assessments, uploading results into eMASS, and the CMMC PMO) other than the database infrastructure.

Total Public and Government Costs
The following is a summary of the total estimated annual Public and Government cost associated with implementation of the CMMC Program over a ten-year period:

Table 29 - Estimated CMMC Costs - Public and Government (BY23$)

Year | Public         | Government  | Total
1    | $95,053,432    | $7,046,950  | $102,100,382
2    | $584,394,262   | $2,630,543  | $587,024,805
3    | $2,031,366,143 | $4,941,427  | $2,036,307,570
4    | $4,106,424,873 | $7,784,189  | $4,114,209,062
5    | $4,802,803,881 | $8,900,527  | $4,811,704,408
6    | $5,917,019,480 | $11,153,988 | $5,928,173,468
7    | $7,004,683,879 | $13,603,261 | $7,018,287,140
8    | $4,229,652,383 | $9,740,314  | $4,239,392,697
9    | $4,865,166,797 | $11,556,342 | $4,876,723,139
10   | $5,582,583,879 | $13,603,261 | $5,596,187,140

Alternatives
DoD considered and adopted several alternatives during the development of this rule that reduce the burden on defense contractors and still meet the objectives of the rule. These alternatives include: (1) maintaining the status quo and leveraging only the current requirements implemented in DFARS provision 252.204–7019 and DFARS clause 252.204–7020, which require defense contractors and offerors to self-assess utilizing the DoD Assessment Methodology and enter a Basic Summary Score; (2) revising CMMC to reduce the burden for small businesses and contractors who do not process, store, or transmit critical CUI by eliminating the requirement to hire a C3PAO and instead allowing self-assessment with affirmation to maintain compliance at CMMC Level 1, and allowing triennial self-assessment with an annual affirmation to maintain compliance for some CMMC Level 2 programs; (3) exempting contracts and orders exclusively for the acquisition of commercially available off-the-shelf items; and (4) implementing a phased implementation for CMMC.

In addition, the Department took into consideration the timing of the requirement to achieve a specified CMMC Status: (1) at time of proposal or offer submission, (2) after contract award, (3) at the time of contract award, or (4) permitting government Program Managers to seek approval to waive inclusion of CMMC Status requirements in solicitations that involve disclosure or creation of FCI or CUI as part of the contract effort. Such waivers will be requested and approved by DoD in accordance with internal policies, procedures, and approval requirements. The Department ultimately adopted timing alternatives 3 and 4. The drawback of timing alternative 1 (at time of proposal or offer submission) is the increased risk for contractors, since they may not have sufficient time to achieve the required CMMC Status after the release of the solicitation. The drawback of timing alternative 2 (after contract award) is the increased risk to the Department with respect to cost, program schedule, and uncertainty in the event the contractor is unable to achieve the required CMMC Status in a reasonable amount of time given its current cybersecurity posture. This potential delay would apply to the entire supply chain and prevent the appropriate flow of CUI and FCI.

Benefits
The Department of Defense expects this final rule to protect DoD and industry from the loss of FCI and CUI, including intellectual property. The theft of intellectual property and FCI and CUI due to malicious cyber activity threatens U.S. economic security and national security. In 2010, the Commander of the U.S. Cyber Command and Director of the National Security Agency estimated the value of U.S. intellectual property to be $5 trillion and that $300 billion is stolen over networks annually.[54] The 2013 Intellectual Property Commission Report provided concurrence and noted that the ongoing theft represents "the greatest transfer of wealth in history." The report also highlighted the challenges of generating an exact figure because Government and private studies tend to understate the impacts due to inadequate data or scope, which is evidenced in subsequent analyses.[55] The responsibility of Federal agencies to protect FCI or CUI does not change when such information is shared with defense contractors.
A comparable level of protection is needed when FCI or CUI is processed, stored, or transmitted on contractor information systems.[56] The protection of FCI, CUI, and intellectual property on defense contractor systems can directly impact the ability of the Federal Government to successfully conduct its essential missions and functions.[57]

[54] www.govinfo.gov/content/pkg/CHRG-113hhrg86391/html/CHRG-113hhrg86391.htm.
[55] www.nbr.org/program/commission-on-the-theft-of-intellectual-property/.
[56] www.cybernc.us/fci-cui/.
[57] GAO Report to Congress, Defense Contractor Cybersecurity: Stakeholder Communication and Performance Goals Could Improve Certification Framework, December 2021.

Malicious cyber actors have targeted and continue to target the DIB sector, which consists of approximately 220,000 small-to-large sized entities that support the warfighter. In particular, actors ranging from cyber criminals to nation-states continue to attack companies and organizations that comprise the Department's multi-tier supply chain, including smaller entities at the lower tiers. From at least January 2020 through February 2022, the Federal Bureau of Investigation (FBI), National Security Agency (NSA), and Cybersecurity and Infrastructure Security Agency (CISA) observed regular targeting of U.S. cleared defense contractors (CDCs) by Russian state-sponsored cyber actors. The actors have targeted sensitive, unclassified information, as well as proprietary and export-controlled technology. The acquired information provides significant insight into U.S. weapons platforms development and deployment timelines, vehicle specifications, and plans for communications infrastructure and IT. By acquiring proprietary internal documents and email communications, adversaries may be able to adjust their own military plans and priorities, hasten technological development efforts, inform foreign policymakers of U.S. intentions, and target potential sources for recruitment.[58] In addition to stealing intellectual property for military gains, Russia may conduct cyber-attacks against the U.S. for retaliatory purposes. On March 21, 2022, the Biden-Harris Administration stated that intelligence indicates the Russian Government and Russian-aligned cybercrime groups have threatened to conduct cyber operations in retaliation for perceived cyber offensives against the Russian Government or the Russian people.[59]

[58] www.cisa.gov/news-events/cybersecurity-advisories/aa22-047a.
[59] www.whitehouse.gov/briefing-room/statements-releases/2022/03/21/statement-by-president-biden-on-our-nations-cybersecurity/.

The aggregate loss of intellectual property and CUI from the DoD supply chain severely undercuts U.S. technical advantage, limits and disrupts business opportunities associated with technological superiority, and ultimately threatens our national defenses and economy. By incorporating heightened cybersecurity into acquisition programs, the CMMC Program provides the Department assurance that contractors and subcontractors are meeting DoD's cybersecurity requirements and provides a key mechanism to adapt to an evolving threat landscape. This is critically important to the Department because defense contractors are the target of increasingly frequent and complex cyberattacks by adversaries and non-state actors. Dynamically enhancing DIB cybersecurity to meet these evolving threats and safeguarding the information that supports and enables our warfighters is a top priority for the Department. The CMMC Program is a key component of the Department's DIB cybersecurity effort. CMMC provides uniform and improved DoD cybersecurity requirements in three (3) levels, using the security requirements in NIST SP 800–171 R2 and a selected subset of those in NIST SP 800–172 Feb2021. With this rule, the Department is publishing supplemental guidance documents to assist the public, and in particular small businesses, with CMMC implementation, increasing the likelihood of successful implementation and strengthening cybersecurity across the DIB. CMMC decreases the burden and cost on companies protecting FCI by allowing all companies at Level 1, and a subset of companies at Level 2, to demonstrate compliance through self-assessments. CMMC allows companies, under certain limited circumstances, to make a Plan of Action & Milestones (POA&M) to provide additional time to achieve a Final CMMC Status. These key updates to CMMC benefit the DoD and our national interest by providing:
• improved safeguarding of competitive advantages through requirements flow-down to the defense contractor supply chain and protections for proprietary information and capabilities, and
• increased efficiency in the economy and private markets as a result of the streamlining of cybersecurity requirements, the resulting improvements in cybersecurity, and accountability across the supply chain.

In summary, the CMMC Program enforces and validates implementation of DoD's required cyber protection standards for companies in the DIB, preserving U.S. technical advantage. In addition, CMMC increases security for the most sensitive CUI by applying additional requirements at Level 3. Implementation of CMMC will help protect FCI and CUI upon which DoD systems and critical infrastructure rely, making it vital to national security. CMMC is focused on securing the Department's supply chain, including the smallest, most vulnerable innovative companies.
The security risks that result from the significant loss of FCI and CUI, including intellectual property and proprietary data, make implementation of the CMMC Program vital, practical, and in the public interest. III. Regulatory Compliance Analysis A. Executive Order 12866, ‘‘Regulatory Planning and Review’’ and Executive Order 13563, ‘‘Improving Regulation and Regulatory Review,’’ as Amended by Executive Order 14094, ‘‘Modernizing Regulatory Review’’ These Executive Orders direct agencies to assess all costs, benefits, and available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health, safety effects, distributive impacts, and equity). These Executive Orders emphasize the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. The Office of Management and Budget (OMB) has determined this final rule is significant as defined by Section 3(f)(1) for purposes of Executive Order 12866, as amended by Executive Order 14094. PO 00000 Frm 00103 Fmt 4701 Sfmt 4700 83193 B. Congressional Review Act (5 U.S.C. 801 et seq.) As defined by 5 U.S.C. 804(2), a major rule is a rule that the Administrator of the Office of Information and Regulatory Affairs of the Office of Management and Budget finds has resulted in or is likely to result in—(a) an annual effect on the economy of $100,000,000 or more; (b) a major increase in costs or prices for consumers, individual industries, Federal, State, or local government agencies, or geographic regions; or (c) significant adverse effects on competition, employment, investment, productivity, innovation, or on the ability of United States-based enterprises to compete with foreignbased enterprises in domestic and export markets. This rule has been designated a major rule as it is expected to have annual effect on the economy of $100M dollars or more. C. 
Public Law 96–354, ‘‘Regulatory Flexibility Act’’ (5 U.S.C. 601) The Department of Defense Chief Information Officer certified that this rule is subject to the Regulatory Flexibility Act (5 U.S.C. 601) because it would, if promulgated, have a significant economic impact on a substantial number of small entities. DoD has considered previous comments from Small Business Administration (SBA) regarding the impact and cost to small businesses to implement CMMC. In July 2022, the CMMC PMO met with the Office of Advocacy for the U.S. SBA to address the revisions planned in CMMC that are responsive to prior SBA concerns, with which the SBA was satisfied. An Initial Regulatory Flexibility Analysis that includes a detailed discussion and explanation about the assumptions and methodology used to estimate the cost of this regulatory action on small entities follows and is available at www.regulations.gov (search for ‘‘DoD–2023–OS–0063,’’ click ‘‘Open Docket,’’ and view ‘‘Supporting Documents’’). This final regulatory flexibility analysis has been prepared consistent with 5 U.S.C. 603. D. Final Regulatory Flexibility Analysis This final regulatory flexibility analysis has been prepared consistent with 5 U.S.C. 604(a). Reasons for the Action This final rule is necessary to create a secure and resilient supply chain, by addressing threats to the U.S. economy and national security from ongoing malicious cyber activities and preventing theft of hundreds of billions E:\FR\FM\15OCR2.SGM 15OCR2 khammond on DSKJM1Z7X2PROD with RULES2 83194 Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations of dollars of U.S. intellectual property. The President’s Executive Order (E.O.) 14028, ‘‘Improving the Nation’s Cybersecurity,’’ 60 emphasized that industrial security needs strengthening to ensure investments are not lost through intellectual property theft or among other supply chain risks. 
Currently, the Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS) prescribe contract clauses intended to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) within the Department of Defense (DoD) supply chain. Specifically, the clause at FAR clause 52.204–21, Basic Safeguarding of Covered Contractor Information Systems, is prescribed at FAR 4.1903 for use in Government solicitations and contracts when the contractor or a subcontractor at any tier may have FCI residing in or transiting through its information system. The FAR clause focuses on ensuring a basic level of cybersecurity hygiene and is reflective of actions that a prudent businessperson would employ. In addition, DFARS clause 252.204– 7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is prescribed in DFARS 204.7304 (c) for use in DoD solicitations and contracts that require processing, storing, or transmitting of CUI in contractor owned information systems. DFARS clause 252.204–7012 requires defense contractors and subcontractors to provide ‘‘adequate security’’ to process, store or transmit CUI on information systems or networks, and to report cyber incidents that affect these systems or networks. The clause states that to provide adequate security, the contractor shall implement, at a minimum, the security requirements in ‘‘National Institute of Standards and Technology (NIST) Special Publication (SP) 800–171 R2, Protecting CUI in Nonfederal Systems and Organizations.’’ Contractors are also required to flow down DFARS clause 252.204–7012 to all subcontracts that involve CUI. However, neither FAR clause 52.204– 21 nor DFARS clause 252.204–7012, provide for DoD verification of a contractor’s implementation of basic safeguarding requirements specified in those clauses prior to contract award. 
DFARS clause 252.204–7020, NIST SP 800–171 DoD Assessment Requirements, applies to contractor information systems that are subject to NIST SP 800–171 requirements pursuant to DFARS clause 252.204–7012. DFARS provision 252.204–7019 and DFARS clause 252.204–7020 require offerors and contractors (including subcontractors), respectively, to score their implementation of NIST SP 800–171 requirements for each contractor information system that is relevant to the offer or contract and to submit, at minimum, summary level self-assessment scores in the Supplier Performance Risk System (SPRS) for a minimum of a Basic Assessment, which is a contractor self-assessment. The SPRS submission includes the NIST SP 800–171 version against which the assessment was conducted, all industry Commercial and Government Entity (CAGE) code(s) associated with the information system(s) addressed by the required system security plan, the date of assessment, the summary level score, and the date all NIST SP 800–171 R2 requirements are expected to be implemented based on the associated plan(s) of action in accordance with NIST SP 800–171 R2. Accordingly, and upon submission of an offer, when applicable, the contractor must verify that a summary level score(s) of a current NIST SP 800–171 DoD Assessment is posted in SPRS for all contractor information systems relevant to the offer to signify appropriate implementation of NIST SP 800–171 R2 requirements. Findings from DoD Inspector General report (DODIG–2019–105 ‘‘Audit of Protection of DoD CUI on Contractor-Owned Networks and Systems’’) indicate that DoD contractors did not consistently implement mandated system security requirements for safeguarding CUI. That report included recommendations that DoD take steps to assess a contractor’s ability to protect this information.

60 www.gsa.gov/technology/it-contract-vehicles-and-purchasing-programs/technology-products-services/it-security/executive-order-14028.
The report emphasizes that malicious actors can exploit vulnerabilities in contractors’ information systems and exfiltrate information related to some of the Nation’s most valuable advanced defense technologies. Due to these shortcomings and the associated risks to national security, the Department developed the Cybersecurity Maturity Model Certification (CMMC) Program to assess contractor and subcontractor implementation of DoD’s required cybersecurity standards. The CMMC Program verifies compliance with DoD cyber protection standards by defense contractors and subcontractors and is designed to protect FCI and CUI that is shared by the Department with its contractors and subcontractors, and when developed by a contractor in the course of contract performance but not shared. The program incorporates a set of cybersecurity requirements into acquisition contracts and provides the Department increased assurance that contractors and subcontractors are meeting these requirements. The CMMC Program has three key features:

• Tiered Model: CMMC requires that companies demonstrate, through assessment, that they have implemented cybersecurity requirements. The type of assessment and the requirements against which it is conducted are selected based on the information that must be safeguarded. The program also sets forth the requirements for flow down of CMMC requirements to subcontractors.

• Assessment Requirement: CMMC assessments allow the Department to verify the implementation of cybersecurity requirements.

• Implementation through Contracts: Once CMMC is fully implemented, DoD contractors that handle FCI and CUI on their non-Federal information systems will be required to achieve a particular CMMC Status as a condition of contract award.
In September 2020, the DoD published the 48 CFR CMMC interim final rule in the Federal Register (DFARS Case 2019–D041) that implemented the DoD’s initial vision for the CMMC Program and outlined the key features of the program. The 48 CFR CMMC interim final rule became effective on November 30, 2020. In March 2021, the Department initiated an internal review of CMMC’s implementation, informed by more than 750 public comments in response to the 48 CFR CMMC interim final rule. This comprehensive, programmatic assessment engaged cybersecurity and acquisition leaders within DoD to refine policy and program implementation. In November 2021, the Department announced an updated program structure with revised requirements designed to achieve the primary goals identified by DoD’s internal review of the CMMC Program. With the implementation of the revised CMMC program, the Department introduced several key changes that build on and refine the original program requirements. These include:

• Streamlining the CMMC model from five levels to three levels.

• Exclusively implementing National Institute of Standards and Technology (NIST) cybersecurity guidelines.

• Allowing all companies subject to CMMC Level 1 requirements and a subset of companies subject to CMMC Level 2 requirements to demonstrate CMMC compliance through self-assessments.

• Increased oversight of professional and ethical standards of third-party assessors.

• Allowing Plans of Action & Milestones (POA&M) under limited circumstances to achieve conditional certification.

In July 2022, the CMMC Program Management Office (PMO) met with the Office of Advocacy for the U.S. SBA to address the revisions planned for CMMC and again met in July 2023 to review the proposed 32 CFR part 170 CMMC Program rule updates that are responsive to prior SBA concerns.
As a result of the alignment of CMMC requirements to NIST guidelines, the Department’s requirements continue to evolve as changes are made to the underlying NIST SP 800–171 R2 and NIST SP 800–172 Feb2021 requirements. Such changes will not be effective as CMMC requirements unless and until made effective through rulemaking.

Objectives of, and Legal Basis for, the Rule

Legal Basis: 5 U.S.C. 301; Sec. 1648, Public Law 116–92, 133 Stat. 1198.

The objective of this final CMMC Program rule is to provide the Department with increased assurance that a defense contractor can adequately protect FCI and CUI commensurate with the risk, also accounting for information flow down to its subcontractors in a multi-tier supply chain. This rule meets the objective by providing a mechanism to assess contractor and subcontractor implementation of DoD’s cybersecurity protection requirements for FCI and CUI. Implementation of the CMMC Program is intended to address the following policy issues:

(a) Verification of a Contractor’s Cybersecurity Posture

Effective June 2016, FAR clause 52.204–21, Basic Safeguarding of Contractor Information Systems, requires Federal contractors and subcontractors to implement 15 basic safeguarding requirements, as applicable, to protect contractor information systems that process, store, or transmit FCI. December 31, 2017, was the DoD deadline for contractors to implement, as applicable, the cybersecurity protection requirements set forth in NIST SP 800–171 R2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, in accordance with requirements of DFARS clause 252.204–7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.
NIST SP 800–171A Jun2018 states, ‘‘For the CUI security requirements in NIST Special Publication 800–171 Rev 2, nonfederal organizations describe in a system security plan, how the specified requirements are met or how organizations plan to meet the requirements.’’ 61 The NIST process provides contractors with a tool to assess their security posture and decide if or when to mitigate the risks based upon the organizational risk tolerance. When the DoD implemented the NIST SP 800–171 requirements with a not-later-than date of December 2017, the policy intent was to permit contractors some flexibility to remediate lagging NIST requirements, document them in plans of action, and resolve those deficiencies within a reasonable period. An unintended consequence of this flexibility was that some contractors went well beyond that intent, which was to secure systems that must adequately safeguard CUI in a timely manner, and instead created open-ended plans of action with undefined closure dates. The effect was to delay full compliance with safeguarding requirements for years. As a result, the DoD’s implementation of the NIST SP 800–171 requirements, as mandated by 32 CFR part 2002, has not been fully effective or validated. This necessitates implementation of the CMMC Program to enforce a finite timeline for full compliance with contractual requirements. Findings from DoD Inspector General report (DODIG–2019–105 ‘‘Audit of Protection of DoD Controlled Unclassified Information on Contractor-Owned Networks and Systems’’) indicated that DoD contractors did not consistently implement mandated system security requirements for safeguarding CUI and recommended that DoD take steps to assess a contractor’s ability to protect this information. CMMC adds an assessment requirement to verify defense contractors and subcontractors have implemented the applicable security requirements prior to award.
CMMC also adds requirements at each CMMC level for contractors and subcontractors to affirm initial compliance with the specified CMMC security requirements and provide annual affirmations thereafter.

(b) Comprehensive Implementation of Cybersecurity Requirements

Although the security requirements in NIST SP 800–171 R2 address a range of threats, they do not sufficiently address Advanced Persistent Threats (APTs). An APT is an adversary that possesses sophisticated levels of expertise and significant resources, which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). To address APTs, NIST has published NIST SP 800–172 Feb2022. CMMC Level 3 certification assessment provides for government assessment of a contractor’s implementation of a defined subset of NIST SP 800–172 Feb2021 Enhanced Security Requirements with DoD predefined parameters and specifications.

(c) Scale and Depth

Today, DoD prime contractors must include DFARS clause 252.204–7012 in subcontracts for which performance will involve covered defense information, but this does not provide the Department with sufficient insights with respect to the cybersecurity posture of all members of a multi-tier supply chain for any given program or technology development effort. The revised CMMC Program requires prime contractors to flow down CMMC requirements, as applicable, to subcontractors throughout their supply chain(s). Given the size of the Defense Industrial Base (DIB), the Department cannot scale its existing cybersecurity assessment workforce to conduct on-site assessments of approximately 220,000 DoD contractors and subcontractors every three years.

61 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171A.pdf.
The Department’s existing assessment capability is best suited for conducting targeted assessments for the relatively small subset of DoD contractors and subcontractors that support designated high-priority programs. CMMC addresses the Department’s scaling challenges by utilizing a private-sector accreditation structure. The DoD-recognized Accreditation Body will authorize, accredit, and provide oversight of CMMC Third-Party Assessment Organizations (C3PAO), which in turn will conduct CMMC Level 2 certification assessments of actual and prospective DoD contractors and subcontractors. Organizations Seeking Certification (OSCs) will directly contract with an authorized or accredited C3PAO to undergo a Level 2 certification assessment to achieve a CMMC Status of Conditional and Final Level 2 (C3PAO). The cost of CMMC Level 2 activities is driven by multiple factors, including market forces that govern availability of C3PAOs and the size and complexity of the enterprise or enclave under assessment. The Government will perform Level 3 certification assessments. Government resource limitations may affect schedule availability.

(d) Reduces Duplicate or Repetitive Assessments of Our Industry Partners

CMMC assessment results and contractor affirmations of compliance will be posted in the Supplier Performance Risk System (SPRS), DoD’s authoritative source for supplier and product performance information. Posting CMMC assessment results in SPRS precludes the need to validate CMMC implementation on a contract-by-contract basis. This enables DoD to identify whether the CMMC assessment requirements have been met for relevant contractor information system(s), avoids duplicative assessments, and eliminates the need for program level assessments, all of which results in decreased costs to both DoD and industry.
Significant Issues Raised by Public Comments

The CMMC proposed rule was published in the Federal Register on December 26, 2023, to initiate the mandatory 60-day public review and comment period for this rule and the supporting documents, which ended on 26 February 2024. From the volume of comments received on the CMMC rule documents, from or concerning Small Businesses, the following significant issues were raised.

1. Cost.

Some comments identified that the proposed rule does not address how the CMMC Program will be funded, or how the costs of certification and compliance will be shared between the DoD and the contractors. This may raise questions about the affordability and sustainability of the CMMC program, especially for small businesses. Commenters suggested that the DoD conduct and publish a comprehensive cost assessment for each level of CMMC certification and explore ways to reduce the financial burden on the contractors, such as providing incentives, subsidies, loans, grants, tax credits, or reimbursements. Several comments presented the opinion that the cost estimates in the preamble/rule did not adequately address all possible costs to become compliant with regulations and attain a certification, i.e., ongoing Recurring Engineering and Non-Recurring Engineering costs. Others commented that the mandate to comply with requirements, attain verification of compliance, and the inability to recoup costs prior to completing compliance will be barriers to entry and will drive many small businesses out of the DoD market. Concern was also expressed regarding the cost of failing an assessment and not being able to recoup costs fast enough through increased Overhead and G&A [General and Administrative] rates. Another concern was raised that IR&D [Independent Research and Development] spending will be negatively impacted due to the diversion of funds to cybersecurity compliance.
Some shared concerns about the potential for overmarking CUI data, which would drive a higher than necessary demand for CMMC certification and create an overburdened ecosystem, thereby preventing timely certification and incentivizing ‘‘price gouging’’ by assessors. Several suggested that the Government regulate the prices for assessment services. Many commenters also suggested the DoD needed to find ways to reduce the financial burdens on small businesses through direct payment for compliance, tax incentives, increased profits, or increased flexibility to comply with requirements, i.e., by reducing requirements for small businesses or providing more time to comply after contract award. Commenters also felt the handling of CUI by small businesses was too difficult, and recommended that prime contractors should be responsible for handling all CUI. If a small business needs CUI to execute its work, the prime or the Government should provide an environment for the small business to complete its work.

DoD Response.

In recognition of the pervasive cyber threat both to DoD and to the DIB, CMMC Program requirements are designed to ensure compliance with existing standards for protection of FCI and CUI. These cybersecurity requirements align directly to NIST guidelines (NIST SP 800–171 R2 and NIST SP 800–172 Feb2021) and the basic safeguarding requirements in FAR clause 52.204–21 that apply to all executive agencies. Since December 2017, DFARS clause 252.204–7012 has required contractors to implement the NIST SP 800–171 security requirements to provide adequate security as applicable for processing, storing, or transmitting CUI on non-Federal information systems, as needed in support of the performance of a DoD contract. The executive branch’s CUI Program is codified in 32 CFR part 2002 and establishes policy for designating, handling, and decontrolling information that qualifies as CUI.
The definition of CUI and general requirements for its safeguarding are included in 32 CFR 2002.4 and 2002.14. 32 CFR 2002.14(h)(2) specifically requires that ‘‘Agencies must use NIST SP 800–171 when establishing security requirements to protect CUI’s confidentiality on non-Federal information systems . . .’’ Contractually, DFARS clause 252.204–7012 requires contractors to implement the NIST SP 800–171 R2 security requirements, and that requirement applies regardless of the number of computers or components in a non-Federal information system or the size of the contractor or subcontractor, as applicable. DoD’s original implementation of security requirements for adequate safeguarding of CUI relied upon self-attestation by contractors. Since that time, the DoD Inspector General and the DCMA found contractors did not consistently implement mandated system security requirements for safeguarding CUI and recommended DoD take steps to assess a contractor’s ability to protect this information. The DoD has streamlined requirements to reduce the burden of compliance on contractors. Analysis of costs to meet CMMC requirements is provided in the regulatory impact analysis for this rule. As described in the estimate included with the rule, the major cost categories for compliance with CMMC requirements include costs for completing a self-assessment (e.g., Level 1 or 2); costs to prepare for and undergo Level 2 certification assessment; and costs required to implement the Level 3 security requirements and for preparing to undergo DCMA DIBCAC assessment (Level 3). CMMC Level 3 certification assessments against the NIST SP 800–172 Feb2021 baseline are performed free of cost by DoD assessors, which reduces the overall cost of achieving CMMC Status of Level 3 (DIBCAC). Notably, certification is never required for CMMC Level 1, and the requirement can be satisfied through self-assessment.
When CMMC Level 2 requirements apply, they may be met via self-assessment, or a certification assessment conducted by a C3PAO, depending on the specific CMMC requirement cited in the solicitation or resulting contract. When the CMMC Program requirements are effective, solicitations for DoD contracts that will involve the processing, storing, or transmitting of FCI or CUI on any non-Federal system, notwithstanding the size or configuration of the non-Federal system, will specify the required CMMC Level (1, 2, or 3) and assessment type (self-assessment or certification assessment). An assumption for the cost estimates is that Non-Small Entities have a full-time team of cybersecurity professionals on staff while Small Entities do not. The assumptions, explained in the regulatory impact analysis, reflect that Small Entities will likely obtain support from External Service Providers and have a staff member submit affirmations and SPRS scores for self-assessments. All these costs, except the open market cost of a C3PAO, are directly controllable by the organization seeking assessment. The CMMC rule does not make any change to cost allowability as defined in FAR 31.201–2, Determining Allowability. The DoD declined to modify the estimates, which are intended to be representative and to inform rulemaking. The cost estimates represent average derived estimates based on internal expertise and public feedback in accordance with OMB Circular A–4 and represent average costs for companies to comply with the CMMC requirements. This rule does not provide the cost analysis for all actions, personnel, and security measures required to protect CUI information, data, systems, and technical products through the life cycle of the work and data generated.
The size and complexity of the network within scope of the assessment impacts the costs as well. As required by rulemaking guidance, the DoD provided cost estimates and impact analyses. An analysis of profit margins is not required. Additionally, this rule and the required cost analysis and resulting cost estimates were reviewed by DoD cost analysts and OMB economists for realism and completeness. Some public comments received reflect a misinterpretation of the cost estimates that accompany this rule, which are representative of average assessment efforts and do not include actual prices of C3PAO services available in the marketplace. Market forces of supply and demand will determine C3PAO pricing for CMMC Level 2 certification assessments. Costs associated with meeting the requirements of existing DFARS clause 252.204–7012 are not captured in the CMMC rule documentation. Please refer to 81 FR 72990, October 21, 2016, for DoD’s final rule implementing the DoD’s requirement that ‘‘contractors shall implement NIST SP 800–171 as soon as practical, but not later than December 31, 2017.’’ Public comments related to implementation costs were published with that final rule, along with DoD’s responses. Within the limitations of § 170.21, Plan of Action and Milestones Requirements, offerors may bid on contract opportunities while continuing to work towards full compliance. Verifying compliance with applicable security requirements may increase costs and is necessary for the adequate protection of DoD FCI and CUI. The cost of lost technological advantage over potential adversaries is far greater than the costs of such enforcement. The value of information and the impact of its loss do not diminish when the information is shared with contractors. At the time of contract award, the DoD may not have visibility into whether the prime contractor will further disseminate DoD FCI and CUI.
However, FAR clause 52.204–21, DFARS clause 252.204–7012, and DFARS clause 252.204–7021 require the prime contractor to flow down these clauses and the included information security requirements to any subcontractor that will process, store, or transmit FCI or CUI, as applicable. Decisions regarding DoD’s information that must be shared to support completion of the contract tasks, including those performed by subcontractors, take place between the prime contractor and their subcontractors. The DoD cannot dictate business practices between prime contractors and their subcontractors, who should work together to determine the necessary flow down of FCI and CUI, only as needed in performance of the contract, while ensuring compliance with the CMMC security requirements and in consideration of minimizing the burden. While DoD understands the burden on small business, it must enforce CMMC requirements uniformly across the Defense Industrial Base for all contractors who process, store, or transmit FCI and CUI. The requirements necessary to protect a single document are the same as those to protect many documents. Although CMMC compliance may add to an organization’s cost, no member of the DIB can assume the status quo in today’s ever-changing cybersecurity environment. Increasing costs to protect the nation’s data and industries from emerging threats is simply a component of doing business anywhere in the world. Processing, storing, or transmitting sensitive Government information comes with a handling cost that needs to be built into each organization’s business model. All contractors or subcontractors with access to CUI need to be capable of protecting that information to the standards specified in 32 CFR part 2002. If a small business cannot comply with the requirements of DFARS clause 252.204–7012 and NIST SP 800–171 R2, then that business should not receive CUI or process, store, or transmit CUI.
If the DoD information flowed by the prime to a subcontractor is only FCI, then only a CMMC Level 1 self-assessment is required for the subcontractor prior to the flow of information under contract. DoD’s programs, technological superiority, and best interests are not served if FCI and CUI are not consistently and adequately safeguarded by all who process, store, or transmit it.

2. Cost Benefit.

Some commenters suggested it would be more cost effective for DoD to provide an environment or a DoD managed portal for the handling of CUI. A significant concern expressed was that companies have delayed complying with DoD cybersecurity standards until the CMMC rule was released and they could understand what level of compliance they will require. Several commenters felt DoD underestimated the costs and should have included the implementation cost of the requirements in this rule as well. One commenter was confused about how the discount rates were applied. Another commenter suggested that DoD provide flexibility to allow small businesses to not meet all the requirements and still be allowed to handle CUI, and another expressed concerns regarding the cost of compliance and the degradation of the DIB that will be unable to afford compliance.

DoD Response:

The DoD declined to adopt the alternatives suggested in the comments, such as policy-based solutions that lack a rigorous assessment component or sharing CUI only through DoD-hosted secure platforms. The current DFARS clause 252.204–7012 requires protection of Security Protection Assets (SPA) and Security Protection Data (SPD). Section 1.1 of NIST SP 800–171 R2 states: ‘‘The requirements apply only to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components.’’ There is therefore no increase in the scope because of the CMMC Program as described in the rule.
SPD requires protection commensurate with the CUI it protects and is based on how and where the SPD is stored. The FedRAMP requirements for handling SPD are therefore the same as those for handling CUI. The CMMC rule made no change to the FAR cost allowability or cost accounting standards. The 7% discount rate is not a discount for organizations; it is a part of a formula used in the regulatory impact analysis (RIA) calculations. When calculating 20 years in the future, a discount rate is used to determine the net present value of money. The cost estimate represents derived estimates based on internal expertise and public feedback in accordance with OMB Circular A–4: Regulatory Impact Analysis: A Primer. Step 7 in the manual explains discount rates. As written, this rule amply provides for the flexibility sought by the commenter. § 170.21 specifically addresses the flexibility to have a Plan of Action and Milestones (POA&M) to delay meeting certain requirements subject to CMMC assessment for up to 180 days. In addition, DFARS clause 252.204–7012 already permits contractors to request DoD CIO permission to utilize alternative security measures to those prescribed by NIST SP 800–171. If an OSC previously received a favorable adjudication from the DoD CIO for an alternative security measure, the DoD CIO adjudication must be included in the system security plan to receive consideration during an assessment. Implemented security measures adjudicated by the DoD CIO as equally effective are assessed as MET if there have been no changes in the environment.

3. CMMC Model.
Some commenters claimed that the requirement for all subcontractors of Level 3 prime contractors to be at least Level 2 certified, regardless of what work they do, will generate more demand for Level 2 assessments than the Department is anticipating. Since much of DoD’s contract dollars flow through a relatively small number of companies, it is likely those companies will have at least one CMMC Level 3 project. The result would be Level 2 certification requirements being flowed down to nearly the entirety of the DIB. Some commenters believed this to be an unintended consequence of implementing the enhanced protection of CMMC Level 3.

DoD Response:

It is possible the commenters misunderstood § 170.23, Application to subcontractors, in the rule. § 170.23(a)(4) states: ‘‘If a subcontractor will process, store, or transmit CUI in performance of the subcontract and the associated prime contractor has a requirement for the CMMC Status of Level 3 (DIBCAC), then the CMMC Status of Level 2 (C3PAO) is the minimum requirement for the subcontractor.’’ The commenter’s phrase ‘‘regardless of what work they do’’ does not acknowledge the fact that the Level 2 certification assessment is required for subcontractors who process, store, or transmit CUI. It is also possible that the commenter interpreted that a Level 2 self-assessment is adequate for subcontractors working with a prime that has a contractual requirement for a Level 3 certification assessment. In this case, a CMMC Status of Final Level 2 (Self) is not adequate. A CMMC Status of Final Level 3 (DIBCAC) signifies that the prime first achieved a CMMC Status of Final Level 2 (C3PAO), as the risk to their CUI was deemed high enough to require Level 2 certification assessment. Since this same information may be shared with subcontractors who process, store, or transmit CUI, the subcontractor must also achieve CMMC Status of Final Level 2 (C3PAO).
The decision to rely upon a CMMC Level 2 self-assessment in lieu of a certification assessment is a Government risk-based decision based upon the nature of the effort to be performed and CUI to be shared. The size of the company with access to the CUI is not a basis for this determination. The value of information and the impact of its loss do not diminish when the information moves to contractors of smaller size.

4. Assessment.

Commenters questioned whether CMMC will accept reciprocity with other compliance methodologies. Another questioned what would drive a company to seek a reassessment of their environment. Other commenters suggested that we allow small businesses 365 days to close their POA&M requirements, as well as suggesting that pre-assessment materials do not need to be uploaded into eMASS, and that the hashing requirements should be simplified. Other suggestions made were to allow Program Managers to relax requirements based on a risk decision and allow assessors to make judgement calls on what evidence constitutes compliance with the requirement. One commenter requested the DoD publish an overview of the assessment methodology that includes the defined frequency guidelines. Additionally, one commenter requested that access to the Procurement Integrated Enterprise Environment (PIEE) and Supplier Performance Risk System (SPRS) be made easier for small contractors.

DoD Response:

CMMC requirements apply to DoD contracts, and not to contracts issued by other agencies. Flow down of CMMC requirements from a prime contractor to its subcontractors shall apply, as addressed in § 170.23(a) of this rule. DoD intends to allow qualified standards acceptance of a DIBCAC High Assessment using NIST SP 800–171 R2 for CMMC Status of Final Level 2 (C3PAO) as addressed in § 170.20. CMMC Level 2 self-assessment, Level 2 certification assessment, and Level 3 certification assessment are valid for a defined CMMC Assessment Scope as outlined in § 170.19, CMMC Scoping.
A new CMMC assessment may be required if significant architectural or boundary changes are made to the previous Assessment Scope. Examples include, but are not limited to, expansions of networks or mergers and acquisitions. Operational changes within an Assessment Scope, such as adding or subtracting resources within the existing assessment boundary that follow the existing SSP, do not require a new assessment, but rather are covered by the annual affirmations of continuing compliance with requirements.

The DoD did not accept the recommendation to change the criteria for POA&Ms or the timeline allowed to remediate open POA&M items. The 180-day timeline and the determination of the weighted practices that may be included in a POA&M were risk-based decisions. The determination factored in the relative risk DoD is willing to accept when a particular practice is Not Met and the amount of risk the DoD is willing to accept for those security practices that remain “NOT MET” for an extended period. Unlike the original CMMC Program, the revised CMMC Program accepts some risk with the use of limited POA&Ms.

There is value to the DoD in having the pre-assessment information in CMMC eMASS for overall program management and oversight. The information indicates that an assessment is either scheduled or in process. The CMMC PMO seeks to track CMMC Program adoption, and the pre-assessment information allows reporting on upcoming assessments. Based on the DoD’s cost analysis, the cost to upload pre-assessment material is minimal. The rule and Hashing Guide have been updated to clarify that only a single hash needs to be reported, and that the name of the hash algorithm used must be stored in CMMC eMASS.

Each Assessment Objective in NIST SP 800–171A Jun2018 must yield a finding of MET or NOT APPLICABLE for the overall security requirement to be scored as MET.
Assessors exercise judgment in determining when sufficient and adequate evidence has been presented to make an assessment finding. This is consistent with current DIBCAC High Assessments and assessments conducted under the Joint Surveillance Voluntary Assessment (JSVA) program. A security requirement can be applicable even when some of its assessment objectives are N/A. The security requirement is NOT MET when one or more applicable assessment objectives is NOT MET. The requirements of each Level of the CMMC Model are defined in §§ 170.15 through 170.18, and the scoring of assessments is described in § 170.24. The required assessment frequency is every year for a CMMC Status of Final Level 1 (Self), and every 3 years for the CMMC Statuses of Final Level 2 (Self), Final Level 2 (C3PAO), and Final Level 3 (DIBCAC), or when changes within the CMMC Assessment Scope invalidate the assessment. The phased implementation plan for CMMC described in § 170.3(e) is intended to address ramp-up issues, provide time to train the necessary number of assessors, and allow companies the time needed to understand and implement CMMC requirements. The rule has been updated to add an additional six months to the Phase 1 timeline. Phase 2 will start one calendar year after the start of Phase 1.

5. Scoping. Commenters expressed concerns about how External Service Providers (ESPs) and SPA and SPD are handled with regard to certification. Another commenter expressed concern about the lack of FedRAMP Moderate certified capabilities in the market, and requested clarification on the definition of “Specialized Assets”, specifically regarding equipment in manufacturing that may not fall under the conventional categories of IoT, IIoT, and OT.
Another commenter expressed concerns about how Contractor Risk Managed Assets (CRMA) are handled, along with concerns about available FedRAMP certified capabilities. Other comments identified concerns with the responsibility of a company that adopts an ESP and their adherence to security requirements, and with the lack of time given in Phase 2 of the CMMC roll-out to obtain certification. A question was also asked regarding the Department’s assumptions on the rigor a Certifying Officer [Affirming Official in the rule] would require before signing an attestation and the methodology used to determine the resultant actions that must be taken. Another raised a concern regarding how sub-environments are handled, as well as end-to-end encryption in handling CUI. Another expressed concern regarding the marking of data as CUI and the potential for overmarking. Some commenters suggested that all CUI be held in a special appendix for contracts and only be allowed to be accessed at the prime’s facility or through a government-hosted secure portal. A commenter also suggested that small businesses should not be made to meet the CMMC Level 3 requirements. Another commenter raised questions about the alternatives that the Department considered in developing the CMMC Program. Another suggestion was to provide uniform web-based training on cybersecurity; that commenter also stated that the definition of CUI was unclear, and that CUI should stay under the control of the Federal Government and be maintained in a government-owned secure portal. A suggestion was also made that DoD establish a Cyber Protection Program that monitors DIB companies and provides real-time health reports on the DIB, dynamic intelligence security alerts, and recommended actions. A suggestion that NIST establish a special standard for micro-organizations was also provided.
Commenters also suggested that the rule was too stringent, and that CUI was not marked well or flowed down to subcontractors appropriately.

DoD Response: The Department is committed to overseeing the CMMC Program and will take appropriate measures to ensure its efficient execution. Presently, the Department has no intention of mandating that contracting offices adopt presumptive measures that would reduce the number of small contracts subject to Level 2 certification assessment, nor does it plan to impose affirmative requirements on prime contracts to utilize enclaves. Prior to the conduct of an assessment, the OSC engages with the C3PAO assessor. It is during this time that the classification of assets should be established, and the results of these discussions documented in pre-planning materials. This is an example of the pre-assessment and planning material submitted by the C3PAO as required in § 170.9(b)(8) and the CMMC Assessment Scope submitted to eMASS as required in § 170.17(a)(1)(i)(D). The DoD considered the NIST definitions for System Information and Security Relevant Information in developing the CMMC definition for SPD. This rule does not regulate an OSA’s SPD, but instead implements existing regulatory requirements for the safeguarding of CUI, as defined in 32 CFR 2002.14(h)(2) and implemented by DFARS clause 252.204–7012. DFARS clause 252.204–7012 requires protection of security protection assets and security protection data through its specification of NIST SP 800–171. Section 1.1 of NIST SP 800–171 R2 states: “The requirements apply only to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components.” There is therefore no increase in the scope as described in the rule, and no revisions to cost estimates are required. The DoD received numerous comments about the requirements for CMMC when an ESP is used.
In response to these comments, the DoD revised the rule to reduce the assessment burden on External Service Providers (ESPs) by updating the ESP assessment, certification, and authorization requirements in §§ 170.19(c)(2) and (d)(2). The use of an ESP, its relationship to the OSA, and the services provided need to be documented in the OSA’s System Security Plan and described in the ESP’s service description and customer responsibility matrix (CRM), which describes the responsibilities of the OSA and the ESP with respect to the services provided.

An ESP is considered a Cloud Service Provider (CSP) when it provides its own cloud services based on a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing that can be rapidly provisioned and released with minimal management effort or service provider interaction on the part of the OSA. ESPs that are CSPs and process, store, or transmit CUI must meet the FedRAMP requirements in DFARS clause 252.204–7012. ESPs that are CSPs and do not process, store, or transmit CUI are not required to meet the FedRAMP requirements in DFARS clause 252.204–7012. An ESP that is not a CSP and processes, stores, or transmits CUI is considered an extension of the OSA’s environment, and the ESP services used to meet OSA requirements are within the scope of the OSA’s CMMC assessment. As part of that environment, the ESP will be assessed against all applicable requirements and is accountable for all users who have access to CUI as part of the ESP’s service, not just OSA employees. ESPs that are not CSPs and do NOT process, store, or transmit CUI do not require a CMMC assessment. Nothing in the rule precludes an ESP that is not a CSP from voluntarily requesting a C3PAO assessment, or a C3PAO from performing such an assessment, if the ESP makes that business decision.
Similarly, the ESP can request a Level 3 certification assessment from the DCMA DIBCAC if it has successfully met all the requirements during a Level 2 certification assessment. ESPs can be part of the same corporate/organizational structure but still be external to the OSA, such as a centralized SOC or NOC that supports multiple business units. An ESP that is used as staff augmentation, where the OSA provides all processes, technology, and facilities, does not need a CMMC assessment. An ESP (not a CSP) that provides technical support services to its clients would be considered an MSP, since it does not host its own cloud platform offering. An ESP may utilize cloud offerings to deliver services to clients without being a CSP. An ESP that manages a third-party cloud service on behalf of an OSA would not be considered a CSP.

6. POA&M. Commenters expressed concern regarding the limited nature of POA&Ms in CMMC, as well as the timeline and lack of flexibility in remediating the POA&Ms.

DoD Response: The DoD did not accept the recommendation to change the criteria in § 170.21 for POA&M requirements or the timeline allowed to remediate open POA&M items. The 180-day timeline and the determination of which weighted practices can be placed on a POA&M were risk-based decisions. The determination took into account the relative risk DoD is willing to accept when a particular practice is not met and the amount of risk the DoD is willing to accept for those security practices that remain “NOT MET” for the extended period of time. The phased implementation plan in § 170.3(e) is intended to address ramp-up issues, provide time to train the necessary number of assessors, and allow companies the time needed to understand and implement CMMC requirements.
DoD has updated the rule to add an additional six months to the Phase 1 timeline, which is now one year. Phase 2 will start one calendar year after the start of Phase 1.

7. Incorporation by Reference. Commenters expressed concern about the confusion caused by NIST SP 800–171 R2 being included in the CMMC rule rather than the recently published Revision 3.

DoD Response: The Office of the Federal Register regulations (1 CFR part 51) require the specification of a revision to a standard. Specifying a revision benefits the CMMC Ecosystem by ensuring it moves forward from one NIST standard to the next in an organized manner. The DoD cites NIST SP 800–171 R2 in this final rule for a variety of reasons, including the time needed for industry to prepare to implement subsequent revisions and the time needed to prepare the CMMC Ecosystem to perform assessments against them. DoD is unable to incorporate suggestions that CMMC assessments be aligned to whichever NIST revision is current at the time of solicitation. Comments on the specifics of NIST SP 800–171 Revision 3 should be directed to NIST.

8. Affirmation. Commenters expressed confusion regarding the definition of the Affirming Official, as well as how the affirmation process works, i.e., whether the affirmation is for each company or for the whole supply chain. One commenter also expressed confusion regarding whether an affirmation was required at each certification level annually.

DoD Response: The rule was modified to include a definition for Affirming Official in § 170.4. The DoD considered the recommended text revisions and modified the text for added clarity about affirmations. DoD’s use of the term OSA within the affirmations section is deliberate and conveys that each organization is responsible for affirmations pertaining to its own assessments.
To help clarify the point in question, § 170.22(a)(1) addresses the Affirming Official and has been revised to clarify that CMMC affirmations shall be submitted by the OSA and apply only to the information systems of that organization. The DoD deems that the requirement to annually affirm continuing compliance with the CMMC requirements at the designated CMMC Level, following the procedures in § 170.22, is not a significant additional burden. The requirement for annual affirmations takes the place of an annual recertification and ensures the Affirming Official responsible for CMMC requirements is monitoring compliance.

9. Alternatives. Several commenters provided suggestions for alternative means to implement verification of compliance with cybersecurity standards. These suggestions included the following:
• Provide flexibility for the CMMC AB to allow a C3PAO partial assessment of prospective Managed Service Providers.
• Allow small businesses to continue performing self-assessments and self-certify, along with increasing the support provided to small business from DC3 to expand paying for consultants to assist with compliance as well as paying for small business assessments.
• Integrate cybersecurity and traditional counterintelligence measures, establishing a secure software development environment in a cloud that DoD hosts, as well as providing a secure environment in which small businesses could operate.
• Require prime contractors to assume the cost of CMMC for their supply chain.
• Only assess a sampling of the Defense Industrial Base.
• Increase the certification validity time period from 3 to 10 years.
• Shift the requirement to post-award.
• Re-evaluate the program to reduce requirements to make it easier.
• Stay with only the DCMA DIBCAC performing assessments on the DIB.

DoD Response: DoD considered many alternatives before deciding upon the current CMMC structure.
To date, alternative methods of assessment have proven inadequate and necessitated the establishment of CMMC. The DoD determined the requirements for a CMMC Accreditation Body, and this accreditation body will administer the CMMC Ecosystem. DoD must enforce CMMC requirements uniformly across the DIB for all contractors and subcontractors who process, store, or transmit CUI. The value of information and the impact of its loss do not diminish when the information moves to contractors and subcontractors. The DoD notes with interest the commenter’s reference to initiatives in a report to Congress describing the breadth of cybersecurity-related initiatives within the Department. While the CMMC Program is an important initiative, it is by no means the Department’s only effort to improve DIB cybersecurity. The CMMC Program addresses the adequate safeguarding of contractor-owned information systems that process, store, or transmit FCI or CUI. Other DoD initiatives related to secure cloud or software development environments are beyond the scope of the CMMC Program. The DoD declined to accept the recommended alternative of relying exclusively on self-assessment with the potential to require a DIBCAC assessment for only a sampling of DoD contractors, which is essentially the status quo. Both GAO reporting and other DoD analysis have shown that the DIB has not consistently implemented the NIST SP 800–171 requirements needed to comply with DFARS clause 252.204–7012, notwithstanding that DoD’s stated objective in this clause is compliance “as soon as practical, but not later than December 31, 2017.” The DoD declined to accept the risk associated with implementing CMMC as a post-award requirement. When contracts require contractors to process, store, or transmit CUI, DoD requires that they be compliant with DFARS clause 252.204–7012 and competent to adequately safeguard CUI from the beginning of the period of performance.
DoD declined the recommendation to require primes to assume the cost of CMMC compliance for their subcontractors. The aggregated SPRS reporting and scoring is CUI. The DoD does not plan to make this information public at this time, as it may aid adversaries in coordinating their attacks.

The Department declined to adopt the recommendation to allow DIB members to assist in designing the DoD’s mechanism for assessing DIB compliance with DoD’s contractual requirements. In developing the CMMC Program, the DoD sought and considered DIB input. DoD disagreed with the comment that there is a lack of scalability in the CMMC Program. The phased implementation plan described in § 170.3(e) is intended to address ramp-up issues within the CMMC Ecosystem, provide time to train the necessary number of assessors, and allow companies the time needed to understand and implement CMMC requirements. The rule was updated to add an additional six months to the Phase 1 timeline, which is now one year. Further extension of the implementation period or other solutions may be considered in the future to mitigate any C3PAO capacity issues, but the Department has no such plans at this time. As with all DoD programs, the Department intends to effectively oversee the CMMC Program and take the actions needed to manage its effective implementation. Although the full extent of DoD’s oversight process is beyond the scope of this rule, the rule text does address DoD’s authority to waive the application of CMMC requirements when warranted. The DoD disagrees with commenters’ assertions about NIST SP 800–171 R2 and the available assessment methods. The NIST SP 800–171 R2 standard was chosen because it is enterprise-focused and already required in DoD contracts when DFARS clause 252.204–7012 is applicable.
DCMA DIBCAC currently performs assessments against NIST SP 800–171 R2, which identifies its target audience to include individuals with security assessment responsibilities, such as auditors, assessors, and “independent verifiers.” The Department does not have the organic capacity to adequately assess the 220,000+ companies in the DIB. The DoD will not assume the workload of directly assessing every DIB contractor. In this final rule, DoD established a scalable way to verify, through assessment, that contractors have implemented the required security measures necessary to safeguard DoD’s information. It is important that contractors maintain security compliance for systems that process, store, or transmit DoD CUI. Given the evolving cybersecurity threat, DoD’s best interests are served by ensuring that Level 2 self-assessments and certification assessments remain valid for no longer than a 3-year period, regardless of who performs the assessment.

10. Applicability. Commenters expressed frustration with exempting Commercial-Off-The-Shelf (COTS) products and procurements under the micro-purchase threshold from CMMC certification, and with not providing exemptions for Native American, small, disadvantaged businesses and Small Business Innovative Research contracts. They also expressed concerns about perceived threatened penalties and a lack of recognition of the recurring costs of Level 1 assessments. A commenter also recommended reversing the phased approach to require that Level 3 requirements be implemented first.

DoD Response: Some comments pertain to the 48 CFR part 204 CMMC Acquisition rule, including the applicability of the CMMC clause to COTS procurements and those below the micro-purchase threshold. Such comments are not within the scope of this 32 CFR part 170 CMMC Program rule, which outlines program requirements rather than contracting procedures. This rule has no disproportionate impact on Native American owned businesses.
Once identified as a requirement, the CMMC Program requirements will apply uniformly to all prospective contractors. DoD must enforce safeguarding requirements uniformly across the DIB for all contractors and subcontractors who process, store, or transmit CUI. The value of information and the impact of its loss do not diminish when the information moves to DoD contractors and DoD subcontractors, regardless of their status as Native American or small disadvantaged businesses. The purpose of the CMMC Program is to ensure that DoD contracts that require contractors to safeguard FCI and CUI (i.e., contracts that include FAR clause 52.204–21 and DFARS clause 252.204–7012) will be awarded to contractors with the ability to protect that information appropriately. Accordingly, all contractor-owned information systems that process, store, or transmit FCI or CUI in the performance of a contract are subject to the requirements of FAR clause 52.204–21 and NIST SP 800–171 as implemented by DFARS clause 252.204–7012. The CMMC Program rule does not include “threatened penalties.” If a requirement of a DoD contract is not met, then the standard contractual remedies applicable to that contract may apply. The phased implementation plan described in § 170.3(e) is intended to address ramp-up issues, provide time to train the necessary number of assessors, and allow companies the time needed to understand and implement CMMC requirements. The self-assessment requirements build on the existing DFARS clause 252.204–7020 requirement as part of basic safeguarding of CUI. CMMC Level 3 requires advanced implementation, and the phase-in period provides additional time for an OSC to achieve the higher standard.

11. Flow down. Commenters expressed concern that the CMMC rule language was not clear enough regarding when self-assessments are allowed.
One commenter believed that requiring prime contractors to validate the compliance of those they transmit CUI to was too onerous, and that the rule language was not clear on how to determine what level of CUI is being passed.

DoD Response: DoD policies guide Program Managers to appropriately apply CMMC Status requirements in DoD solicitations and resulting contracts, including when a Level 2 self-assessment rather than a Level 2 certification assessment is appropriate. The commenter misinterprets the text of § 170.23, which states: If a subcontractor will process, store, or transmit CUI in performance of the subcontract and the associated prime contractor has a requirement for a CMMC Status of Level 2 (C3PAO), then the CMMC Status of Level 2 (C3PAO) is the minimum requirement for the subcontractor. CMMC flow down requirements are designed to apply consistent assessment requirements to all contractors, whether prime or subcontractor and regardless of company size, who are required to adequately safeguard CUI. The DoD cannot dictate DIB business practices, and encourages prime contractors to carefully consider the necessity of sharing CUI and to work with their subcontractors to flow down CUI with the required security and the least burden. Defense contractors may share information about their CMMC Status with other DIB members to facilitate effective teaming arrangements when competing for DoD contract opportunities. In addition, CMMC requirements apply to prime contractors and their subcontractors as outlined in § 170.23. For additional information about flow down of contractual requirements, see the 48 CFR part 204 CMMC Acquisition rule, RIN 0750–AK81, Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019–D041).

12. International.
Commenters expressed concern about international partners’ use of cloud services that do not have FedRAMP or GovCloud equivalency. Commenters also expressed concern that the draft language [in the proposed rule] did not explain reciprocity of cybersecurity standards between the U.S. and international partners. One commenter recommended exempting foreign businesses from assessment requirements.

DoD Response: A domestic or international business seeking a contract that includes DFARS clause 252.204–7012, and using a cloud service provider to process, store, or transmit covered defense information in performance of that DoD contract, must meet FedRAMP authorization or equivalency requirements. As the FedRAMP program and FedRAMP equivalency are available to international organizations, foreign partners do not need to develop their own FedRAMP program. The DoD leverages FedRAMP to provide the requirements for the adoption of secure cloud services across the Federal Government by providing a standardized approach to security and risk assessment for cloud technologies and Federal agencies. The implementation of CMMC Program requirements described in § 170.3(e) of the rule does not favor assessments of any contractors over any other contractors. All companies, regardless of size, location, or nationality, will have access to authorized C3PAOs for certification assessments. The rule does not preclude non-U.S. citizens or foreign-owned C3PAOs from operating in the U.S. Additionally, U.S.-owned C3PAOs may operate in a foreign nation. Section 170.20 states that OSCs that have completed a DCMA DIBCAC High Assessment aligned with CMMC Level 2 Scoping will be given the CMMC Status of Final Level 2 (C3PAO). International standards acceptance is not addressed in this rule.
Any consideration of reciprocity between foreign partner protected information and CUI and FCI would require a formal government-to-government international arrangement or agreement and is outside the scope of this 32 CFR part 170 CMMC Program rule. Any discussion of exemptions for foreign businesses is outside the scope of the 32 CFR part 170 CMMC Program rule and may be addressed through government-to-government international arrangements or agreements. The Discussion of Public Comments and Resulting Changes section in the preamble of the final rule addresses all public comments received during the mandatory 60-day public comment period for the proposed rule and supporting documents.

Response to Comments From Chief Counsel for Advocacy of the SBA

On December 26, 2023, the Department of Defense (DoD) published a proposed rule entitled Cybersecurity Maturity Model Certification (CMMC) Program, 88 FR 89058. This proposed rule intends to create a mechanism by which the DoD can certify that contractors and subcontractors are in compliance with the stated cybersecurity guidelines. The SBA Office of Advocacy (SBA or Advocacy) submitted the following comments and concerns on the proposed rule in a letter addressed to the DoD CIO within the public comment period for the proposed 32 CFR part 170 CMMC Program rule.

“Advocacy is principally concerned with the ability for small businesses to meet and comply with the standards and timelines set out in the CMMC Program without further clarification and guidance documents from the DoD. The current rule does not provide clear guidance on the process to create enclaves, which would allow more small business subcontractors to participate in DoD contracts without meeting the full requirements necessary for the prime contractor.
Advocacy seeks clarification on the role of Third-Party Assessment Organizations (C3PAO) and the indemnification a C3PAO has if a contractor or subcontractor is out of compliance.”

“Advocacy concerns also include the process of how and if more C3PAOs can be certified by the DoD to review the numerous contracts that will be subject to certifications. Advocacy urges the DoD to provide clarification about the enforcement mechanisms for breaches of cybersecurity.”

“Lastly, Advocacy reminds the DoD that this rule will impose a high cost of compliance on small businesses and any means to reduce the burden on small businesses will increase the participation of these impacted businesses.”

“The proposed rule would give contractual effect to NIST SP 800–171 and 172, requiring companies to meet the three levels of compliance if the contracts involve FCI or CUI. CMMC attempts to redesign previous iterations of cybersecurity models with a more streamlined process. This proposal would simplify previous systems to create a more streamlined certification system. This rule differs from previous iterations by allowing for businesses to create enclaves within their business models, allowing the business to implement the CMMC standards while not drastically changing every aspect of their business process.”

“SBA Comment 1: Under the proposed rule, the CMMC Program will require all DoD contractors and subcontractors who handle Federal contract information (FCI) and Controlled Unclassified Information (CUI) to maintain cybersecurity protections of their systems. CMMC will create three levels of compliance, depending on the level of security necessary for which the contractor has access. Level 1 has 15 requirements focused on logging access to potential FCI. Level 2 includes minimum requirements for contractors handling CUI and adds 110 requirements. Level 3 addresses an additional 24 requirements.
Each level will pose varying challenges for small businesses of every kind to comply with the progressing requirements. Advocacy has commented on previous proposals for CMMC concerning the significant impact this will have on small business contractors.”

“Advocacy held outreach meetings with diverse small business stakeholders concerning this rule, both in-person and virtually. Small businesses expressed concerns with how to compensate the increased costs due to implementing CMMC and asked for clarity on aspects of the proposed CMMC rule. Advocacy has four chief concerns with the proposed rule.”

“Advocacy requests clear and concise guidance for small business contractors and subcontractors to create enclaves in order to lessen the burden of compliance on the businesses.”

“The proposed rule states that different business segments or different enclaves of a business can be assessed or certified at different CMMC levels. Creating and implementing enclaves will be most effective when a large prime contractor creates these enclaves to ease the burden on small subcontractors. The rule mentions the use of enclaves but does not provide guidance on how to implement enclaves within a business.”

DoD Response: The Department acknowledges the concerns articulated by the Small Business Administration (SBA) and commits to enhancing training provisions after the rule is final and effective. Moreover, the Department pledges to reinstate outreach efforts targeting the broader industry and specifically small businesses to facilitate familiarity with CMMC requirements once the rule is final and effective. However, the Department does not intend to formulate specific directives pertaining to the configuration and segregation of corporate information systems into enclaves.
Such determinations must be tailored to individual companies, considering a multitude of unique factors. External service providers (ESPs) will be a driving force for small businesses’ compliance with CMMC requirements. ESPs are vendors that handle security-related data or CUI on their own assets and software. The ability of ESPs to create effective and economically feasible services will allow businesses to enclave different operations more easily and avoid unduly costly compliance expenses.

‘‘SBA Comment 2: Advocacy recommends that the DoD create a presumption to reduce the number of small contracts that are subject to CMMC Level 2. This can be achieved through varying means, including a positive requirement for prime contractors or the ability for a prime contractor to engage in using enclaves as a positive value marker for their contracts. Further, the agency contracting officer could be required to engage in mitigating efforts if such CMMC related issues arise between a subcontractor and prime contractor.’’

DoD Response: The Department is committed to robustly supervising the CMMC Program and will take appropriate measures to ensure its efficient execution. Presently, the Department has no intention to mandate contracting offices adopt presumptive measures that would diminish the number of small contracts subject to CMMC Level 2 assessment, nor does it plan to impose affirmative requirements on prime contracts to utilize enclaves.

‘‘SBA Comment 3: Advocacy seeks clarity on the role of C3PAOs and the ability of C3PAOs to meet the demand for CMMC. ‘‘For CMMC Level 2 compliance, a CMMC third-party assessor (C3PAO) will triennially inspect the businesses’ compliance with the 110 requirements of CMMC Level 2. Stakeholders raised concerns regarding the role C3PAOs will play in Level 2 certification and sought clarity on the indemnification of issues arising from a certification.
Stakeholders raised concerns that if there are an insufficient number of C3PAOs to timely inspect every contractor before the rule is effective, then small businesses will be the last ones to be certified. Advocacy recommends creating a streamlined process to provide organizations with C3PAO certifications. This process would meet the immediate need of contractors to initially certify with a C3PAO that the business meets CMMC Level 2 requirements. Particularly, there should be availability of C3PAOs for small businesses and ensure small business owners are not falling behind.’’

DoD Response: In alignment with its standard practice across all programs, the Department is committed to diligent oversight of the CMMC Program and will enact appropriate measures to ensure its successful execution. The phased implementation strategy outlined in § 170.3(e) in the rule is designed to tackle initial challenges, facilitate assessor training, and afford companies sufficient time to comprehend and integrate CMMC prerequisites. While the Department remains open to considering future adjustments, including potential extensions to the implementation timeline or alternative solutions to address any capacity constraints faced by C3PAOs, no such initiatives are currently under active consideration.

‘‘SBA Comment 4: Advocacy asks the DoD to clarify enforcement guidelines/mechanisms. As proposed, Level 1 contractors would annually attest their compliance with the requirements. While at Level 2, there would be attestations with C3PAO certifications every three years. Stakeholders raised questions about the practical steps the DoD will take in enforcement actions for breaches. Further, stakeholders raised concerns regarding the availability of remediating steps in the instance of failure to meet a CMMC requirement.
Advocacy recommends the agency create guidance documents for small business contractors to better understand the legal effects of the CMMC.’’

DoD Response: Regarding enforcement, as the CMMC is slated for implementation as a precondition for contract award consideration, noncompliance with CMMC requirements will result in disqualification from contract award; or post-award, could result in standard contractual and other remedies for failure to timely and satisfactorily address outstanding POA&Ms to fully implement CMMC requirements and meet contractual obligations.

‘‘SBA Comment 5: Advocacy highlights the need for DoD to create rules that encourage and improve small business participation in contracting programs. Advocacy reiterates the importance of small businesses in Federal contracting. [Excerpt from footnote 21: ‘‘Small businesses make up 99.9 percent of all U.S. businesses as well as 73 percent of companies in the defense industrial base, and last year small businesses were awarded over 25 percent of all DoD prime contracts. As the economic engine of our nation, small businesses create jobs, generate innovation, and are essential, daily contributors to national security and the defense mission.’’] Creating accessible, commercially viable, and secure cyber systems is critical for the future of national security. Small businesses wish to continue to be a powerful driver of national defense contracting. Advocacy heard small business stakeholders from across the country express their strong commitment to protecting our country from cyber-attacks and recognize the critical need for CMMC and other cybersecurity measures.
‘‘Small businesses urge DoD to create flexibilities such as using Plan of Action and Milestones (POA&Ms) when this rule goes into effect initially, allowing small businesses to ramp up to full compliance with their respective CMMC level.’’

DoD Response: The Department acknowledges the concerns voiced by the SBA regarding the participation of small businesses in contracting programs and the importance of fostering their involvement in Federal contracting, particularly within the defense industrial base. Recognizing the significant role small businesses play in national security and defense missions, the Department is committed to diligently addressing these concerns. While the Department values the input provided by small business stakeholders and understands the desire for flexibilities, including the use of POA&Ms during the initial implementation phase, it must carefully balance multiple factors to ensure the effectiveness and integrity of the CMMC Program.

‘‘SBA Comment 6: Advocacy’s chief concerns surround a lack of clarity on key aspects of the proposed rule. Advocacy requests clarification from DoD as to how to create enclaves within businesses. Encouraging the use of ESPs and incentivizing large prime contractors to keep all subcontractors from being subject to high levels of cybersecurity will be key in keeping small businesses engaged in DoD contracting. Guidance documents for small businesses (especially aimed at the smallest of small businesses) and ESPs will create an easier ramp for small business compliance. Advocacy requests clarity from DoD regarding the role of C3PAOs and encourages the DoD to ensure small businesses can obtain certification from C3PAOs in a timely manner. Further, the DoD should clarify the enforcement and procedural repercussions for a failure to meet various CMMC levels. Lastly, the DoD should set achievable goals as CMMC is implemented, ensuring that current small businesses contracting with the agency can continue work with the government while ensuring our nation’s defense.’’

DoD Response: The DoD acknowledges SBA Advocacy’s chief concerns and will make additional training resources available following finalization of this rule. The DoD deems that the level of detail on the topics identified is appropriate for codification in the 32 CFR part 170 CMMC Program rule. The DoD will resume outreach efforts with the aim of promoting CMMC familiarization among small businesses once the rule is final and effective and any constraints on such engagements no longer apply. However, DoD caveats that providing any specific instructions for configuring corporate information systems into enclaves is beyond the guidance that DoD intends to provide, as such decisions are unique to each company. The role of C3PAOs is thoroughly described in § 170.9 CMMC Third-Party Assessment Organizations (C3PAOs) and in the supplemental documents. In terms of enforcement, since CMMC will be implemented as a pre-award requirement, the repercussions of failure to meet CMMC requirements will include failure to be selected for contract award, or standard contractual and other remedies for failure to timely and satisfactorily close out a POA&M and meet or maintain the contractual CMMC requirements. As with all DoD programs, the Department intends to effectively oversee the CMMC Program and take the appropriate actions needed to manage its effective implementation. The phased implementation plan described in § 170.3(e) was extended by six months and is intended to address ramp-up issues, provide time to train the necessary number of assessors, and allow companies the time needed to understand and implement CMMC requirements.
Small Business Entities Impacted

This rule will impact small businesses that do business with the Department of Defense, except those competing on contracts or orders that are exclusively for COTS items or when receiving contracts or orders valued at or below the micro-purchase threshold. According to the Federal Procurement Data System (FPDS) there is an average of 29,260 unique small business contractors: FY 2019 (31,189), FY 2020 (29,166) and FY 2021 (27,427).

Cost Assumptions and Analysis for CMMC

Complete details on CMMC requirements and associated costs, savings, and benefits of this rule are provided in the Regulatory Impact Analysis referenced in the preamble. Key components of the model are described in §§ 170.14 through 170.24.

(a) Assumptions for the updated CMMC Program Cost Analysis

In estimating the public cost for a small DIB company to achieve CMMC compliance or certification at each CMMC level, DoD considered nonrecurring engineering costs, recurring engineering costs, assessment costs, and affirmation costs for each CMMC Level.62 These costs include labor and consulting. Estimates include size and complexity assumptions to account for organizational differences and how an organization handles Information Technology (IT) and cybersecurity:
• small entities have a less complex, less expansive operating environment and Information Technology (IT)/Cybersecurity infrastructure compared to larger DIB companies.
• small entities outsource IT and cybersecurity to an External Service Provider (ESP).
• entities (large or small) pursuing CMMC Level 2 self-assessment will seek consulting or implementation assistance from an ESP to either help them prepare for the assessment technically or participate in the assessment with the C3PAOs.
Estimates do not include implementation (Non-recurring Engineering Costs (NRE)) or maintenance costs (Recurring Engineering (RE)) for requirements prescribed in current regulations. For CMMC Levels 1 and 2, cost estimates are based upon assessment, reporting and affirmation activities which a contractor will take to validate conformance with existing cybersecurity requirements from the FAR clause 52.204–21 (effective June 15, 2016) to protect FCI, and the DFARS clause 252.204–7012, which required contractor implementation of NIST SP 800–171 not later than December 31, 2017, to protect CUI. As such, cost estimates are not included for an entity to implement security requirements, maintain existing security requirements, or remediate a Plan of Action for unimplemented requirements.

For CMMC Level 3, the estimates factor in the assessment, reporting and affirmation activities in addition to estimates for NRE and RE to implement and maintain CMMC Level 3 requirements. CMMC Level 3 requirements are a subset of NIST SP 800–172 Feb2021 Enhanced Security Requirements as described in § 170.30 of the CMMC rule and are not currently required through other regulations. CMMC Level 3 is expected to apply only to a small subset of DIB contractors.

The Cost Categories used for each CMMC Level are described below:
1. Nonrecurring Engineering Costs: Estimates consist of hardware, software, and the associated labor to implement the same. Costs associated with implementing the requirements defined in FAR clause 52.204–21 and NIST SP 800–171 R2 are assumed to have been implemented and are therefore not accounted for in this cost estimate. As such, these costs only appear in CMMC Level 3.

62 DoD estimates of the hours, recurring and nonrecurring costs, and labor rates are based upon subject matter expertise from the DoD Chief Information Office, CMMC Program Office, and DoD/DIBCAC.
Where nonrecurring engineering costs are referenced, they are only accounted for as a one-time occurrence and are reflected in the year of the initial assessment.
2. Recurring Engineering Costs: Estimates consist of annually recurring fees and associated labor for technology refresh. Costs associated with implementing the requirements defined in FAR clause 52.204–21 and NIST SP 800–171 R2 are assumed to have been implemented and are therefore not accounted for in this cost estimate. As such, these costs only appear in CMMC Level 3.
Assessment Costs: Estimates consist of activities for pre-assessment preparations (which includes gathering and/or developing evidence that the assessment objectives for each requirement have been satisfied), conducting and/or participating in the actual assessment, and completion of any post-assessment work. Assessment costs are represented by notional phases. Assessment costs assume the offeror/contractor passes the assessment on the first attempt (conditional, with an allowable POA&M, or final). Each phase includes an estimate of hours to conduct the assessment activities including:
(a) Labor hour estimates for a company (and any ESP support) to prepare for and participate in the assessment.
(b) C3PAO cost estimates for companies pursuing a certification.
—Labor hour estimates for certified assessors to work with the small business to conduct the actual assessment.
(c) Assessment Costs broken down into phases.
—Phase 1: Planning and preparing for the assessment.
—Phase 2: Conducting the assessment (self or C3PAO).
—Phase 3: Reporting of Assessment Results.
—Phase 4: POA&M Closeout (for CMMC Level 3 only, where allowed, if applicable).
• CMMC allows a limited open Plan of Action and Milestones (POA&M) for a period of 180 days to remediate the POA&M, see § 170.37.
3. Affirmations: Estimates consist of costs for a contractor to submit to SPRS an initial affirmation of compliance that the covered contractor information system is compliant with and will maintain compliance with the requirements of the applicable CMMC Level. Where POA&Ms are allowed, an affirmation must be submitted with the POA&M closeout. Except for Small Entities for Level 1 and Level 2, it is assumed the task requires the same labor categories and estimated hours as the final reporting phase of the assessment.

(b) Comparison to the Initial CMMC Program Cost Analysis

Public comments on the initial CMMC Program indicated that cost estimates were too low. Updated CMMC Program cost estimates account for that feedback with the following improvements:
• Allowance for outsourced IT services.
• Increased total time for the contractor to prepare for the assessment, including limited time for learning the reporting and affirmation processes.
• Allowance for use of consulting firms to assist with the assessment process.
• Time for a senior level manager to review the assessment and affirmation before submitting the results into SPRS.
• Updated government and contractor labor rates that include applicable burden costs.
As a result, some cost estimates for the updated CMMC Program may be higher than those included in the initial CMMC Program.

(c) Cost Analysis/Estimates by CMMC Level

CMMC Level 1 Self-Assessment and Affirmation Costs for Small Business Entities

• Nonrecurring and recurring engineering costs: There are no nonrecurring or recurring engineering costs associated with CMMC Level 1 since it is assumed the contractor has implemented basic safeguarding requirements.63
• Self-Assessment Costs and Initial Affirmation Costs: It is estimated that the cost to support a CMMC Level 1 assessment and affirmation is *$5,977 (as summarized in table 1).
A Level 1 self-assessment is conducted annually, and is based on the assumptions detailed below:
—Phase 1: Planning and preparing for the assessment: $1,803
• A director (MGMT5) for 4 hours ($190.52/hr × 4hrs = $762)
• An external service provider (ESP)64 for 4 hours ($260.28/hr × 4hrs = $1,041)
—Phase 2: Conducting the self-assessment: $2,705
• A director (MGMT5) for 6 hours ($190.52/hr × 6hrs = $1,143)
• An external service provider (ESP) for 6 hours ($260.28/hr × 6hrs = $1,562)
—Phase 3: Reporting of Assessment Results into SPRS: $909
• A director (MGMT5) for 2 hours ($190.52/hr × 2hrs = $381)
• An external service provider (ESP) for 2 hours ($260.28/hr × 2hrs = $521)
• A staff IT specialist (IT4) for 0.08 hours65 ($86.24/hr × 0.08hrs = $7)
—Affirmation: initial affirmation post assessment: $560
• Reaffirmations: It is estimated that the cost to reaffirm a CMMC Level 1 annually for a small entity is $560
—A director (MGMT5) for 2 hours ($190.52/hr × 2hrs = $381)
—A staff IT specialist (IT4) for 2.08 hours ($86.24/hr × 2.08hrs = $179)
• Summary: The following is the annual small entities total cost summary for CMMC Level 1 self-assessments and affirmations over a ten-year period: (Example calculation, Year 1: *$5,977 per entity (detailed above) × 699 entities (cumulative) = $4,177,845)

63 Again, it is assumed that DIB contractors and subcontractors have already implemented the 15 basic safeguarding requirements in FAR clause 52.204–21.
64 An external service provider is assumed to be an ‘‘Information Assurance Specialist Level 7’’ with an hourly rate of $260.
65 A person needs to enter the information into SPRS, which should only take five minutes.

Table 30 - Total Cost Summary for Small Entities for CMMC Level 1 Self-Assessments and Affirmations

Year   Entities assessed (new in year)   Entities (cumulative)   Total cost
 1               699                            699            $4,177,845
 2             3,493                          4,192           $25,055,116
 3            11,654                         15,846           $94,709,771
 4            22,336                         38,182          $228,209,547
 5            22,333                         60,515          $361,691,392
 6            22,333                         82,848          $495,173,237
 7            20,162                        103,010          $615,679,258
 8                 0                        103,010          $615,679,258
 9                 0                        103,010          $615,679,258
10                 0                        103,010          $615,679,258

CMMC Level 2 Self-Assessment and Affirmation Costs for Small Business Entities

The costs below account for a CMMC Level 2 self-assessment of the applicable contractor information system(s) with NIST SP 800–171 R2 requirements based on assumptions defined above.
• Nonrecurring and recurring engineering costs: There are no nonrecurring or recurring engineering costs associated with CMMC Level 2 self-assessment since it is assumed the contractor has implemented NIST SP 800–171 R2 requirements.
• Assessment Costs and Initial Affirmation Costs: It is estimated that the cost to support a CMMC Level 2 self-assessment and affirmation for a small entity is *$34,277. The three-year cost is $37,196 (as summarized in 4.1.2 above, table 2), which includes the triennial assessment + affirmation, plus two additional annual affirmations ($34,277 + $1,459 + $1,459).
—Phase 1: Planning and preparing for the self-assessment: $14,426
• A director (MGMT5) for 32 hours ($190.52/hr × 32hrs = $6,097)
• An external service provider (ESP) for 32 hours ($260.28/hr × 32hrs = $8,329)
—Phase 2: Conducting the self-assessment: $15,542
• A director (MGMT5) for 16 hours ($190.52/hr × 16hrs = $3,048)
• An external service provider (ESP) for 48 hours ($260.28/hr × 48hrs = $12,493)
—Phase 3: Reporting of assessment results: $2,851
• A director (MGMT5) for 4 hours ($190.52/hr × 4hrs = $762)
• An external service provider (ESP) for 8 hours ($260.28/hr × 8hrs = $2,082)
• A staff IT specialist (IT4) for 0.08 hours ($86.24/hr × 0.08hrs = $7)
—Affirmation—initial affirmation post assessment: $1,459
• Reaffirmations: It is estimated that the cost to reaffirm a CMMC Level 2 self-assessment annually is $1,459 (the three-year cost to reaffirm a CMMC Level 2 self-assessment annually is $4,377, or $1,459 × 3):
—A director (MGMT5) for 4 hours ($190.52/hr × 4hrs = $762)
—A staff IT specialist (IT4) for 8.08 hours ($86.24/hr × 8.08hrs = $697)
• Summary: The following is the annual small entities total cost summary for CMMC Level 2 self-assessments and Affirmations over a ten-year period: (Example calculation, Year 2: (*$34,277 self-assessment per entity × 101 entities) + ($1,459 annual affirmation per entity × 20 entities) = $3,491,193)

Table 31 - Total Cost Summary for Small Entities for CMMC Level 2 Self-Assessments and Affirmations

Year   Self-assessments   Annual affirmations   Total cost
 1            20                    0             $685,547
 2           101                   20           $3,491,193
 3           335                  121          $11,659,448
 4           662                  436          $23,327,706
 5           743                  997          $26,922,622
 6           977                1,405          $35,538,762
 7         1,241                1,720          $45,047,546
 8           743                2,218          $28,703,951
 9           977                1,984          $36,383,471
10         1,241                1,720          $45,047,546

CMMC Level 2 Certification and Affirmation Costs for Small Business Entities

The costs below account for CMMC Level 2 certification assessment and affirmation costs of the applicable contractor information system(s) with NIST SP 800–171 R2 requirements based on assumptions defined above. CMMC Level 2 certification assessments require hiring a C3PAO to perform the assessment.
• Nonrecurring or recurring engineering costs: There are no nonrecurring or recurring engineering costs associated with CMMC Level 2 C3PAO Certification since it is assumed the contractor has implemented NIST SP 800–171 R2 requirements.
• Assessment Costs and Initial Affirmation Costs: It is estimated that the cost to support a CMMC Level 2 C3PAO Certification and affirmation for a small entity is *$101,752. The three-year cost is $104,670 (as summarized in section 3(b) above, table 1), and includes the triennial assessment + affirmation plus two additional annual affirmations ($101,752 + $1,459 + $1,459).
—Phase 1: Planning and preparing for the assessment: $20,699
• A director (MGMT5) for 54 hours ($190.52/hr × 54hrs = $10,288)
• An external service provider (ESP) for 40 hours ($260.28/hr × 40hrs = $10,411)
—Phase 2: Conducting the C3PAO assessment: $45,509
• A director (MGMT5) for 64 hours ($190.52/hr × 64hrs = $12,193)
• An external service provider (ESP) for 128 hours ($260.28/hr × 128hrs = $33,316)
—Phase 3: Reporting of C3PAO Assessment Results: $2,851
• A director (MGMT5) for 4 hours ($190.52/hr × 4hrs = $762)
• An external service provider (ESP) for 8 hours ($260.28/hr × 8hrs = $2,082)
• A staff IT specialist (IT4) for 0.08 hours ($86.24/hr × 0.08hrs = $7)
—Affirmation—initial affirmation post assessment: $1,459
—C3PAO Costs: C3PAO engagement inclusive of Phases 1, 2, and 3 (3-person team) for 120 hours ($260.28/hr × 120hrs = $31,234)
• Reaffirmations: It is estimated that the cost to reaffirm a CMMC Level 2 C3PAO Assessment annually is $1,459 (three-year cost is $4,377, or $1,459 × 3)
—A director (MGMT5) for 4 hours ($190.52/hr × 4hrs = $762)
—A staff IT specialist (IT4) for 8.08 hours ($86.24/hr × 8.08hrs = $697)
• Summary: The following is the annual small entities total cost summary for CMMC Level 2 Certifications and Affirmations over a ten-year period: (Example calculation, Year 2: (*$101,752 assessment per entity × 1,926 entities) + ($1,459 annual affirmation per entity × 382 entities) = $196,531,451)

Table 32 - Total Cost Summary for Small Entities for CMMC Level 2 Certifications and Affirmations

Year   Certifications   Annual affirmations   Total cost
 1           382                  0             $38,869,223
 2         1,926                382            $196,531,451
 3         6,414              2,308            $656,003,811
 4        12,675              8,340          $1,301,872,564
 5        14,215             19,089          $1,474,252,306
 6        18,703             26,890          $1,942,295,763
 7        23,771             32,918          $2,466,768,671
 8        14,215             42,474          $1,508,368,920
 9        18,703             37,986          $1,958,483,830
10        23,771             32,918          $2,466,768,671

CMMC Level 3 Certification and Affirmation Costs for Small Business Entities

Contractors pursuing CMMC Level 3 certification assessment must have a current Final CMMC Level 2 certification assessment, and demonstrate compliance with CMMC Level 3, which is a subset of security requirements from NIST SP 800–172 Feb2021 that have DoD predefined selections and parameters. CMMC Level 3 requires compliance with security requirements not required in prior rules. Therefore, Nonrecurring Engineering and Recurring Engineering cost estimates have been included for the initial implementation and maintenance of the required subset of NIST 800–172 Feb2021 requirements. The cost estimates below account for time for a contractor to implement the security requirements and prepare for, support, and participate in a CMMC Level 3 assessment conducted by DCMA DIBCAC. The contractor should therefore keep in mind that the cost of a Level 3 certification will also incur the cost of a CMMC Level 2 certification assessment by a C3PAO in addition to the costs to assess the requirements specific to Level 3. Inclusion of CMMC Level 3 certification is expected to affect only a small subset of defense contractors or subcontractors in the DIB. The estimated engineering costs per small entity associated with CMMC Level 3 are:
• Nonrecurring Engineering Costs: $2,700,000.
• Recurring Engineering Costs: $490,000.
• Assessment Costs and Initial Affirmation Costs: It is estimated that the cost to support a CMMC Level 3 C3PAO Certification for a small entity is *$9,050. The three-year cost is $12,802 (summarized in 4.1.2 above, table 2), and includes the triennial assessment + affirmation, plus two additional annual affirmations ($9,050 + $1,876 + $1,876):
—Phase 1: Planning and preparing for the Level 3 assessment: $1,905
• A director (MGMT5) for 10 hours ($190.52/hr × 10hrs = $1,905)
—Phase 2: Conducting the Level 3 assessment: $1,524
• A director (MGMT5) for 8 hours ($190.52/hr × 8hrs = $1,524)
—Phase 3: Reporting of Level 3 assessment results: $1,876
• A director (MGMT5) for 8 hours ($190.52/hr × 8hrs = $1,524)
• A staff IT specialist (IT4) for 4.08 hours ($86.24/hr × 4.08hrs = $352)
—Phase 4: Remediation (for CMMC Level 3 if necessary and allowed): $1,869
• A director (MGMT5) for 8 hours ($190.52/hr × 8hrs = $1,524)
• A staff IT specialist (IT4) for 4 hours ($86.24/hr × 4hrs = $345)
• Affirmation—initial affirmation post assessment: $1,876
• Reaffirmations: It is estimated that the cost to reaffirm a CMMC Level 3 Assessment annually is $1,876 (three-year cost is $5,628, or $1,876 × 3)
—A director (MGMT5) for 8 hours ($190.52/hr × 8hrs = $1,524)
—A staff IT specialist (IT4) for 4.08 hours ($86.24/hr × 4.08hrs = $352)
• Summary: The following is the annual small entities total cost summary for CMMC Level 3 Certifications and Affirmations over a ten-year period. Example calculation, Year 2 (reference per entity amounts above):
—*($9,050 Certification per entity × 45 entities) + ($1,876 Annual Affirmation per entity × 3 entities) = $412,897, and
—$121,500,000 Nonrecurring Engineering cost ($2,700,000 per entity × 45 entities being certified), and
—$23,520,000 Recurring Engineering cost ($490,000 per entity × 45 entities being certified) + ($490,000 per entity × 3 entities performing affirmations)
—$145,432,897 Total Cost = Certification and Affirmation Cost ($412,897) + Nonrecurring Engineering cost ($121,500,000) + Recurring Engineering cost ($23,520,000), or $145,432,897.

Table 33 - Total Cost Summary for Small Entities for CMMC Level 3 Certifications and Affirmations

Year   Certifications   Annual affirmations   Certification and affirmation cost   Nonrecurring engineering cost   Recurring engineering cost   Total cost
 1           3                  0                      $27,151                          $8,100,000                    $1,470,000            $9,597,151
 2          45                  3                     $412,897                        $121,500,000                   $23,520,000          $145,432,897
 3         151                 48                   $1,456,663                        $407,700,000                   $97,510,000          $506,666,663
 4         292                196                   $3,010,423                        $780,300,000                  $239,120,000        $1,022,430,423
 5         334                443                   $3,853,914                        $780,300,000                  $380,730,000        $1,164,883,914
 6         440                626                   $5,156,569                        $780,300,000                  $522,340,000        $1,307,796,569
 7         553                774                   $6,456,917                        $704,700,000                  $650,230,000        $1,361,386,917
 8         334                993                   $4,885,718                                  $0                  $650,230,000          $655,115,718
 9         440                887                   $5,646,207                                  $0                  $650,230,000          $655,876,207
10         553                774                   $6,456,917                                  $0                  $650,230,000          $656,686,917

Projected Reporting, Recordkeeping, and Compliance Requirements

The CMMC Program provides for the assessment of contractor implementation of cybersecurity requirements to enhance confidence in contractor protection of unclassified information within the DoD supply chain. CMMC contractual requirements are implemented under the 48 CFR part 204 CMMC Acquisition rule, with associated rulemaking for the CMMC Program requirements (e.g., CMMC Scoring Methodology, certificate issuance, information accessibility) under the 32 CFR part 170 CMMC Program rule. The 32 CFR part 170 CMMC Program rule includes two separate information collection requests (ICR), one for the CMMC Program and one for CMMC eMASS. This information collection is necessary to support the implementation of the CMMC assessment process for Levels 2 and 3 certification assessment, as defined in §§ 170.17 and 170.18 respectively. The CMMC Level 2 certification assessment process is conducted by Certified Assessors, employed by CMMC Third-Party Assessment Organizations (C3PAOs). During the assessment process, Organizations Seeking Certification66 (OSCs) hire C3PAOs to conduct the third-party assessment required for certification. The CMMC Level 3 certification assessment process is conducted by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

66 An Organization Seeking Certification (OSC) is an entity seeking to contract, obtain, or maintain CMMC certification for a given information system at a particular CMMC Level. An OSC is also an OSA.

Use of the Information

Level 1 and Level 2 CMMC Self-Assessments. Organizations Seeking Assessment67 (OSAs) follow procedures as defined in §§ 170.15(a)(1) and 170.16(a)(1) to conduct CMMC Level 1 and Level 2 self-assessments on their information systems to determine conformance with the information safeguarding requirements associated with the CMMC level requirements.
The Level 1 and Level 2 self-assessment information collection reporting and recordkeeping requirements will be included in a modification of an existing Defense Federal Acquisition Regulation Supplement (DFARS) collection approved under OMB Control Number 0750–0004, Assessing Contractor Implementation of Cybersecurity Requirements. Modifications to this DFARS collection will be addressed as part of the 48 CFR part 204 CMMC Acquisition final rule.

67 An Organization Seeking Assessment (OSA) is an entity seeking to conduct, obtain, or maintain a CMMC assessment for a given information system at a particular CMMC Level. The term OSA includes all OSCs.

CMMC Level 2 Certification Assessment

The Level 2 certification assessment information collection burden for reporting and recordkeeping requirements is included in the 32 CFR part 170 CMMC Program rule. The information collection burden for the OSCs to upload affirmations in SPRS is included in the 48 CFR part 204 CMMC Acquisition final rule. Additionally, the information collection burden requirements for the CMMC instantiation of eMASS are addressed in a separate 32 CFR part 170 CMMC Program final rule information collection request (ICR). OSCs follow procedures as defined in § 170.17 to prepare for CMMC Level 2 certification assessment. Certified Assessors assigned by C3PAOs follow requirements and procedures as defined in § 170.17 to conduct CMMC assessments on defense contractor information systems to determine conformance with the information safeguarding requirements associated with CMMC Level 2. This is an assessment to validate implementation of the 110 security requirements from NIST SP 800–171 R2. Prospective C3PAOs must complete and submit the Standard Form (SF) 328 Certificate Pertaining to Foreign Interests (OMB control number 0704–0579) upon request from the Defense Counterintelligence and Security Agency (DCSA).
C3PAOs must generate and collect pre-assessment and planning material (contact information for the OSC, information about the C3PAO and assessors conducting the assessment, the level of assessment planned, the CMMC Model and Assessment Guide versions, and assessment approach), artifact information (list of artifacts, hash of artifacts, and hashing algorithm used), final assessment reports, appropriate CMMC certificates of assessment, and assessment appeal information. C3PAOs submit the data they generate and collect into the CMMC instantiation of eMASS; the information collection required for this submission is addressed in a separate CMMC eMASS ICR for the 32 CFR part 170 CMMC Program rule. OSCs may have a POA&M at CMMC Level 2 as addressed in § 170.21. C3PAOs perform a POA&M closeout assessment. The C3PAO process to conduct a POA&M Close-out Assessment, where applicable, is the same as the initial assessment with the same information collection requirements. OSCs must retain artifacts used as evidence for the assessment for the duration of the validity period of the certificate of assessment, and at minimum, for six years from the date of certification assessment as addressed in § 170.17(c)(4). The OSC is responsible for compiling relevant artifacts as evidence and having knowledgeable personnel available during the assessment. The organizational artifacts are proprietary to the OSC and will not be retained by the assessment team unless expressly permitted by the OSC. To preserve the integrity of the artifacts reviewed, the OSC creates a hash of assessment evidence (to include a list of the artifact names, the return values of the hashing algorithm, and the hashing algorithm used) and retains the artifact information for six years.
The information obtained from the artifacts is an information collection and is provided to the C3PAO for uploading into the CMMC instantiation of eMASS (addressed in a separate CMMC eMASS ICR for the 32 CFR part 170 CMMC Program final rule); the artifacts themselves are not an information collection. The OSC process to support a POA&M Close-out Assessment, where applicable, is the same as the initial assessment with the same information collection requirements. If an OSC does not agree with the assessment results, it may formally dispute the assessment and initiate an Assessment Appeal process with the C3PAO who conducted the assessment. C3PAOs submit assessment appeals using eMASS (addressed in a separate CMMC eMASS ICR for the 32 CFR part 170 CMMC Program final rule). Appeals are tracked in the CMMC instantiation of eMASS and any resulting changes to the assessment results are uploaded into the CMMC instantiation of eMASS. C3PAOs maintain records for a period of six years of monitoring, education, training, technical knowledge, skills, experience, and authorization of each member of its personnel involved in inspection activities; contractual agreements with OSCs; any working papers generated from Level 2 certification assessments; and organizations for whom consulting services were provided as addressed in § 170.9(b)(9). The Accreditation Body provides the CMMC PMO with current data on C3PAOs, including authorization and accreditation records and status using the CMMC instantiation of eMASS (addressed in a separate CMMC eMASS ICR for the 32 CFR part 170 CMMC Program final rule). The Accreditation Body provides all plans related to potential sources of revenue, to include but not limited to fees, licensing, processes, membership, and/or partnerships to the Government’s CMMC PMO as addressed in § 170.8(b)(13).
CAICOs maintain records for a period of six years of all procedures, processes, and actions related to fulfillment of the requirements set forth in § 170.10(b)(9).

CMMC Level 3 Certification Assessment

The Level 3 certification assessment information collection burden for reporting and recordkeeping requirements is included in the 32 CFR part 170 CMMC Program final rule. The information collection burden for OSCs to upload affirmations in SPRS is included in the 48 CFR part 204 CMMC Acquisition final rule. Additionally, the information collection burden requirements for the CMMC instantiation of eMASS are addressed in a separate CMMC eMASS ICR for the 32 CFR part 170 CMMC Program final rule. OSCs follow procedures as defined in § 170.18 to prepare for CMMC Level 3 certification assessment. DCMA DIBCAC Assessors follow requirements and procedures as defined in § 170.18 to conduct CMMC assessments on defense contractor information systems to determine conformance with the information safeguarding requirements associated with CMMC Level 3. This is an assessment to validate the implementation of the 24 selected security requirements from NIST SP 800–172 Feb2021. Because DCMA DIBCAC is a government entity, there are no public information collection requirements. DCMA DIBCAC must generate and collect pre-assessment and planning material (contact information for the OSC, information about the assessors conducting the assessment, the level of assessment planned, the CMMC Model and Assessment Guide versions, and assessment approach), artifact information (list of artifacts, hash of artifacts, and hashing algorithm used), final assessment reports, appropriate CMMC certificates of assessment, and assessment appeal information. DCMA DIBCAC submits the data it generates and collects into the CMMC instantiation of eMASS (addressed in a separate CMMC eMASS ICR for the 32 CFR part 170 CMMC Program final rule).
OSCs may have a POA&M at CMMC Level 3 as addressed in § 170.21. DCMA DIBCAC performs a POA&M closeout assessment. The DCMA DIBCAC process to conduct a POA&M close-out assessment, where applicable, is the same as the initial assessment with the same information collection requirements. OSCs must retain artifacts used as evidence for the assessment for the duration of the validity period of the certificate of assessment, and at minimum, for six years from the date of certification assessment as addressed in § 170.18(c)(4). The OSC is responsible for compiling relevant artifacts as evidence and having knowledgeable personnel available during the assessment. Assessors will not permanently retain assessment artifacts. To preserve the integrity of the artifacts reviewed during the assessment, the OSC creates a hash of assessment evidence (to include a list of the artifact names, the return values of the hashing algorithm, and the hashing algorithm used) and retains the artifact information for six years. The information obtained from the artifacts is an information collection and DCMA DIBCAC uploads the information into the CMMC instantiation of eMASS; the artifacts themselves are not an information collection. The OSC process to support a POA&M close-out assessment, where applicable, is the same as the initial assessment with the same information collection requirements. If an OSC does not agree with the assessment results, it may formally dispute the assessment and initiate an Assessment Appeal process with DCMA DIBCAC. DCMA DIBCAC submits assessment appeals using eMASS. Appeals are tracked in the CMMC instantiation of eMASS and any resulting changes to the assessment results are uploaded into CMMC eMASS.
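The artifact-hash record that the OSC must keep for six years, described above for Level 2 (§ 170.17) and here for Level 3 (§ 170.18), is a manifest of artifact names, hash values and the algorithm used. The following is an added example of producing and later re-verifying such a manifest; it is not code from the rule, DoD, or any CMMC tool, and the JSON layout, function names and constructed sample files are this example's own assumptions, since the rule fixes only the content of the record.

```python
"""Artifact hash manifest for CMMC assessment evidence (added example).

Assumptions (not from 32 CFR part 170): the JSON manifest layout, the
function names, and the sample evidence files built in demo().  The rule
requires only that the OSC record artifact names, hash values and the
hashing algorithm used, and retain that record for six years.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # 1 MiB reads so large evidence files are not loaded whole


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of one artifact using a hashlib algorithm name."""
    h = hashlib.new(algorithm)  # ValueError for an algorithm Python lacks
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(evidence_dir, algorithm="sha256"):
    """Hash every regular file under evidence_dir; names are stored relative."""
    root = Path(evidence_dir)
    artifacts = [
        {"name": p.relative_to(root).as_posix(), "digest": hash_file(p, algorithm)}
        for p in sorted(root.rglob("*")) if p.is_file()
    ]
    return {
        "algorithm": algorithm,                     # required by the rule
        "created": datetime.now(timezone.utc).isoformat(),  # assumed field
        "artifacts": artifacts,                     # names + return values
    }


def manifest_digest(manifest):
    """Digest of the canonical artifact list, so the record itself can be pinned."""
    canon = json.dumps(manifest["artifacts"], sort_keys=True, separators=(",", ":"))
    return hashlib.new(manifest["algorithm"], canon.encode()).hexdigest()


def verify_manifest(manifest, evidence_dir):
    """Re-hash the retained artifacts; returns {name: ok|modified|missing|unlisted}."""
    root = Path(evidence_dir)
    algorithm = manifest["algorithm"]
    status, listed = {}, set()
    for entry in manifest["artifacts"]:
        listed.add(entry["name"])
        p = root / entry["name"]
        if not p.is_file():
            status[entry["name"]] = "missing"
        elif hash_file(p, algorithm) == entry["digest"]:
            status[entry["name"]] = "ok"
        else:
            status[entry["name"]] = "modified"
    # files that appeared after the assessment are not covered by the record
    for p in root.rglob("*"):
        name = p.relative_to(root).as_posix()
        if p.is_file() and name not in listed:
            status[name] = "unlisted"
    return status


def demo():
    """Constructed sample evidence; returns (manifest, status before, status after tampering)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "policies").mkdir()
        (root / "policies" / "access-control.txt").write_text("AC policy v3 (constructed)\n")
        (root / "ssp.txt").write_text("System Security Plan (constructed)\n")
        manifest = build_manifest(root)
        before = verify_manifest(manifest, root)
        # simulate post-assessment changes the record should expose
        (root / "ssp.txt").write_text("System Security Plan (edited later)\n")
        (root / "policies" / "access-control.txt").unlink()
        (root / "extra.txt").write_text("added after assessment\n")
        after = verify_manifest(manifest, root)
    return manifest, before, after


if __name__ == "__main__":
    m, before, after = demo()
    print(json.dumps(m, indent=2))
    print("before:", before)
    print("after:", after)
```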
DCMA DIBCAC maintains records for a period of six years of monitoring, education, training, technical knowledge, skills, experience, and authorization of each member of its personnel involved in inspection activities and working papers generated from Level 3 Certification Assessments.

Use of Information Technology

CMMC assessment data and results are collected using information technology. C3PAOs and DCMA DIBCAC electronically upload assessment data and results into the CMMC instantiation of eMASS (addressed in a separate CMMC eMASS ICR for the 32 CFR part 170 CMMC Program final rule). The CMMC instantiation of eMASS electronically transfers certification results to SPRS. For Level 1 and 2 self-assessments, OSAs upload their assessment data directly into SPRS. Use of the CMMC instantiation of eMASS provides DoD visibility into the cybersecurity posture of the defense contractor supply chain and is the mechanism to generate reports on the health of the CMMC Ecosystem. SPRS is DoD’s authoritative source for supplier and product performance information. Use of this electronic system to collect CMMC information eliminates the need for contractors to respond directly to multiple DoD requiring activities. SPRS serves as a single repository for Government access to CMMC assessment results. Modifications to information collections in SPRS will be addressed in the 48 CFR part 204 CMMC Acquisition final rule.

Non-Duplication

The information obtained through this collection is unique and is not already available for use or adaptation from another cleared source.

Burden on Small Businesses

For Level 1 and 2 self-assessments, OSAs must report annually and triennially, respectively. Level 2 and Level 3 certification assessments must be conducted every three years by a C3PAO or DCMA DIBCAC, respectively. At all levels, an annual affirmation is required. In all cases, the burden applied to small business is the minimum consistent with applicable laws, Executive orders, regulations, and prudent business practices. A C3PAO, although not a defense contractor, may also be a small business. Efforts to minimize the burden on C3PAOs include the electronic collection of data using the CMMC instantiation of eMASS and providing Microsoft Excel spreadsheet templates.

Less Frequent Collection

CMMC certifications last up to three years. The assessment frequency for each level was determined by the DoD based on the sensitivity of information processed, stored, or transmitted by the OSA at each level. DoD Program Managers use the CMMC information in SPRS to confirm the validity status of an OSA’s CMMC self-assessment or certification assessment prior to contract award. Rather than taking a contract-by-contract approach to securing Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), the OSA may obtain multiple contracts with a single CMMC self-assessment or certification assessment, thereby reducing the cost to both DoD and industry.

Consultation and Public Comments

The Department consulted with members of the DIB Sector Coordinating Council (SCC), and government organizations including the DCMA DIBCAC and the Missile Defense Agency in determining what data to collect in the CMMC instantiation of eMASS. The 60-Day Federal Register notice information is included in the preamble of the 32 CFR part 170 CMMC Program final rule for public comment. The CMMC PMO is also working with a records management point-of-contact to ensure records produced from this information collection are retained and disposed of according to a NARA-approved records retention and disposition schedule. Records will be treated as permanent until the appropriate schedule is identified or approved.

Part A & B: Respondent Burden and Its Labor Costs

The Level 1 and Level 2 self-assessment information collection reporting and recordkeeping requirements for the CMMC Program will be included in a modification of an existing DFARS collection approved under OMB Control Number 0750–0004, Assessing Contractor Implementation of Cybersecurity Requirements. Modifications to this DFARS collection will be addressed as part of the 48 CFR part 204 CMMC Acquisition final rule.

The public burden costs associated with Level 2 and Level 3 certification assessment information collection reporting and recordkeeping requirements for the CMMC Program are addressed here, except for the eMASS reporting requirements which will be addressed as part of a separate CMMC eMASS ICR for the 32 CFR part 170 CMMC Program final rule. Respondent burden and cost for these information collection reporting and recordkeeping requirements are as follows:

Table 34 - Public Respondent Burden and Labor Costs for CMMC Level 2 and Level 3 Certification Assessment
Columns: Collection Instrument and Rule Citation; Entity Type; Number of Responses 68; Hours per Response 69; Burden Hours; Hourly Rate 70; Burden Per Response; Total Burden
Level 2 Certification Assessment, § 170.17(a); OSC (& hired C3PAO 71) - Small; 8,098; 417.83; 3,383,587.34; $239.89; $100,233; $811,688,767
Level 2 Certification Assessment, § 170.17(a); OSC (& hired C3PAO 71) - Other Than Small; 2,844; 833.83; 2,371,412.52; $131.44; $109,599; $311,698,462
Level 3 Certification Assessment, § 170.18(a); OSC - Small; 190; 42.08; 7,995.20; $170.48; $7,174; $1,363,022
Level 3 Certification Assessment, § 170.18(a); OSC - Other Than Small; 23; 384.08; 8,833.84; $94.53; $36,307; $835,063

68 Respondent is equivalent to an entity; an entity provides one response annually.
69 Hours per Response represents the estimated burden hours to complete the indicated assessment.
70 Hourly Rate represents a composite hourly rate derived from the detailed type of labor and associated rates estimated in the CMMC cost estimate model.
71 The entity type refers to the size of the OSC as either Small or Other Than Small; the entity type does not refer to the size of the C3PAO.

Respondent Costs Other Than Burden Hour Costs

Non-Recurring and Recurring Engineering estimated costs are included for Level 3 certification assessments. Non-Recurring Engineering reflects a one-time cost consisting of hardware, software, and the associated labor to implement the same. Recurring Engineering reflects annually recurring fees and associated labor for technology refresh. The estimated amounts below are average annual amounts for all entities as indicated. Travel costs for C3PAO assessors may represent an additional cost for respondents.

Table 35 - Respondent Costs Other Than Burden
Columns: Rule Citation; Entity Type; Non-Recurring Cost; Recurring Cost; Total Costs
§ 170.18(a) Level 3 Certification; OSC - Small; $513,000,000; $93,100,000; $606,100,000
§ 170.18(a) Level 3 Certification; OSC - Other Than Small; $485,300,000; $94,760,000; $580,060,000
TOTAL; ; ; ; $1,186,160,000

Cost to the Federal Government

The government burden costs associated with Level 3 certification assessment information collection reporting and recordkeeping requirements for the CMMC Program are addressed here, except for the eMASS reporting requirements which will be addressed as part of a separate CMMC eMASS ICR for the 32 CFR part 170 CMMC Program rule. Respondent burden and cost for these information collection reporting and recordkeeping requirements are as follows:

Table 36 - Government Respondent Burden and Labor Costs for Level 3 Certification Assessment
Columns: Collection Requirement and Rule Citation; Entity Type; Number of Responses 72; Hours per Response 73; Burden Hours; Hourly Rate 74; Burden Per Response; Total Burden
Level 3 Certification Assessment, § 170.18(a); OSC (& DCMA DIBCAC 75) - Small; 190; 117.75; 22,372.50; $108.47; $12,772; $2,426,745
Level 3 Certification Assessment, § 170.18(a); OSC (& DCMA DIBCAC 75) - Other Than Small; 23; 435.75; 10,022.25; $81.01; $35,300; $811,902

72 Respondent is equivalent to an entity; an entity provides one response annually.
73 Hours per Response represents the estimated Government burden hours to complete the indicated assessment.
74 The Hourly Rate represents a composite hourly rate derived from the detailed type of Government labor and associated rates estimated in the CMMC cost estimate model.
75 The entity type refers to the size of the OSC as either Small or Other Than Small; the entity type does not refer to the size of DCMA DIBCAC.

Steps Taken To Minimize Economic Impact

DoD took aggressive steps to minimize the economic impact of this program by streamlining requirements to reduce the number of steps in the process and the number of requirements that needed to be met, and reduced the requirement of 100% compliance, and the number of third-party assessments required.
To further elaborate, the DoD established a review body that evaluated the CMMC Program to ensure it was meeting the programmatic requirements to secure Controlled Unclassified Information within the non-Federal networks of the Defense Industrial Base. A special independent team was established to review and provide recommendations on improving the program. The DoD determined that the CMMC program should only employ the Cybersecurity Standards prescribed by the NIST SP 800–171 that had been required for defense contractors since 2017 as implemented by the DFARS clause 252.204–7012, which resulted in the removal of 20 requirements aligned with cybersecurity maturity. The ESG also recommended simplifying the program structure to require only 3 levels of certification vice the original 5. The program further determined that certifications should not be required at CMMC Level 1 and that self-assessment with an annual affirmation was sufficient for this level. Level 2 CMMC was further evaluated and it was determined that bifurcation of this level was appropriate, and some CUI would only require a Level 2 self-assessment with annual affirmation, which further reduced the costs for the program. Further, the ESG recommended that Plans of Actions and Milestones (POA&Ms) for lower-level requirements that were not met be allowed for a limited period of time. This rule was updated to allow POA&Ms for no more than 180 days to give contractors the ability to achieve contract award without being fully compliant with all requirements of NIST SP 800–171 R2. And, in another effort to minimize the economic impact, the program developed a Phase-in approach to incrementally implement CMMC in four phases over 4 years, with the first year being focused on Self-assessment and compliance with NIST SP 800–171 R2, giving contractors more time to implement the requirements already required in their contracts since 2017.
A CMMC waiver process was also included in the program which allows DoD the discretion to waive CMMC Program requirements to a procurement or class of procurements in advance of the solicitation in accordance with all applicable policies, procedures, and approval requirements. This waiver would allow contract award and the contractor would be expected to achieve compliance and certification at a defined time post-award. The DoD is employing a phased approach to the CMMC rollout to reduce implementation risk. DoD expects that the public has utilized the lead-time prior to the publication of this rule to prepare for CMMC implementation. CMMC Program requirements make no changes to existing policies for information security requirements implemented by the DoD. The phased CMMC implementation plan described in § 170.3(e) is intended to address CMMC ramp-up issues, provide time to train the necessary number of assessors, and allow companies the time needed to understand and implement CMMC requirements. DoD has updated the rule to add an additional six months to the Phase 1 timeline. Phase 2 will start one calendar year after the start of Phase 1, and Phase 3 will start one calendar year after the start of Phase 2. As with all DoD programs, the Department intends to effectively oversee CMMC, and take appropriate actions needed to manage its effective implementation.

Alternatives

DoD considered and adopted several alternatives during the development of this rule that reduce the burden on defense contractors and still meet the objectives of the rule. These alternatives include:
• Maintaining status quo and leveraging only the current requirements implemented in DFARS provision 252.204–7019 and DFARS clause 252.204–7020 requiring defense contractors and offerors to self-assess compliance and utilizing the DoD Assessment Methodology and entering a Basic Summary Score in SPRS.
• Revising CMMC to reduce the burden for small businesses and contractors who do not process, store, or transmit CUI by eliminating the requirement to hire a C3PAO and instead allow self-assessment with affirmation to maintain compliance at CMMC Level 1, and allowing triennial self-assessment with an annual affirmation to maintain compliance for some CMMC Level 2 programs.
• Exempting contracts and orders exclusively for the acquisition of commercially available off-the-shelf items; and
• Implementing a phased implementation for CMMC.
In addition, the Department took into consideration the timing of the requirement to achieve a specified CMMC level: (1) at time of proposal or offer submission, (2) after contract award, (3) at the time of contract award, or (4) permitting government Program Managers to seek approval to waive inclusion of CMMC requirements in solicitations and resulting contracts that involve disclosure or creation of FCI or CUI as part of the contract effort. Such waivers will be requested and approved by DoD in accordance with internal policies, procedures, and approval requirements. The Department ultimately adopted alternatives (3) and (4). The drawback of alternative 1 (at time of proposal or offer submission) is the increased risk for contractors since they may not have sufficient time to achieve the required CMMC level after the release of the solicitation and before contract award. The drawback of alternative 2 (after contract award) is the increased risk to the Department with respect to the costs, program schedule, and uncertainty in the event the contractor is unable to achieve the required CMMC level in a reasonable amount of time given its current cybersecurity posture.
This potential delay would apply to the entire supply chain and prevent the appropriate flow of CUI and FCI. CMMC does not require implementation of any additional security protection requirements beyond those identified in current FAR clause 52.204–21 and in NIST SP 800–171 R2 for CMMC Level 1 and Level 2, respectively. CMMC Level 3 requirements are new and based upon NIST SP 800–172 Feb2021.

Steps Taken To Minimize Additional Cost of Credit

The DoD is not a ‘‘covered agency’’ under 5 U.S.C. 604.

E. Public Law 96–511, ‘‘Paperwork Reduction Act’’ (44 U.S.C. Chapter 35)

Sections of this rule contain information collection requirements. As required by the Paperwork Reduction Act (44 U.S.C. Chapter 35), DoD has submitted information collection packages to the Office of Management and Budget for review and approval. The titles and proposed OMB control numbers are as follows.
• Cybersecurity Maturity Model Certification (CMMC) Enterprise Mission Assurance Support-Service (eMASS) Instantiation Information Collection (OMB control number 0704–0676).
• Cybersecurity Maturity Model Certification (CMMC) Program Reporting and Recordkeeping Requirements Information Collection (OMB Control Number 0704–0677).
In the proposed rule, DoD invited comments on these information collection requirements and the paperwork burden associated with this rule. Five comments were received on the information clearance packages that were not applicable to the information collection requirements; however, the comments were applicable to other aspects of the rule, and they are addressed in the comments section of this preamble. There were no changes to paperwork burden included in the proposed rule that published December 26, 2023 (88 FR 89058) based on public comments received.
To review these collections—including all background materials—please visit https://www.reginfo.gov/public/do/PRAMain and use the search function to enter either the title of the collection or the OMB Control Number.

F. Executive Order 13132, ‘‘Federalism’’

Executive Order 13132 establishes certain requirements that an agency must meet when it promulgates a final rule that imposes substantial direct requirement costs on state and local governments, preempts state law, or otherwise has federalism implications. This final rule will not have a substantial effect on State and local governments.

G. Executive Order 13175, ‘‘Consultation and Coordination With Indian Tribal Governments’’

Executive Order 13175 establishes certain requirements that an agency must meet when it promulgates a final rule that imposes substantial direct compliance costs on one or more Indian Tribes, preempts Tribal law, or affects the distribution of power and responsibilities between the Federal Government and Indian Tribes. This final rule will not have a substantial effect on Indian Tribal governments.

List of Subjects in 32 CFR Part 170

Certification, CMMC, CMMC Levels, CMMC Program, Contracts, Controlled unclassified information, Cybersecurity, Federal contract information, Government procurement, Incorporation by reference.

Accordingly, the Department of Defense adds 32 CFR part 170 to read as follows:

■ PART 170—CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC) PROGRAM

Subpart A—General Information
Sec.
170.1 Purpose.
170.2 Incorporation by reference.
170.3 Applicability.
170.4 Acronyms and definitions.
170.5 Policy.
Subpart B—Government Roles and Responsibilities
170.6 CMMC PMO.
170.7 DCMA DIBCAC.
Subpart C—CMMC Assessment and Certification Ecosystem
170.8 Accreditation Body.
170.9 CMMC Third-Party Assessment Organizations (C3PAOs).
170.10 CMMC Assessor and Instructor Certification Organization (CAICO).
170.11 CMMC Certified Assessor (CCA).
170.12 CMMC Instructor.
170.13 CMMC Certified Professional (CCP).
Subpart D—Key Elements of the CMMC Program
170.14 CMMC Model.
170.15 CMMC Level 1 self-assessment and affirmation requirements.
170.16 CMMC Level 2 self-assessment and affirmation requirements.
170.17 CMMC Level 2 certification assessment and affirmation requirements.
170.18 CMMC Level 3 certification assessment and affirmation requirements.
170.19 CMMC scoping.
170.20 Standards acceptance.
170.21 Plan of Action and Milestones requirements.
170.22 Affirmation.
170.23 Application to subcontractors.
170.24 CMMC Scoring Methodology.
Appendix A to Part 170—Guidance

Authority: 5 U.S.C. 301; Sec. 1648, Pub. L. 116–92, 133 Stat. 1198.

Subpart A—General Information.

§ 170.1 Purpose.

(a) This part describes the Cybersecurity Maturity Model Certification (CMMC) Program of the Department of Defense (DoD) and establishes requirements for defense contractors and subcontractors to implement prescribed cybersecurity standards for safeguarding Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). This part (the CMMC Program) also establishes requirements for conducting an assessment of compliance with the applicable prescribed cybersecurity standard for contractor information systems that: process, store, or transmit FCI or CUI; provide security protections for systems which process, store, or transmit CUI; or are not logically or physically isolated from systems which process, store, or transmit CUI.

(b) The CMMC Program provides DoD with a viable means of conducting the volume of assessments necessary to verify contractor and subcontractor implementation of required cybersecurity requirements.
(c) The CMMC Program is designed to ensure defense contractors are properly safeguarding FCI and CUI that is processed, stored, or transmitted on defense contractor information systems. FCI and CUI must be protected to meet evolving threats and safeguard nonpublic, unclassified information that supports and enables the warfighter. The CMMC Program provides a consistent methodology to assess a defense contractor’s implementation of required cybersecurity requirements. The CMMC Program utilizes the security standards set forth in the 48 CFR 52.204–21; National Institute of Standards and Technology (NIST) Special Publication (SP) 800–171, Basic Safeguarding of Covered Contractor Information Systems, Revision 2, February 2020 (includes updates as of January 28, 2021) (NIST SP 800–171 R2); and selected requirements from the NIST SP 800–172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800–171, February 2021 (NIST SP 800–172 Feb2021), as applicable (see table 1 to § 170.14(c)(4) for requirements, see § 170.2 for availability of NIST publications).

(d) The CMMC Program balances the need to safeguard FCI and CUI and the requirement to share information appropriately with defense contractors in order to develop capabilities for the DoD. The CMMC Program is designed to ensure implementation of cybersecurity practices for defense contractors and to provide DoD with increased assurance that FCI and CUI information will be adequately safeguarded when residing on or transiting contractor information systems.

(e) The CMMC Program creates no right or benefit, substantive or procedural, enforceable by law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

§ 170.2 Incorporation by reference.
Certain material is incorporated by reference into this part with the approval of the Director of the Federal Register under 5 U.S.C. 552(a) and 1 CFR part 51. Material approved for incorporation by reference (IBR) is available for inspection at the Department of Defense (DoD) and at the National Archives and Records Administration (NARA). Contact DoD online: https://DoDcio.defense.gov/CMMC/; email: osd.mc-alex.DoDcio.mbx.cmmc-rule@mail.mil; or phone: (202) 770–9100. For information on the availability of this material at NARA, visit: www.archives.gov/federal-register/cfr/ibr-locations or email: fr.inspection@nara.gov. The material may be obtained from the following sources:

(a) National Institute of Standards and Technology, U.S. Department of Commerce, 100 Bureau Drive, Gaithersburg, MD 20899; phone: (301) 975–8443; website: https://csrc.nist.gov/publications/.
(1) FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006 (FIPS PUB 200 Mar2006); IBR approved for § 170.4(b).
(2) FIPS PUB 201–3, Personal Identity Verification (PIV) of Federal Employees and Contractors, January 2022 (FIPS PUB 201–3 Jan2022); IBR approved for § 170.4(b).
(3) SP 800–37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, Revision 2, December 2018 (NIST SP 800–37 R2); IBR approved for § 170.4(b).
(4) SP 800–39, Managing Information Security Risk: Organization, Mission, and Information System View, March 2011 (NIST SP 800–39 Mar2011); IBR approved for § 170.4(b).
(5) SP 800–53, Security and Privacy Controls for Information Systems and Organizations, Revision 5, September 2020 (includes updates as of December 10, 2020) (NIST SP 800–53 R5); IBR approved for § 170.4(b).
(6) SP 800–82r3, Guide to Operational Technology (OT) Security, September 2023 (NIST SP 800–82r3); IBR approved for § 170.4(b).
(7) SP 800–115, Technical Guide to Information Security Testing and Assessment, September 2008 (NIST SP 800–115 Sept2008); IBR approved for § 170.4(b).

(8) SP 800–160, Volume 2, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Revision 1, December 2021 (NIST SP 800–160 V2R1); IBR approved for § 170.4(b).

(9) SP 800–171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, Revision 2, February 2020 (includes updates as of January 28, 2021), (NIST SP 800–171 R2); IBR approved for §§ 170.4(b) and 170.14(a) through (c).

(10) SP 800–171A, Assessing Security Requirements for Controlled Unclassified Information, June 2018 (NIST SP 800–171A Jun2018); IBR approved for §§ 170.11(a), 170.14(d), 170.15(c), 170.16(c), 170.17(c), and 170.18(c).

(11) SP 800–172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800–171, February 2021 (NIST SP 800–172 Feb2021); IBR approved for §§ 170.4(b), 170.5(a), and 170.14(a) and (c).

(12) SP 800–172A, Assessing Enhanced Security Requirements for Controlled Unclassified Information, March 2022 (NIST SP 800–172A Mar2022); IBR approved for §§ 170.4(b), 170.14(d), and 170.18(c).

(b) International Organization for Standardization (ISO) Chemin de Blandonnet 8, CP 401—1214 Vernier, Geneva, Switzerland; phone: +41 22 749 01 11; website: www.iso.org/popularstandards.html.

(1) ISO/IEC 17011:2017(E), Conformity assessment—Requirements for accreditation bodies accrediting conformity assessment bodies, Second edition, November 2017 (ISO/IEC 17011:2017(E)); IBR approved for §§ 170.8(b)(3), 170.9(b)(13), and 170.10(b)(4).

(2) ISO/IEC 17020:2012(E), Conformity assessment—Requirement for the operation of various types of bodies performing inspection, Second edition, March 1, 2012 (ISO/IEC 17020:2012(E)); IBR approved for §§ 170.8(a), (b)(1), (b)(3) and 170.9(b)(2) and (b)(13).
(3) ISO/IEC 17024:2012(E), Conformity assessment—General requirements for bodies operating certification of persons, second edition, July 1, 2012 (ISO/IEC 17024:2012(E)); IBR approved for §§ 170.8(b)(2) and 170.10(a) and (b)(4), (7), and (8).

Note 1 to paragraph (b): The ISO/IEC standards incorporated by reference in this part may be viewed at no cost in ‘‘read only’’ format at https://ibr.ansi.org.

§ 170.3 Applicability.

(a) The requirements of this part apply to:

(1) All DoD contract and subcontract awardees that will process, store, or transmit information, in performance of the DoD contract, that meets the standards for FCI or CUI on contractor information systems; and,

(2) Private-sector businesses or other entities comprising the CMMC Assessment and Certification Ecosystem, as specified in subpart C of this part.

(b) The requirements of this part do not apply to Federal information systems operated by contractors or subcontractors on behalf of the Government.
(c) CMMC Program requirements apply to all DoD solicitations and contracts pursuant to which a defense contractor or subcontractor will process, store, or transmit FCI or CUI on unclassified contractor information systems, including those for the acquisition of commercial items (except those exclusively for COTS items) valued at greater than the micropurchase threshold except under the following circumstances:

(1) The procurement occurs during Implementation Phase 1, 2, or 3 as described in paragraph (e) of this section, in which case CMMC Program requirements apply in accordance with the requirements for the relevant phase-in period; or

(2) Application of CMMC Program requirements to a procurement or class of procurements may be waived in advance of the solicitation at the discretion of DoD in accordance with all applicable policies, procedures, and approval requirements.

(d) DoD Program Managers or requiring activities are responsible for selecting the CMMC Status that will apply for a particular procurement or contract based upon the type of information, FCI or CUI, that will be processed on, stored on, or transmitted through a contractor information system. Application of the CMMC Status for subcontractors will be determined in accordance with § 170.23.

(e) DoD is utilizing a phased approach for the inclusion of CMMC Program requirements in solicitations and contracts. Implementation of CMMC Program requirements will occur over four (4) phases:

(1) Phase 1. Begins on the effective date of the complementary 48 CFR part 204 CMMC Acquisition final rule. DoD intends to include the requirement for CMMC Statuses of Level 1 (Self) or Level 2 (Self) for all applicable DoD solicitations and contracts as a condition of contract award.
DoD may, at its discretion, include the requirement for CMMC Status of Level 1 (Self) or Level 2 (Self) for applicable DoD solicitations and contracts as a condition to exercise an option period on a contract awarded prior to the effective date. DoD may also, at its discretion, include the requirement for CMMC Status of Level 2 (C3PAO) in place of the Level 2 (Self) CMMC Status for applicable DoD solicitations and contracts.

(2) Phase 2. Begins one calendar year following the start date of Phase 1. In addition to Phase 1 requirements, DoD intends to include the requirement for CMMC Status of Level 2 (C3PAO) for applicable DoD solicitations and contracts as a condition of contract award. DoD may, at its discretion, delay the inclusion of the requirement for CMMC Status of Level 2 (C3PAO) to an option period instead of as a condition of contract award. DoD may also, at its discretion, include the requirement for CMMC Status of Level 3 (DIBCAC) for applicable DoD solicitations and contracts.

(3) Phase 3. Begins one calendar year following the start date of Phase 2. In addition to Phase 1 and 2 requirements, DoD intends to include the requirement for CMMC Status of Level 2 (C3PAO) for all applicable DoD solicitations and contracts as a condition of contract award and as a condition to exercise an option period on a contract awarded after the effective date. DoD intends to include the requirement for CMMC Status of Level 3 (DIBCAC) for all applicable DoD solicitations and contracts as a condition of contract award. DoD may, at its discretion, delay the inclusion of the requirement for CMMC Status of Level 3 (DIBCAC) to an option period instead of as a condition of contract award.

(4) Phase 4, full implementation. Begins one calendar year following the start date of Phase 3.
DoD will include CMMC Program requirements in all applicable DoD solicitations and contracts including option periods on contracts awarded prior to the beginning of Phase 4.

§ 170.4 Acronyms and definitions.

(a) Acronyms. Unless otherwise noted, the following acronyms and their terms are for the purposes of this part.

AC—Access Control
APT—Advanced Persistent Threat
AT—Awareness and Training
C3PAO—CMMC Third-Party Assessment Organization
CA—Security Assessment
CAICO—CMMC Assessors and Instructors Certification Organization
CAGE—Commercial and Government Entity
CCA—CMMC-Certified Assessor
CCI—CMMC-Certified Instructor
CCP—CMMC-Certified Professional
CFR—Code of Federal Regulations
CIO—Chief Information Officer
CM—Configuration Management
CMMC—Cybersecurity Maturity Model Certification
CMMC PMO—CMMC Program Management Office
CNC—Computerized Numerical Control
CoPC—Code of Professional Conduct
CSP—Cloud Service Provider
CUI—Controlled Unclassified Information
DCMA—Defense Contract Management Agency
DD—Represents any two-character CMMC Domain acronym
DFARS—Defense Federal Acquisition Regulation Supplement
DIB—Defense Industrial Base
DIBCAC—DCMA’s Defense Industrial Base Cybersecurity Assessment Center
DoD—Department of Defense
DoDI—Department of Defense Instruction
eMASS—Enterprise Mission Assurance Support Service
ESP—External Service Provider
FAR—Federal Acquisition Regulation
FCI—Federal Contract Information
FedRAMP—Federal Risk and Authorization Management Program
GFE—Government Furnished Equipment
IA—Identification and Authentication
ICS—Industrial Control System
IIoT—Industrial Internet of Things
IoT—Internet of Things
IR—Incident Response
IS—Information System
IEC—International Electrotechnical Commission
ISO/IEC—International Organization for Standardization/International Electrotechnical Commission
IT—Information Technology
L#—CMMC Level Number
MA—Maintenance
MP—Media Protection
MSSP—Managed Security Service Provider
NARA—National Archives and Records Administration
NAICS—North American Industry Classification System
NIST—National Institute of Standards and Technology
N/A—Not Applicable
ODP—Organization-Defined Parameter
OSA—Organization Seeking Assessment
OSC—Organization Seeking Certification
OT—Operational Technology
PI—Provisional Instructor
PIEE—Procurement Integrated Enterprise Environment
PII—Personally Identifiable Information
PLC—Programmable Logic Controller
POA&M—Plan of Action and Milestones
PRA—Paperwork Reduction Act
RM—Risk Management
SAM—System of Award Management
SC—System and Communications Protection
SCADA—Supervisory Control and Data Acquisition
SI—System and Information Integrity
SIEM—Security Information and Event Management
SP—Special Publication
SPD—Security Protection Data
SPRS—Supplier Performance Risk System
SSP—System Security Plan

(b) Definitions. Unless otherwise noted, these terms and their definitions are for the purposes of this part.

Access Control (AC) means the process of granting or denying specific requests to obtain and use information and related information processing services; and/or entry to specific physical facilities (e.g., Federal buildings, military establishments, or border crossing entrances), as defined in FIPS PUB 201–3 Jan2022 (incorporated by reference, see § 170.2).

Accreditation means a status pursuant to which a CMMC Assessment and Certification Ecosystem member (person or organization), having met all criteria for the specific role they perform including required ISO/IEC accreditations, may act in that role as set forth in § 170.8 for the Accreditation Body and § 170.9 for C3PAOs.
(CMMC-custom term)

Accreditation Body is defined in § 170.8 and means the one organization DoD contracts with to be responsible for authorizing and accrediting members of the CMMC Assessment and Certification Ecosystem, as required. The Accreditation Body must be approved by DoD. At any given point in time, there will be only one Accreditation Body for the DoD CMMC Program. (CMMC-custom term)

Advanced Persistent Threat (APT) means an adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat pursues its objectives repeatedly over an extended period of time, adapts to defenders’ efforts to resist it, and is determined to maintain the level of interaction needed to execute its objectives, as defined in NIST SP 800–39 Mar2011 (incorporated by reference, see § 170.2).

Affirming Official means the senior level representative from within each Organization Seeking Assessment (OSA) who is responsible for ensuring the OSA’s compliance with the CMMC Program requirements and has the authority to affirm the OSA’s continuing compliance with the specified security requirements for their respective organizations.
(CMMC-custom term)

Assessment means the testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization, as defined in §§ 170.15 through 170.18. (CMMC-custom term)

(i) Level 1 self-assessment is the term for the activity performed by an OSA to evaluate its own information system when seeking a CMMC Status of Level 1 (Self).

(ii) Level 2 self-assessment is the term for the activity performed by an OSA to evaluate its own information system when seeking a CMMC Status of Level 2 (Self).

(iii) Level 2 certification assessment is the term for the activity performed by a C3PAO to evaluate the information system of an OSC when seeking a CMMC Status of Level 2 (C3PAO).

(iv) Level 3 certification assessment is the term for the activity performed by the DCMA DIBCAC to evaluate the information system of an OSC when seeking a CMMC Status of Level 3 (DIBCAC).

(v) POA&M closeout self-assessment is the term for the activity performed by an OSA to evaluate only the NOT MET requirements that were identified with POA&M during the initial assessment, when seeking a CMMC Status of Final Level 2 (Self).

(vi) POA&M closeout certification assessment is the term for the activity performed by a C3PAO or DCMA DIBCAC to evaluate only the NOT MET requirements that were identified with POA&M during the initial assessment, when seeking a CMMC Status of Final Level 2 (C3PAO) or Final Level 3 (DIBCAC), respectively.

Assessment Findings Report means the final written assessment results by the third-party or government assessment team. The Assessment Findings Report is submitted to the OSC and to the DoD via CMMC eMASS. (CMMC-custom term)

Assessment objective means a set of determination statements that, taken together, expresses the desired outcome for the assessment of a security requirement.
Successful implementation of the corresponding CMMC security requirement requires meeting all applicable assessment objectives defined in NIST SP 800–171A Jun2018 (incorporated by reference, see § 170.2) or NIST SP 800–172A Mar2022 (incorporated by reference, see § 170.2). (CMMC-custom term)

Assessment Team means participants in the Level 2 certification assessment (CMMC Certified Assessors and CMMC Certified Professionals) or the Level 3 certification assessment (DCMA DIBCAC assessors). This does not include the OSC participants preparing for or participating in the assessment. (CMMC-custom term)

Asset means an item of value to stakeholders. An asset may be tangible (e.g., a physical item such as hardware, firmware, computing platform, network device, or other technology component) or intangible (e.g., humans, data, information, software, capability, function, service, trademark, copyright, patent, intellectual property, image, or reputation). The value of an asset is determined by stakeholders in consideration of loss concerns across the entire system life cycle. Such concerns include but are not limited to business or mission concerns, as defined in NIST SP 800–160 V2R1 (incorporated by reference, see § 170.2).

Asset Categories means a grouping of assets that process, store or transmit information of similar designation, or provide security protection to those assets. (CMMC-custom term)

Authentication is defined in FIPS PUB 200 Mar2006 (incorporated by reference, see § 170.2).

Authorized means an interim status during which a CMMC Ecosystem member (person or organization), having met all criteria for the specific role they perform other than the required ISO/IEC accreditations, may act in that role for a specified time as set forth in § 170.8 for the Accreditation Body and § 170.9 for C3PAOs.
(CMMC-custom term)

Capability means a combination of mutually reinforcing controls implemented by technical means, physical means, and procedural means. Such controls are typically selected to achieve a common information security or privacy purpose, as defined in NIST SP 800–37 R2 (incorporated by reference, see § 170.2).

Cloud Service Provider (CSP) means an external company that provides cloud services based on cloud computing. Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This definition is based on the definition for cloud computing in NIST SP 800–145 Sept2011. (CMMC-custom term)

CMMC Assessment and Certification Ecosystem means the people and organizations described in subpart C of this part. This term is sometimes shortened to CMMC Ecosystem. (CMMC-custom term)

CMMC Assessment Scope means the set of all assets in the OSA’s environment that will be assessed against CMMC security requirements. (CMMC-custom term)

CMMC Assessor and Instructor Certification Organization (CAICO) is defined in § 170.10 and means the organization responsible for training, testing, authorizing, certifying, and recertifying CMMC certified assessors, certified instructors, and certified professionals. (CMMC-custom term)

CMMC Instantiation of eMASS means a CMMC instance of the Enterprise Mission Assurance Support Service (eMASS), a government owned and operated system.
(CMMC-custom term)

CMMC Security Requirements means the 15 Level 1 requirements listed in the 48 CFR 52.204–21(b)(1), the 110 Level 2 requirements from NIST SP 800–171 R2 (incorporated by reference, see § 170.2), and the 24 Level 3 requirements selected from NIST SP 800–172 Feb2021 (incorporated by reference, see § 170.2).

CMMC Status is the result of meeting or exceeding the minimum required score for the corresponding assessment. The CMMC Status of an OSA information system is officially stored in SPRS and additionally presented on a Certificate of CMMC Status, if the assessment was conducted by a C3PAO or DCMA DIBCAC. The potential CMMC Statuses are outlined in the paragraphs that follow. (CMMC-custom term)

(i) Final Level 1 (Self) is defined in § 170.15(a)(1) and (c)(1). (CMMC-custom term)

(ii) Conditional Level 2 (Self) is defined in § 170.16(a)(1)(ii). (CMMC-custom term)

(iii) Final Level 2 (Self) is defined in § 170.16(a)(1)(iii). (CMMC-custom term)

(iv) Conditional Level 2 (C3PAO) is defined in § 170.17(a)(1)(ii). (CMMC-custom term)

(v) Final Level 2 (C3PAO) is defined in § 170.17(a)(1)(iii). (CMMC-custom term)

(vi) Conditional Level 3 (DIBCAC) is defined in § 170.18(a)(1)(ii). (CMMC-custom term)

(vii) Final Level 3 (DIBCAC) is defined in § 170.18(a)(1)(iii). (CMMC-custom term)

CMMC Status Date means the date that the CMMC Status results are submitted to SPRS or the CMMC instantiation of eMASS, as appropriate. The date of the Conditional CMMC Status will remain as the CMMC Status Date after a successful POA&M closeout. A new date is not set for a Final that follows a Conditional. (CMMC-custom term)

CMMC Third-Party Assessment Organization (C3PAO) means an organization that has been authorized or accredited by the Accreditation Body to conduct Level 2 certification assessments and has the roles and responsibilities identified in § 170.9. (CMMC-custom term)

Contractor is defined in 48 CFR 3.502–1.
Contractor Risk Managed Assets are defined in table 3 to § 170.19(c)(1). (CMMC-custom term)

Controlled Unclassified Information (CUI) is defined in 32 CFR 2002.4(h).

Controlled Unclassified Information (CUI) Assets means assets that can process, store, or transmit CUI. (CMMC-custom term)

DCMA DIBCAC High Assessment means an assessment that is conducted by Government personnel in accordance with NIST SP 800–171A Jun2018 and leveraging specific guidance in the DoD Assessment Methodology that:

(i) Consists of:

(A) A review of a contractor’s Basic Assessment;

(B) A thorough document review;

(C) Verification, examination, and demonstration of a contractor’s system security plan to validate that NIST SP 800–171 R2 security requirements have been implemented as described in the contractor’s system security plan; and

(D) Discussions with the contractor to obtain additional information or clarification, as needed; and

(ii) Results in a confidence level of ‘‘High’’ in the resulting score. (Source: 48 CFR 252.204–7020).

Defense Industrial Base (DIB) is defined in 32 CFR 236.2.

DoD Assessment Methodology (DoDAM) documents a standard methodology that enables a strategic assessment of a contractor’s implementation of NIST SP 800–171 R2, a requirement for compliance with 48 CFR 252.204–7012. (Source: DoDAM Version 1.2.1)

Enduring Exception means a special circumstance or system where remediation and full compliance with CMMC security requirements is not feasible. Examples include systems required to replicate the configuration of ‘fielded’ systems, medical devices, test equipment, OT, and IoT. No operational plan of action is required but the circumstance must be documented within a system security plan. Specialized Assets and GFE may be enduring exceptions.
(CMMC-custom term)

Enterprise means an organization with a defined mission/goal and a defined boundary, using information systems to execute that mission, and with responsibility for managing its own risks and performance. An enterprise may consist of all or some of the following business aspects: acquisition, program management, financial management (e.g., budgets), human resources, security, and information systems, information and mission management, as defined in NIST SP 800–53 R5 (incorporated by reference, see § 170.2).

External Service Provider (ESP) means external people, technology, or facilities that an organization utilizes for provision and management of IT and/or cybersecurity services on behalf of the organization. In the CMMC Program, CUI or Security Protection Data (e.g., log data, configuration data) must be processed, stored, or transmitted on the ESP assets to be considered an ESP. (CMMC-custom term)

Federal Contract Information (FCI) is defined in 48 CFR 4.1901.

Government Furnished Equipment (GFE) has the same meaning as ‘‘government-furnished property’’ as defined in 48 CFR 45.101.

Industrial Control Systems (ICS) means a general term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations that are often found in the industrial sectors and critical infrastructures, such as Programmable Logic Controllers (PLC). An ICS consists of combinations of control components (e.g., electrical, mechanical, hydraulic, pneumatic) that act together to achieve an industrial objective (e.g., manufacturing, transportation of matter or energy), as defined in NIST SP 800–82r3 (incorporated by reference, see § 170.2).

Information System (IS) is defined in NIST SP 800–171 R2 (incorporated by reference, see § 170.2).
Internet of Things (IoT) means the network of devices that contain the hardware, software, firmware, and actuators which allow the devices to connect, interact, and freely exchange data and information, as defined in NIST SP 800–172A Mar2022 (incorporated by reference, see § 170.2).

Operational plan of action as used in security requirement CA.L2–3.12.2, means the formal artifact which identifies temporary vulnerabilities and temporary deficiencies (e.g., necessary information system updates, patches, or reconfiguration as threats evolve) in implementation of requirements and documents how they will be mitigated, corrected, or eliminated. The OSA defines the format (e.g., document, spreadsheet, database) and specific content of its operational plan of action. An operational plan of action does not identify a timeline for remediation and is not the same as a POA&M, which is associated with an assessment for remediation of deficiencies that must be completed within 180 days. (CMMC-custom term)

Operational Technology (OT) means programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems or devices detect or cause a direct change through the monitoring or control of devices, processes, and events. Examples include industrial control systems, building management systems, fire control systems, and physical access control mechanisms, as defined in NIST SP 800–160 V2R1 (incorporated by reference, see § 170.2).

Organization-defined means as determined by the OSA except as defined in the case of Organization-Defined Parameter (ODP).
(CMMC-custom term)

Organization-Defined Parameters (ODPs) means selected enhanced security requirements contain selection and assignment operations to give organizations flexibility in defining variable parts of those requirements, as defined in NIST SP 800–172A Mar2022 (incorporated by reference, see § 170.2).

Note 1 to ODPs: The organization defining the parameters is the DoD.

Organization Seeking Assessment (OSA) means the entity seeking to undergo a self-assessment or certification assessment for a given information system for the purposes of achieving and maintaining any CMMC Status. The term OSA includes all Organizations Seeking Certification (OSCs). (CMMC-custom term)

Organization Seeking Certification (OSC) means the entity seeking to undergo a certification assessment for a given information system for the purposes of achieving and maintaining the CMMC Status of Level 2 (C3PAO) or Level 3 (DIBCAC). An OSC is also an OSA. (CMMC-custom term)

Out-of-Scope Assets means assets that cannot process, store, or transmit CUI because they are physically or logically separated from information systems that do process, store, or transmit CUI, or are inherently unable to do so; except for assets that provide security protection for a CUI asset (see the definition for Security Protection Assets). (CMMC-custom term)

Periodically means occurring at a regular interval as determined by the OSA that may not exceed one year. (CMMC-custom term)

Personally Identifiable Information means information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual, as defined in NIST SP 800–53 R5 (incorporated by reference, see § 170.2).

Plan of Action and Milestones (POA&M) means a document that identifies tasks needing to be accomplished.
It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones, as defined in NIST SP 800–115 Sept2008 (incorporated by reference, see § 170.2).

Prime Contractor is defined in 48 CFR 3.502–1.

Process, store, or transmit means data can be used by an asset (e.g., accessed, entered, edited, generated, manipulated, or printed); data is inactive or at rest on an asset (e.g., located on electronic media, in system component memory, or in physical format such as paper documents); or data is being transferred from one asset to another asset (e.g., data in transit using physical or digital transport methods). (CMMC-custom term)

Restricted Information Systems means systems (and associated IT components comprising the system) that are configured based on government requirements (e.g., connected to something that was required to support a functional requirement) and are used to support a contract (e.g., fielded systems, obsolete systems, and product deliverable replicas). (CMMC-custom term)

Risk means a measure of the extent to which an entity is threatened by a potential circumstance or event, and is typically a function of:

(i) The adverse impacts that would arise if the circumstance or event occurs; and

(ii) The likelihood of occurrence, as defined in NIST SP 800–53 R5 (incorporated by reference, see § 170.2).

Risk Assessment means the process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of a system. Risk Assessment is part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis, as defined in NIST SP 800–39 Mar2011 (incorporated by reference, see § 170.2).
Security Protection Assets (SPA) means assets providing security functions or capabilities for the OSA’s CMMC Assessment Scope. (CMMC-custom term)

Security Protection Data (SPD) means data stored or processed by Security Protection Assets (SPA) that are used to protect an OSC’s assessed environment. SPD is security relevant information and includes but is not limited to: configuration data required to operate an SPA, log files generated by or ingested by an SPA, data related to the configuration or vulnerability status of in-scope assets, and passwords that grant access to the in-scope environment. (CMMC-custom term)

Specialized Assets means types of assets considered specialized assets for CMMC: Government Furnished Equipment, Internet of Things (IoT) or Industrial Internet of Things (IIoT), Operational Technology (OT), Restricted Information Systems, and Test Equipment. (CMMC-custom term)

Subcontractor is defined in 48 CFR 3.502–1.

Supervisory Control and Data Acquisition (SCADA) means a generic name for a computerized system that is capable of gathering and processing data and applying operational controls over long distances. Typical uses include power transmission and distribution and pipeline systems. SCADA was designed for the unique communication challenges (e.g., delays, data integrity) posed by the various media that must be used, such as phone lines, microwave, and satellite. Usually shared rather than dedicated, as defined in NIST SP 800–82r3 (incorporated by reference, see § 170.2).

System Security Plan (SSP) means the formal document that provides an overview of the security requirements for an information system or an information security program and describes the security controls in place or planned for meeting those requirements.
The system security plan describes the system components that are included within the system, the environment in which the system operates, how the security requirements are implemented, and the relationships with or connections to other systems, as defined in NIST SP 800–53 R5 (incorporated by reference, see § 170.2).

Temporary deficiency means a condition where remediation of a discovered deficiency is feasible, and a known fix is available or is in process. The deficiency must be documented in an operational plan of action. A temporary deficiency is not based on an ‘in progress’ initial implementation of a CMMC security requirement but arises after implementation. A temporary deficiency may apply during the initial implementation of a security requirement if, during roll-out, specific issues with a very limited subset of equipment are discovered that must be separately addressed. There is no standard duration for which a temporary deficiency may be active. For example, FIPS-validated cryptography that requires a patch and the patched version is no longer the validated version may be a temporary deficiency. (CMMC-custom term)

Test Equipment means hardware and/or associated IT components used in the testing of products, system components, and contract deliverables. (CMMC-custom term)

User means an individual, or (system) process acting on behalf of an individual, authorized to access a system, as defined in NIST SP 800–53 R5 (incorporated by reference, see § 170.2).

§ 170.5 Policy.

(a) Protection of FCI and CUI on contractor information systems is of paramount importance to the DoD and can directly impact its ability to successfully conduct essential missions and functions.
It is DoD policy that defense contractors and subcontractors shall be required to safeguard FCI and CUI that is processed, stored, or transmitted on contractor information systems by applying specified security requirements. In addition, defense contractors and subcontractors may be required to implement additional safeguards defined in NIST SP 800–172 Feb2021 (incorporated by reference, see § 170.2), implementing DoD specified parameters to meet CMMC Level 3 security requirements (see table 1 to § 170.14(c)(4)). These additional requirements are necessary to protect CUI being processed, stored, or transmitted in contractor information systems, when designated by a requirement for CMMC Status of Level 3 (DIBCAC) as defined by a DoD program manager or requiring activity. In general, the Department will identify a requirement for a CMMC Status of Level 3 (DIBCAC) for solicitations and resulting contracts supporting its most critical programs and technologies.
(b) Program managers and requiring activities are responsible for identifying the CMMC Status that will apply to a procurement. Selection of the applicable CMMC Status will be based on factors including but not limited to:
(1) Criticality of the associated mission capability;
(2) Type of acquisition program or technology;
(3) Threat of loss of the FCI or CUI to be shared or generated in relation to the effort;
(4) Impacts from exploitation of information security deficiencies; and
(5) Other relevant policies and factors, including Milestone Decision Authority guidance.
(c) In accordance with the implementation plan described in § 170.3, CMMC Program requirements will apply to new DoD solicitations and contracts, and shall flow down to subcontractors who will process, store, or transmit FCI or CUI in performance of the subcontract, as described in § 170.23.
(d) In very limited circumstances, and in accordance with all applicable policies, procedures, and requirements, a Service Acquisition Executive or Component Acquisition Executive in the DoD, or as delegated, may elect to waive inclusion of CMMC Program requirements in a solicitation or contract. In such cases, contractors and subcontractors will remain obligated to comply with all applicable cybersecurity and information security requirements.
(e) The CMMC Program does not alter any separately applicable requirements to protect FCI or CUI, including those requirements in accordance with 48 CFR 52.204–21, Basic Safeguarding of Covered Contractor Information Systems, or covered defense information in accordance with 48 CFR 252.204–7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, or any other applicable information protection requirements. The CMMC Program provides a means of verifying implementation of the security requirements set forth in 48 CFR 52.204–21, NIST SP 800–171 R2, and NIST SP 800–172 Feb2021, as applicable.
Subpart B—Government Roles and Responsibilities.
§ 170.6 CMMC PMO.
(a) The Office of the Department of Defense Chief Information Officer (DoD CIO) Office of the Deputy CIO for Cybersecurity (DoD CIO(CS)) provides oversight of the CMMC Program and is responsible for establishing CMMC assessment, accreditation, and training requirements as well as developing and updating CMMC Program policies and implementing guidance.
(b) The CMMC PMO is responsible for monitoring the CMMC AB’s performance of roles assigned in this rule and acting as necessary to address problems pertaining to effective performance.
(c) The CMMC PMO retains, on behalf of the DoD CIO(CS), the prerogative to review decisions of the CMMC Accreditation Body as part of its oversight of the CMMC program and evaluate any alleged conflicts of interest purported to influence the CMMC Accreditation Body’s objectivity.
(d) The CMMC PMO is responsible for sponsoring necessary DCSA activities including FOCI risk assessment and Tier 3 security background investigations for the CMMC Ecosystem members as specified in §§ 170.8(b)(4) and (5), 170.9(b)(3) through (5), 170.11(b)(3) and (4), and 170.13(b)(3) and (4).
(e) The CMMC PMO is responsible for investigating and acting upon indications that an active CMMC Status has been called into question. Indications that may trigger investigative evaluations include, but are not limited to, reports from the CMMC Accreditation Body, a C3PAO, or anyone knowledgeable of the security processes and activities of the OSA. Investigative evaluations include, but are not limited to, reviewing pertinent assessment information, and exercising the right to conduct a DCMA DIBCAC assessment of the OSA, as provided for under the 48 CFR 252.204–7020.
(f) If a subsequent DCMA DIBCAC assessment shows that adherence to the provisions of this rule and the required CMMC Status have not been achieved or maintained, the DIBCAC results will take precedence over any pre-existing CMMC Status recorded in SPRS, or its successor capability. The DoD will update SPRS to reflect that the OSA is out of compliance and does not meet DoD CMMC requirements. If the OSA is working on an active contract requiring CMMC compliance, then standard contractual remedies will apply.
§ 170.7 DCMA DIBCAC.
(a) DCMA DIBCAC assessors in support of the CMMC Program will:
(1) Complete CMMC Level 2 and Level 3 training.
(2) Conduct Level 3 certification assessments and upload assessment results into the CMMC instantiation of eMASS, or its successor capability.
(3) Issue Certificates of CMMC Status resulting from Level 3 certification assessments.
(4) Conduct Level 2 certification assessments of the Accreditation Body and prospective C3PAOs’ information systems that process, store, and/or transmit CUI.
(5) Create and maintain a process for assessors to collect the list of assessment artifacts to include artifact names, their return value of the hashing algorithm, the hashing algorithm used, and upload that data into the CMMC instantiation of eMASS.
(6) As authorized and in accordance with all legal requirements, enter and track OSC appeals and updated results arising from Level 3 certification assessment activities into the CMMC instantiation of eMASS.
(7) Retain all records in accordance with DCMA–MAN 4501–04.
(8) Conduct an assessment of the OSA, when requested by the CMMC PMO per §§ 170.6(e) and (f), as provided for under the 48 CFR 252.204–7019 and 48 CFR 252.204–7020.
(9) Identify assessments that meet the criteria in § 170.20 and verify that SPRS accurately reflects the CMMC Status.
(b) An OSC, the CMMC AB, or a C3PAO may appeal the outcome of its DCMA DIBCAC conducted assessment within 21 days by submitting a written basis for appeal with the requirements in question for DCMA DIBCAC consideration. Appeals may be submitted for review by visiting www.dcma.mil/DIBCAC for contact information, and a DCMA DIBCAC Quality Assurance Review Team will provide a written response or request additional supporting documentation.
Subpart C—CMMC Assessment and Certification Ecosystem.
§ 170.8 Accreditation Body.
(a) Roles and responsibilities. The Accreditation Body is responsible for authorizing and ensuring the accreditation of CMMC Third-Party Assessment Organizations (C3PAOs) in accordance with ISO/IEC 17020:2012(E) (incorporated by reference, see § 170.2) and all applicable authorization and accreditation requirements set forth. The Accreditation Body is responsible for establishing the C3PAO authorization requirements and the C3PAO Accreditation Scheme and submitting both for approval by the CMMC PMO.
At any given point in time, there will be only one Accreditation Body for the DoD CMMC Program.
(b) Requirements. The CMMC Accreditation Body shall:
(1) Be US-based and be and remain a member in good standing of the Inter-American Accreditation Cooperation (IAAC) and become an International Laboratory Accreditation Cooperation (ILAC) Mutual Recognition Arrangement (MRA) signatory, with a signatory status scope of ISO/IEC 17020:2012(E) (incorporated by reference, see § 170.2).
(2) Be and remain a member in good standing of the International Accreditation Forum (IAF) with mutual recognition arrangement signatory status scope of ISO/IEC 17024:2012(E) (incorporated by reference, see § 170.2).
(3) Achieve and maintain full compliance with ISO/IEC 17011:2017(E) (incorporated by reference, see § 170.2) and complete a peer assessment by other ILAC signatories for competence in accrediting conformity assessment bodies to ISO/IEC 17020:2012(E) (incorporated by reference, see § 170.2), both within 24 months of DoD approval.
(i) Prior to achieving full compliance as set forth in this paragraph (b)(3), the Accreditation Body shall:
(A) Authorize C3PAOs who meet all requirements set forth in § 170.9 as well as administrative requirements as determined by the Accreditation Body to conduct Level 2 certification assessments and issue Certificates of CMMC Status to OSCs based on the assessment results.
(B) Require all C3PAOs to achieve and maintain the ISO/IEC 17020:2012(E) (incorporated by reference, see § 170.2) requirements within 27 months of authorization.
(ii) The Accreditation Body shall accredit C3PAOs, in accordance with ISO/IEC 17020:2012(E) (incorporated by reference, see § 170.2), who meet all requirements set forth in § 170.9 to conduct Level 2 certification assessments and issue Certificates of CMMC Status to OSCs based on the results.
(4) Ensure that the Accreditation Body’s Board of Directors, professional staff, Information Technology (IT) staff, accreditation staff, and independent CMMC Certified Assessor staff complete a Tier 3 background investigation resulting in a determination of national security eligibility. This Tier 3 background investigation will not result in a security clearance and is not being executed for the purpose of government employment. The Tier 3 background investigation is initiated using the Standard Form (SF) 86 (www.gsa.gov/reference/forms/questionnaire-for-national-security-positions) and submitted by DoD CIO Security to Washington Headquarters Services (WHS) for coordination for processing by the Defense Counterintelligence and Security Agency (DCSA). These positions are designated as non-critical sensitive with a risk designation of “Moderate Risk” in accordance with 5 CFR 1400.201(b) and (d) and the investigative requirements of 5 CFR 731.106(c)(2).
(5) Comply with Foreign Ownership, Control or Influence (FOCI) by:
(i) Completing the Standard Form (SF) 328 (www.gsa.gov/reference/forms/certificate-pertaining-to-foreign-interests), Certificate Pertaining to Foreign Interests, and submit it directly to Defense Counterintelligence and Security Agency (DCSA) and undergo a National Security Review with regards to the protection of controlled unclassified information based on the factors identified in 32 CFR 117.11(b) using the procedures outlined in 32 CFR 117.11(c). The Accreditation Body must receive a non-disqualifying eligibility determination by the CMMC PMO to be recognized by the Department of Defense.
(ii) Reporting any change to the information provided on its SF 328 by resubmitting the SF 328 to DCSA within 15 business days of the change being effective.
A disqualifying eligibility determination, based on the results of the change, will result in the Accreditation Body losing its authorization or accreditation under the CMMC Program.
(iii) Identifying all prospective C3PAOs to the CMMC PMO. The CMMC PMO will sponsor the prospective C3PAO for a FOCI risk assessment conducted by the DCSA using the SF 328 as part of the authorization and accreditation processes.
(iv) Notifying prospective C3PAOs of the CMMC PMO’s eligibility determination resulting from the FOCI risk assessment.
(6) Obtain a Level 2 certification assessment in accordance with the procedures specified in § 170.17(a)(1) and (c). This assessment, conducted by DCMA DIBCAC, shall meet all requirements for a Final Level 2 (C3PAO) but will not result in a CMMC Status of Level 2 (C3PAO). The Level 2 certification assessment process must be performed every three years.
(7) Provide all documentation and records in English.
(8) Establish, maintain, and manage an up-to-date list of authorized and accredited C3PAOs on a single publicly accessible website and provide the list of these entities and their status to the DoD through submission in the CMMC instantiation of eMASS.
(9) Provide the CMMC PMO with current data on C3PAOs, including authorization and accreditation records and status in the CMMC instantiation of eMASS. This data shall include the dates associated with the authorization and accreditation of each C3PAO.
(10) Provide the DoD with information about aggregate statistics pertaining to operations of the CMMC Ecosystem to include the authorization and accreditation status of C3PAOs or other information as requested.
(11) Provide inputs for assessor supplemental guidance to the CMMC PMO. Participate and support coordination of these and other inputs through DoD-led Working Groups.
(12) Ensure that all information about individuals is encrypted and protected in all Accreditation Body information systems and databases.
(13) Provide all plans that are related to potential sources of revenue, to include but not limited to: fees, licensing, processes, membership, and/or partnerships to the Department’s CMMC PMO.
(14) Ensure that the CMMC Assessors and Instructors Certification Organization (CAICO) is compliant with ISO/IEC 17024:2012(E).
(15) Ensure all training products, instruction, and testing materials are of high quality and subject to CAICO quality control policies and procedures, to include technical accuracy and alignment with all applicable legal, regulatory, and policy requirements.
(16) Develop and maintain an internal appeals process, as required by ISO/IEC 17020:2017(E), and render a final decision on all elevated appeals.
(17) Develop and maintain a comprehensive plan and schedule to comply with all ISO/IEC 17011:2017(E), and DoD requirements for Conflict of Interest, Code of Professional Conduct, and Ethics policies as set forth in the DoD contract. All policies shall apply to the Accreditation Body, and other individuals, entities, and groups within the CMMC Ecosystem who provide Level 2 certification assessments, CMMC instruction, CMMC training materials, or Certificates of CMMC Status on behalf of the Accreditation Body. All policies in this section must be approved by the CMMC PMO prior to effectivity in accordance with the following requirements.
(i) Conflict of Interest (CoI) policy. The CoI policy shall:
(A) Include a detailed risk mitigation plan for all potential conflicts of interest that may pose a risk to compliance with ISO/IEC 17011:2017(E).
(B) Require employees, Board directors, and members of any accreditation committees or appeals adjudication committees to disclose to the CMMC PMO, in writing, as soon as it is known or reasonably should be known, any actual, potential, or perceived conflict of interest with sufficient detail to allow for assessment.
(C) Require employees, Board directors, and members of any accreditation committees or appeals adjudication committees who leave the board or organization to enter a “cooling off period” of one (1) year whereby they are prohibited from working with the Accreditation Body or participating in any and all CMMC activities described in Subpart C.
(D) Require CMMC Ecosystem members to actively avoid participating in any activity, practice, or transaction that could result in an actual or perceived conflict of interest.
(E) Require CMMC Ecosystem members to disclose to Accreditation Body leadership, in writing, any actual or potential conflict of interest as soon as it is known, or reasonably should be known.
(ii) Code of Professional Conduct (CoPC) policy. The CoPC policy shall:
(A) Describe the performance standards by which the members of the CMMC Ecosystem will be held accountable and the procedures for addressing violations of those performance standards.
(B) Require the Accreditation Body to investigate and resolve any potential violations that are reported or are identified by the DoD.
(C) Require the Accreditation Body to inform the DoD in writing of new investigations within 72 hours.
(D) Require the Accreditation Body to report to the DoD in writing the outcome of completed investigations within 15 business days.
(E) Require CMMC Ecosystem members to represent themselves and their companies accurately; to include not misrepresenting any professional credentials or status, including CMMC authorization or CMMC Status, nor exaggerating the services that they or their company are capable or authorized to deliver.
(F) Require CMMC Ecosystem members to be honest and factual in all CMMC-related activities with colleagues, clients, trainees, and others with whom they interact.
(G) Prohibit CMMC Ecosystem members from participating in the Level 2 certification assessment process for an assessment in which they previously served as a consultant to prepare the organization for any CMMC assessment within 3 years.
(H) Require CMMC Ecosystem members to maintain the confidentiality of customer and government data to preclude unauthorized disclosure.
(I) Require CMMC Ecosystem members to report results and data from Level 2 certification assessments and training objectively, completely, clearly, and accurately.
(J) Prohibit CMMC Ecosystem members from cheating, assisting another in cheating, or allowing cheating on CMMC examinations.
(K) Require CMMC Ecosystem members to utilize official training content developed by a CMMC training organization approved by the CAICO in all CMMC certification courses.
(iii) Ethics policy. The Ethics policy shall:
(A) Require CMMC Ecosystem members to report to the Accreditation Body within 30 days of convictions, guilty pleas, or no contest pleas to crimes of fraud, larceny, embezzlement, misappropriation of funds, misrepresentation, perjury, false swearing, conspiracy to conceal, or a similar offense in any legal proceeding, civil or criminal, whether or not in connection with activities that relate to carrying out their role in the CMMC Ecosystem.
(B) Prohibit harassment or discrimination by CMMC Ecosystem members in all interactions with individuals whom they encounter in connection with their roles in the CMMC Ecosystem.
(C) Require CMMC Ecosystem members to have and maintain a satisfactory record of integrity and business ethics.
§ 170.9 CMMC Third-Party Assessment Organizations (C3PAOs).
(a) Roles and responsibilities. C3PAOs are organizations that are responsible for conducting Level 2 certification assessments and issuing Certificates of CMMC Status to OSCs based on the results. C3PAOs must be accredited or authorized by the Accreditation Body in accordance with the requirements set forth.
(b) Requirements. C3PAOs shall:
(1) Obtain authorization or accreditation from the Accreditation Body in accordance with § 170.8(b)(3)(i) and (ii).
(2) Comply with the Accreditation Body policies for Conflict of Interest, Code of Professional Conduct, and Ethics set forth in § 170.8(b)(17); and achieve and maintain compliance with ISO/IEC 17020:2012(E) (incorporated by reference, see § 170.2) within 27 months of authorization.
(3) Require all C3PAO company personnel participating in the Level 2 certification assessment process to complete a Tier 3 background investigation resulting in a determination of national security eligibility. This includes the CMMC Assessment Team and the quality assurance individual. This Tier 3 background investigation will not result in a security clearance and is not being executed for the purpose of government employment. The Tier 3 background investigation is initiated using the Standard Form (SF) 86 (www.gsa.gov/reference/forms/questionnaire-for-national-security-positions).
These positions are designated as non-critical sensitive with a risk designation of “Moderate Risk” in accordance with 5 CFR 1400.201(b) and (d) and the investigative requirements of 5 CFR 731.106(c)(2).
(4) Require all C3PAO company personnel participating in the Level 2 certification assessment process who are not eligible to obtain a Tier 3 background investigation to meet the equivalent of a favorably adjudicated Tier 3 background investigation. DoD will determine the Tier 3 background investigation equivalence for use with the CMMC Program only.
(5) Comply with Foreign Ownership, Control or Influence (FOCI) by:
(i) Completing and submitting Standard Form (SF) 328 (www.gsa.gov/reference/forms/certificate-pertaining-to-foreign-interests), Certificate Pertaining to Foreign Interests, upon request from DCSA and undergo a National Security Review with regards to the protection of controlled unclassified information based on the factors identified in 32 CFR 117.11(b) using the procedures outlined in 32 CFR 117.11(c).
(ii) Receiving a non-disqualifying eligibility determination from the CMMC PMO resulting from the FOCI risk assessment in order to proceed to a DCMA DIBCAC CMMC Level 2 assessment, as part of the authorization and accreditation process set forth in paragraph (b)(6) of this section.
(iii) Reporting any change to the information provided on its SF 328 by resubmitting the SF 328 to DCSA within 15 business days of the change being effective. A disqualifying eligibility determination, based on the results of the change, will result in the C3PAO losing its authorization or accreditation.
(6) Undergo a Level 2 certification assessment meeting all requirements for a Final Level 2 (C3PAO) in accordance with the procedures specified in § 170.17(a)(1) and (c), with the following exceptions:
(i) The assessment will be conducted by DCMA DIBCAC.
(ii) The assessment will not result in a CMMC Status of Level 2 (C3PAO) nor receive a Certificate of CMMC Status.
(7) Provide all documentation and records in English.
(8) Submit pre-assessment and planning material, final assessment reports, and CMMC certificates of assessment into the CMMC instantiation of eMASS.
(9) Unless disposition is otherwise authorized by the CMMC PMO, maintain all assessment related records for a period of six (6) years. Such records include any materials generated by the C3PAO in the course of an assessment, any working papers generated from Level 2 certification assessments; and materials relating to monitoring, education, training, technical knowledge, skills, experience, and authorization of all personnel involved in assessment activities; contractual agreements with OSCs; and organizations for whom consulting services were provided.
(10) Provide any requested audit information, including any out-of-cycle from ISO/IEC 17020:2012(E) requirements, to the Accreditation Body.
(11) Ensure that all personally identifiable information (PII) is encrypted and protected in all C3PAO information systems and databases.
(12) Meet the requirements for Assessment Team composition. An Assessment Team must include at least two people: a Lead CCA, as defined in § 170.11(b)(10), and at least one other CCA. Additional CCAs and CCPs may also participate on an Assessment Team.
(13) Implement a quality assurance function that ensures the accuracy and completeness of assessment data prior to upload into the CMMC instantiation of eMASS. Any individual fulfilling the quality assurance function must be a CCA and cannot be a member of an Assessment Team for which they are performing a quality assurance role.
A quality assurance individual shall manage the C3PAO’s quality assurance reviews as defined in paragraph (b)(14) of this section and the appeals process as required by paragraphs (b)(19) and (20) of this section and in accordance with ISO/IEC 17020:2012(E) (incorporated by reference, see § 170.2) and ISO/IEC 17011:2017(E) (incorporated by reference, see § 170.2).
(14) Conduct quality assurance reviews for each assessment, including observations of the Assessment Team’s conduct and management of CMMC assessment processes.
(15) Ensure that all Level 2 certification assessment activities are performed on the information system within the CMMC Assessment Scope.
(16) Maintain all facilities, personnel, and equipment involved in CMMC activities that are in scope of their Level 2 certification assessment and comply with all security requirements and procedures as prescribed by the Accreditation Body.
(17) Ensure that all assessment data and information uploaded into the CMMC instantiation of eMASS is compliant with the CMMC assessment data standard as set forth in eMASS CMMC Assessment Import Templates on the CMMC eMASS website: https://cmmc.emass.apps.mil. This system is accessible only to authorized users.
(18) Issue Certificates of CMMC Status to OSCs in accordance with the Level 2 certification assessment requirements set forth in § 170.17, that include, at a minimum, all industry CAGE codes associated with the information systems addressed by the CMMC Assessment Scope, the C3PAO name, assessment unique identifier, the OSC name, and the CMMC Status date and level.
(19) Address all OSC appeals arising from Level 2 certification assessment activities. If the OSC or C3PAO is not satisfied with the result of the appeal, either the OSC or the C3PAO can elevate the matter to the Accreditation Body for final determination.
(20) Submit assessment appeals, review records, and decision results of assessment appeals to DoD using the CMMC instantiation of eMASS.
§ 170.10 CMMC Assessor and Instructor Certification Organization (CAICO).
(a) Roles and responsibilities. The CAICO is responsible for training, testing, authorizing, certifying, and recertifying CMMC assessors, instructors, and related professionals. Only the CAICO may make decisions relating to examination certifications, including the granting, maintaining, recertifying, expanding, and reducing the scope of certification, and suspending or withdrawing certification in accordance with current ISO/IEC 17024:2012(E) (incorporated by reference, see § 170.2). At any given point in time, there will be only one CAICO for the DoD CMMC Program.
(b) Requirements. The CAICO shall:
(1) Comply with the Accreditation Body policies for Conflict of Interest, Code of Professional Conduct, and Ethics set forth in § 170.8(b)(17); and achieve and maintain ISO/IEC 17024(E) accreditation within 12 months of December 16, 2024.
(2) Provide all documentation and records in English.
(3) Train, test, and designate PIs in accordance with the requirements of this section. Train, test, certify, and recertify CCPs, CCAs, and CCIs in accordance with the requirements of this section.
(4) Ensure the instructor and assessor certification examinations are certified under ISO/IEC 17024:2012(E) (incorporated by reference, see § 170.2), by a recognized US-based accreditor who is not a member of the CMMC Accreditation Body.
The US-based accreditor must be a signatory to International Laboratory Accreditation Cooperation (ILAC) or relevant International Accreditation Forum (IAF) Mutual Recognition Arrangement (MRA) and must operate in accordance with ISO/IEC 17011:2017(E) (incorporated by reference, see § 170.2).
(5) Establish quality control policies and procedures for the generation of training products, instruction, and testing materials.
(6) Oversee development, administration, and management pertaining to the quality of training and examination materials for CMMC assessor and instructor certification and recertification.
(7) Establish and publish an authorization and certification appeals process to receive, evaluate, and make decisions on complaints and appeals in accordance with ISO/IEC 17024:2012(E) (incorporated by reference, see § 170.2).
(8) Address all appeals arising from the CCA, CCI, and CCP authorizations and certifications process through use of internal processes in accordance with ISO/IEC 17024:2012(E) (incorporated by reference, see § 170.2).
(9) Maintain records for a period of six (6) years of all procedures, processes, and actions related to fulfillment of the requirements set forth in this section and provide the Accreditation Body access to those records.
(10) Provide the Accreditation Body information about the authorization and accreditation status of assessors, instructors, training community, and publishing partners.
(11) Ensure separation of duties between individuals involved in testing activities, training activities, and certification activities.
(12) Safeguard and require any CAICO training support service providers, as applicable, to safeguard the confidentiality of applicant, candidate, and certificate-holder information and ensure the overall security of the certification process.
(13) Ensure that all PII is encrypted and protected in all CAICO information systems and databases and those of any CAICO training support service providers.
(14) Ensure the security of assessor and instructor examinations and the fair and credible administration of examinations.
(15) Neither disclose nor allow any CAICO training support service providers, as applicable, to disclose CMMC data or metrics related to authorization or certification activities to any entity other than the Accreditation Body and DoD, except as required by law.
(16) Require retraining and redesignation of PIs upon significant change to DoD’s CMMC Program requirements. Require retraining and recertification of CCPs, CCAs, and CCIs upon significant change to DoD’s CMMC Program requirements, as determined by the DoD or the CAICO.
(17) Require CMMC Ecosystem members to report to the CAICO within 30 days of convictions, guilty pleas, or no contest pleas to crimes of fraud, larceny, embezzlement, misappropriation of funds, misrepresentation, perjury, false swearing, conspiracy to conceal, or a similar offense in any legal proceeding, civil or criminal, whether or not in connection with activities that relate to carrying out their role in the CMMC Ecosystem.
§ 170.11 CMMC Certified Assessor (CCA).
(a) Roles and responsibilities. CCAs, in support of a C3PAO, conduct Level 2 certification assessments of OSCs in accordance with NIST SP 800–171A Jun2018 (incorporated by reference, see § 170.2), the assessment processes defined in § 170.17, and the scoping requirements defined in § 170.19(c). CCAs must meet all of the requirements set forth in paragraph (b) of this section. A CCA may conduct Level 2 certification assessments and participate on a C3PAO Assessment Team.
(b) Requirements. CCAs shall:
(1) Obtain and maintain certification from the CAICO in accordance with the requirements set forth in § 170.10. Certification is valid for 3 years from the date of issuance.
(2) Comply with the Accreditation Body policies for Conflict of Interest, Code of Professional Conduct, and Ethics set forth in § 170.8(b)(17).
(3) Complete a Tier 3 background investigation resulting in a determination of national security eligibility. This Tier 3 background investigation will not result in a security clearance and is not being executed for the purpose of government employment. The Tier 3 background investigation is initiated using the Standard Form (SF) 86 (www.gsa.gov/reference/forms/questionnaire-for-national-security-positions). These positions are designated as non-critical sensitive with a risk designation of “Moderate Risk” in accordance with 5 CFR 1400.201(b) and (d) and the investigative requirements of 5 CFR 731.106(c)(2).
(4) Meet the equivalent of a favorably adjudicated Tier 3 background investigation when not eligible for a Tier 3 background investigation. DoD will determine the Tier 3 background investigation equivalence for use with the CMMC Program only.
(5) Provide all documentation and records in English.
(6) Be a CCP who has at least 3 years of cybersecurity experience, at least 1 year of assessment or audit experience, and at least one foundational qualification, aligned to at least the Intermediate Proficiency Level of the DoD Cyberspace Workforce Framework’s Security Control Assessor (612) Work Role, from DoD Manual 8140.03, Cyberspace Workforce Qualification and Management Program (https://dodcio.defense.gov/Portals/0/Documents/Library/DoDM-8140-03.pdf). Information on the Work Role 612 can be found at https://public.cyber.mil/dcwf-work-role/security-control-assessor/.
(7) Only use IT, cloud, cybersecurity services, and end-point devices provided by the authorized/accredited C3PAO that has been engaged to perform that OSA’s Level 2 certification assessment and which has undergone a Level 2 certification assessment by DCMA DIBCAC (or higher) for all assessment activities.
Individual assessors are prohibited from using any other IT, including IT that is personally owned, to include internal and external cloud services and end-point devices, to process, store, or transmit CMMC assessment reports or any other CMMC assessment-related information. The evaluation of assessment evidence within the OSC environment, using OSC tools, is permitted.

(8) Immediately notify the responsible C3PAO of any breach or potential breach of security to any CMMC-related assessment materials under the assessors’ purview.

(9) Not share any information about an OSC obtained during CMMC pre-assessment and assessment activities with any person not involved with that specific assessment, except as otherwise required by law.

(10) Qualify as a Lead CCA by having at least 5 years of cybersecurity experience, 5 years of management experience, 3 years of assessment or audit experience, and at least one foundational qualification aligned to Advanced Proficiency Level of the DoD Cyberspace Workforce Framework’s Security Control Assessor (612) Work Role, from DoD Manual 8140.03, Cyberspace Workforce Qualification and Management Program (https://dodcio.defense.gov/Portals/0/Documents/Library/DoDM-8140-03.pdf). Information on the Work Role 612 can be found at https://public.cyber.mil/dcwf-work-role/security-control-assessor/.

§ 170.12 CMMC Instructor.

(a) CMMC Provisional Instructor (PI) roles and responsibilities. A CMMC Provisional Instructor (PI) teaches CCA and CCP candidates during the transitional period that ends 18 months after December 16, 2024. A PI is trained, tested, and designated to perform CMMC instructional duties by the CAICO to teach CCP and CCA candidates. PIs are designated by the CAICO after successful completion of the PI training and testing requirements set forth by the CAICO.
A PI with a valid CCP certification may instruct CCP candidates, while a PI with a valid CCA certification may instruct CCP and CCA candidates. PIs are required to meet the requirements in paragraph (c) of this section.

(b) CMMC Certified Instructor (CCI) roles and responsibilities. A CMMC Certified Instructor (CCI) teaches CCP, CCA, and CCI candidates and performs CMMC instructional duties. Candidate CCIs are certified by the CAICO after successful completion of the CCI training and testing requirements. A CCI is required to obtain and maintain assessor and instructor certifications from the CAICO in accordance with the requirements set forth in § 170.10 and in paragraph (c) of this section. A CCI with a valid CCP certification may instruct CCP candidates, while a CCI with a valid CCA certification may instruct CCP, CCA, and CCI candidates. Certifications are valid for 3 years from the date of issuance. CCIs are required to meet the requirements in paragraph (c) of this section.

(c) Requirements. CMMC Instructors shall:

(1) Obtain and maintain instructor designation or certification, as appropriate, from the CAICO in accordance with the requirements set forth in § 170.10.

(2) Obtain and maintain CCP or CCA certification to deliver CCP training.

(3) Obtain and maintain a CCA certification to deliver CCA training.

(4) Comply with the Accreditation Body policies for Conflict of Interest, Code of Professional Conduct, and Ethics set forth in § 170.8(b)(17).

(5) Provide all documentation and records in English.

(6) Provide the Accreditation Body and the CAICO annually with accurate information detailing their qualifications, training experience, professional affiliations, and certifications, and, upon reasonable request, submit documentation verifying this information.
(7) Not provide CMMC consulting services while serving as a CMMC instructor; however, subject to the Code of Professional Conduct and Conflict of Interest policies, may serve on an assessment team.

(8) Not participate in the development of exam objectives and/or exam content or act as an exam proctor while at the same time serving as a CCI.

(9) Keep confidential all information obtained or created during the performance of CMMC training activities, including trainee records, except as required by law.

(10) Not disclose any CMMC-related data or metrics that are PII, FCI, or CUI to anyone without prior coordination with and approval from DoD.

(11) Notify the Accreditation Body or the CAICO if required by law or authorized by contractual commitments to release confidential information.

(12) Not share with anyone any CMMC training-related information not previously publicly disclosed.

§ 170.13 CMMC Certified Professional (CCP).

(a) Roles and responsibilities. A CMMC Certified Professional (CCP) completes rigorous training on CMMC and the assessment process to provide advice, consulting, and recommendations to their OSA clients. Candidate CCPs are certified by the CAICO after successful completion of the CCP training and testing requirements set forth in paragraph (b) of this section. CCPs are eligible to become CMMC Certified Assessors and can participate as a CCP on Level 2 certification assessments with CCA oversight, where the CCA makes all final determinations.

(b) Requirements. CCPs shall:

(1) Obtain and maintain certification from the CAICO in accordance with the requirements set forth in § 170.10. Certification is valid for 3 years from the date of issuance.

(2) Comply with the Accreditation Body policies for Conflict of Interest, Code of Professional Conduct, and Ethics as set forth in § 170.8(b)(17).

(3) Complete a Tier 3 background investigation resulting in a determination of national security eligibility.
This Tier 3 background investigation will not result in a security clearance and is not being executed for the purpose of government employment. The Tier 3 background investigation is initiated using the Standard Form (SF) 86 (www.gsa.gov/reference/forms/questionnaire-for-national-security-positions). These positions are designated as non-critical sensitive with a risk designation of ‘‘Moderate Risk’’ in accordance with 5 CFR 1400.201(b) and (d) and the investigative requirements of 5 CFR 731.106(c)(2).

(4) Meet the equivalent of a favorably adjudicated Tier 3 background investigation when not eligible to obtain a Tier 3 background investigation. DoD will determine the Tier 3 background investigation equivalence for use with the CMMC Program only.

(5) Provide all documentation and records in English.

(6) Not share any information about an OSC obtained during CMMC pre-assessment and assessment activities with any person not involved with that specific assessment, except as otherwise required by law.

Subpart D—Key Elements of the CMMC Program

§ 170.14 CMMC Model.

(a) Overview. The CMMC Model incorporates the security requirements from:

(1) 48 CFR 52.204–21, Basic Safeguarding of Covered Contractor Information Systems;

(2) NIST SP 800–171 R2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (incorporated by reference, see § 170.2); and

(3) Selected security requirements from NIST SP 800–172 Feb2021, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800–171 (incorporated by reference, see § 170.2).

(b) CMMC domains. The CMMC Model consists of domains that map to the Security Requirement Families defined in NIST SP 800–171 R2 (incorporated by reference, see § 170.2).

(c) CMMC level requirements.
CMMC Levels 1–3 utilize the safeguarding requirements and security requirements specified in 48 CFR 52.204–21 (for Level 1), NIST SP 800–171 R2 (incorporated by reference, see § 170.2) (for Level 2), and selected security requirements from NIST SP 800–172 Feb2021 (incorporated by reference, see § 170.2) (for Level 3). This paragraph discusses the numbering scheme and the security requirements for each level.

(1) Numbering. Each security requirement has an identification number in the format DD.L#-REQ, where:

(i) DD is the two-letter domain abbreviation;

(ii) L# is the CMMC level number; and

(iii) REQ is the 48 CFR 52.204–21 paragraph number, NIST SP 800–171 R2 requirement number, or NIST SP 800–172 Feb2021 requirement number.

(2) CMMC Level 1 security requirements. The security requirements in CMMC Level 1 are those set forth in 48 CFR 52.204–21(b)(1)(i) through (xv).

(3) CMMC Level 2 security requirements. The security requirements in CMMC Level 2 are identical to the requirements in NIST SP 800–171 R2.

(4) CMMC Level 3 security requirements. The security requirements in CMMC Level 3 are selected from NIST SP 800–172 Feb2021, and where applicable, Organization-Defined Parameters (ODPs) are assigned. Table 1 to this paragraph identifies the selected requirements and applicable ODPs that represent the CMMC Level 3 security requirements. ODPs for the NIST SP 800–172 Feb2021 requirements are italicized, where applicable:

TABLE 1 TO § 170.14(c)(4)

Security requirement No.* | CMMC Level 3 security requirements (selected NIST SP 800–172 Feb2021 security requirement with DoD ODPs italicized)

(i) AC.L3–3.1.2e ......... Restrict access to systems and system components to only those information resources that are owned, provisioned, or issued by the organization.

(ii) AC.L3–3.1.3e ........ Employ secure information transfer solutions to control information flows between security domains on connected systems.

(iii) AT.L3–3.2.1e ....... Provide awareness training upon initial hire, following a significant cyber event, and at least annually, focused on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.

(iv) AT.L3–3.2.2e ........ Include practical exercises in awareness training for all users, tailored by roles, to include general users, users with specialized roles, and privileged users, that are aligned with current threat scenarios and provide feedback to individuals involved in the training and their supervisors.

(v) CM.L3–3.4.1e ......... Establish and maintain an authoritative source and repository to provide a trusted source and accountability for approved and implemented system components.

(vi) CM.L3–3.4.2e ........ Employ automated mechanisms to detect misconfigured or unauthorized system components; after detection, remove the components or place the components in a quarantine or remediation network to facilitate patching, re-configuration, or other mitigations.

(vii) CM.L3–3.4.3e ....... Employ automated discovery and management tools to maintain an up-to-date, complete, accurate, and readily available inventory of system components.

(viii) IA.L3–3.5.1e ...... Identify and authenticate systems and system components, where possible, before establishing a network connection using bidirectional authentication that is cryptographically based and replay resistant.

(ix) IA.L3–3.5.3e ........ Employ automated or manual/procedural mechanisms to prohibit system components from connecting to organizational systems unless the components are known, authenticated, in a properly configured state, or in a trust profile.

(x) IR.L3–3.6.1e ......... Establish and maintain a security operations center capability that operates 24/7, with allowance for remote/on-call staff.

(xi) IR.L3–3.6.2e ........ Establish and maintain a cyber-incident response team that can be deployed by the organization within 24 hours.

(xii) PS.L3–3.9.2e ....... Ensure that organizational systems are protected if adverse information develops or is obtained about individuals with access to CUI.

(xiii) RA.L3–3.11.1e ..... Employ threat intelligence, at a minimum from open or commercial sources, and any DoD-provided sources, as part of a risk assessment to guide and inform the development of organizational systems, security architectures, selection of security solutions, monitoring, threat hunting, and response and recovery activities.

(xiv) RA.L3–3.11.2e ...... Conduct cyber threat hunting activities on an on-going aperiodic basis or when indications warrant, to search for indicators of compromise in organizational systems and detect, track, and disrupt threats that evade existing controls.

(xv) RA.L3–3.11.3e ....... Employ advanced automation and analytics capabilities in support of analysts to predict and identify risks to organizations, systems, and system components.

(xvi) RA.L3–3.11.4e ...... Document or reference in the system security plan the security solution selected, the rationale for the security solution, and the risk determination.

(xvii) RA.L3–3.11.5e ..... Assess the effectiveness of security solutions at least annually or upon receipt of relevant cyber threat information, or in response to a relevant cyber incident, to address anticipated risk to organizational systems and the organization based on current and accumulated threat intelligence.

(xviii) RA.L3–3.11.6e .... Assess, respond to, and monitor supply chain risks associated with organizational systems and system components.

(xix) RA.L3–3.11.7e ...... Develop a plan for managing supply chain risks associated with organizational systems and system components; update the plan at least annually, and upon receipt of relevant cyber threat information, or in response to a relevant cyber incident.

(xx) CA.L3–3.12.1e ....... Conduct penetration testing at least annually or when significant security changes are made to the system, leveraging automated scanning tools and ad hoc tests using subject matter experts.

(xxi) SC.L3–3.13.4e ...... Employ physical isolation techniques or logical isolation techniques or both in organizational systems and system components.

(xxii) SI.L3–3.14.1e ..... Verify the integrity of security critical and essential software using root of trust mechanisms or cryptographic signatures.

(xxiii) SI.L3–3.14.3e .... Ensure that specialized assets including IoT, IIoT, OT, GFE, Restricted Information Systems, and test equipment are included in the scope of the specified enhanced security requirements or are segregated in purpose-specific networks.

(xxiv) SI.L3–3.14.6e ..... Use threat indicator information and effective mitigations obtained from, at a minimum, open or commercial sources, and any DoD-provided sources, to guide and inform intrusion detection and threat hunting.

* Roman numerals in parentheses before the Security Requirement are for numbering purposes only. The numerals are not part of the naming convention for the requirement.

(d) Implementation.
Assessment of security requirements is prescribed by NIST SP 800–171A Jun2018 (incorporated by reference, see § 170.2) and NIST SP 800–172A Mar2022 (incorporated by reference, see § 170.2). Descriptive text in these documents supports OSA implementation of the security requirements and uses the terms organization-defined and periodically. Except where referring to Organization-Defined Parameters (ODPs), organization-defined means as determined by the OSA. Periodically means occurring at regular intervals. As used in many requirements within CMMC, the interval length is organization-defined to provide contractor flexibility, with an interval length of no more than one year.

§ 170.15 CMMC Level 1 self-assessment and affirmation requirements.

(a) Level 1 self-assessment. To comply with CMMC Level 1 self-assessment requirements, the OSA must meet the requirements detailed in paragraphs (a)(1) and (2) of this section. An OSA conducts a Level 1 self-assessment as detailed in paragraph (c) of this section to achieve a CMMC Status of Final Level 1 (Self).

(1) Level 1 self-assessment requirements. The OSA must complete and achieve a MET result for all security requirements specified in § 170.14(c)(2) to achieve the CMMC Status of Final Level 1 (Self). No POA&Ms are permitted for CMMC Level 1. The OSA must conduct a self-assessment in accordance with the procedures set forth in § 170.15(c)(1) and submit assessment results in SPRS. To maintain compliance with the requirements for the CMMC Status of Final Level 1 (Self), the OSA must conduct a Level 1 self-assessment on an annual basis and submit the results in SPRS, or its successor capability.

(i) Inputs to SPRS. The Level 1 self-assessment results in the Supplier Performance Risk System (SPRS) shall include, at minimum, the following items:

(A) CMMC Level.

(B) CMMC Status Date.

(C) CMMC Assessment Scope.

(D) All industry CAGE code(s) associated with the information system(s) addressed by the CMMC Assessment Scope.
(E) Compliance result.

(ii) [Reserved]

(2) Affirmation. Affirmation of the Level 1 (Self) CMMC Status is required for all Level 1 self-assessments. Affirmation procedures are set forth in § 170.22.

(b) Contract eligibility. Prior to award of any contract or subcontract with a requirement for the CMMC Status of Level 1 (Self), OSAs must both achieve a CMMC Status of Level 1 (Self) and have submitted an affirmation of compliance into SPRS for all information systems within the CMMC Assessment Scope.

(c) Procedures—(1) Level 1 self-assessment. The OSA must conduct a Level 1 self-assessment scored in accordance with the CMMC Scoring Methodology described in § 170.24. The Level 1 self-assessment must be performed in accordance with the CMMC Level 1 scope requirements set forth in § 170.19(a) and (b) and the following:

(i) The Level 1 self-assessment must be performed using the objectives defined in NIST SP 800–171A Jun2018 (incorporated by reference, see § 170.2) for the security requirement that maps to the CMMC Level 1 security requirement as specified in table 1 to paragraph (c)(1)(ii) of this section. In any case where an objective addresses CUI, FCI should be substituted for CUI in the objective.

(ii) Mapping table for CMMC Level 1 security requirements to the NIST SP 800–171A Jun2018 objectives.

TABLE 2 TO § 170.15(c)(1)(ii)—CMMC LEVEL 1 SECURITY REQUIREMENTS MAPPED TO NIST SP 800–171A JUN2018

CMMC Level 1 security requirements as set forth in § 170.14(c)(2) | NIST SP 800–171A Jun2018

AC.L1–b.1.i ....................................... 3.1.1
AC.L1–b.1.ii ...................................... 3.1.2
AC.L1–b.1.iii ..................................... 3.1.20
AC.L1–b.1.iv ...................................... 3.1.22
IA.L1–b.1.v ....................................... 3.5.1
IA.L1–b.1.vi ...................................... 3.5.2
MP.L1–b.1.vii ..................................... 3.8.3
PE.L1–b.1.viii .................................... 3.10.1
First phrase of PE.L1–b.1.ix (FAR b.1.ix *) ....... 3.10.3
Second phrase of PE.L1–b.1.ix (FAR b.1.ix *) ...... 3.10.4
Third phrase of PE.L1–b.1.ix (FAR b.1.ix *) ....... 3.10.5
SC.L1–b.1.x ....................................... 3.13.1
SC.L1–b.1.xi ...................................... 3.13.5
SI.L1–b.1.xii ..................................... 3.14.1
SI.L1–b.1.xiii .................................... 3.14.2
SI.L1–b.1.xiv ..................................... 3.14.4
SI.L1–b.1.xv ...................................... 3.14.5

* Three of the 48 CFR 52.204–21 requirements were broken apart by ‘‘phrase’’ when NIST SP 800–171 R2 was developed.

(iii) Additional guidance can be found in the guidance document listed in paragraph (b) of appendix A to this part.

(2) Artifact retention. The artifacts used as evidence for the assessment must be retained by the OSA for six (6) years from the CMMC Status Date.

§ 170.16 CMMC Level 2 self-assessment and affirmation requirements.

(a) Level 2 self-assessment. To comply with Level 2 self-assessment requirements, the OSA must meet the requirements detailed in paragraphs (a)(1) and (2) of this section. An OSA conducts a Level 2 self-assessment as detailed in paragraph (c) of this section to achieve a CMMC Status of either Conditional or Final Level 2 (Self). Achieving a CMMC Status of Level 2 (Self) also satisfies the requirements for a CMMC Status of Level 1 (Self) detailed in § 170.15 for the same CMMC Assessment Scope.

(1) Level 2 self-assessment requirements.
The OSA must complete and achieve a MET result for all security requirements specified in § 170.14(c)(3) to achieve the CMMC Status of Level 2 (Self). The OSA must conduct a self-assessment in accordance with the procedures set forth in paragraph (c)(1) of this section and submit assessment results in Supplier Performance Risk System (SPRS). To maintain compliance with the requirements for a CMMC Status of Level 2 (Self), the OSA must conduct a Level 2 self-assessment every three years and submit the results in SPRS, within three years of the CMMC Status Date associated with the Conditional Level 2 (Self).

(i) Inputs to SPRS. The Level 2 self-assessment results in the SPRS shall include, at minimum, the following information:

(A) CMMC Level.

(B) CMMC Status Date.

(C) CMMC Assessment Scope.

(D) All industry CAGE code(s) associated with the information system(s) addressed by the CMMC Assessment Scope.

(E) Overall Level 2 self-assessment score (e.g., 105 out of 110).

(F) POA&M usage and compliance status, if applicable.

(ii) Conditional Level 2 (Self). The OSA has achieved the CMMC Status of Conditional Level 2 (Self) if the Level 2 self-assessment results in a POA&M and the POA&M meets all the CMMC Level 2 POA&M requirements listed in § 170.21(a)(2).

(A) Plan of Action and Milestones. A Level 2 POA&M is allowed only in accordance with the CMMC POA&M requirements listed in § 170.21.

(B) POA&M closeout. The OSA must remediate any NOT MET requirements, must perform a POA&M closeout self-assessment, and must post compliance results to SPRS within 180 days of the CMMC Status Date associated with the Conditional Level 2 (Self). If the POA&M is not successfully closed out within the 180-day timeframe, the Conditional Level 2 (Self) CMMC Status for the information system will expire.
If Conditional Level 2 (Self) CMMC Status expires within the period of performance of a contract, standard contractual remedies will apply, and the OSA will be ineligible for additional awards with a requirement for the CMMC Status of Level 2 (Self), or higher requirement, for the information system within the CMMC Assessment Scope until such time as a new CMMC Status is achieved.

(iii) Final Level 2 (Self). The OSA has achieved the CMMC Status of Final Level 2 (Self) if the Level 2 self-assessment results in a passing score as defined in § 170.24. This score may be achieved upon initial self-assessment or as the result of a POA&M closeout self-assessment, as applicable.

(iv) CMMC Status investigation. The DoD reserves the right to conduct a DCMA DIBCAC assessment of the OSA, as provided for under 48 CFR 252.204–7020. If the investigative results of a subsequent DCMA DIBCAC assessment show that adherence to the provisions of this part has not been achieved or maintained, these DCMA DIBCAC results will take precedence over any pre-existing CMMC Status. At that time, standard contractual remedies will be available and the OSA will be ineligible for additional awards with a CMMC Status requirement of Level 2 (Self), or higher requirement, for the information system within the CMMC Assessment Scope until such time as a new CMMC Status is achieved.

(2) Affirmation. Affirmation of the Level 2 (Self) CMMC Status is required for all Level 2 self-assessments at the time of each assessment, and annually thereafter. Affirmation procedures are set forth in § 170.22.

(b) Contract eligibility. Prior to award of any contract or subcontract with a requirement for the CMMC Status of Level 2 (Self), the following two requirements must be met:

(1) The OSA must achieve, as specified in paragraph (a)(1) of this section, a CMMC Status of either Conditional Level 2 (Self) or Final Level 2 (Self).
(2) The OSA must submit an affirmation of compliance into SPRS, as specified in paragraph (a)(2) of this section.

(c) Procedures—(1) Level 2 self-assessment of the OSA. The OSA must conduct a Level 2 self-assessment in accordance with NIST SP 800–171A Jun2018 (incorporated by reference, see § 170.2) and the CMMC Level 2 scoping requirements set forth in § 170.19(a) and (c) for the information systems within the CMMC Assessment Scope. The Level 2 self-assessment must be scored in accordance with the CMMC Scoring Methodology described in § 170.24 and the OSA must upload the results into SPRS. If a POA&M exists, a POA&M closeout self-assessment must be performed by the OSA when all NOT MET requirements have been remediated. The POA&M closeout self-assessment must be performed within 180 days of the Conditional CMMC Status Date. Additional guidance can be found in the guidance document listed in paragraph (c) of appendix A to this part.

(2) Level 2 self-assessment with the use of a Cloud Service Provider (CSP). An OSA may use a cloud environment to process, store, or transmit CUI in performance of a contract or subcontract with a requirement for the CMMC Status of Level 2 (Self) under the following circumstances:

(i) The CSP product or service offering is FedRAMP Authorized at the FedRAMP Moderate (or higher) baseline in accordance with the FedRAMP Marketplace; or

(ii) The CSP product or service offering is not FedRAMP Authorized at the FedRAMP Moderate (or higher) baseline but meets security requirements equivalent to those established by the FedRAMP Moderate (or higher) baseline. FedRAMP Moderate or FedRAMP Moderate equivalent is in accordance with DoD Policy.

(iii) In accordance with § 170.19(c)(2), the OSA’s on-premises infrastructure connecting to the CSP’s product or service offering is part of the CMMC Assessment Scope, which will also be assessed.
As such, the security requirements from the Customer Responsibility Matrix (CRM) must be documented or referred to in the OSA’s System Security Plan (SSP).

(3) Level 2 self-assessment with the use of an External Service Provider (ESP), not a CSP. An OSA may use an ESP that is not a CSP to process, store, or transmit CUI in performance of a contract or subcontract with a requirement for the CMMC Status of Level 2 (Self) under the following circumstances:

(i) The use of the ESP, its relationship to the OSA, and the services provided are documented in the OSA’s SSP and described in the ESP’s service description and CRM.

(ii) The ESP services used to meet OSA requirements are assessed within the scope of the OSA’s assessment against all Level 2 security requirements.

(iii) In accordance with § 170.19(c)(2), the OSA’s on-premises infrastructure connecting to the ESP’s product or service offering is part of the CMMC Assessment Scope, which will also be assessed. As such, the security requirements from the CRM must be documented or referred to in the OSA’s SSP.

(4) Artifact retention. The artifacts used as evidence for the assessment must be retained by the OSA for six (6) years from the CMMC Status Date.

§ 170.17 CMMC Level 2 certification assessment and affirmation requirements.

(a) Level 2 certification assessment. To comply with Level 2 certification assessment requirements, the OSC must meet the requirements set forth in paragraphs (a)(1) and (2) of this section. An OSC undergoes a Level 2 certification assessment as detailed in paragraph (c) of this section to achieve a CMMC Status of either Conditional or Final Level 2 (C3PAO). Achieving a CMMC Status of Level 2 (C3PAO) also satisfies the requirements for the CMMC Statuses of Level 1 (Self) and Level 2 (Self) set forth in §§ 170.15 and 170.16 respectively for the same CMMC Assessment Scope.

(1) Level 2 certification assessment requirements. The OSC must complete and achieve a MET result for all security requirements specified in § 170.14(c)(3) to achieve the CMMC Status of Level 2 (C3PAO). The OSC must obtain a Level 2 certification assessment from an authorized or accredited C3PAO following the procedures outlined in paragraph (c) of this section. The C3PAO must submit the Level 2 certification assessment results into the CMMC instantiation of eMASS, which then provides automated transmission to SPRS. To maintain compliance with the requirements for a CMMC Status of Level 2 (C3PAO), the Level 2 certification assessment must be completed within three years of the CMMC Status Date associated with the Conditional Level 2 (C3PAO).

(i) Inputs into the CMMC instantiation of eMASS. The Level 2 certification assessment results input into the CMMC instantiation of eMASS shall include, at minimum, the following information:

(A) Date and level of the assessment.

(B) C3PAO name.

(C) Assessment unique identifier.

(D) For each Assessor conducting the assessment, name and business contact information.

(E) All industry CAGE codes associated with the information systems addressed by the CMMC Assessment Scope.

(F) The name, date, and version of the SSP.

(G) CMMC Status Date.

(H) Assessment result for each requirement objective.

(I) POA&M usage and compliance, as applicable.

(J) List of the artifact names, the return value of the hashing algorithm, and the hashing algorithm used.

(ii) Conditional Level 2 (C3PAO). The OSC has achieved the CMMC Status of Conditional Level 2 (C3PAO) if the Level 2 certification assessment results in a POA&M and the POA&M meets all CMMC Level 2 POA&M requirements listed in § 170.21(a)(2).
(A) Plan of Action and Milestones. A Level 2 POA&M is allowed only in accordance with the CMMC POA&M requirements listed in § 170.21.
(B) POA&M closeout. The OSC must remediate any NOT MET requirements, must undergo a POA&M closeout certification assessment from a C3PAO, and the C3PAO must post compliance results into the CMMC instantiation of eMASS within 180 days of the CMMC Status Date associated with the Conditional Level 2 (C3PAO). If the POA&M is not successfully closed out within the 180-day timeframe, the Conditional Level 2 (C3PAO) CMMC Status for the information system will expire. If Conditional Level 2 (C3PAO) CMMC Status expires within the period of performance of a contract, standard contractual remedies will apply, and the OSC will be ineligible for additional awards with a requirement for the CMMC Status of Level 2 (C3PAO), or higher requirement, for the information system within the CMMC Assessment Scope until such time as a new CMMC Status is achieved.
(iii) Final Level 2 (C3PAO). The OSC has achieved the CMMC Status of Final Level 2 (C3PAO) if the Level 2 certification assessment results in a passing score as defined in § 170.24. This score may be achieved upon initial certification assessment or as the result of a POA&M closeout certification assessment, as applicable.
(iv) CMMC Status investigation. The DoD reserves the right to conduct a DCMA DIBCAC assessment of the OSC, as provided for under 48 CFR 252.204–7020. If the investigative results of a subsequent DCMA DIBCAC assessment show that adherence to the provisions of this part has not been achieved or maintained, these DCMA DIBCAC results will take precedence over any pre-existing CMMC Status.
At that time, standard contractual remedies will be available and the OSC will be ineligible for additional awards with a CMMC Status requirement of Level 2 (C3PAO), or higher requirement, for the information system within the CMMC Assessment Scope until such time as a new CMMC Status is achieved.
(2) Affirmation. Affirmation of the Level 2 (C3PAO) CMMC Status is required for all Level 2 certification assessments at the time of each assessment, and annually thereafter. Affirmation procedures are provided in § 170.22.

(b) Contract eligibility. Prior to award of any contract or subcontract with a requirement for the CMMC Status of Level 2 (C3PAO), the following two requirements must be met:
(1) The OSC must achieve, as specified in paragraph (a)(1) of this section, a CMMC Status of either Conditional Level 2 (C3PAO) or Final Level 2 (C3PAO).
(2) The OSC must submit an affirmation of compliance into SPRS, as specified in paragraph (a)(2) of this section.

(c) Procedures—(1) Level 2 certification assessment of the OSC. An authorized or accredited C3PAO must perform a Level 2 certification assessment in accordance with NIST SP 800–171A Jun2018 (incorporated by reference, see § 170.2) and the CMMC Level 2 scoping requirements set forth in § 170.19(a) and (c) for the information systems within the CMMC Assessment Scope. The Level 2 certification assessment must be scored in accordance with the CMMC Scoring Methodology described in § 170.24 and the C3PAO must upload the results into the CMMC instantiation of eMASS. Final results are communicated to the OSC through a CMMC Assessment Findings Report.
(2) Security requirement reevaluation.
A security requirement that is NOT MET (as defined in § 170.24) may be re-evaluated during the course of the Level 2 certification assessment and for 10 business days following the active assessment period if all of the following conditions exist:
(i) Additional evidence is available to demonstrate the security requirement has been MET;
(ii) The re-evaluation does not change or limit the effectiveness of other requirements that have been scored MET; and
(iii) The CMMC Assessment Findings Report has not been delivered.
(3) POA&M. If a POA&M exists, a POA&M closeout certification assessment must be performed by a C3PAO within 180 days of the Conditional CMMC Status Date. Additional guidance can be found in § 170.21 and in the guidance document listed in paragraph (c) of appendix A to this part.
(4) Artifact retention and integrity. The hashed artifacts used as evidence for the assessment must be retained by the OSC for six (6) years from the CMMC Status Date. To ensure that the artifacts have not been altered, the OSC must hash the artifact files using a NIST-approved hashing algorithm. The OSC must provide the C3PAO with a list of the artifact names, the return value of the hashing algorithm, and the hashing algorithm for upload into the CMMC instantiation of eMASS. Additional guidance for hashing artifacts can be found in the guidance document listed in paragraph (h) of appendix A to this part.
(5) Level 2 certification assessment with the use of a Cloud Service Provider (CSP). An OSC may use a cloud environment to process, store, or transmit CUI in performance of a contract or subcontract with a requirement for the CMMC Status of Level 2 (C3PAO) under the following circumstances:
(i) The CSP product or service offering is FedRAMP Authorized at the FedRAMP Moderate (or higher) baseline in accordance with the FedRAMP Marketplace; or
(ii) The CSP product or service offering is not FedRAMP Authorized at the FedRAMP Moderate (or higher) baseline but meets security requirements equivalent to those established by the FedRAMP Moderate (or higher) baseline. FedRAMP Moderate or FedRAMP Moderate equivalent is in accordance with DoD Policy.
(iii) In accordance with § 170.19(c)(2), the OSC's on-premises infrastructure connecting to the CSP's product or service offering is part of the CMMC Assessment Scope. As such, the security requirements from the CRM must be documented or referred to in the OSC's SSP.
(6) Level 2 certification assessment with the use of an External Service Provider (ESP), not a CSP. An OSA may use an ESP that is not a CSP to process, store, or transmit CUI in performance of a contract or subcontract with a requirement for the CMMC Status of Level 2 (C3PAO) under the following circumstances:
(i) The use of the ESP, its relationship to the OSA, and the services provided are documented in the OSA's SSP and described in the ESP's service description and customer responsibility matrix.
(ii) The ESP services used to meet OSA requirements are assessed within the scope of the OSA's assessment against all Level 2 security requirements.
(iii) In accordance with § 170.19(c)(2), the OSA's on-premises infrastructure connecting to the ESP's product or service offering is part of the CMMC Assessment Scope, which will also be assessed. As such, the security requirements from the CRM must be documented or referred to in the OSA's SSP.

§ 170.18 CMMC Level 3 certification assessment and affirmation requirements.

(a) Level 3 certification assessment. To comply with Level 3 certification assessment requirements, the OSC must meet the requirements set forth in paragraphs (a)(1) and (2) of this section.
An OSC undergoes a Level 3 certification assessment as detailed in paragraph (c) of this section to achieve a CMMC Status of either Conditional or Final Level 3 (DIBCAC). A CMMC Status of Final Level 2 (C3PAO) for information systems within the Level 3 CMMC Assessment Scope is a prerequisite to undergo a Level 3 certification assessment. CMMC Level 3 recertification also has a prerequisite of a new CMMC Level 2 assessment. Achieving a CMMC Status of Level 3 (DIBCAC) also satisfies the requirements for the CMMC Statuses of Level 1 (Self), Level 2 (Self), and Level 2 (C3PAO) set forth in §§ 170.15 through 170.17 respectively for the same CMMC Assessment Scope.

(1) Level 3 certification assessment requirements. The OSC must achieve a CMMC Status of Final Level 2 (C3PAO) on the Level 3 CMMC Assessment Scope, as defined in § 170.19(d), prior to initiating a Level 3 certification assessment, which will be performed by DCMA DIBCAC (www.dcma.mil/DIBCAC) on behalf of the DoD. The OSC must complete and achieve a MET result for all security requirements specified in table 1 to § 170.14(c)(4) to achieve the CMMC Status of Level 3 (DIBCAC). DCMA DIBCAC will submit the Level 3 certification assessment results into the CMMC instantiation of eMASS, which then provides automated transmission to SPRS. To maintain compliance with the requirements for a CMMC Status of Level 3 (DIBCAC), the Level 3 certification assessment must be performed every three years for all information systems within the Level 3 CMMC Assessment Scope. In addition, given that compliance with Level 2 requirements is a prerequisite for applying for CMMC Level 3, a Level 2 (C3PAO) certification assessment must also be conducted every three years to maintain CMMC Level 3 (DIBCAC) status.
The Level 3 certification assessment must be completed within three years of the CMMC Status Date associated with the Final Level 3 (DIBCAC) or, if there was a POA&M, then within three years of the CMMC Status Date associated with the Conditional Level 3 (DIBCAC).
(i) Inputs into the CMMC instantiation of eMASS. The Level 3 certification assessment results input into the CMMC instantiation of eMASS shall include, at minimum, the following items:
(A) Date and level of the assessment.
(B) For each Assessor(s) conducting the assessment, name and government organization information.
(C) All industry CAGE code(s) associated with the information system(s) addressed by the CMMC Assessment Scope.
(D) The name, date, and version of the system security plan(s) (SSP).
(E) CMMC Status Date.
(F) Result for each security requirement objective.
(G) POA&M usage and compliance, as applicable.
(H) List of the artifact names, the return value of the hashing algorithm, and the hashing algorithm used.
(ii) Conditional Level 3 (DIBCAC). The OSC has achieved the CMMC Status of Conditional Level 3 (DIBCAC) if the Level 3 certification assessment results in a POA&M and the POA&M meets all CMMC Level 3 POA&M requirements listed in § 170.21(a)(3).
(A) Plan of Action and Milestones. A Level 3 POA&M is allowed only in accordance with the CMMC POA&M requirements listed in § 170.21.
(B) POA&M closeout. The OSC must remediate any NOT MET requirements, must undergo a POA&M closeout certification assessment from DCMA DIBCAC, and DCMA DIBCAC must post compliance results into the CMMC instantiation of eMASS within 180 days of the CMMC Status Date associated with the Conditional Level 3 (DIBCAC). If the POA&M is not successfully closed out within the 180-day timeframe, the Conditional Level 3 (DIBCAC) CMMC Status for the information system will expire.
If Conditional Level 3 (DIBCAC) CMMC Status expires within the period of performance of a contract, standard contractual remedies will apply, and the OSC will be ineligible for additional awards with a requirement for the CMMC Status of Level 3 (DIBCAC) for the information system within the CMMC Assessment Scope until such time as a new CMMC Status is achieved.
(iii) Final Level 3 (DIBCAC). The OSC has achieved the CMMC Status of Final Level 3 (DIBCAC) if the Level 3 certification assessment results in a passing score as defined in § 170.24. This score may be achieved upon initial certification assessment or as the result of a POA&M closeout certification assessment, as applicable.
(iv) CMMC Status investigation. The DoD reserves the right to conduct a DCMA DIBCAC assessment of the OSC, as provided for under 48 CFR 252.204–7020. If the investigative results of a subsequent DCMA DIBCAC assessment show that adherence to the provisions of this part has not been achieved or maintained, these DCMA DIBCAC results will take precedence over any pre-existing CMMC Status. At that time, standard contractual remedies will be available and the OSC will be ineligible for additional awards with a CMMC Status requirement of Level 3 (DIBCAC) for the information system within the CMMC Assessment Scope until such time as a new CMMC Status is achieved.
(2) Affirmation. Affirmation of the Level 3 (DIBCAC) CMMC Status is required for all Level 3 certification assessments at the time of each assessment, and annually thereafter. Affirmation procedures are provided in § 170.22.

(b) Contract eligibility.
Prior to award of any contract or subcontract with a requirement for the CMMC Status of Level 3 (DIBCAC), the following two requirements must be met:
(1) The OSC must achieve, as specified in paragraph (a)(1) of this section, a CMMC Status of either Conditional Level 3 (DIBCAC) or Final Level 3 (DIBCAC).
(2) The OSC must submit an affirmation of compliance into SPRS, as specified in paragraph (a)(2) of this section.

(c) Procedures—(1) Level 3 certification assessment of the OSC. The CMMC Level 3 certification assessment process includes:
(i) Final Level 2 (C3PAO). The OSC must achieve a CMMC Status of Final Level 2 (C3PAO) for information systems within the Level 3 CMMC Assessment Scope prior to the CMMC Level 3 certification assessment. The CMMC Assessment Scope for the Level 3 certification assessment must be equal to, or a subset of, the CMMC Assessment Scope associated with the OSC's Final Level 2 (C3PAO). Asset requirements differ for each CMMC Level. Scoping differences are set forth in § 170.19.
(ii) Initiating the Final Level 3 (DIBCAC). The OSC (including ESPs that voluntarily elect to undergo a Level 3 certification assessment) initiates a Level 3 certification assessment by emailing a request to the DCMA DIBCAC point of contact found at www.dcma.mil/DIBCAC. The request must include the Level 2 certification assessment unique identifier. DCMA DIBCAC will validate that the OSC has achieved a CMMC Status of Level 2 (C3PAO) and will contact the OSC to schedule their Level 3 certification assessment.
(iii) Conducting the Final Level 3 (DIBCAC). DCMA DIBCAC will perform a Level 3 certification assessment in accordance with NIST SP 800–171A Jun2018 (incorporated by reference, see § 170.2) and NIST SP 800–172A Mar2022 (incorporated by reference, see § 170.2) and the CMMC Level 3 scoping requirements set forth in § 170.19(d) for the information systems within the CMMC Assessment Scope.
The Level 3 certification assessment will be scored in accordance with the CMMC Scoring Methodology set forth in § 170.24 and DCMA DIBCAC will upload the results into the CMMC instantiation of eMASS. Final results are communicated to the OSC through a CMMC Assessment Findings Report. For assets that changed asset category (e.g., CRMA to CUI Asset) or assessment requirements (e.g., Specialized Assets) between the Level 2 and Level 3 certification assessments, DCMA DIBCAC will perform limited checks of Level 2 security requirements. If the OSC had these upgraded asset categories included in their Level 2 certification assessment, then DCMA DIBCAC may still perform limited checks for compliance. If DCMA DIBCAC identifies that a Level 2 security requirement is NOT MET, the Level 3 assessment process may be paused to allow for remediation, placed on hold, or immediately terminated.
(2) Security requirement reevaluation. A security requirement that is NOT MET (as defined in § 170.24) may be re-evaluated during the course of the Level 3 certification assessment and for 10 business days following the active assessment period if all of the following conditions exist:
(i) Additional evidence is available to demonstrate the security requirement has been MET;
(ii) The additional evidence does not materially impact previously assessed security requirements; and
(iii) The CMMC Assessment Findings Report has not been delivered.
(3) POA&M. If a POA&M exists, a POA&M closeout certification assessment will be performed by DCMA DIBCAC within 180 days of the Conditional CMMC Status Date. Additional guidance is located in § 170.21 and in the guidance document listed in paragraph (d) of appendix A to this part.
(4) Artifact retention and integrity. The hashed artifacts used as evidence for the assessment must be retained by the OSC for six (6) years from the CMMC Status Date.
To ensure that the artifacts have not been altered, the OSC must hash the artifact files using a NIST-approved hashing algorithm. Assessors will collect the list of the artifact names, the return value of the hashing algorithm, and the hashing algorithm used and upload that data into the CMMC instantiation of eMASS. Additional guidance for hashing artifacts can be found in the guidance document listed in paragraph (h) of appendix A to this part.
(5) Level 3 certification assessment with the use of a Cloud Service Provider (CSP). An OSC may use a cloud environment to process, store, or transmit CUI in performance of a contract or subcontract with a requirement for the CMMC Status of Level 3 (DIBCAC) under the following circumstances:
(i) The OSC may utilize a CSP product or service offering that meets the FedRAMP Moderate (or higher) baseline. If the CSP's product or service offering is not FedRAMP Authorized at the FedRAMP Moderate (or higher) baseline, the product or service offering must meet security requirements equivalent to those established by the FedRAMP Moderate (or higher) baseline in accordance with DoD Policy.
(ii) Use of a CSP does not relieve an OSC of its obligation to implement the 24 Level 3 security requirements. These 24 requirements apply to every environment where the CUI data is processed, stored, or transmitted, when Level 3 (DIBCAC) is the designated CMMC Status. If any of these 24 requirements are inherited from a CSP, the OSC must demonstrate that protection during a Level 3 certification assessment via a Customer Implementation Summary/Customer Responsibility Matrix (CIS/CRM) and associated Body of Evidence (BOE).
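The artifact integrity procedure in § 170.17(c)(4) and § 170.18(c)(4) (hash every evidence file with a NIST-approved algorithm, then hand the assessor a list of artifact names, digests, and the algorithm used, which are also the fields required by § 170.17(a)(1)(i)(J) and § 170.18(a)(1)(i)(H)) is straightforward to script and, more importantly, to re-check years later. The following Python is an added example written for this page; it is not code from the rule, the CMMC Program, or any DoD guidance document. The evidence directory, file names and file contents are constructed for the demonstration, and the decision to accept only the SHA-2 and SHA-3 families (and to report files that appear on disk but not in the manifest) is this example's own, not a requirement stated by the rule.

```python
"""Build and verify a hash manifest for CMMC assessment artifacts (added example)."""
import hashlib
import json
import tempfile
from pathlib import Path

# SHA-2 (FIPS 180-4) and SHA-3 (FIPS 202) digests. hashlib also offers MD5 and
# SHA-1, but neither is an acceptable integrity hash for evidence, so the
# manifest builder refuses them (this example's own policy choice).
APPROVED_ALGORITHMS = frozenset({
    "sha256", "sha384", "sha512", "sha3_256", "sha3_384", "sha3_512",
})


def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Hex digest of one file, streamed in chunks so large evidence items
    (packet captures, disk images) are not loaded into memory at once."""
    if algorithm not in APPROVED_ALGORITHMS:
        raise ValueError(f"{algorithm!r} is not an approved hashing algorithm")
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(artifact_dir, algorithm="sha256"):
    """Walk artifact_dir and record, per artifact, the three fields the rule
    asks for: name, digest, algorithm. Names are relative POSIX paths in
    sorted order so two runs over the same tree give identical output."""
    root = Path(artifact_dir)
    entries = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        entries.append({
            "artifact": path.relative_to(root).as_posix(),
            "hash": hash_file(path, algorithm),
            "algorithm": algorithm,
        })
    return {"algorithm": algorithm, "artifacts": entries}


def verify_manifest(artifact_dir, manifest):
    """Re-hash every listed artifact and return {name: status} where status is
    OK, ALTERED or MISSING; files on disk that the manifest never recorded are
    reported as UNLISTED so late additions cannot pass as original evidence."""
    root = Path(artifact_dir)
    report = {}
    listed = set()
    for entry in manifest["artifacts"]:
        name = entry["artifact"]
        listed.add(name)
        path = root / name
        if not path.is_file():
            report[name] = "MISSING"
        elif hash_file(path, entry["algorithm"]) == entry["hash"]:
            report[name] = "OK"
        else:
            report[name] = "ALTERED"
    for path in root.rglob("*"):
        if path.is_file():
            name = path.relative_to(root).as_posix()
            if name not in listed:
                report[name] = "UNLISTED"
    return report


def demo():
    """Constructed evidence bundle: build the manifest, verify it, then tamper
    with the tree and verify again. Returns (manifest, clean_report, tampered_report)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "AC.L2-3.1.1").mkdir()
        (root / "AC.L2-3.1.1" / "account-policy.txt").write_text("constructed evidence\n")
        (root / "ssp-v1.2.pdf").write_bytes(b"%PDF-1.7 constructed placeholder\n")
        manifest = build_manifest(root)
        clean = verify_manifest(root, manifest)
        # Simulate what the manifest is meant to catch after the assessment:
        # an edited artifact, a lost artifact, and a file slipped in later.
        (root / "ssp-v1.2.pdf").write_bytes(b"%PDF-1.7 edited after the fact\n")
        (root / "AC.L2-3.1.1" / "account-policy.txt").unlink()
        (root / "late-addition.txt").write_text("not in manifest\n")
        tampered = verify_manifest(root, manifest)
        return manifest, clean, tampered


if __name__ == "__main__":
    manifest, clean, tampered = demo()
    print(json.dumps(manifest, indent=2))
    print("before tampering:", clean)
    print("after tampering: ", tampered)
```

The manifest is what gets handed to the C3PAO or DCMA DIBCAC for upload; keep a copy alongside the retained artifacts, because during the six-year retention window the manifest, not the files, is the reference that proves nothing was changed. Hash the manifest itself (or store it on write-once media) if it has to survive the same threat as the artifacts.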
The BOE must clearly indicate whether the OSC or the CSP is responsible for meeting each requirement and which requirements are implemented by the OSC versus inherited from the CSP.
(iii) In accordance with § 170.19(d)(2), the OSC's on-premises infrastructure connecting to the CSP's product or service offering is part of the CMMC Assessment Scope. As such, the security requirements from the CRM must be documented or referred to in the OSC's SSP.
(6) Level 3 certification assessment with the use of an ESP, not a CSP. An OSC may use an ESP that is not a CSP to process, store, or transmit CUI in performance of a contract or subcontract with a requirement for the CMMC Status of Level 3 (DIBCAC) under the following circumstances:
(i) The use of the ESP, its relationship to the OSC, and the services provided are documented in the OSC's SSP and described in the ESP's service description and customer responsibility matrix.
(ii) The ESP services used to meet OSC requirements are assessed within the scope of the OSC's assessment against all Level 2 and Level 3 security requirements.
(iii) In accordance with § 170.19(d)(2), the OSC's on-premises infrastructure connecting to the ESP's product or service offering is part of the CMMC Assessment Scope, which will also be assessed. As such, the security requirements from the CRM must be documented or referred to in the OSC's SSP.

§ 170.19 CMMC scoping.

(a) Scoping requirement. (1) The CMMC Assessment Scope must be specified prior to assessment in accordance with the requirements of this section. The CMMC Assessment Scope is the set of all assets in the OSA's environment that will be assessed against CMMC security requirements.
(2) The requirements for defining the CMMC Assessment Scope for CMMC Levels 1, 2, and 3 are set forth in this section.
Additional guidance regarding scoping can be found in the guidance documents listed in paragraphs (e) through (g) of appendix A to this part.

(b) CMMC Level 1 scoping. Prior to performing a Level 1 self-assessment, the OSA must specify the CMMC Assessment Scope.
(1) Assets in scope for Level 1 self-assessment. OSA information systems which process, store, or transmit FCI are in scope for CMMC Level 1 and must be self-assessed against applicable CMMC security requirements.
(2) Assets not in scope for Level 1 self-assessment—(i) Out-of-Scope Assets. OSA information systems which do not process, store, or transmit FCI are outside the scope for CMMC Level 1. An endpoint hosting a VDI client configured to not allow any processing, storage, or transmission of FCI beyond the Keyboard/Video/Mouse sent to the VDI client is considered out-of-scope. There are no documentation requirements for out-of-scope assets.
(ii) Specialized Assets. Specialized Assets are those assets that can process, store, or transmit FCI but are unable to be fully secured, including: Internet of Things (IoT) devices, Industrial Internet of Things (IIoT) devices, Operational Technology (OT), Government Furnished Equipment (GFE), Restricted Information Systems, and Test Equipment. Specialized Assets are not part of the Level 1 CMMC Assessment Scope and are not assessed against CMMC security requirements.
(3) Level 1 self-assessment scoping considerations. To scope a Level 1 self-assessment, OSAs should consider the people, technology, facilities, and External Service Providers (ESP) within their environment that process, store, or transmit FCI.

(c) CMMC Level 2 Scoping. Prior to performing a Level 2 self-assessment or Level 2 certification assessment, the OSA must specify the CMMC Assessment Scope.
(1) The CMMC Assessment Scope for CMMC Level 2 is based on the specification of asset categories and their respective requirements as defined in table 3 to this paragraph (c)(1).
Additional information is available in the guidance document listed in paragraph (f) of appendix A to this part.

TABLE 3 TO § 170.19(c)(1)—CMMC LEVEL 2 ASSET CATEGORIES AND ASSOCIATED REQUIREMENTS

Assets that are in the Level 2 CMMC Assessment Scope

Controlled Unclassified Information (CUI) Assets
  Asset description:
  • Assets that process, store, or transmit CUI.
  OSA requirements:
  • Document in the asset inventory.
  • Document asset treatment in the System Security Plan (SSP).
  • Document in the network diagram of the CMMC Assessment Scope.
  • Prepare to be assessed against CMMC Level 2 security requirements.
  CMMC assessment requirements:
  • Assess against all Level 2 security requirements.

Security Protection Assets
  Asset description:
  • Assets that provide security functions or capabilities to the OSA's CMMC Assessment Scope.
  OSA requirements:
  • Document in the asset inventory.
  • Document asset treatment in the SSP.
  • Document in the network diagram of the CMMC Assessment Scope.
  • Prepare to be assessed against CMMC Level 2 security requirements.
  CMMC assessment requirements:
  • Assess against Level 2 security requirements that are relevant to the capabilities provided.

Contractor Risk Managed Assets
  Asset description:
  • Assets that can, but are not intended to, process, store, or transmit CUI because of security policy, procedures, and practices in place.
  • Assets are not required to be physically or logically separated from CUI assets.
  OSA requirements:
  • Document in the asset inventory.
  • Document asset treatment in the SSP.
  • Document in the network diagram of the CMMC Assessment Scope.
  • Prepare to be assessed against CMMC Level 2 security requirements.
  CMMC assessment requirements:
  • Review the SSP:
    • If sufficiently documented, do not assess against other CMMC security requirements, except as noted.
    • If the OSA's risk-based security policies, procedures, and practices documentation or other findings raise questions about these assets, the assessor can conduct a limited check to identify deficiencies.
    • The limited check(s) shall not materially increase the assessment duration nor the assessment cost.
    • The limited check(s) will be assessed against CMMC security requirements.

Specialized Assets
  Asset description:
  • Assets that can process, store, or transmit CUI but are unable to be fully secured, including: Internet of Things (IoT) devices, Industrial Internet of Things (IIoT) devices, Operational Technology (OT), Government Furnished Equipment (GFE), Restricted Information Systems, and Test Equipment.
  OSA requirements:
  • Document in the asset inventory.
  • Document asset treatment in the SSP.
  • Show these assets are managed using the contractor's risk-based security policies, procedures, and practices.
  • Document in the network diagram of the CMMC Assessment Scope.
  CMMC assessment requirements:
  • Review the SSP.
  • Do not assess against other CMMC security requirements.

Assets that are not in the Level 2 CMMC Assessment Scope

Out-of-Scope Assets
  Asset description:
  • Assets that cannot process, store, or transmit CUI; and do not provide security protections for CUI Assets.
  • Assets that are physically or logically separated from CUI assets.
  • Assets that fall into any in-scope asset category cannot be considered an Out-of-Scope Asset.
  • An endpoint hosting a VDI client configured to not allow any processing, storage, or transmission of CUI beyond the Keyboard/Video/Mouse sent to the VDI client is considered an Out-of-Scope Asset.
  OSA requirements:
  • Prepare to justify the inability of an Out-of-Scope Asset to process, store, or transmit CUI.
  CMMC assessment requirements:
  • None.
(2)(i) Table 4 to this paragraph (c)(2)(i) defines the requirements to be met when utilizing an External Service Provider (ESP). The OSA must consider whether the ESP is a Cloud Service Provider (CSP) and whether the ESP processes, stores, or transmits CUI and/or Security Protection Data (SPD).

TABLE 4 TO § 170.19(c)(2)(i)—ESP SCOPING REQUIREMENTS

When the ESP processes, stores, or transmits CUI (with or without SPD):
  • When utilizing an ESP that is a CSP: The CSP shall meet the FedRAMP requirements in 48 CFR 252.204–7012.
  • When utilizing an ESP that is not a CSP: The services provided by the ESP are in the OSA's assessment scope and shall be assessed as part of the OSA's assessment.

When the ESP processes, stores, or transmits SPD (without CUI):
  • When utilizing an ESP that is a CSP: The services provided by the CSP are in the OSA's assessment scope and shall be assessed as Security Protection Assets.
  • When utilizing an ESP that is not a CSP: The services provided by the ESP are in the OSA's assessment scope and shall be assessed as Security Protection Assets.

When the ESP processes, stores, or transmits neither CUI nor SPD:
  • Whether or not the ESP is a CSP: A service provider that does not process CUI or SPD does not meet the CMMC definition of an ESP.

(ii) The use of an ESP, its relationship to the OSA, and the services provided need to be documented in the OSA's SSP and described in the ESP's service description and customer responsibility matrix (CRM), which describes the responsibilities of the OSA and ESP with respect to the services provided. Note that the ESP may voluntarily undergo a CMMC certification assessment to reduce the ESP's effort required during the OSA's assessment. The minimum assessment type for the ESP is dictated by the OSA's DoD contract requirement.

(d) CMMC Level 3 scoping. Prior to performing a Level 3 certification assessment, the CMMC Assessment Scope must be specified.
(1) The CMMC Assessment Scope for Level 3 is based on the specification of asset categories and their respective requirements as set forth in table 5 to this paragraph (d)(1).
Additional information is available in the guidance document listed in paragraph (g) of appendix A to this part.

TABLE 5 TO § 170.19(d)(1)—CMMC LEVEL 3 ASSET CATEGORIES AND ASSOCIATED REQUIREMENTS

Assets that are in the Level 3 CMMC Assessment Scope

Controlled Unclassified Information (CUI) Assets
  Asset description:
  • Assets that process, store, or transmit CUI.
  • Assets that can, but are not intended to, process, store, or transmit CUI (defined as Contractor Risk Managed Assets in table 3 to paragraph (c)(1) of this section).
  OSC requirements:
  • Document in the asset inventory.
  • Document asset treatment in the System Security Plan (SSP).
  • Document in the network diagram of the CMMC Assessment Scope.
  • Prepare to be assessed against CMMC Level 2 and Level 3 security requirements.
  CMMC assessment requirements:
  • Limited check against Level 2 and assess against all Level 3 CMMC security requirements.

Security Protection Assets
  Asset description:
  • Assets that provide security functions or capabilities to the OSC's CMMC Assessment Scope, irrespective of whether or not these assets process, store, or transmit CUI.
  OSC requirements:
  • Document in the asset inventory.
  • Document asset treatment in the SSP.
  • Document in the network diagram of the CMMC Assessment Scope.
  • Prepare to be assessed against CMMC Level 2 and Level 3 security requirements.
  CMMC assessment requirements:
  • Limited check against Level 2 and assess against all Level 3 CMMC security requirements that are relevant to the capabilities provided.

Specialized Assets
  Asset description:
  • Assets that can process, store, or transmit CUI but are unable to be fully secured, including: Internet of Things (IoT) devices, Industrial Internet of Things (IIoT) devices, Operational Technology (OT), Government Furnished Equipment (GFE), Restricted Information Systems, and Test Equipment.
  OSC requirements:
  • Document in the asset inventory.
  • Document asset treatment in the SSP.
  • Document in the network diagram of the CMMC Assessment Scope.
  • Prepare to be assessed against CMMC Level 2 and Level 3 security requirements.
  CMMC assessment requirements:
  • Limited check against Level 2 and assess against all Level 3 CMMC security requirements.
  • Intermediary devices are permitted to provide the capability for the specialized asset to meet one or more CMMC security requirements.

Assets that are not in the Level 3 CMMC Assessment Scope

Out-of-Scope Assets
  Asset description:
  • Assets that cannot process, store, or transmit CUI; and do not provide security protections for CUI Assets.
  • Assets that are physically or logically separated from CUI assets.
  • Assets that fall into any in-scope asset category cannot be considered an Out-of-Scope Asset.
  • An endpoint hosting a VDI client configured to not allow any processing, storage, or transmission of CUI beyond the Keyboard/Video/Mouse sent to the VDI client is considered an Out-of-Scope Asset.
  OSC requirements:
  • Prepare to justify the inability of an Out-of-Scope Asset to process, store, or transmit CUI.
  CMMC assessment requirements:
  • None.

(2)(i) Table 6 to this paragraph (d)(2)(i) defines the requirements to be met when utilizing an External Service Provider (ESP). The OSA must consider whether the ESP is a Cloud Service Provider (CSP) and whether the ESP processes, stores, or transmits CUI and/or Security Protection Data (SPD).

TABLE 6 TO § 170.19(d)(2)(i)—ESP SCOPING REQUIREMENTS

When the ESP processes, stores, or transmits CUI (with or without SPD):
  • When utilizing an ESP that is a CSP: The CSP shall meet the FedRAMP requirements in 48 CFR 252.204–7012.
  • When utilizing an ESP that is not a CSP: The services provided by the ESP are in the OSA's assessment scope and shall be assessed as part of the OSA's assessment.

When the ESP processes, stores, or transmits SPD (without CUI):
  • When utilizing an ESP that is a CSP: The services provided by the CSP are in the OSA's assessment scope and shall be assessed as Security Protection Assets.
  • When utilizing an ESP that is not a CSP: The services provided by the ESP are in the OSA's assessment scope and shall be assessed as Security Protection Assets.

When the ESP processes, stores, or transmits neither CUI nor SPD:
  • Whether or not the ESP is a CSP: A service provider that does not process CUI or SPD does not meet the CMMC definition of an ESP.

(ii) The use of an ESP, its relationship to the OSC, and the services provided need to be documented in the OSC's SSP and described in the ESP's service description and customer responsibility matrix (CRM), which describes the responsibilities of the OSC and ESP with respect to the services provided. Note that the ESP may voluntarily undergo a CMMC certification assessment to reduce the ESP's effort required during the OSC's assessment. The minimum assessment type for the ESP is dictated by the OSC's DoD contract requirement.

(e) Relationship between Level 2 and Level 3 CMMC Assessment Scope. The Level 3 CMMC Assessment Scope must be equal to or a subset of the Level 2 CMMC Assessment Scope in accordance with § 170.18(a) (e.g., a Level 3 data enclave with greater restrictions and protections within a Level 2 data enclave). Any Level 2 POA&M items must be closed prior to the initiation of the Level 3 certification assessment. DCMA DIBCAC may check any Level 2 security requirement of any in-scope asset. If DCMA DIBCAC identifies that a Level 2 security requirement is NOT MET, the Level 3 assessment process may be paused to allow for remediation, placed on hold, or immediately terminated.
For further information regarding scoping of CMMC Level 3 assessments please contact DCMA DIBCAC at www.dcma.mil/DIBCAC/.

§ 170.20 Standards acceptance.

(a) NIST SP 800–171 R2 DoD assessments. In order to avoid duplication of efforts, thereby reducing the aggregate cost to industry and the Department, OSCs that have completed a DCMA DIBCAC High Assessment aligned with CMMC Level 2 Scoping will be given the CMMC Status of Final Level 2 (C3PAO) under the following conditions:
(1) DCMA DIBCAC High Assessment. An OSC that achieved a perfect score with no open POA&M from a DCMA DIBCAC High Assessment conducted prior to the effective date of this rule will be given a CMMC Status of Level 2 Final (C3PAO) with a validity period of three (3) years from the date of the original DCMA DIBCAC High Assessment. DCMA DIBCAC will identify assessments that meet these criteria and verify that SPRS accurately reflects the CMMC Status. Eligible DCMA DIBCAC High Assessments include ones conducted with Joint Surveillance in accordance with the DCMA Manual 2302–01 Surveillance. The scope of the Level 2 certification assessment is identical to the scope of the DCMA DIBCAC High Assessment. In accordance with § 170.17(a)(2), the OSC must also submit an affirmation in SPRS and annually thereafter to achieve contractual eligibility.
(2) [Reserved].
(b) [Reserved].

§ 170.21 Plan of Action and Milestones requirements.

(a) POA&M. For purposes of achieving a Conditional CMMC Status, an OSA is only permitted to have a POA&M for select requirements scored as NOT MET during the CMMC assessment and only under the following conditions:
(1) Level 1 self-assessment. A POA&M is not permitted at any time for Level 1 self-assessments.
(2) Level 2 self-assessment and Level 2 certification assessment.
An OSA is only permitted to achieve the CMMC Status of Conditional Level 2 (Self) or Conditional Level 2 (C3PAO), as appropriate, if all the following conditions are met:
(i) The assessment score divided by the total number of CMMC Level 2 security requirements is greater than or equal to 0.8;
(ii) None of the security requirements included in the POA&M have a point value of greater than 1 as specified in the CMMC Scoring Methodology set forth in § 170.24, except SC.L2–3.13.11 CUI Encryption may be included on a POA&M if encryption is employed but it is not FIPS-validated, which would result in a point value of 3; and
(iii) None of the following security requirements are included in the POA&M:
(A) AC.L2–3.1.20 External Connections (CUI Data).
(B) AC.L2–3.1.22 Control Public Information (CUI Data).
(C) CA.L2–3.12.4 System Security Plan.
(D) PE.L2–3.10.3 Escort Visitors (CUI Data).
(E) PE.L2–3.10.4 Physical Access Logs (CUI Data).
(F) PE.L2–3.10.5 Manage Physical Access (CUI Data).
(3) Level 3 certification assessment. An OSC is only permitted to achieve the CMMC Status of Conditional Level 3 (DIBCAC) if all the following conditions are met:
(i) The assessment score divided by the total number of CMMC Level 3 security requirements is greater than or equal to 0.8; and
(ii) The POA&M does not include any of the following security requirements:
(A) IR.L3–3.6.1e Security Operations Center.
(B) IR.L3–3.6.2e Cyber Incident Response Team.
(C) RA.L3–3.11.1e Threat-Informed Risk Assessment.
(D) RA.L3–3.11.6e Supply Chain Risk Response.
(E) RA.L3–3.11.7e Supply Chain Risk Plan.
(F) RA.L3–3.11.4e Security Solution Rationale.
(G) SI.L3–3.14.3e Specialized Asset Security.
(b) POA&M closeout assessment.
A POA&M closeout assessment is a CMMC assessment that assesses only the NOT MET requirements that were identified with POA&M in the initial assessment. The closing of a POA&M must be confirmed by a POA&M closeout assessment within 180 days of the Conditional CMMC Status Date. If the POA&M is not successfully closed out within the 180-day timeframe, the Conditional CMMC Status for the information system will expire.
(1) Level 2 self-assessment. For a Level 2 self-assessment, the POA&M closeout self-assessment shall be performed by the OSA in the same manner as the initial self-assessment.
(2) Level 2 certification assessment. For Level 2 certification assessment, the POA&M closeout certification assessment must be performed by an authorized or accredited C3PAO.
(3) Level 3 certification assessment. For Level 3 certification assessment, DCMA DIBCAC will perform the POA&M closeout certification assessment.

§ 170.22 Affirmation.

(a) General. The OSA must affirm continuing compliance with the appropriate level self-assessment or certification assessment. An Affirming Official from each OSA, whether a prime or subcontractor, must affirm the continuing compliance of their respective organizations with the specified security requirement after every assessment, including POA&M closeout, and annually thereafter. Affirmations are entered electronically in SPRS. The affirmation shall be submitted in accordance with the following requirements:
(1) Affirming Official. The Affirming Official is the senior level representative from within each Organization Seeking Assessment (OSA) who is responsible for ensuring the OSA’s compliance with the CMMC Program requirements and has the authority to affirm the OSA’s continuing compliance with the specified security requirements for their respective organizations.
(2) Affirmation content.
Each CMMC affirmation shall include the following information:
(i) Name, title, and contact information for the Affirming Official; and
(ii) Affirmation statement attesting that the OSA has implemented and will maintain implementation of all applicable CMMC security requirements to their CMMC Status for all information systems within the relevant CMMC Assessment Scope.
(3) Affirmation submission. The Affirming Official shall submit a CMMC affirmation in the following instances:
(i) Upon achievement of a Conditional CMMC Status, as applicable;
(ii) Upon achievement of a Final CMMC Status;
(iii) Annually following a Final CMMC Status Date; and
(iv) Following a POA&M closeout assessment, as applicable.
(b) Submission procedures. All affirmations shall be completed in SPRS. The Department will verify submission of the affirmation in SPRS to ensure compliance with CMMC solicitation or contract requirements.
(1) Level 1 self-assessment. At the completion of a Level 1 self-assessment and annually thereafter, the Affirming Official shall submit a CMMC affirmation attesting to continuing compliance with all requirements of the CMMC Status Level 1 (Self).
(2) Level 2 self-assessment. At the completion of a Level 2 self-assessment and annually following a Final CMMC Status Date, the Affirming Official shall submit a CMMC affirmation attesting to continuing compliance with all requirements of the CMMC Status Level 2 (Self). An affirmation shall also be submitted at the completion of a POA&M closeout self-assessment.
(3) Level 2 certification assessment. At the completion of a Level 2 certification assessment and annually following a Final CMMC Status Date, the Affirming Official shall submit a CMMC affirmation attesting to continuing compliance with all requirements of the CMMC Status Level 2 (C3PAO). An affirmation shall also be submitted at the completion of a POA&M closeout certification assessment.
(4) Level 3 certification assessment. At the completion of a Level 3 certification assessment and annually following a Final CMMC Status Date, the Affirming Official shall submit a CMMC affirmation attesting to continuing compliance with all requirements of the CMMC Status Level 3 (DIBCAC). Because C3PAOs and DCMA DIBCAC check for compliance with different requirements in their respective assessments, OSCs must annually affirm their CMMC Status of Level 2 (C3PAO) in addition to their CMMC Status of Level 3 (DIBCAC) to maintain eligibility for contracts requiring compliance with Level 3. An affirmation shall also be submitted at the completion of a POA&M closeout certification assessment.

§ 170.23 Application to subcontractors.

(a) CMMC requirements apply to prime contractors and subcontractors throughout the supply chain at all tiers that will process, store, or transmit any FCI or CUI on contractor information systems in the performance of the DoD contract or subcontract. Prime contractors shall comply and shall require subcontractors to comply with and to flow down CMMC requirements, such that compliance will be required throughout the supply chain at all tiers with the applicable CMMC level and assessment type for each subcontract as follows:
(1) If a subcontractor will only process, store, or transmit FCI (and not CUI) in performance of the subcontract, then a CMMC Status of Level 1 (Self) is required for the subcontractor.
(2) If a subcontractor will process, store, or transmit CUI in performance of the subcontract, then a CMMC Status of Level 2 (Self) is the minimum requirement for the subcontractor.
(3) If a subcontractor will process, store, or transmit CUI in performance of the subcontract and the associated prime contract has a requirement for a CMMC Status of Level 2 (C3PAO), then the CMMC Status of Level 2 (C3PAO) is the minimum requirement for the subcontractor.
(4) If a subcontractor will process, store, or transmit CUI in performance of the subcontract and the associated prime contract has a requirement for the CMMC Status of Level 3 (DIBCAC), then the CMMC Status of Level 2 (C3PAO) is the minimum requirement for the subcontractor.
(b) As with any solicitation or contract, the DoD may provide specific guidance pertaining to flow-down.

§ 170.24 CMMC Scoring Methodology.

(a) General. This scoring methodology is designed to provide a measurement of an OSA’s implementation status of the NIST SP 800–171 R2 security requirements (incorporated by reference elsewhere in this part, see § 170.2) and the selected NIST SP 800–172 Feb2021 security requirements (incorporated by reference elsewhere in this part, see § 170.2). The CMMC Scoring Methodology is designed to credit partial implementation only in limited cases (e.g., multi-factor authentication IA.L2–3.5.3).
(b) Assessment findings. Each security requirement assessed under the CMMC Scoring Methodology must result in one of three possible assessment findings, as follows:
(1) Met. All applicable objectives for the security requirement are satisfied based on evidence. All evidence must be in final form and not draft. Unacceptable forms of evidence include but are not limited to working papers, drafts, and unofficial or unapproved policies.
(i) Enduring exceptions when described, along with any mitigations, in the system security plan shall be assessed as MET.
(ii) Temporary deficiencies that are appropriately addressed in operational plans of action (i.e., include deficiency reviews and show progress towards the implementation of corrections to reduce or eliminate identified vulnerabilities) shall be assessed as MET.
(2) Not Met. One or more applicable objectives for the security requirement is not satisfied. During an assessment, for each security requirement objective marked NOT MET, the assessor will document why the evidence does not conform.
(3) Not Applicable (N/A). A security requirement and/or objective does not apply at the time of the CMMC assessment. For example, Public-Access System Separation (SC.L2–3.13.5) might be N/A if there are no publicly accessible systems within the CMMC Assessment Scope. During an assessment, an assessment objective assessed as N/A is equivalent to the same assessment objective being assessed as MET.
(c) Scoring. At each CMMC Level, security requirements are scored as follows:
(1) CMMC Level 1. All CMMC Level 1 security requirements must be fully implemented to be considered MET. No POA&M is permitted for CMMC Level 1, and self-assessment results are scored as MET or NOT MET in their entirety.
(2) CMMC Level 2 Scoring Methodology. The maximum score achievable for a Level 2 self-assessment or Level 2 certification assessment is equal to the total number of CMMC Level 2 security requirements. If all CMMC Level 2 security requirements are MET, OSAs are awarded the maximum score. For each requirement NOT MET, the associated value of the security requirement is subtracted from the maximum score, which may result in a negative score.
(i) Procedures.
(A) Scoring methodology for Level 2 self-assessment and Level 2 certification assessment is based on all CMMC Level 2 security requirement objectives, including those NOT MET.
(B) In the CMMC Level 2 Scoring Methodology, each security requirement has a value (e.g., 1, 3 or 5), which is related to the designation by NIST as basic or derived security requirements. Per NIST SP 800–171 R2, the basic security requirements are obtained from FIPS PUB 200 Mar2006, which provides the high-level and fundamental security requirements for Federal information and systems. The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST SP 800–53 R5.
(1) For NIST SP 800–171 R2 basic and derived security requirements that, if not implemented, could lead to significant exploitation of the network, or exfiltration of CUI, five (5) points are subtracted from the maximum score. The basic and derived security requirements with a value of five (5) points include:
(i) Basic security requirements. AC.L2–3.1.1, AC.L2–3.1.2, AT.L2–3.2.1, AT.L2–3.2.2, AU.L2–3.3.1, CM.L2–3.4.1, CM.L2–3.4.2, IA.L2–3.5.1, IA.L2–3.5.2, IR.L2–3.6.1, IR.L2–3.6.2, MA.L2–3.7.2, MP.L2–3.8.3, PS.L2–3.9.2, PE.L2–3.10.1, PE.L2–3.10.2, CA.L2–3.12.1, CA.L2–3.12.3, SC.L2–3.13.1, SC.L2–3.13.2, SI.L2–3.14.1, SI.L2–3.14.2, and SI.L2–3.14.3.
(ii) Derived security requirements. AC.L2–3.1.12, AC.L2–3.1.13, AC.L2–3.1.16, AC.L2–3.1.17, AC.L2–3.1.18, AU.L2–3.3.5, CM.L2–3.4.5, CM.L2–3.4.6, CM.L2–3.4.7, CM.L2–3.4.8, IA.L2–3.5.10, MA.L2–3.7.5, MP.L2–3.8.7, RA.L2–3.11.2, SC.L2–3.13.5, SC.L2–3.13.6, SC.L2–3.13.15, SI.L2–3.14.4, and SI.L2–3.14.6.
(2) For basic and derived security requirements that, if not implemented, have a specific and confined effect on the security of the network and its data, three (3) points are subtracted from the maximum score. The basic and derived security requirements with a value of three (3) points include:
(i) Basic security requirements. AU.L2–3.3.2, MA.L2–3.7.1, MP.L2–3.8.1, MP.L2–3.8.2, PS.L2–3.9.1, RA.L2–3.11.1, and CA.L2–3.12.2.
(ii) Derived security requirements. AC.L2–3.1.5, AC.L2–3.1.19, MA.L2–3.7.4, MP.L2–3.8.8, SC.L2–3.13.8, SI.L2–3.14.5, and SI.L2–3.14.7.
(3) All remaining derived security requirements, other than the exceptions noted, if not implemented, have a limited or indirect effect on the security of the network and its data. For these, 1 point is subtracted from the maximum score.
(4) Two derived security requirements, IA.L2–3.5.3 and SC.L2–3.13.11, can be partially effective even if not completely or properly implemented, and the points deducted may be adjusted depending on how the security requirement is implemented.
(i) Multi-factor authentication (MFA) (CMMC Level 2 security requirement IA.L2–3.5.3) is typically implemented first for remote and privileged users (since these users are both limited in number and more critical) and then for the general user, so three (3) points are subtracted from the maximum score if MFA is implemented only for remote and privileged users. Five (5) points are subtracted from the maximum score if MFA is not implemented for any users.
(ii) FIPS-validated encryption (CMMC Level 2 security requirement SC.L2–3.13.11) is required to protect the confidentiality of CUI. If encryption is employed, but is not FIPS-validated, three (3) points are subtracted from the maximum score; if encryption is not employed, five (5) points are subtracted from the maximum score.
(5) OSAs must have a System Security Plan (SSP) (CMMC security requirement CA.L2–3.12.4) in place at the time of assessment to describe each information system within the CMMC Assessment Scope. The absence of an up-to-date SSP at the time of the assessment would result in a finding that ‘an assessment could not be completed due to incomplete information and noncompliance with 48 CFR 252.204–7012.’
(6) For each NOT MET security requirement the OSA must have a POA&M in place.
A POA&M addressing NOT MET security requirements is not a substitute for a completed requirement. Security requirements not implemented, whether described in a POA&M or not, are assessed as ‘NOT MET.’
(7) Specialized Assets must be evaluated for their asset category per the CMMC scoping guidance for the level in question and handled accordingly as set forth in § 170.19.
(8) If an OSC previously received a favorable adjudication from the DoD CIO indicating that a security requirement is not applicable or that an alternative security measure is equally effective (in accordance with 48 CFR 252.204–7008 or 48 CFR 252.204–7012), the DoD CIO adjudication must be included in the system security plan to receive consideration during an assessment. A security requirement for which implemented security measures have been adjudicated by the DoD CIO as equally effective is assessed as MET if there have been no changes in the environment.
(ii) CMMC Level 2 Scoring Table. CMMC Level 2 scoring has been assigned based on the methodology set forth in table 1 to this paragraph (c)(2)(ii).

TABLE 7 TO § 170.24(c)(2)(ii)—CMMC LEVEL 2 SCORING TABLE

CMMC Level 2 requirement categories .......... Point value subtracted from maximum score
Basic Security Requirements:
  If not implemented, could lead to significant exploitation of the network, or exfiltration of CUI .......... 5
  If not implemented, has specific and confined effect on the security of the network and its data .......... 3
Derived Security Requirements:
  If not implemented, could lead to significant exploitation of the network, or exfiltration of CUI .......... 5
  If not completely or properly implemented, could be partially effective and points adjusted depending on how the security requirement is implemented: .......... 3 or 5
    —Partially effective implementation—3 points.
    —Non-effective (not implemented at all)—5 points.
  If not implemented, has specific and confined effect on the security of the network and its data .......... 3
  If not implemented, has a limited or indirect effect on the security of the network and its data .......... 1

(3) CMMC Level 3 assessment scoring methodology. CMMC Level 3 scoring does not utilize varying values like the scoring for CMMC Level 2. All CMMC Level 3 security requirements use a value of one (1) point for each security requirement. As a result, the maximum score achievable for a Level 3 certification assessment is equivalent to the total number of the selected subset of NIST SP 800–172 Feb2021 security requirements for CMMC Level 3, see § 170.14(c)(4). The maximum score is reduced by one (1) point for each security requirement NOT MET. The CMMC Level 3 scoring methodology reflects the fact that all CMMC Level 2 security requirements must already be MET (for the Level 3 CMMC Assessment Scope). A maximum score on the Level 2 certification assessment is required to be eligible to initiate a Level 3 certification assessment. The Level 3 certification assessment score is equal to the number of CMMC Level 3 security requirements that are assessed as MET.

Appendix A to Part 170—Guidance

Guidance documents include:
(a) ‘‘CMMC Model Overview’’ available at https://DoDcio.defense.gov/CMMC/.
(b) ‘‘CMMC Assessment Guide—Level 1’’ available at https://DoDcio.defense.gov/CMMC/.
(c) ‘‘CMMC Assessment Guide—Level 2’’ available at https://DoDcio.defense.gov/CMMC/.
(d) ‘‘CMMC Assessment Guide—Level 3’’ available at https://DoDcio.defense.gov/CMMC/.
(e) ‘‘CMMC Scoping Guide—Level 1’’ available at https://DoDcio.defense.gov/CMMC/.
(f) ‘‘CMMC Scoping Guide—Level 2’’ available at https://DoDcio.defense.gov/CMMC/.
(g) ‘‘CMMC Scoping Guide—Level 3’’ available at https://DoDcio.defense.gov/CMMC/.
(h) ‘‘CMMC Hashing Guide’’ available at https://DoDcio.defense.gov/CMMC/.

Dated: September 30, 2024.
Patricia L. Toppings,
OSD Federal Register Liaison Officer, Department of Defense.
[FR Doc. 2024–22905 Filed 10–11–24; 8:45 am]
BILLING CODE 6001–FR–P
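The Level 2 scoring methodology of § 170.24(c)(2) and the Conditional Level 2 POA&M conditions of § 170.21(a)(2), carried through as an added worked example that is not part of the rule; it assumes the Level 2 requirement set is the 110 requirements of NIST SP 800–171 R2 (the rule itself only says "the total number of CMMC Level 2 security requirements"), and the assessment findings it scores are constructed.

```python
"""CMMC Level 2 scoring (32 CFR 170.24(c)(2)) and the Conditional Level 2
POA&M conditions (32 CFR 170.21(a)(2)) as executable logic.

Added example, not part of the rule. Identifiers and point values are
transcribed from the rule text; sample findings are constructed. Assumption:
the Level 2 requirement set is the 110 requirements of NIST SP 800-171 R2."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TOTAL_LEVEL2_REQUIREMENTS = 110  # assumption, see docstring

# 170.24(c)(2)(i)(B)(1): basic and derived requirements worth 5 points.
FIVE_POINT = {
    "AC.L2-3.1.1", "AC.L2-3.1.2", "AT.L2-3.2.1", "AT.L2-3.2.2", "AU.L2-3.3.1",
    "CM.L2-3.4.1", "CM.L2-3.4.2", "IA.L2-3.5.1", "IA.L2-3.5.2", "IR.L2-3.6.1",
    "IR.L2-3.6.2", "MA.L2-3.7.2", "MP.L2-3.8.3", "PS.L2-3.9.2", "PE.L2-3.10.1",
    "PE.L2-3.10.2", "CA.L2-3.12.1", "CA.L2-3.12.3", "SC.L2-3.13.1",
    "SC.L2-3.13.2", "SI.L2-3.14.1", "SI.L2-3.14.2", "SI.L2-3.14.3",
    "AC.L2-3.1.12", "AC.L2-3.1.13", "AC.L2-3.1.16", "AC.L2-3.1.17",
    "AC.L2-3.1.18", "AU.L2-3.3.5", "CM.L2-3.4.5", "CM.L2-3.4.6", "CM.L2-3.4.7",
    "CM.L2-3.4.8", "IA.L2-3.5.10", "MA.L2-3.7.5", "MP.L2-3.8.7", "RA.L2-3.11.2",
    "SC.L2-3.13.5", "SC.L2-3.13.6", "SC.L2-3.13.15", "SI.L2-3.14.4",
    "SI.L2-3.14.6",
}
# (B)(2): basic and derived requirements worth 3 points.
THREE_POINT = {
    "AU.L2-3.3.2", "MA.L2-3.7.1", "MP.L2-3.8.1", "MP.L2-3.8.2", "PS.L2-3.9.1",
    "RA.L2-3.11.1", "CA.L2-3.12.2", "AC.L2-3.1.5", "AC.L2-3.1.19",
    "MA.L2-3.7.4", "MP.L2-3.8.8", "SC.L2-3.13.8", "SI.L2-3.14.5", "SI.L2-3.14.7",
}
# (B)(4): the deduction depends on how the requirement is implemented.
MFA = "IA.L2-3.5.3"
CUI_ENCRYPTION = "SC.L2-3.13.11"
# 170.21(a)(2)(iii): requirements that may never be placed on a POA&M.
POAM_EXCLUDED = {"AC.L2-3.1.20", "AC.L2-3.1.22", "CA.L2-3.12.4",
                 "PE.L2-3.10.3", "PE.L2-3.10.4", "PE.L2-3.10.5"}


@dataclass(frozen=True)
class Finding:
    requirement: str
    status: str                   # "MET", "NOT MET" or "N/A"
    detail: Optional[str] = None  # partial-implementation detail, see point_value


def point_value(requirement: str, detail: Optional[str] = None) -> int:
    """Points subtracted when the requirement is NOT MET (170.24(c)(2)(i)(B))."""
    if requirement == MFA:  # MFA for remote/privileged users only: 3; for nobody: 5
        return 3 if detail == "remote_and_privileged_only" else 5
    if requirement == CUI_ENCRYPTION:  # encryption employed but not FIPS-validated: 3; none: 5
        return 3 if detail == "non_fips_encryption" else 5
    if requirement in FIVE_POINT:
        return 5
    if requirement in THREE_POINT:
        return 3
    return 1  # every remaining derived requirement, (B)(3)


def level2_score(findings: List[Finding], total: int = TOTAL_LEVEL2_REQUIREMENTS) -> int:
    """Maximum score minus the value of each NOT MET requirement; may be negative.
    N/A is equivalent to MET (170.24(b)(3)), so only NOT MET findings deduct."""
    return total - sum(point_value(f.requirement, f.detail)
                       for f in findings if f.status == "NOT MET")


def conditional_level2_eligibility(findings: List[Finding],
                                   total: int = TOTAL_LEVEL2_REQUIREMENTS) -> Tuple[bool, List[str]]:
    """Apply 170.21(a)(2)(i)-(iii) to the NOT MET findings that would form the POA&M.
    Returns (eligible, reasons); reasons is empty when a Conditional status is permitted."""
    reasons = []
    score = level2_score(findings, total)
    if score / total < 0.8:  # (i)
        reasons.append(f"score {score}/{total} = {score / total:.3f} is below 0.8")
    for f in findings:
        if f.status != "NOT MET":
            continue
        r = f.requirement
        if r in POAM_EXCLUDED:  # (iii)
            reasons.append(f"{r} may never be placed on a POA&M")
            continue
        pts = point_value(r, f.detail)
        # (ii): only 1-point items, except CUI encryption that is employed but not FIPS-validated.
        if pts > 1 and not (r == CUI_ENCRYPTION and f.detail == "non_fips_encryption"):
            reasons.append(f"{r} is worth {pts} points; only 1-point items may be on a POA&M")
    return (not reasons, reasons)


# Constructed sample assessment. Partial MFA earns credit in the score (3 instead
# of 5 points off) but still blocks a Conditional status, because a 3-point item
# cannot go on a POA&M, while non-FIPS CUI encryption (also 3 points) explicitly can.
SAMPLE_FINDINGS = [
    Finding("AC.L2-3.1.12", "MET"),
    Finding("SC.L2-3.13.5", "N/A"),                              # no publicly accessible systems
    Finding("AC.L2-3.1.3", "NOT MET"),                           # 1 point
    Finding(MFA, "NOT MET", "remote_and_privileged_only"),       # 3 points
    Finding(CUI_ENCRYPTION, "NOT MET", "non_fips_encryption"),  # 3 points, POA&M allowed
]
# Same assessment with MFA fully implemented: score 106 and a Conditional status is permitted.
SAMPLE_FINDINGS_MFA_MET = [f for f in SAMPLE_FINDINGS if f.requirement != MFA] + [Finding(MFA, "MET")]
```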

SUMMARY: With this final rule, DoD establishes the Cybersecurity 
Maturity Model Certification (CMMC) Program in order to verify 
contractors have implemented required security measures necessary to 
safeguard Federal Contract Information (FCI) and Controlled 
Unclassified Information (CUI). The mechanisms discussed in this rule 
will allow the Department to confirm a defense contractor or 
subcontractor has implemented the security requirements for a specified 
CMMC level and is maintaining that status (meaning level and assessment 
type) across the contract period of performance. This rule will be 
updated as needed, using the appropriate rulemaking process, to address 
evolving cybersecurity standards, requirements, threats, and other 
relevant changes.

DATES: This rule is effective December 16, 2024. The incorporation by 
reference of certain material listed in this rule is approved by the 
Director of the Federal Register as of December 16, 2024.

FOR FURTHER INFORMATION CONTACT: Ms. Diane Knight, Office of the DoD 
CIO at [email protected] or 202-770-
9100.

SUPPLEMENTARY INFORMATION:

History of the Program

    The beginnings of CMMC start with the November 2010, Executive 
Order (E.O.) 13556,\1\ Controlled Unclassified Information. The intent 
of this Order was to ``establish an open and uniform program for 
managing [unclassified] information that requires safeguarding or 
dissemination controls.'' Prior to this E.O., more than 100 different 
markings for this information existed across the executive branch. This 
ad hoc, agency-specific approach created inefficiency and confusion, 
led to a patchwork system that failed to adequately safeguard 
information requiring protection, and unnecessarily restricted 
information-sharing.
---------------------------------------------------------------------------

    \1\ www.federalregister.gov/citation/75-FR-68675 (November 4, 
2010).
---------------------------------------------------------------------------

    As a result, the E.O. established the CUI Program to standardize 
the way the executive branch handles information requiring safeguarding 
or dissemination controls (excluding information that is classified 
under E.O. 13526, Classified National Security Information \2\ or any 
predecessor or successor order; or the Atomic Energy Act of 1954,\3\ as 
amended).
---------------------------------------------------------------------------

    \2\ www.federalregister.gov/citation/75-FR-707 (December 29, 
2009).
    \3\ www.govinfo.gov/link/uscode/42/2011, et seq.
---------------------------------------------------------------------------

    In 2019, DoD announced the development of CMMC in order to move 
away from a ``self-attestation'' model of security. It was first 
conceived by the Office of the Under Secretary of Defense for 
Acquisition and Sustainment (OUSD(A&S)) to secure the Defense 
Industrial Base (DIB) sector against evolving cybersecurity threats. In 
September 2020, DoD published the 48 CFR CMMC interim final rule, 
Defense Federal Acquisition Regulation Supplement (DFARS): Assessing 
Contractor Implementation of Cybersecurity Requirements (DFARS Case 
2019-D041 85 FR 48513, September 9, 2020),\4\ which implemented the 
DoD's vision for the initial CMMC Program and outlined the basic 
features of the framework (tiered model of practices and processes, 
required assessments, and implementation through contracts) to protect 
FCI and CUI. The 48 CFR CMMC interim final rule became effective on 30 
November 2020, establishing a five-year phase-in period. In response to 
approximately 750 public comments on the 48 CFR CMMC interim final 
rule, in March 2021, the Department initiated an internal review of 
CMMC's implementation.
---------------------------------------------------------------------------

    \4\ www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of.
---------------------------------------------------------------------------

    In November 2021, the Department announced the revised CMMC 
Program, an updated program structure and requirements designed to 
achieve the primary goals of the internal review:

 Safeguard sensitive information to enable and protect the 
warfighter
 Enforce DIB cybersecurity standards to meet evolving threats
 Ensure accountability while minimizing barriers to compliance 
with DoD requirements
 Perpetuate a collaborative culture of cybersecurity and cyber 
resilience
 Maintain public trust through high professional and ethical 
standards

    The revised CMMC Program has three key features:
     Tiered Model: CMMC requires companies entrusted with 
Federal contract information and controlled unclassified information to 
implement cybersecurity standards at progressively advanced levels, 
depending on the type and sensitivity of the information. The program 
also describes the process for requiring protection of information 
flowed down to subcontractors.
     Assessment Requirement: CMMC assessments allow the 
Department to verify the implementation of clear cybersecurity 
standards.
     Phased Implementation: Once CMMC rules become effective, 
certain DoD contractors handling FCI and CUI will be required to 
achieve a particular CMMC level as a condition of contract award. CMMC 
requirements will be implemented using a 4-phase implementation plan 
over a three-year period.

Current Status of the CMMC Program

    Separate from this rulemaking, DoD has a proposed acquisition rule 
(48 CFR part 204 CMMC Acquisition rule) to amend the Defense Federal 
Acquisition Regulation Supplement (DFARS) to address procurement 
related considerations and requirements related to this program rule 
(32 CFR part 170 CMMC Program rule). The 48 CFR part 204 CMMC 
Acquisition rule also partially implements a section of the National 
Defense Authorization Act for Fiscal Year 2020 directing the Secretary 
of Defense to develop a consistent, comprehensive framework to enhance 
cybersecurity for the U.S. defense industrial base.\5\ The 48 CFR part 
204 CMMC Acquisition rule, when finalized, will allow DoD to require a 
specific CMMC level in a solicitation or contract. When CMMC 
requirements are applied to a solicitation, Contracting officers will 
not make award, exercise an option, or extend the period of performance 
on a contract, if the offeror or contractor does not have the passing 
results of a current certification assessment or self-assessment for 
the required CMMC level, and an affirmation of continuous compliance 
with the security requirements in the Supplier Performance Risk System 
(SPRS) \6\ for all information systems that process, store, or transmit 
FCI or CUI during contract performance. Furthermore, the appropriate 
CMMC certification requirements will flow down to subcontractors at all 
tiers when

[[Page 83093]]

the subcontractor processes, stores, or transmits FCI or CUI. It should 
be noted the Department may include CMMC requirements on contracts 
awarded prior to 48 CFR part 204 CMMC Acquisition rule becoming 
effective, but doing so will require bilateral contract modification 
after negotiations.
---------------------------------------------------------------------------

    \5\ www.federalregister.gov/documents/2024/08/15/2024-18110/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of.
    \6\ www.sprs.csd.disa.mil/ under OMB control number 0750-0004.
---------------------------------------------------------------------------

    To date, the DoD has relied on offeror representation that the 
security requirements of National Institute of Standards and Technology 
(NIST) Special Publication (SP) 800-171, ``Protecting Controlled 
Unclassified Information in Nonfederal Systems and Organizations,'' have 
been met, as described by 48 CFR 252.204-7008. In some instances, the 
DoD has verified contractor implementation of NIST SP 800-171 through 
assessment by the Defense Contract Management Agency (DCMA) Defense 
Industrial Base Cybersecurity Assessment Center (DIBCAC). As part of 
this responsibility, DCMA DIBCAC assesses DIB companies to confirm that 
they meet contractually required cybersecurity standards and have the 
ability to protect CUI for the government contracts they are awarded. 
DCMA DIBCAC conducts NIST SP 800-171 assessments in support of 48 CFR 
252.204-7012 (DFARS clause 252.204-7012), Safeguarding Covered Defense 
Information and Cyber Incident Reporting,\7\ and 48 CFR 252.204-7020 
(DFARS clause 252.204-7020), NIST SP 800-171 DoD Assessment 
Requirements.\8\ The DCMA DIBCAC prioritization process is designed to 
adjust as DoD's cyber priorities evolve based on ongoing threats. DCMA 
DIBCAC collects and analyzes data on DoD contractors to include:
---------------------------------------------------------------------------

    \7\ www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting.
    \8\ www.acquisition.gov/dfars/252.204-7020-nist-sp-800-171dod-assessment-requirements.
---------------------------------------------------------------------------

    • Mission-critical programs, technologies, and infrastructure, and 
the contractors (prime or lower tier) that support DoD capabilities.
    • Cyber threats, vulnerabilities, or incidents.
    • DoD leadership requests.
    To date, DCMA DIBCAC has assessed 357 entities, including DoD's 
major prime contractors. In accordance with NIST SP 800-171, titled 
``Protecting Controlled Unclassified Information in Nonfederal Systems 
and Organizations,'' Revision 2, February 2020 (includes updates as of 
January 28, 2021) (NIST SP 800-171 R2), contractors must describe in a 
System Security Plan (SSP) \9\ how each security requirement is met or 
how the organization plans to meet it, and how known and anticipated 
threats are addressed. Where a company cannot establish full 
compliance, it must develop plans of action that describe how 
unimplemented security requirements will be met and how any planned 
mitigations will be implemented. Although NIST SP 800-171 R2 specifies 
no explicit time limit for mitigation, contractors that fail to 
reasonably comply with applicable requirements may be subject to 
standard contractual remedies. The CMMC Program's assessment phase-in 
plan, described in Sec.  170.3, does not preclude entities from seeking 
a CMMC certification assessment immediately, before the 48 CFR part 204 
CMMC Acquisition rule is finalized and the clause is added to new or 
existing DoD contracts.
---------------------------------------------------------------------------

    \9\ Required since November 2016, NIST SP 800-171 R2 security 
requirement 3.12.4 states organizations must ``develop, document, 
and periodically update system security plans that describe system 
boundaries, system environments of operation, how security 
requirements are implemented, and the relationships with or 
connections to other systems.''
---------------------------------------------------------------------------

    The Department estimates 8,350 medium and large entities will be 
required to meet CMMC Level 2 C3PAO assessment requirements as a 
condition of contract award. CMMC Level 2 requirements will apply to 
all contractors that process, store, or transmit CUI, and will provide 
DoD with a means to assess that the CUI safeguarding requirements 
prescribed in 32 CFR part 2002 have been met. DoD estimates 135 CMMC 
Third-Party Assessment Organization (C3PAO)-led certification 
assessments will be completed in year 1, 673 in year 2, 2,252 in year 
3, and 4,452 in year 4.
    Any DoD component can request DCMA DIBCAC to initiate an assessment, 
and these requests take priority in the assessment scheduling process. 
Once a company is identified for assessment, DCMA DIBCAC determines the 
assessment date and notifies the company to begin the pre-assessment 
process. Planning and scheduling typically take place 3 to 6 months in 
advance of a DCMA DIBCAC assessment to allow DCMA DIBCAC and the DIB 
company time to prepare; however, DoD's identified priorities may 
expedite the execution of an assessment. As discussed in more detail in 
the regulatory text, assessment results are reported to DoD, including 
key stakeholders, via SPRS and made available to the DIB company. The 
DCMA DIBCAC website at www.dcma.mil/DIBCAC/ includes links to the 
pre-assessment documents; a publicly releasable version of the 
assessment database; FAQs; an informational video; a link to the 
Procurement Integrated Enterprise Environment (PIEE), the primary 
enterprise procure-to-pay application for the DoD; a link to SPRS, 
where assessment scores are posted; and links to other reference 
materials.
    As discussed in more detail later in the regulatory text, every 
requirement scored NOT MET must be recorded in a Plan of Action and 
Milestones (POA&M) describing how the CMMC requirement will be met. 
Organizations Seeking Assessment (OSAs) satisfy the CMMC requirements 
needed for contract award either by meeting all 110 security 
requirements of NIST SP 800-171 R2 or by receiving a Conditional CMMC 
Status, which requires achieving the minimum passing score of 80 
percent with only the NOT MET requirements permitted under Sec.  170.21 
on the POA&M. All requirements scored NOT MET and placed on the POA&M 
must be remedied within 180 days of receiving the Conditional CMMC 
Status. Proper implementation of these requirements must be verified by 
a second assessment, called a POA&M closeout assessment. If the POA&M 
closeout assessment finds that all requirements have been met, the OSA 
achieves a CMMC Status of Final Level 2 (Self) or Final Level 2 (C3PAO), 
as applicable. If the POA&M closeout assessment does not validate that 
all requirements have been met by the end of the 180 days, the CMMC 
Status of Conditional Level 2 (Self) or Conditional Level 2 (C3PAO) 
expires, and standard contractual remedies apply to any current 
contract.
    DoD has created a series of guidance documents to assist 
organizations in better understanding the CMMC Program and the 
assessment process and scope for each CMMC level. These guidance 
documents are available on the DoD CMMC website at https://dodcio.defense.gov/CMMC/Documentation/ and on the DoD Open Government 
website at https://open.defense.gov/Regulatory-Program/Guidance-Documents/. The CMMC Program has also been incorporated in the 
Department's 2024 Defense Industrial Base Cybersecurity Strategy.\10\ 
The strategy requires the Department to coordinate and collaborate 
across components to identify and close gaps

[[Page 83094]]

in protecting DoD networks, supply chains, and other critical 
resources. Other prongs of the Department's cybersecurity strategy are 
described in the Department's National Industrial Security Program 
Operating Manual (NISPOM), which addresses implementation of the 
Security Executive Agent Directive (SEAD) 3 \11\ procedures for the 
protection and reproduction of classified information; controlled 
unclassified information (CUI); National Interest Determination (NID) 
requirements for cleared contractors operating under a Special Security 
Agreement for Foreign Ownership, Control, or Influence; and eligibility 
determinations for personnel security clearance processes and 
requirements.\12\
---------------------------------------------------------------------------

    \10\ https://media.defense.gov/2024/Mar/28/2003424523/-1/-1/1/DOD_DOB_CS_STRATEGY_DSD_SIGNED_20240325.PDF.
    \11\ www.govinfo.gov/content/pkg/FR-2020-12-21/pdf/2020-27698.pdf.
    \12\ www.dcsa.mil/Industrial-Security/National-Industrial-Security-Program-Oversight/32-CFR-Part-117-NISPOM-Rule/.
---------------------------------------------------------------------------

Overview of Revised CMMC Program

Current Requirements for Defense Contractors and Subcontractors

    Currently, Federal contracts (including defense contracts) 
involving the transfer of FCI to a non-Government organization follow 
the requirements specified in 48 CFR 52.204-21 (Federal Acquisition 
Regulation (FAR) clause 52.204-21), Basic Safeguarding of Covered 
Contractor Information Systems.\13\ FAR clause 52.204-21 requires 
compliance with the 15 security requirements listed at FAR clause 
52.204-21(b)(1), items (i) through (xv). These requirements are the 
minimum necessary for any entity wishing to receive FCI from the US 
Government (USG).
---------------------------------------------------------------------------

    \13\ www.acquisition.gov/far/52.204-21.
---------------------------------------------------------------------------

    Defense contracts involving the development or transfer of CUI to a 
non-Government organization are subject to the applicable requirements 
of DFARS clause 252.204-7012.\14\ This clause requires defense 
contractors to provide adequate security on all covered contractor 
information systems by implementing the 110 security requirements 
specified in NIST SP 800-171. The clause also includes additional 
requirements; for example, defense contractors must confirm that any 
Cloud Service Providers (CSPs) used by the contractor to handle CUI 
meet the Federal Risk and Authorization Management Program (FedRAMP) 
Moderate Baseline or equivalent requirements. It also requires defense 
contractors to flow down all the requirements to their subcontractors 
that process, store, or transmit CUI. The CMMC Program currently does 
not include any requirements for contractors operating systems on 
behalf of the DoD.
---------------------------------------------------------------------------

    \14\ www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting.
---------------------------------------------------------------------------

    To comply with DFARS clause 252.204-7012, contractors are required 
to develop an SSP \15\ detailing the policies and procedures their 
organization has in place to comply with NIST SP 800-171. The SSP 
serves as a foundational document for the required NIST SP 800-171 
self-assessment. To comply with 48 CFR 252.204-7019 (DFARS provision 
252.204-7019) and DFARS clause 252.204-7020, self-assessment scores 
must be submitted.\16\ The highest score is 110, meaning all 110 NIST 
SP 800-171 security requirements have been fully implemented. If a 
contractor's Supplier Performance Risk System (SPRS) score is less than 
110, indicating that security gaps exist, the contractor must create a 
plan of action \17\ identifying the security tasks that still need to 
be accomplished. In essence, an SSP describes the cybersecurity plan 
the contractor has in place to protect CUI. The SSP needs to address 
each NIST SP 800-171 security requirement and explain how the 
requirement is implemented, whether through policy, technology, or a 
combination of both.
---------------------------------------------------------------------------

    \15\ Required since November 2016, NIST SP 800-171 R2 security 
requirement 3.12.4 states organizations must ``develop, document, 
and periodically update system security plans that describe system 
boundaries, system environments of operation, how security 
requirements are implemented, and the relationships with or 
connections to other systems.''
    \16\ www.sprs.csd.disa.mil/ under OMB control number 0750-0004.
    \17\ The plan of action requirement described under DFARS clause 
252.204-7020 is different from a Plan of Action and Milestones 
(POA&M) requirement in CMMC as plans of action do not require 
milestones.
---------------------------------------------------------------------------

    On September 29, 2020, the DoD published its 48 CFR CMMC interim 
final rule, the Defense Federal Acquisition Regulation Supplement: 
Assessing Contractor Implementation of Cybersecurity Requirements \18\ 
(DFARS Case 2019-D041, 85 FR 61505), which became effective November 
30, 2020. The goal of this rule was to increase compliance with DoD's 
cybersecurity regulations and improve security throughout the DIB. This 
rule introduced one new provision and two new clauses--DFARS provision 
252.204-7019, DFARS clause 252.204-7020, and 48 CFR 252.204-7021 (DFARS 
clause 252.204-7021).
---------------------------------------------------------------------------

    \18\ www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of.
---------------------------------------------------------------------------

    • DFARS provision 252.204-7019 complements DFARS clause 
252.204-7012 by requiring contractors to have a NIST SP 800-171 
assessment (basic, medium, or high) conducted in accordance with the 
NIST SP 800-171 DoD Assessment Methodology.\19\ Assessment scores must 
be reported to the Department via SPRS. SPRS scores must be submitted 
by the time of contract award and must not be more than three years 
old.
---------------------------------------------------------------------------

    \19\ www.acq.osd.mil/asda/dpc/cp/cyber/docs/safeguarding/NIST-SP-800-171-Assessment-Methodology-Version-1.2.1-6.24.2020.pdf.
---------------------------------------------------------------------------

    • DFARS clause 252.204-7020 notifies contractors that DoD 
reserves the right to conduct a higher-level assessment of contractors' 
cybersecurity compliance, and that contractors must give DoD assessors 
full access to their facilities, systems, and personnel. Further, DFARS 
clause 252.204-7020 complements DFARS clause 252.204-7012's flow-down 
requirements by holding contractors responsible for confirming that 
their subcontractors have SPRS scores on file prior to awarding them 
contracts.
    • DFARS clause 252.204-7021 paves the way for rollout of the 
CMMC Program. Once CMMC is implemented, the required CMMC level and 
assessment type will be specified in the solicitation and resulting 
contract. Contractors handling FCI or CUI will be required to meet the 
CMMC requirement specified in the contract. DFARS clause 252.204-7021 
also stipulates that contractors are responsible for flowing down the 
CMMC requirements to their subcontractors.

CFR Part 170 Additional Requirements for Defense Contractors and 
Subcontractors Discussed in This Final Rule

    When this 32 CFR part 170 CMMC Program rule and the complementary 
48 CFR part 204 CMMC Acquisition rule are finalized and following a 
phased implementation plan, solicitations and resulting defense 
contracts involving the processing, storing, or transmitting of FCI or 
CUI on a non-Federal system will, unless waived, have a CMMC level and 
assessment type requirement that a contractor must meet to be eligible 
for a contract award. The four phases of the implementation plan add 
CMMC level requirements incrementally, starting in Phase 1 with self-
assessments, and ending in Phase 4, which represents full 
implementation of program requirements. The DoD elected to base the 
phase-in plan on the level and type of assessment to provide time to 
train the necessary number of assessors, and to allow companies time to 
understand and implement CMMC requirements. Details of each phase are 
addressed in

[[Page 83095]]

Sec.  170.3(e). In Phases 2 and 3, DoD will implement CMMC Level 2 and 
Level 3 certification requirements, respectively. At full 
implementation (Phase 4), DoD will include CMMC requirements in all 
applicable DoD contracts and option periods on contracts awarded after 
the beginning of Phase 4.
    Table 1 defines the requirements for each CMMC level and assessment 
type.

                                 Table 1--CMMC Level and Assessment Requirements
----------------------------------------------------------------------------------------------------------------
Level 1 (Self)
    Source & number of security reqts.: 15 required by FAR clause 
        52.204-21.
    Assessment reqts.: Conducted by the Organization Seeking Assessment 
        (OSA) annually. Results entered into SPRS (or its successor 
        capability).
    Plan of action & milestones (POA&M) reqts.: Not permitted.
    Affirmation reqts.: After each assessment. Entered into SPRS.
Level 2 (Self)
    Source & number of security reqts.: 110 NIST SP 800-171 R2 required 
        by DFARS clause 252.204-7012.
    Assessment reqts.: Conducted by the OSA every 3 years. Results 
        entered into SPRS (or its successor capability). CMMC Status 
        will be valid for three years from the CMMC Status Date as 
        defined in Sec.  170.4.
    POA&M reqts.: Permitted as defined in Sec.  170.21(a)(2) and must 
        be closed out within 180 days. Final CMMC Status will be valid 
        for three years from the Conditional CMMC Status Date.
    Affirmation reqts.: After each assessment and annually thereafter. 
        Assessment will lapse upon failure to annually affirm. Entered 
        into SPRS (or its successor capability).
Level 2 (C3PAO)
    Source & number of security reqts.: 110 NIST SP 800-171 R2 required 
        by DFARS clause 252.204-7012.
    Assessment reqts.: Conducted by a C3PAO every 3 years. Results 
        entered into CMMC Enterprise Mission Assurance Support Service 
        (eMASS) (or its successor capability). CMMC Status will be 
        valid for three years from the CMMC Status Date as defined in 
        Sec.  170.4.
    POA&M reqts.: Permitted as defined in Sec.  170.21(a)(2) and must 
        be closed out within 180 days. Final CMMC Status will be valid 
        for three years from the Conditional CMMC Status Date.
    Affirmation reqts.: After each assessment and annually thereafter. 
        Assessment will lapse upon failure to annually affirm. Entered 
        into SPRS (or its successor capability).
Level 3 (DIBCAC)
    Source & number of security reqts.: 110 NIST SP 800-171 R2 required 
        by DFARS clause 252.204-7012, plus 24 selected from NIST SP 
        800-172 Feb2021, as detailed in table 1 to Sec.  170.14(c)(4).
    Assessment reqts.: Prerequisite CMMC Status of Level 2 (C3PAO) for 
        the same CMMC Assessment Scope, for each Level 3 certification 
        assessment. Conducted by the Defense Contract Management Agency 
        (DCMA) Defense Industrial Base Cybersecurity Assessment Center 
        (DIBCAC) every 3 years. Results entered into CMMC eMASS (or its 
        successor capability). CMMC Status will be valid for three 
        years from the CMMC Status Date as defined in Sec.  170.4.
    POA&M reqts.: Permitted as defined in Sec.  170.21(a)(3) and must 
        be closed out within 180 days. Final CMMC Status will be valid 
        for three years from the Conditional CMMC Status Date.
    Affirmation reqts.: After each assessment and annually thereafter. 
        Assessment will lapse upon failure to annually affirm. Level 2 
        (C3PAO) affirmation must also continue to be completed 
        annually. Entered into SPRS (or its successor capability).
----------------------------------------------------------------------------------------------------------------

Program Walkthrough--Contractor Perspective

    This section provides a simplified walkthrough of the CMMC Program 
from the perspective of an Organization Seeking Assessment (OSA) that 
must comply with program requirements.

CMMC Level Selection

    An OSA will select the CMMC level it desires to attain. Once the 
CMMC Program is implemented, a DoD solicitation will specify the 
minimum CMMC Status required to be eligible for award. One of four CMMC 
Statuses will be specified:
    • Level 1 (Self) is a self-assessment to secure FCI 
processed, stored, or transmitted in the course of fulfilling the 
contract. The OSA must comply with the 15 security requirements set by 
FAR clause 52.204-21. All 15 requirements must be met in full--no 
exceptions are allowed.
    • Level 2 (Self) is a self-assessment to secure CUI 
processed, stored, or transmitted in the course of fulfilling the 
contract. The OSA must comply with the 110 Level 2 security 
requirements derived from NIST SP 800-171 R2.
    • Level 2 (C3PAO) differs from Level 2 (Self) only in the 
method of verifying compliance. The OSA must hire a C3PAO to conduct an 
assessment of its compliance with the 110 security requirements of 
NIST SP 800-171 R2. OSAs can find C3PAOs on the CMMC Accreditation Body 
(AB) Marketplace.
    • Level 3 (DIBCAC) is a government assessment of 24 
additional requirements derived from NIST SP 800-172, titled ``Enhanced 
Security Requirements for Protecting Controlled Unclassified 
Information: A Supplement to NIST Special Publication 800-171,'' 
February 2021 (NIST SP 800-172 Feb2021). The OSA must have already 
achieved a CMMC Status of Final Level 2 (C3PAO) before seeking a CMMC 
Status of Final Level 3 (DIBCAC). Once this is done, the OSA initiates 
a Level 3 certification assessment by emailing a request to the Defense 
Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity 
Assessment Center (DIBCAC) point of contact listed at 
www.dcma.mil/DIBCAC, including the Level 2 (C3PAO) certification unique 
identifier in the email.

Scoping

    In order to achieve a specified CMMC Status, OSAs must first 
identify which information systems, including systems or services 
provided by External Service Providers (ESPs), will process, store, or 
transmit FCI, for Level 1 (Self), and CUI for all other CMMC Statuses. 
These information systems constitute the scope of the assessment.
    Within these information systems, for Level 2 and Level 3 the 
assets should be further broken down into asset categories: Contractor 
Risk Managed Assets (Level 2), Security Protection Assets (Level 2 and 
3), and Specialized Assets (Level 2 and 3). For Level 1 all assets, 
with the exclusion of Specialized Assets, are simply identified as 
either in-scope or out-of-scope based on whether they process, store, 
or transmit FCI. Definitions and treatment of these categories as they 
relate to assessment scoping, treatment of ESPs, and treatment of 
assets which cannot be secured due to their inherent design, can be 
found at Sec.  170.19.

Assessment and Affirmation

    a. OSAs that meet all 15 Level 1 requirements have achieved CMMC 
Status of Final Level 1 (Self). The OSA

[[Page 83096]]

must submit an affirmation of compliance with FAR clause 52.204-21 
requirements in SPRS. At this point, OSAs have satisfied the CMMC 
requirements needed for award of contracts requiring a CMMC Status of 
Final Level 1 (Self). To maintain a CMMC Status of Final Level 1 
(Self), this entire process must be repeated in full on an annual 
basis, including both self-assessment and affirmation.
    b. For Level 2 assessments, if all 110 requirements are satisfied, 
the assessment score will be 110 and the OSA will have achieved a CMMC 
Status of Final Level 2 (Self) or Final Level 2 (C3PAO) as applicable 
and is eligible for contract award as long as all other contractual 
requirements are met.
    Not all requirements must be MET immediately for the OSA to be 
eligible for contract award. If the minimum score is achieved on the 
assessment (equal to 80% of the maximum score) and certain critical 
requirements are met, the OSA achieves a CMMC Status of Conditional 
Level 2 (Self) or Conditional Level 2 (C3PAO), as applicable. All NOT 
MET requirements must be noted in an assessment Plan of Action and 
Milestones (POA&M). At this point the OSA has satisfied the CMMC 
requirements needed for contract award. The OSA must then meet all 110 
security requirements of NIST SP 800-171 R2 within 180 days of 
receiving its Conditional CMMC Status, which must be verified by a 
second assessment, called a POA&M closeout assessment. If the POA&M 
closeout assessment finds that all requirements have been met, the OSA 
achieves a CMMC Status of Final Level 2 (Self) or Final Level 2 
(C3PAO), as applicable. If the POA&M closeout assessment does not find 
that all requirements have been met by the end of the 180 days, the 
CMMC Status of Conditional Level 2 (Self) or Conditional Level 2 
(C3PAO) expires, and standard contractual remedies apply.
    The OSA should submit an affirmation into SPRS after achieving a 
CMMC Status of Conditional Level 2 (Self) or CMMC Status of Conditional 
Level 2 (C3PAO) as applicable. OSAs should submit an affirmation once a 
CMMC Status of Final Level 2 (Self) or Final Level 2 (C3PAO) as 
applicable is achieved. Being eligible for contracts subject to CMMC 
Level 2 (Self) also indicates eligibility for contracts subject to 
Level 1 (Self), and being eligible for contracts subject to CMMC Level 
2 (C3PAO) also indicates eligibility for contracts subject to Level 1 
(Self) and Level 2 (Self), assuming all other contractual requirements 
are met. OSAs must reaffirm in SPRS their compliance with CMMC Level 2 
requirements annually but need only conduct a new assessment every 
three years. These deadlines are based on the CMMC Status Date of the 
Conditional Status if a POA&M was required or the Final Status if the 
assessment resulted in a score of 110. CMMC Status date is not based on 
the date of a POA&M closeout assessment.
    c. For Level 3 assessments, OSAs should note that asset categories 
are assessed against security requirements differently than they are at 
Level 2. In particular, Contractor Risk Managed Assets identified in a 
Level 2 scope are treated as CUI Assets if they reside within a Level 3 
scope. Definitions and treatment of these assets at Level 3 as they 
relate to scoping of the assessment, in addition to treatment of ESPs, 
are described in Sec.  170.19(d).
    During the course of assessment, DCMA DIBCAC will focus on 
assessing compliance with all 24 selected requirements derived from 
NIST SP 800-172 Feb2021, but limited checks may be performed on the 110 
requirements from NIST SP 800-171 R2. If DCMA DIBCAC identifies that 
all 24 requirements from NIST SP 800-172 Feb2021 are satisfied, the OSA 
will have achieved a CMMC Status of Final Level 3 (DIBCAC) and is 
eligible for contract award as long as all other contractual 
requirements are met. Not all requirements must immediately be MET to 
be eligible for contract award. If the minimum score is achieved on the 
assessment (equal to 80% of the maximum score of 24) and certain 
critical requirements are met, OSAs will achieve a CMMC Status of 
Conditional Level 3 (DIBCAC), and all NOT MET requirements must be 
noted in a POA&M. At this point the OSA will have satisfied the CMMC 
requirements needed for contract award.
    OSAs must have met all 24 selected security requirements of NIST SP 
800-172 Feb2021 within 180 days of receiving their Conditional CMMC 
Status, which must be verified with a POA&M closeout assessment by DCMA 
DIBCAC. If the POA&M closeout assessment finds that all requirements 
have been met, then the OSA will achieve a CMMC Status of Final Level 3 
(DIBCAC). However, if a POA&M closeout assessment does not find that 
all requirements have been met by the end of 180 days, then the CMMC 
Status of Conditional Level 3 (DIBCAC) will expire. At this point, 
standard contractual remedies will apply.
    The OSA should submit an affirmation into SPRS after achieving a 
CMMC Status of Conditional Level 3 (DIBCAC) if applicable and once a 
CMMC Status of Final Level 3 (DIBCAC) is achieved. Being eligible for 
contracts subject to CMMC Level 3 (DIBCAC) also indicates eligibility 
for contracts subject to Level 1 (Self), Level 2 (Self), and Level 2 
(C3PAO), assuming all other contractual requirements are met. To 
maintain CMMC Level 3 (DIBCAC) status, an OSA must undergo both a Level 
2 certification assessment and a Level 3 certification assessment every 
three years and separately affirm compliance with Level 2 and Level 3 
requirements in SPRS annually. These deadlines are based on the CMMC 
Status Date of the Conditional certification if applicable or the CMMC 
Status Date of the Final determination. CMMC Status Date is not based 
on the date of a POA&M closeout assessment.

Flow-Down

    If the OSA employs subcontractors to fulfill the contract, those 
subcontractors must also have a minimum CMMC Status as shown in table 
2.

                 Table 2--Minimum Flow-Down Requirements
------------------------------------------------------------------------
                               Minimum subcontractor requirement if the
                               subcontractor will process, store, or
Prime contractor requirement   transmit:
                             -------------------------------------------
                                       FCI                   CUI
------------------------------------------------------------------------
Level 1 (Self)..............  Level 1 (Self)......  N/A.
Level 2 (Self)..............  Level 1 (Self)......  Level 2 (Self).
Level 2 (C3PAO).............  Level 1 (Self)......  Level 2 (C3PAO).
Level 3 (DIBCAC)............  Level 1 (Self)......  Level 2 (C3PAO).
------------------------------------------------------------------------

Summary of Provisions Contained in This Rule

Section 170.1 Purpose

    Section 170.1 addresses the purpose of this rule. It describes the 
CMMC Program and establishes policy for requiring the protection of FCI 
and CUI that is processed, stored, or transmitted on defense contractor 
and subcontractor information systems. The security standards utilized 
in the CMMC Program are from the FAR clause 52.204-21; DFARS clause 
252.204-7012 that implements NIST SP 800-171 R2; and selected 
requirements from the NIST SP 800-172 Feb2021, as applicable. The 
purpose of the CMMC Program is for contractors and subcontractors to 
demonstrate that FCI and CUI being processed, stored, or transmitted is 
adequately safeguarded through the methodology provided in the rule.

Section 170.2 Incorporation by Reference

    Section 170.2 addresses the standards and guidelines that are 
incorporated by reference. The Director of the Federal Register under 5 
U.S.C. 552(a) and 1 CFR part 51 approves any materials that are 
incorporated by reference. Materials that are incorporated by reference 
in this rule are reasonably available. Information on how to access the 
documents is detailed in Sec.  170.2. Materials that are incorporated 
by reference in this rule are from the NIST (see Sec.  170.2(a)), the 
Committee on National Security Systems (see Sec.  170.2(b)), and the 
International Organization for Standardization/International 
Electrotechnical Commission (ISO/IEC) (see Sec.  170.2(c)) which may 
require payment of a fee.

    Note: While the ISO/IEC standards are issued jointly, they are 
available from the ISO Secretariat (see Sec.  170.2(c)).

    The American National Standards Institute (ANSI) IBR Portal 
provides access to standards that have been incorporated by reference 
in the U.S. Code of Federal Regulations at https://ibr.ansi.org. These 
standards incorporated by the U.S. government in rulemakings are 
offered at no cost in ``read only'' format and are presented for online 
reading. There are no print or download options. All users will be 
required to install the FileOpen plug-in and accept an online end user 
license agreement prior to accessing any standards.
    The materials that are incorporated by reference are summarized 
below.
    (a) Federal Information Processing Standard (FIPS) Publication 
(PUB) 200 (FIPS PUB 200), titled ``Minimum Security Requirements for 
Federal Information and Information Systems,'' is the second of two 
security standards mandated by the Federal Information Security 
Management Act (FISMA). It specifies minimum security requirements for 
information and information systems supporting the executive agencies 
of the Federal government and a risk-based process for selecting the 
security controls necessary to satisfy the minimum-security 
requirements. This standard promotes the development, implementation, 
and operation of more secure information systems within the Federal 
Government by establishing minimum levels of due diligence for 
information security and facilitating a more consistent, comparable, 
and repeatable approach for selecting and specifying security controls 
for information systems that meet minimum security requirements. This 
document is incorporated by reference as a source for definitions.
    (b) FIPS PUB 201-3, titled ``Personal Identity Verification (PIV) 
of Federal Employees and Contractors,'' establishes a standard for a 
PIV system that meets the control and security objectives of Homeland 
Security Presidential Directive-12. It is based on secure and reliable 
forms of identity credentials issued by the Federal Government to its 
employees and contractors. These credentials are used by mechanisms 
that authenticate individuals who require access to federally 
controlled facilities, information systems, and applications. This 
Standard addresses requirements for initial identity proofing, 
infrastructure to support interoperability of identity credentials, and 
accreditation of organizations and processes issuing PIV credentials. 
This document is incorporated by reference as a source for definitions.
    (c) NIST SP 800-37, titled ``Risk Management Framework for 
Information Systems and Organizations: A System Life Cycle Approach for 
Security and Privacy,'' Revision 2 (NIST SP 800-37 R2), describes the 
Risk Management Framework (RMF) and provides guidelines for applying 
the RMF to information systems and organizations. The RMF provides a 
disciplined, structured, and flexible process for managing security and 
privacy risk that includes information security categorization; control 
selection, implementation, and assessment; system and common control 
authorizations; and continuous monitoring. The RMF includes activities 
to prepare organizations to execute the framework at appropriate risk 
management levels. The RMF also promotes near real-time risk management 
and ongoing information system and common control authorization through 
the implementation of continuous monitoring processes; provides senior 
leaders and executives with the necessary information to make 
efficient, cost-effective, risk management decisions about the systems 
supporting their missions and business functions; and incorporates 
security and privacy into the system development life cycle. Executing 
the RMF tasks links essential risk management processes at the system 
level to risk management processes at the organization level. In 
addition, it establishes responsibility and accountability for the 
controls implemented within an organization's information systems and 
inherited by those systems. This document is incorporated by reference 
as a source for definitions.
    (d) NIST SP 800-39, titled ``Managing Information Security Risk: 
Organization, Mission, and Information System View,'' March 2011 (NIST 
SP 800-39 Mar2011), provides guidance for an integrated, organization-
wide program for managing information security risk to organizational 
operations (i.e., mission, functions, image, and reputation), 
organizational assets, individuals, other organizations, and the Nation 
resulting from the operation and use of Federal information systems. 
NIST SP 800-39 Mar2011 provides a structured, yet flexible approach for 
managing risk that is intentionally broad-based, with the specific 
details of assessing, responding to, and monitoring risk on an ongoing 
basis provided by other supporting NIST security standards and 
guidelines. The guidance provided in this publication is not intended 
to replace or subsume other risk-related activities, programs, 
processes, or approaches that organizations have implemented or intend 
to implement addressing areas of risk management covered by other 
legislation, directives, policies, programmatic initiatives, or 
mission/business requirements. Rather, the risk management guidance 
described herein is complementary to and should be used as part of a 
more comprehensive Enterprise Risk Management (ERM) program. This 
document is incorporated by reference as a source for definitions.
    (e) NIST SP 800-53, titled ``Security and Privacy Controls for 
Information Systems and Organizations,'' Revision 5 (NIST SP 800-53 
R5), provides a catalog of security and privacy controls for 
information systems and organizations to protect organizational 
operations and assets, individuals, other organizations,
and the Nation from a diverse set of threats and risks, including 
hostile attacks, human errors, natural disasters, structural failures, 
foreign intelligence entities, and privacy risks. The controls are 
flexible and customizable and implemented as part of an organization-
wide process to manage risk. The controls address diverse requirements 
derived from mission and business needs, laws, executive orders, 
directives, regulations, policies, standards, and guidelines. Finally, 
the consolidated control catalog addresses security and privacy from a 
functionality perspective (i.e., the strength of functions and 
mechanisms provided by the controls) and from an assurance perspective 
(i.e., the measure of confidence in the security or privacy capability 
provided by the controls). Addressing functionality and assurance helps 
to ensure that information technology products and the systems that 
rely on those products are sufficiently trustworthy. This document is 
incorporated by reference as a source for definitions.
    (f) NIST SP 800-82r3, titled ``Guide to Operational Technology (OT) 
Security,'' September 2023 (NIST SP 800-82r3), provides guidance on how 
to secure ICS, including Supervisory Control and Data Acquisition 
(SCADA) systems, Distributed Control Systems (DCS), and other control 
system configurations such as Programmable Logic Controllers (PLC), 
while addressing their unique performance, reliability, and safety 
requirements. The document provides an overview of ICS and typical 
system topologies, identifies typical threats and vulnerabilities to 
these systems, and provides recommended security countermeasures to 
mitigate the associated risks. This document is incorporated by 
reference as a source for definitions.
    (g) NIST SP 800-115, titled ``Technical Guide to Information 
Security Testing and Assessment,'' September 2008 (NIST SP 800-115 
Sept2008), assists organizations in planning and conducting technical 
information security tests and examinations, analyzing findings, and 
developing mitigation strategies. The guide provides practical 
recommendations for designing, implementing, and maintaining technical 
information security test and examination processes and procedures. 
These can be used for several purposes, such as finding vulnerabilities 
in a system or network and verifying compliance with a policy or other 
requirements. The guide is not intended to present a comprehensive 
information security testing and examination program but rather an 
overview of key elements of technical security testing and examination, 
with an emphasis on specific technical techniques, the benefits and 
limitations of each, and recommendations for their use. This document 
is incorporated by reference as a source for definitions.
    (h) NIST SP 800-160, Volume 2, titled ``Developing Cyber-Resilient 
Systems: A Systems Security Engineering Approach,'' Revision 1, 
December 2021 (NIST SP 800-160 V2R1), focuses on cyber resiliency 
engineering--an emerging specialty systems engineering discipline 
applied in conjunction with systems security engineering and resilience 
engineering to develop survivable, trustworthy secure systems. Cyber 
resiliency engineering intends to architect, design, develop, 
implement, maintain, and sustain the trustworthiness of systems with 
the capability to anticipate, withstand, recover from, and adapt to 
adverse conditions, stresses, attacks, or compromises that use or are 
enabled by cyber resources. From a risk management perspective, cyber 
resiliency is intended to help reduce the mission, business, 
organizational, enterprise, or sector risk of depending on cyber 
resources. This document is incorporated by reference as a source for 
definitions.
    (i) NIST SP 800-171, titled ``Protecting Controlled Unclassified 
Information in Nonfederal Systems and Organizations,'' Revision 2, 
February 2020 (includes updates as of January 28, 2021) (NIST SP 800-
171 R2), provides agencies with recommended security requirements for 
protecting the confidentiality of CUI when the information is resident 
in nonfederal systems and organizations; when the nonfederal 
organization is not collecting or maintaining information on behalf of 
a Federal agency or using or operating a system on behalf of an agency; 
and where there are no specific safeguarding requirements for 
protecting the confidentiality of CUI prescribed by the authorizing 
law, regulation, or governmentwide policy for the CUI category listed 
in the CUI Registry. The requirements apply to all components of 
nonfederal systems and organizations that process, store, and/or 
transmit CUI, or that provide protection for such components. The 
security requirements are intended for use by Federal agencies in 
contractual vehicles or other agreements established between those 
agencies and nonfederal organizations. This document is incorporated by 
reference as a foundational source for definitions and security 
requirements.
    (j) NIST SP 800-171A, titled ``Assessing Security Requirements for 
Controlled Unclassified Information,'' June 2018 (NIST SP 800-171A 
Jun2018), provides Federal and non-Federal organizations with 
assessment procedures and a methodology that can be employed to conduct 
assessments of the CUI security requirements in NIST SP 800-171 R2. The 
assessment procedures are flexible and can be customized to the needs 
of the organizations and the assessors conducting the assessments. 
Security assessments can be conducted as self-assessments; independent, 
third-party assessments; or government-sponsored assessments and can be 
applied with various degrees of rigor, based on customer-defined depth 
and coverage attributes. The findings and evidence produced during the 
security assessments can facilitate risk-based decisions by 
organizations related to the CUI requirements. This document is 
incorporated by reference as a foundational source for definitions and 
assessment.
    (k) NIST SP 800-172, titled ``Enhanced Security Requirements for 
Protecting Controlled Unclassified Information: A Supplement to NIST 
Special Publication 800-171,'' February 2021 (NIST SP 800-172 Feb2021), 
provides Federal agencies with recommended enhanced security 
requirements for protecting the confidentiality of CUI: (1) when the 
information is resident in nonfederal systems and organizations; (2) 
when the nonfederal organization is not collecting or maintaining 
information on behalf of a Federal agency or using or operating a 
system on behalf of an agency; and (3) where there are no specific 
safeguarding requirements for protecting the confidentiality of CUI 
prescribed by the authorizing law, regulation, or government-wide 
policy for the CUI category listed in the CUI Registry. The enhanced 
requirements apply only to components of nonfederal systems that 
process, store, or transmit CUI or that provide security protection for 
such components when the designated CUI is associated with a critical 
program or high value asset. The enhanced requirements supplement the 
basic and derived security requirements in NIST SP 800-171 R2 and are 
intended for use by Federal agencies in contractual vehicles or other 
agreements established between those agencies and nonfederal 
organizations. This document is incorporated by reference as a 
foundational source for security requirements.
    (l) NIST SP 800-172A, titled ``Assessing Enhanced Security
Requirements for Controlled Unclassified Information,'' March 2022 
(NIST SP 800-172A Mar2022), provides Federal agencies and nonfederal 
organizations with assessment procedures that can be used to carry out 
assessments of the requirements in NIST SP 800-172 Feb2021. The 
assessment procedures are flexible and can be tailored to the needs of 
organizations and assessors. Assessments can be conducted as (1) self-
assessments; (2) independent, third-party assessments; or (3) 
government-sponsored assessments. The assessments can be conducted with 
varying degrees of rigor based on customer-defined depth and coverage 
attributes. The findings and evidence produced during the assessments 
can be used to facilitate risk-based decisions by organizations related 
to the CUI enhanced security requirements. This document is 
incorporated by reference as a foundational source for definitions and 
assessment.
    (m) ISO/IEC 17011:2017(E), titled ``Conformity assessment--
Requirements for accreditation bodies accrediting conformity assessment 
bodies,'' Second edition, November 2017 (ISO/IEC 17011:2017(E)), 
specifies requirements for the competence, consistent operation and 
impartiality of accreditation bodies assessing and accrediting 
conformity assessment bodies. This document is incorporated by 
reference as a source for requirements on the CMMC Ecosystem.
    (n) ISO/IEC 17020:2012(E), titled ``Conformity assessment--
Requirements for the operation of various types of bodies performing 
inspection,'' Second edition, March 1, 2012 (ISO/IEC 17020:2012(E)), 
specifies requirements for the competence of bodies performing 
inspection and for the impartiality and consistency of their inspection 
activities. It applies to inspection bodies of type A, B or C, as 
defined in ISO/IEC 17020:2012(E), and it applies to any stage of 
inspection. This document is incorporated by reference as a source 
for requirements on the CMMC Ecosystem.
    (o) ISO/IEC 17024:2012(E), titled ``Conformity assessment--General 
requirements for bodies operating certification of persons,'' Second 
edition, July 1, 2012 (ISO/IEC 17024:2012(E)), contains principles and 
requirements for a body certifying persons against specific 
requirements and includes the development and maintenance of a 
certification scheme for persons. This document is incorporated by 
reference as a source for requirements on the CMMC Ecosystem.

Section 170.3 Applicability

    Section 170.3 identifies entities to which the rule applies and how 
the Department intends to implement the rule. The rule applies to 
defense contractors and subcontractors that will process, store, or 
transmit FCI or CUI in performance of a DoD contract, and private-
sector businesses or other entities that are specified in Subpart C. 
This rule does not apply to Federal information systems operated by 
contractors and subcontractors in support of the Government. CMMC 
Program requirements apply to DoD solicitations and contracts requiring 
defense contractors and subcontractors to process, store, or transmit 
FCI or CUI. Exceptions to the applicability of this rule are addressed 
in Sec.  170.3(c)(1) and (2). Department Program Managers or requiring 
activities will determine which CMMC Level and assessment type will 
apply to a contract or procurement. Applicability of the required CMMC 
Level and assessment type to subcontractors is addressed in Sec.  
170.23.
    Section 170.3 addresses the four-phased implementation plan of the 
CMMC Program requirements in solicitations and contracts. Phase 1 
begins on the effective date of this CMMC 32 CFR part 170 CMMC Program 
rule or the complementary 48 CFR part 204 CMMC Acquisition rule, 
whichever occurs later. More information regarding Phase 1 can be found 
in Sec.  170.3(e)(1). Phase 2 begins one calendar year after the start 
date of Phase 1. More information regarding Phase 2 can be found in 
Sec.  170.3(e)(2). Phase 3 begins one calendar year after the start 
date of Phase 2. More information regarding Phase 3 can be found in 
Sec.  170.3(e)(3). Phase 4, or full implementation, begins one calendar 
year after the start date of Phase 3. More information regarding Phase 
4 can be found in Sec.  170.3(e)(4).

Section 170.4 Acronyms and Definitions

    Section 170.4 includes acronyms and definitions used in the rule 
text and can be used as a reference while reading the text and tables. 
CMMC introduces new terms and associated definitions, and customizes 
definitions for existing terms, as applied to the CMMC Program. CMMC-
custom terms and definitions are clearly marked to distinguish from 
terms sourced externally. CMMC also utilizes terms created by other 
authoritative sources, including NIST. Terms from other authoritative 
sources are also listed in Sec.  170.4 and are properly sourced.
    The Department developed the following CMMC-custom terms to enhance 
understanding of the requirements and elements of the CMMC Program:

 Accreditation
 Accreditation Body
 Affirming Official
 Assessment
     Level 1 self-assessment
     Level 2 self-assessment
     Level 2 certification assessment
     Level 3 certification assessment
     POA&M closeout self-assessment
     POA&M closeout certification assessment
 Assessment Findings Report
 Assessment Team
 Asset Categories
 Authorized
 Cloud Service Provider
 CMMC Assessment and Certification Ecosystem
 CMMC Assessment Scope
 CMMC Assessor and Instructor Certification Organization 
(CAICO)
 CMMC instantiation of eMASS
 CMMC Status
     Final Level 1 (Self)
     Conditional Level 2 (Self)
     Final Level 2 (Self)
     Conditional Level 2 (C3PAO)
     Final Level 2 (C3PAO)
     Conditional Level 3 (DIBCAC)
     Final Level 3 (DIBCAC)
 CMMC Status Date
 CMMC Third-Party Assessment Organization (C3PAO)
 Contractor Risk Managed Assets
 Controlled Unclassified Information (CUI) Assets
 Enduring Exception
 External Service Provider (ESP)
 Operational plan of action
 Organization-defined
 Organization Seeking Assessment (OSA)
 Organization Seeking Certification (OSC)
 Out-of-Scope Assets
 Periodically
 Process, store, or transmit
 Restricted Information Systems
 Security Protection Assets
 Security Protection Data
 Specialized Assets
 Temporary Deficiency
 Test Equipment.

Section 170.5 Policy

    Section 170.5 addresses the policy underlying the rule. The 
protection of FCI and CUI on defense contractor information systems is 
crucial to the continuity of the missions and functions of the DoD. To 
that end, this rule requires that contractors and subcontractors 
implement the specified security requirements for the applicable
CMMC Level. For CMMC Level 3, the selected security requirements are 
defined in NIST SP 800-172 Feb2021 with the applicable DoD 
Organization-Defined Parameters (ODPs) defined in table 1 to Sec.  
170.14(c)(4).
    Program Managers and requiring activities identify the applicable 
CMMC Level and assessment type. The factors used to determine which 
CMMC Level and assessment type will be applied include, but are not 
limited to, those listed in Sec.  170.5(b)(1) through (5). CMMC Program 
requirements will flow down to subcontractors, as applicable (see Sec.  
170.23). A DoD Service Acquisition Executive or a Component Acquisition 
Executive may elect to waive inclusion of CMMC Program requirements in 
a solicitation or contract.
    Section 170.5 addresses that the CMMC Program does not alter the 
requirements imposed on contractors and subcontractors in FAR clause 
52.204-21, DFARS clause 252.204-7012, or any other applicable 
safeguarding of information requirement. The CMMC Program verifies 
implementation of security requirements in FAR clause 52.204-21, NIST 
SP 800-171 R2, and selected security requirements in NIST SP 800-172 
Feb2021, as applicable.

Section 170.6 CMMC PMO

    Section 170.6 addresses the CMMC Program Management Office (PMO) 
functions that are performed within the Department of Defense Chief 
Information Officer (DoD CIO).

Section 170.7 DCMA DIBCAC

    Section 170.7 addresses how DCMA DIBCAC will support the CMMC 
Program by conducting CMMC Level 2 certification assessments of the 
Accreditation Body and C3PAOs; conducting CMMC Level 3 certification 
assessments for OSCs; and recording results, issuing certificates, 
tracking appeals, and retaining records as required.

Section 170.8 Accreditation Body

    Section 170.8 addresses the roles and responsibilities of the 
Accreditation Body, as well as requirements that the Accreditation Body 
must meet. The Accreditation Body must be US-based; must be and remain 
a member in good standing of the Inter-American Accreditation 
Cooperation (IAAC); must become an International Laboratory 
Accreditation Cooperation (ILAC) Mutual Recognition Arrangement (MRA) 
signatory with a signatory status scope of ISO/IEC 17020:2012(E); and 
must be compliant with ISO/IEC 17011:2017(E) \20\. There is only one 
Accreditation Body for 
the DoD CMMC Program at any given time, and its primary mission is to 
authorize and accredit the C3PAOs. The Accreditation Body authorizes 
and accredits C3PAOs in accordance with the requirements in section 
170.8(b).
---------------------------------------------------------------------------

    \20\ www.iso.org/standard/67198.html.
---------------------------------------------------------------------------

    The Accreditation Body also oversees the CAICO to ensure compliance 
with ISO/IEC 17024:2012(E) \21\ and to ensure all training products, 
instruction, and testing materials are of high quality.
---------------------------------------------------------------------------

    \21\ www.iso.org/standard/52993.html.
---------------------------------------------------------------------------

    Section 170.8 addresses specific requirements for the Accreditation 
Body with regards to national security background checks, foreign 
ownership, reporting, information protection, and appeals. The 
Accreditation Body will also develop policies for Conflict of Interest 
(CoI), Code of Professional Conduct (CoPC), and Ethics that comply with 
all ISO/IEC 17011:2017(E) and DoD requirements. These policies will 
apply to the Accreditation Body as well as to all other individuals, 
entities, and groups within the CMMC Ecosystem. The information systems 
used by the Accreditation Body to process CMMC information have to meet 
all of the security requirements for CMMC Level 2 and will be assessed 
by DCMA's Defense Industrial Base Cybersecurity Assessment Center 
(DIBCAC).

Section 170.9 CMMC Third-Party Assessment Organizations (C3PAOs)

    Section 170.9 addresses the roles, responsibilities, and 
requirements for C3PAOs, which are the organizations that perform CMMC 
Level 2 certification assessments for OSCs. The C3PAOs will submit 
assessment data into the CMMC instantiation of eMASS,\22\ a CMMC 
instance of the government-owned and -operated Enterprise Mission 
Assurance Support Service. C3PAOs issue Certificates of CMMC Status, in 
accordance with the requirements in Sec.  170.17 of this part.
---------------------------------------------------------------------------

    \22\ This system is accessible only to authorized users.
---------------------------------------------------------------------------

    Section 170.9 addresses detailed requirements for C3PAOs with 
regards to national security background checks, foreign ownership, 
reporting, records management, information protection, quality 
assurance, and appeals. The information systems used by C3PAOs to 
process Level 2 certification assessment information have to meet all 
of the security requirements for CMMC Level 2 and will be assessed by 
DCMA DIBCAC. C3PAOs need to comply with ISO/IEC 17020:2012(E), as well 
as with the Accreditation Body's policies for CoI, CoPC, and Ethics.
    Prior to a C3PAO being compliant with ISO/IEC 17020:2012(E), the 
C3PAO may be authorized but not accredited. After a C3PAO is compliant 
with ISO/IEC 17020:2012(E), the C3PAO may be accredited.

Section 170.10 CMMC Assessor and Instructor Certification Organization 
(CAICO)

    Section 170.10 addresses the roles, responsibilities, and 
requirements for the CAICO, the organization that trains, tests, and 
designates Provisional Instructors (PIs), and that certifies CMMC 
Certified Professionals (CCPs), CMMC Certified Assessors (CCAs), and 
CMMC Certified Instructors (CCIs). There is only one CAICO for the DoD 
CMMC Program at any given time. The CAICO must comply with ISO/IEC 
17024:2012(E), as well as with the Accreditation Body's policies for 
CoI, CoPC, and Ethics. Section 170.10 addresses detailed requirements 
for the CAICO with regards to certification examinations, quality 
assurance, appeals, records management, reporting, separation of 
duties, and information protection.

Section 170.11 CMMC Certified Assessor (CCA)

    Section 170.11 addresses the roles and responsibilities of a CMMC 
Certified Assessor (CCA), who conducts Level 2 certification 
assessments. In order to be a CCA, a candidate must first be a CCP, 
must adhere to the requirements set forth in Sec.  170.10 and Sec.  
170.8(b)(17), and must complete a Tier 3 background investigation or 
equivalent. The required cybersecurity experience for different CCA 
roles is addressed in Sec.  170.11(b)(6) and (10). Section 170.11 
addresses CCA requirements with respect to security breaches; 
completion of a Tier 3 background investigation or equivalent; 
reporting; sharing assessment information; and permitted use of C3PAO 
equipment, devices, and services.

Section 170.12 CMMC Instructor

    Section 170.12 addresses the roles and responsibilities of a CMMC 
Provisional Instructor (PI) and CMMC Certified Instructor (CCI) to 
teach CMMC assessor candidates. Candidate PIs and CCIs are trained and 
tested per the requirements set forth in Sec.  170.12(c). Section 
170.12(c) also provides candidate PIs and CCIs with the requirements to 
obtain and maintain designation or certification (as applicable), 
compliance with Accreditation Body policies, work activity exclusions, 
confidentiality
expectations, non-disclosure clause, non-public training related 
information, forbidden consulting services, and reporting requirements.

Section 170.13 CMMC Certified Professional (CCP)

    Section 170.13 addresses the roles and responsibilities of a CMMC 
Certified Professional (CCP) required to provide advice, consulting, 
and recommendations to clients. The CAICO trains and tests candidate 
CCPs per the requirements set forth in Sec.  170.13(b), with CCP 
certification issued upon successful completion. A CCP can participate 
on CMMC Level 2 certification assessments with CCA oversight; however, 
CCAs are responsible for making final assessment determinations for a 
CMMC Status of Conditional or Final Level 2 (C3PAO). A list of CCP 
requirements is provided for obtaining and maintaining certification, 
compliance with Accreditation Body policies, completion of a Tier 3 
background investigation or equivalent, sharing assessment-specific 
information, and reporting requirements.

Section 170.14 CMMC Model

    Section 170.14 addresses the structure, security requirement 
contents, organization, sourcing, and numbering of the security 
requirements that comprise the CMMC Model. It also provides an overview 
of the assessment process. The CMMC Model consists of three (3) levels, 
each containing security requirements taken directly from existing 
regulations and guidelines. Firstly, Sec.  170.14(2) defines CMMC Level 
1 as the 15 security requirements listed in the FAR clause 52.204-
21(b)(1). Secondly, Sec.  170.14(3) defines CMMC Level 2 as the 110 
security requirements from the NIST SP 800-171 R2. Lastly, Sec.  
170.14(4) defines CMMC Level 3 as 24 selected security requirements 
from the NIST SP 800-172 Feb2021.
    The CMMC security requirements are organized into domains following 
the approach taken in NIST SP 800-171 R2. The numbering of the CMMC 
security requirements, addressed in Sec.  170.14(c)(1), is of the form 
DD.L#-REQ where the `DD' is the two-letter domain abbreviation, the 
`L#' is the CMMC Level, and the `REQ' is based directly on the 
numbering in the source. Assessment criteria for these security 
requirements, as described in Sec.  170.14(d), are based on the security 
requirement assessment guidance provided in NIST SP 800-171A Jun2018 
and NIST SP 800-172A Mar2022.

Section 170.15 CMMC Level 1 Self-Assessment and Affirmation 
Requirements

    Section 170.15 addresses how an OSA will achieve and maintain 
compliance with the CMMC Status of Level 1 (Self). The OSA must 
successfully implement the security requirements listed in Sec.  
170.14(c)(2) within their Level 1 CMMC Assessment Scope as described in 
Sec.  170.19(b). Successful implementation requires meeting all 
objectives defined in NIST SP 800-171A Jun2018 for the corresponding 
CMMC Level 1 security requirements as outlined in the mapping table 1 
to Sec.  170.15(c)(1)(i).
    After implementation, the OSA must perform a Level 1 self-
assessment to verify the implementation and score themselves using the 
scoring methodology provided in Sec.  170.24. All objectives must be 
met in order for a security requirement to be considered fully 
implemented; no security requirements may be placed on a POA&M for 
Level 1. The OSA must then input their results into SPRS as described 
in Sec.  170.15(a)(1)(i) and submit an affirmation as described in 
Sec.  170.22.
    In order to be eligible for a contract with a requirement for the 
CMMC Status of Level 1 (Self), the OSA must have achieved a CMMC Status 
of Final Level 1 (Self) and have submitted an affirmation. These 
activities must be completed annually.

Section 170.16 CMMC Level 2 Self-Assessment and Affirmation 
Requirements

    Section 170.16 addresses how an OSA will achieve and maintain 
compliance with the CMMC Status of Level 2 (Self). The OSA must 
successfully implement the security requirements listed in Sec.  
170.14(c)(3) within its Level 2 CMMC Assessment Scope as described in 
Sec.  170.19(c). Successful implementation requires meeting all 
objectives defined in NIST SP 800-171A Jun2018 for the corresponding 
CMMC Level 2 security requirements. Requirements for ESPs and CSPs that 
process, store, or transmit CUI are provided in Sec.  170.16(c)(2) and 
(3).
    After implementation, the OSA must perform a Level 2 self-
assessment to verify the implementation and score themselves using the 
scoring methodology provided in Sec.  170.24. All objectives must be 
met in order for a security requirement to be considered fully 
implemented; in some cases, if not all objectives are met, some 
security requirements may be placed on a POA&M as provided for in Sec.  
170.21. If the minimum score has been achieved and some security 
requirements are in a POA&M, the OSA has achieved the CMMC Status of 
Conditional Level 2 (Self); if all requirements are MET as defined in 
Sec.  170.24(b), the OSA has achieved a CMMC Status of Final Level 2 
(Self). For Conditional Level 2 (Self), a POA&M closeout must be 
conducted within 180 days as described in Sec.  170.21(b) or the 
Conditional Level 2 (Self) CMMC Status will expire.
    After a Level 2 self-assessment, as well as after a POA&M closeout, 
the OSA must input their results into SPRS as described in Sec.  
170.16(a)(1)(i) and submit an affirmation as described in Sec.  170.22.
    In order to be eligible for a contract with a requirement for the 
CMMC Status of Level 2 (Self), the OSA must have achieved the CMMC 
Status of either Conditional Level 2 (Self) or Final Level 2 (Self) and 
have submitted an affirmation. The Level 2 self-assessment must be 
completed every three years and the affirmation must be completed 
annually following the Final CMMC Status Date.

Section 170.17 CMMC Level 2 Certification Assessment and Affirmation 
Requirements

    Section 170.17 addresses how an OSC will achieve and maintain 
compliance with the CMMC Status of Level 2 (C3PAO). The OSC must 
successfully implement the security requirements listed in Sec.  
170.14(c)(3) within its Level 2 CMMC Assessment Scope as described in 
Sec.  170.19(c). Successful implementation requires meeting all 
objectives defined in NIST SP 800-171A Jun2018 for the corresponding 
CMMC Level 2 security requirements. Requirements for ESPs and CSPs that 
process, store, or transmit CUI are provided in Sec.  170.17(c)(5) and 
(6).
    After implementation, the OSC must hire a C3PAO to perform an 
assessment to verify the implementation. The C3PAO will score the OSC 
using the scoring methodology provided in Sec.  170.24. All objectives 
must be met in order for a security requirement to be considered fully 
implemented; in some cases, if not all objectives are met, some 
security requirements may be placed on a POA&M as defined in Sec.  
170.21. If the minimum score has been achieved and some security 
requirements are in a POA&M, the OSC has achieved the CMMC Status of 
Conditional Level 2 (C3PAO); if all requirements are MET as defined in 
Sec.  170.24(b), the OSC has achieved the CMMC Status of Final Level 2 
(C3PAO). For Conditional Level 2 (C3PAO), a POA&M closeout must be 
conducted within 180 days as described

[[Page 83102]]

in Sec.  170.21(b) or the Conditional Level 2 (C3PAO) CMMC Status will 
expire.
    After a Level 2 certification assessment, as well as after a POA&M 
closeout, the C3PAO will input the OSC's results into the CMMC 
instantiation of eMASS as described in Sec.  170.17(a)(1)(i). After a 
Level 2 certification assessment, as well as after a POA&M closeout, 
the OSC must submit an affirmation as described in Sec.  170.22.
    In order to be eligible for a contract with a requirement for the 
CMMC Status of Level 2 (C3PAO), the OSC must have achieved the CMMC 
Status of either Conditional Level 2 (C3PAO) or Final Level 2 (C3PAO) 
and have submitted an affirmation. The Level 2 certification assessment 
must be completed every three years and the affirmation must be 
completed annually following the Final CMMC Status Date.

Section 170.18 CMMC Level 3 Certification Assessment and Affirmation 
Requirements

    Section 170.18 addresses how an OSC will achieve and maintain 
compliance with the CMMC Status of Level 3 (DIBCAC). The OSC must have 
achieved the CMMC Status of Final Level 2 (C3PAO) for information 
systems within the Level 3 CMMC Assessment Scope as a prerequisite to 
undergo a Level 3 certification assessment. The OSC must successfully 
implement the security requirements listed in Sec.  170.14(c)(4) 
and table 1 to Sec.  170.14(c)(4) within its Level 3 CMMC Assessment 
Scope as described in Sec.  170.19(d). Successful implementation 
requires meeting all objectives defined in NIST SP 800-172A Mar2022 for 
the corresponding CMMC Level 3 security requirements. Requirements for 
ESPs and CSPs that process, store, or transmit CUI are provided in Sec.  
170.18(c)(5) and (6).
    After implementation, the OSC must contact DCMA DIBCAC to perform 
an assessment to verify the implementation. DCMA DIBCAC will score the 
OSC using the scoring methodology provided in Sec.  170.24. All 
objectives must be met in order for a security requirement to be 
considered fully implemented; in some cases, if not all objectives are 
met, some security requirements may be placed on a POA&M as defined in 
Sec.  170.21. If the minimum score has been achieved and some security 
requirements are in a POA&M, the OSC has achieved the CMMC Status of 
Conditional Level 3 (DIBCAC); if all requirements are MET as defined in 
Sec.  170.24(b), the OSC has achieved the CMMC Status of Final Level 3 
(DIBCAC). For Conditional Level 3 (DIBCAC), a POA&M closeout must be 
conducted within 180 days as described in Sec.  170.21(b) or the 
Conditional Level 3 (DIBCAC) CMMC Status will expire.
    After a Level 3 certification assessment, as well as after a POA&M 
closeout, DCMA DIBCAC will input the OSC's results into the CMMC 
instantiation of eMASS as described in Sec.  170.18(a)(1)(i). After a 
Level 3 certification assessment, as well as after a POA&M closeout, 
the OSC must submit an affirmation as described in Sec.  170.22.
    In order to be eligible for a contract with a requirement for the 
CMMC Status of Level 3 (DIBCAC), the OSC must have achieved the CMMC 
Status of either Conditional Level 3 (DIBCAC) or Final Level 3 (DIBCAC) 
and have submitted an affirmation. The Level 3 certification assessment 
must be completed every three years and the affirmation must be 
completed annually following the Final CMMC Status Date.

Section 170.19 CMMC Scoping

    Section 170.19 addresses the requirements for the scoping of each 
CMMC Level and determines which assets are included in a given 
assessment and the degree to which each is assessed. The CMMC 
Assessment Scope is specified prior to any CMMC assessment, based on 
the CMMC Level being assessed. The Level 2 CMMC Assessment Scope may 
also be affected by any intent to achieve a CMMC Level 3 Certification 
Assessment, as detailed in Sec.  170.19(e).
    Scoping for CMMC Level 1, as detailed in Sec.  170.19(b), consists 
of all assets that process, store, or transmit FCI. These assets are 
fully assessed against the applicable CMMC security requirements 
identified in Sec.  170.14(c)(2) and following the procedures in Sec.  
170.15(c). All other assets are out-of-scope and are not considered in 
the assessment.
    Scoping for CMMC Level 2, as detailed in Sec.  170.19(c), consists 
of all assets that process, store, or transmit CUI, and all assets that 
provide security protections for these assets. These assets are fully 
assessed against the applicable CMMC security requirements identified 
in Sec.  170.14(c)(3) and following the Level 2 self-assessment 
procedures in Sec.  170.16(c) or the Level 2 certification assessment 
procedures in Sec.  170.17(c). In addition, Contractor Risk Managed 
Assets, which are assets that can, but are not intended to, process, 
store, or transmit CUI because of security policy, procedures, and 
practices in place, are documented and are subject to a limited check 
that may result in the identification of a deficiency, as addressed in 
table 3 to Sec.  170.19(c)(1). Finally, Specialized Assets, which are 
assets that can process, store, or transmit CUI but are unable to be 
fully secured, including: Internet of Things (IoT) devices, Industrial 
Internet of Things (IIoT) devices, Operational Technology (OT), 
Government Furnished Equipment (GFE), Restricted Information Systems, 
and Test Equipment, are documented but are not assessed against other 
CMMC security requirements, as addressed in table 3 to Sec.  
170.19(c)(1). All other assets are out-of-scope and are not considered 
in the assessment.
    Scoping for CMMC Level 3, as detailed in Sec.  170.19(d), consists 
of all assets that can (whether intended to or not) or do process, 
store, or transmit CUI, and all assets that provide security 
protections for these assets. The CMMC Level 3 Assessment Scope also 
includes all Specialized Assets but allows an intermediary device to 
provide the capability for the Specialized Asset to meet one or more 
CMMC security requirements, as needed. These assets (or the applicable 
intermediary device, in the case of Specialized Assets) are fully 
assessed against the applicable CMMC security requirements identified 
in Sec.  170.14(c)(4) and following the procedures in Sec.  170.18(c). 
All other assets are out-of-scope and are not considered in the 
assessment.
    If an OSA utilizes an ESP, including a Cloud Service Provider 
(CSP), that does not process, store, or transmit CUI, the ESP does not 
require its own CMMC assessment. The services provided by the ESP are 
assessed as part of the OSC's assessment as Security Protection Assets.

Section 170.20 Standards Acceptance

    Section 170.20 addresses how OSCs that, prior to the effective date 
of this rule, have achieved a perfect score on a DCMA DIBCAC High 
Assessment with the same scope as a Level 2 CMMC Assessment Scope, will 
be given a CMMC Status of Level 2 (C3PAO).

Section 170.21 Plan of Action and Milestones Requirements

    Section 170.21 addresses rules for having a POA&M for the purposes 
of a CMMC assessment and satisfying contract eligibility requirements 
for CMMC. All POA&Ms must be closed within 180 days of the Conditional 
CMMC Status Date. To satisfy CMMC Level 1 requirements, a POA&M is not 
allowed. To satisfy CMMC Level 2 requirements, a POA&M is allowed. 
Section 170.21 details the overall minimum score that must be achieved

[[Page 83103]]

and identifies the Level 2 security requirements that cannot have a 
POA&M and must be fully met at the time of the assessment. To satisfy 
CMMC Level 3 requirements, a POA&M is allowed. Section 170.21 details 
the overall minimum score that must be achieved and identifies the 
Level 3 security requirements that cannot have a POA&M and must be 
fully met at the time of the assessment. Section 170.21 also 
establishes rules for closing POA&Ms.

Section 170.22 Affirmation

    Section 170.22 addresses that the OSA's Affirming Official must 
affirm, in SPRS, compliance with the CMMC Status: upon completion of 
any self-assessment, certification assessment, or POA&M closeout 
assessment (as applicable), and annually following a Final CMMC Status 
Date.

Section 170.23 Application to Subcontractors

    Section 170.23 addresses flow down of CMMC requirements from the 
prime contractor to the subcontractors in the supply chain. Prime 
contractors shall comply and shall require subcontractor compliance 
throughout the supply chain at all tiers with the applicable CMMC Level 
for each subcontract as addressed in Sec.  170.23(a).

Section 170.24 CMMC Scoring Methodology

    Section 170.24 addresses the assessment finding types MET, NOT MET, 
and NOT APPLICABLE (N/A) in the context of CMMC assessments, and the 
CMMC Scoring Methodology used to measure the implementation status of 
security requirements for CMMC Level 2 and CMMC Level 3. Scoring is not 
calculated for CMMC Level 1 since all requirements must be MET at the 
time of assessment.
    For CMMC Level 2, the maximum score is the total number of Level 2 
security requirements and is the starting value for assessment scoring. 
Any security requirement that has one or more NOT MET objectives 
reduces the current score by the value of the specific security 
requirement. Values for each CMMC Level 2 requirement are enumerated in 
Sec.  170.24(c)(2)(i)(B).
    For CMMC Level 3, the maximum score is the total number of Level 3 
security requirements and is the starting value for assessment scoring. 
Any security requirement that has one or more NOT MET objectives 
reduces the current score by the value of the specific security 
requirement. CMMC Level 3 does not use varying values; the value for 
each requirement is one (1), as described in Sec.  170.24(c)(3).
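The scoring rules summarized for Sec.  170.24, the DD.L#-REQ identifier format from Sec.  170.14(c)(1), and the Conditional/Final status and 180-day POA&M closeout rules from Sec.  170.15 through 170.18 and 170.21, worked through as an added Python example (not part of the rule or any DoD tooling). The per-requirement point values for Level 2, the minimum passing score, and the list of requirements that may not be placed on a POA&M are not reproduced in this summary, so the example takes them as caller-supplied inputs and the sample values below are constructed, not the rule's.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Identifier format from Sec. 170.14(c)(1): DD.L#-REQ, e.g. AC.L2-3.1.1
_ID_RE = re.compile(
    r"^(?P<domain>[A-Z]{2})\.L(?P<level>[123])-(?P<req>[A-Za-z0-9.]+)$"
)

# Maximum scores stated in the rule summary: 110 Level 2 requirements
# (NIST SP 800-171 R2) and 24 Level 3 requirements (NIST SP 800-172).
MAX_SCORE = {2: 110, 3: 24}
POAM_CLOSEOUT_DAYS = 180  # Sec. 170.21(b)

MET, NOT_MET, NA = "MET", "NOT MET", "N/A"


def parse_requirement_id(req_id):
    """Split a DD.L#-REQ identifier into (domain, level, source numbering)."""
    m = _ID_RE.match(req_id)
    if m is None:
        raise ValueError(f"not a DD.L#-REQ identifier: {req_id!r}")
    return m.group("domain"), int(m.group("level")), m.group("req")


@dataclass(frozen=True)
class Finding:
    req_id: str
    objectives: dict  # assessment objective id -> MET / NOT MET / N/A

    @property
    def met(self):
        # Sec. 170.24: one or more NOT MET objectives makes the whole
        # requirement NOT MET; N/A objectives do not reduce the score.
        return NOT_MET not in self.objectives.values()


def score(level, findings, level2_values=None):
    """Return (score, not_met_ids) for a Level 2 or Level 3 assessment.

    level2_values maps each Level 2 req_id to its point value from
    Sec. 170.24(c)(2)(i)(B); that table is not reproduced here, so the
    caller supplies it. Every Level 3 requirement is worth 1
    (Sec. 170.24(c)(3)).
    """
    if level not in MAX_SCORE:
        raise ValueError("Level 1 is not scored; all requirements must be MET")
    if level == 2 and level2_values is None:
        raise ValueError("Level 2 scoring needs the per-requirement values")
    total = MAX_SCORE[level]  # starting value is the maximum score
    not_met = []
    for f in findings:
        _, req_level, _ = parse_requirement_id(f.req_id)
        if req_level != level:
            raise ValueError(f"{f.req_id} is not a Level {level} requirement")
        if not f.met:
            not_met.append(f.req_id)
            total -= 1 if level == 3 else level2_values[f.req_id]
    return total, not_met


def cmmc_status(level, findings, minimum_score=None, level2_values=None,
                poam_ineligible=frozenset()):
    """Map assessment results to "Final", "Conditional" or "Not achieved".

    minimum_score is the Sec. 170.21 threshold (caller-supplied);
    poam_ineligible holds requirement ids that Sec. 170.21 says must be
    fully MET at assessment time and so cannot sit on a POA&M.
    """
    if level == 1:
        # Sec. 170.15: no POA&M at Level 1; every requirement must be MET.
        return "Final" if all(f.met for f in findings) else "Not achieved"
    s, not_met = score(level, findings, level2_values)
    if not not_met:
        return "Final"
    if minimum_score is None or s < minimum_score:
        return "Not achieved"
    if any(r in poam_ineligible for r in not_met):
        return "Not achieved"
    return "Conditional"  # remaining NOT MET requirements go on a POA&M


def poam_deadline(conditional_status_date):
    """Last day (ISO string) to close the POA&M before a Conditional
    CMMC Status expires, 180 days after the Conditional CMMC Status Date."""
    start = date.fromisoformat(conditional_status_date)
    return (start + timedelta(days=POAM_CLOSEOUT_DAYS)).isoformat()
```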

Appendix A to Part 170: Guidance

    Appendix A lists the guidance documents that are available to 
support defense contractors and the CMMC Ecosystem in the 
implementation and assessment of CMMC requirements.

Discussion of Public Comments and Resulting Changes

    The Department of Defense published the proposed rule, on December 
26, 2023 (88 FR 89058). Approximately 361 public submissions were 
received in response to the publication. Some comments were beyond the 
scope of the CMMC Program and are described but not addressed in this 
final rule. The majority of comments received were relevant and are 
summarized in the discussion and analysis section here. Additional 
comments were received in response to the CMMC supplemental documents 
published concurrently with the rule; the discussion and analysis of 
those comments is located at www.regulations.gov. Some comments 
received lacked relevance to the rule's content, which is limited to 
specific CMMC program requirements codified in the 32 CFR part 170 CMMC 
Program rule; responses for those comments are not provided.
    Any contractual requirements related to the CMMC Program rule will 
be implemented in the DFARS, as needed, which may result in revisions 
to the DFARS clause 252.204-7021, CMMC Requirements. DoD will address 
comments regarding the DFARS clause 252.204-7021 in a separate 48 CFR 
part 204 CMMC Acquisition rulemaking.

1. Extension of the Public Comment Period

    Comment: DoD received requests from industry associations for an 
extension of the 60-day public comment period on the CMMC Proposed Rule 
that the Office of the Federal Register published on 26 December 2023. 
The length of extensions requested ranged from 30-60 days. Commenters 
argued that the proposed rule was initially published following a 
holiday, or more time was needed for associations to fully review 
member comments about the CMMC Proposed Rule prior to submitting. In 
addition, they argued that other rules pertaining to cyber incident 
reporting obligations and security of Federal Information Systems had 
also been published for public comment, which created a need for 
additional review time.
    Response: The DoD CIO denied requests for an extension of the 60-
day public comment period. The DoD provided regular communication to 
the public through the DoD CMMC website and updates in the semiannual 
Unified Agenda in preparation for publication of the CMMC Proposed Rule 
to initiate the 60-day public comment period. The Department has an 
urgent need to improve DIB cybersecurity by further enforcing 
compliance with security requirements that were to be implemented by 
the DIB ``as soon as possible but not later than December 2017.''

2. The CUI Program

a. CUI Program Guidance
    Comment: Many comments were submitted related to the NARA CUI 
policies or the DoD CUI Program, and while relevant for understanding 
CMMC requirements, those are separate policies or programs beyond the 
scope of the CMMC program or this rule. However, several comments 
recommended that the CMMC rule be revised to address them.
    Twenty-two comments requested the government provide more guidance, 
preferably within RFPs or contracts, to better identify what will be 
considered CUI for that contract, and how it should be appropriately 
marked. One comment specifically noted a need for contractual 
instructions on whether data created in performance of a contract rises 
to the level of CUI. Another person asked when information created or 
possessed by a contractor becomes CUI. One comment asked whether 
digital or physical items derived from CUI are treated as CUI while 
another asked what specific information qualifies as CUI for OT and IoT 
assets. Another comment asked whether FCI and/or CUI created or 
provided under a non-DoD agency contract, but which is also used in 
support of a DoD contract, would be subject to the applicable CMMC 
level requirement. Another comment noted that DoD focuses too narrowly 
on data security aspects of major system acquisition and largely fails 
to address securing data generated by operational and/or maintenance 
operations, such as invoices and bills of lading for operational 
support purchases.
    One comment stated there was a need for CUI policy guidance for the 
entire Federal Government. Another comment inferred, incorrectly, that 
the CMMC Accreditation Body makes determinations about what is and what 
is not CUI and stated that the Government should make those 
determinations. Another comment stated that to better address the needs 
of contractors tasked with safeguarding

[[Page 83104]]

CUI, NARA should initiate a public comment period to reevaluate its CUI 
Registry. The comment also noted that NARA should identify when a CUI 
designation automatically applies to contractor-created information and 
revise the CUI Registry to stipulate that a specific basis in statute 
(or a contract) is required for information to be considered CUI. 
Another comment recommended a study be conducted on protections for 
systems and data at Confidential and higher classification levels that 
would assess whether NARA's CUI protection requirements (32 CFR part 
2002) have yielded any real benefits in protecting critical data. 
Another comment stated that the CUI program is a costly proposition 
whose security value is questionable given data can still be 
compromised, even over systems with a CMMC assessment. The comment 
stated that if data is to be controlled for Critical Items, then the 
existing system used for CONFIDENTIAL information should suffice. 
Finally, another comment suggested that CUI information should be under 
the control of the Federal Government and access granted only to 
appropriately trained, and qualified contractors through a portal.
    Response: Neither the CUI program (established in E.O. 13556) nor 
the safeguarding requirements codified in its implementing directives 
are changed by virtue of the compliance assessment framework 
established by this rule.
    CMMC requirements apply to prime contractors and subcontractors 
throughout the supply chain at all tiers that will process, store, or 
transmit any FCI or CUI on contractor information systems in the 
performance of the DoD contract or subcontract, irrespective of the 
origin of the information.
    The executive branch's CUI Program is codified in 32 CFR part 2002 
and establishes policy for designating, handling, and decontrolling 
information that qualifies as CUI. The definition of CUI and general 
requirements for its safeguarding are included in 32 CFR 2002.4 and 
2002.14, respectively. 32 CFR 2002.14(h)(2) specifically requires 
agencies to use NIST SP 800-171 when establishing security requirements 
to protect CUI's confidentiality on non-Federal information systems. At 
the time of award, the DoD may have no visibility into whether the 
awardee will choose to further disseminate DoD's CUI, but DFARS clause 
252.204-7012 and DFARS clause 252.204-7021 require the prime contractor 
to flow down the information security requirement to any subcontractor 
with which the CUI will be shared. Decisions regarding which DoD 
information must be shared to support completion of subcontractor tasks 
are between the prime contractor and the subcontractors. The DoD 
encourages prime contractors to work with subcontractors to lessen the 
burden of flowing down CUI. The DoD declines to adopt alternatives such 
as policy-based solutions that lack a rigorous assessment component or 
require sharing CUI only through DoD-hosted secure platforms. Suggested 
alternatives to implementing NIST SP 800-171 and identifying what data 
is CUI are beyond the scope of the CMMC Program and this rule.
b. FCI and CUI Definitions
    Comment: Five comments stated that what DoD considers CUI is not 
well defined. Another comment stated that companies should be provided 
a reference list of what the DoD considers CUI. Another recommended DoD 
use existing mechanisms like the DD Form 254 architecture to clearly 
define the scope of CUI on a contract-by-contract basis. Seven comments 
recommended the CMMC rule mandate a Security Classification Guide (SCG) 
or similar document.
    Nine comments stated there was too much confusion and ambiguity 
regarding FCI and CUI and that the government needed to provide clear 
and standardized FCI and CUI definitions that are tailored to the 
specific requirements of the CMMC rule. One comment recommended rule 
edits to address this perceived ambiguity. One comment requested 
clarification and examples of differences between CUI Basic and 
Specialized CUI.
    Response: Federal Contract Information is defined in FAR clause 
52.204-21, which also provides the security requirements applicable for 
basic safeguarding of such information. The DoD has no authority to 
modify definitions established in the FAR for application to all 
executive branch agencies. This rule makes no change to the definition 
or handling of CUI.
c. Marking Requirements
    Comment: Twenty-three comments expressed concern with or requested 
clarification regarding CUI marking. Twelve comments specifically noted 
concern with CUI markings being applied to too many documents, in part 
because CUI was an ambiguous concept. They requested the DoD encourage 
personnel to mark documents as CUI only when appropriate and provide 
better guidance for managing flow-down clauses. Another comment noted 
that many small businesses are currently subject to NIST SP 800-171 
requirements through DFARS contract clause flow-down and cannot say 
with certainty that they have CUI in their possession. The comment 
further noted that small businesses regularly receive mismarked data. 
One comment stated there is an increased use of automatic CUI marking 
on DoD communications, seemingly without regard to content. One comment 
stated that the rule fails to outline a mechanism for reporting 
government mishandling, and that contractors should use a reporting 
system to minimize their own risk and liability. One comment requested 
the rule be edited to prevent Program Managers or requesting activities 
from assigning a CMMC Level 3 requirement unless they have high 
confidence that 80+ percent of CUI and/or FCI under the relevant 
contract has complete CUI markings. Another comment stated that the 
Federal government should develop a marking schema to communicate 
information safeguarding requirements, while yet another stated that 
DoD must publish a training module for contracting officers so that 
they are properly classifying documents prior to finalization of this 
rule.
    One comment stated CUI across the DoD is diverse and what may be 
CUI for one system may not be for another. The comment then questioned 
how this proposed rule and SPRS would accommodate these facts without 
assuming and mandating that all defense contractor information systems 
meet the same architecture, security, and cybersecurity standards.
    Response: The CMMC Program will not provide CUI guidance materials 
to industry as it is outside the scope of this CMMC rule. Relevant 
information regarding what to do when there are questions regarding 
appropriate marking of CUI may be found at 32 CFR 2002.50--Challenges 
to designation of information as CUI. The DoD declined to incorporate 
suggested edits to the CMMC Level 3 requirements regarding confidence 
in proper CUI and/or FCI markings.
    The DoD's role as data owner is documented in the CUI Program 
implementing policies and the requirements of 32 CFR part 2002. DoDI 
5200.48 states: The authorized holder of a document or material is 
responsible for determining, at the time of creation, whether 
information in a document or material falls into a CUI category. If so, 
the authorized holder is responsible for applying CUI markings and 
dissemination instructions accordingly. DoD Manual 5200.01 outlines 
DoD's Information Security Program and includes Volume 2, Marking of 
Information. The DoD declines to incorporate by reference those

[[Page 83105]]

documents describing the Department's data governance role because the 
content is beyond the scope of CMMC requirements. The DoD issued policy 
guidance to its program managers regarding programmatic indicators to 
consider when selecting CMMC requirements. Program managers have a 
vested interest in knowing whether a contractor can comply with these 
existing requirements to adequately safeguard CUI.
    The DoD elected not to make any recommended edits to the CMMC 
Program related to FCI or CUI marking requirements or provide 
clarifying examples of the differences between Basic CUI and Specified 
CUI, as these are beyond the scope of this rule. Mishandling of 
information by the government is beyond the scope of this rule. DCMA 
DIBCAC processes, stores, and transmits all data on DoD-approved 
networks. DoD's adherence to NARA's CUI Program policies is beyond the 
scope of this rule.
d. Applicability and Governance of CUI Requirements
    Comment: In addition, one utilities sector representative submitted 
a lengthy analysis of data types often generated by electric or other 
utilities, with regulatory references and rationale for why such data 
would not likely be subject to DoD's CUI safeguarding requirements or 
CMMC compliance assessments. Such rationale included the fact that some 
Government-Private CUI categories, such as DoD Critical Infrastructure 
Information, require explicit designation in that category which 
(according to the commenter) has not occurred in the electricity 
subsector. One contractor requested that CMMC clarify requirements 
around U.S. persons and foreign dissemination of CUI for both 
contractors, subcontractors' employees, and contingent workers. Two 
comments suggested it would be appropriate to reference data governance 
in Sec.  170.1 and the DoD's role as the data owner of FCI and CUI 
across the ecosystem. Another comment stated the classification efforts 
must themselves be audited.
    Response: The quantity of FCI and CUI a defense contractor 
possesses, including copies of the same material, is irrelevant to the 
CMMC assessment required. All copies of FCI or CUI related to the DoD 
contract must be safeguarded. The CMMC Program is not intended to 
validate compliance with cybersecurity requirements of non-DoD 
agencies' contracts. The requirements for sharing of CUI with non-US 
persons are beyond the scope of this rule.
    The CMMC program provides a mechanism to assess contractor 
compliance with applicable security requirements for the safeguarding 
of FCI or CUI. CMMC program requirements make no change to existing 
policies for information security requirements implemented by DoD. 
Policies for CUI and creation of program documentation, to include 
Security Classification Guides, are separate from this rule. Discussion 
in this rule regarding DoD programs providing CUI training and the 
implementation of E.O. 13556 are beyond the scope of this rule.
    CMMC program requirements are applicable when DoD requires 
processing, storing, or transmitting of either FCI or CUI on a non-
Federal contractor owned information system in the performance of a 
contract between DoD and the contractor. The DoD does not manage nor is 
it involved in data exchanges between contractors and subcontractors.

3. Other DoD Policies and Programs

    Many comments dealt with DoD policies and programs that, while 
relevant for understanding CMMC requirements, are still entirely 
separate programs or policies that are not within the scope of the CMMC 
program. However, several commenters recommended that the rule be 
revised to address them. Key topics among such comments include:
a. Adaptive Acquisition Framework
    Comment: One commenter misunderstood CMMC program purpose and 
thought the requirements applied to systems and capabilities acquired 
or developed for DoD's use, using formal policies of the Defense 
Acquisition System. Based on this misinterpretation, this commenter 
made dozens of recommendations related to integration of CMMC 
assessment and program requirements with other existing DoD acquisition 
frameworks and suggested relying on the assessors that complete TRAs, 
in place of implementing the CMMC program. One of their comments also 
proposed establishing a single responsible office for CUI and SCRM, 
hosting CUI material within a single, separate secure and existing 
cloud-based data warehouse and including hardware and software 
approving authorities as part of the proposed rule for GFE. The 
commenter also stated the role of the Office of Small Business Programs 
(OSBP) needs to flow down to the Small Business Administration military 
service offices. The commenter also asked how to reconcile CMMC against 
the DoDI 8582.01 requirement stating a DoD Component should not specify 
the content and format of plans of action that address deficiencies or 
specifying the parameters of security controls.
    This commenter also recommended creation of a MIL-Standard in lieu 
of aligning cybersecurity requirements to existing NIST standards, and 
linkage of CMMC requirements to procedures related to Approval to 
Operate (which applies to DoD systems). This commenter suggested that 
the CMMC PMO be made responsible to provide system scans to check for 
Software Bills of Material as part of DoD's response to Executive Order 
14028 regarding Supply Chain Risk Management. The commenter further 
requested a DoD-level working group outline how DoD program offices 
might identify which components are mission or safety critical or which 
associated production processes should be identified as CTI. That 
commenter recommended this rule be held in abeyance until AT&L [sic] 
has reviewed and provided their insight into the impacts of CMMC on 
existing DoD acquisition documentation and deliverables. Yet another 
comment recommended that ``this proposed DFARS ruling'' be vetted 
through ``AT&L, ASD and OUSD'' [sic] as a minimum to determine if 
changes would be required in the Program Protection Improvement Plan 
and System Security Plan. Lastly, this commenter recommended the DoD 
engage with NDIA and ISO/IEC to develop alternate standards for 
securing data and supply chains.
    Response: CMMC Program requirements apply to contractor-owned 
information systems that process, store, or transmit FCI and CUI and do 
not apply to systems developed or acquired for DoD through the formal 
Defense Acquisition System (DAS). Therefore, integrating the CMMC 
assessment process and internal DAS processes (including technical 
reviews prior to RFP development) is not appropriate and is beyond the 
scope of this rule. Note that CMMC applicability is broader than just 
the Major Defense Acquisition Programs.
    DoD's organizational alignment of responsibilities (between OSBP 
and SBA military offices) for assisting small businesses or 
establishing new offices within OSD is beyond the scope of this rule. 
Due to national security concerns, DoD declines the recommendation to 
further delay implementation of the CMMC Program. Each passing day in 
delay of implementing the security requirements for safeguarding DoD 
FCI and CUI increases the risk for exfiltration of non-public 
information on unsecured nonfederal systems that

[[Page 83106]]

may result in the loss of DoD's technological advantages in its 
warfighting capabilities and programs.
    Discussions regarding acquisition strategies and frameworks are 
beyond the scope of this CMMC rule. The CMMC Program does not alleviate 
or supersede any existing requirements of the Adaptive Acquisition 
Framework, nor does it alter any statutory or regulatory requirement 
for acquisition program documentation or deliverables. Note that CMMC 
Program requirements do not apply to systems delivered to DoD. DoD 
Instructions for required acquisition program documentation are beyond 
the scope of this rule. CMMC assessment certifications are not 
integrated into System Security Plans (SSPs).
    The role of System Engineering and associated processes within the 
DoD acquisition process is beyond the scope of this rule. ITRA 
assessments provide a view of program technical risk and are not well-
suited to the assessment of contractor owned information systems 
against standards for safeguarding CUI. CMMC Program requirements do 
not clash with Program Office responsibilities, but instead provide 
Program Managers with a mechanism for validating that contractors are 
compliant with the rules for protecting DoD CUI.
b. FedRAMP Program and FedRAMP Equivalency
    Comment: Many commenters took issue with the requirements for 
FedRAMP Moderate Equivalency, as referenced in DFARS clause 252.204-
7012 and defined in a separate DoD policy memo. Some merely highlighted 
discrepancies or highlighted concerns about their ability to meet the 
FedRAMP Moderate Equivalency requirements. Others recommended revisions 
to that policy, or to DFARS clause 252.204-7012, or both. 
Some recommended the FedRAMP Moderate Equivalency policy memo be 
incorporated into DFARS clause 252.204-7012. Other 
suggestions ranged from eliminating equivalency to meet requirements, 
allowing 3PAO attestation to equivalency, requiring all FedRAMP 
Moderate Equivalency candidates to be assessed by the same C3PAO or 
allowing equivalency to be established through other industry 
certifications or third-party security assessments, i.e., SOC, ISO/IEC 
27001. One commenter requested that applications hosted on a FedRAMP 
Moderate environment only need to meet the CMMC level of the data the 
application will process. Another suggested that all Cloud Service 
Providers be required to meet the same CMMC requirement as the OSCs 
they support. One commenter recommended expanding the scope of the CMMC 
Program to include assessing other security requirements in DFARS 
clause 252.204-7012, to include the use of FedRAMP Moderate cloud 
environment. Comments also expressed that it is unreasonable to expect 
any cloud provider to share security documentation with a customer or 
C3PAO since they limit dissemination of this information due to 
operational security needs. Another commenter noted that the proposed 
rule does not cover all types of information that contractors may 
handle, such as classified information, export-controlled information, 
or proprietary information and they recommended the DoD clarify 
applicability of the CMMC program for these types of information.
    Response: Although some commercially based Cloud Service Offerings 
(CSOs) may experience limitations in trying to support the Defense 
Industrial Base with the FedRAMP Moderate equivalent requirement, the 
DoD is not willing to assume all the risk of non-FedRAMP Moderate 
Equivalent CSOs when the CSO is used to process, store, or transmit 
CUI. If the offering does not process, store, or transmit CUI, then 
FedRAMP certification is not required. Although the DoD considered 
acceptance of the ISO/IEC 27001 certification, it chose the NIST 
cybersecurity requirement to meet FedRAMP Moderate baseline equivalency 
standard to stay aligned with the FedRAMP Moderate baseline, which is 
based on NIST standards rather than ISO/IEC standards.
    The rule was updated to require FedRAMP moderate or FedRAMP 
moderate equivalency in accordance with DoD Policy. CMMC Program 
Requirements make no change to existing policies for information 
security requirements implemented by DoD. Comments related to 
applications hosted on a FedRAMP Moderate environment are outside the 
scope of this rule.
    The requirements for CSPs that process, store, or transmit CUI are 
set by DFARS clause 252.204-7012 and the DoD CIO policy memo on FedRAMP 
Moderate equivalency. These requirements are beyond the scope of this 
rule. ESPs that are not CSPs will be required to meet the CMMC 
requirements and be assessed as part of the scope of an acquiring OSA. 
ESPs that are not a CSP may voluntarily request a C3PAO assessment if 
they decide it would be to their advantage.
c. Other DoD Programs and Policies
    Comment: One commenter expressed dissatisfaction with results 
obtained from previously submitted FOIA requests related to development 
of the CMMC program.
    Two commenters asked if there was a mechanism to update FAR clause 
52.204-21 to address evolving threats and recommended the Department 
specifically identify the frequency and identify accountable parties to 
review and update FAR security requirements. Another commenter cited 
responses visible on the DoD CIO's Frequently Asked Questions (FAQ) 
website and criticized both the utility of the information (given that 
it does not constitute formal policy) and the frequency with which the 
information is updated. Similarly, one commenter asked for more 
frequent updates to FAQs on the DoD Procurement Toolbox URL.
    One commenter asserted that the Federal Government sometimes 
contracts for support to perform sensitive tasks and permits access to 
``highly classified'' information that should only be accessed by 
Federal employees.
    One commenter requested NIST develop a simplified inspection 
standard for organizations with less than 20 employees.
    One commenter asked about the transfer of CMMC Program oversight 
from OUSD(A&S) to DoD CIO.
    A comment cited the utility of free cybersecurity related services 
that DoD agencies offer, such as security alerts and vulnerability 
scanning, and encouraged expansion of those programs.
    One person suggested that DoD's Zero-Trust approach would provide a 
higher level of security for CUI data than the CMMC program.
    One commenter stated the Department should develop clear, flexible 
guidelines and alternative pathways for global companies to achieve 
CMMC compliance without relying on enclave architectures and 
recommended that this approach rely on Zero Trust principles.
    One comment noted that under FAR clause 52.204-21, FCI does not 
include simple transactional information (STI) and asked if certain 
data would be considered STI and therefore not subject to CMMC.
    One comment stated that conflicting regulatory guidance exists 
between the content of E.O. 15028, NIST SP 800-218, NIST SP 800-171 R2, 
and NIST SP 800-171 Revision 3.
    Response: One comment lacked clarity and failed to clearly 
articulate

[[Page 83107]]

any relevance to the content of this rule, so no response can be 
provided.
    SPRS will be used for reporting CMMC Status of all contractors, 
regardless of which service issued the contract. Publication of this 
rule follows completion of OMB's formal rulemaking process, which 
includes both DoD internal coordination (including the USD(A&S) and 
USD(R&E)) and Interagency coordination.
    CMMC is consistent with Section 3.4 of DoDI 8582.01, Validation and 
Compliance. CMMC does not specify the content and format of plans of 
action beyond what is specified in NIST SP 800-171 R2, which is 
required under DoDI 8582.01.
    Clinger Cohen Act requirements, which apply to DoD's IT 
investments, are not relevant to CMMC Program requirements, which apply 
to contractor-owned information systems. The classification marking of 
existing DoD documentation is beyond the scope of this rule, as is 
engagement with INCOSE and ISO/IEC certification organizations.
    Executive Orders state mandatory requirements for the Executive 
Branch and have the effect of law. E.O. 14028--``Improving the Nation's 
Cybersecurity'' (issued May 12, 2021) requires agencies to enhance 
cybersecurity and software supply chain integrity. NIST SP 800-171 R2 
and NIST SP 800-218 are guidelines, not regulations. NIST SP 800-171 
Revision 3 is not currently applicable to this rule.
    Recommendations to add or modify requirements specified in NIST 
documentation should be submitted in response to NIST requests for 
public comment on the applicable guidelines. Federal and DoD 
requirements for delivery of software bills of material or secure 
software development are beyond the scope of this rule, which is 
limited to the assessment of compliance with requirements for adequate 
protection of FCI and CUI. Federal Contract Information is defined in 
FAR clause 52.204-21, which also provides the security requirements 
applicable for basic safeguarding of such information. The Department 
has no authority to modify definitions established in the FAR for 
application to all executive branch agencies. Any data that meets the 
definition of FCI is subject to CMMC Level 1. It is beyond the scope 
of the CMMC rule to render decisions on specific elements of data.
    The OUSD(A&S) was not replaced by the DoD CIO; rather, CMMC Program 
management oversight has been realigned from the OUSD(A&S) to the 
Office of the DoD CIO for better integration with the Department's 
other DIB cybersecurity related initiatives. Comments pertaining to 
DoD's organizational structure are not relevant to the content of this 
rule. DoD's processing of FOIA requests is also not within the scope of 
this rule. The DoD declines to respond to speculative or editorial 
comments about private citizens or outside entities, all of which are 
beyond the scope of this rule. Likewise, the DoD will not comment here 
on other DoD cybersecurity related programs, such as Zero Trust.
    Some comments expressed appreciation for cybersecurity related 
services that DoD provides free of charge, including protected DNS, 
vulnerability scanning, and security alerts, but these programs are 
outside the CMMC program. The government cannot comment on specific 
implementation or documentation choices of an OSA. Comments on 
alternate risk mitigation strategies such as product monitoring or 
software testing are not within the scope of this rule text.
d. DoD Policies Supporting CMMC Implementation
    Comment: Some comments addressed the DoD's internal policies and 
training efforts to prepare the Government workforce for CMMC program 
implementation. For example, some commenters opined that the rule's 
focus on contractor responsibilities misses the true risk that lies 
further up obscure supply chains. Another commenter recommended DoD 
work with contractors in each sector to provide clear guidance on the 
types of data that the Department would consider CTI. One commenter 
requested DoD acknowledge that human factors influence DIB 
cybersecurity while another stated DoD should provide uniform web-based 
training at no cost to ensure applicable training requirements are 
satisfactorily met. Another asked whether DoD PMs would receive CMMC 
related training prior to implementation. Another comment asked whether 
specific risk mitigating approaches, such as product monitoring or 
software testing might suffice to manage supply chain risk considering 
lack of visibility into the origins of 3rd and 4th tier components.
    One commenter perceived the CMMC requirement for Program Managers 
to identify the level of assessment requirement appropriate for a 
solicitation as removing the contract award decision from the USD(A&S). 
One commenter stated more information about procedures for implementing 
CMMC into government-wide contracts is needed. Another commenter 
expressed a need to use a basic contract that is unclassified, and any 
CUI would be contained in a separate appendix to allow sub-contractors 
to plan with their Prime to access the information on the Prime's 
network and avoid requirements for their own CMMC certification.
    Another comment recommended revisions to describe that medium 
assurance certificates for incident reporting are a DFARS clause 
252.204-7012 requirement, independent of CMMC program requirements.
    Two commenters criticized the DFARS clause 252.204-7020 requirement 
to allow ``full access'' to contractor facilities, systems, and 
personnel for the purposes of DIBCAC assessment, or for damage 
assessment following incident, and recommended that the CMMC program 
not include or rely on this authority.
    Another commenter recommended that, prior to issuing a final rule 
on CMMC, DoD work with other relevant agencies to integrate and 
harmonize the numerous regulatory changes that impact contractors' 
capacity to safeguard data and systems. One commenter suggested rule 
publication be delayed until DoD articulates the benefit expected from 
contractor compliance with the rule.
    Response: All recommendations to revise other Government-wide or 
DoD policies and programs are beyond the scope of the CMMC rule.
    CMMC Program Requirements make no change to existing policies for 
information security requirements implemented by DoD. Policies for CUI 
and creation of program documentation, to include Security 
Classification Guides and FedRAMP equivalency are separate from this 
rule. Relevant policies include DoDI 5200.48 ``Controlled Unclassified 
Information'' and DoD Manual 5200.45 ``Instructions for Developing 
Security Classification Guides'' for example.\23\ Some comments 
received lacked relevance to the rule's content, which is limited to 
specific CMMC program requirements. Changes to FAR and DFARS 
requirements are beyond the scope of this rule, as are the contents and 
updating of DoD's FAQ and Procurement Toolbox web pages.
---------------------------------------------------------------------------

    \23\ DoD Issuances (www.esd.whs.mil/DD/DoD-Issuances).
---------------------------------------------------------------------------

    CMMC program requirements do not result in any change to which DoD 
organization makes the contract award. Recommendations to adopt 
standard DoD contracting procedures (i.e., to exclude CUI information 
in the basic award) are not within the scope of this rule, which 
outlines program requirements. The DoD limits the

[[Page 83108]]

burden of CMMC compliance by requiring annual affirmations rather than 
annual assessments. Affirmations required for the CMMC program indicate 
that a DoD contractor has achieved and intends to maintain compliance 
with the applicable DoD information security requirements.
    The CMMC program is designed only to validate implementation of the 
information security standards in FAR clause 52.204-21, NIST SP 800-171 
R2, and a selected subset of NIST SP 800-172 Feb2021. This rule does 
not address the other DFARS clause 252.204-7012 requirements for cyber 
incident reporting. The CMMC assessment framework will not alter, 
alleviate, or replace the cyber incident reporting aspects of DFARS 
clause 252.204-7012, which will remain effective where applicable. 
Classified information is managed differently from CUI, and different 
safeguarding regulations apply to these different categories of 
information (each of which is defined in 32 CFR part 2002). CMMC 
Program requirements are aligned to the requirements for safeguarding 
of CUI and are unrelated to the requirements for safeguarding 
classified information. ``Export Controlled'' is a category of CUI. To 
the extent that a company generates information it considers 
proprietary, but which is explicitly excluded from the definition of 
CUI (see 32 CFR part 2002), no CMMC requirements would apply.
    As the CMMC program requirements make no change to existing 
policies for information security requirements implemented by DoD, 
dialogues with industry to identify CUI are outside the scope of this 32 
CFR part 170 CMMC Program rule. Several existing requirements directly 
address the human factors of cybersecurity, particularly those in the 
Awareness and Training, Personnel Security, and Physical Protection 
domains. Additional training and education on the topics of CUI 
safeguarding requirements, cybersecurity hygiene, and other useful 
topics may be found at:

www.archives.gov/cui/training.html
https://securityawareness.usalearning.gov/
https://business.defense.gov/Resources/Be-Cyber-Smart/

    OSAs may develop their own policies to validate completion of 
training. Developing and providing cyber security awareness training is 
not within the scope of the CMMC Program. DoD program managers will 
receive training.
    In support of the 32 CFR part 170 CMMC Program final rule, DoD issued 
guidance to reiterate the most appropriate information safeguarding 
requirements for DoD information and the associated CMMC assessment 
requirement for any given solicitation. Irrespective of CMMC Program 
assessment requirements, when CUI is processed, stored, or transmitted 
on contractor owned information systems, those systems are subject to 
the security requirements of NIST SP 800-171, due to the applicability 
of DFARS clause 252.204-7012. Program Managers have a vested interest 
in knowing whether a contractor can comply with these existing 
requirements to adequately safeguard DoD CUI.
    Applicability of and compliance with DFARS clause 252.204-7020 is 
beyond the scope of the CMMC Program. Implementation of the CMMC 
Program does not require or rely upon DFARS clause 252.204-7020. The 
existing assessments described in DFARS clause 252.204-7020 are 
entirely different from those described in this rule. This rule 
contains no cyber incident reporting requirements. Concerns related to 
a CISA rule pertaining to cyber incident reporting are beyond the scope 
of this rule and should have been submitted instead to the relevant 
docket for that rule. The DoD has declined the recommendation to 
address certificate requirements for the cyber incident reporting 
requirements of DFARS clause 252.204-7012 in this rule. The DoD is 
unable to comment on, balance with, or modify contractual or regulatory 
requirements to comply with any other agency's future requirements.
    The preamble of this rule articulates how contractor compliance 
with CMMC will contribute to counteracting the cyber security threat. 
Implementation of the CMMC Program will help protect DoD's FCI and CUI 
that is processed, stored, and transmitted on non-Federal information 
systems of defense contractors and subcontractors. Adequately securing 
that information as required, down to the smallest, most vulnerable 
innovative companies, helps mitigate the security risks that result 
from the significant loss of FCI and CUI, including intellectual 
property and proprietary data. Hence the implementation of the DoD CMMC 
Program is vital, practical, and in the public interest. Working with 
NIST and other regulatory authorities to align standards is beyond the 
scope of this rule.

4. DFARS Requirements

    Comment: Two commenters recommended the DoD fully implement CMMC 
requirements to standardize contract requirements to avoid 
proliferation of unique contract clauses across the Department. One 
comment suggested the rule should state explicitly that CMMC 
requirements do not apply to other agencies and advise DoD contractors 
to seek legal guidance before complying with CMMC requirements if other 
agency requirements also apply.
    In addition, several commenters thought the 32 CFR part 170 CMMC 
Program rule requirements lacked sufficient information about the 
associated 48 CFR part 204 CMMC Acquisition rule requirements to 
implement them. One person erroneously identified the DFARS clause 
252.204-7021 as part of the 32 CFR part 170 CMMC Program rule, and one 
person asked what additional rulemaking is needed to implement CMMC 
requirements. Another person recommended close coordination and 
synchronization between the two rules. One comment recommended the 
contract clauses be simplified to be ``stand alone'', rather than 
requiring cognizance of the 32 CFR part 170 CMMC Program rule content.
    One commenter asked whether contractors must meet CMMC requirements 
during the solicitation phase, or to view RFPs that contain CUI. 
Another asked how DoD plans to integrate CMMC requirements into DoD's 
Adaptive Acquisition Framework. One contractor disagreed with CMMC's 
pre-award approach, and worried it could create a need to become 
compliant in anticipation of future solicitations. This commenter 
posited that any information designated as CUI after contract award 
will create a ``chicken and egg'' dilemma for CMMC compliance. Other 
comments asked whether conditional certifications would be weighted 
differently than final certifications in the proposal evaluation and 
award process and suggested that DoD provide 6 months advance notice 
for all solicitations containing a CMMC requirement.
    Some comments urged the DoD to describe how DoD will identify CUI 
in solicitations and when CUI markings should apply in CSP or ESP 
scenarios. They also requested modification of DoD contracting 
procedures to provide criteria for identifying CUI information in each 
contract award along with the corresponding CMMC assessment level. One 
commenter inquired about the difference between implementing security 
requirements and assessing compliance. Some comments pertained to other 
DFARS contractual requirements, rather than CMMC requirements. For 
example, some recommended changing DFARS clause 252.204-7012 to remove 
the definition

[[Page 83109]]

of Covered Defense Information and to deviate from a requirement to 
comply with the NIST SP 800-171 version current at the time of 
solicitation. In addition, they asked about cost allowability for time 
and materials or cost type contracts. Some comments posited that costs 
for reassessment or recertification should be explicitly identified as 
reimbursable in the 48 CFR part 204 CMMC Acquisition rule, while one 
similar comment suggested that CMMC level 3 certification costs should 
be allowable when CMMC level 3 requirements are initially implemented.
    One comment addressed cyber incident reporting timelines for cloud 
service providers and recommended that the DoD's FedRAMP moderate 
equivalency policy be revised to align with DFARS clause 252.204-7012 
timelines. Another asked whether the rule inadvertently omitted 
requirements to assess compliance with DFARS clause 252.204-7012 cyber 
incident requirements.
    Other commenters asked for the CMMC contract clause verbiage, as 
was subsequently published in the related 48 CFR part 204 CMMC 
Acquisition rule. For example, some people asked whether CMMC 
requirements would be levied in ID/IQ contract awards versus task order 
awards, and GSA schedules. They asserted that adding CMMC clauses in 
GSA schedules might inadvertently allow contracting officers to include 
them in non-DoD issued task orders. Another opined that ID/IQ 
contracting procedures might necessitate changing the CMMC level needed 
for the base contract after its initial award, based on the needs of a 
task order. One commenter incorrectly inferred that a single Program 
Manager would make the CMMC level and type determination for every task 
order issued against an ID/IQ. In addition, two comments suggested that 
the DoD communicate with every current DoD contractor to identify which 
CMMC level would apply to their existing contracts.
    One company identified their specific DoD contract and asked 
whether it would be cancelled absent CMMC compliance. Another asked 
whether a current DFARS clause 252.204-7020 self-assessment score could 
be submitted to meet a CMMC level 2 self-assessment requirement. They 
also recommended elimination of the DFARS clause 252.204-7020 
requirements when CMMC is implemented.
    One commenter speculated about whether DoD's CMMC contract clauses 
can be applied to DoD contractors that also make and sell the same 
product to other US Government agencies. They noted that export 
licenses do not restrict companies from providing product data to other 
parties and posited that this might conflict with CMMC requirements. 
One person asked about the potential for conflicts between CMMC clauses 
and the Berry amendment and suggested that Berry amendment compliance 
take precedence over CMMC clauses.
    Response: Some comments received lacked relevance to the rule's 
content, which is limited to specific CMMC program requirements. 
Changes to FAR and DFARS requirements are out of scope of the 32 CFR 
part 170 CMMC Program rule, as contractual changes would occur under 
the 48 CFR part 204 CMMC Acquisition rule. This rule does not discuss 
the Berry Amendment. The rule does not address recovery of assessment 
costs because it does not make any change to 48 CFR 31.201-2.
    This 32 CFR part 170 CMMC Program rule is not an acquisition 
regulation; however, a CMMC Conditional Certification meets the CMMC 
program certification requirements. Any comments related to contract 
requirements should be directed to the related 48 CFR part 204 CMMC 
Acquisition rule.
    CMMC requirements apply to contracts that include FAR clause 
52.204-21 or DFARS clause 252.204-7012 and result in processing, 
storing, or transmitting of FCI or CUI on a contractor owned 
information system. The CMMC program is not a verification program for 
compliance with all requirements of DFARS clause 252.204-7012; rather, 
its purpose is to ensure compliance with FAR clause 52.204-21, NIST SP 
800-171 R2, and NIST 800-172 Feb2021 when applicable. The DoD does not 
provide detailed instruction on how to implement specific solutions to 
meet security requirements identified in the FAR clause or applicable 
NIST requirements, which is determined by the OSA. Any deviation from 
or change to DFARS clause 252.204-7012 is beyond the scope 
of this rule.
    Each of the teams responsible for developing these two CMMC rules 
has reviewed both documents.
    There are no CMMC requirements for reviewing FCI or CUI 
solicitation material. Recommendations to adopt standard contracting 
procedures for award of DoD contracts (i.e., to exclude CUI information 
in the basic award) are outside the scope of this 32 CFR part 170 CMMC 
Program rule. In support of the 32 CFR part 170 CMMC Program final 
rule, DoD issued policy guidance to its program managers and 
acquisition workforce to identify the appropriate CMMC requirement in 
solicitations and contracts. The CMMC assessment level required does 
not change based on acquisition lifecycle phase and is based on whether 
FCI and CUI are processed, stored, or transmitted on contractor owned 
information systems used in the performance of a contract.
    Discussion of DoD's willingness to provide advance notice of CMMC 
requirements or to remove the PM's discretion to include the CMMC level 
that best suits program requirements is a 48 CFR part 204 CMMC 
Acquisition rule matter and outside the scope of this rule. The CMMC 
Level will be identified in the solicitation. Once attained, a CMMC 
self-assessment or certification can be used in support of any number 
of proposals and solicitations.

5. Litigation and False Claims

    Comment: Some commenters expressed concern that CMMC implementation 
would result in increased litigation by DIB companies or pursuit of 
False Claims Act penalties by DoD against DIB companies. One commenter 
erroneously believed that Mexico would participate in oversight of the 
CMMC ecosystem, and that ``a flood of litigation'' may result from DIB 
companies losing contracts due to non-compliance with CMMC 
requirements. One commenter suggested that DoD should absolve 
contractors from False Claims Act prosecution when differences are 
found between C3PAO assessment results and a previously submitted 
contractor self-assessment, due to potentially valid reasons for the 
differing outcomes. Another suggested that DoD establish protections 
from regulatory and legal liability related to cyber incidents when the 
affected contractor has complied with relevant CMMC Program 
requirements.
    Response: The DoD lacks the authority to change the False Claims 
Act, which is a Federal law that imposes liability on persons and 
companies who defraud or knowingly submit false claims to the 
government. Comments related to Safe Harbor provisions are outside the 
scope of this rule.
    Comments about potential industry litigation are also beyond the 
scope of the final rule and the recommendations provided were not 
appropriate for inclusion in this rule. Nothing in the rule prevents 
frivolous private lawsuits, but the rule does provide that the CMMC AB 
maintain an appeals process. The DoD has faithfully followed the formal 
rulemaking process, to include completion of the public comment period. 
Implementation of the CMMC program will be carried out objectively and 
in accordance with the tenets of the

[[Page 83110]]

final rule. No foreign actors have any role in DoD's administration of 
the program.

6. DoD Metrics

    Comment: Several commenters inquired about the types of metrics the 
DoD plans to use to monitor progress toward the DIB cybersecurity 
objectives that the CMMC program was designed to meet. One asked 
whether DoD's metrics would include testing, and another recommended 
they capture changes in the population of DoD contractors caused by 
cost impacts of CMMC implementation. Others referenced a December 2021 
GAO Report that critiqued DoD's earlier attempts to implement the CMMC 
program. Specifically, they cited the GAO's finding that, at that time, 
DoD had not defined how it would analyze data to measure performance.
    A comment recommended the DoD identify responses to other GAO 
findings, which dealt with improvements to communications with industry 
and metrics for program management. Another comment asked whether 
management alignment within OSD, budget, and staffing of the CMMC 
program office are adequate.
    Two comments asked how many current contract awardees had received 
notification or identification of CUI to be provided in performance of 
their contracts, and asked which CMMC level would theoretically apply 
to those contracts. Another asked the DoD to provide DIBCAC assessment 
results data as a more relevant justification for the CMMC program than 
the 2019 DoDIG report on DIB Cybersecurity.
    Response: DoD's response to the referenced GAO and DoD IG reports 
is beyond the scope of this rule. Likewise, the DoD does not comment 
on analysis methods supporting the DoD IG's conclusions. Publishing 
DIBCAC assessment results is also beyond the scope of this rule, as 
are CMMC Program effectiveness metrics and return on investment 
calculations. The DoD is establishing CMMC assessment requirements as 
part of a comprehensive effort to verify that underlying information 
security requirements are met, as required, for all contractor owned 
information systems that process, store, or transmit CUI or FCI in the 
performance of a DoD Contract. DoD's calculation of ROI for the 
security controls that CMMC will assess, and cost elasticity of the DIB 
are also beyond the scope of this rule.

7. Phased Implementation of the Program

    Comment: Many comments asked for additional explanation of DoD's 
expected start and progression through phases of the CMMC 
implementation plan. Several asked that the phase-in plan be extended. 
One commenter asked whether contracts that would otherwise be 
associated with CMMC Level 3 would include a CMMC Level 2 requirement 
if issued prior to Phase 4 of the plan. Another misread the phase-in 
plan to mean that self-assessments would no longer be permitted at Full 
Implementation. One comment asked if the USG would be revisiting 
acquisition timelines to add more time for due diligence to ensure all 
entities meet CMMC requirements or have a POA&M in place.
    Some commenters observed that DoD's intended dates for CMMC 
implementation, as published in an earlier 48 CFR CMMC interim final 
rule, are unachievable and must be changed via another CMMC DFARS rule. 
Some commenters were confused by the differences between the dates of 
implementation phases in the rule, and the seven years described in 
cost estimates as necessary to complete implementation. Another 
commenter asked why the rule only applies to DoD.
    Some commenters suggested changes to prioritize different kinds of 
contracts, programs, or companies earlier or later in the 
implementation plan, rather than basing the phase-in on assessment 
type. For example, one suggested capping the number of contracts with 
CMMC requirements each year. Another suggested phasing in by increasing 
the numerical assessment score required for compliance, with additional 
time permitted for POA&M close-out beyond the current limit of 180 
days. Another suggested reversing the phase-in to begin with CMMC Level 
3. Several commenters requested extension of the phase-in plan to allow 
more time. One speculated that ``tens of thousands'' of contractors 
would require certification in less than 18 months. One commenter 
suggested the DoD modify the timing of implementation for CMMC levels 2 
and 3, and that DoD consider allowing sufficient time to develop a 
robust CMMC ecosystem and demonstrate the CMMC model before full 
implementation.
    Flexibility in the implementation plan that allows Program Managers 
and requiring activities to include CMMC requirements earlier in the 
plan than will be mandated by policy also generated questions and 
comments. Some commenters asked whether this could result in the DoD 
applying CMMC requirements to previously awarded contracts or asked 
that the rule specify they will apply only to new contracts. Another 
asked about opportunities to renegotiate the contract ceiling price if 
CMMC assessments are required for option period exercise. One commenter 
asked that the rule be revised to exclude these flexibilities to result 
in an ``on/off'' approach to implementation.
    Another commenter asked what mechanisms the DoD would have to 
change the pace of implementation or monitor the contracts that include 
CMMC requirements.
    Response: The DoD lacks the authority to implement CMMC as a 
Federal-wide program. The 48 CFR part 204 CMMC Acquisition rule for 
CMMC will be updated to align with this 32 CFR part 170 CMMC Program 
rule and will modify DFARS clause 252.204-7021. CMMC Phase 1 
implementation will commence when both the 32 CFR part 170 CMMC Program 
rule and the 48 CFR part 204 CMMC Acquisition rule are in effect. Some 
commenters may have overlooked that Sec.  170.3(e) states Phase 1 
begins on the effective date of this 32 CFR part 170 CMMC Program rule 
or the complementary 48 CFR part 204 CMMC Acquisition rule, whichever 
occurs later. The implementation plan describes when CMMC level 
requirements will appear in solicitations; it does not define a 
timeframe by which all contractors must be certified. During the first 
phases of the plan, a majority of CMMC requirements will be for self-
assessment.
    In response to public comments, the DoD has updated the rule to 
extend Phase 1 by six months, with appropriate adjustments to later 
phases; Phase 2 will start one calendar year after the start of Phase 
1. DoD is not conducting Pilots in the updated CMMC implementation 
plan. The phased implementation plan described in Sec.  170.3(e) is 
intended to address ramp-up issues, provide time to train the necessary 
number of assessors, and allow companies the time needed to understand 
and implement CMMC requirements.
    The DoD's objective timeline to begin implementing the CMMC 
requirements has been, and remains, FY2025. The implementation period 
will consist of four (4) phases, 1 through 4, and is intended to 
address any CMMC assessment ramp-up issues, provide the time needed to 
train the necessary number of assessors, and to allow companies time to 
understand and implement CMMC requirements. It is estimated that full 
implementation of CMMC by all defense contractors will occur over seven 
years, given the 
number of DoD solicitations contractors respond to and are awarded each 
year.
    The four phases add CMMC level requirements incrementally, starting 
in Phase 1 with Level 1 and Level 2 Self-assessments, and ending with 
Phase 4 for Full Implementation, as addressed in Sec.  170.3(e)(4). By 
Phase 3, all CMMC Levels 1, 2, and 3 will be included in some DoD 
solicitations and contracts, but Level 3 requirements may be identified 
for implementation as option period requirements rather than for 
initial contract award. In Phase 4, DoD will include CMMC requirements 
in all applicable DoD contracts and option periods on contracts awarded 
after the beginning of Phase 4. As addressed in Sec.  170.18(a), 
receipt of a CMMC Level 2 Final CMMC Status for information systems 
within the Level 3 CMMC Assessment Scope is a prerequisite for a CMMC 
Level 3 certification assessment.
    CMMC self-assessment requirements build on the existing DFARS 
clause 252.204-7020 requirement for basic safeguarding of CUI. CMMC 
Level 3 requires advanced implementation, and the phase-in period 
provides additional time for OSCs to achieve the higher standard. In 
phase 4, which is full implementation, CMMC requirements must apply to 
new contracts and option year awards. The DoD may choose to negotiate 
modifications adding CMMC requirements to contracts awarded prior to 
CMMC implementation, as needed. No changes to this rule are needed to 
reflect existing contract administration processes. Questions on 
specific contracting matters, including contract costs and funding, are 
outside of the scope of this rule.
    With the implementation of the final 32 CFR part 170 CMMC Program 
rule and 48 CFR part 204 CMMC Acquisition rule, prospective DoD 
contractors and subcontractors should be actively preparing for DoD 
contract opportunities that will include CMMC Program requirements when 
performance will require the contractor or subcontractor to process, 
store, or transmit FCI or CUI. The respective phases of the 
implementation plan provide adequate time to complete CMMC requirements 
and DoD program requirements and timelines will dictate the programs 
that may warrant CMMC Level 3 requirements during the phased 
implementation of CMMC.
    DoD considered many alternatives before deciding upon the current 
CMMC implementation plan. The phased implementation plan is based on 
CMMC assessment level and type, which DoD believes to be a fair 
approach for all prospective offerors. Defining the phase-in based on 
contract type, company size standard, or other potential bases could 
lead to unfair advantage. Program Managers will have discretion to 
include CMMC Status requirements or rely upon existing DFARS clause 
252.204-7012 requirements, in accordance with DoD policy. The DoD will 
monitor the Program Managers' exercise of this discretion to ensure a 
smooth phase-in period. The decision to rely upon CMMC self-assessment 
in lieu of certification assessment is a Government risk-based decision 
based upon the nature of the effort to be performed and CUI to be 
shared. Note that Sec.  170.20, Standards acceptance, states that OSCs 
that completed a DCMA DIBCAC High Assessment with a score of 110, 
aligned with CMMC Level 2 scoping, will receive Final CMMC Status for a 
Level 2 certification assessment.
    As noted by one commenter, self-assessments against NIST SP 800-171 
are already required, and verifying compliance with applicable security 
requirements is necessary for the protection of DoD CUI. For all CMMC 
independent assessments (i.e., Level 2 or 3), DoD policy guides Program 
Managers in appropriately including these requirements in DoD 
solicitations. DoD systems that support the procurement process can 
identify the number of contracts issued that include any specific 
clause. Such metrics for the CMMC Program are not within the scope of 
this rule.
    The seven-year timespan reflects the DoD's estimate for all defense 
contractors to achieve CMMC compliance. The implementation plan ramps 
up CMMC assessment requirements over 4 phases, such that the ecosystem 
will reach maximum capacity by year four. One commenter referenced the 
response to a specific comment to the 2020 CMMC rule. Those earlier 
questions about the 2020 rule publication are no longer relevant due to 
changes made in the more recent 2023 rule publication. DoD estimates 
acknowledge that contractors with existing contracts may not receive 
another contract award or even submit another proposal immediately.
    The DoD has developed CMMC to increase consistency of 
implementation of NIST SP 800-171 R2 and NIST SP 800-172 Feb2021. 
Specifically, this rule provides extensive information on scoring 
methodology, in an effort to improve self-assessments. The use of 
independent C3PAOs further enforces consistency for those companies 
that need to meet a CMMC Level 2 certification requirement. The DoD has 
considered the suggestions and declines to modify the phase-in periods 
based on total score required, or other criteria, which would not 
provide the desired improvements in DIB cybersecurity.
    The DoD notes the commenter's concern that self-assessments go away 
after Phase 4. Requirements from earlier phases continue as each 
additional phase is implemented. When applicable, self-assessments will 
still be allowed, as appropriate, in Phase 4. This rule describes flow 
down requirements to subcontractors. This rule makes no change to 48 
CFR 252.204-7008.

8. Commercially Available Off-the-Shelf (COTS) Procurements

    Comment: One comment suggested that COTS should be more explicitly 
defined, or that the model outlined in Sec.  170.2 should 
encompass COTS products. Two comments questioned the exemption of CMMC 
requirements for contracts or subcontracts exclusively for commercial 
off-the-shelf (COTS) items. Others questioned applicability of CMMC 
requirements to COTS procurements and/or purchases at or below the 
micro-purchase threshold. Finally, one commenter questioned the 
validity of a COTS exclusion, stating that no COTS components are 
exempt from DoD's certification requirements from DISA or NSA.
    Response: The term Commercially available off-the-shelf (COTS) is 
defined in FAR part 2.101. Some comments pertained to content of the 48 
CFR part 204 CMMC Acquisition rule, including applicability of CMMC 
clauses to COTS procurements and/or those below the micro-purchase 
threshold. Such comments are not within the scope of this CMMC 32 CFR 
part 170 CMMC Program rule, which outlines program requirements and not 
acquisition procedures. CMMC requirements do not apply to contracts and 
subcontracts that are exclusively for the delivery of COTS products to 
a DoD buyer. The exemption does not apply to a contractor's use of COTS 
products within its information systems that process, store, or 
transmit CUI. CMMC assessments are conducted on contractor owned 
information systems to ascertain compliance with the designated FAR, 
DFARS, and NIST requirements.

9. Specific Product Recommendations

    Comment: One managed service provider expressed concern that the 
specific tools they use to provide services might be considered 
Security Protection Assets or generate Security Protection Data in the 
context of CMMC assessment requirements, which might result in clients 
electing to use their own tools and products in lieu 
of the managed service provider. This commenter attached a list of more 
than a dozen commercial products and tools they use as examples 
associated with this concern. One commenter used their public comment 
submission to submit materials marketing services their company can 
provide, while another commenter suggested the rule direct readers to a 
website listing all software, tools, and applications deemed ``safe and 
cost effective'' by virtue of CMMC assessment.
    Another commenter asserted that all companies need access to 
cybersecurity solutions from DHS/CISA and grants to assist them in 
buying Zero Trust technologies to protect CUI. Similarly, some 
commenters recommended various other cybersecurity tools, programs, or 
technologies that could be used to meet CMMC security requirements and 
provide threat intelligence to DIB companies. Such recommendations 
included portals used in conjunction with perimeter and privileged 
access management systems. One commenter proposed delaying 
implementation of the CMMC rule until all DoD contractors' system 
architectures could be analyzed for possible implementation of Virtual 
Machines, or Blockchain for secure data transmission, or hosting of all 
CUI on DoD hosted platforms.
    Response: The government cannot comment on specific products or 
vendors, including marketing materials submitted via public comment. 
However, companies that act as ESPs should note this rule does not 
require CMMC assessment or certification of ESPs that do not process, 
store, or transmit CUI. Services provided by an ESP are in the OSA's 
assessment scope.
    Comments pertaining to solutions available from other Federal 
agencies or expressing a desire for grants to obtain Zero Trust 
solutions or other cybersecurity solutions are also beyond the scope of 
the CMMC rule. A wide range of technologies may be used to implement 
CMMC requirements. DoD will not comment on specific OSA technology 
choices. The Department declines the recommendation to review the 
system architectures of all DoD contractors. The DoD did not modify the 
rule to identify a repository of ``safe and cost effective'' software, 
applications, and tools because a CMMC assessment does not evaluate 
commercial products or services for those characteristics and the 
government does not provide product endorsements.

10. Applicability

a. Systems Operated on Behalf of DoD and National Security Systems
    Comment: The DoD received questions about whether CMMC requirements 
apply to information systems that are designated as National Security 
Systems, Defense Business Systems, or systems operated on the DoD's 
behalf. In concert with those questions, one person recommended adding 
NIST SP 800-53 R5 requirements to the rule for such systems. The 
commenter further recommended expanding applicability of the rule to 
include contractor-owned systems that directly affect DoD NSS. Two 
commenters recommended edits to clarify that CMMC requirements do not 
apply to NSS or to government systems operated by contractors on the 
DoD's behalf.
    One commenter asked if a Cloud Service Provider that stores CUI 
would have to be at Impact Level 4 in accordance with the DISA Cloud 
Computing Security Requirements Guide.
    Response: The CMMC assessment requirements apply in conjunction 
with FAR clause 52.204-21 and DFARS clause 252.204-7012 requirements 
and provide a mechanism for verifying compliance with the security 
requirements for safeguarding FCI or CUI (e.g., NIST SP 800-171) levied 
by those clauses.
    The CMMC Program does not alter any additional security 
requirements that may be applicable to contractor-owned information 
systems that may also meet the criteria for designation as NSS.
    There is no conflict between the CMMC rule and the DISA Cloud SRG, 
which applies to contractor information systems that are part of 
Information Technology (IT) services or systems operated on behalf of 
the Government. The CMMC rule does not apply to those systems (Sec.  
170.3(b)). The DoD declines to modify the rule because the 
applicability section already states this rule applies to contractor-
owned information systems.
b. Infrastructure Entities
    Comment: Many commenters had concerns about CMMC's potential impact 
to the energy and electric industries, Internet Service Providers 
(ISPs) and small, disadvantaged businesses looking to contract with the 
DoD, especially given dependencies on appropriate marking of Controlled 
Unclassified Information (CUI).
    Another commenter referenced Executive Order 13175, ``Consultation 
and Coordination with Indian Tribal Governments'' and requested 
information on CMMC impact to and potential exemptions for Native 
American and small disadvantaged contractors. Another commenter stated 
that some small businesses may stop providing cost estimating services 
to Federal agencies due to ``threatened penalties'' under CMMC 
requirements.
    One commenter recommended adding the definition of the defense 
industrial base (DIB), and referenced the Cybersecurity and 
Infrastructure Security Agency definition, which explicitly excludes 
commercial infrastructure providers from their definition of the 
Defense Industrial Base Sector. One commenter stated the lack of 
clarity around requirements for electric cooperatives under the CMMC 
framework is causing concern about unanticipated cost impacts for these 
smaller entities. The commenter requested that DoD provide contractors 
the ability to recover unanticipated costs incurred to achieve CMMC 
certification.
    Another commenter asked about potential CMMC exemptions for 
telecommunications providers, specifically for end user encryption. The 
commenter stated the DoD needs to impose CUI encryption requirements on 
the relevant contractors and not telecommunications network providers, 
who have no control over whether a user encrypts the information sent 
over those networks. The commenter also noted that definitions of 
``common carrier'' vary across Federal Government and suggested the DoD 
should create a blanket exemption for contracts involving commercial 
communications networks that are not ``purpose-built'' to transmit 
sensitive government data. Another commenter suggested the CMMC Rule 
should further clarify that encryption must be configured such that the 
common carrier does not have access to the decryption key(s).
    Several commenters requested clarity around CUI, citing general 
confusion among industry about which CUI is subject to the CMMC 
Program. Some commenters interpreted the rule as proposing to apply to 
all CUI information, rather than just information handled by the 
contractor ``in support of a defense contract'' and asserted that this 
would be an expansion beyond the current DFARS clause 252.204-7012 
requirements. They further suggested this broad definition could result 
in companies applying costly controls to all apparent CUI, regardless 
of its association with DoD, to avoid penalties under the False Claims 
Act. They recommended clearly stating that CUI provided to contractors 
by non-DoD agencies should be 
subject to the requirements of those agencies and not the CMMC Program.
    A commenter said the electric industry will experience increased 
costs as electric utilities comb through vast amounts of data across 
the electric grid to determine all potential CUI, even if that CUI is 
not specifically subject to a DoD contract. One commenter stated that 
guidance DoD has provided for electric utilities to identify CUI in the 
past is insufficient and suggested that use of Security Classifications 
Guides could help by minimizing the need for CMMC compliance. In 
addition, they speculated that inclusion of CMMC requirements could 
create requirements after award which might require adjustments to 
contract price. Another commenter stated energy companies servicing 
military customers must develop governance programs around data 
protection years in advance, with significant investments. The 
commenter is concerned that CMMC requires these companies to make these 
large investments prior to knowing if a proposed contract may contain 
CUI and without adequate guidance about what data is considered CUI.
    Response: This rule has no disproportionate impact on Native 
American-owned businesses. Once identified as a requirement, the CMMC 
Level will apply uniformly to all prospective competitors. DoD must 
enforce safeguarding requirements uniformly across the Defense 
Industrial Base for all contractors and subcontractors who process, 
store, or transmit CUI. The value of information (and impact of its 
loss) does not diminish when the information moves to DoD contractors 
and DoD subcontractors, regardless of their status as Native American 
or small disadvantaged businesses.
    The CMMC Program rule does not include ``threatened penalties.'' If 
a requirement of a DoD contract is not met, then standard contractual 
and other remedies applicable to that contract may apply.
    CMMC Program requirements make no change to existing policies for 
information security requirements implemented by DoD. Policies for CUI 
and creation of program documentation, to include Security 
Classification Guides, are separate from this rule.
    Section 170.4(b) of the rule states that the Defense Industrial 
Base (DIB) 
is defined in 32 CFR part 236, which addresses DoD and DIB Cyber 
Security Activities. Section 236.2 includes the DoD approved definition 
for DIB.
    The CMMC Program applies only to DoD contracts that include the 
DFARS clause 252.204-7021 and under which FCI or CUI is processed, 
stored, or transmitted on contractor information systems.
    This includes CUI outside the category of the Defense 
Organizational Index Group. Contracts for the provision of electricity 
or other utilities which do not contain FAR clause 52.204-21 or DFARS 
clause 252.204-7012 and which do not require the processing, storing, 
or transmitting of FCI or CUI on contractor owned information systems 
will not require CMMC assessment. The CMMC rule makes no change to FAR 
cost allowability or cost accounting standards. The 32 CFR part 170 
CMMC Program rule has been updated to add ``in performance of the DoD 
contract'' to Sec.  170.3, and the 48 CFR part 204 CMMC Acquisition 
rule will provide the contractual direction.
    A common carrier's information system is not within the 
contractor's CMMC Assessment Scope if CUI is properly encrypted during 
transport across the common carrier's information system. A common 
carrier who is a DoD contractor or subcontractor is responsible for 
complying with the CMMC requirements in their contracts. CUI encryption 
requirements already apply to the OSA, not the telecommunications 
network provider. The lack of adequate encryption on the part of the 
OSA would not trigger application of CMMC requirements to the common 
carrier's network. The term ``common carrier'' appears in the comment 
section to a previous rulemaking process. Its definition and use are 
taken from CNSSI 4009. Efforts to define it or related terms by other 
agencies are outside the scope of the CMMC Program. Commenter scenarios 
where a common carrier would be privy to an OSA's encryption keys are 
unrealistic. DoD declines to provide additional guidance.
    Relevant policies 
include DoDI 5200.48 ``Controlled Unclassified Information'' and DoD 
Manual 5200.45 ``Instructions for Developing Security Classification 
Guides''. CMMC Program requirements will be identified as solicitation 
requirements. Contractors will be required to meet the stated CMMC 
requirements, when applicable, at or above the level identified. For 
this reason, it is up to each DIB organization to determine which CMMC 
level they should attain.
    Questions regarding specific contractual matters are outside of the 
scope of this rule and may be addressed by the 48 CFR part 204 CMMC 
Acquisition rule. The CMMC program will be implemented as a pre-award 
requirement.
c. Joint Ventures
    Comment: Two commenters requested clarification as to whether CMMC 
requirements will apply to companies engaged in Joint Ventures.
    Response: CMMC program requirements are applicable when DoD 
requires processing, storing, or transmitting of either FCI or CUI in 
the performance of a contract between DoD and the respective 
contractor. CMMC Program requirements will apply to information systems 
associated with contract efforts that process, store, or transmit FCI 
or CUI, and to any information system that provides security 
protections for such systems, or information systems not logically or 
physically isolated from all such systems. The identity of an offeror 
or contractor as a joint venture does not in and of itself define the 
scope of the network to be assessed.
d. Fundamental Research Efforts
    Comment: One commenter recommended that both the sharing of CUI and 
the decision to apply a CMMC compliance assessment should only be 
considered for contracts of sufficient contract value and performance 
period to make the expense of safeguarding CUI worthwhile. This 
commenter asserted that small businesses are selected for SBIR contract 
award not based on ability to protect information, but instead on the 
unique product or service they offer.
    Some commenters expressed concern that CMMC could result in state-
funded universities incurring costs to comply with CMMC Level 2, when 
even the costs of implementing the required FCI safeguarding 
requirements are a significant financial burden. These commenters 
speculated that applying FCI or CUI markings to fundamental research 
information would negatively impact academic institutions by requiring 
them to remove such data from the public domain. One of these 
commenters cited DFARS clause 252.204-7000 as rationale to modify the 
CMMC rule to exclude fundamental research.
    One commenter requested that when contracting for fundamental 
research, the Government include a CMMC requirement based only on 
whether information shared is currently FCI or CUI, and not whether 
the effort might lead to development of FCI or 
CUI. Another commenter requested that DoD issue policies clearly 
describing how to recognize or identify circumstances that could result 
in fundamental research becoming FCI or CUI such that it would require 
being processed, stored, or transmitted on CMMC compliant information 
systems. The commenter expressed concern that absent such policies, 
research institutions may house all DoD-related project activities in 
CUI enclaves ``out of an abundance of caution'', thereby unnecessarily 
expanding CUI applicability at significant cost. They asked that DoD 
Instruction 5200.48, ``Controlled Unclassified Information,'' and a 
related DoD policy memorandum ``Clarifying Guidance for Marking and 
Handling Controlled Technical Information in accordance with Department 
of Defense Instruction 5200.48, `Controlled Unclassified Information'' 
be incorporated into the rule by reference.
    One commenter questioned whether and how CMMC requirements may 
apply to non-contract efforts, including grants, or efforts conducted 
under Other Transactional Authorities.
    Response: One of the main purposes of the CMMC Program is to ensure 
that DoD contracts that require contractors to safeguard CUI will be 
awarded to contractors with the ability to protect that information. 
All contractor-owned information systems that process, store, or 
transmit CUI are subject to the requirements of NIST SP 800-171 when 
DFARS clause 252.204-7012 is included in the contract. This is the case 
whether or not the contractor is engaged in fundamental research.
    To the extent that universities are solely engaged in fundamental 
research that only includes information intended for public release and 
does not include FCI or CUI, no CMMC requirement is likely to apply. 
When a research institution does process, store, or transmit FCI, the 
information should be adequately safeguarded in accordance with the FAR 
clause 52.204-21, if applied. When a research institution does process, 
store, or transmit CUI, the information should be adequately 
safeguarded in accordance with the DFARS clause 252.204-7012, if 
applied. That clause makes the contractor owned information system 
subject to NIST SP 800-171, which includes requirements for Awareness 
and Training (AT) and Physical Protection (PE). The CMMC Program 
provides a means to verify compliance.
    DoD's CUI program policies already address responsibilities for 
identifying and marking information, including procedures for changing 
markings. The DoD declined to incorporate all the references associated 
with marking and handling CUI. The DoD instructions and policy guidance 
are authoritative and incorporating them into the CMMC regulation is 
beyond the scope of this rule. DoD declines to update the preamble to 
exclude the possibility that information may be designated CUI over the 
course of time. According to an A&S memo dated 31 March 2021, titled 
Clarifying Guidance for Marking and Handling Controlled Technical 
Information in accordance with Department of Defense Instruction 
5200.48, ``Controlled Unclassified Information,'' ``Information related 
to RDT&E-funded research efforts, other than fundamental research, do 
not always qualify as CUI.'' This implies that some DoD fundamental 
research may qualify as CUI. When the DoD does determine that research 
meets the definition of CUI, safeguarding requirements of DFARS clause 
252.204-7012 will apply regardless of whether the contractor's work is 
fundamental research. In such instances, CMMC assessment requirements 
may also be applied. Contractors should work closely with Government 
Program Managers to ensure a proper understanding of the data being 
developed and the appropriate markings and safeguarding.
    Questions regarding the application of CMMC requirements to 
specific transactions, including grants and OTAs, are outside of the 
scope of this 32 CFR part 170 CMMC Program rule.
e. DoD Waiver of CMMC Applicability
    Comment: Several questions were submitted about waiver procedures 
for CMMC requirements. For example, someone asked which DoD person or 
office has authority to approve waiver requests. Others also requested 
insight to the specific criteria for waiver approval. One commenter 
submitted preferred rewording of the rule section that describes 
waivers while another suggested self-assessment should be required even 
when certification is waived.
    Response: DoD internal policies, procedures, and approval 
requirements will govern the process for DoD to waive inclusion of the 
CMMC requirement in the solicitation. Once applicable to a 
solicitation, there is no process for OSAs to seek waivers of CMMC 
requirements from the DoD CIO. In accordance with Sec.  170.5(d), a 
limited waiver authority is provided to the Acquisition Executive with 
acquisition oversight for the program in question. These officials may 
issue supplemental guidance dictating specific coordination 
requirements for waiver requests. Recommended administrative changes 
have been incorporated into Sec.  170.5(d) to add clarity.

11. Determination of Applicable Assessment Type

a. Process for Level Determination
    Comment: Multiple comments asked how DoD will determine the CMMC 
level to include in solicitations. Multiple comments inquired about the 
criteria DoD will use to determine when to require a CMMC Level 2 self-
assessment, CMMC Level 2 certification, or CMMC Level 3 certification 
assessment. Multiple comments asked specifically about when CMMC Level 
2 self-assessment will be required versus CMMC Level 2 Certification. 
One comment requested more information on which companies may ``self-
attest''.
    One comment requested Sec.  170.5(a) be modified to prevent CMMC 
level 2 or 3 being assigned for contracts where only FCI is exchanged. 
One comment emphasized that requirement(s) for Contractor certification 
levels must be the same as stated throughout this proposed ruling. Two 
comments recommended providing contracting officers with interim 
guidance to ensure consistency in applying CMMC requirements. One 
comment requested the detailed guidance ensure CMMC requirements are 
selected based on risk, and that certification is not required by 
default.
    Some commenters objected to the wording of one criterion for level 
selection as ``potential for and impacts from exploitation of 
information security deficiencies''. One asserted this equates to a 
sub-CONFIDENTIAL security classification. One comment expressed that 
all information systems that process CUI should have the same level of 
``program criticality, information sensitivity, and the severity of 
cyber threat'' since CUI is Unclassified Information which is a 
``handling caveat''.
    Multiple comments requested a clearer description of what contracts 
require CMMC Level 3 Certification, one of which requested a definition 
of what constitutes a ``priority program'' that might require CMMC 
Level 3. One comment requested that acquisition processes first analyze 
the CUI for a proposed effort using published factors for aligning CUI 
to high value assets before setting CMMC levels. They asserted use of 
such published factors would improve accuracy of CUI marking.
    Response: Pre-award contracting procedures and processes for CMMC 
assessment requirements will be addressed in the 48 CFR part 204 CMMC 
Acquisition rule. CMMC is a pre-award requirement. As stated in the 
Applicability section summary of the CMMC rule (Sec.  170.3), once CMMC 
is implemented in the 48 CFR part 204 CMMC Acquisition rule, DoD will 
specify the required CMMC Level in the solicitation and the resulting 
contract.
    DoD's policies and procedures for the length of time allowed for 
proposal submission in response to any solicitation are beyond the 
scope of this rule. PMs typically consider the totality of the 
requirement when deciding how much time to allow for proposal 
submission or whether to seek industry input through Request for 
Information to inform solicitation details. Note that once attained, 
companies may reference a CMMC Status as part of any number of 
proposals to various solicitations with that level of CMMC requirement 
if the same assessment scope is used.
    The type and sensitivity of information to be utilized during the 
contract, FCI or CUI, determines the requirements in the solicitation, 
which then informs the CMMC level required. CMMC level 1 requirements 
are designed to be applied when FAR clause 52.204-21 security 
requirements apply to the contract, whereas CMMC level 2 and 3 
requirements are designed for the protection of CUI information, and to 
be applied when DFARS clause 252.204-7012 also applies.
    When CMMC Program requirements are effective, the DoD will begin 
including CMMC assessment requirements in solicitations as described in 
Sec.  170.3 Applicability. DoD solicitations will specify which 
requirements will apply to the contract award. Prior to issuance of a 
solicitation, DoD will determine the appropriate CMMC level and type of 
assessment needed to ensure adequate safeguarding of the DoD program 
information to be shared in performance of the contract. Identification 
of the CMMC level and assessment type will be part of the DoD's 
requirement definition process. As addressed in Sec.  170.18(a) of this 
rule, a CMMC Level 2 Final CMMC Status is a prerequisite for CMMC Level 
3 assessment and must be achieved for information systems within the 
Level 3 Assessment Scope.
    Identification of priority programs is a function of the 
requirements definition process for any DoD effort. The DoD will issue 
policy guidance to Program Managers to clarify which programmatic 
indicators should be considered for selecting the most appropriate 
information safeguarding requirement and associated CMMC assessment 
requirement for any given solicitation. Once identified as a 
requirement, the CMMC Status required will apply uniformly to all 
prospective competitors.
b. Who Determines the CMMC Level
    Comment: Two comments asked who, within the Department, determines 
the CMMC level required for a contract. One comment suggested that DoD 
should require senior-level approval to include CMMC Level 3 
Certification requirements in solicitations to limit unnecessary 
application. One comment inquired about when and how CMMC levels change 
during the program office's Agile Acquisition Framework lifecycle.
    Response: Based on DoD decision criteria that include the type and 
sensitivity of program information to be shared, Program Managers will 
identify and coordinate as appropriate the CMMC requirement in the 
solicitation. Internal policies for implementation of CMMC requirements 
by DoD's acquisition community have been developed, and work will 
continue as needed to integrate CMMC policies into relevant acquisition 
policies, guidebooks, and training materials. The DoD intends that 
requiring activities will determine when compliance should be assessed 
through CMMC Level 3 as part of the ordinary acquisition planning and 
requirements generation process.
    The CMMC assessment level required does not change based on 
acquisition lifecycle phase, but based on whether FCI and CUI are 
processed, stored, or transmitted on contractor-owned information 
systems. All contractor-owned information systems that process, store, 
or transmit CUI are subject to the requirements of NIST SP 800-171 when 
DFARS clause 252.204-7012 is included in the contract.
c. CMMC Level 3 Determination
    Comment: Multiple comments requested further clarification about 
which types or categories of CUI require enhanced protection against 
Advanced Persistent Threats (APTs) at CMMC Level 3 and whether the CMMC 
level would be based on the Program or the data. Two comments expressed 
concern or asked how DoD Components will avoid assigning CMMC Level 3 
requirements to too many contracts. One comment recommended that DoD 
modify its criteria for CMMC Level 3 to consider factors such as 
Acquisition Program Category.
    Response: CMMC levels do not correspond to CUI levels, as the CMMC 
Program requirements make no changes to the CUI Program, the categories 
of CUI, or existing DoD policies for information security 
requirements. The CMMC Flow down requirement is defined in Sec.  
170.23.
    The Requiring Activity knows the type and sensitivity of 
information that will be shared with or developed by the awarded 
contractor and selects the CMMC Level required to protect the 
information according to DoD guidance.
    The DoD declines to modify CMMC Level 3 selection criteria as 
described in the commenters' recommended alternatives, which have no 
bearing on DoD's need for increased confidence in a contractor's 
ability to safeguard certain CUI against Advanced Persistent Threats. 
The value of information, and impact of its loss, does not diminish 
based on the total number or dollar value of contracts held by the 
awardee, or acquisition program category. The DoD reserves the right to 
decide when compliance should be assessed by the Government through 
CMMC Level 3 certification. The DoD defines the work requirements to be 
solicited for any given program contract.
d. Environments Processing Both FCI and CUI
    Comment: Two commenters recommended the elimination of separate 
assessments when the FCI and CUI environments are the same. One of 
these comments requested clarification regarding the scenario of an OSC 
having one assessment scope environment for both FCI and CUI that meets 
Level 2 requirements.
    Response: CMMC Level 2 is required when CUI will be processed, 
stored, or transmitted on contractor information systems. Successful 
completion of a CMMC Level 2 self-assessment or CMMC Level 2 
certification assessment will suffice to meet the CMMC Level 1 
requirement for FCI if/when the scope is identical. The CMMC Level 2 
Scoping Guide reflects this language.
e. Recommendations and Scenarios
    Comment: One comment recommended removing CMMC Level 2 self-
assessment, changing the CUI Program, or creating a new type of CUI to 
distinguish between CMMC Level 2 self-assessment and CMMC Level 2 
Certification. Another comment noted that the requirements for CMMC 
Level 2 certification assessment are almost identical to requirements 
for CMMC Level 2 self-assessment. One comment expressed concern that 
DoD's designation of CMMC Level 2 self-assessment and certification 
assessment runs contrary to FCI (FAR 
requirements) and the CUI Program. One comment asked if the designation 
of information as FCI or CUI changes the scope of CMMC.
    One comment asked for clarification on which contracts will have 
sensitive unclassified DoD information but will not require CMMC 
assessment. One comment recommended removing the option for CMMC Level 
2 self-assessments to reduce complexity. One comment posed multiple 
questions about what DoD will do if contracting officers assign CMMC 
Level 2 or CMMC Level 3 Certification requirements at a rate 
substantially higher than projected.
    Response: The DoD CIO looked at CUI from a risk-based perspective 
and determined that different approaches to assessments could be 
implemented to address risk and help lower the burden for the DIB. The 
security requirements for a CMMC Level 2 self-assessment and a CMMC 
Level 2 certification assessment are the same; the only difference 
between the two is whether the assessment is performed by the OSA or by 
an independent C3PAO.
    The decision to rely upon self-assessment in lieu of certification 
assessment is a Government risk-based decision based upon the nature of 
the effort to be performed and CUI to be shared. The size of the 
company with access to the CUI is not a basis for this determination. 
The value of information (and impact of its loss) does not diminish 
when the information moves to contractors of smaller size. The DoD 
declines to modify the rule to include its internal decision process.
    To select a CMMC Level for a procurement, Program Managers and 
requiring activities will identify the applicable CMMC Level using the 
factors included in Sec.  170.5(b)(1) through (5). The DoD did agree 
with one comment to rephrase Sec.  170.5(b)(4) to delete a reference to 
the ``potential for'' impact from exploitation of information security 
deficiencies, which likely cannot be effectively determined. The DoD 
does not agree that the wording equates to a sub-CONFIDENTIAL 
classification and declines to delete that criterion. Sec.  170.5(b)(3) 
is appropriately worded in that it states Program Managers will 
consider the listed criteria in selecting a CMMC requirement level. It 
does not have the effect of ``transforming FCI into CUI''. The DoD 
reserves the right to define the criteria for selection of the CMMC 
assessment requirement, just as it defines all other requirements for 
inclusion in a solicitation.
    The Department remains committed to implementing the CMMC program 
to require compliance assessment against applicable security 
requirements in all DoD contracts involving FCI or CUI. Some such 
contracts will require only a CMMC self-assessment, while others will 
require a certification assessment. The commenter misinterprets the 
rule: absent an approved waiver, contracts that do require processing 
of FCI or CUI will require CMMC assessment of one kind or the other.
    The DoD declines to remove self-assessments from the rule. Self-
assessments allow the acquiring organization to balance the cost and 
complexity of assessment with the risk to the information being shared 
with the OSA.
    Supporting guidance for CMMC implementation will be updated, as 
necessary. DoD has options to mitigate implementation issues such as 
waivers and other contractual remedies. DoD's estimate of the number 
of contractors requiring CMMC Level 1, and the associated cost 
estimates, are derived from internal expertise and public feedback in 
accordance with OMB Circular A-4.

12. Flow-Down/Applicability to Sub Contractors

a. Applicability and Compliance
    Comment: Several comments requested clarification about the 
applicability of CMMC requirements to subcontractors and how to 
correctly flow down requirements. Some asked whether prime contractors 
would have flexibility to flow down a lower CMMC level than required 
for the prime contract. Three comments expressed confusion about the 
type of Level 2 assessment required for subcontractors when supporting 
a prime that is required to meet CMMC Level 3 requirements. Two asked 
about the impact to flow-down when contractors hold multiple contracts. 
A couple of comments requested clarity on how to determine the correct 
CMMC level to flow down.
    Some comments asked what factors would result in flow-down of a 
particular CMMC requirement level, or whether affirmations submitted by 
primes would require knowledge of subcontractor compliance status.
    Other comments asked what tools would be available to assist 
contractors in checking subcontractor compliance with CMMC requirements 
or suggested that SPRS should be made available for this purpose. One 
suggested that without this transparency, CMMC compliance would become 
a meaningless effort to ``check the box'' without actual steps to 
secure their systems. Another simply asked if they would have their own 
SPRS and eMASS access, or access through their prime. Some asked what 
action meets the rule's requirement to ``require subcontractor 
compliance'', i.e., does simply including the CMMC clause in 
subcontracts meet that requirement.
    One comment objected to the definition of subcontractor used in the 
rule, which they stated was overly broad and would result in 
application of CMMC requirements to too many businesses. Some comments 
suggested the flow-down requirement apply only to one sub-tier, while 
another requested advance notice of solicitations that plan to include 
CMMC requirements. One comment suggested that CUI be treated more like 
classified information, meaning to limit sharing of CUI with 
subcontractors. Some comments asked whether prime contractors are 
responsible for verifying subcontractor compliance with DFARS clause 
252.204-7012, as C3PAOs do during an assessment. Two comments 
recommended rephrasing the flow-down section, with one specifically 
asking to clarify it is required only when FCI or CUI will be 
processed, stored, or transmitted in the performance of any particular 
prime contract. Another suggested edits for clarity or for consistency 
with DFARS clause 252.204-7012.
    Response: It is up to each OSA to protect FCI and CUI and to 
determine the assessment boundary, policies, and procedures necessary 
to do that. Section 170.23 specifically addresses the CMMC requirements 
that apply to subcontractors that will process, store, or transmit FCI 
or CUI. Section 170.23 addresses flow down of CMMC requirements from 
the prime contractor to the subcontractors in the supply chain. Prime 
contractors are responsible for complying with contract terms and 
conditions, including the requirement to flow down applicable CMMC 
requirements to subcontractors. The DoD modified Sec.  170.23(a)(3) to 
clarify that when a subcontractor will process, store, or transmit CUI 
in performance of the subcontract and the Prime contractor has, for the 
associated prime contract, a requirement of Level 2 certification 
assessment, then CMMC Level 2 certification assessment is the minimum 
requirement for the subcontractor. Requirements for External Service 
Providers are defined in Sec.  170.4; not all companies that provide 
services to an OSA are considered ESPs.
    As in other contexts, the Government may specify additional 
guidance in the solicitation. CMMC assessments will be identified as 
pre-award requirements. Subcontractors at each tier are responsible for 
submitting their own assessment and affirmation information in SPRS. 
CMMC self-assessments and certifications will be reflected in SPRS, 
including an indicator of the currency of the credentials. Contracting 
Officers and Program Managers need not review any assessment artifacts, 
only the resulting scores and certificate validity period.
    Work arrangements between the prime and subcontractor are beyond 
the scope of this rule, however, if CUI is flowed down and will be 
processed, stored, or transmitted on subcontractor information systems 
in the performance of a DoD contract then CMMC requirements also flow 
down as described in Sec.  170.23. The DoD will not track progress 
toward certification but will implement CMMC as a pre-award 
requirement. An OSA's pursuit of a C3PAO assessment is a business 
decision to be made by each contractor considering the contract 
opportunities it wishes to pursue.
    The DoD disagrees with one commenter's assertion that CMMC 
requirement will flow down ``regardless of what work they do'', because 
it does not acknowledge the point that flow-down requirements are for 
subcontractors who process, store, or transmit CUI. The text of Sec.  
170.23, clearly conditions the flow-down to those cases when a 
subcontractor will process, store, or transmit FCI or CUI. The prime 
contractor's responsibility is to flow down CMMC assessment 
requirements as described in Sec.  170.23 and to ensure that FCI and 
CUI are not further disseminated to subcontractors that do not meet the 
CMMC requirement indicated in Sec.  170.23. Likewise, subcontractors 
must also flow down CMMC requirements and ensure that FCI and CUI are 
not further disseminated to subcontractors that do not meet the CMMC 
requirement indicated in Sec.  170.23. Section 170.23 has been revised 
to make this clearer. DoD declines to accept the recommendation to 
treat CUI like classified data. Classified information is managed 
differently from CUI, and different safeguarding regulations apply to 
these different categories of information (each of which are defined in 
32 CFR part 2002).
    This rule makes no change to CUI policies for marking of data, and 
CMMC levels are not CUI categories in the DoD CUI registry. Primes and 
their subcontractors must understand flow-down requirements based on 
Sec.  170.23, which clearly identifies requirements that apply when 
subcontractors will process, store, or transmit CUI in performance of 
the subcontract and the Prime contractor has a requirement of Level 3 
certification assessment (i.e., CMMC Level 2 certification assessment 
is the minimum requirement for the subcontractor). In addition, the 
rule has been revised to make clear that the requirement applies in the 
performance of a subcontract when the relevant prime contract has a 
CMMC requirement. The rationale for the minimum level 2 certification 
flow-down requirement is that the DoD made a risk-based decision not to 
mandate flow down of the level 3 requirement unless explicit guidance 
is provided to do so. As stated in Sec.  170.23(a)(3), when a Prime 
contractor has a requirement of Level 2 certification, any CUI that is 
flowed down for a subcontractor to process, store, or transmit in 
performance of the subcontract will also carry a minimum requirement of 
Level 2 certification assessment.
    CMMC Program requirements will be identified as solicitation and 
contract requirements, and contractors will be required to meet the 
stated CMMC requirements, when applicable, at or above the level 
identified. One commenter misinterpreted a response to a prior public 
comment. The quoted content says that contractors and subcontractors 
each must verify (through CMMC assessment) that all applicable security 
requirements of NIST SP 800-171 required via DFARS clause 252.204-7012 
have been implemented. Contractors are not required to assess 
subcontractor implementation of the requirements of NIST SP 800-171. 
The prime contractor's responsibility is to flow down CMMC assessment 
requirements as described in Sec.  170.23 and also to refrain from 
disseminating FCI or CUI to subcontractors that have not indicated 
meeting the CMMC level described in that section for the type of 
information to be shared. Likewise, subcontractors must also flow down 
CMMC requirements or refrain from disseminating FCI or CUI. The DoD 
does not provide SPRS access or other tools for contractors to identify 
the CMMC status of other companies. The DoD expects that defense 
contractors will share information about CMMC status with other DIB 
members to facilitate effective teaming arrangements when bidding for 
DoD contracts.
    Prime contractors will not be granted access to subcontractors' 
information in SPRS. However, prime contractors should communicate 
early and often with prospective subcontractors to confirm current CMMC 
status, including whether the level matches that required. This 
interaction does not involve the government and is beyond the scope of 
this rule.
    This rule follows the format and includes all sections required in 
OMB guidelines for formal rulemaking. The DoD lacks authority to modify 
the template or omit required sections, which results in some 
repetition.
    DIB contractors are responsible for submitting their Level 1 and 
Level 2 self-assessments and will access SPRS to enter the results. DIB 
contractors do not have access to CMMC eMASS, as that system is used to 
support certification assessments only.
    CMMC Program requirements are designed to require completion of an 
assessment and an annual affirmation. The purpose of the annual 
affirmation addressed in Sec.  170.22 is to validate to the DoD that 
the contractor is actively maintaining its CMMC level status, which is 
more than a checkbox exercise.
    One commenter misinterpreted the quoted definition of 
subcontractor, which makes clear that term includes only those entities 
providing supplies, materials, equipment, or services under a 
subcontract in connection with the prime contract. DFARS clause 
252.204-7012 and FAR clause 52.204-21 also flow-down the requirement to 
safeguard information. CMMC program requirements will be flowed down 
similarly, therefore there is no anticipated expansion of scope. The 
cost estimates included in the published rule include costs for both 
existing DIB members and new entrants (or newly covered entities).
    The DoD modified the Overview summary of CMMC 2.0 to read ``The 
DFARS clause 252.204-7012 also requires defense contractors to include 
this clause in all subcontracts that will require the subcontractor to 
process, store, or transmit CUI.'' The DoD declined additional edits in 
this location that requested reframing the criteria Program Managers 
will use to select CMMC requirements to address Levels 2 and 3 only. 
The DoD may apply CMMC Level 2 or 3 requirements when there is 
anticipation of the need for the contractor or subcontractors to 
process, store, or transmit CUI during the performance of a contract.
b. Prime and Subcontractor Relationships
    Comment: Many requested specific examples of when a prime 
contractor should flow down its CMMC requirements to a subcontractor or 
ESP, and how to determine the appropriate CMMC level to flow down. For 
example, one comment asked whether the subcontract document would require 
safeguarding, necessitating flow-down of the CMMC requirement. Some 
comments expressed concern that flow-down requirements are not 
sufficiently clear to prevent prime contractors from unnecessarily 
sharing CUI and applying CMMC requirements to lower tier suppliers. 
Another thought that the flow-down requirements will drastically expand 
the scope of the program and drive cost increases for the DIB.
    Several comments suggested strategies for minimizing the burden of 
security implementation on lower tier subcontractors, such as requiring 
prime contractors to provide access to CUI on prime contractor systems, 
or prohibiting prime contractors from unnecessarily sharing CUI 
information that would necessitate a CMMC requirement. One asked 
whether the prime contractor has a responsibility to check which CMMC 
level the subcontractor has flowed down to the next tier. One comment 
referenced industry activities aimed at gauging subcontractor 
preparedness for CMMC and expressed concern with anecdotal evidence 
that primes will not issue orders until the subcontractor has submitted 
CMMC scores into SPRS.
    Response: One commenter correctly interpreted Sec.  170.23(a)(3) as 
meaning that CMMC level 2 Certification requirements (not self-
assessments) flow down for subcontractors that will handle CUI when the 
Prime contract specifies a CMMC Level 2 Certification requirement.
    At the time of award, the DoD may have no visibility into whether 
the awardee will choose to further disseminate DoD's CUI, but DFARS 
clause 252.204-7012 and DFARS clause 252.204-7021 require that the 
prime contractor flow down the information security requirement to any 
subcontractor with which the CUI will be shared. Decisions regarding 
the DoD information that must be shared to support completion of 
subcontractor tasks, will take place between the prime contractor and 
the subcontractors chosen to complete the specific tasks. The DoD 
encourages prime contractors to work with their subcontractors to flow 
down CUI with the required security and the least burden. The DoD 
declines to revise the rule to address responsibilities for derivative 
marking of CUI because this rule makes no change to DFARS clause 
252.204-7012 or DoD's CUI policies regarding marking of CUI, including 
creation of information.
    The specific contractual language is part of the 48 CFR part 204 
CMMC Acquisition rule and beyond the scope of this 32 CFR part 170 CMMC 
Program rule. This rule describes DoD's intent for CMMC Program 
requirements, which include that all prime and subcontractors at all 
tiers that process, store, or transmit CUI in the performance of a DoD 
contract (or sub-contract) are required to demonstrate compliance with 
the contract requirements (i.e., FAR clause 52.204-21 or DFARS clause 
252.204-7012) for adequately safeguarding FCI or CUI.
    CMMC flow-down requirements are designed to apply consistent 
assessment requirements to all subcontractors, regardless of company 
size, who are required to adequately safeguard CUI. The DoD cannot 
dictate DIB business practices and encourages prime contractors to 
carefully consider the necessity of sharing CUI information and work 
with subcontractors to flow down CUI only when deemed appropriate.
    Likewise, the criteria by which contractors select CSPs for support 
or the availability of GFE for any particular contract are beyond the 
scope of this rule. The DoD declines to limit CMMC program requirements 
to the first-tier subcontractor, as suggested by the commenter. When a 
contractor or subcontractor responds to multiple solicitations, that 
contractor should complete the highest assessment level among them for 
the assessment scope defined for use in performance of the contracts. 
The contractor may also elect to structure its environment to meet 
differing CMMC requirements based on the contract(s) in question.
    Contractual remedies for non-compliance are a 48 CFR part 204 CMMC 
Acquisition rule matter and beyond the scope of this rule.
c. Requirements
    Comment: Some comments objected to CMMC Level 2 certification 
assessment being identified as the minimum flow-down from prime 
contractors with a CMMC Level 3 requirement. They asked how the more 
sensitive data associated with a Level 3 requirement would be tracked. 
Three asked whether CMMC Level 2 certification assessment must be 
flowed down as the CMMC requirement when the prime contract requires a 
higher level, and the subcontract is for limited scope. One comment 
complained that the rule does not actively encourage primes to flow 
down Level 2 self-assessment requirements instead of certification 
requirements.
    One comment suggested the Department is impermissibly attempting to 
make sensitivity determinations of other agencies' CUI and FCI through 
the implementation of this rule.
    Another comment requested affirmation that contractors remain 
responsible for determining whether information that they create 
(derived from CUI) retains its CUI identity when sharing that 
information with lower tier suppliers, and for determining any 
associated CMMC flow-down requirement.
    Response: DoD will issue guidance to Program Managers to reiterate 
the most appropriate information safeguarding requirements for DoD 
information and the associated CMMC assessment requirement for any 
given solicitation. CMMC program requirements will be identified in the 
solicitation, and contractors will be required to meet the stated CMMC 
requirements, when applicable, at or above the level identified by the 
time of contract award. CMMC requirements flow down from primes to 
subcontractors, as described in Sec.  170.23.
    The DoD declined to provide forecasts of upcoming DoD solicitations 
with CMMC assessment requirements. Given that FAR clause 52.204-21 was 
effective in 2016 and DFARS clause 252.204-7012 was effective in 2017, 
OSAs have had over seven years to implement NIST SP 800-171 R2 
requirements and close out POA&Ms. DoD contracts that require OSAs to 
process, store, or transmit CUI and include DFARS clause 252.204-7020, 
also require a minimum of a self-assessment against NIST SP 800-171 
requirements. That self-assessment includes the same requirements as 
the CMMC Level 1 and CMMC Level 2 self-assessments.
    DoD must enforce CMMC requirements uniformly for all defense 
contractors and subcontractors, regardless of size, who process, store, 
or transmit FCI and CUI. The value of DoD 
information (and impact of its loss) does not diminish when the 
information moves to contractors and subcontractors. The DoD cannot 
dictate business practices but encourages prime contractors to work 
with its subcontractors to limit the flow down of FCI and CUI. The DoD 
declines to base CUI safeguarding requirements on contract ceiling 
value.
    This DoD 32 CFR part 170 CMMC Program rule does not impact or 
supersede 32 CFR part 2002 (the CUI Program) or make exceptions for the 
categories of CUI or the Designating Agency for the CUI. CMMC 
requirements apply to DoD contracts that will involve processing, 
storing, or transmitting of FCI or CUI on any non-Federal information 
system.

13. The CMMC Ecosystem Roles, Responsibilities and Requirements

a. Government
    Comment: Some comments asked how the Department plans to address 
complaints and concerns from ecosystem stakeholders and the process by 
which disputes between OSCs and C3PAOs or the CMMC AB are resolved. Two 
comments wanted the CMMC PMO to document a process for ecosystem 
stakeholders to register complaints or use of Service Level Agreements 
to hold the Department accountable to respond.
    Some asked whether the DoD could be subject to litigation 
challenging DoD's reliance on the CMMC AB's appeals process to resolve 
disputes between OSCs and C3PAOs. The commenters asserted resolving 
such disputes may be an inherently governmental function. One commenter 
noted that transactions between OSCs and C3PAOs for initiating an 
assessment are beyond the DoD's authority to regulate, since the DoD is 
not a party to the transaction. They perceived DoD's indirect oversight 
of C3PAOs through the CMMC AB as creating conflicts of interest and 
potential legal liabilities. One commenter requested the DoD modify the 
rule to state the CMMC PMO is responsible for the assessment and 
monitoring of the CMMC AB, as well as the CMMC AB's performance of its 
roles.
    One commenter noted the ISO/IEC 17011:2017(E) requirements that the 
CMMC AB must meet and asked why the rule identifies a timeline for 
compliance instead of requiring immediate accreditation.
    One commenter referenced a CMMC-related Request for Information 
issued prior to CMMC program development to gauge industry's capability 
to provide the necessary ecosystem accreditation and management 
functions. They asserted no response was provided to their RFI 
response.
    One comment suggested the CMMC PMO should develop a process to act 
as the authoritative source for assessment interpretations to ensure 
consistency. One person asked which DoD office authored the rule. 
Another noted the realignment of the CMMC PMO from OUSD(A&S) to DoD CIO 
and asked whether this indicated a lack of OUSD(A&S) involvement in the 
program. One commenter noted that DoD Program Managers and requiring 
activities have a role in the CMMC Program and suggested that their 
responsibilities for marking and managing CUI be added to the rule.
    One commenter wanted to require DIBCAC assessors to complete CCP 
and CCA training and certification exams through a CAICO approved 
licensed training provider.
    Response: DoD agreed with the commenter that the government does 
not have authority over transactions between the OSC and C3PAO. The 
roles and responsibilities of the government are set forth in Sec.  
170.6. The interaction between the CMMC Accreditation Body and C3PAOs 
is governed by the requirements of this rule in Sec. Sec.  170.8 and 
170.9, including Conflict of Interest, Code of Professional Conduct, 
and Ethics policies, as well as ISO/IEC standards.
    All DCMA DIBCAC assessors comply with DoD regulations regarding the 
cybersecurity workforce, to include DoD Directives 8140 and 8570 and 
other internal training standards. DCMA DIBCAC assessors' credentials 
for CMMC Levels 2 and 3 exceed the training that CCPs and CCAs complete 
through Approved Training Providers and include industry certification 
and a security clearance. Additionally, DCMA DIBCAC assessors must take 
the CMMC certification examinations.
    DoD's contract with the CMMC AB places responsibility for Level 2 
assessment interpretation on the CMMC Accreditation Body. The CMMC 
Accreditation Body publishes assessment procedures and guidance for 
C3PAOs conducting CMMC Level 2 Certification Assessments. The CMMC 
AB is required to provide the CMMC PMO with all plans or changes 
related to its own activities and activities within the CMMC Ecosystem 
for review prior to implementation and publication. The DCMA DIBCAC is 
responsible for CMMC Level 3 assessment interpretation and will use the 
same process that is used for DIBCAC High Assessments.
    Management oversight of the CMMC Program was realigned from the 
OUSD(A&S) to the Office of the DoD CIO for better integration with the 
Department's other DIB cybersecurity related initiatives. Comments 
pertaining to DoD's organizational structure are not relevant to the 
content of this rule. The DoD CIO is responsible for all matters 
relating to the DoD information enterprise, including network policy 
and standards and cybersecurity. In this capacity, the DoD CIO 
prescribes IT standards, including network and cybersecurity standards. 
The DoD CIO oversees programs to enhance and supplement DIB company 
capabilities to safeguard DoD information that resides on or transits 
DIB unclassified information systems.
    The DoD reviewed and assessed whitepapers that were submitted by 
RFI respondents and determined that no single respondent could meet all 
the broad facets required to serve as the CMMC Accreditation Body.
    Sec. Sec.  170.8, 170.9, and 170.10 document the roles of the CMMC 
AB and the CAICO in managing a complaints/appeals process for CCAs, 
CCPs, and C3PAOs. OSCs concerned about the results of a Level 2 or 
Level 3 Certification assessment have a route of appeal documented in 
Sec.  170.9. DoD, as the contracting entity, is not subject to service 
level agreements. Vendors and prospective vendors can voice concerns 
with the relevant contracting officer. External organizations may 
utilize existing DoD procedures to file complaints or concerns against 
any DoD organization.
    This rule establishes requirements for the conduct of assessments, 
as well as the requirements for handling of disputes, to include an 
appeals process. In the roles established by this rule, C3PAOs and the 
CMMC AB execute program requirements as codified in the 32 CFR part 170 
CMMC Program rule, with appropriate DoD oversight. For ISO/IEC 
17020:2012(E) and ISO/IEC 17011:2017(E) compliance, an appeals process 
is required. Appeals are addressed in Sec. Sec.  170.8(b)(16) and 
170.9(b)(9), (14), (20), and (21).
    The DoD declines to update the rule content of Sec.  170.6 to 
include a new subsection on DoD PMs and requesting activities and their 
responsibilities regarding marking CUI as that subject matter is 
already addressed for the DoD. DoD Instruction 5200.48 on CUI 
establishes policy, assigns responsibilities, and prescribes procedures 
for CUI throughout the DoD in accordance with 32 CFR part 2002 
(including 32 CFR 2002.20, Marking CUI), 48 CFR 252.204-7008, and 
DFARS clause 252.204-7012. The CMMC Program requirements make no change 
to existing policies for information security implemented by the DoD.
    The DoD declined to modify the rule to further define the existing 
CMMC PMO oversight responsibilities, identified in Sec.  170.6, which 
includes the CMMC AB and all other aspects of the program.
b. CMMC-AB
    Comment: There were multiple comments regarding the CMMC 
Accreditation Body (AB). Ten comments were not relevant to the rule 
text. Multiple commenters asked about mechanisms to monitor the CMMC AB 
and how the DoD provides oversight. Seven comments provided valuable 
editorial recommendations that
enhanced the existing rule text. Seven comments also raised concerns 
and asked for clarification about certification of the CMMC AB, its 
standing with international accreditation bodies and the effects of 
that standing on the C3PAOs. Two comments sought clarity on the CMMC 
AB's responsibilities and what resources they will provide to the CMMC 
ecosystem. One comment suggested incorporation by reference of specific 
CMMC AB generated artifacts. One comment requested clarity on terms and 
definitions regarding the CMMC AB.
    Response: Some comments received lacked relevance to the rule's 
content, including the establishment of outside entities. The DoD 
declines to respond to speculative or editorial comments about private 
citizens or entities, which are outside the scope of this rule. The DoD 
declines to respond to requests for documents related to the CMMC AB 
and the CAICO that lack relevance to the CMMC rule.
    The term CMMC Accreditation Body is a generic term for whichever 
accreditation body is supporting the DoD at a given time. The rule has 
been updated to remove reference to any specific accreditation body. 
There is only one Accreditation Body for the DoD CMMC Program at any 
given time, and its primary mission is to authorize and accredit the 
C3PAOs. The Accreditation Body does not issue certifications. The 
current CMMC AB is under a no-cost contract that has followed normal 
DoD contracting procedures. The DoD declines to delete the section 
outlining requirements for the CMMC AB, which are enduring and apply 
irrespective of which entity the DoD has currently approved to serve in 
that capacity.
    This rule identifies the requirements for the Accreditation Body's 
role in the CMMC Ecosystem. The DoD has a variety of options available 
to address the commenter's concern should the current CMMC AB not be 
able to fulfill this role. These include, but are not limited to, 
contracting with a new or replacement Accreditation Body, and 
authorized and accredited C3PAOs would be able to continue conducting 
CMMC assessments.
    Sec.  170.8(b)(6) requires the CMMC AB to complete a CMMC Level 2 
assessment conducted by DCMA DIBCAC that must meet all CMMC Final Level 
2 certification assessment requirements and will not result in a CMMC 
Level 2 certification. This requirement for an assessment is based on 
the potential compilation of sensitive information on the CMMC AB's 
information systems. After the CMMC AB's successful completion of this 
Level 2 assessment, the DoD reserves the right to send CUI to the CMMC 
AB, as appropriate.
    Requirements for the CMMC AB, detailed in Sec.  170.8(b) of this 
rule, include DoD requirements to comply with Conflict of Interest, 
Code of Professional Conduct and Ethics policies as set forth in the 
DoD contract with the AB. Sec.  170.8(b)(3) details the ISO/IEC 
requirements the CMMC AB must meet and the timeline for meeting them. 
Sec.  170.8(b)(3)(i) and (ii) further detail the requirements for the 
CMMC AB to authorize and accredit C3PAOs. The CMMC AB is under contract 
with the DoD and must fully comply with the contract requirements.
    The CMMC rule was updated to clarify that the CMMC AB must be a 
U.S.-based signatory to the International Laboratory Accreditation 
Cooperation Mutual Recognition Arrangement within 24 months of DoD 
approval and must operate in accordance with ISO/IEC 17011:2017(E). The 
rule was also updated to clarify that a disqualifying eligibility 
determination may result in the CMMC AB losing its authorization or 
accreditation under the CMMC Program.
    All CMMC ecosystem members are required to abide by the appropriate 
ethics and conflicts of interest policies established by the CMMC AB 
and CAICO. Rule content pertaining to ethics, quality assurance 
functions, record keeping, data encryption, security, etc. functions 
across the ecosystem are tailored to reflect the role each entity fills 
in the ecosystem. The CMMC AB is not an agency of the Federal 
government; it is a private sector organization operating under 
contract with the DoD. As described in Sec.  170.6(a), the Office of 
the Department of Defense Chief Information Officer (DoD CIO) provides 
oversight of the CMMC Program and is responsible for establishing CMMC 
assessment, accreditation, and training requirements as well as 
developing and updating CMMC Program implementing guidance. The 
Accreditation Body must be under contract with the DoD. The rule has 
been modified to include additional CMMC AB oversight responsibilities 
for the CMMC PMO. The Department declines to incorporate CMMC AB 
generated artifacts into the rule by reference. The responsibilities of 
the DoD CIO and CMMC PMO are outlined in Sec.  170.6 and the 
responsibilities of the Accreditation Body are outlined in Sec.  170.8.
    The DoD acknowledges that the CMMC AB may not offer both 
accreditation services and certification services. DoD declines to make 
edits to these sections as they are in alignment with the roles and 
responsibilities of the CMMC AB. The DoD has revised Sec.  
170.8(b)(17)(i)(C) in the rule to clarify that the ``CMMC activities'' 
which former Accreditation Body members are prohibited from include any 
or all responsibilities described in Subpart C of this rule.
    The rule was updated to indicate that C3PAOs must also meet 
administrative requirements as determined by the CMMC AB. It was also 
updated to clarify that the term ``independent assessor staff'' in 
Sec.  170.8(b)(4) refers to independent CMMC Certified Assessor staff, 
and to clarify the meaning of the term ``members'' at Sec.  
170.8(b)(17)(i)(B). DoD declines to modify Sec.  170.8(b)(15) to 
include the phrase ``technical accuracy and alignment with all 
applicable legal, regulatory, and policy requirements'', as this does 
not result in a substantive change to the requirements as currently 
specified.
c. C3PAOs
    Comment: Clarification was requested regarding C3PAOs' timelines 
for accreditation and their dependencies on the CMMC AB accreditation 
process. Some commenters requested additional time. Clarification was 
also requested on the current disposition of authorized C3PAOs. A few 
comments asked for simplification and clarification of the difference 
between the terms ``authorized'' and ``accredited'' with the 
establishment of C3PAOs. One comment requested that the rule be edited 
to require full compliance before C3PAOs can conduct certifications, 
and that duplicative language relating to ethics, record keeping, etc., 
be moved to a central location in the rule. One commenter questioned 
whether Sec.  170.9(b)(16), which states ``Ensure that all CMMC 
assessment activities are performed on the information system within 
the CMMC Assessment Scope'', applies to all C3PAO personnel or just 
those involved in the Quality Assurance process.
    Other comments objected to the requirement that C3PAOs obtain a 
CMMC Level 2 certification assessment because the assessment does not 
result in a Level 2 certification. They asked whether this would 
require two separate assessments every three years for C3PAOs that also 
conduct contractor work for DoD. Two comments requested clarification 
on determining the scope for a CMMC Level 2 assessment of a C3PAO to be 
used by DIBCAC, and if or when they would be required to obtain a 
FedRAMP Moderate certification. Also, clarification was requested on 
whether a C3PAO is permitted to
possess OSC CUI and other artifacts during the assessment so long as 
they are destroyed upon completion of the assessment. One comment 
suggested that all information collected by the C3PAO be encrypted.
    Three comments asked for clarification on what constitutes a C3PAO 
assessment team and whether it can consist of solely a Lead CCA. One 
commenter asked whether entities accredited under ISO/IEC 17020:2012(E) 
by another accreditation body, rather than the CMMC AB, meet CMMC C3PAO 
requirements. A couple of comments asked for clarification on whether a 
C3PAO could be foreign owned and participate in the current CMMC AB 
Marketplace.
    Response: One commenter misinterpreted several sections of the CMMC 
rule. By defining the requirements in this rule to become a C3PAO, and 
defining a scoring methodology, the DoD is providing the authority and 
guidance necessary for C3PAOs to conduct assessments.
    DoD considered many alternatives before deciding upon the current 
CMMC structure. The DoD has established requirements for a CMMC 
Accreditation Body, and this accreditation body will administer the 
CMMC Ecosystem. The appeals process is defined in Sec. Sec.  
170.8(b)(16) and 170.9(b)(9), (14), (20), and (21). The DoD will not 
assume the workload of directly managing the CMMC ecosystem or the 
other alternatives suggested. DoD must treat all potential defense 
contractors and subcontractors fairly. DoD cannot inadvertently create 
a pathway to a free assessment for an organization by virtue of its 
dual-purpose as a C3PAO and separately as a defense contractor. 
Therefore, DoD assesses C3PAOs free of charge, but the assessment does 
not result in a Certificate of CMMC Status. The C3PAOs determine the 
people, processes, and technologies that are in-scope for their DIBCAC 
assessment to become a C3PAO. The need to protect the assessment 
information is independent of its status as FCI or CUI. Assessment 
information, such as which requirements are MET or not, as well as the 
evidence and analysis leading to that result, would provide valuable 
insights to an adversary if not protected. A C3PAO is not a CSP and 
therefore would not require a FedRAMP Moderate assessment to be a 
C3PAO. However, if they use a CSP to process, store, or transmit 
assessment information, then the CSP would require a FedRAMP Moderate, 
or equivalent, assessment. The CSP assessment results and CRM would be 
in scope for the C3PAO assessment.
    The requirements in Sec.  170.9 apply to both authorized and 
accredited C3PAOs. The only difference between authorization and 
accreditation is the status of the CMMC Accreditation Body. Prior to 
the CMMC AB achieving its full ISO/IEC 17011:2017(E) compliance, the 
interim term ``authorized'' is used for C3PAOs. As stated in Sec. Sec.  
170.8(b)(3)(i) and 170.9(b)(1) and (2), currently authorized C3PAOs 
must achieve and maintain compliance with ISO/IEC 17020:2012(E) within 
27 months of authorization. As stated in Sec.  170.9(b)(6), C3PAOs must 
obtain a Level 2 certification assessment, but this does not result in 
a CMMC Level 2 certificate. The DoD declines to modify the rule text 
related to C3PAO requirements as it does not make a substantive change. 
Requirements are specified in the rule for each entity within the CMMC 
ecosystem.
    A C3PAO may start preparing for compliance with ISO/IEC 
17020:2012(E) before the Accreditation Body achieves compliance with 
ISO/IEC 17011:2017(E). The 27-month timeline for a C3PAO to achieve and 
maintain compliance with ISO/IEC 17020:2012(E) begins on the date that 
the C3PAO is authorized by the Accreditation Body, as addressed in 
Sec.  170.9(b)(2). C3PAOs authorized by the CMMC AB prior to becoming 
compliant with ISO/IEC 17020:2012(E) must be accredited by the CMMC AB 
within 27 months of the C3PAO's initial authorization to meet CMMC 
program requirements. The accreditation process is not tied to, nor is 
it impacted by, the DoD's appropriations period.
    The rule has been updated to add ``authorized'' to the definition 
of a C3PAO. Authorized is defined in Sec.  170.4.
    DoD disagrees with the suggestion that certain C3PAO requirements 
are not needed or redundant. C3PAOs must follow specific requirements 
for CMMC assessment record retention and disposition, audits, personal 
information, and CMMC Assessment Scope. Each paragraph number is 
independent; dependent sub-paragraphs are numbered with lower case 
Roman numerals. The requirement in Sec.  170.9(b)(16) applies to all 
C3PAO company personnel participating in the CMMC assessment process.
    The size of a C3PAO assessment team is variable based on factors 
including the scope of the assessment and the arrangements between the 
OSC and C3PAO. The rule has been updated in Sec.  170.9(b)(12) to 
clarify that, at a minimum, the assessment team must have a Lead CCA, 
as defined in Sec.  170.11(b)(10), and one other CCA. A C3PAO is 
permitted to possess OSC CUI and artifacts during an assessment. CMMC 
Certified Assessors must use the C3PAO's information technology which 
has received a CMMC Level 2 certification assessment as stated in Sec.  
170.11(b)(7) and any copies of the OSC's original artifacts must be 
destroyed when the assessment is complete as defined in Sec.  170.9(1).
    The DoD has considered the recommendation to require encryption of 
all information and declines to revise the rule text, since the C3PAO 
is required in Sec.  170.9(b)(6) to obtain a Level 2 certification 
assessment conducted by DCMA DIBCAC.
    Several foreign or international companies submitted comments 
expressing interest in the rule section pertaining to C3PAO 
requirements (Sec.  170.9(b)) and correctly noted that this section 
does not preclude otherwise qualified foreign companies from achieving 
C3PAO accreditation. Also, the DoD does permit C3PAO personnel who are 
not eligible to obtain a Tier 3 background investigation to meet the 
equivalent of a favorably adjudicated Tier 3 background investigation. 
DoD will determine the Tier 3 background investigation equivalence for 
use with the CMMC Program only.
d. CAICO
    Comment: Numerous comments requested correction of perceived 
misstatements, oversights, or erroneous paragraph references in the 
CAICO responsibilities section. One commenter suggested the level of 
detail in Sec.  170.10(b) is more appropriate for a statement of work 
and some paragraphs could be deleted from the rule. They offered 
preferred rewording to clarify that the CAICO must also comply with AB 
and ISO/IEC requirements, and further recommended deleting the 
requirement to provide all documentation in English. In addition, they 
recommended deleting separation of duties as a requirement, because it 
is already required under ISO/IEC certification. One commenter 
conflated CAICO subcontractors with DIB subcontractors and suggested 
deletion of the rule's restrictions on releasing CMMC-related 
information. One comment asked whether the Cyber AB and CAICO have 
documented processes for regular review and updates to their compliance 
documentation. Lastly, one comment requested duplicative language 
relating to ethics, record keeping, etc. be moved to a central location 
in the rule.
    A few commenters suggested preferred edits to improve the role of 
the CAICO. One comment noted that the
accreditor for certifying the CAICO should be a U.S.-based signatory to 
ILAC or a relevant International Accreditation Forum (IAF) arrangement, 
in addition to complying with ISO/IEC 17011:2017(E). Two comments noted 
concerns that 
having only one CAICO would create an untenable bottleneck should 
something happen to the single CAICO. One commenter asserted that the 
CMMC Certified Instructor (CCI) certification requirement is redundant 
and not cost-effective since instructors will need to be certified as 
CCPs or CCAs to teach those courses. One comment suggested a grace 
period of 18-24 months from final rule publication, to allow update of 
training and examinations, before implementing the CCP and CCA 
certification requirements. Three comments recommended that Approved 
Publishing Partner (APP) and Approved Training Providers (ATP) sections 
be added to Subpart C of the rule. One commenter asked for 
clarification on what constitutes a CAICO subcontractor and if this 
includes LTPs and LPPs, and asked why an authorization process for LTPs 
and LPPs is not included in the rule.
    One commenter appreciated that CAICO responsibilities include 
compliance with relevant ISO/IEC standards, as those are 
internationally recognized standards.
    One commenter provided an attachment containing an image of an 
article published in the February 2024 issue of National Defense 
Magazine. The commenter did not provide specific questions or comments 
regarding the article; they simply submitted the article.
    Response: The DoD declines to comment on the reposting of 
information being reported in the media. This rule identifies 
requirements for the CAICO role in the ecosystem. The DoD has a variety 
of options available to address issues with reliance on a single CAICO. 
These include but are not limited to working with the CMMC AB to 
identify a new/replacement CAICO.
    The final rule includes a requirement for the Accreditation Body, 
CAICO, and C3PAOs to adhere to appropriate ISO/IEC standards, which 
include the current version of the standard for conformity assessment 
(ISO/IEC 17024:2012(E) located at ISO website: www.iso.org/standard/52993.html).
    All CMMC ecosystem members are required inter alia to abide by the 
appropriate ethics and conflicts of interest policies established by 
the CMMC AB and CAICO. Rule content pertaining to ethics, quality 
assurance functions, record keeping, data encryption, security, etc. 
functions across the ecosystem are tailored to reflect the role each 
entity fills in the ecosystem. Repeating this content in the section of 
each ecosystem role serves to emphasize the importance of adherence to 
these requirements.
    DoD disagrees with the commenter's suggestion that certain CAICO 
requirements are not needed or are redundant. The DoD requirement for 
documentation in English refers to official information provided to the 
Accreditation Body or the DoD. The commenter's preferred rewording of 
Sec.  170.10(b)(3) is unnecessary because there is a separate 
requirement for the CAICO to meet ISO/IEC standards, and this rule does 
not codify non-DoD requirements. The DoD declines to remove the 
requirement in Sec.  170.10(b)(10) to provide status information to the 
CMMC AB because it is necessary for program management. The rule 
retains the separation of duties requirement at Sec.  170.10(b)(11), 
which is more specific than the management of impartiality required 
under ISO/IEC 17024:2012(E).
    The DoD declines to delete certification requirements for CCI. 
Having the technical background as a CCP or CCA does not ensure all the 
instructor-unique qualifications necessary to be a CCI are met. The DoD 
also declines to remove the reference to Sec.  170.10 from Sec.  
170.12(b)(1) since it is accurate that the CAICO certifies CCIs.
    Sec.  170.10(b)(13) ensures that personal information is 
encrypted and protected in all CAICO information systems and databases 
and those of any CAICO training support service providers. DoD 
disagrees with the commenter's suggestion that training support service 
providers of the CAICO be allowed to disclose information about CCAs 
and/or CCPs. Sec.  170.10 references the CAICO requirements. Entities 
providing training support services to the CAICO are not a part of the 
assessment process in the ecosystem. It is not up to them to release 
data on certified persons in the ecosystem. Any metrics regarding 
certifications will come from the CAICO.
    DoD declines to add Approved Publishing Partner (APP) or Approved 
Training Provider (ATP) sections to the rule. The CMMC Program 
defines the requirements for the ecosystem. Specific requirements for 
publishing and training guidelines are determined by the CAICO and do 
not require the oversight of the DoD. The CMMC Rule does not use the 
term Licensed Training Provider (LTP), as the LTPs are not required to 
be licensed. The acronym ATP means Approved Training Provider which 
encompasses the same role in the CMMC Ecosystem. The DoD does not 
intend to further delay implementation of CMMC to provide an 18- to 
24-month grace period from the official release of the rule to build 
curriculum.
    The DoD has reviewed commenter recommendations and revised the rule 
as follows:
    The CMMC rule has been updated to state that the CAICO must be 
accredited by a U.S. based signatory to ILAC or other relevant IAF 
mutual recognition arrangements and operate in accordance with ISO/IEC 
17011:2017(E). The DoD has removed the term ``practitioner'' from Sec.  
170.10(b)(8) for clarity and changed the term subcontractor to training 
service support provider.
e. CCPs and CCAs
    Comment: Some comments requested DoD's response to speculations 
about market forces, competitiveness of the CMMC Certified Professional 
(CCP) and CMMC Certified Assessor (CCA) roles and career 
opportunities, assessor burnout, complexity of CMMC ecosystem, and a 
limited assessor pool.
    Several comments identified administrative changes or preferred 
rewording or reordering of the CCP and CCA sections of the ecosystem 
requirements. For example, two commenters objected to repeating the 
requirement to meet CoPC and COI requirements for each Ecosystem member 
in Sec.  170.8. Another comment requested deletion of the requirement 
for all documentation and records to be provided in English.
    One commenter recommended revising proficiency and experience 
requirements for CCPs, CCAs, and Lead CCAs. Another requested 
clarification on what requirements govern the certification of a CCA 
and requested the rule allow the CAICO to establish the certification 
validity period. One comment recommended all additional assessor 
certification requirements in Sec.  170.11(b)(6)(ii) be removed from 
the rule, so that only those prerequisite training requirements 
identified by the CAICO would apply.
    Another comment suggested that a requirement prohibiting assessors 
from use of personally owned IT that is contained in the CCA section at 
Sec.  170.11 also be added to the C3PAO requirements section at Sec.  
170.9. Two commenters objected to the restrictions on CCAs sharing 
information with people outside the assessment team.
    One comment questioned the requirement for a Tier 3 background 
investigation for CCPs and another suggested the validity period of CCP 
certification should be determined by the CAICO. Yet another comment 
suggested changing certification periods from 3 to 4 years for those 
certified prior to the rule becoming effective. One comment suggested 
there is insufficient clarity regarding the role CCPs may play in an 
assessment and another asked whether a CCP was allowed to review more 
than just Level 1 requirements. Two other comments recommended updating 
CCP training to include Level 2 practices. Another comment noted that 
assessors cannot be robotic and that they must be allowed to evaluate 
the situation as it pertains to the company being evaluated.
    One comment asked for clarification on Lead CCA requirements and 
requested a reduction in the management experience to 2 years. Two 
other comments recommended adding IT and cybersecurity experience as 
relevant skills. One comment also recommended that Lead CCAs have 
industry-specific knowledge of the industry in which the OSC being 
assessed participates. Another comment requested clarification whether 
years of experience are cumulative for the Lead CCA. One comment 
recommended changing the name of Lead CCA and adding roles and 
responsibilities requirements. One stated that the rule's CCA 
prerequisites set too low a skill bar and recommended increasing the 
requirements for both CCAs and Lead CCAs. Another comment noted that 
the rule references both DoD Manual 8570 and DoD Manual 8140.03 and 
that only one or the other should be used.
    One commenter suggested that should sufficient assessors not be 
available to meet demand, the DoD should provide a delay or ``grace 
period'' to meet certification requirements.
    Response: The CMMC rule provides detail on anticipated impacts on 
the DIB in the Impact and Cost Analysis summary of the preamble. 
Speculation on market forces affecting roles in the CMMC ecosystem, such 
as CCPs and CCAs, is outside the scope of the CMMC program rulemaking. 
Likewise, limitations on career opportunities and associated issues 
such as burn-out or job satisfaction are beyond the scope of the 
program.
    The DoD updated the rule to clarify that CCAs must meet all the 
requirements set forth in Sec.  170.11(b) and modified the rule in 
Sec.  170.10(b)(10) to include CMMC Certified Professionals (CCPs). 
Sec.  170.13(b)(6) was changed to conform to rule text in Sec.  
170.11(b)(9) and to clarify with whom information may be shared.
    The DoD determined the certification requirements specified in 
Sec.  170.11(b)(6) meet the needs of ensuring certified assessors have 
the required depth of cybersecurity knowledge and experience that is 
beyond what the CMMC-specific training provides.
    The DoD disagreed with the comment that the CAICO should determine 
the length of time a CCP certification is valid. DoD has a significant 
interest in ensuring the quality of assessors in the CMMC ecosystem and 
the currency of their training. The DoD does not agree with the 
assertion that managerial and personnel-related skills are most 
relevant for success as a Lead Assessor. As written, Sec.  170.11 of 
the rule requires Lead Assessors to have a balance of technical and 
managerial expertise. A Lead Assessor also requires assessment or audit 
experience. The DoD views these skills as the minimum required to 
adequately provide the technical guidance and managerial oversight of 
the assessment team. The DoD declined to revise the rule to specify IT 
and/or Cybersecurity for the required audit experience.
    The DoD also disagreed with a recommendation to require Lead CCAs 
to have industry-specific knowledge of the industry in which the OSC 
being assessed participates. The DoD found that this requirement would 
unreasonably restrict C3PAOs from participating in a broad range of 
assessments and could have a negative effect on the ability of the DIB 
to schedule CMMC Level 2 certification assessments. The OSC can select 
a C3PAO with the experience it considers valuable.
    The DoD declined a commenter's request to modify the rule to allow 
the CAICO to determine the requirement for the frequency of CCA/CCP 
certification. The DoD considers the 3-year certification period a key 
CMMC program requirement that will be enacted and managed by the CAICO. 
The DoD also declined to change the rule to extend the certification 
timeline to 4 years for those earning a certification prior to 
completion of rulemaking. Additionally, the DoD did not accept the 
recommendation to remove the requirement for providing documentation in 
the English language, which applies to all official information that 
would be provided to the CAICO, CMMC AB, or the DoD.
    The DoD disagreed with a commenter's recommendation to remove the 
second sentence in Sec.  170.11(b)(7) that prohibits individual 
assessors from using any IT other than that provided to them by the 
C3PAO that has been contracted to perform that OSA's assessment. This 
sentence is required to eliminate ambiguity, particularly for C3PAOs 
that may have implemented a BYOD program or that allow some work roles 
to use personal devices. The DoD updated the rule to provide additional 
clarity.
    The DoD does not concur with the comment calling for a DoD Manual 
8140.03 requirement on CCAs. Assessment teams are required to have a 
Lead Assessor who must meet the higher level of the DoDM 8140.03 
requirements. The rule has been updated to remove reference to DoD 
Manual 8570.
    The experience requirements referenced for the Lead CCA are 
cumulative. The rule has been updated to move Lead CCA requirements to 
the end of Sec.  170.11, but not to create a new section.
    The DoD disagreed with the commenter's assertion that Assessors are 
robotic. Assessors will go through CMMC training and will assess each 
unique CMMC Assessment Scope, as defined by the OSA, against the 
security requirements. As specified in Sec.  170.13(a), CCPs can 
participate on CMMC Level 2 certification assessments with CCA 
oversight where the CCA makes all final decisions. Updates to training 
are beyond the scope of this rule. Statements made in training 
materials produced prior to final adoption of the CMMC rule are beyond 
the scope of CMMC rulemaking. DoD disagrees with the comment that Sec.  
170.13 does not provide sufficient detail regarding the role CCPs may 
play in an assessment. The requirement in the rule that ``with CCA 
oversight where the CCA makes all final determinations'' provides 
sufficient flexibility to adapt to a wide variety of assessments while 
ensuring the responsibility for assessment findings rests with the CCA 
and Lead CCA.
    The rule restates COI and CoPC requirements in each ecosystem 
section because all CMMC ecosystem members are required to abide by the 
appropriate ethics and conflicts of interest policies established by 
the CMMC AB and the CAICO. Rule content pertaining to ethics, quality 
assurance functions, record keeping, data encryption, security, and 
other functions across the ecosystem is tailored to reflect the role 
each entity fills in the ecosystem.
    DoD CIO, in coordination with OUSD/I&S, evaluated the requirements 
for the CMMC Ecosystem. Based on the access to sensitive unclassified 
information, a Tier 3 background investigation that results in 
determination of national
security eligibility is required. Sec.  170.13(a) states that a CCP is 
eligible to participate in Level 2 certification assessment with CCA 
oversight and is eligible to become a CCA and will receive additional 
training and testing per the requirements in Sec.  170.11.
    The phased implementation plan described in Sec.  170.3(e) is 
intended to address ramp-up issues and provide time to train the 
necessary number of assessors. DoD has updated the rule to add an 
additional six months to the Phase 1 timeline.
e. CCI
1. Training and Training Materials
    Comment: One comment mistook the requirement to ``provide all 
documentation and records in English'' as applying to training 
materials. Four comments expressed concerns about the requirements for 
confidentiality surrounding training records. These concerns arose 
primarily from a misinterpretation of the requirement to ``keep 
confidential all information obtained during the performance of CMMC 
training activities'' to mean a requirement to keep the training 
materials themselves confidential, rather than keeping student records 
confidential.
    Response: The requirement to ``provide all documentation and 
records in English'' refers to official information that would be 
provided to the CMMC Assessor and Instructor Certification Organization 
(CAICO) or the DoD. The terms do not pertain to all materials used in 
the delivery of a course. The DoD disagreed with the recommendation to 
delete the Sec.  170.12(b)(7) requirement for keeping CMMC training 
records and information confidential. ``Training activities'' do not 
include course material. The example in Sec.  170.12(b)(7) (student 
records) makes clear the type of data covered by the rule.
2. Time Limits and Other Constraints
    Comment: One comment recommended that the CAICO, instead of the 
DoD, determine the frequency of CMMC Certified Instructor (CCI) 
certification. Another requested clarification on the length of time 
that a CCI may not provide consulting services. One comment recommended 
changing the rule to require CCIs to provide updates to the CAICO and 
the CMMC AB no less than annually, in lieu of ``most up to date''.
    Two comments expressed concern that CCIs are not allowed to provide 
consulting services to OSCs; one of the comments asserted this would 
result in reduced quality of training for CMMC Certified Professionals 
(CCP) and CMMC Certified Assessors (CCA). One comment expressed 
disagreement with the requirement prohibiting CCIs from exam 
development and exam proctoring. Another comment recommended a rule 
update indicating CCIs can teach both CCA and CMMC Certified 
Professional (CCP) candidates.
    Response: The DoD declined a commenter's request to modify the rule 
to allow the CAICO to determine the requirement for validity period of 
a CCI certification. The DoD considers the 3-year certification period 
for CCIs as a key CMMC program requirement that is to be enforced by 
the CAICO.
    The DoD modified Sec.  170.12(b)(4) to read ``annually'' instead of 
``most up to date'' to clarify the reporting requirement.
    All CMMC ecosystem members are required to abide by the appropriate 
ethics and conflicts of interest (COI) policies established by the CMMC 
AB and CAICO. Rule content pertaining to ethics, quality assurance 
functions, record keeping, data encryption, security, and other 
functions across the ecosystem is tailored to reflect the role each 
entity fills in the ecosystem. The DoD defined COI requirements to 
reduce the possibility that a CMMC Ecosystem member acting in one 
capacity may bias, or be biased by, clients that are paying them to 
perform another CMMC related service. CCIs are not permitted to develop 
or proctor exams to avoid participating in any activity, practice, or 
transaction that could result in an actual or perceived conflict of 
interest.
3. Relationship to CAICO and Other Ecosystem Members
    Comment: One comment asked why the rule does not include 
requirements for LTPs, and another requested additional rule text to 
clarify the relationship between an ATP and the CAICO in administrative 
matters of students. One comment recommended not requiring CCIs to 
provide qualification and training information to the CAICO.
    One comment recommended a method for reducing a perceived 
redundancy in the rule text between ecosystem-related sections. Two 
comments asserted that a CCI certification is redundant because 
individuals attempting to become CCIs are already certified as CCPs or 
CCAs.
    One comment asked that a new requirement be added to the rule under 
Sec.  170.12 to address the transition of Provisional Instructors to 
CCIs.
    Response: The CMMC rule does not use the term Licensed Training 
Provider (LTP), as training providers are not required to be licensed. 
The correct term for CMMC training providers is Approved Training 
Provider (ATP). The CMMC rule contains the requirements to create the 
training for the CMMC Program. Sec.  170.10 contains the requirements 
for the CAICO to ensure compliance with ISO/IEC 17024:2012(E) and to 
ensure all training products, instruction, and testing materials are of 
high quality.
    DoD disagreed with a comment to delete a requirement in the rule 
for CCIs to update the CAICO regarding qualification, training 
experience, and other information relating to their competency to teach 
within the CMMC ecosystem. Viewing and verifying CCI qualifications is 
an important element of quality assurance in the CAICO's role of 
training, testing, authorizing, certifying, and recertifying CMMC 
assessors, instructors, and related individuals.
    Sec.  170.12(b) in the rule was updated to add the requirement for 
a CCI to be certified at or above the level of training they are 
delivering. The DoD also modified Sec.  170.12(a)(11) to add CMMC 
Certified Professional (CCP) candidates.
    The DoD declined to remove the certification requirement for CCIs. 
Although CMMC Certified Assessors have the technical background, that 
does not imply that they meet all the instructor-unique qualifications 
necessary to be a CCI.
    The DoD modified Sec.  170.12 to include requirements for 
Provisional Instructors prior to their transition to a CMMC Certified 
Instructor. Any Provisional Instructor (PI) will be required to achieve 
certification under the CMMC Certified Instructor (CCI) program within 
18 months of the final rule publication. The PI designation ends 18 
months after the effective date of the rule.
f. Conflicts of Interest and Code of Professional Conduct
    Comment: Many commenters had questions about existing CMMC conflict 
of interest (CoI) requirements and had suggestions for further 
protecting the impartiality of the CMMC Program. One commenter 
requested the Department develop a mechanism to prevent third-party 
assessment organizations from delaying re-evaluation of NOT MET 
requirements to create a pipeline of future assessment work. The 
commenter recommended removing the 10-day re-evaluation deadline 
requirement currently in the CMMC Rule to prevent any conflicts of 
interest. Another commenter stated that allowing a
commercial entity to manage the CMMC `ecosystem' creates a ``fox 
watching the henhouse'' condition and that fraud and abuse will be 
rampant.
    Some commenters questioned the legality of the current CMMC AB's 
establishment and alleged unethical behavior by its Board of Directors. 
They cited the number of resignations among its Board of Directors as 
evidence of internal politics, conflicts of interests, or ethics 
concerns. One commenter suggested the 6-month ``cooling off period'' 
between an employee leaving the CMMC AB and supporting other CMMC roles 
be extended to one year to ensure impartiality within the CMMC Program. 
Another commenter claimed an informational newsletter offered by the 
CMMC AB to ecosystem members violates the conflicts of interest 
requirements. In addition, commenters alleged that the CMMC AB's 
progress (prior to final rule publication) toward ISO/IEC compliance 
violates the terms of its contract with DoD, which the DoD should 
terminate.
    Commenters also stated that DoD's no-cost contract with the current 
CMMC AB has forced them to focus on generating revenue instead of 
building a CMMC Assessor cadre. One commenter cited publicly available 
tax filings of the current CMMC AB to substantiate that view. Another 
commenter noted concerns that the rule permits a timeline for meeting 
the ISO/IEC requirements, rather than requiring immediate compliance, 
and suggested that it would be more advantageous to cite different ISO/
IEC requirements (for conformity assessment) than those identified in 
the rule.
    One commenter wrote that significant delays in CMMC implementation, 
extending this far beyond the Department's earlier objectives of 2020, 
constitute fraud and claimed that DoD representatives directed companies 
to comply with requirements that have become irrelevant due to changes 
in program requirements that occurred during rulemaking.
    Many commenters stated the Department needs to further clarify 
existing CoI requirements for CCIs, CCAs, and CCPs in the CMMC Rule 
text. Specifically, commenters suggested the DoD:

--Revise Sec.  170.12(b)(5) to state that CCIs may serve on an 
assessment team for a student's company, provided the CCI does not 
provide consulting to an OSC during delivery of the CMMC Instruction or 
breach other conflict of interest rules, and add that the CCI must 
``[b]e a currently certified CCA and conduct at least one certified or 
mock assessment under the direction of a C3PAO annually.''
--Revise Sec.  170.12(b)(6) to allow CCIs to craft exam objectives and 
content, as CCIs are the ``most in tune with issues faced by candidate 
CCPs and CCAs.''
--Strike Sec.  170.12 altogether, because potential CoIs will be rare 
and can be ``managed by existing conflicts of interest mechanisms''; 
clarify that ``while serving as a CMMC instructor'' means ``limited 
only to while actively teaching or any time while the person holds the 
CCI certification''; and that CoI concerns could be addressed by the 
addition of an Instructor Code of Conduct. One commenter also suggested 
this section would significantly decrease the available pool of CMMC 
instructors, as they would be forced to choose between instructing and 
consulting, which may be a more lucrative option. They also claimed it 
prevented CCIs who teach CCP/CCA courses at night from providing 
consulting services during the day.
--Impose a three- or four-year prohibition on ecosystem members from 
participating in the CMMC assessment process for an assessment in which 
they previously served as a consultant or ``since the OSC last obtained 
CMMC certification, whichever is most recent.''
--Add language to Sec. Sec.  170.11 and 170.13 to clarify if an 
individual consults with a defense industrial base company, they are 
prohibited from participating as a CMMC assessor for that same company.
--Update Sec.  170.8(b)(ii)(17)(ii)(G) and add a time limit to this 
requirement to ensure a consultant can perform assessments, given an 
appropriate amount of time has passed.
--Revise Sec.  170.8(b)(17)(ii)(G) to say, ``Prohibit CMMC Ecosystem 
members from participating in the CMMC assessment process for a CMMC 
assessment in which they previously served as an employee or consultant 
to prepare the organization for any CMMC assessment,'' as both an OSC 
employee and a CCPA/CCP serving as a consultant would face identical 
CoI.
--Provide more detail on the scope of CCA and CCP conflict of interest 
disclosure required, particularly around the definition of ``process, 
store, or transmit'' in Sec.  170.4(b).
--More narrowly tailor the CoI requirement in Sec.  170.8(b)(17)(i)(D) 
and more expressly identify the ``perceived conflicts of interest'' 
scenarios to help ecosystem members avoid legal risk.
--Rewrite Sec.  170.8(b)(17)(iii)(C) to clarify what constitutes a 
``satisfactory record of integrity and business ethics.''
--Provide more detail in Sec.  170.10(b)(11) on the term ``separation 
of duties,'' so CCAs know whether they can volunteer to develop test 
questions or provide training.

    Response Summary: Some comments received lacked relevance to the 
rule's content, which is limited to specific CMMC Program requirements. 
The DoD declines to respond to speculative or editorial comments about 
private citizens or entities, all of which are not within the scope of 
this rule. Personnel actions taken by the CMMC AB and comments 
regarding filing of IRS forms are not within the scope of this rule.
    Sec.  170.8(b) of this final rule provides requirements of the CMMC 
AB. CMMC Program requirements as described in this rule require the 
CMMC Accreditation Body and the CAICO to have and abide by ethics and 
conflicts of interest rules and to have and maintain a Code of 
Professional Conduct (CoPC). Sec.  170.8(b)(3) describes the ISO/IEC 
requirements and the timeline in which the CMMC AB needs to meet those 
requirements. The DoD declines to comment on business decisions made by 
the current CMMC AB in the performance of its CMMC related roles, 
responsibilities, and requirements. Based on information currently 
known to DoD, the CMMC AB is currently performing as defined in this 
final rule and the terms of the contract. The ANSI National 
Accreditation Body is performing the function of accrediting the CAICO, 
which is appropriate given its status as a subsidiary of the CMMC AB.
    The DoD defined CMMC Conflict of Interest requirements to reduce 
the possibility that a member of the CMMC Ecosystem acting in one 
capacity may bias, or be biased by, clients that are paying them to 
perform another CMMC related service. The rule text includes ethics 
requirements for members of the CMMC ecosystem, to include the CMMC AB 
(Sec.  170.8). The DoD concurred with some comments and has increased 
the cooling off period from six months to one year in Sec.  
170.8(b)(17)(i)(C).
    DoD considered many alternatives before deciding upon the current 
CMMC structure. The DoD has established requirements for a CMMC 
Accreditation Body, and this accreditation body will administer the 
CMMC Ecosystem. The phased CMMC implementation plan provides time to 
train the necessary number of assessors, and the rule has been updated 
to add an additional six months to the Phase 1 timeline.
    The DoD requires that the Accreditation Body must achieve and 
maintain compliance with the ISO/IEC 17011:2017(E) standard (the 
international benchmark used in demonstrating an accreditation body's 
impartiality, technical competency, and resources) and the requirements 
set forth in Sec.  170.8. The CMMC Proposed rule also requires 
compliance with ISO/IEC 17020:2012(E) for conformity assessments. Sec.  
170.12(b)(5) was revised to indicate that a CMMC instructor, subject to 
the Code of Professional Ethics and Conflict of Interest policies, may 
serve on an assessment team but cannot consult. CCIs are not permitted 
to develop or proctor exams to avoid participating in any activity, 
practice, or transaction that could result in an actual or perceived 
conflict of interest.
    The CAICO is responsible for ensuring the separation of duties for 
individuals volunteering to assist with testing, training, and 
certification activities. An example of separation of duties is shown 
in Sec.  170.12(b)(6), which specifies that a CCI cannot be involved in 
examination activities.
    DoD modified Sec.  170.8(b)(17)(ii)(G) to add that a consultant is 
only limited from participation in the assessment process for 36 
months. CMMC Ecosystem members do not participate in an assessor 
capacity on DIBCAC assessments. The DoD declined to add explicit 
requirements prohibiting ecosystem members from participating in an 
assessment of an OSC by whom they were previously employed (directly or 
as a consultant), because the scenario is already covered under Sec.  
170.8(b)(17)(ii)(G).
    DoD disagreed with the comments that a CMMC Ecosystem member is 
unable to avoid perceived conflicts of interest. The Accreditation Body 
is required to provide a CoI policy in Sec.  170.8(b)(17) for CMMC 
Ecosystem members. The Department expects that a reasonable person 
subject to the CoI policy should understand how to avoid the appearance 
of conflicts of interest and, if unsure, seek clarity from the 
Accreditation Body. Details of the disclosure requirements are in the 
Accreditation Body conflict of interest policy.
    A satisfactory record of integrity and business ethics is a record 
that does not indicate derogatory behavior in relation to professional 
conduct or conflict of interest.
    The DoD declined to remove the 10-day re-evaluation deadline in 
Sec. Sec.  170.17(c)(2) and 170.18(c)(2) to ensure consistency in the 
assessment process. The OSC may utilize the appeals process, as 
necessary. The DoD is required to codify CMMC program requirements 
through a prescribed and formal rulemaking process. The timeline for 
CMMC implementation changed due in part to DoD's decision to pause and 
assess the program, seek opportunities to streamline and ease the 
burden of its implementation, and respond to public comments. The DoD 
declines to respond to speculative or editorial comments regarding the 
actions of private citizens, which are not within the scope of this 
rule.
g. Ecosystem Eligibility
1. Foreign Ownership
    Comment: Two comments noted the rule does not include Foreign 
Ownership, Control, or Influence (FOCI) requirements for the CAICO. One 
comment recommended the rule incorporate the definition of the 
``national technology and industrial base'' and exclude those companies 
from FOCI requirements. The NTIB includes organizations from the United 
States, the United Kingdom of Great Britain and Northern Ireland, 
Australia, New Zealand, and Canada that are engaged in research, 
development, production, integration, services, or information 
technology activities.
    Response: The CAICO has no FOCI requirement because they do not 
have knowledge of the OSC's network or potential vulnerabilities 
identified in the assessment process. Per Sec.  170.9(b)(5), the CMMC 
Program implements the FOCI program that is managed by DCSA. Potential 
FOCI exemptions are outside the scope of this 32 CFR part 170 CMMC 
Program rule and must be addressed through international arrangements 
or agreements.
2. Personnel Security
    Comment: There were numerous comments regarding the Tier 3 
Personnel Security requirements. Several comments recommended editorial 
clarification. Multiple comments requested clarification on what ``not 
eligible'' meant and what is the ``equivalent process''. One comment 
recommended the Tier 3 background investigation be required for all 
authorized personnel while two comments recommended eliminating the 
Tier 3 background investigation requirement. Two other comments 
requested clarification on why a Tier 3 investigation is required when 
no secret information is handled and there is no clearance granted. 
Another comment requested clarification on the Tier 3 process. Three 
comments requested clarity on the citizenship requirements and how the 
Tier 3 requirement will be enforced for international C3PAOs.
    Another comment recommended adding a requirement for CMMC 
Instructors and Assessors to report to the CAICO within 30 days of a 
conviction or guilty plea for certain crimes.
    Response: In coordination with the OUSD/I&S, the DoD CIO evaluated 
requirements for the CMMC Ecosystem. Based on the access to sensitive 
unclassified information, a Tier 3 background investigation that 
results in determination of national security eligibility is required 
as specified in this rule. The concept of ``not eligible'' in Sec.  
170.9(b)(4) is intended to cover those applicants who do not meet the 
entrance requirements for a DCSA Tier 3 background investigation; it is 
not an alternative for applicants who do not pass its Tier 3 background 
investigation. The DCSA maintains a record of all background 
investigation information in the Personnel Vetting Records system of 
records, DUSDI 02-DoD, as published in the Federal Register. The 
details of the Tier 3 background investigation are included in this 
rule to inform the public of the CMMC requirement and that the 
investigation will not result in a clearance. The DoD declines to 
remove reference to the Standard Form 86 from the rule. All 
documentation and records for the background investigation process must 
be provided in English; rulemaking as a Federal regulation requires 
this level of detail to ensure clarity of understanding and 
interpretation. Details about background investigation equivalency are 
available from DCSA at www.dcsa.mil/Industrial-Security/International-Programs/Security-Assurances-for-Personnel-Facilities/. As stated in 
the 32 CFR part 170 CMMC Program rule, C3PAOs must meet the criteria 
defined in section Sec.  170.9. If a non-U.S. organization, and its 
employees, meet all the requirements in Sec.  170.9 and Sec.  170.11, 
it would not be prohibited from operating as a C3PAO within the U.S. or 
abroad. The DoD declined to make recommended administrative changes to 
Sec.  170.9(b)(3), because they did not result in a substantive change.
    While a C3PAO may use its own employees to staff an assessment, it 
also may leverage CCAs and CCPs who are independent contractors, rather 
than employees of a specific C3PAO. Because these independent CCAs and 
CCPs may not be covered by the C3PAO's background check requirement, 
CMMC requires CCAs and CCPs to have their own Tier 3 background checks 
or equivalent.
    Section 170.10 has been updated to specify the CAICO must require 
CMMC
Ecosystem members to report to the CAICO, within 30 days, if they are 
convicted, plead guilty, or plead no contest for certain specified 
legal matters or criminal activities.
h. ISO/IEC Standards
    Comment: Several comments addressed ISO/IEC standards referenced in 
the proposed rule. Most of these were related to ISO/IEC 17020:2012(E). 
One commenter wanted to know what the proposed rule meant by ``out-of-
cycle from ISO/IEC 17020:2012(E).'' Another felt the section outlining 
CMMC AB responsibilities should clarify that the CMMC PMO must approve 
all C3PAO accreditation requirements established by the Accreditation 
Body under ISO/IEC 17020:2012(E). One person felt the rule should give 
C3PAOs more time to achieve compliance with ISO/IEC 17020:2012(E) and 
one commenter asserted that including a revocation process in the CMMC 
PMO roles and responsibilities section was inconsistent with ISO/IEC 
17020:2012(E) standards because the C3PAO was the certification body.
    One comment asserted the requirement in the rule for the CMMC AB to 
complete the ILAC Peer Review prior to accrediting C3PAOs is too 
onerous and not consistent with the ISO/IEC process for gaining 
international recognition as an accreditation body in accordance with 
ISO/IEC 17011:2017(E).
    Response: The rule was updated in Sec.  170.8(a) to clarify 
responsibilities of the Accreditation Body. DoD agreed with the comment 
that the requirement to complete the Peer Review prior to accrediting 
C3PAOs was too onerous and inconsistent with the ISO/IEC process under 
ISO/IEC 17011:2017(E). The rule has been updated for clarity.
    Using the terms of the ISO/IEC 17020:2012(E), the activity of the 
C3PAO is an ``inspection'', rather than a ``certification''. The C3PAO 
is an inspection body, not a certification body, and is responsible for 
conducting the Level 2 certification assessment [Inspection]. The rule 
was revised to delete terms related to granting or revoking 
certification assessment status. The DoD reserves the right to conduct 
a DCMA DIBCAC assessment of the OSA, as provided for under the DFARS 
clause 252.204-7012 and DFARS clause 252.204-7020. DoD declines to 
extend the period for C3PAOs to achieve compliance with ISO/IEC 
17020:2012(E). The Department has determined that 27 months is 
reasonable and sufficient for a C3PAO to achieve compliance. The rule 
was also updated in Sec.  170.9(b)(11) to clarify that audit 
information must be provided upon request.

14. Ecosystem Capacity

    Comment: Commenters expressed concern that the demand for third-
party assessments amongst the defense industrial base will exceed the 
capacity of available Certified CMMC Assessors and Certified CMMC 
Professionals and government assessors, which may prevent timely and 
affordable audits or cause businesses to lose out on DoD contracts. To 
mitigate the concerns, one commenter suggested delaying phase-in of 
certification assessment by two years, by relying on self-assessment. 
One commenter warned of solicitation protests if companies are kept out 
of a competitive procurement due to a slow CMMC assessment process. 
Another suggested that insufficient assessors may shrink the market for 
DoD contractors and compromise assessment quality. Commenters were 
apprehensive that DoD projections for certification demand did not 
factor in all subcontractors and that the CMMC Accreditation Body lacks 
a strategy for scaling to meet increased C3PAO demand.
    Additionally, one commenter pointed out that the rule indicates 
companies can pursue a certification assessment at any time after the 
rule is published, which could tie up already limited C3PAO resources 
and impede assessment opportunities for other companies bidding on an 
upcoming contract. Another expressed concern that often-extensive 
travel times required for assessors to reach rural-based companies like 
electric cooperatives will disincentivize assessors from prioritizing 
these companies and prevent their timely assessment.
    Commenters suggested several actions the Department could take to 
mitigate capacity-related risks, including: extending the phase-in of 
Level 2 certification requirements; prioritizing companies for Level 2 
phase-in; allowing C3PAOs to issue interim or conditional 
certifications when unable to timely complete contractor assessments; 
and waiving requirements for OSCs that are in the assessment process 
but not yet certified. Some asked that DoD forecast the volume and 
timing of Level 3 certification requirements and clearly communicate 
those assessment requirements with contractors. Another requested 
forecasts of both Level 2 and Level 3 assessment capacity against 
various demand scenarios for each certification level.
    Several commenters suggested that CMMC assessment requirements for 
External Service Providers (ESPs) will also impede CMMC implementation, 
as ESPs (1) must be CMMC certified before an OSC can include them in 
their CMMC certification assessment scope and (2) will be competing 
with DIB companies for scarce C3PAO assessors. Commenters suggested 
ways to reduce burden on ESPs, which included: allowing use of non-
compliant ESPs until Phase 3 and prioritizing certification assessments 
for ESPs ahead of other assessments.
    Several commenters expressed concern about CCA and CCP roles, based 
on perceived scarcity of candidates in the job market compared with 
demand for similar services. Concerns included the potential for CCA 
and CCP burnout from overwork, dissatisfaction with repetitive 
assessment tasks, limited career paths in the roles, and the complexity 
of operating within the CMMC ecosystem. One commenter compared CCA and 
CCP roles with those of Certified Public Accountants and Certified 
Information System Auditors, who have access to more varied 
opportunities and industries.
    Response: DoD received numerous comments about the use of ESPs 
which do not process, store, or transmit CUI. In response, the DoD 
revised the rule to reduce the assessment burden for ESPs. ESP 
assessment, certification, and authorization requirements in 32 
CFR 170.19(c)(2) and (d)(2) have been updated. ESPs that are not 
CSPs and do NOT process, store, or transmit CUI, do not require CMMC 
assessment or certification. Services provided by an ESP are in the 
OSA's assessment scope. The phased implementation plan described in 
Sec.  170.3(e) is intended to address ramp-up issues, provide time to 
train the necessary number of assessors, and allow companies time to 
understand and implement CMMC requirements. The DoD has updated the 
rule to add an additional six months to the Phase 1 timeline. Phase 2 
will start one calendar year after the start of Phase 1. It is beyond 
the scope of this rule for DoD to determine the order in which 
organizations are assessed.
    The DoD declined to delete text stating that OSAs may elect to 
complete a self-assessment or pursue CMMC certification assessment to 
distinguish themselves as competitive because the recommendation did 
not result in a substantive change. The CMMC rule describes anticipated 
impacts on the DIB in the Impact and Cost Analysis section. Speculation 
on market forces affecting the DIB is outside of the scope of the CMMC 
program. Speculation on market forces affecting CMMC ecosystem CCP and 
CCA roles is also outside of the scope of the CMMC 
program. Likewise, limitations on career opportunities and associated 
issues such as burn-out or job satisfaction are beyond the scope of the 
program.
    The DoD declines to comment on external market factors impacting 
CMMC compliance. The seven-year timespan reflects the DoD's estimate 
for all DIB members to achieve CMMC compliance. The implementation plan 
ramps up CMMC assessment requirements over 4 phases, such that the 
ecosystem will reach maximum capacity by year four. The DoD does not 
agree with commenter assertions that 70,000 or more entities will 
require CMMC Level 2 assessment by October 1, 2026. Table 6 of the 
Impact and Cost Analysis of CMMC 2.0 section provides the DoD's 
estimate of CMMC assessment numbers by year and level.
    DoD considered many alternatives before deciding upon the current 
CMMC structure. By design, the CMMC program depends on the supply and 
demand dynamics of the free market, enabling it to naturally scale and 
adapt to capacity requirements. Planned changes to DCMA staffing levels 
have been considered with regard to implementation of CMMC Level 3 and 
C3PAO assessments as described in this rule. The DIBCAC will 
communicate extensively with contractors about the conduct of a Level 3 
assessment during the pre-assessment planning phase.

15. Assessments

a. Level 1 and Mapping of 15 Level 1 to 17 Level 2 Requirements
    Comment: A few questions were submitted about CMMC level 1 
requirements, on topics such as whether DoD intended affirmations for 
CMMC level 1 be required annually versus triennially, and whether 
specific policies and procedures documentation is required for Level 1 
self-assessments. One commenter asked about limits on deficiency 
remediation and re-accomplishing an assessment in the event a company 
fails a CMMC Level 1 self-assessment. Another commenter asked for the 
specific wording to reflect a CMMC Level 1 assessment score in SPRS.
    One commenter objected to CMMC level 1 annual affirmation, which 
they considered an unwarranted expansion of CUI safeguarding 
requirements to information systems that process only FCI. One 
commenter recommended revisions to explicitly indicate that OSAs may 
choose to engage the services of a C3PAO to inform the OSA's Level 1 
self-assessment submission. Another commenter recommended editorial 
revisions to avoid use of the term ``CMMC security requirements'' based 
on the observation that CMMC requirements are aligned directly to those 
identified in FAR clause 52.204-21 or NIST publications.
    One commenter asked for explanation of perceived differences 
between tables in the published rule that map CMMC Level 1 Security 
Requirements to NIST SP 800-171A Jun2018, as compared with prior 
versions of the document.
    One commenter asked for the rationale associated with mapping 15 
requirements for CMMC level 1 to 17 requirements in CMMC level 2. Two 
commenters asked if systems that process FCI (and require CMMC level 1) 
are considered within scope for CMMC level 2 or 3 assessments, and if 
so, how they should be documented.
    Response: When applicable, the DoD does require an annual CMMC 
Level 1 self-assessment against the 15 safeguarding requirements 
aligned with FAR clause 52.204-21. Annual affirmations are required at 
every CMMC level. There are no explicit documentation requirements for 
a CMMC Level 1 Self-Assessment. The DoD modified the Level 1 Scoping 
Guide to provide clarity.
    An OSA may complete as many self-assessments as desired, and there 
is no required timeframe between Level 1 self-assessments and updating 
CMMC Status in SPRS. The entry in SPRS for CMMC Level 1 is a binary 
selection between Yes and No based on meeting all Level 1 security 
requirements.
    The CMMC Program verifies implementation of security requirements 
for FCI in accordance with FAR clause 52.204-21. The DoD has elected to 
use the CMMC Status postings and attestations in SPRS as the mechanism 
to verify compliance with applicable CMMC requirements.
    An OSA engaging an authorized C3PAO to perform the Level 1 self-
assessment and then using the resulting CMMC Status when ``self-
assessing'' is permissible. The OSA however retains all the 
responsibilities and liabilities of the affirmation. No revisions to 
the rule were necessary.
    Writing style recommendations were not incorporated and no 
responses were provided to those comments based on comparison of pre-
publication draft versions with those officially published for public 
comment. DoD aligned the security requirements for Level 1 exactly with 
those in FAR clause 52.204-21 and aligned the security requirements in 
Level 2 exactly with those in NIST SP 800-171 R2. The 15 security 
requirements in FAR clause 52.204-21, which make up CMMC Level 1, were 
mapped by NIST into 17 security requirements in NIST SP 800-171 R2. 
This was accomplished by splitting 1 requirement into 3 parts, while 
the other 14 align. Table 2 to Sec.  170.15(c)(1)(ii) provides a 
mapping.
    Meeting the CMMC Level 2 self-assessment (Sec.  170.16) or CMMC 
Level 2 certification assessment (Sec.  170.17) requirements also 
satisfies the CMMC Level 1 self-assessment requirements detailed in 
Sec.  170.15 for the same CMMC Assessment Scope.
b. Level 2
    Comment: Commenters provided a number of very specific Level 2 
assessment scenarios and asked for rule interpretation for each 
scenario. Scenarios included differing scores for self-assessment and 
third-party assessment; assessment timing; conditional assessment 
expiration; and CUI enclaves.
    One commenter stated the language describing certificates of 
assessment lacked clarity and seems to allow an OSC to be issued a 
certificate of assessment but not be certified. Two comments stated 
that wording describing the expiration of a Conditional Level 2 self-
assessment or certification could be interpreted to mean that the OSA/
OSC would be permanently barred from seeking further contracts using 
information systems within that CMMC Assessment Scope. One comment said 
it was not clearly stated that a Level 2 third party assessment would 
satisfy contractual requirements for a Level 2 self-assessment. One 
comment stated that the rule does not clearly indicate whether a Level 
2 assessment checks for more than just proper implementation of the 110 
requirements in NIST SP 800-171 R2 and includes paragraphs (c) through 
(g) of DFARS clause 252.204-7012. This commenter advocated that those 
requirements be assessed only during DIBCAC assessments.
    Response: The rule has been updated to clarify that meeting the 
requirements for a CMMC Level 2 certification assessment satisfies a 
CMMC Level 2 self-assessment requirement for the same CMMC Assessment 
Scope.
    The term ``certificate of assessment'' has been replaced with the 
term ``Certificate of CMMC Status'' in the final rule. When an OSC has 
met all the requirements for a Level 2 certification assessment, a 
Certificate of CMMC Status is obtained from the C3PAO conducting the 
assessment. See Sec.  170.9. Under CMMC, OSCs are not certified; 
rather, the assessed network receives a Certificate of CMMC Status for 
the CMMC Assessment Scope if the network 
meets all applicable certification requirements. No rule edit is 
necessary because Sec.  170.19 is clear on this point.
    The phrase ``until such time as a valid CMMC Level 2 self-
assessment is achieved'' is added to the rule in the event a 
Conditional Level 2 self-assessment or Conditional Level 3 expires [see 
Sec. Sec.  170.16(a)(1)(ii)(B) and 170.17(a)(1)(ii)(B)].
    The CMMC program does not assess paragraphs (c) through (g) of DFARS 
clause 252.204-7012. The CMMC Program assesses the security 
requirements set forth in the FAR clause 52.204-21; National Institute 
of Standards and Technology (NIST) Special Publication (SP) 800-171 R2; 
and selected requirements from the NIST SP 800-172 Feb2021, as 
applicable (see table 1 to Sec.  170.14(c)(4) CMMC Level 3 
Requirements).
    If the contract requires a Level 2 self-assessment (i.e., a CMMC 
Status of ``Conditional/Final Level 2 (Self)''), then the Level 2 self-
assessment score with a current affirmation is valid for that contract 
but not for a contract with a Level 2 certification assessment 
requirement. The DoD does not consider it realistic or likely that 
C3PAOs will purposefully ``slow roll'' completion of assessments for 
which they have been engaged by an OSC. However, the OSA's CMMC Status 
is based on final results of an assessment and a valid affirmation. A 
POA&M Close-out assessment need only re-assess those requirements that 
were assessed as NOT MET in the original assessment as addressed in 
Sec.  170.21(b). The OSA status is based on the results of this POA&M 
Close-out assessment with a valid affirmation. If the subcontractor 
will process, store, or transmit CUI, then the flow down requirement 
for a Prime contract that specifies CMMC Level 3 certification 
assessment is, at a minimum, CMMC Level 2 certification assessment 
(i.e., a CMMC Status of ``Conditional/Final Level 2 (C3PAO)'').
    A POA&M close-out applies to all NOT MET requirements, so if one 
practice is not remediated within the 180-day time limit, the 
conditional certification will expire. Scope cannot be changed in the 
middle of an assessment, so the conditional certification will expire. 
If the scope is changed, a new assessment is required.
    The assessment is performed based on the defined CMMC Assessment 
Scope. The OSA is only approved to process, store, or transmit FCI and 
CUI within the CMMC Assessment Scope defined.
    If the conditional assessment certification expires due to 
exceeding the 180-day limit, a new full certification assessment is 
required. Contracting officers can utilize standard contract remedies 
during any period under which the OSA is not in compliance with CMMC 
requirements. If an OSC closed out their POA&M 32 months ago, that 
Level 2 Conditional certification assessment would have closed and the 
OSC would have received a Level 2 Final certification assessment for 
the remainder of the 3-year validity period. If after completing the 
Level 2 Final certification assessment, the OSC is reassessed and does 
not achieve a score of 110, then the OSC will either get a new 
Conditional Level 2 (C3PAO) CMMC Status certificate (if they meet the 
associated POA&M requirements), or the OSC will not receive a new 
certificate.
c. Level 3
    Comment: Several comments addressed CMMC Level 3 assessment 
requirements and the relationship of Level 3 assessments to Level 2 
assessments. One comment noted that a final version of the Level 3 
assessment guidance was not available at the same time as other CMMC 
assessment guides. Another recommended the DoD first pilot 
implementation of CMMC Level 3 security requirements and clearly 
identify (in advance) the data or programs that will be subject to 
them. One commenter asked how DoD will maintain Level 3 requirements to 
align with NIST's guidance since Level 3 includes only a subset of 
NIST's SP 800-172 Feb2021 requirements.
    Another asked about validating compliance for assets that changed 
asset categories when transitioning from Level 2 certification to Level 
3 certification. One comment said that Level 2 certification is 
not clearly identified as a prerequisite for Level 3 certification, and 
that organizations might try to bypass Level 2. One comment asked 
whether those entities that would need a CMMC level 3 assessment could 
seek a combined Level 2 and Level 3 certification from the DIBCAC to 
reduce cost to the OSC.
    One comment sought clarification of how long an OSC would be 
prohibited from seeking additional contract awards if a Level 3 
certification expired. Two comments were concerned about the DIBCAC's 
ability to terminate a Level 3 assessment if the review identifies a 
Level 2 requirement that is not met.
    Response: For CMMC Level 3, the DoD selected a subset of NIST SP 
800-172 Feb2021 requirements for enhanced safeguarding. The CMMC Level 
3 supplemental documents were not finalized prior to publication of the 
Proposed Rule. DoD's final determination of the specific subset of NIST 
SP 800-172 Feb2021 requirements is included in this final rule, which 
defines the ODPs for Level 3 in table 1 to Sec.  170.14(c)(4). DoD will 
update the rule when required to change the security requirements, to 
include CMMC Level 3.
    DoD has reviewed and declined the recommendation to conduct a pilot 
prior to phasing in CMMC Level 3 requirements. Given the evolving 
cybersecurity threat, DoD's best interests are served by ensuring that 
the selected CMMC Level 3 NIST SP 800-172 Feb2021 security requirements 
are in place to provide enhanced protections for sensitive DoD CUI.
    In those cases when DCMA DIBCAC identifies that a Level 2 security 
requirement is NOT MET, DCMA DIBCAC may allow for remediation, place 
the assessment process on hold, or may immediately terminate the Level 
3 assessment, depending on significance of the NOT MET security 
requirement(s) and the nature of the required remediation. The 
determination of whether a NOT MET requirement is significant is 
reserved for the judgment of the DCMA DIBCAC.
    The rule has been updated to clarify that DCMA DIBCAC has the 
responsibility to validate compliance of all assets that changed asset 
category (i.e., CRMA to CUI Asset) or assessment requirements (i.e., 
Specialized Assets) between the Level 2 and Level 3 assessments. As 
addressed in Sec.  170.18, a condition to request a Level 3 
certification assessment from DCMA DIBCAC is the receipt of a Final 
Level 2 (C3PAO) CMMC Status. The DoD considered, but declined, the 
recommendation to allow OSAs to simultaneously pursue Level 2 and Level 
3 in one assessment. DoD must enforce CMMC requirements uniformly 
across the Defense Industrial Base for all contractors and 
subcontractors who process, store, or transmit CUI, regardless of an 
OSA's intended CMMC level. Permitting OSCs to seek combined CMMC Level 
2 and 3 assessments would unfairly benefit only a subset of OSCs that 
were identified to meet CMMC Level 3 requirements.
    The rule has been updated to clarify that the OSC will be 
ineligible for additional contract awards that require a CMMC Level 3 
certification assessment until such time as a valid (Conditional or 
Final) CMMC Level 3 (DIBCAC) CMMC Status is achieved for the 
information systems within the CMMC Assessment Scope.

[[Page 83130]]

d. Scoring Methodology
1. CMMC Point Value System
    Comment: Multiple comments were received concerning the point 
values assigned to CMMC security requirements, their association to 
other frameworks, consistency between CMMC levels, and their use in 
POA&M eligibility determination. Numerous comments recommended that the 
CMMC Level 2 weighted point system where security requirements are 
valued as 1, 3, or 5 be modeled after the one point per requirement 
used in CMMC Level 3 scoring. Some also questioned why the CMMC Level 2 
scoring structure was the same as the NIST SP 800-171 DoD Assessment 
Methodology (DoDAM). Four comments recommended changes to the criteria 
for adding unimplemented security requirements to an Assessment POA&M. 
One comment noted that temporary deficiencies which are appropriately 
addressed in plans of action should be assessed as implemented. Some of 
the comments recommended not assigning point values to determine POA&M 
eligibility. Two other comments recommended dropping the NIST Basic and 
Derived security requirement designations and disassociating them from 
CMMC point values.
    Response: Recommendations to assign a point value of 1 to all CMMC 
Level 2 security requirements were not accepted. CMMC adopted the 
scoring as included in the NIST SP 800-171 DoD Assessment Methodology 
(DoDAM) used by the DCMA DIBCAC and referenced in DFARS clause 252.204-
7020. As addressed in Sec.  170.20(a) in this rule, there is qualified 
standards acceptance between a DCMA DIBCAC High Assessment and CMMC 
Level 2 certification assessment. Revisions to the CMMC Scoring 
Methodology will be made concurrently with changes to the DoDAM. The 
variable point values of 1, 3, and 5 are linked to the NIST 
determination of Basic Security Requirements and Derived Security 
Requirements as described in Sec.  170.24. The DoD has updated 
the rule text at Sec.  170.24 to clarify which requirements may 
be included on a POA&M. CMMC Level 2 security requirement SC.L2-3.13.11 
can be partially effective and may be included on a POA&M if encryption 
is employed and is not FIPS-validated.
    The DoD added a definition for enduring exceptions and temporary 
deficiencies to the rule. Sec.  170.21 addresses POA&Ms for 
assessments. Security requirement CA.L2-3.12.2 allows for the 
development and implementation of operational plans of action 
designed to correct deficiencies and reduce or eliminate 
vulnerabilities in organizational systems. These operational plans of 
action are different from POA&Ms permitted under Conditional 
assessment. The rule has been updated to make this distinction clear. 
The CMMC rule does not prohibit the use of an operational plan of 
action to address necessary information system updates, patches, or 
reconfiguration as threats evolve.
2. NIST SP 800-171A Jun2018 Assessment Objectives
    Comment: Multiple comments questioned the role of NIST SP 800-171A 
Jun2018 Assessment Objectives within the CMMC assessment process. Three 
comments asked whether all assessment objectives needed to be met to 
score a security requirement as MET. Two comments questioned the need 
to report assessment results at the assessment objective level within 
the CMMC instantiation of eMASS for CMMC Level 2 and CMMC Level 3 
certification assessments. Some comments suggested that the DoD allow 
for contractors to take a more risk-based approach to include 
compensating controls instead of a strict security requirement-based 
model.
    Response: DoD must enforce CMMC requirements uniformly for all 
defense contractors and subcontractors who process, store, or transmit 
CUI. Each assessment objective in NIST SP 800-171A Jun2018 must yield a 
finding of MET or NOT APPLICABLE for the overall security requirement 
to be scored as MET. Assessors exercise judgment, within CMMC 
guidelines, in determining when sufficient and adequate evidence has 
been presented to make an assessment finding. A security requirement 
can be applicable, even with assessment objectives that are N/A. The 
security requirement is NOT MET when one or more applicable assessment 
objectives is NOT MET. CMMC assessments are conducted at the security 
requirement objective level, and the results are captured at the 
security requirement objective level. Assessment results are entered 
into the CMMC instantiation of eMASS at the NIST SP 800-171A Jun2018 
assessment objective level of detail to provide metrics on which 
assessment objectives are proving difficult to implement and to 
indicate where additional assessor training and guidance may be 
warranted.
    The DoD declines to change requirements to allow additional 
organization-specific risk-based approaches. National Institute of 
Standards and Technology (NIST) determined the appropriate 
characteristics and considered the appropriate attack vectors when NIST 
SP 800-171 R2 was created, and tailored the security requirements to 
protect the confidentiality of CUI. Questions and comments related to 
NIST SP 800-171 R2 background, development and scenarios are outside 
the scope of the CMMC rule.
3. Other Scoring Comments
    Comment: Three comments were received concerning the use of 
operational plans of action to document security requirements which are 
not fully implemented due to limitations beyond the ability of an OSA 
to address. The use of temporary deficiencies and enduring exceptions 
was suggested, along with the recommendation that these items be scored 
as MET.
    The scoring of FIPS-validated modules was questioned in four 
comments. An error in the point value for encryption (1 and 3 points vs 
the correct 3 and 5 points) was identified. Clarification on full 
credit for incomplete implementation of FIPS encryption was also 
requested.
    Two comments were received about the relationship between CMMC 
Level 2 and CMMC Level 3 scoring asking if the point values in each 
assessment were cumulative and how the 80% eligibility for an 
assessment POA&M and Conditional certification would be calculated.
    Three comments requested clarification around the use of N/A in 
security requirements, assessment objectives, and in matters pertaining 
to previously granted DoD CIO variances. One comment questioned what 
types of artifacts are required to substantiate a determination of N/A 
for a security requirement or assessment objective. Three comments 
addressed the need for a System Security Plan, its point value, if any, 
and the need for an SSP as a prerequisite for assessment as it exists 
in the DIBCAC DoDAM.
    Response: The government cannot comment on the suitability of 
specific implementations or products to meet CMMC security requirements 
and is aware that FIPS module validation can exceed the 180-day CMMC 
assessment POA&M threshold. Guidance regarding FIPS implementation on 
Windows 11 is not appropriate for inclusion in the rule text and DoD 
declines to make an update. Limitations of the FIPS-validated module 
process do not impact the implementation status of FIPS cryptography. 
The rule has been updated to include enduring exceptions and temporary 
deficiencies. Vendor limitations with respect to FIPS validation could 
be considered 
enduring exceptions or temporary deficiencies and should be addressed 
in an OSA's operational plan of action.
    Several requirements within NIST SP 800-171 R2 specify the use of 
encryption without consideration of the processing, storage, or 
transmission of CUI. Requirement 3.13.11 requires that the encryption 
used be a FIPS-validated module if the encryption is used to protect 
the confidentiality of CUI. The scoring in Sec.  
170.24(c)(2)(i)(B)(4)(ii) is based on the use of encryption and whether 
the encryption uses a FIPS-validated module. There is no consideration 
for multiple layers of encryption so specific guidance to assessors 
regarding layers of encryption is not needed and DoD declines to make 
the suggested addition. OSAs may choose how they implement security 
requirements and C3PAOs will assess based on the stated 
implementations. CCAs are trained in the correct process to assess 
security requirements. The DoD has updated the rule text at Sec.  
170.24(c) to clarify which requirements may be included on a 
POA&M, which addresses the error in the point value for encryption.
    The scoring for CMMC Level 3 is separate from the scoring for CMMC 
Level 2. As stated in Sec.  170.24(c)(3), the CMMC Level 3 assessment 
score is equal to the number of CMMC Level 3 security requirements that 
are assessed as MET. There are twenty-four CMMC Level 3 security 
requirements, identified in table 1 to Sec.  170.14(c)(4). CMMC Level 3 
POA&M eligibility is based on the number of CMMC Level 3 security 
requirements and does NOT include the 110 CMMC Level 2 requirements.
    ``Not applicable'' was removed from Sec.  170.24(c)(9) for the case 
where the DoD CIO previously approved a variance. The rule has been 
updated to reflect the language of DFARS clause 252.204-7012 and the 
DoDAM, which allow a requirement to be nonapplicable or to be satisfied 
by an alternative, but equally effective, security measure. Regarding 
the comment on N/A objectives, 
Sec.  170.23 is clear that MET means all applicable objectives for the 
requirement and that if an objective does not apply, then it is 
equivalent to being MET. A security requirement can be applicable, even 
with one or more objectives that are N/A. The overall requirement is 
only NOT MET when one or more applicable objectives is not satisfied. 
The determination of assessment findings is made by an Assessor 
following the assessment methodology. In the case of a self-assessment, 
the Assessor is from the OSA. In the case of a certification 
assessment, the Assessor is from the C3PAO or DIBCAC. An assessment 
finding of NOT APPLICABLE (N/A) means a security requirement (or 
assessment objective) does not apply at the time of the CMMC 
assessment. For each assessment objective or security requirement 
marked N/A, the Certified Assessor includes a statement that explains 
why it does not apply to the contractor. The OSC should document in its 
SSP why the security requirement does not apply and provide 
justification. There is no standard set of artifacts required to 
justify a finding of N/A.
    A System Security Plan as described in security requirement CA.L2-
3.12.4 is required to conduct an assessment. The rule has been updated 
at Sec.  170.24(c)(2)(i)(B)(6) for clarity. Security requirement CA.L2-
3.12.4 does not have an associated point value. The OSA will not 
receive a -1 for a missing or incomplete SSP. The absence of an up-to-
date system security plan at the time of the assessment would result in 
a finding that ``an assessment could not be completed due to incomplete 
information and noncompliance with DFARS clause 252.204-7012.'' The rule 
has been updated in Sec.  170.24(c)(6) to clarify this.
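    The objective-level finding rule in d.2 and the scoring rules in d.1 
and d.3 above, worked through as an added example (this is not the CMMC 
Assessment Guide, the DoDAM, or any DoD code). The requirement 
identifiers, point values, and findings in the sample data are 
constructed; the 1/3/5 point scheme, the 110-point Level 2 maximum, the 
twenty-four Level 3 requirements scored separately, the 80 percent POA&M 
threshold, the 3-of-5-point partial credit for SC.L2-3.13.11, and the 
outcome when no up-to-date SSP exists follow the rule text. Treating a 
requirement whose objectives are all N/A as N/A, and counting N/A Level 3 
requirements as satisfied, are assumptions of the example; the rule's 
further limits on which requirements may be listed on a POA&M are not 
modelled.

```python
"""Assessment findings and scoring as described in the rule text.

Added illustration, not code from the rule, the DoDAM, or DoD. Requirement
identifiers, point values, and findings in the sample data are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Finding(Enum):
    MET = "MET"
    NOT_MET = "NOT MET"
    NA = "NOT APPLICABLE"


class IncompleteAssessment(Exception):
    """The assessment could not be completed (for example, no current SSP)."""


@dataclass
class Requirement:
    ident: str
    level: int                         # 2 or 3
    points: int                        # Level 2: 1, 3, or 5; Level 3: 1 each
    objectives: Dict[str, Finding]     # assessment objective -> finding
    encryption_employed: bool = False  # consulted only for SC.L2-3.13.11


LEVEL2_MAX = 110   # the 110 NIST SP 800-171 R2 requirements
LEVEL3_MAX = 24    # the 24 selected NIST SP 800-172 requirements


def requirement_finding(req: Requirement) -> Finding:
    """MET only if every applicable objective is MET; an N/A objective counts as
    satisfied; one NOT MET applicable objective makes the requirement NOT MET.
    All objectives N/A -> requirement N/A (assumption for this example)."""
    applicable = [f for f in req.objectives.values() if f is not Finding.NA]
    if not applicable:
        return Finding.NA
    return Finding.NOT_MET if Finding.NOT_MET in applicable else Finding.MET


def level2_deduction(req: Requirement) -> int:
    """Points lost for a Level 2 requirement found NOT MET (0 otherwise)."""
    if req.level != 2 or requirement_finding(req) is not Finding.NOT_MET:
        return 0
    # SC.L2-3.13.11 is partially effective when encryption is employed but
    # not FIPS-validated: 3 points lost instead of the full 5.
    if req.ident == "SC.L2-3.13.11" and req.encryption_employed:
        return 3
    return req.points


def level2_score(reqs: List[Requirement], ssp_current: bool) -> int:
    """110 minus deductions; requirements absent from `reqs` are assumed MET in
    this sample. Without an up-to-date SSP no score is produced."""
    if not ssp_current:
        raise IncompleteAssessment("assessment could not be completed due to "
                                   "incomplete information")
    return LEVEL2_MAX - sum(level2_deduction(r) for r in reqs)


def level3_score(reqs: List[Requirement]) -> int:
    """Count of Level 3 requirements not found NOT MET, scored separately from
    Level 2. N/A requirements are treated as satisfied (assumption)."""
    return sum(1 for r in reqs
               if r.level == 3 and requirement_finding(r) is not Finding.NOT_MET)


def poam_eligible(score: int, maximum: int) -> bool:
    """80 percent of the level's maximum score, in integer arithmetic."""
    return score * 100 >= 80 * maximum


# --- constructed sample data (ids and point values are illustrative) ---------
M, N, NA = Finding.MET, Finding.NOT_MET, Finding.NA

SAMPLE_LEVEL2 = [
    # fully met; one N/A objective does not make the requirement N/A
    Requirement("AC.L2-3.1.1", 2, 5, {"a": M, "b": M, "c": NA, "d": M}),
    # encryption in use but not FIPS-validated: 3 of 5 points lost
    Requirement("SC.L2-3.13.11", 2, 5, {"a": N}, encryption_employed=True),
    # a single NOT MET objective fails the whole 1-point requirement
    Requirement("AC.L2-3.1.20", 2, 1, {"a": M, "b": N}),
    # a 5-point requirement found NOT MET
    Requirement("IA.L2-3.5.3", 2, 5, {"a": N, "b": N}),
    # every objective N/A: requirement N/A, nothing deducted
    Requirement("AC.L2-3.1.18", 2, 5, {"a": NA, "b": NA}),
]

# 24 Level 3 requirements under placeholder ids: 20 MET, 3 NOT MET, 1 N/A
SAMPLE_LEVEL3 = (
    [Requirement(f"L3-{i:02d}", 3, 1, {"a": M}) for i in range(1, 21)]
    + [Requirement(f"L3-{i:02d}", 3, 1, {"a": N}) for i in range(21, 24)]
    + [Requirement("L3-24", 3, 1, {"a": NA})]
)


def sample_report() -> dict:
    """Scores and POA&M eligibility for the constructed sample."""
    s2 = level2_score(SAMPLE_LEVEL2, ssp_current=True)
    s3 = level3_score(SAMPLE_LEVEL3)
    return {"level2_score": s2, "level2_poam_eligible": poam_eligible(s2, LEVEL2_MAX),
            "level3_score": s3, "level3_poam_eligible": poam_eligible(s3, LEVEL3_MAX)}


if __name__ == "__main__":
    print(sample_report())
```

    Run as a script it prints the sample report: the Level 2 score is 101 
(110 less 3, 1, and 5 points), the Level 3 score is 21 of 24, and both 
clear the 80 percent threshold; passing ssp_current=False raises 
IncompleteAssessment instead of producing any score.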
e. Artifacts
    Comment: Several comments and requests for clarification dealt with 
artifacts that are reviewed or created during a CMMC assessment, or as 
part of compliance with other contractual requirements, including DFARS 
clause 252.204-7012. Some commenters asked whether standardized SSP and 
POA&M templates would be provided to assist with compliance. Other 
templates requested included pre-assessment planning materials, final 
assessment reports, and the resulting Certificate of CMMC Status.
    Others expressed concern that sharing certain artifacts during the 
assessment process or permitting assessors to retain them would create 
vulnerabilities. In addition, commenters asked whether security 
protections are required for documents held due to the artifact 
retention requirements. One commenter asked how CMMC assessment scores 
or affirmation information will be protected, and whether the CMMC 
program office will share this information outside of DoD. Another 
suggested that C3PAOs should not be required to retain any OSC provided 
materials.
    One commenter misinterpreted the supplemental hashing guide as 
requiring use of the MS PowerShell script with the SHA256 algorithm. 
The commenter also stated it would be more efficient to specify a 
single hash be provided for combined artifacts rather than requiring 
separate hash values for each artifact. They recommended deletion of 
the hashing requirement. Another commenter suggested requiring OSCs to 
generate hashes for artifacts as part of a Level 2 self-assessment. One 
comment also asked whether hashing is required for Level 3 artifacts. 
One comment asked how long OSAs must retain artifacts following an 
assessment.
    Some comments expressed concern that C3PAOs that receive or retain 
OSA artifacts identified as CUI would be required to undergo assessment 
by both the DIBCAC and another C3PAO. Four commenters objected to the 
6-year artifact retention requirement for C3PAOs and requested 
reduction to 1 year. Three commenters asked whether self-assessors at 
level 1 or level 2 must also retain supporting artifacts for 6 years. 
Two commenters recommended revised wording of CMMC Level 3 requirements 
to provide greater clarity about artifact retention and integrity.
    One commenter requested edits to the description of SSP content, 
advocating for deletion of references to organizational policies and 
procedures in place to comply with NIST SP 800-171 R2. The recommended 
edits also changed attribution of the requirement to create an SSP to 
reflect DFARS clause 252.204-7020 rather than DFARS clause 252.204-
7012. This commenter also suggested additional wording to specify that 
the OSA need not define roles and responsibilities of security 
personnel in the SSP but may do so in ancillary documents.
    Response: This rule retains the reference to DFARS clause 252.204-
7012 that implements NIST SP 800-171 as the basis for the requirement 
to create and update an SSP. The DoD has considered the recommended 
changes to the rule regarding the SSP content and declines to make the 
revision. The NIST SP 800-171 R2 requirement for an SSP is foundational 
to performing a NIST SP 800-171 R2 self-assessment and its purpose is 
to provide critical information for performing the assessment. The SSP 
should detail the policies and procedures that support ``. . . how 
security requirements are implemented . . .'' for all NIST SP 800-171 
R2 controls. DoD declines to establish a specific SSP format, as OSAs 
should define the best format for their organizations. The Overview 
section of the rule has been updated to remove the statement indicating 
SSPs will outline the roles and responsibilities of security personnel. 
DoD does not plan to provide document templates for SSPs and POA&Ms, as 
they are already available

[[Page 83132]]

in existing NIST guidance. Templates and schemas for the pre-assessment 
and assessment results documents are available to authorized CMMC eMASS 
users at https://cmmc.emass.apps.mil.
    Commenter concerns about artifact retention reflect a 
misunderstanding of the assessment process. Assessors and C3PAOs do not 
retain OSC artifacts; they retain only the hash value captured during 
the assessment process. Assessors will retain documents created during 
the assessment, such as their notes and the Assessment Findings Reports. 
To facilitate the protection of these documents, authorized C3PAOs are 
required to go through a DIBCAC-conducted CMMC Level 2 assessment, and 
CMMC Assessors are only authorized to use C3PAO-issued equipment that 
was within the scope of the DIBCAC assessment. Separately, the DIBCAC 
processes, stores, and transmits its assessment related data on DoD 
networks. Assessment Reports are submitted to DoD via eMASS, which is a 
government-owned, secured database. Sharing of this information is 
subject to DoD policies.
    The OSC is responsible for maintaining and hashing all artifacts 
that supported the assessment. The rule has been modified to clarify 
C3PAOs do not maintain artifacts from the OSC. The OSC's artifacts must 
be hashed, and the value provided to the assessor for submission into 
CMMC eMASS. That hash value contains no sensitive information. An OSC's 
System Security Plan (SSP) will be reviewed as part of a CMMC 
certification assessment, but not shared outside of the OSC. Assessors 
will not retain copies of the SSP or any other proprietary OSC 
information. Assessors will retain the name, date, and version of the 
SSP for uploading in SPRS or eMASS, as appropriate for the level of 
assessment. Assessors will upload assessment information (e.g., list of 
artifacts, hash of artifacts, and hashing algorithm used) into CMMC 
eMASS as addressed in Sec.  170.9(b)(17), and the OSC will retain its 
assessment documentation as addressed in Sec.  170.17(c)(4) and Sec.  
170.18(c)(4).
    CMMC Level 2 self-assessments procedures as described in Sec.  
170.16(c)(1) require assessment in accordance with NIST SP 800-171A 
Jun2018, which if conducted properly will generate evidence. The rule 
has been modified to incorporate data retention requirements for self-
assessments into Sec. Sec.  170.15 and 170.16. OSAs are not required to 
generate hashes for self-assessment artifacts. Hashing is only required 
for Level 2 or Level 3 assessments by C3PAOs and DCMA DIBCAC. The rule 
and Hashing Guide have been updated to add clarity that only a single 
hash is required, and that artifact retention is for six years. The use 
of the SHA256 algorithm is not mandatory; therefore, the name of the 
hash algorithm must be stored in eMASS.
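The hashing workflow described in the two preceding paragraphs, as an added illustrative example that is not part of this rule, of the CMMC Hashing Guide, or of that Guide's PowerShell script: each artifact is hashed with a named algorithm, the per-artifact digests are listed in a manifest, and one hash over that manifest is the single value handed to the assessor together with the algorithm name. The OSC keeps the artifacts and can re-run the verification step at POA&M close-out or at any point in the six-year retention period. The manifest layout, the record fields, the function names, and the sample artifact contents are this example's own assumptions, not a format the rule or eMASS prescribes.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed sample artifacts (file name -> bytes). In a real assessment
# these would be the OSC's evidence files read from disk. Contents are
# deliberately tiny so the digests can be checked by hand.
SAMPLE_ARTIFACTS: Dict[str, bytes] = {
    "AC.L2-3.1.1_access-control-policy.pdf": b"abc",
    "SSP_v2.3.docx": b"",
    "CM.L2-3.4.1_baseline-export.json": b'{"hosts": 42}',
}


def hash_bytes(data: bytes, algorithm: str) -> str:
    """Hex digest of data under any algorithm hashlib supports (sha256, sha512, sha3_256, ...).
    hashlib.new raises ValueError for an unknown algorithm name, so a typo in the
    recorded algorithm fails loudly instead of silently producing a wrong digest."""
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def hash_artifacts(artifacts: Dict[str, bytes], algorithm: str = "sha256") -> List[Tuple[str, str]]:
    """Per-artifact (name, digest) pairs, sorted by name so the manifest is deterministic."""
    return [(name, hash_bytes(artifacts[name], algorithm)) for name in sorted(artifacts)]


def build_manifest(entries: List[Tuple[str, str]], algorithm: str) -> str:
    """Manifest text (assumed layout): a header naming the algorithm, then one
    'digest  name' line per artifact. The header binds the single manifest hash
    to the algorithm that produced the per-artifact digests."""
    lines = [f"# algorithm: {algorithm}"]
    lines += [f"{digest}  {name}" for name, digest in entries]
    return "\n".join(lines) + "\n"


def assessment_record(artifacts: Dict[str, bytes], algorithm: str = "sha256") -> dict:
    """The values the assessor needs (assumed field names): artifact list,
    per-artifact digests, the single manifest hash, and the algorithm name.
    No artifact content is included, which is why the record is not sensitive."""
    entries = hash_artifacts(artifacts, algorithm)
    manifest = build_manifest(entries, algorithm)
    return {
        "algorithm": algorithm,
        "artifacts": [name for name, _ in entries],
        "artifact_hashes": dict(entries),
        "manifest": manifest,
        "manifest_hash": hash_bytes(manifest.encode("utf-8"), algorithm),
    }


def verify_artifacts(artifacts: Dict[str, bytes], record: dict) -> List[str]:
    """Re-hash retained artifacts against the record using the algorithm it names.
    Returns a list of problems (missing or modified artifacts, manifest mismatch);
    an empty list means the retained evidence still matches what was assessed."""
    algorithm = record["algorithm"]
    problems: List[str] = []
    for name, expected in record["artifact_hashes"].items():
        if name not in artifacts:
            problems.append(f"missing: {name}")
        elif hash_bytes(artifacts[name], algorithm) != expected:
            problems.append(f"modified: {name}")
    # The manifest itself must still hash to the single value that was submitted.
    if hash_bytes(record["manifest"].encode("utf-8"), algorithm) != record["manifest_hash"]:
        problems.append("manifest hash mismatch")
    return problems


if __name__ == "__main__":
    rec = assessment_record(SAMPLE_ARTIFACTS)
    print(f"algorithm={rec['algorithm']} manifest_hash={rec['manifest_hash']}")
    print(rec["manifest"])
    # Simulate an artifact edited after the assessment; verification must flag it.
    tampered = dict(SAMPLE_ARTIFACTS)
    tampered["SSP_v2.3.docx"] = b"edited after the assessment"
    print(verify_artifacts(tampered, rec))
```

Two design points matter for anyone building their own version: the per-artifact entries are sorted and the manifest records the algorithm, so the same evidence always yields the same single hash and the submitted value cannot be matched by a manifest hashed under a different algorithm. Because the record carries only names, digests and the algorithm string, it can be handed to the assessor without exposing the artifact contents, which is what makes the "hash value contains no sensitive information" statement hold in practice.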
    There are no additional requirements for artifact storage and 
retention beyond those identified in the rule. It is up to the OSA to 
determine the best way to ensure artifact availability during the six-
year retention period. The rule has been updated in Sec. Sec.  170.15 
through 170.18 to clarify artifact retention requirements.
    DoD declines to reduce the artifact retention period from six years 
to one year. The rule has been updated to clarify that all OSAs and 
Assessors are required to retain their respective assessment data for 
six years. The requirement for an artifact retention period of six 
years is a result of the Department of Justice's input to the proposed 
rule.
f. POA&Ms
    Comment: Over forty comments were received about POA&Ms seeking 
clarification or revision to the rule content on that topic.
    Several commenters misinterpreted the requirement to remediate or 
close POA&M items within 180 days as eliminating acceptability of 
operational plans of action for normal corrective actions such as 
patching or other routine maintenance activities, thus making the 
achievement of 100% compliance impossible. Some commenters requested 
rule revisions to describe operational plans of action in more detail. 
One commenter asked that the concept of Enduring Exceptions be added to 
the rule to address special circumstances when remediation and full 
compliance with CMMC security requirements is not feasible as described 
in the NIST SP 800-171A Jun2018 assessment methodology.
    Several commenters expressed concern with the 180-day timeline to 
close out POA&Ms or limits on which practices can be placed on them. 
Recommendations for changing the POA&M timeline ranged from completely 
deleting the time limit to extending it by 1 to 3 years. One variation 
was to permit more than 180 days for closeout only during an initial 
one-year ``ramp-up'' period. One commenter encouraged DoD to reduce 
POA&M restrictions to facilitate contractors' genuine attempts to meet 
requirements and mitigate information security risks. Three commenters 
also thought the rule should allow contractors to request approval to 
delay POA&M close-out when meeting the original timeline is 
impracticable, while another commenter suggested defining the close-out 
timeline in the contract, allowing negotiation of extension or renewal 
of POA&Ms through the contracting officer. Two commenters asked when 
the 180-day timeline begins and one asked what actions occur if the 
POA&M is not closed out within that period.
    Four commenters noted that the number of security requirements 
explicitly precluded from POA&Ms makes CMMC challenging and requested 
greater flexibility in how many, and which practices may be included. 
Three commenters recommended that companies be allowed to have any 
number of failed practices reassessed for up to six months after an 
assessment without having to complete and pay for a new full 
assessment. Three other commenters recommended that the DoD allow for 
risk informed POA&Ms, while one stated that the rule should not specify 
which requirements must be met. One commenter requested clarification 
on how many items of each point value may be included on a POA&M for 
CMMC Level 2 conditional certification. One commenter also asked DoD to 
consider abandoning controls with high failure rates, lowering score 
requirements based on evidence of sufficient mitigation.
    Several comments expressed concern that CMMC conditional 
certification does not allow higher weighted practices on a POA&M and 
recommended the rule reduce those restrictions to allow more security 
practices. One commenter also recommended eliminating weighting 
altogether, permitting any requirement to be part of the POA&M. As 
rationale, one commenter referenced DFARS clause 252.204-7012 verbiage 
that permits contractors to request DoD CIO approval to vary from NIST 
SP 800-171 requirements, saying that since all approved variances are 
considered as ``Not Applicable'', all requirements should be POA&M 
eligible.
    Two commenters asked where POA&Ms are maintained, who is 
responsible for validating close-out, and whether affirmation is 
required after each assessment (including POA&M close-out). One 
commenter asked about applicability of the 180-day POA&M close-out 
requirement to Critical, High, Medium, or Low findings against Service 
Level Agreements.
    One commenter recommended that a description of appropriate POA&M 
entries to be added to the rule and

[[Page 83133]]

provided other recommended edits to the POA&M section, including 
addition of terms of art such as ``assessment-related'' and ``non-
assessment-related'', and deletion of the words ``as applicable.''
    Response: The CMMC Program allows the use of POA&Ms. Section 170.21 
delineates the security requirements that may be placed on a POA&M as 
part of an assessment; those items must be closed out by a POA&M 
closeout assessment within 180 days of the initial assessment to meet 
the assessment requirement for Final certification. At Level 1, the OSA 
must affirm annually that it has reassessed its environment. Security 
requirement CA.L2-3.12.2 allows for the development and implementation 
of operational plans of action designed to correct deficiencies and 
reduce or eliminate vulnerabilities in organizational systems. The CMMC 
rule does not prohibit an OSA from using an operational plan of action 
at any CMMC level to address necessary information system updates, 
patches, or reconfiguration as threats evolve. These are different from 
POA&Ms permitted under a Conditional certification assessment. The DoD 
has updated the rule to make this distinction clear. The Department 
also updated the rule to include a definition and clarity for enduring 
exceptions. The DoD CIO option for variances in DFARS clause 252.204-
7012 is beyond the scope of this rule.
    Operational plans of action are the appropriate mechanism to handle 
CSPs, ESPs (that are not CSPs), and third-party vendors that are no longer 
compliant with a CMMC requirement. Operational plans of action may be 
necessary when the relevant security requirement or control was fully 
implemented, but a vulnerability or deficiency is discovered after 
gaining a CMMC final compliance status, such as, but not limited to, 
routine updates, patches, or updates to CMMC compliance status. For 
purposes of CMMC compliance, operational plans of action are acceptable 
and are not subject to the 180-day timetable established for initial 
assessment. In addition, the rule has been modified to include a 
definition for Enduring Exceptions.
    The DoD does not accept the recommendation to change the criteria 
for POA&Ms or the timeline allowed to remediate open POA&M items. The 
180-day period allowed for POA&Ms and the determination of which 
weighted practices can be placed on a POA&M was a risk-based decision. 
The determination considers the relative risk DoD is willing to accept 
when a particular practice is not met and the amount of risk the DoD is 
willing to accept for those security practices that go ``NOT MET'' for 
an extended period. The DoD declined to edit the rule regarding the 
closeout of security requirements that are not allowed on the POA&M as 
stated in Sec.  170.21. The decision in this scenario is a business 
decision between the applicable C3PAO and the OSC.
    Given the evolving cybersecurity threat, DoD's best interests are 
served by ensuring that POA&Ms remain open for no longer than 180 days, 
regardless of which controls are included or the plan for remediation.
    The 180-day period starts when the CMMC assessment results are 
finalized and submitted to SPRS or eMASS, as appropriate. As addressed 
in Sec. Sec.  170.17(a)(1)(ii)(B) and 170.18(a)(1)(ii)(B), if the POA&M 
is not closed out within the 180-day timeframe, the Conditional 
Certification will expire. If the Conditional Certification expires 
within the period of performance of a contract, standard contractual 
remedies will apply, and the OSC will be ineligible for additional 
awards with CMMC Level 2 or 3 requirements for the information systems 
within the same CMMC Assessment Scope. The scoring methodology created 
by the DoD reflects the relative risk to DoD information when a 
security requirement is NOT MET. As defined in Sec.  170.17(c)(2), a 
security requirement that is NOT MET may be re-evaluated during the 
Level 2 certification assessment and for 10 business days following the 
active assessment period under certain conditions. Likewise, when an 
OSC executes a contract with a C3PAO it may account for the timeliness 
of any re-assessments. The language in DFARS clause 252.204-7012 
describing the DoD CIO's authority to approve variances is beyond the 
scope of this rule.
    A POA&M for CMMC Level 2 can include up to 22 security requirements 
that have a value of 1, excluding those in Sec.  170.21(a)(2)(iii), or 
may include non-FIPS-validated encryption and up to 19 security 
requirements that have a value of 1.
    The OSA is responsible for maintaining the POA&M that resulted from 
a CMMC assessment; however, those security requirements that were NOT 
MET and placed on a POA&M are recorded in eMASS. The OSA is responsible 
for validating the close-out of the security requirements on the POA&M 
within 180 days of a self-assessment. The C3PAO or DCMA (as applicable) 
must perform the POA&M Close-out Assessment for a Final certification 
assessment. An affirmation of compliance is required upon the 
completion of any assessment--Conditional, Close-out, or Final--and 
annually after the completion of a Final assessment. The requirement 
outlined in Sec.  170.21 for POA&M close out does not apply to Service 
Level Agreement (SLA) severity levels.
    The Department declines to include recommended POA&M examples in 
the rule, as they are already available in existing NIST guidance, or 
make other word changes to Sec.  170.21. This section of the CMMC rule 
has been updated to add clarity when discussing the POA&M regarding 
security requirements that were assessed as NOT MET during a CMMC 
assessment. These POA&Ms are distinct from an operational plan of 
action.
g. Assessment Activities and Reporting
1. Data Entry
    Comment: One comment requested the rule state that records in SPRS 
must be updated within six months of the rule's effective date or when 
the functionality is in place, whichever is longer. Two comments asked 
for mitigations for assessment delays that could impact the timeliness 
of certification. One comment asked for more information about 
assessment frequency guidelines, and one asked which date would be used 
to determine timing of CMMC Level 2 triennial assessments, where this 
date is maintained, and who is responsible for ensuring contractors 
meet all applicable security requirements.
    Response: To be eligible for a contract with a CMMC Level 1 self-
assessment requirement, the OSA must perform a Level 1 self-assessment, 
input the result into SPRS, and submit an affirmation. The timeline for 
initiating and reporting a self-assessment is a business decision to 
be made by each contractor considering contract opportunities it wishes 
to pursue. Because the OSA can fully control timelines for completion 
of self-assessments and plan for changes within the assessment scope, 
and because CMMC certification assessments occur on a standard 3-year 
cycle, the DoD expects that companies will plan assessments well in 
advance of need. The required assessment frequency is every year for 
CMMC Level 1, and every 3 years for CMMC Levels 2 and 3, or when 
changes within the CMMC Assessment Scope invalidate the assessment.
    Certification dates for CMMC levels 2 and 3 are set to the date the 
certification assessment results are entered into SPRS for self-
assessments or the date the Certificate of CMMC Status is

[[Page 83134]]

entered into eMASS for third-party assessments. The triennial 
requirement renews on that date; there is no grace period. Each OSA's 
annual affirmation attests that they have implemented, and are 
maintaining their implementation of, the security requirements.
2. Supplier Risk Performance System and eMASS
    Comment: Three commenters viewed CMMC's intent to store CMMC 
related data in an existing DoD system, SPRS, as an indication that 
SPRS would replace other DoD risk tracking systems or the risk 
monitoring responsibilities of other agencies. One commenter asked 
whether other Services would have their own systems, as the SPRS 
Program Office is within the Navy. Another comment stated CMMC and SPRS 
should not be tasked with the responsibility of addressing Supply Chain 
Risk Management (SCRM). One comment asked if the DoD intended to make 
CMMC Level 2 and 3 certification information available to other 
agencies, which could reduce the cost burden of compliance with 
assessment/certification programs adopted by other agencies. One 
comment asked how PII would be protected in SPRS. Another comment asked 
for SPRS to be redesigned to list assessment results for each security 
requirement instead of the aggregate level. One comment asked for a 
CMMC-specific process for entering data into SPRS to make it easier for 
small businesses and another comment asked for vendor visibility into a 
potential sub-contractor's SPRS score.
    Several comments asked about the CAGE code requirement and noted a 
perception that businesses outside the U.S. are unable to obtain a CAGE 
or become a member of PIEE and therefore unable to access SPRS. One 
comment asked whether each contract would require a new SPRS entry.
    One comment asked if OSCs that already have an eMASS account would 
be able to access the CMMC instantiation of eMASS and one comment 
questioned the cost/benefit of entering pre-assessment data into eMASS. 
Another comment asked for clarification on the roles and 
responsibilities of DoD Program Managers regarding the data uploaded 
into eMASS. One commenter suggested that eMASS be modified to permit 
tracking of self-assessment, in addition to certification assessments.
    Response: SPRS is used to provide CMMC Status, score results, and 
affirmation status to contracting officers and program managers as part 
of the contract award process. It does not supersede other DoD program 
office risk register systems. SPRS will be used for reporting CMMC 
Status of all contractors, regardless of which service issued the 
contract. Although the SPRS program is managed by the Department of the 
Navy, its use spans across the Department. There is no role for other 
agencies associated with this CMMC rule, which applies only to DoD 
contractors that process, store, or transmit FCI or CUI. The CMMC PMO 
has no current agreements with other Federal agencies to share CMMC 
assessment results. There is nothing that prevents an OSA from sharing 
their CMMC Status with other entities.
    SPRS is an existing DoD database that is compliant with DoD 
regulations, which includes meeting Privacy requirements. DoD suppliers 
are already required to use SPRS to record NIST SP 800-171 self-
assessment scores, as referenced in DFARS clause 252.204-7020. The CMMC 
rule expands the use of SPRS to include CMMC Status, certification 
assessment scores, and affirmations.
    SPRS is the tool that the DoD acquisition workforce will use to 
verify companies meet CMMC requirements to be eligible for contract 
award. SPRS data entry does not make available to Contracting Officers 
scoring of individual security requirements.
    The DoD does not concur with granting prime contractors access to 
view the CMMC scores or Certificates of CMMC Status for potential 
subcontractors in SPRS. Subcontractors may voluntarily share their CMMC 
Status, assessment scores, or certificates to facilitate business 
teaming arrangements. Changing access to PIEE and SPRS is outside the 
scope of this rule.
    CMMC eMASS is a tailored, stand-alone instantiation of eMASS for 
use by authorized representatives from C3PAOs, the DCMA DIBCAC, and the 
CMMC PMO. Individuals from each C3PAO will have access to CMMC eMASS to 
upload Level 2 assessment data. DCMA DIBCAC personnel will have access 
to CMMC eMASS to upload Level 3 assessment data. OSAs will not have 
access to CMMC eMASS. Authorized personnel from OSAs may access SPRS, 
which will host assessment certification and self-assessment data, and 
will be able to upload and view scores only for their OSA.
    The DoD declines to add requirements for submitting self-
assessments in eMASS. The requirement is for the OSA to enter scores 
into SPRS. There is value to the DoD in having the pre-assessment 
information in CMMC eMASS for overall program management and oversight. 
The information indicates that an assessment is either scheduled or in-
process. The CMMC PMO seeks to track CMMC program adoption, and pre-
assessment information allows reporting on upcoming assessments. Based 
on the DoD cost analysis, the effort to upload pre-assessment material 
is minimal.
    DoD Program Managers are not responsible for uploading data into 
eMASS, nor do they have any responsibility regarding the data uploaded 
to eMASS by DCMA. An ESP, OSA, or OSC seeking CMMC assessment will need 
a CAGE code and an account in SPRS to complete the annual attestation 
required of all CMMC certified or CMMC compliant organizations.
    An OSA/OSC must obtain a CAGE code via https://sam.gov before 
registering in PIEE. Step by Step instructions for how to obtain an 
account can be found on the PIEE Vendor Account website: https://piee.eb.mil/xhtml/unauth/web/homepage/vendorGettingStartedHelp.xhtml.
    CAGE codes (or NCAGE codes for non-US-based companies) are also 
required. US-based contractors obtain a Commercial and Government 
Entity (CAGE) code from https://cage.dla.mil/Home/UsageAgree. 
Businesses outside of the US must obtain a NATO Commercial and 
Government Entity (NCAGE) code from https://eportal.nspa.nato.int/Codification/CageTool/home.
    As specified in Sec. Sec.  170.15 and 170.16, SPRS inputs include 
the industry CAGE code(s) associated with the information system(s) 
addressed by the CMMC Assessment Scope. For each new information system 
used to support a DoD contract with FCI or CUI, a new SPRS entry is 
required. If the contractor or subcontractor will use an information 
system associated with a CAGE code already recorded in SPRS then a new 
entry is not required.
3. Assessors and Certificates
    Comment: One commenter asked if an assessor is prohibited from 
interacting with OSA IT tools such as MS Office 365 or cloud based GRC 
tools. One commenter requested the CMMC rule require C3PAOs to clearly 
indicate the CMMC Assessment Scope on the Certificate of CMMC 
Status, to include CAGE codes, that could be shared with trusted 
partners.
    Response: The rule text in Sec.  170.11(b)(7) does not prohibit 
collecting assessment evidence within the OSC environment using the 
OSC's IT. This section applies only to IT used

[[Page 83135]]

by the assessors to process, store, or transmit assessment-related 
information once it leaves the OSC environment. The rule has been 
modified to list the minimum required information to be included on the 
Certificate of CMMC Status, including CAGE code.
h. Reassessment
    Comment: Some commenters interpreted the end of a CMMC assessment 
validity period (and need for new assessment) as having the same 
significance or meaning as a ``reassessment'', which the rule describes 
as potentially necessary only in rare circumstances when cybersecurity 
risks, threats, or awareness have changed.
    Another commenter asked for examples of circumstances that might 
prompt a re-assessment and description of the process for completing 
one. Four commenters expressed concern that re-assessments might be 
frequent, costly, and time-consuming. These commenters sought 
confirmation that relatively common system maintenance activities would 
not require a new assessment or prevent annual affirmation.
    One commenter questioned the rationale for differences between 
validity periods for CMMC Level 1 versus Levels 2 and 3 assessment and 
recommended standardization on either a 1-year or 3-year frequency for 
all levels. Other commenters asserted that annual affirmations would 
drive a need for annual assessments at levels 2 or 3 and requested 
deletion of the affirmation requirement.
    One commenter asked whether system changes within an assessment 
scope would require notification to the contracting agency. Another 
asked for guidance on remediation of POA&M items and asked whether 
systems that fall out of compliance must be identified to the 
contracting agency.
    Response: The DoD considered duration of assessment validity 
periods and has chosen to require self-assessment of the basic Level 1 
requirements every year, rather than every three years. Levels 2 and 3 
require implementation of a significantly larger number of more complex 
security requirements, which require more time and attention to assess.
    The DoD also declines to delete the annual affirmation requirement 
and does not agree that it equates to an annual assessment. The rule 
was modified to clarify that reassessments may be required based on 
post-assessment indicators of cybersecurity issues or non-compliance 
and are different from new assessments that occur when an assessment 
validity period expires. Reassessment is expected to be infrequent, 
conducted by the DoD, and necessary when cybersecurity risks, threats, 
or awareness have changed, or indicators of cybersecurity deficiencies 
and/or non-compliance are present. When required, DCMA DIBCAC will 
initiate the re-assessment process using established procedures. The 
rule has been further updated to add this DCMA DIBCAC responsibility in 
Sec.  170.7. OSCs seeking confirmation upon CMMC Level 2 POA&M close-
out may undergo POA&M close-out assessment by a C3PAO, which is 
different from reassessment.
    Self-assessments and certification assessments are valid for a 
defined CMMC Assessment Scope as outlined in Sec.  170.19 CMMC Scoping. 
A new assessment is required if there are significant architectural or 
boundary changes to the previous CMMC Assessment Scope. Examples 
include, but are not limited to, expansions of networks or mergers and 
acquisitions. Operational changes within a CMMC Assessment Scope, such 
as adding or subtracting resources within the existing assessment 
boundary that follow the existing SSP do not require a new assessment, 
but rather are covered by the annual affirmations to the continuing 
compliance with requirements. The CMMC rule does not prohibit an OSA 
from using an operational plan of action at any CMMC Level to address 
necessary information system updates, patches, or reconfiguration as 
threats evolve.
    If the CMMC Assessment Scope changes, then the current assessment 
is no longer valid and a new assessment is required. Requirements to 
notify the contracting agency of compliance changes are described in 
the 48 CFR part 204 CMMC Acquisition rule. An annual affirmation is 
required at each CMMC level.

16. CMMC Assessment Scoping Policy

    Comment: One comment asked whether the requirements of DFARS clause 
252.204-7012 apply to the entire contractor-owned information system, 
or only those components of the system that process, store, or transmit 
the CUI. Another questioned whether assets that process both FCI and 
CUI require CMMC Level 1 assessment.
    One comment asserted that assessments described in DFARS provision 
252.204-7019 and clause 252.204-7020 are scoped differently than CMMC 
assessments, and 
requested the rule be revised to avoid duplication with those 
assessments, where applicable. Another recommended that DoD determine 
scoping, boundaries, standards, and assessments based on CUI data 
rather than by systems.
    One comment suggested that the rule be modified to address CMMC 
applicability to service providers that only provide temporary 
services, such as penetration testing, cyber incident response, or 
forensic analysis.
    Response: OSAs determine the CMMC Assessment Scope based on how and 
where they will process, store, and transmit FCI and CUI. DoD has 
reviewed the suggested changes and declines to make any updates. 
Additional information for CMMC Scoping (Sec.  170.19) can be found in 
the relevant scoping guides. The applicability of DFARS clause 252.204-
7012 requirements is not within the scope of this rule.
    Meeting CMMC Level 2 self-assessment or certification assessment 
requirements also satisfies CMMC Level 1 self-assessment requirements 
for the same CMMC Assessment Scope. One commenter incorrectly assumes 
that CMMC asset categories drive a change to the assessment scope from 
what exists in DFARS clause 252.204-7012, which implements NIST SP 800-
171 R2. No conflicts exist between the DFARS clause 252.204-7012 
requirements and the CMMC requirements in this rule.
    The DoD declines to change the rule to base scoping, boundaries, 
standards, or assessments solely on CUI data rather than on systems. 
The purpose of the CMMC Program is for contractors and subcontractors 
to demonstrate that FCI and CUI is adequately safeguarded through the 
methodology provided in the rule. The decision on what CMMC level is 
required for a contract is made by the Government after considering the 
nature of the planned effort, associated risks, and CUI to be shared. 
OSAs determine the CMMC Assessment Scope based on how and where they 
will process, store, and transmit FCI and CUI.
    Service providers who only need temporary access to perform 
services such as penetration testing, cyber incident response, or 
forensic analysis do not meet the definition of an ESP in Sec.  170.4 
and do not process, store, or transmit CUI. Therefore, they are not 
within scope and the DoD declines to modify the rule to include them.

17. CMMC Assessment Scope for ESPs

a. CMMC Applicability to ESPs
    Comment: DoD received numerous comments about the implications of 
using an ESP while seeking to comply with CMMC requirements. Many 
comments were concerns that the ESP

[[Page 83136]]

assessment requirements expanded the scope and cost of the CMMC 
program. Additionally, some comments described overarching concerns 
about applicability of CMMC requirements to an ESP when it only 
provided a Security Protection Asset or processed Security Protection 
Data. In general, commenters requested to narrow the rule while 
providing more clarity and definition related to CMMC requirements for 
ESPs and CSPs. Many comments gave either hypothetical or actual 
scenarios and asked whether the ESP in that scenario would be required 
to complete a CMMC assessment at the level required for the OSA being 
supported.
    One comment suggested that ESPs should be treated the same as Risk 
Managed Assets. Another comment suggested that they be treated as 
Specialized Assets. Two comments proposed that DoD restrict DoD 
contractors to the use of an ESP/MSP/MSSP that is ISO/IEC 27001:2022(E) 
certified. Two comments suggest that OSAs be allowed to use non-
certified or some form of conditionally certified ESPs if they retain 
the appropriate artifacts for review.
    Response: The DoD has revised the rule to reduce the assessment 
burden on External Service Providers (ESP). ESP assessment, 
certification, and authorization requirements in Sec. Sec.  
170.19(c)(2) and (d)(2) have been updated. The use of an ESP, 
its relationship to the OSA, and the services provided need to be 
documented in the OSA's SSP and described in the ESP's service 
description and customer responsibility matrix (CRM), which describes 
the responsibilities of the OSA and ESP with respect to the services 
provided.
    ESPs that are CSPs, and process, store, or transmit CUI, must meet 
the FedRAMP requirements in DFARS clause 252.204-7012. ESPs that are 
CSPs and do NOT process, store, or transmit CUI, are not required to 
meet FedRAMP requirements in DFARS clause 252.204-7012. Services 
provided by the CSP are in the OSA's scope.
    When ESPs that are not CSPs process, store, or transmit CUI, a 
CMMC assessment is required to verify compliance with requirements for 
safeguarding CUI. Any ESP services used to meet OSA requirements are 
within the scope of the OSA's CMMC assessment.
    When ESPs that are not CSPs do NOT process, store, or transmit CUI, 
they do not require CMMC assessment or certification; however, the 
services they provide are in the OSA's assessment scope. Nothing in the 
rule precludes an ESP that is not a CSP from voluntarily requesting a 
C3PAO assessment. A C3PAO may perform such an assessment if the ESP 
makes that business decision.
    ESPs can be part of the same corporate/organizational structure but 
still be external to the OSA, such as a centralized Security Operations 
Center (SOC) or Network Operations Center (NOC) that supports multiple 
business units. The same requirements apply and are based on whether 
the ESP provides cloud services and whether the ESP processes, stores, 
or transmits CUI on its systems.
    An ESP that is used as on-site staff augmentation only, i.e., the 
OSA provides all processes, technology, and facilities, does not need 
CMMC assessment. When ESPs are assessed as part of an OSA's assessment, 
the assessment type is dictated by the OSA's DoD contract CMMC 
requirement. The DoD declines to make any other suggested changes to 
the assessment of ESPs.
b. Definitions
    Comment: Multiple comments state that the definition of CSP in the 
rule is overly broad and overlaps with the definition of ESP. One 
comment questioned whether a C3PAO is also a Security Protection Asset 
and by extension an ESP. Two comments requested change to the 
definition of Out-of-Scope Assets to stipulate that SPD is Out-of-
Scope.
    Response: Several comments requested clarification on when an ESP 
would be considered a CSP. CSPs, MSPs, and MSSPs are always considered 
ESPs. The DoD has updated the rule to narrow the definition of Cloud 
Service Provider based on the definition for cloud computing from NIST 
SP 800-145 Sept2011. An ESP would be considered a CSP when it provides 
its own cloud services based on a model for enabling ubiquitous, 
convenient, on-demand network access to a shared pool of configurable 
computing resources that can be rapidly provisioned and released with 
minimal management effort or service provider interaction on the part 
of the OSA.
    An ESP (not a CSP) that provides technical support services to its 
clients would be considered an MSP. It does not host its own cloud 
platform offering. An ESP may utilize cloud offerings to deliver 
services to clients without being a CSP. An ESP that manages a third-
party cloud service on behalf of an OSA would not be considered a CSP.
    C3PAOs need not ``receive'' security protection data as part of an 
assessment; they view the security protection data while on premises at 
the OSC for the assessment. A C3PAO is not an ESP or security 
protection asset and is therefore not within the OSA assessment 
boundary. DoD declines to delete the phrase ``except for assets that 
provide security protection for a CUI asset'' from the definition of 
Out-of-Scope Assets. Assets that provide security protection for CUI 
are not Out-of-Scope Assets. A CMMC definition for Security Protection 
Data has been added to the rule.
c. OSA Relationship to ESP
    Comment: Several comments request clarification related to use of 
an ESP that is internal to the OSA. One comment requested that DoD 
require CSPs grant the US Government, as part of the contract between 
the OSA and the CSP, access to any CUI that is subject to CMMC 
requirements in the event of contractual failures, criminal actions or 
other legal situations that warrant seizure of CUI data. Some comments 
also asked whether the DoD has standing or authority to require C3PAO 
assessment or conduct CMMC level 3 assessments of ESPs, given that the 
ESP's direct contractual relationship is not with the Government but 
with the OSA. Two comments suggest that ESPs will be covered by the 
subcontractor flow down requirements from an OSA.
    Response: DoD agrees with the need for added clarity around 
internal ESPs and the rule was modified to remove the term internal 
ESP. An ESP that provides staff augmentation, where the OSA provides 
all processes, technology, and facilities, does not need CMMC 
assessment. Alternatively, an ESP can be part of the same 
organizational structure but still be external to the OSA, such as a 
centralized SOC or NOC which supports multiple business units. The CMMC 
requirements apply and are based on whether the ESP provides cloud 
services and whether the ESP processes, stores, or transmits CUI on 
their systems.
    The OSA's contractual rights with its CSP are beyond the scope of 
this rule.
    The rule states requirements for the OSA, not the ESP. The rule 
requires OSAs that process, store, or transmit FCI and CUI to protect 
that data. If those OSAs elect to use an ESP, and that ESP processes, 
stores, or transmits FCI or CUI from the OSA, then the OSA must require 
that the ESP protect the FCI and CUI and the ESP will be assessed as 
part of the OSA's assessment or require FedRAMP Moderate or equivalent.
    Specifically for Level 3, if an OSC is seeking Level 3 
certification and uses an ESP that is not a CSP and that DOES process, 
store, or transmit CUI, then the ESP will need to be assessed by DIBCAC
against the same Level 3 requirements as the OSC as part of the OSC's 
assessment unless the ESP voluntarily seeks a DIBCAC Assessment. If an 
OSC is seeking Level 3 certification and uses an ESP that DOES NOT 
process, store, or transmit CUI, then the ESP will NOT need to be 
assessed by DIBCAC against the same Level 3 requirements as the OSC. 
ESPs provide a service that meets the requirements specified by the 
OSA, and therefore ESPs are not subcontractors on a DoD contract and 
are not bound by subcontractor flow down requirements.
d. Assessment of ESPs
    Comment: There were multiple comments regarding the assessment of 
an ESP. One comment recommends the rule be revised to identify the 
specific assessment requirements that would be considered NOT MET by 
the OSA when using a non-compliant ESP, and to further require C3PAOs 
to validate the OSC's use of compliant ESPs during a CMMC Level 2 
assessment. One comment asks if an ESP, when assessed, will require a 
CAGE code and be required to enter scores into SPRS. Another comment asked whether 
CMMC certification would be required when offering full IT management 
and online storage, including CUI, if the MSP policies prevent 
employees from accessing customer data.
    One comment asks for clarification on the contents of the System 
Security Plan when documenting the use of an ESP. Two comments ask how 
to assess an OSA that is using a CSP to store CUI that does not meet 
the FedRAMP requirements. One comment asks how C3PAOs can check on the 
assessment status of an ESP. Three comments ask how to avoid redundant 
assessments of ESPs. One comment asks to clarify how to handle ESPs at 
Level 3 with respect to requirement AC.L3-3.1.2e that restricts access 
to systems that are owned, provisioned, or issued by the organization. 
One comment recommends DoD exempt CSPs that provide service with end-
to-end encryption from CMMC requirements, similar to a common carrier.
    Several comments inquired about guidelines and practices for 
obtaining Customer Responsibility Matrices (CRM) from CSPs and suggest 
the rule be modified to also require them from ESPs. One comment asks 
about how to obtain a CSP's System Security Plan.
    Response: Implications for OSAs and C3PAOs for using non-compliant 
ESPs are adequately addressed in the rule. The CMMC compliance of an 
ESP, including a CSP, falls under the OSA's assessment. If an ESP is 
used to meet any of the CMMC requirements for the OSA, then the ESP is 
part of the scope of the OSA's assessment, and the compliance of the 
ESP will be verified.
    An ESP that is seeking CMMC assessment will need to obtain a CAGE 
code and an account in SPRS to enable the reporting of its assessment 
results via CMMC eMASS. A SPRS account is required to complete the CMMC 
annual affirmation requirement included in DoD contracts that include a 
CMMC certification requirement.
    An ESP that processes, stores, or transmits CUI, is an extension of 
the OSA's environment. As part of that environment, the ESP will be 
assessed against all requirements and accountable for all users who 
have access to CUI as part of the ESP's service, not just OSA 
employees. The government cannot comment on specific implementation or 
documentation choices of an OSA, including the use of an ESP.
    The C3PAO can only give credit to a FedRAMP Moderate Authorized or 
equivalent CSP. Any requirements dependent on contributions from a CSP 
in any other stage of compliance are considered NOT MET. The 
requirements in the rule for FedRAMP Moderate equivalency have been 
updated to reflect DoD policy. OSAs can consider CSPs in the FedRAMP 
process for equivalency if they meet the requirements in DoD policy.
    An ESP that is a CSP will be listed on the FedRAMP Marketplace. An 
ESP that is not a CSP and processes, stores, or transmits CUI will be 
within the OSA's assessment scope. An ESP can also volunteer to have a 
C3PAO assessment and could make that information available to the OSA.
    ESPs that are not CSPs may request voluntary CMMC assessments of 
their environment and use that as a business discriminator. The 
marketplace for ESP services will adjust to find the efficient manner 
for ESPs to support OSA assessments that may include their services. 
With respect to requirement AC.L3-3.1.2e, when an OSA adds an ESP's 
services to its network, the ESP is considered to be provisioned by the 
OSA. It is subject to the requirements for the use of an ESP.
    A common carrier's information system is not within the 
contractor's CMMC Assessment Scope if CUI is properly encrypted during 
transport across the common carrier's information system.
    In a cloud model, the end-to-end encryption would apply when 
transmitting between OSA CUI assets and a cloud service. Once within 
the security boundary of the CSP, the common carrier's system no longer 
contributes to the handling of the CUI and the CSP's security practices 
apply. If an OSA chooses to use a CSP to process, store, or transmit 
CUI, FedRAMP Moderate or equivalency requirements apply.
    The rule has been updated to include the use of a Customer 
Responsibility Matrix by all ESPs, not just CSPs. Obtaining a copy of a 
CSP's SSP is not required for a CSP that is FedRAMP Authorized. 
Documentation on the services provided by the CSP and a CRM will be 
required.
e. Capacity for Assessment of ESPs
    Comment: Some comments questioned whether the CMMC ecosystem would 
be adequate to provide the number of CMMC assessments necessary for 
ESPs. In response, some comments recommend ESPs be given priority for 
completing assessments. Others recommend different phasing or forms of 
assessment and certification during ramp up.
    Response: DoD declines to make suggested changes to the ramp up and 
phasing of assessments for ESPs. DoD considered many alternatives 
before deciding upon the current CMMC assessment structure. By design, 
the CMMC program depends on the supply and demand dynamics of the free 
market, enabling it to naturally scale and adapt to capacity 
requirements. DoD declines to set priorities for the assessment 
marketplace. The DoD has utilized a phased implementation approach to 
reduce implementation risk. DoD expects that the public has utilized 
the lead-time prior to the publication of this rule to prepare for CMMC 
implementation and buy-down risk. CMMC Program requirements make no 
changes to existing policies for information security requirements 
implemented by the DoD. It is beyond the scope of this rule for DoD to 
determine the order in which organizations are assessed.
f. Remote Access by ESPs
    Comment: Two comments ask for clarification on requirements for 
remote access by an ESP to an OSA, whether with OSA provided equipment 
or a VPN.
    Response: The assessment of remote access may fall into several 
categories and is dependent on the specific architecture used and how 
the OSA creates its assessment environment. When an ESP is providing 
staff augmentation to the OSA and the OSA is providing all the systems 
used for remote access, then the OSA's policies and procedures apply 
and the ESP is not
considered to be processing, storing, or transmitting CUI. When the ESP 
is using a Virtual Desktop solution, then the endpoint client device 
will be considered out of scope when it is configured to prevent 
storage, processing, or transmission of CUI on the end client beyond 
the Keyboard, Video, Mouse input that is part of the Virtual Desktop 
Infrastructure (VDI) solution.
    Establishing a VPN connection with MSP equipment brings that 
equipment into the OSA's assessment scope. The equipment must meet the 
OSA's requirements for external access and connection to the network. 
Depending on the processing performed by the ESP with the VPN 
connection, other requirements may apply.

18. CMMC Assessment Scope for Security Protection Assets and Data

a. Scope and Authority
    Comment: Multiple comments asserted that the use of Security 
Protection Data and Security Protection Assets increases the scope and 
cost of CMMC assessments and recommend changes to the costs or removing 
SPD and SPA from the rule. One comment presented the increased scope as 
an inconsistency between NARA and NIST SP 800-171A Jun2018. A few 
comments asked what authority DoD uses to include SPD as part of CMMC 
assessment.
    Response: The commenter misread the rule's application to ESPs and 
SPA/SPD. Security Protection Assets are specified in NIST SP 800-171 R2 
Sec 1.1 which states: ``The requirements apply only to components of 
nonfederal systems that process, store, or transmit CUI, or that 
provide security protection for such components.'' The rule has been 
updated in table 3 to Sec.  170.19(c)(1) and table 5 to Sec.  
170.19(d)(1) to change the definition and requirements of Security 
Protection Assets. The phrase ``irrespective of whether or not these 
assets process, store, or transmit CUI'' has been removed from the SPA 
description and the CMMC assessment requirements have been changed to 
read ``Assess against CMMC security requirements that are relevant to 
the capabilities provided.'' Similar changes were made to the guidance 
documents. In order to clarify and address concerns about the perceived 
``expansion'' of requirements, the rule was revised to reflect that 
ESPs that only store SPD or provide an SPA and do not process, store, 
or transmit CUI do not require CMMC assessment or certification.
b. Definition and Requirements
    Comment: Numerous comments requested that the DoD provide a 
definition for Security Protection Data (SPD) and configuration data, 
as well as requirements for SPD to help understand the scope of SPD and 
how that impacts the scope of Security Protection Assets and the 
assessment requirements of ESPs. One comment recommended the removal of 
the definition and use of SPD.
    Multiple comments requested more information on the definition and 
scoping of Security Protection Assets, their relationship to CUI, and 
their requirements. Some comments suggested that the definition narrow 
the scope of Security Protection Assets and/or their security and 
assessment requirements. Other comments recommended eliminating the 
concept of SPA. Additional comments recommended changing the assessment 
requirements for SPAs to be the same as those for CRMAs or Specialized 
Assets, or to the applicable NIST SP 800-171 R2 requirements 
commensurate with the level of involvement with the security of CUI, 
or to only assess the requirements provided by the SPA. Two comments 
recommended that the phrase ``irrespective of whether these assets 
process, store, or transmit CUI'' be removed from the definition of SPA.
    Two comments asked for clarification on the requirements for CSPs 
that only handle SPD.
    Two comments recommended different security and assessment 
requirements for ESPs that host SPD but do not process, store, or 
transmit CUI.
    Response: DoD added a CMMC definition for Security Protection Data 
to the rule. The DoD considered the NIST definitions for System 
Information and Security Relevant Information in the development of the 
CMMC definition for SPD.
    This rule does not regulate OSA Security Protection Data, but 
instead implements existing regulatory requirements for the 
safeguarding of CUI, as defined in 32 CFR 2002.14(h)(2) and implemented 
by DFARS clause 252.204-7012. This clause requires protection of 
security protection assets and security protection data through its 
specification of NIST SP 800-171.
    DoD does not agree with the commenter's statement that the 
definition of Security Protection Assets ``is an exceedingly dangerous 
adjustment to the NIST SP 800-171 Revision 2 Paragraph 1.1 Scope of 
Applicability.'' Security Protection Assets provide security to the 
entirety of an OSA's assessment scope which includes CUI Assets and 
other in-scope assets.
    The SPD definition also defines configuration data as data required 
to operate a security protection asset. This limits the possible 
interpretations of configuration data. Further, the rule has been 
updated to reflect that ESPs that do NOT process, store, or transmit 
CUI do not require CMMC assessment or certification.
    All assets within an OSA defined CMMC Level 2 or 3 assessment 
boundary have access to CUI and can process, store, or transmit CUI. 
They are therefore subject to DFARS clause 252.204-7012 and required to 
meet NIST SP 800-171 requirements. This is the authority for including 
Contractor Risk Managed Assets (CRMAs) within CMMC assessments. For 
Level 2, DoD has decided to assume some risk and lessen the assurance 
burden for a class of these assets called Contractor Risk Managed 
Assets, as specified in table 3 to Sec.  170.19(c)(1). DoD does not 
assume this risk at Level 3. CRMAs are subject to assessment against 
all CMMC requirements as specified in table 5 to Sec.  170.19(d)(1).

19. CMMC Assessment Scope and FedRAMP Moderate Equivalency Requirements

    Comment: Several commenters identified inconsistencies between rule 
content and a separate DoD policy memo that defines requirements Cloud 
Service Providers (CSPs) must meet to be considered FedRAMP moderate 
``equivalent'' in the context of DFARS clause 252.204-7012. One 
commenter requested administrative changes to the rule for consistency, 
while others requested more substantive changes to deconflict the rule 
with DoD's policies. Differences between the two documents left some 
commenters unclear about when a CSP would be considered within a CMMC 
assessment scope or required to meet CMMC requirements. They also noted 
that some CSPs refuse to provide clients with Customer Responsibility 
Matrices (CRMs), which could impede an OSA's ability to meet CMMC 
requirements. One commenter asked for specific instances when a 
FedRAMP-moderate-authorized CSP would not be accepted as meeting CMMC 
requirements or which requirements such a CSP could not meet.
    Another commenter stated the FedRAMP moderate equivalency 
requirements for CSPs in this rule will create confusion because they 
address only the NIST SP 800-171 requirements and do not include the 
additional cyber incident reporting requirements
identified in DFARS clause 252.204-7012. One comment suggested that any 
expectation for CSPs to meet the DFARS clause 252.204-7012 requirements 
for cyber incident reporting or completion of a System Security Plan 
should be referenced in this CMMC rule. Another commenter suggested 
that all DoD contracts with CUI should include clauses and provisions 
for CSPs to meet Federal requirements, including a self-assessment and 
certification of their systems.
    One commenter asked whether it is sufficient for MSP/MSSPs to have 
FedRAMP certification instead of CMMC certification. Another 
interpreted the rule's wording related to security protection assets 
and data as expanding requirements levied on CSPs.
    One commenter interpreted CMMC Level 3 assessment requirements as 
meaning all parts of an OSC's infrastructure are within scope for CMMC 
assessment if the OSC uses a CSP, and recommended the rule specify that 
security requirements from the CRM must be documented in the SSP. 
Another asked whether OSCs must track all FedRAMP controls in their SSP 
or only those relevant to NIST SP 800-171 R2.
    Response: Requirements associated with the use of cloud service 
providers (CSPs) are covered under section (b)(2)(ii)(D) of DFARS 
clause 252.204-7012. When a CSP is used, it must meet the requirements 
of the FedRAMP moderate baseline or the equivalent. The rule was 
updated for consistency with those requirements, and now requires 
FedRAMP moderate or FedRAMP moderate equivalency as defined in DoD 
Policy.
    Sec. Sec.  170.16(c)(2), 170.17(c)(5), 170.18(c)(5) address CMMC 
requirements for CSPs. The CMMC rule does not add new requirements on 
the use of CSPs, which are found in DFARS clause 252.204-7012. A CSP 
must be assessed against the FedRAMP moderate baseline when the CSP 
processes, stores, or transmits CUI. The CMMC rule does not oppose or 
contradict the requirements of DFARS clause 252.204-7012, nor does this 
rule relieve a CSP from any requirement defined in DFARS clause 
252.204-7012.
    Sec.  170.17(c)(5)(iii) and the corresponding requirement in Sec.  
170.18(c)(5)(iii) only apply to CSPs used to process, store, or 
transmit CUI in the execution of the contract or subcontract requiring 
CMMC assessment. It does not expand to any cloud provider outside the 
scope of the assessment. Interactions between DoD contractors and their 
service providers are beyond the scope of the rule.
    CMMC Level 2 self-assessment and affirmation requirements described 
in Sec.  170.16 make clear that an OSA using a FedRAMP Authorized CSP 
(at the FedRAMP Moderate or higher baseline) is not responsible for the 
CSP's compliance. The OSA needs to document in its SSP how the OSA 
meets its requirements assigned in the CSP's CRM. When using a CSP that 
is not FedRAMP Authorized, the OSA is responsible for determining if 
the CSP meets the requirements for FedRAMP Moderate equivalency as 
specified in DoD policy. In this case, the OSA also needs to document 
in its SSP how the OSA meets the requirements assigned to it in the 
CSP's CRM.
    The rule has been updated to include verbiage from the DFARS clause 
252.204-7012 ``in the performance of a contract'' for consistency. Use 
of the term CUI in this rule is deliberate because DoD intends to 
assess compliance with NIST SP 800-171 R2 for all CUI. The DoD declines 
to replace the word CUI with the word CDI, as the term CUI more clearly 
conveys that NIST SP 800-171 is the requirement for all CUI 
information, as described in 32 CFR 2002.14.
    DoD received numerous comments about the use of ESPs which do not 
process, store, or transmit CUI. In response to comments, the DoD has 
reduced the assessment burden on ESPs. ESP assessment, certification, 
and authorization requirements in Sec. Sec. 170.19(c)(2) and 
(d)(2) have been updated.

20. CMMC Assessment Scope for Devices and Asset Categorization

a. Asset Categorization
    Comment: There were many comments regarding the scoping and 
treatment of assets when using table 3 to Sec.  170.19(c)(1) and table 
5 to Sec.  170.19(d)(1). Several comments asked about when asset 
categorization occurs, who approves it and how to document it. Two 
comments questioned the applicability of using NIST SP 800-171 R2 for 
Specialized Assets. Two comments suggested modifying the definition of 
Out-of-Scope assets by removing the last bullet or discussing the use 
of encryption. One commenter suggested adding more detailed definitions 
of the asset categories to the rule. One comment recommended removing 
asset categories from the rule.
    Many comments requested scoping and categorization of specific 
scenarios, such as ERP systems, MRP systems, quantum computing systems, 
data diodes, asset isolation, and encrypted CUI. Numerous additional 
comments requested clarification on scoping and categorization of 
various security product classes.
    Response: The OSA performs asset categorization and documents it in 
their SSP. The OSA may choose the format and content of its SSP. Table 
3 to Sec.  170.19(c)(1) requires that all asset categories, including 
Specialized Assets, be included in the asset inventory. There is no 
requirement to embed every asset in the SSP. In the SSP for Level 2, 
the OSA must show how Specialized Assets are managed using the 
contractor's risk-based security policies, procedures, and practices. 
Prior to the conduct of an assessment, the OSC engages with the C3PAO 
assessor. It is during this time that the classification of assets 
should be agreed upon, and the results of these discussions are 
documented in pre-planning materials. This is an example of the pre-
assessment and planning material submitted by the C3PAO as required in 
Sec.  170.9(b)(8) and the CMMC Assessment Scope submitted to eMASS as 
required in Sec.  170.17(a)(i)(D). It is beyond the scope of this rule 
to address DoD review of specific Specialized Assets for individual 
contractors.
    DoD does not agree with a commenter's statement that Specialized 
Assets are not actually assessed against CMMC security requirements. As 
documented in Sec.  170.19, Specialized Assets are identified by the 
OSC. Assessment requirements of Specialized Assets differ between CMMC 
Level 2 and CMMC Level 3. If Specialized Assets are part of a CMMC 
Level 2 assessment, the OSA must document them in the asset inventory, 
document them in the SSP, and show how these assets are managed using 
the contractor's risk-based security policies, procedures, and 
practices. If Specialized Assets are part of a CMMC Level 3 assessment, 
they must be assessed against all CMMC Level 2 security requirements 
and CMMC Level 3 security requirements, identified in Sec.  
170.14(c)(4).
    DoD agrees with one comment that even if NIST SP 800-171 R2 cannot 
be implemented, that does not mean the Specialized Assets cannot be 
secured. CMMC requirements are defined to align directly to NIST SP 
800-171 R2 and NIST SP 800-172 Feb2021 requirements. To further ease 
the burden, IoT and OT are not in scope at Level 1 and have reduced 
requirements at Level 2, but they become in-scope at Level 3 unless 
they are physically or logically isolated.
    DoD has reviewed the text and declines to change the definition of 
Out-of-scope assets because CUI should not
be transmitted in clear text per NIST SP 800-171 R2. The DoD has 
reviewed the suggested changes to asset categories and scoping tables 
and declines to make an update. The asset categories in the rule help 
the OSA understand the requirements of various asset types that might 
be found within the assessment boundary.
    OSAs determine the asset categories and assessment scope based on 
how and where they will process, store, and transmit FCI and CUI. DoD 
cannot comment on the suitability of any specific approach or 
technology to successfully implement CMMC security requirements.
b. Virtual Desktop Infrastructure
    Comment: Several comments requested clarification on the use of 
Virtual Desktop Infrastructures and how to scope its components.
    Response: The rule has been updated in table 3 to Sec.  
170.19(c)(1) and table 5 to Sec.  170.19(d)(1) to state that an 
endpoint hosting a VDI client configured to not allow any processing, 
storage, or transmission of FCI and CUI beyond the Keyboard/Video/Mouse 
sent to the VDI client is considered out of scope.
c. Contractor Risk Managed Assets
    Comment: There were numerous comments regarding Contractor Risk 
Managed Assets. Several comments perceived conflicts in the changes 
between the current rule and previous intermediate documents regarding 
CRMA requirements. Multiple comments recommended additional details 
explaining risk-based management of assets. Two comments requested 
additional details on the limited checks that are permitted during 
assessment of CRMAs. Multiple comments requested clarification on CRMA 
requirements at Level 3 for the OSA and ESP. One comment requested 
clarification about the documentation requirements for CRMAs.
    One comment asserted that the rule co-mingled CRMAs with assets of 
an ESP. One comment questioned why CRMAs were being included as in-
scope assets subject to CMMC security requirements. One comment asked 
for clarification between the security requirements and assessment 
requirements for CRMAs.
    Response: There was confusion and concern over conflicts from 
commenters regarding responses to comments on a previous version of the 
rule, other documentation, and the current rule. The DoD did not find 
any conflicting language around CRMAs. There is no conflict between 
CRMAs and the requirements for logical or physical boundaries. CRMAs 
are only applicable within the CMMC Assessment Scope. DoD does not 
agree with the statement that the wording change around Contractor Risk 
Managed Asset (CRMA) effectively makes the asset category moot.
    The CRMA category was created to ease the assessment burden, based 
on the Department's risk tolerance. It is not intended to reduce the 
level of protection and the CMMC security requirements which apply to 
the assets. Despite the wording changes identified by the commenter, 
the CMMC security requirements and the assessor's ability to conduct a 
limited check to identify deficiencies as addressed in table 3 to Sec.  
170.19(c)(1) are unchanged.
    Contractor Risk Managed Assets (CRMA) should be prepared to be 
assessed against CMMC security requirements at Level 2, and included in 
the SSP, asset inventory, and network diagrams.
    Table 3 to Sec.  170.19(c)(1) clearly addresses the assessment 
requirements for Contractor Risk Managed Assets. All CMMC security 
requirements must be MET when the OSA chooses to designate certain 
assets as Contractor Risk Managed Assets.
    Eight guidance documents for the CMMC Program are listed in 
Appendix A to Part 170--Guidance. These documents provide additional 
guidance for the CMMC model, assessments, scoping, and hashing. Use of 
the guidance documents is optional.
    The OSA is responsible for determining its CMMC Assessment Scope 
and its relationship to security domains. Assets are out-of-scope when 
they are physically or logically separated from the assessment scope. 
Contractor Risk Managed Assets are only applicable within the OSA's 
assessment scope. Table 3 to Sec.  170.19(c)(1) is used to identify the 
asset categories within the assessment scope and the associated 
requirements for each asset category. The contractor's risk-based 
security policies, procedures, and practices are not used to define the 
scope of the assessment; they describe the types of documents an 
assessor will use to meet the CMMC assessment requirements.
    It is beyond the scope of the CMMC rule to provide a detailed 
explanation of the usage of ``risk-based'' terminology when 
implementing or assessing CMMC requirements. DoD declines to speculate 
and clarify the relationship between any NIST SP 800-171 R2 definitions 
and any pending NIST SP 800-171 Revision 3 definitions.
    The DoD has defined the effort allowed during a limited check in 
table 1 to 170.19(c)(1). A limited check may require submission of 
evidence.
    The DoD cannot anticipate how an OSC will scope its CMMC Level 3 
assessment with respect to its CMMC Level 2 environment. As specified 
in table 5 to Sec.  170.19(d)(1), Level 2 Contractor Risk Managed 
Assets are categorized as CUI Assets at Level 3.
    The rule has been updated to clarify that ESPs do not require a 
Level 3 certification unless they process, store, or transmit CUI in 
the performance of a contract with a CMMC Level 3 requirement.
    As stated in table 1 to Sec.  170.19(c)(1), CRMA assets must be 
prepared to be assessed against CMMC requirements. The SSP must provide 
sufficient documentation describing how security requirements are met 
to allow the assessor to follow the instruction in table 1 to not 
assess against other requirements. The assessor will then decide if a 
limited spot check is warranted. The results of the limited spot check 
can result in a requirement being scored as NOT MET.
    The rule does not create two classes of Contractor Risk Managed 
Assets as one commenter asserts. Contractor Risk Managed Assets are 
only those assets that are owned by the OSC and within the assessment 
scope. ESP assets are subject to the ESP requirements of the rule.
    All assets within the OSA defined assessment boundary have access 
to CUI and can process, store, or transmit CUI, and are therefore 
subject to DFARS clause 252.204-7012 and required to meet NIST SP 800-
171 requirements. This is the authority for including CRMAs within CMMC 
assessments. For Level 2, DoD has decided to assume some risk and 
lessen the assurance burden for a class of these assets called 
Contractor Risk Managed Assets, as specified in table 3 to Sec.  
170.19(c)(1). DoD does not assume this risk at Level 3. Contractor Risk 
Managed Assets are subject to assessment against all CMMC requirements 
as specified in table 5 to Sec.  170.19(d)(1).
    At CMMC Level 2, Contractor Risk Managed Assets and Specialized 
Assets are assessed differently. Both types of assets must be 
documented in the SSPs; Specialized Assets will not, however, be 
assessed by the C3PAO while limited checks may be performed on 
Contractor Risk Managed Assets. OSCs should be prepared for assessment 
of Contractor Risk Managed Assets because a deeper assessment will be 
done if the assessor's evaluation of the OSC's policies and procedures 
raises questions. However, at

[[Page 83141]]

Level 3, Contractor Risk Managed Assets and Specialized Assets are 
assessed, like CUI assets, against all CMMC security requirements, so 
no additional explanation is required.
d. Specialized Assets
    Comment: There were numerous comments regarding Specialized Assets. 
Several comments discuss the use of enduring exceptions for Specialized 
Assets and the use of the term in NIST SP 800-171 R2. Two comments 
confuse the current rule with responses to a previous version of the 
rule. A comment requests clarification why specialized assets are not 
CUI assets. Another comment asks about the difference in assessment 
requirements between CRMAs and Specialized assets. One comment 
requested processes and best practices for evaluation of specialized 
assets.
    Two comments recommend that the Specialized asset requirements for 
Level 3 remain the same as Level 2 due to the difficulty of meeting the 
Level 3 requirements in a manufacturing environment. Two comments 
request additional clarification on the Level 2 assessment of 
Specialized assets when the assessment is a precursor to a Level 3 
assessment.
    Response: Definitions for enduring exceptions and temporary 
deficiencies have been added to the rule. Specialized Assets are a type 
of enduring exception and cover a broad range of circumstances and 
system types that may not be able to be fully secured as described in 
NIST SP 800-171 R2. It does not give an OSA the flexibility to broadly 
categorize assets as Specialized Assets.
    The OSA would be expected to address asset categorization with a 
C3PAO during the initial scoping discussion to avoid disagreements 
during the assessment process.
    In one example provided, a single asset which is unable to meet a 
single security requirement would be a temporary deficiency and be 
addressed using an operational plan of action, describing the cause 
with appropriate mitigation and remediation identified.
    The sentence ``NIST SP 800-171 Rev 2 uses the term ``enduring 
exceptions'' to describe how to handle exceptions for Specialized 
Assets'' appears in answers to public comments on a previous version of 
the rule, which responded to the initial CMMC Program requirements, 
therefore the inclusion of the sentence is not relevant to the rule.
    One commenter has misinterpreted the answer to a public comment on 
a previous version of the rule, which responded to the initial CMMC 
Program requirements. Specialized Assets are not evaluated at Level 1. 
Specialized Assets at Level 2 need to be documented in the SSP and 
included in the asset inventory and network diagrams. They also are to 
be managed using the contractor's risk-based security policies, 
procedures, and practices.
    At Level 2, Specialized Assets do not need to be assessed against 
other CMMC security requirements. At Level 3, Specialized Assets should 
be prepared to be assessed against CMMC security requirements. CMMC 
also provides for the use of intermediary devices to safeguard OT and 
IOT devices that otherwise would be difficult or expensive to protect. 
The phrase ``or information systems not logically or physically 
isolated from all such systems'' only appears in answers to public 
comments on the original 48 CFR CMMC interim final rule publication, 
therefore the inclusion of the phrase is not relevant to the rule.
    Specialized Assets span a broad spectrum of components and have 
different limitations on the application of security controls. 
Processes and practices to implement and assess security requirements 
on these devices are outside the scope of the CMMC rule.
    The Level 3 assessment is designed to provide additional safeguards 
to protect the most sensitive CUI against advanced persistent threats 
(APTs). DoD estimates that only one percent of defense contractors will 
require a CMMC Level 3 assessment. DoD has judged that the risks 
associated with the exposure of this CUI are sufficient to justify the 
increased cost of a Level 3 assessment on the small percentage of the 
DIB that is processing, storing, or transmitting this type of data.
    CMMC also provides for the use of intermediary devices to safeguard 
OT and IOT devices that otherwise would be difficult or expensive to 
protect. This difference between how a Specialized Asset is assessed at 
Level 2 and Level 3 is risk-based and affords a reduction in cost for a 
Level 2 certification. The CMMC Assessment Scope for a CMMC Level 2 
certification assessment is discussed between the OSC and the C3PAO. If 
the OSC has a goal to undergo a CMMC Level 3 certification assessment 
for the same assessment scope, it may be good business practice for the 
OSC to disclose this information to the C3PAO and be assessed based on 
the Level 3 scoping; however, this is not required.
e. Intermediary Devices
    Comment: One comment asks for additional information on 
intermediary devices as referenced in table 5 to Sec.  170.19(d)(1). 
Another comment asks for direction in situations where the comment 
asserts intermediary devices are not practical.
    Response: An intermediary device is used in conjunction with a 
specialized asset to provide the capability to meet one or more of the 
CMMC security requirements. For example, such a device could be a 
boundary device or a proxy, depending on which requirements are being 
met. The rule is agnostic as to how many requirements are met and what 
technology is used to meet them. Implementation guidance for OT/IOT/
IIOT is outside the scope of the CMMC rule.

21. CMMC Assessment Scope for Enterprise Versus Segmented Environments

    Comment: Two commenters sought guidance for segmented networks that 
inherit some controls from an enterprise network that has a valid CMMC 
certification, and asked whether certification assessments may be 
shared between the networks.
    Response: Sec.  170.19 states that prior to a CMMC assessment, the 
OSA must define the CMMC Assessment Scope for the assessment, 
representing the boundary with which the CMMC assessment will be 
associated. Any CMMC certification granted applies only to the assessed 
CMMC Assessment Scope. An enclave may be able to leverage some elements 
of the enterprise assessment by inheriting some requirements from the 
enterprise network, but it cannot inherit the enterprise certification. 
Enclaves beyond the certified CMMC Assessment Scope must be assessed 
separately based on their own CMMC Assessment Scope.
    There is no established metric for inherited implementations from 
an enterprise to any defined enclaves. The OSA determines the 
architecture that best meets its business needs and complies with CMMC 
requirements. Within the enclave, the OSA determines which requirements 
are implemented and which requirements are inherited; all requirements 
must be MET. If a process, policy, tool, or technology within the 
enclave would invalidate an implementation at the Enterprise level, 
that requirement cannot be inherited and the OSA must demonstrate that 
it is MET by implementation in some other way. Additional guidance 
related to assessments and enclaves has been added to the CMMC Scoping 
Guide Level 2 and Level 3.

22. Revocations and Appeals Process

    Comment: One comment asked for more clarification regarding the 
granting

[[Page 83142]]

and revoking of interim validity status for a CMMC assessment. Several 
comments requested an appeal and remediation process if a CMMC 
assessment status is revoked by the DoD. One comment requested that the 
revocation process not be arbitrary or capricious and provide for due 
process. And one comment recommended removing the word ``maintained'' 
from the criteria for revocation of the validity status because 
maintenance is part of ongoing operations as specified in the security 
requirement for Risk Assessments and Continuous Monitoring (CA.L2-
3.12.2). One commenter asked whether SPRS reporting is the only 
mechanism in place to ensure that OSAs maintain the SSP and conduct 
self-assessments correctly.
    Three comments recommended that the DoD or CMMC PMO have a role in 
the assessment appeals process. Of these, one cited DFARS clause 
252.204-7012 as precedent for DoD CIO to render final decisions. 
Some commenters suggested the CMMC AB relationship to C3PAOs would bias 
any decisions they may make, and that final appeal authority is an 
inherently governmental risk acceptance decision. One comment suggested 
that the DIBCAC or other DoD entity render final appeals decisions or 
take responsibility for certifying OSCs. They also asked for the C3PAOs 
to be released from liability for reasonable assessment judgments. Two 
comments asked whether the only means to appeal a CMMC AB final 
decision is through litigation. Another comment asked who could 
escalate an appeal to the CMMC AB. One comment requested the rule 
include more requirements for the C3PAO appeals process, including that 
the process be time bound and address disputes related to perceived 
assessor errors, malfeasance, and unethical conduct, while another 
comment requested a simpler appeals process. One comment requested 
clarification as to how the OSC interfaces with the C3PAO for appeals 
purposes. One comment asked if there was a process to challenge C3PAOs' 
findings of non-compliance if additional requirements are applied from 
an assessment guide that are not included in the source standard. One 
comment asked how to dispute the specific CMMC level included in a 
solicitation.
    Response: Requirements for CMMC Conditional certification 
assessments for each level are defined in Sec. Sec.  170.16 through 
170.18. Section 170.6(e) describes indications that may trigger 
investigative evaluations of an OSA's CMMC Status. The DoD has revised 
the rule throughout to delete the term ``revocation'' and to clarify 
that the DoD reserves its right to conduct a DCMA DIBCAC assessment of 
the OSA, as permitted under DFARS clause 252.204-7012 and DFARS clause 
252.204-7020. If the results of a subsequent DIBCAC assessment show 
that adherence to provisions of this rule has not been achieved or 
maintained, the DIBCAC results take precedence over any pre-existing 
CMMC self-assessment(s) or Final certification assessment(s) and will 
result in SPRS reflecting that the OSA is not in compliance (i.e., 
lacks a current Certificate of CMMC Status). There are no additional 
requirements or checks on self-assessments to ensure that OSAs maintain 
the SSP and conduct self-assessments correctly, beyond those identified 
in the rule.
    One commenter misunderstood the meaning of 'maintained' with 
respect to the Level 1, 2, and 3 provisions. An operational plan of 
action can be created without risk to the certification validity 
period. If a security event generates risk for the protection of FCI or 
CUI, the associated security requirements should be readdressed 
expeditiously. If one or more of the requirements can't be remediated, 
the OSA should create an operational plan of action and resolve it in a 
time frame that continues to provide protection to FCI or CUI.
    The Accreditation Body must have its own appeals process, as 
required under ISO/IEC 17011:2017(E). Each C3PAO is required to have an 
appeals process which involves elevation to the CMMC Accreditation Body 
for resolution. The appeals process is derived from and consistent with 
ISO/IEC 17020:2012(E) and ISO/IEC 17011:2017(E). The appeals process is 
addressed in Sec. Sec.  170.7(b), 170.8(b)(16), and 170.9(b)(13), (19), 
and (20). An OSC, the CMMC AB, or a C3PAO may appeal the outcome of its 
DCMA DIBCAC conducted assessment within 21 days of the assessment by 
submitting a written basis for appeal that includes the requirements in 
question for DCMA DIBCAC consideration. An OSC, the CMMC AB, or a C3PAO 
should visit www.dcma.mil/DIBCAC to obtain the latest contact 
information for submitting appeals. A DCMA DIBCAC Quality Assurance 
Review Team will respond to acknowledge receipt of the appeal and may 
request additional supporting documentation.
    By defining the requirements in this rule to become a C3PAO, and 
defining a scoring methodology, the DoD is providing the authority and 
guidance necessary for C3PAOs to conduct assessments. The CMMC 
Accreditation Body will administer the CMMC Ecosystem. The DoD will not 
assume the workload of directly managing the CMMC ecosystem or the 
other alternatives suggested. DoD declines to give the PMO 
responsibility to render the final decision on all CMMC Level 2 
assessment appeals as this role is properly aligned to the CMMC 
Accreditation Body. The CMMC AB is under contract with the Department 
of Defense to execute defined roles and responsibilities for the DoD 
CMMC Program as outlined in Sec.  170.8. The specified CMMC AB 
requirements were selected and approved by the DoD. They include 
Conflict of Interest, Code of Professional Conduct, and Ethics policies 
as set forth in the DoD contract.
    For ISO/IEC 17020:2012(E) and ISO/IEC 17011:2017(E) compliance, an 
appeals process is required. CMMC-specific requirements for appeals are 
addressed in Sec. Sec.  170.8(b)(16) and 170.9(b)(13), (19), and (20). 
The DoD expects the process to be managed efficiently; however, setting 
a specific timeline is not appropriate as the time may vary based on 
the complexity of the issue.
    Responsibility for final appeals determination rests with the CMMC 
AB. The DoD declines to mandate that the CMMC AB consult with the CMMC 
PMO or DIBCAC prior to rendering a decision. The CMMC PMO will serve in 
the oversight role for the entire CMMC program.
    OSCs may submit any appeal arising from CMMC Level 2 assessment 
activities to C3PAOs as addressed in Sec.  170.9(b)(19). OSCs may 
request a copy of the process from their C3PAO. The rule has been 
revised to reflect that any dispute over assessment findings which 
cannot be resolved by the C3PAO may be escalated to the CMMC AB by 
either the C3PAO or the OSC. The decision rendered by the CMMC AB will 
be final as stated in Sec.  170.8(b)(16). Appeals pertaining to an 
assessor's professional conduct that are not resolved with the C3PAO 
will also be escalated and resolved by the CMMC AB.
    As addressed in Sec.  170.9(b)(13), the C3PAO will have a quality 
assurance individual responsible for managing the appeals process in 
accordance with ISO/IEC 17020:2012(E) and ISO/IEC 17011:2017(E). 
Identification of the C3PAO staff that an OSC should interface with is 
beyond the scope of this rule. It is a business decision that may vary 
by C3PAO and should be addressed between the OSC and C3PAO prior to 
conduct of an assessment.
    The supplemental documents listed in Appendix A provide additional 
guidance to aid in CMMC

[[Page 83143]]

implementation and are not authoritative. In the event of conflicts 
with the security requirements incorporated by reference, this rule and 
NIST SP 800-171A Jun2018 or NIST SP 800-172A Mar2022 guidance will 
always take precedence. Disputes regarding the CMMC level specified in 
a contract solicitation should be addressed with the contracting 
officer using normal pre-award or post-award communications processes. 
No revision to the rule is required. Selection of the CMMC level is a 
DoD risk-based decision made by the Program Manager or Requiring 
Activity.

23. CMMC Cybersecurity Requirements

a. NIST SP 800-171 R2 Requirements
    Comment: Several comments were received regarding FIPS-validated 
cryptography. Some recommended mitigating delays with FIPS validation 
testing and reducing the risk of CMMC assessment failures by allowing 
FIPS POA&Ms or POA&M extensions, waivers, or making encryption an 
organizationally defined parameter (ODP). Similarly, some recommended 
the DoD accept alternate FIPS solutions such as commercially viable 
modules with FIPS-approved protocols or FIPS-compliant--as opposed to 
FIPS-validated--protocols. One comment recommended that DoD collaborate 
with NIST to either improve the processing of FIPS validation testing 
and/or to define the encryption ODP for NIST SP 800-171 Revision 3. One 
comment recommended DoD work with NIST to align NIST ODPs in NIST SP 
800-171 Revision 3 to DoD ODPs defined in the CMMC Rule for CMMC Level 
3 to ensure consistency. Another commenter asked if FIPS 140-3 was an 
acceptable FIPS implementation.
    Multiple comments addressed NIST requirements. One comment stated 
the NIST cybersecurity standards and guidelines are not legal 
requirements. The commenter recommended edits to the CMMC rule to 
require contractors implement requirements ``derived'' from NIST SP 
800-171 R2 with measurable specifications to protect CUI. Two 
commenters felt the body of the proposed rule should have included a 
list of the NIST requirements to be assessed at each CMMC level. One 
comment suggested clarifying when a Systems Security Plan is required 
for each level. And, one asked if the CMMC Assessment Scope and 
attestation requirements included Non-Federal Organization (NFO) 
controls or the flow-down and reporting requirements from DFARS clause 
252.204-7012.
    Some comments were speculative in nature and outside the scope of 
the rule. One commenter was concerned that a CMMC assessment would not 
address the risk of insider threats and national security problems 
driven by political divisions within Congress.
    Response: DoD is aware of industry concerns regarding FIPS 
validation required in NIST SP 800-171 R2 requirement 3.13.11. Because 
this is a NIST requirement, changing it is beyond the scope of the CMMC 
rule. As stated in Sec.  170.5(3), the CMMC Program does not alter any 
separately applicable requirements to protect FCI or CUI, including the 
requirement to use FIPS-validated cryptography which comes from NIST SP 
800-171 as required by DFARS clause 252.204-7012. Limitations of the 
FIPS-validated module process do not impact the implementation status 
of FIPS cryptography. However, the rule has been updated to allow for 
Enduring Exceptions and temporary deficiencies, which may apply to the 
implementation of FIPS.
    DoD declined to update the rule to include ``FIPS-compliant'' 
encryption as opposed to ``FIPS-validated'' encryption. NIST SP 800-171 
R2 requires the use of validated modules in specific conditions. 
Comments on the specific security requirements contained in NIST 
documentation are beyond the scope of this rule and should be directed 
to NIST. Collaboration between DoD and NIST about the NIST 
cryptographic module validation program, or to define cryptography 
related ODPs in NIST SP 800-171 Revision 3, is also beyond the scope of 
the rule. Recommendations for desired changes in NIST documentation 
should be directed to NIST.
    The NIST Cryptographic Module Validation Program website provides a 
list of approved solutions and their timelines: https://csrc.nist.gov/projects/cryptographic-module-validation-program.
    NIST SP 800-171 information security requirements were codified in 
32 CFR part 2002 in response to guidance (in E.O. 13556) to standardize 
Federal agency policies for safeguarding CUI. The DoD has elected to 
use FAR clause 52.204-21, NIST SP 800-171 R2, and a subset of NIST SP 
800-172 Feb2021 as the basis for the security requirements in this 
rule.
    As stated in Sec.  170.14(c), CMMC Level 1 requirements are found 
in FAR clause 52.204-21, CMMC Level 2 requirements are found in NIST SP 
800-171 R2, and CMMC Level 3 requirements are a selected subset of NIST 
SP 800-172 Feb2021 requirements as specified in the 32 CFR part 170 
CMMC Program rule in table 1 of Sec.  170.14.
    NIST SP 800-171A Jun2018 provides authoritative procedures for 
assessing NIST SP 800-171 R2 security requirements and the CMMC Level 2 
Assessment Guide provides additional guidance for assessing CMMC Level 
2 security requirements. Both documents are referenced in the 32 CFR 
part 170 CMMC Program rule, at Sec. Sec.  170.16(c) and 170.17(c).
    It is recommended that an OSA develop an SSP as a best practice at 
Level 1; however, it is not required for a CMMC Level 1 self-
assessment. A CMMC assessment does not include Non-Federal Organization 
(NFO) controls from table E in NIST SP 800-171 R2 nor the DFARS clause 
252.204-7021 flow down and reporting requirements.
    DoD concurs that CMMC provides no mechanism for addressing insider 
threats posed by political divisions in Congress. However, insider 
threat in general is addressed in the following CMMC security 
requirements: AT.L2-3.2.3--Insider Threat Awareness; AC.L2-3.1.7--
Privileged Functions; PS.L3-3.9.2e--Adverse Information.
b. Transition to Future NIST Requirements
    Comment: Many commenters raised concerns about the CMMC Proposed 
Rule's citation of a specific version of a relevant baseline document, 
i.e., NIST SP 800-171 R2. The expressed concerns focused mainly on a 
perceived potential for a timing conflict between the NIST revision 
requirements based on DFARS clause 252.204-7012 (revision in effect at 
time of solicitation) and this CMMC Program rule which specifies NIST 
SP 800-171 R2. Commenters provided a variety of differing suggestions 
to address these concerns. Some commenters recommended that no revision 
number be included, while others recommended citing Revision 3 rather 
than Revision 2. Others recommended delaying the CMMC Program. Some 
recommended changing DFARS clause 252.204-7012 or issuing a class 
deviation to address differences between the NIST revisions cited. 
Those that recommended citing to Revision 3 noted that to do otherwise 
could delay compliance with Revision 3 beyond NIST's anticipated 
finalization of that publication. Commenters noted that the criteria 
defined in guidance explaining how to assess against NIST requirements 
(i.e., NIST SP 800-171A Jun2018) does not identify a revision number 
for the NIST SP 800-171 requirements to which they apply. In addition 
to the comments about NIST

[[Page 83144]]

SP 800-171 R2 and NIST SP 800-171 Revision 3, some commenters 
questioned how DoD would implement or how long the DoD would allow for 
transitioning to each future version of NIST standards once approved.
    One commenter recommended defining a waiver process to manage the 
transition for each new NIST revision. Another commenter asked whether 
contract work stoppages are expected during such transitions and if 
industry would be afforded time to understand the impacts of new 
requirements to existing systems. One commenter suggested that CMMC 
affirmations should indicate continued compliance to the NIST SP 800-
171 version that applied to the corresponding self-assessment or 
certification assessment.
    Two commenters recommended that the incorporation by reference 
version of NIST SP 800-53 cited in this rule be changed from Revision 5 
to Revision 4, to better align with the incorporation of 
NIST SP 800-171 R2. Another commenter noted that both NIST SP 800-171 
R2 and NIST SP 800-172 Feb2021 include Organizationally Defined 
Parameters (ODP), the latter of which are defined in this rule. The 
commenter advised against defining ODP for either reference, and 
recommended deletion of specific rule text that does so.
    Response: DoD is aware of the differences between the language of 
DFARS clause 252.204-7012 and the proposed rule. 1 CFR part 51, which 
governs drafting of this rule, requires the specification of a revision 
to a standard. Specifying a revision benefits the CMMC Ecosystem by 
ensuring it moves forward from one NIST standard to the next in an 
organized manner. The DoD cites NIST SP 800-171 R2 in this final rule 
for a variety of reasons, including the time needed for industry 
preparation to implement the requirements and the time needed to 
prepare the CMMC Ecosystem to perform assessments against subsequent 
revisions. DoD is unable to incorporate suggestions that CMMC 
assessments be aligned to whichever NIST revision is current at the 
time of solicitation and declines to respond to speculation about the 
release timing of other publications. In May 2024, NIST published SP 
800-171 Revision 3, Protecting Controlled Unclassified Information in 
Nonfederal Systems and Organizations, after these comments were 
received. DoD will issue future amendments to this rule to incorporate 
the current version at that time. Comments on the content of the NIST 
SP 800-171 Revision 3 publication or future NIST SP 800-171 revisions 
should be directed to NIST.
    The final rule has been updated to specify the use of NIST SP 800-
171A Jun2018, Assessing Security Requirements for Controlled 
Unclassified Information, and NIST SP 800-172A Mar2022, Assessing 
Enhanced Security Requirements for Controlled Unclassified Information.
    The DoD has included the numbering scheme in the rule because the 
numbering scheme is a key element of the model. The CMMC numbering 
scheme for security requirements must pull together the independent 
numbering schemes of FAR clause 52.204-21 (for Level 1), NIST SP 800-
171 R2 (for Level 2), and NIST SP 800-172 Feb2021 (for Level 3); it 
must also identify the domain and CMMC level of the security 
requirement. DoD developed the least complicated scheme that met all 
these criteria.
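    The identifier scheme described above can be checked mechanically. 
The following Python example is added here for illustration; it is not 
part of the rule or of any DoD tool. It parses identifiers of the form 
cited in this rule (AT.L2-3.2.3, PS.L3-3.9.2e), maps the level to the 
source document named in Sec.  170.14(c), and rejects identifiers whose 
level prefix disagrees with the source document's own numbering (for 
example, a Level 3 identifier without the trailing "e" that NIST SP 
800-172 Feb2021 enhanced requirements carry). The Level 1 shape (FAR 
paragraph labels such as b.1.i) is an assumption of this example, as 
the rule does not spell it out in this section.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Source document for each CMMC level, as stated in Sec. 170.14(c).
LEVEL_SOURCE: Dict[int, str] = {
    1: "FAR clause 52.204-21",
    2: "NIST SP 800-171 R2",
    3: "NIST SP 800-172 Feb2021",
}

# Identifier shape: <two-letter domain>.L<level>-<source requirement number>
# The domain and level prefix are CMMC's own; the part after the hyphen is
# the source document's numbering, which the scheme pulls together.
_ID_RE = re.compile(r"^(?P<domain>[A-Z]{2})\.L(?P<level>[123])-(?P<req>[A-Za-z0-9.]+)$")

# Expected shape of the source requirement number at each level:
#  L2: NIST SP 800-171 R2 numbers requirements 3.<family>.<n>
#  L3: NIST SP 800-172 enhanced requirements add a trailing "e"
#  L1: ASSUMED to follow FAR 52.204-21 paragraph labels, e.g. b.1.i
_SOURCE_REQ_RE: Dict[int, "re.Pattern[str]"] = {
    1: re.compile(r"^b\.\d+\.[ivx]+$"),
    2: re.compile(r"^3\.\d+\.\d+$"),
    3: re.compile(r"^3\.\d+\.\d+e$"),
}


@dataclass(frozen=True)
class CmmcRequirementId:
    raw: str
    domain: str
    level: int
    source_req: str
    source_doc: str


def parse_requirement_id(text: str) -> CmmcRequirementId:
    """Parse a CMMC requirement identifier and confirm that its level
    prefix agrees with the numbering style of the document it points at."""
    cleaned = text.strip()
    m = _ID_RE.match(cleaned)
    if m is None:
        raise ValueError(f"not a CMMC requirement identifier: {text!r}")
    level = int(m.group("level"))
    req = m.group("req")
    if not _SOURCE_REQ_RE[level].match(req):
        raise ValueError(
            f"{text!r}: requirement number {req!r} does not match the "
            f"{LEVEL_SOURCE[level]} numbering expected at Level {level}"
        )
    return CmmcRequirementId(cleaned, m.group("domain"), level, req, LEVEL_SOURCE[level])


def is_valid_requirement_id(text: str) -> bool:
    """True when the identifier parses and is internally consistent."""
    try:
        parse_requirement_id(text)
        return True
    except ValueError:
        return False


def group_by_source(ids: List[str]) -> Dict[str, List[str]]:
    """Group identifiers by the document an assessor would assess them
    against, preserving the order in which they were listed."""
    groups: Dict[str, List[str]] = {}
    for text in ids:
        rid = parse_requirement_id(text)
        groups.setdefault(rid.source_doc, []).append(rid.raw)
    return groups


if __name__ == "__main__":
    # Identifiers cited elsewhere in this rule, checked and grouped.
    sample = ["AT.L2-3.2.3", "AC.L2-3.1.7", "PS.L3-3.9.2e", "CA.L2-3.12.2",
              "AC.L3-3.1.2e", "CM.L3-3.4.2e", "IA.L3-3.5.3e", "CM.L2-3.4.7"]
    for doc, members in group_by_source(sample).items():
        print(f"{doc}: {', '.join(members)}")
    # Two constructed malformed entries: a Level 3 id missing its "e",
    # and a colon where the scheme uses a period.
    for bad in ("AC.L3-3.1.2", "IA:L3-3.5.3e"):
        print(f"{bad}: valid={is_valid_requirement_id(bad)}")
```

    A check of this kind is useful when an SSP or asset inventory lists 
requirements by identifier: a mistyped level prefix silently points the 
assessor at the wrong source document, and the consistency rule catches 
the most common slips before the assessment.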
    The CMMC Program Office is unable to respond to comments proposing 
changes to the DFARS, which is subject to separate rulemaking 
procedures. One commenter described a hypothetical scenario wherein a 
solicitation is issued such that DFARS clause 252.204-7012 would 
require compliance with NIST SP 800-171 Revision 3, but the CMMC 
requirement identified is for assessment against NIST SP 800-171 R2. In 
this hypothetical scenario, it is possible that the bidder may meet the 
CMMC requirement by citing a valid CMMC assessment against NIST SP 800-
171 R2, while also availing themselves of the flexibilities provided in 
DFARS clause 252.204-7012 (2)(ii)(B) to submit a written request to the 
Contracting Officer to vary from the current version of NIST SP 800-
171.
    Recommendations for modification to or deviation from DFARS clause 
252.204-7012 are beyond the scope of this rule. The DoD has evaluated 
the potential interaction between the CMMC program requirements and the 
existing requirements in DFARS clause 252.204-7012 and believes that 
potential conflicts have been resolved.
    NIST SP 800-53 R5 is incorporated by reference only for applicable 
definitions because DoD chose to use the latest definitions available. 
While it is also true that NIST SP 800-171 R2 was based on NIST SP 800-
53 Revision 4, the origination of NIST SP 800-171 R2 is beyond the 
scope of this rule.
    Contractors and subcontractors will not be expected to stop work 
while they implement changing standards. Implementation of this rule 
will be introduced as a pre-award requirement in new DoD solicitations, 
as described in the timeline at Sec.  170.3(e).
    Any substantive change to CMMC security requirements must go 
through rulemaking, and its associated timeline, which may include 
public comment. The new rule may include a transition period for 
implementation of the new security requirements.
    The commenter correctly identifies that the programmatic intent of 
this rule is for affirmations to signify systems in question remain 
compliant as indicated by the assessment that was conducted. 
Assessments are conducted against the specified NIST publication 
versions or the requirements in FAR clause 52.204-21. The 48 CFR part 
204 CMMC Acquisition rule also reinforces this thought by providing 
specific wording of the affirmation.
c. NIST SP 800-172 Feb2021 Requirements
    Comment: Multiple comments recommended adding all the omitted 
requirements from NIST SP 800-172 Feb2021 or a subset including Network 
Intrusion Detection System, Deception and Unpredictability, arguing 
that they are necessary for protecting CUI and to defend against 
advanced persistent threats.
    Two comments inferred that the requirement to restrict access to 
systems owned, provisioned or issued by the OSC means that the OSC must 
provide all equipment used to access the system, which they asserted is 
impossible because outside entities using GFE, to include DoD, may need 
access. One commenter also asked if DIB Furnished Equipment would be 
required, and one commenter argued for an exception for GFE, even 
though it is not owned, provisioned, or issued by the OSC.
    Three comments stated that Organizationally Defined Parameters 
(ODP) values need to be set by OSAs, not DoD. One commenter argued this 
will be necessary because of the emerging ODPs at Level 2 associated 
with NIST SP 800-171 Revision 3. One commenter argued this is critical 
for uniformity across the Federal enterprise as many contractors 
support multiple Federal agencies. The commenter further offered that 
allowing ODP values to be set by OSAs could be limited to contractor 
systems not operated on behalf of the DoD. One commenter suggested that 
ODP values set by OSAs may require approval by the contracting officer. 
One comment stated that the ODPs are too detailed for the 32 CFR part 
170 CMMC Program rule, and table 1 to Sec.  170.14 should be moved to 
the Level 3 Assessment Guide.
    One comment argued that removal or quarantine of components to 
facilitate patching or re-configuration, as specified in table 1 to 
Sec.  170.14(c)(4) CM.L3-3.4.2e, is a disruptive and

[[Page 83145]]

possibly a destructive operational constraint affecting business 
operations. They asserted that patching and reconfiguration are 
standard day-to-day IT administrative activity, and components do not 
need to be removed or quarantined.
    One comment asserted that CMMC should be based on NIST SP 800-53 R5 
requirements (linked to the associated NIST SP 800-172 Feb2021 
requirements) due to additional labor required to create NIST SP 800-53 
R5 solutions and benefits to be gained from NIST SP 800-53 R5 overlays.
    Two comments argued that IA.L3-3.5.3e regarding 'the prohibition of 
system components from connecting to organizational systems unless 
certain conditions are met' is essentially the same requirement as 
CM.L2-3.4.7 'restricting, disabling, or preventing the use of 
nonessential programs, functions, ports, protocols, and services'.
    Response: DoD considered many alternatives before deciding which 
NIST SP 800-172 Feb2021 requirements to include as part of CMMC Level 
3. NIST SP 800-172 Feb2021 notes that ``There is no expectation that 
all of the enhanced security requirements will be selected by Federal 
agencies implementing this guidance.'' For a variety of reasons, 
including DoD's estimation of cybersecurity maturity and complexity 
across the DIB, and potential cost of certain Level 3 requirements 
compared with the benefit, the DoD has included a limited set of NIST 
SP 800-172 Feb2021 requirements. On a contract-by-contract basis, 
additional requirements may be added. OSAs are at liberty to implement 
additional requirements.
    The intent of AC.L3-3.1.2e, which requires restricted access to 
systems and system components, is not that DIB companies issue laptops 
to external users wishing to access Level 3 enclaves. While laptop 
issuance is one solution, other options are available. The important 
concept in this requirement is ``comply to connect'', and it applies to 
all users, both within the OSA and externally, equally. In complying 
with this requirement, GFE may be considered provisioned by the OSC and 
therefore is not restricted under that requirement.
    DoD defines the ODPs for NIST SP 800-172 Feb2021 included in CMMC 
Level 3. This eliminates the risk of different parameters being set for 
different DoD programs. Rulemaking requirements dictate that table 1 to 
Sec.  170.14(c)(4) be codified in the rule. The Assessment Guide is an 
optional document.
    DoD declines to accept the risk of removing security requirement 
CM.L3-3.4.2e. The Assessment Guide has been updated to include 
additional discussion on this security requirement. Feedback on 
individual security requirements should be directed to NIST.
    Any relationship to the NIST SP 800-53 R5 controls is for 
information only. The requirements that must be implemented for CMMC 
Level 3 are defined in the rule table 1 to Sec.  170.14(c)(4).
    IA.L3-3.5.3e and CM.L2-3.4.7 are different requirements. The L2 
requirement is about functionality, and the L3 requirement is about 
trust. Feedback on individual security requirements should be directed 
to NIST.

24. CMMC Annual Affirmation Requirements

    Comment: One commenter recommended the affirmation statement 
include a statement confirming the scope has not changed and requested 
the rule be modified to identify types of changes that would constitute 
a change of system scope. Another commenter recommended removing any 
requirement for affirmation after assessment certificate issuance or 
else revising the rule to identify any benefits the affirmation 
provides that conducting an independent assessment does not already 
provide. Another commenter recommended the DoD clarify that out-of-
cycle affirmations are not needed.
    Three comments said the affirmation language needs revision because 
maintaining perfect scores is not possible and asking individuals to 
affirm continuous compliance is unreasonable. One commenter voiced 
apprehension that signing the affirmation statement would make a person 
criminally liable under the False Claims Act, due to the need for 
system maintenance to fix things that break. One commenter expressed 
concern that continuous monitoring by contractors increases cost and 
burden to stay in compliance and opens companies up to False Claims Act 
liabilities. One of these commenters recommended DoD rely on 
representation and self-assessment in lieu of affirmations to indicate 
that the offeror meets the requirements of the CMMC level required by 
the solicitation. Two commenters requested clarification on what 
affirmation entails. Another commenter requested modification to 
clarify that the Affirming Official will attest only that the 
requirements are implemented as of the certification date, or proposal 
submission date, and requested removal of affirmation references to 
continuous compliance.
    Two commenters urged the Department to align the annual affirmation 
timeline with the 3-year assessment timeline to ensure consistency and 
reduce potential False Claims Act liability. One commenter also 
incorrectly believed a prime contractor affirmation would be made on 
behalf of its entire supply chain.
    Another commenter asked DoD to clarify that an organization may 
obtain from C3PAOs a limited review of changes made since the last 
assessment in support of required affirmations and noted that the DoD 
or CMMC AB may wish to clarify what supporting evidence is required for 
annual affirmations. Additionally, the commenter recommended that DoD 
reconsider the requirements for CMMC Level 1 since these are covered by 
System for Award Management (SAM).
    One commenter asked, in reference to POA&M closeout affirmations, 
if there was no longer an expectation that a C3PAO will confirm the 
close out of a POA&M. One commenter provided a recommendation to 
include an executive summary in the affirmation that includes POA&M 
related metrics as an indicator of an OSA's effective O&M, security, 
and continuous monitoring activities.
    Response: As described in Sec.  170.22(a)(2)(ii), the CMMC 
affirmation shall include a statement to the effect that the OSA has 
implemented and will maintain implementation ``within the relevant 
assessment scope'', which adequately addresses the commenter's 
suggestion. No change to the rule text was therefore required. Annual 
affirmations ensure OSAs conduct periodic checks and verify to the 
Department that changes to their networks have not taken them out of 
compliance during the certification period. The annual affirmation 
requirement enables DoD to permit 3 years between CMMC Level 2 or 3 
assessments, rather than requiring annual assessments. The DoD does not 
agree with the comment that following the procedures in Sec.  170.22 
creates an additional burden. The DoD does not concur with removing the 
terms ``continuing'' or ``continuous ``as it relates to an OSA's 
affirmation. Continuing compliance means that the contractor system in 
question remains in compliance and that the OSA intends to maintain 
compliance over time, not that the OSA cannot have an operational plan 
of action. Any changes to the information system beyond use of 
operational plans of action require a new assessment and a new 
affirmation. Operational plans of action as described in CA.L2-3.12.2 
are part of normal
maintenance of a system and do not require a separate out-of-cycle 
affirmation. The DoD declines to address specific cases when 
affirmations are not required. DoD's use of the term OSA within the 
affirmations section is deliberate and conveys that each organization 
is responsible for affirmations pertaining to their own assessments. An 
Affirming Official definition was added to the rule and provides that 
clarification.
    The rule delineates which requirements may be addressed with a 
POA&M for up to 180 days to achieve Final CMMC Status. As stated in 
Sec.  170.22, an Affirming Official attests the organization is 
satisfying and will maintain its specified cybersecurity requirements. 
An OSA may complete a self-assessment and submit a new affirmation at 
any time. POA&Ms associated with conditional assessments are closed-out 
by C3PAOs for Level 2 final certification assessments and by DCMA 
DIBCAC for Level 3 final certification assessments. OSAs must affirm 
results in SPRS for all assessments.
    If an OSA makes significant changes within the CMMC Assessment 
Scope, a new assessment and affirmation are required. The rule does not 
preclude OSAs from contacting a C3PAO for a review prior to an annual 
affirmation, however this is not required. No supporting evidence is 
required for an annual affirmation. Annual representations and 
certifications submitted in the System for Award Management (SAM) serve 
a different purpose from the CMMC affirmation requirement completed in 
SPRS. Furthermore, given the sensitivity of an OSA's cyber security 
status, the DoD has elected not to use SAM, a public website.
    Details for completion of the annual affirmation, including wording 
of the affirmation statement, are addressed in the 48 CFR part 204 CMMC 
Acquisition rule. The affirmation signifies the requirements were 
implemented as of the date of the self-assessment or certification, and 
that the OSA has and intends to maintain the system as assessed. The 
DoD declines to require the use of an executive summary or the 
publication of metrics in the affirmation statement as part of the 
affirmation because that is not consistent with the purpose of the 
affirmation requirement.
    Regarding the alignment of assessments and affirmation timelines, 
the DoD declines to adopt recommended changes which would allow up to 3 
years to elapse before DIB companies would be required to assess the 
status of their cybersecurity compliance.

25. CMMC Acceptance of Alternate Standards

a. CMMC and Other Agency Standards or Acceptance of CMMC Assessments
    Comment: Several commenters asked for additional detail about Sec.  
170.20 Standards Acceptance. One commenter described discussions from 
various DoD industry engagements and suggested the rule is inconsistent 
with information provided at those information exchange events.
    Some commenters observed the rule does not describe DoD efforts to 
coordinate with other agencies regarding any additional cybersecurity 
requirements they choose to implement, which could conflict or add 
burden for companies that must also comply with CMMC requirements. One 
comment suggested implementing the CMMC program government wide. An 
industry association submitted several comments regarding perceived 
duplication between this rule and cybersecurity requirements of other 
Federal agencies and foreign governments. They also recommended the DoD 
modify the rule to reflect other agency standards, such as TSA and CISA 
security directives requiring cyber incident reporting for natural gas 
utilities.
    Several commenters thought the rule did not adequately explain 
potential portability of CMMC assessments, referring to whether other 
agencies might recognize CMMC compliance as meeting or partially 
meeting their requirements. One specifically suggested CMMC 
affirmations could be accepted as evidence of compliance with any 
similar cybersecurity requirements other agencies may implement. One 
comment suggested that by assessing compliance of all applicable 
security requirements, the CMMC program will impede efforts to 
establish DoD information sharing agreements with other non-DoD 
organizations, including other agencies and foreign governments.
    Response: Some comments received lacked relevance to the rule's 
content, which is limited to specific CMMC Program requirements. The 
DoD declines to respond to speculative or editorial comments about 
private citizens or entities, none of which are within the scope of 
this rule.
    Similar data security requirements are already applied to 
contractors across all Federal agencies, due to the applicability of 
FAR clause 52.204-21, and 32 CFR part 2002. All executive agencies are 
required to comply with the same standards for protection of FCI and 
CUI in those regulations. Once attained, a current CMMC certification 
may be presented for consideration by any entity (including other 
government agencies) as an indicator that the security requirements 
associated with the certificate level (e.g., CMMC Level 2) have in fact 
been implemented.
    CMMC Program requirements are designed to ensure compliance with 
existing standards for protection of FCI and CUI and align directly to 
NIST guidelines (e.g., NIST SP 800-171 R2) and the basic safeguarding 
requirements of FAR clause 52.204-21 that apply to all executive 
agencies. Regulations issued by any executive agency must be aligned to 
these overarching requirements, therefore CMMC Program requirements 
will not conflict with any FCI or CUI safeguarding regulations that may 
be issued by other agencies as cited by the commenter. All executive 
agencies are permitted to submit and review comments as part of the 
formal rulemaking process, and additional coordination is not required. 
This rule provides a consistent way of verifying contractors' 
compliance with the referenced FAR and NIST requirements, in addition 
to those from NIST SP 800-172 Feb2021 where applicable.
b. Requests To Recognize Alternate Standards
    Comment: Several commenters requested the rule be modified to 
accept or recognize alternate standards for the purpose of meeting CMMC 
assessment requirements. Some small to medium businesses recommended 
acceptance of healthcare relevant standards or other recognized 
certification frameworks as a substitute for CMMC and FedRAMP 
Equivalency.
    Another comment cited verbiage in the DFARS clause 252.204-7012 
clause that references DoD CIO approval to ``vary'' from NIST SP 800-
171 requirements as rationale for revising the CMMC rule to permit 
acceptance of other standards such as the NERC Critical Infrastructure 
Protection standards which apply to North America's Bulk Electric 
System (BES).
    Some comments expressed concern that absent greater acceptance of 
the standards required by other agencies, companies complying with CMMC 
would be at a competitive disadvantage due to the perceived costs of 
complying with CMMC standards. Another comment expressed a similar 
concern but cited the need for acceptance of foreign C3PAOs to 
effectively scale CMMC to include assessment of foreign OSCs.
    Response: CMMC Program requirements apply to those contractors that 
seek to bid for DoD work which requires processing, storing, or 
transmitting FCI or CUI in a contractor owned information system. 
Section 170.20 addresses Standards Acceptance and delineates the only 
existing bases for accepting alternate standards in this rule. The DoD 
does not currently have standards acceptance with other Federal 
entities in lieu of the CMMC requirement.
    DoD's harmonization of requirements with other agencies is achieved 
through compliance with NIST standards. DoD's recognition of the 
standards of other nations occurs through negotiation of international 
arrangements and agreements, which is beyond the scope of this rule. 
The CMMC Program has aligned requirements with NIST standards, and many 
foreign nations are adopting NIST standards as well. In developing this 
rule, the DoD worked with standards bodies, removed unique 
requirements, and aligned new requirements directly with NIST SP 800-
171 R2 and select NIST SP 800-172 Feb2021 requirements to reduce and 
streamline cybersecurity burden across the industry. CMMC Program 
requirements make no change to existing policies for limits on 
dissemination of CUI. Comments on information sharing between other 
agencies or foreign entities are beyond the scope of this rule. The 
requirement to comply with NIST SP 800-171 was mandated in DFARS clause 
252.204-7012. Granting alternatives to that standard is beyond the 
scope of this rule.
    Several foreign or international companies submitted comments 
expressing interest in the rule section pertaining to C3PAO 
requirements (Sec.  170.9(b)) and correctly noted that this section 
does not preclude otherwise qualified foreign companies from achieving 
C3PAO accreditation. Note that the DoD does permit C3PAO personnel who 
are not eligible to obtain a Tier 3 background investigation to meet 
the equivalent of a favorably adjudicated Tier 3 background 
investigation. DoD will determine the Tier 3 background investigation 
equivalence for use with the CMMC Program only.
c. CMMC Acceptance of Other DIBCAC Assessments
    Comment: Some commenters either did not understand or objected to 
the fact that standards acceptance requirements for DIBCAC High 
Assessments require a score of 110 without POA&Ms. Other comments 
requested clarity regarding standards acceptance of DIBCAC High 
Assessments at CMMC Levels 2 and 3. One comment inquired about the 
programmatic details of DCMA's Joint Surveillance Program.
    Another comment expressed concerns over disparities between how 
CMMC C3PAOs and DIBCAC assess, given the fact that DIBCAC assessors are 
empowered to make risk acceptance decisions on behalf of the 
Government, whereas C3PAO assessors are not. One commenter questioned 
the use of the NIST SP 800-171 R2 Cybersecurity FAQs as published in 
the DoD Procurement Toolbox. Another commenter asked whether C3PAOs 
assess for compliance with DFARS clause 252.204-7012, paragraphs c-g, 
as DCMA DIBCAC does in their assessments of OSAs. One commenter 
suggested that the DIBCAC is not certified to conduct Level 3 
assessments and that training requirements for CMMC Level 2 C3PAO 
assessors should also apply to DIBCAC assessors, or else Level 3 
assessments should be conducted by C3PAOs.
    Response: There is qualified standards acceptance between DCMA 
DIBCAC High Assessment and CMMC Level 2 Certification Assessment as 
described in Sec.  170.20(a). There is no standards acceptance between 
DCMA DIBCAC High Assessment and CMMC Level 3. To be eligible for 
standards acceptance resulting in a CMMC certification, an OSC must 
achieve a perfect 110 score on the Joint Surveillance assessment 
without any open POA&Ms at the time of assessment. If the Joint 
Surveillance assessment results in POA&M actions, any POA&M must be 
closed prior to standards acceptance.
    Completion of a prior DCMA DIBCAC High Assessment does not 
necessarily indicate the likelihood of a future CMMC Level 3 
requirement. DIBCAC High assessments are currently conducted against 
the NIST SP 800-171 R2 requirements, whereas the DoD will identify the 
need for a CMMC Level 3 assessment when its internal policies indicate 
the added protections of NIST SP 800-172 Feb2021 are necessary to 
adequately safeguard DoD information.
    Acceptance of a small number of DIBCAC High or Joint Surveillance 
Program assessments to meet future CMMC Level 2 assessment requirements 
will reduce the initial demand for C3PAO assessment. Only those DIBCAC 
High Assessments completed prior to the effective date of the rule are 
eligible for standards acceptance to meet CMMC Level 2 Certification 
requirements. The DoD will enter CMMC Level 2 Certifications into eMASS 
for suitable DIBCAC High Assessments, with a validity period of 3 years 
from the date of the original High Assessment. A CMMC Final Level 2 
certification assessment is entered into eMASS by the C3PAO following a 
successful (i.e., perfect score with no POA&Ms) joint surveillance 
assessment against NIST SP 800-171 R2. It is not the result of a CMMC 
Level 3 assessment but can be provided as evidence that an OSC is ready 
to initiate a CMMC Level 3 assessment.
    Although Joint Surveillance is listed as standards acceptance in 
Sec.  170.20(a)(1), the details of this DCMA program and any changes to 
it are beyond the scope of this rule. A Joint Surveillance assessment 
is a DCMA DIBCAC assessment and falls under their purview. The CMMC office 
understands that there is disparity between what is assessed by a C3PAO 
and the DIBCAC and that the guidance information in the DoD Procurement 
Toolbox is the driving factor. Since the Procurement Toolbox is outside 
of the scope of the 32 CFR part 170 CMMC Program rule, it cannot be 
properly addressed here or in the rule. With CMMC the DoD utilizes a 
risk-based approach in its allowance for POA&Ms, gradient scoring for 
certain controls (e.g., FIPS and MFA), temporary deficiencies, and 
enduring exceptions.
    DCMA DIBCAC assessors are trained and qualified to conduct 
assessment against NIST SP 800-171 R2 for the DoD. DoD determined that 
C3PAOs conducting assessments on other C3PAOs introduced a significant 
conflict of interest. Given the sensitivity of the programs requiring 
Level 3 assessments, the DoD determined that those assessments must be 
completed by a DoD entity. The DoD declines to respond to speculative 
or editorial comments regarding DCMA DIBCAC assessments.
    The CMMC model (Sec.  170.14) only incorporates requirements from 
FAR clause 52.204-21, NIST SP 800-171 R2, and NIST SP 800-172 Feb2021. 
C3PAOs are only responsible for assessing the requirements of Sec.  
170.17. DCMA DIBCAC operates under different authorities and can 
address all the requirements of DFARS clause 252.204-7012.
d. Validity Period for Standards Acceptance
    Comment: Two comments asked how SPRS would be updated to reflect 
CMMC Level 2 certification when based on standards acceptance. One 
asked whether that update would be automatic. One comment asked whether 
CMMC standards acceptance for
DIBCAC joint surveillance assessments would result in certifications 
being issued to the OSA by the C3PAO or by DIBCAC.
    Some comments, including those from three industry associations, 
objected to the start date for the 3-year validity of CMMC 
certification based on standards acceptance of prior DIBCAC 
assessments. Those comments requested the validity period begin with 
the effective date of the 32 CFR part 170 CMMC Program rule. Along 
these lines, another commenter asked whether C3PAOs may certify an OSA 
based on evidence of a perfect 110-scored DIBCAC High Assessment. One 
comment requested a 1-year extension of the validity period to 4 years.
    Response: The DoD has considered the recommendation to modify the 
validity period for certifications resulting from standards acceptance 
and declines to revise the rule text. It is important that contractors 
maintain security compliance for systems that process, store, or 
transmit DoD CUI. Given the evolving cybersecurity threat, DoD's best 
interests are served by ensuring that CMMC Level 2 assessments remain 
valid for no longer than a 3-year period, regardless of who performs 
the assessment.
    A C3PAO may not simply read the DIBCAC assessment score in SPRS and 
grant a completed CMMC Level 2 certification assessment. C3PAOs may 
only submit certification assessment results based on having conducted 
a certification assessment. An OSA is free to seek a C3PAO 
certification assessment, but this would be unnecessary, because a 
valid DIBCAC High assessment with a 110 score will automatically be 
converted in SPRS to reflect a CMMC Final Level 2 certification 
assessment provided all requirements of Sec.  170.20(a)(1) are met. A 
DIBCAC High assessment conducted after the rule is effective is not 
eligible for standards acceptance.

26. CMMC Requirements and International Entities

a. Applicability to International Entities
    Comment: Several public commenters asked whether and how the CMMC 
rule content would apply to foreign based or international companies, 
either as companies seeking to comply with assessment requirements or 
as companies seeking to participate in the CMMC Ecosystem.
    Some questions asked for interpretation of requirements for 
specific scenarios, such as how CMMC requirements might affect Status 
of Forces Agreements for DoD installations overseas. Others asked about 
application of flow-down requirements to foreign subcontractors, 
including in circumstances when DFARS clauses do not apply or when 
international agreements supersede application of DFARS clause 252.204-
7012. A few comments asked how foreign or multinational corporations 
with facilities abroad can attain CAGE codes, access SPRS, or meet 
other aspects of CMMC requirements. Some asserted that specific systems 
contractors need to access, such as SPRS and PIEE, are not designed to 
accommodate foreign address formats and requested modifications or 
alternative options to facilitate submission of CMMC affirmations. One 
commenter suggested that assessment of foreign contractor information 
systems should only be conducted by the host country, and asked whether 
foreign contractors should be partially exempted from CMMC 
requirements.
    Response: CMMC Program requirements are applicable when DoD 
requires processing, storing, or transmitting of either FCI or CUI 
during performance of a DoD contract. CMMC Program requirements would 
not apply to a DoD Installation's communication with a Host Nation 
government on matters related to the Installation. CMMC program 
requirements apply to all DoD contractors alike when contract 
performance will require processing, storing, or transmitting of FCI or 
CUI on contractor-owned information systems. This 32 CFR part 170 CMMC 
Program rule does not permit partial exemption of assessment 
requirements for foreign contractors. Any discussion of exemptions or 
deviations for foreign businesses is outside the scope of the 32 CFR 
part 170 CMMC Program rule and must be addressed through government-to-
government international arrangements or agreements. Pathways and 
timelines for achieving these agreements are outside the scope of this 
rule.
    CMMC requirements apply to both domestic and international primes 
and flow down to subcontractors throughout the supply chain if their 
information systems process, store, or transmit FCI or CUI. CMMC 
requirements are based upon the type of information processed and 
shared, regardless of where the company is headquartered or operates. 
Certification requirements for subcontractors are addressed in Sec.  
170.23(a)(1) through (4). For additional information about flow-down of 
contractual requirements, see the 48 CFR part 204 CMMC Acquisition 
rule. The CMMC process is the same for international and domestic 
contractors and subcontractors. International sub-contractors must 
undergo a CMMC assessment at the appropriate level to demonstrate 
compliance with NIST SP 800-171 R2 requirements. All OSAs must register 
in https://sam.gov, which has instructions for obtaining applicable 
CAGE or NATO CAGE codes (NCAGE codes).
    Address data is not a required SPRS data input for CMMC purposes. 
Contractor address information is required to obtain a CAGE code that, 
along with a Unique Entity ID, is required to register in SAM. SPRS 
currently receives assessment information from domestic and 
international entities. International organizations get CAGE codes in 
the same manner that US organizations do, including in some instances 
NCAGE codes. CAGE codes are required for a contractor to register for a 
user account in Procurement Integrated Enterprise Environment (PIEE) 
that provides contractors access to SPRS and other applications as 
necessary for DoD contracts.
b. International Agreements
    Comment: Several commenters asked about procedures for establishing 
recognition of other nations' cybersecurity standards or assessment 
programs as acceptable alternatives to CMMC program requirements. 
Another commenter noted the rule provides no explicit recognition of 
existing agreements between the DoD and other nations related to 
information sharing and defense procurement. They and other commenters 
asked that the rule identify a specific process for reaching agreements 
related to CMMC program requirements. Some of these commenters 
identified specific foreign cybersecurity programs and requested that 
the DoD work toward reciprocal recognition of their underlying 
standards. One of these commenters requested that DoD identify 
timelines for establishing bilateral agreements.
    In particular, the Canadian counterpart for the CMMC program 
expressed concern that Canadian companies could be disadvantaged in 
seeking CMMC certification and requested the DoD consider establishing 
a unified accreditation body for Canadian and US C3PAOs.
    Response: While the rule does address application to foreign 
contractors and ecosystem participants throughout, these requirements 
may be superseded by the terms and conditions of applicable 
international arrangements or agreements.
    CMMC validates cybersecurity requirements, as defined in FAR clause
52.204-21, NIST SP 800-171 R2, and a selected subset of NIST SP 800-172 
Feb2021, where applicable. These cybersecurity requirements apply to 
international and domestic companies when included in a DoD contract. 
The Department cannot speculate about the arrangements of any 
international agreement and how it may or may not impact international 
partners, as these arrangements are beyond the scope of this 32 CFR 
part 170 CMMC Program rule.
    The DoD has designed CMMC Program requirements to apply to those 
contractors that bid for DoD work which will require access to process, 
store, or transmit FCI or CUI in a contractor owned information system. 
A CMMC certification assessment is portable in the sense that it 
provides confidence that the holder has been assessed by an authorized 
third party for compliance with the applicable security standards 
(e.g., NIST SP 800-171 R2 or NIST SP 800-172 Feb2021). Once attained, 
CMMC certification assessment status may be presented for consideration 
by any entity as an indicator that they have implemented security 
requirements associated with the certificate level (e.g., NIST SP 800-
171 R2 or NIST SP 800-172 Feb2021). Section 170.20 delineates the only 
existing bases for accepting alternate standards in this rule. It is 
beyond the scope of this rule to provide a specific set of directions 
or guidance on recognition of alternate cybersecurity standards. 
Deviations from DFARS clauses are also beyond the scope of this rule.
    Section 170.20 has been modified to state that an OSC with a 
perfect score from a prior DCMA DIBCAC High Assessment aligned with the 
same CMMC Level 2 Scoping may meet CMMC Final Level 2 certification 
assessment requirements via acceptance of the prior DIBCAC assessment 
in lieu of a C3PAO assessment. Standards Acceptance does not refer to 
international standards acceptance, which is not described within the 
rule.
c. C3PAO, CCP, and CCA Requirements
    Comment: In addition to the interest in international agreements, 
some commenters expressed concern about CMMC ecosystem capacity to meet 
demand for Level 2 certification. They advocated support for 
accreditation of non-U.S. based C3PAOs. One commenter suggested that 
FOCI requirements be deleted from the rule and managed via DoD's 
oversight of the CMMC AB. One commenter speculated the phased CMMC 
implementation plan would require all non-U.S. firms to comply 
simultaneously and recommended that foreign contractors be allowed 
additional time to comply. Another recommended that foreign companies 
be permitted to simply self-assess in lieu of obtaining a CMMC Level 2 
certification assessment.
    Several commenters asked about foreign nationals participating in 
the CMMC ecosystem and noted discrepancies between qualifications 
identified in the rule and content on the CMMC AB's website at the time 
of rule publication. These commenters expressed interest in the ability 
for foreign citizens to become CCAs, CCPs, and LTPs (a term no longer 
used in the rule).
    One commenter presumed that only U.S.-based Cloud Service Providers 
(CSPs) may become FedRAMP authorized, and asserted a need to authorize 
or accredit foreign-based CSPs that foreign DIB contractors might use 
while still achieving CMMC compliance. Another asked how foreign small 
businesses can comply with CMMC without access to U.S. approved CSPs. 
One commenter asked for guidance on how to get foreign products and 
services, such as encryption and decryption mechanisms, approved for 
use in information systems that require CMMC assessment. One commenter 
suggested that the CMMC program permit assessment by C3PAOs and 
assessors accredited in accordance with other ISO/IEC standards than 
those identified in this rule. They cited ISO/IEC 27001 or 9901 as 
suitable alternate ISO/IEC standards.
    Response: The DoD declines to delay CMMC Program implementation for 
non-U.S. organizations. International businesses will not receive 
special accommodations because the CMMC Program's phased implementation 
will impact both U.S. and non-U.S. defense contractors equally. The 
implementation plan described in the rule does not promote or 
prioritize certification assessments of any contractor over any other 
contractor. All companies, regardless of location or nationality, will 
have access to any authorized C3PAO. The rule does not preclude non-
U.S. citizens or foreign-owned C3PAOs from operating in the U.S. 
Additionally, U.S. owned C3PAOs may operate in a foreign nation.
    As stated in the rule, C3PAOs must meet the criteria in Sec. 
170.9. Non-U.S. organizations and employees that meet all the 
requirements in Sec. Sec. 170.9 and 170.11 will not be prohibited from 
operating as a C3PAO within the U.S. or abroad. A list of authorized 
C3PAOs is available on the current CMMC AB marketplace. DoD does not 
concur with the recommendation to delete Sec. 170.9(b)(5) content 
identifying FOCI requirements. Those details for complying with FOCI 
are necessary for understanding the requirement.
    Some commenters noted differences between the rule content and 
information on the CMMC AB website. The CMMC AB is part of the public 
and had no access to advance information prior to publication of the 
proposed rule. The rule takes precedence in the event of any 
discrepancy with CMMC AB materials.
    The document `Career Pathway Certified Assessor 612', dated 2020, 
has been replaced by a regularly updated DoD Cyberspace Workforce 
Framework which may be found at https://public.cyber.mil/dcwf-work-role/security-control-assessor/. Intermediate and Advanced Foundational 
Qualification Options in the DoD Cyberspace Workforce Framework's 
Security Control Assessor (612) Work Role are available to foreign 
nationals. The rule has been updated to reflect this reference update.
    A domestic or international business seeking a contract that 
contains DFARS clause 252.204-7012, and using a cloud service provider 
to process, store, or transmit covered defense information in 
performance of that DoD contract, must ensure that the CSP meets 
FedRAMP authorization or equivalency requirements. As the FedRAMP 
program and FedRAMP equivalency are available to international 
organizations, foreign entities do not need to develop their own 
FedRAMP program. FedRAMP authorization or equivalency is also available 
to small businesses. The DoD leverages the FedRAMP program to implement 
requirements for the adoption of secure cloud services across the 
Federal Government and provide a standardized approach to security and 
risk assessment for cloud technologies. Export controlled goods and 
ITAR are outside the scope of the 32 CFR part 170 CMMC Program rule.
    The process for identifying specific products or services that may 
meet NIST security requirements is beyond the scope of this rule. CMMC 
program requirements are unrelated to evaluation or approval of 
encryption or decryption products manufactured by foreign information 
security companies.
    DoD considered many alternatives before deciding upon the current 
CMMC structure. Alternative methods of assessment have proven 
inadequate and necessitated the establishment of CMMC. DoD declines to 
accept the recommendation of an alternate path to C3PAO accreditation.

[[Page 83150]]

27. Impact to Small Businesses

a. Funding the CMMC Program
    Comment: One comment asserted that the rule does not address CMMC 
program funding, affordability, and sustainability. They recommended 
the DoD conduct and publish a comprehensive cost assessment for each 
level of CMMC certification and explore ways to reduce the financial 
burden on contractors.
    Response: DoD included an analysis of costs to meet CMMC 
requirements in the regulatory impact analysis for this rule.
    As described in the estimate included with the rule, the major cost 
categories for compliance with CMMC requirements are anticipated to 
include costs for completing a self-assessment (e.g., Level 1 or 2); 
costs to prepare for and undergo C3PAO assessment (Level 2); costs 
required to implement the Level 3 security requirements and for 
preparing to undergo DCMA DIBCAC assessment (Level 3). All of these 
except the market costs of a C3PAO are controlled by the organization 
seeking assessment. Market forces of supply and demand will determine 
C3PAO pricing for CMMC Level 2 certification assessments.
    Analysis of costs to meet CMMC requirements is provided in the 
regulatory impact analysis for this rule. The CMMC rule does not make 
any change to cost allowability as defined in the FAR 31.201-2 
Determining Allowability. Verifying compliance with applicable security 
requirements may increase cost and is necessary for the protection of 
DoD CUI. With the revised CMMC, the DoD has streamlined requirements to 
align directly to NIST guidelines and has eliminated unique security 
practices to ease the burden on smaller companies. DoD must enforce 
CMMC requirements uniformly across the Defense Industrial Base for all 
contractors and subcontractors who process, store, or transmit CUI. The 
value of information (and impact of its loss) does not diminish when 
the information moves to contractors and subcontractors. The DoD 
declines to speculate about how OSCs and C3PAOs negotiate mutually 
acceptable terms and conditions for assessment agreements. The DoD 
declined to modify the estimates, which are intended to be 
representative and to inform rulemaking.
b. Disproportionate Cost Burden
    Comment: Many comments emphasized the importance of small business 
to the DoD contracting environment and expressed the concern that 
increased cost burden on small companies will result in an anti-
competitive barrier to entry. Specifically, commenters state the lack 
of in-house security resources, inability to amortize costs, upfront 
costs to comply with CMMC Level 1 and 2 without guaranteed contracts, 
keeping pace with requirements changes, paying market rates for C3PAO 
assessments, and obtaining ``perfect'' compliance with requirement or 
assessment objectives may not be affordable or may cause unacceptable 
enterprise disruption. One comment asserted that the DoD is not 
considering additional costs to small- and medium-sized businesses 
(SMBs) for ongoing compliance. One comment stated the cost of entry for 
a new SMB may be insurmountable even with cost recovery. One comment 
suggested ``right-sizing'' CMMC by tailoring security requirements 
based on business size and number of employees. Additionally, one 
comment asserted that small businesses would be unfairly punished while 
large, legacy primes would lobby and get waivers.
    Two comments noted that CMMC will increase costs, perhaps doubling 
annual IT and security spending, ultimately passing the cost to 
customers, the government and the taxpayer and asked how the DoD plans 
to deal with price increases from subcontractors and primes. One 
comment suggested the DoD pay contractor employees to learn to cyber 
defend rather than pay auditor assessment costs.
    Response: The DoD concurs with commenters' assessment of the 
importance of small businesses to the DoD. The DoD has streamlined CMMC 
requirements to align directly to NIST guidelines and has eliminated 
unique security practices to ease the burden on smaller companies. In 
recognition of the cyber threat both to DoD and to the DIB, CMMC 
Program requirements are designed to ensure compliance with existing 
standards for protection of FCI and CUI. These cybersecurity 
requirements align directly to NIST guidelines (i.e., NIST SP 800-171 
R2 and NIST SP 800-172 Feb2021) and the basic safeguarding requirements 
(FAR clause 52.204-21) that apply to all executive agencies.
    The analysis of costs to meet CMMC Level 1 and 2 requirements is 
provided in the Regulatory Impact Analysis published with this rule. 
Note that certification is never required for CMMC Level 1, which is a 
self-assessment requirement. CMMC Level 2 may either be met via self-
assessment, or via certification following a C3PAO assessment, 
depending on the specific requirement cited in the solicitation. Some 
comments appeared to reference costs to meet the requirements of 
existing DFARS clause 252.204-7012. Please refer to 81 FR 72990, 
October 21, 2016, for DoD's final rule implementing the DoD's 
requirement that ``contractors shall implement NIST SP 800-171 as soon 
as practical, but not later than December 31, 2017.''
    The cost estimates for SMBs represent average derived estimates 
based on internal expertise and public feedback in accordance with OMB 
Circular A-4. The size and complexity of the network within scope of 
the assessment impacts the estimates as well.
    The DoD has streamlined CMMC requirements to align directly to NIST 
guidelines and has eliminated unique security practices to ease the 
burden on smaller companies. In addition, CMMC Level 1 and select CMMC 
Level 2 requirements are now met via self-assessment, which reduces 
burden to small businesses.
    The CMMC program incorporates flexibility with the use of self-
assessment, POA&Ms, and waivers. Since December 2017, DFARS clause 
252.204-7012 has required contractors to implement the NIST SP 800-171 
security requirements to provide adequate security applicable for 
processing, storing, or transmitting CUI in support of the performance 
of a DoD contract. OSAs that are currently attesting that they meet 
DFARS clause 252.204-7012 should not have difficulty successfully 
achieving a Level 2 self-assessment.
    Some comments received lacked relevance to the rule's content, 
which is limited to specific CMMC Program requirements. The DoD 
declines to address speculation about lobbying activities. Verifying 
compliance with applicable security requirements may increase financial 
cost to the DoD due to increased contract costs but it is necessary for 
the protection of DoD CUI. The cost of lost technological advantage 
over potential adversaries is greater than the costs of such 
enforcement. The value of information (and impact of its loss) does not 
diminish when the information moves to contractors.
    The trade-off is between protecting sensitive information from our 
nation's adversaries and accepting the fact that security costs 
increase for numerous reasons. Many of those cost-drivers are 
completely independent of CMMC. While CMMC compliance adds to an 
organization's cost, no member of the DIB can assume the status-quo in 
today's ever-changing cyber security environment. Increasing costs to 
protect the nation's data and industries from

[[Page 83151]]

emerging threats is simply a component of doing business anywhere in 
the world. Processing, storing, or transmitting sensitive Government 
information comes with a handling cost that needs to be built into each 
organization's business model.
    Some comments included suggestions about how workflow should occur 
between prime and subcontractors to decrease or eliminate the transfer 
of CUI to subcontractors. The DoD cannot dictate these business 
practices but encourages prime contractors to work with their 
subcontractors to flow down CUI with the required security and the 
least burden. Questions regarding what to mark as CUI are out of scope 
of this rule. At the time of award, the DoD may have no visibility into 
whether the awardee will choose to further disseminate DoD's CUI, but 
DFARS clause 252.204-7012 and DFARS clause 252.204-7021 require the 
prime contractor to flow down the information security requirement 
to any subcontractor with which the CUI will be shared. Decisions 
regarding which DoD information must be shared to support completion of 
which subcontractor tasks take place between the prime contractor and 
the subcontractors chosen to complete the specific tasks.
c. Phasing the Cost To Comply
    Comment: Two comments suggested a phased compliance would help 
offset financial burden while working toward full compliance. One 
comment expressed concern that Managed Service Providers (MSPs), many 
of which are small businesses, will not have time to achieve Level 2 
certification before their OSA and OSC customers need them to be 
certified and recommended extending the phased timeline.
    Several comments stated that recouping compliance costs could take 
years, forcing SMBs into financial debt, contract termination, and 
exclusion from the market for DoD contracts. One commenter expressed 
concern about implementation of CMMC as a condition of contract award 
and the implication that compliance costs are incurred prior to 
receiving a DoD contract.
    Response: DoD declined to implement a small entity specific 
``phased compliance''. Since December 2017, DFARS clause 252.204-7012 
has required contractors to implement the NIST SP 800-171 security 
requirements to provide adequate security applicable for processing, 
storing, or transmitting CUI in support of the performance of a DoD 
contract.
    DoD received numerous comments about the use of ESPs, including 
MSPs, which do not process, store, or transmit CUI. In response to 
comments, the DoD has reduced the assessment burden on External Service 
Providers (ESPs). ESP assessment, certification, and authorization 
requirements in Sec. Sec. 170.19(c)(2) and (d)(2) have been 
updated. ESPs that are not CSPs and do NOT process, store, or transmit 
CUI, do not require CMMC assessment or certification. Services provided 
by an ESP are in the OSA's assessment scope.
    CMMC has taken several steps to keep the cost of compliance with 
the rule commensurate with the risk to the DoD's information. Level 1 
only requires self-assessment, and many contracts with CUI will only 
require a Level 2 self-assessment. Companies that currently attest that 
they meet DFARS clause 252.204-7012 should not have difficulty 
completing a Level 2 self-assessment. In accordance with the rulemaking 
process, this rule was reviewed by both DoD cost analysts and OMB 
economists for realism and completeness.
    This is a 32 CFR part 170 CMMC Program rule, not an acquisition 
rule. The 48 CFR part 204 CMMC Acquisition rule will address 
implementation of CMMC as it pertains to DoD contracts.
d. Detailed Cost Analysis
    Comment: A few comments suggested a detailed cost analysis should 
consider SMBs of various sizes, types, and challenges to ensure 
compliance is sustainable. One comment asked whether a profit margin 
analysis was performed, while another asserted that other third-party 
assessments are less expensive than the estimates for CMMC assessment. 
Another stated CMMC Level 3 cost estimates are too low and suggested 
using costs associated with SECRET-level networks for calculation.
    Response: The DoD provided an analysis of costs to meet CMMC Level 
1 and 2 requirements in the regulatory impact analysis for this rule. 
The cost estimates provided for this rule represent average costs for 
companies to comply with CMMC requirements, including the need for 
self-assessment or independent assessment against the specified 
standards. Comparing costs with other third-party security audits 
presumes that the security and assessment requirements are identical, 
and DoD disagrees with that assumption.
    The DoD declined to produce another cost estimate for CMMC 
assessment and certification. As required by the Rulemaking Guidance, 
the DoD provided cost estimates and impact analyses in the proposed 
rule. The analysis included estimated costs for each level and type of 
assessment or certification for different sized contractor businesses. 
The cost estimates did not include an analysis of profit margins, which 
is not required. This rule also does not provide the cost analysis for 
all actions, personnel, and security measures required to protect CUI 
information, data, systems, and technical products through the life 
cycle of the work and data generated. The cost estimates represent 
derived estimates based on internal expertise and public feedback in 
accordance with OMB Circular A-4.
    Market forces of supply and demand will determine C3PAO pricing for 
CMMC Level 2 certification assessments. The size and complexity of the 
network within scope of the assessment impacts the costs as well. CMMC 
Level 3 assessments against the NIST SP 800-172 Feb2021 baseline are 
performed free of cost by DoD assessors, which reduces the cost of CMMC 
Level 3.
    The costs associated with a government-owned SECRET-level network 
are not relevant to the CMMC Program which ensures protection of FCI 
and CUI.
e. Assistance Programs or Other Relief
    Comment: Several commenters proposed that financial assistance, 
contract incentives, direct reimbursement of assessment costs (in whole 
or in part), and market rate price caps be considered to lessen 
financial burden and decrease the entry barrier for SMBs. Several 
comments also inquired about DoD SMB grant programs to help SMBs cover 
the cost of CMMC Level 2 certification assessments.
    Multiple comments suggested DOD provide actionable guidance through 
outreach support and assistance along with free or reduced cost 
cybersecurity services to SMBs, with two referencing the DoD Office of 
Small Business Programs and one the DoD Procurement Toolbox. One 
comment, from a large business with SMB suppliers, requested clearer 
guidance and support for flow down to sub-tier suppliers and SMB supply 
chains.
    One comment stated firms who receive a low number of CUI documents 
(30 docs in 3-years on 10 computers) do not justify the cost of 
becoming CMMC compliant, and added the cost is nearly as much as 
protection for classified documents. One commenter suggested NIST SP 
800-171 R2 security requirements would not apply to their specific 
characteristics, i.e., a very small

[[Page 83152]]

business with minimal internet connectivity, no remote access, no 
public access, no mobile devices, no remote work, and no known 
cybersecurity issues. The comment asserted that the company posed 
minimal risk to CUI and should be excused from adhering to CMMC program 
requirements based on cost burden.
    One comment proposed eliminating third party assessment costs and 
relying only on self-certification to address the cost burdens. One 
comment noted that free market pricing and a short supply of C3PAOs 
combined with excessive waiting times may result in SMB attrition.
    Response: It is not within the scope of this rule to address how 
companies recover assessment costs. The CMMC rule makes no change to 
the cost allowability parameters described in FAR 31.201-2 Determining 
Allowability.
    Contractors are required to comply with all terms and conditions of 
DoD contracts, to include terms and conditions relating to 
cybersecurity protections and assessment requirements, as implemented 
by this rule. This holds true when a contract clause is flowed down to 
subcontractors.
    Several of the commenters' recommendations have potential benefit 
for the contractor and sub-contractor communities; however, they are 
beyond the scope of the rule. These recommendations included creation 
or expansion of:
    grants and assistance programs, financial support for small 
business, the DoD [Procurement] Toolbox, the DoD Office of Small 
Business Programs, contract incentives and free or reduced cost DoD 
cybersecurity services.
    DoD understands the burden on small business. Nonetheless, DoD must 
enforce CMMC requirements uniformly across the Defense Industrial Base 
for all contractors who process, store, or transmit CUI. The 
requirements necessary to protect a single document are the same as to 
protect many documents, therefore scaling by amount of CUI expected is 
not a viable approach.
    Solicitations for DoD contracts that will involve the processing, 
storing, or transmitting of FCI or CUI on any nonfederal system, 
regardless of the size or configuration of the nonfederal system, will 
specify the required CMMC Level (1, 2 or 3) and assessment type (self-
assessment or independent third-party assessment). That requirement 
applies, regardless of the number of computers or components in a 
nonfederal information system.
    DoD's original implementation of security requirements for adequate 
safeguarding of CUI relied upon self-attestation by contractors. Since 
that time, the DoD Inspector General and DCMA found that contractors 
did not consistently implement mandated system security requirements 
for safeguarding CUI and recommended that DoD take steps to assess a 
contractor's ability to protect this information.
    All contractors or sub-contractors with access to CUI need to be 
capable of protecting that information to the standard specified in 32 
CFR part 2002. If a small business cannot comply with DFARS clause 
252.204-7012 and NIST SP 800-171 R2, then that business should not be 
processing, storing, or transmitting CUI. DoD's programs, technological 
superiority, and best interests are not served if CUI is not 
consistently safeguarded by all who process, store, or transmit it.

28. Perceived Cost of CMMC Program

    Comment: Several comments expressed disagreement with assumptions 
supporting the cost estimate, namely that implementation costs to 
comply with the requirements of FAR clause 52.204-21 and DFARS clause 
252.204-7012 predate and are not included as CMMC costs. These comments 
assert that the cost of CMMC compliance should include those costs, and 
therefore dwarfs the cost of CMMC certification. They further assert 
that DoD's position does not account for those contractors who have 
only recently joined the DIB marketplace or those that aspire to do so. 
The concern expressed in the comments is that the cost of standing up 
an infrastructure to achieve and maintain DoD cybersecurity 
requirements regarding the protection of FCI and CUI, combined with 
CMMC assessment costs, is prohibitive and will create a lack of diverse 
suppliers.
    Two commenters asserted the CMMC Program expanded application of 
DFARS clause 252.204-7012 requirements due to a perceived extension of 
those requirements to additional organizations, such as External 
Service Providers (ESPs). One of the commenters further speculated that 
CMMC requirements may decrease the availability of ESPs that are 
available and suitable to support DIB members as needed to comply with 
CMMC requirements. Another commenter stated that this scope expansion 
increases direct implementation and compliance costs above and beyond 
the CMMC Program's estimated assessment costs. The comment cites the 
introduction of the terms ``Security Protection Assets'' and ``Security 
Protection Data'' as extending applicability of those requirements and 
incurring the additional direct implementation and compliance costs. 
Lastly, the comment notes these changes will drive costs to ``rip and 
replace'' existing tools and likely purchase more expensive FedRAMP or 
CMMC-certified tools.
    One comment indicated that, while compliance with NIST SP 800-171 
was required by December 31, 2017, compliance with NIST SP 800-171A 
Jun2018 increases requirements and cost because NIST SP 800-171A 
Jun2018 emphasizes process and documentation in addition to the intent 
of the security requirement.
    Two comments pointed out that some contractors may need to 
accelerate remediation efforts and close out POA&Ms under existing DoD 
contracts that are subject to DFARS clause 252.204-7012 to meet CMMC 
requirements. These comments requested that since these contractors 
will now be faced with accelerating close-out of their POA&Ms, which 
will incur additional costs, that DoD account for those costs in the 
estimate and potentially allow for recovery of those costs.
    One comment asserts that CMMC assessment failures, remediation 
implementation, and subsequent reassessments will be very costly in 
both time and money.
    Response: 81 FR 72990, October 21, 2016 implemented the DoD's 
requirement that ``contractors shall implement NIST SP 800-171 as soon 
as practical, but not later than December 31, 2017.'' Public comments 
related to costs for implementation were published with that final 
rule, along with DoD's responses. CMMC cost estimates are derived 
estimates based on internal expertise and public feedback in accordance 
with OMB Circular A-4 and are representative of average assessment 
efforts not actual prices of C3PAO services available in the 
marketplace. Market forces of supply and demand will determine C3PAO 
pricing for CMMC Level 2 certification assessments and how C3PAOs 
choose to distinguish their service offerings from other C3PAOs, 
including the timely availability of an assessment team, or re-
assessments after an assessment failure. The size and complexity of the 
network within the scope of the assessment impacts the costs as well. 
The DoD declines to speculate about how OSCs and C3PAOs negotiate 
mutually

[[Page 83153]]

acceptable terms and conditions for assessment agreements.
    OSA implementation of the requirements of FAR clause 52.204-21 and 
DFARS clause 252.204-7012 long predate CMMC and are not included in 
CMMC cost estimates, since those requirements are not driven by or 
attributable to CMMC, even for new or aspiring defense contractors, and 
have been in force since 2017 on DoD contracts that include the 
processing, storing, or transmitting of FCI or CUI in the performance 
of a DoD contract. The DoD has taken measures to make a self-assessment 
as straightforward as possible and provided guidance to mitigate any 
variance in assessment scores. Additionally, the DoD has streamlined 
CMMC requirements to align directly to NIST guidelines and has 
eliminated unique security practices to ease the burden on smaller 
companies. DoD must enforce CMMC requirements uniformly across the 
Defense Industrial Base for all contractors and subcontractors who 
process, store, or transmit CUI. Creation of grants and assistance 
programs is beyond the scope of this rule. DFARS clause 252.204-7012 
requires protection of security protection assets and security 
protection data. Section 1.1 of NIST SP 800-171 R2 states: ``The 
requirements apply only to components of nonfederal systems that 
process, store, or transmit CUI, or that provide security protection 
for such components.'' There is therefore no increase in the scope as 
described in the rule.
    Security protection data requires protection commensurate with the 
CUI it protects and is based on how and where the security protection 
data is stored. The FedRAMP requirements for handling security 
protection data are therefore the same as those for handling CUI. Any 
impact to the cost of serving Government customers across the DoD is 
beyond the scope of this rule.
    As NIST states in NIST SP 800-171A Jun2018, ``The assessment 
procedures are flexible and can be customized to the needs of the 
organizations and the assessors conducting the assessments. Security 
assessments can be conducted as self-assessments; independent, third-
party assessments; or government-sponsored assessments and can be 
applied with various degrees of rigor, based on customer-defined depth 
and coverage attributes.'' CMMC Program requirements are designed to 
ensure compliance with existing standards for protection of FCI and CUI 
and align directly to NIST guidelines (i.e., NIST SP 800-171 R2 and 
NIST SP 800-172 Feb2021) and the basic safeguarding requirements (of 
FAR clause 52.204-21) that apply to all executive agencies. The rule 
accounts for costs associated with assessment via NIST SP 800-171A 
Jun2018.
    Within the limitations of Sec. 170.21 Plan of Action and 
Milestones Requirements, offerors may bid on a contract while 
continuing to work towards full CMMC compliance. DoD rejects the notion 
that organizations must ``accelerate'' to meet a requirement in place 
since 2017. DoD did not intend nor expect that POA&Ms would remain 
open-ended and unimplemented for years.
    The DoD provided an analysis of costs to meet CMMC Level 1 and 2 
requirements in the regulatory impact analysis for this rule. 
Certification is never required for CMMC Level 1, which is a self-
assessment requirement. CMMC Level 2 may either be met via self-
assessment, or via a C3PAO assessment, depending on the specific 
requirement cited in the solicitation. It is not within the scope of 
this rule to address the way companies recover assessment costs.
    Verifying compliance with applicable security requirements may 
increase cost and is necessary for the protection of DoD FCI and CUI. 
The cost of lost technological advantage over potential adversaries is 
greater than the costs of such enforcement.

29. CMMC Benefits and Cost Estimates

a. Cost Estimate Assumptions
    Comment: Some comments proposed the DoD directly assume the costs 
for industrial base compliance, increase contract award prices, offer 
grants and loans, or provide tax credits to offset the costs associated 
with compliance. One asked for clarification regarding allowable versus 
unallowable costs. One comment stated the cost estimate was a good 
guesstimate of the total cost to the USG, but the flow down costs and 
the price of doing business will be at the Program Office level. The 
commenter requested the DoD provide a table of Program Office funding 
requirements to aid Program Managers in reflecting CMMC costs in an 
Acquisition Strategy and Cost Analysis Requirements Document (CARD).
    A few comments asked about the assumptions used to estimate numbers 
of assessments by category and stated the labor rates for ESPs and 
C3PAOs were too low, and costs associated with small entities were 
incorrect. Two comments also suggested the number of hours estimated 
for self-assessment are too low, and three questioned the accuracy of 
small and medium sized business labor rates and asserted that the 
assessment costs for small businesses were not sustainable. One comment 
suggested that cost data in existing/past contracts should be used as a 
part of CMMC cost analysis and Section H costs should apply to the 
current CMMC cost estimate.
    One comment claimed it is cost prohibitive for individuals to 
obtain a CCP or CCA certification, which will hamper the CMMC Program's 
scalability.
    One comment requested the government elaborate on how the estimated 
417.83 hours per response was derived for table 39, C3PAOs Level 1 
Certification and Assessment, in Sec. 170.17(a). Another 
comment asserted that assessments conducted by Defense Technical Risk 
Assessment Methodology (DTRAM) assessment teams require more manhours 
than are anticipated for CMMC certification assessments.
    One comment stated that while DoD included an estimate for annual 
senior official affirmations in the Regulatory Impact Analysis, it 
assumed a minimal number of hours will be required to complete this 
task which may not be adequate to complete a full compliance review.
    One comment stated the DoD self-assessment resource allocations for 
an ESP for both CMMC Level 1 and Level 2 are estimated 125% to 175% too 
low based on the belief that a self-assessment should have more rigor 
than a gap analysis. Specifically, the commenter posed questions on 
what inputs from potential OSAs were used and identifying the rigor a 
Certifying Official would require for attestation. Recommendations 
include that the DoD clearly state its assumptions regarding self-
assessment rigor, have OSA legal counsel review assumptions and cost 
factors, and identify a representative cross-section of stakeholders to 
determine appropriate rigor assumptions for a company's ESPs and for 
self-assessments by organizations new to CMMC.
    One comment stated that the DoD's assumptions for the level of 
effort expressed as Director and staff IT specialist hours are too low. 
Although there are continuous monitoring requirements of NIST 800-171 
R2, those requirements do not invoke the level of effort necessary for 
an executive to make an attestation corresponding to the level of 
personal risk and corporate liability incurred under the False Claims 
Act. The comment asserted that DoD's assumptions failed to account for 
an SMB to acquire and manage technical tools or manage the 
reaffirmation or an enterprise change management effort.

[[Page 83154]]

The comment included several questions regarding the inputs used to 
determine lack of ongoing management resource requirements for 
reaffirmation, a risk management application, and inputs across the DIB 
regarding the level of assurance needed for affirmations to address 
liability concerns with the False Claims Act. Another recommendation 
suggested the DoD clearly state the degree of rigor an OSA should 
assume and revisit the cost assumptions involved to provide the Entity 
official with assurance for reaffirmation.
    One commenter reviewed the CMMC AB's draft CMMC Assessment Process 
(CAP) document and agreed that 120 hours for a C3PAO's three-person 
team inclusive of Phases 1, 2 and 3 is appropriate for smaller 
companies and should be considered a lower bound for C3PAOs deployed 
resources but suggested the 156 ESP assessment hours should be 
decreased.
    One comment highlighted the following rule text, ``The total 
estimated Public (large and small entities) and Government costs 
associated with this rule, calculated in over a 20-year horizon in 2023 
dollars at a 7 percent discount rate and a 3 percent discount rate are 
provided as follows,'' and asked how an organization could become 
eligible for the 7% discount.
    One comment proposed DOD remove CMMC Level 1, or defer CMMC Level 1 
implementation for several years, since it does not involve CUI. The 
comment stated CMMC Level 1 cost estimations and burden of compliance 
in the rule were greatly understated, that few companies subject to 
this CMMC level have any idea what is expected of them, and most will 
struggle with financial, technical, and human resources. Though FAR 
clause 52.204-21 is widely used in Federal contracts, it has not been 
successfully communicated that NIST SP 800-171A Jun2018 will be used. 
The comment concludes stating CMMC Level 1 does not include CUI, 
therefore making cost and compliance an excessive demand.
    Response: Subsidizing costs for the defense industrial base 
compliance is not within the scope of this rule. The rule has taken 
several steps to keep the cost of compliance with the rule commensurate 
with the risk to the DoD's information. In addition, Level 1 only 
requires self-assessment, and many contracts with CUI will only require 
a Level 2 self-assessment. Companies that are currently and validly 
attesting that they meet DFARS clause 252.204-7012 should not have 
difficulty passing a Level 2 self-assessment.
    Cost estimates provided in this rule were based on internal 
expertise, compliant with OMB Circular A-4, and informed by public 
feedback. Certain elements of the estimated costs will be influenced by 
market forces of supply and demand, which will determine C3PAO pricing 
for CMMC Level 2 certification assessments.
    The number of assessments over the phase-in period was estimated 
using data from the Electronic Data Access system for the contracts 
containing DFARS clause 252.204-7012 in fiscal years 2019, 2020, and 
2021, as well as data calculated for the initial CMMC Program. This 
data was used in combination with an expected growth factor to estimate 
DoD contracts and orders in the future. Data also showed the number of 
awards that were made to small entities and other than small entities. 
The resulting estimate was phased in over 7 years to allow the 
ecosystem to grow and accommodate an increasing number of assessments.
    The assumptions and analysis of costs are provided in the 
regulatory impact analysis for this rule and are explained in depth. 
One of the assumptions is that Non-Small Entities have a team of full-
time cybersecurity professionals on staff while Small Entities do not. 
The assumptions reflect that Small Entities will likely obtain support from 
External Service Providers and have a staff member submit affirmations 
and SPRS scores for self-assessments (when applicable).
    DoD included an analysis of costs to meet CMMC requirements in the 
regulatory impact analysis for this rule. As described in the estimate 
included with the rule, the major cost categories for compliance with 
CMMC requirements are anticipated to include costs for completing a 
self-assessment (e.g., Level 1 or 2); costs to prepare for and undergo 
C3PAO assessment (Level 2); costs required to implement the Level 3 
security requirements and for preparing to undergo DCMA DIBCAC 
assessment (Level 3). Market forces of supply and demand will determine 
C3PAO pricing for CMMC Level 2 certification assessments. The CMMC rule 
does not make any change to cost allowability as defined in the FAR 
31.201-2, Determining Allowability.
    As addressed in the Assumptions section of the Regulatory Impact 
Analysis (RIA), the cost estimates for CMMC Levels 1 and 2 are based 
only on the assessment, certification, and affirmation activities that 
a defense contractor, subcontractor, or ecosystem member must take to 
allow DoD to verify implementation of the relevant underlying security 
requirements. For CMMC Level 3, cost estimates to implement applicable 
security requirements are included as they are a new addition to 
current security protection requirements. Section H costs of existing/
past contracts do not apply.
    CCP and CCA certification costs are set by the CAICO and are market 
driven. The hours used in the cost estimations are based on estimates 
by subject matter experts. The 417.83 hours per response questioned by 
the commenter ties to C3PAO reporting and recordkeeping requirements 
for Level 2 certification assessment on small entities as identified in 
table 36, not Level 1 or table 39 as stated in the comment.
    In response to public comments received in the initial 48 CFR CMMC 
interim final rule public comment period, DoD streamlined the CMMC 
model to ease the assessment burden. At the same time, estimates were 
increased for the time and cost of self-assessment based on industry 
and DIBCAC input. DoD estimates are based on defendable assumptions and 
documented labor rates. Therefore, DoD declines to modify the self-
assessment estimates.
    The DoD has streamlined CMMC requirements to align directly to NIST 
guidelines, eliminated unique security practices to ease the burden on 
smaller companies, and included an analysis of costs to meet CMMC 
requirements in the regulatory impact analysis for this rule. The DoD 
declined to modify the estimates, which are intended to be 
representative and to inform rulemaking.
    Verifying compliance with applicable security requirements may 
increase cost and is necessary for the protection of DoD CUI. The cost 
of lost technological advantage over potential adversaries is greater 
than the costs of such enforcement. The value of information (and 
impact of its loss) does not diminish when the information moves to 
contractors.
    DoD rejected the recommendation to adjust the annual requirement 
for senior affirmations to a triennial requirement to decrease senior 
affirmation costs. The requirement for annual affirmations is to ensure 
the Affirming Official responsible for CMMC requirements is monitoring 
compliance with the requirements. If compliance is being maintained as 
required, this should not require more time or cost than provided in 
the estimates. Further, DFARS clause 252.204-7012 already requires NIST 
SP 800-171 continuous monitoring via requirement 3.12.3. DoD also 
declined to make the recommended edits to further delineate a company's 
internal review of self-assessments and reaffirmations in the cost 
assumptions.
    The cost estimates provided for this rule represent average costs 
for

[[Page 83155]]

companies to comply with the CMMC requirement, including the need for 
self-assessment or independent assessment against the specified 
standards. Whether the OSA elects to satisfy those requirements 
themselves, or by using one ESP for many requirements, or by using 
several ESPs for individual requirements, is a decision to be made by 
the OSA. That decision does not change DoD's estimate of average costs 
to meet CMMC requirements. The DoD declined to recalculate cost 
estimates using lower costs for ESP assessments.
    The 7% discount rate is not a discount for organizations. The 
discount rate is a part of a formula used in a business impact analysis 
calculation. When calculating 20 years in the future, a discount rate 
is used to determine the net present value of money. Discount rates are 
explained in step seven of OMB Circular A-4: Regulatory Impact 
Analysis: A Primer. The DoD does not agree with the commenter's 
assertion that the cost estimates greatly understate the costs and 
burden of Level 1 compliance. The 15 FAR security requirements that 
comprise CMMC Level 1 should already be implemented if an OSA's 
network processes, stores, or transmits FCI. In addition to 
NIST SP 800-171A Jun2018, the CMMC Level 1 Assessment Guide provides 
supplemental information to help facilitate implementation and 
assessment of the Level 1 security requirements.
b. Economic Impact
    Comment: One comment suggested the government evaluate the economic 
impact of implementing the rule's reporting requirements at scale. 
Another comment expressed the notion that the cost impact analysis does 
not account for the free market response, referring to the associated 
cost increases and schedule delays that directly impact the warfighter 
and taxpayer. The commenter suggested the cost could dwarf both the 
cost of implementing compliance and achieving certification.
    One comment stated the CMMC Level 2 and Level 3 cost burdens for 
companies that were historically never subjected to such requirements 
may be disproportionate to the risk their operations pose to the 
inadvertent disclosure of CUI or FCI. It suggested ensuring 
requirements be proportional to the subcontractor's activity and risk 
levels. The comment further mentioned that costs may be passed on to 
the prime contractor, and DoD should consider providing recovery costs 
in the price of implementation.
    One comment stated the 100% compliance to CMMC Level 2 
certification may be financially unachievable and suggested that if a risk 
assessment shows the likelihood of harm is comparatively low, the DoD 
should direct CMMC Program assessors to use their professional 
judgments and not require seeking maximum evidence of compliance where 
there is evidence of sufficiency.
    Response: The DoD has already evaluated the reporting requirements 
and the analysis of the costs is provided in the Regulatory Impact 
Analysis published with this rule. The DoD declined to respond to 
speculative or editorial comments about downstream impacts of the 
market's reaction to CMMC, all of which are beyond the scope of this 
rule.
    The DoD declined the recommendation to restructure CMMC to be 
proportional to the subcontractor's activity and risk levels. DoD must 
enforce CMMC requirements uniformly across the Defense Industrial Base 
for all contractors and subcontractors who process, store, or transmit 
CUI. The value of information (and impact of its loss) does not 
diminish when the information moves to contractors and subcontractors.
    Assessors exercise judgment in determining when sufficient and 
adequate evidence has been presented to make an assessment finding. 
This is consistent with current DIBCAC High Assessments and assessments 
conducted under the Joint Surveillance Voluntary Assessment (JSVA) 
program. Furthermore, to reduce burden to small businesses, the CMMC 
program has implemented flexibility with self-assessment, POA&Ms, and 
waivers.
c. Cross-Functional Requirements and Artifacts
    Comment: Multiple comments maintained that DoD underestimated the 
cross-functional (Human Resources, Physical Security, Training, etc.) 
manhours and associated cost to collect artifacts and evidence in 
preparation for a C3PAO assessment. One comment stated the DoD's 
overestimation of CMMC Level 1 requirements would correspond to an 
underestimation of compliance costs. The comment referred to current 
NIST requirements and asserted that potential revisions would force 
changes to POA&Ms causing additional costs beyond those included in the 
estimates. The comment suggested the DoD should determine the range of 
potential compliance timelines, the use and value of existing and 
planned POA&Ms, and true certification costs, both for initial 
compliance as well as ongoing maintenance and oversight.
    One commenter claimed too much funding was expended over the past 5 
years for the CMMC database system.
    Response: OSCs prepare for C3PAO assessments based upon NIST 
guidelines as addressed in Sec. 170.17. The cost and time estimates 
represent the time to gather the evidence to address all assessment 
objectives and are derived averages based on internal expertise and public 
feedback in accordance with OMB Circular A-4 Regulatory Impact 
Analysis: A Primer. The size and complexity of the network within scope 
of the assessment impacts the costs as well.
    The time estimates represent average derived estimates based on 
internal expertise and public feedback in accordance with OMB Circular 
A-4. The size and complexity of the network within scope of the 
assessment impacts the time estimates as well. The DoD does not concur 
with the commenter's claim that too much funding has been spent to 
develop the DoD's database for the CMMC Program.
d. Duplication or Overlap
    Comment: One comment asserted CMMC requirements may be duplicative 
or conflict with existing utility industry compliance requirements that 
address CUI, since utility companies will not require CMMC Level 3 
certification. They proposed the utilities and the DoD collaborate to 
harmonize requirements to limit the financial burden.
    One comment highlighted a concern about costs for companies that have 
multiple contracts, each carrying different CMMC Program requirements. 
Concerns were specifically based on the increased costs from CMMC Level 
2 to CMMC Level 3 compliance, assuming costs would be borne by 
contractors. They expressed similar concerns about costs for FedRAMP 
certification, given a purported backlog in FedRAMP authorizations.
    Response: Addressing the harmonization between the DoD, 
contractors, and subcontractors is beyond the scope of this rule. These 
are functions of the DIB Sector Coordinating Council and the DIB 
Government Coordinating Council. Additionally, non-DoD programs are 
outside the control and scope of the 32 CFR part 170 CMMC Program rule. 
The DoD encourages prime contractors to work with their subcontractors to 
flow down CUI with the required security and the least burden.
    DoD is aware organizations may receive multiple contracts that may 
require different CMMC levels based upon programmatic data security 
needs. It is beyond the scope of this rule to

[[Page 83156]]

dictate how OSAs manage varying contract requirements. Contractors that 
have achieved a CMMC Level 2 or Level 3 certification automatically 
meet a stated requirement of a lower CMMC level if the same system/
assessment scope will be used in performance of the contract.

30. Alternatives

a. Alternate Programs
    Comment: Many comment submissions included lengthy proposals for 
alternatives to the CMMC program purported to alleviate specific 
concerns with aspects of CMMC program requirements. In some cases, the 
concerns were based on a misreading of the rule's content. The DoD has 
addressed some valid concerns through rule revisions that differ from 
the recommendations.
    One commenter suggested eliminating compliance assessments in favor 
of establishing a DoD office to conduct penetration testing of each DIB 
company's network every two years. Other commenters also recommended 
the DoD establish a secure portal and share CUI with contractors only 
through that portal, as a way for the DIB to avoid the cost of securing 
their information systems. One commenter suggested the DoD monitor use 
of waivers and utilize this secure portal approach when CMMC waivers 
apply. Similar recommendations included sharing CUI only through 
password encrypted files or requiring contractors to store CUI in 
restricted access folders. In similar suggestions, several commenters 
thought the DoD should provide its contractors with training, GFE and 
other tools necessary to secure the contractor owned information 
systems being used to process or store CUI. One such commenter stated 
that the Government should appropriate funding for secure solutions 
rather than phasing in compliance assessments. One commenter suggested 
the DoD consider industry's application of alternate security 
mechanisms in lieu of CMMC Levels 2 and 3. Another recommended the DoD 
stand up a voluntary DIB Cyber Protection Program to improve real-time 
monitoring of the DIB, improve cybersecurity for firms that cannot 
afford the needed professional staff, and offer data and legal 
protections to DIB firms. Another such commenter suggested that DoD 
fund securing the DIB through contract incentives.
    One commenter recommended mandating DIB use of the DoD CIO's DIB CS 
Program or other DoD cybersecurity related services as alternatives to 
the CMMC program. That comment suggested reassigning Government 
personnel to provide training for all assessors, to reduce training 
cost and ensure enough assessors to meet demand. Another commenter made 
similar recommendations about CISA cybersecurity service offerings.
    Response: Many comments included lengthy proposals for alternate 
approaches to the CMMC program which would alleviate specific concerns 
with aspects of CMMC program requirements. In some cases, the 
suggestions were based on a misreading of the rule's content. The DoD 
has addressed some valid concerns via rule revisions that differ from 
commenter recommendations.
    The DoD notes with interest one commenter's reference to 
initiatives described in a report to Congress about the breadth of 
cybersecurity related initiatives within the Department. While the CMMC 
is an important initiative, it is by no means the Department's only 
effort to improve DIB cybersecurity. The CMMC Program addresses 
adequate safeguarding of contractor owned information systems which 
process, store, or transmit FCI or CUI. Other DoD initiatives related 
to secure cloud or software development environments are beyond the 
scope of the CMMC Program.
    The DoD did not adopt suggested alternatives, such as policy-based 
solutions that lack a rigorous assessment component. The DoD determined 
that sharing CUI only through DoD-hosted secure platforms, in lieu of 
implementing the CMMC Program, was not a scalable or cost-effective 
solution. Although the DoD expanded the availability of resources 
through the DIB Collaborative Information Sharing Environment (DCISE) 
program, the DoD also declines to rely only on training in lieu of 
assessment.
    The purpose of CMMC is to require defense contractors and 
subcontractors to undergo an assessment to verify the implementation of 
prescribed cybersecurity standards. The security requirements are 
already specified in existing regulations (32 CFR part 2002, DFARS 
clause 252.204-7012, and FAR clause 52.204-21).
    Comments which suggest that enrollment in the DoD's DIB CS Program 
can be an alternative means of meeting the objectives of CMMC 
misinterpret the services that the DIB CS Program provides. The DIB CS 
Program does not provide any mechanism for verifying whether those 
participants have secured their contractor owned information systems to 
the standards required by DFARS clause 252.204-7012. Likewise, the 
recommended NSA cybersecurity offerings also do not provide the same 
verification mechanism that CMMC will provide. CMMC Program 
requirements apply to contractor-owned information systems that 
process, store, or transmit FCI and CUI. Hardware and software 
approving authorities for GFE are not relevant to this CMMC rule. The 
DoD declined to adopt the recommendation to provide GFE to DIB 
contractors to maintain security, ownership of data and support 
Clinger-Cohen Act compliance.
    Some comments received reflect a misinterpretation of the cost 
estimates that accompany this rule, which are intended to inform the 
rulemaking process. The cost estimates are not indicative of a funded 
budget line which could be reprogrammed to fund a new agency to meet 
the objectives of the CMMC Program. Comments recommending that funding 
be appropriated (by Congress) to provide the DIB with security 
solutions are beyond the scope of this rule.
b. Alternate Standards
    Comment: One commenter recommended aligning requirements to DoD 
policies rather than to NIST standards and relying on FISMA compliance 
assessments in lieu of the CMMC model. Another commenter recommended 
the DoD and NIST work with other international standards organizations 
to incorporate CMMC requirements (really NIST standards) into existing 
ISO/IEC and CMMI standards. In general, these commenters recommended 
DoD accept alternate assessments conducted against alternate standards 
by assessors with alternate training and qualifications. They further 
recommended that DoD issue an RFI seeking recommendation of alternate 
third-party assessment schemes. One commenter recommended the rule be 
modified to require that contracts with a CMMC level 3 requirement also 
require use of a FedRAMP moderate or higher CSP, and that contracts 
with a CMMC level 2 requirement permit use of CSPs with either FedRAMP 
Moderate authorization (or higher) or CMMC level 2 or 3 certification 
assessment.
    Response: CMMC is based on the executive branch's CUI Program as 
the authoritative source, as codified in 32 CFR part 2002. The 
definition of CUI and general requirements for its safeguarding are 
included in 32 CFR 2002.4 and 2002.14, respectively. 32 CFR 
2002.14(h)(2) specifically requires that ``Agencies must use NIST SP 
800-171 when establishing security requirements to protect CUI's 
confidentiality on non-Federal information systems . . .'' The CMMC

[[Page 83157]]

Program makes no change to the CUI program or its implementing 
policies. Contractually, DFARS clause 252.204-7012, effective since 
December 2017, requires contractors to implement the NIST SP 800-171 
security requirements to provide adequate security applicable for 
processing, storing, or transmitting CUI in support of the performance 
of a DoD contract. That requirement applies, regardless of the number 
of computers or components in a non-Federal information system.
    The CMMC Program provides an assessment mechanism to verify that 
prospective offerors comply with the applicable information security 
requirements. All executive agencies are required to follow the 
policies described in 32 CFR 2002.14. DoD aligned CMMC requirements 
with NIST SP 800-171 R2 because it is enterprise focused and is already 
required in DoD contracts when DFARS clause 252.204-7012 is applicable. 
DFARS clause 252.204-7012 and NIST SP 800-171 R2 provide the 
cybersecurity requirements, whereas CMMC validates implementation of 
those requirements. CMMC does not duplicate these documents.
    The DoD publishes Security Technical Implementation Guides (STIGs) 
for specific products, primarily to guide secure implementation in DoD 
systems. The OSA is responsible for creating the implementation 
guidance they will use to meet the CMMC security requirements. OSAs are 
free to use the DoD STIGs if they feel they are appropriate. The DoD 
does not want to limit the choices available to the OSA for 
implementation guidance. In addition, the DoD declines to create STIGs 
for all products that might be used in the OSA's environment. Some 
comments lacked relevance to the rule's content, which is limited to 
specific CMMC program requirements.
    Changes to DFARS clause 252.204-7012 are outside the scope of this 
rule. DoD declines to modify CMMC Level 2 or Level 3 requirements 
related to use of Cloud Service Providers (CSP). A CSP is assessed 
against the FedRAMP Moderate baseline. This is required when a CSP, 
regardless of the component or type of CSP, processes, stores, or 
transmits CUI.
    The DoD declines to align CMMC requirements to alternate standards 
or accept compliance with alternate standards in lieu of the NIST SP 
800-171 standard mandated by 32 CFR part 2002 for the protection of 
CUI. CMMI is focused on improving the software development process, 
while CMMC is focused on verifying the proper implementation of DIB 
cybersecurity requirements. Incorporating requirements into new or 
other existing standards would unacceptably delay action to improve DIB 
cybersecurity. The DoD must take action to improve DIB cybersecurity, 
regardless of the global state of cybersecurity. DoD's publication of 
this rule follows completion of OMB's formal rulemaking process, which 
includes both DoD internal coordination and Interagency coordination. 
The recommendation for the DoD to establish a voluntary DIB Cyber 
Protection Program is beyond the scope of this rule.
    One commenter recommended administrative edits to identify CMMC 
levels at a particular place in the preamble description of the 
program. The preamble is not part of the official regulation. In 
addition to background and overview information about the proposed or 
final rule, the preamble includes responses to all comments received 
during the public comment period on the proposed rule. The 
certification requirements are in subpart D, Sec. Sec. 170.15 through 
170.18.
c. Alternate Implementation Timelines
    Comment: Several commenters suggested that DoD abandon CMMC 
requirements in favor of simply continuing to rely upon self-
assessments, or else allowing contractors to comply with DFARS clause 
252.204-7012 requirements absent any assessment (self-conducted or 
third-party). Of those recommending self-assessment, two commenters 
limited the suggestion only to companies that self-certified as small 
businesses and one further recommended that DoD pay for certification 
assessment of all small businesses. One such commenter based their 
opinion on an interpretation that text in NIST SP 800-171 R2 identifies 
the requirements as a model for self-assessment. Another commenter made 
no suggestion to change assessment requirements, other than to 
implement them post-award, rather than pre-award.
    One comment expressed doubt in the ability of the ecosystem to 
scale sufficiently to meet the demand for C3PAO assessments and 
assessor training.
    One commenter suggested the rule be revised to eliminate POA&Ms but 
expand the period during which deficiencies can be reassessed from 
within 10 days of initial assessment to 60 days for those prospective 
contractors. Another commenter suggested varying timelines for POA&Ms 
based on a variety of criteria, including how many DoD contracts are 
held.
    Response: The DoD declined to accept the risk associated with 
implementing CMMC solely as a post-award requirement. When contracts 
require contractors to process, store, or transmit CUI, DoD requires 
that they be compliant with DFARS clause 252.204-7012 and competent to 
adequately safeguard CUI from the beginning of the period of 
performance. DoD declines the recommendation to require primes to 
assume the cost of CMMC for their subcontractors. Arrangements between 
contractors and subcontractors are negotiated directly between those 
parties. The DoD does not accept the recommendation to eliminate or 
change the criteria for POA&Ms or the timeline allowed to remediate 
open POA&M items. The 180-day period allowed for POA&Ms and the 
determination of which weighted practices can be placed on a POA&M was 
a risk-based decision. The determination considers the relative risk 
DoD is willing to accept when a particular practice is not met and the 
amount of risk the DoD is willing to accept for those security 
practices that go ``NOT MET'' for an extended period.
    The Department declines to adopt the recommendation to allow DIB 
members to assist in designing the DoD's mechanism for assessing DIB 
compliance with DoD's contractual requirements. In developing the CMMC 
program, the DoD sought and considered DIB input. DoD disagrees with 
the comment that there is a lack of scalability in the CMMC program. 
The phased implementation plan described in Sec. 170.3(e) is intended 
to address any CMMC Ecosystem ramp-up issues, provide time to train the 
necessary number of assessors, and allow companies the time needed to 
understand and implement CMMC requirements. The rule has been updated 
to add an additional six months to the Phase 1 timeline. As with all 
its programs, the Department intends to effectively oversee the CMMC 
Program and act as needed to manage its effective implementation. 
Although the full extent of DoD's oversight process is beyond the scope 
of this rule, the rule text addresses DoD's authority to waive the 
application of CMMC requirements when warranted in accordance with all 
applicable policies, procedures, and approval requirements.
    DoD has utilized a phased approach to the rollout to reduce 
implementation risk. CMMC Program requirements make no changes to 
existing policies for information security requirements implemented by 
the DoD. It is beyond the scope of this rule for DoD to determine the 
order in which organizations are assessed.

[[Page 83158]]

d. Alternate Assessors or Assessments (Including Self-Assessment Only)
    Comment: One commenter submitted numerous recommendations based on 
an opinion that skills required for conducting CMMC compliance 
assessments are like those required for conducting Independent 
Technical Risk Assessments (ITRAs) on Major Defense Acquisition 
Programs (MDAPs). Such assessments are conducted by the Office of the 
Undersecretary of Defense for Research & Engineering (OUSD(R&E)) in 
accordance with Defense Technical Risk Assessment Methodology (DTRAM) 
criteria. These criteria extend beyond compliance with cybersecurity 
requirements and include characteristics such as modular open systems 
architecture, software, manufacturing, reliability, availability, 
maintainability, and others. This commenter noted the DoD's Adaptive 
Acquisition Framework applies to both Information Systems and National 
Security Systems and suggested that existing acquisition requirements 
pertaining to ITRA and DTRAM should suffice in lieu of CMMC 
assessments. The commenter recommended that DoD use existing ITRA teams 
to perform compliance assessments of contractor-owned information 
systems. In addition, they recommended aligning requirements to DoD 
policies rather than to NIST standards. Other comments made similar 
suggestions to synchronize cybersecurity requirements with DoD policies 
rather than NIST standards but cited FISMA compliance assessments as 
the appropriate model rather than the DTRAM.
    One comment suggested that C3PAOs be permitted to conduct partial 
assessments of ESPs, MSPs, and MSSPs. Multiple comments expressed 
concern with CMMC assessment requirements for OSAs that use ESPs, 
stating that OSAs would be unlikely to know which components of the 
services they purchased were covered by a required CMMC Level 2 
assessment. This commenter recommended the creation of a separate type 
of CMMC assessment specifically for ESPs, which they further 
recommended should be highlighted on the CMMC AB marketplace to assist 
OSAs in selecting an appropriately vetted ESP. These comments provided 
an extended description of the specific scoping guidance that should be 
added to existing CMMC supplemental documentation, as well as several 
sample scenarios explaining how requirements for this new type of 
assessment should be applied. Two comments highlighted that the rule's 
preamble does not include details of assessment and implementation 
requirements.
    Several commenters recommended the DoD abandon the CMMC ecosystem 
model and conduct all cybersecurity compliance assessments using DIBCAC 
assessors, which would reduce cost to the DIB. One such commenter 
suggested that DIBCAC assessment of C3PAOs, as part of the 
accreditation process, detracts from DIBCAC's capacity to perform CMMC 
level 2 assessments for the DIB. Another noted that as Government 
employees, DIBCAC assessors could exercise judgement to make risk-
tolerance decisions that non-Government C3PAOs cannot, including 
possible acceptance of partial non-compliance.
    Response: DoD must enforce CMMC requirements uniformly across the 
Defense Industrial Base for all contractors and subcontractors who 
process, store, or transmit CUI. The value of information and impact of 
its loss does not diminish when the information moves to contractors 
and subcontractors. The DoD has considered the recommendation and 
declines to revise the rule text to rely solely on self-assessment or 
eliminate the 3-year validity period to rely on a one-time 
certification. It is important that contractors maintain security 
compliance for systems that process, store, or transmit DoD CUI. Given 
the evolving cybersecurity threat, DoD's best interests are served by 
ensuring that CMMC Level 2 assessments remain valid for no longer than 
a 3-year period, regardless of who performs the assessment.
    CMMC Program requirements in this rule are designed to improve 
compliance with requirements for safeguarding of FCI and CUI. DoD has 
privity of contract to enforce these requirements and CISA does not. 
OSAs are free to choose CISA services as part of their implementation 
of DoD requirements. FISMA is for Federal systems that are used by 
Government personnel or the public and is therefore an unsuitable 
surrogate for CMMC requirements. If a contractor provides outsourced IT 
services to a Federal agency, the system is considered a Federal system 
and FISMA applies. In contrast, CMMC requirements apply to nonfederal 
systems that are used internally by contractor personnel.
    The DoD disagreed with the commenter's assertions about NIST SP 
800-171 R2 and the available assessment methods. DoD's DIBCAC currently 
performs assessments using the procedures in NIST SP 800-171A Jun2018, 
and these documents explicitly identify the target audience to include 
individuals with security assessment responsibilities, such as 
auditors, assessors, and ``independent verifiers''. The aggregated SPRS 
reporting and scoring is CUI. The DoD does not wish to make this 
information public, which might aid adversaries in coordinating their 
attacks.
    The CMMC Program does not alleviate or supersede any existing 
requirements of the Adaptive Acquisition Framework, nor does CMMC alter 
any statutory or regulatory requirement for acquisition program 
documentation or deliverables.
    One commenter referenced assessments required during the 
acquisition process for DoD systems. DoD's policies governing 
acquisition programs require that Independent Technical Risk 
Assessments be conducted on Major Defense Acquisition Programs. These 
assessments provide a view of program technical risk and are not well-
suited to the assessment of contractor owned information systems 
against standards for safeguarding CUI. CMMC assessments are conducted 
on contractor owned information systems to gauge compliance with FAR 
and DFARS requirements for safeguarding FCI and CUI that is processed, 
stored, or transmitted within those contractor-owned information 
systems. One commenter incorrectly asserts that the CMMC Scoring 
Methodology does not parallel existing scoring methods; the CMMC 
methodology is based on the DoDAM.
    The DoD declined to accept the recommended alternative of self-
assessment with the potential to require DIBCAC assessment for a 
sampling of DoD contractors, which is essentially the status quo. Both 
GAO reporting and other DoD analysis have shown that the DIB has not 
consistently implemented the NIST SP 800-171 requirements needed to 
comply with DFARS clause 252.204-7012, even though DoD's objective was 
for the contractor to implement NIST SP 800-171 as soon as practical, 
but not later than December 31, 2017.
    The DoD reserves the right to decide when reliance on self-
assessment will suffice, and when compliance should be assessed through 
CMMC certification. Based on DoD decision criteria that includes a risk 
assessment of the type and sensitivity of program information to be 
shared, Program Managers will identify the appropriate CMMC requirement 
(e.g., CMMC Level 2 self-assessment or Level 2 certification) in the 
solicitation.
    The government does not have the capacity in house to adequately 
assess the 220,000+ companies in the DIB. The DoD cannot assume the workload of 
directly assessing every DIB contractor. With this final rule, DoD 
established a scalable way to verify, through assessment, that 
contractors have implemented required security measures necessary to 
safeguard DoD information. The DIBCAC's mission is derived from DoD 
priorities and the Department is actively working to ensure that the 
DIBCAC is adequately resourced to effectively execute its mission 
areas. Planned changes to DCMA staffing levels have been considered and 
are necessary to implement the elements of the CMMC program described 
in this rule (i.e., Level 3 and C3PAO assessments).
    By design, the CMMC Program depends on the supply and demand 
dynamics of the free market, enabling it to naturally scale and adapt 
to capacity requirements. The DoD established requirements for each 
part of the CMMC ecosystem to support a robust compliance assessment 
mechanism for DoD's contractual requirements to safeguard CUI that is 
processed, stored, or transmitted in contractor owned information 
systems. The DoD cannot assume the workload of directly assessing every 
DIB contractor.
    One commenter provided numerous comments expressing concern that 
OSAs that use ESPs will be unlikely to know which ESP services require 
CMMC assessment within the OSA's boundary or scope. This commenter 
recommended an alternate type of CMMC assessment specifically for ESPs. 
In lieu of adopting that recommendation, the DoD has updated the rule 
in Sec. Sec.  170.19(c)(2) and (d)(2) to reduce the assessment 
burden on ESPs. DoD declined to allow partial CMMC Assessments. ESPs 
may request voluntary CMMC assessments of their environment and use 
that as a business discriminator. The marketplace for ESP services will 
adjust to find the efficient manner for ESPs to support OSA 
assessments.
e. Alternate Governance
    Comment: Rather than abandon the CMMC ecosystem model entirely, 
some commenters recommended only that DoD revise the CMMC Accreditation 
Body's roles and responsibilities. Three recommended the DoD eliminate 
the CMMC AB and take on its responsibilities; of these, one further 
suggested the DoD publish detailed Security Technical Implementation 
Guides describing how to implement the applicable NIST requirements. 
One commenter questioned the reasons for creating a CMMC AB rather than 
accepting another existing accreditation body or multiple accreditation 
bodies. One comment expressed doubt in the ability of the ecosystem to 
scale sufficiently to meet the demand for C3PAO assessments and 
assessor training.
    Multiple comments called for organizations other than the current 
CMMC AB to run the CMMC ecosystem such as a CMMC Advisory Council or a 
Civilian Cybersecurity Corps comprised of government and private sector 
staff. One such comment requested that, unlike the current CMMC AB, the 
proposed body would be funded and managed by the government. Two 
commenters recommended the DoD consider accepting other types of 
conformance assessment such as ISO/IEC 27001:2022(E) and Health 
Information Trust Alliance (HITRUST) certification. One noted this 
would require guidance to describe how to address the gaps between 
standards those assessments are aligned to and those that CMMC are 
aligned to (e.g., NIST SP 800-171 R2 for CMMC Level 2). This commenter 
further suggested that DoD accept alternate industry certifications in 
lieu of the training requirements identified for CMMC Assessors. One 
commenter suggested the DoD accept FedRAMP authorization to meet CMMC 
assessment requirements.
    Response: DoD considered many alternatives before deciding upon the 
current CMMC structure. The DoD established requirements for a CMMC 
Accreditation Body, and this accreditation body will administer the 
CMMC Ecosystem. The DoD reviewed and assessed the whitepapers that were 
submitted by RFI respondents and determined that no single respondent 
could meet all the broad facets required to serve as the CMMC 
Accreditation Body. Based on this assessment, the DoD published notice 
of a planned meeting in November 2019 to allow the respondents and 
other members of the public to hear the senior DoD leadership address 
DoD perspectives regarding the notional CMMC implementation flow; the 
notional program structure; the notional CMMC Accreditation Body 
activities, structure, and relationship with the DoD; and the notional 
CMMC implementation schedule. The DoD also provided information 
regarding the Department's planned way forward. The result of the 
November 2019 meeting was the establishment of the current CMMC 
Accreditation Body. The relationship between the current CMMC 
Accreditation Body and the DoD was formalized through a Memorandum of 
Understanding and then a No-Cost Contract. The DoD cannot assume the 
risk or the workload of directly managing the CMMC Ecosystem or the 
other alternatives suggested. The current CMMC Accreditation Body is 
aligned to the DoD through contractual arrangements.

31. Rulemaking Process

    Comment: Some comments were submitted to identify problems with 
using the Federal eRulemaking Portal (at www.regulations.gov) or the 
Federal Register website and did not address content of the proposed 
rule. One commenter was confused by the identification of the rule as 
``Proposed'' rather than final. Another asked whether the rule could be 
republished with page numbers.
    Many comments critiqued the format, heading and section numbering, 
use of incorporation by reference, or sections contained within the 
rule, rather than the substance of the content. For example, some 
comments described the CMMC rule as overly repetitive or containing 
duplicative sections. Some comments recommended deleting specific 
sections to shorten or simplify the rule, including ``History of the 
Program''. Some commenters perceived the preamble to the rule as 
unnecessary and recommended deleting or shortening that section. In 
addition, one commenter noted that responses to public comments 
received against an earlier CMMC rule publication ought to be published 
with the 48 CFR part 204 CMMC Acquisition rule rather than this 32 CFR 
part 170 CMMC Program rule. Several commenters simply thought the rule 
text too verbose and recommended rewriting the content with fewer words 
and simpler language or using tables to shorten the content. One 
comment criticized the organization of the documents.
    Several comments addressed references to documents outside the 
rule, or those that are incorporated by reference. One commenter asked 
how the DoD will recognize when revisions to documents incorporated by 
reference cause them to be misaligned with requirements identified in this 
rule. Other comments requested that additional documents be 
incorporated by reference, such as DoD Instructions on CUI and the DISA 
Cloud Security Technical Reference Architecture. Some commenters 
complained that the page count of the rule and documents incorporated 
by reference was too high and asked whether contractors are expected to 
read them all. Two commenters objected to certain terms in the 
definitions section pointing to other documents as the source of the 
definition. One further suggested that such definitions be revised to 
simply point to the URL of the source definition.
    Some comments recommended moving content from the new 32 CFR part 
170 CMMC Program rule to the CMMC supplemental documents or changing 
citations to reference them rather than the NIST documents that are 
incorporated by reference. Another asked why the scoring methodology 
was incorporated into the rule, rather than incorporated by reference. 
One comment questioned whether the supplemental documents are truly 
optional, rather than required for compliance with CMMC program 
requirements. One comment stated a public comment period should be 
required for all supplemental guidance prior to final publication.
    One commenter asked what precipitated implementation of the CFR, 
which the DoD interpreted as a question about codification of the CMMC 
program in the CFR. One commenter asked whether the rulemaking process 
had afforded a certain group the opportunity to coordinate or comment 
on the rule. Another referenced the separate 48 CFR part 204 CMMC 
Acquisition rulemaking effort needed to implement the content of this 
rule and urged the DoD to consider public comments of both rules prior 
to their publication as final.
    One comment specifically suggested the CMMC program be implemented 
Government-wide. One commenter simply submitted a copy of a CMMC-
related article from the February 2024 issue of National Defense 
Magazine and quoted or extracted from it rather than providing any 
specific comment or question.
    Response: The process for creating Federal regulations generally 
has three main phases: initiating rulemaking actions, developing 
proposed rules, and developing final rules. A proposed rule is 
published for public comment prior to developing the final rule. A 
final rule must identify its effective date and be published 60 days 
prior to that date. The structure and formatting requirements for 
proposed and final rules and the process for submitting public comments 
are prescribed by the Office of the Federal Register and OMB, 
respectively, and are outside of DoD's control.
    OMB approved publishing the CMMC rule as a Proposed Rule. It has 
undergone a required notice-and-comment process to give the public an 
opportunity to submit comments. The Proposed Rule and the comments 
received informed the final rule. Issues with the Federal Register or 
www.regulations.gov functionality for submitting comments via 
attachment of pdf or other file type were raised with the appropriate 
help desk and resolved before conclusion of the public comment period. 
The public comment period for this rule permitted review and feedback 
from any member of the public.
    This rule follows the format and includes all sections required in 
OMB guidelines for formal rulemaking. The length of this rule is 
necessary to ensure all affected parties have sufficient information to 
understand and comply with the rule. Federal Register page numbers are 
visible when viewing the PDF version of the rule published Tuesday, 
December 26, 2023 (88 FR 89058; www.govinfo.gov/content/pkg/FR-2023-12-26/pdf/2023-27280.pdf).
    Material published in the Federal Register contains numerous 
sections, including portions that do not amend the CFR. Specifically, 
the preamble for this rule is written in a summary format and is not 
intended to provide the detailed information that is in the regulatory 
text.
    DoD declines to delete reserved sections because the editorial 
standard for orderly codification is that for every (a) there must be 
at least a (b), and for every (1) there must be at least a (2), etc. 
``Reserved'' meets this standard when there is no additional text 
required. The DoD declined to make other administrative changes, 
because the recommendations did not result in a substantive change.
    One commenter correctly identified that the initial 32 CFR part 170 
CMMC Program proposed rule included discussion and analysis of comments 
made against prior publication of a 48 CFR CMMC interim final rule. The 
decision to include that material was made for the public's convenience 
and to facilitate greater understanding of the 32 CFR part 170 CMMC 
Program proposed rule and the CMMC Program. Codification of the CMMC 
Program requires publication of both the 32 CFR part 170 CMMC Program 
final rule and the 48 CFR part 204 CMMC Acquisition final rule. Each of 
those final rules will include a discussion and analysis of public 
comments received during their respective comment periods. The DoD CIO 
worked in conjunction with OUSD(A&S) to ensure that the 32 CFR part 170 
CMMC Program rule and the 48 CFR part 204 CMMC Acquisition rule are in 
sync.
    The preamble is not regulatory text. The preamble includes a 
response to the significant, relevant issues raised in previous public 
comments on the original CMMC program. DoD declines to adopt 
recommendations to move content from the 32 CFR part 170 CMMC Program 
rule to the supplemental documents, which are not codified. As such, 
the supplemental documents are provided for optional use, and the 
regulatory text takes precedence. The CMMC Assessment Process (CAP) 
guidance is a product of the Accreditation Body and is not codified in 
the CFR as part of the CMMC rule, and the regulatory text in part 170 
takes precedence.
    Comments on the CMMC Supplemental Guidance were received as part of 
the public comment period review. Final versions of these documents 
were published with this rule. Other supplemental materials published 
by the Accreditation Body do not convey government direction and 
therefore do not require rulemaking. Supplemental documents (e.g., CMMC 
assessment and scoping guides) are not codified in the CFR as part of 
the regulatory text. To codify CMMC program requirements, content must 
be included in the 32 CFR part 170 CMMC Program rule text. DoD 
developed the CMMC Assessment Guides to provide supplemental 
information to the public offering added clarity on the intent of the 
NIST SP 800-171A Jun2018 and NIST SP 800-172A Mar2022 guides. The CMMC 
Assessment Guides are particularly important for security requirements 
with organization-defined parameters (ODPs) (e.g., CMMC Level 3). There 
is no requirement to use the supplemental guidance documents.
    Office of the Federal Register (OFR) regulations, at 1 CFR part 51, 
govern the IBR process. IBR is only available if the applicable 
regulations are published in the Federal Register and codified in the 
CFR. When incorporated by reference, this material has the force and 
effect of law, as do all regulations published in the Federal Register 
and codified in the CFR. 1 CFR part 51 requires the specification of a 
revision to a standard, for example NIST SP 800-171, Protecting 
Controlled Unclassified Information in Nonfederal Systems and 
Organizations, Revision 2, February 2020 (includes updates as of 
January 28, 2021), which is incorporated by reference in this rule. The 
DoD will determine when to update this rule after documents 
incorporated by reference have been revised. Per OFR guidance, Sec.  
170.4 points to other sections of part 170 where applicable and repeats 
definitions for terms incorporated by reference.
    Contractors complying with CMMC requirements need to be familiar 
with those documents that are incorporated by reference. The definition 
of subcontractor is not incorporated by reference, but rather points to 
a definition codified in 48 CFR 3.502-1, as recommended in OMB 
guidelines for formal rulemaking. DoD has 
determined that the Defense Information Systems Agency's Cloud Security 
Technical Reference Architecture does not meet the criteria for 
approved IBR material. However, the rule has been updated to use a 
different definition for Cloud Service Provider. The requirements of 
NARA's CUI program (32 CFR part 2002) and DoD's implementing policies 
for identifying and managing CUI are beyond the scope of the CMMC rule.
    The CFR is the codification of the Federal Government's rules and 
regulations published in the Federal Register. The CFR was created with 
the passage of the Federal Register Act and amended in 1937 to provide 
a ``codification'' of all regulations at least once a year. The CFR 
reflects the tenet that the Federal Government must follow an open 
public process when rulemaking.
    Due to the broad application of CMMC requirements for DoD 
acquisition support by the defense industrial base, the Department 
determined that codifying the CMMC Program and its associated 
requirements in 32 CFR part 170 CMMC Program rule (for national defense 
and security) was needed in conjunction with the corresponding DFARS 
contractual requirements codified in 48 CFR part 204 CMMC Acquisition 
rule.
    The DoD has no authority to make CMMC a Federal-wide program. The 
notice of the required CMMC level is provided at time of solicitation. 
This does not prohibit contractors from pursuing CMMC assessments prior 
to receipt of a solicitation.
    DoD declines to comment on the reposting of information being 
reported in the media.

32. Administrative Changes to Terms, References and Notations

    Comment: Over 160 comments asked for clarification of terminology 
or the addition, removal, or modification of a definition. Most 
requests focused on Security Protection Data and Assets, Senior 
Officials, Information System, External Service Providers, Cloud 
Service Providers, Managed Support Providers, Internet of Things, CMMC 
Security Requirements, Organization Seeking Assessment, and 
Organization Seeking Certification. Numerous comments recommended the 
following terms could be clarified, expanded, or defined: ``Defense 
Industrial Base'', ``personal information'', ``contractor'', 
``subcontractor'', ``Prime Contractor'', ``equipment'', ``contractor 
information system'', ``Information System'', ``system'', ``Information 
Resource'', ``CMMC Approved Training Materials (CATM)'', ``CMMC 
Certified Instructor (CCI)'', ``Provisional Instructor (PI)'', ``cyber 
incident'', ``Accreditation Body'', ``Assessment Findings Report'', 
``Organizationally-Defined'', ``Organizationally-Defined Parameter 
(ODP)'', ``Periodically'', ``Risk Assessment'', ``Risk Analysis'', 
``Supervisory Control'', ``Data Acquisition'', ``Operationally Critical 
Support'', ``System Security Plan (SSP)'', ``TTP'', ``CMMC'', ``COTS'', 
``NARA'', ``C3PAO'', ``IS'', ``NSS'', ``Technology Asset'', ``Personnel 
Assets'', ``Asset Categories'', ``DIBCAC High'', and ``Enterprise''.
    Response: All requests for changes to terminology definitions, 
references, and usage have been reviewed. In response, many terms were 
updated in Sec.  170.4 Acronyms and definitions. The DoD determined 
those terms that were not changed to be sufficiently defined and 
appropriately referenced, and the requested administrative changes 
would not have resulted in a substantive change.
a. SPA/SPD/Asset
    Comment: Numerous comments asked the DoD to expand on the 
definition, explanation, and guidance for Security Protection Data 
(SPD) and Security Protection Assets (SPA). Several other comments 
requested that the rule and supplemental documents add or expand 
definitions for ``Asset'', including various specific types of assets 
like ``Technology Assets'', ``Personnel Assets'', ``Organizational 
Assets'', and ``Specialized Assets''. Some comments asked to modify the 
definition for ``Security Protection Asset'', ``CUI Asset'', ``FCI 
Asset'', and ``Out-of-Scope Assets''.
    Response: The DoD modified the rule to add a definition for 
``Security Protection Data (SPD).'' The DoD considered the NIST 
definitions for ``System Information'' and ``Security Relevant 
Information'' in the development of the new SPD definition. CMMC does 
not regulate the OSA's SPD, but instead implements existing regulatory 
requirements for the safeguarding of CUI. The DoD does not agree with 
the statement that the ESP definition conflates SPA with CUI assets. 
The definition of Security Protection Assets is consistent with its 
application in the NIST SP 800-171 R2 abstract. The phrase ``FCI Assets 
are part of the Level 1 CMMC Assessment Scope and are assessed against 
all CMMC Level 1 requirements'' was removed from the rule. The DoD 
declined to rephrase the term ``CUI Assets.'' The DoD reviewed the 
recommended edit and declined to make an update to ``Out-of-Scope 
Assets.'' The definition, as written, provides a clear distinction with 
Security Protection Assets (SPAs).
b. Senior Official
    Comment: Several comments asked for additional definition or 
guidance about the Senior Official role.
    Response: The DoD modified the rule to replace all references to 
the ``Senior Official'' with ``Affirming Official'' and provided 
additional clarity on this term. It is beyond the purview of the DoD to 
define technical qualifications for an OSA Affirming Official.
c. ESP/CSP/MSP
    Comment: Some comments asked for additional clarification of the 
terms related to External Service Providers (ESPs) and Cloud Service 
Providers (CSPs). Two comments requested the rule add a definition and 
acronym for ``Managed Service Provider''.
    Response: The DoD received numerous comments about the use of ESPs 
which do not process, store, or transmit CUI. In response to these 
comments, the DoD modified the rule to reduce the assessment burden on 
ESPs. An ESP that utilizes staff augmentation, where the OSA provides 
all processes, technology, and facilities, does not require a CMMC 
assessment. The rule was also updated to add a definition of ``CSP'' 
that is based on the NIST SP 800-145 Sept2011 definition of cloud 
computing. The term ``Managed Service Provider'' is not used in the 
rule; therefore, the acronym was removed from Sec.  170.4.
d. IoT/OT/ICS
    Comment: Several comments recommended DoD clarify the definition of 
IoT, OT, and ICS. Regarding IoT, one comment requested the rule specify 
that the exchange of data and information between devices occurs over 
the internet.
    Response: As specified in the rule, IoT, IIoT, and OT, are 
Specialized Assets, and all requirements associated with Specialized 
Assets apply to any equipment that processes, stores, or transmits CUI 
but is unable to be fully secured. The description of Internet of 
Things (IoT) in the level 2 and level 3 Scoping Guides is consistent 
with the definition of IoT in Sec.  170.4 and is defined in NIST SP 
800-172A Mar2022. Scoping Guide text also provides examples to help 
clarify what types of devices may be IoT. The definition of OT is from 
NIST SP 800-60 V2R1 and the definition of ICS is from NIST 
SP 800-82r3. Requests for revisions to these definitions should be 
addressed to NIST. OSAs determine the asset categories and assessment 
scope based on how and where they will process, store, and transmit FCI 
and CUI. The DoD declined to comment on individual use cases included 
in the comments.
e. Program and Security Requirements
    Comment: Two comments asked for a definition of ``Security 
Requirements'' while another asked for the DoD to define the term 
``CMMC Program requirements'' in the rule. Three comments addressed 
concerns with the CMMC security practices numbering scheme in 
Sec. Sec.  170.14(c)(i). One comment requested clarification on what 
constitutes a ``priority'' program. Another commenter stated the term 
``all applicable CMMC security requirements'' is ambiguous and many 
OSAs will only attest to fulfilling the FAR 52.204-21 or NIST SP 
800-171 R2 security requirements. The commenter felt this could lead to a 
significant disconnect at CMMC Level 2 since Level 2 includes security 
requirements associated with the use of ESPs, as defined in DFARS 
clause 252.204-7012 paragraphs (e.g., para (b)(2)(ii)(D)) and the DoD 
CIO FedRAMP Equivalency memorandum.
    Response: CMMC Program requirements are all the requirements 
codified in the 32 CFR part 170 CMMC Program rule. The term ``CMMC 
Security Requirements'' is defined in Sec.  170.14(c). The CMMC 
supplemental guidance documents add clarity; however, they are not 
authoritative and the rule itself takes precedence. The CMMC numbering 
scheme in the rule is a key element of the model that must pull 
together the independent numbering schemes of FAR clause 52.204-21 (for 
Level 1), NIST SP 800-171 R2 (for Level 2), and NIST SP 800-172 Feb2021 
(for Level 3). For the CMMC Program, the numbering scheme must also 
identify the domain and CMMC Level of each security requirement. The 
term ``priority program'' is not used in the rule; therefore, no 
definition of this term is needed. A commenter incorrectly associated 
CMMC Program requirements as CMMC security requirements. To address 
potential confusion, the rule was updated to define ``CMMC security 
requirements'' as the 15 Level 1 FAR requirements, the 110 NIST SP 
800-171 R2 requirements, and the 24 selected NIST SP 800-172 Feb2021 
requirements.
f. OSA and OSC
    Comment: Several comments requested clarification of the terms OSA 
and OSC. One recommended combining them into a single term.
    Response: The definitions of Organization Seeking Assessment (OSA) 
and Organization Seeking Certification (OSC) are provided in Sec.  
170.4. It is important to note that OSC is a sub-set of OSA.
g. Process, Store, or Transmit
    Comment: Several comments asked about use of the term, ``Process, 
store or transmit''. One asked about its application to a turnkey cloud 
based CMMC solution and whether the intent was to consider ``access'' a 
subset of ``process''. Another recommended using the term ``Handle'' in 
lieu of this term and noted that this would also require amendments to 
DFARS clause 252.204-7012. Another comment recommended rephrasing the 
definition to provide clarity while another asked that the definition 
of ``Process, store, or transmit'' (Sec.  170.4(b)) explicitly include 
residence of data in memory, which has not previously been identified 
in this context and could raise interpretation issues.
    Response: The phrase ``process, store, or transmit'' is more 
specific than the term ``handle'' and is consistent with DoD contract 
requirements for Non-Federal Information systems as specified in DFARS 
clause 252.204-7012. The DoD intended ``Access'' to be included in the 
``Process, store, or transmit'' definition as written in Sec.  170.4(b). 
An organization offering a turnkey cloud based CMMC solution would be 
considered an ESP by this rule, and the rule was updated to address 
assessment and certification requirements of ESPs. The rule definitions 
are provided for additional clarity of the terms included in the rule 
and does not nor cannot include every potential instance of the term's 
application to a contractor's information systems.
h. Clarification of Definitions for FCI and CUI
    Comment: Three comments requested clarification of and noted 
inconsistency between the terms ``FCI'' and ``CUI''. One perceived 
``[FCI]'' and ``[CUI]'' as new acronyms and asked why this rule 
includes them. One comment noted the inconsistent use of the terms 
``CUI and FCI'' and ``sensitive unclassified information'' and 
recommended selecting one term for use throughout the rule. Another 
comment requested definitions for CMMC be distinguished with formatting 
or another notation.
    Response: FCI is defined in FAR clause 52.204-21. The definition of 
CUI and general requirements for its safeguarding are included in 32 
CFR 2002.4 and 2002.14, respectively. CUI is not a new acronym. The 
notation ``[FCI]'' is identified in table 2 to Sec.  170.15(c)(1)(ii) 
to reflect its alignment to the requirements of FAR clause 52.204-21 
for basic safeguarding of information. Similarly, ``[CUI]'' has been 
added to reflect the use of those requirements for CMMC Level 2, which 
is designed to protect CUI, not FCI. The DoD amended the rule such that 
``sensitive unclassified information'' will consistently be replaced 
with ``FCI and/or CUI'' as appropriate.
i. Use of Terms Information and Data
    Comment: One comment noted the terms ``data'', ``technical data'', 
and ``information'' are used synonymously throughout the rule and 
supplemental documents. They also noted that neither NARA's CUI 
Registry nor the NIST SP 800-171 R2 define the word ``information'' and 
asserted this was a major oversight by NARA ISOO, the CUI Program 
Executive Agent. The commenter requested this rule adopt the term 
``Information'' throughout the rule and only use ``data'' when 
specifically intended based on its definition. Another commenter 
requested the term ``Technical Data'' be replaced with the term 
``Information''.
    Response: As a commenter stated, both the CUI program and NIST use 
the term ``information''. Suggestions that the DoD work with NARA or 
NIST to define this term are outside the scope of this rule. Within 
this rule, data generally refers to individual facts, such as those 
submitted to eMASS or SPRS; however, data and information may be used 
interchangeably. DoD declined to make requested administrative edits 
because they would not result in a substantive change.
j. Source Materials Incorporated by Reference
    Comment: Four comments asked for clarification of those documents 
incorporated by reference, or the specific versions of documents 
referenced in the rule.
    Response: The DoD declined to incorporate by reference the 
Department's role as data owner. NIST SP 800-53 R5 was incorporated by 
reference only for use with applicable definitions because it provided 
the latest definitions available.
    The OSA is responsible for determining its CMMC Assessment Scope 
and its relationship to security domains. Assets are out-of-scope when 
they are physically or logically separated from the assessment scope. 
Contractor Risk Managed Assets are only applicable within the OSA's 
assessment scope. Table 3 to Sec.  170.19(c)(1) is used to identify the 
asset categories within the assessment scope and the associated 
requirements for each asset category. Contractors' risk-based security 
policies, procedures, and practices are not used to define the scope of 
the assessment; they are descriptive of the types of documents an 
assessor will use to meet the CMMC assessment requirements.
    To ensure the source of every definition is accounted for, the 
terms in Sec.  170.4 either cite a reference or are designated as 
CMMC-custom using the notation ``(CMMC-custom term).'' The rule has 
been updated to eliminate the CNSS Glossary definitions and replace 
them with the appropriate NIST definitions.
k. Miscellaneous Other Terms, References and Notations
    Comment: Three comments asked about references to the DoD Manual 
8570, ``Information Assurance Workforce Improvement Program,'' and one 
asked if the references should be replaced by the newer DoD Manual 
8140.
    One commenter suggested DoD add an enhanced definition of 
``Security Domain'' to the glossary.
    One questioned use of the CNSSI-4009 Glossary instead of the NIST 
Glossary of Terms. One comment requested a change to text quoted from 
another source. One commenter asserted that the rule includes no 
reference to ``existing FAR, DFARS, or DoD authoritative sources'' and 
recommended that they be added instead of referencing NIST publications 
only.
    One comment asked if it is necessary to read and understand all 
FIPS, NIST SP 800, CNSSI, and ISO/IEC documents incorporated by 
reference in Sec.  170.2. One comment requested the references for 
CMMC Assessment Guides in Appendix A be changed to NIST SP 800-171A 
Jun2018 and NIST SP 800-172A Mar2022. Two comments noted version 
numbers are not always provided for two specific document sources. 
Another comment requested references for supporting information, 
resources, and training for the DIB.
    A commenter asked if the term ``Government Information Systems'' 
was equivalent to the term ``Federal Information Systems'' while 
another expressed that the term ``CMMC Level 2 Final Certification 
Assessment'' was confusing given that ``Assessment'' and 
``Certification'' are two separate and distinct terms. Another comment 
noted that the Summary Information section states there is a difference 
between a POA and a POA&M but recommended both terms be defined for 
clarity.
    One comment stated the ``CMMC Certified Assessor (CCA)'' definition 
and acronym are not used consistently in the rule and the current CMMC 
AB's website. Another comment noted that the term, ``related 
practitioners'' under the definition of CAICO in Sec.  170.4 could be 
confused with the term ``Registered Practitioners (RP)'' used by the 
CMMC AB as their designation for consultants.
    One comment stated that the DoD must be deliberate in its use of 
certain terms, especially the words ``must'' and ``shall'', which 
connote legal requirements, versus words like ``will'', ``expected'', 
``can'', ``may'', ``should'', etc., which are permissive (i.e., 
optional).
    One commenter noted the word ``practice'' was replaced multiple 
times based on a comparison of pre-publication drafts with the formal 
drafts that were published for public comment.
    Another comment asserted that the DoD is falsely describing the 
CMMC program as addressing ``basic'' cybersecurity requirements when 
this is the most demanding cybersecurity standard ever produced.
    One commenter objected to the CMMC Level 1, 2, and 3 Assessment 
definitions in Sec.  170.4 referring to the content of corresponding 
rule sections and suggested that the definitions be deleted from Sec.  
170.4 unless they can be succinctly defined without doing so.
    Response: The rule has been updated to reference DoD Manual 8140 
``Cyberspace Workforce Qualification and Management Program'' which 
replaced DoD Manual 8570, ``Information Assurance Workforce Improvement 
Program.'' DOD Manual 8140.03 is available at: https://dodcio.defense.gov/Portals/0/Documents/Library/DoDM-8140-03.pdf.
    No changes were made to quotations from sources outside the rule. A 
definition cited from a source must exactly match the source, it cannot 
be altered. To address a commenter's misperception that the rule does 
not reference ``existing FAR/DFARS, or other DoD authoritative 
sources,'' it should be noted that the CMMC proposed rule includes 54 
mentions each of FAR clause 52.204-21 and DFARS clause 252.204-7012. 
The DFARS clause 252.204-7012 is added to DoD contracts to implement 
the requirements of NIST SP 800-171, which is the authoritative 
reference for adequate safeguarding of CUI.
    Contractors complying with CMMC need to be familiar with those 
documents that are incorporated by reference, which address 
requirement-related topics. NIST SP 800-53 R5 is incorporated by 
reference only for applicable definitions because DoD chose to use the 
latest definitions available. The purpose of a reference listed in 
Sec.  170.2 should be interpreted based on the context in which it is 
used. For example, the references provided in Sec.  170.4 specify the 
source of the definition. The references for the CMMC Assessments 
Guides listed in Appendix A have been updated. These guides are largely 
derived from NIST SP 800-171 R2, NIST SP 800-171A Jun2018, NIST SP 800-
172 Feb2021, and NIST SP 800-172A Mar2022.
    The DoD has updated Sec.  170.3 to align with the FAR terminology 
and now reflects ``Federal Information System'' instead of ``Government 
Information System''.
    The DoD updated the rule to reference the latest version of ``Cloud 
Security Technical Reference Architecture'' and, where appropriate, to 
identify a revision number for NIST SP 800-171. Specific details of 
cybersecurity-related resources and training developed to support the 
DIB are outside the scope of this rule. As it becomes available, 
supporting resources and training information will be disseminated. 
Currently, multiple public resources are available to help educate 
companies on NIST and CMMC requirements.
    The DoD declined to respond to comments based on comparison of pre-
publication draft versions of the supplemental guidance documents.
    A commenter's claim that DoD views the CMMC program as only 
addressing ``basic cybersecurity'' is incorrect. Throughout the rule, 
references to ``basic safeguarding'' mean the requirements of CMMC 
Level 1, which align directly to the requirements of FAR clause 52.204-
21. That FAR clause is titled ``Basic Safeguarding of Covered 
Contractor Information Systems''. Similarly, the CMMC program 
establishes a CMMC Level 3 requirement to comply with a subset of 
requirements from NIST SP 800-172 Feb2021, titled, ``Enhanced Security 
Requirements for Protecting Controlled Unclassified Information.''
    Section 170.4 includes acronyms and definitions used in the rule 
text. Terms from other authoritative sources are listed in Sec.  170.4 
and are properly sourced. 1 CFR part 51 governs drafting of this rule.
    The DoD updated the rule throughout to reflect new terminology 
better differentiating between the activity of undergoing an 
assessment and the CMMC Status that may result from that 
activity. An OSA undergoes one of the following: Level 1 self-
assessment; Level 2 self-assessment; Level 2 certification assessment; 
or Level 3 certification assessment. The result of that assessment 
activity is either failure to meet minimum requirements or one of the 
following CMMC Statuses: Final Level 1 (Self); Conditional Level 2 
(Self); Final Level 2 (Self); Conditional Level 2 (C3PAO); Final Level 
2 (C3PAO); Conditional Level 3 (DIBCAC); or Final Level 3 (DIBCAC).
    The official DoD acronym for CCA is ``CMMC Certified Assessor,'' as 
addressed in Sec.  170.4. All CMMC terms and definitions provided in 
this 32 CFR part 170 CMMC Program rule are codified and therefore take 
precedence over definitions and acronym usage from the CMMC website or 
other sources.
    To avoid confusion in the ecosystem with the term ``practitioner'', 
the DoD modified the definition in Sec.  170.4 to replace the word 
``practitioners'' with ``professionals.''
    While ``must'' is a more commonly used term than ``shall'', both 
terms impose a requirement as defined in FAR 2.101 Definitions.

33. Rule Text Modifications

a. Changes to the Preamble
    Comment: One commenter recommended that the supplemental Assessment 
Guides be consolidated with and cross referenced to requirements for 
the CMMC Levels in the same document. Eighty-three comments requested 
changes to the preamble section of the rule text. Of those, 17 were 
incorporated and are summarized below.
    Writing Style: Multiple commenters wanted shorter, simpler, and 
more focused wording starting with changes to the first sentence in the 
Summary section.
    Word Choices: In the ``CMMC 2.0 Overview as Proposed by this Rule'' 
section several comments objected to the description of FAR clause 
52.204-21 requirements as ``elementary'' or ``basic''. One comment 
asserted that ``may'' is not the correct verb for ``Defense contracts . 
. . may include applicable requirements . . . ,''. One comment 
suggested the preamble sentence ``Once CMMC is implemented, the 
required CMMC level for contractors will be specified in the 
solicitation,'' be revised to use wording that is more consistent with 
other parts of the preamble and rule text. One commenter proposed edits 
to remove passive voice from a sentence in the preamble description of 
Key Changes Incorporated in the Revised CMMC Program. One commenter 
requested a change to reference the relevant DFARS clause 252.204-7012, 
rather than the DFARS subpart 204.73.
    Clarifications: Two comments asserted that the description of the 
affirmations requirement could be misinterpreted as suggesting that 
primes and subcontractors all submit a single affirmation or that one 
contractor must affirm another's continuing compliance. One comment 
requested clarification about FedRAMP requirements for Cloud Service 
Providers. Some comments asked whether POA&Ms must be documented in the 
System Security Plan. One comment recommended punctuation and 
grammatical edits and asked for clarification of rule text that 
discusses the impact of not logically or physically separating 
contractor-owned information systems that process, store, or transmit 
FCI (or CUI) from those that do not.
    Response: This rule follows the format and includes all sections 
required in OMB guidelines for formal rulemaking. The DoD lacks 
authority to modify the template or omit required sections, as 
requested by some commenters. In addition, one commenter recommended 
that the supplemental Assessment Guides be consolidated with and cross 
referenced to requirements for the CMMC Levels in the same document. 
The DoD interpreted this recommendation as a request to integrate all 
information in the supplemental guidance into the rule text, which does 
not align with rulemaking guidelines (1 CFR part 51). No changes were 
made to consolidate or integrate the supplemental guidance documents, 
which are not codified and are provided as optional resources to assist 
OSAs. The regulatory content in the 32 CFR part 170 CMMC Program rule 
takes precedence.
    Some commenters criticized the preamble summary paragraph, and one 
submitted a preferred rewrite that oversimplified the content so far as 
to alter the intended meaning. For that reason, the specific revisions 
were not incorporated. However, the DoD has revised the final rule to 
begin with a simplified statement of its purpose, as follows: ``With 
this final rule, DoD establishes a scalable way to verify, through 
assessment, that contractors have implemented required security 
measures necessary to safeguard DoD's Federal Contract Information 
(FCI) and Controlled Unclassified Information (CUI)''.
    The DoD strove to streamline the writing style. Note that the 
preamble is not part of the regulatory text; however, it is a required 
part of the rulemaking template. The DoD made the following changes to 
the preamble based on requests for text modifications.
    The preamble is updated to change the verb ``will'' to ``should'', 
where appropriate. The preamble and regulatory text have been updated 
to clarify that a Plan of Action need not be part of the System 
Security Plan. The sentence in the preamble overview about FAR clause 
52.204-21 requirements has been rewritten to describe them as ``the 
minimum necessary'' to receive FCI, rather than describing them as 
``elementary'' for ``basic'' cybersecurity. Note that the title of 
FAR clause 52.204-21 is Basic Safeguarding Requirements.
    A preamble overview paragraph about Affirming Officials is revised 
to clarify that CMMC affirmations shall be submitted by the OSA and 
apply only to the information systems of that organization. DoD's use 
of the term OSA within the affirmations section is deliberate and 
conveys that each organization is responsible for affirmations 
pertaining to their own assessments. A preamble overview paragraph 
about Cloud Service Providers has been aligned to DFARS clause 
252.204-7012 language and specifies that defense contractors must 
confirm that any CSPs they use to handle CUI meet FedRAMP Moderate 
Baseline standards. Wording in the preamble overview of the rule has 
been edited 
from ``may include'' to ``require'', to clarify a statement about when 
DFARS clause 252.204-7012 applies. One sentence in the preamble about 
the regulatory impact of CMMC Requirements has been edited into two 
sentences to make clear that solicitations identify CMMC contract 
requirements, rather than ``for contractors'', and that only 
contractors handling FCI or CUI must meet the specified CMMC 
requirements.
    The DoD has incorporated a suggested re-wording to simplify the 
description of CMMC Level 2 assessments in the preamble paragraph 
describing Key Changes Incorporated in the Revised CMMC Program.
b. Changes to the Regulatory Text
    Comment: Of the 52 comments that requested changes to the 
regulatory text (Sec. Sec.  170.1 through 170.24), the nine which DoD 
incorporated are summarized below.
    Word choices: In Sec.  170.1(b), two comments posited that the word 
``enhance'' is inaccurate in the phrase ``The CMMC Program is designed 
to enhance protection of FCI and CUI . . 
.''. In Sec.  170.9(a) one comment noted that C3PAOs do not ``grant'' 
assessments, they ``conduct'' them. Another asked why, in table 3 to 
Sec.  170.19(c)(1), the CUI Asset category needs to be assessed against 
``CMMC security requirements'' but in table 5 to Sec.  170.19(d)(1), 
the same category is assessed against ``all CMMC security 
requirements.'' For Sec.  170.4(b), one comment requested appending 
``and to the DoD'' to the definition of Assessment Findings Report.
    Paragraph Organization: For Applicability, a comment recommended 
changing the order of paragraphs in Sec.  170.3 and other text changes 
to improve clarity.
    Reference: One comment noted that the Sec.  170.6(b) phrase ``as 
provided for under DFARS clauses 252.204-7012 and 7020 . . .'' is in 
error because the section describes CMMC PMO responsibilities and only 
DFARS clause 252.204-7020 references DIBCAC assessments of OSAs.
    Redundancy: One comment asserted that Sec.  170.9(b)(9) and Sec.  
170.9(b)(20) are redundant as both describe that assessment appeals and 
results are entered into eMASS.
    Consistency: One comment pointed out an inconsistency between the 
text in Sec.  170.18(c)(1)(i) and the Scoping Guide related to whether 
a CMMC Level 3 Assessment Scope must be the same as, or may be a subset 
of, the Assessment Scope of the prerequisite CMMC Level 2 
certification.
    Clarifications: One comment asked whether the stipulation that CCIs 
must not disclose CMMC data or metrics applies to all data or only 
``non-public'' data.
    Consistency: One commenter asked for clarification regarding 
templates and formats required for information uploaded into the CMMC 
instantiation of eMASS.
    Response: The DoD has incorporated a request to delete the word 
``enhance'' from Sec.  170.1(b), and the purpose of the CMMC Program 
now reads that the CMMC Program is designed as a compliance assessment 
to assist in DoD's enforcement of information safeguarding 
requirements. Lower level paragraphs in Sec.  170.3 have been reordered 
for added clarity.
    The words ``and to the DoD via CMMC eMASS'' have been added to the 
end of the Assessment Findings Report definition in Sec.  170.4(b). In 
addition, Sec.  170.9(b)(17) has been rephrased to stipulate that all 
assessment data and information uploaded into the CMMC instantiation of 
eMASS must be compliant with the data standard provided in the eMASS 
CMMC Assessment Import Templates available on the CMMC eMASS website.
    The DoD replaced the word ``granting'' with the word ``conducting'' 
in the description of C3PAO assessments in Sec.  170.9(a). Sections 
170.9(b)(9) and (b)(20) have been modified to eliminate redundancy 
between the two paragraphs; however, the DoD did not concur that 
Sec. Sec.  170.9(b)(17) and (18) are redundant and made no change.
    Section 170.18(c)(1)(i) was revised to clarify that the CMMC 
Assessment Scope for Level 3 must be equal to or a subset of the CMMC 
Assessment Scope for the Level 2 certification assessment of the system 
in question. Section 170.19 was revised to clarify that, for CMMC Level 
2, OSAs will be assessed against all Level 2 requirements. For CMMC 
Level 3, OSAs will be assessed against all Level 2 and Level 3 
requirements.
    Section 170.1 has been revised to correct punctuation and improve 
grammar. The section now conveys more clearly that the CMMC Program is 
designed as a compliance assessment to assist in DoD's enforcement of 
information safeguarding requirements. No changes were made regarding 
use of ``not logically or physically isolated from all such CUI 
systems''. Specifying a CMMC Assessment Scope is a necessary 
preparatory step for a CMMC assessment. Assessment requirements are 
specified in Sec.  170.19. At Levels 2 and 3, logical or physical 
isolation is the primary mechanism used to separate in-scope from out-
of-scope assets. CRMA and Specialized Asset categories only apply to 
assets that are within the Assessment Scope or boundary.
    Sec.  170.6(b) has been revised to reference DFARS clause 
252.204-7020 rather than DFARS clause 252.204-7012. In addition, Sec.  
170.5 was revised to reference DFARS clause 252.204-7012, rather than 
DFARS 204.73, for consistency and clarity.
    The title of Sec.  170.16(c)(1) has been updated to specify self-
assessment of the OSA. DoD declined to make other administrative 
changes because they would not result in a substantive change.
    Sec.  170.12(b)(8) has been revised to clarify that CCIs must not 
disclose CMMC data or metrics that are PPI, FCI, or CUI without prior 
coordination with and approval from DoD.
c. Changes Recommended but Not Incorporated
    Comment: Many comments addressed non-substantive administrative 
changes or writing style and were not incorporated. Many comments 
requested substantive changes that were not incorporated, and which are 
described more fully in the response below.
    Response: Thirty-eight other recommendations were not 
incorporated because they did not result in substantive changes. The 
DoD declines to delete references or convert narrative text 
explanations into tables, bullets, or other truncated formats because 
the intent is to facilitate reader understanding of complex 
requirements. Other recommended administrative changes which did not 
result in a substantive change were also not incorporated.
    Other changes were not incorporated because the revisions would 
result in unintended or inaccurate meaning of the text. The following 
explanation is provided for those unincorporated but substantive 
recommendations.
    The DoD did not change content in the Discussion of Public Comments 
section that addressed responses to the original 48 CFR CMMC interim 
final rule, because intervening rule changes made in response to public 
comments received about the more recent proposed rule(s) supersede text 
of the earlier rule.
    Section 170.3(a)(1) applies to contract awardees. While the rule 
may impact External Service Providers and Cloud Service providers, the 
rule is not directly applicable to them. CMMC requirements apply at the 
time of contract award and thereafter.
    DoD declined to change the program name as it is well known in the 
community, and the tiered approach to the model still embodies a 
concept of cybersecurity maturity. OSA responsibilities for complying 
with CMMC are provided throughout the rule and do not need to be 
repeated.
    CMMC is a program that validates implementation via assessment; the 
rule does not prescribe how to implement.
    In the first sentence of the Summary, this rule describes that the 
CMMC assessment mechanism will cover both existing security 
requirements for CUI, and new security requirements for certain 
programs. No additional reference is necessary in the introductory 
summary because the specific NIST reference documents are mentioned 
shortly after the summary and throughout the rule text.
    DoD declined to revise Sec.  170.2 to use the word ``competent'' 
because ``competence'' is the word included in the referenced ISO/IEC 
17011:2017(E) Abstract.
    The rule retains requirements to provide all documentation and 
records in English because it is necessary for adequate program 
management and specifying this requirement is required to ensure 
clarity of interpretation.
    The DoD has reviewed Sec.  170.17(c)(2)(ii) and does not agree that 
a noun is missing. The lead-in paragraph provides the noun, and it is 
not necessary to repeat the phrase. The DoD disagrees that portions of 
Sec.  170.18(c)(1) are redundant and therefore did not delete the 
lower-level paragraphs; however, revisions were made to clarify that a 
Level 2 certification assessment is needed prior to a Level 3 
certification assessment.
    Recommended edits to Sec.  170.24(9) that would change the meaning 
were not accepted. During the assessment process, the Lead Assessor/
Assessor must view any prior DoD CIO adjudication of proposed variances 
to security requirements in the system security plan to ensure correct 
implementation and render a determination of MET if there have been no 
changes in the environment.
    The DoD did not modify Sec.  170.10 to permit CCAs, CCPs, and CCIs 
to retrain ``or'' recertify, instead of both, upon significant change 
to DoD's CMMC Program requirements under this rule. The DoD disagreed 
with one commenter's assertion that the summary within the preamble to 
the rule implies CMMC assessments address all DFARS clause 252.204-7012 
requirements, therefore no edits were necessary. The rule indicates 
that the applicable CMMC Level 2 security requirements are those in 
NIST SP 800-171 R2 as implemented in DFARS clause 252.204-7012.
    Revisions suggesting that all objectives identified in NIST SP 800-
171A Jun2018 need not be met are not accurate and not incorporated. 
Each assessment objective in NIST SP 800-171A Jun2018 must yield a 
finding of MET or NOT APPLICABLE for the overall security requirement 
to be scored as MET. Assessors exercise judgment in determining when 
sufficient and adequate evidence has been presented to make an 
assessment finding. This is consistent with current DIBCAC High 
Assessments and assessments conducted under the Joint Surveillance 
Voluntary Assessment Program (JSVAP). A security requirement can be 
applicable, even with assessment objectives that are N/A. The security 
requirement is NOT MET when one or more applicable assessment 
objectives is NOT MET.
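The roll-up rule stated above (every applicable objective MET or N/A for the requirement to score MET; any NOT MET objective makes the requirement NOT MET) is simple enough to encode, and doing so makes the edge case explicit. The following is an added example written for this page, not part of the rule or of any DoD tool; the objective findings are constructed, and the decision to report a requirement whose objectives are all N/A as NOT APPLICABLE is an assumption the rule text does not state.

```python
"""Roll NIST SP 800-171A assessment objective findings up to a
requirement-level finding, following the scoring rule described in the
CMMC Program rule. Added example; sample findings are constructed."""
from enum import Enum


class Finding(str, Enum):
    MET = "MET"
    NOT_MET = "NOT MET"
    NA = "NOT APPLICABLE"


def score_requirement(objectives: dict[str, Finding]) -> Finding:
    """Return the requirement-level finding for a set of objective findings.

    Rule text: the requirement is NOT MET when one or more applicable
    objectives is NOT MET; it is MET when every objective is MET or N/A,
    so a requirement stays applicable even if some objectives are N/A.
    Assumption (not stated in the rule): when every objective is N/A the
    requirement itself is reported as NOT APPLICABLE.
    """
    if not objectives:
        raise ValueError("a requirement needs at least one assessment objective")
    findings = set(objectives.values())
    if Finding.NOT_MET in findings:
        return Finding.NOT_MET
    if findings == {Finding.NA}:
        return Finding.NA
    return Finding.MET


def score_assessment(requirements: dict[str, dict[str, Finding]]):
    """Score every requirement and list those that would need a POA&M.

    Returns (per-requirement findings, sorted IDs of NOT MET requirements).
    """
    results = {rid: score_requirement(objs) for rid, objs in requirements.items()}
    not_met = sorted(rid for rid, f in results.items() if f is Finding.NOT_MET)
    return results, not_met


# Constructed sample: identifiers follow the 800-171A pattern of lettered
# objectives under a numbered requirement; the findings are invented.
SAMPLE = {
    "3.1.1": {"a": Finding.MET, "b": Finding.MET, "c": Finding.NA, "d": Finding.MET},
    "3.1.2": {"a": Finding.MET, "b": Finding.NOT_MET},
    "3.1.3": {"a": Finding.NA, "b": Finding.NA},
}

if __name__ == "__main__":
    results, not_met = score_assessment(SAMPLE)
    for rid, finding in results.items():
        print(f"{rid}: {finding.value}")
    print("POA&M candidates:", not_met)
```

In the sample, 3.1.1 scores MET despite an N/A objective, 3.1.2 scores NOT MET because a single objective is NOT MET, and 3.1.3 falls under the stated assumption. An assessor's judgment about sufficiency of evidence happens before this step, when each objective finding is recorded; the roll-up itself is mechanical.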
    Recommendations to address specific contractual matters were not 
addressed, because this is a 32 CFR part 170 CMMC Program rule and not 
an acquisition regulation. Any comments related to contract 
requirements should be provided in response to the 48 CFR part 204 CMMC 
Acquisition rule.
    The CMMC rule does not specify the number of POA&Ms that may be 
used to address one or more CMMC security requirements that were NOT 
MET during a CMMC assessment. The OSA may choose to use a single POA&M 
or multiple POA&Ms.
    No edits were made to reference CCAs in Sec.  170.7, which covers 
responsibilities for only the DIBCAC, and not CCAs. Sec.  170.11 covers 
responsibilities for CCAs. DoD declined to add verbiage to address the 
potential revision or cancellation of an ISO/IEC standard because Sec.  
170.8 adequately reflects that the Accreditation Body shall achieve 
full compliance with revised ISO/IEC 17011:2017(E) standards. Standards 
are not effective until published as final.
    The DoD declined to adopt one commenter's suggestion to submit all 
appeals investigation materials with the final decision into eMASS, 
however, an updated assessment result, if any, will be input into 
eMASS. In addition, C3PAOs are required to retain assessment artifacts 
for 6 years.
    DoD did not agree with one commenter's assertion that the preamble 
description of the CMMC Program is incomplete or inaccurate, or that 
the rule makes implicit changes to DFARS clause 252.204-7010 reporting 
requirements for activities subject to the U.S.-International Atomic 
Energy Agency Additional Protocol. The referenced paragraph, which 
appears both in the preamble background section and in an overview 
paragraph of the supplemental documents, accurately portrays the CMMC 
Program as a compliance assessment model to assist in DoD's enforcement 
of FCI and CUI safeguarding requirements. No change has been made in 
either location.
    The DoD also declines to specify in the rule the DoD offices that 
review Tier 3 background investigations or equivalency determinations. 
No language related to Cloud Service Offerings (CSO) was added in Sec.  
170.19 column two. Assets that process, store, or transmit CUI are 
handled the same way regardless of whether they are from a CSO or 
otherwise. Therefore, there is no need to call out CSOs in the table.
    The DoD minimized use of the passive voice to an extent in this 
final rule; however, in some places the passive voice is used to 
emphasize the action occurring rather than the individual or entity 
performing the action.
    There is no version number in the title of the CMMC Program. Terms 
such as versions 1.0 or 2.0 have previously been used in DoD's public 
engagements as a colloquial way to communicate differences in content 
as the program has evolved. This final rule codifies the program and 
does include changes from the proposed rule. Only those public comments 
received during the 60-day comment period following the December 26, 
2023 publication (88 FR 89058) are addressed in this final rule.

34. Error Corrections

    Comment: Numerous administrative comments were received that 
addressed formatting, grammar, punctuation, and typographical errors as 
well as word usage and acronym errors. Wording discrepancies, 
redundancies, and inaccuracies were also reported by multiple comments.
    Several comments identified inconsistencies between FedRAMP 
equivalency as stated in Sec.  170.16(c)(2)(ii) and as described in the 
DOD CIO's December 21, 2023, Federal Risk and Authorization Management 
Program Moderate Equivalency for Cloud Service Provider's Cloud Service 
Offerings memorandum. One comment requested moving the phrase ``in 
accordance with all applicable policies, procedures, and requirements'' 
in Sec.  170.5(d) to an earlier part of the sentence to be 
grammatically correct.
    One comment noted that DFARS provision 252.204-7019 does not 
stipulate assessments must be a ``self-assessment'' as stated in the 
CMMC 2.0 Overview as Proposed by this Rule section. Also in the same 
section, one comment indicated the SSP description should not direct 
the user to explain how each requirement is implemented, monitored, and 
enforced.
    One comment asked if the reference to NIST SP 800-171A refers to 
the current version or if a version number should be specified. Three 
comments indicated issues using embedded links to websites. One comment 
noted that ``inspection activities'' should be changed to ``assessment 
activities'' in 170.9(b)(10). One comment asserted that in 170.17(a)(1) 
the word ``obtaining'' should be deleted in the phrase ``. . . the OSC 
must achieve either CMMC Level 2 Conditional Certification or Final 
Certification through obtaining a CMMC Level 2 Certification Assessment 
. . .''
    Response:
Typographical, Grammatical, and Punctuation Errors, and Formatting
    DoD reviewed all reported grammatical, punctuation, typographical, 
and acronym-related errors, and the preamble, RIA, and rule have been 
updated to address all confirmed errors. Additionally, the formatting 
errors in the CMMC Level 2 Asset Categories and Associated Requirements 
row of table 1 of Sec.  170.19(c)(1) have been corrected. The final rule 
has been revised to correct document titles as needed.
    A commenter provided feedback on the PRA and identified incorrect 
markings in information collection samples. DoD will work with DISA to 
ensure the final versions of the eMASS templates contain the proper 
markings. An OSA's CMMC certification assessment results will be 
ingested into DoD's CMMC instance using the eMASS CMMC Assessment 
Import Templates published at https://cmmc.emass.apps.mil. The 
requirements for C3PAOs and DCMA DIBCAC, and what is submitted into CMMC 
eMASS, are described in Sec. Sec.  170.7, 170.9, 170.17(a)(1)(i), 
170.18(a)(1)(i), and 170.19. The documents accompanying the PRA were 
intended to serve as samples. The same comment also assumed that 
commercial privileged information ``is not CUI because it is incidental 
to the performance of the contract.'' That assumption confuses CDI with 
CUI and is incorrect: commercial privileged information is not excluded 
from CUI because it is incidental to the performance of the contract.
Word Usage
    Incorrect uses of ``tri-annually'' have been corrected. Where 
appropriate the wording has been changed to ``every three years'' for 
clarity. In the preamble to the rule, the statement ``. . . and 
triennial affirmation . . .'' has been corrected to indicate that 
affirmations are an ``annual'' requirement. DoD has also updated the 
preamble to the rule to use the correct certification assessment 
terminology.
    The link on the Federal Register website has been corrected and now 
resolves to the website indicated.
Incorrect or Incomplete References
    Several incorrect or incomplete references have also been 
corrected. Sec.  170.9(b)(1) has been corrected to refer to the 
authorization in Sec.  170.8(a). One comment asserted that there is no 
section (c) associated with the reference ``Sec.  170.17(a)(1) and 
(c)'' which is in Sec.  170.9(b)(6). The section ``Sec.  170.17(c) 
Procedures'' does exist and addresses the procedures associated with a 
CMMC Level 2 Certification Assessment. Section 170.17(a)(1) addresses 
the Level 2 Certification Assessment requirements for an OSC. The rule 
has been updated in Sec.  170.9(b)(6) for clarity.
    Commenters accurately noted that Sec.  170.17(a)(1) should refer to 
the Level 2 requirements in Sec.  170.14(c)(3), and this has been 
corrected. The reference in Sec.  170.18(c)(5)(ii) has been updated to 
say, ``that maps to the NIST SP 800-171 R2 and a subset of the NIST SP 
800-172 Feb2021 requirements''. The rule is updated to replace the 
instruction ``(insert references L1-3)'' with ``Sec.  170.19 CMMC 
scoping.''
Wording Discrepancies, Redundancies, and Inaccuracies
    To address a discrepancy between the rule and scoping guidance, the 
Level 2 Scoping Guide has been updated for clarity and alignment with 
Sec.  170.16(a) which states that meeting the CMMC Level 2 Self-
Assessment requirements also satisfies the CMMC Level 1 Self-Assessment 
requirements for the same CMMC Assessment Scope. Additionally, the 
preamble to this rule has been updated to clarify that not all 
affirmations will occur prior to contract award because POA&M closeout 
affirmations may occur after contract award.
    To address a discrepancy about Level 1 scoring, in Sec.  170.24 the 
phrase ``; therefore, no score is calculated, and no scoring 
methodology is needed,'' has been deleted.
    The regulatory text was updated to require FedRAMP moderate or 
FedRAMP moderate equivalency in accordance with DoD Policy. CMMC 
Program Requirements make no change to existing policies for 
information security requirements implemented by DoD. The preamble was 
modified to indicate DFARS provision 252.204-7019 requires an 
assessment (basic, medium, or high) and not just a self-assessment 
(basic).
    The data input at Sec.  170.17(a)(1)(i)(F) for CMMC eMASS is 
redundant so it has been removed. In the preamble, the DoD has also 
removed the inaccurate phrase, ``certified by DoD'', from the statement 
``Under CMMC, compliance will be checked by independent third-party 
assessors certified by DoD.''
    DoD has updated language in Sec.  170.18(a)(1)(i)(B) to reflect for 
each DCMA DIBCAC Assessor conducting the assessment, ``name and 
government organization information'' will be required for the CMMC 
instantiation of eMASS.
    The DoD has considered the recommendation to change the description 
of what an SSP should contain and declines to revise the rule text. The 
NIST SP 800-171 R2 requirement states that an SSP must describe ``. . . 
how security requirements are implemented . . .'' which is equivalent 
to going ``. . . through each NIST SP 800-171 security requirement and 
explain how the requirement is implemented, monitored, and enforced.''
Perceived Errors
    DoD declines to make the edit to change ``shall'' to ``will'' in 
Sec.  170.9(b). The existing language is consistent with standard 
rulemaking usage. The title for NIST SP 800-171A Jun2018 is the current 
title used by NIST and does not have a version number, so no change was 
needed. While not used in the rule text, the term enterprise is used in 
the description of the CMMC Program in the preamble's Statement of Need 
for This Rule section: defense contractors can achieve a specific CMMC 
Level for their entire enterprise network or an enclave(s), depending 
upon where the information to be protected is processed, stored, or 
transmitted; therefore, enterprise remains in the definitions list.
    DoD verified links by clicking on them in the PDF and by copying 
and pasting the links into a web browser. In both cases links resolved 
correctly.
    The DoD has changed ``all personnel involved in inspection 
activities'' to ``all personnel involved in assessment activities'' in 
Sec.  170.9(b)(9).
    A comment asserted that there was a rulemaking formatting error in 
Sec.  170.4(b). DoD is following the Office of the Federal Register 
standards for this section. In sections or paragraphs containing only 
definitions, paragraph designations are not used, and the terms are 
listed in alphabetical order. The definition paragraph begins with the 
term being defined. If a definition contains subordinate paragraphs, 
these paragraphs are numbered with paragraph designations beginning 
with the next appropriate level based on the dedicated definitions 
section.
    The 2nd sentence of Sec.  170.17(a)(1) includes the word 
``obtaining'' for clarity.

35. Comments in Favor of the CMMC Program

    Comment: Some commenters expressed favorable opinions about the 
CMMC program as a viable long-term solution to ensure cybersecurity 
controls are in place. Others commented about specific content of the 
32 CFR part 170 CMMC Program proposed rule and the supplemental 
documents. For example, two commenters specifically complimented the 
inclusion of an Affirmation requirement and another supported CMMC 
implementation as a

[[Page 83168]]

pre-award requirement. Another commenter appreciated the regulatory 
text which ``encourages'' contractors to consult with the Government 
for additional guidance if or when unsure of the appropriate CMMC Level 
to assign to a subcontract solicitation. Two commenters applauded the use of 
already established workforce qualifications while another concurred 
with the regulatory text permitting CMMC Certified Professionals (CCPs) 
to participate in assessments with oversight of a CMMC Certified 
Assessor (CCA). A commenter also expressed appreciation for the 
regulatory text's alignment to a specific version of the guidelines 
(i.e., NIST SP 800-171 R2). One commenter appreciated the video that 
DoD published to accompany and explain the proposed rule. Several 
comments cited the longstanding requirements of DFARS clause 252.204-
7012 and cybersecurity risks of not implementing NIST SP 800-171 R2 as 
reasons that the 32 CFR part 170 CMMC Program final rule should be 
implemented as soon as possible.
    Response: The Department appreciates that several commenters 
expressed agreement with and encouragement for the CMMC Program 
requirement and its associated specific rule text. The DoD recognizes 
that not all entities impacted by these regulations hold the same view 
of its requirements and appreciates those that took the time to express 
both positive and constructive feedback.
Applicability
    Once CMMC is implemented in the 48 CFR part 204 CMMC Acquisition 
rule, DoD will be required to identify the CMMC Level and assessment 
type as a solicitation requirement and in the resulting contract for 
any effort that will cause a contractor or subcontractor to process, 
store, or transmit FCI or CUI on its unclassified information 
system(s), and contractors handling FCI or CUI will be required to meet 
the CMMC Level and assessment type specified in the solicitation and 
resulting contract.
    Summary of Program Changes: DFARS Case 2019-D041 implemented DoD's 
original model for assessing contractor information security 
protections. The initial CMMC Program was comprised of five 
progressively advanced levels of cybersecurity standards and required 
defense contractors and subcontractors to undergo a certification 
process to demonstrate compliance with the cybersecurity standards 
associated with a given CMMC Level.
    In March 2021, the Department initiated an internal review of 
CMMC's implementation that engaged DoD's cybersecurity and acquisition 
leaders to refine policy and program implementation, focusing on the 
need to reduce costs for small businesses and align cybersecurity 
requirements to other Federal standards and guidelines. This review 
resulted in the revised CMMC Program, which streamlines assessment and 
certification requirements and improves implementation of the CMMC 
Program. These changes include:
    * Eliminating Levels 2 and 4, and renaming the remaining three CMMC 
Levels as follows:
        - Level 1 will remain the same as the initial CMMC Program 
Level 1;
        - Level 2 will be similar to the initial CMMC Program Level 3;
        - Level 3 will be similar to the initial CMMC Program Level 5.
    * Removing CMMC-unique requirements and maturity processes from all 
levels;
    * For CMMC Level 1, allowing annual self-assessments with an annual 
affirmation by company leadership;
    * Allowing a subset of companies at Level 2 to demonstrate 
compliance through self-assessment rather than C3PAO assessment;
    * For CMMC Level 3, requiring Department-conducted assessments; and
    * Developing a time-bound and enforceable POA&M process.
    In December 2023, the Department published a proposed rule to amend 
32 CFR part 170 in the Federal Register (Docket ID DOD-2023-OS-0063, 88 
FR 89058), which implemented the DoD's vision for the revised CMMC 
Program outlined in November 2021. The comment period for the proposed 
rule concluded on February 26, 2024. Changes have been made to the CMMC 
Program based on public comment. Significant changes include:
    * The Implementation Phase 1 has been extended by an additional six 
months.
    * A new taxonomy was created differentiating the level and type of 
assessment conducted from the CMMC Status achieved as a result.
    * Clarification was added regarding the DoD's role in achievement 
or loss of CMMC Statuses.
    * CMMC Status will be automatically updated in SPRS for OSAs who 
have met standards acceptance.
    * Requirements regarding conflict of interest were updated to 
expand the cooling-off period for the CMMC Accreditation Body to one 
year and to bound the timeframe between consulting and assessing for 
the CMMC Ecosystem to three years.
    * A requirement was added for the CMMC Ecosystem members to report 
adverse information to the CAICO.
    * A Provisional Instructor role was added to cover the transitional 
period that ends 18 months after the effective date of this rule.
    * A CCI requirement was added to clarify that a CCI must be 
certified at the same or higher level than the classes they are 
instructing.
    * A requirement for artifact retention was added to Level 1 
self-assessments and Level 2 self-assessments.
    * The assessment requirements for ESPs have been reduced.
    * The definition of CSP has been narrowed and is now based on NIST 
SP 800-145 Sept2011.
    * The assessment requirements for Security Protection Assets and 
Security Protection Data have been reduced.
    * References to FedRAMP equivalency have been tied to DoD policy.
    * Clarified the requirements for CSPs for an OSC seeking a CMMC 
Status of Level 3 (DIBCAC).
    * Clarified that DCMA DIBCAC has the authority to perform limited 
checks of compliance of assets that changed asset category or changed 
assessment requirements between the Level 2 and Level 3 certification 
assessment.
    * Clarification was added around the use of VDI clients.
    * Provided clarification to distinguish between Plan of Action & 
Milestones (POA&Ms) and operational plan of action.
    * Definitions have been added for: Affirming Official, Assessment 
objective, Asset, CMMC security requirement, CMMC Status, DoD 
Assessment Methodology, Enduring Exception, Operational plan of action, 
Personally Identifiable Information, Security Protection Data (SPD), 
and Temporary deficiency. Some definitions were also changed to source 
from NIST documentation instead of Committee on National Security 
Systems (CNSS) Instruction No. 4009.

Background

A. Statement of Need for This Rule

    The Department of Defense (DoD) requires defense contractors to 
protect FCI and CUI. To verify contractor and subcontractor 
implementation of DoD's cybersecurity information protection 
requirements, the Department developed the Cybersecurity Maturity Model 
Certification (CMMC) Program as a means of assessing and verifying 
adequate protection of contractor information systems that process, 
store, or transmit either FCI or CUI.
    The CMMC Program is intended to: (1) align cybersecurity 
requirements to the sensitivity of unclassified information to be 
protected, (2) add a self-assessment element to affirm implementation 
of applicable cybersecurity requirements, (3) add a certification 
element to verify implementation of cybersecurity requirements, and (4) 
add an affirmation to attest to continued compliance with assessed 
requirements. As part of the program, DoD also intends to provide 
supporting resources and training to the DIB, to help support companies 
who are working to achieve the required CMMC Status. The CMMC Program 
provides for assessment at three levels, starting with basic 
safeguarding of FCI at CMMC Level 1, moving to the broad protection of 
CUI at CMMC Level 2, and culminating with higher-level protection of 
CUI against risk from Advanced Persistent Threats (APTs) at CMMC Level 
3.
    The CMMC Program addresses DoD's need to protect FCI and CUI during 
the acquisition and sustainment of products and services from the DIB. 
This effort is instrumental in establishing cybersecurity as a 
foundation for DoD acquisitions.
    Although DoD contract requirements to provide adequate security for 
covered defense information (reflected in DFARS clause 252.204-7012) 
predate CMMC by many years, a verification requirement for the handling 
of CUI to assess a contractor or subcontractor's implementation of 
those required information security controls is new with the CMMC 
Program.
    The theft of intellectual property and sensitive information from 
all U.S. industrial sectors from malicious cyber activity threatens 
economic security and national security. The Council of Economic 
Advisers estimates that malicious cyber activity cost the U.S. economy 
between $57 billion and $109 billion in 2016.\24\ The Center for 
Strategic and International Studies estimates that the total global 
cost of cybercrime was as high as $600 billion in 2017.\25\
---------------------------------------------------------------------------

    \24\ Based on information from the Council of Economic Advisors 
report: The Cost of Malicious Cyber Activity to the U.S. Economy, 
2018.
    \25\ Based on information from the Center for Strategic and 
International Studies report on the Economic Impact of Cybercrime; 
www.csis.org/analysis/economic-impact-cybercrime.
---------------------------------------------------------------------------

    Malicious cyber actors have targeted and continue to target defense 
contractors and the DoD supply chain. These attacks not only focus on 
the large prime contractors, but also target subcontractors that make 
up the lower tiers of the DoD supply chain. Many of these 
subcontractors are small entities that provide critical support and 
innovation. Overall, the DIB sector consists of over 220,000 companies 
\26\ that process, store, or transmit CUI or FCI in support of the 
warfighter and contribute towards the research, engineering, 
development, acquisition, production, delivery, sustainment, and 
operations of DoD systems, networks, installations, capabilities, and 
services. The aggregate loss of intellectual property and controlled 
unclassified information from the DoD supply chain can undercut U.S. 
technical advantages and innovation, as well as significantly increase 
the risk to national security. As part of multiple lines of effort 
focused on the security and resiliency of the DIB, the Department is 
working with industry to enhance the protection of FCI and CUI within 
the DoD supply chain. Toward this end, DoD has developed the CMMC 
Program.
---------------------------------------------------------------------------

    \26\ Based on information from the Federal Procurement Data 
System, the average number of unique prime contractors is 
approximately 212,650 and the number of known unique subcontractors 
is approximately 8,300. (FPDS from FY18-FY21).
---------------------------------------------------------------------------

Cybersecurity Maturity Model Certification Program
    The CMMC Program provides a comprehensive and scalable 
certification approach to verify the implementation of requirements 
associated with the achievement of a cybersecurity level. CMMC is 
designed to provide increased assurance to the Department that defense 
contractors can adequately protect FCI and CUI at a level commensurate 
with the risk, accounting for information flow down to its 
subcontractors in a multi-tier supply chain. Defense contractors can 
achieve a specific CMMC Status for their entire enterprise network or 
an enclave(s), depending upon where the information to be protected is 
processed, stored, or transmitted.
    The CMMC Program assesses implementation of cybersecurity 
requirements. The CMMC requirements for safeguarding and security are 
the same as those required by FAR Subpart 4.19 and DFARS clause 
252.204-7012, as well as selected NIST SP 800-172 Feb2021 requirements. 
CMMC Level 1 requires implementation of the safeguarding requirements 
set forth in FAR clause 52.204-21. CMMC Level 2 requires implementation 
of the security requirements in NIST SP 800-171 R2. CMMC Level 3 
requires implementation of the security requirements in NIST SP 800-171 
R2 as well as selected NIST SP 800-172 Feb2021 requirements, with DoD 
specified parameters. The CMMC security requirements for all three 
Levels are provided in Sec.  170.14. In general, CMMC assessments do 
not duplicate efforts from existing DoD assessments. In rare 
circumstances a re-assessment may be necessary when cybersecurity 
risks, threats, or awareness have changed.
    Under the CMMC Program, CMMC contract requirements include self-
assessments and third-party assessments for CMMC Level 2, predicated on 
program criticality, information sensitivity, and the severity of cyber 
threat. Based on the type and sensitivity of the information to be 
protected, a defense contractor must achieve the appropriate CMMC 
Status and demonstrate implementation of the associated set of 
information protection requirements.
    If the CMMC Status of Level 1 (Self) or Level 2 (Self) is a 
contract requirement, the defense contractor will be required to self-
assess its compliance with the CMMC Level 1 or Level 2 security 
requirements and submit both the self-assessment results and an 
affirmation of conformance in SPRS. Level 1 self-assessment and 
associated affirmation is required annually. Level 2 self-assessment is 
required every three years with an affirmation following the self-
assessment and annually after the Final CMMC Status Date.
    If the CMMC Status of Level 2 (C3PAO) is a contract requirement, 
the Level 2 certification assessment must be performed by an authorized 
or accredited CMMC Third Party Assessment Organization (C3PAO). When 
the CMMC Status of Level 3 (DIBCAC) is a contract requirement, the 
Level 3 certification assessment by DCMA DIBCAC is required following 
the achievement of the CMMC Status of Final Level 2 (C3PAO). Upon 
achievement of the CMMC Status of Level 2 (C3PAO) or Level 3 (DIBCAC), 
the offeror will be issued a Certificate of CMMC Status. The assessment 
results are documented in SPRS to enable contracting officers to verify 
the CMMC Status and CMMC Status Date (i.e., not more than three years 
old) of an offeror prior to contract award. The offeror must also 
submit an affirmation of conformance in SPRS following the assessment 
and annually after the Final CMMC Status Date.
    CMMC allows the use of a Plan of Action and Milestones (POA&Ms) for 
specified CMMC Level 2 and Level 3 security requirements. Each POA&M 
must be closed (i.e., all requirements completed) within 180 days of 
the initial assessment.
    The details of the requirements for self-assessment, certification 
assessment, and affirmation for each CMMC Level, are provided in 
Sec. Sec.  170.15 through 170.18. POA&M requirements and affirmation 
requirements are provided in Sec. Sec.  170.21 and 170.22.
    DoD's phased implementation of the CMMC Status requirements is 
described in Sec.  170.3(e). Once CMMC requirements have been 
implemented in the DFARS, the solicitation and resulting contract will 
identify the specific CMMC Status required for that procurement. 
Selection of a CMMC Status will be based upon careful consideration of 
market research and the likelihood of a robust competitive market of 
prospective offerors capable of meeting the requirement. In some 
scenarios, DoD may elect to waive application of CMMC Status 
requirements to a particular procurement. In such cases, the 
solicitation will not include a CMMC Status requirement. Such waivers 
may be requested and approved by the Department in accordance with 
DoD's internal policies and procedures. For a DoD solicitation or 
contract that does include CMMC requirements, including those for the 
acquisition of commercial items (except those exclusively for COTS items) 
valued at greater than the micro-purchase threshold, contracting 
officers will not make award, or exercise an option on a contract, if 
the offeror or contractor does not meet the requirements for the 
required CMMC Status. Furthermore, CMMC requirements are required to 
flow down to subcontractors as prescribed in the solicitation and 
resulting contract at all tiers, commensurate with the sensitivity of 
the unclassified information flowed down to each subcontractor.

B. Legal Authority

    5 U.S.C. 301 authorizes the head of an Executive department or 
military department to prescribe regulations for the government of his 
or her department, the conduct of its employees, the distribution and 
performance of its business, and the custody, use, and preservation of 
its records, papers, and property (www.govinfo.gov/content/pkg/USCODE-2009-title5/pdf/USCODE-2009-title5-partI-chap3-sec301.pdf).
    Section 1648 of the National Defense Authorization Act for Fiscal 
Year 2020 (Pub. L. 116-92) \27\ directs the Secretary of Defense to 
develop a consistent, comprehensive framework to enhance cybersecurity 
for the U.S. Defense Industrial Base (DIB). The CMMC Program is an 
important part of this framework.
---------------------------------------------------------------------------

    \27\ www.govinfo.gov/content/pkg/PLAW-116publ92/pdf/PLAW-116publ92.pdf.
---------------------------------------------------------------------------

C. Community Impact

    This final rule impacts all prospective and actual DoD contractors 
and subcontractors that are handling or will handle DoD information 
that meets the standards for FCI or CUI on a contractor information 
system during performance of the DoD contract or subcontract. This 
final rule also impacts all companies who are performing or will 
perform accreditation, training, certification, or assessment functions 
in connection with implementation of the CMMC Program.

D. Regulatory History

    The CMMC Program verifies defense contractor compliance with DoD's 
cybersecurity information protection requirements. It is designed to 
protect FCI and CUI that is shared by the Department with, or generated 
by, its contractors and subcontractors. The cybersecurity standards 
required by the program are the same as those set forth in FAR clause 
52.204-21 (CMMC Level 1), the NIST SP 800-171 R2 guidelines, which are 
presently required by DFARS clause 252.204-7012 (CMMC Level 2), and 
additional selected requirements from the NIST SP 800-172 Feb2021 
guidelines (CMMC Level 3). The program adds a robust assessment element 
and provides the Department increased assurance that contractors and 
subcontractors are meeting these requirements.
    In September 2020, the DoD published the 48 CFR CMMC interim final 
rule to the DFARS in the Federal Register (DFARS Case 2019-D041, 85 FR 
48513, September 9, 2020), which implemented the DoD's vision for the 
initial CMMC Program and outlined the basic features of the program 
(tiered model, required assessments, and implementation through 
contracts). The 48 CFR CMMC interim final rule became effective on 
November 30, 2020, establishing a five-year phase-in period.
    In March 2021, the Department initiated an internal review of 
CMMC's implementation, informed by more than 750 CMMC-related public 
comments in response to the 48 CFR CMMC interim final rule. This 
comprehensive, programmatic assessment engaged cybersecurity and 
acquisition leaders within DoD to refine policy and program 
implementation.
    In November 2021, the Department announced plans for a revised CMMC 
Program, which incorporates an updated program structure and 
requirements designed to achieve the primary goals of an internal DoD 
review of the CMMC Program. With the implementation of the CMMC 
Program, the Department introduced several key changes that build on 
and refine the original program requirements. These include:
    * Streamlining the model from five to three certification levels;
    * Allowing all companies at Level 1 and a subset of companies at 
Level 2 to demonstrate compliance through self-assessments;
    * Increased oversight of professional and ethical standards of 
third-party assessors; and
    * Allowing companies, under certain limited circumstances, to make 
POA&Ms to achieve certification.
    In December 2023, the Department published a proposed rule to amend 
32 CFR part 170 in the Federal Register (Docket ID 2023-OS-0063, 88 FR 
89058, December 26, 2023), which implemented the DoD's vision for the 
revised CMMC Program outlined in November 2021. The comment period for 
the proposed rule concluded on February 26, 2024.
    The CMMC requirements established pursuant to DFARS Case 2019-D041 
have not been revised as of the date of publication of this final rule. 
However, the CMMC Program requirements in this final rule will be 
implemented in the DFARS, as needed, which may result in changes to the 
current DFARS text, solicitation provisions, and contract clauses 
relating to DoD's cybersecurity protection requirements, including 
DFARS subpart 204.75 and DFARS clause 252.204-7021, Cybersecurity 
Maturity Model Certification (CMMC) Requirements.

Context of the CMMC Program in Light of Other DoD-Related Work

    At present, and prior to the DFARS CMMC Acquisition rule becoming 
effective, the Department is using the DCMA DIBCAC to conduct CMMC 
Level 2-like assessments. To date, the DCMA DIBCAC has assessed 357 
entities including DoD's major prime contractors. The CMMC Program's 
assessment phase-in plan, as described in Sec.  170.3 Applicability, 
does not preclude entities from immediately and voluntarily seeking a 
CMMC certification assessment prior to the DFARS CMMC Acquisition rule 
being finalized and the clause being added to new or existing DoD 
contracts.
    The Department estimates 8,350 medium and large entities will 
require CMMC Level 2 certification assessments. Once the CMMC DFARS 
coverage is effective, the Department will contractually mandate CMMC 
Level 2 certification assessments on these entities. It is estimated 
that 135 CMMC Third-Party Assessment Organization (C3PAO)-led 
assessments will be completed in the first year. The Department 
estimates 673 C3PAO-led assessments in year 2 followed by 2,252 
C3PAO-led assessments in year 3. During the fourth year, the Department 
estimates 4,452 C3PAO-led assessments will be completed. The DCMA 
DIBCAC will perform assessments upon DoD's request.
    Additionally, the Department may include CMMC Level 2 certification 
requirements on contracts awarded prior to the CMMC DFARS coverage 
becoming effective, but doing so will require bilateral contract 
modification after negotiations.
    The CMMC Program has been incorporated in the Department's 2024 
Defense Industrial Base Cybersecurity Strategy.\28\ The strategy 
requires the Department to coordinate and collaborate across components 
to identify and close gaps in protecting DoD networks, supply chains, 
and other critical resources. Other prongs of the Department's 
cybersecurity strategy are described in the Department's National 
Industrial Security Program Operating Manual (NISPOM) which address 
implementation of the Security Executive Agent Directive (SEAD) 3,\29\ 
including clarifications on procedures for the protection and 
reproduction of classified information; controlled unclassified 
information (CUI); National Interest Determination (NID) requirements 
for cleared contractors operating under a Special Security Agreement 
for Foreign Ownership, Control, or Influence; and eligibility 
determinations for personnel security clearance processes and 
requirements.\30\
---------------------------------------------------------------------------

    \28\ https://media.defense.gov/2024/Mar/28/2003424523/-1/-1/1/DOD_DOB_CS_STRATEGY_DSD_SIGNED_20240325.PDF.
    \29\ www.govinfo.gov/content/pkg/FR-2020-12-21/pdf/2020-27698.pdf.
    \30\ www.dcsa.mil/Industrial-Security/National-Industrial-Security-Program-Oversight/32-CFR-Part-117-NISPOM-Rule/.
---------------------------------------------------------------------------

    In addition, DCMA DIBCAC is responsible for leading the 
Department's contractor cybersecurity risk mitigation efforts. As part 
of this work, the DIBCAC assesses the defense industrial base companies 
to ensure they are meeting contractually required cybersecurity 
standards. The DIBCAC team ensures contractors have the ability to 
protect controlled unclassified information for government contracts 
they are awarded. DIBCAC conducts NIST SP 800-171 assessments in 
support of DFARS clause 252.204-7012, Safeguarding Covered Defense 
Information and Cyber Incident Reporting, and DFARS clause 204.204-
7020, NIST SP 800-171 DoD Assessment Requirements. The DFARS 204.204-
7020 DIBCAC prioritization process is designed to adjust as DoD's cyber 
priorities evolve based on ongoing threats. DIBCAC analysts collect and 
analyze data on DoD contractors to include:
    • Mission critical programs, technologies, and 
infrastructure and the contractors (prime or lower tier) that support 
DoD capabilities.
    • Cyber threats, vulnerabilities, or incidents.
    • DoD Leadership requests.

Regulatory Impact Analysis

    FAR Subpart 4.19 and DFARS clause 252.204-7012 address safeguarding 
of FCI and CUI in contractor information systems and prescribe contract 
clauses requiring protection of FCI and CUI within the supply chain. 
The FAR and DFARS requirements for safeguarding FCI and CUI predate the 
CMMC Program by many years, and baseline costs for their implementation 
are assumed to vary widely based on factors including, but not limited 
to, company size and complexity of the information systems to be 
secured. FAR clause 52.204-21 is prescribed at FAR section 4.1903 for 
use in solicitations and contracts when the contractor or subcontractor 
at any tier may have FCI residing in or transiting through its 
information system. This clause requires contractors and subcontractors 
to apply basic safeguarding requirements and procedures to protect 
applicable contractor information systems that process, store, or 
transmit FCI. In addition, DFARS clause 252.204-7012, Safeguarding 
Covered Defense Information and Cyber Incident Reporting, is prescribed 
at DFARS section 204.7304(c) for use by DoD in all solicitations and 
contracts, including solicitations and contracts using FAR part 12 
procedures for the acquisition of commercial items, except for 
solicitations and contracts solely for the acquisition of commercially 
available off-the-shelf items. This clause applies when a contractor 
information system processes, stores, or transmits covered defense 
information and requires contractors and subcontractors to provide 
``adequate security'' to safeguard that information when it resides on 
or transits through a contractor information system, and to report 
cyber incidents that affect that system or network. The clause states 
that to provide adequate security, the contractor shall implement, at a 
minimum, the security requirements in National Institute of Standards 
and Technology (NIST) Special Publication (SP) 800-171 R2, Protecting 
CUI in Nonfederal Systems and Organizations. Contractors are also 
required to flow down DFARS clause 252.204-7012 to all subcontracts for 
operationally critical support or for which subcontractor performance 
will involve covered defense information.
    However, neither FAR clause 52.204-21 nor DFARS clause 252.204-7012 
provide for DoD assessment of a contractor's implementation of the 
information protection requirements required by those clauses. The 
Department developed the CMMC Program to verify implementation of 
cybersecurity requirements in DoD contracts and subcontracts, by 
assessing adequacy of contractor information system security compliance 
prior to award and during performance of the contract. With limited 
exceptions, the Department intends to require compliance with CMMC as a 
condition of contract award. Once CMMC is implemented, the required 
CMMC Status will be specified in the solicitation and resulting 
contract. Contractors handling FCI or CUI will be required to meet the 
CMMC Status specified in the contract.
    There are three different levels of CMMC assessment, starting with 
basic safeguarding of FCI at Level 1, moving to the broad protection of 
CUI at Level 2, and culminating with higher level protection of CUI 
against risk from Advanced Persistent Threats (APTs) at Level 3. The 
benefits and costs associated with implementing this final rule, as 
well as alternative approaches considered, are as follows:

Costs

    A Regulatory Impact Analysis (RIA) that includes a detailed 
discussion and explanation about the assumptions and methodology used 
to estimate the cost of this regulatory action follows and is available 
at www.regulations.gov (search for ``DoD-2023-OS-0063,'' click ``Open 
Docket,'' and view ``Supporting Documents'').

Background

    The Department of Defense (DoD or Department) requires a secure and 
resilient supply chain to ensure the development, production, and 
sustainment of capabilities critical to national security. The DoD 
supply chain is targeted by adversaries with increasing frequency and 
sophistication, and to devastating effect. Therefore, implementation of 
cybersecurity standards and enforcement mechanisms are critically 
important. Executive Order (E.O.) 14028, ``Improving the Nation's

[[Page 83172]]

Cybersecurity,'' emphasizes the need to strengthen cybersecurity 
protections for both the Federal Government and the private sector.
    Nation-state adversaries attack the U.S. supply chain for a myriad 
of reasons, including exfiltration of valuable technical data (a form 
of industrial espionage); disruption to control systems used for 
critical infrastructure, manufacturing, and weapons systems; corruption 
of quality and assurance across a broad range of product types and 
categories; and manipulation of software to achieve unauthorized access 
to connected systems and to degrade the integrity of system operations. 
For example, since September 2020, major cyber-attacks such as the 
SolarWinds,\31\ Colonial Pipeline, Hafnium,\32\ and Kaseya \33\ 
attacks, have been spearheaded or influenced by nation-state actors 
\34\ and resulted in significant failures and disruption. In context of 
this threat, the size and complexity of defense procurement activities 
provide numerous pathways for adversaries to access DoD's sensitive 
systems and information. Moreover, adversaries continue to evolve their 
tactics, techniques, and procedures. For example, on April 28, 2022, 
CISA and the FBI issued an advisory on destructive ``wiperware,'' a 
form of malware which can destroy valuable information.\35\ Protection 
of FCI and CUI is critically important, and the DoD needs assurance 
that contractor information systems are adequately secured to protect 
such information when it resides on or transits those systems.
---------------------------------------------------------------------------

    \31\ www.gao.gov/assets/gao-22-104746.pdf.
    \32\ www.ic3.gov/Media/News/2021/210310.pdf.
    \33\ www.cisa.gov/uscert/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa.
    \34\ www.mitre.org/sites/default/files/publications/pr-18-2417-deliver-uncompromised-MITRE-study-26AUG2019.pdf.
    \35\ www.cisa.gov/uscert/ncas/alerts/aa22-057a.
---------------------------------------------------------------------------

    The Department is committed to working with defense contractors to 
protect FCI and CUI.
    • Federal Contract Information (FCI): As defined in section 
4.1901 of the FAR, FCI means information, not intended for public 
release, that is provided by or generated for the Government under a 
contract to develop or deliver a product or service to the Government, 
but not including information provided by the Government to the public, 
such as that on public websites, or simple transactional information, 
such as that necessary to process payments.
    • Controlled Unclassified Information (CUI): 32 CFR 
2002.4(h) defines CUI, in part, as information the Government creates 
or possesses, or that an entity creates or possesses for or on behalf 
of the Government, that a law, regulation, or Government-wide policy 
requires or permits an agency to handle using safeguarding or 
dissemination controls, including FCI.
    In September 2020, the DoD published 48 CFR CMMC interim final rule 
(DFARS Case 2019-D041, 85 FR 48513, September 9, 2020), which 
implemented DoD's vision for the initial Cybersecurity Maturity Model 
Certification (CMMC) Program and outlined basic program features, to 
include: 5-level tiered model, CMMC Certified Third Party Assessment 
Organization (C3PAO) assessments in support of contractor and 
subcontractor certification, with no allowance for a Plan of Action and 
Milestones (POA&Ms), and implementation of all security requirements by 
the time of a contract award. A total of 750 comments were received on 
the 48 CFR CMMC interim final rule during the public comment period 
that ended on November 30, 2020. These comments highlighted a variety 
of industry concerns including concerns relating to the costs for a 
C3PAO certification, and the costs and burden associated with 
implementing, prior to award, the required process maturity and 20 
additional cybersecurity practices that were included in the initial 
CMMC Program. The Small Business Administration Office of Advocacy also 
raised similar concerns on the impact the rule would have on small 
businesses in the DIB.
    Pursuant to DFARS clause 252.204-7012, DoD has required certain 
defense contractors and subcontractors to implement the security 
protections set forth in the National Institute of Standards and 
Technology (NIST) Special Publication (SP) 800-171 R2 to provide 
adequate security for CUI that is processed, stored, or transmitted on 
contractor information systems. The CMMC Program provides the 
Department the mechanism needed to verify that a defense contractor or 
subcontractor has implemented the security requirements at each CMMC 
Level and is maintaining that status across the contract period of 
performance, as required.
    In calendar year (CY) 2021 DoD paused the planned CMMC rollout to 
conduct an internal review of the CMMC Program. The internal review 
resulted in a refined and streamlined set of requirements that 
addressed many of the concerns identified in the public comments 
received relating to the initial CMMC Program. These changes have been 
incorporated into the revised CMMC Program structure and policies. In 
July 2022, the CMMC PMO met with the Office of Advocacy for the United 
States Small Business Administration (SBA) to address the revisions 
planned to the CMMC Program that are responsive to prior SBA concerns.
    The CMMC Program will enhance the ability of the DoD to safely 
share FCI and CUI with defense contractors and know the information 
will be suitably safeguarded. Once fully implemented, CMMC will 
incorporate a set of cybersecurity requirements into acquisition 
contracts to provide verification that applicable cyber protections 
have been implemented. Under the CMMC Program, defense contractors and 
subcontractors will be required to implement certain cybersecurity 
protection requirements tied to a designated CMMC level and either 
perform a self-assessment or obtain an independent assessment from 
either a C3PAO or DCMA DIBCAC as a condition of a DoD contract award. 
CMMC is designed to validate the protection of FCI and CUI that is 
shared with and generated by the Department's contractors and 
subcontractors. Through protection of information by adherence to the 
requirements verified in the revised CMMC Program, the Department and 
its contractors will prevent disruption in service and the loss of 
intellectual property and assets, and thwart access to FCI and CUI by 
the nation's adversaries.
    The CMMC Program is intended to: (1) align cybersecurity 
requirements to the sensitivity of unclassified information to be 
protected, and (2) add a certification element, where appropriate, to 
verify implementation of cybersecurity requirements. As part of the 
program, DoD also intends to provide supporting resources and training 
to defense contractors to help support companies who are working to 
achieve the required CMMC Status. The CMMC Program provides for 
assessment at three levels: basic safeguarding of FCI at CMMC Level 1, 
broad protection of CUI at CMMC Level 2, and enhanced protection of CUI 
against risk from Advanced Persistent Threats (APTs) at CMMC Level 3. 
The CMMC Program is designed to provide increased assurance to the 
Department that a defense contractor can adequately protect FCI and CUI 
in accordance with prescribed security requirements, accounting for 
information flow down to its subcontractors in a multi-tier supply 
chain.
    The CMMC Program addresses DoD's need to protect FCI and CUI during 
the acquisition and sustainment of products

[[Page 83173]]

and services from the DIB. This effort is instrumental in establishing 
cybersecurity as a foundation for future DoD acquisition.
    Although DoD contract requirements to provide adequate security for 
covered defense information (reflected in DFARS clause 252.204-7012) 
predate CMMC by many years, a certification requirement for the 
handling of CUI to assess a contractor or subcontractor's compliance of 
those required information security controls is new with the CMMC 
Program. Findings from DoD Inspector General report \36\ indicate that 
DoD contractors did not consistently implement mandated system security 
requirements for safeguarding CUI and recommended that DoD take steps 
to assess a contractor's ability to protect this information. The 
report emphasizes that malicious actors can exploit the vulnerabilities 
of contractors' networks and systems and exfiltrate information related 
to some of the Nation's most valuable advanced defense technologies.
---------------------------------------------------------------------------

    \36\ DODIG-2019-105 ``Audit of Protection of DoD CUI on 
Contractor-Owned Networks and Systems.''
---------------------------------------------------------------------------

    Currently, the FAR and DFARS prescribe contract clauses intended to 
protect FCI and CUI. Specifically, the clause at FAR 52.204-21, Basic 
Safeguarding of Covered Contractor Information Systems, is prescribed 
at FAR 4.1903 for use in Government solicitations and contracts when 
the contractor or a subcontractor at any tier may have FCI residing in 
or transiting through its information system(s). This clause requires 
contractors and subcontractors to implement basic safeguarding 
requirements and procedures to protect FCI being processed, stored, or 
transmitted on contractor information systems. In addition, DFARS 
clause 252.204-7012, Safeguarding Covered Defense Information and Cyber 
Incident Reporting, is prescribed at DFARS 204.7304(c) for use in all 
solicitations and contracts except for solicitations and contracts 
solely for the acquisition of commercially available off-the-shelf 
(COTS) items. This clause requires contractors and subcontractors to 
provide ``adequate security'' to process, store or transmit covered 
defense information when it resides on or transits a contractor 
information system, and to report cyber incidents that affect that 
system or network. The clause states that to provide adequate security, 
the contractor shall implement, at a minimum, the security requirements 
in NIST Special Publication (SP) 800-171 R2, Protecting CUI in 
Nonfederal Systems and Organizations. Contractors are also required to 
flow down DFARS clause 252.204-7012 to all subcontracts that require 
processing, storing, or transmitting of covered defense information.
    However, neither FAR clause 52.204-21 nor DFARS clause 252.204-7012 
provide for DoD verification of a contractor's implementation of the 
basic safeguarding requirements specified in FAR clause 52.204-21 nor 
the security requirements specified in NIST SP 800-171 R2, 
implementation of which is required by DFARS clause 252.204-7012, prior 
to contract award. As part of multiple lines of effort focused on the 
security and resilience of the DIB, the Department is working with 
industry to enhance the protection of FCI and CUI within the DoD supply 
chain. Toward this end, DoD has developed the CMMC Program.

Revised CMMC Program Requirements

    The CMMC Program requirements will be implemented through the DoD 
acquisition and contracting process. With limited exceptions, the 
Department intends to require compliance with CMMC as a condition of 
contract award. Once CMMC is implemented, the required CMMC Status will 
be specified in the solicitation and resulting contract. Contractors 
handling FCI or CUI will be required to meet the CMMC Status specified 
in the contract. In accordance with the implementation plan described 
in Sec.  170.3(e), CMMC Status requirements will apply to new DoD 
solicitations and contracts, and shall flow down to subcontractors, 
based on the sensitivity of the FCI and CUI to be processed, stored or 
transmitted to or by the subcontractor. Before contract award, the 
offeror must achieve the specified CMMC Status for the contractor 
information system (e.g., enterprise network, network enclave) that 
will process, store, or transmit the information to be protected. The 
contractor or subcontractor will also submit affirmations in the 
Supplier Performance Risk System (SPRS). An overview of requirements at 
each level is shown:
Level 1 Self-Assessment
    • Level 1 self-assessment requires compliance with the basic 
safeguarding requirements to protect FCI as set forth in FAR clause 
52.204-21. CMMC Level 1 does not add any additional security 
requirements to those identified in FAR clause 52.204-21.
    • OSAs will submit the following information in SPRS:
    1. the results of a self-assessment of the OSA's implementation of 
the basic safeguarding requirements set forth in Sec.  170.15 
associated with the contractor information system(s) used in 
performance of the contract; and
    2. an initial affirmation of compliance, and then annually 
thereafter, an affirmation of continued compliance as set forth in 
Sec.  170.22.
    3. the Level 1 self-assessment cost burden will be addressed as 
part of the 48 CFR part 204 CMMC Acquisition final rule.
Level 2 Self-Assessment
    • Level 2 self-assessment requires compliance with the 
security requirements set forth in NIST SP 800-171 R2 to protect CUI. 
CMMC Level 2 does not add any additional security requirements to those 
identified in NIST SP 800-171 R2.
    • OSAs will submit the following information in SPRS:
    1. the results of a self-assessment of the OSA's implementation of 
the NIST SP 800-171 R2 requirements set forth in Sec.  170.16 
associated with the covered contractor information system(s) used in 
performance of the applicable contract.
    2. an initial affirmation of compliance, and, if applicable, a 
POA&M closeout affirmation, and then annually thereafter, an 
affirmation of continued compliance set forth in Sec.  170.22.
    3. the Level 2 self-assessment cost burden will be addressed as 
part of the 48 CFR part 204 CMMC Acquisition final rule.
Level 2 Certification Assessment
    • Level 2 certification assessment requires compliance with 
the security requirements set forth in Sec.  170.17 to protect CUI. 
CMMC Level 2 does not add any additional security requirements to those 
selected in NIST SP 800-171 R2.
    • A Level 2 certification assessment of the applicable 
contractor information system(s) provided by an authorized or 
accredited C3PAO is required to validate implementation of the NIST SP 
800-171 R2 security requirements prior to award of any prime contract 
or subcontract and exercise of option.
    • The C3PAO will upload the Level 2 certification assessment 
results in the CMMC instantiation of eMASS which will feed the 
information into SPRS.
    • OSCs will submit in SPRS an initial affirmation of 
compliance, and, if necessary, a POA&M closeout affirmation, and then 
annually following the Final CMMC Status Date, an affirmation of 
continued compliance as set forth in Sec.  170.22.
    The Level 2 certification assessment cost burdens are included in 
this part

[[Page 83174]]

with the exception of the requirement for the OSC to upload the 
affirmation in SPRS that is included in the 48 CFR part 204 CMMC 
Acquisition final rule and an update to DFARS collection approved under 
OMB Control Number 0750-0004, Assessing Contractor Implementation of 
Cybersecurity Requirements. Additionally, the information collection 
reporting requirements for the CMMC instantiation of eMASS are included 
in a separate ICR for this part and cover only those requirements 
pertaining to the CMMC process.
Level 3 Certification Assessment
    • Level 3 certification assessment requires the CMMC Status 
of Final Level 2 (C3PAO) and compliance with the security requirements 
set forth in Sec.  170.18 to protect CUI. CMMC Level 3 adds additional 
security requirements to those required by existing acquisition 
regulations as specified in this rule.
    • A Level 3 certification assessment of the applicable 
contractor information system(s) provided by the DCMA Defense 
Industrial Base Cybersecurity Assessment Center (DIBCAC) is required to 
validate implementation of the DoD-defined selected security 
requirements set forth in NIST SP 800-172 Feb2021. A CMMC Status of 
Final Level 2 (C3PAO) is a prerequisite to schedule a DCMA DIBCAC Level 
3 certification assessment.
    • DCMA DIBCAC will upload the Level 3 certification 
assessment results into the CMMC instantiation of eMASS, which will 
feed the information into SPRS.
    • OSCs will submit in SPRS an initial affirmation of 
compliance, and, if necessary, a POA&M closeout affirmation, and then 
annually following the Final CMMC Status Date, an affirmation of 
continued compliance as set forth in Sec.  170.22.
    The Level 3 certification assessment cost burdens are included in 
this part with the exception of the requirement for the OSC to upload 
the affirmation in SPRS that is included in the 48 CFR part 204 CMMC 
Acquisition rule and an update to DFARS collection approved under OMB 
Control Number 0750-0004, Assessing Contractor Implementation of 
Cybersecurity Requirements. Additionally, the information collection 
reporting requirements for the CMMC instantiation of eMASS are included 
in a separate ICR for this part and cover only those requirements 
pertaining to the CMMC process. As described, the CMMC Program couples 
an affirmation of compliance with certification assessment requirements 
to verify OSA implementation of cybersecurity requirements, as 
applicable.
    The CMMC Program addresses DoD's need to protect FCI and CUI during 
the acquisition and sustainment of products and services from the DIB. 
This effort is instrumental in ensuring cybersecurity is the foundation 
of future DoD acquisitions.

Policy Problems Addressed by the Revised CMMC Program

    Implementation of the CMMC Program is intended to solve the 
following policy problems:

Lack of Verification of Contractor Compliance With Cybersecurity 
Requirements

    Neither FAR clause 52.204-21 nor DFARS clause 252.204-7012 provide 
for DoD assessment of a defense contractor or subcontractor's 
implementation of the information protection requirements within those 
clauses. Defense contractors represent that they will implement the 
requirements in NIST SP 800-171 R2 upon submission of their offer. 
Findings from DoD Inspector General report (DODIG-2019-105 ``Audit of 
Protection of DoD Controlled Unclassified Information on Contractor-
Owned Networks and Systems'') indicate that DoD contractors did not 
consistently implement mandated system security requirements for 
safeguarding CUI and recommended that DoD take steps to assess a 
contractor's ability to protect this information. CMMC adds new 
assessment requirements for contractor implementation of underlying 
information security requirements, to allow DoD to assess a defense 
contractor's cybersecurity posture using authorized or accredited 
C3PAOs. The contractor and subcontractor must achieve the required CMMC 
Level as a condition of contract award.

Inadequate Implementation of Cybersecurity Requirements

    Under DFARS clause 252.204-7012 and DFARS clause 252.204-7020, 
defense contractors and subcontractors must document implementation of 
the security requirements in NIST SP 800-171 R2 in a system security 
plan and may use a plan of action to describe how and when any 
unimplemented security requirements will be met. For the CMMC Program, 
the solicitation and resulting contract, will specify the required CMMC 
Status, which will be determined considering program criticality, 
information sensitivity, and severity of cyber threat. Although the 
security requirements in NIST SP 800-171 R2 address a range of threats, 
additional requirements are needed to significantly reduce the risk 
posed by APTs. An APT is an adversary that possesses sophisticated 
levels of expertise and significant resources that allow it to create 
opportunities to achieve its objectives by using multiple attack 
vectors (e.g., cyber, physical, and deception). CMMC Level 3 requires 
implementation of selected security requirements from NIST SP 800-172 
Feb2021 to reduce the risk of APT threats.
    The CMMC Program will require prime contractors to flow the 
appropriate CMMC Status requirement down throughout the entire supply 
chain relevant to a particular contract. Defense contractors or 
subcontractors that handle FCI, must meet the requirements for CMMC 
Level 1. Defense contractors that handle CUI must meet the requirements 
for CMMC Level 2 or higher, depending on the sensitivity of the 
information associated with a program or technology being developed.

Insufficient Scale and Depth of Resources To Verify Compliance

    Today, DoD prime contractors must include DFARS clause 252.204-7012 
in subcontracts for which performance will involve covered defense 
information, but this does not provide the Department with sufficient 
insights with respect to the cybersecurity posture of all members of a 
multi-tier supply chain for any given program or technology development 
effort. The revised CMMC Program requires prime contractors to flow 
down appropriate CMMC Status requirements, as applicable, to 
subcontractors throughout their supply chain(s).
    Given the size and scale of the DIB, the Department cannot scale 
its existing cybersecurity assessment capability to conduct on-site 
assessments of approximately 220,000 DoD contractors and subcontractors 
every three years. The Department's existing assessment capability is 
best suited for conducting targeted assessments for the relatively 
small subset of DoD contractors and subcontractors that support 
designated high-priority programs involving CUI.
    CMMC addresses the Department's scaling challenges by utilizing a 
private-sector accreditation structure. A DoD-authorized Accreditation 
Body will authorize, accredit, and provide oversight of C3PAOs which in 
turn will conduct Level 2 certification assessments of actual and 
prospective DoD contractors and subcontractors. Defense contractors 
will directly contract with an authorized or accredited C3PAO to obtain 
a Level 2

[[Page 83175]]

certification assessment. The cost of Level 2 certification assessment 
activities is driven by multiple factors, including market forces that 
govern availability of C3PAOs and the size and complexity of the 
enterprise or enclave under assessment. The Government will perform 
Level 3 certification assessments. Government resource limitations may 
affect schedule availability.

Reduces Duplicate or Respective Assessments of Our Industry Partners

    CMMC assessment results will be posted in SPRS, DoD's authoritative 
source for supplier and product performance information. Posting CMMC 
assessment results in SPRS precludes the need to validate CMMC 
implementation on a contract-by-contract basis. This enables DoD to 
identify whether the CMMC requirements have been met for relevant 
contractor information systems, avoids duplicative assessments, and 
eliminates the need for program level assessments, all of which 
decreases costs to both DoD and industry.

Revised CMMC Program Implementation

    The DoD is implementing a phased implementation for the revised 
CMMC Program and intends to introduce CMMC Status requirements in 
solicitations over a three-year period to provide appropriate ramp-up 
time. This phased implementation is intended to minimize the financial 
impacts to defense contractors, especially small businesses, and 
disruption to the existing DoD supply chain. After CMMC is implemented 
in acquisition regulation, DoD will include CMMC self-assessment 
requirements in solicitations and resulting contracts when warranted by 
the type of information that will be handled by the contractor or 
subcontractor(s). CMMC Status requirements for Levels 1, 2, and 3 will 
be included in solicitations and resulting contracts issued after the 
phase-in period when warranted by any FCI and/or CUI information 
protection requirements for the contract effort. In the intervening 
period, Government Program Managers will have discretion to include 
CMMC Status requirements or exclude them and rely upon existing DFARS 
clause 252.204-7012 requirements, in accordance with DoD policy. As 
stated in Sec.  170.20(a), there is qualified standards acceptance 
between DCMA DIBCAC High Assessment and the CMMC Status of Level 
2 (C3PAO), which will result in staggering of the dates for new Level 2 
certification assessments. The implementation period will consist of 
four (4) phases as set forth in Sec.  170.3(e), during which time the 
Government will include CMMC requirements in certain solicitations and 
contracts. During the CMMC phase-in period, program managers and 
requiring activities will be required to include CMMC Status 
requirements in certain solicitations and contracts and will have 
discretion to include in others.
    A purpose of the phased implementation is to ensure adequate 
availability of authorized or accredited C3PAOs and assessors to meet 
the demand.

Revised CMMC Program Flow Down

    CMMC Level requirements will be flowed down to subcontractors at 
all tiers as set forth in Sec.  170.23; however, the specific CMMC 
Status required for a subcontractor will be based on the type of 
unclassified information and the priority of the acquisition program 
and/or technology being developed.

Key Changes Incorporated in the Revised CMMC Program

    In November 2021, the Department announced the revised CMMC 
Program, which is an updated program structure with revised 
requirements. In the revised CMMC Program, the Department has 
introduced several key changes that build on and refine the original 
program requirements. These include:
    • Streamlining the model from five levels to three levels.
    • Exclusively implementing National Institute of Standards 
and Technology (NIST) cybersecurity standards and guidelines.
    • Allowing all companies subject to Level 1, and a subset of 
companies subject to Level 2 to demonstrate compliance through 
self-assessments.
    • Increased oversight of professional and ethical standards 
of CMMC third-party assessors.
    • Allowing Plans of Action & Milestones (POA&M) under 
limited circumstances to achieve conditional certification.
    As a result of the alignment of the revised CMMC Program to NIST 
guidelines, the Department's requirements will continue to evolve as 
changes are made to the underlying NIST SP 800-171 R2, NIST SP 800-171A 
Jun2018, NIST SP 800-172 Feb2021, and NIST SP 800-172A Mar2022 
requirements.

CMMC Assessment

Assessment Criteria
    CMMC requires that defense contractors and subcontractors entrusted 
with FCI and CUI implement cybersecurity standards at progressively 
more secure levels, depending on the type and sensitivity of the 
information.
Level 1 Self-Assessment
    An annual Level 1 self-assessment and annual affirmation asserts 
that an OSA has implemented all the basic safeguarding requirements to 
protect FCI as set forth in Sec.  170.14(c)(2).
    An OSA can choose to perform the annual self-assessment internally 
or engage a third-party to assist with evaluating its Level 1 
compliance. Use of a third party to assist with the assessment process 
is still considered a self-assessment and results in a CMMC Status of 
Final Level 1 (Self). An OSA may achieve the CMMC Status of Level 1 
(Self) for an entire enterprise network or for a particular enclave(s), 
depending upon where the FCI is or will be processed, stored, or 
transmitted.
Level 2 Self-Assessment
    A Level 2 self-assessment and annual affirmation attests that an 
OSA has implemented all the security requirements to protect CUI as 
specified in Sec.  170.14(c)(3).
Level 2 Certification Assessment
    A Level 2 certification assessment, conducted by a C3PAO, verifies 
that an OSC is conforming to the security requirements to protect CUI 
as specified in Sec.  170.14(c)(3). Each OSC information system that 
will process, store, or transmit CUI in the execution of the contract 
is subject to the corresponding CMMC Status requirements set forth in 
the contract.
Level 3 Certification Assessment
    Achievement of the CMMC Status of Final Level 2 (C3PAO) for 
information systems within the Level 3 CMMC Assessment Scope is a 
prerequisite for initiating a Level 3 certification assessment. A Level 
3 certification assessment, conducted by DCMA Defense Industrial Base 
Cybersecurity Assessment Center (DIBCAC), verifies that an OSC has 
implemented the CMMC Level 3 security requirements to protect CUI as 
specified in Sec.  170.14(c)(4). A Level 3 certification assessment 
must be conducted for each OSC information system that will be used in 
the execution of the contract that will process, store, or transmit 
CUI.

Impact and Cost Analysis of the Revised CMMC Program

Summary of Impact

    Public comment feedback on the initial CMMC Program indicated that 
cost estimates were too low. The revised

[[Page 83176]]

CMMC Program cost estimates account for that feedback with the 
following improvements:
    • Allowance for outsourced IT services
    • Increased total time for the contractor to prepare for the 
assessment, including limited time for learning the reporting and 
affirmation processes
    • Allowance for use of consulting firms to assist with the 
assessment process
    • Time for a senior level manager to review the assessment and 
affirmation before submitting the results in SPRS
    • Updated government and contractor labor rates that include 
applicable burden costs
    As a result, some costs of the revised CMMC Program may be higher 
than those included in the initial CMMC Program.
    The revised CMMC Program impact analysis includes estimated costs 
for implementation of the revised CMMC Program requirements across 
Level 1, Level 2, and Level 3 for the Public (small and other than 
small entities, including the CMMC Ecosystem as set forth in 32 CFR 
subpart C) and the Government. In summary, the total estimated Public 
and Government costs associated with this rule, calculated for a 20-
year horizon in 2023 dollars at a 7 percent discount rate and a 3 
percent discount rate are provided as follows:
[GRAPHIC] [TIFF OMITTED] TR15OC24.002

[GRAPHIC] [TIFF OMITTED] TR15OC24.001

    Estimating the number of CMMC assessments for unique entities per 
level per year is complicated by the fact that companies may serve as a 
prime contractor on one effort but a subcontractor on others, and may 
also enter into subcontract agreements with more than one prime 
contractor for various opportunities.
    In addition, the CMMC Program relies upon free market influences of 
supply and demand to propel implementation. Specifically, the 
Department does not control which defense contractors aspire to compete 
for which business opportunities, nor does it control access to the 
assessment services offered by C3PAOs. OSAs may elect to complete a 
self-assessment or pursue a certification assessment at any time after 
issuance of the rule, in an effort to distinguish themselves as 
competitive for efforts that require an ability to adequately protect 
CUI. For that reason, the number of CMMC assessments for unique 
entities per level per year may vary significantly from the assumptions 
used in generating the cost estimate. The estimates represent the best 
estimates at this time based on internal expertise and public feedback.
    DoD utilized historical metrics gathered for the initial CMMC 
Program and subject matter expertise from Defense Pricing and 
Contracting (DPC) and DCMA DIBCAC to estimate the number of entities by 
type and by assessment level for this analysis. The following table 
summarizes the estimated profile used in this analysis.
[GRAPHIC] [TIFF OMITTED] TR15OC24.003


[[Page 83177]]


    DoD is planning for a phased roll-out of each assessment level 
across 7 years with the entity numbers reaching a maximum by Year 4 as 
shown in the tables. The target of Year 4 was selected based on the 
projected capacity of the CMMC Ecosystem to grow to efficiently support 
the entities in the pipeline. For modeling efficiency, a similar roll-
out is assumed regardless of entity size or assessment level. It is 
assumed that by year 7 the maximum number of entities is reached. 
Beyond year 7, the number of entities entering and exiting are expected 
to net to zero. The following tables reflect the number of new entities 
in each year and for each level.
[GRAPHIC] [TIFF OMITTED] TR15OC24.004

[GRAPHIC] [TIFF OMITTED] TR15OC24.005

[GRAPHIC] [TIFF OMITTED] TR15OC24.006


[[Page 83178]]



Public Costs

Summary of Impacted Awardee Entities
    According to data available in the Electronic Data Access system 
for fiscal years (FYs) 2019, 2020, and 2021, DoD awards an average of 
1,366,262 contracts and orders per year that contain DFARS clause 
252.204-7012, to 31,338 unique awardees, of which 683,718 awards (50%) 
are made to 23,475 small entities (75%).\37\
---------------------------------------------------------------------------

    \37\ The number of unique awardees impacted each year is \1/3\ 
of the average number of annual awardees according to the Electronic 
Data Access system (31,338/3 = 10,446). This estimate does not 
address new entrants or awardees who discontinue doing business with 
DoD.
---------------------------------------------------------------------------

Public Cost Analysis

    The following is a summary of the estimated Public costs of the 
revised CMMC Program for other than small \38\ entities, per assessment 
of a contractor information system, at the required periodicity for 
each CMMC level.
---------------------------------------------------------------------------

    \38\ Includes all businesses with the exception of those defined 
under the small business criteria and size standards provided in 13 
CFR 121.201 (See FAR Part 19.102)
    \39\ The Level 1 self-assessment and Level 2 self-assessment 
information collection reporting and recordkeeping requirements will 
be included in a modification of an existing DFARS collection 
approved under OMB Control Number 0750-0004, Assessing Contractor 
Implementation of Cybersecurity Requirements. Modifications to this 
DFARS collection will be addressed as part of the 48 CFR part 204 
CMMC Acquisition rule.
    \40\ The Level 1 self-assessment and Level 2 self-assessment 
information collection reporting and recordkeeping requirements will 
be included in a modification of an existing DFARS collection 
approved under OMB Control Number 0750-0004, Assessing Contractor 
Implementation of Cybersecurity Requirements. Modifications to this 
DFARS collection will be addressed as part of the 48 CFR part 204 
CMMC Acquisition rule.
[GRAPHIC] [TIFF OMITTED] TR15OC24.007

    The following is a summary of the estimated Public costs of the 
revised CMMC Program for Small Entities, per assessment of each 
contractor information system, estimated at one per entity, at the 
required periodicity for each CMMC level.
[GRAPHIC] [TIFF OMITTED] TR15OC24.008


[[Page 83179]]


    The total estimated Public (large and small entities) costs 
associated with this rule, calculated for a 20-year horizon in 2023 
dollars at a 7 percent and 3 percent discount rate, per OMB guidance, 
is provided as follows:
[GRAPHIC] [TIFF OMITTED] TR15OC24.009

Assumptions

    In estimating the Public costs, DoD considered applicable 
nonrecurring engineering costs, recurring engineering costs,\41\ 
assessment costs, and affirmation costs for each CMMC Level. For CMMC 
Levels 1 and 2, the cost estimates are based only upon the self-
assessment, certification assessment, and affirmation activities that a 
defense contractor, subcontractor, or ecosystem member must take to 
allow DoD to verify implementation of the relevant underlying security 
requirements, i.e., for CMMC Level 1, the security requirements set 
forth in FAR clause 52.204-21, and for CMMC Level 2, the security 
requirements set forth in NIST SP 800-171 R2. DoD did not consider the 
cost of implementing the security requirements themselves because 
implementation is already required by FAR clause 52.204-21, effective 
June 15, 2016, and by DFARS clause 252.204-7012, requiring 
implementation by Dec. 31, 2017, respectively; therefore, the costs of 
implementing the security requirements for CMMC Levels 1 and 2 should 
already have been incurred and are not attributed to this rule. As 
such, the nonrecurring engineering and recurring engineering costs to 
implement the security requirements defined for CMMC Level 1 and Level 
2 are not included in this economic analysis. However, cost estimates 
to implement CMMC Level 3, are included, as that CMMC level will 
require defense contractors and subcontractors, as applicable, to 
implement a DoD-defined subset of the security requirements set forth 
in NIST SP 800-172 Feb2021, a new addition to current security 
protection requirements.
---------------------------------------------------------------------------

    \41\ The terms nonrecurring engineering costs and recurring 
engineering costs are terms of art and do not only encompass actual 
engineering costs.
---------------------------------------------------------------------------

    In estimating the public cost for a defense contractor small entity 
to comply with CMMC Program requirements for each CMMC level, DoD 
considered non-recurring engineering costs, recurring engineering 
costs, assessment costs, and affirmation costs for each CMMC Level. 
These costs include labor and consulting.
    Estimates include size and complexity assumptions to account for 
typical organizational differences between small entities and other 
than small entities with respect to the handling of Information 
Technology (IT) and cybersecurity:
    • small entities are likely to have a less complex, less expansive 
operating environment and IT/Cybersecurity infrastructure compared to 
larger defense contractors
    • small entities are likely to outsource IT and cybersecurity to an 
External Service Provider (ESP)
    • entities (small and other than small) pursuing Level 2 
self-assessment are likely to seek consulting or implementation 
assistance from an ESP to either help them prepare for the assessment 
technically or participate in the assessment with the C3PAOs.
    Estimates do not include the cost to implement (Non-recurring 
Engineering Costs (NRE)) or maintenance costs (Recurring Engineering 
(RE)) associated with the security requirements prescribed in current 
regulations.
    For CMMC Levels 1 and 2, cost estimates are based upon assessment, 
reporting, and affirmation activities that a contractor or 
subcontractor will need to take to verify implementation of existing 
security requirements set forth in FAR clause 52.204-21, effective June 
15, 2016, to protect FCI, and DFARS clause 252.204-7012 which required 
implementation of NIST SP 800-171 requirements not later than December 
31, 2017, to protect CUI. As such, cost estimates are not included for 
an entity to implement the CMMC Level 1 or 2 security requirements, 
maintain implementation of these existing security requirements, or 
remediate a plan of action for unimplemented requirements.
    For CMMC Level 3, the cost estimates factor in the assessment, 
reporting, and affirmation activities in addition to estimates for NRE 
and RE to implement and maintain CMMC Level 3 security requirements. In 
addition to implementing the CMMC Level 2 security requirements, CMMC 
Level 3 requires implementing selected security requirements set forth 
in NIST SP 800-172 Feb2021 as described in Sec.  170.14(c)(4) which are 
not currently required through other regulations. CMMC Level 3 is 
expected to apply only to a small subset of defense contractors and 
subcontractors.
    The Cost Categories used for each CMMC Level are described:
    1. Nonrecurring Engineering Costs: Estimates consist of hardware, 
software, and the associated labor to implement the same. Costs 
associated with implementing the requirements set forth in FAR clause 
52.204-21 and NIST SP 800-171 R2 are assumed to have been already 
implemented and, therefore, are not accounted for in this cost 
estimate. As such, these costs only appear in CMMC Level 3. If 
nonrecurring engineering costs are referenced, they are only accounted 
for as a one-time occurrence and are reflected in the year of the 
initial assessment.
    2. Recurring Engineering Costs: Estimates consist of annually 
recurring fees and associated labor for technology refresh. Costs 
associated with implementing the requirements set forth in FAR clause 
52.204-21 and NIST SP 800-171 R2 are assumed to have been already 
implemented and, therefore, are not accounted for in this cost 
estimate. As such, these costs only appear in CMMC Level 3.
    3. Assessment Costs: Estimates consist of activities for pre-
assessment preparations (which includes gathering and/or developing 
evidence that the assessment objectives for each requirement have been 
satisfied), conducting and/or participating in the actual assessment, 
and completion of any post-assessment work. Assessment costs are 
represented by notional phases. Assessment costs assume the OSA passes 
the assessment on the first attempt (conditional--with an allowable 
POA&M or final). Each phase includes an estimate of hours to conduct 
the assessment activities including:

(a) Labor hour estimates for a company (and any ESP support) to prepare 
for and participate in the assessment.

[[Page 83180]]

(b) C3PAO cost estimates for companies pursuing a certification:
    • labor hour estimates for authorized or certified assessors to 
work with the business to conduct the actual assessment
    • Assessment Costs broken down into phases:
        ◦ Phase 1: Planning and preparing for the assessment
        ◦ Phase 2: Conducting the assessment (self or C3PAO)
        ◦ Phase 3: Reporting of Assessment Results
        ◦ Phase 4: POA&M Closeout (for CMMC Level 3 only, if 
applicable and allowed)
        ◦ CMMC allows a limited open Plan of Action and Milestones 
(POA&M) for a period of 180 days to remediate the POA&M, see Sec.  
170.21.

    4. Affirmations: Estimates consist of costs for an OSA to submit to 
SPRS an initial and, as applicable, any subsequent affirmations of 
compliance that the contractor information system is compliant with and 
will maintain compliance with the security requirements of the 
applicable CMMC Level. If POA&Ms are allowed, an affirmation must be 
submitted with the POA&M closeout. With the exception of Small Entities 
for Level 1 and Level 2, it is assumed the task requires the same labor 
categories and estimated hours as the final reporting phase of the 
assessment.
---------------------------------------------------------------------------

    \42\ IT = Information Technology, MGMT = Management.
    \43\ IT and MGMT rates represent an estimate for in-house labor 
and includes the labor rate plus fringe and employee-related 
expenses.
    \44\ Background assumes a Bachelor's degree as the minimum 
education level, additional requirements are noted including 
required years of experience. A Master's degree may reduce the 
required years of experience as noted.
    \45\ The ESP/C3PAO rate represents an estimate for outsourced 
labor and includes the labor rate, overhead expense, G&A expense, 
and profit.
---------------------------------------------------------------------------

    The categories and rates used for estimating purposes were compiled 
by subject matter experts based on current data available from within 
the DoD contractor database for comparable labor categories. A factor 
estimate of 30 percent was added to the labor rate per hour to include, 
but not limited to, company-sponsored benefits (fringe) and limited 
employee-related expenses such as training and certifications. This 
estimate is based on labor performed by indirect personnel (i.e., 
personnel who are part of overhead expense); therefore, the 30 percent 
factor represents an estimate for fringe expense and G&A expenses 
versus full overhead expense. The categories and rates inclusive of the 
labor cost plus the additional factor are defined in the table.
[GRAPHIC] [TIFF OMITTED] TR15OC24.010

[GRAPHIC] [TIFF OMITTED] TR15OC24.011


[[Page 83181]]



CMMC Level 1 Self-Assessment and Affirmation Costs

Other Than Small Entities

    • Nonrecurring and recurring engineering costs: There are no 
nonrecurring or recurring engineering costs associated with CMMC Level 
1, since it is assumed that the contractor or subcontractor has already 
implemented the applicable security requirements.\46\
---------------------------------------------------------------------------

    \46\ CMMC Level 1 consists of the same 15 basic safeguarding 
requirements specified in FAR clause 52.204-21. This cost analysis 
assumes that defense contractors and subcontractors already have 
contracts with FAR clause 52.204-21 and, therefore, have already 
implemented the 15 basic safeguarding requirements.
---------------------------------------------------------------------------

    • Assessment Costs: It is estimated that the cost to support a CMMC 
Level 1 self-assessment and affirmation is *$4,042 (as summarized in 
4.1.2, table 9). A Level 1 self-assessment is conducted annually, and 
is based on the assumptions detailed:

    • Phase 1: Planning and preparing for the self-assessment: $1,146
        ◦ A director (MGMT5) for 4 hours ($190.52/hr x 4hrs = $762)
        ◦ A manager (MGMT2) for 4 hours ($95.96/hr x 4hrs = $384)
    • Phase 2: Conducting the self-assessment: $1,728
        ◦ A director (MGMT5) for 6 hours ($190.52/hr x 6hrs = $1,143)
        ◦ A staff IT specialist (IT4) for 6 hours ($97.49/hr x 6hrs = 
$585)
    • Phase 3: Reporting of self-assessment results into SPRS: $584
        ◦ A director (MGMT5) for 2 hours ($190.52/hr x 2hrs = $381)
        ◦ A staff IT specialist (IT4) for 2.08 hours ($97.49/hr x 
2.08hrs = $203)
    • Affirmations: It is estimated that the costs to perform an 
initial and annual affirmation of compliance with CMMC Level 1 for an 
``other than small'' entity is $584
        ◦ A director (MGMT5) for 2 hours ($190.52/hr x 2hrs = $381)
        ◦ A staff IT specialist (IT4) for 2.08 hours ($97.49/hr x 
2.08hrs = $203)

    • The Level 1 self-assessment and affirmations cost burden will be 
addressed as part of the 48 CFR part 204 CMMC Acquisition rule.
    • Summary: The following is the annual other than small entities 
total cost summary for Level 1 self-assessments and affirmations over a 
ten-year period: (Example calculation, Year 1: *$4,042 per entity x 246 
entities (cumulative) = $994,233)
[GRAPHIC] [TIFF OMITTED] TR15OC24.012

Small Entities

    • Nonrecurring and recurring engineering costs: There are no 
nonrecurring or recurring engineering costs associated with CMMC Level 
1 since it is assumed the contractor or subcontractor has implemented 
the applicable security requirements.\47\
---------------------------------------------------------------------------

    \47\ Again, it is assumed that defense contractors and 
subcontractors have already implemented the 15 basic safeguarding 
requirements in FAR clause 52.204-21.
---------------------------------------------------------------------------

    • Assessment Costs and Initial Affirmation Costs: It is estimated 
that the cost to support a CMMC Level 1 self-assessment and affirmation 
is *$5,977 (as summarized in 4.1.2, table 10). A Level 1 
self-assessment is conducted annually, and is based on the assumptions 
detailed:

    • Phase 1: Planning and preparing for the self-assessment: $1,803
        ◦ A director (MGMT5) for 4 hours ($190.52/hr x 4hrs = $762)
        ◦ An external service provider (ESP) for 4 hours ($260.28/hr x 
4hrs = $1,041)
    • Phase 2: Conducting the self-assessment: $2,705
        ◦ A director (MGMT5) for 6 hours ($190.52/hr x 6hrs = $1,143)
        ◦ An external service provider (ESP) for 6 hours ($260.28/hr x 
6hrs = $1,562)
    • Phase 3: Reporting of assessment results into SPRS: $909
        ◦ A director (MGMT5) for 2 hours ($190.52/hr x 2hrs = $381)
        ◦ An external service provider (ESP) for 2 hours ($260.28/hr x 
2hrs = $521)
        ◦ A staff IT specialist (IT4-SB) for 0.08 hours \48\ 
($86.24/hr x 0.08hrs = $7)
    • Affirmation: initial affirmation post assessment: $560
    • Reaffirmations: It is estimated that the costs to reaffirm a CMMC 
Level 1 annually for a small entity is $560
        ◦ A director (MGMT5) for 2 hours ($190.52/hr x 2hrs = $381)
        ◦ A staff IT specialist (IT4-SB) for 2.08 hours ($86.24/hr x 
2.08hrs = $179)
    • The Level 1 self-assessment and affirmations cost burden will be 
addressed as part of the 48 CFR part 204 CMMC Acquisition rule.
---------------------------------------------------------------------------

    \48\ A person needs to enter the information into SPRS, which 
should only take five minutes.
---------------------------------------------------------------------------

    • Summary: The following is the annual small entities total cost 
summary for Level 1 self-assessments and affirmations over a ten-year 
period: (Example calculation, Year 1: *$5,977 per entity x 699 entities 
(cumulative) = $4,177,845)

[[Page 83182]]
[GRAPHIC] [TIFF OMITTED] TR15OC24.013

All Entities Summary

    The following is a summary of the combined costs for both small and 
other than small entities for Level 1 self-assessments and affirmations 
over a ten-year period:
[GRAPHIC] [TIFF OMITTED] TR15OC24.014

CMMC Level 2 Self-Assessment and Affirmation Costs

Other Than Small Entities

    • Nonrecurring and Recurring Engineering Costs: There are no 
nonrecurring or recurring engineering costs associated with Level 2 
self-assessment since it is assumed the contractor or subcontractor has 
implemented the NIST SP 800-171 R2 security requirements.
    • Self-Assessment Costs and Initial Affirmation Costs: It is 
estimated that the cost to support a Level 2 self-assessment and 
affirmation is *$43,403. The three-year cost is $48,827 (as summarized 
in 4.1.2, table 9), which includes the triennial assessment + 
affirmation, and two additional annual affirmations ($43,403 + $2,712 + 
$2,712).

    • Phase 1: Planning and preparing for the self-assessment: $18,015

[[Page 83183]]

        ◦ A director (MGMT5) for 30 hours ($190.52/hr x 30hrs = $5,716)
        ◦ A manager (MGMT2) for 40 hours ($95.96/hr x 40hrs = $3,838)
        ◦ A staff IT specialist (IT4) for 46 hours ($97.49/hr x 46hrs = 
$4,485)
        ◦ A senior IT specialist (IT3) for 26 hours ($81.96/hr x 26hrs 
= $2,131)
        ◦ An IT specialist (IT2) for 34 hours ($54.27/hr x 34hrs = 
$1,845)
    • Phase 2: Conducting the self-assessment: $19,964
        ◦ A director (MGMT5) for 24 hours ($190.52/hr x 24hrs = $4,572)
        ◦ A manager (MGMT2) for 24 hours ($95.96/hr x 24hrs = $2,303)
        ◦ A staff IT specialist (IT4) for 56 hours ($97.49/hr x 56hrs = 
$5,460)
        ◦ A senior IT specialist (IT3) for 56 hours ($81.96/hr x 56hrs 
= $4,590)
        ◦ An IT specialist (IT2) for 56 hours ($54.27/hr x 56hrs = 
$3,039)
    • Phase 3: Reporting of self-assessment results into SPRS: $2,712
        ◦ A director (MGMT5) for 4 hours ($190.52/hr x 4hrs = $762)
        ◦ A manager (MGMT2) for 4 hours ($95.96/hr x 4hrs = $384)
        ◦ A staff IT specialist (IT4) for 16 hours ($97.49/hr x 16hrs = 
$1,560)
        ◦ A senior IT specialist (IT3) for 0.08 hours ($81.96/hr x 
0.08hrs = $7)
    • Affirmation: initial affirmation post assessment: $2,712
    • Reaffirmations: It is estimated that the cost to perform an 
annual affirmation for CMMC Level 2 self-assessment is $2,712 (three-
year cost is $8,136, or $2,712 x 3):
        ◦ A director (MGMT5) for 4 hours ($190.52/hr x 4hrs = $762)
        ◦ A manager (MGMT2) for 4 hours ($95.96/hr x 4hrs = $384)
        ◦ A staff IT specialist (IT4) for 16 hours ($97.49/hr x 16hrs = 
$1,560)
        ◦ A senior IT specialist (IT3) for 0.08 hours ($81.96/hr x 
0.08hrs = $7)
    • The Level 2 self-assessment and affirmations cost burden will be 
addressed as part of the 48 CFR part 204 CMMC Acquisition rule.
    • Summary: The following is the annual other than small entities 
total cost summary for CMMC Level 2 self-assessments and affirmations 
over a ten-year period: (Example calculation, Year 2: (*$43,403 
assessment per entity x 35 entities) + ($2,712 annual affirmation per 
entity x 7 entities) = $1,538,092)
[GRAPHIC] [TIFF OMITTED] TR15OC24.015

Small Entities

    • Nonrecurring and recurring engineering costs: There are no 
nonrecurring or recurring engineering costs associated with Level 2 
self-assessment since it is assumed the contractor or subcontractor has 
implemented the NIST SP 800-171 R2 security requirements.
    • Self-Assessment Costs and Initial Affirmation Costs: It is 
estimated that the cost to support a Level 2 self-assessment and 
affirmation for a small entity is *$34,277. The three-year cost is 
$37,196 (as summarized in 4.1.2, table 10), which includes the 
triennial assessment + affirmation, plus two additional annual 
affirmations ($34,277 + $1,459 + $1,459).
    • Phase 1: Planning and preparing for the self-assessment: $14,426
        ◦ A director (MGMT5) for 32 hours ($190.52/hr x 32hrs = $6,097)
        ◦ An external service provider (ESP) for 32 hours ($260.28/hr 
x 32hrs = $8,329)
    • Phase 2: Conducting the self-assessment: $15,542
        ◦ A director (MGMT5) for 16 hours ($190.52/hr x 16hrs = $3,048)
        ◦ An external service provider (ESP) for 48 hours ($260.28/hr 
x 48hrs = $12,493)
    • Phase 3: Reporting of self-assessment results into SPRS: $2,851
        ◦ A director (MGMT5) for 4 hours ($190.52/hr x 4hrs = $762)
        ◦ An external service provider (ESP) for 8 hours ($260.28/hr x 
8hrs = $2,082)
        ◦ A staff IT specialist (IT4-SB) for 0.08 hours ($86.24/hr x 
0.08hrs = $7)
    • Affirmation: initial affirmation post assessment: $1,459
    • Reaffirmations: It is estimated that the costs to reaffirm a 
Level 2 self-assessment annually is $1,459 (three-year costs to 
reaffirm a Level 2 self-assessment annually is $4,377, or $1,459 x 3):
        ◦ A director (MGMT5) for 4 hours ($190.52/hr x 4hrs = $762)
        ◦ A staff IT specialist (IT4-SB) for 8.08 hours ($86.24/hr x 
8.08hrs = $697)

[[Page 83184]]

    • The Level 2 self-assessment and affirmations cost burden will be 
addressed as part of the 48 CFR part 204 CMMC Acquisition rule.
    • Summary: The following is the annual small entities total cost 
summary for Level 2 self-assessments and affirmations over a ten-year 
period: (Example calculation, Year 2: (*$34,277 self-assessment per 
entity x 101 entities) + ($1,459 annual affirmation per entity x 20 
entities) = $3,491,193)
[GRAPHIC] [TIFF OMITTED] TR15OC24.016

All Entities Summary

    The following is a summary of the cost to all entities regardless 
of size for Level 2 self-assessments and affirmations over a ten-year 
period:
[GRAPHIC] [TIFF OMITTED] TR15OC24.017


[[Page 83185]]



CMMC Level 2 Certification Assessment and Affirmation Costs

Other Than Small Entities

    • Nonrecurring and recurring engineering costs: There are no 
nonrecurring or recurring engineering costs associated with Level 2 
certification assessment since it is assumed the contractor or 
subcontractor has implemented the NIST SP 800-171 R2 security 
requirements.
    • Assessment and Initial Affirmation Costs: It is estimated that 
the cost to support a Level 2 certification assessment and annual 
affirmation for an ``other than small'' entity is *$112,345. The 
three-year cost is $117,768 (as summarized in 4.1.2, table 9), and 
includes a triennial assessment + affirmation, plus two additional 
annual affirmations ($112,345 + $2,712 + $2,712, with a minor rounding 
difference.)

    • Phase 1: Planning and preparing for the certification assessment: 
$26,264
        ◦ A director (MGMT5) for 32 hours ($190.52/hr x 32hrs = $6,097)
        ◦ A manager (MGMT2) for 64 hours ($95.96/hr x 64hrs = $6,141)
        ◦ A staff IT specialist (IT4) for 72 hours ($97.49/hr x 72hrs = 
$7,019)
        ◦ A senior IT specialist (IT3) for 40 hours ($81.96/hr x 40hrs 
= $3,278)
        ◦ An IT specialist (IT2) for 58 hours ($54.27/hr x 58hrs = 
$3,148)
        ◦ An associate IT specialist (IT1) for 16 hours ($36.32/hr x 
16hrs = $581)
    • Phase 2: Conducting the certification assessment: $28,600
        ◦ A director (MGMT5) for 32 hours ($190.52/hr x 32hrs = $6,097)
        ◦ A manager (MGMT2) for 32 hours ($95.96/hr x 32hrs = $3,071)
        ◦ A staff IT specialist (IT4) for 72 hours ($97.49/hr x 72hrs = 
$7,019)
        ◦ A senior IT specialist (IT3) for 72 hours ($81.96/hr x 72hrs 
= $5,901)
        ◦ An IT specialist (IT2) for 120 hours ($54.27/hr x 120hrs = 
$6,512)
    • Phase 3: Reporting of certification assessment results: $2,712
        ◦ A director (MGMT5) for 4 hours ($190.52/hr x 4hrs = $762)
        ◦ A manager (MGMT2) for 4 hours ($95.96/hr x 4hrs = $384)
        ◦ A staff IT specialist (IT4) for 16 hours ($97.49/hr x 16hrs = 
$1,560)
        ◦ A senior IT specialist (IT3) for 0.08 hours ($81.96/hr x 
0.08hrs = $7)
    • Affirmations: initial affirmation post assessment: $2,712
    • C3PAO Costs: C3PAO engagement inclusive of Phases 1, 2, and 3 
(5-person team) for 200 hours ($260.28/hr x 200hrs = $52,056)
    • Reaffirmations: It is estimated that the costs to reaffirm a 
Level 2 certification assessment annually is $2,712 (three-year cost is 
$8,136 or $2,712 x 3)
        ◦ A director (MGMT5) for 4 hours ($190.52/hr x 4hrs = $762)
        ◦ A manager (MGMT2) for 4 hours ($95.96/hr x 4hrs = $384)
        ◦ A staff IT specialist (IT4) for 8 hours ($97.49/hr x 8hrs = 
$1,560)
        ◦ A senior IT specialist (IT3) for 0.08 hours ($81.96/hr x 
0.08hrs = $7)

    • The Level 2 affirmations cost burden will be addressed as part of 
the 48 CFR part 204 CMMC Acquisition rule.
    • Summary: The following is the annual other than small entities 
total cost summary for Level 2 certification assessments and 
affirmations over a ten-year period: (Example calculation, Year 2: 
(*$112,345 assessment per entity x 673 entities) + ($2,712 annual 
affirmation per entity x 135 entities) = $75,974,425)
[GRAPHIC] [TIFF OMITTED] TR15OC24.018

Small Entities

    • Nonrecurring or recurring engineering costs: There are no 
nonrecurring or recurring engineering costs associated with Level 2 
certification assessment since it is assumed the contractor or 
subcontractor has implemented the NIST SP 800-171 R2 security 
requirements.
    • Assessment Costs and Initial Affirmation Costs: It is estimated 
that the cost to support a Level 2 certification assessment and 
affirmation for a small entity is *$101,752. The three-year cost is 
$104,670 (as summarized in 4.1.2, table 10), and includes the triennial 
assessment + affirmation plus two additional annual affirmations 
($101,752 + $1,459 + $1,459).

 Phase 1: Planning and preparing for the certification 
assessment: $20,699
     A director (MGMT5) for 54 hours ($190.52/hr x 54hrs = 
$10,288)
     An external service provider (ESP) for 40 hours ($260.28/hr x 
40hrs = $10,411)

[[Page 83186]]

 Phase 2: Conducting the certification assessment: $45,509
     A director (MGMT5) for 64 hours ($190.52/hr x 64hrs = $12,193)
     An external service provider (ESP) for 128 hours ($260.28/hr x 
128hrs = $33,316)
 Phase 3: Reporting of certification assessment results: $2,851
     A director (MGMT5) for 4 hours ($190.52/hr x 4hrs = $762)
     An ESP for 8 hours ($260.28/hr x 8hrs = $2,082)
     A staff IT specialist (IT4-SB) for 0.08 hours ($86.24/hr x 
0.08hrs = $7)
 Affirmations: cost to post initial affirmation: $1,459
 C3PAO Costs: C3PAO engagement inclusive of Phases 1, 2, and 3 
(3-person team) for 120 hours ($260.28/hr x 120hrs = $31,234)
 Reaffirmations: It is estimated that the cost to reaffirm a 
Level 2 certification assessment annually is $1,459 (three-year cost is 
$4,377, or $1,459 x 3)
     A director (MGMT5) for 4 hours ($190.52/hr x 4hrs = $762)
     A staff IT specialist (IT4-SB) for 8.08 hours ($86.24/hr x 
8.08hrs = $697)

     The Level 2 affirmations cost burden will be addressed as 
part of the 48 CFR part 204 CMMC Acquisition rule.
     Summary: The following is the annual small entities total 
cost summary for Level 2 certification assessments and affirmations 
over a ten-year period: (Example calculation, Year 2: (*$101,752 
assessment per entity x 1,926 entities) + ($1,459 annual affirmation 
per entity x 382 entities) = $196,531,451)
[GRAPHIC] [TIFF OMITTED] TR15OC24.019

All Entities Summary

    The following is a summary of the cost to all entities regardless 
of size for Level 2 certification assessment and affirmation costs over 
a ten-year period:

[[Page 83187]]

[GRAPHIC] [TIFF OMITTED] TR15OC24.020

CMMC Level 3 Certification Assessment and Affirmation Costs

    An OSC pursuing Level 3 certification assessment must have a CMMC 
Status of Final Level 2 (C3PAO), and also must demonstrate compliance 
with CMMC Level 3, which includes implementation of selected security 
requirements from NIST SP 800-172 Feb2021 not required in prior rules. 
Therefore, the Nonrecurring Engineering and Recurring Engineering cost 
estimates have been included for the initial implementation and 
maintenance of the required selected NIST SP 800-172 Feb2021 security 
requirements. The cost estimates account for time for an OSC to 
implement these security requirements and prepare for, support, 
participate in, and close out a Level 3 certification assessment 
conducted by DCMA DIBCAC. The OSC should keep in mind that the total 
cost of a Level 3 certification assessment includes the cost of a Level 
2 certification assessment as well as the costs to implement and assess 
the security requirements specific to Level 3. CMMC Level 3 is expected 
to affect a small subset of the DIB.

Other Than Small Entities, per Entity

     Nonrecurring Engineering Costs: $21,100,000.\49\
---------------------------------------------------------------------------

    \49\ DoD utilized subject matter expertise from Defense Pricing 
and Contracting (DPC) and DCMA DIBCAC to estimate the Nonrecurring 
and Recurring Engineering Costs.
---------------------------------------------------------------------------

     Recurring Engineering Costs: $4,120,000.
     Assessment Costs and Initial Affirmation Costs: It is 
estimated that the cost to support a Level 3 certification assessment 
and affirmation for an other than small entity is *$39,021. The three-
year cost is $44,445 (as summarized in 4.1.2, table 23), and includes 
the triennial assessment + affirmation, plus two additional annual 
affirmations ($39,021 + $2,712 + $2,712).

 Phase 1: Planning and preparing for the certification 
assessment: $7,066
     A director (MGMT5) for 12 hours ($190.52/hr x 12hrs = 
$2,286)
     A manager (MGMT2) for 12 hours ($95.96/hr x 12hrs = 
$1,152)
     A staff IT specialist (IT4) for 16 hours ($97.49/hr x 
16hrs = $1,560)
     A senior IT specialist (IT3) for 12 hours ($81.96/hr x 
12hrs = $984)
     An IT specialist (IT2) for 20 hours ($54.27/hr x 20hrs = 
$1,085)
 Phase 2: Conducting the certification assessment: $23,136
     A director (MGMT5) for 24 hours ($190.52/hr x 24hrs = 
$4,572)
     A manager (MGMT2) for 24 hours ($95.96/hr x 24hrs = 
$2,303)
     A staff IT specialist (IT4) for 64 hours ($97.49/hr x 
64hrs = $6,239)
     A senior IT specialist (IT3) for 64 hours ($81.96/hr x 
64hrs = $5,245)
     An IT specialist (IT2) for 88 hours ($54.27/hr x 88hrs = 
$4,776)
 Phase 3: Reporting of certification assessment results: $2,712
     A director (MGMT5) for 4 hours ($190.52/hr x 4hrs = $762)
     A manager (MGMT2) for 4 hours ($95.96/hr x 4hrs = $384)
     A staff IT specialist (IT4) for 16 hours ($97.49/hr x 
16hrs = $1,560)
     A senior IT specialist (IT3) for 0.08 hours ($81.96/hr x 
0.08hrs = $7)
 Phase 4: Closing out POA&Ms \50\ (for CMMC Level 3 if 
necessary and allowed): $3,394
---------------------------------------------------------------------------

    \50\ Costs for closing out POA&Ms are included at Level 3 
because the requirement to implement a subset of NIST SP 800-172 
Feb2021 security requirements is new with the CMMC rule. These costs 
are not included at Level 2 because the implementation of all NIST 
SP 800-171 R2 security requirements is already required.
---------------------------------------------------------------------------

     A director (MGMT5) for 8 hours ($190.52/hr x 8hrs = 
$1,524)
     A senior staff IT specialist (IT5) for 16 hours ($116.87/
hr x 16hrs = $1,870)
     Affirmations: initial affirmation post assessment: $2,712
 Reaffirmations: It is estimated that the cost to reaffirm a 
Level 3 certification assessment annually is $2,712 (three-year cost is 
$8,136, or $2,712 x 3)
     A director (MGMT5) for 4 hours ($190.52/hr x 4hrs = $762)
     A manager (MGMT2) for 4 hours ($95.96/hr x 4hrs = $384)
     A staff IT specialist (IT4) for 16 hours ($97.49/hr x 
16hrs = $1,560)
     A senior IT specialist (IT3) for 0.08 hours ($81.96/hr x 
0.08hrs = $7)

    The Level 3 affirmations cost burden will be addressed as part of 
the 48 CFR part 204 CMMC Acquisition rule.
     Summary: The following is the annual other than small 
entities total cost summary for Level 3 certification assessments and 
affirmations over a ten-year period. Example calculation, Year 2 
(reference per entity amounts shown):

 *($39,021 Certification per entity x 5 entities) + ($2,712 
Annual Affirmation per entity x 1 entity) = $197,818, and

[[Page 83188]]

 $105,500,000 Nonrecurring Engineering cost ($21,100,000 per 
entity x 5 entities being certified), and
 $24,720,000 Recurring Engineering cost ($4,120,000 per entity 
x 5 entities being certified) + ($4,120,000 per entity x 1 entity 
performing affirmations)
 $130,417,818 Total Cost = Certification and Affirmation Cost 
($197,818) + Nonrecurring Engineering cost ($105,500,000) + Recurring 
Engineering cost ($24,720,000), or $145,432,897.
[GRAPHIC] [TIFF OMITTED] TR15OC24.021

Small Entities

     Nonrecurring Engineering Costs: $2,700,000.
     Recurring Engineering Costs: $490,000.
     Assessment Costs and Initial Affirmation Costs: It is 
estimated that the cost to support a Level 3 certification assessment 
for a small entity is *$9,050. The three-year cost is $12,802 (as 
summarized in 4.1.2, table 10), and includes the triennial assessment 
+ affirmation, plus two additional annual affirmations ($9,050 + $1,876 
+ $1,876):

 Phase 1: Planning and preparing for the certification 
assessment: $1,905
     A director (MGMT5) for 10 hours ($190.52/hr x 10hrs = 
$1,905)
 Phase 2: Conducting the certification assessment: $1,524
     A director (MGMT5) for 8 hours ($190.52/hr x 8hrs = 
$1,524)
 Phase 3: Reporting of certification assessment results: $1,876
     A director (MGMT5) for 8 hours ($190.52/hr x 8hrs = 
$1,524)
     A staff IT specialist (IT4-SB) for 4.08 hours ($86.24/hr x 
4.08hrs = $352)
 Phase 4: Closing out POA&Ms \51\ (for CMMC Level 3 if 
necessary and allowed): $1,869
---------------------------------------------------------------------------

    \51\ Costs for closing out POA&Ms are included at Level 3 
because the requirement to implement a subset of NIST SP 800-172 
Feb2021 security requirements is new with the CMMC rule. These costs 
are not included at Level 2 because the implementation of all NIST 
SP 800-171 R2 security requirements is already required.
---------------------------------------------------------------------------

     A director (MGMT5) for 8 hours ($190.52/hr x 8hrs = 
$1,524)
     A staff IT specialist (IT4-SB) for 48 hours ($86.24/hr x 
48hrs = $345)
 Reaffirmations: It is estimated that the cost to reaffirm a 
Level 3 certification assessment annually is $1,876 (three-year cost is 
$5,628, or $1,876 x 3)
     A director (MGMT5) for 8 hours ($190.52/hr x 8hrs = 
$1,524)
     A staff IT specialist (IT4-SB) for 4.08 hours ($86.24/hr x 
4.08hrs = $352)

     The Level 3 affirmations cost burden will be addressed as 
part of the 48 CFR part 204 CMMC Acquisition rule.
    Summary: The following is the annual small entities total cost 
summary for Level 3 certification assessments and affirmations over a 
ten-year period. Example calculation, Year 2 (reference per entity 
amounts shown):

 *($9,050 Certification per entity x 45 entities) + ($1,876 
Annual Affirmation per entity x 3 entities) = $412,897, and
 $121,500,000 Nonrecurring Engineering cost ($2,700,000 per 
entity x 45 entities being certified), and

[[Page 83189]]

 $23,520,000 Recurring Engineering cost ($490,000 per entity x 
45 entities being certified) + ($490,000 per entity x 3 entities 
performing affirmations)
 $145,432,897 Total Cost = Certification and Affirmation Cost 
($412,897) + Nonrecurring Engineering cost ($121,500,000) + Recurring 
Engineering cost ($23,520,000), or $145,432,897.
[GRAPHIC] [TIFF OMITTED] TR15OC24.022

All Entities Summary

    The following is a summary of the cost to all entities regardless 
of size for Level 3 certification assessments and affirmations over a 
ten-year period:

[[Page 83190]]

[GRAPHIC] [TIFF OMITTED] TR15OC24.023

Government Costs

Summary of Impact

    The following is a summary of the estimated Government costs 
calculated for a 20-year horizon in 2023 dollars at a 7 percent and 3 
percent discount rate. The Government costs include conducting Level 3 
certification assessments, uploading results into the CMMC 
instantiation of eMASS, and the CMMC PMO costs.
[GRAPHIC] [TIFF OMITTED] TR15OC24.024

Government Costs (All Levels)

    The estimated Government costs utilize the entity numbers and 
phased roll-out detailed in the Public cost section. The DIBCAC 
estimated the detailed hours for all activities and other costs in a 
manner similar to the details shown in the Public cost section. Labor 
efforts for the Government are focused on Level 3. For purposes of the 
cost estimate, Government labor is based on the average of step one, 
five, and ten for GS-11 through GS-15 labor elements for the Washington 
DC area. The cost of labor was increased by a factor of approximately 
51 percent which includes an estimated fringe factor (fringe factor 
includes estimated average insurance and pension benefits) plus 
overhead (overhead factor represents supervision and management of the 
labor) to arrive at the estimated labor rates. The Government labor in 
this estimate is performed by DCMA, which is a labor-intensive agency 
with limited overhead expenses. Therefore, the overall added factor of 
51 percent is appropriate versus a typical full overhead factor of 100 
percent.

CMMC Database Infrastructure Costs

    The Government will develop the operational CMMC instantiation of 
eMASS. The cost analysis assumes that the nonrecurring engineering 
(NRE) cost includes the requirements development, architecture design, 
security, prototyping and testing, and approvals or certifications.\52\ 
The nonrecurring engineering cost is a one-time fee of $4,631,213 and 
is reflected here as incurred in the initial year of the estimate. The 
Year 1 amount is based on the actual cost incurred in FY2020 with 
adjustment for inflation to arrive at base year (BY) 1 dollars (2023).
---------------------------------------------------------------------------

    \52\ Nonrecurring engineering costs were first incurred in FY20. 
The cost has inflation applied to put the value in 2023 base year 
(BY) dollars.
---------------------------------------------------------------------------

    The recurring engineering (RE) cost includes database management, 
data analysis, cybersecurity, storage and backups, licensing, and 
infrastructure.\53\
---------------------------------------------------------------------------

    \53\ The recurring engineering cost is based on the costs 
incurred in FY20 and FY21. The values for Year 1 (FY20) and Year 2 
(FY21) are actual historic values that have inflation applied to 
them to put them in base year 2023 dollars. Each subsequent year's 
recurring engineering cost is based on the average of the two 
historic actual values.
---------------------------------------------------------------------------

    The costs for recurring engineering in Year 1 ($2,336,038) and Year 
2 ($1,804,480) are based on historical amounts incurred for FY 2020 and 
FY 2021 with adjustment for inflation to arrive at base year 1 and Year 
2 dollars (2023 and 2024). The estimated recurring engineering for Year 
3 forward is calculated as the average of the Year 1 and Year 2 amounts 
(($2,336,038 + $1,804,480)/2 = $2,070,259).

[[Page 83191]]

    The following table summarizes the nonrecurring engineering (NRE) 
and recurring engineering (RE) costs for Year 1 through Year 5:
[GRAPHIC] [TIFF OMITTED] TR15OC24.025

Total Government Costs

    The following is a summary of the total Government costs over a 
ten-year period:
[GRAPHIC] [TIFF OMITTED] TR15OC24.026

Total Public and Government Costs

    The following is a summary of the total estimated annual Public and 
Government cost associated with implementation of the CMMC Program over 
a ten-year period:

[[Page 83192]]

[GRAPHIC] [TIFF OMITTED] TR15OC24.027

Alternatives

    DoD considered and adopted several alternatives during the 
development of this rule that reduce the burden on defense contractors 
and still meet the objectives of the rule. These alternatives include: 
(1) maintaining status quo and leveraging only the current requirements 
implemented in DFARS provision 252.204-7019 and DFARS clause 252.204-
7020 requiring defense contractors and offerors to self-assess 
utilizing the DoD Assessment Methodology and entering a Basic Summary 
Score; (2) revising CMMC to reduce the burden for small businesses and 
contractors who do not process, store, or transmit critical CUI by 
eliminating the requirement to hire a C3PAO and instead allow self-
assessment with affirmation to maintain compliance at CMMC Level 1, and 
allowing triennial self-assessment with an annual affirmation to 
maintain compliance for some CMMC Level 2 programs; (3) exempting 
contracts and orders exclusively for the acquisition of commercially 
available off-the-shelf items; and (4) implementing a phased 
implementation for CMMC.
    In addition, the Department took into consideration the timing of 
the requirement to achieve a specified CMMC Status: (1) at time of 
proposal or offer submission, (2) after contract award, (3) at the time 
of contract award, or (4) permitting government Program Managers to 
seek approval to waive inclusion of CMMC Status requirements in 
solicitations that involve disclosure or creation of FCI or CUI as part 
of the contract effort. Such waivers will be requested and approved by 
DoD in accordance with internal policies, procedures, and approval 
requirements. The Department ultimately adopted alternatives 3 and 4. 
The drawback of alternative 1 (at time of proposal or offer submission) 
is the increased risk for contractors since they may not have 
sufficient time to achieve the required CMMC Status after the release 
of the solicitation. The drawback of alternative 2 (after contract 
award) is the increased risk to the Department with respect to the 
costs, program schedule, and uncertainty in the event the contractor is 
unable to achieve the required CMMC Status in a reasonable amount of 
time given their current cybersecurity posture. This potential delay 
would apply to the entire supply chain and prevent the appropriate flow 
of CUI and FCI.

Benefits

    The Department of Defense expects this final rule to protect DoD 
and industry from the loss of FCI and CUI, including intellectual 
property. The theft of intellectual property and FCI and CUI due to 
malicious cyber activity threatens U.S. economic security and national 
security. In 2010, the Commander of the U.S. Cyber Command and Director 
of the National Security Agency estimated the value of U.S. 
intellectual property to be $5 trillion and that $300 billion is stolen 
over networks annually.\54\ The 2013 Intellectual Property Commission 
Report provided concurrence and noted that the ongoing theft represents 
``the greatest transfer of wealth in history.'' The report also 
highlighted the challenges of generating an exact figure because 
Government and private studies tend to understate the impacts due to 
inadequate data or scope, which is evidenced in subsequent 
analyses.\55\
---------------------------------------------------------------------------

    \54\ www.govinfo.gov/content/pkg/CHRG-113hhrg86391/html/CHRG-113hhrg86391.htm.
    \55\ www.nbr.org/program/commission-on-the-theft-of-intellectual-property/.
---------------------------------------------------------------------------

    The responsibility of Federal agencies to protect FCI or CUI does 
not change when such information is shared with defense contractors. A 
comparable level of protection is needed when FCI or CUI is processed, 
stored, or transmitted on contractor information systems.\56\ The 
protection of FCI, CUI, and intellectual property on defense contractor 
systems can directly impact the ability of the Federal Government to 
successfully conduct its essential missions and functions.\57\
---------------------------------------------------------------------------

    \56\ www.cybernc.us/fci-cui/.
    \57\ GAO Report to Congress, Defense Contractor Cybersecurity 
Stakeholder Communication and Performance Goals Could Improve 
Certification Framework, December 2021.
---------------------------------------------------------------------------

    Malicious cyber actors have targeted and continue to target the DIB 
sector that consists of approximately 220,000 small-to-large sized 
entities that support the warfighter. In particular, actors ranging 
from cyber criminals to nation-states continue to attack companies and 
organizations that comprise the Department's multi-tier supply chain 
including smaller entities at the lower tiers. From at least January 
2020, through February 2022, the Federal Bureau of Investigation (FBI), 
National Security Agency (NSA), and Cybersecurity and Infrastructure 
Security Agency (CISA) observed regular targeting of U.S. cleared 
defense contractors (CDCs) by Russian state-sponsored cyber actors. The 
actors have targeted sensitive, unclassified information, as well as 
proprietary and export-controlled technology. The acquired information 
provides significant insight into U.S. weapons platforms development 
and deployment timelines, vehicle specifications, and plans for 
communications infrastructure and IT. By acquiring proprietary internal 
documents and email communications, adversaries may be able to adjust 
their own military plans and priorities, hasten technological 
development efforts, inform foreign policymakers of U.S. intentions, 
and target potential sources for recruitment.\58\

[[Page 83193]]
---------------------------------------------------------------------------

    \58\ www.cisa.gov/news-events/cybersecurity-advisories/aa22-047a.
---------------------------------------------------------------------------

    In addition to stealing intellectual property for military gains, 
Russia may conduct cyber-attacks against the U.S. for retaliatory 
purposes. On March 21, 2022, the Biden-Harris Administration stated 
intelligence indicates that the Russian Government and Russian-aligned 
cybercrime groups have threatened to conduct cyber operations in 
retaliation for perceived cyber offensives against the Russian 
Government or the Russian people.\59\
---------------------------------------------------------------------------

    \59\ www.whitehouse.gov/briefing-room/statements-releases/2022/03/21/statement-by-president-biden-on-our-nations-cybersecurity/.
---------------------------------------------------------------------------

    The aggregate loss of intellectual property and CUI from the DoD 
supply chain severely undercuts U.S. technical advantage, limits and 
disrupts business opportunities associated with technological 
superiority, and ultimately threatens our national defenses and 
economy. By incorporating heightened cybersecurity into acquisition 
programs, the CMMC Program provides the Department assurance that 
contractors and subcontractors are meeting DoD's cybersecurity 
requirements and provides a key mechanism to adapt to an evolving 
threat landscape. This is critically important to the Department 
because defense contractors are the target of increasingly frequent and 
complex cyberattacks by adversaries and non-state actors. Dynamically 
enhancing DIB cybersecurity to meet these evolving threats and 
safeguarding the information that supports and enables our warfighters 
is a top priority for the Department. The CMMC Program is a key 
component of the Department's DIB cybersecurity effort.
    CMMC provides uniform and improved DoD cybersecurity requirements 
in three (3) levels, using the security requirements in NIST SP 800-171 
R2 and a selected subset of those in NIST SP 800-172 Feb2021. With this 
rule, the Department is publishing supplemental guidance documents to 
assist the public and in particular, small businesses, with CMMC 
implementation, increasing the likelihood of successful implementation 
and strengthening cybersecurity across the DIB. CMMC decreases the 
burden and cost on companies protecting FCI by allowing all companies 
at Level 1, and a subset of companies at Level 2, to demonstrate 
compliance through self-assessments. CMMC allows companies, under 
certain limited circumstances, to make a Plan of Action & Milestones 
(POA&M) to provide additional time to achieve a Final CMMC Status. 
These key updates to CMMC benefit the DoD and our national interest by 
providing:
     improved safeguarding of competitive advantages through 
requirements flow-down to the defense contractor supply chain and 
protections for proprietary information and capabilities, and
     increased efficiency in the economy and private markets as 
a result of the streamlining of cybersecurity requirements, the 
resulting improvements in cybersecurity, and accountability across the 
supply chain.
    In summary, the CMMC Program enforces and validates implementation 
of DoD's required cyber protection standards for companies in the DIB, 
preserving U.S. technical advantage. In addition, CMMC increases 
security for the most sensitive CUI by applying additional requirements 
at Level 3. Implementation of CMMC will help protect FCI and CUI upon 
which DoD systems and critical infrastructure rely, making it vital to 
national security. CMMC is focused on securing the Department's supply 
chain, including the smallest, most vulnerable innovative companies. 
The security risks that result from the significant loss of FCI and 
CUI, including intellectual property and proprietary data, make 
implementation of the CMMC Program vital, practical, and in the public 
interest.

III. Regulatory Compliance Analysis

A. Executive Order 12866, ``Regulatory Planning and Review'' and 
Executive Order 13563, ``Improving Regulation and Regulatory Review,'' 
as Amended by Executive Order 14094, ``Modernizing Regulatory Review''

    These Executive Orders direct agencies to assess all costs, 
benefits, and available regulatory alternatives and, if regulation is 
necessary, to select regulatory approaches that maximize net benefits 
(including potential economic, environmental, public health, safety 
effects, distributive impacts, and equity). These Executive Orders 
emphasize the importance of quantifying both costs and benefits, of 
reducing costs, of harmonizing rules, and of promoting flexibility. The 
Office of Management and Budget (OMB) has determined this final rule is 
significant as defined by Section 3(f)(1) for purposes of Executive 
Order 12866, as amended by Executive Order 14094.

B. Congressional Review Act (5 U.S.C. 801 et seq.)

    As defined by 5 U.S.C. 804(2), a major rule is a rule that the 
Administrator of the Office of Information and Regulatory Affairs of 
the Office of Management and Budget finds has resulted in or is likely 
to result in--(a) an annual effect on the economy of $100,000,000 or 
more; (b) a major increase in costs or prices for consumers, individual 
industries, Federal, State, or local government agencies, or geographic 
regions; or (c) significant adverse effects on competition, employment, 
investment, productivity, innovation, or on the ability of United 
States-based enterprises to compete with foreign-based enterprises in 
domestic and export markets. This rule has been designated a major rule 
because it is expected to have an annual effect on the economy of $100 
million or more.

C. Public Law 96-354, ``Regulatory Flexibility Act'' (5 U.S.C. 601)

    The Department of Defense Chief Information Officer certified that 
this rule is subject to the Regulatory Flexibility Act (5 U.S.C. 601) 
because it would, if promulgated, have a significant economic impact on 
a substantial number of small entities.
    DoD has considered previous comments from Small Business 
Administration (SBA) regarding the impact and cost to small businesses 
to implement CMMC. In July 2022, the CMMC PMO met with the Office of 
Advocacy for the U.S. SBA to address the revisions planned in CMMC that 
are responsive to prior SBA concerns, with which the SBA was satisfied.
    An Initial Regulatory Flexibility Analysis that includes a detailed 
discussion and explanation about the assumptions and methodology used 
to estimate the cost of this regulatory action on small entities 
follows and is available at www.regulations.gov (search for ``DoD-2023-
OS-0063,'' click ``Open Docket,'' and view ``Supporting Documents'').
    This final regulatory flexibility analysis has been prepared 
consistent with 5 U.S.C. 603.

D. Final Regulatory Flexibility Analysis

    This final regulatory flexibility analysis has been prepared 
consistent with 5 U.S.C. 604(a).

Reasons for the Action

    This final rule is necessary to create a secure and resilient 
supply chain, by addressing threats to the U.S. economy and national 
security from ongoing malicious cyber activities and preventing theft 
of hundreds of billions of dollars of U.S. intellectual property. The 
President's Executive Order (E.O.) 14028, ``Improving the Nation's 
Cybersecurity,'' \60\ emphasized that industrial security needs 
strengthening to ensure investments are not lost through intellectual 
property theft or among other supply chain risks.

[[Page 83194]]
---------------------------------------------------------------------------

    \60\ www.gsa.gov/technology/it-contract-vehicles-and-purchasing-programs/technology-products-services/it-security/executive-order-14028.
---------------------------------------------------------------------------

    Currently, the Federal Acquisition Regulation (FAR) and Defense 
Federal Acquisition Regulation Supplement (DFARS) prescribe contract 
clauses intended to protect Federal Contract Information (FCI) and 
Controlled Unclassified Information (CUI) within the Department of 
Defense (DoD) supply chain. Specifically, FAR clause 52.204-21, Basic 
Safeguarding of Covered Contractor Information Systems, is prescribed 
at FAR 4.1903 for use in Government 
solicitations and contracts when the contractor or a subcontractor at 
any tier may have FCI residing in or transiting through its information 
system. The FAR clause focuses on ensuring a basic level of 
cybersecurity hygiene and is reflective of actions that a prudent 
businessperson would employ.
    In addition, DFARS clause 252.204-7012, Safeguarding Covered 
Defense Information and Cyber Incident Reporting, is prescribed in 
DFARS 204.7304(c) for use in DoD solicitations and contracts that 
require processing, storing, or transmitting of CUI in contractor owned 
information systems. DFARS clause 252.204-7012 requires defense 
contractors and subcontractors to provide ``adequate security'' to 
process, store or transmit CUI on information systems or networks, and 
to report cyber incidents that affect these systems or networks. The 
clause states that to provide adequate security, the contractor shall 
implement, at a minimum, the security requirements in ``National 
Institute of Standards and Technology (NIST) Special Publication (SP) 
800-171 R2, Protecting CUI in Nonfederal Systems and Organizations.'' 
Contractors are also required to flow down DFARS clause 252.204-7012 to 
all subcontracts that involve CUI.
    However, neither FAR clause 52.204-21 nor DFARS clause 252.204-
7012, provide for DoD verification of a contractor's implementation of 
basic safeguarding requirements specified in those clauses prior to 
contract award. DFARS clause 252.204-7020, NIST SP 800-171 DoD 
Assessment Requirements, applies to contractor information systems that 
are subject to NIST SP 800-171 requirements pursuant to DFARS clause 
252.204-7012. DFARS provision 252.204-7019 and DFARS clause 252.204-7020 
require offerors and contractors (including subcontractors) 
respectively to score their implementation of NIST SP 800-171 
requirements for each contractor information system that is relevant to 
the offer or contract and to submit, at minimum, summary level self-
assessment scores in the Supplier Performance Risk System (SPRS) for a 
minimum of a Basic Assessment, which is a contractor self-assessment. 
The SPRS submission includes the NIST SP 800-171 version against which 
the assessment was conducted, all industry Commercial and Government 
Entity (CAGE) code(s) associated with the information system(s) 
addressed by the required system security plan, the date of assessment, 
the summary level score, and the date all NIST SP 800-171 R2 
requirements are expected to be implemented based on the associated 
plan(s) of action in accordance with NIST SP 800-171 R2. Accordingly, 
and upon submission of an offer, when applicable, the contractor must 
verify that a summary level score(s) of a current NIST SP 800-171 DoD 
Assessment is posted in SPRS for all contractor information systems 
relevant to the offer to signify appropriate implementation of NIST SP 
800-171 R2 requirements.
    Findings from DoD Inspector General report (DODIG-2019-105 ``Audit 
of Protection of DoD CUI on Contractor-Owned Networks and Systems'') 
indicate that DoD contractors did not consistently implement mandated 
system security requirements for safeguarding CUI. That report included 
recommendations that DoD take steps to assess a contractor's ability to 
protect this information. The report emphasizes that malicious actors 
can exploit vulnerabilities in contractors' information systems and 
exfiltrate information related to some of the Nation's most valuable 
advanced defense technologies. Due to these shortcomings and the 
associated risks to national security, the Department developed the 
Cybersecurity Maturity Model Certification (CMMC) Program to assess 
contractor and subcontractor implementation of DoD's required 
cybersecurity standards.
    The CMMC Program verifies compliance with DoD cyber protection 
standards by defense contractors and subcontractors and is designed to 
protect FCI and CUI that is shared by the Department with its 
contractors and subcontractors, and when developed by a contractor in 
the course of contract performance but not shared. The program 
incorporates a set of cybersecurity requirements into acquisition 
contracts and provides the Department increased assurance that 
contractors and subcontractors are meeting these requirements. The CMMC 
Program has three key features:
     Tiered Model: CMMC requires that companies demonstrate, 
through assessment, that they have implemented cybersecurity 
requirements. The type of assessment and requirements against which it 
is conducted are selected based on the information that must be 
safeguarded. The program also sets forth the requirements for flow down 
of CMMC requirements to subcontractors.
     Assessment Requirement: CMMC assessments allow the 
Department to verify the implementation of cybersecurity requirements.
     Implementation through Contracts: Once CMMC is fully 
implemented, DoD contractors that handle FCI and CUI on their non-
Federal information systems will be required to achieve a particular 
CMMC Status as a condition of contract award.
    In September 2020, the DoD published the 48 CFR CMMC interim final 
rule in the Federal Register (DFARS Case 2019-D041) that implemented 
the DoD's initial vision for the CMMC Program and outlined the key 
features of the program. The 48 CFR CMMC interim final rule became 
effective on November 30, 2020.
    In March 2021, the Department initiated an internal review of 
CMMC's implementation, informed by more than 750 public comments in 
response to the 48 CFR CMMC interim final rule. This comprehensive, 
programmatic assessment engaged cybersecurity and acquisition leaders 
within DoD to refine policy and program implementation.
    In November 2021, the Department announced an updated program 
structure with revised requirements designed to achieve the primary 
goals identified by DoD's internal review of the CMMC Program. With the 
implementation of the revised CMMC program, the Department introduced 
several key changes that build on and refine the original program 
requirements. These include:
     Streamlining the CMMC model from five levels to three 
levels.
     Exclusively implementing National Institute of Standards 
and Technology (NIST) cybersecurity guidelines.
     Allowing all companies subject to CMMC Level 1 
requirements and a subset of companies subject to CMMC Level 2 
requirements to demonstrate CMMC compliance through self-assessments.
     Increased oversight of professional and ethical standards 
of third-party assessors.

[[Page 83195]]

     Allowing Plans of Action & Milestones (POA&M) under 
limited circumstances to achieve conditional certification.
    In July 2022, the CMMC Program Management Office (PMO) met with the 
Office of Advocacy for the U.S. SBA to address the revisions planned 
for CMMC and again met in July 2023 to review the proposed 32 CFR part 
170 CMMC Program rule updates that are responsive to prior SBA 
concerns. As a result of the alignment of CMMC requirements to NIST 
guidelines, the Department's requirements continue to evolve as changes 
are made to the underlying NIST SP 800-171 R2 and NIST SP 800-172 
Feb2021 requirements. Such changes will not be effective as CMMC 
requirements unless and until made effective through rulemaking.
Objectives of, and Legal Basis for, the Rule
    Legal Basis: 5 U.S.C. 301; Sec. 1648, Public Law 116-92, 133 Stat. 
1198.
    The objective of this final CMMC Program rule is to provide the 
Department with increased assurance that a defense contractor can 
adequately protect FCI and CUI commensurate with the risk, also 
accounting for information flow down to its subcontractors in a multi-
tier supply chain. This rule meets the objective by providing a 
mechanism to assess contractor and subcontractor implementation of 
DoD's cyber security protection requirements for FCI and CUI. 
Implementation of the CMMC Program is intended to address the following 
policy issues:
(a) Verification of a Contractor's Cybersecurity Posture
    Effective June 2016, FAR clause 52.204-21 Basic Safeguarding of 
Contractor Information Systems, requires Federal contractors and 
subcontractors to implement 15 basic safeguarding requirements, as 
applicable, to protect contractor information systems that process, 
store, or transmit FCI.
    December 31, 2017, was the DoD deadline for contractors to 
implement, as applicable, the cybersecurity protection requirements set 
forth in NIST SP 800-171 R2, Protecting Controlled Unclassified 
Information in Nonfederal Systems and Organizations, in accordance with 
requirements of DFARS clause 252.204-7012, Safeguarding Covered Defense 
Information and Cyber Incident Reporting. NIST SP 800-171A Jun2018 
states, ``For the CUI security requirements in NIST Special Publication 
800-171 Rev 2, nonfederal organizations describe in a system security 
plan, how the specified requirements are met or how organizations plan 
to meet the requirements.'' \61\ The NIST process provides contractors 
with a tool to assess their security posture and decide if or when to 
mitigate the risks based upon the organizational risk tolerance. When 
the DoD implemented the NIST SP 800-171 requirements with a not-later-
than date of December 2017, the policy intent was to permit contractors 
some flexibility to remediate lagging NIST requirements, and document 
them in plans of action, and resolve those deficiencies within a 
reasonable period. An unintended consequence of this flexibility was 
that some contractors went well beyond what was intended: rather than 
securing systems that must adequately safeguard CUI in a timely manner, 
they created open-ended plans of action with undefined closure dates. 
The effect was to delay full compliance with safeguarding requirements 
for years. As a 
result, the DoD's implementation of the NIST SP 800-171 requirements, 
as mandated by 32 CFR part 2002, has not been fully effective or 
validated. This necessitates implementation of the CMMC Program to 
enforce a finite timeline for full compliance of contractual 
requirements.
---------------------------------------------------------------------------

    \61\ https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171A.pdf.
---------------------------------------------------------------------------

    Findings from DoD Inspector General report (DODIG-2019-105 ``Audit 
of Protection of DoD Controlled Unclassified Information on Contractor-
Owned Networks and Systems'') indicated that DoD contractors did not 
consistently implement mandated system security requirements for 
safeguarding CUI and recommended that DoD take steps to assess a 
contractor's ability to protect this information.
    CMMC adds an assessment requirement to verify defense contractors 
and subcontractors have implemented the applicable security 
requirements prior to award. CMMC also adds requirements at each CMMC 
level for contractors and subcontractors to affirm initial compliance 
with the specified CMMC security requirements and provide annual 
affirmations thereafter.
(b) Comprehensive Implementation of Cybersecurity Requirements
    Although the security requirements in NIST SP 800-171 R2 address a 
range of threats, they do not sufficiently address Advanced Persistent 
Threats (APTs). An APT is an adversary that possesses sophisticated 
levels of expertise and significant resources, which allow it to create 
opportunities to achieve its objectives by using multiple attack 
vectors (e.g., cyber, physical, and deception). To address APTs, NIST 
has published NIST SP 800-172 Feb2021. CMMC Level 3 certification 
assessment provides for government assessment of a contractor's 
implementation of a defined subset of NIST SP 800-172 Feb2021 Enhanced 
Security Requirements with DoD predefined parameters and 
specifications.
(c) Scale and Depth
    Today, DoD prime contractors must include DFARS clause 252.204-7012 
in subcontracts for which performance will involve covered defense 
information, but this does not provide the Department with sufficient 
insights with respect to the cybersecurity posture of all members of a 
multi-tier supply chain for any given program or technology development 
effort. The revised CMMC Program requires prime contractors to flow 
down CMMC requirements, as applicable, to subcontractors throughout 
their supply chain(s).
    Given the size of the Defense Industrial Base (DIB), the Department 
cannot scale its existing cybersecurity assessment workforce to conduct 
on-site assessments of approximately 220,000 DoD contractors and 
subcontractors every three years. The Department's existing assessment 
capability is best suited for conducting targeted assessments for the 
relatively small subset of DoD contractors and subcontractors that 
support designated high-priority programs.
    CMMC addresses the Department's scaling challenges by utilizing a 
private-sector accreditation structure. The DoD-recognized 
Accreditation Body will authorize, accredit, and provide oversight of 
CMMC Third-Party Assessment Organizations (C3PAO) which in turn will 
conduct CMMC Level 2 certification assessments of actual and 
prospective DoD contractors and subcontractors. Organizations Seeking 
Certification (OSCs) will directly contract with an authorized or 
accredited C3PAO to undergo a Level 2 certification assessment to 
achieve a CMMC Status of Conditional and Final Level 2 (C3PAO). The 
cost of CMMC Level 2 activities is driven by multiple factors, 
including market forces that govern availability of C3PAOs and the size 
and complexity of the enterprise or enclave under assessment. The 
Government will perform Level 3 certification assessments. Government 
resource limitations may affect schedule availability.

[[Page 83196]]

(d) Reduces Duplicate or Repetitive Assessments of Our Industry Partners
    CMMC assessment results and contractor affirmations of compliance 
will be posted in Supplier Performance Risk System (SPRS), DoD's 
authoritative source for supplier and product performance information. 
Posting CMMC assessment results in SPRS precludes the need to validate 
CMMC implementation on a contract-by-contract basis. This enables DoD 
to identify whether the CMMC assessment requirements have been met for 
relevant contractor information system(s), avoids duplicative 
assessments, and eliminates the need for program level assessments, all 
of which results in decreased costs to both DoD and industry.
Significant Issues Raised by Public Comments
    The CMMC proposed rule was published in the Federal Register on 
December 26, 2023, to initiate the mandatory 60-day public review and 
comment period for this rule and the supporting documents that ended on 
February 26, 2024. From the volume of comments received on the CMMC rule 
documents, from or concerning Small Businesses, the following 
significant issues were raised.
    1. Cost. Some comments identified that the proposed rule does not 
address how the CMMC Program will be funded, or how the costs of 
certification and compliance will be shared between the DoD and the 
contractors. This may raise questions about the affordability and 
sustainability of the CMMC program, especially for small businesses. 
Commenters suggested that the DoD conduct and publish a comprehensive 
cost assessment for each level of CMMC certification and explore ways 
to reduce the financial burden on the contractors, such as providing 
incentives, subsidies, loans, grants, tax credits or reimbursements. 
Several comments presented the opinion that the cost estimates in the 
preamble/rule did not adequately address all possible costs to become 
compliant with regulations and attain a certification, i.e., ongoing 
Recurring Engineering and Non-Recurring Engineering costs. Others 
commented that the mandate to comply with requirements, attain 
verification of compliance, and the inability to recoup costs prior to 
completing compliance will be barriers to entry and will drive many 
small businesses out of the DoD market. Concern was also expressed 
regarding the cost of failing an assessment and not being able to 
recoup costs fast enough, through increased Overhead and G&A [General 
and Administrative] rates. Another concern was raised that IR&D 
[Independent Research and Development] spending will be negatively 
impacted due to the diversion of funds to Cybersecurity compliance. 
Some shared concerns about the potential for overmarking CUI data, which 
will drive a higher than necessary demand for CMMC certification and 
create an overburdened Ecosystem, thereby preventing timely 
certification and incentivizing ``price gouging'' by assessors. Several 
suggested that the Government regulate the prices for assessment 
services. Many commenters also suggested the DoD needed to find ways to 
reduce the financial burdens on small businesses through direct payment 
for compliance, tax incentives, increased profits, or increased 
flexibility to comply with requirements, i.e., by reducing requirements 
for small businesses or providing more time to comply after contract 
award. Commenters also felt the handling of CUI by small businesses was 
too difficult, and recommended prime contractors should be responsible 
for handling all CUI. If a small business needs CUI to execute its 
work, the prime or the Government should provide an environment for the 
small business to complete its work.
    DoD Response. In recognition of the pervasive cyber threat both to 
DoD and to the DIB, CMMC Program requirements are designed to ensure 
compliance with existing standards for protection of FCI and CUI. These 
cybersecurity requirements align directly to NIST guidelines (NIST SP 
800-171 R2 and NIST SP 800-172 Feb2021) and the basic safeguarding 
requirements in FAR clause 52.204-21 that apply to all executive 
agencies. Since December 2017, DFARS clause 252.204-7012 has required 
contractors to implement the NIST SP 800-171 security requirements to 
provide adequate security as applicable for processing, storing, or 
transmitting CUI on non-Federal information systems, as needed in 
support of the performance of a DoD contract.
    The executive branch's CUI Program is codified in 32 CFR part 2002 
and establishes policy for designating, handling, and decontrolling 
information that qualifies as CUI. The definition of CUI and general 
requirements for its safeguarding are included in 32 CFR 2002.4 and 
2002.14. 32 CFR 2002.14(h)(2) specifically requires that ``Agencies must 
use NIST SP 800-171 when establishing security requirements to protect 
CUI's confidentiality on non-Federal information systems . . .'' 
Contractually, DFARS clause 252.204-7012 requires contractors to 
implement the NIST SP 800-171 R2 security requirements, and that 
requirement applies, regardless of the number of computers or 
components in a non-Federal information system or the size of the 
contractor or subcontractor, as applicable. DoD's original 
implementation of security requirements for adequate safeguarding of 
CUI relied upon self-attestation by contractors. Since that time, the 
DoD Inspector General and the DCMA found contractors did not 
consistently implement mandated system security requirements for 
safeguarding CUI and recommended DoD take steps to assess a 
contractor's ability to protect this information. The DoD has 
streamlined requirements to reduce the burden of compliance on 
contractors. Analysis of costs to meet CMMC requirements is provided in 
the regulatory impact analysis for this rule. As described in the 
estimate included with the rule, the major cost categories for 
compliance with CMMC requirements include costs for completing a self-
assessment (e.g., Level 1 or 2); costs to prepare for and undergo Level 
2 certification assessment; and costs required to implement the Level 3 
security requirements and for preparing to undergo DCMA DIBCAC 
assessment (Level 3). CMMC Level 3 certification assessments against 
the NIST SP 800-172 Feb2021 baseline are performed free of cost by DoD 
assessors, which reduces the overall cost of achieving CMMC Status of 
Level 3 (DIBCAC). Notably, certification is never required for CMMC 
Level 1, and the requirement can be satisfied through self-assessment. 
When CMMC Level 2 requirements apply, they may be met via self-
assessment, or a certification assessment conducted by a C3PAO, 
depending on the specific CMMC requirement cited in the solicitation or 
resulting contract. When the CMMC Program requirements are effective, 
solicitations for DoD contracts that will involve the processing, 
storing, or transmitting of FCI or CUI on any non-Federal system, 
notwithstanding the size or configuration of the non-Federal system, 
will specify the required CMMC Level (1, 2 or 3) and assessment type 
(self-assessment or certification assessment). An assumption for the 
cost estimates is that Non-Small Entities have a full-time team of 
cybersecurity professionals on staff while Small Entities do not. The 
assumptions, explained in the regulatory impact analysis, reflect Small 
Entities will likely obtain support from External Service Providers and 
have a staff member submit affirmations and SPRS scores for self-
assessments. All

[[Page 83197]]

these costs, except the open market cost of a C3PAO, are directly 
controllable by the organization seeking assessment. The CMMC rule does 
not make any change to cost allowability as defined in FAR 31.201-2 
Determining Allowability. The DoD declined to modify the estimates, 
which are intended to be representative and to inform rulemaking. The 
cost estimates represent average derived estimates based on internal 
expertise and public feedback in accordance with OMB Circular A-4 and 
represent average costs for companies to comply with the CMMC 
requirements. This rule does not provide the cost analysis for all 
actions, personnel, and security measures required to protect CUI 
information, data, systems, and technical products through the life 
cycle of the work and data generated. The size and complexity of the 
network within scope of the assessment impacts the costs as well. As 
required by rulemaking guidance, the DoD provided cost estimates and 
impact analyses. An analysis of profit margins is not required. 
Additionally, this rule and the required cost analysis and resulting 
cost estimates were reviewed by DoD cost analysts and OMB economists 
for realism and completeness.
    Some public comments received reflect a misinterpretation of the 
cost estimates that accompany this rule, which are representative of 
average assessment efforts, and do not include actual prices of C3PAO 
services available in the marketplace. Market forces of supply and 
demand will determine C3PAO pricing for CMMC Level 2 certification 
assessments.
    Costs associated with meeting the requirements of existing DFARS 
clause 252.204-7012 are not captured in the CMMC rule documentation. 
Please refer to 81 FR 72990, October 21, 2016, for DoD's final rule 
implementing the DoD's requirement that ``contractors shall implement 
NIST SP 800-171 as soon as practical, but not later than December 31, 
2017.'' Public comments related to implementation costs were published 
with that final rule, along with DoD's responses. Within the 
limitations of Sec.  170.21, Plan of Action and Milestones 
Requirements, offerors may bid on contract opportunities while 
continuing to work towards full compliance.
    Verifying compliance with applicable security requirements may 
increase costs and is necessary for the adequate protection of DoD FCI 
and CUI. The cost of lost technological advantage over potential 
adversaries is far greater than the costs of such enforcement. The 
value of information and impact of its loss does not diminish when the 
information is shared with contractors.
    At the time of contract award, the DoD may not have visibility into 
whether the prime contractor will further disseminate DoD FCI and CUI. 
However, FAR clause 52.204-21, DFARS clause 252.204-7012, and DFARS 
clause 252.204-7021 require the prime contractor to flow down these 
clauses and the included information security requirements to any 
subcontractor that will process, store, or transmit FCI or CUI, as 
applicable. Decisions regarding which DoD information must be shared to 
support completion of the contract tasks, including those performed by 
subcontractors, take place between the prime contractor and its 
subcontractors. The DoD cannot dictate business practices between prime 
contractors and their subcontractors, who should work together to 
determine the necessary flow down of FCI and CUI, sharing it only as 
needed in performance of the contract, ensuring compliance with the CMMC 
security requirements, and minimizing the burden. 
While DoD understands the burden on small business, it must enforce 
CMMC requirements uniformly across the Defense Industrial Base for all 
contractors who process, store, or transmit FCI and CUI. The 
requirements necessary to protect a single document are the same as to 
protect many documents.
    Although CMMC compliance may add to an organization's cost, no 
member of the DIB can assume the status-quo in today's ever-changing 
cybersecurity environment. Increasing costs to protect the nation's 
data and industries from emerging threats is simply a component of 
doing business anywhere in the world. Processing, storing, or 
transmitting sensitive Government information comes with a handling 
cost that needs to be built into each organization's business model. 
All contractors or sub-contractors with access to CUI need to be 
capable of protecting that information to the standards specified in 32 
CFR part 2002. If a small business cannot comply with the requirements 
of DFARS clause 252.204-7012 and NIST SP 800-171 R2, then that business 
should not receive CUI or process, store, or transmit CUI. If the DoD 
information flowed by the prime to a subcontractor is only FCI, then 
only a CMMC Level 1 self-assessment is required for the subcontractor 
prior to the flow of information under contract. DoD's programs, 
technological superiority, and best interests are not served if FCI and 
CUI are not consistently and adequately safeguarded by all who process, 
store, or transmit it.
    2. Cost Benefit. Some commenters suggested it would be more cost 
effective for DoD to provide an environment or a DoD managed portal for 
the handling of CUI. A significant concern expressed was that companies 
have delayed complying with DoD cybersecurity standards until the CMMC 
rule was released and they could understand what level of compliance 
they will require. Several commenters felt DoD underestimated the costs 
and should have included the implementation cost of the requirements in 
this rule as well. One commenter was confused about how the discount 
rates were applied. Another commenter suggested that DoD provide 
flexibility to allow small businesses to not meet all the requirements 
and still be allowed to handle CUI and another expressed concerns 
regarding the cost of compliance and the degradation of the DIB that 
will be unable to afford compliance.
    DoD Response: The DoD declined to adopt the alternatives suggested 
in the comments, such as policy-based solutions that lack a rigorous 
assessment component or sharing CUI only through DoD-hosted secure 
platforms. The current DFARS clause 252.204-7012 requires protection of 
Security Protection Assets (SPA) and Security Protection Data (SPD). 
Section 1.1 of NIST SP 800-171 R2 states: ``The requirements apply only 
to components of nonfederal systems that process, store, or transmit 
CUI, or that provide security protection for such components.'' There 
is therefore no increase in the scope because of the CMMC Program as 
described in the rule.
    SPD requires protection commensurate with the CUI it protects and 
is based on how and where the SPD is stored. The FedRAMP requirements 
for handling SPD are therefore the same as that for handling CUI.
    The CMMC rule made no change to the FAR cost allowability or cost 
accounting standards. The 7% discount rate is not a discount for 
organizations; it is a part of a formula used in the regulatory impact 
analysis (RIA) calculations. When calculating 20 years in the future, a 
discount rate is used to determine the net present value of money. The 
cost estimate represents derived estimates based on internal expertise 
and public feedback in accordance with OMB Circular A-4: Regulatory 
Impact Analysis: A Primer. Step 7 in the manual explains discount 
rates.
    As written, this rule amply provides for the flexibility sought by 
the

[[Page 83198]]

commenter. Rule section Sec.  170.21 specifically addresses the 
flexibility to have a Plan of Action and Milestones (POA&M) to delay 
meeting certain requirements subject to CMMC assessment for up to 180 
days.
    In addition, DFARS clause 252.204-7012 already permits contractors 
to request DoD CIO permission to utilize alternative security measures 
to those prescribed by NIST SP 800-171. If an OSC previously received a 
favorable adjudication from the DoD CIO for an alternative security 
measure, the DoD CIO adjudication must be included in the system 
security plan to receive consideration during an assessment. 
Implemented security measures adjudicated by the DoD CIO as equally 
effective are assessed as MET if there have been no changes in the 
environment.
    3. CMMC Model. Some commenters claimed that the requirement for all 
subcontractors of Level 3 prime contractors to be at least Level 2 
certified, regardless of what work they do, will generate more demand 
for Level 2 assessments than the Department is anticipating. Since much 
of DoD's contract dollars flow through a relatively small number of 
companies, it is likely those companies will have at least one CMMC 
Level 3 project. The result would be Level 2 certification requirements 
being flowed down to nearly the entirety of the DIB. Some commenters 
believed this to be an unintended consequence of implementing the 
enhanced protection of CMMC Level 3.
    DoD Response: It is possible the commenters misunderstood Sec.  
170.23 Application to subcontractors in the rule. Sec.  170.23(a)(4) 
states: ``If a subcontractor will process, store, or transmit CUI in 
performance of the subcontract and the associated prime contractor has 
a requirement for the CMMC Status of Level 3 (DIBCAC), then the CMMC 
Status of Level 2 (C3PAO) is the minimum requirement for the 
subcontractor.'' The commenter's phrase ``regardless of what work they 
do'' does not acknowledge the fact that the Level 2 certification 
assessment is required for subcontractors who process, store, or 
transmit CUI.
    It is also possible that the commenter interpreted that a Level 2 
self-assessment is adequate for subcontractors working with a prime 
that has a contractual requirement for a Level 3 certification 
assessment. In this case, a CMMC Status of Final Level 2 (Self) is not 
adequate. A CMMC Status of Final Level 3 (DIBCAC) signifies that the 
prime first achieved a CMMC Status of Final Level 2 (C3PAO) as the risk 
to their CUI was deemed high enough to require Level 2 certification 
assessment. Since this same information may be shared with 
subcontractors who process, store, or transmit CUI, the subcontractor 
must also achieve CMMC Status of Final Level 2 (C3PAO).
    The decision to rely upon a CMMC Level 2 self-assessment in lieu of 
a certification assessment is a Government risk-based decision based 
upon the nature of the effort to be performed and CUI to be shared. The 
size of the company with access to the CUI is not a basis for this 
determination. The value of information and impact of its loss does not 
diminish when the information moves to contractors of smaller size.
    4. Assessment. Commenters questioned whether CMMC will accept 
reciprocity with other compliance methodologies. Another questioned 
what would drive a company to seek a reassessment of their environment. 
Other commenters suggested that we allow small businesses 365 days to 
close their POA&M requirements, as well as suggesting that pre-
assessment materials do not need to be uploaded into eMASS, and that 
the hashing requirements should be simplified. Other suggestions made 
were to allow Program Managers to relax requirements based on a risk 
decision and allow assessors to make judgment calls on what evidence 
constitutes compliance with the requirement. One commenter requested 
the DoD publish an overview of the assessment methodology that includes 
the defined frequency guidelines. Additionally, one commenter requested 
that access to Procurement Integrated Enterprise Environment (PIEE) and 
Supplier Performance Risk System (SPRS) be made easier for small 
contractors.
    DoD Response: CMMC requirements apply to DoD contracts, and not to 
contracts issued by other agencies. Flow down of CMMC requirements from 
a prime contractor to its subcontractors shall apply, as addressed in 
Sec.  170.23(a) of this rule.
    DoD intends to allow qualified standards acceptance of a DIBCAC 
High Assessment using NIST SP 800-171 R2 for CMMC Status of Final Level 
2 (C3PAO) as addressed in Sec.  170.20.
    CMMC Level 2 self-assessment, Level 2 certification assessment, and 
Level 3 certification assessment are valid for a defined CMMC 
Assessment Scope as outlined in Sec.  170.19 CMMC Scoping. A new CMMC 
assessment may be required if significant architectural or boundary 
changes are made to the previous Assessment Scope. Examples include, 
but are not limited to, expansions of networks or mergers and 
acquisitions. Operational changes within an Assessment Scope, such as 
adding or subtracting resources within the existing assessment boundary 
that follow the existing SSP do not require a new assessment, but 
rather are covered by the annual affirmations to the continuing 
compliance with requirements.
    The DoD did not accept the recommendation to change the criteria 
for POA&Ms or the timeline allowed to remediate open POA&M items. The 
180-day timeline and the determination of the weighted practices that 
may be included in a POA&M were risk-based decisions. The determination 
factored the relative risk DoD is willing to accept when a particular 
practice is Not Met and the amount of risk the DoD is willing to accept 
for those security practices that remain ``NOT MET'' for an extended 
period. Unlike the original CMMC Program, the revised CMMC Program 
accepts some risk with the use of limited POA&Ms.
    There is value to the DoD in having the pre-assessment information 
in CMMC eMASS for overall program management and oversight. The 
information indicates that an assessment is either scheduled or in-
process. The CMMC PMO seeks to track CMMC Program adoption, and the 
pre-assessment information allows reporting on upcoming assessments. 
Based on the DoD's cost analysis, the cost to upload pre-assessment 
material is minimal. The rule and Hashing Guide have been updated to 
add clarity that only reporting a single hash is required, and the name 
of the hash algorithm used needs to be stored in CMMC eMASS. Each 
Assessment Objective in NIST SP 800-171A Jun2018 must yield a finding 
of MET or NOT APPLICABLE for the overall security requirement to be 
scored as MET. Assessors exercise judgment in determining when 
sufficient and adequate evidence has been presented to make an 
assessment finding. This is consistent with current DIBCAC High 
Assessments and assessments conducted under the Joint Surveillance 
Voluntary Assessment (JSVA) program.
    A security requirement can be applicable, even with assessment 
objectives that are N/A. The security requirement is NOT MET when one 
or more applicable assessment objectives is NOT MET. The requirements 
of each Level of the CMMC Model are defined in sections Sec. Sec.  
170.15 through 170.18 and the scoring of assessments is described in 
Sec.  170.24. The assessment frequency required is every year for a 
CMMC Status of Final Level 1 (Self), and every 3 years for CMMC 
Statuses of Final Level 2 (Self), Final Level 2 (C3PAO), and Final 
Level 3 (DIBCAC), or when changes within the CMMC Assessment Scope 
invalidate the assessment.
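The scoring rule stated above (every assessment objective must be MET or NOT APPLICABLE for the requirement to score MET; one NOT MET applicable objective makes the requirement NOT MET) is mechanical enough to encode. The following is an added example, not text from the rule or any DoD tool: it parses a small constructed worksheet of per-objective findings, scores each requirement, and tallies the result. The requirement and objective identifiers, the worksheet format, and the handling of a requirement whose objectives are all N/A are constructed assumptions, not part of the rule.

```python
"""
Added example (not part of the rule text or any DoD tool): scoring
NIST SP 800-171 security requirements from per-objective findings, using
the rule stated in the CMMC preamble. Requirement and objective
identifiers in the sample worksheet are constructed placeholders.
"""
from enum import Enum
from typing import Dict, Mapping


class Finding(str, Enum):
    MET = "MET"
    NOT_MET = "NOT MET"
    NA = "NOT APPLICABLE"


def score_requirement(objectives: Mapping[str, Finding]) -> Finding:
    """Apply the preamble's rule to one requirement's assessment objectives.

    - Any applicable objective found NOT MET makes the requirement NOT MET.
    - The requirement is MET only when every objective is MET or NOT APPLICABLE.
    - Assumption: when *every* objective is NOT APPLICABLE this example returns
      NOT APPLICABLE. The rule says a requirement may still be applicable with
      some N/A objectives but does not address the all-N/A case, so that
      applicability call is left to the assessor.
    """
    if not objectives:
        raise ValueError("a requirement needs at least one assessment objective")
    findings = list(objectives.values())
    if any(f is Finding.NOT_MET for f in findings):
        return Finding.NOT_MET
    if all(f is Finding.NA for f in findings):
        return Finding.NA
    return Finding.MET


def parse_worksheet(text: str) -> Dict[str, Dict[str, Finding]]:
    """Parse a constructed 'requirement objective finding' worksheet.

    Format (constructed for this example, not a CMMC artifact):
        <requirement-id> <objective-id> <MET|NOT MET|N/A>
    Blank lines and lines starting with '#' are ignored.
    """
    aliases = {"MET": Finding.MET, "NOT MET": Finding.NOT_MET,
               "N/A": Finding.NA, "NOT APPLICABLE": Finding.NA}
    table: Dict[str, Dict[str, Finding]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        req_id, obj_id, verdict = line.split(maxsplit=2)
        verdict = verdict.strip().upper()
        if verdict not in aliases:
            raise ValueError(f"unknown finding {verdict!r} on line {raw!r}")
        table.setdefault(req_id, {})[obj_id] = aliases[verdict]
    return table


def score_assessment(worksheet: Dict[str, Dict[str, Finding]]) -> Dict[str, Finding]:
    """Score every requirement in the parsed worksheet."""
    return {req: score_requirement(objs) for req, objs in worksheet.items()}


def tally(results: Mapping[str, Finding]) -> Dict[str, int]:
    """Count requirements per finding, keyed by the finding's display text."""
    counts = {f.value: 0 for f in Finding}
    for finding in results.values():
        counts[finding.value] += 1
    return counts


# Constructed sample worksheet: REQ-2 fails on one objective, REQ-3 is all N/A.
SAMPLE_WORKSHEET = """
# constructed sample: requirement objective finding
REQ-1 [a] MET
REQ-1 [b] MET
REQ-1 [c] N/A
REQ-2 [a] MET
REQ-2 [b] NOT MET
REQ-3 [a] N/A
REQ-3 [b] N/A
"""

if __name__ == "__main__":
    results = score_assessment(parse_worksheet(SAMPLE_WORKSHEET))
    for req, finding in results.items():
        print(f"{req}: {finding.value}")
    print(tally(results))
```

On the sample, REQ-1 scores MET despite its N/A objective, REQ-2 scores NOT MET because of the single failed objective, and REQ-3 falls into the all-N/A case flagged above for assessor judgment.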
    The phased implementation plan for CMMC described in Sec.  170.3(e) 
is intended to address ramp-up issues, provide time to train the 
necessary number of assessors, and allow companies the time needed to 
understand and implement CMMC requirements. The rule has been updated 
to add an additional six months to the Phase 1 timeline. Phase 2 will 
start one calendar year after the start of Phase 1.
    5. Scoping. Commenters expressed concerns about how External 
Service Providers (ESP) and SPA and SPD are handled with regard to 
certification. Another commenter expressed concern about the lack of 
FedRAMP Moderate certified capabilities in the market as well as 
requesting clarification on the definition of ``Specialized Assets'', 
specifically regarding equipment in manufacturing that may not fall 
under the conventional categories of IoT, IIoT, and OT. Another 
commenter expressed concerns about how Contractor Risk Managed Assets 
(CRMA) are handled, along with concerns about available FedRAMP 
certified capabilities. Other comments identified concerns with the 
responsibility of a company that adopts an ESP and their adherence to 
security requirements, and the lack of time given in Phase 2 of the 
CMMC roll-out to garner certification. A question was also asked 
regarding the Department's assumptions on the rigor a Certifying 
Officer [Affirming Official in the rule] would require before signing 
an attestation and the methodology used to determine the resultant 
actions that must be taken. Another raised a concern regarding how sub-
environments are handled as well as end-to-end encryption in handling 
CUI. Another expressed concern regarding the marking of data as CUI and 
the potential for overmarking. Some commenters made suggestions that 
all CUI be held in a special appendix for contracts and only be allowed 
to be accessed at the prime's facility or through a government hosted 
secure portal. A commenter also suggested that small businesses should 
not be made to meet the CMMC Level 3 requirements. Another commenter 
raised questions about the alternatives that the Department considered 
in developing the CMMC Program. Another commenter suggested providing 
uniform web-based training on cybersecurity, stated that the definition 
of CUI was unclear, and argued that CUI should stay under the control 
of the Federal Government and be maintained in a government-owned 
secure portal. A 
suggestion was also made that DoD establish a Cyber Protection Program 
that monitors DIB companies and provides real time health reports on 
the DIB and dynamic intelligence security alerts and recommended 
actions. A suggestion that NIST establish a special standard for micro-
organizations was also provided. Commenters also suggested that the 
rule was too stringent, and CUI was not marked well or flowed down to 
subcontractors appropriately.
    DoD Response: The Department is committed to overseeing the CMMC 
Program and will take appropriate measures to ensure its efficient 
execution. Presently, the Department has no intention of mandating that 
contracting offices adopt presumptive measures that would reduce the 
number of small contracts subject to Level 2 certification assessment, 
nor does it plan to impose affirmative requirements on prime contracts 
to utilize enclaves.
    Prior to the conduct of an assessment, the OSC engages with the C3PAO 
assessor. It is during this time that classification of assets should 
be established, and the results of these discussions documented in pre-
planning materials. This is an example of the pre-assessment and 
planning material submitted by the C3PAO as required in Sec.  
170.9(b)(8) and the CMMC Assessment Scope submitted to eMASS as 
required in Sec.  170.17(a)(1)(i)(D). The DoD considered the NIST 
definitions for System Information and Security Relevant Information in 
the development of the CMMC definition for SPD. This rule does not 
regulate an OSA's SPD, but instead implements existing regulatory 
requirements for the safeguarding of CUI, as defined in 32 CFR 
2002.14(h)(2) and implemented by DFARS clause 252.204-7012. The DFARS 
clause 252.204-7012 requires protection of security protection assets 
and security protection data through its specification of NIST SP 800-
171. Section 1.1 of NIST SP 800-171 R2 states: ``The requirements apply 
only to components of nonfederal systems that process, store, or 
transmit CUI, or that provide security protection for such 
components.'' There is therefore no increase in the scope as described 
in the rule, and no revisions to cost estimates are required.
    The DoD received numerous comments about the requirements for CMMC 
when an ESP is used. In response to these comments, the DoD revised the 
rule to reduce the assessment burden on External Service Providers 
(ESPs) by updating the ESP assessment, certification, and authorization 
requirements in Sec. Sec.  170.19(c)(2) and (d)(2).
    The use of an ESP, its relationship to the OSA, and the services 
provided need to be documented in the OSA's System Security Plan and 
described in the ESP's service description and customer responsibility 
matrix (CRM), which describes the responsibilities of the OSA and ESP 
with respect to the services provided.
    An ESP is considered a Cloud Service Provider (CSP) when it 
provides its own cloud services based on a model for enabling 
ubiquitous, convenient, on-demand network access to a shared pool of 
configurable computing that can be rapidly provisioned and released 
with minimal management effort or service provider interaction on the 
part of the OSA. ESPs that are CSPs, and process, store, or transmit 
CUI, must meet the FedRAMP requirements in DFARS clause 252.204-7012. 
ESPs that are CSPs and do not process, store, or transmit CUI, are not 
required to meet FedRAMP requirements in DFARS clause 252.204-7012.
    An ESP that is not a CSP and processes, stores, or transmits CUI, 
is considered an extension of the OSA's environment and the ESP 
services used to meet OSA requirements are within the scope of the 
OSA's CMMC assessment. As part of that environment, the ESP will be 
assessed against all applicable requirements and accountable for all 
users who have access to CUI as part of the ESP's service, not just OSA 
employees. ESPs that are not CSPs and do NOT process, store, or 
transmit CUI, do not require CMMC assessment.
    Nothing in the rule precludes an ESP, that is not a CSP, from 
voluntarily requesting a C3PAO assessment, and a C3PAO from performing 
such an assessment, if the ESP makes that business decision. Similarly, 
the ESP can request a Level 3 certification assessment from the DCMA 
DIBCAC if they have successfully met all the requirements during a 
Level 2 certification assessment.
    ESPs can be part of the same corporate/organizational structure and 
still be external to the OSA, such as a centralized SOC or NOC that 
supports multiple business units. An ESP used only as staff 
augmentation, where the OSA provides all processes, technology, and 
facilities, does not need a CMMC assessment.
    An ESP (not a CSP) that provides technical support services to its 
clients would be considered an MSP, since it does not host its own 
cloud platform offering. An ESP may utilize cloud offerings to deliver 
services to clients without being a CSP. An ESP that manages a 
third-party cloud service on behalf of an OSA would not be considered a 
CSP.
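The ESP scoping paragraphs above amount to a small decision table (is the provider a CSP; does it process, store, or transmit CUI; is it only staff augmentation) plus a documentation requirement (SSP entry, service description, customer responsibility matrix). The following is an added example, not text from the rule or any DoD tool, that applies those stated rules to a constructed provider inventory and reports each provider's disposition with any documentation gaps. The provider names, record fields, and inventory format are constructed assumptions; Security Protection Data held by an ESP is not modelled here.

```python
"""
Added example (not part of the rule or any DoD tool): scoping triage for
external service providers (ESPs) using the CSP/CUI rules stated in the
CMMC preamble, plus a check for the documentation the preamble says must
exist. Provider names and the record layout are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List

FEDRAMP_REQUIRED = ("CSP handling CUI: must meet the FedRAMP requirements "
                    "in DFARS clause 252.204-7012")
FEDRAMP_NOT_REQUIRED = ("CSP not handling CUI: FedRAMP requirements in "
                        "DFARS clause 252.204-7012 do not apply")
IN_OSA_SCOPE = ("non-CSP ESP handling CUI: extension of the OSA environment, "
                "within the scope of the OSA's CMMC assessment")
NO_ASSESSMENT = "no CMMC assessment required"


@dataclass
class ExternalServiceProvider:
    name: str
    # Offers its own cloud platform. An ESP that only manages a third-party
    # cloud service on the OSA's behalf is NOT a CSP (is_csp=False).
    is_csp: bool
    # Processes, stores, or transmits CUI for the OSA.
    handles_cui: bool
    # OSA supplies all processes, technology, and facilities; the ESP only
    # supplies people who work on OSA-provided systems.
    staff_augmentation_only: bool = False
    # Documentation the preamble requires for any ESP in use.
    documented_in_ssp: bool = False
    has_service_description: bool = False
    has_crm: bool = False


def esp_disposition(esp: ExternalServiceProvider) -> str:
    """Map one provider to the outcome the preamble states for its case."""
    # Staff augmentation is checked first: by definition the OSA supplies all
    # technology, so the ESP holds no CUI on assets of its own.
    if esp.staff_augmentation_only:
        return NO_ASSESSMENT
    if esp.is_csp:
        return FEDRAMP_REQUIRED if esp.handles_cui else FEDRAMP_NOT_REQUIRED
    return IN_OSA_SCOPE if esp.handles_cui else NO_ASSESSMENT


def documentation_gaps(esp: ExternalServiceProvider) -> List[str]:
    """List missing artifacts: SSP entry, service description, CRM."""
    gaps: List[str] = []
    if not esp.documented_in_ssp:
        gaps.append("ESP use and relationship not documented in the OSA SSP")
    if not esp.has_service_description:
        gaps.append("ESP service description missing")
    if not esp.has_crm:
        gaps.append("customer responsibility matrix (CRM) missing")
    return gaps


def triage(inventory: Iterable[ExternalServiceProvider]) -> Dict[str, Dict[str, object]]:
    """Disposition and documentation gaps for every provider in the inventory."""
    return {e.name: {"disposition": esp_disposition(e),
                     "gaps": documentation_gaps(e)} for e in inventory}


# Constructed inventory covering each branch of the preamble's rules.
SAMPLE_INVENTORY = [
    ExternalServiceProvider("cui-doc-hosting", is_csp=True, handles_cui=True,
                            documented_in_ssp=True, has_service_description=True,
                            has_crm=True),
    ExternalServiceProvider("marketing-saas", is_csp=True, handles_cui=False,
                            documented_in_ssp=True, has_service_description=True,
                            has_crm=True),
    ExternalServiceProvider("managed-soc", is_csp=False, handles_cui=True,
                            documented_in_ssp=True, has_service_description=True,
                            has_crm=False),
    ExternalServiceProvider("contract-engineers", is_csp=False, handles_cui=True,
                            staff_augmentation_only=True, documented_in_ssp=True,
                            has_service_description=True, has_crm=True),
    ExternalServiceProvider("payroll-provider", is_csp=False, handles_cui=False,
                            documented_in_ssp=False, has_service_description=True,
                            has_crm=False),
]

if __name__ == "__main__":
    for name, row in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {row['disposition']}")
        for gap in row["gaps"]:
            print(f"    gap: {gap}")
```

The documentation check runs for every provider regardless of disposition, because the preamble requires the ESP relationship to be documented in the SSP and CRM whenever an ESP is used; the managed SOC in the sample is in scope of the OSA's assessment and still lacks its CRM, which is the case an assessor would want surfaced before pre-assessment planning.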
    6. POA&M. Commenters expressed concern regarding the limited nature 
of POA&Ms in CMMC as well as the timeline and lack of flexibility in 
remediating the POA&Ms.
    DoD Response. The DoD did not accept the recommendation to change 
the criteria in Sec.  170.21 for POA&M requirements or the timeline 
allowed to remediate open POA&M items. The 180-day timeline and the 
determination of which weighted practices can be placed on a POA&M were 
risk-based decisions. The determination factored in the relative risk 
DoD is willing to accept when a particular practice is 
not met and the amount of risk the DoD is willing to accept for those 
security practices that remain ``NOT MET'' for the extended period of 
time. The phased implementation plan in Sec.  170.3(e) is intended to 
address ramp-up issues, provide time to train the necessary number of 
assessors, and allow companies the time needed to understand and 
implement CMMC requirements. DoD has updated the rule to add an 
additional six months to the Phase 1 timeline, now one year. Phase 2 
will start one calendar year after the start of Phase 1.
    7. Incorporation by Reference. Commenters expressed concern about 
the confusion between the NIST 800-171 R2 being included in the CMMC 
rule and not the recently published Rev 3.
    DoD Response. The Office of the Federal Register regulations (1 CFR 
part 51) require the specification of a revision to a standard. 
Specifying a revision benefits the CMMC Ecosystem by ensuring it moves 
forward from one NIST standard to the next in an organized manner. The 
DoD cites NIST SP 800-171 R2 in this final rule for a variety of 
reasons, including the time needed for industry preparation to 
implement and time needed to prepare the CMMC Ecosystem to perform 
assessments against subsequent revisions. DoD is unable to incorporate 
suggestions that CMMC assessments be aligned to whichever NIST revision 
is current at the time of solicitation. Comments on the specifics on 
NIST SP 800-171 Revision 3 should be directed to NIST.
    8. Affirmation. Commenters expressed confusion regarding the 
definition of the Affirming Official as well as how the affirmation 
process works, i.e., whether the affirmation covers each company or the 
whole supply chain. One commenter also expressed confusion regarding whether 
an affirmation was required at each certification level annually.
    DoD Response. The rule was modified to include a definition for 
Affirming Official in Sec.  170.4.
    The DoD considered the recommended text revisions and modified the 
text for added clarity about affirmations. DoD's use of the term OSA 
within the affirmations section is deliberate and conveys that each 
organization is responsible for affirmations pertaining to their own 
assessments. To help clarify the point in question, Sec.  170.22(a)(1) 
addresses Affirming Official and has been revised to clarify that CMMC 
affirmations shall be submitted by the OSA and apply only to the 
information systems of that organization.
    The DoD deems that the requirement to annually affirm continuing 
compliance with the CMMC requirements at the designated CMMC Level and 
following the procedures in Sec.  170.22 is not a significant 
additional burden. The requirement for annual affirmations takes the 
place of an annual recertification and ensures the Affirming Official 
responsible for CMMC requirements is monitoring compliance.
    9. Alternatives. Several commenters provided suggestions for 
alternative means to implement verification of compliance with 
cybersecurity standards. These suggestions included the following:
    • Provide flexibility for the CMMC AB to allow a C3PAO partial 
assessment of prospective Managed Service Providers.
    • Allow small businesses to continue performing self-assessments 
and self-certify, along with increasing the support provided to small 
businesses from DC3 to pay for consultants to assist with compliance as 
well as paying for small business assessments.
    • Integrate cybersecurity and traditional counterintelligence 
measures, establishing a secure software development environment in a 
cloud that DoD hosts, as well as providing a secure environment in 
which small businesses could operate.
    • Require prime contractors to assume the cost of CMMC for their 
supply chain.
    • Only assess a sampling of the Defense Industrial Base.
    • Increase the certification validity time period from 3 to 10 
years.
    • Shift the requirement to post award.
    • Re-evaluate the program to reduce requirements to make it easier.
    • Stay with only the DCMA DIBCAC performing assessments on the DIB.
    DoD Response: DoD considered many alternatives before deciding upon 
the current CMMC structure. To date, alternative methods of assessment 
have proven inadequate and necessitated the establishment of CMMC. The 
DoD determined the requirements for a CMMC Accreditation Body, and this 
accreditation body will administer the CMMC Ecosystem.
    DoD must enforce CMMC requirements uniformly across the DIB for all 
contractors and subcontractors who process, store, or transmit CUI. The 
value of information and the impact of its loss does not diminish when 
the information moves to contractors and subcontractors.
    The DoD notes with interest the commenter's reference to 
initiatives in a report to Congress describing the breadth of 
cybersecurity related initiatives within the Department. While the CMMC 
Program is an important initiative, it is by no means the Department's 
only effort to improve DIB cybersecurity. The CMMC Program addresses 
the adequate safeguarding of contractor owned information systems which 
process, store, or transmit FCI or CUI. Other DoD initiatives related 
to secure cloud or software development environments are beyond the 
scope of the CMMC Program.
    The DoD declined to accept the recommended alternative of relying 
exclusively on self-assessment with the potential to require a DIBCAC 
assessment for only a sampling of DoD contractors, which is essentially 
the status quo. Both GAO reporting and other DoD analysis have shown 
that the DIB has not consistently implemented the NIST SP 800-171 
requirements needed to comply with DFARS clause 252.204-7012, 
notwithstanding DoD's stated objective in this clause is for compliance 
``as soon as practical, but not later than December 31, 2017.''
    The DoD declined to accept the risk associated with implementing 
CMMC as a post-award requirement. When contracts require contractors to 
process, store, or transmit CUI, DoD requires that they be compliant 
with DFARS clause 252.204-7012 and competent to adequately safeguard 
CUI from the beginning of the period of performance.
    DoD declined the recommendation to require primes to assume the 
cost of CMMC compliance for their subcontractors.
    The aggregated SPRS reporting and scoring is CUI. The DoD does not 
plan to make this information public at this time, as it may aid 
adversaries in coordinating their attacks.
    The Department declined to adopt the recommendation to allow DIB 
members to assist in designing the DoD's mechanism for assessing DIB 
compliance with DoD's contractual requirements. In developing the CMMC 
program, the DoD sought and considered DIB input.
    DoD disagreed with the comment that there is a lack of scalability 
in the CMMC Program. The phased implementation plan described in Sec.  
170.3(e) is intended to address ramp-up issues within the CMMC 
Ecosystem, provide time to train the necessary number of assessors, and 
allow companies the time needed to understand and implement CMMC 
requirements.
    The rule was updated to add an additional six months to the Phase 1 
timeline, now one year. Further extension of the implementation period 
or other solutions may be considered in the future to mitigate any 
C3PAO capacity issues, but the Department has no such plans at this 
time.
    As with all DoD programs, the Department intends to effectively 
oversee the CMMC Program and take the actions needed to manage its 
effective implementation. Although the full extent of DoD's oversight 
process is beyond the scope of this rule, the rule text does address 
DoD's authority to waive the application of CMMC requirements when 
warranted.
    The DoD disagrees with commenters' assertions about NIST SP 800-171 
R2 and the available assessment methods. The NIST SP 800-171 R2 
standard was chosen since it is enterprise focused and already required 
in DoD contracts when DFARS clause 252.204-7012 is applicable.
    DCMA DIBCAC currently performs assessments against NIST SP 800-171 
R2, which identifies the target audience to include individuals with 
security assessment responsibilities, such as auditors, assessors, and 
``independent verifiers.''
    The Department does not have the organic capacity to adequately 
assess the 220,000+ companies in the DIB. The DoD will not assume the 
workload of directly assessing every DIB contractor.
    In this final rule, DoD established a scalable way to verify, 
through assessment, that contractors have implemented required security 
measures necessary to safeguard DoD's information.
    It is important that contractors maintain security compliance for 
systems that process, store, or transmit DoD CUI. Given the evolving 
cybersecurity threat, DoD's best interests are served by ensuring that 
Level 2 self-assessment and certification assessments remain valid for 
no longer than a 3-year period, regardless of who performs the 
assessment.
    10. Applicability. Commenters expressed frustration with exempting 
Commercial-Off-The-Shelf (COTS) products and procurements under the 
micro-purchase threshold from CMMC certification, and not providing 
exemptions for Native American, small, disadvantaged businesses, and 
Small Business Innovative Research contracts. They also expressed 
concerns about perceived threatened penalties and lack of recognition 
of recurring costs to Level 1 assessments. A commenter also recommended 
reversing the phased approach to require Level 3 requirements be 
implemented first.
    DoD Response: Some comments pertain to the 48 CFR part 204 CMMC 
Acquisition rule, including applicability of the CMMC clause to COTS 
procurements and those below the micro-purchase threshold. Such 
comments are not within the scope of this 32 CFR part 170 CMMC Program 
rule, which outlines program requirements rather than contracting 
procedures.
    This rule has no disproportionate impact on Native American owned 
businesses. Once identified as a requirement, the CMMC Program 
requirements will apply uniformly to all prospective contractors.
    DoD must enforce safeguarding requirements uniformly across the DIB 
for all contractors and subcontractors who process, store, or transmit 
CUI. The value of information and impact of its loss does not diminish 
when the information moves to DoD contractors and DoD subcontractors, 
regardless of their status as Native American or small disadvantaged 
businesses.
    The purpose of the CMMC Program is to ensure that DoD contracts 
that require contractors to safeguard FCI and CUI (i.e., contracts that 
include FAR clause 52.204-21 and DFARS clause 252.204-7012) will be 
awarded to contractors with the ability to protect that information 
appropriately. Accordingly, all contractor owned information systems 
that process, store, or transmit FCI or CUI in the performance of a 
contract are subject to the requirements of FAR clause 52.204-21 and 
NIST SP 800-171 as implemented by DFARS clause 252.204-7012.
    The CMMC Program rule does not include ``threatened penalties.'' If 
a requirement of a DoD contract is not met, then standard contractual 
remedies applicable to that contract may apply.
    The phased implementation plan described in Sec.  170.3(e) is 
intended to address ramp-up issues, provide time to train the necessary 
number of assessors, and allow companies the time needed to understand 
and implement CMMC requirements.
    The self-assessment requirements build on the existing DFARS clause 
252.204-7020 requirement as part of basic safeguarding of CUI. CMMC 
Level 3 requires advanced implementation, and the phase-in period 
provides additional time for an OSC to achieve the higher standard.
    11. Flow down. Commenters expressed concern that the CMMC rule 
language was not clear enough regarding when self-assessments are 
allowed. One commenter believed requiring prime contractors to validate 
the compliance of those they transmit CUI to was too onerous and that 
the rule language was not clear on how to determine what level of CUI 
is being passed.
    DoD Response: DoD policies guide Program Managers to appropriately 
apply CMMC Status requirements in DoD solicitations and resulting 
contracts, to include when Level 2 self-assessment rather than Level 2 
certification assessment is appropriate.
    The commenter misinterprets the text of Sec.  170.23, which states: 
If a subcontractor will process, store, or transmit CUI in performance 
of the subcontract and the associated prime contractor has a 
requirement for a CMMC Status of Level 2 (C3PAO), then the CMMC Status 
of Level 2 (C3PAO) is the minimum requirement for the subcontractor.
    CMMC flow down requirements are designed to apply consistent 
assessment requirements to all contractors, whether prime or 
subcontractor and regardless of company size, who are required to 
adequately safeguard CUI. The DoD cannot dictate DIB business practices 
and encourages prime contractors to carefully consider the necessity of 
sharing CUI and to work with their subcontractors to flow 
down CUI with the required security and the least burden.
    Defense contractors may share information about their CMMC Status 
with other DIB members to facilitate effective teaming arrangements 
when competing for DoD contract opportunities.
    In addition, CMMC requirements apply for prime contractors and 
their subcontractors as outlined in Sec.  170.23. For additional 
information about flow down of contractual requirements, see the 48 CFR 
part 204 CMMC Acquisition rule, RIN 0750-AK81, Assessing Contractor 
Implementation of Cybersecurity Requirements (DFARS Case 2019-D041).
    12. International. Commenters expressed concern about international 
partners' use of cloud services that do not have FedRAMP or GovCloud 
equivalency. Commenters also raised concerns that the draft language 
[in the proposed rule] did not explain reciprocity of cybersecurity 
standards between the U.S. and International Partners. One commenter 
recommended exempting foreign businesses from assessment requirements.
    DoD Response: A domestic or international business seeking a 
contract that includes DFARS clause 252.204-7012, and using a cloud 
service provider to process, store, or transmit covered defense 
information in performance of that DoD contract, must meet FedRAMP 
authorization or equivalency requirements. As the FedRAMP program and 
FedRAMP equivalency are available to international organizations, 
foreign partners do not need to develop their own FedRAMP program.
    The DoD leverages FedRAMP to provide the requirements for the 
adoption of secure cloud services across the Federal Government by 
providing a standardized approach to security and risk assessment for 
cloud technologies and Federal agencies.
    The Implementation of CMMC Program requirements described in Sec.  
170.3(e) of the rule does not promote assessments of any contractors 
over any other contractors. All companies, regardless of size, 
location, or nationality, will have access to authorized C3PAOs for 
certification assessments. The rule does not preclude non-U.S. citizens 
or foreign-owned C3PAOs from operating in the U.S. Additionally, U.S.-
owned C3PAOs may operate in a foreign nation.
    Section 170.20 states that OSCs that have completed a DCMA DIBCAC 
High Assessment aligned with CMMC Level 2 Scoping will be given the 
CMMC Status of Final Level 2 (C3PAO). International standards 
acceptance is not addressed in this rule.
    Any consideration of reciprocity between foreign partner protected 
information and CUI and FCI would require a formal government to 
government international arrangement or agreement and is outside the 
scope of this 32 CFR part 170 CMMC Program rule.
    Any discussion of exemptions for foreign businesses is outside the 
scope of the 32 CFR part 170 CMMC Program rule and may be addressed 
through government-to-government international arrangements or 
agreements.
    The Discussion of Public Comments and Resulting Changes section in 
the preamble of the final rule addresses all public comments received 
during the mandatory 60-day public comment period for the proposed rule 
and supporting documents.
Response to Comments From Chief Counsel for Advocacy of the SBA
    On December 26, 2023, the Department of Defense (DoD) published a 
proposed rule entitled Cybersecurity Maturity Model Certification 
(CMMC) Program, 88 CFR 89058. This proposed rule intends to create a 
mechanism by which the DoD can certify that contractors and 
subcontractors are in compliance with the stated cybersecurity 
guidelines. The SBA Office of Advocacy (SBA or Advocacy) submitted the 
following comments and concerns on the proposed rule in a letter 
addressed to the DoD CIO within the public comment period for the 
proposed 32 CFR part 170 CMMC Program rule.
    ``Advocacy is principally concerned with the ability for small 
businesses to meet and comply with the standards and timelines set out 
in the CMMC Program without further clarification and guidance 
documents from the DoD. The current rule does not provide clear 
guidance on the process to create enclaves, which would allow more 
small business subcontractors to participate in DoD contracts without 
meeting the full requirements necessary for the prime contractor. 
Advocacy seeks clarification on the role of Third-Party Assessment 
Organizations (C3PAO) and the indemnification a C3PAO has if a 
contractor or subcontractor is out of compliance.''
    ``Advocacy concerns also include the process of how and if more 
C3PAOs can be certified by the DoD to review the numerous contracts 
that will be subject to certifications. Advocacy urges the DoD to 
provide clarification about the enforcement mechanisms for breaches of 
cybersecurity.''
    ``Lastly, Advocacy reminds the DoD that this rule will impose a 
high cost of compliance on small businesses and any means to reduce the 
burden on small businesses will increase the participation of these 
impacted businesses.''
    ``The proposed rule would give contractual effect to NIST SP 800-
171 and 172, requiring companies to meet the three levels of compliance 
if the contracts involve FCI or CUI. CMMC attempts to redesign previous 
iterations of cybersecurity models with a more streamlined process. 
This proposal would simplify previous systems to create a more 
streamlined certification system. This rule differs from previous 
iterations by allowing for businesses to create enclaves within their 
business models, allowing the business to implement the CMMC standards 
while not drastically changing every aspect of their business 
process.''
    ``SBA Comment 1: Under the proposed rule, the CMMC Program will 
require all DoD contractors and subcontractors who handle Federal 
contract information (FCI) and Controlled Unclassified Information 
(CUI) to maintain cybersecurity protections of their systems. CMMC will 
create three levels of compliance, depending on the level of security 
necessary for which the contractor has access. Level 1 has 15 
requirements focused on logging access to potential FCI. Level 2 
includes minimum requirements for contractors handling CUI and adds 110 
requirements. Level 3 addresses an additional 24 requirements. Each 
level will pose varying challenges for small businesses of every kind 
to comply with the progressing requirements. Advocacy has commented on 
previous proposals for CMMC concerning the significant impact this will 
have on small business contractors.''
    ``Advocacy held outreach meetings with diverse small business 
stakeholders concerning this rule, both in-person and virtually. Small 
businesses expressed concerns with how to compensate the increased 
costs due to implementing CMMC and asked for clarity on aspects of the 
proposed CMMC rule. Advocacy has four chief concerns with the proposed 
rule.''
    ``Advocacy requests clear and concise guidance for small business 
contractors and subcontractors to create enclaves in order to lessen 
the burden of compliance on the businesses.''
    ``The proposed rule states that different business segments or 
different enclaves of a business can be assessed or certified at 
different CMMC levels. Creating and implementing enclaves will be most 
effective when a large prime contractor creates these enclaves to ease 
the burden on small subcontractors. The rule mentions the use of 
enclaves but does not provide guidance on how to implement enclaves 
within a business.''
    DoD Response: The Department acknowledges the concerns articulated 
by the Small Business Administration (SBA) and commits to enhancing 
training provisions after the rule is final and effective. Moreover, 
the Department pledges to reinstate outreach endeavors targeting the 
broader industry and specifically small businesses to facilitate 
familiarity with CMMC requirements once the rule is final and 
effective. However, the Department does not intend to formulate 
specific directives pertaining to the configuration and segregation of 
corporate information systems into enclaves. Such determinations must 
be tailored to individual companies, considering a multitude of unique 
factors.
    External service providers (ESPs) will be a driving force for small 
businesses' compliance with CMMC requirements. ESPs are vendors that 
handle security related data or CUI on their own assets and software. 
The ability of ESPs to create effective and economically feasible 
services will allow businesses to enclave different operations more 
easily and avoid unduly costly compliance expenses.
    ``SBA Comment 2: Advocacy recommends that the DoD create a 
presumption to reduce the number of small contracts that are subject to 
CMMC Level 2. This can be achieved through varying means, including a 
positive requirement for prime contractors or the ability for a prime 
contractor to engage in using enclaves as a positive value marker for 
their contracts. Further, the agency contracting officer could be 
required to engage in mitigating efforts if such CMMC related issues 
arise between a subcontractor and prime contractor.''
    DoD Response: The Department is committed to robustly supervising 
the CMMC Program and will take appropriate measures to ensure its 
efficient execution. Presently, the Department has no intention to 
mandate contracting offices adopt presumptive measures that would 
diminish the number of small contracts subject to CMMC Level 2 
assessment, nor does it plan to impose affirmative requirements on 
prime contracts to utilize enclaves.
    ``SBA Comment 3: Advocacy seeks clarity on the role of C3PAOs and 
the ability of C3PAOs to meet the demand for CMMC.
    ``For CMMC Level 2 compliance, a CMMC third-party assessor (C3PAO) 
will triennially inspect the businesses' compliance with the 110 
requirements of CMMC Level 2. Stakeholders raised concerns regarding 
the role C3PAOs will play in Level 2 certification and sought clarity 
on the indemnification of issues arising from a certification. 
Stakeholders raised concerns that if there are an insufficient number 
of C3PAOs to timely inspect every contractor before the rule is 
effective, then small businesses will be the last ones to be certified. 
Advocacy recommends creating a streamlined process to provide 
organizations with C3PAO certifications. This process would meet the 
immediate need of contractors to initially certify with a C3PAO that 
the business meets CMMC Level 2 requirements. Particularly, there 
should be availability of C3PAOs for small businesses and ensure small 
business owners are not falling behind.''
    DoD Response: In alignment with its standard practice across all 
programs, the Department is committed to diligent oversight of the CMMC 
Program and will enact appropriate measures to ensure its successful 
execution. The phased implementation strategy outlined in Sec.  
170.3(e) in the rule is designed to tackle initial challenges, 
facilitate assessor training, and afford companies sufficient time to 
comprehend and integrate CMMC prerequisites.
    While the Department remains open to considering future 
adjustments, including potential extensions to the implementation 
timeline or alternative solutions to address any capacity constraints 
faced by C3PAOs, no such initiatives are currently under active 
consideration.
    ``SBA Comment 4: Advocacy asks the DoD to clarify enforcement 
guidelines/mechanisms.
    As proposed, Level 1 contractors would annually attest their 
compliance with the requirements. While at Level 2, there would be 
attestations with C3PAO certifications every three years. Stakeholders 
raised questions about the practical steps the DoD will take in 
enforcement actions for breaches. Further, stakeholders raised concerns 
regarding the availability of remediating steps in the instance of 
failure to meet a CMMC requirement. Advocacy recommends the agency 
create guidance documents for small business contractors to better 
understand the legal effects of the CMMC.''
    DoD Response: Regarding enforcement, as the CMMC is slated for 
implementation as a precondition for contract award consideration, non-
compliance with CMMC requirements will result in disqualification from 
contract award; or post-award, could result in standard contractual and 
other remedies for failure to timely and satisfactorily address 
outstanding POA&Ms to fully implement CMMC requirements and meet 
contractual obligations.
    ``SBA Comment 5: Advocacy highlights the need for DoD to create 
rules that encourage and improve small business participation in 
contracting programs. Advocacy reiterates the importance of small 
businesses in Federal contracting. [Excerpt from footnote 21: ``Small 
businesses make up 99.9 percent of all U.S. businesses as well as 73 
percent of companies in the defense industrial base, and last year 
small businesses were awarded over 25 percent of all DoD prime 
contracts. As the economic engine of our nation, small businesses 
create jobs, generate innovation, and are essential, daily contributors 
to national security and the defense mission.] Creating accessible, 
commercially viable, and secure cyber systems is critical for the 
future of national security. Small businesses wish to continue to be a 
powerful driver of national defense contracting. Advocacy heard small 
business stakeholders from across the country express their strong 
commitment to protecting our country from cyber-attacks and recognize 
the critical need for CMMC and other cybersecurity measures.
    ``Small businesses urge DoD to create flexibilities such as using 
Plan of Action and Milestones (POA&Ms) when this rule goes into effect 
initially, allowing small businesses to ramp up to full compliance with 
their respective CMMC level.''
    DoD Response: The Department acknowledges the concerns voiced by the 
SBA regarding the participation of small businesses in contracting 
programs and the importance of fostering their involvement in Federal 
contracting, particularly within the defense industrial base. 
Recognizing the significant role small businesses play in national 
security and defense missions, the Department is committed to 
diligently addressing these concerns.
    While the Department values the input provided by small business 
stakeholders and understands the desire for flexibilities, including 
the use of POA&Ms during the initial implementation phase, it must 
carefully balance multiple factors to ensure the effectiveness and 
integrity of the CMMC Program.
    ``SBA Comment 6: Advocacy's chief concerns surround a lack of 
clarity on key aspects of the proposed rule. Advocacy requests 
clarification from DoD as to how to create enclaves within businesses. 
Encouraging the use of ESPs and incentivizing large prime contractors 
to keep all subcontractors from being subject to high levels of 
cybersecurity will be key in keeping small businesses engaged in DoD 
contracting. Guidance documents for small businesses (especially aimed 
at the smallest of small businesses) and ESPs will create an easier 
ramp for small business compliance. Advocacy requests clarity from DoD 
regarding the role of C3PAOs and encourages the DoD to ensure small 
businesses can obtain certification from C3PAOs in a timely manner. 
Further, the DoD should clarify the enforcement and procedural 
repercussions for a failure to meet various CMMC levels. Lastly, the 
DoD

[[Page 83204]]

should set achievable goals as CMMC is implemented, ensuring that 
current small businesses contracting with the agency can continue work 
with the government while ensuring our nation's defense.''
    DoD Response: The DoD acknowledges SBA Advocacy's chief 
concerns and will make additional training resources available 
following finalization of this rule. The DoD deems that the level of 
detail on the topics identified is appropriate for codification in the 
32 CFR part 170 CMMC Program rule. The DoD will resume outreach efforts 
with the aim of promoting CMMC familiarization among small businesses 
once the rule is final and effective and any constraints on such 
engagements no longer apply. However, DoD caveats that providing any 
specific instructions for configuring corporate information systems 
into enclaves is beyond the guidance that DoD intends to provide, as 
such decisions are unique to each company.
    The role of C3PAOs is thoroughly described in Sec.  170.9 CMMC 
Third-Party Assessment Organizations (C3PAOs) and in the supplemental 
documents.
    In terms of enforcement, since CMMC will be implemented as a pre-
award requirement, the repercussions of failure to meet CMMC 
requirements will include failure to be selected for contract award, or 
standard contractual and other remedies for failure to timely and 
satisfactorily close-out a POA&M and meet or maintain the contractual 
CMMC requirements.
    As with all of DoD programs, the Department intends to effectively 
oversee the CMMC Program and take the appropriate actions needed to 
manage its effective implementation. The phased implementation plan 
described in Sec.  170.3(e) was extended by six months and is intended 
to address ramp-up issues, provide time to train the necessary number 
of assessors, and allow companies the time needed to understand and 
implement CMMC requirements.
Small Business Entities Impacted
    This rule will impact small businesses that do business with the 
Department of Defense, except those competing on contracts or orders 
that are exclusively for COTS items or when receiving contracts or 
orders valued at or below the micro-purchase threshold. According to 
the Federal Procurement Data System (FPDS) there is an average of 
29,260 unique small business contractors: FY 2019 (31,189), FY 2020 
(29,166) and FY 2021 (27,427).
Cost Assumptions and Analysis for CMMC
    Complete details on CMMC requirements and associated costs, 
savings, and benefits of this rule are provided in the Regulatory 
Impact Analysis referenced in the preamble. Key Components of the model 
are described in Sec. Sec.  170.14 through 170.24.
(a) Assumptions for the updated CMMC Program Cost Analysis
    In estimating the public cost for a small DIB company to achieve 
CMMC compliance or certification at each CMMC level, DoD considered 
non-recurring engineering costs, recurring engineering costs, 
assessment costs, and affirmation costs for each CMMC Level.\62\ These 
costs include labor and consulting.
---------------------------------------------------------------------------

    \62\ DoD estimates of the hours, recurring and non-recurring 
costs, and labor rates are based upon subject matter expertise from 
the DOD Chief Information Office, CMMC Program Office, and DoD/
DIBCAC.
---------------------------------------------------------------------------

    Estimates include size and complexity assumptions to account for 
organizational differences and how each organization handles Information 
Technology (IT) and cybersecurity:
    * small entities have a less complex, less expansive operating 
environment and Information Technology (IT)/Cybersecurity infrastructure 
compared to larger DIB companies.
    * small entities outsource IT and cybersecurity to an External 
Service Provider (ESP).
    * entities (large or small) pursuing CMMC Level 2 self-assessment 
will seek consulting or implementation assistance from an ESP to either 
help them prepare for the assessment technically or participate in the 
assessment with the C3PAOs.
    Estimates do not include implementation (Non-recurring Engineering 
Costs (NRE)) or maintenance costs (Recurring Engineering (RE)) for 
requirements prescribed in current regulations.
    For CMMC Levels 1 and 2, cost estimates are based upon assessment, 
reporting and affirmation activities which a contractor will take to 
validate conformance with existing cybersecurity requirements from the 
FAR clause 52.204-21 (effective June 15, 2016) to protect FCI, and the 
DFARS clause 252.204-7012 which required contractor implementation of 
NIST SP 800-171 not later than December 31, 2017, to protect CUI. As 
such, cost estimates are not included for an entity to implement 
security requirements, maintain existing security requirements, or 
remediate a Plan of Action for unimplemented requirements.
    For CMMC Level 3, the estimates factor in the assessment, reporting 
and affirmation activities in addition to estimates for NRE and RE to 
implement and maintain CMMC Level 3 requirements. CMMC Level 3 
requirements are a subset of NIST SP 800-172 Feb2021 Enhanced Security 
Requirements as described in Sec.  170.30 of the CMMC rule and are not 
currently required through other regulations. CMMC Level 3 is expected 
to apply only to a small subset of DIB contractors.
    The Cost Categories used for each CMMC Level are described below:
    1. Nonrecurring Engineering Costs: Estimates consist of hardware, 
software, and the associated labor to implement the same. Costs 
associated with implementing the requirements defined in FAR clause 
52.204-21 and NIST SP 800-171 R2 are assumed to have been implemented 
and are therefore not accounted for in this cost estimate. As such, 
these costs only appear in CMMC Level 3. Where nonrecurring engineering 
costs are referenced, they are only accounted for as a one-time 
occurrence and are reflected in the year of the initial assessment.
    2. Recurring Engineering Costs: Estimates consist of annually 
recurring fees and associated labor for technology refresh. Costs 
associated with implementing the requirements defined in FAR clause 
52.204-21 and NIST SP 800-171 R2 are assumed to have been implemented 
and are therefore not accounted for in this cost estimate. As such, 
these costs only appear in CMMC Level 3.
    Assessment Costs: Estimates consist of activities for pre-
assessment preparations (which includes gathering and/or developing 
evidence that the assessment objectives for each requirement have been 
satisfied), conducting and/or participating in the actual assessment, 
and completion of any post-assessment work. Assessment costs are 
represented by notional phases. Assessment costs assume the offeror/
contractor passes the assessment on the first attempt (conditional--
with an allowable POA&M or final). Each phase includes an estimate of 
hours to conduct the assessment activities including:
    (a) Labor hour estimates for a company (and any ESP support) to 
prepare for and participate in the assessment.
    (b) C3PAO cost estimates for companies pursuing a certification.

--Labor hour estimates for certified assessors to work with the small 
business to conduct the actual assessment.


[[Page 83205]]


    (c) Assessment Costs broken down into phases.

--Phase 1: Planning and preparing for the assessment.
--Phase 2: Conducting the assessment (self or C3PAO).
--Phase 3: Reporting of Assessment Results.
--Phase 4: POA&M Closeout (for CMMC Level 3 only, where allowed, if 
applicable).

    * CMMC allows a limited open Plan of Action and Milestones 
(POA&M) for a period of 180 days to remediate the POA&M, see Sec.  
170.37.
    3. Affirmations: Estimates consist of costs for a contractor to 
submit to SPRS an initial and affirmation of compliance that the 
covered contractor information system is compliant with and will 
maintain compliance with the requirements of the applicable CMMC Level. 
Where POA&Ms are allowed, an affirmation must be submitted with the 
POA&M closeout. Except for Small Entities for Level 1 and Level 2, it 
is assumed the task requires the same labor categories and estimated 
hours as the final reporting phase of the assessment.
(b) Comparison to the Initial CMMC Program Cost Analysis
    Public comments on the initial CMMC Program indicated that cost 
estimates were too low. Updated CMMC Program cost estimates account for 
that feedback with the following improvements:
    * Allowance for outsourced IT services.
    * Increased total time for the contractor to prepare for the 
assessment, including limited time for learning the reporting and 
affirmation processes.
    * Allowance for use of consulting firms to assist with the 
assessment process.
    * Time for a senior level manager to review the assessment 
and affirmation before submitting the results into SPRS.
    * Updated government and contractor labor rates that include 
applicable burden costs.
    As a result, some cost estimates for the updated CMMC Program may 
be higher than those included in the initial CMMC Program.
(c) Cost Analysis/Estimates by CMMC Level
CMMC Level 1 Self-Assessment and Affirmation Costs for Small Business 
Entities
    * Nonrecurring and recurring engineering costs: There are no 
nonrecurring or recurring engineering costs associated with CMMC Level 
1 since it is assumed the contractor has implemented basic safeguarding 
requirements.\63\
---------------------------------------------------------------------------

    \63\ Again, it is assumed that DIB contractors and 
subcontractors have already implemented the 15 basic safeguarding 
requirements in FAR clause 52.204-21.
---------------------------------------------------------------------------

    * Self-Assessment Costs and Initial Affirmation Costs: It is 
estimated that the cost to support a CMMC Level 1 assessment and 
affirmation is *$5,977 (as summarized in table 1). A Level 1 self-
assessment is conducted annually, and is based on the assumptions 
detailed below:
--Phase 1: Planning and preparing for the assessment: $1,803

    * A director (MGMT5) for 4 hours ($190.52/hr x 4hrs = $762)
    * An external service provider (ESP) \64\ for 4 hours 
($260.28/hr x 4hrs = $1,041)
---------------------------------------------------------------------------

    \64\ An external service provider is assumed to be an 
``Information Assurance Specialist Level 7'' with an hourly rate of 
$260.
---------------------------------------------------------------------------

--Phase 2: Conducting the self-assessment: $2,705
    * A director (MGMT5) for 6 hours ($190.52/hr x 6hrs = 
$1,143)
    * An external service provider (ESP) for 6 hours ($260.28/hr x 
6hrs = $1,562)
--Phase 3: Reporting of Assessment Results into SPRS: $909
    * A director (MGMT5) for 2 hours ($190.52/hr x 2hrs = $381)
    * An external service provider (ESP) for 2 hours ($260.28/hr 
x 2hrs = $521)
    * A staff IT specialist (IT4) for 0.08 hours \65\ ($86.24/hr 
x 0.08hrs = $7)
---------------------------------------------------------------------------

    \65\ A person needs to enter the information into SPRS, which 
should only take five minutes.
---------------------------------------------------------------------------

--Affirmation: initial affirmation post assessment: $560

    * Reaffirmations: It is estimated that the cost to reaffirm 
a CMMC Level 1 annually for a small entity is $560

--A director (MGMT5) for 2 hours ($190.52/hr x 2hrs = $381)
--A staff IT specialist (IT4) for 2.08 hours ($86.24/hr x 2.08hrs = 
$179)

    * Summary: The following is the annual small entities total 
cost summary for CMMC Level 1 self-assessments and affirmations over a 
ten-year period: (Example calculation, Year 1: *$5,977 per entity 
(detailed above) x 699 entities (cumulative) = $4,177,845)

[[Page 83206]]

[Table omitted in source (graphic TR15OC24.028): annual small entity 
cost summary for CMMC Level 1 self-assessments and affirmations over a 
ten-year period]

CMMC Level 2 Self-Assessment and Affirmation Costs for Small Business 
Entities
    The costs below account for a CMMC Level 2 self-assessment of the 
applicable contractor information system(s) with NIST SP 800-171 R2 
requirements based on assumptions defined above.
    * Nonrecurring and recurring engineering costs: There are no 
nonrecurring or recurring engineering costs associated with CMMC Level 
2 self-assessment since it is assumed the contractor has implemented 
NIST SP 800-171 R2 requirements.
    * Assessment Costs and Initial Affirmation Costs: It is 
estimated that the cost to support a CMMC Level 2 self-assessment and 
affirmation for a small entity is *$34,277. The three-year cost is 
$37,196 (as summarized in 4.1.2 above, table 2), which includes the 
triennial assessment + affirmation, plus two additional annual 
affirmations ($34,277 + $1,459 + $1,459).

--Phase 1: Planning and preparing for the self-assessment: $14,426
    * A director (MGMT5) for 32 hours ($190.52/hr x 32hrs = 
$6,097)
    * An external service provider (ESP) for 32 hours ($260.28/
hr x 32hrs = $8,329)
--Phase 2: Conducting the self-assessment: $15,542
    * A director (MGMT5) for 16 hours ($190.52/hr x 16hrs = 
$3,048)
    * An external service provider (ESP) for 48 hours ($260.28/
hr x 48hrs = $12,493)
--Phase 3: Reporting of assessment results: $2,851
    * A director (MGMT5) for 4 hours ($190.52/hr x 4hrs = $762)
    * An external service provider (ESP) for 8 hours ($260.28/hr 
x 8hrs = $2,082)
    * A staff IT specialist (IT4) for 0.08 hours ($86.24/hr x 
0.08hrs = $7)
--Affirmation--initial affirmation post assessment: $1,459

    * Reaffirmations: It is estimated that the cost to reaffirm 
a CMMC Level 2 self-assessment annually is $1,459 (the three-year cost 
to reaffirm a CMMC Level 2 self-assessment annually is $4,377, or 
$1,459 x 3):

--A director (MGMT5) for 4 hours ($190.52/hr x 4hrs = $762)
--A staff IT specialist (IT4) for 8.08 hours ($86.24/hr x 8.08hrs = 
$697)

    * Summary: The following is the annual small entities total 
cost summary for CMMC Level 2 self-assessments and Affirmations over a 
ten-year period: (Example calculation, Year 2: (*$34,277 self-
assessment per entity x 101 entities) + ($1,459 annual affirmation per 
entity x 20 entities) = $3,491,193)

[[Page 83207]]

[Table omitted in source (graphic TR15OC24.029): annual small entity 
cost summary for CMMC Level 2 self-assessments and affirmations over a 
ten-year period]

CMMC Level 2 Certification and Affirmation Costs for Small Business 
Entities
    The costs below account for a CMMC Level 2 Certification assessment 
and affirmation costs of the applicable contractor information 
system(s) with NIST SP 800-171 R2 requirements based on assumptions 
defined above. CMMC Level 2 certification assessments require hiring a 
C3PAO to perform the assessment.
    * Nonrecurring or recurring engineering costs: There are no 
nonrecurring or recurring engineering costs associated with CMMC Level 
2 C3PAO Certification since it is assumed the contractor has 
implemented NIST SP 800-171 R2 requirements.
    * Assessment Costs and Initial Affirmation Costs: It is 
estimated that the cost to support a CMMC Level 2 C3PAO Certification 
and affirmation for a small entity is *$101,752. The three-year cost is 
$104,670 (as summarized in section 3(b) above, table 1), and includes 
the triennial assessment + affirmation plus two additional annual 
affirmations ($101,752 + $1,459 + $1,459).

--Phase 1: Planning and preparing for the assessment: $20,699
    * A director (MGMT5) for 54 hours ($190.52/hr x 54hrs = 
$10,288)
    * An external service provider (ESP) for 40 hours ($260.28/
hr x 40hrs = $10,411)
--Phase 2: Conducting the C3PAO assessment: $45,509
    * A director (MGMT5) for 64 hours ($190.52/hr x 64hrs = 
$12,193)
    * An external service provider (ESP) for 128 hours ($260.28/
hr x 128hrs = $33,316)
--Phase 3: Reporting of C3PAO Assessment Results: $2,851
    * A director (MGMT5) for 4 hours ($190.52/hr x 4hrs = $762)
    * An external service provider (ESP) for 8 hours ($260.28/hr 
x 8hrs = $2,082)
    * A staff IT specialist (IT4) for 0.08 hours ($86.24/hr x 
0.08hrs = $7)
--Affirmation--initial affirmation post assessment: $1,459
--C3PAO Costs: C3PAO engagement inclusive of Phases 1, 2, and 3 (3-
person team) for 120 hours ($260.28/hr x 120hrs = $31,234)

    * Reaffirmations: It is estimated that the cost to reaffirm 
a CMMC Level 2 C3PAO Assessment annually is $1,459 (three-year cost is 
$4,377, or $1,459 x 3)

--A director (MGMT5) for 4 hours ($190.52/hr x 4hrs = $762)
--A staff IT specialist (IT4) for 8.08 hours ($86.24/hr x 8.08hrs = 
$697)

    * Summary: The following is the annual small entities total 
cost summary for CMMC Level 2 Certifications and Affirmations over a 
ten-year period: (Example calculation, Year 2: (*$101,752 assessment 
per entity x 1,926 entities) + ($1,459 annual affirmation per entity x 
382 entities) = $196,531,451)

[[Page 83208]]

[Table omitted in source (graphic TR15OC24.030): annual small entity 
cost summary for CMMC Level 2 certifications and affirmations over a 
ten-year period]

CMMC Level 3 Certification and Affirmation Costs for Small Business 
Entities
    Contractors pursuing CMMC Level 3 certification assessment must 
have a current Final CMMC Level 2 certification assessment, and 
demonstrate compliance with CMMC Level 3, which is a subset of security 
requirements from NIST SP 800-172 Feb2021 that have DoD predefined 
selections and parameters. CMMC Level 3 requires compliance with 
security requirements not required in prior rules. Therefore, 
Nonrecurring Engineering and Recurring Engineering cost estimates have 
been included for the initial implementation and maintenance of the 
required subset of NIST 800-172 Feb2021 requirements. The cost 
estimates below account for time for a contractor to implement the 
security requirements and prepare for, support, and participate in a 
CMMC Level 3 assessment conducted by DCMA DIBCAC. The contractor should 
therefore keep in mind that the cost of a Level 3 certification will 
also incur the cost of a CMMC Level 2 certification assessment by a 
C3PAO in addition to the costs to assess the requirements specific to 
Level 3. Inclusion of CMMC Level 3 certification is expected to affect 
only a small subset of defense contractors or subcontractors in the 
DIB.
    The estimated engineering costs per small entity associated with 
CMMC Level 3 are:
    * Nonrecurring Engineering Costs: $2,700,000.
    * Recurring Engineering Costs: $490,000.
    * Assessment Costs and Initial Affirmation Costs: It is 
estimated that the cost to support a CMMC Level 3 C3PAO Certification 
for a small entity is *$9,050. The three-year cost is $12,802 
(summarized in 4.1.2 above, table 2), and includes the triennial 
assessment + affirmation, plus two additional annual affirmations 
($9,050 + $1,876 + $1,876):

--Phase 1: Planning and preparing for the Level 3 assessment: $1,905
    * A director (MGMT5) for 10 hours ($190.52/hr x 10hrs = 
$1,905)
--Phase 2: Conducting the Level 3 assessment: $1,524
    * A director (MGMT5) for 8 hours ($190.52/hr x 8hrs = 
$1,524)
--Phase 3: Reporting of Level 3 assessment results: $1,876
    * A director (MGMT5) for 8 hours ($190.52/hr x 8hrs = 
$1,524)
    * A staff IT specialist (IT4) for 4.08 hours ($86.24/hr x 
4.08hrs = $352)
--Phase 4: Remediation (for CMMC Level 3 if necessary and allowed): 
$1,869
    * A director (MGMT5) for 8 hours ($190.52/hr x 8hrs = 
$1,524)
    * A staff IT specialist (IT4) for 48 hours ($86.24/hr x 
48hrs = $345)
--Affirmation--initial affirmation post assessment: $1,876

    * Reaffirmations: It is estimated that the cost to reaffirm 
a CMMC Level 3 Assessment annually is $1,876 (three-year cost is 
$5,628, or $1,876 x 3)

--A director (MGMT5) for 8 hours ($190.52/hr x 8hrs = $1,524)
--A staff IT specialist (IT4) for 4.08 hours ($86.24/hr x 4.08hrs = 
$352)

    * Summary: The following is the annual small entities total 
cost summary for CMMC Level 3 Certifications and Affirmations over a 
ten-year period. Example calculation, Year 2 (reference per entity 
amounts above):

--*($9,050 Certification per entity x 45 entities) + ($1,876 Annual 
Affirmation per entity x 3 entities) = $412,897, and
--$121,500,000 Nonrecurring Engineering cost ($2,700,000 per entity x 
45 entities being certified), and
--$23,520,000 Recurring Engineering cost ($490,000 per entity x 45 
entities being certified) + ($490,000 per entity x 3 entities 
performing affirmations)
--$145,432,897 Total Cost = Certification and Affirmation Cost

[[Page 83209]]

($412,897) + Nonrecurring Engineering cost ($121,500,000) + Recurring 
Engineering cost ($23,520,000), or $145,432,897.
[Table omitted in source (graphic TR15OC24.031): annual small entity 
cost summary for CMMC Level 3 certifications and affirmations over a 
ten-year period]

Projected Reporting, Recordkeeping, and Compliance Requirements
    The CMMC Program provides for the assessment of contractor 
implementation of cybersecurity requirements to enhance confidence in 
contractor protection of unclassified information within the DoD supply 
chain. CMMC contractual requirements are implemented under the 48 CFR 
part 204 CMMC Acquisition rule, with associated rulemaking for the CMMC 
Program requirements (e.g., CMMC Scoring Methodology, certificate 
issuance, information accessibility) under the 32 CFR part 170 CMMC 
Program rule. The 32 CFR part 170 CMMC Program rule includes two 
separate information collection requests (ICR), one for the CMMC 
Program and one for CMMC eMASS.
    This information collection is necessary to support the 
implementation of the CMMC assessment process for Levels 2 and 3 
certification assessment, as defined in Sec. Sec.  170.17 and 170.18 
respectively.
    The CMMC Level 2 certification assessment process is conducted by 
Certified Assessors, employed by CMMC Third-Party Assessment 
Organizations (C3PAOs). During the assessment process, Organizations 
Seeking Certification \66\ (OSCs) hire C3PAOs to conduct the third-
party assessment required for certification.
---------------------------------------------------------------------------

    \66\ An Organization Seeking Certification (OSC) is an entity 
seeking to contract, obtain, or maintain CMMC certification for a 
given information system at a particular CMMC Level. An OSC is also 
an OSA.
---------------------------------------------------------------------------

    The CMMC Level 3 certification assessment process is conducted by 
the Defense Contract Management Agency (DCMA) Defense Industrial Base 
Cybersecurity Assessment Center (DIBCAC).
Use of the Information
    Level 1 and Level 2 CMMC Self-Assessments. Organizations Seeking 
Assessment \67\ (OSAs) follow procedures as defined in Sec. Sec.  
170.15(a)(1) and 170.16(a)(1) to conduct CMMC Level 1 and Level 2 self-
assessments on their information systems to determine conformance with 
the information safeguarding requirements associated with the CMMC 
level requirements. The Level 1 and Level 2 self-assessment information 
collection reporting and recordkeeping requirements will be included in 
a modification of an existing Defense Federal Acquisition Regulation 
Supplement (DFARS) collection approved under OMB Control Number 0750-
0004, Assessing Contractor Implementation of Cybersecurity 
Requirements. Modifications to this DFARS collection will be addressed 
as part of the 48 CFR part 204 CMMC Acquisition final rule.
---------------------------------------------------------------------------

    \67\ An Organization Seeking Assessment (OSA) is an entity 
seeking to conduct, obtain, or maintain a CMMC assessment for a 
given information system at a particular CMMC Level. The term OSA 
includes all OSCs.
---------------------------------------------------------------------------

CMMC Level 2 Certification Assessment
    The Level 2 certification assessment information collection burden 
for reporting and recordkeeping requirements is included in the 32 CFR 
part 170 CMMC Program rule. The information collection burden for the 
OSCs to upload affirmations in SPRS is included in the 48 CFR part 204 
CMMC Acquisition final rule. Additionally, the information collection 
burden requirements for the CMMC instantiation of eMASS are addressed 
in a separate 32 CFR part 170 CMMC Program final rule information 
collection request (ICR).
    OSCs follow procedures as defined in Sec.  170.17 to prepare for 
CMMC Level 2 certification assessment.
    Certified Assessors assigned by C3PAOs follow requirements and 
procedures as defined in Sec.  170.17 to conduct CMMC assessments on 
defense contractor information systems to determine conformance with 
the information safeguarding requirements associated with CMMC Level 2. 
This is an assessment to validate implementation of the 110 security 
requirements from NIST SP 800-171 R2.
    Prospective C3PAOs must complete and submit the Standard Form (SF) 
328 Certificate Pertaining to Foreign Interests (OMB control number 
0704-0579) upon request from Defense Counterintelligence and Security 
Agency (DCSA).
    C3PAOs must generate and collect pre-assessment and planning 
material (contact information for the OSC,

[[Page 83210]]

information about the C3PAO and assessors conducting the assessment, 
the level of assessment planned, the CMMC Model and Assessment Guide 
versions, and assessment approach), artifact information (list of 
artifacts, hash of artifacts, and hashing algorithm used), final 
assessment reports, appropriate CMMC certificates of assessment, and 
assessment appeal information. C3PAOs submit the data they generate and 
collect into the CMMC instantiation of eMASS; the information 
collection required for this submission is addressed in a separate CMMC 
eMASS ICR for the 32 CFR part 170 CMMC Program rule. OSCs may have a 
POA&M at CMMC Level 2 as addressed in Sec.  170.21. C3PAOs perform a 
POA&M closeout assessment. The C3PAO process to conduct a POA&M Close-
out Assessment, where applicable, is the same as the initial assessment 
with the same information collection requirements.
    OSCs must retain artifacts used as evidence for the assessment for 
the duration of the validity period of the certificate of assessment, 
and at minimum, for six years from the date of certification assessment 
as addressed in Sec.  170.17(c)(4). The OSC is responsible for 
compiling relevant artifacts as evidence and having knowledgeable 
personnel available during the assessment. The organizational artifacts 
are proprietary to the OSC and will not be retained by the assessment 
team unless expressly permitted by the OSC. To preserve the integrity 
of the artifacts reviewed, the OSC creates a hash of assessment 
evidence (to include a list of the artifact names, the return values of 
the hashing algorithm, and the hashing algorithm used) and retains the 
artifact information for six years. The information obtained from the 
artifacts is an information collection and is provided to the C3PAO for 
uploading into the CMMC instantiation of eMASS (addressed in a separate 
CMMC eMASS ICR for the 32 CFR part 170 CMMC Program final rule); the 
artifacts themselves are not an information collection. The OSC process 
to support a POA&M Close-out Assessment, where applicable, is the same 
as the initial assessment with the same information collection 
requirements.
    If an OSC does not agree with the assessment results, it may 
formally dispute the assessment and initiate an Assessment Appeal 
process with the C3PAO who conducted the assessment. C3PAOs submit 
assessment appeals using eMASS (addressed in a separate CMMC eMASS ICR 
for the 32 CFR part 170 CMMC Program final rule). Appeals are tracked 
in the CMMC instantiation of eMASS and any resulting changes to the 
assessment results are uploaded into the CMMC instantiation of eMASS.
    C3PAOs maintain records for a period of six years of monitoring, 
education, training, technical knowledge, skills, experience, and 
authorization of each member of its personnel involved in inspection 
activities; contractual agreements with OSCs; any working papers 
generated from Level 2 certification assessments; and organizations for 
whom consulting services were provided as addressed in Sec.  
170.9(b)(9). The Accreditation Body provides the CMMC PMO with current 
data on C3PAOs, including authorization and accreditation records and 
status using the CMMC instantiation of eMASS (addressed in a separate 
CMMC eMASS ICR for the 32 CFR part 170 CMMC Program final rule).
    The Accreditation Body provides all plans related to potential 
sources of revenue, to include but not limited to fees, licensing, 
processes, membership, and/or partnerships to the Government's CMMC PMO 
as addressed in Sec.  170.8(b)(13).
    CAICOs maintain records for a period of six years of all 
procedures, processes, and actions related to fulfillment of the 
requirements set forth in Sec.  170.10(b)(9).
CMMC Level 3 Certification Assessment
    The Level 3 certification assessment information collection burden 
for reporting and recordkeeping requirements is included in the 32 CFR 
part 170 CMMC Program final rule. The information collection burden for 
OSCs to upload affirmations in SPRS is included in the 48 CFR part 204 
CMMC Acquisition final rule. Additionally, the information collection 
burden requirements for the CMMC instantiation of eMASS are addressed 
in a separate CMMC eMASS ICR for the 32 CFR part 170 CMMC Program final 
rule.
    OSCs follow procedures as defined in Sec.  170.18 to prepare for 
CMMC Level 3 certification assessment.
    DCMA DIBCAC Assessors follow requirements and procedures as defined 
in Sec.  170.18 to conduct CMMC assessments on defense contractor 
information systems to determine conformance with the information 
safeguarding requirements associated with CMMC Level 3. This is an 
assessment to validate the implementation of the 24 selected security 
requirements from NIST SP 800-172 Feb2021. Because DCMA DIBCAC is a 
government entity, there are no public information collection 
requirements.
    DCMA DIBCAC must generate and collect pre-assessment and planning 
material (contact information for the OSC, information about the 
assessors conducting the assessment, the level of assessment planned, 
the CMMC Model and Assessment Guide versions, and assessment approach), 
artifact information (list of artifacts, hash of artifacts, and hashing 
algorithm used), final assessment reports, appropriate CMMC 
certificates of assessment, and assessment appeal information. DCMA 
DIBCAC submits the data it generates and collects into the CMMC 
instantiation of eMASS (addressed in a separate CMMC eMASS ICR for the 
32 CFR part 170 CMMC Program final rule).
    OSCs may have a POA&M at CMMC Level 3 as addressed in Sec.  170.21. 
DCMA DIBCAC performs a POA&M closeout assessment. The DCMA DIBCAC 
process to conduct a POA&M close-out assessment, where applicable, is 
the same as the initial assessment with the same information collection 
requirements.
    OSCs must retain artifacts used as evidence for the assessment for 
the duration of the validity period of the certificate of assessment, 
and at minimum, for six years from the date of certification assessment 
as addressed in Sec.  170.18(c)(4). The OSC is responsible for 
compiling relevant artifacts as evidence and having knowledgeable 
personnel available during the assessment. Assessors will not 
permanently retain assessment artifacts. To preserve the integrity of 
the artifacts reviewed during the assessment, the OSC creates a hash of 
assessment evidence (to include a list of the artifact names, the 
return values of the hashing algorithm, and the hashing algorithm used) 
and retains the artifact information for six years. The information 
obtained from the artifacts is an information collection and DCMA 
DIBCAC uploads the information into the CMMC instantiation of eMASS; 
the artifacts themselves are not an information collection. The OSC 
process to support a POA&M close-out assessment, where applicable, is 
the same as the initial assessment with the same information collection 
requirements.
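The artifact-integrity step described in this paragraph and in the Level 2 paragraph above (a list of artifact names, the digest of each artifact, and the hashing algorithm used, retained for six years) is worth automating, since the same manifest must be checked again at a POA&M close-out assessment and lets the OSC show that the retained evidence is the evidence that was assessed even though the assessors keep no copy. The following Python is an added example, not part of the rule and not DoD, DCMA DIBCAC or C3PAO tooling. It assumes SHA-256 (the rule names no algorithm), a single local evidence directory, and a manifest stored outside that directory; the file names and contents it creates are constructed sample data.

```python
"""Assessment-evidence manifest (added example, not DoD or C3PAO tooling).

Records the artifact names, the digest of each artifact and the hashing
algorithm used, so the OSC can later prove the retained evidence is the
evidence that was assessed.  Assumptions: SHA-2 family digests (the rule
names no algorithm), artifacts are files under one evidence directory, and
the manifest is kept outside that directory.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Assumption: accept only SHA-2 digests; MD5/SHA-1 are rejected for integrity use.
APPROVED_ALGORITHMS = ("sha256", "sha384", "sha512")
CHUNK_SIZE = 1 << 20  # 1 MiB reads keep large artifacts out of memory


def hash_file(path, algorithm="sha256"):
    """Return the hex digest of one artifact, streaming it in chunks."""
    if algorithm not in APPROVED_ALGORITHMS:
        raise ValueError(f"algorithm {algorithm!r} not approved for evidence integrity")
    digest = hashlib.new(algorithm)
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(CHUNK_SIZE), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(evidence_dir, algorithm="sha256"):
    """Map every file under evidence_dir (relative POSIX path) to its digest.

    The algorithm name is stored alongside the digests, as the rule requires,
    so a later verifier does not have to guess it from the digest length.
    """
    root = Path(evidence_dir)
    artifacts = {
        path.relative_to(root).as_posix(): hash_file(path, algorithm)
        for path in sorted(root.rglob("*"))
        if path.is_file()
    }
    return {"algorithm": algorithm, "artifacts": artifacts}


def write_manifest(manifest, path):
    """Persist the manifest as sorted JSON so two runs produce identical files."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def verify_manifest(manifest, evidence_dir):
    """Recompute digests and report modified, missing and unlisted artifacts."""
    root = Path(evidence_dir)
    listed = manifest["artifacts"]
    findings = {"modified": [], "missing": [], "unlisted": []}
    for name, expected in listed.items():
        path = root / name
        if not path.is_file():
            findings["missing"].append(name)
        elif hash_file(path, manifest["algorithm"]) != expected:
            findings["modified"].append(name)
    for path in sorted(root.rglob("*")):
        name = path.relative_to(root).as_posix()
        if path.is_file() and name not in listed:
            findings["unlisted"].append(name)
    return findings


def demo():
    """Constructed walk-through: baseline the evidence, tamper with it, re-verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "evidence"
        (root / "policies").mkdir(parents=True)
        # Constructed sample artifacts, not real assessment evidence.
        (root / "policies" / "access-control.txt").write_bytes(b"AC policy v3\n")
        (root / "mfa-config.json").write_bytes(b'{"mfa": "required"}\n')

        manifest = build_manifest(root)
        write_manifest(manifest, Path(tmp) / "manifest.json")  # outside evidence/
        clean = verify_manifest(manifest, root)

        # Simulate what a later verification must catch: an edited artifact,
        # a lost artifact and a file slipped in after the assessment.
        (root / "mfa-config.json").write_bytes(b'{"mfa": "optional"}\n')
        (root / "policies" / "access-control.txt").unlink()
        (root / "late-addition.txt").write_bytes(b"added after the assessment\n")
        tampered = verify_manifest(manifest, root)
        return manifest, clean, tampered


if __name__ == "__main__":
    built, before, after = demo()
    print(json.dumps(built, indent=2))
    print("before tampering:", before)
    print("after tampering: ", after)
```

Two design points matter in practice. The manifest records the algorithm by name rather than relying on digest length, which is what the rule asks for and what a verifier six years later needs. And the verifier reports unlisted files as well as modified and missing ones, because evidence added after the assessment date is as much an integrity problem as evidence that changed.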
    If an OSC does not agree with the assessment results, it may 
formally dispute the assessment and initiate an Assessment Appeal 
process with DCMA DIBCAC. DCMA DIBCAC submits assessment appeals using 
eMASS. Appeals are tracked in the CMMC instantiation of eMASS and any 
resulting changes to the assessment

[[Page 83211]]

results are uploaded into CMMC eMASS.
    DCMA DIBCAC maintains records for a period of six years of 
monitoring, education, training, technical knowledge, skills, 
experience, and authorization of each member of its personnel involved 
in inspection activities and working papers generated from Level 3 
Certification Assessments.
Use of Information Technology
    CMMC assessment data and results are collected using information 
technology. C3PAOs and DCMA DIBCAC electronically upload assessment 
data and results into the CMMC instantiation of eMASS (addressed in a 
separate CMMC eMASS ICR for the 32 CFR part 170 CMMC Program final 
rule). The CMMC instantiation of eMASS electronically transfers 
certification results to SPRS. For Level 1 and 2 self-assessments, OSAs 
upload their assessment data directly into SPRS.
    Use of the CMMC instantiation of eMASS provides DoD visibility into 
the cybersecurity posture of the defense contractor supply chain and is 
the mechanism to generate reports on the health of the CMMC Ecosystem. 
SPRS is DoD's authoritative source for supplier and product performance 
information. Use of this electronic system to collect CMMC information 
eliminates the need for contractors to respond directly to multiple DoD 
requiring activities. SPRS serves as a single repository for Government 
access to CMMC assessment results. Modifications to information 
collections in SPRS will be addressed in the 48 CFR part 204 CMMC 
Acquisition final rule.
Non-Duplication
    The information obtained through this collection is unique and is 
not already available for use or adaptation from another cleared 
source.
Burden on Small Businesses
    For Level 1 and 2 self-assessments, OSAs must report annually and 
triennially, respectively. Level 2 and Level 3 certification 
assessments must be conducted every three years by a C3PAO or DCMA 
DIBCAC, respectively. At all levels, an annual affirmation is required. 
In all cases, the burden applied to small business is the minimum 
consistent with applicable laws, Executive orders, regulations, and 
prudent business practices.
    A C3PAO, although not a defense contractor, may also be a small 
business. Efforts to minimize the burden on C3PAOs include the 
electronic collection of data using the CMMC instantiation of eMASS and 
providing Microsoft Excel spreadsheet templates.
Less Frequent Collection
    CMMC certifications last up to three years. The assessment 
frequency for each level was determined by the DoD based on the 
sensitivity of information processed, stored, or transmitted by the OSA 
at each level.
    DoD Program Managers use the CMMC information in SPRS to confirm 
the validity status of an OSA's CMMC self-assessment or certification 
assessment prior to contract award. Rather than taking a contract-by-
contract approach to securing Federal Contract Information (FCI) and 
Controlled Unclassified Information (CUI), the OSA may obtain multiple 
contracts with a single CMMC self-assessment or certification 
assessment, thereby reducing the cost to both DoD and industry.
Consultation and Public Comments
    The Department consulted with members of the DIB Sector 
Coordinating Council (SCC), and government organizations including the 
DCMA DIBCAC and the Missile Defense Agency in determining what data to 
collect in the CMMC instantiation of eMASS.
    The 60-Day Federal Register notice information is included in the 
preamble of the 32 CFR part 170 CMMC Program final rule for public 
comment.
    The CMMC PMO is also working with a records management point-of-
contact to ensure records produced from this information collection are 
retained and disposed of according to a NARA-approved records retention 
and disposition schedule. Records will be treated as permanent until 
the appropriate schedule is identified or approved.
Part A & B: Respondent Burden and Its Labor Costs
    The Level 1 and Level 2 self-assessment information collection 
reporting and recordkeeping requirements for the CMMC Program will be 
included in a modification of an existing DFARS collection approved 
under OMB Control Number 0750-0004, Assessing Contractor Implementation 
of Cybersecurity Requirements. Modifications to this DFARS collection 
will be addressed as part of the 48 CFR part 204 CMMC Acquisition final 
rule.

[[Page 83212]]

[GRAPHIC] [TIFF OMITTED] TR15OC24.032

    The public burden costs associated with Level 2 and Level 3 
certification assessment information collection reporting and 
recordkeeping requirements for the CMMC Program are addressed here, 
except for the eMASS reporting requirements which will be addressed as 
part of a separate CMMC eMASS ICR for the 32 CFR part 170 CMMC Program 
final rule. Respondent burden and cost for these information collection 
reporting and recordkeeping requirements are as follows:
---------------------------------------------------------------------------

    \68\ Respondent is equivalent to an entity; an entity provides 
one response annually.
    \69\ Hours per Response represents the estimated burden hours to 
complete the indicated assessment.
    \70\ Hourly Rate represents a composite hourly rate derived from 
the detailed type of labor and associated rates estimated in the 
CMMC cost estimate model.
    \71\ The entity type refers to the size of the OSC as either 
Small or Other Than Small; the entity type does not refer to the 
size of the C3PAO.
---------------------------------------------------------------------------

Respondent Costs Other Than Burden Hour Costs
    Non-Recurring and Recurring Engineering estimated costs are 
included for Level 3 certification assessments. Non-Recurring 
Engineering reflects a one-time cost consisting of hardware, software, 
and the associated labor to implement the same. Recurring Engineering 
reflects annually recurring fees and associated labor for technology 
refresh. The estimated amounts below are average annual amounts for all 
entities as indicated.
    Travel costs for C3PAO assessors may represent an additional cost 
for respondents.
Cost to the Federal Government
    The government burden costs associated with Level 3 certification 
assessment information collection reporting and recordkeeping 
requirements for the CMMC Program are addressed here, except for the 
eMASS reporting requirements which will be addressed as part of a 
separate CMMC eMASS ICR for the 32 CFR part 170 CMMC Program rule. 
Respondent burden and cost for these information collection reporting 
and recordkeeping requirements are as follows:
[GRAPHIC] [TIFF OMITTED] TR15OC24.033


[[Page 83213]]


[GRAPHIC] [TIFF OMITTED] TR15OC24.034

Steps Taken To Minimize Economic Impact
    DoD took aggressive steps to minimize the economic impact of this 
program by streamlining requirements to reduce the number of steps in 
the process and the number of requirements that needed to be met, by 
relaxing the requirement for 100% compliance at the time of assessment, 
and by reducing the number of third-party assessments required.
---------------------------------------------------------------------------

    \72\ Respondent is equivalent to an entity; an entity provides 
one response annually.
    \73\ Hours per Response represents the estimated Government 
burden hours to complete the indicated assessment.
    \74\ The Hourly Rate represents a composite hourly rate derived 
from the detailed type of Government labor and associated rates 
estimated in the CMMC cost estimate model.
    \75\ The entity type refers to the size of the OSC as either 
Small or Other Than Small; the entity type does not refer to the 
size of DCMA DIBCAC.
---------------------------------------------------------------------------

    To further elaborate, the DoD established a review body that 
evaluated the CMMC Program to ensure it was meeting the programmatic 
requirements to secure Controlled Unclassified Information within the 
non-Federal networks of the Defense Industrial Base. A special 
independent team was established to review and provide recommendations 
on improving the program.
    The DoD determined that the CMMC program should only employ the 
Cybersecurity Standards prescribed by the NIST SP 800-171 that had been 
required for defense contractors since 2017 as implemented by the DFARS 
clause 252.204-7012, which resulted in the removal of 20 requirements 
aligned with cybersecurity maturity. The ESG also recommended 
simplifying the program structure to require only 3 levels of 
certification vice the original 5. The program further determined that 
certifications should not be required at CMMC Level 1 and that self-
assessment with an annual affirmation was sufficient for this level. 
CMMC Level 2 was further evaluated, and DoD determined that bifurcating 
this level was appropriate: some CUI would only require a Level 2 
self-assessment with annual affirmation, which further reduced the 
costs for the program. Further the ESG recommended that Plans of 
Actions and Milestones (POA&Ms) for lower-level requirements that were 
not met be allowed for a limited period of time. This rule was updated 
to allow POA&Ms for no more than 180 days to give contractors the 
ability to achieve contract award without being fully compliant with 
all requirements of NIST SP 800-171 R2.
    In another effort to minimize the economic impact, the program 
developed a Phase-in approach to incrementally implement CMMC in four 
phases over 4 years, with the first year being focused on Self-
assessment and compliance with NIST SP 800-171 R2 giving contractors 
more time to implement the requirements already required in their 
contracts since 2017. A CMMC waiver process was also included in the 
program which allows DoD the discretion to waive CMMC Program 
requirements for a procurement or class of procurements in advance of 
the solicitation in accordance with all applicable policies, 
procedures, and approval requirements. This waiver would allow contract 
award and the contractor would be expected to achieve compliance and 
certification at a defined time post-award.
    The DoD is employing a phased approach to the CMMC rollout to 
reduce implementation risk. DoD expects that the public has utilized 
the lead-time prior to the publication of this rule to prepare for CMMC 
implementation. CMMC Program requirements make no changes to existing 
policies for information security requirements implemented by the DoD.
    The phased CMMC implementation plan described in Sec.  170.3(e) is 
intended to address CMMC ramp-up issues, provide time to train the 
necessary number of assessors, and allow companies the time needed to 
understand and implement CMMC requirements. DoD has updated the rule to 
add an additional six months to the Phase 1 timeline. Phase 2 will 
start one calendar year after the start of Phase 1, and Phase 3 will 
start one calendar year after the start of Phase 2. As with all DoD 
programs, the Department intends to effectively oversee CMMC, and take 
appropriate actions needed to manage its effective implementation.
Alternatives
    DoD considered and adopted several alternatives during the 
development of this rule that reduce the burden on defense contractors 
and still meet the objectives of the rule. These alternatives include:
    Maintaining status quo and leveraging only the current requirements 
implemented in DFARS provision 252.204-7019 and DFARS clause 252.204-
7020 requiring defense contractors and offerors to self-assess 
compliance and utilizing the DoD Assessment Methodology and entering a 
Basic Summary Score in SPRS.
    Revising CMMC to reduce the burden for small businesses and 
contractors who do not process, store, or transmit CUI by eliminating 
the requirement to hire a C3PAO and instead allow self-assessment with 
affirmation to maintain compliance at CMMC Level 1, and allowing 
triennial self-assessment with an annual affirmation to maintain 
compliance for some CMMC Level 2 programs.
    Exempting contracts and orders exclusively for the acquisition of

[[Page 83214]]

commercially available off-the-shelf items; and,
    Implementing a phased implementation for CMMC.
    In addition, the Department took into consideration the timing of 
the requirement to achieve a specified CMMC level: (1) at time of 
proposal or offer submission, (2) after contract award, (3) at the time 
of contract award, or (4) permitting government Program Managers to 
seek approval to waive inclusion of CMMC requirements in solicitations 
and resulting contracts that involve disclosure or creation of FCI or 
CUI as part of the contract effort. Such waivers will be requested and 
approved by DoD in accordance with internal policies, procedures, and 
approval requirements.
    The Department ultimately adopted alternatives (3) and (4). The 
drawback of alternative 1 (at time of proposal or offer submission) is 
the increased risk for contractors since they may not have sufficient 
time to achieve the required CMMC level after the release of the 
solicitation and before contract award. The drawback of alternative 2 
(after contract award) is the increased risk to the Department with 
respect to the costs, program schedule, and uncertainty in the event 
the contractor is unable to achieve the required CMMC level in a 
reasonable amount of time given its current cybersecurity posture. This 
potential delay would apply to the entire supply chain and prevent the 
appropriate flow of CUI and FCI.
    CMMC does not require implementation of any additional security 
protection requirements beyond those identified in current FAR clause 
52.204-21 and in NIST SP 800-171 R2 for CMMC Level 1 and Level 2, 
respectively. CMMC Level 3 requirements are new and based upon NIST SP 
800-172 Feb2021.
Steps Taken To Minimize Additional Cost of Credit
    The DoD is not a ``covered agency'' under 5 U.S.C. 604.

E. Public Law 96-511, ``Paperwork Reduction Act'' (44 U.S.C. Chapter 
35)

    Sections of this rule contain information collection requirements. 
As required by the Paperwork Reduction Act (44 U.S.C. Chapter 35), DoD 
has submitted information collection packages to the Office of 
Management and Budget for review and approval. The titles and proposed 
OMB control numbers are as follows.
     Cybersecurity Maturity Model Certification (CMMC) 
Enterprise Mission Assurance Support-Service (eMASS) Instantiation 
Information Collection (OMB control number 0704-0676).
     Cybersecurity Maturity Model Certification (CMMC) Program 
Reporting and Recordkeeping Requirements Information Collection (OMB 
Control Number 0704-0677).
    In the proposed rule, DoD invited comments on these information 
collection requirements and the paperwork burden associated with this 
rule. Five comments were received on the information clearance packages 
that were not applicable to the information collection requirements; 
however, the comments were applicable to other aspects of the rule, and 
they are addressed in the comments section of this preamble. There were 
no changes to paperwork burden included in the proposed rule that 
published December 26, 2023 (88 FR 89058) based on public comments 
received. To review these collections--including all background 
materials--please visit https://www.reginfo.gov/public/do/PRAMain 
and use the search function to enter either the title of the collection 
or the OMB Control Number.

F. Executive Order 13132, ``Federalism''

    Executive Order 13132 establishes certain requirements that an 
agency must meet when it promulgates a final rule that imposes 
substantial direct requirement costs on state and local governments, 
preempts state law, or otherwise has federalism implications. This 
final rule will not have a substantial effect on State and local 
governments.

G. Executive Order 13175, ``Consultation and Coordination With Indian 
Tribal Governments''

    Executive Order 13175 establishes certain requirements that an 
agency must meet when it promulgates a final rule that imposes 
substantial direct compliance costs on one or more Indian Tribes, 
preempts Tribal law, or affects the distribution of power and 
responsibilities between the Federal Government and Indian Tribes. This 
final rule will not have a substantial effect on Indian Tribal 
governments.

List of Subjects in 32 CFR Part 170

    Certification, CMMC, CMMC Levels, CMMC Program, Contracts, 
Controlled unclassified information, Cybersecurity, Federal contract 
information, Government procurement, Incorporation by reference.


Accordingly, the Department of Defense adds 32 CFR part 170 to read as 
follows:

PART 170--CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC) PROGRAM

Subpart A--General Information
Sec.
170.1 Purpose.
170.2 Incorporation by reference.
170.3 Applicability.
170.4 Acronyms and definitions.
170.5 Policy.
Subpart B--Government Roles and Responsibilities
170.6 CMMC PMO.
170.7 DCMA DIBCAC.
Subpart C--CMMC Assessment and Certification Ecosystem
170.8 Accreditation Body.
170.9 CMMC Third-Party Assessment Organizations (C3PAOs).
170.10 CMMC Assessor and Instructor Certification Organization 
(CAICO).
170.11 CMMC Certified Assessor (CCA).
170.12 CMMC Instructor.
170.13 CMMC Certified Professional (CCP).
Subpart D--Key Elements of the CMMC Program
170.14 CMMC Model.
170.15 CMMC Level 1 self-assessment and affirmation requirements.
170.16 CMMC Level 2 self-assessment and affirmation requirements.
170.17 CMMC Level 2 certification assessment and affirmation 
requirements.
170.18 CMMC Level 3 certification assessment and affirmation 
requirements.
170.19 CMMC scoping.
170.20 Standards acceptance.
170.21 Plan of Action and Milestones requirements.
170.22 Affirmation.
170.23 Application to subcontractors.
170.24 CMMC Scoring Methodology.
Appendix A to Part 170--Guidance

    Authority:  5 U.S.C. 301; Sec. 1648, Pub. L. 116-92, 133 Stat. 
1198.

Subpart A--General Information.


Sec.  170.1  Purpose.

    (a) This part describes the Cybersecurity Maturity Model 
Certification (CMMC) Program of the Department of Defense (DoD) and 
establishes requirements for defense contractors and subcontractors to 
implement prescribed cybersecurity standards for safeguarding Federal 
Contract Information (FCI) and Controlled Unclassified Information 
(CUI). This part (the CMMC Program) also establishes requirements for 
conducting an assessment of compliance with the applicable prescribed 
cybersecurity standard for contractor information systems that: 
process, store, or transmit FCI or CUI; provide security protections 
for systems which process, store, or transmit CUI; or

[[Page 83215]]

are not logically or physically isolated from systems which process, 
store, or transmit CUI.
    (b) The CMMC Program provides DoD with a viable means of conducting 
the volume of assessments necessary to verify contractor and 
subcontractor implementation of required cybersecurity requirements.
    (c) The CMMC Program is designed to ensure defense contractors are 
properly safeguarding FCI and CUI that is processed, stored, or 
transmitted on defense contractor information systems. FCI and CUI must 
be protected to meet evolving threats and safeguard nonpublic, 
unclassified information that supports and enables the warfighter. The 
CMMC Program provides a consistent methodology to assess a defense 
contractor's implementation of required cybersecurity requirements. The 
CMMC Program utilizes the security standards set forth in 48 CFR 
52.204-21, Basic Safeguarding of Covered Contractor Information 
Systems; National Institute of Standards and Technology (NIST) Special 
Publication (SP) 800-171, Protecting Controlled Unclassified 
Information in Nonfederal Systems and Organizations, Revision 2, 
February 2020 (includes updates as of January 28, 2021) (NIST SP 
800-171 R2); and selected 
requirements from the NIST SP 800-172, Enhanced Security Requirements 
for Protecting Controlled Unclassified Information: A Supplement to 
NIST Special Publication 800-171, February 2021 (NIST SP 800-172 
Feb2021), as applicable (see table 1 to Sec.  170.14(c)(4) for 
requirements, see Sec.  170.2 for availability of NIST publications).
    (d) The CMMC Program balances the need to safeguard FCI and CUI and 
the requirement to share information appropriately with defense 
contractors in order to develop capabilities for the DoD. The CMMC 
Program is designed to ensure implementation of cybersecurity practices 
for defense contractors and to provide DoD with increased assurance 
that FCI and CUI information will be adequately safeguarded when 
residing on or transiting contractor information systems.
    (e) The CMMC Program creates no right or benefit, substantive or 
procedural, enforceable by law or in equity by any party against the 
United States, its departments, agencies, or entities, its officers, 
employees, or agents, or any other person.


Sec.  170.2  Incorporation by reference.

    Certain material is incorporated by reference into this part with 
the approval of the Director of the Federal Register under 5 U.S.C. 
552(a) and 1 CFR part 51. Material approved for incorporation by 
reference (IBR) is available for inspection at the Department of 
Defense (DoD) and at the National Archives and Records Administration 
(NARA). Contact DoD online: https://DoDcio.defense.gov/CMMC/; email: 
[email protected]; or phone: (202) 770-9100. 
For information on the availability of this material at NARA, visit: 
www.archives.gov/federal-register/cfr/ibr-locations or email: 
fr.inspection@nara.gov. The material may be obtained from the following 
sources:
    (a) National Institute of Standards and Technology, U.S. Department 
of Commerce, 100 Bureau Drive, Gaithersburg, MD 20899; phone: (301) 
975-8443; website: https://csrc.nist.gov/publications/.
    (1) FIPS PUB 200, Minimum Security Requirements for Federal 
Information and Information Systems, March 2006 (FIPS PUB 200 Mar2006); 
IBR approved for Sec.  170.4(b).
    (2) FIPS PUB 201-3, Personal Identity Verification (PIV) of Federal 
Employees and Contractors, January 2022 (FIPS PUB 201-3 Jan2022); IBR 
approved for Sec.  170.4(b).
    (3) SP 800-37, Risk Management Framework for Information Systems 
and Organizations: A System Life Cycle Approach for Security and 
Privacy, Revision 2, December 2018 (NIST SP 800-37 R2); IBR approved 
for Sec.  170.4(b).
    (4) SP 800-39, Managing Information Security Risk: Organization, 
Mission, and Information System View, March 2011 (NIST SP 800-39 
Mar2011); IBR approved for Sec.  170.4(b).
    (5) SP 800-53, Security and Privacy Controls for Information 
Systems and Organizations, Revision 5, September 2020 (includes updates 
as of December 10, 2020) (NIST SP 800-53 R5); IBR approved for Sec.  
170.4(b).
    (6) SP 800-82r3, Guide to Operational Technology (OT) Security, 
September 2023 (NIST SP 800-82r3); IBR approved for Sec.  170.4(b).
    (7) SP 800-115, Technical Guide to Information Security Testing and 
Assessment, September 2008 (NIST SP 800-115 Sept2008); IBR approved for 
Sec.  170.4(b).
    (8) SP 800-160, Volume 2, Developing Cyber-Resilient Systems: A 
Systems Security Engineering Approach, Revision 1, December 2021 (NIST 
SP 800-160 V2R1); IBR approved for Sec.  170.4(b).
    (9) SP 800-171, Protecting Controlled Unclassified Information in 
Nonfederal Systems and Organizations, Revision 2, February 2020 
(includes updates as of January 28, 2021), (NIST SP 800-171 R2); IBR 
approved for Sec. Sec.  170.4(b) and 170.14(a) through (c).
    (10) SP 800-171A, Assessing Security Requirements for Controlled 
Unclassified Information, June 2018 (NIST SP 800-171A Jun2018); IBR 
approved for Sec. Sec.  170.11(a), 170.14(d), 170.15(c), 170.16(c), 
170.17(c), and 170.18(c).
    (11) SP 800-172, Enhanced Security Requirements for Protecting 
Controlled Unclassified Information: A Supplement to NIST Special 
Publication 800-171, February 2021 (NIST SP 800-172 Feb2021); IBR 
approved for Sec. Sec.  170.4(b), 170.5(a), and 170.14(a) and (c).
    (12) SP 800-172A, Assessing Enhanced Security Requirements for 
Controlled Unclassified Information, March 2022 (NIST SP 800-172A 
Mar2022); IBR approved for Sec. Sec.  170.4(b), 170.14(d), and 
170.18(c).
    (b) International Organization for Standardization (ISO) Chemin de 
Blandonnet 8, CP 401--1214 Vernier, Geneva, Switzerland; phone: +41 22 
749 01 11; website: www.iso.org/popular-standards.html.
    (1) ISO/IEC 17011:2017(E), Conformity assessment--Requirements for 
accreditation bodies accrediting conformity assessment bodies, Second 
edition, November 2017 (ISO/IEC 17011:2017(E)); IBR approved for 
Sec. Sec.  170.8(b)(3), 170.9(b)(13), and 170.10(b)(4).
    (2) ISO/IEC 17020:2012(E), Conformity assessment--Requirement for 
the operation of various types of bodies performing inspection, Second 
edition, March 1, 2012 (ISO/IEC 17020:2012(E)); IBR approved for 
Sec. Sec.  170.8(a), (b)(1), (b)(3) and 170.9(b)(2) and (b)(13).
    (3) ISO/IEC 17024:2012(E), Conformity assessment--General 
requirements for bodies operating certification of persons, second 
edition, July 1, 2012 (ISO/IEC 17024:2012(E)); IBR approved for 
Sec. Sec.  170.8(b)(2) and 170.10(a) and (b)(4), (7), and (8).

    Note 1 to paragraph (b):  The ISO/IEC standards incorporated by 
reference in this part may be viewed at no cost in ``read only'' 
format at https://ibr.ansi.org.

Sec.  170.3  Applicability.

    (a) The requirements of this part apply to:
    (1) All DoD contract and subcontract awardees that will process, 
store, or transmit information, in performance of the DoD contract, 
that meets the standards for FCI or CUI on contractor information 
systems; and,
    (2) Private-sector businesses or other entities comprising the CMMC 
Assessment and Certification Ecosystem, as specified in subpart C of 
this part.
    (b) The requirements of this part do not apply to Federal 
information systems operated by contractors or subcontractors on behalf 
of the Government.
    (c) CMMC Program requirements apply to all DoD solicitations and 
contracts pursuant to which a defense contractor or subcontractor will 
process, store, or transmit FCI or CUI on unclassified contractor 
information systems, including those for the acquisition of commercial 
items (except those exclusively for COTS items) valued at greater than 
the micro-purchase threshold except under the following circumstances:
    (1) The procurement occurs during Implementation Phase 1, 2, or 3 
as described in paragraph (e) of this section, in which case CMMC 
Program requirements apply in accordance with the requirements for the 
relevant phase-in period; or
    (2) Application of CMMC Program requirements to a procurement or 
class of procurements may be waived in advance of the solicitation at 
the discretion of DoD in accordance with all applicable policies, 
procedures, and approval requirements.
    (d) DoD Program Managers or requiring activities are responsible 
for selecting the CMMC Status that will apply for a particular 
procurement or contract based upon the type of information, FCI or CUI, 
that will be processed on, stored on, or transmitted through a 
contractor information system. Application of the CMMC Status for 
subcontractors will be determined in accordance with Sec.  170.23.
    (e) DoD is utilizing a phased approach for the inclusion of CMMC 
Program requirements in solicitations and contracts. Implementation of 
CMMC Program requirements will occur over four (4) phases:
    (1) Phase 1. Begins on the effective date of the complementary 48 
CFR part 204 CMMC Acquisition final rule. DoD intends to include the 
requirement for CMMC Statuses of Level 1 (Self) or Level 2 (Self) for 
all applicable DoD solicitations and contracts as a condition of 
contract award. DoD may, at its discretion, include the requirement for 
CMMC Status of Level 1 (Self) or Level 2 (Self) for applicable DoD 
solicitations and contracts as a condition to exercise an option period 
on a contract awarded prior to the effective date. DoD may also, at its 
discretion, include the requirement for CMMC Status of Level 2 (C3PAO) 
in place of the Level 2 (Self) CMMC Status for applicable DoD 
solicitations and contracts.
    (2) Phase 2. Begins one calendar year following the start date of 
Phase 1. In addition to Phase 1 requirements, DoD intends to include 
the requirement for CMMC Status of Level 2 (C3PAO) for applicable DoD 
solicitations and contracts as a condition of contract award. DoD may, 
at its discretion, delay the inclusion of the requirement for CMMC Status 
of Level 2 (C3PAO) to an option period instead of as a condition of 
contract award. DoD may also, at its discretion, include the 
requirement for CMMC Status of Level 3 (DIBCAC) for applicable DoD 
solicitations and contracts.
    (3) Phase 3. Begins one calendar year following the start date of 
Phase 2. In addition to Phase 1 and 2 requirements, DoD intends to 
include the requirement for CMMC Status of Level 2 (C3PAO) for all 
applicable DoD solicitations and contracts as a condition of contract 
award and as a condition to exercise an option period on a contract 
awarded after the effective date. DoD intends to include the 
requirement for CMMC Status of Level 3 (DIBCAC) for all applicable DoD 
solicitations and contracts as a condition of contract award. DoD may, 
at its discretion, delay the inclusion of the requirement for CMMC Status 
of Level 3 (DIBCAC) to an option period instead of as a condition of 
contract award.
    (4) Phase 4, full implementation. Begins one calendar year 
following the start date of Phase 3. DoD will include CMMC Program 
requirements in all applicable DoD solicitations and contracts 
including option periods on contracts awarded prior to the beginning of 
Phase 4.


Sec.  170.4  Acronyms and definitions.

    (a) Acronyms. Unless otherwise noted, the following acronyms and 
their terms are for the purposes of this part.

AC--Access Control
APT--Advanced Persistent Threat
AT--Awareness and Training
C3PAO--CMMC Third-Party Assessment Organization
CA--Security Assessment
CAICO--CMMC Assessors and Instructors Certification Organization
CAGE--Commercial and Government Entity
CCA--CMMC-Certified Assessor
CCI--CMMC-Certified Instructor
CCP--CMMC-Certified Professional
CFR--Code of Federal Regulations
CIO--Chief Information Officer
CM--Configuration Management
CMMC--Cybersecurity Maturity Model Certification
CMMC PMO--CMMC Program Management Office
CNC--Computerized Numerical Control
CoPC--Code of Professional Conduct
CSP--Cloud Service Provider
CUI--Controlled Unclassified Information
DCMA--Defense Contract Management Agency
DD--Represents any two-character CMMC Domain acronym
DFARS--Defense Federal Acquisition Regulation Supplement
DIB--Defense Industrial Base
DIBCAC--DCMA's Defense Industrial Base Cybersecurity Assessment Center
DoD--Department of Defense
DoDI--Department of Defense Instruction
eMASS--Enterprise Mission Assurance Support Service
ESP--External Service Provider
FAR--Federal Acquisition Regulation
FCI--Federal Contract Information
FedRAMP--Federal Risk and Authorization Management Program
GFE--Government Furnished Equipment
IA--Identification and Authentication
ICS--Industrial Control System
IIoT--Industrial Internet of Things
IoT--Internet of Things
IR--Incident Response
IS--Information System
IEC--International Electrotechnical Commission
ISO/IEC--International Organization for Standardization/International 
Electrotechnical Commission
IT--Information Technology
L#--CMMC Level Number
MA--Maintenance
MP--Media Protection
MSSP--Managed Security Service Provider
NARA--National Archives and Records Administration
NAICS--North American Industry Classification System
NIST--National Institute of Standards and Technology
N/A--Not Applicable
ODP--Organization-Defined Parameter
OSA--Organization Seeking Assessment
OSC--Organization Seeking Certification
OT--Operational Technology
PI--Provisional Instructor
PIEE--Procurement Integrated Enterprise Environment
PII--Personally Identifiable Information
PLC--Programmable Logic Controller
POA&M--Plan of Action and Milestones
PRA--Paperwork Reduction Act
RM--Risk Management
SAM--System of Award Management
SC--System and Communications Protection
SCADA--Supervisory Control and Data Acquisition
SI--System and Information Integrity
SIEM--Security Information and Event Management
SP--Special Publication
SPD--Security Protection Data
SPRS--Supplier Performance Risk System
SSP--System Security Plan

    (b) Definitions. Unless otherwise noted, these terms and their 
definitions are for the purposes of this part.
    Access Control (AC) means the process of granting or denying 
specific requests to obtain and use information and related information 
processing services; and/or entry to specific physical facilities 
(e.g., Federal buildings, military establishments, or border crossing 
entrances), as defined in FIPS PUB 201-3 Jan2002 (incorporated by 
reference, see Sec.  170.2).
    Accreditation means a status pursuant to which a CMMC Assessment 
and Certification Ecosystem member (person or organization), having met 
all criteria for the specific role they perform including required ISO/
IEC accreditations, may act in that role as set forth in Sec.  170.8 
for the Accreditation Body and Sec.  170.9 for C3PAOs. (CMMC-custom 
term)
    Accreditation Body is defined in Sec.  170.8 and means the one 
organization DoD contracts with to be responsible for authorizing and 
accrediting members of the CMMC Assessment and Certification Ecosystem, 
as required. The Accreditation Body must be approved by DoD. At any 
given point in time, there will be only one Accreditation Body for the 
DoD CMMC Program. (CMMC-custom term)
    Advanced Persistent Threat (APT) means an adversary that possesses 
sophisticated levels of expertise and significant resources that allow 
it to create opportunities to achieve its objectives by using multiple 
attack vectors (e.g., cyber, physical, and deception). These objectives 
typically include establishing and extending footholds within the 
information technology infrastructure of the targeted organizations for 
purposes of exfiltrating information, undermining or impeding critical 
aspects of a mission, program, or organization; or positioning itself 
to carry out these objectives in the future. The advanced persistent 
threat pursues its objectives repeatedly over an extended period of 
time, adapts to defenders' efforts to resist it, and is determined to 
maintain the level of interaction needed to execute its objectives, as 
is defined in NIST SP 800-39 Mar2011 (incorporated by reference, see 
Sec.  170.2).
    Affirming Official means the senior level representative from 
within each Organization Seeking Assessment (OSA) who is responsible 
for ensuring the OSA's compliance with the CMMC Program requirements 
and has the authority to affirm the OSA's continuing compliance with 
the specified security requirements for their respective organizations. 
(CMMC-custom term)
    Assessment means the testing or evaluation of security controls to 
determine the extent to which the controls are implemented correctly, 
operating as intended, and producing the desired outcome with respect 
to meeting the security requirements for an information system or 
organization, as defined in Sec. Sec.  170.15 through 170.18. (CMMC-
custom term)
    (i) Level 1 self-assessment is the term for the activity performed 
by an OSA to evaluate its own information system when seeking a CMMC 
Status of Level 1 (Self).
    (ii) Level 2 self-assessment is the term for the activity performed 
by an OSA to evaluate its own information system when seeking a CMMC 
Status of Level 2 (Self).
    (iii) Level 2 certification assessment is the term for the activity 
performed by a C3PAO to evaluate the information system of an OSC when 
seeking a CMMC Status of Level 2 (C3PAO).
    (iv) Level 3 certification assessment is the term for the activity 
performed by the DCMA DIBCAC to evaluate the information system of an 
OSC when seeking a CMMC Status of Level 3 (DIBCAC).
    (v) POA&M closeout self-assessment is the term for the activity 
performed by an OSA to evaluate only the NOT MET requirements that were 
identified with POA&M during the initial assessment, when seeking a 
CMMC Status of Final Level 2 (Self).
    (vi) POA&M closeout certification assessment is the term for the 
activity performed by a C3PAO or DCMA DIBCAC to evaluate only the NOT 
MET requirements that were identified with POA&M during the initial 
assessment, when seeking a CMMC Status of Final Level 2 (C3PAO) or 
Final Level 3 (DIBCAC) respectively.
    Assessment Findings Report means the final written assessment 
results by the third-party or government assessment team. The 
Assessment Findings Report is submitted to the OSC and to the DoD via 
CMMC eMASS. (CMMC-custom term)
    Assessment objective means a set of determination statements that, 
taken together, expresses the desired outcome for the assessment of a 
security requirement. Successful implementation of the corresponding 
CMMC security requirement requires meeting all applicable assessment 
objectives defined in NIST SP 800-171A Jun2018 (incorporated by 
reference, see Sec.  170.2) or NIST SP 800-172A Mar2022 (incorporated 
by reference, see Sec.  170.2). (CMMC-custom term)
    Assessment Team means participants in the Level 2 certification 
assessment (CMMC Certified Assessors and CMMC Certified Professionals) 
or the Level 3 certification assessment (DCMA DIBCAC assessors). This 
does not include the OSC participants preparing for or participating in 
the assessment. (CMMC-custom term)
    Asset means an item of value to stakeholders. An asset may be 
tangible (e.g., a physical item such as hardware, firmware, computing 
platform, network device, or other technology component) or intangible 
(e.g., humans, data, information, software, capability, function, 
service, trademark, copyright, patent, intellectual property, image, or 
reputation). The value of an asset is determined by stakeholders in 
consideration of loss concerns across the entire system life cycle. 
Such concerns include but are not limited to business or mission 
concerns, as defined in NIST SP 800-160 V2R1 (incorporated by 
reference, see Sec.  170.2).
    Asset Categories means a grouping of assets that process, store or 
transmit information of similar designation, or provide security 
protection to those assets. (CMMC-custom term)
    Authentication is defined in FIPS PUB 200 Mar2006 (incorporated by 
reference, see Sec.  170.2).
    Authorized means an interim status during which a CMMC Ecosystem 
member (person or organization), having met all criteria for the 
specific role they perform other than the required ISO/IEC 
accreditations, may act in that role for a specified time as set forth 
in Sec.  170.8 for the Accreditation Body and Sec.  170.9 for C3PAOs. 
(CMMC-custom term)
    Capability means a combination of mutually reinforcing controls 
implemented by technical means, physical means, and procedural means. 
Such controls are typically selected to achieve a common information 
security or privacy purpose, as defined in NIST SP 800-37 R2 
(incorporated by reference, see Sec.  170.2).
    Cloud Service Provider (CSP) means an external company that 
provides cloud services based on cloud computing. Cloud computing is a 
model for enabling ubiquitous, convenient, on-demand network access to 
a shared pool of configurable computing resources (e.g., networks, 
servers, storage, applications, and services) that can be rapidly 
provisioned and released with minimal management effort or service 
provider interaction. This definition is based on the definition for 
cloud computing in NIST SP 800-145 Sept2011. (CMMC-custom term)
    CMMC Assessment and Certification Ecosystem means the people and 
organizations described in subpart C of this part. This term is 
sometimes shortened to CMMC Ecosystem. (CMMC-custom term)
    CMMC Assessment Scope means the set of all assets in the OSA's 
environment that will be assessed against CMMC security requirements. 
(CMMC-custom term)
    CMMC Assessor and Instructor Certification Organization (CAICO) is 
defined in Sec.  170.10 and means the organization responsible for 
training, testing, authorizing, certifying, and recertifying CMMC 
certified assessors, certified instructors, and certified 
professionals. (CMMC-custom term)
    CMMC Instantiation of eMASS means a CMMC instance of the Enterprise 
Mission Assurance Support Service (eMASS), a government owned and 
operated system. (CMMC-custom term)
    CMMC Security Requirements means the 15 Level 1 requirements listed 
in 48 CFR 52.204-21(b)(1), the 110 Level 2 requirements from NIST 
SP 800-171 R2 (incorporated by reference, see Sec.  170.2), and the 24 
Level 3 requirements selected from NIST SP 800-172 Feb2021 
(incorporated by reference, see Sec.  170.2).
    CMMC Status is the result of meeting or exceeding the minimum 
required score for the corresponding assessment. The CMMC Status of an 
OSA information system is officially stored in SPRS and additionally 
presented on a Certificate of CMMC Status, if the assessment was 
conducted by a C3PAO or DCMA DIBCAC. The potential CMMC Statuses are 
outlined in the paragraphs that follow. (CMMC-custom term)
    (i) Final Level 1 (Self) is defined in Sec.  170.15(a)(1) and 
(c)(1). (CMMC-custom term)
    (ii) Conditional Level 2 (Self) is defined in Sec.  
170.16(a)(1)(ii). (CMMC-custom term)
    (iii) Final Level 2 (Self) is defined in Sec.  170.16(a)(1)(iii). 
(CMMC-custom term)
    (iv) Conditional Level 2 (C3PAO) is defined in Sec.  
170.17(a)(1)(ii). (CMMC-custom term)
    (v) Final Level 2 (C3PAO) is defined in Sec.  170.17(a)(1)(iii). 
(CMMC-custom term)
    (vi) Conditional Level 3 (DIBCAC) is defined in Sec.  
170.18(a)(1)(ii). (CMMC-custom term)
    (vii) Final Level 3 (DIBCAC) is defined in Sec.  170.18(a)(1)(iii). 
(CMMC-custom term)
    CMMC Status Date means the date that the CMMC Status results are 
submitted to SPRS or the CMMC instantiation of eMASS, as appropriate. 
The date of the Conditional CMMC Status will remain as the CMMC Status 
Date after a successful POA&M closeout. A new date is not set for a 
Final that follows a Conditional. (CMMC-custom term)
    CMMC Third-Party Assessment Organization (C3PAO) means an 
organization that has been authorized or accredited by the 
Accreditation Body to conduct Level 2 certification assessments and has 
the roles and responsibilities identified in Sec.  170.9. (CMMC-custom 
term)
    Contractor is defined in 48 CFR 3.502-1.
    Contractor Risk Managed Assets are defined in table 3 to Sec.  
170.19(c)(1). (CMMC-custom term)
    Controlled Unclassified Information (CUI) is defined in 32 CFR 
2002.4(h).
    Controlled Unclassified Information (CUI) Assets means assets that 
can process, store, or transmit CUI. (CMMC-custom term)
    DCMA DIBCAC High Assessment means an assessment that is conducted 
by Government personnel in accordance with NIST SP 800-171A Jun2018 and 
leveraging specific guidance in the DoD Assessment Methodology that:
    (i) Consists of:
    (A) A review of a contractor's Basic Assessment;
    (B) A thorough document review;
    (C) Verification, examination, and demonstration of a contractor's 
system security plan to validate that NIST SP 800-171 R2 security 
requirements have been implemented as described in the contractor's 
system security plan; and
    (D) Discussions with the contractor to obtain additional 
information or clarification, as needed; and
    (ii) Results in a confidence level of ``High'' in the resulting 
score. (Source: 48 CFR 252.204-7020).
    Defense Industrial Base (DIB) is defined in 32 CFR 236.2.
    DoD Assessment Methodology (DoDAM) documents a standard methodology 
that enables a strategic assessment of a contractor's implementation of 
NIST SP 800-171 R2, a requirement for compliance with 48 CFR 252.204-
7012. (Source: DoDAM Version 1.2.1)
    Enduring Exception means a special circumstance or system where 
remediation and full compliance with CMMC security requirements is not 
feasible. Examples include systems required to replicate the 
configuration of `fielded' systems, medical devices, test equipment, 
OT, and IoT. No operational plan of action is required but the 
circumstance must be documented within a system security plan. 
Specialized Assets and GFE may be enduring exceptions. (CMMC-custom 
term)
    Enterprise means an organization with a defined mission/goal and a 
defined boundary, using information systems to execute that mission, 
and with responsibility for managing its own risks and performance. An 
enterprise may consist of all or some of the following business 
aspects: acquisition, program management, financial management (e.g., 
budgets), human resources, security, and information systems, 
information and mission management, as defined in NIST SP 800-53 R5 
(incorporated by reference, see Sec.  170.2).
    External Service Provider (ESP) means external people, technology, 
or facilities that an organization utilizes for provision and 
management of IT and/or cybersecurity services on behalf of the 
organization. In the CMMC Program, CUI or Security Protection Data 
(e.g., log data, configuration data), must be processed, stored, or 
transmitted on the ESP assets to be considered an ESP. (CMMC-custom 
term)
    Federal Contract Information (FCI) is defined in 48 CFR 4.1901.
    Government Furnished Equipment (GFE) has the same meaning as 
``government-furnished property'' as defined in 48 CFR 45.101.
    Industrial Control Systems (ICS) means a general term that 
encompasses several types of control systems, including supervisory 
control and data acquisition (SCADA) systems, distributed control 
systems (DCS), and other control system configurations that are often 
found in the industrial sectors and critical infrastructures, such as 
Programmable Logic Controllers (PLC). An ICS consists of combinations 
of control components (e.g., electrical, mechanical, hydraulic, 
pneumatic) that act together to achieve an industrial objective (e.g., 
manufacturing, transportation of matter or energy), as defined in NIST 
SP 800-82r3 (incorporated by reference, see Sec.  170.2).
    Information System (IS) is defined in NIST SP 800-171 R2 
(incorporated by reference, see Sec.  170.2).
    Internet of Things (IoT) means the network of devices that contain 
the hardware, software, firmware, and actuators which allow the devices 
to connect, interact, and freely exchange data and information, as 
defined in NIST SP 800-172A Mar2022 (incorporated by reference, see 
Sec.  170.2).
    Operational plan of action as used in security requirement CA.L2-
3.12.2, means the formal artifact which identifies temporary 
vulnerabilities and temporary deficiencies (e.g., necessary information 
system updates, patches, or reconfiguration as threats evolve) in 
implementation of requirements 
and documents how they will be mitigated, corrected, or eliminated. The 
OSA defines the format (e.g., document, spreadsheet, database) and 
specific content of its operational plan of action. An operational plan 
of action does not identify a timeline for remediation and is not the 
same as a POA&M, which is associated with an assessment for remediation 
of deficiencies that must be completed within 180 days. (CMMC-custom 
term)
    Operational Technology (OT) means programmable systems or devices 
that interact with the physical environment (or manage devices that 
interact with the physical environment). These systems or devices 
detect or cause a direct change through the monitoring or control of 
devices, processes, and events. Examples include industrial control 
systems, building management systems, fire control systems, and 
physical access control mechanisms, as defined in NIST SP 800-160 V2R1 
(incorporated by reference, see Sec.  170.2).
    Organization-defined means as determined by the OSA except as 
defined in the case of Organization-Defined Parameter (ODP). (CMMC-
custom term)
    Organization-Defined Parameters (ODPs) means the selection and 
assignment operations contained in selected enhanced security 
requirements that give organizations flexibility in defining variable 
parts of those requirements, as defined in NIST SP 800-172A Mar2022 
(incorporated by reference, see Sec.  170.2).
    Note 1 to ODPs: The organization defining the parameters is the 
DoD.
    Organization Seeking Assessment (OSA) means the entity seeking to 
undergo a self-assessment or certification assessment for a given 
information system for the purposes of achieving and maintaining any 
CMMC Status. The term OSA includes all Organizations Seeking 
Certification (OSCs). (CMMC-custom term)
    Organization Seeking Certification (OSC) means the entity seeking 
to undergo a certification assessment for a given information system 
for the purposes of achieving and maintaining the CMMC Status of Level 
2 (C3PAO) or Level 3 (DIBCAC). An OSC is also an OSA. (CMMC-custom 
term)
    Out-of-Scope Assets means assets that cannot process, store, or 
transmit CUI because they are physically or logically separated from 
information systems that do process, store, or transmit CUI, or are 
inherently unable to do so; except for assets that provide security 
protection for a CUI asset (see the definition for Security Protection 
Assets). (CMMC-custom term)
    Periodically means occurring at a regular interval as determined by 
the OSA that may not exceed one year. (CMMC-custom term)
    Personally Identifiable Information means information that can be 
used to distinguish or trace an individual's identity, either alone or 
when combined with other information that is linked or linkable to a 
specific individual, as defined in NIST SP 800-53 R5 (incorporated by 
reference, see Sec.  170.2).
    Plan of Action and Milestones (POA&M) means a document that 
identifies tasks needing to be accomplished. It details resources 
required to accomplish the elements of the plan, any milestones in 
meeting the tasks, and scheduled completion dates for the milestones, 
as defined in NIST SP 800-115 Sept2008 (incorporated by reference, see 
Sec.  170.2).
    Prime Contractor is defined in 48 CFR 3.502-1.
    Process, store, or transmit means data can be used by an asset 
(e.g., accessed, entered, edited, generated, manipulated, or printed); 
data is inactive or at rest on an asset (e.g., located on electronic 
media, in system component memory, or in physical format such as paper 
documents); or data is being transferred from one asset to another 
asset (e.g., data in transit using physical or digital transport 
methods). (CMMC-custom term)
    Restricted Information Systems means systems (and associated IT 
components comprising the system) that are configured based on 
government requirements (e.g., connected to something that was required 
to support a functional requirement) and are used to support a contract 
(e.g., fielded systems, obsolete systems, and product deliverable 
replicas). (CMMC-custom term)
    Risk means a measure of the extent to which an entity is threatened 
by a potential circumstance or event, and is typically a function of:
    (i) The adverse impacts that would arise if the circumstance or 
event occurs; and
    (ii) The likelihood of occurrence, as defined in NIST SP 800-53 R5 
(incorporated by reference, see Sec.  170.2).
    Risk Assessment means the process of identifying risks to 
organizational operations (including mission, functions, image, 
reputation), organizational assets, individuals, other organizations, 
and the Nation, resulting from the operation of a system. Risk 
Assessment is part of risk management, incorporates threat and 
vulnerability analyses, and considers mitigations provided by security 
controls planned or in place. Synonymous with risk analysis, as defined 
in NIST SP 800-39 Mar2011 (incorporated by reference, see Sec.  170.2).
    Security Protection Assets (SPA) means assets providing security 
functions or capabilities for the OSA's CMMC Assessment Scope. (CMMC-
custom term)
    Security Protection Data (SPD) means data stored or processed by 
Security Protection Assets (SPA) that are used to protect an OSC's 
assessed environment. SPD is security relevant information and includes 
but is not limited to: configuration data required to operate an SPA, 
log files generated by or ingested by an SPA, data related to the 
configuration or vulnerability status of in-scope assets, and passwords 
that grant access to the in-scope environment. (CMMC-custom term)
    Specialized Assets means types of assets considered specialized 
assets for CMMC: Government Furnished Equipment, Internet of Things 
(IoT) or Industrial Internet of Things (IIoT), Operational Technology 
(OT), Restricted Information Systems, and Test Equipment. (CMMC-custom 
term)
    Subcontractor is defined in 48 CFR 3.502-1.
    Supervisory Control and Data Acquisition (SCADA) means a generic 
name for a computerized system that is capable of gathering and 
processing data and applying operational controls over long distances. 
Typical uses include power transmission and distribution and pipeline 
systems. SCADA was designed for the unique communication challenges 
(e.g., delays, data integrity) posed by the various media that must be 
used, such as phone lines, microwave, and satellite. These media are 
usually shared rather than dedicated, as defined in NIST SP 800-82r3 
(incorporated by reference, see Sec.  170.2).
    System Security Plan (SSP) means the formal document that provides 
an overview of the security requirements for an information system or 
an information security program and describes the security controls in 
place or planned for meeting those requirements. The system security 
plan describes the system components that are included within the 
system, the environment in which the system operates, how the security 
requirements are implemented, and the relationships with or connections 
to other systems, as defined in NIST SP 800-53 R5 (incorporated by 
reference, see Sec.  170.2).
    Temporary deficiency means a condition where remediation of a 
discovered deficiency is feasible, and a known fix is available or is 
in process. The deficiency must be documented in an operational plan of 
action. A temporary deficiency is not based on an `in progress' initial 
implementation of a CMMC security requirement but arises after 
implementation. A temporary deficiency may apply during the initial 
implementation of a security requirement if, during roll-out, specific 
issues with a very limited subset of equipment are discovered that must 
be separately addressed. There is no standard duration for which a 
temporary deficiency may be active. For example, FIPS-validated 
cryptography that requires a patch, where the patched version is no 
longer the validated version, may be a temporary deficiency. (CMMC-
custom term)
    Test Equipment means hardware and/or associated IT components used 
in the testing of products, system components, and contract 
deliverables. (CMMC-custom term)
    User means an individual, or (system) process acting on behalf of 
an individual, authorized to access a system, as defined in NIST SP 
800-53 R5 (incorporated by reference, see Sec.  170.2).


Sec.  170.5  Policy.

    (a) Protection of FCI and CUI on contractor information systems is 
of paramount importance to the DoD and can directly impact its ability 
to successfully conduct essential missions and functions. It is DoD 
policy that defense contractors and subcontractors shall be required to 
safeguard FCI and CUI that is processed, stored, or transmitted on 
contractor information systems by applying specified security 
requirements. In addition, defense contractors and subcontractors may 
be required to implement additional safeguards defined in NIST SP 800-
172 Feb2021 (incorporated by reference, see Sec.  170.2), implementing 
DoD specified parameters to meet CMMC Level 3 security requirements 
(see table 1 to Sec.  170.14(c)(4)). These additional requirements are 
necessary to protect CUI being processed, stored, or transmitted in 
contractor information systems, when designated by a requirement for 
CMMC Status of Level 3 (DIBCAC) as defined by a DoD program manager or 
requiring activity. In general, the Department will identify a 
requirement for a CMMC Status of Level 3 (DIBCAC) for solicitations and 
resulting contracts supporting its most critical programs and 
technologies.
    (b) Program managers and requiring activities are responsible for 
identifying the CMMC Status that will apply to a procurement. Selection 
of the applicable CMMC Status will be based on factors including but 
not limited to:
    (1) Criticality of the associated mission capability;
    (2) Type of acquisition program or technology;
    (3) Threat of loss of the FCI or CUI to be shared or generated in 
relation to the effort;
    (4) Impacts from exploitation of information security deficiencies; 
and
    (5) Other relevant policies and factors, including Milestone 
Decision Authority guidance.
    (c) In accordance with the implementation plan described in Sec.  
170.3, CMMC Program requirements will apply to new DoD solicitations 
and contracts, and shall flow down to subcontractors who will process, 
store, or transmit FCI or CUI in performance of the subcontract, as 
described in Sec.  170.23.
    (d) In very limited circumstances, and in accordance with all 
applicable policies, procedures, and requirements, a Service 
Acquisition Executive or Component Acquisition Executive in the DoD, or 
as delegated, may elect to waive inclusion of CMMC Program requirements 
in a solicitation or contract. In such cases, contractors and 
subcontractors will remain obligated to comply with all applicable 
cybersecurity and information security requirements.
    (e) The CMMC Program does not alter any separately applicable 
requirements to protect FCI or CUI, including those requirements in 
accordance with 48 CFR 52.204-21, Basic Safeguarding of Covered 
Contractor Information Systems, or covered defense information in 
accordance with 48 CFR 252.204-7012, Safeguarding Covered Defense 
Information and Cyber Incident Reporting, or any other applicable 
information protection requirements. The CMMC Program provides a means 
of verifying implementation of the security requirements set forth in 
48 CFR 52.204-21, NIST SP 800-171 R2, and NIST SP 800-172 Feb2021, as 
applicable.

Subpart B--Government Roles and Responsibilities.


Sec.  170.6  CMMC PMO.

    (a) The Office of the Department of Defense Chief Information 
Officer (DoD CIO) Office of the Deputy CIO for Cybersecurity (DoD 
CIO(CS)) provides oversight of the CMMC Program and is responsible for 
establishing CMMC assessment, accreditation, and training requirements 
as well as developing and updating CMMC Program policies and 
implementing guidance.
    (b) The CMMC PMO is responsible for monitoring the CMMC AB's 
performance of roles assigned in this rule and acting as necessary to 
address problems pertaining to effective performance.
    (c) The CMMC PMO retains, on behalf of the DoD CIO(CS), the 
prerogative to review decisions of the CMMC Accreditation Body as part 
of its oversight of the CMMC program and evaluate any alleged conflicts 
of interest purported to influence the CMMC Accreditation Body's 
objectivity.
    (d) The CMMC PMO is responsible for sponsoring necessary DCSA 
activities including FOCI risk assessment and Tier 3 security 
background investigations for the CMMC Ecosystem members as specified 
in Sec. Sec.  170.8(b)(4) and (5), 170.9(b)(3) through (5), 
170.11(b)(3) and (4), and 170.13(b)(3) and (4).
    (e) The CMMC PMO is responsible for investigating and acting upon 
indications that an active CMMC Status has been called into question. 
Indications that may trigger investigative evaluations include, but are 
not limited to, reports from the CMMC Accreditation Body, a C3PAO, or 
anyone knowledgeable of the security processes and activities of the 
OSA. Investigative evaluations include, but are not limited to, 
reviewing pertinent assessment information, and exercising the right to 
conduct a DCMA DIBCAC assessment of the OSA, as provided for under the 
48 CFR 252.204-7020.
    (f) If a subsequent DCMA DIBCAC assessment shows that adherence to 
the provisions of this rule and the required CMMC Status have not been 
achieved or maintained, the DIBCAC results will take precedence over 
any pre-existing CMMC Status recorded in SPRS, or its successor 
capability. The DoD will update SPRS to reflect that the OSA is out of 
compliance and does not meet DoD CMMC requirements. If the OSA is 
working on an active contract requiring CMMC compliance, then standard 
contractual remedies will apply.


Sec.  170.7  DCMA DIBCAC.

    (a) DCMA DIBCAC assessors in support of the CMMC Program will:
    (1) Complete CMMC Level 2 and Level 3 training.
    (2) Conduct Level 3 certification assessments and upload assessment 
results into the CMMC instantiation of eMASS, or its successor 
capability.
    (3) Issue Certificates of CMMC Status resulting from Level 3 
certification assessments.
    (4) Conduct Level 2 certification assessments of the Accreditation 
Body and prospective C3PAOs' information
systems that process, store, and/or transmit CUI.
    (5) Create and maintain a process for assessors to collect the list 
of assessment artifacts to include artifact names, their return value 
of the hashing algorithm, the hashing algorithm used, and upload that 
data into the CMMC instantiation of eMASS.
    (6) As authorized and in accordance with all legal requirements, 
enter and track OSC appeals and updated results arising from Level 3 
certification assessment activities in the CMMC instantiation of 
eMASS.
    (7) Retain all records in accordance with DCMA-MAN 4501-04.
    (8) Conduct an assessment of the OSA, when requested by the CMMC 
PMO per Sec. Sec.  170.6(e) and (f), as provided for under the 48 CFR 
252.204-7019 and 48 CFR 252.204-7020.
    (9) Identify assessments that meet the criteria in Sec.  170.20 and 
verify that SPRS accurately reflects the CMMC Status.
    (b) An OSC, the CMMC AB, or a C3PAO may appeal the outcome of its 
DCMA DIBCAC conducted assessment within 21 days by submitting a written 
basis for appeal with the requirements in question for DCMA DIBCAC 
consideration. Appeals may be submitted for review by visiting 
www.dcma.mil/DIBCAC for contact information, and a DCMA DIBCAC Quality 
Assurance Review Team will provide a written response or request 
additional supporting documentation.

Subpart C--CMMC Assessment and Certification Ecosystem.


Sec.  170.8  Accreditation Body.

    (a) Roles and responsibilities. The Accreditation Body is 
responsible for authorizing and ensuring the accreditation of CMMC 
Third-Party Assessment Organizations (C3PAOs) in accordance with ISO/
IEC 17020:2012(E) (incorporated by reference, see Sec.  170.2) and all 
applicable authorization and accreditation requirements set forth. The 
Accreditation Body is responsible for establishing the C3PAO 
authorization requirements and the C3PAO Accreditation Scheme and 
submitting both for approval by the CMMC PMO. At any given point in 
time, there will be only one Accreditation Body for the DoD CMMC 
Program.
    (b) Requirements. The CMMC Accreditation Body shall:
    (1) Be US-based and be and remain a member in good standing of the 
Inter-American Accreditation Cooperation (IAAC) and become an 
International Laboratory Accreditation Cooperation (ILAC) Mutual 
Recognition Arrangement (MRA) signatory, with a signatory status scope 
of ISO/IEC 17020:2012(E) (incorporated by reference, see Sec.  170.2).
    (2) Be and remain a member in good standing of the International 
Accreditation Forum (IAF) with mutual recognition arrangement signatory 
status scope of ISO/IEC 17024:2012(E) (incorporated by reference, see 
Sec.  170.2).
    (3) Achieve and maintain full compliance with ISO/IEC 17011:2017(E) 
(incorporated by reference, see Sec.  170.2) and complete a peer 
assessment by other ILAC signatories for competence in accrediting 
conformity assessment bodies to ISO/IEC 17020:2012(E) (incorporated by 
reference, see Sec.  170.2), both within 24 months of DoD approval.
    (i) Prior to achieving full compliance as set forth in this 
paragraph (b)(3), the Accreditation Body shall:
    (A) Authorize C3PAOs who meet all requirements set forth in Sec.  
170.9 as well as administrative requirements as determined by the 
Accreditation Body to conduct Level 2 certification assessments and 
issue Certificates of CMMC Status to OSCs based on the assessment 
results.
    (B) Require all C3PAOs to achieve and maintain the ISO/IEC 
17020:2012(E) (incorporated by reference, see Sec.  170.2) requirements 
within 27 months of authorization.
    (ii) The Accreditation Body shall accredit C3PAOs, in accordance 
with ISO/IEC 17020:2012(E) (incorporated by reference, see Sec.  
170.2), who meet all requirements set forth in Sec.  170.9 to conduct 
Level 2 certification assessments and issue Certificates of CMMC Status 
to OSCs based on the results.
    (4) Ensure that the Accreditation Body's Board of Directors, 
professional staff, Information Technology (IT) staff, accreditation 
staff, and independent CMMC Certified Assessor staff complete a Tier 3 
background investigation resulting in a determination of national 
security eligibility. This Tier 3 background investigation will not 
result in a security clearance and is not being executed for the 
purpose of government employment. The Tier 3 background investigation 
is initiated using the Standard Form (SF) 86 (www.gsa.gov/reference/forms/questionnaire-for-national-security-positions) and submitted by 
DoD CIO Security to Washington Headquarters Services (WHS) for 
coordination for processing by the Defense Counterintelligence and 
Security Agency (DCSA). These positions are designated as non-critical 
sensitive with a risk designation of ``Moderate Risk'' in accordance 
with 5 CFR 1400.201(b) and (d) and the investigative requirements of 5 
CFR 731.106(c)(2).
    (5) Comply with Foreign Ownership, Control or Influence (FOCI) by:
    (i) Completing the Standard Form (SF) 328 (www.gsa.gov/reference/forms/certificate-pertaining-to-foreign-interests), Certificate 
Pertaining to Foreign Interests, and submit it directly to Defense 
Counterintelligence and Security Agency (DCSA) and undergo a National 
Security Review with regards to the protection of controlled 
unclassified information based on the factors identified in 32 CFR 
117.11(b) using the procedures outlined in 32 CFR 117.11(c). The 
Accreditation Body must receive a non-disqualifying eligibility 
determination by the CMMC PMO to be recognized by the Department of 
Defense.
    (ii) Reporting any change to the information provided on its SF 328 
by resubmitting the SF 328 to DCSA within 15 business days of the 
change being effective. A disqualifying eligibility determination, 
based on the results of the change, will result in the Accreditation 
Body losing its authorization or accreditation under the CMMC Program.
    (iii) Identifying all prospective C3PAOs to the CMMC PMO. The CMMC 
PMO will sponsor the prospective C3PAO for a FOCI risk assessment 
conducted by the DCSA using the SF 328 as part of the authorization and 
accreditation processes.
    (iv) Notifying prospective C3PAOs of the CMMC PMO's eligibility 
determination resulting from the FOCI risk assessment.
    (6) Obtain a Level 2 certification assessment in accordance with 
the procedures specified in Sec.  170.17(a)(1) and (c). This 
assessment, conducted by DCMA DIBCAC, shall meet all requirements for a 
Final Level 2 (C3PAO) but will not result in a CMMC Status of Level 2 
(C3PAO). The Level 2 certification assessment process must be performed 
every three years.
    (7) Provide all documentation and records in English.
    (8) Establish, maintain, and manage an up-to-date list of 
authorized and accredited C3PAOs on a single publicly accessible 
website and provide the list of these entities and their status to the 
DoD through submission in the CMMC instantiation of eMASS.
    (9) Provide the CMMC PMO with current data on C3PAOs, including 
authorization and accreditation records and status in the CMMC 
instantiation of eMASS. This data shall include the dates associated 
with the authorization and accreditation of each C3PAO.
    (10) Provide the DoD with information about aggregate statistics 
pertaining to operations of the CMMC Ecosystem to include the 
authorization and accreditation status of C3PAOs or other information 
as requested.
    (11) Provide inputs for assessor supplemental guidance to the CMMC 
PMO. Participate and support coordination of these and other inputs 
through DoD-led Working Groups.
    (12) Ensure that all information about individuals is encrypted and 
protected in all Accreditation Body information systems and databases.
    (13) Provide all plans that are related to potential sources of 
revenue, to include but not limited to: fees, licensing, processes, 
membership, and/or partnerships to the Department's CMMC PMO.
    (14) Ensure that the CMMC Assessors and Instructors Certification 
Organization (CAICO) is compliant with ISO/IEC 17024:2012(E).
    (15) Ensure all training products, instruction, and testing 
materials are of high quality and subject to CAICO quality control 
policies and procedures, to include technical accuracy and alignment 
with all applicable legal, regulatory, and policy requirements.
    (16) Develop and maintain an internal appeals process, as required 
by ISO/IEC 17020:2017(E), and render a final decision on all elevated 
appeals.
    (17) Develop and maintain a comprehensive plan and schedule to 
comply with all ISO/IEC 17011:2017(E), and DoD requirements for 
Conflict of Interest, Code of Professional Conduct, and Ethics policies 
as set forth in the DoD contract. All policies shall apply to the 
Accreditation Body, and other individuals, entities, and groups within 
the CMMC Ecosystem who provide Level 2 certification assessments, CMMC 
instruction, CMMC training materials, or Certificates of CMMC Status on 
behalf of the Accreditation Body. All policies in this section must be 
approved by the CMMC PMO prior to effectivity in accordance with the 
following requirements.
    (i) Conflict of Interest (CoI) policy. The CoI policy shall:
    (A) Include a detailed risk mitigation plan for all potential 
conflicts of interest that may pose a risk to compliance with ISO/IEC 
17011:2017(E).
    (B) Require employees, Board directors, and members of any 
accreditation committees or appeals adjudication committees to disclose 
to the CMMC PMO, in writing, as soon as it is known or reasonably 
should be known, any actual, potential, or perceived conflict of 
interest with sufficient detail to allow for assessment.
    (C) Require employees, Board directors, and members of any 
accreditation committees or appeals adjudication committees who leave 
the board or organization to enter a ``cooling off period'' of one (1) 
year whereby they are prohibited from working with the Accreditation 
Body or participating in any and all CMMC activities described in 
Subpart C.
    (D) Require CMMC Ecosystem members to actively avoid participating 
in any activity, practice, or transaction that could result in an 
actual or perceived conflict of interest.
    (E) Require CMMC Ecosystem members to disclose to Accreditation 
Body leadership, in writing, any actual or potential conflict of 
interest as soon as it is known, or reasonably should be known.
    (ii) Code of Professional Conduct (CoPC) policy. The CoPC policy 
shall:
    (A) Describe the performance standards by which the members of the 
CMMC Ecosystem will be held accountable and the procedures for 
addressing violations of those performance standards.
    (B) Require the Accreditation Body to investigate and resolve any 
potential violations that are reported or are identified by the DoD.
    (C) Require the Accreditation Body to inform the DoD in writing of 
new investigations within 72 hours.
    (D) Require the Accreditation Body to report to the DoD in writing 
the outcome of completed investigations within 15 business days.
    (E) Require CMMC Ecosystem members to represent themselves and 
their companies accurately; to include not misrepresenting any 
professional credentials or status, including CMMC authorization or 
CMMC Status, nor exaggerating the services that they or their company 
are capable or authorized to deliver.
    (F) Require CMMC Ecosystem members to be honest and factual in all 
CMMC-related activities with colleagues, clients, trainees, and others 
with whom they interact.
    (G) Prohibit CMMC Ecosystem members from participating in the Level 
2 certification assessment process for an assessment in which they 
previously served as a consultant to prepare the organization for any 
CMMC assessment within 3 years.
    (H) Require CMMC Ecosystem members to maintain the confidentiality 
of customer and government data to preclude unauthorized disclosure.
    (I) Require CMMC Ecosystem members to report results and data from 
Level 2 certification assessments and training objectively, completely, 
clearly, and accurately.
    (J) Prohibit CMMC Ecosystem members from cheating, assisting 
another in cheating, or allowing cheating on CMMC examinations.
    (K) Require CMMC Ecosystem members to utilize official training 
content developed by a CMMC training organization approved by the CAICO 
in all CMMC certification courses.
    (iii) Ethics policy. The Ethics policy shall:
    (A) Require CMMC Ecosystem members to report to the Accreditation 
Body within 30 days of convictions, guilty pleas, or no contest pleas 
to crimes of fraud, larceny, embezzlement, misappropriation of funds, 
misrepresentation, perjury, false swearing, conspiracy to conceal, or a 
similar offense in any legal proceeding, civil or criminal, whether or 
not in connection with activities that relate to carrying out their 
role in the CMMC Ecosystem.
    (B) Prohibit harassment or discrimination by CMMC Ecosystem members 
in all interactions with individuals whom they encounter in connection 
with their roles in the CMMC Ecosystem.
    (C) Require CMMC Ecosystem members to have and maintain a 
satisfactory record of integrity and business ethics.


Sec.  170.9  CMMC Third-Party Assessment Organizations (C3PAOs).

    (a) Roles and responsibilities. C3PAOs are organizations that are 
responsible for conducting Level 2 certification assessments and 
issuing Certificates of CMMC Status to OSCs based on the results. 
C3PAOs must be accredited or authorized by the Accreditation Body in 
accordance with the requirements set forth.
    (b) Requirements. C3PAOs shall:
    (1) Obtain authorization or accreditation from the Accreditation 
Body in accordance with Sec.  170.8(b)(3)(i) and (ii).
    (2) Comply with the Accreditation Body policies for Conflict of 
Interest, Code of Professional Conduct, and Ethics set forth in Sec.  
170.8(b)(17); and achieve and maintain compliance with ISO/IEC 
17020:2012(E) (incorporated by reference, see Sec.  170.2) within 27 
months of authorization.
    (3) Require all C3PAO company personnel participating in the Level 
2 certification assessment process to complete a Tier 3 background 
investigation resulting in a determination of national security 
eligibility. This includes the CMMC Assessment Team and the quality
assurance individual. This Tier 3 background investigation will not 
result in a security clearance and is not being executed for the 
purpose of government employment. The Tier 3 background investigation 
is initiated using the Standard Form (SF) 86 (www.gsa.gov/reference/forms/questionnaire-for-national-security-positions). These positions 
are designated as non-critical sensitive with a risk designation of 
``Moderate Risk'' in accordance with 5 CFR 1400.201(b) and (d) and the 
investigative requirements of 5 CFR 731.106(c)(2).
    (4) Require all C3PAO company personnel participating in the Level 
2 certification assessment process who are not eligible to obtain a 
Tier 3 background investigation to meet the equivalent of a favorably 
adjudicated Tier 3 background investigation. DoD will determine the 
Tier 3 background investigation equivalence for use with the CMMC 
Program only.
    (5) Comply with Foreign Ownership, Control or Influence (FOCI) by:
    (i) Completing and submitting Standard Form (SF) 328 (www.gsa.gov/reference/forms/certificate-pertaining-to-foreign-interests), 
Certificate Pertaining to Foreign Interests, upon request from DCSA and 
undergo a National Security Review with regards to the protection of 
controlled unclassified information based on the factors identified in 
32 CFR 117.11(b) using the procedures outlined in 32 CFR 117.11(c).
    (ii) Receiving a non-disqualifying eligibility determination from 
the CMMC PMO resulting from the FOCI risk assessment in order to 
proceed to a DCMA DIBCAC CMMC Level 2 assessment, as part of the 
authorization and accreditation process set forth in paragraph (b)(6) 
of this section.
    (iii) Reporting any change to the information provided on its SF 
328 by resubmitting the SF 328 to DCSA within 15 business days of the 
change being effective. A disqualifying eligibility determination, 
based on the results of the change, will result in the C3PAO losing its 
authorization or accreditation.
    (6) Undergo a Level 2 certification assessment meeting all 
requirements for a Final Level 2 (C3PAO) in accordance with the 
procedures specified in Sec.  170.17(a)(1) and (c), with the following 
exceptions:
    (i) The assessment will be conducted by DCMA DIBCAC.
    (ii) The assessment will not result in a CMMC Status of Level 2 
(C3PAO) nor receive a Certificate of CMMC Status.
    (7) Provide all documentation and records in English.
    (8) Submit pre-assessment and planning material, final assessment 
reports, and CMMC certificates of assessment into the CMMC 
instantiation of eMASS.
    (9) Unless disposition is otherwise authorized by the CMMC PMO, 
maintain all assessment related records for a period of six (6) years. 
Such records include any materials generated by the C3PAO in the course 
of an assessment, any working papers generated from Level 2 
certification assessments; and materials relating to monitoring, 
education, training, technical knowledge, skills, experience, and 
authorization of all personnel involved in assessment activities; 
contractual agreements with OSCs; and organizations for whom consulting 
services were provided.
    (10) Provide any requested audit information, including any out-of-
cycle from ISO/IEC 17020:2012(E) requirements, to the Accreditation 
Body.
    (11) Ensure that all personally identifiable information (PII) is 
encrypted and protected in all C3PAO information systems and databases.
    (12) Meet the requirements for Assessment Team composition. An 
Assessment Team must include at least two people: a Lead CCA, as 
defined in Sec.  170.11(b)(10), and at least one other CCA. Additional 
CCAs and CCPs may also participate on an Assessment Team.
    (13) Implement a quality assurance function that ensures the 
accuracy and completeness of assessment data prior to upload into the 
CMMC instantiation of eMASS. Any individual fulfilling the quality 
assurance function must be a CCA and cannot be a member of an 
Assessment Team for which they are performing a quality assurance role. 
A quality assurance individual shall manage the C3PAO's quality 
assurance reviews as defined in paragraph (b)(14) of this section and 
the appeals process as required by paragraphs (b)(19) and (20) of this 
section and in accordance with ISO/IEC 17020:2012(E) (incorporated by 
reference, see Sec.  170.2) and ISO/IEC 17011:2017(E) (incorporated by 
reference, see Sec.  170.2).
    (14) Conduct quality assurance reviews for each assessment, 
including observations of the Assessment Team's conduct and management 
of CMMC assessment processes.
    (15) Ensure that all Level 2 certification assessment activities 
are performed on the information system within the CMMC Assessment 
Scope.
    (16) Maintain all facilities, personnel, and equipment involved in 
CMMC activities that are in scope of their Level 2 certification 
assessment and comply with all security requirements and procedures as 
prescribed by the Accreditation Body.
    (17) Ensure that all assessment data and information uploaded into 
the CMMC instantiation of eMASS is compliant with the CMMC assessment 
data standard as set forth in the eMASS CMMC Assessment Import 
Templates on the CMMC eMASS website: https://cmmc.emass.apps.mil. This system is accessible only to authorized 
users.
    (18) Issue Certificates of CMMC Status to OSCs in accordance with 
the Level 2 certification assessment requirements set forth in Sec.  
170.17, that include, at a minimum, all industry CAGE codes associated 
with the information systems addressed by the CMMC Assessment Scope, 
the C3PAO name, assessment unique identifier, the OSC name, and the 
CMMC Status date and level.
    (19) Address all OSC appeals arising from Level 2 certification 
assessment activities. If the OSC or C3PAO is not satisfied with the 
result of the appeal either the OSC or the C3PAO can elevate the matter 
to the Accreditation Body for final determination.
    (20) Submit assessment appeals, review records, and decision 
results of assessment appeals to DoD using the CMMC instantiation of 
eMASS.


Sec.  170.10  CMMC Assessor and Instructor Certification Organization 
(CAICO).

    (a) Roles and responsibilities. The CAICO is responsible for 
training, testing, authorizing, certifying, and recertifying CMMC 
assessors, instructors, and related professionals. Only the CAICO may 
make decisions relating to examination certifications, including the 
granting, maintaining, recertifying, expanding, and reducing the scope 
of certification, and suspending or withdrawing certification in 
accordance with current ISO/IEC 17024:2012(E) (incorporated by 
reference, see Sec.  170.2). At any given point in time, there will be 
only one CAICO for the DoD CMMC Program.
    (b) Requirements. The CAICO shall:
    (1) Comply with the Accreditation Body policies for Conflict of 
Interest, Code of Professional Conduct, and Ethics set forth in Sec.  
170.8(b)(17); and achieve and maintain ISO/IEC 17024(E) accreditation 
within 12 months of December 16, 2024.
    (2) Provide all documentation and records in English.
    (3) Train, test, and designate PIs in accordance with the 
requirements of this section. Train, test, certify, and recertify CCPs, 
CCAs, and CCIs in accordance with the requirements of this section.
    (4) Ensure the instructor and assessor certification examinations 
are certified under ISO/IEC 17024:2012(E) (incorporated by reference, 
see Sec.  170.2), by a recognized US-based accreditor who is not a 
member of the CMMC Accreditation Body. The US-based accreditor must be 
a signatory to International Laboratory Accreditation Cooperation 
(ILAC) or relevant International Accreditation Forum (IAF) Mutual 
Recognition Arrangement (MRA) and must operate in accordance with ISO/
IEC 17011:2017(E) (incorporated by reference, see Sec.  170.2).
    (5) Establish quality control policies and procedures for the 
generation of training products, instruction, and testing materials.
    (6) Oversee development, administration, and management pertaining 
to the quality of training and examination materials for CMMC assessor 
and instructor certification and recertification.
    (7) Establish and publish an authorization and certification 
appeals process to receive, evaluate, and make decisions on complaints 
and appeals in accordance with ISO/IEC 17024:2012(E) (incorporated by 
reference, see Sec.  170.2).
    (8) Address all appeals arising from the CCA, CCI, and CCP 
authorizations and certifications process through use of internal 
processes in accordance with ISO/IEC 17024:2012(E) (incorporated by 
reference, see Sec.  170.2).
    (9) Maintain records for a period of six (6) years of all 
procedures, processes, and actions related to fulfillment of the 
requirements set forth in this section and provide the Accreditation 
Body access to those records.
    (10) Provide the Accreditation Body information about the 
authorization and accreditation status of assessors, instructors, 
training community, and publishing partners.
    (11) Ensure separation of duties between individuals involved in 
testing activities, training activities, and certification activities.
    (12) Safeguard and require any CAICO training support service 
providers, as applicable, to safeguard the confidentiality of 
applicant, candidate, and certificate-holder information and ensure the 
overall security of the certification process.
    (13) Ensure that all PII is encrypted and protected in all CAICO 
information systems and databases and those of any CAICO training 
support service providers.
    (14) Ensure the security of assessor and instructor examinations 
and the fair and credible administration of examinations.
    (15) Neither disclose nor allow any CAICO training support service 
providers, as applicable, to disclose CMMC data or metrics related to 
authorization or certification activities to any entity other than the 
Accreditation Body and DoD, except as required by law.
    (16) Require retraining and redesignation of PIs upon significant 
change to DoD's CMMC Program requirements. Require retraining and 
recertification of CCPs, CCAs, and CCIs upon significant change to 
DoD's CMMC Program requirements, as determined by the DoD or the CAICO.
    (17) Require CMMC Ecosystem members to report to the CAICO within 
30 days of convictions, guilty pleas, or no contest pleas to crimes of 
fraud, larceny, embezzlement, misappropriation of funds, 
misrepresentation, perjury, false swearing, conspiracy to conceal, or a 
similar offense in any legal proceeding, civil or criminal, whether or 
not in connection with activities that relate to carrying out their 
role in the CMMC Ecosystem.


Sec.  170.11  CMMC Certified Assessor (CCA).

    (a) Roles and responsibilities. CCAs, in support of a C3PAO, 
conduct Level 2 certification assessments of OSCs in accordance with 
NIST SP 800-171A Jun2018 (incorporated by reference, see Sec.  170.2), 
the assessment processes defined in Sec.  170.17, and the scoping 
requirements defined in Sec.  170.19(c). CCAs must meet all of the 
requirements set forth in paragraph (b) of this section. A CCA may 
conduct Level 2 certification assessments and participate on a C3PAO 
Assessment Team.
    (b) Requirements. CCAs shall:
    (1) Obtain and maintain certification from the CAICO in accordance 
with the requirements set forth in Sec.  170.10. Certification is valid 
for 3 years from the date of issuance.
    (2) Comply with the Accreditation Body policies for Conflict of 
Interest, Code of Professional Conduct, and Ethics set forth in Sec.  
170.8(b)(17).
    (3) Complete a Tier 3 background investigation resulting in a 
determination of national security eligibility. This Tier 3 background 
investigation will not result in a security clearance and is not being 
executed for the purpose of government employment. The Tier 3 
background investigation is initiated using the Standard Form (SF) 86 
(www.gsa.gov/reference/forms/questionnaire-for-national-security-positions). These positions are designated as non-critical sensitive 
with a risk designation of ``Moderate Risk'' in accordance with 5 CFR 
1400.201(b) and (d) and the investigative requirements of 5 CFR 
731.106(c)(2).
    (4) Meet the equivalent of a favorably adjudicated Tier 3 
background investigation when not eligible for a Tier 3 background 
investigation. DoD will determine the Tier 3 background investigation 
equivalence for use with the CMMC Program only.
    (5) Provide all documentation and records in English.
    (6) Be a CCP who has at least 3 years of cybersecurity experience, 
at least 1 year of assessment or audit experience, and at least one 
foundational qualification, aligned to at least the Intermediate 
Proficiency Level of the DoD Cyberspace Workforce Framework's Security 
Control Assessor (612) Work Role, from DoD Manual 8140.03, Cyberspace 
Workforce Qualification and Management Program (https://dodcio.defense.gov/Portals/0/Documents/Library/DoDM-8140-03.pdf). 
Information on the Work Role 612 can be found at https://public.cyber.mil/dcwf-work-role/security-control-assessor/.
    (7) Only use IT, cloud, cybersecurity services, and end-point 
devices provided by the authorized/accredited C3PAO that has been 
engaged to perform that OSA's Level 2 certification assessment and 
which has undergone a Level 2 certification assessment by DCMA DIBCAC 
(or higher) for all assessment activities. Individual assessors are 
prohibited from using any other IT, including IT that is personally 
owned, to include internal and external cloud services and end-point 
devices, to process, store, or transmit CMMC assessment reports or any 
other CMMC assessment-related information. The evaluation of assessment 
evidence within the OSC environment, using OSC tools, is permitted.
    (8) Immediately notify the responsible C3PAO of any breach or 
potential breach of security to any CMMC-related assessment materials 
under the assessors' purview.
    (9) Not share any information about an OSC obtained during CMMC 
pre-assessment and assessment activities with any person not involved 
with that specific assessment, except as otherwise required by law.
    (10) Qualify as a Lead CCA by having at least 5 years of 
cybersecurity experience, 5 years of management experience, 3 years of 
assessment or audit experience, and at least one foundational 
qualification aligned to Advanced Proficiency Level of the DoD 
Cyberspace Workforce Framework's Security Control Assessor (612) Work 
Role, from DoD Manual 8140.03, Cyberspace Workforce Qualification and
Management Program (https://dodcio.defense.gov/Portals/0/Documents/Library/DoDM-8140-03.pdf). Information on the Work Role 612 can be 
found at https://public.cyber.mil/dcwf-work-role/security-control-assessor/.


Sec.  170.12  CMMC Instructor.

    (a) CMMC Provisional Instructor (PI) roles and responsibilities. A 
CMMC Provisional Instructor (PI) teaches CCA and CCP candidates during 
the transitional period that ends 18 months after December 16, 2024. A 
PI is trained, tested, and designated to perform CMMC instructional 
duties by the CAICO to teach CCP and CCA candidates. PIs are designated 
by the CAICO after successful completion of the PI training and testing 
requirements set forth by the CAICO. A PI with a valid CCP 
certification may instruct CCP candidates, while a PI with a valid CCA 
certification may instruct CCP and CCA candidates. PIs are required to 
meet the requirements in paragraph (c) of this section.
    (b) CMMC Certified Instructor (CCI) roles and responsibilities. A 
CMMC Certified Instructor (CCI) teaches CCP, CCA, and CCI candidates 
and performs CMMC instructional duties. Candidate CCIs are certified by 
the CAICO after successful completion of the CCI training and testing 
requirements. A CCI is required to obtain and maintain assessor and 
instructor certifications from the CAICO in accordance with the 
requirements set forth in Sec.  170.10 and in paragraph (c) of this 
section. A CCI with a valid CCP certification may instruct CCP 
candidates, while a CCI with a valid CCA certification may instruct 
CCP, CCA, and CCI candidates. Certifications are valid for 3 years from 
the date of issuance. CCIs are required to meet requirements in 
paragraph (c) of this section.
    (c) Requirements. CMMC Instructors shall:
    (1) Obtain and maintain instructor designation or certification, as 
appropriate, from the CAICO in accordance with the requirements set 
forth in Sec.  170.10.
    (2) Obtain and maintain CCP or CCA certification to deliver CCP 
training.
    (3) Obtain and maintain a CCA certification to deliver CCA 
training.
    (4) Comply with the Accreditation Body policies for Conflict of 
Interest, Code of Professional Conduct, and Ethics set forth in Sec.  
170.8(b)(17).
    (5) Provide all documentation and records in English.
    (6) Provide the Accreditation Body and the CAICO annually with 
accurate information detailing their qualifications, training 
experience, professional affiliations, and certifications, and, upon 
reasonable request, submit documentation verifying this information.
    (7) Not provide CMMC consulting services while serving as a CMMC 
instructor; however, subject to the Code of Professional Conduct and 
Conflict of Interest policies, can serve on an assessment team.
    (8) Not participate in the development of exam objectives and/or 
exam content or act as an exam proctor while at the same time serving 
as a CCI.
    (9) Keep confidential all information obtained or created during 
the performance of CMMC training activities, including trainee records, 
except as required by law.
    (10) Not disclose any CMMC-related data or metrics that is PII, 
FCI, or CUI to anyone without prior coordination with and approval from 
DoD.
    (11) Notify the Accreditation Body or the CAICO if required by law 
or authorized by contractual commitments to release confidential 
information.
    (12) Not share with anyone any CMMC training-related information 
not previously publicly disclosed.


Sec.  170.13  CMMC Certified Professional (CCP).

    (a) Roles and responsibilities. A CMMC Certified Professional (CCP) 
completes rigorous training on CMMC and the assessment process to 
provide advice, consulting, and recommendations to their OSA clients. 
Candidate CCPs are certified by the CAICO after successful completion 
of the CCP training and testing requirements set forth in paragraph (b) 
of this section. CCPs are eligible to become CMMC Certified Assessors 
and can participate as a CCP on Level 2 certification assessments with 
CCA oversight where the CCA makes all final determinations.
    (b) Requirements. CCPs shall:
    (1) Obtain and maintain certification from the CAICO in accordance 
with the requirements set forth in Sec.  170.10. Certification is valid 
for 3 years from the date of issuance.
    (2) Comply with the Accreditation Body policies for Conflict of 
Interest, Code of Professional Conduct, and Ethics as set forth in 
Sec.  170.8(b)(17).
    (3) Complete a Tier 3 background investigation resulting in a 
determination of national security eligibility. This Tier 3 background 
investigation will not result in a security clearance and is not being 
executed for the purpose of government employment. The Tier 3 
background investigation is initiated using the Standard Form (SF) 86 
(www.gsa.gov/reference/forms/questionnaire-for-national-security-positions). These positions are designated as non-critical sensitive 
with a risk designation of ``Moderate Risk'' in accordance with 5 CFR 
1400.201(b) and (d) and the investigative requirements of 5 CFR 
731.106(c)(2).
    (4) Meet the equivalent of a favorably adjudicated Tier 3 
background investigation when not eligible to obtain a Tier 3 
background investigation. DoD will determine the Tier 3 background 
investigation equivalence for use with the CMMC Program only.
    (5) Provide all documentation and records in English.
    (6) Not share any information about an OSC obtained during CMMC 
pre-assessment and assessment activities with any person not involved 
with that specific assessment, except as otherwise required by law.

Subpart D--Key Elements of the CMMC Program


Sec.  170.14  CMMC Model.

    (a) Overview. The CMMC Model incorporates the security requirements 
from:
    (1) 48 CFR 52.204-21, Basic Safeguarding of Covered Contractor 
Information Systems;
    (2) NIST SP 800-171 R2, Protecting Controlled Unclassified 
Information in Nonfederal Systems and Organizations (incorporated by 
reference, see Sec.  170.2); and
    (3) Selected security requirements from NIST SP 800-172 Feb2021, 
Enhanced Security Requirements for Protecting Controlled Unclassified 
Information: A Supplement to NIST Special Publication 800-171 
(incorporated by reference, see Sec.  170.2).
    (b) CMMC domains. The CMMC Model consists of domains that map to 
the Security Requirement Families defined in NIST SP 800-171 R2 
(incorporated by reference, see Sec.  170.2).
    (c) CMMC level requirements. CMMC Levels 1-3 utilize the 
safeguarding requirements and security requirements specified in 48 CFR 
52.204-21 (for Level 1), NIST SP 800-171 R2 (incorporated by reference, 
see Sec.  170.2) (for Level 2), and selected security requirements from 
NIST SP 800-172 Feb2021 (incorporated by reference, see Sec.  170.2) 
(for Level 3). This paragraph discusses the numbering scheme and the 
security requirements for each level.
    (1) Numbering. Each security requirement has an identification 
number in the format--DD.L#-REQ--where:
    (i) DD is the two-letter domain abbreviation;
    (ii) L# is the CMMC level number; and
    (iii) REQ is the 48 CFR 52.204-21 paragraph number, NIST SP 800-171 
R2 requirement number, or NIST SP 800-172 Feb2021 requirement number.
    (2) CMMC Level 1 security requirements. The security requirements 
in CMMC Level 1 are those set forth in 48 CFR 52.204-21(b)(1)(i) 
through (xv).
    (3) CMMC Level 2 security requirements. The security requirements 
in CMMC Level 2 are identical to the requirements in NIST SP 800-171 
R2.
    (4) CMMC Level 3 security requirements. The security requirements 
in CMMC Level 3 are selected from NIST SP 800-172 Feb2021, and where 
applicable, Organization-Defined Parameters (ODPs) are assigned. Table 
1 to this paragraph identifies the selected requirements and applicable 
ODPs that represent the CMMC Level 3 security requirements. ODPs for 
the NIST SP 800-172 Feb2021 requirements are italicized, where 
applicable:

                                         Table 1 to Sec.   170.14(c)(4)
----------------------------------------------------------------------------------------------------------------
                                                       CMMC Level 3 security requirements (selected NIST SP 800-
              Security requirement No.*                      172 Feb2021 security requirement with DoD ODPs
                                                                              italicized)
----------------------------------------------------------------------------------------------------------------
(i) AC.L3-3.1.2e.....................................  Restrict access to systems and system components to only
                                                        those information resources that are owned, provisioned,
                                                        or issued by the organization.
(ii) AC.L3-3.1.3e....................................  Employ secure information transfer solutions to control
                                                        information flows between security domains on connected
                                                        systems.
(iii) AT.L3-3.2.1e...................................  Provide awareness training upon initial hire, following a
                                                        significant cyber event, and at least annually, focused
                                                        on recognizing and responding to threats from social
                                                        engineering, advanced persistent threat actors,
                                                        breaches, and suspicious behaviors; update the training
                                                        at least annually or when there are significant changes
                                                        to the threat.
(iv) AT.L3-3.2.2e....................................  Include practical exercises in awareness training for all
                                                        users, tailored by roles, to include general users,
                                                        users with specialized roles, and privileged users, that
                                                        are aligned with current threat scenarios and provide
                                                        feedback to individuals involved in the training and
                                                        their supervisors.
(v) CM.L3-3.4.1e.....................................  Establish and maintain an authoritative source and
                                                        repository to provide a trusted source and
                                                        accountability for approved and implemented system
                                                        components.
(vi) CM.L3-3.4.2e....................................  Employ automated mechanisms to detect misconfigured or
                                                        unauthorized system components; after detection, remove
                                                        the components or place the components in a quarantine
                                                        or remediation network to facilitate patching, re-
                                                        configuration, or other mitigations.
(vii) CM.L3-3.4.3e...................................  Employ automated discovery and management tools to
                                                        maintain an up-to-date, complete, accurate, and readily
                                                        available inventory of system components.
(viii) IA.L3-3.5.1e..................................  Identify and authenticate systems and system components,
                                                        where possible, before establishing a network connection
                                                        using bidirectional authentication that is
                                                        cryptographically based and replay resistant.
(ix) IA.L3-3.5.3e....................................  Employ automated or manual/procedural mechanisms to
                                                        prohibit system components from connecting to
                                                        organizational systems unless the components are known,
                                                        authenticated, in a properly configured state, or in a
                                                        trust profile.
(x) IR.L3-3.6.1e.....................................  Establish and maintain a security operations center
                                                        capability that operates 24/7, with allowance for remote/
                                                        on-call staff.
(xi) IR.L3-3.6.2e....................................  Establish and maintain a cyber-incident response team
                                                        that can be deployed by the organization within 24
                                                        hours.
(xii) PS.L3-3.9.2e...................................  Ensure that organizational systems are protected if
                                                        adverse information develops or is obtained about
                                                        individuals with access to CUI.
(xiii) RA.L3-3.11.1e.................................  Employ threat intelligence, at a minimum from open or
                                                        commercial sources, and any DoD-provided sources, as
                                                        part of a risk assessment to guide and inform the
                                                        development of organizational systems, security
                                                        architectures, selection of security solutions,
                                                        monitoring, threat hunting, and response and recovery
                                                        activities.
(xiv) RA.L3-3.11.2e..................................  Conduct cyber threat hunting activities on an on-going
                                                        aperiodic basis or when indications warrant, to search
                                                        for indicators of compromise in organizational systems
                                                        and detect, track, and disrupt threats that evade
                                                        existing controls.
(xv) RA.L3-3.11.3e...................................  Employ advanced automation and analytics capabilities in
                                                        support of analysts to predict and identify risks to
                                                        organizations, systems, and system components.
(xvi) RA.L3-3.11.4e..................................  Document or reference in the system security plan the
                                                        security solution selected, the rationale for the
                                                        security solution, and the risk determination.
(xvii) RA.L3-3.11.5e.................................  Assess the effectiveness of security solutions at least
                                                        annually or upon receipt of relevant cyber threat
                                                        information, or in response to a relevant cyber
                                                        incident, to address anticipated risk to organizational
                                                        systems and the organization based on current and
                                                        accumulated threat intelligence.
(xviii) RA.L3-3.11.6e................................  Assess, respond to, and monitor supply chain risks
                                                        associated with organizational systems and system
                                                        components.
(xix) RA.L3-3.11.7e..................................  Develop a plan for managing supply chain risks associated
                                                        with organizational systems and system components;
                                                        update the plan at least annually, and upon receipt of
                                                        relevant cyber threat information, or in response to a
                                                        relevant cyber incident.
(xx) CA.L3-3.12.1e...................................  Conduct penetration testing at least annually or when
                                                        significant security changes are made to the system,
                                                        leveraging automated scanning tools and ad hoc tests
                                                        using subject matter experts.
(xxi) SC.L3-3.13.4e..................................  Employ physical isolation techniques or logical isolation
                                                        techniques or both in organizational systems and system
                                                        components.
(xxii) SI.L3-3.14.1e.................................  Verify the integrity of security critical and essential
                                                        software using root of trust mechanisms or cryptographic
                                                        signatures.
(xxiii) SI.L3-3.14.3e................................  Ensure that specialized assets including IoT, IIoT, OT,
                                                        GFE, Restricted Information Systems, and test equipment
                                                        are included in the scope of the specified enhanced
                                                        security requirements or are segregated in purpose-
                                                        specific networks.
(xxiv) SI.L3-3.14.6e.................................  Use threat indicator information and effective
                                                        mitigations obtained from, at a minimum, open or
                                                        commercial sources, and any DoD-provided sources, to
                                                        guide and inform intrusion detection and threat hunting.
----------------------------------------------------------------------------------------------------------------
* Roman numerals in parentheses before the Security Requirement are for numbering purposes only. The numerals
  are not part of the naming convention for the requirement.
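The DD.L#-REQ numbering scheme in paragraph (c)(1), together with the level-specific sources in paragraphs (c)(2) through (c)(4) and the selected requirements in Table 1, is enough to validate an identifier mechanically. The following Python parser is an added example and is not part of the rule or of any DoD tooling. It checks that the domain abbreviation, the level and the REQ field agree with one another: a Level 1 REQ must be a 48 CFR 52.204-21(b)(1) paragraph whose domain matches Table 2 to Sec. 170.15(c)(1)(ii), a Level 2 REQ must be a NIST SP 800-171 R2 number in the family the domain owns, and a Level 3 REQ must be one of the 24 NIST SP 800-172 numbers selected in Table 1. The family numbers for AU (3.3) and MA (3.7) are assumed from NIST SP 800-171 R2; they do not appear on this page.

```python
import re
from dataclasses import dataclass

# Domain abbreviation -> NIST SP 800-171 R2 family number (the middle field
# of a 3.x.y requirement number). AU=3 and MA=7 are assumed from NIST SP
# 800-171 R2 itself; every other pair appears in Table 1 or Table 2 of the rule.
FAMILY = {"AC": 1, "AT": 2, "AU": 3, "CM": 4, "IA": 5, "IR": 6, "MA": 7,
          "MP": 8, "PS": 9, "PE": 10, "RA": 11, "CA": 12, "SC": 13, "SI": 14}

# 48 CFR 52.204-21(b)(1)(i) through (xv): roman numeral -> ordinal, plus the
# domain each paragraph belongs to (from Table 2 to Sec. 170.15(c)(1)(ii)).
ROMAN = {r: n for n, r in enumerate(
    "i ii iii iv v vi vii viii ix x xi xii xiii xiv xv".split(), start=1)}
L1_DOMAIN = {1: "AC", 2: "AC", 3: "AC", 4: "AC", 5: "IA", 6: "IA", 7: "MP",
             8: "PE", 9: "PE", 10: "SC", 11: "SC", 12: "SI", 13: "SI",
             14: "SI", 15: "SI"}

# The 24 NIST SP 800-172 requirements selected for Level 3 (Table 1).
LEVEL3_SELECTED = frozenset("""
3.1.2e 3.1.3e 3.2.1e 3.2.2e 3.4.1e 3.4.2e 3.4.3e 3.5.1e 3.5.3e 3.6.1e 3.6.2e
3.9.2e 3.11.1e 3.11.2e 3.11.3e 3.11.4e 3.11.5e 3.11.6e 3.11.7e 3.12.1e
3.13.4e 3.14.1e 3.14.3e 3.14.6e""".split())

_ID = re.compile(r"^(?P<dd>[A-Z]{2})\.L(?P<level>[1-3])-(?P<req>[0-9a-z.]+)$")
_L1 = re.compile(r"^b\.1\.(?P<roman>[ivx]+)$")
_L23 = re.compile(r"^3\.(?P<family>\d{1,2})\.(?P<n>\d{1,2})(?P<e>e?)$")


@dataclass(frozen=True)
class CmmcRequirementId:
    domain: str
    level: int
    req: str
    source: str  # the document the REQ field indexes into


def parse_requirement_id(text: str) -> CmmcRequirementId:
    """Parse and validate a DD.L#-REQ identifier (Sec. 170.14(c)(1)).

    Raises ValueError for malformed ids and for ids whose fields are each
    legal but mutually inconsistent: a domain that does not own the family
    number in REQ, an 'e' suffix at Level 2, a FAR paragraph at Level 2/3,
    or an 800-172 number that Table 1 does not select for Level 3.
    """
    m = _ID.match(text.strip())
    if not m:
        raise ValueError(f"not in DD.L#-REQ form: {text!r}")
    dd, level, req = m["dd"], int(m["level"]), m["req"]
    if dd not in FAMILY:
        raise ValueError(f"unknown domain {dd!r}")

    if level == 1:
        l1 = _L1.match(req)
        if not l1 or l1["roman"] not in ROMAN:
            raise ValueError(f"Level 1 REQ must be b.1.i through b.1.xv, got {req!r}")
        if L1_DOMAIN[ROMAN[l1["roman"]]] != dd:
            raise ValueError(f"paragraph (b)(1)({l1['roman']}) is not in domain {dd}")
        return CmmcRequirementId(dd, 1, req, "48 CFR 52.204-21(b)(1)")

    l23 = _L23.match(req)
    if not l23:
        raise ValueError(f"Level {level} REQ must be a 3.x.y number, got {req!r}")
    if FAMILY[dd] != int(l23["family"]):
        raise ValueError(f"domain {dd} does not own family 3.{l23['family']}")
    enhanced = bool(l23["e"])
    if level == 2:
        if enhanced:
            raise ValueError("Level 2 indexes NIST SP 800-171 R2; no 'e' suffix")
        return CmmcRequirementId(dd, 2, req, "NIST SP 800-171 R2")
    if not enhanced:
        raise ValueError("Level 3 indexes NIST SP 800-172; 'e' suffix required")
    if req not in LEVEL3_SELECTED:
        raise ValueError(f"{req} is not selected for Level 3 in Table 1")
    return CmmcRequirementId(dd, 3, req, "NIST SP 800-172 Feb2021 (selected)")


def is_valid_requirement_id(text: str) -> bool:
    """True if text is a well-formed, internally consistent CMMC identifier."""
    try:
        parse_requirement_id(text)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed samples: three valid ids followed by three that are each
    # syntactically plausible but fail a consistency check.
    for sample in ["AC.L3-3.1.2e", "PE.L1-b.1.ix", "SI.L2-3.14.5",
                   "AC.L2-3.1.2e", "AC.L3-3.1.1e", "SC.L2-3.1.1"]:
        print(f"{sample:14} valid={is_valid_requirement_id(sample)}")
```

The consistency checks are the useful part: an identifier such as AC.L2-3.1.2e looks like a CMMC id, but the 'e' suffix marks an 800-172 enhanced requirement, which Level 2 does not use, and AC.L3-3.1.1e is a genuine 800-172 number that Table 1 does not select, so a tool that only checks the DD.L#-REQ shape would accept both.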

    (d) Implementation. Assessment of security requirements is 
prescribed by NIST SP 800-171A Jun2018 (incorporated by reference, see 
Sec.  170.2) and NIST SP 800-172A Mar2022 (incorporated by reference, 
see Sec.  170.2). Descriptive text in these documents support OSA 
implementation of the security requirements and use the terms 
organization-defined and periodically. Except where referring to 
Organization-Defined Parameters (ODPs), organization-defined means as 
determined by the OSA. Periodically means occurring at regular 
intervals. As used in many requirements within CMMC, the interval 
length is organization-defined to provide contractor flexibility, with 
an interval length of no more than one year.


Sec.  170.15  CMMC Level 1 self-assessment and affirmation 
requirements.

    (a) Level 1 self-assessment. To comply with CMMC Level 1 self-
assessment requirements, the OSA must meet the requirements detailed in 
paragraphs (a)(1) and (2) of this section. An OSA conducts a Level 1 
self-assessment as detailed in paragraph (c) of this section to achieve 
a CMMC Status of Final Level 1 (Self).
    (1) Level 1 self-assessment requirements. The OSA must complete and 
achieve a MET result for all security requirements specified in Sec.  
170.14(c)(2) to achieve the CMMC Status of Final Level 1 (Self). No 
POA&Ms are permitted for CMMC Level 1. The OSA must conduct a self-
assessment in accordance with the procedures set forth in Sec.  
170.15(c)(1) and submit assessment results in SPRS. To maintain 
compliance with the requirements for the CMMC Status of Final Level 1 
(Self), the OSA must conduct a Level 1 self-assessment on an annual 
basis and submit the results in SPRS, or its successor capability.
    (i) Inputs to SPRS. The Level 1 self-assessment results in the 
Supplier Performance Risk System (SPRS) shall include, at minimum, the 
following items:
    (A) CMMC Level.
    (B) CMMC Status Date.
    (C) CMMC Assessment Scope.
    (D) All industry CAGE code(s) associated with the information 
system(s) addressed by the CMMC Assessment Scope.
    (E) Compliance result.
    (ii) [Reserved]
    (2) Affirmation. Affirmation of the Level 1 (Self) CMMC Status is 
required for all Level 1 self-assessments. Affirmation procedures are 
set forth in Sec.  170.22.
    (b) Contract eligibility. Prior to award of any contract or 
subcontract with a requirement for the CMMC Status of Level 1 (Self), 
OSAs must both achieve a CMMC Status of Level 1 (Self) and have 
submitted an affirmation of compliance into SPRS for all information 
systems within the CMMC Assessment Scope.
    (c) Procedures--(1) Level 1 self-assessment. The OSA must conduct a 
Level 1 self-assessment scored in accordance with the CMMC Scoring 
Methodology described in Sec.  170.24. The Level 1 self-assessment must 
be performed in accordance with the CMMC Level 1 scope requirements set 
forth in Sec.  170.19(a) and (b) and the following:
    (i) The Level 1 self-assessment must be performed using the 
objectives defined in NIST SP 800-171A Jun2018 (incorporated by 
reference, see Sec.  170.2) for the security requirement that maps to 
the CMMC Level 1 security requirement as specified in table 1 to 
paragraph (c)(1)(ii) of this section. In any case where an objective 
addresses CUI, FCI should be substituted for CUI in the objective.
    (ii) Mapping table for CMMC Level 1 security requirements to the 
NIST SP 800-171A Jun2018 objectives.

 Table 2 to Sec.   170.15(c)(1)(ii)--CMMC Level 1 Security Requirements
                   Mapped to NIST SP 800-171A Jun2018
------------------------------------------------------------------------
 CMMC Level 1 security requirements as set
        forth in Sec.   170.14(c)(2)           NIST SP 800-171A Jun2018
------------------------------------------------------------------------
AC.L1-b.1.i................................                        3.1.1
AC.L1-b.1.ii...............................                        3.1.2
AC.L1-b.1.iii..............................                       3.1.20
AC.L1-b.1.iv...............................                       3.1.22
IA.L1-b.1.v................................                        3.5.1
IA.L1-b.1.vi...............................                        3.5.2
MP.L1-b.1.vii..............................                        3.8.3
PE.L1-b.1.viii.............................                       3.10.1
First phrase of PE.L1-b.1.ix (FAR b.1.ix *)                       3.10.3
Second phrase of PE.L1-b.1.ix (FAR b.1.ix *)                      3.10.4
Third phrase of PE.L1-b.1.ix (FAR b.1.ix *)                       3.10.5
SC.L1-b.1.x................................                       3.13.1
SC.L1-b.1.xi...............................                       3.13.5
SI.L1-b.1.xii..............................                       3.14.1
SI.L1-b.1.xiii.............................                       3.14.2
SI.L1-b.1.xiv..............................                       3.14.4
SI.L1-b.1.xv...............................                       3.14.5
------------------------------------------------------------------------
* Three of the 48 CFR 52.204-21 requirements were broken apart by
  ``phrase'' when NIST SP 800-171 R2 was developed.

    (iii) Additional guidance can be found in the guidance document 
listed in paragraph (b) of appendix A to this part.
    (2) Artifact retention. The artifacts used as evidence for the 
assessment must be retained by the OSA for six (6) years from the CMMC 
Status Date.


Sec.  170.16  CMMC Level 2 self-assessment and affirmation 
requirements.

    (a) Level 2 self-assessment. To comply with Level 2 self-assessment 
requirements, the OSA must meet the requirements detailed in paragraphs 
(a)(1) and (2) of this section. An OSA conducts a Level 2 self-
assessment as detailed in paragraph (c) of this section to achieve a 
CMMC Status of either Conditional or Final Level 2 (Self). Achieving a 
CMMC Status of Level 2 (Self) also satisfies the requirements for a 
CMMC Status of Level 1 (Self) detailed in Sec.  170.15 for the same 
CMMC Assessment Scope.
    (1) Level 2 self-assessment requirements. The OSA must complete and 
achieve a MET result for all security requirements specified in Sec.  
170.14(c)(3) to achieve the CMMC Status of Level 2 (Self). The OSA must 
conduct a self-assessment in accordance with the procedures set forth 
in paragraph (c)(1) of this section and submit assessment
results in Supplier Performance Risk System (SPRS). To maintain 
compliance with the requirements for a CMMC Status of Level 2 (Self), 
the OSA must conduct a Level 2 self-assessment every three years and 
submit the results in SPRS, within three years of the CMMC Status Date 
associated with the Conditional Level 2 (Self).
    (i) Inputs to SPRS. The Level 2 self-assessment results in the SPRS 
shall include, at minimum, the following information:
    (A) CMMC Level.
    (B) CMMC Status Date.
    (C) CMMC Assessment Scope.
    (D) All industry CAGE code(s) associated with the information 
system(s) addressed by the CMMC Assessment Scope.
    (E) Overall Level 2 self-assessment score (e.g., 105 out of 110).
    (F) POA&M usage and compliance status, if applicable.
    (ii) Conditional Level 2 (Self). The OSA has achieved the CMMC 
Status of Conditional Level 2 (Self) if the Level 2 self-assessment 
results in a POA&M and the POA&M meets all the CMMC Level 2 POA&M 
requirements listed in Sec.  170.21(a)(2).
    (A) Plan of Action and Milestones. A Level 2 POA&M is allowed only 
in accordance with the CMMC POA&M requirements listed in Sec.  170.21.
    (B) POA&M closeout. The OSA must remediate any NOT MET 
requirements, must perform a POA&M closeout self-assessment, and must 
post compliance results to SPRS within 180 days of the CMMC Status Date 
associated with the Conditional Level 2 (Self). If the POA&M is not 
successfully closed out within the 180-day timeframe, the Conditional 
Level 2 (Self) CMMC Status for the information system will expire. If 
Conditional Level 2 (Self) CMMC Status expires within the period of 
performance of a contract, standard contractual remedies will apply, 
and the OSA will be ineligible for additional awards with a requirement 
for the CMMC Status of Level 2 (Self), or higher requirement, for the 
information system within the CMMC Assessment Scope until such time as 
a new CMMC Status is achieved.
    (iii) Final Level 2 (Self). The OSA has achieved the CMMC Status of 
Final Level 2 (Self) if the Level 2 self-assessment results in a 
passing score as defined in Sec.  170.24. This score may be achieved 
upon initial self-assessment or as the result of a POA&M closeout self-
assessment, as applicable.
    (iv) CMMC Status investigation. The DoD reserves the right to 
conduct a DCMA DIBCAC assessment of the OSA, as provided for under the 
48 CFR 252.204-7020. If the investigative results of a subsequent DCMA 
DIBCAC assessment show that adherence to the provisions of this part 
have not been achieved or maintained, these DCMA DIBCAC results will 
take precedence over any pre-existing CMMC Status. At that time, 
standard contractual remedies will be available and the OSA will be 
ineligible for additional awards with CMMC Status requirement of Level 
2 (Self), or higher requirement, for the information system within the 
CMMC Assessment Scope until such time as a new CMMC Status is achieved.
    (2) Affirmation. Affirmation of the Level 2 (Self) CMMC Status is 
required for all Level 2 self-assessments at the time of each 
assessment, and annually thereafter. Affirmation procedures are set 
forth in Sec.  170.22.
    (b) Contract eligibility. Prior to award of any contract or 
subcontract with requirement for CMMC Status of Level 2 (Self), the 
following two requirements must be met:
    (1) The OSA must achieve, as specified in paragraph (a)(1) of this 
section, a CMMC Status of either Conditional Level 2 (Self) or Final 
Level 2 (Self).
    (2) The OSA must submit an affirmation of compliance into SPRS, as 
specified in paragraph (a)(2) of this section.
    (c) Procedures--(1) Level 2 self-assessment of the OSA. The OSA 
must conduct a Level 2 self-assessment in accordance with NIST SP 800-
171A Jun2018 (incorporated by reference, see Sec.  170.2) and the CMMC 
Level 2 scoping requirements set forth in Sec. Sec.  170.19(a) and (c) 
for the information systems within the CMMC Assessment Scope. The Level 
2 self-assessment must be scored in accordance with the CMMC Scoring 
Methodology described in Sec.  170.24 and the OSA must upload the 
results into SPRS. If a POA&M exists, a POA&M closeout self-assessment 
must be performed by the OSA when all NOT MET requirements have been 
remediated. The POA&M closeout self-assessment must be performed within 
180-days of the Conditional CMMC Status Date. Additional guidance can 
be found in the guidance document listed in paragraph (c) of appendix A 
to this part.
    (2) Level 2 self-assessment with the use of Cloud Service Provider 
(CSP). An OSA may use a cloud environment to process, store, or 
transmit CUI in performance of a contract or subcontract with a 
requirement for the CMMC Status of Level 2 (Self) under the following 
circumstances:
    (i) The CSP product or service offering is FedRAMP Authorized at 
the FedRAMP Moderate (or higher) baseline in accordance with the 
FedRAMP Marketplace; or
    (ii) The CSP product or service offering is not FedRAMP Authorized 
at the FedRAMP Moderate (or higher) baseline but meets security 
requirements equivalent to those established by the FedRAMP Moderate 
(or higher) baseline. FedRAMP Moderate or FedRAMP Moderate equivalent 
is in accordance with DoD Policy.
    (iii) In accordance with Sec.  170.19(c)(2), the OSA's on-premises 
infrastructure connecting to the CSP's product or service offering is 
part of the CMMC Assessment Scope, which will also be assessed. As 
such, the security requirements from the Customer Responsibility Matrix 
(CRM) must be documented or referred to in the OSA's System Security 
Plan (SSP).
    (3) Level 2 self-assessment with the use of an External Service 
Provider (ESP), not a CSP. An OSA may use an ESP that is not a CSP to 
process, store, or transmit CUI in performance of a contract or 
subcontract with a requirement for the CMMC Status of Level 2 (Self) 
under the following circumstances:
    (i) The use of the ESP, its relationship to the OSA, and the 
services provided are documented in the OSA's SSP and described in the 
ESP's service description and CRM.
    (ii) The ESP services used to meet OSA requirements are assessed 
within the scope of the OSA's assessment against all Level 2 security 
requirements.
    (iii) In accordance with Sec.  170.19(c)(2), the OSA's on-premises 
infrastructure connecting to the ESP's product or service offering is 
part of the CMMC Assessment Scope, which will also be assessed. As 
such, the security requirements from the CRM must be documented or 
referred to in the OSA's SSP.
    (4) Artifact retention. The artifacts used as evidence for the 
assessment must be retained by the OSA for six (6) years from the CMMC 
Status Date.


Sec.  170.17  CMMC Level 2 certification assessment and affirmation 
requirements.

    (a) Level 2 certification assessment. To comply with Level 2 
certification assessment requirements, the OSC must meet the 
requirements set forth in paragraphs (a)(1) and (2) of this section. An 
OSC undergoes a Level 2 certification assessment as detailed in 
paragraph (c) of this section to achieve a CMMC Status of either 
Conditional or Final Level 2 (C3PAO). Achieving a CMMC Status of Level 
2 (C3PAO) also satisfies the requirements for the CMMC Statuses of 
Level 1 (Self) and 
Level 2 (Self) set forth in Sec. Sec.  170.15 and 170.16 respectively 
for the same CMMC Assessment Scope.
    (1) Level 2 certification assessment requirements. The OSC must 
complete and achieve a MET result for all security requirements 
specified in Sec.  170.14(c)(3) to achieve the CMMC Status of Level 2 
(C3PAO). The OSC must obtain a Level 2 certification assessment from an 
authorized or accredited C3PAO following the procedures outlined in 
paragraph (c) of this section. The C3PAO must submit the Level 2 
certification assessment results into the CMMC instantiation of eMASS, 
which then provides automated transmission to SPRS. To maintain 
compliance with the requirements for a CMMC Status of Level 2 (C3PAO), 
the Level 2 certification assessment must be completed within three 
years of the CMMC Status Date associated with the Conditional Level 2 
(C3PAO).
    (i) Inputs into the CMMC instantiation of eMASS. The Level 2 
certification assessment results input into the CMMC instantiation of 
eMASS shall include, at minimum, the following information:
    (A) Date and level of the assessment.
    (B) C3PAO name.
    (C) Assessment unique identifier.
    (D) For each Assessor conducting the assessment, name and business 
contact information.
    (E) All industry CAGE codes associated with the information systems 
addressed by the CMMC Assessment Scope.
    (F) The name, date, and version of the SSP.
    (G) CMMC Status Date.
    (H) Assessment result for each requirement objective.
    (I) POA&M usage and compliance, as applicable.
    (J) List of the artifact names, the return value of the hashing 
algorithm, and the hashing algorithm used.
    (ii) Conditional Level 2 (C3PAO). The OSC has achieved the CMMC 
Status of Conditional Level 2 (C3PAO) if the Level 2 certification 
assessment results in a POA&M and the POA&M meets all CMMC Level 2 
POA&M requirements listed in Sec.  170.21(a)(2).
    (A) Plan of Action and Milestones. A Level 2 POA&M is allowed only 
in accordance with the CMMC POA&M requirements listed in Sec.  170.21.
    (B) POA&M closeout. The OSC must remediate any NOT MET 
requirements, must undergo a POA&M closeout certification assessment 
from a C3PAO, and the C3PAO must post compliance results into the CMMC 
instantiation of eMASS within 180 days of the CMMC Status Date 
associated with the Conditional Level 2 (C3PAO). If the POA&M is not 
successfully closed out within the 180-day timeframe, the Conditional 
Level 2 (C3PAO) CMMC Status for the information system will expire. If 
Conditional Level 2 (C3PAO) CMMC Status expires within the period of 
performance of a contract, standard contractual remedies will apply, 
and the OSC will be ineligible for additional awards with a requirement 
for the CMMC Status of Level 2 (C3PAO), or higher requirement, for the 
information system within the CMMC Assessment Scope until such time as 
a new CMMC Status is achieved.
    (iii) Final Level 2 (C3PAO). The OSC has achieved the CMMC Status 
of Final Level 2 (C3PAO) if the Level 2 certification assessment 
results in a passing score as defined in Sec.  170.24. This score may 
be achieved upon initial certification assessment or as the result of a 
POA&M closeout certification assessment, as applicable.
    (iv) CMMC Status investigation. The DoD reserves the right to 
conduct a DCMA DIBCAC assessment of the OSC, as provided for under the 
48 CFR 252.204-7020. If the investigative results of a subsequent DCMA 
DIBCAC assessment show that adherence to the provisions of this part 
have not been achieved or maintained, these DCMA DIBCAC results will 
take precedence over any pre-existing CMMC Status. At that time, 
standard contractual remedies will be available and the OSC will be 
ineligible for additional awards with CMMC Status requirement of Level 
2 (C3PAO), or higher requirement, for the information system within the 
CMMC Assessment Scope until such time as a new CMMC Status is achieved.
    (2) Affirmation. Affirmation of the Level 2 (C3PAO) CMMC Status is 
required for all Level 2 certification assessments at the time of each 
assessment, and annually thereafter. Affirmation procedures are 
provided in Sec.  170.22.
    (b) Contract eligibility. Prior to award of any contract or 
subcontract with a requirement for the CMMC Status of Level 2 (C3PAO), 
the following two requirements must be met:
    (1) The OSC must achieve, as specified in paragraph (a)(1) of this 
section, a CMMC Status of either Conditional Level 2 (C3PAO) or Final 
Level 2 (C3PAO).
    (2) The OSC must submit an affirmation of compliance into SPRS, as 
specified in paragraph (a)(2) of this section.
    (c) Procedures--(1) Level 2 certification assessment of the OSC. An 
authorized or accredited C3PAO must perform a Level 2 certification 
assessment in accordance with NIST SP 800-171A Jun2018 (incorporated by 
reference, see Sec.  170.2) and the CMMC Level 2 scoping requirements 
set forth in Sec.  170.19(a) and (c) for the information systems within 
the CMMC Assessment Scope. The Level 2 certification assessment must be 
scored in accordance with the CMMC Scoring Methodology described in 
Sec.  170.24 and the C3PAO must upload the results into the CMMC 
instantiation of eMASS. Final results are communicated to the OSC 
through a CMMC Assessment Findings Report.
    (2) Security requirement re-evaluation. A security requirement that 
is NOT MET (as defined in Sec.  170.24) may be re-evaluated during the 
course of the Level 2 certification assessment and for 10 business days 
following the active assessment period if all of the following 
conditions exist:
    (i) Additional evidence is available to demonstrate the security 
requirement has been MET;
    (ii) The additional evidence cannot change or limit the 
effectiveness of other requirements that have been scored MET; and
    (iii) The CMMC Assessment Findings Report has not been delivered.
    (3) POA&M. If a POA&M exists, a POA&M closeout certification 
assessment must be performed by a C3PAO within 180 days of the 
Conditional CMMC Status Date. Additional guidance can be found in Sec.  
170.21 and in the guidance document listed in paragraph (c) of appendix 
A to this part.
    (4) Artifact retention and integrity. The hashed artifacts used as 
evidence for the assessment must be retained by the OSC for six (6) 
years from the CMMC Status Date. To ensure that the artifacts have not 
been altered, the OSC must hash the artifact files using a NIST-
approved hashing algorithm. The OSC must provide the C3PAO with a list 
of the artifact names, the return value of the hashing algorithm, and 
the hashing algorithm for upload into the CMMC instantiation of eMASS. 
Additional guidance for hashing artifacts can be found in the guidance 
document listed in paragraph (h) of appendix A to this part.
    (5) Level 2 certification assessment with the use of Cloud Service 
Provider (CSP). An OSC may use a cloud environment to process, store, 
or transmit CUI in performance of a contract or subcontract with a 
requirement for the CMMC Status of Level 2 (C3PAO) under the following 
circumstances:
    (i) The CSP product or service offering is FedRAMP Authorized at 
the FedRAMP Moderate (or higher) baseline in accordance with the FedRAMP 
Marketplace; or
    (ii) The CSP product or service offering is not FedRAMP Authorized 
at the FedRAMP Moderate (or higher) baseline but meets security 
requirements equivalent to those established by the FedRAMP Moderate 
(or higher) baseline. FedRAMP Moderate or FedRAMP Moderate equivalent 
is in accordance with DoD Policy.
    (iii) In accordance with Sec.  170.19(c)(2), the OSC's on-premises 
infrastructure connecting to the CSP's product or service offering is 
part of the CMMC Assessment Scope. As such, the security requirements 
from the CRM must be documented or referred to in the OSC's SSP.
    (6) Level 2 certification assessment with the use of an External 
Service Provider (ESP), not a CSP. An OSA may use an ESP that is not a 
CSP to process, store, or transmit CUI in performance of a contract or 
subcontract with a requirement for the CMMC Status of Level 2 (C3PAO) 
under the following circumstances:
    (i) The use of the ESP, its relationship to the OSA, and the 
services provided are documented in the OSA's SSP and described in the 
ESP's service description and customer responsibility matrix.
    (ii) The ESP services used to meet OSA requirements are assessed 
within the scope of the OSA's assessment against all Level 2 security 
requirements.
    (iii) In accordance with Sec.  170.19(c)(2), the OSA's on-premises 
infrastructure connecting to the ESP's product or service offering is 
part of the CMMC Assessment Scope, which will also be assessed. As 
such, the security requirements from the CRM must be documented or 
referred to in the OSA's SSP.


Sec.  170.18  CMMC Level 3 certification assessment and affirmation 
requirements.

    (a) Level 3 certification assessment. To comply with Level 3 
certification assessment requirements, the OSC must meet the 
requirements set forth in paragraphs (a)(1) and (2) of this section. An 
OSC undergoes a Level 3 certification assessment as detailed in 
paragraph (c) of this section to achieve a CMMC Status of either 
Conditional or Final Level 3 (DIBCAC). A CMMC Status of Final Level 2 
(C3PAO) for information systems within the Level 3 CMMC Assessment 
Scope is a prerequisite to undergo a Level 3 certification assessment. 
CMMC Level 3 recertification also has a prerequisite for a new CMMC 
Level 2 assessment. Achieving a CMMC Status of Level 3 (DIBCAC) also 
satisfies the requirements for CMMC Statuses of Level 1 (Self), Level 2 
(Self), and Level 2 (C3PAO) set forth in Sec. Sec.  170.15 through 
170.17 respectively for the same CMMC Assessment Scope.
    (1) Level 3 certification assessment requirements. The OSC must 
achieve a CMMC Status of Final Level 2 (C3PAO) on the Level 3 CMMC 
Assessment Scope, as defined in Sec.  170.19(d), prior to initiating a 
Level 3 certification assessment, which will be performed by DCMA 
DIBCAC (www.dcma.mil/DIBCAC) on behalf of the DoD. The OSC must 
complete and achieve a MET result for all security requirements 
specified in table 1 to Sec.  170.14(c)(4) to achieve the CMMC Status 
of Level 3 (DIBCAC). DCMA DIBCAC will submit the Level 3 certification 
assessment results into the CMMC instantiation of eMASS, which then 
provides automated transmission to SPRS. To maintain compliance with 
the requirements for a CMMC Status of Level 3 (DIBCAC), the Level 3 
certification assessment must be performed every three years for all 
information systems within the Level 3 CMMC Assessment Scope. In 
addition, given that compliance with Level 2 requirements is a 
prerequisite for applying for CMMC Level 3, a Level 2 (C3PAO) 
certification assessment must also be conducted every three years to 
maintain CMMC Level 3 (DIBCAC) status. Level 3 certification assessment 
must be completed within three years of the CMMC Status Date associated 
with the Final Level 3 (DIBCAC) or, if there was a POA&M, then within 
three years of the CMMC Status Date associated with the Conditional 
Level 3 (DIBCAC).
    (i) Inputs into the CMMC instantiation of eMASS. The Level 3 
certification assessment results input into the CMMC instantiation of 
eMASS shall include, at minimum, the following items:
    (A) Date and level of the assessment.
    (B) For each Assessor(s) conducting the assessment, name and 
government organization information.
    (C) All industry CAGE code(s) associated with the information 
system(s) addressed by the CMMC Assessment Scope.
    (D) The name, date, and version of the system security plan(s) 
(SSP).
    (E) CMMC Status Date.
    (F) Result for each security requirement objective.
    (G) POA&M usage and compliance, as applicable.
    (H) List of the artifact names, the return value of the hashing 
algorithm, and the hashing algorithm used.
    (ii) Conditional Level 3 (DIBCAC). The OSC has achieved the CMMC 
Status of Conditional Level 3 (DIBCAC) if the Level 3 certification 
assessment results in a POA&M and the POA&M meets all CMMC Level 3 
POA&M requirements listed in Sec.  170.21(a)(3).
    (A) Plan of Action and Milestones. A Level 3 POA&M is allowed only 
in accordance with the CMMC POA&M requirements listed in Sec.  170.21.
    (B) POA&M closeout. The OSC must remediate any NOT MET 
requirements, must undergo a POA&M closeout certification assessment 
from DCMA DIBCAC, and DCMA DIBCAC must post compliance results into the 
CMMC instantiation of eMASS within 180 days of the CMMC Status Date 
associated with the Conditional Level 3 (DIBCAC). If the POA&M is not 
successfully closed out within the 180-day timeframe, the Conditional 
Level 3 (DIBCAC) CMMC Status for the information system will expire. If 
Conditional Level 3 (DIBCAC) CMMC Status expires within the period of 
performance of a contract, standard contractual remedies will apply, 
and the OSC will be ineligible for additional awards with a requirement 
for the CMMC Status of Level 3 (DIBCAC) for the information system 
within the CMMC Assessment Scope until such time as a new CMMC Status 
is achieved.
    (iii) Final Level 3 (DIBCAC). The OSC has achieved the CMMC Status 
of Final Level 3 (DIBCAC) if the Level 3 certification assessment 
results in a passing score as defined in Sec.  170.24. This score may 
be achieved upon initial certification assessment or as the result of a 
POA&M closeout certification assessment, as applicable.
    (iv) CMMC Status investigation. The DoD reserves the right to 
conduct a DCMA DIBCAC assessment of the OSC, as provided for under the 
48 CFR 252.204-7020. If the investigative results of a subsequent DCMA 
DIBCAC assessment show that adherence to the provisions of this part 
have not been achieved or maintained, these DCMA DIBCAC results will 
take precedence over any pre-existing CMMC Status. At that time, 
standard contractual remedies will be available and the OSC will be 
ineligible for additional awards with CMMC Status requirement of Level 
3 (DIBCAC) for the information system within the CMMC Assessment Scope 
until such time as a new CMMC Status is achieved.
    (2) Affirmation. Affirmation of the Level 3 (DIBCAC) CMMC Status is 
required for all Level 3 certification assessments at the time of each 
assessment, and annually thereafter. Affirmation procedures are 
provided in Sec.  170.22.
    (b) Contract eligibility. Prior to award of any contract or 
subcontract with requirement for CMMC Status of Level 3 (DIBCAC), the 
following two requirements must be met:
    (1) The OSC must achieve, as specified in paragraph (a)(1) of this 
section, a CMMC Status of either Conditional Level 3 (DIBCAC) or Final 
Level 3 (DIBCAC).
    (2) The OSC must submit an affirmation of compliance into SPRS, as 
specified in paragraph (a)(2) of this section.
    (c) Procedures--(1) Level 3 certification assessment of the OSC. 
The CMMC Level 3 certification assessment process includes:
    (i) Final Level 2 (C3PAO). The OSC must achieve a CMMC Status of 
Final Level 2 (C3PAO) for information systems within the Level 3 CMMC 
Assessment Scope prior to the CMMC Level 3 certification assessment. 
The CMMC Assessment Scope for the Level 3 certification assessment must 
be equal to, or a subset of, the CMMC Assessment Scope associated with 
the OSC's Final Level 2 (C3PAO). Asset requirements differ for each 
CMMC Level. Scoping differences are set forth in Sec.  170.19.
    (ii) Initiating the Final Level 3 (DIBCAC). The OSC (including ESPs 
that voluntarily elect to undergo a Level 3 certification assessment) 
initiates a Level 3 certification assessment by emailing a request to 
DCMA DIBCAC point of contact found at www.dcma.mil/DIBCAC. The request 
must include the Level 2 certification assessment unique identifier. 
DCMA DIBCAC will validate the OSC has achieved a CMMC Status of Level 2 
(C3PAO) and will contact the OSC to schedule their Level 3 
certification assessment.
    (iii) Conducting the Final Level 3 (DIBCAC). DCMA DIBCAC will 
perform a Level 3 certification assessment in accordance with NIST SP 
800-171A Jun2018 (incorporated by reference, see Sec.  170.2) and NIST 
SP 800-172A Mar2022 (incorporated by reference, see Sec.  170.2) and 
the CMMC Level 3 scoping requirements set forth in Sec.  170.19(d) for 
the information systems within the CMMC Assessment Scope. The Level 3 
certification assessment will be scored in accordance with the CMMC 
Scoring Methodology set forth in Sec.  170.24 and DCMA DIBCAC will 
upload the results into the CMMC instantiation of eMASS. Final results 
are communicated to the OSC through a CMMC Assessment Findings Report. 
For assets that changed asset category (i.e., CRMA to CUI Asset) or 
assessment requirements (i.e., Specialized Assets) between the Level 2 
and Level 3 certification assessments, DCMA DIBCAC will perform limited 
checks of Level 2 security requirements. If the OSC had these upgraded 
asset categories included in their Level 2 certification assessment, 
then DCMA DIBCAC may still perform limited checks for compliance. If 
DCMA DIBCAC identifies that a Level 2 security requirement is NOT MET, 
the Level 3 assessment process may be paused to allow for remediation, 
placed on hold, or immediately terminated.
    (2) Security requirement re-evaluation. A security requirement that 
is NOT MET (as defined in Sec.  170.24) may be re-evaluated during the 
course of the Level 3 certification assessment and for 10 business days 
following the active assessment period if all of the following 
conditions exist:
    (i) Additional evidence is available to demonstrate the security 
requirement has been MET;
    (ii) The additional evidence does not materially impact previously 
assessed security requirements; and
    (iii) The CMMC Assessment Findings Report has not been delivered.
    (3) POA&M. If a POA&M exists, a POA&M closeout certification 
assessment will be performed by DCMA DIBCAC within 180 days of the 
Conditional CMMC Status Date. Additional guidance is located in Sec.  
170.21 and in the guidance document listed in paragraph (d) of appendix 
A to this part.
    (4) Artifact retention and integrity. The hashed artifacts used as 
evidence for the assessment must be retained by the OSC for six (6) 
years from the CMMC Status Date. To ensure that the artifacts have not been 
altered, the OSC must hash the artifact files using a NIST-approved 
hashing algorithm. Assessors will collect the list of the artifact 
names, the return value of the hashing algorithm, and the hashing 
algorithm used and upload that data into the CMMC instantiation of 
eMASS. Additional guidance for hashing artifacts can be found in the 
guidance document listed in paragraph (h) of appendix A to this part.
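    Paragraph (c)(4) of this section and of Sec. 170.17 require three 
things of the OSC: hash each artifact file with a NIST-approved 
algorithm, hand over the list of artifact names, hash values, and 
algorithm used, and keep the hashed artifacts for six years. The 
following Python program is an added illustration of that workflow; it 
is not part of this rule, of the appendix A guidance document, or of 
any DoD tool. The manifest layout, the sample artifact names and 
contents, and the allowlist of hash algorithms are assumptions made for 
the example (the rule itself names no specific algorithm). It builds the 
manifest, then re-verifies it so that an artifact edited or removed 
after hashing is reported before the evidence reaches an assessor.

```python
"""Artifact hash manifest for assessment evidence.

Added example (not part of 32 CFR part 170 or any DoD guidance). The
manifest layout, the sample artifact names and the algorithm allowlist
are assumptions; the rule only requires a NIST-approved hashing
algorithm and points to the guidance document in appendix A for detail.
"""
import hashlib
import os
import tempfile

# Assumed allowlist: SHA-2 (FIPS 180-4) and SHA-3 (FIPS 202) digests.
# MD5 and SHA-1 are deliberately absent so evidence integrity does not
# rest on a hash with known collision attacks.
APPROVED_ALGORITHMS = frozenset({
    "sha256", "sha384", "sha512", "sha3_256", "sha3_384", "sha3_512",
})


def is_approved(algorithm):
    """True if the algorithm is on the allowlist above."""
    return algorithm in APPROVED_ALGORITHMS


def _check_algorithm(algorithm):
    if not is_approved(algorithm):
        raise ValueError(f"{algorithm!r} is not an approved hashing algorithm")


def hash_bytes(data, algorithm="sha256"):
    """Hex digest of an in-memory artifact (useful for known-answer checks)."""
    _check_algorithm(algorithm)
    return hashlib.new(algorithm, data).hexdigest()


def hash_file(path, algorithm="sha256", chunk_size=1 << 20):
    """Hex digest of a file, streamed so large artifacts fit in memory."""
    _check_algorithm(algorithm)
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(artifact_dir, algorithm="sha256"):
    """Walk the evidence directory and record, per artifact, the three
    items the rule names: artifact name, hash value, algorithm used."""
    entries = []
    for root, _dirs, files in os.walk(artifact_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, artifact_dir).replace(os.sep, "/")
            entries.append({"artifact": rel,
                            "hash": hash_file(full, algorithm),
                            "algorithm": algorithm})
    return sorted(entries, key=lambda e: e["artifact"])


def verify_manifest(manifest, artifact_dir):
    """Recompute every hash and report each artifact as 'ok', 'missing'
    or 'altered'. Run this before handing evidence to an assessor and
    periodically during the retention period to catch drift."""
    status = {}
    for entry in manifest:
        path = os.path.join(artifact_dir, entry["artifact"])
        if not os.path.isfile(path):
            status[entry["artifact"]] = "missing"
        elif hash_file(path, entry["algorithm"]) == entry["hash"]:
            status[entry["artifact"]] = "ok"
        else:
            status[entry["artifact"]] = "altered"
    return status


def demo():
    """Constructed walk-through on throwaway files: build the manifest,
    then edit one artifact and delete another to show what verification
    reports. Returns the manifest and both verification results."""
    with tempfile.TemporaryDirectory() as d:
        # Constructed sample artifacts; names and contents are made up.
        samples = {
            "ssp-v1.2.pdf": b"%PDF-1.7 constructed SSP placeholder",
            "policies/access-control.docx": b"PK constructed policy placeholder",
            "screenshots/mfa-config.png": b"\x89PNG constructed screenshot",
        }
        for rel, data in samples.items():
            path = os.path.join(d, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(data)

        manifest = build_manifest(d, "sha256")
        baseline = verify_manifest(manifest, d)

        # Simulate evidence drift after hashing: one file edited, one removed.
        with open(os.path.join(d, "ssp-v1.2.pdf"), "ab") as fh:
            fh.write(b" edited after hashing")
        os.remove(os.path.join(d, "screenshots", "mfa-config.png"))
        drifted = verify_manifest(manifest, d)

    return {"manifest": manifest, "baseline": baseline, "drifted": drifted}


if __name__ == "__main__":
    result = demo()
    for entry in result["manifest"]:
        print(f'{entry["algorithm"]}  {entry["hash"]}  {entry["artifact"]}')
    print("after tampering:", result["drifted"])
```

    The manifest itself should be stored and transmitted separately 
from the artifact directory (for example, alongside the SSP), since a 
manifest kept next to the files it protects can be rewritten together 
with them; the hash only proves integrity relative to the copy the 
assessor received.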
    (5) Level 3 certification assessment with the use of Cloud Service 
Provider (CSP). An OSC may use a cloud environment to process, store, 
or transmit CUI in performance of a contract or subcontract with a 
requirement for the CMMC Status of Level 3 (DIBCAC) under the following 
circumstances:
    (i) The OSC may utilize a CSP product or service offering that 
meets the FedRAMP Moderate (or higher) baseline. If the CSP's product 
or service offering is not FedRAMP Authorized at the FedRAMP Moderate 
(or higher) baseline, the product or service offering must meet 
security requirements equivalent to those established by the FedRAMP 
Moderate (or higher) baseline in accordance with DoD Policy.
    (ii) Use of a CSP does not relieve an OSC of its obligation to 
implement the 24 Level 3 security requirements. These 24 requirements 
apply to every environment where the CUI data is processed, stored, or 
transmitted, when Level 3 (DIBCAC) is the designated CMMC Status. If 
any of these 24 requirements are inherited from a CSP, the OSC must 
demonstrate that protection during a Level 3 certification assessment 
via a Customer Implementation Summary/Customer Responsibility Matrix 
(CIS/CRM) and associated Body of Evidence (BOE). The BOE must clearly 
indicate whether the OSC or the CSP is responsible for meeting each 
requirement and which requirements are implemented by the OSC versus 
inherited from the CSP.
    (iii) In accordance with Sec.  170.19(d)(2), the OSC's on-premises 
infrastructure connecting to the CSP's product or service offering is 
part of the CMMC Assessment Scope. As such, the security requirements 
from the CRM must be documented or referred to in the OSC's SSP.
    (6) Level 3 certification assessment with the use of an ESP, not a 
CSP. An OSC may use an ESP that is not a CSP to process, store, or 
transmit CUI in performance of a contract or subcontract with a 
requirement for the CMMC Status of Level 3 (DIBCAC) under the following 
circumstances:
    (i) The use of the ESP, its relationship to the OSC, and the 
services provided are documented in the OSC's SSP and described in the 
ESP's service description and customer responsibility matrix.
    (ii) The ESP services used to meet OSC requirements are assessed 
within the scope of the OSC's assessment against all Level 2 and Level 
3 security requirements.
    (iii) In accordance with Sec.  170.19(d)(2), the OSC's on-premises 
infrastructure connecting to the ESP's product or service offering is 
part of the CMMC Assessment Scope, which will also be assessed. As 
such, the security requirements from the CRM must be documented or 
referred to in the OSC's SSP.


Sec.  170.19  CMMC scoping.

    (a) Scoping requirement. (1) The CMMC Assessment Scope must be 
specified prior to assessment in accordance with the requirements of 
this section. The CMMC Assessment 
Scope is the set of all assets in the OSA's environment that will be 
assessed against CMMC security requirements.
    (2) The requirements for defining the CMMC Assessment Scope for 
CMMC Levels 1, 2, and 3 are set forth in this section. Additional 
guidance regarding scoping can be found in the guidance documents 
listed in paragraphs (e) through (g) of appendix A to this part.
    (b) CMMC Level 1 scoping. Prior to performing a Level 1 self-
assessment, the OSA must specify the CMMC Assessment Scope.
    (1) Assets in scope for Level 1 self-assessment. OSA information 
systems which process, store, or transmit FCI are in scope for CMMC 
Level 1 and must be self-assessed against applicable CMMC security 
requirements.
    (2) Assets not in scope for Level 1 self-assessment--(i) Out-of-
Scope Assets. OSA information systems which do not process, store, or 
transmit FCI are outside the scope for CMMC Level 1. An endpoint 
hosting a VDI client configured to not allow any processing, storage, 
or transmission of FCI beyond the Keyboard/Video/Mouse sent to the VDI 
client is considered out-of-scope. There are no documentation 
requirements for out-of-scope assets.
    (ii) Specialized Assets. Specialized Assets are those assets that 
can process, store, or transmit FCI but are unable to be fully secured, 
including: Internet of Things (IoT) devices, Industrial Internet of 
Things (IIoT) devices, Operational Technology (OT), Government 
Furnished Equipment (GFE), Restricted Information Systems, and Test 
Equipment. Specialized Assets are not part of the Level 1 CMMC 
Assessment Scope and are not assessed against CMMC security 
requirements.
    (3) Level 1 self-assessment scoping considerations. To scope a 
Level 1 self-assessment, OSAs should consider the people, technology, 
facilities, and External Service Providers (ESP) within its environment 
that process, store, or transmit FCI.
    (c) CMMC Level 2 Scoping. Prior to performing a Level 2 self-
assessment or Level 2 certification assessment, the OSA must specify 
the CMMC Assessment Scope.
    (1) The CMMC Assessment Scope for CMMC Level 2 is based on the 
specification of asset categories and their respective requirements as 
defined in table 3 to this paragraph (c)(1). Additional information is 
available in the guidance document listed in paragraph (f) of appendix 
A to this part.

            Table 3 to Sec.  170.19(c)(1)--CMMC Level 2 Asset Categories and Associated Requirements

    Assets that are in the Level 2 CMMC Assessment Scope

    Controlled Unclassified Information (CUI) Assets
    Asset description: Assets that process, store, or transmit CUI.
    OSA requirements: Document in the asset inventory. Document asset 
treatment in the System Security Plan (SSP). Document in the network 
diagram of the CMMC Assessment Scope. Prepare to be assessed against 
CMMC Level 2 security requirements.
    CMMC assessment requirements: Assess against all Level 2 security 
requirements.

    Security Protection Assets
    Asset description: Assets that provide security functions or 
capabilities to the OSA's CMMC Assessment Scope.
    OSA requirements: Document in the asset inventory. Document asset 
treatment in SSP. Document in the network diagram of the CMMC 
Assessment Scope. Prepare to be assessed against CMMC Level 2 security 
requirements.
    CMMC assessment requirements: Assess against Level 2 security 
requirements that are relevant to the capabilities provided.

    Contractor Risk Managed Assets
    Asset description: Assets that can, but are not intended to, 
process, store, or transmit CUI because of security policy, 
procedures, and practices in place. Assets are not required to be 
physically or logically separated from CUI assets.
    OSA requirements: Document in the asset inventory. Document asset 
treatment in the SSP. Document in the network diagram of the CMMC 
Assessment Scope. Prepare to be assessed against CMMC Level 2 security 
requirements.
    CMMC assessment requirements: Review the SSP: If sufficiently 
documented, do not assess against other CMMC security requirements, 
except as noted. If OSA's risk-based security policies, procedures, and 
practices documentation or other findings raise questions about these 
assets, the assessor can conduct a limited check to identify 
deficiencies. The limited check(s) shall not materially increase the 
assessment duration nor the assessment cost. The limited check(s) will 
be assessed against CMMC security requirements.

    Specialized Assets
    Asset description: Assets that can process, store, or transmit CUI 
but are unable to be fully secured, including: Internet of Things (IoT) 
devices, Industrial Internet of Things (IIoT) devices, Operational
    OSA requirements: Document in the asset inventory. Document asset 
treatment in the SSP. Show these assets are managed using the 
contractor's risk-based security policies, procedures,
    CMMC assessment requirements: Review the SSP. Do not assess against 
other CMMC security requirements.
                                           Technology (OT),        and practices..
                                           Government Furnished    Document in
                                           Equipment (GFE),        the network diagram
                                           Restricted              of the CMMC
                                           Information Systems,    Assessment Scope..
                                           and Test Equipment.
----------------------------------------------------------------------------------------------------------------
                            Assets that are not in the Level 2 CMMC Assessment Scope
----------------------------------------------------------------------------------------------------------------
Out-of-Scope Assets.....................   Assets that     Prepare to      None.
                                           cannot process,         justify the inability
                                           store, or transmit      of an Out-of-Scope
                                           CUI; and do not         Asset to process,
                                           provide security        store, or transmit
                                           protections for CUI     CUI.
                                           Assets.
                                           Assets that
                                           are physically or
                                           logically separated
                                           from CUI assets.
                                           Assets that
                                           fall into any in-
                                           scope asset category
                                           cannot be considered
                                           an Out-of-Scope Asset.

[[Page 83233]]

 
                                           An endpoint
                                           hosting a VDI client
                                           configured to not
                                           allow any processing,
                                           storage, or
                                           transmission of CUI
                                           beyond the Keyboard/
                                           Video/Mouse sent to
                                           the VDI client is
                                           considered an Out-of-
                                           Scope Asset.
----------------------------------------------------------------------------------------------------------------

    (2)(i) Table 4 to this paragraph (c)(2)(i) defines the requirements 
to be met when utilizing an External Service Provider (ESP). The OSA 
must consider whether the ESP is a Cloud Service Provider (CSP) and 
whether the ESP processes, stores, or transmits CUI and/or Security 
Protection Data (SPD).

       Table 4 to Sec.   170.19(c)(2)(i)--ESP Scoping Requirements
------------------------------------------------------------------------
When the ESP processes, stores, or transmits CUI (with or without SPD):
  ESP is a CSP: The CSP shall meet the FedRAMP requirements in 48 CFR
    252.204-7012.
  ESP is not a CSP: The services provided by the ESP are in the OSA's
    assessment scope and shall be assessed as part of the OSA's
    assessment.
When the ESP processes, stores, or transmits SPD (without CUI):
  ESP is a CSP: The services provided by the CSP are in the OSA's
    assessment scope and shall be assessed as Security Protection
    Assets.
  ESP is not a CSP: The services provided by the ESP are in the OSA's
    assessment scope and shall be assessed as Security Protection
    Assets.
When the ESP processes, stores, or transmits neither CUI nor SPD:
  ESP is a CSP or not a CSP: A service provider that does not process
    CUI or SPD does not meet the CMMC definition of an ESP.
------------------------------------------------------------------------

    (ii) The use of an ESP, its relationship to the OSA, and the 
services provided need to be documented in the OSA's SSP and described 
in the ESP's service description and customer responsibility matrix 
(CRM), which describes the responsibilities of the OSA and ESP with 
respect to the services provided. Note that the ESP may voluntarily 
undergo a CMMC certification assessment to reduce the ESP's effort 
required during the OSA's assessment. The minimum assessment type for 
the ESP is dictated by the OSA's DoD contract requirement.
    (d) CMMC Level 3 scoping. Prior to performing a Level 3 
certification assessment, the CMMC Assessment Scope must be specified.
    (1) The CMMC Assessment Scope for Level 3 is based on the 
specification of asset categories and their respective requirements as 
set forth in table 5 to this paragraph (d)(1). Additional information 
is available in the guidance document listed in paragraph (g) of 
appendix A to this part.

            Table 5 to Sec.   170.19(d)(1)--CMMC Level 3 Asset Categories and Associated Requirements
----------------------------------------------------------------------------------------------------------------
                              Assets that are in the Level 3 CMMC Assessment Scope
----------------------------------------------------------------------------------------------------------------
Controlled Unclassified Information (CUI) Assets
  Asset description: Assets that process, store, or transmit CUI. Assets
    that can, but are not intended to, process, store, or transmit CUI
    (defined as Contractor Risk Managed Assets in table 1 to paragraph
    (c)(1) of this section CMMC Scoping).
  OSC requirements: Document in the asset inventory. Document asset
    treatment in the System Security Plan (SSP). Document in the network
    diagram of the CMMC Assessment Scope. Prepare to be assessed against
    CMMC Level 2 and Level 3 security requirements.
  CMMC assessment requirements: Limited check against Level 2 and assess
    against all Level 3 CMMC security requirements.

Security Protection Assets
  Asset description: Assets that provide security functions or
    capabilities to the OSC's CMMC Assessment Scope, irrespective of
    whether or not these assets process, store, or transmit CUI.
  OSC requirements: Document in the asset inventory. Document asset
    treatment in the SSP. Document in the network diagram of the CMMC
    Assessment Scope. Prepare to be assessed against CMMC Level 2 and
    Level 3 security requirements.
  CMMC assessment requirements: Limited check against Level 2 and assess
    against all Level 3 CMMC security requirements that are relevant to
    the capabilities provided.

Specialized Assets
  Asset description: Assets that can process, store, or transmit CUI but
    are unable to be fully secured, including: Internet of Things (IoT)
    devices, Industrial Internet of Things (IIoT) devices, Operational
    Technology (OT), Government Furnished Equipment (GFE), Restricted
    Information Systems, and Test Equipment.
  OSC requirements: Document in the asset inventory. Document asset
    treatment in the SSP. Document in the network diagram of the CMMC
    Assessment Scope. Prepare to be assessed against CMMC Level 2 and
    Level 3 security requirements.
  CMMC assessment requirements: Limited check against Level 2 and assess
    against all Level 3 CMMC security requirements. Intermediary devices
    are permitted to provide the capability for the specialized asset to
    meet one or more CMMC security requirements.
----------------------------------------------------------------------------------------------------------------
                            Assets that are not in the Level 3 CMMC Assessment Scope
----------------------------------------------------------------------------------------------------------------
Out-of-Scope Assets
  Asset description: Assets that cannot process, store, or transmit CUI;
    and do not provide security protections for CUI Assets. Assets that
    are physically or logically separated from CUI assets. Assets that
    fall into any in-scope asset category cannot be considered an
    Out-of-Scope Asset. An endpoint hosting a VDI client configured to
    not allow any processing, storage, or transmission of CUI beyond the
    Keyboard/Video/Mouse sent to the VDI client is considered an
    Out-of-Scope Asset.
  OSC requirements: Prepare to justify the inability of an Out-of-Scope
    Asset to process, store, or transmit CUI.
  CMMC assessment requirements: None.
----------------------------------------------------------------------------------------------------------------

    (2)(i) Table 6 to this paragraph (d)(2)(i) defines the requirements 
to be met when utilizing an External Service Provider (ESP). The OSA 
must consider whether the ESP is a Cloud Service Provider (CSP) and 
whether the ESP processes, stores, or transmits CUI and/or Security 
Protection Data (SPD).

       Table 6 to Sec.   170.19(d)(2)(i)--ESP Scoping Requirements
------------------------------------------------------------------------
When the ESP processes, stores, or transmits CUI (with or without SPD):
  ESP is a CSP: The CSP shall meet the FedRAMP requirements in 48 CFR
    252.204-7012.
  ESP is not a CSP: The services provided by the ESP are in the OSA's
    assessment scope and shall be assessed as part of the OSA's
    assessment.
When the ESP processes, stores, or transmits SPD (without CUI):
  ESP is a CSP: The services provided by the CSP are in the OSA's
    assessment scope and shall be assessed as Security Protection
    Assets.
  ESP is not a CSP: The services provided by the ESP are in the OSA's
    assessment scope and shall be assessed as Security Protection
    Assets.
When the ESP processes, stores, or transmits neither CUI nor SPD:
  ESP is a CSP or not a CSP: A service provider that does not process
    CUI or SPD does not meet the CMMC definition of an ESP.
------------------------------------------------------------------------

    (ii) The use of an ESP, its relationship to the OSC, and the 
services provided need to be documented in the OSC's SSP and described 
in the ESP's service description and customer responsibility matrix 
(CRM), which describes the responsibilities of the OSC and ESP with 
respect to the services provided. Note that the ESP may voluntarily 
undergo a CMMC certification assessment to reduce the ESP's effort 
required during the OSA's assessment. The minimum assessment type for 
the ESP is dictated by the OSC's DoD contract requirement.
    (e) Relationship between Level 2 and Level 3 CMMC Assessment Scope. 
The Level 3 CMMC Assessment Scope must be equal to or a subset of the 
Level 2 CMMC Assessment Scope in accordance with Sec.  170.18(a) (e.g., 
a Level 3 data enclave with greater restrictions and protections within 
a Level 2 data enclave). Any Level 2 POA&M items must be closed prior 
to the initiation of the Level 3 certification assessment. DCMA DIBCAC 
may check any Level 2 security requirement of any in-scope asset. If 
DCMA DIBCAC identifies that a Level 2 security requirement is NOT MET, 
the Level 3 assessment process may be paused to allow for remediation, 
placed on hold, or immediately terminated. For further information 
regarding scoping of CMMC Level 3 assessments please contact DCMA 
DIBCAC at www.dcma.mil/DIBCAC/.


Sec.  170.20  Standards acceptance.

    (a) NIST SP 800-171 R2 DoD assessments. In order to avoid 
duplication of efforts, thereby reducing the aggregate cost to industry 
and the Department, OSCs that have completed a DCMA DIBCAC High 
Assessment aligned with CMMC Level 2 Scoping will be given the CMMC 
Status of Final Level 2 (C3PAO) under the following conditions:
    (1) DCMA DIBCAC High Assessment. An OSC that achieved a perfect 
score with no open POA&M from a DCMA DIBCAC High Assessment conducted 
prior to the effective date of this rule will be given a CMMC Status 
of Level 2 Final (C3PAO) with a validity period of three (3) years from 
the date of the original DCMA DIBCAC High Assessment. DCMA DIBCAC will 
identify assessments that meet these criteria and verify that SPRS 
accurately reflects the CMMC Status. Eligible DCMA DIBCAC High 
Assessments include ones conducted with Joint Surveillance in 
accordance with the DCMA Manual 2302-01 Surveillance. The scope of the 
Level 2 certification assessment is identical to the scope of the DCMA 
DIBCAC High Assessment. In accordance with Sec.  170.17(a)(2), the OSC 
must also submit an affirmation in SPRS and annually thereafter to 
achieve contractual eligibility.
    (2) [Reserved].
    (b) [Reserved].


Sec.  170.21  Plan of Action and Milestones requirements.

    (a) POA&M. For purposes of achieving a Conditional CMMC Status, an 
OSA is only permitted to have a POA&M for select requirements scored as 
NOT MET during the CMMC assessment and only under the following 
conditions:
    (1) Level 1 self-assessment. A POA&M is not permitted at any time 
for Level 1 self-assessments.
    (2) Level 2 self-assessment and Level 2 certification assessment. 
An OSA is only permitted to achieve the CMMC Status of Conditional 
Level 2 (Self) or Conditional Level 2 (C3PAO), as appropriate, if all 
the following conditions are met:
    (i) The assessment score divided by the total number of CMMC Level 
2 security requirements is greater than or equal to 0.8;
    (ii) None of the security requirements included in the POA&M have a 
point value of greater than 1 as specified in the CMMC Scoring 
Methodology set forth in Sec.  170.24, except SC.L2-3.13.11 CUI 
Encryption may be included on a POA&M if encryption is employed but it 
is not FIPS-validated, which would result in a point value of 3; and
    (iii) None of the following security requirements are included in 
the POA&M:
    (A) AC.L2-3.1.20 External Connections (CUI Data).
    (B) AC.L2-3.1.22 Control Public Information (CUI Data).
    (C) CA.L2-3.12.4 System Security Plan.
    (D) PE.L2-3.10.3 Escort Visitors (CUI Data).
    (E) PE.L2-3.10.4 Physical Access Logs (CUI Data).
    (F) PE.L2-3.10.5 Manage Physical Access (CUI Data).
    (3) Level 3 certification assessment. An OSC is only permitted to 
achieve the CMMC Status of Conditional Level 3 (DIBCAC) if all the 
following conditions are met:
    (i) The assessment score divided by the total number of CMMC Level 
3 security requirements is greater than or equal to 0.8; and
    (ii) The POA&M does not include any of the following security 
requirements:
    (A) IR.L3-3.6.1e Security Operations Center.
    (B) IR.L3-3.6.2e Cyber Incident Response Team.
    (C) RA.L3-3.11.1e Threat-Informed Risk Assessment.
    (D) RA.L3-3.11.6e Supply Chain Risk Response.
    (E) RA.L3-3.11.7e Supply Chain Risk Plan.
    (F) RA.L3-3.11.4e Security Solution Rationale.
    (G) SI.L3-3.14.3e Specialized Asset Security.
    (b) POA&M closeout assessment. A POA&M closeout assessment is a 
CMMC assessment that assesses only the NOT MET requirements that were 
identified with POA&M in the initial assessment. The closing of a POA&M 
must be confirmed by a POA&M closeout assessment within 180 days of the 
Conditional CMMC Status Date. If the POA&M is not successfully closed 
out within the 180-day timeframe, the Conditional CMMC Status for the 
information system will expire.
    (1) Level 2 self-assessment. For a Level 2 self-assessment, the 
POA&M closeout self-assessment shall be performed by the OSA in the 
same manner as the initial self-assessment.
    (2) Level 2 certification assessment. For Level 2 certification 
assessment, the POA&M closeout certification assessment must be 
performed by an authorized or accredited C3PAO.
    (3) Level 3 certification assessment. For Level 3 certification 
assessment, DCMA DIBCAC will perform the POA&M closeout certification 
assessment.


Sec.  170.22  Affirmation.

    (a) General. The OSA must affirm continuing compliance with the 
appropriate level self-assessment or certification assessment. An 
Affirming Official from each OSA, whether a prime or subcontractor, 
must affirm the continuing compliance of their respective organizations 
with the specified security requirement after every assessment, 
including POA&M closeout, and annually thereafter. Affirmations are 
entered electronically in SPRS. The affirmation shall be submitted in 
accordance with the following requirements:
    (1) Affirming Official. The Affirming Official is the senior level 
representative from within each Organization Seeking Assessment (OSA) 
who is responsible for ensuring the OSA's compliance with the CMMC 
Program requirements and has the authority to affirm the OSA's 
continuing compliance with the specified security requirements for 
their respective organizations.
    (2) Affirmation content. Each CMMC affirmation shall include the 
following information:
    (i) Name, title, and contact information for the Affirming 
Official; and
    (ii) Affirmation statement attesting that the OSA has implemented 
and will maintain implementation of all applicable CMMC security 
requirements to their CMMC Status for all information systems within 
the relevant CMMC Assessment Scope.
    (3) Affirmation submission. The Affirming Official shall submit a 
CMMC affirmation in the following instances:
    (i) Upon achievement of a Conditional CMMC Status, as applicable;
    (ii) Upon achievement of a Final CMMC Status;
    (iii) Annually following a Final CMMC Status Date; and
    (iv) Following a POA&M closeout assessment, as applicable.
    (b) Submission procedures. All affirmations shall be completed in 
SPRS. The Department will verify submission of the affirmation in SPRS 
to ensure compliance with CMMC solicitation or contract requirements.
    (1) Level 1 self-assessment. At the completion of a Level 1 self-
assessment and annually thereafter, the Affirming Official shall submit 
a CMMC affirmation attesting to continuing compliance with all 
requirements of the CMMC Status Level 1 (Self).
    (2) Level 2 self-assessment. At the completion of a Level 2 self-
assessment and annually following a Final CMMC Status Date, the 
Affirming Official shall submit a CMMC affirmation attesting to 
continuing compliance with all requirements of the CMMC Status Level 2 
(Self). An affirmation shall also be submitted at the completion of a 
POA&M closeout self-assessment.
    (3) Level 2 certification assessment. At the completion of a Level 
2 certification assessment and annually following a Final CMMC Status 
Date, the Affirming Official shall submit a CMMC affirmation attesting 
to continuing compliance with all requirements of the CMMC Status Level 
2 (C3PAO). An affirmation shall also be submitted at the completion of 
a POA&M closeout certification assessment.
    (4) Level 3 certification assessment. At the completion of a Level 
3 certification assessment and annually following a Final CMMC Status 
Date, the Affirming Official shall submit a CMMC affirmation attesting 
to continuing compliance with all requirements of the CMMC Status Level 
3 (DIBCAC). Because C3PAOs and DCMA DIBCAC check for compliance with 
different requirements in their respective assessments, OSCs must 
annually affirm their CMMC Status of Level 2 (C3PAO) in addition to 
their CMMC Status of Level 3 (DIBCAC) to maintain eligibility for 
contracts requiring compliance with Level 3. An affirmation shall also 
be submitted at the completion of a POA&M closeout certification 
assessment.


Sec.  170.23  Application to subcontractors.

    (a) CMMC requirements apply to prime contractors and subcontractors 
throughout the supply chain at all tiers that will process, store, or 
transmit any FCI or CUI on contractor information systems in the 
performance of the DoD contract or subcontract. Prime contractors shall 
comply and shall require subcontractors to comply with and to flow down 
CMMC requirements, such that compliance will be required throughout the 
supply chain at all tiers with the applicable CMMC level and assessment 
type for each subcontract as follows:
    (1) If a subcontractor will only process, store, or transmit FCI 
(and not CUI) in performance of the subcontract,
then a CMMC Status of Level 1 (Self) is required for the subcontractor.
    (2) If a subcontractor will process, store, or transmit CUI in 
performance of the subcontract, then a CMMC Status of Level 2 (Self) is 
the minimum requirement for the subcontractor.
    (3) If a subcontractor will process, store, or transmit CUI in 
performance of the subcontract and the associated prime contract has a 
requirement for a CMMC Status of Level 2 (C3PAO), then the CMMC Status 
of Level 2 (C3PAO) is the minimum requirement for the subcontractor.
    (4) If a subcontractor will process, store, or transmit CUI in 
performance of the subcontract and the associated prime contract has a 
requirement for the CMMC Status of Level 3 (DIBCAC), then the CMMC 
Status of Level 2 (C3PAO) is the minimum requirement for the 
subcontractor.
    (b) As with any solicitation or contract, the DoD may provide 
specific guidance pertaining to flow-down.


Sec.  170.24  CMMC Scoring Methodology.

    (a) General. This scoring methodology is designed to provide a 
measurement of an OSA's implementation status of the NIST SP 800-171 R2 
security requirements (incorporated by reference elsewhere in this 
part, see Sec.  170.2) and the selected NIST SP 800-172 Feb2021 
security requirements (incorporated by reference elsewhere in this 
part, see Sec.  170.2). The CMMC Scoring Methodology is designed to 
credit partial implementation only in limited cases (e.g., multi-factor 
authentication IA.L2-3.5.3).
    (b) Assessment findings. Each security requirement assessed under 
the CMMC Scoring Methodology must result in one of three possible 
assessment findings, as follows:
    (1) Met. All applicable objectives for the security requirement are 
satisfied based on evidence. All evidence must be in final form and not 
draft. Unacceptable forms of evidence include but are not limited to 
working papers, drafts, and unofficial or unapproved policies.
    (i) Enduring exceptions when described, along with any mitigations, 
in the system security plan shall be assessed as MET.
    (ii) Temporary deficiencies that are appropriately addressed in 
operational plans of action (i.e., include deficiency reviews and show 
progress towards the implementation of corrections to reduce or 
eliminate identified vulnerabilities) shall be assessed as MET.
    (2) Not Met. One or more applicable objectives for the security 
requirement is not satisfied. During an assessment, for each security 
requirement objective marked NOT MET, the assessor will document why 
the evidence does not conform.
    (3) Not Applicable (N/A). A security requirement and/or objective 
does not apply at the time of the CMMC assessment. For example, Public-
Access System Separation (SC.L2-3.13.5) might be N/A if there are no 
publicly accessible systems within the CMMC Assessment Scope. During an 
assessment, an assessment objective assessed as N/A is equivalent to 
the same assessment objective being assessed as MET.
    (c) Scoring. At each CMMC Level, security requirements are scored 
as follows:
    (1) CMMC Level 1. All CMMC Level 1 security requirements must be 
fully implemented to be considered MET. No POA&M is permitted for CMMC 
Level 1, and self-assessment results are scored as MET or NOT MET in 
their entirety.
    (2) CMMC Level 2 Scoring Methodology. The maximum score achievable 
for a Level 2 self-assessment or Level 2 certification assessment is 
equal to the total number of CMMC Level 2 security requirements. If all 
CMMC Level 2 security requirements are MET, OSAs are awarded the 
maximum score. For each requirement NOT MET, the associated value of 
the security requirement is subtracted from the maximum score, which 
may result in a negative score.
    (i) Procedures. (A) Scoring methodology for Level 2 self-assessment 
and Level 2 certification assessment is based on all CMMC Level 2 
security requirement objectives, including those NOT MET.
    (B) In the CMMC Level 2 Scoring Methodology, each security 
requirement has a value (e.g., 1, 3 or 5), which is related to the 
designation by NIST as basic or derived security requirements. Per NIST 
SP 800-171 R2, the basic security requirements are obtained from FIPS 
PUB 200 Mar2006, which provides the high-level and fundamental security 
requirements for Federal information and systems. The derived security 
requirements, which supplement the basic security requirements, are 
taken from the security controls in NIST SP 800-53 R5.
    (1) For NIST SP 800-171 R2 basic and derived security requirements 
that, if not implemented, could lead to significant exploitation of the 
network, or exfiltration of CUI, five (5) points are subtracted from 
the maximum score. The basic and derived security requirements with a 
value of five (5) points include:
    (i) Basic security requirements. AC.L2-3.1.1, AC.L2-3.1.2, 
AT.L2-3.2.1, AT.L2-3.2.2, AU.L2-3.3.1, CM.L2-3.4.1, CM.L2-3.4.2, 
IA.L2-3.5.1, IA.L2-3.5.2, IR.L2-3.6.1, IR.L2-3.6.2, MA.L2-3.7.2, 
MP.L2-3.8.3, PS.L2-3.9.2, PE.L2-3.10.1, PE.L2-3.10.2, CA.L2-3.12.1, 
CA.L2-3.12.3, SC.L2-3.13.1, SC.L2-3.13.2, SI.L2-3.14.1, SI.L2-3.14.2, 
and SI.L2-3.14.3.
    (ii) Derived security requirements. AC.L2-3.1.12, AC.L2-3.1.13, 
AC.L2-3.1.16, AC.L2-3.1.17, AC.L2-3.1.18, AU.L2-3.3.5, CM.L2-3.4.5, 
CM.L2-3.4.6, CM.L2-3.4.7, CM.L2-3.4.8, IA.L2-3.5.10, MA.L2-3.7.5, 
MP.L2-3.8.7, RA.L2-3.11.2, SC.L2-3.13.5, SC.L2-3.13.6, SC.L2-3.13.15, 
SI.L2-3.14.4, and SI.L2-3.14.6.
    (2) For basic and derived security requirements that, if not 
implemented, have a specific and confined effect on the security of the 
network and its data, three (3) points are subtracted from the maximum 
score. The basic and derived security requirements with a value of 
three (3) points include:
    (i) Basic security requirements. AU.L2-3.3.2, MA.L2-3.7.1, 
MP.L2-3.8.1, MP.L2-3.8.2, PS.L2-3.9.1, RA.L2-3.11.1, and CA.L2-3.12.2.
    (ii) Derived security requirements. AC.L2-3.1.5, AC.L2-3.1.19, 
MA.L2-3.7.4, MP.L2-3.8.8, SC.L2-3.13.8, SI.L2-3.14.5, and SI.L2-3.14.7.
    (3) All remaining derived security requirements, other than the 
exceptions noted, if not implemented, have a limited or indirect effect 
on the security of the network and its data. For these, 1 point is 
subtracted from the maximum score.
    (4) Two derived security requirements, IA.L2-3.5.3 and 
SC.L2-3.13.11, can be partially effective even if not completely or 
properly implemented, and the points deducted may be adjusted depending 
on how the security requirement is implemented.
    (i) Multi-factor authentication (MFA) (CMMC Level 2 security 
requirement IA.L2-3.5.3) is typically implemented first for remote and 
privileged users (since these users are both limited in number and more 
critical) and then for the general user, so three (3) points are 
subtracted from the maximum score if MFA is implemented only for remote 
and privileged users. Five (5) points are subtracted from the maximum 
score if MFA is not implemented for any users.
    (ii) FIPS-validated encryption (CMMC Level 2 security requirement 
SC.L2-3.13.11) is required to protect the confidentiality of CUI. If 
encryption is employed, but is not FIPS-validated, three (3) points are 
subtracted from the maximum score; if encryption is not employed, five 
(5) points are subtracted from the maximum score.
    (5) OSAs must have a System Security Plan (SSP) (CMMC security 
requirement CA.L2-3.12.4) in place at the time of assessment to 
describe each information system within the CMMC Assessment Scope. The 
absence of an up-to-date SSP at the time of the assessment would result 
in a finding that `an assessment could not be completed due to 
incomplete information and noncompliance with 48 CFR 252.204-7012.'
    (6) For each NOT MET security requirement the OSA must have a POA&M 
in place. A POA&M addressing NOT MET security requirements is not a 
substitute for a completed requirement. Security requirements not 
implemented, whether described in a POA&M or not, are assessed as `NOT 
MET.'
    (7) Specialized Assets must be evaluated for their asset category 
per the CMMC scoping guidance for the level in question and handled 
accordingly as set forth in Sec.  170.19.
    (8) If an OSC previously received a favorable adjudication from the 
DoD CIO indicating that a security requirement is not applicable or 
that an alternative security measure is equally effective (in 
accordance with 48 CFR 252.204-7008 or 48 CFR 252.204-7012), the DoD 
CIO adjudication must be included in the system security plan to 
receive consideration during an assessment. A security requirement for 
which implemented security measures have been adjudicated by the DoD 
CIO as equally effective is assessed as MET if there have been no 
changes in the environment.
    (ii) CMMC Level 2 Scoring Table. CMMC Level 2 scoring has been 
assigned based on the methodology set forth in table 1 to this 
paragraph (c)(2)(ii).

     Table 7 to Sec.   170.24(c)(2)(ii)--CMMC Level 2 Scoring Table
------------------------------------------------------------------------
                                                          Point value
         CMMC Level 2 requirement categories            subtracted from
                                                         maximum score
------------------------------------------------------------------------
Basic Security Requirements:
    If not implemented, could lead to significant                      5
     exploitation of the network, or exfiltration of
     CUI.............................................
    If not implemented, has specific and confined                      3
     effect on the security of the network and its
     data............................................
Derived Security Requirements:
    If not implemented, could lead to significant                      5
     exploitation of the network, or exfiltration of
     CUI.............................................
    If not completely or properly implemented, could              3 or 5
     be partially effective and points adjusted
     depending on how the security requirement is
     implemented:....................................
        --Partially effective implementation--3
         points.
        --Non-effective (not implemented at all)--5
         points.
    If not implemented, has specific and confined                      3
     effect on the security of the network and its
     data............................................
    If not implemented, has a limited or indirect                      1
     effect on the security of the network and its
     data............................................
------------------------------------------------------------------------

    (3) CMMC Level 3 assessment scoring methodology. CMMC Level 3 
scoring does not utilize varying values like the scoring for CMMC Level 
2. All CMMC Level 3 security requirements use a value of one (1) point 
for each security requirement. As a result, the maximum score 
achievable for a Level 3 certification assessment is equivalent to the 
total number of the selected subset of NIST SP 800-172 Feb2021 security 
requirements for CMMC Level 3, see Sec.  170.14(c)(4). The maximum 
score is reduced by one (1) point for each security requirement NOT 
MET. The CMMC Level 3 scoring methodology reflects the fact that all 
CMMC Level 2 security requirements must already be MET (for the Level 3 
CMMC Assessment Scope). A maximum score on the Level 2 certification 
assessment is required to be eligible to initiate a Level 3 
certification assessment. The Level 3 certification assessment score is 
equal to the number of CMMC Level 3 security requirements that are 
assessed as MET.

Appendix A to Part 170--Guidance

    Guidance documents include:
    (a) ``CMMC Model Overview'' available at https://DoDcio.defense.gov/CMMC/.
    (b) ``CMMC Assessment Guide--Level 1'' available at https://DoDcio.defense.gov/CMMC/.
    (c) ``CMMC Assessment Guide--Level 2'' available at https://DoDcio.defense.gov/CMMC/.
    (d) ``CMMC Assessment Guide--Level 3'' available at https://DoDcio.defense.gov/CMMC/.
    (e) ``CMMC Scoping Guide--Level 1'' available at https://DoDcio.defense.gov/CMMC/.
    (f) ``CMMC Scoping Guide--Level 2'' available at https://DoDcio.defense.gov/CMMC/.
    (g) ``CMMC Scoping Guide--Level 3'' available at https://DoDcio.defense.gov/CMMC/.
    (h) ``CMMC Hashing Guide'' available at https://DoDcio.defense.gov/CMMC/.

    Dated: September 30, 2024.
Patricia L. Toppings,
OSD Federal Register Liaison Officer, Department of Defense.
[FR Doc. 2024-22905 Filed 10-11-24; 8:45 am]
 BILLING CODE 6001-FR-P

