32 CFR Part 170: Difference between revisions

← Older edit Newer edit →

VisualWikitext

Revision as of 23:06, 2 March 2025

Source of Reference: The official Cybersecurity Maturity Model Certification (CMMC) Program final rule.

For inquiries and reporting errors on this wiki, please contact us. Thank you.

PART 170—CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC) PROGRAM

Subpart A—General Information

Sec.

170.1 Purpose.
170.2 Incorporation by reference.
170.3 Applicability.
170.4 Acronyms and definitions.
170.5 Policy.

Subpart B—Government Roles and Responsibilities

170.6 CMMC PMO.
170.7 DCMA DIBCAC.

Subpart C—CMMC Assessment and Certification Ecosystem

170.8 Accreditation Body.
170.9 CMMC Third-Party Assessment Organizations (C3PAOs).
170.10 CMMC Assessor and Instructor Certification Organization (CAICO).
170.11 CMMC Certified Assessor (CCA).
170.12 CMMC Instructor.
170.13 CMMC Certified Professional (CCP).

Subpart D—Key Elements of the CMMC Program

170.14 CMMC Model.
170.15 CMMC Level 1 self-assessment and affirmation requirements.
170.16 CMMC Level 2 self-assessment and affirmation requirements.
170.17 CMMC Level 2 certification assessment and affirmation requirements.
170.18 CMMC Level 3 certification assessment and affirmation requirements.
170.19 CMMC scoping.
170.20 Standards acceptance.
170.21 Plan of Action and Milestones requirements.
170.22 Affirmation.
170.23 Application to subcontractors.
170.24 CMMC Scoring Methodology.
Appendix A to Part 170—Guidance

Authority: 5 U.S.C. 301; Sec. 1648, Pub. L. 116–92, 133 Stat. 1198.

Subpart A - General Information.

§ 170.1 Purpose.

(a) This part describes the Cybersecurity Maturity Model Certification (CMMC) Program of the Department of Defense (DoD) and establishes requirements for defense contractors and subcontractors to implement prescribed cybersecurity standards for safeguarding Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). This part (the CMMC Program) also establishes requirements for conducting an assessment of compliance with the applicable prescribed cybersecurity standard for contractor information systems that: process, store, or transmit FCI or CUI; provide security protections for systems which process, store, or transmit CUI; or are not logically or physically isolated from systems which process, store, or transmit CUI.

(b) The CMMC Program provides DoD with a viable means of conducting the volume of assessments necessary to verify contractor and subcontractor implementation of required cybersecurity requirements.

(c) The CMMC Program is designed to ensure defense contractors are properly safeguarding FCI and CUI that is processed, stored, or transmitted on defense contractor information systems. FCI and CUI must be protected to meet evolving threats and safeguard nonpublic, unclassified information that supports and enables the warfighter. The CMMC Program provides a consistent methodology to assess a defense contractor’s implementation of required cybersecurity requirements. The CMMC Program utilizes the security standards set forth in the 48 CFR 52.204–21; National Institute of Standards and Technology (NIST) Special Publication (SP) 800–171, Basic Safeguarding of Covered Contractor Information Systems, Revision 2, February 2020 (includes updates as of January 28, 2021) (NIST SP 800–171 R2); and selected requirements from the NIST SP 800–172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800–171, February 2021 (NIST SP 800–172 Feb2021), as applicable (see table 1 to § 170.14(c)(4) for requirements, see § 170.2 for availability of NIST publications).

(d) The CMMC Program balances the need to safeguard FCI and CUI and the requirement to share information appropriately with defense contractors in order to develop capabilities for the DoD. The CMMC Program is designed to ensure implementation of cybersecurity practices for defense contractors and to provide DoD with increased assurance that FCI and CUI information will be adequately safeguarded when residing on or transiting contractor information systems.

(e) The CMMC Program creates no right or benefit, substantive or procedural, enforceable by law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

§ 170.2 Incorporation by reference.

Certain material is incorporated by reference into this part with the approval of the Director of the Federal Register under 5 U.S.C. 552(a) and 1 CFR part 51. Material approved for incorporation by reference (IBR) is available for inspection at the Department of Defense (DoD) and at the National Archives and Records Administration (NARA). Contact DoD online: https://DoDcio.defense.gov/CMMC/; email: osd.mc-alex.DoD-cio.mbx.cmmc-rule@mail.mil; or phone: (202) 770–9100. For information on the availability of this material at NARA, visit: www.archives.gov/federal-register/ cfr/ibr-locations or email: fr.inspection@nara.gov. The material may be obtained from the following sources:

(a) National Institute of Standards and Technology, U.S. Department of Commerce, 100 Bureau Drive, Gaithersburg, MD 20899; phone: (301) 975–8443; website: https://csrc.nist.gov/ publications/.

(1) FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006 (FIPS PUB 200 Mar2006); IBR approved for § 170.4(b).

(2) FIPS PUB 201–3, Personal Identity Verification (PIV) of Federal Employees and Contractors, January 2022 (FIPS PUB 201–3 Jan2022); IBR approved for § 170.4(b).

(3) SP 800–37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, Revision 2, December 2018 (NIST SP 800–37 R2); IBR approved for § 170.4(b).

(4) SP 800–39, Managing Information Security Risk: Organization, Mission, and Information System View, March 2011 (NIST SP 800–39 Mar2011); IBR approved for § 170.4(b).

(5) SP 800–53, Security and Privacy Controls for Information Systems and Organizations, Revision 5, September 2020 (includes updates as of December 10, 2020) (NIST SP 800–53 R5); IBR approved for § 170.4(b).

(6) SP 800–82r3, Guide to Operational Technology (OT) Security, September 2023 (NIST SP 800–82r3); IBR approved for § 170.4(b).

(7) SP 800–115, Technical Guide to Information Security Testing and Assessment, September 2008 (NIST SP 800–115 Sept2008); IBR approved for § 170.4(b).

(8) SP 800–160, Volume 2, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Revision 1, December 2021 (NIST SP 800–160 V2R1); IBR approved for § 170.4(b).

(9) SP 800–171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, Revision 2, February 2020 (includes updates as of January 28, 2021), (NIST SP 800–171 R2); IBR approved for §§ 170.4(b) and 170.14(a) through (c).

(10) SP 800–171A, Assessing Security Requirements for Controlled Unclassified Information, June 2018 (NIST SP 800–171A Jun2018); IBR approved for §§ 170.11(a), 170.14(d), 170.15(c), 170.16(c), 170.17(c), and 170.18(c).

(11) SP 800–172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800–171, February 2021 (NIST SP 800–172 Feb2021); IBR approved for §§ 170.4(b), 170.5(a), and 170.14(a) and (c).

(12) SP 800–172A, Assessing Enhanced Security Requirements for Controlled Unclassified Information, March 2022 (NIST SP 800–172A Mar2022); IBR approved for §§ 170.4(b), 170.14(d), and 170.18(c).

(b) International Organization for Standardization (ISO) Chemin de Blandonnet 8, CP 401—1214 Vernier, Geneva, Switzerland; phone: +41 22 749 01 11; website: www.iso.org/popular- standards.html.

(1) ISO/IEC 17011:2017(E), Conformity assessment—Requirements for accreditation bodies accrediting conformity assessment bodies, Second edition, November 2017 (ISO/IEC 17011:2017(E)); IBR approved for §§ 170.8(b)(3), 170.9(b)(13), and 170.10(b)(4).

(2) ISO/IEC 17020:2012(E), Conformity assessment—Requirement for the operation of various types of bodies performing inspection, Second edition, March 1, 2012 (ISO/IEC 17020:2012(E)); IBR approved for §§ 170.8(a), (b)(1), (b)(3) and 170.9(b)(2) and (b)(13).

(3) ISO/IEC 17024:2012(E), Conformity assessment—General requirements for bodies operating certification of persons, second edition, July 1, 2012 (ISO/IEC 17024:2012(E)); IBR approved for §§ 170.8(b)(2) and 170.10(a) and (b)(4), (7), and (8).

Note 1 to paragraph (b): The ISO/IEC standards incorporated by reference in this part may be viewed at no cost in ‘‘read only’’ format at https://ibr.ansi.org.

§ 170.3 Applicability.

(a) The requirements of this part apply to:

(1) All DoD contract and subcontract awardees that will process, store, or transmit information, in performance of the DoD contract, that meets the standards for FCI or CUI on contractor information systems; and,

(2) Private-sector businesses or other entities comprising the CMMC Assessment and Certification Ecosystem, as specified in subpart C of this part.

(b) The requirements of this part do not apply to Federal information systems operated by contractors or subcontractors on behalf of the Government.

(c) CMMC Program requirements apply to all DoD solicitations and contracts pursuant to which a defense contractor or subcontractor will process, store, or transmit FCI or CUI on unclassified contractor information systems, including those for the acquisition of commercial items (except those exclusively for COTS items) valued at greater than the micro- purchase threshold except under the following circumstances:

(1) The procurement occurs during Implementation Phase 1, 2, or 3 as described in paragraph (e) of this section, in which case CMMC Program requirements apply in accordance with the requirements for the relevant phase- in period; or

(2) Application of CMMC Program requirements to a procurement or class of procurements may be waived in advance of the solicitation at the discretion of DoD in accordance with all applicable policies, procedures, and approval requirements.

(d) DoD Program Managers or requiring activities are responsible for selecting the CMMC Status that will apply for a particular procurement or contract based upon the type of information, FCI or CUI, that will be processed on, stored on, or transmitted through a contractor information system. Application of the CMMC Status for subcontractors will be determined in accordance with § 170.23.

(e) DoD is utilizing a phased approach for the inclusion of CMMC Program requirements in solicitations and contracts. Implementation of CMMC Program requirements will occur over four (4) phases:

(1) Phase 1. Begins on the effective date of the complementary 48 CFR part 204 CMMC Acquisition final rule. DoD intends to include the requirement for CMMC Statuses of Level 1 (Self) or Level 2 (Self) for all applicable DoD solicitations and contracts as a condition of contract award. DoD may, at its discretion, include the requirement for CMMC Status of Level 1 (Self) or Level 2 (Self) for applicable DoD solicitations and contracts as a condition to exercise an option period on a contract awarded prior to the effective date. DoD may also, at its discretion, include the requirement for CMMC Status of Level 2 (C3PAO) in place of the Level 2 (Self) CMMC Status for applicable DoD solicitations and contracts.

(2) Phase 2. Begins one calendar year following the start date of Phase 1. In addition to Phase 1 requirements, DoD intends to include the requirement for CMMC Status of Level 2 (C3PAO) for applicable DoD solicitations and contracts as a condition of contract award. DoD may, at its discretion, delay the inclusion of requirement for CMMC Status of Level 2 (C3PAO) to an option period instead of as a condition of contract award. DoD may also, at its discretion, include the requirement for CMMC Status of Level 3 (DIBCAC) for applicable DoD solicitations and contracts.

(3) Phase 3. Begins one calendar year following the start date of Phase 2. In addition to Phase 1 and 2 requirements, DoD intends to include the requirement for CMMC Status of Level 2 (C3PAO) for all applicable DoD solicitations and contracts as a condition of contract award and as a condition to exercise an option period on a contract awarded after the effective date. DoD intends to include the requirement for CMMC Status of Level 3 (DIBCAC) for all applicable DoD solicitations and contracts as a condition of contract award. DoD may, at its discretion, delay the inclusion of requirement for CMMC Status of Level 3 (DIBCAC) to an option period instead of as a condition of contract award.

(4) Phase 4, full implementation. Begins one calendar year following the start date of Phase 3. DoD will include CMMC Program requirements in all applicable DoD solicitations and contracts including option periods on contracts awarded prior to the beginning of Phase 4.

§ 170.4 Acronyms and definitions.

(a) Acronyms. Unless otherwise noted, the following acronyms and their terms are for the purposes of this part.

AC—Access Control APT—Advanced Persistent Threat AT—Awareness and Training C3PAO—CMMC Third-Party Assessment Organization CA—Security Assessment CAICO—CMMC Assessors and Instructors Certification Organization CAGE—Commercial and Government Entity CCA—CMMC-Certified Assessor CCI—CMMC-Certified Instructor CCP—CMMC-Certified Professional CFR—Code of Federal Regulations CIO—Chief Information Officer CM—Configuration Management CMMC—Cybersecurity Maturity Model Certification CMMC PMO—CMMC Program Management Office CNC—Computerized Numerical Control CoPC—Code of Professional Conduct CSP—Cloud Service Provider CUI—Controlled Unclassified Information DCMA—Defense Contract Management Agency DD—Represents any two-character CMMC Domain acronym DFARS—Defense Federal Acquisition Regulation Supplement DIB—Defense Industrial Base DIBCAC—DCMA’s Defense Industrial Base Cybersecurity Assessment Center DoD—Department of Defense DoDI—Department of Defense Instruction eMASS—Enterprise Mission Assurance Support Service ESP—External Service Provider FAR—Federal Acquisition Regulation FCI—Federal Contract Information FedRAMP—Federal Risk and Authorization Management Program GFE—Government Furnished Equipment IA—Identification and Authentication ICS—Industrial Control System IIoT—Industrial Internet of Things IoT—Internet of Things IR—Incident Response IS—Information System IEC—International Electrotechnical Commission ISO/IEC—International Organization for Standardization/International Electrotechnical Commission IT—Information Technology L#—CMMC Level Number MA—Maintenance MP—Media Protection MSSP—Managed Security Service Provider NARA—National Archives and Records Administration NAICS—North American Industry Classification System NIST—National Institute of Standards and Technology N/A—Not Applicable ODP—Organization-Defined Parameter OSA—Organization Seeking Assessment OSC—Organization Seeking Certification OT—Operational Technology PI—Provisional Instructor PIEE—Procurement Integrated Enterprise Environment PII—Personally Identifiable Information PLC—Programmable Logic Controller POA&M—Plan of Action and Milestones PRA—Paperwork Reduction Act RM—Risk Management SAM—System of Award Management SC—System and Communications Protection SCADA—Supervisory Control and Data Acquisition SI—System and Information Integrity SIEM—Security Information and Event Management SP—Special Publication SPD—Security Protection Data SPRS—Supplier Performance Risk System SSP—System Security Plan

(b) Definitions. Unless otherwise noted, these terms and their definitions are for the purposes of this part.

Access Control (AC) means the process of granting or denying specific requests to obtain and use information and related information processing services; and/or entry to specific physical facilities (e.g., Federal buildings, military establishments, or border crossing entrances), as defined in FIPS PUB 201–3 Jan2002 (incorporated by reference, see § 170.2).

Accreditation means a status pursuant to which a CMMC Assessment and Certification Ecosystem member (person or organization), having met all criteria for the specific role they perform including required ISO/IEC accreditations, may act in that role as set forth in § 170.8 for the Accreditation Body and § 170.9 for C3PAOs. (CMMC- custom term)

Accreditation Body is defined in § 170.8 and means the one organization DoD contracts with to be responsible for authorizing and accrediting members of the CMMC Assessment and Certification Ecosystem, as required. The Accreditation Body must be approved by DoD. At any given point in time, there will be only one Accreditation Body for the DoD CMMC Program. (CMMC-custom term)

Advanced Persistent Threat (APT) means an adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat pursues its objectives repeatedly over an extended period-of-time, adapts to defenders’ efforts to resist it, and is determined to maintain the level of interaction needed to execute its objectives, as is defined in NIST SP 800–39 Mar2011 (incorporated by reference, see § 170.2).

Affirming Official means the senior level representative from within each Organization Seeking Assessment (OSA) who is responsible for ensuring the OSA’s compliance with the CMMC Program requirements and has the authority to affirm the OSA’s continuing compliance with the specified security requirements for their respective organizations. (CMMC-custom term)

Assessment means the testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization, as defined in §§ 170.15 through 170.18. (CMMC-custom term)

(i) Level 1 self-assessment is the term for the activity performed by an OSA to evaluate its own information system when seeking a CMMC Status of Level 1 (Self).

(ii) Level 2 self-assessment is the term for the activity performed by an OSA to evaluate its own information system when seeking a CMMC Status of Level 2 (Self).

(iii) Level 2 certification assessment is the term for the activity performed by a C3PAO to evaluate the information system of an OSC when seeking a CMMC Status of Level 2 (C3PAO).

(iv) Level 3 certification assessment is the term for the activity performed by the DCMA DIBCAC to evaluate the information system of an OSC when seeking a CMMC Status of Level 3 (DIBCAC).

(v) POA&M closeout self-assessment is the term for the activity performed by an OSA to evaluate only the NOT MET requirements that were identified with POA&M during the initial assessment, when seeking a CMMC Status of Final Level 2 (Self).

(vi) POA&M closeout certification assessment is the term for the activity performed by a C3PAO or DCMA DIBCAC to evaluate only the NOT MET requirements that were identified with POA&M during the initial assessment, when seeking a CMMC Status of Final Level 2 (C3PAO) or Final Level 3 (DIBCAC) respectively.

Assessment Findings Report means the final written assessment results by the third-party or government assessment team. The Assessment Findings Report is submitted to the OSC and to the DoD via CMMC eMASS. (CMMC-custom term)

Assessment objective means a set of determination statements that, taken together, expresses the desired outcome for the assessment of a security requirement. Successful implementation of the corresponding CMMC security requirement requires meeting all applicable assessment objectives defined in NIST SP 800–171A Jun2018 (incorporated by reference, see § 170.2) or NIST SP 800–172A Mar2022 (incorporated by reference, see § 170.2). (CMMC-custom term)

Assessment Team means participants in the Level 2 certification assessment (CMMC Certified Assessors and CMMC Certified Professionals) or the Level 3 certification assessment (DCMA DIBCAC assessors). This does not include the OSC participants preparing for or participating in the assessment. (CMMC-custom term)

Asset means an item of value to stakeholders. An asset may be tangible (e.g., a physical item such as hardware, firmware, computing platform, network device, or other technology component) or intangible (e.g., humans, data, information, software, capability, function, service, trademark, copyright, patent, intellectual property, image, or reputation). The value of an asset is determined by stakeholders in consideration of loss concerns across the entire system life cycle. Such concerns include but are not limited to business or mission concerns, as defined in NIST SP 800–160 V2R1 (incorporated by reference, see § 170.2).

Asset Categories means a grouping of assets that process, store or transmit information of similar designation, or provide security protection to those assets. (CMMC-custom term)

Authentication is defined in FIPS PUB 200 Mar2006 (incorporated by reference, see § 170.2).

Authorized means an interim status during which a CMMC Ecosystem member (person or organization), having met all criteria for the specific role they perform other than the required ISO/IEC accreditations, may act in that role for a specified time as set forth in § 170.8 for the Accreditation Body and § 170.9 for C3PAOs. (CMMC-custom term)

Capability means a combination of mutually reinforcing controls implemented by technical means, physical means, and procedural means. Such controls are typically selected to achieve a common information security or privacy purpose, as defined in NIST SP 800–37 R2 (incorporated by reference, see § 170.2).

Cloud Service Provider (CSP) means an external company that provides cloud services based on cloud computing. Cloud computing is a model for enabling ubiquitous, convenient, on- demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This definition is based on the definition for cloud computing in NIST SP 800–145 Sept2011. (CMMC-custom term)

CMMC Assessment and Certification Ecosystem means the people and organizations described in subpart C of this part. This term is sometimes shortened to CMMC Ecosystem. (CMMC-custom term)

CMMC Assessment Scope means the set of all assets in the OSA’s environment that will be assessed against CMMC security requirements. (CMMC-custom term)

CMMC Assessor and Instructor Certification Organization (CAICO) is defined in § 170.10 and means the organization responsible for training, testing, authorizing, certifying, and recertifying CMMC certified assessors, certified instructors, and certified professionals. (CMMC-custom term)

CMMC Instantiation of eMASS means a CMMC instance of the Enterprise Mission Assurance Support Service (eMASS), a government owned and operated system. (CMMC-custom term)

CMMC Security Requirements means the 15 Level 1 requirements listed in the 48 CFR 52.204–21(b)(1), the 110 Level 2 requirements from NIST SP 800–171 R2 (incorporated by reference, see § 170.2), and the 24 Level 3 requirements selected from NIST SP 800–172 Feb2021 (incorporated by reference, see § 170.2).

CMMC Status is the result of meeting or exceeding the minimum required score for the corresponding assessment. The CMMC Status of an OSA information system is officially stored in SPRS and additionally presented on a Certificate of CMMC Status, if the assessment was conducted by a C3PAO or DCMA DIBCAC. The potential CMMC Statuses are outlined in the paragraphs that follow. (CMMC-custom term)

(i) Final Level 1 (Self) is defined in § 170.15(a)(1) and (c)(1). (CMMC-custom term)

(ii) Conditional Level 2 (Self) is defined in § 170.16(a)(1)(ii). (CMMC- custom term)

(iii) Final Level 2 (Self) is defined in § 170.16(a)(1)(iii). (CMMC-custom term)

(iv) Conditional Level 2 (C3PAO) is defined in § 170.17(a)(1)(ii). (CMMC- custom term)

(v) Final Level 2 (C3PAO) is defined in § 170.17(a)(1)(iii). (CMMC-custom term)

(vi) Conditional Level 3 (DIBCAC) is defined in § 170.18(a)(1)(ii). (CMMC- custom term)

(vii) Final Level 3 (DIBCAC) is defined in § 170.18(a)(1)(iii). (CMMC-custom term)

CMMC Status Date means the date that the CMMC Status results are submitted to SPRS or the CMMC instantiation of eMASS, as appropriate. The date of the Conditional CMMC Status will remain as the CMMC Status Date after a successful POA&M closeout. A new date is not set for a Final that follows a Conditional. (CMMC-custom term)

CMMC Third-Party Assessment Organization (C3PAO) means an organization that has been authorized or accredited by the Accreditation Body to conduct Level 2 certification assessments and has the roles and responsibilities identified in § 170.9. (CMMC-custom term)

Contractor is defined in 48 CFR 3.502–1.

Contractor Risk Managed Assets are defined in table 3 to § 170.19(c)(1). (CMMC-custom term)

Controlled Unclassified Information (CUI) is defined in 32 CFR 2002.4(h).

Controlled Unclassified Information (CUI) Assets means assets that can process, store, or transmit CUI. (CMMC- custom term)

DCMA DIBCAC High Assessment means an assessment that is conducted by Government personnel in accordance with NIST SP 800–171A Jun2018 and leveraging specific guidance in the DoD Assessment Methodology that:

(i) Consists of: (A) A review of a contractor’s Basic Assessment;

(B) A thorough document review;

(C) Verification, examination, and demonstration of a contractor’s system security plan to validate that NIST SP 800–171 R2 security requirements have been implemented as described in the contractor’s system security plan; and

(D) Discussions with the contractor to obtain additional information or clarification, as needed; and

(ii) Results in a confidence level of ‘‘High’’ in the resulting score. (Source: 48 CFR 252.204–7020).

Defense Industrial Base (DIB) is defined in 32 CFR 236.2.

DoD Assessment Methodology (DoDAM) documents a standard methodology that enables a strategic assessment of a contractor’s implementation of NIST SP 800–171 R2, a requirement for compliance with 48 CFR 252.204–7012. (Source: DoDAM Version 1.2.1)

Enduring Exception means a special circumstance or system where remediation and full compliance with CMMC security requirements is not feasible. Examples include systems required to replicate the configuration of ‘fielded’ systems, medical devices, test equipment, OT, and IoT. No operational plan of action is required but the circumstance must be documented within a system security plan. Specialized Assets and GFE may be enduring exceptions. (CMMC-custom term)

Enterprise means an organization with a defined mission/goal and a defined boundary, using information systems to execute that mission, and with responsibility for managing its own risks and performance. An enterprise may consist of all or some of the following business aspects: acquisition, program management, financial management (e.g., budgets), human resources, security, and information systems, information and mission management, as defined in NIST SP 800–53 R5 (incorporated by reference, see § 170.2).

External Service Provider (ESP) means external people, technology, or facilities that an organization utilizes for provision and management of IT and/or cybersecurity services on behalf of the organization. In the CMMC Program, CUI or Security Protection Data (e.g., log data, configuration data), must be processed, stored, or transmitted on the ESP assets to be considered an ESP. (CMMC-custom term)

Federal Contract Information (FCI) is defined in 48 CFR 4.1901.

Government Furnished Equipment (GFE) has the same meaning as ‘‘government-furnished property’’ as defined in 48 CFR 45.101.

Industrial Control Systems (ICS) means a general term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations that are often found in the industrial sectors and critical infrastructures, such as Programmable Logic Controllers (PLC). An ICS consists of combinations of control components (e.g., electrical, mechanical, hydraulic, pneumatic) that act together to achieve an industrial objective (e.g., manufacturing, transportation of matter or energy), as defined in NIST SP 800–82r3 (incorporated by reference, see § 170.2).

Information System (IS) is defined in NIST SP 800–171 R2 (incorporated by reference, see § 170.2).

Internet of Things (IoT) means the network of devices that contain the hardware, software, firmware, and actuators which allow the devices to connect, interact, and freely exchange data and information, as defined in NIST SP 800–172A Mar2022 (incorporated by reference, see § 170.2).

Operational plan of action as used in security requirement CA.L2–3.12.2, means the formal artifact which identifies temporary vulnerabilities and temporary deficiencies (e.g., necessary information system updates, patches, or reconfiguration as threats evolve) in implementation of requirements and documents how they will be mitigated, corrected, or eliminated. The OSA defines the format (e.g., document, spreadsheet, database) and specific content of its operational plan of action. An operational plan of action does not identify a timeline for remediation and is not the same as a POA&M, which is associated with an assessment for remediation of deficiencies that must be completed within 180 days. (CMMC- custom term)

Operational Technology (OT) means programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems or devices detect or cause a direct change through the monitoring or control of devices, processes, and events. Examples include industrial control systems, building management systems, fire control systems, and physical access control mechanisms, as defined in NIST SP 800–160 V2R1 (incorporated by reference, see § 170.2).

Organization-defined means as determined by the OSA except as defined in the case of Organization- Defined Parameter (ODP). (CMMC- custom term)

Organization-Defined Parameters (ODPs) means selected enhanced security requirements contain selection and assignment operations to give organizations flexibility in defining variable parts of those requirements, as defined in NIST SP 800–172A Mar2022 (incorporated by reference, see § 170.2).

Note 1 to ODPs: The organization defining the parameters is the DoD.

Organization Seeking Assessment (OSA) means the entity seeking to undergo a self-assessment or certification assessment for a given information system for the purposes of achieving and maintaining any CMMC Status. The term OSA includes all Organizations Seeking Certification (OSCs). (CMMC-custom term)

Organization Seeking Certification (OSC) means the entity seeking to undergo a certification assessment for a given information system for the purposes of achieving and maintaining the CMMC Status of Level 2 (C3PAO) or Level 3 (DIBCAC). An OSC is also an OSA. (CMMC-custom term)

Out-of-Scope Assets means assets that cannot process, store, or transmit CUI because they are physically or logically separated from information systems that do process, store, or transmit CUI, or are inherently unable to do so; except for assets that provide security protection for a CUI asset (see the definition for Security Protection Assets). (CMMC- custom term)

Periodically means occurring at a regular interval as determined by the OSA that may not exceed one year. (CMMC-custom term)

Personally Identifiable Information means information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual, as defined in NIST SP 800–53 R5 (incorporated by reference, see § 170.2).

Plan of Action and Milestones (POA&M) means a document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones, as defined in NIST SP 800–115 Sept2008 (incorporated by reference, see § 170.2).

Prime Contractor is defined in 48 CFR 3.502–1.

Process, store, or transmit means data can be used by an asset (e.g., accessed, entered, edited, generated, manipulated, or printed); data is inactive or at rest on an asset (e.g., located on electronic media, in system component memory, or in physical format such as paper documents); or data is being transferred from one asset to another asset (e.g., data in transit using physical or digital transport methods). (CMMC-custom term)

Restricted Information Systems means systems (and associated IT components comprising the system) that are configured based on government requirements (e.g., connected to something that was required to support a functional requirement) and are used to support a contract (e.g., fielded systems, obsolete systems, and product deliverable replicas). (CMMC-custom term)

Risk means a measure of the extent to which an entity is threatened by a potential circumstance or event, and is typically a function of:

(i) The adverse impacts that would arise if the circumstance or event occurs; and

(ii) The likelihood of occurrence, as defined in NIST SP 800–53 R5 (incorporated by reference, see § 170.2).

Risk Assessment means the process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of a system. Risk Assessment is part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis, as defined in NIST SP 800–39 Mar2011 (incorporated by reference, see § 170.2).

Security Protection Assets (SPA) means assets providing security functions or capabilities for the OSA’s CMMC Assessment Scope. (CMMC- custom term)

Security Protection Data (SPD) means data stored or processed by Security Protection Assets (SPA) that are used to protect an OSC’s assessed environment. SPD is security relevant information and includes but is not limited to: configuration data required to operate an SPA, log files generated by or ingested by an SPA, data related to the configuration or vulnerability status of in-scope assets, and passwords that grant access to the in-scope environment. (CMMC-custom term)

Specialized Assets means types of assets considered specialized assets for CMMC: Government Furnished Equipment, Internet of Things (IoT) or Industrial Internet of Things (IIoT), Operational Technology (OT), Restricted Information Systems, and Test Equipment. (CMMC-custom term)

Subcontractor is defined in 48 CFR 3.502–1.

Supervisory Control and Data Acquisition (SCADA) means a generic name for a computerized system that is capable of gathering and processing data and applying operational controls over long distances. Typical uses include power transmission and distribution and pipeline systems. SCADA was designed for the unique communication challenges (e.g., delays, data integrity) posed by the various media that must be used, such as phone lines, microwave, and satellite. Usually shared rather than dedicated, as defined in NIST SP 800– 82r3 (incorporated by reference, see § 170.2).

System Security Plan (SSP) means the formal document that provides an overview of the security requirements for an information system or an information security program and describes the security controls in place or planned for meeting those requirements. The system security plan describes the system components that are included within the system, the environment in which the system operates, how the security requirements are implemented, and the relationships with or connections to other systems, as defined in NIST SP 800–53 R5 (incorporated by reference, see § 170.2).

Temporary deficiency means a condition where remediation of a discovered deficiency is feasible, and a known fix is available or is in process. The deficiency must be documented in an operational plan of action. A temporary deficiency is not based on an ‘in progress’ initial implementation of a CMMC security requirement but arises after implementation. A temporary deficiency may apply during the initial implementation of a security requirement if, during roll-out, specific issues with a very limited subset of equipment is discovered that must be separately addressed. There is no standard duration for which a temporary deficiency may be active. For example, FIPS-validated cryptography that requires a patch and the patched version is no longer the validated version may be a temporary deficiency. (CMMC-custom term)

Test Equipment means hardware and/ or associated IT components used in the testing of products, system components, and contract deliverables. (CMMC- custom term)

User means an individual, or (system) process acting on behalf of an individual, authorized to access a system, as defined in NIST SP 800–53 R5 (incorporated by reference, see § 170.2).

§ 170.5 Policy.

(a) Protection of FCI and CUI on contractor information systems is of paramount importance to the DoD and can directly impact its ability to successfully conduct essential missions and functions. It is DoD policy that defense contractors and subcontractors shall be required to safeguard FCI and CUI that is processed, stored, or transmitted on contractor information systems by applying specified security requirements. In addition, defense contractors and subcontractors may be required to implement additional safeguards defined in NIST SP 800–172 Feb2021 (incorporated by reference, see § 170.2), implementing DoD specified parameters to meet CMMC Level 3 security requirements (see table 1 to § 170.14(c)(4)). These additional requirements are necessary to protect CUI being processed, stored, or transmitted in contractor information systems, when designated by a requirement for CMMC Status of Level 3 (DIBCAC) as defined by a DoD program manager or requiring activity. In general, the Department will identify a requirement for a CMMC Status of Level 3 (DIBCAC) for solicitations and resulting contracts supporting its most critical programs and technologies.

(b) Program managers and requiring activities are responsible for identifying the CMMC Status that will apply to a procurement. Selection of the applicable CMMC Status will be based on factors including but not limited to:

(1) Criticality of the associated mission capability;

(2) Type of acquisition program or technology;

(3) Threat of loss of the FCI or CUI to be shared or generated in relation to the effort;

(4) Impacts from exploitation of information security deficiencies; and

(5) Other relevant policies and factors, including Milestone Decision Authority guidance.

(c) In accordance with the implementation plan described in § 170.3, CMMC Program requirements will apply to new DoD solicitations and contracts, and shall flow down to subcontractors who will process, store, or transmit FCI or CUI in performance of the subcontract, as described in § 170.23.

(d) In very limited circumstances, and in accordance with all applicable policies, procedures, and requirements, a Service Acquisition Executive or Component Acquisition Executive in the DoD, or as delegated, may elect to waive inclusion of CMMC Program requirements in a solicitation or contract. In such cases, contractors and subcontractors will remain obligated to comply with all applicable cybersecurity and information security requirements.

(e) The CMMC Program does not alter any separately applicable requirements to protect FCI or CUI, including those requirements in accordance with 48 CFR 52.204–21, Basic Safeguarding of Covered Contractor Information Systems, or covered defense information in accordance with 48 CFR 252.204– 7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, or any other applicable information protection requirements. The CMMC Program provides a means of verifying implementation of the security requirements set forth in 48 CFR 52.204–21, NIST SP 800–171 R2, and NIST SP 800–172 Feb2021, as applicable.

Subpart B—Government Roles and Responsibilities.

§ 170.6 CMMC PMO.

(a) The Office of the Department of Defense Chief Information Officer (DoD CIO) Office of the Deputy CIO for Cybersecurity (DoD CIO(CS)) provides oversight of the CMMC Program and is responsible for establishing CMMC assessment, accreditation, and training requirements as well as developing and updating CMMC Program policies and implementing guidance.

(b) The CMMC PMO is responsible for monitoring the CMMC AB’s performance of roles assigned in this rule and acting as necessary to address problems pertaining to effective performance.

(c) The CMMC PMO retains, on behalf of the DoD CIO(CS), the prerogative to review decisions of the CMMC Accreditation Body as part of its oversight of the CMMC program and evaluate any alleged conflicts of interest purported to influence the CMMC Accreditation Body’s objectivity.

(d) The CMMC PMO is responsible for sponsoring necessary DCSA activities including FOCI risk assessment and Tier 3 security background investigations for the CMMC Ecosystem members as specified in §§ 170.8(b)(4) and (5), 170.9(b)(3) through (5), 170.11(b)(3) and (4), and 170.13(b)(3) and (4).

(e) The CMMC PMO is responsible for investigating and acting upon indications that an active CMMC Status has been called into question. Indications that may trigger investigative evaluations include, but are not limited to, reports from the CMMC Accreditation Body, a C3PAO, or anyone knowledgeable of the security processes and activities of the OSA. Investigative evaluations include, but are not limited to, reviewing pertinent assessment information, and exercising the right to conduct a DCMA DIBCAC assessment of the OSA, as provided for under the 48 CFR 252.204–7020.

(f) If a subsequent DCMA DIBCAC assessment shows that adherence to the provisions of this rule and the required CMMC Status have not been achieved or maintained, the DIBCAC results will take precedence over any pre-existing CMMC Status recorded in SPRS, or its successor capability. The DoD will update SPRS to reflect that the OSA is out of compliance and does not meet DoD CMMC requirements. If the OSA is working on an active contract requiring CMMC compliance, then standard contractual remedies will apply.

§ 170.7 DCMA DIBCAC.

(a) DCMA DIBCAC assessors in support of the CMMC Program will:

(1) Complete CMMC Level 2 and Level 3 training.

(2) Conduct Level 3 certification assessments and upload assessment results into the CMMC instantiation of eMASS, or its successor capability.

(3) Issue Certificates of CMMC Status resulting from Level 3 certification assessments.

(4) Conduct Level 2 certification assessments of the Accreditation Body and prospective C3PAOs’ information systems that process, store, and/or transmit CUI.

(5) Create and maintain a process for assessors to collect the list of assessment artifacts to include artifact names, their return value of the hashing algorithm, the hashing algorithm used, and upload that data into the CMMC instantiation of eMASS.

(6) As authorized and in accordance with all legal requirements, enter and track, OSC appeals and updated results arising from Level 3 certification assessment activities into the CMMC instantiation of eMASS.

(7) Retain all records in accordance with DCMA–MAN 4501–04.

(8) Conduct an assessment of the OSA, when requested by the CMMC PMO per §§ 170.6(e) and (f), as provided for under the 48 CFR 252.204–7019 and 48 CFR 252.204–7020.

(9) Identify assessments that meet the criteria in § 170.20 and verify that SPRS accurately reflects the CMMC Status.

(b) An OSC, the CMMC AB, or a C3PAO may appeal the outcome of its DCMA DIBCAC conducted assessment within 21 days by submitting a written basis for appeal with the requirements in question for DCMA DIBCAC consideration. Appeals may be submitted for review by visiting www.dcma.mil/DIBCAC for contact information, and a DCMA DIBCAC Quality Assurance Review Team will provide a written response or request additional supporting documentation.

Subpart C—CMMC Assessment and Certification Ecosystem.

§ 170.8 Accreditation Body.

(a) Roles and responsibilities. The

Accreditation Body is responsible for authorizing and ensuring the accreditation of CMMC Third-Party Assessment Organizations (C3PAOs) in accordance with ISO/IEC 17020:2012(E) (incorporated by reference, see § 170.2) and all applicable authorization and accreditation requirements set forth. The Accreditation Body is responsible for establishing the C3PAO authorization requirements and the C3PAO Accreditation Scheme and submitting both for approval by the CMMC PMO. At any given point in time, there will be only one Accreditation Body for the DoD CMMC Program.

(b) Requirements. The CMMC

Accreditation Body shall:

(1) Be US-based and be and remain a

member in good standing of the Inter- American Accreditation Cooperation (IAAC) and become an International Laboratory Accreditation Cooperation (ILAC) Mutual Recognition

Arrangement (MRA) signatory, with a signatory status scope of ISO/IEC 17020:2012(E) (incorporated by reference, see § 170.2).

(2) Be and remain a member in good

standing of the International Accreditation Forum (IAF) with mutual recognition arrangement signatory status scope of ISO/IEC 17024:2012(E) (incorporated by reference, see § 170.2).

(3) Achieve and maintain full

compliance with ISO/IEC 17011:2017(E) (incorporated by reference, see § 170.2) and complete a peer assessment by other ILAC signatories for competence in accrediting conformity assessment bodies to ISO/IEC 17020:2012(E) (incorporated by reference, see § 170.2), both within 24 months of DoD approval.

(i) Prior to achieving full compliance

as set forth in this paragraph (b)(3), the Accreditation Body shall:

(A) Authorize C3PAOs who meet all

requirements set forth in § 170.9 as well as administrative requirements as determined by the Accreditation Body to conduct Level 2 certification assessments and issue Certificates of CMMC Status to OSCs based on the assessment results.

(B) Require all C3PAOs to achieve and

maintain the ISO/IEC 17020:2012(E) (incorporated by reference, see § 170.2) requirements within 27 months of authorization.

(ii) The Accreditation Body shall

accredit C3PAOs, in accordance with ISO/IEC 17020:2012(E) (incorporated by reference, see § 170.2), who meet all requirements set forth in § 170.9 to conduct Level 2 certification assessments and issue Certificates of CMMC Status to OSCs based on the results.

(4) Ensure that the Accreditation

Body’s Board of Directors, professional staff, Information Technology (IT) staff, accreditation staff, and independent CMMC Certified Assessor staff complete a Tier 3 background investigation resulting in a determination of national security eligibility. This Tier 3 background investigation will not result in a security clearance and is not being executed for the purpose of government employment. The Tier 3 background investigation is initiated using the Standard Form (SF) 86 (www.gsa.gov/ reference/forms/questionnaire-for- national-security-positions) and submitted by DoD CIO Security to Washington Headquarters Services (WHS) for coordination for processing by the Defense Counterintelligence and Security Agency (DCSA). These positions are designated as non-critical sensitive with a risk designation of ‘‘Moderate Risk’’ in accordance with 5 CFR 1400.201(b) and (d) and the

investigative requirements of 5 CFR 731.106(c)(2).

(5) Comply with Foreign Ownership,

Control or Influence (FOCI) by:

(i) Completing the Standard Form (SF)

328 (www.gsa.gov/reference/forms/ certificate-pertaining-to-foreign- interests), Certificate Pertaining to Foreign Interests, and submit it directly to Defense Counterintelligence and Security Agency (DCSA) and undergo a National Security Review with regards to the protection of controlled unclassified information based on the factors identified in 32 CFR 117.11(b) using the procedures outlined in 32 CFR 117.11(c). The Accreditation Body must receive a non-disqualifying eligibility determination by the CMMC PMO to be recognized by the Department of Defense.

(ii) Reporting any change to the

information provided on its SF 328 by resubmitting the SF 328 to DCSA within 15 business days of the change being effective. A disqualifying eligibility determination, based on the results of the change, will result in the Accreditation Body losing its authorization or accreditation under the CMMC Program.

(iii) Identifying all prospective

C3PAOs to the CMMC PMO. The CMMC PMO will sponsor the prospective C3PAO for a FOCI risk assessment conducted by the DCSA using the SF 328 as part of the authorization and accreditation processes.

(iv) Notifying prospective C3PAOs of

the CMMC PMO’s eligibility determination resulting from the FOCI risk assessment.

(6) Obtain a Level 2 certification

assessment in accordance with the procedures specified in § 170.17(a)(1) and (c). This assessment, conducted by DCMA DIBCAC, shall meet all requirements for a Final Level 2 (C3PAO) but will not result in a CMMC Status of Level 2 (C3PAO). The Level 2 certification assessment process must be performed every three years.

(7) Provide all documentation and

records in English.

(8) Establish, maintain, and manage

an up-to-date list of authorized and accredited C3PAOs on a single publicly accessible website and provide the list of these entities and their status to the DoD through submission in the CMMC instantiation of eMASS.

(9) Provide the CMMC PMO with

current data on C3PAOs, including authorization and accreditation records and status in the CMMC instantiation of eMASS. This data shall include the dates associated with the authorization and accreditation of each C3PAO.

VerDate Sep<11>2014

18:51 Oct 11, 2024

Jkt 265001

PO 00000

Frm 00131

Fmt 4701

Sfmt 4700

E:\FR\FM\15OCR2.SGM

15OCR2

khammond on DSKJM1Z7X2PROD with RULES2

'83222 '

'Federal Register '/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations

(10) Provide the DoD with

information about aggregate statistics pertaining to operations of the CMMC Ecosystem to include the authorization and accreditation status of C3PAOs or other information as requested.

(11) Provide inputs for assessor

supplemental guidance to the CMMC PMO. Participate and support coordination of these and other inputs through DoD-led Working Groups.

(12) Ensure that all information about

individuals is encrypted and protected in all Accreditation Body information systems and databases.

(13) Provide all plans that are related

to potential sources of revenue, to include but not limited to: fees, licensing, processes, membership, and/ or partnerships to the Department’s CMMC PMO.

(14) Ensure that the CMMC Assessors

and Instructors Certification Organization (CAICO) is compliant with ISO/IEC 17024:2012(E)

(15) Ensure all training products,

instruction, and testing materials are of high quality and subject to CAICO quality control policies and procedures, to include technical accuracy and alignment with all applicable legal, regulatory, and policy requirements.

(16) Develop and maintain an internal

appeals process, as required by ISO/IEC 17020:2017(E), and render a final decision on all elevated appeals.

(17) Develop and maintain a

comprehensive plan and schedule to comply with all ISO/IEC 17011:2017(E), and DoD requirements for Conflict of Interest, Code of Professional Conduct, and Ethics policies as set forth in the DoD contract. All policies shall apply to the Accreditation Body, and other individuals, entities, and groups within the CMMC Ecosystem who provide Level 2 certification assessments, CMMC instruction, CMMC training materials, or Certificates of CMMC Status on behalf of the Accreditation Body. All policies in this section must be approved by the CMMC PMO prior to effectivity in accordance with the following requirements.

(i) Conflict of Interest (CoI) policy.

The CoI policy shall:

(A) Include a detailed risk mitigation

plan for all potential conflicts of interest that may pose a risk to compliance with ISO/IEC 17011:2017(E).

(B) Require employees, Board

directors, and members of any accreditation committees or appeals adjudication committees to disclose to the CMMC PMO, in writing, as soon as it is known or reasonably should be known, any actual, potential, or perceived conflict of interest with sufficient detail to allow for assessment.

(C) Require employees, Board

directors, and members of any accreditation committees or appeals adjudication committees who leave the board or organization to enter a ‘‘cooling off period’’ of one (1) year whereby they are prohibited from working with the Accreditation Body or participating in any and all CMMC activities described in Subpart C.

(D) Require CMMC Ecosystem

members to actively avoid participating in any activity, practice, or transaction that could result in an actual or perceived conflict of interest.

(E) Require CMMC Ecosystem

members to disclose to Accreditation Body leadership, in writing, any actual or potential conflict of interest as soon as it is known, or reasonably should be known.

(ii) Code of Professional Conduct

(CoPC) policy. The CoPC policy shall:

(A) Describe the performance

standards by which the members of the CMMC Ecosystem will be held accountable and the procedures for addressing violations of those performance standards.

(B) Require the Accreditation Body to

investigate and resolve any potential violations that are reported or are identified by the DoD.

(C) Require the Accreditation Body to

inform the DoD in writing of new investigations within 72 hours.

(D) Require the Accreditation Body to

report to the DoD in writing the outcome of completed investigations within 15 business days.

(E) Require CMMC Ecosystem

members to represent themselves and their companies accurately; to include not misrepresenting any professional credentials or status, including CMMC authorization or CMMC Status, nor exaggerating the services that they or their company are capable or authorized to deliver.

(F) Require CMMC Ecosystem

members to be honest and factual in all CMMC-related activities with colleagues, clients, trainees, and others with whom they interact.

(G) Prohibit CMMC Ecosystem

members from participating in the Level 2 certification assessment process for an assessment in which they previously served as a consultant to prepare the organization for any CMMC assessment within 3 years.

(H) Require CMMC Ecosystem

members to maintain the confidentiality of customer and government data to preclude unauthorized disclosure.

(I) Require CMMC Ecosystem

members to report results and data from Level 2 certification assessments and

training objectively, completely, clearly, and accurately.

(J) Prohibit CMMC Ecosystem

members from cheating, assisting another in cheating, or allowing cheating on CMMC examinations.

(K) Require CMMC Ecosystem

members to utilize official training content developed by a CMMC training organization approved by the CAICO in all CMMC certification courses.

(iii) Ethics policy. The Ethics policy

shall:

(A) Require CMMC Ecosystem

members to report to the Accreditation Body within 30 days of convictions, guilty pleas, or no contest pleas to crimes of fraud, larceny, embezzlement, misappropriation of funds, misrepresentation, perjury, false swearing, conspiracy to conceal, or a similar offense in any legal proceeding, civil or criminal, whether or not in connection with activities that relate to carrying out their role in the CMMC Ecosystem.

(B) Prohibit harassment or

discrimination by CMMC Ecosystem members in all interactions with individuals whom they encounter in connection with their roles in the CMMC Ecosystem.

(C) Require CMMC Ecosystem

members to have and maintain a satisfactory record of integrity and business ethics.

§ 170.9

'CMMC Third-Party Assessment '

'Organizations (C3PAOs). '

(a) Roles and responsibilities. C3PAOs

are organizations that are responsible for conducting Level 2 certification assessments and issuing Certificates of CMMC Status to OSCs based on the results. C3PAOs must be accredited or authorized by the Accreditation Body in accordance with the requirements set forth.

(b) Requirements. C3PAOs shall: (1) Obtain authorization or

accreditation from the Accreditation Body in accordance with § 170.8(b)(3)(i) and (ii).

(2) Comply with the Accreditation

Body policies for Conflict of Interest, Code of Professional Conduct, and Ethics set forth in § 170.8(b)(17); and achieve and maintain compliance with ISO/IEC 17020:2012(E) (incorporated by reference, see § 170.2) within 27 months of authorization.

(3) Require all C3PAO company

personnel participating in the Level 2 certification assessment process to complete a Tier 3 background investigation resulting in a determination of national security eligibility. This includes the CMMC Assessment Team and the quality

VerDate Sep<11>2014

18:51 Oct 11, 2024

Jkt 265001

PO 00000

Frm 00132

Fmt 4701

Sfmt 4700

E:\FR\FM\15OCR2.SGM

15OCR2

khammond on DSKJM1Z7X2PROD with RULES2

'83223 '

'Federal Register '/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations

assurance individual. This Tier 3 background investigation will not result in a security clearance and is not being executed for the purpose of government employment. The Tier 3 background investigation is initiated using the Standard Form (SF) 86 ( www.gsa.gov/ reference/forms/questionnaire-for- national-security-positions). These positions are designated as non-critical sensitive with a risk designation of ‘‘Moderate Risk’’ in accordance with 5 CFR 1400.201(b) and (d) and the investigative requirements of 5 CFR 731.106(c)(2).

(4) Require all C3PAO company

personnel participating in the Level 2 certification assessment process who are not eligible to obtain a Tier 3 background investigation to meet the equivalent of a favorably adjudicated Tier 3 background investigation. DoD will determine the Tier 3 background investigation equivalence for use with the CMMC Program only.

(5) Comply with Foreign Ownership,

Control or Influence (FOCI) by:

(i) Completing and submitting

Standard Form (SF) 328 (www.gsa.gov/ reference/forms/certificate-pertaining- to-foreign-interests), Certificate Pertaining to Foreign Interests, upon request from DCSA and undergo a National Security Review with regards to the protection of controlled unclassified information based on the factors identified in 32 CFR 117.11(b) using the procedures outlined in 32 CFR 117.11(c).

(ii) Receiving a non-disqualifying

eligibility determination from the CMMC PMO resulting from the FOCI risk assessment in order to proceed to a DCMA DIBCAC CMMC Level 2 assessment, as part of the authorization and accreditation process set forth in paragraph (b)(6) of this section.

(iii) Reporting any change to the

information provided on its SF 328 by resubmitting the SF 328 to DCSA within 15 business days of the change being effective. A disqualifying eligibility determination, based on the results of the change, will result in the C3PAO losing its authorization or accreditation.

(6) Undergo a Level 2 certification

assessment meeting all requirements for a Final Level 2 (C3PAO) in accordance with the procedures specified in § 170.17(a)(1) and (c), with the following exceptions:

(i) The assessment will be conducted

by DCMA DIBCAC.

(ii) The assessment will not result in

a CMMC Status of Level 2 (C3PAO) nor receive a Certificate of CMMC Status.

(7) Provide all documentation and

records in English.

(8) Submit pre-assessment and

planning material, final assessment reports, and CMMC certificates of assessment into the CMMC instantiation of eMASS.

(9) Unless disposition is otherwise

authorized by the CMMC PMO, maintain all assessment related records for a period of six (6) years. Such records include any materials generated by the C3PAO in the course of an assessment, any working papers generated from Level 2 certification assessments; and materials relating to monitoring, education, training, technical knowledge, skills, experience, and authorization of all personnel involved in assessment activities; contractual agreements with OSCs; and organizations for whom consulting services were provided.

(10) Provide any requested audit

information, including any out-of-cycle from ISO/IEC 17020:2012(E) requirements, to the Accreditation Body.

(11) Ensure that all personally

identifiable information (PII) is encrypted and protected in all C3PAO information systems and databases.

(12) Meet the requirements for

Assessment Team composition. An Assessment Team must include at least two people: a Lead CCA, as defined in § 170.11(b)(10), and at least one other CCA. Additional CCAs and CCPs may also participate on an Assessment Team.

(13) Implement a quality assurance

function that ensures the accuracy and completeness of assessment data prior to upload into the CMMC instantiation of eMASS. Any individual fulfilling the quality assurance function must be a CCA and cannot be a member of an Assessment Team for which they are performing a quality assurance role. A quality assurance individual shall manage the C3PAO’s quality assurance reviews as defined in paragraph (b)(14) of this section and the appeals process as required by paragraphs (b)(19) and (20) of this section and in accordance with ISO/IEC 17020:2012(E) (incorporated by reference, see § 170.2) and ISO/IEC 17011:2017(E) (incorporated by reference, see § 170.2).

(14) Conduct quality assurance

reviews for each assessment, including observations of the Assessment Team’s conduct and management of CMMC assessment processes.

(15) Ensure that all Level 2

certification assessment activities are performed on the information system within the CMMC Assessment Scope.

(16) Maintain all facilities, personnel,

and equipment involved in CMMC activities that are in scope of their Level 2 certification assessment and comply

with all security requirements and procedures as prescribed by the Accreditation Body.

(17) Ensure that all assessment data

and information uploaded into the CMMC instantiation of eMASS assessment data is compliant with the CMMC assessment data standard as set forth in eMASS CMMC Assessment Import Templates on the CMMC eMASS website: https://cmmc.emass.apps.mil. This system is accessible only to authorized users.

(18) Issue Certificates of CMMC Status

to OSCs in accordance with the Level 2 certification assessment requirements set forth in § 170.17, that include, at a minimum, all industry CAGE codes associated with the information systems addressed by the CMMC Assessment Scope, the C3PAO name, assessment unique identifier, the OSC name, and the CMMC Status date and level.

(19) Address all OSC appeals arising

from Level 2 certification assessment activities. If the OSC or C3PAO is not satisfied with the result of the appeal either the OSC or the C3PAO can elevate the matter to the Accreditation Body for final determination.

(20) Submit assessment appeals,

review records, and decision results of assessment appeals to DoD using the CMMC instantiation of eMASS.

§ 170.10

'CMMC Assessor and Instructor '

'Certification Organization (CAICO). '

(a) Roles and responsibilities. The

CAICO is responsible for training, testing, authorizing, certifying, and recertifying CMMC assessors, instructors, and related professionals. Only the CAICO may make decisions relating to examination certifications, including the granting, maintaining, recertifying, expanding, and reducing the scope of certification, and suspending or withdrawing certification in accordance with current ISO/IEC 17024:2012(E) (incorporated by reference, see § 170.2). At any given point in time, there will be only one CAICO for the DoD CMMC Program.

(b) Requirements. The CAICO shall: (1) Comply with the Accreditation

Body policies for Conflict of Interest, Code of Professional Conduct, and Ethics set forth in § 170.8(b)(17); and achieve and maintain ISO/IEC 17024(E) accreditation within 12 months of December 16, 2024.

(2) Provide all documentation and

records in English.

(3) Train, test, and designate PIs in

accordance with the requirements of this section. Train, test, certify, and recertify CCPs, CCAs, and CCIs in accordance with the requirements of this section.

VerDate Sep<11>2014

18:51 Oct 11, 2024

Jkt 265001

PO 00000

Frm 00133

Fmt 4701

Sfmt 4700

E:\FR\FM\15OCR2.SGM

15OCR2

khammond on DSKJM1Z7X2PROD with RULES2

'83224 '

'Federal Register '/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations

(4) Ensure the instructor and assessor

certification examinations are certified under ISO/IEC 17024:2012(E) (incorporated by reference, see § 170.2), by a recognized US-based accreditor who is not a member of the CMMC Accreditation Body. The US-based accreditor must be a signatory to International Laboratory Accreditation Cooperation (ILAC) or relevant International Accreditation Forum (IAF) Mutual Recognition Arrangement (MRA) and must operate in accordance with ISO/IEC 17011:2017(E) (incorporated by reference, see § 170.2).

(5) Establish quality control policies

and procedures for the generation of training products, instruction, and testing materials.

(6) Oversee development,

administration, and management pertaining to the quality of training and examination materials for CMMC assessor and instructor certification and recertification.

(7) Establish and publish an

authorization and certification appeals process to receive, evaluate, and make decisions on complaints and appeals in accordance with ISO/IEC 17024:2012(E) (incorporated by reference, see § 170.2).

(8) Address all appeals arising from

the CCA, CCI, and CCP authorizations and certifications process through use of internal processes in accordance with ISO/IEC 17024:2012(E) (incorporated by reference, see § 170.2).

(9) Maintain records for a period of

six (6) years of all procedures, processes, and actions related to fulfillment of the requirements set forth in this section and provide the Accreditation Body access to those records.

(10) Provide the Accreditation Body

information about the authorization and accreditation status of assessors, instructors, training community, and publishing partners.

(11) Ensure separation of duties

between individuals involved in testing activities, training activities, and certification activities.

(12) Safeguard and require any CAICO

training support service providers, as applicable, to safeguard the confidentiality of applicant, candidate, and certificate-holder information and ensure the overall security of the certification process.

(13) Ensure that all PII is encrypted

and protected in all CAICO information systems and databases and those of any CAICO training support service providers.

(14) Ensure the security of assessor

and instructor examinations and the fair and credible administration of examinations.

(15) Neither disclose nor allow any

CAICO training support service providers, as applicable, to disclose CMMC data or metrics related to authorization or certification activities to any entity other than the Accreditation Body and DoD, except as required by law.

(16) Require retraining and

redesignation of PIs upon significant change to DoD’s CMMC Program requirements. Require retraining and recertification of CCPs, CCAs, and CCIs upon significant change to DoD’s CMMC Program requirements, as determined by the DoD or the CAICO.

(17) Require CMMC Ecosystem

members to report to the CAICO within 30 days of convictions, guilty pleas, or no contest pleas to crimes of fraud, larceny, embezzlement, misappropriation of funds, misrepresentation, perjury, false swearing, conspiracy to conceal, or a similar offense in any legal proceeding, civil or criminal, whether or not in connection with activities that relate to carrying out their role in the CMMC Ecosystem.

§ 170.11

'CMMC Certified Assessor (CCA). '

(a) Roles and responsibilities. CCAs,

in support of a C3PAO, conduct Level 2 certification assessments of OSCs in accordance with NIST SP 800–171A Jun2018 (incorporated by reference, see § 170.2), the assessment processes defined in § 170.17, and the scoping requirements defined in § 170.19(c). CCAs must meet all of the requirements set forth in paragraph (b) of this section. A CCA may conduct Level 2 certification assessments and participate on a C3PAO Assessment Team.

(b) Requirements. CCAs shall: (1) Obtain and maintain certification

from the CAICO in accordance with the requirements set forth in § 170.10. Certification is valid for 3 years from the date of issuance.

(2) Comply with the Accreditation

Body policies for Conflict of Interest, Code of Professional Conduct, and Ethics set forth in § 170.8(b)(17).

(3) Complete a Tier 3 background

investigation resulting in a determination of national security eligibility. This Tier 3 background investigation will not result in a security clearance and is not being executed for the purpose of government employment. The Tier 3 background investigation is initiated using the Standard Form (SF) 86 (www.gsa.gov/reference/forms/ questionnaire-for-national-security- positions). These positions are designated as non-critical sensitive with a risk designation of ‘‘Moderate Risk’’ in accordance with 5 CFR 1400.201(b) and

(d) and the investigative requirements of 5 CFR 731.106(c)(2).

(4) Meet the equivalent of a favorably

adjudicated Tier 3 background investigation when not eligible for a Tier 3 background investigation. DoD will determine the Tier 3 background investigation equivalence for use with the CMMC Program only.

(5) Provide all documentation and

records in English.

(6) Be a CCP who has at least 3 years

of cybersecurity experience, at least 1 year of assessment or audit experience, and at least one foundational qualification, aligned to at least the Intermediate Proficiency Level of the DoD Cyberspace Workforce Framework’s Security Control Assessor (612) Work Role, from DoD Manual 8140.03, Cyberspace Workforce Qualification and Management Program (https://dodcio.defense.gov/Portals/0/ Documents/Library/DoDM-8140-03.pdf). Information on the Work Role 612 can be found at https://public.cyber.mil/ dcwf-work-role/security-control- assessor/.

(7) Only use IT, cloud, cybersecurity

services, and end-point devices provided by the authorized/accredited C3PAO that has been engaged to perform that OSA’s Level 2 certification assessment and which has undergone a Level 2 certification assessment by DCMA DIBCAC (or higher) for all assessment activities. Individual assessors are prohibited from using any other IT, including IT that is personally owned, to include internal and external cloud services and end-point devices, to process, store, or transmit CMMC assessment reports or any other CMMC assessment-related information. The evaluation of assessment evidence within the OSC environment, using OSC tools, is permitted.

(8) Immediately notify the responsible

C3PAO of any breach or potential breach of security to any CMMC-related assessment materials under the assessors’ purview.

(9) Not share any information about

an OSC obtained during CMMC pre- assessment and assessment activities with any person not involved with that specific assessment, except as otherwise required by law.

(10) Qualify as a Lead CCA by having

at least 5 years of cybersecurity experience, 5 years of management experience, 3 years of assessment or audit experience, and at least one foundational qualification aligned to Advanced Proficiency Level of the DoD Cyberspace Workforce Framework’s Security Control Assessor (612) Work Role, from DoD Manual 8140.03, Cyberspace Workforce Qualification and

VerDate Sep<11>2014

18:51 Oct 11, 2024

Jkt 265001

PO 00000

Frm 00134

Fmt 4701

Sfmt 4700

E:\FR\FM\15OCR2.SGM

15OCR2

khammond on DSKJM1Z7X2PROD with RULES2

'83225 '

'Federal Register '/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations

Management Program (https://dodcio.defense.gov/Portals/0/ Documents/Library/DoDM-8140-03.pdf). Information on the Work Role 612 can be found at https://public.cyber.mil/ dcwf-work-role/security-control- assessor/.

§ 170.12

'CMMC Instructor. '

(a) CMMC Provisional Instructor (PI)

roles and responsibilities. A CMMC Provisional Instructor (PI) teaches CCA and CCP candidates during the transitional period that ends 18 months after December 16, 2024. A PI is trained, tested, and designated to perform CMMC instructional duties by the CAICO to teach CCP and CCA candidates. PIs are designated by the CAICO after successful completion of the PI training and testing requirements set forth by the CAICO. A PI with a valid CCP certification may instruct CCP candidates, while a PI with a valid CCA certification may instruct CCP and CCA candidates. PIs are required to meet requirements in (c) of this section.

(b) CMMC Certified Instructor (CCI)

roles and responsibilities. A CMMC Certified Instructor (CCI) teaches CCP, CCA, and CCI candidates and performs CMMC instructional duties. Candidate CCIs are certified by the CAICO after successful completion of the CCI training and testing requirements. A CCI is required to obtain and maintain assessor and instructor certifications from the CAICO in accordance with the requirements set forth in § 170.10 and in paragraph (c) of this section. A CCI with a valid CCP certification may instruct CCP candidates, while a CCI with a valid CCA certification may instruct CCP, CCA, and CCI candidates. Certifications are valid for 3 years from the date of issuance. CCIs are required to meet requirements in paragraph (c) of this section.

(c) Requirements. CMMC Instructors

shall:

(1) Obtain and maintain instructor

designation or certification, as appropriate, from the CAICO in accordance with the requirements set forth in § 170.10.

(2) Obtain and maintain CCP or CCA

certification to deliver CCP training.

(3) Obtain and maintain a CCA

certification to deliver CCA training.

(4) Comply with the Accreditation

Body policies for Conflict of Interest, Code of Professional Conduct, and Ethics set forth in § 170.8(b)(17).

(5) Provide all documentation and

records in English.

(6) Provide the Accreditation Body

and the CAICO annually with accurate information detailing their qualifications, training experience,

professional affiliations, and certifications, and, upon reasonable request, submit documentation verifying this information.

(7) Not provide CMMC consulting

services while serving as a CMMC instructor; however, subject to the Code of Professional Conduct and Conflict of Interest policies, can serve on an assessment team.

(8) Not participate in the development

of exam objectives and/or exam content or act as an exam proctor while at the same time serving as a CCI.

(9) Keep confidential all information

obtained or created during the performance of CMMC training activities, including trainee records, except as required by law.

(10) Not disclose any CMMC-related

data or metrics that is PII, FCI, or CUI to anyone without prior coordination with and approval from DoD.

(11) Notify the Accreditation Body or

the CAICO if required by law or authorized by contractual commitments to release confidential information.

(12) Not share with anyone any

CMMC training-related information not previously publicly disclosed.

§ 170.13

'CMMC Certified Professional '

'(CCP). '

(a) Roles and responsibilities. A

CMMC Certified Professional (CCP) completes rigorous training on CMMC and the assessment process to provide advice, consulting, and recommendations to their OSA clients. Candidate CCPs are certified by the CAICO after successful completion of the CCP training and testing requirements set forth in paragraph (b) of this section. CCPs are eligible to become CMMC Certified Assessors and can participate as a CCP on Level 2 certification assessments with CCA oversight where the CCA makes all final determinations.

(b) Requirements. CCPs shall: (1) Obtain and maintain certification

from the CAICO in accordance with the requirements set forth in § 170.10. Certification is valid for 3 years from the date of issuance.

(2) Comply with the Accreditation

Body policies for Conflict of Interest, Code of Professional Conduct, and Ethics as set forth in § 170.8(b)(17).

(3) Complete a Tier 3 background

investigation resulting in a determination of national security eligibility. This Tier 3 background investigation will not result in a security clearance and is not being executed for the purpose of government employment. The Tier 3 background investigation is initiated using the Standard Form (SF) 86 (www.gsa.gov/reference/forms/

questionnaire-for-national-security- positions). These positions are designated as non-critical sensitive with a risk designation of ‘‘Moderate Risk’’ in accordance with 5 CFR 1400.201(b) and (d) and the investigative requirements of 5 CFR 731.106(c)(2).

(4) Meet the equivalent of a favorably

adjudicated Tier 3 background investigation when not eligible to obtain a Tier 3 background investigation. DoD will determine the Tier 3 background investigation equivalence for use with the CMMC Program only.

(5) Provide all documentation and

records in English.

(6) Not share any information about

an OSC obtained during CMMC pre- assessment and assessment activities with any person not involved with that specific assessment, except as otherwise required by law.

'Subpart D—Key Elements of the CMMC Program '

§ 170.14

'CMMC Model. '

(a) Overview. The CMMC Model

incorporates the security requirements from:

(1) 48 CFR 52.204–21, Basic

Safeguarding of Covered Contractor Information Systems;

(2) NIST SP 800–171 R2, Protecting

Controlled Unclassified Information in Nonfederal Systems and Organizations (incorporated by reference, see § 170.2); and

(3) Selected security requirements

from NIST SP 800–172 Feb2021, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800–171 (incorporated by reference, see § 170.2).

(b) CMMC domains. The CMMC

Model consists of domains that map to the Security Requirement Families defined in NIST SP 800–171 R2 (incorporated by reference, see § 170.2).

(c) CMMC level requirements. CMMC

Levels 1–3 utilize the safeguarding requirements and security requirements specified in 48 CFR 52.204–21 (for Level 1), NIST SP 800–171 R2 (incorporated by reference, see § 170.2) (for Level 2), and selected security requirements from NIST SP 800–172 Feb2021 (incorporated by reference, see § 170.2) (for Level 3). This paragraph discusses the numbering scheme and the security requirements for each level.

(1) Numbering. Each security

requirement has an identification number in the format—DD.L#-REQ— where:

(i) DD is the two-letter domain

abbreviation;

(ii) L# is the CMMC level number; and

VerDate Sep<11>2014

18:51 Oct 11, 2024

Jkt 265001

PO 00000

Frm 00135

Fmt 4701

Sfmt 4700

E:\FR\FM\15OCR2.SGM

15OCR2

khammond on DSKJM1Z7X2PROD with RULES2

'83226 '

'Federal Register '/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations

(iii) REQ is the 48 CFR 52.204–21

paragraph number, NIST SP 800–171 R2 requirement number, or NIST SP 800– 172 Feb2021 requirement number.

(2) CMMC Level 1 security

requirements. The security requirements in CMMC Level 1 are those set forth in 48 CFR 52.204–21(b)(1)(i) through (xv).

(3) CMMC Level 2 security

requirements. The security requirements in CMMC Level 2 are identical to the requirements in NIST SP 800–171 R2.

(4) CMMC Level 3 security

requirements. The security requirements in CMMC Level 3 are selected from NIST SP 800–172 Feb2021, and where

applicable, Organization-Defined Parameters (ODPs) are assigned. Table 1 to this paragraph identifies the selected requirements and applicable ODPs that represent the CMMC Level 3 security requirements. ODPs for the NIST SP 800–172 Feb2021 requirements are italicized, where applicable:

TABLE 1 TO § 170.14(c)(4)

Security requirement No.*

CMMC Level 3 security requirements

(selected NIST SP 800–172 Feb2021 security requirement with DoD ODPs italicized)

(i) AC.L3–3.1.2e .......................

Restrict access to systems and system components to only those information resources that are owned,

provisioned, or issued by the organization.

(ii) AC.L3–3.1.3e ......................

Employ secure information transfer solutions to control information flows between security domains on con-

nected systems.

(iii) AT.L3–3.2.1e .....................

Provide awareness training upon initial hire, following a significant cyber event, and at least annually, focused

on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training at least annually or when there are significant changes to the threat.

(iv) AT.L3–3.2.2e .....................

Include practical exercises in awareness training for all users, tailored by roles, to include general users, users

with specialized roles, and privileged users, that are aligned with current threat scenarios and provide feed-back to individuals involved in the training and their supervisors.

(v) CM.L3–3.4.1e .....................

Establish and maintain an authoritative source and repository to provide a trusted source and accountability for

approved and implemented system components.

(vi) CM.L3–3.4.2e ....................

Employ automated mechanisms to detect misconfigured or unauthorized system components; after detection,

remove the components or place the components in a quarantine or remediation network to facilitate patching, re-configuration, or other mitigations.

(vii) CM.L3–3.4.3e ...................

Employ automated discovery and management tools to maintain an up-to-date, complete, accurate, and readily

available inventory of system components.

(viii) IA.L3–3.5.1e .....................

Identify and authenticate systems and system components, where possible, before establishing a network con-

nection using bidirectional authentication that is cryptographically based and replay resistant.

(ix) IA.L3–3.5.3e ......................

Employ automated or manual/procedural mechanisms to prohibit system components from connecting to orga-

nizational systems unless the components are known, authenticated, in a properly configured state, or in a trust profile.

(x) IR.L3–3.6.1e .......................

Establish and maintain a security operations center capability that operates 24/7, with allowance for remote/on-

call staff.

(xi) IR.L3–3.6.2e ......................

Establish and maintain a cyber-incident response team that can be deployed by the organization within 24

hours.

(xii) PS.L3–3.9.2e ....................

Ensure that organizational systems are protected if adverse information develops or is obtained about individ-

uals with access to CUI.

(xiii) RA.L3–3.11.1e .................

Employ threat intelligence, at a minimum from open or commercial sources, and any DoD-provided sources, as

part of a risk assessment to guide and inform the development of organizational systems, security architec-tures, selection of security solutions, monitoring, threat hunting, and response and recovery activities.

(xiv) RA.L3–3.11.2e .................

Conduct cyber threat hunting activities on an on-going aperiodic basis or when indications warrant, to search

for indicators of compromise in organizational systems and detect, track, and disrupt threats that evade exist-ing controls.

(xv) RA.L3–3.11.3e ..................

Employ advanced automation and analytics capabilities in support of analysts to predict and identify risks to or-

ganizations, systems, and system components.

(xvi) RA.L3–3.11.4e .................

Document or reference in the system security plan the security solution selected, the rationale for the security

solution, and the risk determination.

(xvii) RA.L3–3.11.5e ................

Assess the effectiveness of security solutions at least annually or upon receipt of relevant cyber threat informa-

tion, or in response to a relevant cyber incident, to address anticipated risk to organizational systems and the organization based on current and accumulated threat intelligence.

(xviii) RA.L3–3.11.6e ...............

Assess, respond to, and monitor supply chain risks associated with organizational systems and system compo-

nents.

(xix) RA.L3–3.11.7e .................

Develop a plan for managing supply chain risks associated with organizational systems and system compo-

nents; update the plan at least annually, and upon receipt of relevant cyber threat information, or in response to a relevant cyber incident.

(xx) CA.L3–3.12.1e ..................

Conduct penetration testing at least annually or when significant security changes are made to the system,

leveraging automated scanning tools and ad hoc tests using subject matter experts.

(xxi) SC.L3–3.13.4e .................

Employ physical isolation techniques or logical isolation techniques or both in organizational systems and sys-

tem components.

(xxii) SI.L3–3.14.1e ..................

Verify the integrity of security critical and essential software using root of trust mechanisms or cryptographic

signatures.

(xxiii) SI.L3–3.14.3e .................

Ensure that specialized assets including IoT, IIoT, OT, GFE, Restricted Information Systems, and test equip-

ment are included in the scope of the specified enhanced security requirements or are segregated in pur-pose-specific networks.

(xxiv) SI.L3–3.14.6e .................

Use threat indicator information and effective mitigations obtained from, at a minimum, open or commercial

sources, and any DoD-provided sources, to guide and inform intrusion detection and threat hunting.

Roman numerals in parentheses before the Security Requirement are for numbering purposes only. The numerals are not part of the naming

convention for the requirement.

VerDate Sep<11>2014

18:51 Oct 11, 2024

Jkt 265001

PO 00000

Frm 00136

Fmt 4701

Sfmt 4700

E:\FR\FM\15OCR2.SGM

15OCR2

khammond on DSKJM1Z7X2PROD with RULES2

'83227 '

'Federal Register '/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations

(d) Implementation. Assessment of

security requirements is prescribed by NIST SP 800–171A Jun2018 (incorporated by reference, see § 170.2) and NIST SP 800–172A Mar2022 (incorporated by reference, see § 170.2). Descriptive text in these documents support OSA implementation of the security requirements and use the terms organization-defined and periodically. Except where referring to Organization- Defined Parameters (ODPs), organization-defined means as determined by the OSA. Periodically means occurring at regular intervals. As used in many requirements within CMMC, the interval length is organization-defined to provided contractor flexibility, with an interval length of no more than one year.

§ 170.15

'CMMC Level 1 self-assessment '

'and affirmation requirements. '

(a) Level 1 self-assessment. To comply

with CMMC Level 1 self-assessment requirements, the OSA must meet the requirements detailed in paragraphs (a)(1) and (2) of this section. An OSA conducts a Level 1 self-assessment as detailed in paragraph (c) of this section to achieve a CMMC Status of Final Level 1 (Self).

(1) Level 1 self-assessment

requirements. The OSA must complete

and achieve a MET result for all security requirements specified in § 170.14(c)(2) to achieve the CMMC Status of Final Level 1 (Self). No POA&Ms are permitted for CMMC Level 1. The OSA must conduct a self-assessment in accordance with the procedures set forth in § 170.15(c)(1) and submit assessment results in SPRS. To maintain compliance with the requirements for the CMMC Status of Final Level 1 (Self), the OSA must conduct a Level 1 self- assessment on an annual basis and submit the results in SPRS, or its successor capability.

(i) Inputs to SPRS. The Level 1 self-

assessment results in the Supplier Performance Risk System (SPRS) shall include, at minimum, the following items:

(A) CMMC Level. (B) CMMC Status Date. (C) CMMC Assessment Scope. (D) All industry CAGE code(s)

associated with the information system(s) addressed by the CMMC Assessment Scope.

(E) Compliance result. (ii) [Reserved] (2) Affirmation. Affirmation of the

Level 1 (Self) CMMC Status is required for all Level 1 self-assessments. Affirmation procedures are set forth in § 170.22.

(b) Contract eligibility. Prior to award

of any contract or subcontract with a requirement for the CMMC Status of Level 1 (Self), OSAs must both achieve a CMMC Status of Level 1 (Self) and have submitted an affirmation of compliance into SPRS for all information systems within the CMMC Assessment Scope.

(c) Procedures—(1) Level 1 self-

assessment. The OSA must conduct a Level 1 self-assessment scored in accordance with the CMMC Scoring Methodology described in § 170.24. The Level 1 self-assessment must be performed in accordance with the CMMC Level 1 scope requirements set forth in § 170.19(a) and (b) and the following:

(i) The Level 1 self-assessment must

be performed using the objectives defined in NIST SP 800–171A Jun2018 (incorporated by reference, see § 170.2) for the security requirement that maps to the CMMC Level 1 security requirement as specified in table 1 to paragraph (c)(1)(ii) of this section. In any case where an objective addresses CUI, FCI should be substituted for CUI in the objective.

(ii) Mapping table for CMMC Level 1

security requirements to the NIST SP 800–171A Jun2018 objectives.

TABLE 2 TO § 170.15(c)(1)(ii)—CMMC LEVEL 1 SECURITY REQUIREMENTS MAPPED TO NIST SP 800–171A JUN2018

CMMC Level 1 security requirements as set forth in § 170.14(c)(2)

NIST SP 800–171A Jun2018

AC.L1–b.1.i ..................................................................................................................................................................

3.1.1

AC.L1–b.1.ii .................................................................................................................................................................

3.1.2

AC.L1–b.1.iii .................................................................................................................................................................

3.1.20

AC.L1–b.1.iv ................................................................................................................................................................

3.1.22

IA.L1–b.1.v ...................................................................................................................................................................

3.5.1

IA.L1–b.1.vi ..................................................................................................................................................................

3.5.2

MP.L1–b.1.vii ...............................................................................................................................................................

3.8.3

PE.L1–b.1.viii ...............................................................................................................................................................

3.10.1

First phrase of PE.L1–b.1.ix (FAR b.1.ix *) .................................................................................................................

3.10.3

Second phrase of PE.L1–b.1.ix (FAR b.1.ix *) ............................................................................................................

3.10.4

Third phrase of PE.L1–b.1.ix (FAR b.1.ix *) ................................................................................................................

3.10.5

SC.L1–b.1.x .................................................................................................................................................................

3.13.1

SC.L1–b.1.xi ................................................................................................................................................................

3.13.5

SI.L1–b.1.xii .................................................................................................................................................................

3.14.1

SI.L1–b.1.xiii ................................................................................................................................................................

3.14.2

SI.L1–b.1.xiv ................................................................................................................................................................

3.14.4

SI.L1–b.1.xv .................................................................................................................................................................

3.14.5

Three of the 48 CFR 52.204–21 requirements were broken apart by ‘‘phrase’’ when NIST SP 800–171 R2 was developed.

(iii) Additional guidance can be found

in the guidance document listed in paragraph (b) of appendix A to this part.

(2) Artifact retention. The artifacts

used as evidence for the assessment must be retained by the OSA for six (6) years from the CMMC Status Date.

§ 170.16

'CMMC Level 2 self-assessment '

'and affirmation requirements. '

(a) Level 2 self-assessment. To comply

with Level 2 self-assessment

requirements, the OSA must meet the requirements detailed in paragraphs (a)(1) and (2) of this section. An OSA conducts a Level 2 self-assessment as detailed in paragraph (c) of this section to achieve a CMMC Status of either Conditional or Final Level 2 (Self). Achieving a CMMC Status of Level 2 (Self) also satisfies the requirements for a CMMC Status of Level 1 (Self) detailed

in § 170.15 for the same CMMC Assessment Scope.

(1) Level 2 self-assessment

requirements. The OSA must complete and achieve a MET result for all security requirements specified in § 170.14(c)(3) to achieve the CMMC Status of Level 2 (Self). The OSA must conduct a self- assessment in accordance with the procedures set forth in paragraph (c)(1) of this section and submit assessment

VerDate Sep<11>2014

18:51 Oct 11, 2024

Jkt 265001

PO 00000

Frm 00137

Fmt 4701

Sfmt 4700

E:\FR\FM\15OCR2.SGM

15OCR2

khammond on DSKJM1Z7X2PROD with RULES2

'83228 '

'Federal Register '/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations

results in Supplier Performance Risk System (SPRS). To maintain compliance with the requirements for a CMMC Status of Level 2 (Self), the OSA must conduct a Level 2 self-assessment every three years and submit the results in SPRS, within three years of the CMMC Status Date associated with the Conditional Level 2 (Self).

(i) Inputs to SPRS. The Level 2 self-

assessment results in the SPRS shall include, at minimum, the following information:

(A) CMMC Level. (B) CMMC Status Date. (C) CMMC Assessment Scope. (D) All industry CAGE code(s)

associated with the information system(s) addressed by the CMMC Assessment Scope.

(E) Overall Level 2 self-assessment

score (e.g., 105 out of 110).

(F) POA&M usage and compliance

status, if applicable.

(ii) Conditional Level 2 (Self). The

OSA has achieved the CMMC Status of Conditional Level 2 (Self) if the Level 2 self-assessment results in a POA&M and the POA&M meets all the CMMC Level 2 POA&M requirements listed in § 170.21(a)(2).

(A) Plan of Action and Milestones. A

Level 2 POA&M is allowed only in accordance with the CMMC POA&M requirements listed in § 170.21.

(B) POA&M closeout. The OSA must

remediate any NOT MET requirements, must perform a POA&M closeout self- assessment, and must post compliance results to SPRS within 180 days of the CMMC Status Date associated with the Conditional Level 2 (Self). If the POA&M is not successfully closed out within the 180-day timeframe, the Conditional Level 2 (Self) CMMC Status for the information system will expire. If Conditional Level 2 (Self) CMMC Status expires within the period of performance of a contract, standard contractual remedies will apply, and the OSA will be ineligible for additional awards with a requirement for the CMMC Status of Level 2 (Self), or higher requirement, for the information system within the CMMC Assessment Scope until such time as a new CMMC Status is achieved.

(iii) Final Level 2 (Self). The OSA has

achieved the CMMC Status of Final Level 2 (Self) if the Level 2 self- assessment results in a passing score as defined in § 170.24. This score may be achieved upon initial self-assessment or as the result of a POA&M closeout self- assessment, as applicable.

(iv) CMMC Status investigation. The

DoD reserves the right to conduct a DCMA DIBCAC assessment of the OSA, as provided for under the 48 CFR

252.204–7020. If the investigative results of a subsequent DCMA DIBCAC assessment show that adherence to the provisions of this part have not been achieved or maintained, these DCMA DIBCAC results will take precedence over any pre-existing CMMC Status. At that time, standard contractual remedies will be available and the OSA will be ineligible for additional awards with CMMC Status requirement of Level 2 (Self), or higher requirement, for the information system within the CMMC Assessment Scope until such time as a new CMMC Status is achieved.

(2) Affirmation. Affirmation of the

Level 2 (Self) CMMC Status is required for all Level 2 self-assessments at the time of each assessment, and annually thereafter. Affirmation procedures are set forth in § 170.22.

(b) Contract eligibility. Prior to award

of any contract or subcontract with requirement for CMMC Status of Level 2 (Self), the following two requirements must be met:

(1) The OSA must achieve, as

specified in paragraph (a)(1) of this section, a CMMC Status of either Conditional Level 2 (Self) or Final Level 2 (Self).

(2) The OSA must submit an

affirmation of compliance into SPRS, as specified in paragraph (a)(2) of this section.

(c) Procedures—(1) Level 2 self-

assessment of the OSA. The OSA must conduct a Level 2 self-assessment in accordance with NIST SP 800–171A Jun2018 (incorporated by reference, see § 170.2) and the CMMC Level 2 scoping requirements set forth in §§ 170.19(a) and (c) for the information systems within the CMMC Assessment Scope. The Level 2 self-assessment must be scored in accordance with the CMMC Scoring Methodology described in § 170.24 and the OSA must upload the results into SPRS. If a POA&M exists, a POA&M closeout self-assessment must be performed by the OSA when all NOT MET requirements have been remediated. The POA&M closeout self- assessment must be performed within 180-days of the Conditional CMMC Status Date. Additional guidance can be found in the guidance document listed in paragraph (c) of appendix A to this part.

(2) Level 2 self-assessment with the

use of Cloud Service Provider (CSP). An OSA may use a cloud environment to process, store, or transmit CUI in performance of a contract or subcontract with a requirement for the CMMC Status of Level 2 (Self) under the following circumstances:

(i) The CSP product or service offering

is FedRAMP Authorized at the

FedRAMP Moderate (or higher) baseline in accordance with the FedRAMP Marketplace; or

(ii) The CSP product or service

offering is not FedRAMP Authorized at the FedRAMP Moderate (or higher) baseline but meets security requirements equivalent to those established by the FedRAMP Moderate (or higher) baseline. FedRAMP Moderate or FedRAMP Moderate equivalent is in accordance with DoD Policy.

(iii) In accordance with § 170.19(c)(2),

the OSA’s on-premises infrastructure connecting to the CSP’s product or service offering is part of the CMMC Assessment Scope, which will also be assessed. As such, the security requirements from the Customer Responsibility Matrix (CRM) must be documented or referred to in the OSA’s System Security Plan (SSP).

(3) Level 2 self-assessment with the

use of an External Service Provider (ESP), not a CSP. An OSA may use an ESP that is not a CSP to process, store, or transmit CUI in performance of a contract or subcontract with a requirement for the CMMC Status of Level 2 (Self) under the following circumstances:

(i) The use of the ESP, its relationship

to the OSA, and the services provided are documented in the OSA’s SSP and described in the ESP’s service description and CRM.

(ii) The ESP services used to meet

OSA requirements are assessed within the scope of the OSA’s assessment against all Level 2 security requirements.

(iii) In accordance with § 170.19(c)(2),

the OSA’s on-premises infrastructure connecting to the ESP’s product or service offering is part of the CMMC Assessment Scope, which will also be assessed. As such, the security requirements from the CRM must be documented or referred to in the OSA’s SSP.

(4) Artifact retention. The artifacts

used as evidence for the assessment must be retained by the OSA for six (6) years from the CMMC Status Date.

§ 170.17

'CMMC Level 2 certification '

'assessment and affirmation requirements. '

(a) Level 2 certification assessment.

To comply with Level 2 certification assessment requirements, the OSC must meet the requirements set forth in paragraphs (a)(1) and (2) of this section. An OSC undergoes a Level 2 certification assessment as detailed in paragraph (c) of this section to achieve a CMMC Status of either Conditional or Final Level 2 (C3PAO). Achieving a CMMC Status of Level 2 (C3PAO) also

VerDate Sep<11>2014

18:51 Oct 11, 2024

Jkt 265001

PO 00000

Frm 00138

Fmt 4701

Sfmt 4700

E:\FR\FM\15OCR2.SGM

15OCR2

khammond on DSKJM1Z7X2PROD with RULES2

'83229 '

'Federal Register '/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations

satisfies the requirements for a CMMC Statuses of Level 1 (Self) and Level 2 (Self) set forth in §§ 170.15 and 170.16 respectively for the same CMMC Assessment Scope.

(1) Level 2 certification assessment

requirements. The OSC must complete and achieve a MET result for all security requirements specified in § 170.14(c)(3) to achieve the CMMC Status of Level 2 (C3PAO). The OSC must obtain a Level 2 certification assessment from an authorized or accredited C3PAO following the procedures outlined in paragraph (c) of this section. The C3PAO must submit the Level 2 certification assessment results into the CMMC instantiation of eMASS, which then provides automated transmission to SPRS. To maintain compliance with the requirements for a CMMC Status of Level 2 (C3PAO), the Level 2 certification assessment must be completed within three years of the CMMC Status Date associated with the Conditional Level 2 (C3PAO).

(i) Inputs into the CMMC instantiation

of eMASS. The Level 2 certification assessment results input into the CMMC instantiation of eMASS shall include, at minimum, the following information:

(A) Date and level of the assessment. (B) C3PAO name. (C) Assessment unique identifier. (D) For each Assessor conducting the

assessment, name and business contact information.

(E) All industry CAGE codes

associated with the information systems addressed by the CMMC Assessment Scope.

(F) The name, date, and version of the

SSP.

(G) CMMC Status Date. (H) Assessment result for each

requirement objective.

(I) POA&M usage and compliance, as

applicable.

(J) List of the artifact names, the

return value of the hashing algorithm, and the hashing algorithm used.

(ii) Conditional Level 2 (C3PAO). The

OSC has achieved the CMMC Status of Conditional Level 2 (C3PAO) if the Level 2 certification assessment results in a POA&M and the POA&M meets all CMMC Level 2 POA&M requirements listed in § 170.21(a)(2).

(A) Plan of Action and Milestones. A

Level 2 POA&M is allowed only in accordance with the CMMC POA&M requirements listed in § 170.21.

(B) POA&M closeout. The OSC must

remediate any NOT MET requirements, must undergo a POA&M closeout certification assessment from a C3PAO, and the C3PAO must post compliance results into the CMMC instantiation of eMASS within 180 days of the CMMC

Status Date associated with the Conditional Level 2 (C3PAO). If the POA&M is not successfully closed out within the 180-day timeframe, the Conditional Level 2 (C3PAO) CMMC Status for the information system will expire. If Conditional Level 2 (C3PAO) CMMC Status expires within the period of performance of a contract, standard contractual remedies will apply, and the OSC will be ineligible for additional awards with a requirement for the CMMC Status of Level 2 (C3PAO), or higher requirement, for the information system within the CMMC Assessment Scope until such time as a new CMMC Status is achieved.

(iii) Final Level 2 (C3PAO). The OSC

has achieved the CMMC Status of Final Level 2 (C3PAO) if the Level 2 certification assessment results in a passing score as defined in § 170.24. This score may be achieved upon initial certification assessment or as the result of a POA&M closeout certification assessment, as applicable.

(iv) CMMC Status investigation. The

DoD reserves the right to conduct a DCMA DIBCAC assessment of the OSC, as provided for under the 48 CFR 252.204–7020. If the investigative results of a subsequent DCMA DIBCAC assessment show that adherence to the provisions of this part have not been achieved or maintained, these DCMA DIBCAC results will take precedence over any pre-existing CMMC Status. At that time, standard contractual remedies will be available and the OSC will be ineligible for additional awards with CMMC Status requirement of Level 2 (C3PAO), or higher requirement, for the information system within the CMMC Assessment Scope until such time as a new CMMC Status is achieved.

(2) Affirmation. Affirmation of the

Level 2 (C3PAO) CMMC Status is required for all Level 2 certification assessments at the time of each assessment, and annually thereafter. Affirmation procedures are provided in § 170.22.

(b) Contract eligibility. Prior to award

of any contract or subcontract with a requirement for the CMMC Status of Level 2 (C3PAO), the following two requirements must be met:

(1) The OSC must achieve, as

specified in paragraph (a)(1) of this section, a CMMC Status of either Conditional Level 2 (C3PAO) or Final Level 2 (C3PAO).

(2) The OSC must submit an

affirmation of compliance into SPRS, as specified in paragraph (a)(2) of this section.

(c) Procedures—(1) Level 2

certification assessment of the OSC. An authorized or accredited C3PAO must

perform a Level 2 certification assessment in accordance with NIST SP 800–171A Jun2018 (incorporated by reference, see § 170.2) and the CMMC Level 2 scoping requirements set forth in § 170.19(a) and (c) for the information systems within the CMMC Assessment Scope. The Level 2 certification assessment must be scored in accordance with the CMMC Scoring Methodology described in § 170.24 and the C3PAO must upload the results into the CMMC instantiation of eMASS. Final results are communicated to the OSC through a CMMC Assessment Findings Report.

(2) Security requirement re-

evaluation. A security requirement that is NOT MET (as defined in § 170.24) may be re-evaluated during the course of the Level 2 certification assessment and for 10 business days following the active assessment period if all of the following conditions exist:

(i) Additional evidence is available to

demonstrate the security requirement has been MET;

(ii) Cannot change or limit the

effectiveness of other requirements that have been scored MET; and

(iii) The CMMC Assessment Findings

Report has not been delivered.

(3) POA&M. If a POA&M exists, a

POA&M closeout certification assessment must be performed by a C3PAO within 180-days of the Conditional CMMC Status Date. Additional guidance can be found in § 170.21 and in the guidance document listed in paragraph (c) of appendix A to this part.

(4) Artifact retention and integrity.

The hashed artifacts used as evidence for the assessment must be retained by the OSC for six (6) years from the CMMC Status Date. To ensure that the artifacts have not been altered, the OSC must hash the artifact files using a NIST-approved hashing algorithm. The OSC must provide the C3PAO with a list of the artifact names, the return value of the hashing algorithm, and the hashing algorithm for upload into the CMMC instantiation of eMASS. Additional guidance for hashing artifacts can be found in the guidance document listed in paragraph (h) of appendix A to this part.

(5) Level 2 certification assessment

with the use of Cloud Service Provider (CSP). An OSC may use a cloud environment to process, store, or transmit CUI in performance of a contract or subcontract with a requirement for the CMMC Status of Level 2 (C3PAO) under the following circumstances:

(i) The CSP product or service offering

is FedRAMP Authorized at the

VerDate Sep<11>2014

18:51 Oct 11, 2024

Jkt 265001

PO 00000

Frm 00139

Fmt 4701

Sfmt 4700

E:\FR\FM\15OCR2.SGM

15OCR2

khammond on DSKJM1Z7X2PROD with RULES2

'83230 '

'Federal Register '/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations

FedRAMP Moderate (or higher) baseline in accordance with the FedRAMP Marketplace; or

(ii) The CSP product or service

offering is not FedRAMP Authorized at the FedRAMP Moderate (or higher) baseline but meets security requirements equivalent to those established by the FedRAMP Moderate (or higher) baseline. FedRAMP Moderate or FedRAMP Moderate equivalent is in accordance with DoD Policy.

(iii) In accordance with § 170.19(c)(2),

the OSC’s on-premises infrastructure connecting to the CSP’s product or service offering is part of the CMMC Assessment Scope. As such, the security requirements from the CRM must be documented or referred to in the OSC’s SSP.

(6) Level 2 certification assessment

with the use of an External Service Provider (ESP), not a CSP. An OSA may use an ESP that is not a CSP to process, store, or transmit CUI in performance of a contract or subcontract with a requirement for the CMMC Status of Level 2 (C3PAO) under the following circumstances:

(i) The use of the ESP, its relationship

to the OSA, and the services provided are documented in the OSA’s SSP and described in the ESP’s service description and customer responsibility matrix.

(ii) The ESP services used to meet

OSA requirements are assessed within the scope of the OSA’s assessment against all Level 2 security requirements.

(iii) In accordance with § 170.19(c)(2),

the OSA’s on-premises infrastructure connecting to the ESP’s product or service offering is part of the CMMC Assessment Scope, which will also be assessed. As such, the security requirements from the CRM must be documented or referred to in the OSA’s SSP.

§ 170.18

'CMMC Level 3 certification '

'assessment and affirmation requirements. '

(a) Level 3 certification assessment.

To comply with Level 3 certification assessment requirements, the OSC must meet the requirements set forth in paragraphs (a)(1) and (2) of this section. An OSC undergoes a Level 3 certification assessment as detailed in paragraph (c) of this section to achieve a CMMC Status of either Conditional or Final Level 3 (DIBCAC). A CMMC Status of Final Level 2 (C3PAO) for information systems within the Level 3 CMMC Assessment Scope is a prerequisite to undergo a Level 3 certification assessment. CMMC Level 3 recertification also has a prerequisite for

a new CMMC Level 2 assessment. Achieving a CMMC Status of Level 3 (DIBCAC) also satisfies the requirements for CMMC Statuses of Level 1 (Self), Level 2 (Self), and Level 2 (C3PAO) set forth in §§ 170.15 through 170.17 respectively for the same CMMC Assessment Scope.

(1) Level 3 certification assessment

requirements. The OSC must achieve a CMMC Status of Final Level 2 (C3PAO) on the Level 3 CMMC Assessment Scope, as defined in § 170.19(d), prior to initiating a Level 3 certification assessment, which will be performed by DCMA DIBCAC ( www.dcma.mil/ DIBCAC) on behalf of the DoD. The OSC must complete and achieve a MET result for all security requirements specified in table 1 to § 170.14(c)(4) to achieve the CMMC Status of Level 3 (DIBCAC). DCMA DIBCAC will submit the Level 3 certification assessment results into the CMMC instantiation of eMASS, which then provides automated transmission to SPRS. To maintain compliance with the requirements for a CMMC Status of Level 3 (DIBCAC), the Level 3 certification assessment must be performed every three years for all information systems within the Level 3 CMMC Assessment Scope. In addition, given that compliance with Level 2 requirements is a prerequisite for applying for CMMC Level 3, a Level 2 (C3PAO) certification assessment must also be conducted every three years to maintain CMMC Level 3 (DIBCAC) status. Level 3 certification assessment must be completed within three years of the CMMC Status Date associated with the Final Level 3 (DIBCAC) or, if there was a POA&M, then within three years of the CMMC Status Date associated with the Conditional Level 3 (DIBCAC).

(i) Inputs into the CMMC instantiation

of eMASS. The Level 3 certification assessment results input into the CMMC instantiation of eMASS shall include, at minimum, the following items:

(A) Date and level of the assessment. (B) For each Assessor(s) conducting

the assessment, name and government organization information.

(C) All industry CAGE code(s)

associated with the information system(s) addressed by the CMMC Assessment Scope.

(D) The name, date, and version of the

system security plan(s) (SSP).

(E) CMMC Status Date. (F) Result for each security

requirement objective.

(G) POA&M usage and compliance, as

applicable.

(H) List of the artifact names, the

return value of the hashing algorithm, and the hashing algorithm used.

(ii) Conditional Level 3 (DIBCAC). The

OSC has achieved the CMMC Status of Conditional Level 3 (DIBCAC) if the Level 3 certification assessment results in a POA&M and the POA&M meets all CMMC Level 3 POA&M requirements listed in § 170.21(a)(3).

(A) Plan of Action and Milestones. A

Level 3 POA&M is allowed only in accordance with the CMMC POA&M requirements listed in § 170.21.

(B) POA&M closeout. The OSC must

remediate any NOT MET requirements, must undergo a POA&M closeout certification assessment from DCMA DIBCAC, and DCMA DIBCAC must post compliance results into the CMMC instantiation of eMASS within 180 days of the CMMC Status Date associated with the Conditional Level 3 (DIBCAC). If the POA&M is not successfully closed out within the 180-day timeframe, the Conditional Level 3 (DIBAC) CMMC Status for the information system will expire. If Conditional Level 3 (DIBCAC) CMMC Status expires within the period of performance of a contract, standard contractual remedies will apply, and the OSC will be ineligible for additional awards with a requirement for the CMMC Status of Level 3 (DIBCAC) for the information system within the CMMC Assessment Scope until such time as a new CMMC Status is achieved.

(iii) Final Level 3 (DIBCAC). The OSC

has achieved the CMMC Status of Final Level 3 (DIBCAC) if the Level 3 certification assessment results in a passing score as defined in § 170.24. This score may be achieved upon initial certification assessment or as the result of a POA&M closeout certification assessment, as applicable.

(iv) CMMC Status investigation. The

DoD reserves the right to conduct a DCMA DIBCAC assessment of the OSC, as provided for under the 48 CFR 252.204–7020. If the investigative results of a subsequent DCMA DIBCAC assessment show that adherence to the provisions of this part have not been achieved or maintained, these DCMA DIBCAC results will take precedence over any pre-existing CMMC Status. At that time, standard contractual remedies will be available and the OSC will be ineligible for additional awards with CMMC Status requirement of Level 3 (DIBCAC) for the information system within the CMMC Assessment Scope until such time as a new CMMC Status is achieved.

(2) Affirmation. Affirmation of the

Level 3 (DIBCAC) CMMC Status is required for all Level 3 certification assessments at the time of each assessment, and annually thereafter. Affirmation procedures are provided in § 170.22.

VerDate Sep<11>2014

18:51 Oct 11, 2024

Jkt 265001

PO 00000

Frm 00140

Fmt 4701

Sfmt 4700

E:\FR\FM\15OCR2.SGM

15OCR2

khammond on DSKJM1Z7X2PROD with RULES2

'83231 '

'Federal Register '/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations

(b) Contract eligibility. Prior to award

of any contract or subcontract with requirement for CMMC Status of Level 3 (DIBCAC), the following two requirements must be met:

(1) The OSC must achieve, as

specified in paragraph (a)(1) of this section, a CMMC Status of either Conditional Level 3 (DIBCAC) or Final Level 3 (DIBCAC).

(2) The OSC must submit an

affirmation of compliance into SPRS, as specified in paragraph (a)(2) of this section.

(c) Procedures—(1) Level 3

certification assessment of the OSC. The CMMC Level 3 certification assessment process includes:

(i) Final Level 2 (C3PAO). The OSC

must achieve a CMMC Status of Final Level 2 (C3PAO) for information systems within the Level 3 CMMC Assessment Scope prior to the CMMC Level 3 certification assessment. The CMMC Assessment Scope for the Level 3 certification assessment must be equal to, or a subset of, the CMMC Assessment Scope associated with the OSC’s Final Level 2 (C3PAO). Asset requirements differ for each CMMC Level. Scoping differences are set forth in § 170.19.

(ii) Initiating the Final Level 3

(DIBCAC). The OSC (including ESPs that voluntarily elect to undergo a Level 3 certification assessment) initiates a Level 3 certification assessment by emailing a request to DCMA DIBCAC point of contact found at www.dcma.mil/DIBCAC. The request must include the Level 2 certification assessment unique identifier. DCMA DIBCAC will validate the OSC has achieved a CMMC Status of Level 2 (C3PAO) and will contact the OSC to schedule their Level 3 certification assessment.

(iii) Conducting the Final Level 3

(DIBCAC). DCMA DIBCAC will perform a Level 3 certification assessment in accordance with NIST SP 800–171A Jun2018 (incorporated by reference, see § 170.2) and NIST SP 800–172A Mar2022 (incorporated by reference, see § 170.2) and the CMMC Level 3 scoping requirements set forth in § 170.19(d) for the information systems within the CMMC Assessment Scope. The Level 3 certification assessment will be scored in accordance with the CMMC Scoring Methodology set forth in § 170.24 and DCMA DIBCAC will upload the results into the CMMC instantiation of eMASS. Final results are communicated to the OSC through a CMMC Assessment Findings Report. For assets that changed asset category (i.e., CRMA to CUI Asset) or assessment requirements (i.e., Specialized Assets) between the Level 2 and Level 3 certification assessments,

DCMA DIBCAC will perform limited checks of Level 2 security requirements. If the OSC had these upgraded asset categories included in their Level 2 certification assessment, then DCMA DIBCAC may still perform limited checks for compliance. If DCMA DIBCAC identifies that a Level 2 security requirement is NOT MET, the Level 3 assessment process may be paused to allow for remediation, placed on hold, or immediately terminated.

(2) Security requirement re-

evaluation. A security requirement that is NOT MET (as defined in § 170.24) may be re-evaluated during the course of the Level 3 certification assessment and for 10 business days following the active assessment period if all of the following conditions exist:

(i) Additional evidence is available to

demonstrate the security requirement has been MET;

(ii) The additional evidence does not

materially impact previously assessed security requirements; and

(iii) The CMMC Assessment Findings

Report has not been delivered.

(3) POA&M. If a POA&M exists, a

POA&M closeout certification assessment will be performed by DCMA DIBCAC within 180-days of the Conditional CMMC Status Date. Additional guidance is located in § 170.21 and in the guidance document listed in paragraph (d) of appendix A to this part.

(4) Artifact retention and integrity.

The hashed artifacts used as evidence for the assessment must be retained by the OSC for six (6) years from the CMMC Status Date. The hashed artifacts used as evidence for the assessment must be retained by the OSC for six (6) years from the CMMC Status Date. To ensure that the artifacts have not been altered, the OSC must hash the artifact files using a NIST-approved hashing algorithm. Assessors will collect the list of the artifact names, the return value of the hashing algorithm, and the hashing algorithm used and upload that data into the CMMC instantiation of eMASS. Additional guidance for hashing artifacts can be found in the guidance document listed in paragraph (h) of appendix A to this part.

(5) Level 3 certification assessment

with the use of Cloud Service Provider (CSP). An OSC may use a cloud environment to process, store, or transmit CUI in performance of a contract or subcontract with a requirement for the CMMC Status of Level 3 (DIBCAC) under the following circumstances:

(i) The OSC may utilize a CSP product

or service offering that meets the FedRAMP Moderate (or higher)

baseline. If the CSP’s product or service offering is not FedRAMP Authorized at the FedRAMP Moderate (or higher) baseline, the product or service offering must meet security requirements equivalent to those established by the FedRAMP Moderate (or higher) baseline in accordance with DoD Policy.

(ii) Use of a CSP does not relieve an

OSC of its obligation to implement the 24 Level 3 security requirements. These 24 requirements apply to every environment where the CUI data is processed, stored, or transmitted, when Level 3 (DIBCAC) is the designated CMMC Status. If any of these 24 requirements are inherited from a CSP, the OSC must demonstrate that protection during a Level 3 certification assessment via a Customer Implementation Summary/Customer Responsibility Matrix (CIS/CRM) and associated Body of Evidence (BOE). The BOE must clearly indicate whether the OSC or the CSP is responsible for meeting each requirement and which requirements are implemented by the OSC versus inherited from the CSP.

(iii) In accordance with § 170.19(d)(2),

the OSC’s on-premises infrastructure connecting to the CSP’s product or service offering is part of the CMMC Assessment Scope. As such, the security requirements from the CRM must be documented or referred to in the OSC’s SSP.

(6) Level 3 certification assessment

with the use of an ESP, not a CSP. An OSC may use an ESP that is not a CSP to process, store, or transmit CUI in performance of a contract or subcontract with a requirement for the CMMC Status of Level 3 (DIBCAC) under the following circumstances:

(i) The use of the ESP, its relationship

to the OSC, and the services provided are documented in the OSC’s SSP and described in the ESP’s service description and customer responsibility matrix.

(ii) The ESP services used to meet

OSC requirements are assessed within the scope of the OSC’s assessment against all Level 2 and Level 3 security requirements.

(iii) In accordance with § 170.19(d)(2),

the OSC’s on-premises infrastructure connecting to the ESP’s product or service offering is part of the CMMC Assessment Scope, which will also be assessed. As such, the security requirements from the CRM must be documented or referred to in the OSC’s SSP.

§ 170.19

'CMMC scoping. '

(a) Scoping requirement. (1) The

CMMC Assessment Scope must be specified prior to assessment in

VerDate Sep<11>2014

18:51 Oct 11, 2024

Jkt 265001

PO 00000

Frm 00141

Fmt 4701

Sfmt 4700

E:\FR\FM\15OCR2.SGM

15OCR2

khammond on DSKJM1Z7X2PROD with RULES2

'83232 '

'Federal Register '/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations

accordance with the requirements of this section. The CMMC Assessment Scope is the set of all assets in the OSA’s environment that will be assessed against CMMC security requirements.

(2) The requirements for defining the

CMMC Assessment Scope for CMMC Levels 1, 2, and 3 are set forth in this section. Additional guidance regarding scoping can be found in the guidance documents listed in paragraphs (e) through (g) of appendix A to this part.

(b) CMMC Level 1 scoping. Prior to

performing a Level 1 self-assessment, the OSA must specify the CMMC Assessment Scope.

(1) Assets in scope for Level 1 self-

assessment. OSA information systems which process, store, or transmit FCI are in scope for CMMC Level 1 and must be self-assessed against applicable CMMC security requirements.

(2) Assets not in scope for Level 1 self-

assessment—(i) Out-of-Scope Assets. OSA information systems which do not process, store, or transmit FCI are outside the scope for CMMC Level 1. An endpoint hosting a VDI client configured to not allow any processing, storage, or transmission of FCI beyond the Keyboard/Video/Mouse sent to the VDI client is considered out-of-scope. There are no documentation requirements for out-of-scope assets.

(ii) Specialized Assets. Specialized

Assets are those assets that can process, store, or transmit FCI but are unable to be fully secured, including: Internet of Things (IoT) devices, Industrial Internet of Things (IIoT) devices, Operational Technology (OT), Government Furnished Equipment (GFE), Restricted Information Systems, and Test Equipment. Specialized Assets are not part of the Level 1 CMMC Assessment

Scope and are not assessed against CMMC security requirements.

(3) Level 1 self-assessment scoping

considerations. To scope a Level 1 self- assessment, OSAs should consider the people, technology, facilities, and External Service Providers (ESP) within its environment that process, store, or transmit FCI.

(c) CMMC Level 2 Scoping. Prior to

performing a Level 2 self-assessment or Level 2 certification assessment, the OSA must specify the CMMC Assessment Scope.

(1) The CMMC Assessment Scope for

CMMC Level 2 is based on the specification of asset categories and their respective requirements as defined in table 3 to this paragraph (c)(1). Additional information is available in the guidance document listed in paragraph (f) of appendix A to this part.

TABLE 3 TO § 170.19(c)(1)—CMMC LEVEL 2 ASSET CATEGORIES AND ASSOCIATED REQUIREMENTS

Asset category

Asset description

OSA requirements

CMMC assessment requirements

'Assets that are in the Level 2 CMMC Assessment Scope '

Controlled Unclassified Informa-

tion (CUI) Assets.

• Assets that process, store, or transmit

CUI.

• Document in the asset inventory ...........

• Document asset treatment in the Sys-

tem Security Plan (SSP).

• Document in the network diagram of

the CMMC Assessment Scope.

• Prepare to be assessed against CMMC

Level 2 security requirements.

• Assess against all Level 2 security re-

quirements.

Security Protection Assets ........

• Assets that provide security functions

or capabilities to the OSA’s CMMC As-sessment Scope.

• Document in the asset inventory ...........

• Document asset treatment in SSP.

• Document in the network diagram of

the CMMC Assessment Scope.

• Prepare to be assessed against CMMC

Level 2 security requirements.

• Assess against Level 2 security re-

quirements that are relevant to the ca-pabilities provided.

Contractor Risk Managed As-

sets.

• Assets that can, but are not intended

to, process, store, or transmit CUI be-cause of security policy, procedures, and practices in place.

• Assets are not required to be physically

or logically separated from CUI assets.

• Document in the asset inventory ...........

• Document asset treatment in the SSP.

• Document in the network diagram of

the CMMC Assessment Scope.

• Prepare to be assessed against CMMC

Level 2 security requirements.

• Review the SSP:

• If sufficiently documented, do not

assess against other CMMC secu-rity requirements, except as noted.

• If OSA’s risk-based security poli-

cies, procedures, and practices documentation or other findings raise questions about these assets, the assessor can conduct a limited check to identify deficiencies.

• The limited check(s) shall not ma-

terially increase the assessment duration nor the assessment cost.

• The limited check(s) will be as-

sessed against CMMC security re-quirements.

Specialized Assets ....................

• Assets that can process, store, or

transmit CUI but are unable to be fully secured, including: Internet of Things (IoT) devices, Industrial Internet of Things (IIoT) devices, Operational Technology (OT), Government Fur-nished Equipment (GFE), Restricted In-formation Systems, and Test Equip-ment.

• Document in the asset inventory ...........

• Document asset treatment in the SSP.

• Show these assets are managed using

the contractor’s risk-based security poli-cies, procedures, and practices.

• Document in the network diagram of

the CMMC Assessment Scope.

• Review the SSP.

• Do not assess against other CMMC se-

curity requirements.

'Assets that are not in the Level 2 CMMC Assessment Scope '

Out-of-Scope Assets .................

• Assets that cannot process, store, or

transmit CUI; and do not provide secu-rity protections for CUI Assets.

• Prepare to justify the inability of an Out-

of-Scope Asset to process, store, or transmit CUI.

• None.

• Assets that are physically or logically

separated from CUI assets.

• Assets that fall into any in-scope asset

category cannot be considered an Out- of-Scope Asset.

VerDate Sep<11>2014

18:51 Oct 11, 2024

Jkt 265001

PO 00000

Frm 00142

Fmt 4701

Sfmt 4700

E:\FR\FM\15OCR2.SGM

15OCR2

khammond on DSKJM1Z7X2PROD with RULES2

'83233 '

'Federal Register '/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations

TABLE 3 TO § 170.19(c)(1)—CMMC LEVEL 2 ASSET CATEGORIES AND ASSOCIATED REQUIREMENTS—Continued

Asset category

Asset description

OSA requirements

CMMC assessment requirements

• An endpoint hosting a VDI client config-

ured to not allow any processing, stor-age, or transmission of CUI beyond the Keyboard/Video/Mouse sent to the VDI client is considered an Out-of-Scope Asset.

(2)(i) Table 4 to this paragraph (c)(2)(i)

defines the requirements to be met when utilizing an External Service

Provider (ESP). The OSA must consider whether the ESP is a Cloud Service Provider (CSP) and whether the ESP

processes, stores, or transmits CUI and/ or Security Protection Data (SPD).

TABLE 4 TO § 170.19(c)(2)(i)—ESP SCOPING REQUIREMENTS

When the ESP processes, stores, or transmits:

When utilizing an ESP that is:

A CSP

Not a CSP

CUI (with or without SPD) ..

The CSP shall meet the FedRAMP requirements in 48

CFR 252.204–7012.

The services provided by the ESP are in the OSA’s as-

sessment scope and shall be assessed as part of the OSA’s assessment.

SPD (without CUI) ..............

The services provided by the CSP are in the OSA’s as-

sessment scope and shall be assessed as Security Protection Assets.

The services provided by the ESP are in the OSA’s as-

sessment scope and shall be assessed as Security Protection Assets.

Neither CUI nor SPD ..........

A service provider that does not process CUI or SPD

does not meet the CMMC definition of an ESP.

A service provider that does not process CUI or SPD

does not meet the CMMC definition of an ESP.

(ii) The use of an ESP, its relationship

to the OSA, and the services provided need to be documented in the OSA’s SSP and described in the ESP’s service description and customer responsibility matrix (CRM), which describes the responsibilities of the OSA and ESP with respect to the services provided. Note that the ESP may voluntarily

undergo a CMMC certification assessment to reduce the ESP’s effort required during the OSA’s assessment. The minimum assessment type for the ESP is dictated by the OSA’s DoD contract requirement.

(d) CMMC Level 3 scoping. Prior to

performing a Level 3 certification assessment, the CMMC Assessment Scope must be specified.

(1) The CMMC Assessment Scope for

Level 3 is based on the specification of asset categories and their respective requirements as set forth in table 5 to this paragraph (d)(1). Additional information is available in the guidance document listed in paragraph (g) of appendix A to this part.

TABLE 5 TO § 170.19(d)(1)—CMMC LEVEL 3 ASSET CATEGORIES AND ASSOCIATED REQUIREMENTS

Asset category

Asset description

OSC requirements

CMMC assessment requirements

'Assets that are in the Level 3 CMMC Assessment Scope '

Controlled Unclassified Informa-

tion (CUI) Assets.

• Assets that process, store, or transmit

CUI.

• Assets that can, but are not intended

to, process, store, or transmit CUI (de-fined as Contractor Risk Managed As-sets in table 1 to paragraph (c)(1) of this section CMMC Scoping).

• Document in the asset inventory ...........

• Document asset treatment in the Sys-

tem Security Plan (SSP).

• Document in the network diagram of

the CMMC Assessment Scope.

• Prepare to be assessed against CMMC

Level 2 and Level 3 security require-ments.

• Limited check against Level 2 and as-

sess against all Level 3 CMMC security requirements.

Security Protection Assets ........

• Assets that provide security functions

or capabilities to the OSC’s CMMC As-sessment Scope, irrespective of wheth-er or not these assets process, store, or transmit CUI.

• Document in the asset inventory ...........

• Document asset treatment in the SSP.

• Document in the network diagram of

the CMMC Assessment Scope.

• Prepare to be assessed against CMMC

Level 2 and Level 3 security require-ments.

• Limited check against Level 2 and as-

sess against all Level 3 CMMC security requirements that are relevant to the capabilities provided.

Specialized Assets ....................

• Assets that can process, store, or

transmit CUI but are unable to be fully secured, including: Internet of Things (IoT) devices, Industrial Internet of Things (IIoT) devices, Operational Technology (OT), Government Fur-nished Equipment (GFE), Restricted In-formation Systems, and Test Equip-ment.

• Document in the asset inventory ...........

• Document asset treatment in the SSP.

• Document in the network diagram of

the CMMC Assessment Scope.

• Prepare to be assessed against CMMC

Level 2 and Level 3 security require-ments.

• Limited check against Level 2 and as-

sess against all Level 3 CMMC security requirements.

• Intermediary devices are permitted to

provide the capability for the special-ized asset to meet one or more CMMC security requirements.

VerDate Sep<11>2014

18:51 Oct 11, 2024

Jkt 265001

PO 00000

Frm 00143

Fmt 4701

Sfmt 4700

E:\FR\FM\15OCR2.SGM

15OCR2

khammond on DSKJM1Z7X2PROD with RULES2

'83234 '

'Federal Register '/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations

TABLE 5 TO § 170.19(d)(1)—CMMC LEVEL 3 ASSET CATEGORIES AND ASSOCIATED REQUIREMENTS—Continued

Asset category

Asset description

OSC requirements

CMMC assessment requirements

'Assets that are not in the Level 3 CMMC Assessment Scope '

Out-of-Scope Assets .................

• Assets that cannot process, store, or

transmit CUI; and do not provide secu-rity protections for CUI Assets.

• Prepare to justify the inability of an Out-

of-Scope Asset to process, store, or transmit CUI.

• None.

• Assets that are physically or logically

separated from CUI assets.

• Assets that fall into any in-scope asset

category cannot be considered an Out- of-Scope Asset.

• An endpoint hosting a VDI client config-

ured to not allow any processing, stor-age, or transmission of CUI beyond the Keyboard/Video/Mouse sent to the VDI client is considered an Out-of-Scope Asset.

(2)(i) Table 6 to this paragraph

(d)(2)(i) defines the requirements to be met when utilizing an External Service

Provider (ESP). The OSA must consider whether the ESP is a Cloud Service Provider (CSP) and whether the ESP

processes, stores, or transmits CUI and/ or Security Protection Data (SPD).

TABLE 6 TO § 170.19(d)(2)(i)—ESP SCOPING REQUIREMENTS

When the ESP processes, stores, or transmits:

When utilizing an ESP that is:

A CSP

Not a CSP

CUI (with or without SPD) ..

The CSP shall meet the FedRAMP requirements in 48

CFR 252.204–7012.

The services provided by the ESP are in the OSA’s as-

sessment scope and shall be assessed as part of the OSA’s assessment.

SPD (without CUI) ..............

The services provided by the CSP are in the OSA’s as-

sessment scope and shall be assessed as Security Protection Assets.

The services provided by the ESP are in the OSA’s as-

sessment scope and shall be assessed as Security Protection Assets.

Neither CUI nor SPD ..........

A service provider that does not process CUI or SPD

does not meet the CMMC definition of an ESP.

A service provider that does not process CUI or SPD

does not meet the CMMC definition of an ESP.

(ii) The use of an ESP, its relationship

to the OSC, and the services provided need to be documented in the OSC’s SSP and described in the ESP’s service description and customer responsibility matrix (CRM), which describes the responsibilities of the OSC and ESP with respect to the services provided. Note that the ESP may voluntarily undergo a CMMC certification assessment to reduce the ESP’s effort required during the OSA’s assessment. The minimum. The minimum assessment type for the ESP is dictated by the OSC’s DoD contract requirement.

(e) Relationship between Level 2 and

Level 3 CMMC Assessment Scope. The Level 3 CMMC Assessment Scope must be equal to or a subset of the Level 2 CMMC Assessment Scope in accordance with § 170.18(a) (e.g., a Level 3 data enclave with greater restrictions and protections within a Level 2 data enclave). Any Level 2 POA&M items must be closed prior to the initiation of the Level 3 certification assessment. DCMA DIBCAC may check any Level 2 security requirement of any in-scope asset. If DCMA DIBCAC identifies that a Level 2 security requirement is NOT MET, the Level 3 assessment process

may be paused to allow for remediation, placed on hold, or immediately terminated. For further information regarding scoping of CMMC Level 3 assessments please contact DCMA DIBCAC at www.dcma.mil/DIBCAC/.

§ 170.20

'Standards acceptance. '

(a) NIST SP 800–171 R2 DoD

assessments. In order to avoid duplication of efforts, thereby reducing the aggregate cost to industry and the Department, OSCs that have completed a DCMA DIBCAC High Assessment aligned with CMMC Level 2 Scoping will be given the CMMC Status of Final Level 2 (C3PAO) under the following conditions:

(1) DCMA DIBCAC High Assessment.

An OSC that achieved a perfect score with no open POA&M from a DCMA DIBCAC High Assessment conducted prior to the effective date of this rule, will be given a CMMC Status of Level 2 Final (C3PAO) with a validity period of three (3) years from the date of the original DCMA DIBCAC High Assessment. DCMA DIBCAC will identify assessments that meet these criteria and verify that SPRS accurately reflects the CMMC Status. Eligible

DCMA DIBCAC High Assessments include ones conducted with Joint Surveillance in accordance with the DCMA Manual 2302–01 Surveillance. The scope of the Level 2 certification assessment is identical to the scope of the DCMA DIBCAC High Assessment. In accordance with § 170.17(a)(2), the OSC must also submit an affirmation in SPRS and annually thereafter to achieve contractual eligibility.

(2) [Reserved]. (b) [Reserved].

§ 170.21

'Plan of Action and Milestones '

'requirements. '

(a) POA&M. For purposes of achieving

a Conditional CMMC Status, an OSA is only permitted to have a POA&M for select requirements scored as NOT MET during the CMMC assessment and only under the following conditions:

(1) Level 1 self-assessment. A POA&M

is not permitted at any time for Level 1 self-assessments.

(2) Level 2 self-assessment and Level

2 certification assessment. An OSA is only permitted to achieve the CMMC Status of Conditional Level 2 (Self) or Conditional Level 2 (C3PAO), as appropriate, if all the following conditions are met:

VerDate Sep<11>2014

18:51 Oct 11, 2024

Jkt 265001

PO 00000

Frm 00144

Fmt 4701

Sfmt 4700

E:\FR\FM\15OCR2.SGM

15OCR2

khammond on DSKJM1Z7X2PROD with RULES2

'83235 '

'Federal Register '/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations

(i) The assessment score divided by

the total number of CMMC Level 2 security requirements is greater than or equal to 0.8;

(ii) None of the security requirements

included in the POA&M have a point value of greater than 1 as specified in the CMMC Scoring Methodology set forth in § 170.24, except SC.L2–3.13.11 CUI Encryption may be included on a POA&M if encryption is employed but it is not FIPS-validated, which would result in a point value of 3; and

(iii) None of the following security

requirements are included in the POA&M:

(A) AC.L2–3.1.20 External

Connections (CUI Data).

(B) AC.L2–3.1.22 Control Public

Information (CUI Data).

(C) CA.L2–3.12.4 System Security

Plan.

(D) PE.L2–3.10.3 Escort Visitors (CUI

Data).

(E) PE.L2–3.10.4 Physical Access Logs

(CUI Data).

(F) PE.L2–3.10.5 Manage Physical

Access (CUI Data).

(3) Level 3 certification assessment.

An OSC is only permitted to achieve the CMMC Status of Conditional Level 3 (DIBCAC) if all the following conditions are met:

(i) The assessment score divided by

the total number of CMMC Level 3 security requirements is greater than or equal to 0.8; and

(ii) The POA&M does not include any

of following security requirements:

(A) IR.L3–3.6.1e Security Operations

Center.

(B) IR.L3–3.6.2e Cyber Incident

Response Team.

(C) RA.L3–3.11.1e Threat-Informed

Risk Assessment.

(D) RA.L3–3.11.6e Supply Chain Risk

Response.

(E) RA.L3–3.11.7e Supply Chain Risk

Plan.

(F) RA.L3–3.11.4e Security Solution

Rationale.

(G) SI.L3–3.14.3e Specialized Asset

Security.

(b) POA&M closeout assessment. A

POA&M closeout assessment is a CMMC assessment that assesses only the NOT MET requirements that were identified with POA&M in the initial assessment. The closing of a POA&M must be confirmed by a POA&M closeout assessment within 180-days of the Conditional CMMC Status Date. If the POA&M is not successfully closed out within the 180-day timeframe, the Conditional CMMC Status for the information system will expire.

(1) Level 2 self-assessment. For a

Level 2 self-assessment, the POA&M closeout self-assessment shall be

performed by the OSA in the same manner as the initial self-assessment.

(2) Level 2 certification assessment.

For Level 2 certification assessment, the POA&M closeout certification assessment must be performed by an authorized or accredited C3PAO.

(3) Level 3 certification assessment.

For Level 3 certification assessment, DCMA DIBCAC will perform the POA&M closeout certification assessment.

§ 170.22

'Affirmation. '

(a) General. The OSA must affirm

continuing compliance with the appropriate level self-assessment or certification assessment. An Affirming Official from each OSA, whether a prime or subcontractor, must affirm the continuing compliance of their respective organizations with the specified security requirement after every assessment, including POA&M closeout, and annually thereafter. Affirmations are entered electronically in SPRS. The affirmation shall be submitted in accordance with the following requirements:

(1) Affirming Official. The Affirming

Official is the senior level representative from within each Organization Seeking Assessment (OSA) who is responsible for ensuring the OSA’s compliance with the CMMC Program requirements and has the authority to affirm the OSA’s continuing compliance with the specified security requirements for their respective organizations.

(2) Affirmation content. Each CMMC

affirmation shall include the following information:

(i) Name, title, and contact

information for the Affirming Official; and

(ii) Affirmation statement attesting

that the OSA has implemented and will maintain implementation of all applicable CMMC security requirements to their CMMC Status for all information systems within the relevant CMMC Assessment Scope.

(3) Affirmation submission. The

Affirming Official shall submit a CMMC affirmation in the following instances:

(i) Upon achievement of a Conditional

CMMC Status, as applicable;

(ii) Upon achievement of a Final

CMMC Status;

(iii) Annually following a Final

CMMC Status Date; and

(iv) Following a POA&M closeout

assessment, as applicable.

(b) Submission procedures. All

affirmations shall be completed in SPRS. The Department will verify submission of the affirmation in SPRS to ensure compliance with CMMC solicitation or contract requirements.

(1) Level 1 self-assessment. At the

completion of a Level 1 self-assessment and annually thereafter, the Affirming Official shall submit a CMMC affirmation attesting to continuing compliance with all requirements of the CMMC Status Level 1 (Self).

(2) Level 2 self-assessment. At the

completion of a Level 2 self-assessment and annually following a Final CMMC Status Date, the Affirming Official shall submit a CMMC affirmation attesting to continuing compliance with all requirements of the CMMC Status Level 2 (Self). An affirmation shall also be submitted at the completion of a POA&M closeout self-assessment.

(3) Level 2 certification assessment. At

the completion of a Level 2 certification assessment and annually following a Final CMMC Status Date, the Affirming Official shall submit a CMMC affirmation attesting to continuing compliance with all requirements of the CMMC Status Level 2 (C3PAO). An affirmation shall also be submitted at the completion of a POA&M closeout certification assessment.

(4) Level 3 certification assessment. At

the completion of a Level 3 certification assessment and annually following a Final CMMC Status Date, the Affirming Official shall submit a CMMC affirmation attesting to continuing compliance with all requirements of the CMMC Status Level 3 (DIBCAC). Because C3PAOs and DCMA DIBCAC check for compliance with different requirements in their respective assessments, OSCs must annually affirm their CMMC Status of Level 2 (C3PAO) in addition to their CMMC Status of Level 3 (DIBCAC) to maintain eligibility for contracts requiring compliance with Level 3. An affirmation shall also be submitted at the completion of a POA&M closeout certification assessment.

§ 170.23

'Application to subcontractors. '

(a) CMMC requirements apply to

prime contractors and subcontractors throughout the supply chain at all tiers that will process, store, or transmit any FCI or CUI on contractor information systems in the performance of the DoD contract or subcontract. Prime contractors shall comply and shall require subcontractors to comply with and to flow down CMMC requirements, such that compliance will be required throughout the supply chain at all tiers with the applicable CMMC level and assessment type for each subcontract as follows:

(1) If a subcontractor will only

process, store, or transmit FCI (and not CUI) in performance of the subcontract,

VerDate Sep<11>2014

18:51 Oct 11, 2024

Jkt 265001

PO 00000

Frm 00145

Fmt 4701

Sfmt 4700

E:\FR\FM\15OCR2.SGM

15OCR2

khammond on DSKJM1Z7X2PROD with RULES2

'83236 '

'Federal Register '/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations

then a CMMC Status of Level 1 (Self) is required for the subcontractor.

(2) If a subcontractor will process,

store, or transmit CUI in performance of the subcontract, then a CMMC Status of Level 2 (Self) is the minimum requirement for the subcontractor.

(3) If a subcontractor will process,

store, or transmit CUI in performance of the subcontract and the associated prime contract has a requirement for a CMMC Status of Level 2 (C3PAO), then the CMMC Status of Level 2 (C3PAO) is the minimum requirement for the subcontractor.

(4) If a subcontractor will process,

store, or transmit CUI in performance of the subcontract and the associated prime contract has a requirement for the CMMC Status of Level 3 (DIBCAC), then the CMMC Status of Level 2 (C3PAO) is the minimum requirement for the subcontractor.

(b) As with any solicitation or

contract, the DoD may provide specific guidance pertaining to flow-down.

§ 170.24

'CMMC Scoring Methodology. '

(a) General. This scoring methodology

is designed to provide a measurement of an OSA’s implementation status of the NIST SP 800–171 R2 security requirements (incorporated by reference elsewhere in this part, see § 170.2) and the selected NIST SP 800–172 Feb2021 security requirements (incorporated by reference elsewhere in this part, see § 170.2). The CMMC Scoring Methodology is designed to credit partial implementation only in limited cases (e.g., multi-factor authentication IA.L2–3.5.3).

(b) Assessment findings. Each security

requirement assessed under the CMMC Scoring Methodology must result in one of three possible assessment findings, as follows:

(1) Met. All applicable objectives for

the security requirement are satisfied based on evidence. All evidence must be in final form and not draft. Unacceptable forms of evidence include but are not limited to working papers, drafts, and unofficial or unapproved policies.

(i) Enduring exceptions when

described, along with any mitigations, in the system security plan shall be assessed as MET.

(ii) Temporary deficiencies that are

appropriately addressed in operational plans of action (i.e., include deficiency reviews and show progress towards the implementation of corrections to reduce or eliminate identified vulnerabilities) shall be assessed as MET.

(2) Not Met. One or more applicable

objectives for the security requirement is not satisfied. During an assessment,

for each security requirement objective marked NOT MET, the assessor will document why the evidence does not conform.

(3) Not Applicable (N/A). A security

requirement and/or objective does not apply at the time of the CMMC assessment. For example, Public-Access System Separation (SC.L2–3.13.5) might be N/A if there are no publicly accessible systems within the CMMC Assessment Scope. During an assessment, an assessment objective assessed as N/A is equivalent to the same assessment objective being assessed as MET.

(c) Scoring. At each CMMC Level,

security requirements are scored as follows:

(1) CMMC Level 1. All CMMC Level

1 security requirements must be fully implemented to be considered MET. No POA&M is permitted for CMMC Level 1, and self-assessment results are scored as MET or NOT MET in their entirety.

(2) CMMC Level 2 Scoring

Methodology. The maximum score achievable for a Level 2 self-assessment or Level 2 certification assessment is equal to the total number of CMMC Level 2 security requirements. If all CMMC Level 2 security requirements are MET, OSAs are awarded the maximum score. For each requirement NOT MET, the associated value of the security requirement is subtracted from the maximum score, which may result in a negative score.

(i) Procedures. (A) Scoring

methodology for Level 2 self-assessment and Level 2 certification assessment is based on all CMMC Level 2 security requirement objectives, including those NOT MET.

(B) In the CMMC Level 2 Scoring

Methodology, each security requirement has a value (e.g., 1, 3 or 5), which is related to the designation by NIST as basic or derived security requirements. Per NIST SP 800–171 R2, the basic security requirements are obtained from FIPS PUB 200 Mar2006, which provides the high-level and fundamental security requirements for Federal information and systems. The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST SP 800–53 R5.

(1) For NIST SP 800–171 R2 basic and

derived security requirements that, if not implemented, could lead to significant exploitation of the network, or exfiltration of CUI, five (5) points are subtracted from the maximum score. The basic and derived security requirements with a value of five (5) points include:

(i) Basic security requirements.

AC.L2–3.1.1, AC.L2–3.1.2, AT.L2–3.2.1, AT.L2–3.2.2, AU.L2–3.3.1, CM.L2–3.4.1, CM.L2–3.4.2, IA–L2–3.5.1, IA–L2–3.5.2, IR.L2–3.6.1, IR.L2–3.6.2, MA.L2–3.7.2, MP.L2–3.8.3, PS.L2–3.9.2, PE.L2–3.10.1, PE.L2–3.10.2, CA.L2–3.12.1, CA.L2– 3.12.3, SC.L2–3.13.1, SC.L2–3.13.2, SI.L2–3.14.1, SI.L2–3.14.2, and SI.L2– 3.14.3.

(ii) Derived security requirements.

AC.L2–3.1.12, AC.L2–3.1.13, AC.L2– 3.1.16, AC.L2–3.1.17, AC.L2–3.1.18, AU.L2–3.3.5, CM.L2–3.4.5, CM.L2– 3.4.6, CM.L2–3.4.7, CM.L2–3.4.8, IA.L2– 3.5.10, MA.L2–3.7.5, MP.L2–3.8.7, RA.L2–3.11.2, SC.L2–3.13.5, SC.L2– 3.13.6, SC.L2–3.13.15, SI.L2–3.14.4, and SI.L2–3.14.6.

(2) For basic and derived security

requirements that, if not implemented, have a specific and confined effect on the security of the network and its data, three (3) points are subtracted from the maximum score. The basic and derived security requirements with a value of three (3) points include:

(i) Basic security requirements.

AU.L2–3.3.2, MA.L2–3.7.1, MP.L2– 3.8.1, MP.L2–3.8.2, PS.L2–3.9.1, RA.L2– 3.11.1, and CA.L2–3.12.2.

(ii) Derived security requirements.

AC.L2–3.1.5, AC.L2- 3.1.19, MA.L2– 3.7.4, MP.L2–3.8.8, SC.L2–3.13.8, SI.L2– 3.14.5, and SI.L2–3.14.7.

(3) All remaining derived security

requirements, other than the exceptions noted, if not implemented, have a limited or indirect effect on the security of the network and its data. For these, 1 point is subtracted from the maximum score.

(4) Two derived security

requirements, IA.L2–3.5.3 and SC.L2– 3.13.11, can be partially effective even if not completely or properly implemented, and the points deducted may be adjusted depending on how the security requirement is implemented.

(i) Multi-factor authentication (MFA)

(CMMC Level 2 security requirement IA.L2–3.5.3) is typically implemented first for remote and privileged users (since these users are both limited in number and more critical) and then for the general user, so three (3) points are subtracted from the maximum score if MFA is implemented only for remote and privileged users. Five (5) points are subtracted from the maximum score if MFA is not implemented for any users.

(ii) FIPS-validated encryption (CMMC

Level 2 security requirement SC.L2– 3.13.11) is required to protect the confidentiality of CUI. If encryption is employed, but is not FIPS-validated, three (3) points are subtracted from the maximum score; if encryption is not

VerDate Sep<11>2014

18:51 Oct 11, 2024

Jkt 265001

PO 00000

Frm 00146

Fmt 4701

Sfmt 4700

E:\FR\FM\15OCR2.SGM

15OCR2

khammond on DSKJM1Z7X2PROD with RULES2

'83237 '

'Federal Register '/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations

employed; five (5) points are subtracted from the maximum score.

(5) OSAs must have a System Security

Plan (SSP) (CMMC security requirement CA.L2–3.12.4) in place at the time of assessment to describe each information system within the CMMC Assessment Scope. The absence of an up to date SSP at the time of the assessment would result in a finding that ‘an assessment could not be completed due to incomplete information and noncompliance with 48 CFR 252.204– 7012.’

(6) For each NOT MET security

requirement the OSA must have a POA&M in place. A POA&M addressing

NOT MET security requirements is not a substitute for a completed requirement. Security requirements not implemented, whether described in a POA&M or not, is assessed as ‘NOT MET.’

(7) Specialized Assets must be

evaluated for their asset category per the CMMC scoping guidance for the level in question and handled accordingly as set forth in § 170.19.

(8) If an OSC previously received a

favorable adjudication from the DoD CIO indicating that a security requirement is not applicable or that an alternative security measure is equally effective (in accordance with 48 CFR

252.204–7008 or 48 CFR 252.204–7012), the DoD CIO adjudication must be included in the system security plan to receive consideration during an assessment. A security requirement for which implemented security measures have been adjudicated by the DoD CIO as equally effective is assessed as MET if there have been no changes in the environment.

(ii) CMMC Level 2 Scoring Table.

CMMC Level 2 scoring has been assigned based on the methodology set forth in table 1 to this paragraph (c)(2)(ii).

TABLE 7 TO § 170.24(c)(2)(ii)—CMMC LEVEL 2 SCORING TABLE

CMMC Level 2 requirement categories

Point value

subtracted from

maximum score

Basic Security Requirements:

If not implemented, could lead to significant exploitation of the network, or exfiltration of CUI ...........................................

5

If not implemented, has specific and confined effect on the security of the network and its data .......................................

3

Derived Security Requirements:

If not implemented, could lead to significant exploitation of the network, or exfiltration of CUI ...........................................

5

If not completely or properly implemented, could be partially effective and points adjusted depending on how the secu-

rity requirement is implemented: ........................................................................................................................................

3 or 5

—Partially effective implementation—3 points. —Non-effective (not implemented at all)—5 points.

If not implemented, has specific and confined effect on the security of the network and its data .......................................

3

If not implemented, has a limited or indirect effect on the security of the network and its data ..........................................

1

(3) CMMC Level 3 assessment scoring

methodology. CMMC Level 3 scoring does not utilize varying values like the scoring for CMMC Level 2. All CMMC Level 3 security requirements use a value of one (1) point for each security requirement. As a result, the maximum score achievable for a Level 3 certification assessment is equivalent to the total number of the selected subset of NIST SP 800–172 Feb2021 security requirements for CMMC Level 3, see § 170.14(c)(4). The maximum score is reduced by one (1) point for each security requirement NOT MET. The CMMC Level 3 scoring methodology reflects the fact that all CMMC Level 2 security requirements must already be MET (for the Level 3 CMMC Assessment

Scope). A maximum score on the Level 2 certification assessment is required to be eligible to initiate a Level 3 certification assessment. The Level 3 certification assessment score is equal to the number of CMMC Level 3 security requirements that are assessed as MET.

'Appendix A to Part 170—Guidance '

Guidance documents include: (a) ‘‘CMMC Model Overview’’ available at

https://DoDcio.defense.gov/CMMC/.

(b) ‘‘CMMC Assessment Guide—Level 1’’

available at https://DoDcio.defense.gov/ CMMC/.

(c) ‘‘CMMC Assessment Guide—Level 2’’

available at https://DoDcio.defense.gov/ CMMC/.

(d) ‘‘CMMC Assessment Guide—Level 3’’

available at https://DoDcio.defense.gov/ CMMC/.

(e) ‘‘CMMC Scoping Guide—Level 1’’

available at https://DoDcio.defense.gov/ CMMC/.

(f) ‘‘CMMC Scoping Guide—Level 2’’

available at https://DoDcio.defense.gov/ CMMC/.

(g) ‘‘CMMC Scoping Guide—Level 3’’

available at https://DoDcio.defense.gov/ CMMC/.

(h) ‘‘CMMC Hashing Guide’’ available at

https://DoDcio.defense.gov/CMMC/.

Dated: September 30, 2024.

Patricia L. Toppings, OSD Federal Register Liaison Officer, Department of Defense. [FR Doc. 2024–22905 Filed 10–11–24; 8:45 am]

'BILLING CODE 6001–FR–P '

VerDate Sep<11>2014

18:51 Oct 11, 2024

Jkt 265001

PO 00000

Frm 00147

Fmt 4701

Sfmt 9990

E:\FR\FM\15OCR2.SGM

15OCR2

khammond on DSKJM1Z7X2PROD with RULES2

Original source: https://www.govinfo.gov/content/pkg/FR-2024-10-15/pdf/2024-22905.pdf

32 CFR Part 170: Difference between revisions

Revision as of 23:06, 2 March 2025

Contents

PART 170—CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC) PROGRAM

Subpart A—General Information

Subpart B—Government Roles and Responsibilities

Subpart C—CMMC Assessment and Certification Ecosystem

Subpart D—Key Elements of the CMMC Program

Subpart A - General Information.

§ 170.1 Purpose.

§ 170.2 Incorporation by reference.

§ 170.3 Applicability.

§ 170.4 Acronyms and definitions.

§ 170.5 Policy.

Subpart B—Government Roles and Responsibilities.

§ 170.6 CMMC PMO.

§ 170.7 DCMA DIBCAC.

Subpart C—CMMC Assessment and Certification Ecosystem.

§ 170.8 Accreditation Body.

Navigation menu

@@ Line 41: / Line 41: @@
 '''Authority''': 5 U.S.C. 301; Sec. 1648, Pub. L. 116–92, 133 Stat. 1198.
-== Subpart A—General Information. ==
+== Subpart A - General Information. ==
 === § 170.1 Purpose. ===
-(a) This part describes the
+(a) This part describes the Cybersecurity Maturity Model Certification (CMMC) Program of the Department of Defense (DoD) and establishes requirements for defense contractors and subcontractors to implement prescribed cybersecurity standards for safeguarding Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). This part (the CMMC Program) also establishes requirements for conducting an assessment of compliance with the applicable prescribed cybersecurity standard for contractor information systems that: process, store, or transmit FCI or CUI; provide security protections for systems which process, store, or transmit CUI; or are not logically or physically isolated from systems which process, store, or transmit CUI.
-Cybersecurity Maturity Model <br />
+(b) The CMMC Program provides DoD with a viable means of conducting the volume of assessments necessary to verify contractor and subcontractor implementation of required cybersecurity requirements.
-Certification (CMMC) Program of the <br />
-Department of Defense (DoD) and <br />
-establishes requirements for defense <br />
-contractors and subcontractors to <br />
-implement prescribed cybersecurity <br />
-standards for safeguarding Federal <br />
-Contract Information (FCI) and <br />
-Controlled Unclassified Information <br />
-(CUI). This part (the CMMC Program) <br />
-also establishes requirements for <br />
-conducting an assessment of <br />
-compliance with the applicable <br />
-prescribed cybersecurity standard for <br />
-contractor information systems that: <br />
-process, store, or transmit FCI or CUI; <br />
-provide security protections for systems <br />
-which process, store, or transmit CUI; or
-VerDate Sep&lt;11&gt;2014
+(c) The CMMC Program is designed to ensure defense contractors are properly safeguarding FCI and CUI that is processed, stored, or transmitted on defense contractor information systems. FCI and CUI must be protected to meet evolving threats and safeguard nonpublic, unclassified information that supports and enables the warfighter. The CMMC Program provides a consistent methodology to assess a defense contractor’s implementation of required cybersecurity requirements. The CMMC Program utilizes the security standards set forth in the 48 CFR 52.204–21; National Institute of Standards and Technology (NIST) Special Publication (SP) 800–171, ''Basic Safeguarding of Covered Contractor Information Systems, ''Revision 2, February 2020 (includes updates as of January 28, 2021) (NIST SP 800–171 R2); and selected requirements from the NIST SP 800–172, ''Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800–171, ''February 2021 (NIST SP 800–172 Feb2021), as applicable (see table 1 to § 170.14(c)(4) for requirements, see § 170.2 for availability of NIST publications).
-:51 Oct 11, 2024
+(d) The CMMC Program balances the need to safeguard FCI and CUI and the requirement to share information appropriately with defense contractors in order to develop capabilities for the DoD. The CMMC Program is designed to ensure implementation of cybersecurity practices for defense contractors and to provide DoD with increased assurance that FCI and CUI information will be adequately safeguarded when residing on or transiting contractor information systems.
-Jkt 265001
+(e) The CMMC Program creates no right or benefit, substantive or procedural, enforceable by law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.
-PO 00000
+=== § 170.2 Incorporation by reference. ===
-Frm 00124
+Certain material is incorporated by reference into this part with the approval of the Director of the Federal Register under 5 U.S.C. 552(a) and 1 CFR part 51. Material approved for incorporation by reference (IBR) is available for inspection at the Department of Defense (DoD) and at the National Archives and Records Administration (NARA). Contact DoD online: ''https://DoDcio.defense.gov/CMMC/''; email: ''osd.mc-alex.DoD-cio.mbx.cmmc-rule@mail.mil''; or phone: (202) 770–9100. For information on the availability of this material at NARA, visit: ''www.archives.gov/federal-register/ cfr/ibr-locations'' or email: ''fr.inspection@nara.gov''. The material may be obtained from the following sources:
-Fmt 4701
+(a) National Institute of Standards and Technology, U.S. Department of Commerce, 100 Bureau Drive, Gaithersburg, MD 20899; phone: (301) 975–8443; website: ''https://csrc.nist.gov/ publications/''.
-Sfmt 4700
+(1) FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006 (FIPS PUB 200 Mar2006); IBR approved for § 170.4(b).
-E:\FR\FM\15OCR2.SGM
+(2) FIPS PUB 201–3, Personal Identity Verification (PIV) of Federal Employees and Contractors, January 2022 (FIPS PUB 201–3 Jan2022); IBR approved for § 170.4(b).
-OCR2
+(3) SP 800–37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, Revision 2, December 2018 (NIST SP 800–37 R2); IBR approved for § 170.4(b).
-khammond on DSKJM1Z7X2PROD with RULES2
+(4) SP 800–39, Managing Information Security Risk: Organization, Mission, and Information System View, March 2011 (NIST SP 800–39 Mar2011); IBR approved for § 170.4(b).
+(5) SP 800–53, Security and Privacy Controls for Information Systems and Organizations, Revision 5, September 2020 (includes updates as of December 10, 2020) (NIST SP 800–53 R5); IBR approved for § 170.4(b).
+(6) SP 800–82r3, Guide to Operational Technology (OT) Security, September 2023 (NIST SP 800–82r3); IBR approved for § 170.4(b).
+(7) SP 800–115, Technical Guide to Information Security Testing and Assessment, September 2008 (NIST SP 800–115 Sept2008); IBR approved for § 170.4(b).
+(8) SP 800–160, Volume 2, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Revision 1, December 2021 (NIST SP 800–160 V2R1); IBR approved for § 170.4(b).
+(9) SP 800–171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, Revision 2, February 2020 (includes updates as of January 28, 2021), (NIST SP 800–171 R2); IBR approved for §§ 170.4(b) and 170.14(a) through (c).
+(10) SP 800–171A, Assessing Security Requirements for Controlled Unclassified Information, June 2018 (NIST SP 800–171A Jun2018); IBR approved for §§ 170.11(a), 170.14(d), 170.15(c), 170.16(c), 170.17(c), and 170.18(c).
-'''83215 '''
+(11) SP 800–172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800–171, February 2021 (NIST SP 800–172 Feb2021); IBR approved for §§ 170.4(b), 170.5(a), and 170.14(a) and (c).
-'''Federal Register '''/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
+(12) SP 800–172A, Assessing Enhanced Security Requirements for Controlled Unclassified Information, March 2022 (NIST SP 800–172A Mar2022); IBR approved for §§ 170.4(b), 170.14(d), and 170.18(c).
-are not logically or physically isolated <br />
+(b) International Organization for Standardization (ISO) Chemin de Blandonnet 8, CP 401—1214 Vernier, Geneva, Switzerland; phone: +41 22 749 01 11; website: ''www.iso.org/popular- standards.html''.
-from systems which process, store, or <br />
-transmit CUI.
-(b) The CMMC Program provides DoD
+(1) ISO/IEC 17011:2017(E), Conformity assessment—Requirements for accreditation bodies accrediting conformity assessment bodies, Second edition, November 2017 (ISO/IEC 17011:2017(E)); IBR approved for §§ 170.8(b)(3), 170.9(b)(13), and 170.10(b)(4).
-with a viable means of conducting the <br />
+(2) ISO/IEC 17020:2012(E), Conformity assessment—Requirement for the operation of various types of bodies performing inspection, Second edition, March 1, 2012 (ISO/IEC 17020:2012(E)); IBR approved for §§ 170.8(a), (b)(1), (b)(3) and 170.9(b)(2) and (b)(13).
-volume of assessments necessary to <br />
-verify contractor and subcontractor <br />
-implementation of required <br />
-cybersecurity requirements.
-(c) The CMMC Program is designed to
+(3) ISO/IEC 17024:2012(E), Conformity assessment—General requirements for bodies operating certification of persons, second edition, July 1, 2012 (ISO/IEC 17024:2012(E)); IBR approved for §§ 170.8(b)(2) and 170.10(a) and (b)(4), (7), and (8).
-ensure defense contractors are properly <br />
+'''Note 1 to paragraph (b):''' The ISO/IEC standards incorporated by reference in this part may be viewed at no cost in ‘‘read only’’ format at ''https://ibr.ansi.org''.
-safeguarding FCI and CUI that is <br />
-processed, stored, or transmitted on <br />
-defense contractor information systems. <br />
-FCI and CUI must be protected to meet <br />
-evolving threats and safeguard <br />
-nonpublic, unclassified information that <br />
-supports and enables the warfighter. <br />
-The CMMC Program provides a <br />
-consistent methodology to assess a <br />
-defense contractor’s implementation of <br />
-required cybersecurity requirements. <br />
-The CMMC Program utilizes the <br />
-security standards set forth in the 48 <br />
-CFR 52.204–21; National Institute of <br />
-Standards and Technology (NIST) <br />
-Special Publication (SP) 800–171, ''Basic <br />
-Safeguarding of Covered Contractor <br />
-Information Systems, ''Revision 2, <br />
-February 2020 (includes updates as of <br />
-January 28, 2021) (NIST SP 800–171 <br />
-R2); and selected requirements from the <br />
-NIST SP 800–172, ''Enhanced Security <br />
-Requirements for Protecting Controlled <br />
-Unclassified Information: A Supplement <br />
-to NIST Special Publication 800–171, <br />
-''February 2021 (NIST SP 800–172 <br />
-Feb2021), as applicable (see table 1 to <br />
-§ 170.14(c)(4) for requirements, see <br />
-§ 170.2 for availability of NIST <br />
-publications).
-(d) The CMMC Program balances the
+=== § 170.3 Applicability. ===
-need to safeguard FCI and CUI and the <br />
+(a) The requirements of this part apply to:
-requirement to share information <br />
-appropriately with defense contractors <br />
-in order to develop capabilities for the <br />
-DoD. The CMMC Program is designed to <br />
-ensure implementation of cybersecurity <br />
-practices for defense contractors and to <br />
-provide DoD with increased assurance <br />
-that FCI and CUI information will be <br />
-adequately safeguarded when residing <br />
-on or transiting contractor information <br />
-systems.
-(e) The CMMC Program creates no
+(1) All DoD contract and subcontract awardees that will process, store, or transmit information, in performance of the DoD contract, that meets the standards for FCI or CUI on contractor information systems; and,
-right or benefit, substantive or <br />
+(2) Private-sector businesses or other entities comprising the CMMC Assessment and Certification Ecosystem, as specified in subpart C of this part.
-procedural, enforceable by law or in <br />
-equity by any party against the United <br />
-States, its departments, agencies, or <br />
-entities, its officers, employees, or <br />
-agents, or any other person.
-'''§ 170.2'''
+(b) The requirements of this part do not apply to Federal information systems operated by contractors or subcontractors on behalf of the Government.
-'''Incorporation by reference. '''
+(c) CMMC Program requirements apply to all DoD solicitations and contracts pursuant to which a defense contractor or subcontractor will process, store, or transmit FCI or CUI on unclassified contractor information systems, including those for the acquisition of commercial items (except those exclusively for COTS items) valued at greater than the micro- purchase threshold except under the following circumstances:
-Certain material is incorporated by
+(1) The procurement occurs during Implementation Phase 1, 2, or 3 as described in paragraph (e) of this section, in which case CMMC Program requirements apply in accordance with the requirements for the relevant phase- in period; or
-reference into this part with the <br />
+(2) Application of CMMC Program requirements to a procurement or class of procurements may be waived in advance of the solicitation at the discretion of DoD in accordance with all applicable policies, procedures, and approval requirements.
-approval of the Director of the Federal <br />
-Register under 5 U.S.C. 552(a) and 1 <br />
-CFR part 51. Material approved for <br />
-incorporation by reference (IBR) is
-available for inspection at the <br />
+(d) DoD Program Managers or requiring activities are responsible for selecting the CMMC Status that will apply for a particular procurement or contract based upon the type of information, FCI or CUI, that will be processed on, stored on, or transmitted through a contractor information system. Application of the CMMC Status for subcontractors will be determined in accordance with § 170.23.
-Department of Defense (DoD) and at the <br />
-National Archives and Records <br />
-Administration (NARA). Contact DoD <br />
-[https://DoDcio.defense.gov/CMMC/ online: ''https://DoDcio.defense.gov/ <br />
-CMMC/''; email: ][mailto:osd.mc-alex.DoD-cio.mbx.cmmc-rule@mail.mil ''osd.mc-alex.DoD- <br />
-cio.mbx.cmmc-rule@mail.mil''; or phone: <br />
-](202) 770–9100. For information on the <br />
-availability of this material at NARA, <br />
-[http://www.archives.gov/federal-register/cfr/ibr-locations visit: ''www.archives.gov/federal-register/ <br />
-cfr/ibr-locations '']or email: [mailto:fr.inspection@nara.gov ''fr.inspection@<br />
-nara.gov''. The material may be obtained <br />
-]from the following sources:
-(a) National Institute of Standards and
+(e) DoD is utilizing a phased approach for the inclusion of CMMC Program requirements in solicitations and contracts. Implementation of CMMC Program requirements will occur over four (4) phases:
-Technology, U.S. Department of <br />
+(1) ''Phase 1.'' Begins on the effective date of the complementary 48 CFR part 204 CMMC Acquisition final rule. DoD intends to include the requirement for CMMC Statuses of Level 1 (Self) or Level 2 (Self) for all applicable DoD solicitations and contracts as a condition of contract award. DoD may, at its discretion, include the requirement for CMMC Status of Level 1 (Self) or Level 2 (Self) for applicable DoD solicitations and contracts as a condition to exercise an option period on a contract awarded prior to the effective date. DoD may also, at its discretion, include the requirement for CMMC Status of Level 2 (C3PAO) in place of the Level 2 (Self) CMMC Status for applicable DoD solicitations and contracts.
-Commerce, 100 Bureau Drive, <br />
-Gaithersburg, MD 20899; phone: (301) <br />
-[https://csrc.nist.gov/publications/ 975–8443; website: ''https://csrc.nist.gov/ <br />
-publications/''. ]
-(1) FIPS PUB 200, Minimum Security
+(2) ''Phase 2.'' Begins one calendar year following the start date of Phase 1. In addition to Phase 1 requirements, DoD intends to include the requirement for CMMC Status of Level 2 (C3PAO) for applicable DoD solicitations and contracts as a condition of contract award. DoD may, at its discretion, delay the inclusion of requirement for CMMC Status of Level 2 (C3PAO) to an option period instead of as a condition of contract award. DoD may also, at its discretion, include the requirement for CMMC Status of Level 3 (DIBCAC) for applicable DoD solicitations and contracts.
-Requirements for Federal Information <br />
+(3) ''Phase 3.'' Begins one calendar year following the start date of Phase 2. In addition to Phase 1 and 2 requirements, DoD intends to include the requirement for CMMC Status of Level 2 (C3PAO) for all applicable DoD solicitations and contracts as a condition of contract award and as a condition to exercise an option period on a contract awarded after the effective date. DoD intends to include the requirement for CMMC Status of Level 3 (DIBCAC) for all applicable DoD solicitations and contracts as a condition of contract award. DoD may, at its discretion, delay the inclusion of requirement for CMMC Status of Level 3 (DIBCAC) to an option period instead of as a condition of contract award.
-and Information Systems, March 2006 <br />
-(FIPS PUB 200 Mar2006); IBR approved <br />
-for § 170.4(b).
-(2) FIPS PUB 201–3, Personal Identity
+(4) ''Phase 4, full implementation.'' Begins one calendar year following the start date of Phase 3. DoD will include CMMC Program requirements in all applicable DoD solicitations and contracts including option periods on contracts awarded prior to the beginning of Phase 4.
-Verification (PIV) of Federal Employees <br />
+=== § 170.4 Acronyms and definitions. ===
-and Contractors, January 2022 (FIPS <br />
-PUB 201–3 Jan2022); IBR approved for <br />
-§ 170.4(b).
-(3) SP 800–37, Risk Management
+(a) ''Acronyms. ''Unless otherwise noted, the following acronyms and their terms are for the purposes of this part.
-Framework for Information Systems and <br />
+AC—Access Control
-Organizations: A System Life Cycle <br />
+APT—Advanced Persistent Threat
-Approach for Security and Privacy, <br />
+AT—Awareness and Training
-Revision 2, December 2018 (NIST SP <br />
+C3PAO—CMMC Third-Party Assessment Organization
-–37 R2); IBR approved for § 170.4(b).
+CA—Security Assessment CAICO—CMMC Assessors and Instructors Certification Organization
+CAGE—Commercial and Government Entity
+CCA—CMMC-Certified Assessor
+CCI—CMMC-Certified Instructor
+CCP—CMMC-Certified Professional
+CFR—Code of Federal Regulations
+CIO—Chief Information Officer
+CM—Configuration Management CMMC—Cybersecurity Maturity Model Certification
+CMMC PMO—CMMC Program Management Office
+CNC—Computerized Numerical Control
+CoPC—Code of Professional Conduct CSP—Cloud Service Provider CUI—Controlled Unclassified Information
+DCMA—Defense Contract Management Agency
+DD—Represents any two-character CMMC Domain acronym
+DFARS—Defense Federal Acquisition Regulation Supplement
+DIB—Defense Industrial Base DIBCAC—DCMA’s Defense Industrial Base Cybersecurity Assessment Center
+DoD—Department of Defense DoDI—Department of Defense Instruction
+eMASS—Enterprise Mission Assurance Support Service
+ESP—External Service Provider
+FAR—Federal Acquisition Regulation
+FCI—Federal Contract Information
+FedRAMP—Federal Risk and Authorization Management Program
+GFE—Government Furnished Equipment
+IA—Identification and Authentication
+ICS—Industrial Control System
+IIoT—Industrial Internet of Things
+IoT—Internet of Things
+IR—Incident Response
+IS—Information System
+IEC—International Electrotechnical Commission
+ISO/IEC—International Organization for Standardization/International Electrotechnical Commission
+IT—Information Technology
+L#—CMMC Level Number
+MA—Maintenance
+MP—Media Protection
+MSSP—Managed Security Service Provider
+NARA—National Archives and Records Administration
+NAICS—North American Industry Classification System
+NIST—National Institute of Standards and Technology
+N/A—Not Applicable
+ODP—Organization-Defined Parameter
+OSA—Organization Seeking Assessment
+OSC—Organization Seeking Certification
+OT—Operational Technology
+PI—Provisional Instructor
+PIEE—Procurement Integrated Enterprise Environment
+PII—Personally Identifiable Information
+PLC—Programmable Logic Controller
+POA&M—Plan of Action and Milestones
+PRA—Paperwork Reduction Act
+RM—Risk Management
+SAM—System of Award Management
+SC—System and Communications Protection
+SCADA—Supervisory Control and Data Acquisition
+SI—System and Information Integrity
+SIEM—Security Information and Event Management
+SP—Special Publication
+SPD—Security Protection Data
+SPRS—Supplier Performance Risk System
+SSP—System Security Plan
-(4) SP 800–39, Managing Information
+(b) ''Definitions.'' Unless otherwise noted, these terms and their definitions are for the purposes of this part.
-Security Risk: Organization, Mission, <br />
+''Access Control (AC)'' means the process of granting or denying specific requests to obtain and use information and related information processing services; and/or entry to specific physical facilities (''e.g., ''Federal buildings, military establishments, or border crossing entrances), as defined in FIPS PUB 201–3 Jan2002 (incorporated by reference, see § 170.2).
-and Information System View, March <br />
-(NIST SP 800–39 Mar2011); IBR <br />
-approved for § 170.4(b).
-(5) SP 800–53, Security and Privacy
+''Accreditation'' means a status pursuant to which a CMMC Assessment and Certification Ecosystem member (person or organization), having met all criteria for the specific role they perform including required ISO/IEC accreditations, may act in that role as set forth in § 170.8 for the Accreditation Body and § 170.9 for C3PAOs. (CMMC- custom term)
-Controls for Information Systems and <br />
+''Accreditation Body'' is defined in § 170.8 and means the one organization DoD contracts with to be responsible for authorizing and accrediting members of the CMMC Assessment and Certification Ecosystem, as required. The Accreditation Body must be approved by DoD. At any given point in time, there will be only one Accreditation Body for the DoD CMMC Program. (CMMC-custom term)
-Organizations, Revision 5, September <br />
-(includes updates as of December <br />
-, 2020) (NIST SP 800–53 R5); IBR <br />
-approved for § 170.4(b).
-(6) SP 800–82r3, Guide to Operational
+''Advanced Persistent Threat (APT)'' means an adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors (''e.g.,'' cyber, physical, and deception). These objectives typically include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating information, undermining or impeding critical aspects of a mission, program, or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat pursues its objectives repeatedly over an extended period-of-time, adapts to defenders’ efforts to resist it, and is determined to maintain the level of interaction needed to execute its objectives, as is defined in NIST SP 800–39 Mar2011 (incorporated by reference, see § 170.2).
-Technology (OT) Security, September <br />
+''Affirming Official'' means the senior level representative from within each Organization Seeking Assessment (OSA) who is responsible for ensuring the OSA’s compliance with the CMMC Program requirements and has the authority to affirm the OSA’s continuing compliance with the specified security requirements for their respective organizations. (CMMC-custom term)
-(NIST SP 800–82r3); IBR approved <br />
-for § 170.4(b).
-(7) SP 800–115, Technical Guide to
+''Assessment'' means the testing or evaluation of security controls to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for an information system or organization, as defined in §§ 170.15 through 170.18. (CMMC-custom term)
-Information Security Testing and <br />
+(i)'' Level 1 self-assessment'' is the term for the activity performed by an OSA to evaluate its own information system when seeking a CMMC Status of Level 1 (Self).
-Assessment, September 2008 (NIST SP <br />
-–115 Sept2008); IBR approved for <br />
-§ 170.4(b).
-(8) SP 800–160, Volume 2, Developing
+(ii)'' Level 2 self-assessment'' is the term for the activity performed by an OSA to evaluate its own information system when seeking a CMMC Status of Level 2 (Self).
-Cyber-Resilient Systems: A Systems <br />
+(iii)'' Level 2 certification assessment'' is the term for the activity performed by a C3PAO to evaluate the information system of an OSC when seeking a CMMC Status of Level 2 (C3PAO).
-Security Engineering Approach, <br />
-Revision 1, December 2021 (NIST SP <br />
-–160 V2R1); IBR approved for <br />
-§ 170.4(b).
-(9) SP 800–171, Protecting Controlled
+(iv)'' Level 3 certification assessment'' is the term for the activity performed by the DCMA DIBCAC to evaluate the information system of an OSC when seeking a CMMC Status of Level 3 (DIBCAC).
-Unclassified Information in Nonfederal <br />
+(v)'' POA&M closeout self-assessment'' is the term for the activity performed by an OSA to evaluate only the NOT MET requirements that were identified with POA&amp;M during the initial assessment, when seeking a CMMC Status of Final Level 2 (Self).
-Systems and Organizations, Revision 2, <br />
-February 2020 (includes updates as of <br />
-January 28, 2021), (NIST SP 800–171 <br />
-R2); IBR approved for §§ 170.4(b) and <br />
-.14(a) through (c).
-(10) SP 800–171A, Assessing Security
+(vi)'' POA&M closeout certification assessment'' is the term for the activity performed by a C3PAO or DCMA DIBCAC to evaluate only the NOT MET requirements that were identified with POA&amp;M during the initial assessment, when seeking a CMMC Status of Final Level 2 (C3PAO) or Final Level 3 (DIBCAC) respectively.
-Requirements for Controlled <br />
+''Assessment Findings Report'' means the final written assessment results by the third-party or government assessment team. The Assessment Findings Report is submitted to the OSC and to the DoD via CMMC eMASS. (CMMC-custom term)
-Unclassified Information, June 2018 <br />
-(NIST SP 800–171A Jun2018); IBR <br />
-approved for §§ 170.11(a), 170.14(d), <br />
-.15(c), 170.16(c), 170.17(c), and <br />
-.18(c).
-(11) SP 800–172, Enhanced Security
+''Assessment objective'' means a set of determination statements that, taken together, expresses the desired outcome for the assessment of a security requirement. Successful implementation of the corresponding CMMC security requirement requires meeting all applicable assessment objectives defined in NIST SP 800–171A Jun2018 (incorporated by reference, see § 170.2) or NIST SP 800–172A Mar2022 (incorporated by reference, see § 170.2). (CMMC-custom term)
-Requirements for Protecting Controlled <br />
+''Assessment Team'' means participants in the Level 2 certification assessment (CMMC Certified Assessors and CMMC Certified Professionals) or the Level 3 certification assessment (DCMA DIBCAC assessors). This does not include the OSC participants preparing for or participating in the assessment. (CMMC-custom term)
-Unclassified Information: A Supplement <br />
-to NIST Special Publication 800–171, <br />
-February 2021 (NIST SP 800–172 <br />
-Feb2021); IBR approved for §§ 170.4(b), <br />
-.5(a), and 170.14(a) and (c).
-(12) SP 800–172A, Assessing
+''Asset'' means an item of value to stakeholders. An asset may be tangible (''e.g.,'' a physical item such as hardware, firmware, computing platform, network device, or other technology component) or intangible (''e.g.,'' humans, data, information, software, capability, function, service, trademark, copyright, patent, intellectual property, image, or reputation). The value of an asset is determined by stakeholders in consideration of loss concerns across the entire system life cycle. Such concerns include but are not limited to business or mission concerns, as defined in NIST SP 800–160 V2R1 (incorporated by reference, see § 170.2).
-Enhanced Security Requirements for <br />
+''Asset Categories'' means a grouping of assets that process, store or transmit information of similar designation, or provide security protection to those assets. (CMMC-custom term)
-Controlled Unclassified Information, <br />
-March 2022 (NIST SP 800–172A <br />
-Mar2022); IBR approved for §§ 170.4(b), <br />
-.14(d), and 170.18(c).
-(b) International Organization for
+''Authentication'' is defined in FIPS PUB 200 Mar2006 (incorporated by reference, see § 170.2).
-Standardization (ISO) Chemin de <br />
+''Authorized'' means an interim status during which a CMMC Ecosystem member (person or organization), having met all criteria for the specific role they perform other than the required ISO/IEC accreditations, may act in that role for a specified time as set forth in § 170.8 for the Accreditation Body and § 170.9 for C3PAOs. (CMMC-custom term)
-Blandonnet 8, CP 401—1214 Vernier, <br />
-Geneva, Switzerland; phone: +41 22 749 <br />
-[http://www.iso.org/popular-standards.html 01 11; website: ''www.iso.org/popular- <br />
-standards.html''. ]
-(1) ISO/IEC 17011:2017(E),
+''Capability'' means a combination of mutually reinforcing controls implemented by technical means, physical means, and procedural means. Such controls are typically selected to achieve a common information security or privacy purpose, as defined in NIST SP 800–37 R2 (incorporated by reference, see § 170.2).
-Conformity assessment—Requirements <br />
+''Cloud Service Provider (CSP)'' means an external company that provides cloud services based on cloud computing. Cloud computing is a model for enabling ubiquitous, convenient, on- demand network access to a shared pool of configurable computing resources (''e.g.,'' networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This definition is based on the definition for cloud computing in NIST SP 800–145 Sept2011. (CMMC-custom term)
-for accreditation bodies accrediting <br />
-conformity assessment bodies, Second <br />
-edition, November 2017 (ISO/IEC <br />
-:2017(E)); IBR approved for <br />
-§§ 170.8(b)(3), 170.9(b)(13), and <br />
-.10(b)(4).
-(2) ISO/IEC 17020:2012(E),
+''CMMC Assessment and Certification Ecosystem'' means the people and organizations described in subpart C of this part. This term is sometimes shortened to CMMC Ecosystem. (CMMC-custom term)
-Conformity assessment—Requirement <br />
+''CMMC Assessment Scope'' means the set of all assets in the OSA’s environment that will be assessed against CMMC security requirements. (CMMC-custom term)
-for the operation of various types of <br />
-bodies performing inspection, Second <br />
-edition, March 1, 2012 (ISO/IEC <br />
-:2012(E)); IBR approved for <br />
-§§ 170.8(a), (b)(1), (b)(3) and 170.9(b)(2) <br />
-and (b)(13).
-(3) ISO/IEC 17024:2012(E),
+''CMMC Assessor and Instructor Certification Organization (CAICO)'' is defined in § 170.10 and means the organization responsible for training, testing, authorizing, certifying, and recertifying CMMC certified assessors, certified instructors, and certified professionals. (CMMC-custom term)
-Conformity assessment—General <br />
+''CMMC Instantiation of eMASS'' means a CMMC instance of the Enterprise Mission Assurance Support Service (eMASS), a government owned and operated system. (CMMC-custom term)
-requirements for bodies operating <br />
-certification of persons, second edition, <br />
-July 1, 2012 (ISO/IEC 17024:2012(E)); <br />
-IBR approved for §§ 170.8(b)(2) and <br />
-.10(a) and (b)(4), (7), and (8).
-'''Note 1 to paragraph (b): '''The ISO/IEC
+''CMMC Security Requirements'' means the 15 Level 1 requirements listed in the 48 CFR 52.204–21(b)(1), the 110 Level 2 requirements from NIST SP 800–171 R2 (incorporated by reference, see § 170.2), and the 24 Level 3 requirements selected from NIST SP 800–172 Feb2021 (incorporated by reference, see § 170.2).
-standards incorporated by reference in this <br />
+''CMMC Status'' is the result of meeting or exceeding the minimum required score for the corresponding assessment. The CMMC Status of an OSA information system is officially stored in SPRS and additionally presented on a Certificate of CMMC Status, if the assessment was conducted by a C3PAO or DCMA DIBCAC. The potential CMMC Statuses are outlined in the paragraphs that follow. (CMMC-custom term)
-part may be viewed at no cost in ‘‘read only’’ <br />
-[https://ibr.ansi.org format at ''https://ibr.ansi.org''. ]
-'''§ 170.3'''
+(i)'' Final Level 1 (Self)'' is defined in § 170.15(a)(1) and (c)(1). (CMMC-custom term)
-'''Applicability. '''
+(ii)'' Conditional Level 2 (Self)'' is defined in § 170.16(a)(1)(ii). (CMMC- custom term)
-(a) The requirements of this part
+(iii)'' Final Level 2 (Self)'' is defined in § 170.16(a)(1)(iii). (CMMC-custom term)
-apply to:
+(iv)'' Conditional Level 2 (C3PAO)'' is defined in § 170.17(a)(1)(ii). (CMMC- custom term)
-(1) All DoD contract and subcontract
+(v)'' Final Level 2 (C3PAO)'' is defined in § 170.17(a)(1)(iii). (CMMC-custom term)
-awardees that will process, store, or <br />
+(vi)'' Conditional Level 3 (DIBCAC)'' is defined in § 170.18(a)(1)(ii). (CMMC- custom term)
-transmit information, in performance of <br />
-the DoD contract, that meets the <br />
-standards for FCI or CUI on contractor <br />
-information systems; and,
-(2) Private-sector businesses or other
+(vii)'' Final Level 3 (DIBCAC)'' is defined in § 170.18(a)(1)(iii). (CMMC-custom term)
-entities comprising the CMMC <br />
+''CMMC Status Date'' means the date that the CMMC Status results are submitted to SPRS or the CMMC instantiation of eMASS, as appropriate. The date of the Conditional CMMC Status will remain as the CMMC Status Date after a successful POA&amp;M closeout. A new date is not set for a Final that follows a Conditional. (CMMC-custom term)
-Assessment and Certification <br />
-Ecosystem, as specified in subpart C of <br />
-this part.
-VerDate Sep&lt;11&gt;2014
+''CMMC Third-Party Assessment Organization (C3PAO)'' means an organization that has been authorized or accredited by the Accreditation Body to conduct Level 2 certification assessments and has the roles and responsibilities identified in § 170.9. (CMMC-custom term)
-:51 Oct 11, 2024
+''Contractor'' is defined in 48 CFR 3.502–1.
-Jkt 265001
+''Contractor Risk Managed Assets'' are defined in table 3 to § 170.19(c)(1). (CMMC-custom term)
-PO 00000
+''Controlled Unclassified Information (CUI)'' is defined in 32 CFR 2002.4(h).
-Frm 00125
+''Controlled Unclassified Information (CUI) Assets'' means assets that can process, store, or transmit CUI. (CMMC- custom term)
-Fmt 4701
+''DCMA DIBCAC High Assessment'' means an assessment that is conducted by Government personnel in accordance with NIST SP 800–171A Jun2018 and leveraging specific guidance in the DoD Assessment Methodology that:
-Sfmt 4700
+(i) Consists of: (A) A review of a contractor’s Basic Assessment;
-E:\FR\FM\15OCR2.SGM
+(B) A thorough document review;
-OCR2
+(C) Verification, examination, and demonstration of a contractor’s system security plan to validate that NIST SP 800–171 R2 security requirements have been implemented as described in the contractor’s system security plan; and
-khammond on DSKJM1Z7X2PROD with RULES2
+(D) Discussions with the contractor to obtain additional information or clarification, as needed; and
+(ii) Results in a confidence level of ‘‘High’’ in the resulting score. (Source: 48 CFR 252.204–7020).
+''Defense Industrial Base (DIB)'' is defined in 32 CFR 236.2.
+''DoD Assessment Methodology (DoDAM)'' documents a standard methodology that enables a strategic assessment of a contractor’s implementation of NIST SP 800–171 R2, a requirement for compliance with 48 CFR 252.204–7012. (Source: DoDAM Version 1.2.1)
+''Enduring Exception'' means a special circumstance or system where remediation and full compliance with CMMC security requirements is not feasible. Examples include systems required to replicate the configuration of ‘fielded’ systems, medical devices, test equipment, OT, and IoT. No operational plan of action is required but the circumstance must be documented within a system security plan. Specialized Assets and GFE may be enduring exceptions. (CMMC-custom term)
+''Enterprise'' means an organization with a defined mission/goal and a defined boundary, using information systems to execute that mission, and with responsibility for managing its own risks and performance. An enterprise may consist of all or some of the following business aspects: acquisition, program management, financial management (''e.g.,'' budgets), human resources, security, and information systems, information and mission management, as defined in NIST SP 800–53 R5 (incorporated by reference, see § 170.2).
+''External Service Provider (ESP)'' means external people, technology, or facilities that an organization utilizes for provision and management of IT and/or cybersecurity services on behalf of the organization. In the CMMC Program, CUI or Security Protection Data (''e.g.,'' log data, configuration data), must be processed, stored, or transmitted on the ESP assets to be considered an ESP. (CMMC-custom term)
-'''83216 '''
+''Federal Contract Information (FCI)'' is defined in 48 CFR 4.1901.
-'''Federal Register '''/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
+''Government Furnished Equipment (GFE)'' has the same meaning as ‘‘government-furnished property’’ as defined in 48 CFR 45.101.
-(b) The requirements of this part do
+''Industrial Control Systems (ICS)'' means a general term that encompasses several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations that are often found in the industrial sectors and critical infrastructures, such as Programmable Logic Controllers (PLC). An ICS consists of combinations of control components (''e.g.,'' electrical, mechanical, hydraulic, pneumatic) that act together to achieve an industrial objective (''e.g.,'' manufacturing, transportation of matter or energy), as defined in NIST SP 800–82r3 (incorporated by reference, see § 170.2).
-not apply to Federal information <br />
+''Information System (IS)'' is defined in NIST SP 800–171 R2 (incorporated by reference, see § 170.2).
-systems operated by contractors or <br />
-subcontractors on behalf of the <br />
-Government.
-(c) CMMC Program requirements
+''Internet of Things (IoT)'' means the network of devices that contain the hardware, software, firmware, and actuators which allow the devices to connect, interact, and freely exchange data and information, as defined in NIST SP 800–172A Mar2022 (incorporated by reference, see § 170.2).
-apply to all DoD solicitations and <br />
+''Operational plan of action'' as used in security requirement CA.L2–3.12.2, means the formal artifact which identifies temporary vulnerabilities and temporary deficiencies (''e.g.,'' necessary information system updates, patches, or reconfiguration as threats evolve) in implementation of requirements and documents how they will be mitigated, corrected, or eliminated. The OSA defines the format (''e.g.,'' document, spreadsheet, database) and specific content of its operational plan of action. An operational plan of action does not identify a timeline for remediation and is not the same as a POA&amp;M, which is associated with an assessment for remediation of deficiencies that must be completed within 180 days. (CMMC- custom term)
-contracts pursuant to which a defense <br />
-contractor or subcontractor will process, <br />
-store, or transmit FCI or CUI on <br />
-unclassified contractor information <br />
-systems, including those for the <br />
-acquisition of commercial items (except <br />
-those exclusively for COTS items) <br />
-valued at greater than the micro- <br />
-purchase threshold except under the <br />
-following circumstances:
-(1) The procurement occurs during
+''Operational Technology (OT)'' means programmable systems or devices that interact with the physical environment (or manage devices that interact with the physical environment). These systems or devices detect or cause a direct change through the monitoring or control of devices, processes, and events. Examples include industrial control systems, building management systems, fire control systems, and physical access control mechanisms, as defined in NIST SP 800–160 V2R1 (incorporated by reference, see § 170.2).
-Implementation Phase 1, 2, or 3 as <br />
+''Organization-defined'' means as determined by the OSA except as defined in the case of Organization- Defined Parameter (ODP). (CMMC- custom term)
-described in paragraph (e) of this <br />
-section, in which case CMMC Program <br />
-requirements apply in accordance with <br />
-the requirements for the relevant phase- <br />
-in period; or
-(2) Application of CMMC Program
+''Organization-Defined Parameters (ODPs)'' means selected enhanced security requirements contain selection and assignment operations to give organizations flexibility in defining variable parts of those requirements, as defined in NIST SP 800–172A Mar2022 (incorporated by reference, see § 170.2).
-requirements to a procurement or class <br />
+''Note 1 to ODPs:'' The organization defining the parameters is the DoD.
-of procurements may be waived in <br />
-advance of the solicitation at the <br />
-discretion of DoD in accordance with all <br />
-applicable policies, procedures, and <br />
-approval requirements.
-(d) DoD Program Managers or
+''Organization Seeking Assessment (OSA)'' means the entity seeking to undergo a self-assessment or certification assessment for a given information system for the purposes of achieving and maintaining any CMMC Status. The term OSA includes all Organizations Seeking Certification (OSCs). (CMMC-custom term)
-requiring activities are responsible for <br />
+''Organization Seeking Certification (OSC)'' means the entity seeking to undergo a certification assessment for a given information system for the purposes of achieving and maintaining the CMMC Status of Level 2 (C3PAO) or Level 3 (DIBCAC). An OSC is also an OSA. (CMMC-custom term)
-selecting the CMMC Status that will <br />
-apply for a particular procurement or <br />
-contract based upon the type of <br />
-information, FCI or CUI, that will be <br />
-processed on, stored on, or transmitted <br />
-through a contractor information <br />
-system. Application of the CMMC <br />
-Status for subcontractors will be <br />
-determined in accordance with § 170.23.
-(e) DoD is utilizing a phased approach
+''Out-of-Scope Assets'' means assets that cannot process, store, or transmit CUI because they are physically or logically separated from information systems that do process, store, or transmit CUI, or are inherently unable to do so; except for assets that provide security protection for a CUI asset (see the definition for ''Security Protection Assets''). (CMMC- custom term)
-for the inclusion of CMMC Program <br />
+''Periodically'' means occurring at a regular interval as determined by the OSA that may not exceed one year. (CMMC-custom term)
-requirements in solicitations and <br />
-contracts. Implementation of CMMC <br />
-Program requirements will occur over <br />
-four (4) phases:
-(1) ''Phase 1. ''Begins on the effective
+''Personally Identifiable Information'' means information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual, as defined in NIST SP 800–53 R5 (incorporated by reference, see § 170.2).
-date of the complementary 48 CFR part <br />
+''Plan of Action and Milestones (POA&M)'' means a document that identifies tasks needing to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones, as defined in NIST SP 800–115 Sept2008 (incorporated by reference, see § 170.2).
-CMMC Acquisition final rule. DoD <br />
-intends to include the requirement for <br />
-CMMC Statuses of Level 1 (Self) or <br />
-Level 2 (Self) for all applicable DoD <br />
-solicitations and contracts as a <br />
-condition of contract award. DoD may, <br />
-at its discretion, include the <br />
-requirement for CMMC Status of Level <br />
-(Self) or Level 2 (Self) for applicable <br />
-DoD solicitations and contracts as a <br />
-condition to exercise an option period <br />
-on a contract awarded prior to the <br />
-effective date. DoD may also, at its <br />
-discretion, include the requirement for <br />
-CMMC Status of Level 2 (C3PAO) in <br />
-place of the Level 2 (Self) CMMC Status <br />
-for applicable DoD solicitations and <br />
-contracts.
-(2) ''Phase 2. ''Begins one calendar year
+''Prime Contractor'' is defined in 48 CFR 3.502–1.
-following the start date of Phase 1. In <br />
+''Process, store, or transmit'' means data can be used by an asset (''e.g.,'' accessed, entered, edited, generated, manipulated, or printed); data is inactive or at rest on an asset (''e.g.,'' located on electronic media, in system component memory, or in physical format such as paper documents); or data is being transferred from one asset to another asset (''e.g.,'' data in transit using physical or digital transport methods). (CMMC-custom term)
-addition to Phase 1 requirements, DoD <br />
-intends to include the requirement for <br />
-CMMC Status of Level 2 (C3PAO) for <br />
-applicable DoD solicitations and <br />
-contracts as a condition of contract <br />
-award. DoD may, at its discretion, delay <br />
-the inclusion of requirement for CMMC <br />
-Status of Level 2 (C3PAO) to an option <br />
-period instead of as a condition of <br />
-contract award. DoD may also, at its <br />
-discretion, include the requirement for <br />
-CMMC Status of Level 3 (DIBCAC) for <br />
-applicable DoD solicitations and <br />
-contracts.
-(3) ''Phase 3. ''Begins one calendar year
+''Restricted Information Systems'' means systems (and associated IT components comprising the system) that are configured based on government requirements (''e.g.,'' connected to something that was required to support a functional requirement) and are used to support a contract (''e.g.,'' fielded systems, obsolete systems, and product deliverable replicas). (CMMC-custom term)
-following the start date of Phase 2. In <br />
+''Risk'' means a measure of the extent to which an entity is threatened by a potential circumstance or event, and is typically a function of:
-addition to Phase 1 and 2 requirements, <br />
-DoD intends to include the requirement <br />
-for CMMC Status of Level 2 (C3PAO) for <br />
-all applicable DoD solicitations and <br />
-contracts as a condition of contract <br />
-award and as a condition to exercise an <br />
-option period on a contract awarded <br />
-after the effective date. DoD intends to <br />
-include the requirement for CMMC <br />
-Status of Level 3 (DIBCAC) for all <br />
-applicable DoD solicitations and <br />
-contracts as a condition of contract <br />
-award. DoD may, at its discretion, delay <br />
-the inclusion of requirement for CMMC <br />
-Status of Level 3 (DIBCAC) to an option <br />
-period instead of as a condition of <br />
-contract award.
-(4) ''Phase 4, full implementation. ''
+(i) The adverse impacts that would arise if the circumstance or event occurs; and
-Begins one calendar year following the <br />
+(ii) The likelihood of occurrence, as defined in NIST SP 800–53 R5 (incorporated by reference, see § 170.2).
-start date of Phase 3. DoD will include <br />
-CMMC Program requirements in all <br />
-applicable DoD solicitations and <br />
-contracts including option periods on <br />
-contracts awarded prior to the beginning <br />
-of Phase 4.
-'''§ 170.4'''
+''Risk Assessment'' means the process of identifying risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of a system. Risk Assessment is part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. Synonymous with risk analysis, as defined in NIST SP 800–39 Mar2011 (incorporated by reference, see § 170.2).
-'''Acronyms and definitions. '''
+''Security Protection Assets (SPA)'' means assets providing security functions or capabilities for the OSA’s CMMC Assessment Scope. (CMMC- custom term)
-(a) ''Acronyms. ''Unless otherwise
+''Security Protection Data (SPD)'' means data stored or processed by Security Protection Assets (SPA) that are used to protect an OSC’s assessed environment. SPD is security relevant information and includes but is not limited to: configuration data required to operate an SPA, log files generated by or ingested by an SPA, data related to the configuration or vulnerability status of in-scope assets, and passwords that grant access to the in-scope environment. (CMMC-custom term)
-noted, the following acronyms and their <br />
+''Specialized Assets'' means types of assets considered specialized assets for CMMC: Government Furnished Equipment, Internet of Things (IoT) or Industrial Internet of Things (IIoT), Operational Technology (OT), Restricted Information Systems, and Test Equipment. (CMMC-custom term)
-terms are for the purposes of this part. <br />
-AC—Access Control <br />
-APT—Advanced Persistent Threat <br />
-AT—Awareness and Training <br />
-C3PAO—CMMC Third-Party
-Assessment Organization
+''Subcontractor'' is defined in 48 CFR 3.502–1.
-CA—Security Assessment <br />
+''Supervisory Control and Data Acquisition (SCADA)'' means a generic name for a computerized system that is capable of gathering and processing data and applying operational controls over long distances. Typical uses include power transmission and distribution and pipeline systems. SCADA was designed for the unique communication challenges (''e.g.,'' delays, data integrity) posed by the various media that must be used, such as phone lines, microwave, and satellite. Usually shared rather than dedicated, as defined in NIST SP 800– 82r3 (incorporated by reference, see § 170.2).
-CAICO—CMMC Assessors and
-Instructors Certification Organization
+''System Security Plan (SSP)'' means the formal document that provides an overview of the security requirements for an information system or an information security program and describes the security controls in place or planned for meeting those requirements. The system security plan describes the system components that are included within the system, the environment in which the system operates, how the security requirements are implemented, and the relationships with or connections to other systems, as defined in NIST SP 800–53 R5 (incorporated by reference, see § 170.2).
-CAGE—Commercial and Government
+''Temporary deficiency'' means a condition where remediation of a discovered deficiency is feasible, and a known fix is available or is in process. The deficiency must be documented in an operational plan of action. A temporary deficiency is not based on an ‘in progress’ initial implementation of a CMMC security requirement but arises after implementation. A temporary deficiency may apply during the initial implementation of a security requirement if, during roll-out, specific issues with a very limited subset of equipment is discovered that must be separately addressed. There is no standard duration for which a temporary deficiency may be active. For example, FIPS-validated cryptography that requires a patch and the patched version is no longer the validated version may be a temporary deficiency. (CMMC-custom term)
-Entity
+''Test Equipment'' means hardware and/ or associated IT components used in the testing of products, system components, and contract deliverables. (CMMC- custom term)
-CCA—CMMC-Certified Assessor <br />
+''User'' means an individual, or (system) process acting on behalf of an individual, authorized to access a system, as defined in NIST SP 800–53 R5 (incorporated by reference, see § 170.2).
-CCI—CMMC-Certified Instructor <br />
-CCP—CMMC-Certified Professional <br />
-CFR—Code of Federal Regulations <br />
-CIO—Chief Information Officer <br />
-CM—Configuration Management <br />
-CMMC—Cybersecurity Maturity Model
-Certification
+=== § 170.5 Policy. ===
-CMMC PMO—CMMC Program
+(a) Protection of FCI and CUI on contractor information systems is of paramount importance to the DoD and can directly impact its ability to successfully conduct essential missions and functions. It is DoD policy that defense contractors and subcontractors shall be required to safeguard FCI and CUI that is processed, stored, or transmitted on contractor information systems by applying specified security requirements. In addition, defense contractors and subcontractors may be required to implement additional safeguards defined in NIST SP 800–172 Feb2021 (incorporated by reference, see § 170.2), implementing DoD specified parameters to meet CMMC Level 3 security requirements (see table 1 to § 170.14(c)(4)). These additional requirements are necessary to protect CUI being processed, stored, or transmitted in contractor information systems, when designated by a requirement for CMMC Status of Level 3 (DIBCAC) as defined by a DoD program manager or requiring activity. In general, the Department will identify a requirement for a CMMC Status of Level 3 (DIBCAC) for solicitations and resulting contracts supporting its most critical programs and technologies.
-Management Office
+(b) Program managers and requiring activities are responsible for identifying the CMMC Status that will apply to a procurement. Selection of the applicable CMMC Status will be based on factors including but not limited to:
-CNC—Computerized Numerical Control
+(1) Criticality of the associated mission capability;
-CoPC—Code of Professional Conduct <br />
+(2) Type of acquisition program or technology;
-CSP—Cloud Service Provider <br />
-CUI—Controlled Unclassified
-Information
+(3) Threat of loss of the FCI or CUI to be shared or generated in relation to the effort;
-DCMA—Defense Contract Management
+(4) Impacts from exploitation of information security deficiencies; and
-Agency
+(5) Other relevant policies and factors, including Milestone Decision Authority guidance.
-DD—Represents any two-character
+(c) In accordance with the implementation plan described in § 170.3, CMMC Program requirements will apply to new DoD solicitations and contracts, and shall flow down to subcontractors who will process, store, or transmit FCI or CUI in performance of the subcontract, as described in § 170.23.
-CMMC Domain acronym
+(d) In very limited circumstances, and in accordance with all applicable policies, procedures, and requirements, a Service Acquisition Executive or Component Acquisition Executive in the DoD, or as delegated, may elect to waive inclusion of CMMC Program requirements in a solicitation or contract. In such cases, contractors and subcontractors will remain obligated to comply with all applicable cybersecurity and information security requirements.
-DFARS—Defense Federal Acquisition
+(e) The CMMC Program does not alter any separately applicable requirements to protect FCI or CUI, including those requirements in accordance with 48 CFR 52.204–21,'' Basic Safeguarding of Covered Contractor Information Systems,'' or covered defense information in accordance with 48 CFR 252.204– 7012,'' Safeguarding Covered Defense Information and Cyber Incident Reporting,'' or any other applicable information protection requirements. The CMMC Program provides a means of verifying implementation of the security requirements set forth in 48 CFR 52.204–21, NIST SP 800–171 R2, and NIST SP 800–172 Feb2021, as applicable.
-Regulation Supplement
+== Subpart B—Government Roles and Responsibilities. ==
+=== § 170.6 CMMC PMO. ===
-DIB—Defense Industrial Base <br />
+(a) The Office of the Department of Defense Chief Information Officer (DoD CIO) Office of the Deputy CIO for Cybersecurity (DoD CIO(CS)) provides oversight of the CMMC Program and is responsible for establishing CMMC assessment, accreditation, and training requirements as well as developing and updating CMMC Program policies and implementing guidance.
-DIBCAC—DCMA’s Defense Industrial
-Base Cybersecurity Assessment Center
+(b) The CMMC PMO is responsible for monitoring the CMMC AB’s performance of roles assigned in this rule and acting as necessary to address problems pertaining to effective performance.
-DoD—Department of Defense <br />
+(c) The CMMC PMO retains, on behalf of the DoD CIO(CS), the prerogative to review decisions of the CMMC Accreditation Body as part of its oversight of the CMMC program and evaluate any alleged conflicts of interest purported to influence the CMMC Accreditation Body’s objectivity.
-DoDI—Department of Defense
-Instruction
+(d) The CMMC PMO is responsible for sponsoring necessary DCSA activities including FOCI risk assessment and Tier 3 security background investigations for the CMMC Ecosystem members as specified in §§ 170.8(b)(4) and (5), 170.9(b)(3) through (5), 170.11(b)(3) and (4), and 170.13(b)(3) and (4).
-eMASS—Enterprise Mission Assurance
+(e) The CMMC PMO is responsible for investigating and acting upon indications that an active CMMC Status has been called into question. Indications that may trigger investigative evaluations include, but are not limited to, reports from the CMMC Accreditation Body, a C3PAO, or anyone knowledgeable of the security processes and activities of the OSA. Investigative evaluations include, but are not limited to, reviewing pertinent assessment information, and exercising the right to conduct a DCMA DIBCAC assessment of the OSA, as provided for under the 48 CFR 252.204–7020.
-Support Service
+(f) If a subsequent DCMA DIBCAC assessment shows that adherence to the provisions of this rule and the required CMMC Status have not been achieved or maintained, the DIBCAC results will take precedence over any pre-existing CMMC Status recorded in SPRS, or its successor capability. The DoD will update SPRS to reflect that the OSA is out of compliance and does not meet DoD CMMC requirements. If the OSA is working on an active contract requiring CMMC compliance, then standard contractual remedies will apply.
-ESP—External Service Provider <br />
+=== § 170.7 DCMA DIBCAC. ===
-FAR—Federal Acquisition Regulation <br />
-FCI—Federal Contract Information <br />
-FedRAMP—Federal Risk and
-Authorization Management Program
+(a) DCMA DIBCAC assessors in support of the CMMC Program will:
-GFE—Government Furnished
+(1) Complete CMMC Level 2 and Level 3 training.
-Equipment
+(2) Conduct Level 3 certification assessments and upload assessment results into the CMMC instantiation of eMASS, or its successor capability.
-IA—Identification and Authentication <br />
+(3) Issue Certificates of CMMC Status resulting from Level 3 certification assessments.
-ICS—Industrial Control System <br />
-IIoT—Industrial Internet of Things <br />
-IoT—Internet of Things <br />
-IR—Incident Response <br />
-IS—Information System <br />
-IEC—International Electrotechnical
-Commission
+(4) Conduct Level 2 certification assessments of the Accreditation Body and prospective C3PAOs’ information systems that process, store, and/or transmit CUI.
-ISO/IEC—International Organization for
+(5) Create and maintain a process for assessors to collect the list of assessment artifacts to include artifact names, their return value of the hashing algorithm, the hashing algorithm used, and upload that data into the CMMC instantiation of eMASS.
-Standardization/International <br />
+(6) As authorized and in accordance with all legal requirements, enter and track, OSC appeals and updated results arising from Level 3 certification assessment activities into the CMMC instantiation of eMASS.
-Electrotechnical Commission
-IT—Information Technology <br />
+(7) Retain all records in accordance with DCMA–MAN 4501–04.
-L#—CMMC Level Number <br />
-MA—Maintenance <br />
-MP—Media Protection <br />
-MSSP—Managed Security Service
-Provider
+(8) Conduct an assessment of the OSA, when requested by the CMMC PMO per §§ 170.6(e) and (f), as provided for under the 48 CFR 252.204–7019 and 48 CFR 252.204–7020.
-NARA—National Archives and Records
+(9) Identify assessments that meet the criteria in § 170.20 and verify that SPRS accurately reflects the CMMC Status.
-Administration
+(b) An OSC, the CMMC AB, or a C3PAO may appeal the outcome of its DCMA DIBCAC conducted assessment within 21 days by submitting a written basis for appeal with the requirements in question for DCMA DIBCAC consideration. Appeals may be submitted for review by visiting ''www.dcma.mil/DIBCAC'' for contact information, and a DCMA DIBCAC Quality Assurance Review Team will provide a written response or request additional supporting documentation.
-NAICS—North American Industry
+== Subpart C—CMMC Assessment and Certification Ecosystem. ==
+=== § 170.8 Accreditation Body. ===
-Classification System
+(a)'' Roles and responsibilities.'' The
-NIST—National Institute of Standards
+Accreditation Body is responsible for authorizing and ensuring the accreditation of CMMC Third-Party Assessment Organizations (C3PAOs) in accordance with ISO/IEC 17020:2012(E) (incorporated by reference, see § 170.2) and all applicable authorization and accreditation requirements set forth. The Accreditation Body is responsible for establishing the C3PAO authorization requirements and the C3PAO Accreditation Scheme and submitting both for approval by the CMMC PMO. At any given point in time, there will be only one Accreditation Body for the DoD CMMC Program.
-and Technology
+(b)'' Requirements.'' The CMMC
-N/A—Not Applicable <br />
+Accreditation Body shall:
-ODP—Organization-Defined Parameter <br />
-OSA—Organization Seeking Assessment <br />
-OSC—Organization Seeking
-Certification
+(1) Be US-based and be and remain a
-OT—Operational Technology <br />
+member in good standing of the Inter- American Accreditation Cooperation (IAAC) and become an International Laboratory Accreditation Cooperation (ILAC) Mutual Recognition
-PI—Provisional Instructor <br />
-PIEE—Procurement Integrated
-Enterprise Environment
+Arrangement (MRA) signatory, with a signatory status scope of ISO/IEC 17020:2012(E) (incorporated by reference, see § 170.2).
-PII—Personally Identifiable Information <br />
+(2) Be and remain a member in good
-PLC—Programmable Logic Controller <br />
-POA&amp;M—Plan of Action and Milestones <br />
-PRA—Paperwork Reduction Act <br />
-RM—Risk Management <br />
-SAM—System of Award Management <br />
-SC—System and Communications
-Protection
+standing of the International Accreditation Forum (IAF) with mutual recognition arrangement signatory status scope of ISO/IEC 17024:2012(E) (incorporated by reference, see § 170.2).
-SCADA—Supervisory Control and Data
+(3) Achieve and maintain full
-Acquisition
+compliance with ISO/IEC 17011:2017(E) (incorporated by reference, see § 170.2) and complete a peer assessment by other ILAC signatories for competence in accrediting conformity assessment bodies to ISO/IEC 17020:2012(E) (incorporated by reference, see § 170.2), both within 24 months of DoD approval.
-SI—System and Information Integrity <br />
+(i) Prior to achieving full compliance
-SIEM—Security Information and Event
-Management
+as set forth in this paragraph (b)(3), the Accreditation Body shall:
-VerDate Sep&lt;11&gt;2014
+(A) Authorize C3PAOs who meet all
-:51 Oct 11, 2024
+requirements set forth in § 170.9 as well as administrative requirements as determined by the Accreditation Body to conduct Level 2 certification assessments and issue Certificates of CMMC Status to OSCs based on the assessment results.
-Jkt 265001
+(B) Require all C3PAOs to achieve and
-PO 00000
+maintain the ISO/IEC 17020:2012(E) (incorporated by reference, see § 170.2) requirements within 27 months of authorization.
-Frm 00126
+(ii) The Accreditation Body shall
-Fmt 4701
+accredit C3PAOs, in accordance with ISO/IEC 17020:2012(E) (incorporated by reference, see § 170.2), who meet all requirements set forth in § 170.9 to conduct Level 2 certification assessments and issue Certificates of CMMC Status to OSCs based on the results.
-Sfmt 4700
+(4) Ensure that the Accreditation
-E:\FR\FM\15OCR2.SGM
+Body’s Board of Directors, professional staff, Information Technology (IT) staff, accreditation staff, and independent CMMC Certified Assessor staff complete a Tier 3 background investigation resulting in a determination of national security eligibility. This Tier 3 background investigation will not result in a security clearance and is not being executed for the purpose of government employment. The Tier 3 background investigation is initiated using the [http://www.gsa.gov/reference/forms/questionnaire-for-national-security-positions Standard Form (SF) 86 (''www.gsa.gov/ reference/forms/questionnaire-for- national-security-positions'') and ]submitted by DoD CIO Security to Washington Headquarters Services (WHS) for coordination for processing by the Defense Counterintelligence and Security Agency (DCSA). These positions are designated as non-critical sensitive with a risk designation of ‘‘Moderate Risk’’ in accordance with 5 CFR 1400.201(b) and (d) and the
-OCR2
+investigative requirements of 5 CFR 731.106(c)(2).
-khammond on DSKJM1Z7X2PROD with RULES2
+(5) Comply with Foreign Ownership,
+Control or Influence (FOCI) by:
+(i) Completing the Standard Form (SF)
+[http://www.gsa.gov/reference/forms/certificate-pertaining-to-foreign-interests 328 (''www.gsa.gov/reference/forms/ certificate-pertaining-to-foreign- interests''), ]''Certificate Pertaining to Foreign Interests,'' and submit it directly to Defense Counterintelligence and Security Agency (DCSA) and undergo a National Security Review with regards to the protection of controlled unclassified information based on the factors identified in 32 CFR 117.11(b) using the procedures outlined in 32 CFR 117.11(c). The Accreditation Body must receive a non-disqualifying eligibility determination by the CMMC PMO to be recognized by the Department of Defense.
+(ii) Reporting any change to the
+information provided on its SF 328 by resubmitting the SF 328 to DCSA within 15 business days of the change being effective. A disqualifying eligibility determination, based on the results of the change, will result in the Accreditation Body losing its authorization or accreditation under the CMMC Program.
+(iii) Identifying all prospective
-'''83217 '''
+C3PAOs to the CMMC PMO. The CMMC PMO will sponsor the prospective C3PAO for a FOCI risk assessment conducted by the DCSA using the SF 328 as part of the authorization and accreditation processes.
-'''Federal Register '''/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
+(iv) Notifying prospective C3PAOs of
-SP—Special Publication <br />
+the CMMC PMO’s eligibility determination resulting from the FOCI risk assessment.
-SPD—Security Protection Data <br />
-SPRS—Supplier Performance Risk
-System
+(6) Obtain a Level 2 certification
-SSP—System Security Plan
+assessment in accordance with the procedures specified in § 170.17(a)(1) and (c). This assessment, conducted by DCMA DIBCAC, shall meet all requirements for a Final Level 2 (C3PAO) but will not result in a CMMC Status of Level 2 (C3PAO). The Level 2 certification assessment process must be performed every three years.
-(b) ''Definitions. ''Unless otherwise
+(7) Provide all documentation and
-noted, these terms and their definitions <br />
+records in English.
-are for the purposes of this part.
-''Access Control (AC) ''means the
+(8) Establish, maintain, and manage
-process of granting or denying specific <br />
+an up-to-date list of authorized and accredited C3PAOs on a single publicly accessible website and provide the list of these entities and their status to the DoD through submission in the CMMC instantiation of eMASS.
-requests to obtain and use information <br />
-and related information processing <br />
-services; and/or entry to specific <br />
-physical facilities (''e.g., ''Federal <br />
-buildings, military establishments, or <br />
-border crossing entrances), as defined in <br />
-FIPS PUB 201–3 Jan2002 (incorporated <br />
-by reference, see § 170.2).
-''Accreditation ''means a status pursuant
+(9) Provide the CMMC PMO with
-to which a CMMC Assessment and <br />
+current data on C3PAOs, including authorization and accreditation records and status in the CMMC instantiation of eMASS. This data shall include the dates associated with the authorization and accreditation of each C3PAO.
-Certification Ecosystem member (person <br />
-or organization), having met all criteria <br />
-for the specific role they perform <br />
-including required ISO/IEC <br />
-accreditations, may act in that role as set <br />
-forth in § 170.8 for the Accreditation <br />
-Body and § 170.9 for C3PAOs. (CMMC- <br />
-custom term)
-''Accreditation Body ''is defined in
+VerDate Sep&lt;11&gt;2014
-§ 170.8 and means the one organization <br />
+:51 Oct 11, 2024
-DoD contracts with to be responsible for <br />
-authorizing and accrediting members of <br />
-the CMMC Assessment and Certification <br />
-Ecosystem, as required. The <br />
-Accreditation Body must be approved <br />
-by DoD. At any given point in time, <br />
-there will be only one Accreditation <br />
-Body for the DoD CMMC Program. <br />
-(CMMC-custom term)
-''Advanced Persistent Threat (APT) ''
+Jkt 265001
-means an adversary that possesses <br />
+PO 00000
-sophisticated levels of expertise and <br />
-significant resources that allow it to <br />
-create opportunities to achieve its <br />
-objectives by using multiple attack <br />
-vectors (''e.g., ''cyber, physical, and <br />
-deception). These objectives typically <br />
-include establishing and extending <br />
-footholds within the information <br />
-technology infrastructure of the targeted <br />
-organizations for purposes of exfiltrating <br />
-information, undermining or impeding <br />
-critical aspects of a mission, program, or <br />
-organization; or positioning itself to <br />
-carry out these objectives in the future. <br />
-The advanced persistent threat pursues <br />
-its objectives repeatedly over an <br />
-extended period-of-time, adapts to <br />
-defenders’ efforts to resist it, and is <br />
-determined to maintain the level of <br />
-interaction needed to execute its <br />
-objectives, as is defined in NIST SP <br />
-–39 Mar2011 (incorporated by <br />
-reference, see § 170.2).
-''Affirming Official ''means the senior
+Frm 00131
-level representative from within each <br />
+Fmt 4701
-Organization Seeking Assessment (OSA) <br />
-who is responsible for ensuring the
-OSA’s compliance with the CMMC <br />
+Sfmt 4700
-Program requirements and has the <br />
-authority to affirm the OSA’s continuing <br />
-compliance with the specified security <br />
-requirements for their respective <br />
-organizations. (CMMC-custom term)
-''Assessment ''means the testing or
+E:\FR\FM\15OCR2.SGM
-evaluation of security controls to <br />
+OCR2
-determine the extent to which the <br />
-controls are implemented correctly, <br />
-operating as intended, and producing <br />
-the desired outcome with respect to <br />
-meeting the security requirements for an <br />
-information system or organization, as <br />
-defined in §§ 170.15 through 170.18. <br />
-(CMMC-custom term)
-(i) ''Level 1 self-assessment ''is the term
+khammond on DSKJM1Z7X2PROD with RULES2
-for the activity performed by an OSA to <br />
-evaluate its own information system <br />
-when seeking a CMMC Status of Level <br />
-(Self).
-(ii) ''Level 2 self-assessment ''is the term
-for the activity performed by an OSA to <br />
-evaluate its own information system <br />
-when seeking a CMMC Status of Level <br />
-(Self).
-(iii) ''Level 2 certification assessment ''is
-the term for the activity performed by a <br />
-C3PAO to evaluate the information <br />
-system of an OSC when seeking a <br />
-CMMC Status of Level 2 (C3PAO).
-(iv) ''Level 3 certification assessment ''is
-the term for the activity performed by <br />
+'''83222'' '
-the DCMA DIBCAC to evaluate the <br />
-information system of an OSC when <br />
-seeking a CMMC Status of Level 3 <br />
-(DIBCAC).
-(v) ''POA&amp;M closeout self-assessment ''
+'''Federal Register'' '/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
-is the term for the activity performed by <br />
+(10) Provide the DoD with
-an OSA to evaluate only the NOT MET <br />
-requirements that were identified with <br />
-POA&amp;M during the initial assessment, <br />
-when seeking a CMMC Status of Final <br />
-Level 2 (Self).
-(vi) ''POA&amp;M closeout certification ''
+information about aggregate statistics pertaining to operations of the CMMC Ecosystem to include the authorization and accreditation status of C3PAOs or other information as requested.
-''assessment ''is the term for the activity <br />
+(11) Provide inputs for assessor
-performed by a C3PAO or DCMA <br />
-DIBCAC to evaluate only the NOT MET <br />
-requirements that were identified with <br />
-POA&amp;M during the initial assessment, <br />
-when seeking a CMMC Status of Final <br />
-Level 2 (C3PAO) or Final Level 3 <br />
-(DIBCAC) respectively.
-''Assessment Findings Report ''means
+supplemental guidance to the CMMC PMO. Participate and support coordination of these and other inputs through DoD-led Working Groups.
-the final written assessment results by <br />
+(12) Ensure that all information about
-the third-party or government <br />
-assessment team. The Assessment <br />
-Findings Report is submitted to the OSC <br />
-and to the DoD via CMMC eMASS. <br />
-(CMMC-custom term)
-''Assessment objective ''means a set of
+individuals is encrypted and protected in all Accreditation Body information systems and databases.
-determination statements that, taken <br />
+(13) Provide all plans that are related
-together, expresses the desired outcome <br />
-for the assessment of a security <br />
-requirement. Successful implementation <br />
-of the corresponding CMMC security <br />
-requirement requires meeting all <br />
-applicable assessment objectives <br />
-defined in NIST SP 800–171A Jun2018
-(incorporated by reference, see § 170.2) <br />
+to potential sources of revenue, to include but not limited to: fees, licensing, processes, membership, and/ or partnerships to the Department’s CMMC PMO.
-or NIST SP 800–172A Mar2022 <br />
-(incorporated by reference, see § 170.2). <br />
-(CMMC-custom term)
-''Assessment Team ''means participants
+(14) Ensure that the CMMC Assessors
-in the Level 2 certification assessment <br />
+and Instructors Certification Organization (CAICO) is compliant with ISO/IEC 17024:2012(E)
-(CMMC Certified Assessors and CMMC <br />
-Certified Professionals) or the Level 3 <br />
-certification assessment (DCMA <br />
-DIBCAC assessors). This does not <br />
-include the OSC participants preparing <br />
-for or participating in the assessment. <br />
-(CMMC-custom term)
-''Asset ''means an item of value to
+(15) Ensure all training products,
-stakeholders. An asset may be tangible <br />
+instruction, and testing materials are of high quality and subject to CAICO quality control policies and procedures, to include technical accuracy and alignment with all applicable legal, regulatory, and policy requirements.
-(''e.g., ''a physical item such as hardware, <br />
-firmware, computing platform, network <br />
-device, or other technology component) <br />
-or intangible (''e.g., ''humans, data, <br />
-information, software, capability, <br />
-function, service, trademark, copyright, <br />
-patent, intellectual property, image, or <br />
-reputation). The value of an asset is <br />
-determined by stakeholders in <br />
-consideration of loss concerns across <br />
-the entire system life cycle. Such <br />
-concerns include but are not limited to <br />
-business or mission concerns, as <br />
-defined in NIST SP 800–160 V2R1 <br />
-(incorporated by reference, see § 170.2).
-''Asset Categories ''means a grouping of
+(16) Develop and maintain an internal
-assets that process, store or transmit <br />
+appeals process, as required by ISO/IEC 17020:2017(E), and render a final decision on all elevated appeals.
-information of similar designation, or <br />
-provide security protection to those <br />
-assets. (CMMC-custom term)
-''Authentication ''is defined in FIPS
+(17) Develop and maintain a
-PUB 200 Mar2006 (incorporated by <br />
+comprehensive plan and schedule to comply with all ISO/IEC 17011:2017(E), and DoD requirements for Conflict of Interest, Code of Professional Conduct, and Ethics policies as set forth in the DoD contract. All policies shall apply to the Accreditation Body, and other individuals, entities, and groups within the CMMC Ecosystem who provide Level 2 certification assessments, CMMC instruction, CMMC training materials, or Certificates of CMMC Status on behalf of the Accreditation Body. All policies in this section must be approved by the CMMC PMO prior to effectivity in accordance with the following requirements.
-reference, see § 170.2).
-''Authorized ''means an interim status
+(i)'' Conflict of Interest (CoI) policy.''
-during which a CMMC Ecosystem <br />
+The CoI policy shall:
-member (person or organization), having <br />
-met all criteria for the specific role they <br />
-perform other than the required ISO/IEC <br />
-accreditations, may act in that role for <br />
-a specified time as set forth in § 170.8 <br />
-for the Accreditation Body and § 170.9 <br />
-for C3PAOs. (CMMC-custom term)
-''Capability ''means a combination of
+(A) Include a detailed risk mitigation
-mutually reinforcing controls <br />
+plan for all potential conflicts of interest that may pose a risk to compliance with ISO/IEC 17011:2017(E).
-implemented by technical means, <br />
-physical means, and procedural means. <br />
-Such controls are typically selected to <br />
-achieve a common information security <br />
-or privacy purpose, as defined in NIST <br />
-SP 800–37 R2 (incorporated by <br />
-reference, see § 170.2).
-''Cloud Service Provider (CSP) ''means
+(B) Require employees, Board
-an external company that provides <br />
+directors, and members of any accreditation committees or appeals adjudication committees to disclose to the CMMC PMO, in writing, as soon as it is known or reasonably should be known, any actual, potential, or perceived conflict of interest with sufficient detail to allow for assessment.
-cloud services based on cloud <br />
-computing. Cloud computing is a model <br />
-for enabling ubiquitous, convenient, on- <br />
-demand network access to a shared pool <br />
-of configurable computing resources <br />
-(''e.g., ''networks, servers, storage, <br />
-applications, and services) that can be <br />
-rapidly provisioned and released with <br />
-minimal management effort or service <br />
-provider interaction. This definition is <br />
-based on the definition for cloud
-VerDate Sep&lt;11&gt;2014
+(C) Require employees, Board
-:51 Oct 11, 2024
+directors, and members of any accreditation committees or appeals adjudication committees who leave the board or organization to enter a ‘‘cooling off period’’ of one (1) year whereby they are prohibited from working with the Accreditation Body or participating in any and all CMMC activities described in Subpart C.
-Jkt 265001
+(D) Require CMMC Ecosystem
-PO 00000
+members to actively avoid participating in any activity, practice, or transaction that could result in an actual or perceived conflict of interest.
-Frm 00127
+(E) Require CMMC Ecosystem
-Fmt 4701
+members to disclose to Accreditation Body leadership, in writing, any actual or potential conflict of interest as soon as it is known, or reasonably should be known.
-Sfmt 4700
+(ii)'' Code of Professional Conduct''
-E:\FR\FM\15OCR2.SGM
+''(CoPC) policy.'' The CoPC policy shall:
-OCR2
+(A) Describe the performance
-khammond on DSKJM1Z7X2PROD with RULES2
+standards by which the members of the CMMC Ecosystem will be held accountable and the procedures for addressing violations of those performance standards.
+(B) Require the Accreditation Body to
+investigate and resolve any potential violations that are reported or are identified by the DoD.
+(C) Require the Accreditation Body to
+inform the DoD in writing of new investigations within 72 hours.
+(D) Require the Accreditation Body to
+report to the DoD in writing the outcome of completed investigations within 15 business days.
-'''83218 '''
+(E) Require CMMC Ecosystem
-'''Federal Register '''/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
+members to represent themselves and their companies accurately; to include not misrepresenting any professional credentials or status, including CMMC authorization or CMMC Status, nor exaggerating the services that they or their company are capable or authorized to deliver.
-computing in NIST SP 800–145 <br />
+(F) Require CMMC Ecosystem
-Sept2011. (CMMC-custom term)
-''CMMC Assessment and Certification ''
+members to be honest and factual in all CMMC-related activities with colleagues, clients, trainees, and others with whom they interact.
-''Ecosystem ''means the people and <br />
+(G) Prohibit CMMC Ecosystem
-organizations described in subpart C of <br />
-this part. This term is sometimes <br />
-shortened to CMMC Ecosystem. <br />
-(CMMC-custom term)
-''CMMC Assessment Scope ''means the
+members from participating in the Level 2 certification assessment process for an assessment in which they previously served as a consultant to prepare the organization for any CMMC assessment within 3 years.
-set of all assets in the OSA’s <br />
+(H) Require CMMC Ecosystem
-environment that will be assessed <br />
-against CMMC security requirements. <br />
-(CMMC-custom term)
-''CMMC Assessor and Instructor ''
+members to maintain the confidentiality of customer and government data to preclude unauthorized disclosure.
-''Certification Organization (CAICO) ''is <br />
+(I) Require CMMC Ecosystem
-defined in § 170.10 and means the <br />
-organization responsible for training, <br />
-testing, authorizing, certifying, and <br />
-recertifying CMMC certified assessors, <br />
-certified instructors, and certified <br />
-professionals. (CMMC-custom term)
-''CMMC Instantiation of eMASS ''means
+members to report results and data from Level 2 certification assessments and
-a CMMC instance of the Enterprise <br />
+training objectively, completely, clearly, and accurately.
-Mission Assurance Support Service <br />
-(eMASS), a government owned and <br />
-operated system. (CMMC-custom term)
-''CMMC Security Requirements ''means
+(J) Prohibit CMMC Ecosystem
-the 15 Level 1 requirements listed in the <br />
+members from cheating, assisting another in cheating, or allowing cheating on CMMC examinations.
-CFR 52.204–21(b)(1), the 110 Level 2 <br />
-requirements from NIST SP 800–171 R2 <br />
-(incorporated by reference, see § 170.2), <br />
-and the 24 Level 3 requirements <br />
-selected from NIST SP 800–172 Feb2021 <br />
-(incorporated by reference, see § 170.2).
-''CMMC Status ''is the result of meeting
+(K) Require CMMC Ecosystem
-or exceeding the minimum required <br />
+members to utilize official training content developed by a CMMC training organization approved by the CAICO in all CMMC certification courses.
-score for the corresponding assessment. <br />
-The CMMC Status of an OSA <br />
-information system is officially stored in <br />
-SPRS and additionally presented on a <br />
-Certificate of CMMC Status, if the <br />
-assessment was conducted by a C3PAO <br />
-or DCMA DIBCAC. The potential CMMC <br />
-Statuses are outlined in the paragraphs <br />
-that follow. (CMMC-custom term)
-(i) ''Final Level 1 (Self) ''is defined in
+(iii)'' Ethics policy.'' The Ethics policy
-§ 170.15(a)(1) and (c)(1). (CMMC-custom <br />
+shall:
-term)
-(ii) ''Conditional Level 2 (Self) ''is
+(A) Require CMMC Ecosystem
-defined in § 170.16(a)(1)(ii). (CMMC- <br />
+members to report to the Accreditation Body within 30 days of convictions, guilty pleas, or no contest pleas to crimes of fraud, larceny, embezzlement, misappropriation of funds, misrepresentation, perjury, false swearing, conspiracy to conceal, or a similar offense in any legal proceeding, civil or criminal, whether or not in connection with activities that relate to carrying out their role in the CMMC Ecosystem.
-custom term)
-(iii) ''Final Level 2 (Self) ''is defined in
+(B) Prohibit harassment or
-§ 170.16(a)(1)(iii). (CMMC-custom term)
+discrimination by CMMC Ecosystem members in all interactions with individuals whom they encounter in connection with their roles in the CMMC Ecosystem.
-(iv) ''Conditional Level 2 (C3PAO) ''is
+(C) Require CMMC Ecosystem
-defined in § 170.17(a)(1)(ii). (CMMC- <br />
+members to have and maintain a satisfactory record of integrity and business ethics.
-custom term)
-(v) ''Final Level 2 (C3PAO) ''is defined
+'''§ 170.9'''
-in § 170.17(a)(1)(iii). (CMMC-custom <br />
+'''CMMC Third-Party Assessment'' '
-term)
-(vi) ''Conditional Level 3 (DIBCAC) ''is
+'''Organizations (C3PAOs).'' '
-defined in § 170.18(a)(1)(ii). (CMMC- <br />
+(a)'' Roles and responsibilities.'' C3PAOs
-custom term)
-(vii) ''Final Level 3 (DIBCAC) ''is defined
+are organizations that are responsible for conducting Level 2 certification assessments and issuing Certificates of CMMC Status to OSCs based on the results. C3PAOs must be accredited or authorized by the Accreditation Body in accordance with the requirements set forth.
-in § 170.18(a)(1)(iii). (CMMC-custom <br />
+(b)'' Requirements.'' C3PAOs shall: (1) Obtain authorization or
-term)
-''CMMC Status Date ''means the date
+accreditation from the Accreditation Body in accordance with § 170.8(b)(3)(i) and (ii).
-that the CMMC Status results are <br />
+(2) Comply with the Accreditation
-submitted to SPRS or the CMMC <br />
-instantiation of eMASS, as appropriate.
-The date of the Conditional CMMC <br />
+Body policies for Conflict of Interest, Code of Professional Conduct, and Ethics set forth in § 170.8(b)(17); and achieve and maintain compliance with ISO/IEC 17020:2012(E) (incorporated by reference, see § 170.2) within 27 months of authorization.
-Status will remain as the CMMC Status <br />
-Date after a successful POA&amp;M closeout. <br />
-A new date is not set for a Final that <br />
-follows a Conditional. (CMMC-custom <br />
-term)
-''CMMC Third-Party Assessment ''
+(3) Require all C3PAO company
-''Organization (C3PAO) ''means an <br />
+personnel participating in the Level 2 certification assessment process to complete a Tier 3 background investigation resulting in a determination of national security eligibility. This includes the CMMC Assessment Team and the quality
-organization that has been authorized or <br />
-accredited by the Accreditation Body to <br />
-conduct Level 2 certification <br />
-assessments and has the roles and <br />
-responsibilities identified in § 170.9. <br />
-(CMMC-custom term)
-''Contractor ''is defined in 48 CFR
+VerDate Sep&lt;11&gt;2014
-.502–1.
+:51 Oct 11, 2024
-''Contractor Risk Managed Assets ''are
+Jkt 265001
-defined in table 3 to § 170.19(c)(1). <br />
+PO 00000
-(CMMC-custom term)
-''Controlled Unclassified Information ''
+Frm 00132
-''(CUI) ''is defined in 32 CFR 2002.4(h).
+Fmt 4701
-''Controlled Unclassified Information ''
+Sfmt 4700
-''(CUI) Assets ''means assets that can <br />
+E:\FR\FM\15OCR2.SGM
-process, store, or transmit CUI. (CMMC- <br />
-custom term)
-''DCMA DIBCAC High Assessment ''
+OCR2
-means an assessment that is conducted <br />
+khammond on DSKJM1Z7X2PROD with RULES2
-by Government personnel in accordance <br />
-with NIST SP 800–171A Jun2018 and <br />
-leveraging specific guidance in the DoD <br />
-Assessment Methodology that:
-(i) Consists of: <br />
-(A) A review of a contractor’s Basic
-Assessment;
-(B) A thorough document review; <br />
-(C) Verification, examination, and
-demonstration of a contractor’s system <br />
-security plan to validate that NIST SP <br />
-–171 R2 security requirements have <br />
-been implemented as described in the <br />
-contractor’s system security plan; and
-(D) Discussions with the contractor to
-obtain additional information or <br />
-clarification, as needed; and
-(ii) Results in a confidence level of
+'''83223'' '
-‘‘High’’ in the resulting score. (Source: <br />
+'''Federal Register'' '/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
-CFR 252.204–7020).
-''Defense Industrial Base (DIB) ''is
+assurance individual. This Tier 3 background investigation will not result in a security clearance and is not being executed for the purpose of government employment. The Tier 3 background investigation is initiated using the Standard Form (SF) 86 ([http://www.gsa.gov/reference/forms/questionnaire-for-national-security-positions'' www.gsa.gov/ reference/forms/questionnaire-for- national-security-positions''). These ]positions are designated as non-critical sensitive with a risk designation of ‘‘Moderate Risk’’ in accordance with 5 CFR 1400.201(b) and (d) and the investigative requirements of 5 CFR 731.106(c)(2).
-defined in 32 CFR 236.2.
+(4) Require all C3PAO company
-''DoD Assessment Methodology ''
+personnel participating in the Level 2 certification assessment process who are not eligible to obtain a Tier 3 background investigation to meet the equivalent of a favorably adjudicated Tier 3 background investigation. DoD will determine the Tier 3 background investigation equivalence for use with the CMMC Program only.
-''(DoDAM) ''documents a standard <br />
+(5) Comply with Foreign Ownership,
-methodology that enables a strategic <br />
-assessment of a contractor’s <br />
-implementation of NIST SP 800–171 R2, <br />
-a requirement for compliance with 48 <br />
-CFR 252.204–7012. (Source: DoDAM <br />
-Version 1.2.1)
-''Enduring Exception ''means a special
+Control or Influence (FOCI) by:
-circumstance or system where <br />
+(i) Completing and submitting
-remediation and full compliance with <br />
-CMMC ''s''ecurity ''r''equirements is not <br />
-feasible. Examples include systems <br />
-required to replicate the configuration of <br />
-‘fielded’ systems, medical devices, test <br />
-equipment, OT, and IoT. No operational <br />
-plan of action is required but the <br />
-circumstance must be documented <br />
-within a system security plan. <br />
-Specialized Assets and GFE may be
-enduring exceptions. (CMMC-custom <br />
+[http://www.gsa.gov/reference/forms/certificate-pertaining-to-foreign-interests Standard Form (SF) 328 (''www.gsa.gov/ reference/forms/certificate-pertaining- to-foreign-interests''),'' Certificate'' ]''Pertaining to Foreign Interests,'' upon request from DCSA and undergo a National Security Review with regards to the protection of controlled unclassified information based on the factors identified in 32 CFR 117.11(b) using the procedures outlined in 32 CFR 117.11(c).
-term)
-''Enterprise ''means an organization
+(ii) Receiving a non-disqualifying
-with a defined mission/goal and a <br />
+eligibility determination from the CMMC PMO resulting from the FOCI risk assessment in order to proceed to a DCMA DIBCAC CMMC Level 2 assessment, as part of the authorization and accreditation process set forth in paragraph (b)(6) of this section.
-defined boundary, using information <br />
-systems to execute that mission, and <br />
-with responsibility for managing its own <br />
-risks and performance. An enterprise <br />
-may consist of all or some of the <br />
-following business aspects: acquisition, <br />
-program management, financial <br />
-management (''e.g., ''budgets), human <br />
-resources, security, and information <br />
-systems, information and mission <br />
-management, as defined in NIST SP <br />
-–53 R5 (incorporated by reference, <br />
-see § 170.2).
-''External Service Provider (ESP) ''means
+(iii) Reporting any change to the
-external people, technology, or facilities <br />
+information provided on its SF 328 by resubmitting the SF 328 to DCSA within 15 business days of the change being effective. A disqualifying eligibility determination, based on the results of the change, will result in the C3PAO losing its authorization or accreditation.
-that an organization utilizes for <br />
-provision and management of IT and/or <br />
-cybersecurity services on behalf of the <br />
-organization. In the CMMC Program, <br />
-CUI or Security Protection Data (''e.g., ''log <br />
-data, configuration data), must be <br />
-processed, stored, or transmitted on the <br />
-ESP assets to be considered an ESP. <br />
-(CMMC-custom term)
-''Federal Contract Information (FCI) ''is
+(6) Undergo a Level 2 certification
-defined in 48 CFR 4.1901.
+assessment meeting all requirements for a Final Level 2 (C3PAO) in accordance with the procedures specified in § 170.17(a)(1) and (c), with the following exceptions:
-''Government Furnished Equipment ''
+(i) The assessment will be conducted
-''(GFE) ''has the same meaning as <br />
+by DCMA DIBCAC.
-‘‘government-furnished property’’ as <br />
-defined in 48 CFR 45.101.
-''Industrial Control Systems (ICS) ''
+(ii) The assessment will not result in
-means a general term that encompasses <br />
+a CMMC Status of Level 2 (C3PAO) nor receive a Certificate of CMMC Status.
-several types of control systems, <br />
-including supervisory control and data <br />
-acquisition (SCADA) systems, <br />
-distributed control systems (DCS), and <br />
-other control system configurations that <br />
-are often found in the industrial sectors <br />
-and critical infrastructures, such as <br />
-Programmable Logic Controllers (PLC). <br />
-An ICS consists of combinations of <br />
-control components (''e.g., ''electrical, <br />
-mechanical, hydraulic, pneumatic) that <br />
-act together to achieve an industrial <br />
-objective (''e.g., ''manufacturing, <br />
-transportation of matter or energy), as <br />
-defined in NIST SP 800–82r3 <br />
-(incorporated by reference, see § 170.2).
-''Information System (IS) ''is defined in
+(7) Provide all documentation and
-NIST SP 800–171 R2 (incorporated by <br />
+records in English.
-reference, see § 170.2).
-''Internet of Things (IoT) ''means the
+(8) Submit pre-assessment and
-network of devices that contain the <br />
+planning material, final assessment reports, and CMMC certificates of assessment into the CMMC instantiation of eMASS.
-hardware, software, firmware, and <br />
-actuators which allow the devices to <br />
-connect, interact, and freely exchange <br />
-data and information, as defined in <br />
-NIST SP 800–172A Mar2022 <br />
-(incorporated by reference, see § 170.2).
-''Operational plan of action ''as used in
+(9) Unless disposition is otherwise
-security requirement CA.L2–3.12.2, <br />
+authorized by the CMMC PMO, maintain all assessment related records for a period of six (6) years. Such records include any materials generated by the C3PAO in the course of an assessment, any working papers generated from Level 2 certification assessments; and materials relating to monitoring, education, training, technical knowledge, skills, experience, and authorization of all personnel involved in assessment activities; contractual agreements with OSCs; and organizations for whom consulting services were provided.
-means the formal artifact which <br />
-identifies temporary vulnerabilities and <br />
-temporary deficiencies (''e.g., ''necessary <br />
-information system updates, patches, or
-VerDate Sep&lt;11&gt;2014
+(10) Provide any requested audit
-:51 Oct 11, 2024
+information, including any out-of-cycle from ISO/IEC 17020:2012(E) requirements, to the Accreditation Body.
-Jkt 265001
+(11) Ensure that all personally
-PO 00000
+identifiable information (PII) is encrypted and protected in all C3PAO information systems and databases.
-Frm 00128
+(12) Meet the requirements for
-Fmt 4701
+Assessment Team composition. An Assessment Team must include at least two people: a Lead CCA, as defined in § 170.11(b)(10), and at least one other CCA. Additional CCAs and CCPs may also participate on an Assessment Team.
-Sfmt 4700
+(13) Implement a quality assurance
-E:\FR\FM\15OCR2.SGM
+function that ensures the accuracy and completeness of assessment data prior to upload into the CMMC instantiation of eMASS. Any individual fulfilling the quality assurance function must be a CCA and cannot be a member of an Assessment Team for which they are performing a quality assurance role. A quality assurance individual shall manage the C3PAO’s quality assurance reviews as defined in paragraph (b)(14) of this section and the appeals process as required by paragraphs (b)(19) and (20) of this section and in accordance with ISO/IEC 17020:2012(E) (incorporated by reference, see § 170.2) and ISO/IEC 17011:2017(E) (incorporated by reference, see § 170.2).
-OCR2
+(14) Conduct quality assurance
-khammond on DSKJM1Z7X2PROD with RULES2
+reviews for each assessment, including observations of the Assessment Team’s conduct and management of CMMC assessment processes.
+(15) Ensure that all Level 2
+certification assessment activities are performed on the information system within the CMMC Assessment Scope.
+(16) Maintain all facilities, personnel,
+and equipment involved in CMMC activities that are in scope of their Level 2 certification assessment and comply
+with all security requirements and procedures as prescribed by the Accreditation Body.
+(17) Ensure that all assessment data
-'''83219 '''
+and information uploaded into the CMMC instantiation of eMASS assessment data is compliant with the CMMC assessment data standard as set forth in eMASS CMMC Assessment Import Templates on the CMMC eMASS [https://cmmc.emass.apps.mil website:'' https://cmmc.emass.apps.mil''. ]This system is accessible only to authorized users.
-'''Federal Register '''/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
+(18) Issue Certificates of CMMC Status
-reconfiguration as threats evolve) in <br />
+to OSCs in accordance with the Level 2 certification assessment requirements set forth in § 170.17, that include, at a minimum, all industry CAGE codes associated with the information systems addressed by the CMMC Assessment Scope, the C3PAO name, assessment unique identifier, the OSC name, and the CMMC Status date and level.
-implementation of requirements and <br />
-documents how they will be mitigated, <br />
-corrected, or eliminated. The OSA <br />
-defines the format (''e.g., ''document, <br />
-spreadsheet, database) and specific <br />
-content of its operational plan of action. <br />
-An operational plan of action does not <br />
-identify a timeline for remediation and <br />
-is not the same as a POA&amp;M, which is <br />
-associated with an assessment for <br />
-remediation of deficiencies that must be <br />
-completed within 180 days. (CMMC- <br />
-custom term)
-''Operational Technology (OT) ''means
+(19) Address all OSC appeals arising
-programmable systems or devices that <br />
+from Level 2 certification assessment activities. If the OSC or C3PAO is not satisfied with the result of the appeal either the OSC or the C3PAO can elevate the matter to the Accreditation Body for final determination.
-interact with the physical environment <br />
-(or manage devices that interact with <br />
-the physical environment). These <br />
-systems or devices detect or cause a <br />
-direct change through the monitoring or <br />
-control of devices, processes, and <br />
-events. Examples include industrial <br />
-control systems, building management <br />
-systems, fire control systems, and <br />
-physical access control mechanisms, as <br />
-defined in NIST SP 800–160 V2R1 <br />
-(incorporated by reference, see § 170.2).
-''Organization-defined ''means as
+(20) Submit assessment appeals,
-determined by the OSA except as <br />
+review records, and decision results of assessment appeals to DoD using the CMMC instantiation of eMASS.
-defined in the case of Organization- <br />
-Defined Parameter (ODP). (CMMC- <br />
-custom term)
-''Organization-Defined Parameters ''
+'''§ 170.10'''
-''(ODPs) ''means selected enhanced <br />
+'''CMMC Assessor and Instructor'' '
-security requirements contain selection <br />
-and assignment operations to give <br />
-organizations flexibility in defining <br />
-variable parts of those requirements, as <br />
-defined in NIST SP 800–172A Mar2022 <br />
-(incorporated by reference, see § 170.2).
-''Note 1 to ODPs: ''The organization
+'''Certification Organization (CAICO).'' '
-defining the parameters is the DoD.
+(a)'' Roles and responsibilities.'' The
-''Organization Seeking Assessment ''
+CAICO is responsible for training, testing, authorizing, certifying, and recertifying CMMC assessors, instructors, and related professionals. Only the CAICO may make decisions relating to examination certifications, including the granting, maintaining, recertifying, expanding, and reducing the scope of certification, and suspending or withdrawing certification in accordance with current ISO/IEC 17024:2012(E) (incorporated by reference, see § 170.2). At any given point in time, there will be only one CAICO for the DoD CMMC Program.
-''(OSA) ''means the entity seeking to <br />
+(b)'' Requirements.'' The CAICO shall: (1) Comply with the Accreditation
-undergo a self-assessment or <br />
-certification assessment for a given <br />
-information system for the purposes of <br />
-achieving and maintaining any CMMC <br />
-Status. The term OSA includes all <br />
-Organizations Seeking Certification <br />
-(OSCs). (CMMC-custom term)
-''Organization Seeking Certification ''
+Body policies for Conflict of Interest, Code of Professional Conduct, and Ethics set forth in § 170.8(b)(17); and achieve and maintain ISO/IEC 17024(E) accreditation within 12 months of December 16, 2024.
-''(OSC) ''means the entity seeking to <br />
+(2) Provide all documentation and
-undergo a certification assessment for a <br />
-given information system for the <br />
-purposes of achieving and maintaining <br />
-the CMMC Status of Level 2 (C3PAO) or <br />
-Level 3 (DIBCAC). An OSC is also an <br />
-OSA. (CMMC-custom term)
-''Out-of-Scope Assets ''means assets that
+records in English.
-cannot process, store, or transmit CUI <br />
+(3) Train, test, and designate PIs in
-because they are physically or logically <br />
-separated from information systems that <br />
-do process, store, or transmit CUI, or are <br />
-inherently unable to do so; except for <br />
-assets that provide security protection <br />
-for a CUI asset (see the definition for
-''Security Protection Assets''). (CMMC- <br />
+accordance with the requirements of this section. Train, test, certify, and recertify CCPs, CCAs, and CCIs in accordance with the requirements of this section.
-custom term)
-''Periodically ''means occurring at a
+VerDate Sep&lt;11&gt;2014
-regular interval as determined by the <br />
+:51 Oct 11, 2024
-OSA that may not exceed one year. <br />
-(CMMC-custom term)
-''Personally Identifiable Information ''
+Jkt 265001
-means information that can be used to <br />
+PO 00000
-distinguish or trace an individual’s <br />
-identity, either alone or when combined <br />
-with other information that is linked or <br />
-linkable to a specific individual, as <br />
-defined in NIST SP 800–53 R5 <br />
-(incorporated by reference, see § 170.2).
-''Plan of Action and Milestones ''
+Frm 00133
-''(POA&amp;M) ''means a document that <br />
+Fmt 4701
-identifies tasks needing to be <br />
-accomplished. It details resources <br />
-required to accomplish the elements of <br />
-the plan, any milestones in meeting the <br />
-tasks, and scheduled completion dates <br />
-for the milestones, as defined in NIST <br />
-SP 800–115 Sept2008 (incorporated by <br />
-reference, see § 170.2).
-''Prime Contractor ''is defined in 48 CFR
+Sfmt 4700
-.502–1.
+E:\FR\FM\15OCR2.SGM
-''Process, store, or transmit ''means data
+OCR2
-can be used by an asset (''e.g., ''accessed, <br />
+khammond on DSKJM1Z7X2PROD with RULES2
-entered, edited, generated, manipulated, <br />
-or printed); data is inactive or at rest on <br />
-an asset (''e.g., ''located on electronic <br />
-media, in system component memory, <br />
-or in physical format such as paper <br />
-documents); or data is being transferred <br />
-from one asset to another asset (''e.g., <br />
-''data in transit using physical or digital <br />
-transport methods). (CMMC-custom <br />
-term)
-''Restricted Information Systems ''means
-systems (and associated IT components <br />
-comprising the system) that are <br />
-configured based on government <br />
-requirements (''e.g., ''connected to <br />
-something that was required to support <br />
-a functional requirement) and are used <br />
-to support a contract (''e.g., ''fielded <br />
-systems, obsolete systems, and product <br />
-deliverable replicas). (CMMC-custom <br />
-term)
-''Risk ''means a measure of the extent to
-which an entity is threatened by a <br />
-potential circumstance or event, and is <br />
-typically a function of:
-(i) The adverse impacts that would
-arise if the circumstance or event <br />
-occurs; and
-(ii) The likelihood of occurrence, as
+'''83224'' '
-defined in NIST SP 800–53 R5 <br />
+'''Federal Register'' '/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
-(incorporated by reference, see § 170.2).
-''Risk Assessment ''means the process of
+(4) Ensure the instructor and assessor
-identifying risks to organizational <br />
+certification examinations are certified under ISO/IEC 17024:2012(E) (incorporated by reference, see § 170.2), by a recognized US-based accreditor who is not a member of the CMMC Accreditation Body. The US-based accreditor must be a signatory to International Laboratory Accreditation Cooperation (ILAC) or relevant International Accreditation Forum (IAF) Mutual Recognition Arrangement (MRA) and must operate in accordance with ISO/IEC 17011:2017(E) (incorporated by reference, see § 170.2).
-operations (including mission, <br />
-functions, image, reputation), <br />
-organizational assets, individuals, other <br />
-organizations, and the Nation, resulting <br />
-from the operation of a system. Risk <br />
-Assessment is part of risk management, <br />
-incorporates threat and vulnerability <br />
-analyses, and considers mitigations
-provided by security controls planned <br />
+(5) Establish quality control policies
-or in place. Synonymous with risk <br />
-analysis, as defined in NIST SP 800–39 <br />
-Mar2011 (incorporated by reference, see <br />
-§ 170.2).
-''Security Protection Assets (SPA) ''
+and procedures for the generation of training products, instruction, and testing materials.
-means assets providing security <br />
+(6) Oversee development,
-functions or capabilities for the OSA’s <br />
-CMMC Assessment Scope. (CMMC- <br />
-custom term)
-''Security Protection Data (SPD) ''means
+administration, and management pertaining to the quality of training and examination materials for CMMC assessor and instructor certification and recertification.
-data stored or processed by Security <br />
+(7) Establish and publish an
-Protection Assets (SPA) that are used to <br />
-protect an OSC’s assessed environment. <br />
-SPD is security relevant information and <br />
-includes but is not limited to: <br />
-configuration data required to operate <br />
-an SPA, log files generated by or <br />
-ingested by an SPA, data related to the <br />
-configuration or vulnerability status of <br />
-in-scope assets, and passwords that <br />
-grant access to the in-scope <br />
-environment. (CMMC-custom term)
-''Specialized Assets ''means types of
+authorization and certification appeals process to receive, evaluate, and make decisions on complaints and appeals in accordance with ISO/IEC 17024:2012(E) (incorporated by reference, see § 170.2).
-assets considered specialized assets for <br />
+(8) Address all appeals arising from
-CMMC: Government Furnished <br />
-Equipment, Internet of Things (IoT) or <br />
-Industrial Internet of Things (IIoT), <br />
-Operational Technology (OT), Restricted <br />
-Information Systems, and Test <br />
-Equipment. (CMMC-custom term)
-''Subcontractor ''is defined in 48 CFR
+the CCA, CCI, and CCP authorizations and certifications process through use of internal processes in accordance with ISO/IEC 17024:2012(E) (incorporated by reference, see § 170.2).
-.502–1.
+(9) Maintain records for a period of
-''Supervisory Control and Data ''
+six (6) years of all procedures, processes, and actions related to fulfillment of the requirements set forth in this section and provide the Accreditation Body access to those records.
-''Acquisition (SCADA) ''means a generic <br />
+(10) Provide the Accreditation Body
-name for a computerized system that is <br />
-capable of gathering and processing data <br />
-and applying operational controls over <br />
-long distances. Typical uses include <br />
-power transmission and distribution <br />
-and pipeline systems. SCADA was <br />
-designed for the unique communication <br />
-challenges (''e.g., ''delays, data integrity) <br />
-posed by the various media that must be <br />
-used, such as phone lines, microwave, <br />
-and satellite. Usually shared rather than <br />
-dedicated, as defined in NIST SP 800– <br />
-r3 (incorporated by reference, see <br />
-§ 170.2).
-''System Security Plan (SSP) ''means the
+information about the authorization and accreditation status of assessors, instructors, training community, and publishing partners.
-formal document that provides an <br />
+(11) Ensure separation of duties
-overview of the security requirements <br />
-for an information system or an <br />
-information security program and <br />
-describes the security controls in place <br />
-or planned for meeting those <br />
-requirements. The system security plan <br />
-describes the system components that <br />
-are included within the system, the <br />
-environment in which the system <br />
-operates, how the security requirements <br />
-are implemented, and the relationships <br />
-with or connections to other systems, as <br />
-defined in NIST SP 800–53 R5 <br />
-(incorporated by reference, see § 170.2).
-''Temporary deficiency ''means a
+between individuals involved in testing activities, training activities, and certification activities.
-condition where remediation of a <br />
+(12) Safeguard and require any CAICO
-discovered deficiency is feasible, and a <br />
-known fix is available or is in process.
-VerDate Sep&lt;11&gt;2014
+training support service providers, as applicable, to safeguard the confidentiality of applicant, candidate, and certificate-holder information and ensure the overall security of the certification process.
-:51 Oct 11, 2024
+(13) Ensure that all PII is encrypted
-Jkt 265001
+and protected in all CAICO information systems and databases and those of any CAICO training support service providers.
-PO 00000
+(14) Ensure the security of assessor
-Frm 00129
+and instructor examinations and the fair and credible administration of examinations.
-Fmt 4701
+(15) Neither disclose nor allow any
-Sfmt 4700
+CAICO training support service providers, as applicable, to disclose CMMC data or metrics related to authorization or certification activities to any entity other than the Accreditation Body and DoD, except as required by law.
-E:\FR\FM\15OCR2.SGM
+(16) Require retraining and
-OCR2
+redesignation of PIs upon significant change to DoD’s CMMC Program requirements. Require retraining and recertification of CCPs, CCAs, and CCIs upon significant change to DoD’s CMMC Program requirements, as determined by the DoD or the CAICO.
-khammond on DSKJM1Z7X2PROD with RULES2
+(17) Require CMMC Ecosystem
+members to report to the CAICO within 30 days of convictions, guilty pleas, or no contest pleas to crimes of fraud, larceny, embezzlement, misappropriation of funds, misrepresentation, perjury, false swearing, conspiracy to conceal, or a similar offense in any legal proceeding, civil or criminal, whether or not in connection with activities that relate to carrying out their role in the CMMC Ecosystem.
+'''§ 170.11'''
+'''CMMC Certified Assessor (CCA).'' '
+(a)'' Roles and responsibilities.'' CCAs,
+in support of a C3PAO, conduct Level 2 certification assessments of OSCs in accordance with NIST SP 800–171A Jun2018 (incorporated by reference, see § 170.2), the assessment processes defined in § 170.17, and the scoping requirements defined in § 170.19(c). CCAs must meet all of the requirements set forth in paragraph (b) of this section. A CCA may conduct Level 2 certification assessments and participate on a C3PAO Assessment Team.
+(b)'' Requirements.'' CCAs shall: (1) Obtain and maintain certification
-'''83220 '''
+from the CAICO in accordance with the requirements set forth in § 170.10. Certification is valid for 3 years from the date of issuance.
-'''Federal Register '''/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
+(2) Comply with the Accreditation
-The deficiency must be documented in <br />
+Body policies for Conflict of Interest, Code of Professional Conduct, and Ethics set forth in § 170.8(b)(17).
-an operational plan of action. A <br />
-temporary deficiency is not based on an <br />
-‘in progress’ initial implementation of a <br />
-CMMC security requirement but arises <br />
-after implementation. A temporary <br />
-deficiency may apply during the initial <br />
-implementation of a security <br />
-requirement if, during roll-out, specific <br />
-issues with a very limited subset of <br />
-equipment is discovered that must be <br />
-separately addressed. There is no <br />
-standard duration for which a <br />
-temporary deficiency may be active. For <br />
-example, FIPS-validated cryptography <br />
-that requires a patch and the patched <br />
-version is no longer the validated <br />
-version may be a temporary deficiency. <br />
-(CMMC-custom term)
-''Test Equipment ''means hardware and/
+(3) Complete a Tier 3 background
-or associated IT components used in the <br />
+investigation resulting in a determination of national security eligibility. This Tier 3 background investigation will not result in a security clearance and is not being executed for the purpose of government employment. The Tier 3 background investigation is initiated using the Standard Form (SF) [http://www.gsa.gov/reference/forms/questionnaire-for-national-security-positions 86 (''www.gsa.gov/reference/forms/ questionnaire-for-national-security- positions''). These positions are ]designated as non-critical sensitive with a risk designation of ‘‘Moderate Risk’’ in accordance with 5 CFR 1400.201(b) and
-testing of products, system components, <br />
-and contract deliverables. (CMMC- <br />
-custom term)
-''User ''means an individual, or (system)
+(d) and the investigative requirements of 5 CFR 731.106(c)(2).
-process acting on behalf of an <br />
+(4) Meet the equivalent of a favorably
-individual, authorized to access a <br />
-system, as defined in NIST SP 800–53 <br />
-R5 (incorporated by reference, see <br />
-§ 170.2).
-'''§ 170.5'''
+adjudicated Tier 3 background investigation when not eligible for a Tier 3 background investigation. DoD will determine the Tier 3 background investigation equivalence for use with the CMMC Program only.
-'''Policy. '''
+(5) Provide all documentation and
-(a) Protection of FCI and CUI on
+records in English.
-contractor information systems is of <br />
+(6) Be a CCP who has at least 3 years
-paramount importance to the DoD and <br />
-can directly impact its ability to <br />
-successfully conduct essential missions <br />
-and functions. It is DoD policy that <br />
-defense contractors and subcontractors <br />
-shall be required to safeguard FCI and <br />
-CUI that is processed, stored, or <br />
-transmitted on contractor information <br />
-systems by applying specified security <br />
-requirements. In addition, defense <br />
-contractors and subcontractors may be <br />
-required to implement additional <br />
-safeguards defined in NIST SP 800–172 <br />
-Feb2021 (incorporated by reference, see <br />
-§ 170.2), implementing DoD specified <br />
-parameters to meet CMMC Level 3 <br />
-security requirements (see table 1 to <br />
-§ 170.14(c)(4)). These additional <br />
-requirements are necessary to protect <br />
-CUI being processed, stored, or <br />
-transmitted in contractor information <br />
-systems, when designated by a <br />
-requirement for CMMC Status of Level <br />
-(DIBCAC) as defined by a DoD <br />
-program manager or requiring activity. <br />
-In general, the Department will identify <br />
-a requirement for a CMMC Status of <br />
-Level 3 (DIBCAC) for solicitations and <br />
-resulting contracts supporting its most <br />
-critical programs and technologies.
-(b) Program managers and requiring
+of cybersecurity experience, at least 1 year of assessment or audit experience, and at least one foundational qualification, aligned to at least the Intermediate Proficiency Level of the DoD Cyberspace Workforce Framework’s Security Control Assessor (612) Work Role, from DoD Manual 8140.03,'' Cyberspace Workforce Qualification and Management Program'' [https://dodcio.defense.gov/Portals/0/Documents/Library/DoDM-8140-03.pdf (''https://dodcio.defense.gov/Portals/0/ Documents/Library/DoDM-8140-03.pdf''). ]Information on the Work Role 612 can [https://public.cyber.mil/dcwf-work-role/security-control-assessor/ be found at'' https://public.cyber.mil/ dcwf-work-role/security-control- assessor/''. ]
-activities are responsible for identifying <br />
+(7) Only use IT, cloud, cybersecurity
-the CMMC Status that will apply to a <br />
-procurement. Selection of the applicable
-CMMC Status will be based on factors <br />
+services, and end-point devices provided by the authorized/accredited C3PAO that has been engaged to perform that OSA’s Level 2 certification assessment and which has undergone a Level 2 certification assessment by DCMA DIBCAC (or higher) for all assessment activities. Individual assessors are prohibited from using any other IT, including IT that is personally owned, to include internal and external cloud services and end-point devices, to process, store, or transmit CMMC assessment reports or any other CMMC assessment-related information. The evaluation of assessment evidence within the OSC environment, using OSC tools, is permitted.
-including but not limited to:
-(1) Criticality of the associated
+(8) Immediately notify the responsible
-mission capability;
+C3PAO of any breach or potential breach of security to any CMMC-related assessment materials under the assessors’ purview.
-(2) Type of acquisition program or
+(9) Not share any information about
-technology;
+an OSC obtained during CMMC pre- assessment and assessment activities with any person not involved with that specific assessment, except as otherwise required by law.
-(3) Threat of loss of the FCI or CUI to
+(10) Qualify as a Lead CCA by having
-be shared or generated in relation to the <br />
+at least 5 years of cybersecurity experience, 5 years of management experience, 3 years of assessment or audit experience, and at least one foundational qualification aligned to Advanced Proficiency Level of the DoD Cyberspace Workforce Framework’s Security Control Assessor (612) Work Role, from DoD Manual 8140.03,'' Cyberspace Workforce Qualification and''
-effort;
-(4) Impacts from exploitation of
+VerDate Sep&lt;11&gt;2014
-information security deficiencies; and
+:51 Oct 11, 2024
-(5) Other relevant policies and factors,
+Jkt 265001
-including Milestone Decision Authority <br />
+PO 00000
-guidance.
-(c) In accordance with the
+Frm 00134
-implementation plan described in <br />
+Fmt 4701
-§ 170.3, CMMC Program requirements <br />
-will apply to new DoD solicitations and <br />
-contracts, and shall flow down to <br />
-subcontractors who will process, store, <br />
-or transmit FCI or CUI in performance <br />
-of the subcontract, as described in <br />
-§ 170.23.
-(d) In very limited circumstances, and
+Sfmt 4700
-in accordance with all applicable <br />
+E:\FR\FM\15OCR2.SGM
-policies, procedures, and requirements, <br />
-a Service Acquisition Executive or <br />
-Component Acquisition Executive in <br />
-the DoD, or as delegated, may elect to <br />
-waive inclusion of CMMC Program <br />
-requirements in a solicitation or <br />
-contract. In such cases, contractors and <br />
-subcontractors will remain obligated to <br />
-comply with all applicable <br />
-cybersecurity and information security <br />
-requirements.
-(e) The CMMC Program does not alter
+OCR2
-any separately applicable requirements <br />
+khammond on DSKJM1Z7X2PROD with RULES2
-to protect FCI or CUI, including those <br />
-requirements in accordance with 48 <br />
-CFR 52.204–21, ''Basic Safeguarding of <br />
-Covered Contractor Information <br />
-Systems, ''or covered defense information <br />
-in accordance with 48 CFR 252.204– <br />
-, ''Safeguarding Covered Defense <br />
-Information and Cyber Incident <br />
-Reporting, ''or any other applicable <br />
-information protection requirements. <br />
-The CMMC Program provides a means <br />
-of verifying implementation of the <br />
-security requirements set forth in 48 <br />
-CFR 52.204–21, NIST SP 800–171 R2, <br />
-and NIST SP 800–172 Feb2021, as <br />
-applicable.
-'''Subpart B—Government Roles and <br />
-Responsibilities. '''
-'''§ 170.6'''
-'''CMMC PMO. '''
-(a) The Office of the Department of
-Defense Chief Information Officer (DoD <br />
-CIO) Office of the Deputy CIO for <br />
-Cybersecurity (DoD CIO(CS)) provides <br />
-oversight of the CMMC Program and is <br />
-responsible for establishing CMMC <br />
-assessment, accreditation, and training <br />
-requirements as well as developing and <br />
-updating CMMC Program policies and <br />
-implementing guidance.
-(b) The CMMC PMO is responsible for
-monitoring the CMMC AB’s <br />
+'''83225'' '
-performance of roles assigned in this <br />
-rule and acting as necessary to address <br />
-problems pertaining to effective <br />
-performance.
-(c) The CMMC PMO retains, on behalf
+'''Federal Register'' '/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
-of the DoD CIO(CS), the prerogative to <br />
+''Management Program'' [https://dodcio.defense.gov/Portals/0/Documents/Library/DoDM-8140-03.pdf (''https://dodcio.defense.gov/Portals/0/ Documents/Library/DoDM-8140-03.pdf''). ]Information on the Work Role 612 can [https://public.cyber.mil/dcwf-work-role/security-control-assessor/ be found at'' https://public.cyber.mil/ dcwf-work-role/security-control- assessor/.'' ]
-review decisions of the CMMC <br />
-Accreditation Body as part of its <br />
-oversight of the CMMC program and <br />
-evaluate any alleged conflicts of interest <br />
-purported to influence the CMMC <br />
-Accreditation Body’s objectivity.
-(d) The CMMC PMO is responsible for
+'''§ 170.12'''
-sponsoring necessary DCSA activities <br />
+'''CMMC Instructor.'' '
-including FOCI risk assessment and Tier <br />
-security background investigations for <br />
-the CMMC Ecosystem members as <br />
-specified in §§ 170.8(b)(4) and (5), <br />
-.9(b)(3) through (5), 170.11(b)(3) and <br />
-(4), and 170.13(b)(3) and (4).
-(e) The CMMC PMO is responsible for
+(a)'' CMMC Provisional Instructor (PI)''
-investigating and acting upon <br />
+''roles and responsibilities.'' A CMMC Provisional Instructor (PI) teaches CCA and CCP candidates during the transitional period that ends 18 months after December 16, 2024. A PI is trained, tested, and designated to perform CMMC instructional duties by the CAICO to teach CCP and CCA candidates. PIs are designated by the CAICO after successful completion of the PI training and testing requirements set forth by the CAICO. A PI with a valid CCP certification may instruct CCP candidates, while a PI with a valid CCA certification may instruct CCP and CCA candidates. PIs are required to meet requirements in (c) of this section.
-indications that an active CMMC Status <br />
-has been called into question. <br />
-Indications that may trigger <br />
-investigative evaluations include, but <br />
-are not limited to, reports from the <br />
-CMMC Accreditation Body, a C3PAO, or <br />
-anyone knowledgeable of the security <br />
-processes and activities of the OSA. <br />
-Investigative evaluations include, but <br />
-are not limited to, reviewing pertinent <br />
-assessment information, and exercising <br />
-the right to conduct a DCMA DIBCAC <br />
-assessment of the OSA, as provided for <br />
-under the 48 CFR 252.204–7020.
-(f) If a subsequent DCMA DIBCAC
+(b)'' CMMC Certified Instructor (CCI)''
-assessment shows that adherence to the <br />
+''roles and responsibilities.'' A CMMC Certified Instructor (CCI) teaches CCP, CCA, and CCI candidates and performs CMMC instructional duties. Candidate CCIs are certified by the CAICO after successful completion of the CCI training and testing requirements. A CCI is required to obtain and maintain assessor and instructor certifications from the CAICO in accordance with the requirements set forth in § 170.10 and in paragraph (c) of this section. A CCI with a valid CCP certification may instruct CCP candidates, while a CCI with a valid CCA certification may instruct CCP, CCA, and CCI candidates. Certifications are valid for 3 years from the date of issuance. CCIs are required to meet requirements in paragraph (c) of this section.
-provisions of this rule and the required <br />
-CMMC Status have not been achieved or <br />
-maintained, the DIBCAC results will <br />
-take precedence over any pre-existing <br />
-CMMC Status recorded in SPRS, or its <br />
-successor capability. The DoD will <br />
-update SPRS to reflect that the OSA is <br />
-out of compliance and does not meet <br />
-DoD CMMC requirements. If the OSA is <br />
-working on an active contract requiring <br />
-CMMC compliance, then standard <br />
-contractual remedies will apply.
-'''§ 170.7'''
+(c)'' Requirements.'' CMMC Instructors
-'''DCMA DIBCAC. '''
+shall:
-(a) DCMA DIBCAC assessors in
+(1) Obtain and maintain instructor
-support of the CMMC Program will:
+designation or certification, as appropriate, from the CAICO in accordance with the requirements set forth in § 170.10.
-(1) Complete CMMC Level 2 and
+(2) Obtain and maintain CCP or CCA
-Level 3 training.
+certification to deliver CCP training.
-(2) Conduct Level 3 certification
+(3) Obtain and maintain a CCA
-assessments and upload assessment <br />
+certification to deliver CCA training.
-results into the CMMC instantiation of <br />
-eMASS, or its successor capability.
-(3) Issue Certificates of CMMC Status
+(4) Comply with the Accreditation
-resulting from Level 3 certification <br />
+Body policies for Conflict of Interest, Code of Professional Conduct, and Ethics set forth in § 170.8(b)(17).
-assessments.
-(4) Conduct Level 2 certification
+(5) Provide all documentation and
-assessments of the Accreditation Body <br />
+records in English.
-and prospective C3PAOs’ information
-VerDate Sep&lt;11&gt;2014
+(6) Provide the Accreditation Body
-:51 Oct 11, 2024
+and the CAICO annually with accurate information detailing their qualifications, training experience,
-Jkt 265001
+professional affiliations, and certifications, and, upon reasonable request, submit documentation verifying this information.
-PO 00000
+(7) Not provide CMMC consulting
-Frm 00130
+services while serving as a CMMC instructor; however, subject to the Code of Professional Conduct and Conflict of Interest policies, can serve on an assessment team.
-Fmt 4701
+(8) Not participate in the development
-Sfmt 4700
+of exam objectives and/or exam content or act as an exam proctor while at the same time serving as a CCI.
-E:\FR\FM\15OCR2.SGM
+(9) Keep confidential all information
-OCR2
+obtained or created during the performance of CMMC training activities, including trainee records, except as required by law.
-khammond on DSKJM1Z7X2PROD with RULES2
+(10) Not disclose any CMMC-related
+data or metrics that is PII, FCI, or CUI to anyone without prior coordination with and approval from DoD.
+(11) Notify the Accreditation Body or
+the CAICO if required by law or authorized by contractual commitments to release confidential information.
+(12) Not share with anyone any
+CMMC training-related information not previously publicly disclosed.
+'''§ 170.13'''
-'''83221 '''
+'''CMMC Certified Professional'' '
-'''Federal Register '''/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
+'''(CCP).'' '
-systems that process, store, and/or <br />
+(a)'' Roles and responsibilities.'' A
-transmit CUI.
-(5) Create and maintain a process for
+CMMC Certified Professional (CCP) completes rigorous training on CMMC and the assessment process to provide advice, consulting, and recommendations to their OSA clients. Candidate CCPs are certified by the CAICO after successful completion of the CCP training and testing requirements set forth in paragraph (b) of this section. CCPs are eligible to become CMMC Certified Assessors and can participate as a CCP on Level 2 certification assessments with CCA oversight where the CCA makes all final determinations.
-assessors to collect the list of assessment <br />
+(b)'' Requirements.'' CCPs shall: (1) Obtain and maintain certification
-artifacts to include artifact names, their <br />
-return value of the hashing algorithm, <br />
-the hashing algorithm used, and upload <br />
-that data into the CMMC instantiation of <br />
-eMASS.
-(6) As authorized and in accordance
+from the CAICO in accordance with the requirements set forth in § 170.10. Certification is valid for 3 years from the date of issuance.
-with all legal requirements, enter and <br />
+(2) Comply with the Accreditation
-track, OSC appeals and updated results <br />
-arising from Level 3 certification <br />
-assessment activities into the CMMC <br />
-instantiation of eMASS.
-(7) Retain all records in accordance
+Body policies for Conflict of Interest, Code of Professional Conduct, and Ethics as set forth in § 170.8(b)(17).
-with DCMA–MAN 4501–04.
+(3) Complete a Tier 3 background
-(8) Conduct an assessment of the
+investigation resulting in a determination of national security eligibility. This Tier 3 background investigation will not result in a security clearance and is not being executed for the purpose of government employment. The Tier 3 background investigation is initiated using the Standard Form (SF) [http://www.gsa.gov/reference/forms/questionnaire-for-national-security-positions 86 (''www.gsa.gov/reference/forms/'' ]
-OSA, when requested by the CMMC <br />
+[http://www.gsa.gov/reference/forms/questionnaire-for-national-security-positions'' questionnaire-for-national-security- positions''). These positions are ]designated as non-critical sensitive with a risk designation of ‘‘Moderate Risk’’ in accordance with 5 CFR 1400.201(b) and (d) and the investigative requirements of 5 CFR 731.106(c)(2).
-PMO per §§ 170.6(e) and (f), as provided <br />
-for under the 48 CFR 252.204–7019 and <br />
-CFR 252.204–7020.
-(9) Identify assessments that meet the
+(4) Meet the equivalent of a favorably
-criteria in § 170.20 and verify that SPRS <br />
+adjudicated Tier 3 background investigation when not eligible to obtain a Tier 3 background investigation. DoD will determine the Tier 3 background investigation equivalence for use with the CMMC Program only.
-accurately reflects the CMMC Status.
-(b) An OSC, the CMMC AB, or a
+(5) Provide all documentation and
-C3PAO may appeal the outcome of its <br />
+records in English.
-DCMA DIBCAC conducted assessment <br />
-within 21 days by submitting a written <br />
-basis for appeal with the requirements <br />
-in question for DCMA DIBCAC <br />
-consideration. Appeals may be <br />
-submitted for review by visiting <br />
-[http://www.dcma.mil/DIBCAC ''www.dcma.mil/DIBCAC '']for contact <br />
-information, and a DCMA DIBCAC <br />
-Quality Assurance Review Team will <br />
-provide a written response or request <br />
-additional supporting documentation.
-'''Subpart C—CMMC Assessment and <br />
+(6) Not share any information about
-Certification Ecosystem. '''
-'''§ 170.8'''
+an OSC obtained during CMMC pre- assessment and assessment activities with any person not involved with that specific assessment, except as otherwise required by law.
-'''Accreditation Body. '''
+'''Subpart D—Key Elements of the CMMC Program'' '
-(a) ''Roles and responsibilities. ''The
+'''§ 170.14'''
-Accreditation Body is responsible for <br />
+'''CMMC Model.'' '
-authorizing and ensuring the <br />
-accreditation of CMMC Third-Party <br />
-Assessment Organizations (C3PAOs) in <br />
-accordance with ISO/IEC 17020:2012(E) <br />
-(incorporated by reference, see § 170.2) <br />
-and all applicable authorization and <br />
-accreditation requirements set forth. <br />
-The Accreditation Body is responsible <br />
-for establishing the C3PAO <br />
-authorization requirements and the <br />
-C3PAO Accreditation Scheme and <br />
-submitting both for approval by the <br />
-CMMC PMO. At any given point in <br />
-time, there will be only one <br />
-Accreditation Body for the DoD CMMC <br />
-Program.
-(b) ''Requirements. ''The CMMC
+(a)'' Overview.'' The CMMC Model
-Accreditation Body shall:
+incorporates the security requirements from:
-(1) Be US-based and be and remain a
+(1) 48 CFR 52.204–21,'' Basic''
-member in good standing of the Inter- <br />
+''Safeguarding of Covered Contractor Information Systems;''
-American Accreditation Cooperation <br />
-(IAAC) and become an International <br />
-Laboratory Accreditation Cooperation <br />
-(ILAC) Mutual Recognition
-Arrangement (MRA) signatory, with a <br />
+(2) NIST SP 800–171 R2,'' Protecting''
-signatory status scope of ISO/IEC <br />
-:2012(E) (incorporated by <br />
-reference, see § 170.2).
-(2) Be and remain a member in good
+''Controlled Unclassified Information in Nonfederal Systems and Organizations'' (incorporated by reference, see § 170.2); and
-standing of the International <br />
+(3) Selected security requirements
-Accreditation Forum (IAF) with mutual <br />
-recognition arrangement signatory status <br />
-scope of ISO/IEC 17024:2012(E) <br />
-(incorporated by reference, see § 170.2).
-(3) Achieve and maintain full
+from NIST SP 800–172 Feb2021,'' Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800–171'' (incorporated by reference, see § 170.2).
-compliance with ISO/IEC 17011:2017(E) <br />
+(b)'' CMMC domains.'' The CMMC
-(incorporated by reference, see § 170.2) <br />
-and complete a peer assessment by <br />
-other ILAC signatories for competence <br />
-in accrediting conformity assessment <br />
-bodies to ISO/IEC 17020:2012(E) <br />
-(incorporated by reference, see § 170.2), <br />
-both within 24 months of DoD approval.
-(i) Prior to achieving full compliance
+Model consists of domains that map to the Security Requirement Families defined in NIST SP 800–171 R2 (incorporated by reference, see § 170.2).
-as set forth in this paragraph (b)(3), the <br />
+(c)'' CMMC level requirements.'' CMMC
-Accreditation Body shall:
-(A) Authorize C3PAOs who meet all
+Levels 1–3 utilize the safeguarding requirements and security requirements specified in 48 CFR 52.204–21 (for Level 1), NIST SP 800–171 R2 (incorporated by reference, see § 170.2) (for Level 2), and selected security requirements from NIST SP 800–172 Feb2021 (incorporated by reference, see § 170.2) (for Level 3). This paragraph discusses the numbering scheme and the security requirements for each level.
-requirements set forth in § 170.9 as well <br />
+(1)'' Numbering.'' Each security
-as administrative requirements as <br />
-determined by the Accreditation Body <br />
-to conduct Level 2 certification <br />
-assessments and issue Certificates of <br />
-CMMC Status to OSCs based on the <br />
-assessment results.
-(B) Require all C3PAOs to achieve and
+requirement has an identification number in the format—DD.L#-REQ— where:
-maintain the ISO/IEC 17020:2012(E) <br />
+(i) DD is the two-letter domain
-(incorporated by reference, see § 170.2) <br />
-requirements within 27 months of <br />
-authorization.
-(ii) The Accreditation Body shall
+abbreviation;
-accredit C3PAOs, in accordance with <br />
+(ii) L# is the CMMC level number; and
-ISO/IEC 17020:2012(E) (incorporated by <br />
-reference, see § 170.2), who meet all <br />
-requirements set forth in § 170.9 to <br />
-conduct Level 2 certification <br />
-assessments and issue Certificates of <br />
-CMMC Status to OSCs based on the <br />
-results.
-(4) Ensure that the Accreditation
+VerDate Sep&lt;11&gt;2014
-Body’s Board of Directors, professional <br />
+:51 Oct 11, 2024
-staff, Information Technology (IT) staff, <br />
-accreditation staff, and independent <br />
-CMMC Certified Assessor staff complete <br />
-a Tier 3 background investigation <br />
-resulting in a determination of national <br />
-security eligibility. This Tier 3 <br />
-background investigation will not result <br />
-in a security clearance and is not being <br />
-executed for the purpose of government <br />
-employment. The Tier 3 background <br />
-investigation is initiated using the <br />
-[http://www.gsa.gov/reference/forms/questionnaire-for-national-security-positions Standard Form (SF) 86 (''www.gsa.gov/ <br />
-reference/forms/questionnaire-for- <br />
-national-security-positions'') and <br />
-]submitted by DoD CIO Security to <br />
-Washington Headquarters Services <br />
-(WHS) for coordination for processing <br />
-by the Defense Counterintelligence and <br />
-Security Agency (DCSA). These <br />
-positions are designated as non-critical <br />
-sensitive with a risk designation of <br />
-‘‘Moderate Risk’’ in accordance with 5 <br />
-CFR 1400.201(b) and (d) and the
-investigative requirements of 5 CFR <br />
+Jkt 265001
-.106(c)(2).
-(5) Comply with Foreign Ownership,
+PO 00000
-Control or Influence (FOCI) by:
+Frm 00135
-(i) Completing the Standard Form (SF)
+Fmt 4701
-[http://www.gsa.gov/reference/forms/certificate-pertaining-to-foreign-interests 328 (''www.gsa.gov/reference/forms/ <br />
+Sfmt 4700
-certificate-pertaining-to-foreign- <br />
-interests''), ]''Certificate Pertaining to <br />
-Foreign Interests, ''and submit it directly <br />
-to Defense Counterintelligence and <br />
-Security Agency (DCSA) and undergo a <br />
-National Security Review with regards <br />
-to the protection of controlled <br />
-unclassified information based on the <br />
-factors identified in 32 CFR 117.11(b) <br />
-using the procedures outlined in 32 CFR <br />
-.11(c). The Accreditation Body must <br />
-receive a non-disqualifying eligibility <br />
-determination by the CMMC PMO to be <br />
-recognized by the Department of <br />
-Defense.
-(ii) Reporting any change to the
+E:\FR\FM\15OCR2.SGM
-information provided on its SF 328 by <br />
+OCR2
-resubmitting the SF 328 to DCSA within <br />
-business days of the change being <br />
-effective. A disqualifying eligibility <br />
-determination, based on the results of <br />
-the change, will result in the <br />
-Accreditation Body losing its <br />
-authorization or accreditation under the <br />
-CMMC Program.
-(iii) Identifying all prospective
+khammond on DSKJM1Z7X2PROD with RULES2
-C3PAOs to the CMMC PMO. The CMMC <br />
-PMO will sponsor the prospective <br />
-C3PAO for a FOCI risk assessment <br />
-conducted by the DCSA using the SF <br />
-as part of the authorization and <br />
-accreditation processes.
-(iv) Notifying prospective C3PAOs of
-the CMMC PMO’s eligibility <br />
-determination resulting from the FOCI <br />
-risk assessment.
-(6) Obtain a Level 2 certification
-assessment in accordance with the <br />
-procedures specified in § 170.17(a)(1) <br />
-and (c). This assessment, conducted by <br />
-DCMA DIBCAC, shall meet all <br />
-requirements for a Final Level 2 <br />
-(C3PAO) but will not result in a CMMC <br />
-Status of Level 2 (C3PAO). The Level 2 <br />
-certification assessment process must be <br />
-performed every three years.
-(7) Provide all documentation and
-records in English.
+'''83226'' '
-(8) Establish, maintain, and manage
+'''Federal Register'' '/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
-an up-to-date list of authorized and <br />
+(iii) REQ is the 48 CFR 52.204–21
-accredited C3PAOs on a single publicly <br />
-accessible website and provide the list <br />
-of these entities and their status to the <br />
-DoD through submission in the CMMC <br />
-instantiation of eMASS.
-(9) Provide the CMMC PMO with
+paragraph number, NIST SP 800–171 R2 requirement number, or NIST SP 800– 172 Feb2021 requirement number.
-current data on C3PAOs, including <br />
+(2)'' CMMC Level 1 security''
-authorization and accreditation records <br />
-and status in the CMMC instantiation of <br />
-eMASS. This data shall include the <br />
-dates associated with the authorization <br />
-and accreditation of each C3PAO.
-VerDate Sep&lt;11&gt;2014
+''requirements.'' The security requirements in CMMC Level 1 are those set forth in 48 CFR 52.204–21(b)(1)(i) through (xv).
-:51 Oct 11, 2024
+(3)'' CMMC Level 2 security''
-Jkt 265001
+''requirements.'' The security requirements in CMMC Level 2 are identical to the requirements in NIST SP 800–171 R2.
-PO 00000
+(4)'' CMMC Level 3 security''
-Frm 00131
+''requirements.'' The security requirements in CMMC Level 3 are selected from NIST SP 800–172 Feb2021, and where
-Fmt 4701
+applicable, Organization-Defined Parameters (ODPs) are assigned. Table 1 to this paragraph identifies the selected requirements and applicable ODPs that represent the CMMC Level 3 security requirements. ODPs for the NIST SP 800–172 Feb2021 requirements are italicized, where applicable:
-Sfmt 4700
+TABLE 1 TO § 170.14(c)(4)
-E:\FR\FM\15OCR2.SGM
+Security requirement No.*
-OCR2
+CMMC Level 3 security requirements
-khammond on DSKJM1Z7X2PROD with RULES2
+(selected NIST SP 800–172 Feb2021 security requirement with DoD ODPs italicized)
+(i) AC.L3–3.1.2e .......................
+Restrict access to systems and system components to only those information resources that are owned,
+provisioned, or issued by the organization.
+(ii) AC.L3–3.1.3e ......................
+Employ'' secure information transfer solutions'' to control information flows between security domains on con-
+nected systems.
-'''83222 '''
+(iii) AT.L3–3.2.1e .....................
-'''Federal Register '''/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
+Provide awareness training'' upon initial hire, following a significant cyber event, and at least annually,'' focused
-(10) Provide the DoD with
+on recognizing and responding to threats from social engineering, advanced persistent threat actors, breaches, and suspicious behaviors; update the training'' at least annually'' or when there are significant changes to the threat.
-information about aggregate statistics <br />
+(iv) AT.L3–3.2.2e .....................
-pertaining to operations of the CMMC <br />
-Ecosystem to include the authorization <br />
-and accreditation status of C3PAOs or <br />
-other information as requested.
-(11) Provide inputs for assessor
+Include practical exercises in awareness training for'' all users, tailored by roles, to include general users, users''
-supplemental guidance to the CMMC <br />
+''with specialized roles, and privileged users,'' that are aligned with current threat scenarios and provide feed-back to individuals involved in the training and their supervisors.
-PMO. Participate and support <br />
-coordination of these and other inputs <br />
-through DoD-led Working Groups.
-(12) Ensure that all information about
+(v) CM.L3–3.4.1e .....................
-individuals is encrypted and protected <br />
+Establish and maintain an authoritative source and repository to provide a trusted source and accountability for
-in all Accreditation Body information <br />
-systems and databases.
-(13) Provide all plans that are related
+approved and implemented system components.
-to potential sources of revenue, to <br />
+(vi) CM.L3–3.4.2e ....................
-include but not limited to: fees, <br />
-licensing, processes, membership, and/ <br />
-or partnerships to the Department’s <br />
-CMMC PMO.
-(14) Ensure that the CMMC Assessors
+Employ automated mechanisms to detect misconfigured or unauthorized system components; after detection,
-and Instructors Certification <br />
+''remove the components or place the components in a quarantine or remediation network'' to facilitate patching, re-configuration, or other mitigations.
-Organization (CAICO) is compliant with <br />
-ISO/IEC 17024:2012(E)
-(15) Ensure all training products,
+(vii) CM.L3–3.4.3e ...................
-instruction, and testing materials are of <br />
+Employ automated discovery and management tools to maintain an up-to-date, complete, accurate, and readily
-high quality and subject to CAICO <br />
-quality control policies and procedures, <br />
-to include technical accuracy and <br />
-alignment with all applicable legal, <br />
-regulatory, and policy requirements.
-(16) Develop and maintain an internal
+available inventory of system components.
-appeals process, as required by ISO/IEC <br />
+(viii) IA.L3–3.5.1e .....................
-:2017(E), and render a final <br />
-decision on all elevated appeals.
-(17) Develop and maintain a
+Identify and authenticate'' systems and system components, where possible,'' before establishing a network con-
-comprehensive plan and schedule to <br />
+nection using bidirectional authentication that is cryptographically based and replay resistant.
-comply with all ISO/IEC 17011:2017(E), <br />
-and DoD requirements for Conflict of <br />
-Interest, Code of Professional Conduct, <br />
-and Ethics policies as set forth in the <br />
-DoD contract. All policies shall apply to <br />
-the Accreditation Body, and other <br />
-individuals, entities, and groups within <br />
-the CMMC Ecosystem who provide <br />
-Level 2 certification assessments, <br />
-CMMC instruction, CMMC training <br />
-materials, or Certificates of CMMC <br />
-Status on behalf of the Accreditation <br />
-Body. All policies in this section must <br />
-be approved by the CMMC PMO prior <br />
-to effectivity in accordance with the <br />
-following requirements.
-(i) ''Conflict of Interest (CoI) policy. ''
+(ix) IA.L3–3.5.3e ......................
-The CoI policy shall:
+Employ automated or manual/procedural mechanisms to prohibit system components from connecting to orga-
-(A) Include a detailed risk mitigation
+nizational systems unless the components are known, authenticated, in a properly configured state, or in a trust profile.
-plan for all potential conflicts of interest <br />
+(x) IR.L3–3.6.1e .......................
-that may pose a risk to compliance with <br />
-ISO/IEC 17011:2017(E).
-(B) Require employees, Board
+Establish and maintain a security operations center capability that operates'' 24/7, with allowance for remote/on-''
-directors, and members of any <br />
+''call staff.''
-accreditation committees or appeals <br />
-adjudication committees to disclose to <br />
-the CMMC PMO, in writing, as soon as <br />
-it is known or reasonably should be <br />
-known, any actual, potential, or <br />
-perceived conflict of interest with <br />
-sufficient detail to allow for assessment.
-(C) Require employees, Board
+(xi) IR.L3–3.6.2e ......................
-directors, and members of any <br />
+Establish and maintain a cyber-incident response team that can be deployed by the organization within'' 24''
-accreditation committees or appeals <br />
-adjudication committees who leave the <br />
-board or organization to enter a ‘‘cooling <br />
-off period’’ of one (1) year whereby they <br />
-are prohibited from working with the <br />
-Accreditation Body or participating in <br />
-any and all CMMC activities described <br />
-in Subpart C.
-(D) Require CMMC Ecosystem
+''hours.''
-members to actively avoid participating <br />
+(xii) PS.L3–3.9.2e ....................
-in any activity, practice, or transaction <br />
-that could result in an actual or <br />
-perceived conflict of interest.
-(E) Require CMMC Ecosystem
+Ensure that organizational systems are protected if adverse information develops or is obtained about individ-
-members to disclose to Accreditation <br />
+uals with access to CUI.
-Body leadership, in writing, any actual <br />
-or potential conflict of interest as soon <br />
-as it is known, or reasonably should be <br />
-known.
-(ii) ''Code of Professional Conduct ''
+(xiii) RA.L3–3.11.1e .................
-''(CoPC) policy. ''The CoPC policy shall:
+Employ'' threat intelligence, at a minimum from open or commercial sources, and any DoD-provided sources,'' as
-(A) Describe the performance
+part of a risk assessment to guide and inform the development of organizational systems, security architec-tures, selection of security solutions, monitoring, threat hunting, and response and recovery activities.
-standards by which the members of the <br />
+(xiv) RA.L3–3.11.2e .................
-CMMC Ecosystem will be held <br />
-accountable and the procedures for <br />
-addressing violations of those <br />
-performance standards.
-(B) Require the Accreditation Body to
+Conduct cyber threat hunting activities'' on an on-going aperiodic basis or when indications warrant,'' to search
-investigate and resolve any potential <br />
+for indicators of compromise in'' organizational systems'' and detect, track, and disrupt threats that evade exist-ing controls.
-violations that are reported or are <br />
-identified by the DoD.
-(C) Require the Accreditation Body to
+(xv) RA.L3–3.11.3e ..................
-inform the DoD in writing of new <br />
+Employ advanced automation and analytics capabilities in support of analysts to predict and identify risks to or-
-investigations within 72 hours.
-(D) Require the Accreditation Body to
+ganizations, systems, and system components.
-report to the DoD in writing the <br />
+(xvi) RA.L3–3.11.4e .................
-outcome of completed investigations <br />
-within 15 business days.
-(E) Require CMMC Ecosystem
+Document or reference in the system security plan the security solution selected, the rationale for the security
-members to represent themselves and <br />
+solution, and the risk determination.
-their companies accurately; to include <br />
-not misrepresenting any professional <br />
-credentials or status, including CMMC <br />
-authorization or CMMC Status, nor <br />
-exaggerating the services that they or <br />
-their company are capable or authorized <br />
-to deliver.
-(F) Require CMMC Ecosystem
+(xvii) RA.L3–3.11.5e ................
-members to be honest and factual in all <br />
+Assess the effectiveness of security solutions'' at least annually or upon receipt of relevant cyber threat informa-''
-CMMC-related activities with <br />
-colleagues, clients, trainees, and others <br />
-with whom they interact.
-(G) Prohibit CMMC Ecosystem
+''tion, or in response to a relevant cyber incident,'' to address anticipated risk to organizational systems and the organization based on current and accumulated threat intelligence.
-members from participating in the Level <br />
+(xviii) RA.L3–3.11.6e ...............
-certification assessment process for an <br />
-assessment in which they previously <br />
-served as a consultant to prepare the <br />
-organization for any CMMC assessment <br />
-within 3 years.
-(H) Require CMMC Ecosystem
+Assess, respond to, and monitor supply chain risks associated with organizational systems and system compo-
-members to maintain the confidentiality <br />
+nents.
-of customer and government data to <br />
-preclude unauthorized disclosure.
-(I) Require CMMC Ecosystem
+(xix) RA.L3–3.11.7e .................
-members to report results and data from <br />
+Develop a plan for managing supply chain risks associated with organizational systems and system compo-
-Level 2 certification assessments and
-training objectively, completely, clearly, <br />
+nents; update the plan'' at least annually, and upon receipt of relevant cyber threat information, or in response to a relevant cyber incident.''
-and accurately.
-(J) Prohibit CMMC Ecosystem
+(xx) CA.L3–3.12.1e ..................
-members from cheating, assisting <br />
+Conduct penetration testing'' at least annually or when significant security changes are made to the system,''
-another in cheating, or allowing <br />
-cheating on CMMC examinations.
-(K) Require CMMC Ecosystem
+leveraging automated scanning tools and ad hoc tests using subject matter experts.
-members to utilize official training <br />
+(xxi) SC.L3–3.13.4e .................
-content developed by a CMMC training <br />
-organization approved by the CAICO in <br />
-all CMMC certification courses.
-(iii) ''Ethics policy. ''The Ethics policy
+Employ'' physical isolation techniques or logical isolation techniques or both'' in organizational systems and sys-
-shall:
+tem components.
-(A) Require CMMC Ecosystem
+(xxii) SI.L3–3.14.1e ..................
-members to report to the Accreditation <br />
-Body within 30 days of convictions, <br />
-guilty pleas, or no contest pleas to <br />
-crimes of fraud, larceny, embezzlement, <br />
-misappropriation of funds, <br />
-misrepresentation, perjury, false <br />
-swearing, conspiracy to conceal, or a <br />
-similar offense in any legal proceeding, <br />
-civil or criminal, whether or not in <br />
-connection with activities that relate to <br />
-carrying out their role in the CMMC <br />
-Ecosystem.
-(B) Prohibit harassment or
+Verify the integrity of'' security critical and essential software'' using root of trust mechanisms or cryptographic
-discrimination by CMMC Ecosystem <br />
+signatures.
-members in all interactions with <br />
-individuals whom they encounter in <br />
-connection with their roles in the <br />
-CMMC Ecosystem.
-(C) Require CMMC Ecosystem
+(xxiii) SI.L3–3.14.3e .................
-members to have and maintain a <br />
-satisfactory record of integrity and <br />
-business ethics.
-'''§ 170.9'''
+Ensure that'' specialized assets including IoT, IIoT, OT, GFE, Restricted Information Systems, and test equip-''
-'''CMMC Third-Party Assessment '''
+''ment'' are included in the scope of the specified enhanced security requirements or are segregated in pur-pose-specific networks.
-'''Organizations (C3PAOs). '''
+(xxiv) SI.L3–3.14.6e .................
-(a) ''Roles and responsibilities. ''C3PAOs
+Use threat indicator information and effective mitigations obtained from,'' at a minimum, open or commercial''
-are organizations that are responsible for <br />
+''sources, and any DoD-provided sources,'' to guide and inform intrusion detection and threat hunting.
-conducting Level 2 certification <br />
-assessments and issuing Certificates of <br />
-CMMC Status to OSCs based on the <br />
-results. C3PAOs must be accredited or <br />
-authorized by the Accreditation Body in <br />
-accordance with the requirements set <br />
-forth.
-(b) ''Requirements. ''C3PAOs shall: <br />
+* Roman numerals in parentheses before the Security Requirement are for numbering purposes only. The numerals are not part of the naming
-(1) Obtain authorization or
-accreditation from the Accreditation <br />
-Body in accordance with § 170.8(b)(3)(i) <br />
-and (ii).
-(2) Comply with the Accreditation
-Body policies for Conflict of Interest, <br />
-Code of Professional Conduct, and <br />
-Ethics set forth in § 170.8(b)(17); and <br />
-achieve and maintain compliance with <br />
-ISO/IEC 17020:2012(E) (incorporated by <br />
-reference, see § 170.2) within 27 months <br />
-of authorization.
-(3) Require all C3PAO company
-personnel participating in the Level 2 <br />
+convention for the requirement.
-certification assessment process to <br />
-complete a Tier 3 background <br />
-investigation resulting in a <br />
-determination of national security <br />
-eligibility. This includes the CMMC <br />
-Assessment Team and the quality
 VerDate Sep&lt;11&gt;2014
@@ Line 2,446: / Line 1,341: @@
 PO 00000
-Frm 00132
+Frm 00136
 Fmt 4701
@@ Line 2,464: / Line 1,359: @@
-'''83223 '''
+'''83227'' '
-'''Federal Register '''/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
+'''Federal Register'' '/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
-assurance individual. This Tier 3 <br />
+(d)'' Implementation.'' Assessment of
-background investigation will not result <br />
-in a security clearance and is not being <br />
-executed for the purpose of government <br />
-employment. The Tier 3 background <br />
-investigation is initiated using the <br />
-Standard Form (SF) 86 ([http://www.gsa.gov/reference/forms/questionnaire-for-national-security-positions ''www.gsa.gov/ <br />
-reference/forms/questionnaire-for- <br />
-national-security-positions''). These <br />
-]positions are designated as non-critical <br />
-sensitive with a risk designation of <br />
-‘‘Moderate Risk’’ in accordance with 5 <br />
-CFR 1400.201(b) and (d) and the <br />
-investigative requirements of 5 CFR <br />
-.106(c)(2).
-(4) Require all C3PAO company
+security requirements is prescribed by NIST SP 800–171A Jun2018 (incorporated by reference, see § 170.2) and NIST SP 800–172A Mar2022 (incorporated by reference, see § 170.2). Descriptive text in these documents support OSA implementation of the security requirements and use the terms organization-defined and periodically. Except where referring to Organization- Defined Parameters (ODPs), organization-defined means as determined by the OSA. Periodically means occurring at regular intervals. As used in many requirements within CMMC, the interval length is organization-defined to provided contractor flexibility, with an interval length of no more than one year.
-personnel participating in the Level 2 <br />
+'''§ 170.15'''
-certification assessment process who are <br />
-not eligible to obtain a Tier 3 <br />
-background investigation to meet the <br />
-equivalent of a favorably adjudicated <br />
-Tier 3 background investigation. DoD <br />
-will determine the Tier 3 background <br />
-investigation equivalence for use with <br />
-the CMMC Program only.
-(5) Comply with Foreign Ownership,
+'''CMMC Level 1 self-assessment'' '
-Control or Influence (FOCI) by:
+'''and affirmation requirements.'' '
-(i) Completing and submitting
+(a)'' Level 1 self-assessment.'' To comply
-[http://www.gsa.gov/reference/forms/certificate-pertaining-to-foreign-interests Standard Form (SF) 328 (''www.gsa.gov/ <br />
+with CMMC Level 1 self-assessment requirements, the OSA must meet the requirements detailed in paragraphs (a)(1) and (2) of this section. An OSA conducts a Level 1 self-assessment as detailed in paragraph (c) of this section to achieve a CMMC Status of Final Level 1 (Self).
-reference/forms/certificate-pertaining- <br />
-to-foreign-interests''), ''Certificate <br />
-'']''Pertaining to Foreign Interests, ''upon <br />
-request from DCSA and undergo a <br />
-National Security Review with regards <br />
-to the protection of controlled <br />
-unclassified information based on the <br />
-factors identified in 32 CFR 117.11(b) <br />
-using the procedures outlined in 32 CFR <br />
-.11(c).
-(ii) Receiving a non-disqualifying
+(1)'' Level 1 self-assessment''
-eligibility determination from the <br />
+''requirements.'' The OSA must complete
-CMMC PMO resulting from the FOCI <br />
-risk assessment in order to proceed to a <br />
-DCMA DIBCAC CMMC Level 2 <br />
-assessment, as part of the authorization <br />
-and accreditation process set forth in <br />
-paragraph (b)(6) of this section.
-(iii) Reporting any change to the
+and achieve a MET result for all security requirements specified in § 170.14(c)(2) to achieve the CMMC Status of Final Level 1 (Self). No POA&amp;Ms are permitted for CMMC Level 1. The OSA must conduct a self-assessment in accordance with the procedures set forth in § 170.15(c)(1) and submit assessment results in SPRS. To maintain compliance with the requirements for the CMMC Status of Final Level 1 (Self), the OSA must conduct a Level 1 self- assessment on an annual basis and submit the results in SPRS, or its successor capability.
-information provided on its SF 328 by <br />
+(i)'' Inputs to SPRS.'' The Level 1 self-
-resubmitting the SF 328 to DCSA within <br />
-business days of the change being <br />
-effective. A disqualifying eligibility <br />
-determination, based on the results of <br />
-the change, will result in the C3PAO <br />
-losing its authorization or accreditation.
-(6) Undergo a Level 2 certification
+assessment results in the Supplier Performance Risk System (SPRS) shall include, at minimum, the following items:
-assessment meeting all requirements for <br />
+(A) CMMC Level. (B) CMMC Status Date. (C) CMMC Assessment Scope. (D) All industry CAGE code(s)
-a Final Level 2 (C3PAO) in accordance <br />
-with the procedures specified in <br />
-§ 170.17(a)(1) and (c), with the following <br />
-exceptions:
-(i) The assessment will be conducted
+associated with the information system(s) addressed by the CMMC Assessment Scope.
-by DCMA DIBCAC.
+(E) Compliance result. (ii) [Reserved] (2)'' Affirmation.'' Affirmation of the
-(ii) The assessment will not result in
+Level 1 (Self) CMMC Status is required for all Level 1 self-assessments. Affirmation procedures are set forth in § 170.22.
-a CMMC Status of Level 2 (C3PAO) nor <br />
+(b)'' Contract eligibility.'' Prior to award
-receive a Certificate of CMMC Status.
-(7) Provide all documentation and
+of any contract or subcontract with a requirement for the CMMC Status of Level 1 (Self), OSAs must both achieve a CMMC Status of Level 1 (Self) and have submitted an affirmation of compliance into SPRS for all information systems within the CMMC Assessment Scope.
-records in English.
+(c)'' Procedures''—(1)'' Level 1 self-''
-(8) Submit pre-assessment and
+''assessment.'' The OSA must conduct a Level 1 self-assessment scored in accordance with the CMMC Scoring Methodology described in § 170.24. The Level 1 self-assessment must be performed in accordance with the CMMC Level 1 scope requirements set forth in § 170.19(a) and (b) and the following:
-planning material, final assessment <br />
+(i) The Level 1 self-assessment must
-reports, and CMMC certificates of <br />
-assessment into the CMMC instantiation <br />
-of eMASS.
-(9) Unless disposition is otherwise
+be performed using the objectives defined in NIST SP 800–171A Jun2018 (incorporated by reference, see § 170.2) for the security requirement that maps to the CMMC Level 1 security requirement as specified in table 1 to paragraph (c)(1)(ii) of this section. In any case where an objective addresses CUI, FCI should be substituted for CUI in the objective.
-authorized by the CMMC PMO, <br />
+(ii) Mapping table for CMMC Level 1
-maintain all assessment related records <br />
-for a period of six (6) years. Such <br />
-records include any materials generated <br />
-by the C3PAO in the course of an <br />
-assessment, any working papers <br />
-generated from Level 2 certification <br />
-assessments; and materials relating to <br />
-monitoring, education, training, <br />
-technical knowledge, skills, experience, <br />
-and authorization of all personnel <br />
-involved in assessment activities; <br />
-contractual agreements with OSCs; and <br />
-organizations for whom consulting <br />
-services were provided.
-(10) Provide any requested audit
+security requirements to the NIST SP 800–171A Jun2018 objectives.
-information, including any out-of-cycle <br />
+TABLE 2 TO § 170.15(c)(1)(ii)—CMMC LEVEL 1 SECURITY REQUIREMENTS MAPPED TO NIST SP 800–171A JUN2018
-from ISO/IEC 17020:2012(E) <br />
-requirements, to the Accreditation <br />
-Body.
-(11) Ensure that all personally
+CMMC Level 1 security requirements as set forth in § 170.14(c)(2)
-identifiable information (PII) is <br />
+NIST SP 800–171A Jun2018
-encrypted and protected in all C3PAO <br />
-information systems and databases.
-(12) Meet the requirements for
+AC.L1–b.1.i ..................................................................................................................................................................
-Assessment Team composition. An <br />
+.1.1
-Assessment Team must include at least <br />
-two people: a Lead CCA, as defined in <br />
-§ 170.11(b)(10), and at least one other <br />
-CCA. Additional CCAs and CCPs may <br />
-also participate on an Assessment Team.
-(13) Implement a quality assurance
+AC.L1–b.1.ii .................................................................................................................................................................
-function that ensures the accuracy and <br />
+.1.2
-completeness of assessment data prior <br />
-to upload into the CMMC instantiation <br />
-of eMASS. Any individual fulfilling the <br />
-quality assurance function must be a <br />
-CCA and cannot be a member of an <br />
-Assessment Team for which they are <br />
-performing a quality assurance role. A <br />
-quality assurance individual shall <br />
-manage the C3PAO’s quality assurance <br />
-reviews as defined in paragraph (b)(14) <br />
-of this section and the appeals process <br />
-as required by paragraphs (b)(19) and <br />
-(20) of this section and in accordance <br />
-with ISO/IEC 17020:2012(E) <br />
-(incorporated by reference, see § 170.2) <br />
-and ISO/IEC 17011:2017(E) <br />
-(incorporated by reference, see § 170.2).
-(14) Conduct quality assurance
+AC.L1–b.1.iii .................................................................................................................................................................
-reviews for each assessment, including <br />
+.1.20
-observations of the Assessment Team’s <br />
-conduct and management of CMMC <br />
-assessment processes.
-(15) Ensure that all Level 2
+AC.L1–b.1.iv ................................................................................................................................................................
-certification assessment activities are <br />
+.1.22
-performed on the information system <br />
-within the CMMC Assessment Scope.
-(16) Maintain all facilities, personnel,
+IA.L1–b.1.v ...................................................................................................................................................................
-and equipment involved in CMMC <br />
+.5.1
-activities that are in scope of their Level <br />
-certification assessment and comply
-with all security requirements and <br />
+IA.L1–b.1.vi ..................................................................................................................................................................
-procedures as prescribed by the <br />
-Accreditation Body.
-(17) Ensure that all assessment data
+.5.2
-and information uploaded into the <br />
+MP.L1–b.1.vii ...............................................................................................................................................................
-CMMC instantiation of eMASS <br />
-assessment data is compliant with the <br />
-CMMC assessment data standard as set <br />
-forth in eMASS CMMC Assessment <br />
-Import Templates on the CMMC eMASS <br />
-[https://cmmc.emass.apps.mil website: ''https://cmmc.emass.apps.mil''. <br />
-]This system is accessible only to <br />
-authorized users.
-(18) Issue Certificates of CMMC Status
+.8.3
-to OSCs in accordance with the Level 2 <br />
+PE.L1–b.1.viii ...............................................................................................................................................................
-certification assessment requirements <br />
-set forth in § 170.17, that include, at a <br />
-minimum, all industry CAGE codes <br />
-associated with the information systems <br />
-addressed by the CMMC Assessment <br />
-Scope, the C3PAO name, assessment <br />
-unique identifier, the OSC name, and <br />
-the CMMC Status date and level.
-(19) Address all OSC appeals arising
+.10.1
-from Level 2 certification assessment <br />
+First phrase of PE.L1–b.1.ix (FAR b.1.ix *) .................................................................................................................
-activities. If the OSC or C3PAO is not <br />
-satisfied with the result of the appeal <br />
-either the OSC or the C3PAO can <br />
-elevate the matter to the Accreditation <br />
-Body for final determination.
-(20) Submit assessment appeals,
+.10.3
-review records, and decision results of <br />
+Second phrase of PE.L1–b.1.ix (FAR b.1.ix *) ............................................................................................................
-assessment appeals to DoD using the <br />
-CMMC instantiation of eMASS.
-'''§ 170.10'''
+.10.4
-'''CMMC Assessor and Instructor '''
+Third phrase of PE.L1–b.1.ix (FAR b.1.ix *) ................................................................................................................
-'''Certification Organization (CAICO). '''
+.10.5
-(a) ''Roles and responsibilities. ''The
+SC.L1–b.1.x .................................................................................................................................................................
-CAICO is responsible for training, <br />
+.13.1
-testing, authorizing, certifying, and <br />
-recertifying CMMC assessors, <br />
-instructors, and related professionals. <br />
-Only the CAICO may make decisions <br />
-relating to examination certifications, <br />
-including the granting, maintaining, <br />
-recertifying, expanding, and reducing <br />
-the scope of certification, and <br />
-suspending or withdrawing certification <br />
-in accordance with current ISO/IEC <br />
-:2012(E) (incorporated by <br />
-reference, see § 170.2). At any given <br />
-point in time, there will be only one <br />
-CAICO for the DoD CMMC Program.
-(b) ''Requirements. ''The CAICO shall: <br />
+SC.L1–b.1.xi ................................................................................................................................................................
-(1) Comply with the Accreditation
-Body policies for Conflict of Interest, <br />
+.13.5
-Code of Professional Conduct, and <br />
-Ethics set forth in § 170.8(b)(17); and <br />
-achieve and maintain ISO/IEC 17024(E) <br />
-accreditation within 12 months of <br />
-December 16, 2024.
-(2) Provide all documentation and
+SI.L1–b.1.xii .................................................................................................................................................................
-records in English.
+.14.1
-(3) Train, test, and designate PIs in
+SI.L1–b.1.xiii ................................................................................................................................................................
-accordance with the requirements of <br />
+.14.2
-this section. Train, test, certify, and <br />
-recertify CCPs, CCAs, and CCIs in <br />
-accordance with the requirements of <br />
-this section.
-VerDate Sep&lt;11&gt;2014
+SI.L1–b.1.xiv ................................................................................................................................................................
+.14.4
+SI.L1–b.1.xv .................................................................................................................................................................
+.14.5
+* Three of the 48 CFR 52.204–21 requirements were broken apart by ‘‘phrase’’ when NIST SP 800–171 R2 was developed.
+(iii) Additional guidance can be found
+in the guidance document listed in paragraph (b) of appendix A to this part.
+(2)'' Artifact retention.'' The artifacts
+used as evidence for the assessment must be retained by the OSA for six (6) years from the CMMC Status Date.
+'''§ 170.16'''
+'''CMMC Level 2 self-assessment'' '
+'''and affirmation requirements.'' '
+(a)'' Level 2 self-assessment.'' To comply
+with Level 2 self-assessment
+requirements, the OSA must meet the requirements detailed in paragraphs (a)(1) and (2) of this section. An OSA conducts a Level 2 self-assessment as detailed in paragraph (c) of this section to achieve a CMMC Status of either Conditional or Final Level 2 (Self). Achieving a CMMC Status of Level 2 (Self) also satisfies the requirements for a CMMC Status of Level 1 (Self) detailed
+in § 170.15 for the same CMMC Assessment Scope.
+(1)'' Level 2 self-assessment''
+''requirements.'' The OSA must complete and achieve a MET result for all security requirements specified in § 170.14(c)(3) to achieve the CMMC Status of Level 2 (Self). The OSA must conduct a self- assessment in accordance with the procedures set forth in paragraph (c)(1) of this section and submit assessment
+VerDate Sep&lt;11&gt;2014
 :51 Oct 11, 2024
@@ Line 2,739: / Line 1,521: @@
 PO 00000
-Frm 00133
+Frm 00137
 Fmt 4701
@@ Line 2,757: / Line 1,539: @@
-'''83224 '''
+'''83228'' '
-'''Federal Register '''/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
+'''Federal Register'' '/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
-(4) Ensure the instructor and assessor
+results in Supplier Performance Risk System (SPRS). To maintain compliance with the requirements for a CMMC Status of Level 2 (Self), the OSA must conduct a Level 2 self-assessment every three years and submit the results in SPRS, within three years of the CMMC Status Date associated with the Conditional Level 2 (Self).
-certification examinations are certified <br />
+(i)'' Inputs to SPRS.'' The Level 2 self-
-under ISO/IEC 17024:2012(E) <br />
-(incorporated by reference, see § 170.2), <br />
-by a recognized US-based accreditor <br />
-who is not a member of the CMMC <br />
-Accreditation Body. The US-based <br />
-accreditor must be a signatory to <br />
-International Laboratory Accreditation <br />
-Cooperation (ILAC) or relevant <br />
-International Accreditation Forum (IAF) <br />
-Mutual Recognition Arrangement <br />
-(MRA) and must operate in accordance <br />
-with ISO/IEC 17011:2017(E) <br />
-(incorporated by reference, see § 170.2).
-(5) Establish quality control policies
+assessment results in the SPRS shall include, at minimum, the following information:
-and procedures for the generation of <br />
+(A) CMMC Level. (B) CMMC Status Date. (C) CMMC Assessment Scope. (D) All industry CAGE code(s)
-training products, instruction, and <br />
-testing materials.
-(6) Oversee development,
+associated with the information system(s) addressed by the CMMC Assessment Scope.
-administration, and management <br />
+(E) Overall Level 2 self-assessment
-pertaining to the quality of training and <br />
-examination materials for CMMC <br />
-assessor and instructor certification and <br />
-recertification.
-(7) Establish and publish an
+score (''e.g.,'' 105 out of 110).
-authorization and certification appeals <br />
+(F) POA&amp;M usage and compliance
-process to receive, evaluate, and make <br />
-decisions on complaints and appeals in <br />
-accordance with ISO/IEC 17024:2012(E) <br />
-(incorporated by reference, see § 170.2).
-(8) Address all appeals arising from
+status, if applicable.
+(ii)'' Conditional Level 2 (Self).'' The
-the CCA, CCI, and CCP authorizations <br />
+OSA has achieved the CMMC Status of Conditional Level 2 (Self) if the Level 2 self-assessment results in a POA&amp;M and the POA&amp;M meets all the CMMC Level 2 POA&amp;M requirements listed in § 170.21(a)(2).
-and certifications process through use of <br />
-internal processes in accordance with <br />
-ISO/IEC 17024:2012(E) (incorporated by <br />
-reference, see § 170.2).
-(9) Maintain records for a period of
+(A)'' Plan of Action and Milestones.'' A
-six (6) years of all procedures, <br />
+Level 2 POA&amp;M is allowed only in accordance with the CMMC POA&amp;M requirements listed in § 170.21.
-processes, and actions related to <br />
-fulfillment of the requirements set forth <br />
-in this section and provide the <br />
-Accreditation Body access to those <br />
-records.
-(10) Provide the Accreditation Body
+(B)'' POA&amp;M closeout.'' The OSA must
-information about the authorization and <br />
+remediate any NOT MET requirements, must perform a POA&amp;M closeout self- assessment, and must post compliance results to SPRS within 180 days of the CMMC Status Date associated with the Conditional Level 2 (Self). If the POA&amp;M is not successfully closed out within the 180-day timeframe, the Conditional Level 2 (Self) CMMC Status for the information system will expire. If Conditional Level 2 (Self) CMMC Status expires within the period of performance of a contract, standard contractual remedies will apply, and the OSA will be ineligible for additional awards with a requirement for the CMMC Status of Level 2 (Self), or higher requirement, for the information system within the CMMC Assessment Scope until such time as a new CMMC Status is achieved.
-accreditation status of assessors, <br />
-instructors, training community, and <br />
-publishing partners.
-(11) Ensure separation of duties
+(iii)'' Final Level 2 (Self).'' The OSA has
-between individuals involved in testing <br />
+achieved the CMMC Status of Final Level 2 (Self) if the Level 2 self- assessment results in a passing score as defined in § 170.24. This score may be achieved upon initial self-assessment or as the result of a POA&amp;M closeout self- assessment, as applicable.
-activities, training activities, and <br />
-certification activities.
-(12) Safeguard and require any CAICO
+(iv)'' CMMC Status investigation.'' The
-training support service providers, as <br />
+DoD reserves the right to conduct a DCMA DIBCAC assessment of the OSA, as provided for under the 48 CFR
-applicable, to safeguard the <br />
-confidentiality of applicant, candidate, <br />
-and certificate-holder information and <br />
-ensure the overall security of the <br />
-certification process.
-(13) Ensure that all PII is encrypted
+.204–7020. If the investigative results of a subsequent DCMA DIBCAC assessment show that adherence to the provisions of this part have not been achieved or maintained, these DCMA DIBCAC results will take precedence over any pre-existing CMMC Status. At that time, standard contractual remedies will be available and the OSA will be ineligible for additional awards with CMMC Status requirement of Level 2 (Self), or higher requirement, for the information system within the CMMC Assessment Scope until such time as a new CMMC Status is achieved.
-and protected in all CAICO information <br />
+(2)'' Affirmation.'' Affirmation of the
-systems and databases and those of any <br />
-CAICO training support service <br />
-providers.
-(14) Ensure the security of assessor
+Level 2 (Self) CMMC Status is required for all Level 2 self-assessments at the time of each assessment, and annually thereafter. Affirmation procedures are set forth in § 170.22.
-and instructor examinations and the fair <br />
+(b)'' Contract eligibility.'' Prior to award
-and credible administration of <br />
-examinations.
-(15) Neither disclose nor allow any
+of any contract or subcontract with requirement for CMMC Status of Level 2 (Self), the following two requirements must be met:
-CAICO training support service <br />
+(1) The OSA must achieve, as
-providers, as applicable, to disclose <br />
-CMMC data or metrics related to <br />
-authorization or certification activities <br />
-to any entity other than the <br />
-Accreditation Body and DoD, except as <br />
-required by law.
-(16) Require retraining and
+specified in paragraph (a)(1) of this section, a CMMC Status of either Conditional Level 2 (Self) or Final Level 2 (Self).
-redesignation of PIs upon significant <br />
+(2) The OSA must submit an
-change to DoD’s CMMC Program <br />
-requirements. Require retraining and <br />
-recertification of CCPs, CCAs, and CCIs <br />
-upon significant change to DoD’s CMMC <br />
-Program requirements, as determined by <br />
-the DoD or the CAICO.
-(17) Require CMMC Ecosystem
+affirmation of compliance into SPRS, as specified in paragraph (a)(2) of this section.
-members to report to the CAICO within <br />
+(c)'' Procedures''—(1)'' Level 2 self-''
-days of convictions, guilty pleas, or <br />
-no contest pleas to crimes of fraud, <br />
-larceny, embezzlement, <br />
-misappropriation of funds, <br />
-misrepresentation, perjury, false <br />
-swearing, conspiracy to conceal, or a <br />
-similar offense in any legal proceeding, <br />
-civil or criminal, whether or not in <br />
-connection with activities that relate to <br />
-carrying out their role in the CMMC <br />
-Ecosystem.
-'''§ 170.11'''
+''assessment of the OSA.'' The OSA must conduct a Level 2 self-assessment in accordance with NIST SP 800–171A Jun2018 (incorporated by reference, see § 170.2) and the CMMC Level 2 scoping requirements set forth in §§ 170.19(a) and (c) for the information systems within the CMMC Assessment Scope. The Level 2 self-assessment must be scored in accordance with the CMMC Scoring Methodology described in § 170.24 and the OSA must upload the results into SPRS. If a POA&amp;M exists, a POA&amp;M closeout self-assessment must be performed by the OSA when all NOT MET requirements have been remediated. The POA&amp;M closeout self- assessment must be performed within 180-days of the Conditional CMMC Status Date. Additional guidance can be found in the guidance document listed in paragraph (c) of appendix A to this part.
-'''CMMC Certified Assessor (CCA). '''
+(2)'' Level 2 self-assessment with the''
-(a) ''Roles and responsibilities. ''CCAs,
+''use of Cloud Service Provider (CSP).'' An OSA may use a cloud environment to process, store, or transmit CUI in performance of a contract or subcontract with a requirement for the CMMC Status of Level 2 (Self) under the following circumstances:
-in support of a C3PAO, conduct Level <br />
+(i) The CSP product or service offering
-certification assessments of OSCs in <br />
-accordance with NIST SP 800–171A <br />
-Jun2018 (incorporated by reference, see <br />
-§ 170.2), the assessment processes <br />
-defined in § 170.17, and the scoping <br />
-requirements defined in § 170.19(c). <br />
-CCAs must meet all of the requirements <br />
-set forth in paragraph (b) of this section. <br />
-A CCA may conduct Level 2 <br />
-certification assessments and participate <br />
-on a C3PAO Assessment Team.
-(b) ''Requirements. ''CCAs shall: <br />
+is FedRAMP Authorized at the
-(1) Obtain and maintain certification
-from the CAICO in accordance with the <br />
+FedRAMP Moderate (or higher) baseline in accordance with the FedRAMP Marketplace; or
-requirements set forth in § 170.10. <br />
-Certification is valid for 3 years from the <br />
-date of issuance.
-(2) Comply with the Accreditation
+(ii) The CSP product or service
-Body policies for Conflict of Interest, <br />
+offering is not FedRAMP Authorized at the FedRAMP Moderate (or higher) baseline but meets security requirements equivalent to those established by the FedRAMP Moderate (or higher) baseline. FedRAMP Moderate or FedRAMP Moderate equivalent is in accordance with DoD Policy.
-Code of Professional Conduct, and <br />
-Ethics set forth in § 170.8(b)(17).
-(3) Complete a Tier 3 background
+(iii) In accordance with § 170.19(c)(2),
-investigation resulting in a <br />
+the OSA’s on-premises infrastructure connecting to the CSP’s product or service offering is part of the CMMC Assessment Scope, which will also be assessed. As such, the security requirements from the Customer Responsibility Matrix (CRM) must be documented or referred to in the OSA’s System Security Plan (SSP).
-determination of national security <br />
-eligibility. This Tier 3 background <br />
-investigation will not result in a security <br />
-clearance and is not being executed for <br />
-the purpose of government employment. <br />
-The Tier 3 background investigation is <br />
-initiated using the Standard Form (SF) <br />
-[http://www.gsa.gov/reference/forms/questionnaire-for-national-security-positions 86 (''www.gsa.gov/reference/forms/ <br />
-questionnaire-for-national-security- <br />
-positions''). These positions are <br />
-]designated as non-critical sensitive with <br />
-a risk designation of ‘‘Moderate Risk’’ in <br />
-accordance with 5 CFR 1400.201(b) and
-(d) and the investigative requirements of <br />
+(3)'' Level 2 self-assessment with the''
-CFR 731.106(c)(2).
-(4) Meet the equivalent of a favorably
+''use of an External Service Provider (ESP), not a CSP.'' An OSA may use an ESP that is not a CSP to process, store, or transmit CUI in performance of a contract or subcontract with a requirement for the CMMC Status of Level 2 (Self) under the following circumstances:
-adjudicated Tier 3 background <br />
+(i) The use of the ESP, its relationship
-investigation when not eligible for a <br />
-Tier 3 background investigation. DoD <br />
-will determine the Tier 3 background <br />
-investigation equivalence for use with <br />
-the CMMC Program only.
-(5) Provide all documentation and
+to the OSA, and the services provided are documented in the OSA’s SSP and described in the ESP’s service description and CRM.
-records in English.
+(ii) The ESP services used to meet
-(6) Be a CCP who has at least 3 years
+OSA requirements are assessed within the scope of the OSA’s assessment against all Level 2 security requirements.
-of cybersecurity experience, at least 1 <br />
+(iii) In accordance with § 170.19(c)(2),
-year of assessment or audit experience, <br />
-and at least one foundational <br />
-qualification, aligned to at least the <br />
-Intermediate Proficiency Level of the <br />
-DoD Cyberspace Workforce <br />
-Framework’s Security Control Assessor <br />
-(612) Work Role, from DoD Manual <br />
-.03, ''Cyberspace Workforce <br />
-Qualification and Management Program <br />
-''[https://dodcio.defense.gov/Portals/0/Documents/Library/DoDM-8140-03.pdf (''https://dodcio.defense.gov/Portals/0/ <br />
-Documents/Library/DoDM-8140-03.pdf''). <br />
-]Information on the Work Role 612 can <br />
-[https://public.cyber.mil/dcwf-work-role/security-control-assessor/ be found at ''https://public.cyber.mil/ <br />
-dcwf-work-role/security-control- <br />
-assessor/''. ]
-(7) Only use IT, cloud, cybersecurity
+the OSA’s on-premises infrastructure connecting to the ESP’s product or service offering is part of the CMMC Assessment Scope, which will also be assessed. As such, the security requirements from the CRM must be documented or referred to in the OSA’s SSP.
-services, and end-point devices <br />
+(4)'' Artifact retention.'' The artifacts
-provided by the authorized/accredited <br />
-C3PAO that has been engaged to <br />
-perform that OSA’s Level 2 certification <br />
-assessment and which has undergone a <br />
-Level 2 certification assessment by <br />
-DCMA DIBCAC (or higher) for all <br />
-assessment activities. Individual <br />
-assessors are prohibited from using any <br />
-other IT, including IT that is personally <br />
-owned, to include internal and external <br />
-cloud services and end-point devices, to <br />
-process, store, or transmit CMMC <br />
-assessment reports or any other CMMC <br />
-assessment-related information. The <br />
-evaluation of assessment evidence <br />
-within the OSC environment, using OSC <br />
-tools, is permitted.
-(8) Immediately notify the responsible
+used as evidence for the assessment must be retained by the OSA for six (6) years from the CMMC Status Date.
-C3PAO of any breach or potential <br />
+'''§ 170.17'''
-breach of security to any CMMC-related <br />
-assessment materials under the <br />
-assessors’ purview.
-(9) Not share any information about
+'''CMMC Level 2 certification'' '
-an OSC obtained during CMMC pre- <br />
+'''assessment and affirmation requirements.'' '
-assessment and assessment activities <br />
-with any person not involved with that <br />
-specific assessment, except as otherwise <br />
-required by law.
-(10) Qualify as a Lead CCA by having
+(a)'' Level 2 certification assessment.''
-at least 5 years of cybersecurity <br />
+To comply with Level 2 certification assessment requirements, the OSC must meet the requirements set forth in paragraphs (a)(1) and (2) of this section. An OSC undergoes a Level 2 certification assessment as detailed in paragraph (c) of this section to achieve a CMMC Status of either Conditional or Final Level 2 (C3PAO). Achieving a CMMC Status of Level 2 (C3PAO) also
-experience, 5 years of management <br />
-experience, 3 years of assessment or <br />
-audit experience, and at least one <br />
-foundational qualification aligned to <br />
-Advanced Proficiency Level of the DoD <br />
-Cyberspace Workforce Framework’s <br />
-Security Control Assessor (612) Work <br />
-Role, from DoD Manual 8140.03, <br />
-''Cyberspace Workforce Qualification and ''
 VerDate Sep&lt;11&gt;2014
@@ Line 3,029: / Line 1,659: @@
 PO 00000
-Frm 00134
+Frm 00138
 Fmt 4701
@@ Line 3,047: / Line 1,677: @@
-'''83225 '''
+'''83229'' '
-'''Federal Register '''/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
+'''Federal Register'' '/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
-''Management Program ''[https://dodcio.defense.gov/Portals/0/Documents/Library/DoDM-8140-03.pdf (''https://<br />
+satisfies the requirements for a CMMC Statuses of Level 1 (Self) and Level 2 (Self) set forth in §§ 170.15 and 170.16 respectively for the same CMMC Assessment Scope.
-dodcio.defense.gov/Portals/0/ <br />
-Documents/Library/DoDM-8140-03.pdf''). <br />
-]Information on the Work Role 612 can <br />
-[https://public.cyber.mil/dcwf-work-role/security-control-assessor/ be found at ''https://public.cyber.mil/ <br />
-dcwf-work-role/security-control- <br />
-assessor/. '']
-'''§ 170.12'''
+(1)'' Level 2 certification assessment''
-'''CMMC Instructor. '''
+''requirements.'' The OSC must complete and achieve a MET result for all security requirements specified in § 170.14(c)(3) to achieve the CMMC Status of Level 2 (C3PAO). The OSC must obtain a Level 2 certification assessment from an authorized or accredited C3PAO following the procedures outlined in paragraph (c) of this section. The C3PAO must submit the Level 2 certification assessment results into the CMMC instantiation of eMASS, which then provides automated transmission to SPRS. To maintain compliance with the requirements for a CMMC Status of Level 2 (C3PAO), the Level 2 certification assessment must be completed within three years of the CMMC Status Date associated with the Conditional Level 2 (C3PAO).
-(a) ''CMMC Provisional Instructor (PI) ''
+(i)'' Inputs into the CMMC instantiation''
-''roles and responsibilities. ''A CMMC <br />
+''of eMASS.'' The Level 2 certification assessment results input into the CMMC instantiation of eMASS shall include, at minimum, the following information:
-Provisional Instructor (PI) teaches CCA <br />
-and CCP candidates during the <br />
-transitional period that ends 18 months <br />
-after December 16, 2024. A PI is trained, <br />
-tested, and designated to perform <br />
-CMMC instructional duties by the <br />
-CAICO to teach CCP and CCA <br />
-candidates. PIs are designated by the <br />
-CAICO after successful completion of <br />
-the PI training and testing requirements <br />
-set forth by the CAICO. A PI with a <br />
-valid CCP certification may instruct CCP <br />
-candidates, while a PI with a valid CCA <br />
-certification may instruct CCP and CCA <br />
-candidates. PIs are required to meet <br />
-requirements in (c) of this section.
-(b) ''CMMC Certified Instructor (CCI) ''
+(A) Date and level of the assessment. (B) C3PAO name. (C) Assessment unique identifier. (D) For each Assessor conducting the
-''roles and responsibilities. ''A CMMC <br />
+assessment, name and business contact information.
-Certified Instructor (CCI) teaches CCP, <br />
-CCA, and CCI candidates and performs <br />
-CMMC instructional duties. Candidate <br />
-CCIs are certified by the CAICO after <br />
-successful completion of the CCI <br />
-training and testing requirements. A CCI <br />
-is required to obtain and maintain <br />
-assessor and instructor certifications <br />
-from the CAICO in accordance with the <br />
-requirements set forth in § 170.10 and in <br />
-paragraph (c) of this section. A CCI with <br />
-a valid CCP certification may instruct <br />
-CCP candidates, while a CCI with a <br />
-valid CCA certification may instruct <br />
-CCP, CCA, and CCI candidates. <br />
-Certifications are valid for 3 years from <br />
-the date of issuance. CCIs are required <br />
-to meet requirements in paragraph (c) of <br />
-this section.
-(c) ''Requirements. ''CMMC Instructors
+(E) All industry CAGE codes
-shall:
+associated with the information systems addressed by the CMMC Assessment Scope.
-(1) Obtain and maintain instructor
+(F) The name, date, and version of the
-designation or certification, as <br />
+SSP.
-appropriate, from the CAICO in <br />
-accordance with the requirements set <br />
-forth in § 170.10.
-(2) Obtain and maintain CCP or CCA
+(G) CMMC Status Date. (H) Assessment result for each
-certification to deliver CCP training.
+requirement objective.
-(3) Obtain and maintain a CCA
+(I) POA&amp;M usage and compliance, as
-certification to deliver CCA training.
+applicable.
-(4) Comply with the Accreditation
+(J) List of the artifact names, the
-Body policies for Conflict of Interest, <br />
+return value of the hashing algorithm, and the hashing algorithm used.
-Code of Professional Conduct, and <br />
-Ethics set forth in § 170.8(b)(17).
-(5) Provide all documentation and
+(ii)'' Conditional Level 2 (C3PAO).'' The
-records in English.
+OSC has achieved the CMMC Status of Conditional Level 2 (C3PAO) if the Level 2 certification assessment results in a POA&amp;M and the POA&amp;M meets all CMMC Level 2 POA&amp;M requirements listed in § 170.21(a)(2).
-(6) Provide the Accreditation Body
+(A)'' Plan of Action and Milestones.'' A
-and the CAICO annually with accurate <br />
+Level 2 POA&amp;M is allowed only in accordance with the CMMC POA&amp;M requirements listed in § 170.21.
-information detailing their <br />
-qualifications, training experience,
-professional affiliations, and <br />
+(B)'' POA&amp;M closeout.'' The OSC must
-certifications, and, upon reasonable <br />
-request, submit documentation verifying <br />
-this information.
-(7) Not provide CMMC consulting
+remediate any NOT MET requirements, must undergo a POA&amp;M closeout certification assessment from a C3PAO, and the C3PAO must post compliance results into the CMMC instantiation of eMASS within 180 days of the CMMC
-services while serving as a CMMC <br />
+Status Date associated with the Conditional Level 2 (C3PAO). If the POA&amp;M is not successfully closed out within the 180-day timeframe, the Conditional Level 2 (C3PAO) CMMC Status for the information system will expire. If Conditional Level 2 (C3PAO) CMMC Status expires within the period of performance of a contract, standard contractual remedies will apply, and the OSC will be ineligible for additional awards with a requirement for the CMMC Status of Level 2 (C3PAO), or higher requirement, for the information system within the CMMC Assessment Scope until such time as a new CMMC Status is achieved.
-instructor; however, subject to the Code <br />
-of Professional Conduct and Conflict of <br />
-Interest policies, can serve on an <br />
-assessment team.
-(8) Not participate in the development
+(iii)'' Final Level 2 (C3PAO).'' The OSC
-of exam objectives and/or exam content <br />
+has achieved the CMMC Status of Final Level 2 (C3PAO) if the Level 2 certification assessment results in a passing score as defined in § 170.24. This score may be achieved upon initial certification assessment or as the result of a POA&amp;M closeout certification assessment, as applicable.
-or act as an exam proctor while at the <br />
-same time serving as a CCI.
-(9) Keep confidential all information
+(iv)'' CMMC Status investigation.'' The
-obtained or created during the <br />
+DoD reserves the right to conduct a DCMA DIBCAC assessment of the OSC, as provided for under the 48 CFR 252.204–7020. If the investigative results of a subsequent DCMA DIBCAC assessment show that adherence to the provisions of this part have not been achieved or maintained, these DCMA DIBCAC results will take precedence over any pre-existing CMMC Status. At that time, standard contractual remedies will be available and the OSC will be ineligible for additional awards with CMMC Status requirement of Level 2 (C3PAO), or higher requirement, for the information system within the CMMC Assessment Scope until such time as a new CMMC Status is achieved.
-performance of CMMC training <br />
-activities, including trainee records, <br />
-except as required by law.
-(10) Not disclose any CMMC-related
+(2)'' Affirmation.'' Affirmation of the
-data or metrics that is PII, FCI, or CUI <br />
+Level 2 (C3PAO) CMMC Status is required for all Level 2 certification assessments at the time of each assessment, and annually thereafter. Affirmation procedures are provided in § 170.22.
-to anyone without prior coordination <br />
-with and approval from DoD.
-(11) Notify the Accreditation Body or
+(b)'' Contract eligibility.'' Prior to award
-the CAICO if required by law or <br />
+of any contract or subcontract with a requirement for the CMMC Status of Level 2 (C3PAO), the following two requirements must be met:
-authorized by contractual commitments <br />
-to release confidential information.
-(12) Not share with anyone any
+(1) The OSC must achieve, as
-CMMC training-related information not <br />
+specified in paragraph (a)(1) of this section, a CMMC Status of either Conditional Level 2 (C3PAO) or Final Level 2 (C3PAO).
-previously publicly disclosed.
-'''§ 170.13'''
+(2) The OSC must submit an
-'''CMMC Certified Professional '''
+affirmation of compliance into SPRS, as specified in paragraph (a)(2) of this section.
-'''(CCP). '''
+(c)'' Procedures''—(1)'' Level 2''
-(a) ''Roles and responsibilities. ''A
+''certification assessment of the OSC.'' An authorized or accredited C3PAO must
-CMMC Certified Professional (CCP) <br />
+perform a Level 2 certification assessment in accordance with NIST SP 800–171A Jun2018 (incorporated by reference, see § 170.2) and the CMMC Level 2 scoping requirements set forth in § 170.19(a) and (c) for the information systems within the CMMC Assessment Scope. The Level 2 certification assessment must be scored in accordance with the CMMC Scoring Methodology described in § 170.24 and the C3PAO must upload the results into the CMMC instantiation of eMASS. Final results are communicated to the OSC through a CMMC Assessment Findings Report.
-completes rigorous training on CMMC <br />
-and the assessment process to provide <br />
-advice, consulting, and <br />
-recommendations to their OSA clients. <br />
-Candidate CCPs are certified by the <br />
-CAICO after successful completion of <br />
-the CCP training and testing <br />
-requirements set forth in paragraph (b) <br />
-of this section. CCPs are eligible to <br />
-become CMMC Certified Assessors and <br />
-can participate as a CCP on Level 2 <br />
-certification assessments with CCA <br />
-oversight where the CCA makes all final <br />
-determinations.
-(b) ''Requirements. ''CCPs shall: <br />
+(2)'' Security requirement re-''
-(1) Obtain and maintain certification
-from the CAICO in accordance with the <br />
+''evaluation.'' A security requirement that is NOT MET (as defined in § 170.24) may be re-evaluated during the course of the Level 2 certification assessment and for 10 business days following the active assessment period if all of the following conditions exist:
-requirements set forth in § 170.10. <br />
-Certification is valid for 3 years from the <br />
-date of issuance.
-(2) Comply with the Accreditation
+(i) Additional evidence is available to
-Body policies for Conflict of Interest, <br />
+demonstrate the security requirement has been MET;
-Code of Professional Conduct, and <br />
-Ethics as set forth in § 170.8(b)(17).
-(3) Complete a Tier 3 background
+(ii) Cannot change or limit the
-investigation resulting in a <br />
+effectiveness of other requirements that have been scored MET; and
-determination of national security <br />
-eligibility. This Tier 3 background <br />
-investigation will not result in a security <br />
-clearance and is not being executed for <br />
-the purpose of government employment. <br />
-The Tier 3 background investigation is <br />
-initiated using the Standard Form (SF) <br />
-[http://www.gsa.gov/reference/forms/questionnaire-for-national-security-positions 86 (''www.gsa.gov/reference/forms/ '']
-[http://www.gsa.gov/reference/forms/questionnaire-for-national-security-positions ''questionnaire-for-national-security- <br />
+(iii) The CMMC Assessment Findings
-positions''). These positions are <br />
-]designated as non-critical sensitive with <br />
-a risk designation of ‘‘Moderate Risk’’ in <br />
-accordance with 5 CFR 1400.201(b) and <br />
-(d) and the investigative requirements of <br />
-CFR 731.106(c)(2).
-(4) Meet the equivalent of a favorably
+Report has not been delivered.
-adjudicated Tier 3 background <br />
+(3)'' POA&amp;M.'' If a POA&amp;M exists, a
-investigation when not eligible to obtain <br />
-a Tier 3 background investigation. DoD <br />
-will determine the Tier 3 background <br />
-investigation equivalence for use with <br />
-the CMMC Program only.
-(5) Provide all documentation and
+POA&amp;M closeout certification assessment must be performed by a C3PAO within 180-days of the Conditional CMMC Status Date. Additional guidance can be found in § 170.21 and in the guidance document listed in paragraph (c) of appendix A to this part.
-records in English.
+(4)'' Artifact retention and integrity.''
-(6) Not share any information about
+The hashed artifacts used as evidence for the assessment must be retained by the OSC for six (6) years from the CMMC Status Date. To ensure that the artifacts have not been altered, the OSC must hash the artifact files using a NIST-approved hashing algorithm. The OSC must provide the C3PAO with a list of the artifact names, the return value of the hashing algorithm, and the hashing algorithm for upload into the CMMC instantiation of eMASS. Additional guidance for hashing artifacts can be found in the guidance document listed in paragraph (h) of appendix A to this part.
-an OSC obtained during CMMC pre- <br />
+(5)'' Level 2 certification assessment''
-assessment and assessment activities <br />
-with any person not involved with that <br />
-specific assessment, except as otherwise <br />
-required by law.
-'''Subpart D—Key Elements of the <br />
+''with the use of Cloud Service Provider (CSP).'' An OSC may use a cloud environment to process, store, or transmit CUI in performance of a contract or subcontract with a requirement for the CMMC Status of Level 2 (C3PAO) under the following circumstances:
-CMMC Program '''
-'''§ 170.14'''
+(i) The CSP product or service offering
-'''CMMC Model. '''
+is FedRAMP Authorized at the
-(a) ''Overview. ''The CMMC Model
+VerDate Sep&lt;11&gt;2014
-incorporates the security requirements <br />
+:51 Oct 11, 2024
-from:
-(1) 48 CFR 52.204–21, ''Basic ''
+Jkt 265001
-''Safeguarding of Covered Contractor <br />
+PO 00000
-Information Systems; ''
-(2) NIST SP 800–171 R2, ''Protecting ''
+Frm 00139
-''Controlled Unclassified Information in <br />
+Fmt 4701
-Nonfederal Systems and Organizations <br />
-''(incorporated by reference, see § 170.2); <br />
-and
-(3) Selected security requirements
+Sfmt 4700
-from NIST SP 800–172 Feb2021, <br />
+E:\FR\FM\15OCR2.SGM
-''Enhanced Security Requirements for <br />
-Protecting Controlled Unclassified <br />
-Information: A Supplement to NIST <br />
-Special Publication 800–171 <br />
-''(incorporated by reference, see § 170.2).
-(b) ''CMMC domains. ''The CMMC
+OCR2
-Model consists of domains that map to <br />
+khammond on DSKJM1Z7X2PROD with RULES2
-the Security Requirement Families <br />
-defined in NIST SP 800–171 R2 <br />
-(incorporated by reference, see § 170.2).
-(c) ''CMMC level requirements. ''CMMC
-Levels 1–3 utilize the safeguarding <br />
-requirements and security requirements <br />
-specified in 48 CFR 52.204–21 (for Level <br />
-), NIST SP 800–171 R2 (incorporated <br />
-by reference, see § 170.2) (for Level 2), <br />
-and selected security requirements from <br />
-NIST SP 800–172 Feb2021 <br />
-(incorporated by reference, see § 170.2) <br />
-(for Level 3). This paragraph discusses <br />
-the numbering scheme and the security <br />
-requirements for each level.
-(1) ''Numbering. ''Each security
-requirement has an identification <br />
-number in the format—DD.L#-REQ— <br />
-where:
-(i) DD is the two-letter domain
-abbreviation;
-(ii) L# is the CMMC level number; and
+'''83230'' '
-VerDate Sep&lt;11&gt;2014
+'''Federal Register'' '/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
-:51 Oct 11, 2024
+FedRAMP Moderate (or higher) baseline in accordance with the FedRAMP Marketplace; or
-Jkt 265001
+(ii) The CSP product or service
-PO 00000
+offering is not FedRAMP Authorized at the FedRAMP Moderate (or higher) baseline but meets security requirements equivalent to those established by the FedRAMP Moderate (or higher) baseline. FedRAMP Moderate or FedRAMP Moderate equivalent is in accordance with DoD Policy.
-Frm 00135
+(iii) In accordance with § 170.19(c)(2),
-Fmt 4701
+the OSC’s on-premises infrastructure connecting to the CSP’s product or service offering is part of the CMMC Assessment Scope. As such, the security requirements from the CRM must be documented or referred to in the OSC’s SSP.
-Sfmt 4700
+(6)'' Level 2 certification assessment''
-E:\FR\FM\15OCR2.SGM
+''with the use of an External Service Provider (ESP), not a CSP.'' An OSA may use an ESP that is not a CSP to process, store, or transmit CUI in performance of a contract or subcontract with a requirement for the CMMC Status of Level 2 (C3PAO) under the following circumstances:
-OCR2
+(i) The use of the ESP, its relationship
-khammond on DSKJM1Z7X2PROD with RULES2
+to the OSA, and the services provided are documented in the OSA’s SSP and described in the ESP’s service description and customer responsibility matrix.
+(ii) The ESP services used to meet
+OSA requirements are assessed within the scope of the OSA’s assessment against all Level 2 security requirements.
+(iii) In accordance with § 170.19(c)(2),
+the OSA’s on-premises infrastructure connecting to the ESP’s product or service offering is part of the CMMC Assessment Scope, which will also be assessed. As such, the security requirements from the CRM must be documented or referred to in the OSA’s SSP.
+'''§ 170.18'''
+'''CMMC Level 3 certification'' '
-'''83226 '''
+'''assessment and affirmation requirements.'' '
-'''Federal Register '''/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
+(a)'' Level 3 certification assessment.''
-(iii) REQ is the 48 CFR 52.204–21
+To comply with Level 3 certification assessment requirements, the OSC must meet the requirements set forth in paragraphs (a)(1) and (2) of this section. An OSC undergoes a Level 3 certification assessment as detailed in paragraph (c) of this section to achieve a CMMC Status of either Conditional or Final Level 3 (DIBCAC). A CMMC Status of Final Level 2 (C3PAO) for information systems within the Level 3 CMMC Assessment Scope is a prerequisite to undergo a Level 3 certification assessment. CMMC Level 3 recertification also has a prerequisite for
-paragraph number, NIST SP 800–171 R2 <br />
+a new CMMC Level 2 assessment. Achieving a CMMC Status of Level 3 (DIBCAC) also satisfies the requirements for CMMC Statuses of Level 1 (Self), Level 2 (Self), and Level 2 (C3PAO) set forth in §§ 170.15 through 170.17 respectively for the same CMMC Assessment Scope.
-requirement number, or NIST SP 800– <br />
-Feb2021 requirement number.
-(2) ''CMMC Level 1 security ''
+(1)'' Level 3 certification assessment''
-''requirements. ''The security requirements <br />
+''requirements.'' The OSC must achieve a CMMC Status of Final Level 2 (C3PAO) on the Level 3 CMMC Assessment Scope, as defined in § 170.19(d), prior to initiating a Level 3 certification assessment, which will be performed by DCMA DIBCAC ([http://www.dcma.mil/DIBCAC'' www.dcma.mil/ DIBCAC'') on behalf of the DoD. The OSC ]must complete and achieve a MET result for all security requirements specified in table 1 to § 170.14(c)(4) to achieve the CMMC Status of Level 3 (DIBCAC). DCMA DIBCAC will submit the Level 3 certification assessment results into the CMMC instantiation of eMASS, which then provides automated transmission to SPRS. To maintain compliance with the requirements for a CMMC Status of Level 3 (DIBCAC), the Level 3 certification assessment must be performed every three years for all information systems within the Level 3 CMMC Assessment Scope. In addition, given that compliance with Level 2 requirements is a prerequisite for applying for CMMC Level 3, a Level 2 (C3PAO) certification assessment must also be conducted every three years to maintain CMMC Level 3 (DIBCAC) status. Level 3 certification assessment must be completed within three years of the CMMC Status Date associated with the Final Level 3 (DIBCAC) or, if there was a POA&amp;M, then within three years of the CMMC Status Date associated with the Conditional Level 3 (DIBCAC).
-in CMMC Level 1 are those set forth in <br />
-CFR 52.204–21(b)(1)(i) through (xv).
-(3) ''CMMC Level 2 security ''
+(i)'' Inputs into the CMMC instantiation''
-''requirements. ''The security requirements <br />
+''of eMASS.'' The Level 3 certification assessment results input into the CMMC instantiation of eMASS shall include, at minimum, the following items:
-in CMMC Level 2 are identical to the <br />
-requirements in NIST SP 800–171 R2.
-(4) ''CMMC Level 3 security ''
+(A) Date and level of the assessment. (B) For each Assessor(s) conducting
-''requirements. ''The security requirements <br />
+the assessment, name and government organization information.
-in CMMC Level 3 are selected from <br />
-NIST SP 800–172 Feb2021, and where
-applicable, Organization-Defined <br />
+(C) All industry CAGE code(s)
-Parameters (ODPs) are assigned. Table 1 <br />
-to this paragraph identifies the selected <br />
-requirements and applicable ODPs that <br />
-represent the CMMC Level 3 security <br />
-requirements. ODPs for the NIST SP <br />
-–172 Feb2021 requirements are <br />
-italicized, where applicable:
-TABLE 1 TO § 170.14(c)(4)
+associated with the information system(s) addressed by the CMMC Assessment Scope.
-Security requirement No.*
+(D) The name, date, and version of the
-CMMC Level 3 security requirements
+system security plan(s) (SSP).
-(selected NIST SP 800–172 Feb2021 security requirement with DoD ODPs italicized)
+(E) CMMC Status Date. (F) Result for each security
-(i) AC.L3–3.1.2e .......................
+requirement objective.
-Restrict access to systems and system components to only those information resources that are owned,
+(G) POA&amp;M usage and compliance, as
-provisioned, or issued by the organization.
+applicable.
-(ii) AC.L3–3.1.3e ......................
+(H) List of the artifact names, the
-Employ ''secure information transfer solutions ''to control information flows between security domains on con-
+return value of the hashing algorithm, and the hashing algorithm used.
-nected systems.
+(ii)'' Conditional Level 3 (DIBCAC).'' The
-(iii) AT.L3–3.2.1e .....................
+OSC has achieved the CMMC Status of Conditional Level 3 (DIBCAC) if the Level 3 certification assessment results in a POA&amp;M and the POA&amp;M meets all CMMC Level 3 POA&amp;M requirements listed in § 170.21(a)(3).
-Provide awareness training ''upon initial hire, following a significant cyber event, and at least annually, ''focused
+(A)'' Plan of Action and Milestones.'' A
-on recognizing and responding to threats from social engineering, advanced persistent threat actors, <br />
+Level 3 POA&amp;M is allowed only in accordance with the CMMC POA&amp;M requirements listed in § 170.21.
-breaches, and suspicious behaviors; update the training ''at least annually ''or when there are significant <br />
-changes to the threat.
-(iv) AT.L3–3.2.2e .....................
+(B)'' POA&amp;M closeout.'' The OSC must
-Include practical exercises in awareness training for ''all users, tailored by roles, to include general users, users ''
+remediate any NOT MET requirements, must undergo a POA&amp;M closeout certification assessment from DCMA DIBCAC, and DCMA DIBCAC must post compliance results into the CMMC instantiation of eMASS within 180 days of the CMMC Status Date associated with the Conditional Level 3 (DIBCAC). If the POA&amp;M is not successfully closed out within the 180-day timeframe, the Conditional Level 3 (DIBAC) CMMC Status for the information system will expire. If Conditional Level 3 (DIBCAC) CMMC Status expires within the period of performance of a contract, standard contractual remedies will apply, and the OSC will be ineligible for additional awards with a requirement for the CMMC Status of Level 3 (DIBCAC) for the information system within the CMMC Assessment Scope until such time as a new CMMC Status is achieved.
-''with specialized roles, and privileged users, ''that are aligned with current threat scenarios and provide feed-<br />
+(iii)'' Final Level 3 (DIBCAC).'' The OSC
-back to individuals involved in the training and their supervisors.
-(v) CM.L3–3.4.1e .....................
+has achieved the CMMC Status of Final Level 3 (DIBCAC) if the Level 3 certification assessment results in a passing score as defined in § 170.24. This score may be achieved upon initial certification assessment or as the result of a POA&amp;M closeout certification assessment, as applicable.
-Establish and maintain an authoritative source and repository to provide a trusted source and accountability for
+(iv)'' CMMC Status investigation.'' The
-approved and implemented system components.
+DoD reserves the right to conduct a DCMA DIBCAC assessment of the OSC, as provided for under the 48 CFR 252.204–7020. If the investigative results of a subsequent DCMA DIBCAC assessment show that adherence to the provisions of this part have not been achieved or maintained, these DCMA DIBCAC results will take precedence over any pre-existing CMMC Status. At that time, standard contractual remedies will be available and the OSC will be ineligible for additional awards with CMMC Status requirement of Level 3 (DIBCAC) for the information system within the CMMC Assessment Scope until such time as a new CMMC Status is achieved.
-(vi) CM.L3–3.4.2e ....................
+(2)'' Affirmation.'' Affirmation of the
-Employ automated mechanisms to detect misconfigured or unauthorized system components; after detection,
+Level 3 (DIBCAC) CMMC Status is required for all Level 3 certification assessments at the time of each assessment, and annually thereafter. Affirmation procedures are provided in § 170.22.
-''remove the components or place the components in a quarantine or remediation network ''to facilitate <br />
+VerDate Sep&lt;11&gt;2014
-patching, re-configuration, or other mitigations.
-(vii) CM.L3–3.4.3e ...................
+:51 Oct 11, 2024
-Employ automated discovery and management tools to maintain an up-to-date, complete, accurate, and readily
+Jkt 265001
-available inventory of system components.
+PO 00000
-(viii) IA.L3–3.5.1e .....................
+Frm 00140
-Identify and authenticate ''systems and system components, where possible, ''before establishing a network con-
+Fmt 4701
-nection using bidirectional authentication that is cryptographically based and replay resistant.
+Sfmt 4700
-(ix) IA.L3–3.5.3e ......................
+E:\FR\FM\15OCR2.SGM
-Employ automated or manual/procedural mechanisms to prohibit system components from connecting to orga-
+OCR2
-nizational systems unless the components are known, authenticated, in a properly configured state, or in a <br />
+khammond on DSKJM1Z7X2PROD with RULES2
-trust profile.
-(x) IR.L3–3.6.1e .......................
-Establish and maintain a security operations center capability that operates ''24/7, with allowance for remote/on- ''
-''call staff. ''
-(xi) IR.L3–3.6.2e ......................
-Establish and maintain a cyber-incident response team that can be deployed by the organization within ''24 ''
-''hours. ''
-(xii) PS.L3–3.9.2e ....................
+'''83231'' '
-Ensure that organizational systems are protected if adverse information develops or is obtained about individ-
+'''Federal Register'' '/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
-uals with access to CUI.
+(b)'' Contract eligibility.'' Prior to award
-(xiii) RA.L3–3.11.1e .................
+of any contract or subcontract with requirement for CMMC Status of Level 3 (DIBCAC), the following two requirements must be met:
-Employ ''threat intelligence, at a minimum from open or commercial sources, and any DoD-provided sources, ''as
+(1) The OSC must achieve, as
-part of a risk assessment to guide and inform the development of organizational systems, security architec-<br />
+specified in paragraph (a)(1) of this section, a CMMC Status of either Conditional Level 3 (DIBCAC) or Final Level 3 (DIBCAC).
-tures, selection of security solutions, monitoring, threat hunting, and response and recovery activities.
-(xiv) RA.L3–3.11.2e .................
+(2) The OSC must submit an
-Conduct cyber threat hunting activities ''on an on-going aperiodic basis or when indications warrant, ''to search
+affirmation of compliance into SPRS, as specified in paragraph (a)(2) of this section.
-for indicators of compromise in ''organizational systems ''and detect, track, and disrupt threats that evade exist-<br />
+(c)'' Procedures''—(1)'' Level 3''
-ing controls.
-(xv) RA.L3–3.11.3e ..................
+''certification assessment of the OSC.'' The CMMC Level 3 certification assessment process includes:
-Employ advanced automation and analytics capabilities in support of analysts to predict and identify risks to or-
+(i)'' Final Level 2 (C3PAO).'' The OSC
-ganizations, systems, and system components.
+must achieve a CMMC Status of Final Level 2 (C3PAO) for information systems within the Level 3 CMMC Assessment Scope prior to the CMMC Level 3 certification assessment. The CMMC Assessment Scope for the Level 3 certification assessment must be equal to, or a subset of, the CMMC Assessment Scope associated with the OSC’s Final Level 2 (C3PAO). Asset requirements differ for each CMMC Level. Scoping differences are set forth in § 170.19.
-(xvi) RA.L3–3.11.4e .................
+(ii)'' Initiating the Final Level 3''
-Document or reference in the system security plan the security solution selected, the rationale for the security
+''(DIBCAC).'' The OSC (including ESPs that voluntarily elect to undergo a Level 3 certification assessment) initiates a Level 3 certification assessment by emailing a request to DCMA DIBCAC point of contact found at [http://www.dcma.mil/DIBCAC'' www.dcma.mil/DIBCAC''. The request ]must include the Level 2 certification assessment unique identifier. DCMA DIBCAC will validate the OSC has achieved a CMMC Status of Level 2 (C3PAO) and will contact the OSC to schedule their Level 3 certification assessment.
-solution, and the risk determination.
+(iii)'' Conducting the Final Level 3''
-(xvii) RA.L3–3.11.5e ................
+''(DIBCAC).'' DCMA DIBCAC will perform a Level 3 certification assessment in accordance with NIST SP 800–171A Jun2018 (incorporated by reference, see § 170.2) and NIST SP 800–172A Mar2022 (incorporated by reference, see § 170.2) and the CMMC Level 3 scoping requirements set forth in § 170.19(d) for the information systems within the CMMC Assessment Scope. The Level 3 certification assessment will be scored in accordance with the CMMC Scoring Methodology set forth in § 170.24 and DCMA DIBCAC will upload the results into the CMMC instantiation of eMASS. Final results are communicated to the OSC through a CMMC Assessment Findings Report. For assets that changed asset category (''i.e.,'' CRMA to CUI Asset) or assessment requirements (''i.e.,'' Specialized Assets) between the Level 2 and Level 3 certification assessments,
-Assess the effectiveness of security solutions ''at least annually or upon receipt of relevant cyber threat informa-''
+DCMA DIBCAC will perform limited checks of Level 2 security requirements. If the OSC had these upgraded asset categories included in their Level 2 certification assessment, then DCMA DIBCAC may still perform limited checks for compliance. If DCMA DIBCAC identifies that a Level 2 security requirement is NOT MET, the Level 3 assessment process may be paused to allow for remediation, placed on hold, or immediately terminated.
-''tion, or in response to a relevant cyber incident, ''to address anticipated risk to organizational systems and the <br />
+(2)'' Security requirement re-''
-organization based on current and accumulated threat intelligence.
-(xviii) RA.L3–3.11.6e ...............
+''evaluation.'' A security requirement that is NOT MET (as defined in § 170.24) may be re-evaluated during the course of the Level 3 certification assessment and for 10 business days following the active assessment period if all of the following conditions exist:
-Assess, respond to, and monitor supply chain risks associated with organizational systems and system compo-
+(i) Additional evidence is available to
-nents.
+demonstrate the security requirement has been MET;
-(xix) RA.L3–3.11.7e .................
+(ii) The additional evidence does not
-Develop a plan for managing supply chain risks associated with organizational systems and system compo-
+materially impact previously assessed security requirements; and
-nents; update the plan ''at least annually, and upon receipt of relevant cyber threat information, or in response <br />
+(iii) The CMMC Assessment Findings
-to a relevant cyber incident. ''
-(xx) CA.L3–3.12.1e ..................
+Report has not been delivered.
-Conduct penetration testing ''at least annually or when significant security changes are made to the system, ''
+(3)'' POA&amp;M.'' If a POA&amp;M exists, a
-leveraging automated scanning tools and ad hoc tests using subject matter experts.
+POA&amp;M closeout certification assessment will be performed by DCMA DIBCAC within 180-days of the Conditional CMMC Status Date. Additional guidance is located in § 170.21 and in the guidance document listed in paragraph (d) of appendix A to this part.
-(xxi) SC.L3–3.13.4e .................
+(4)'' Artifact retention and integrity.''
-Employ ''physical isolation techniques or logical isolation techniques or both ''in organizational systems and sys-
+The hashed artifacts used as evidence for the assessment must be retained by the OSC for six (6) years from the CMMC Status Date. The hashed artifacts used as evidence for the assessment must be retained by the OSC for six (6) years from the CMMC Status Date. To ensure that the artifacts have not been altered, the OSC must hash the artifact files using a NIST-approved hashing algorithm. Assessors will collect the list of the artifact names, the return value of the hashing algorithm, and the hashing algorithm used and upload that data into the CMMC instantiation of eMASS. Additional guidance for hashing artifacts can be found in the guidance document listed in paragraph (h) of appendix A to this part.
-tem components.
+(5)'' Level 3 certification assessment''
-(xxii) SI.L3–3.14.1e ..................
+''with the use of Cloud Service Provider (CSP).'' An OSC may use a cloud environment to process, store, or transmit CUI in performance of a contract or subcontract with a requirement for the CMMC Status of Level 3 (DIBCAC) under the following circumstances:
-Verify the integrity of ''security critical and essential software ''using root of trust mechanisms or cryptographic
+(i) The OSC may utilize a CSP product
-signatures.
+or service offering that meets the FedRAMP Moderate (or higher)
-(xxiii) SI.L3–3.14.3e .................
+baseline. If the CSP’s product or service offering is not FedRAMP Authorized at the FedRAMP Moderate (or higher) baseline, the product or service offering must meet security requirements equivalent to those established by the FedRAMP Moderate (or higher) baseline in accordance with DoD Policy.
-Ensure that ''specialized assets including IoT, IIoT, OT, GFE, Restricted Information Systems, and test equip-''
+(ii) Use of a CSP does not relieve an
-''ment ''are included in the scope of the specified enhanced security requirements or are segregated in pur-<br />
+OSC of its obligation to implement the 24 Level 3 security requirements. These 24 requirements apply to every environment where the CUI data is processed, stored, or transmitted, when Level 3 (DIBCAC) is the designated CMMC Status. If any of these 24 requirements are inherited from a CSP, the OSC must demonstrate that protection during a Level 3 certification assessment via a Customer Implementation Summary/Customer Responsibility Matrix (CIS/CRM) and associated Body of Evidence (BOE). The BOE must clearly indicate whether the OSC or the CSP is responsible for meeting each requirement and which requirements are implemented by the OSC versus inherited from the CSP.
-pose-specific networks.
-(xxiv) SI.L3–3.14.6e .................
+(iii) In accordance with § 170.19(d)(2),
-Use threat indicator information and effective mitigations obtained from, ''at a minimum, open or commercial ''
+the OSC’s on-premises infrastructure connecting to the CSP’s product or service offering is part of the CMMC Assessment Scope. As such, the security requirements from the CRM must be documented or referred to in the OSC’s SSP.
-''sources, and any DoD-provided sources, ''to guide and inform intrusion detection and threat hunting.
+(6)'' Level 3 certification assessment''
-* Roman numerals in parentheses before the Security Requirement are for numbering purposes only. The numerals are not part of the naming
+''with the use of an ESP, not a CSP.'' An OSC may use an ESP that is not a CSP to process, store, or transmit CUI in performance of a contract or subcontract with a requirement for the CMMC Status of Level 3 (DIBCAC) under the following circumstances:
-convention for the requirement.
+(i) The use of the ESP, its relationship
-VerDate Sep&lt;11&gt;2014
+to the OSC, and the services provided are documented in the OSC’s SSP and described in the ESP’s service description and customer responsibility matrix.
+(ii) The ESP services used to meet
+OSC requirements are assessed within the scope of the OSC’s assessment against all Level 2 and Level 3 security requirements.
+(iii) In accordance with § 170.19(d)(2),
+the OSC’s on-premises infrastructure connecting to the ESP’s product or service offering is part of the CMMC Assessment Scope, which will also be assessed. As such, the security requirements from the CRM must be documented or referred to in the OSC’s SSP.
+'''§ 170.19'''
+'''CMMC scoping.'' '
+(a)'' Scoping requirement.'' (1) The
+CMMC Assessment Scope must be specified prior to assessment in
+VerDate Sep&lt;11&gt;2014
 :51 Oct 11, 2024
@@ Line 3,566: / Line 2,049: @@
 PO 00000
-Frm 00136
+Frm 00141
 Fmt 4701
@@ Line 3,584: / Line 2,067: @@
-'''83227 '''
+'''83232'' '
-'''Federal Register '''/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
+'''Federal Register'' '/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
-(d) ''Implementation. ''Assessment of
+accordance with the requirements of this section. The CMMC Assessment Scope is the set of all assets in the OSA’s environment that will be assessed against CMMC security requirements.
-security requirements is prescribed by <br />
+(2) The requirements for defining the
-NIST SP 800–171A Jun2018 <br />
-(incorporated by reference, see § 170.2) <br />
-and NIST SP 800–172A Mar2022 <br />
-(incorporated by reference, see § 170.2). <br />
-Descriptive text in these documents <br />
-support OSA implementation of the <br />
-security requirements and use the terms <br />
-organization-defined and periodically. <br />
-Except where referring to Organization- <br />
-Defined Parameters (ODPs), <br />
-organization-defined means as <br />
-determined by the OSA. Periodically <br />
-means occurring at regular intervals. As <br />
-used in many requirements within <br />
-CMMC, the interval length is <br />
-organization-defined to provided <br />
-contractor flexibility, with an interval <br />
-length of no more than one year.
-'''§ 170.15'''
+CMMC Assessment Scope for CMMC Levels 1, 2, and 3 are set forth in this section. Additional guidance regarding scoping can be found in the guidance documents listed in paragraphs (e) through (g) of appendix A to this part.
-'''CMMC Level 1 self-assessment '''
+(b)'' CMMC Level 1 scoping.'' Prior to
-'''and affirmation requirements. '''
+performing a Level 1 self-assessment, the OSA must specify the CMMC Assessment Scope.
-(a) ''Level 1 self-assessment. ''To comply
+(1)'' Assets in scope for Level 1 self-''
-with CMMC Level 1 self-assessment <br />
+''assessment.'' OSA information systems which process, store, or transmit FCI are in scope for CMMC Level 1 and must be self-assessed against applicable CMMC security requirements.
-requirements, the OSA must meet the <br />
-requirements detailed in paragraphs <br />
-(a)(1) and (2) of this section. An OSA <br />
-conducts a Level 1 self-assessment as <br />
-detailed in paragraph (c) of this section <br />
-to achieve a CMMC Status of Final Level <br />
-(Self).
-(1) ''Level 1 self-assessment ''
+(2)'' Assets not in scope for Level 1 self-''
-''requirements. ''The OSA must complete
+''assessment''—(i)'' Out-of-Scope Assets.'' OSA information systems which do not process, store, or transmit FCI are outside the scope for CMMC Level 1. An endpoint hosting a VDI client configured to not allow any processing, storage, or transmission of FCI beyond the Keyboard/Video/Mouse sent to the VDI client is considered out-of-scope. There are no documentation requirements for out-of-scope assets.
-and achieve a MET result for all security <br />
+(ii)'' Specialized Assets.'' Specialized
-requirements specified in § 170.14(c)(2) <br />
-to achieve the CMMC Status of Final <br />
-Level 1 (Self). No POA&amp;Ms are <br />
-permitted for CMMC Level 1. The OSA <br />
-must conduct a self-assessment in <br />
-accordance with the procedures set <br />
-forth in § 170.15(c)(1) and submit <br />
-assessment results in SPRS. To maintain <br />
-compliance with the requirements for <br />
-the CMMC Status of Final Level 1 (Self), <br />
-the OSA must conduct a Level 1 self- <br />
-assessment on an annual basis and <br />
-submit the results in SPRS, or its <br />
-successor capability.
-(i) ''Inputs to SPRS. ''The Level 1 self-
+Assets are those assets that can process, store, or transmit FCI but are unable to be fully secured, including: Internet of Things (IoT) devices, Industrial Internet of Things (IIoT) devices, Operational Technology (OT), Government Furnished Equipment (GFE), Restricted Information Systems, and Test Equipment. Specialized Assets are not part of the Level 1 CMMC Assessment
-assessment results in the Supplier <br />
+Scope and are not assessed against CMMC security requirements.
-Performance Risk System (SPRS) shall <br />
-include, at minimum, the following <br />
-items:
-(A) CMMC Level. <br />
+(3)'' Level 1 self-assessment scoping''
-(B) CMMC Status Date. <br />
-(C) CMMC Assessment Scope. <br />
-(D) All industry CAGE code(s)
-associated with the information <br />
+''considerations.'' To scope a Level 1 self- assessment, OSAs should consider the people, technology, facilities, and External Service Providers (ESP) within its environment that process, store, or transmit FCI.
-system(s) addressed by the CMMC <br />
-Assessment Scope.
-(E) Compliance result. <br />
+(c)'' CMMC Level 2 Scoping.'' Prior to
-(ii) [Reserved] <br />
-(2) ''Affirmation. ''Affirmation of the
-Level 1 (Self) CMMC Status is required <br />
+performing a Level 2 self-assessment or Level 2 certification assessment, the OSA must specify the CMMC Assessment Scope.
-for all Level 1 self-assessments. <br />
-Affirmation procedures are set forth in <br />
-§ 170.22.
-(b) ''Contract eligibility. ''Prior to award
+(1) The CMMC Assessment Scope for
-of any contract or subcontract with a <br />
+CMMC Level 2 is based on the specification of asset categories and their respective requirements as defined in table 3 to this paragraph (c)(1). Additional information is available in the guidance document listed in paragraph (f) of appendix A to this part.
-requirement for the CMMC Status of <br />
-Level 1 (Self), OSAs must both achieve <br />
-a CMMC Status of Level 1 (Self) and <br />
-have submitted an affirmation of <br />
-compliance into SPRS for all <br />
-information systems within the CMMC <br />
-Assessment Scope.
-(c) ''Procedures''—(1) ''Level 1 self- ''
+TABLE 3 TO § 170.19(c)(1)—CMMC LEVEL 2 ASSET CATEGORIES AND ASSOCIATED REQUIREMENTS
-''assessment. ''The OSA must conduct a <br />
+Asset category
-Level 1 self-assessment scored in <br />
-accordance with the CMMC Scoring <br />
-Methodology described in § 170.24. The <br />
-Level 1 self-assessment must be <br />
-performed in accordance with the <br />
-CMMC Level 1 scope requirements set <br />
-forth in § 170.19(a) and (b) and the <br />
-following:
-(i) The Level 1 self-assessment must
+Asset description
-be performed using the objectives <br />
+OSA requirements
-defined in NIST SP 800–171A Jun2018 <br />
-(incorporated by reference, see § 170.2) <br />
-for the security requirement that maps <br />
-to the CMMC Level 1 security <br />
-requirement as specified in table 1 to <br />
-paragraph (c)(1)(ii) of this section. In <br />
-any case where an objective addresses <br />
-CUI, FCI should be substituted for CUI <br />
-in the objective.
-(ii) Mapping table for CMMC Level 1
+CMMC assessment requirements
-security requirements to the NIST SP <br />
+'''Assets that are in the Level 2 CMMC Assessment Scope'' '
-–171A Jun2018 objectives.
-TABLE 2 TO § 170.15(c)(1)(ii)—CMMC LEVEL 1 SECURITY REQUIREMENTS MAPPED TO NIST SP 800–171A JUN2018
+Controlled Unclassified Informa-
-CMMC Level 1 security requirements as set forth in § 170.14(c)(2)
+tion (CUI) Assets.
-NIST SP 800–171A Jun2018
+• Assets that process, store, or transmit
-AC.L1–b.1.i ..................................................................................................................................................................
+CUI.
-.1.1
+• Document in the asset inventory ...........
-AC.L1–b.1.ii .................................................................................................................................................................
+• Document asset treatment in the Sys-
-.1.2
+tem Security Plan (SSP).
-AC.L1–b.1.iii .................................................................................................................................................................
+• Document in the network diagram of
-.1.20
+the CMMC Assessment Scope.
-AC.L1–b.1.iv ................................................................................................................................................................
+• Prepare to be assessed against CMMC
-.1.22
+Level 2 security requirements.
-IA.L1–b.1.v ...................................................................................................................................................................
+• Assess against all Level 2 security re-
-.5.1
+quirements.
-IA.L1–b.1.vi ..................................................................................................................................................................
+Security Protection Assets ........
-.5.2
+• Assets that provide security functions
-MP.L1–b.1.vii ...............................................................................................................................................................
+or capabilities to the OSA’s CMMC As-sessment Scope.
-.8.3
+• Document in the asset inventory ...........
-PE.L1–b.1.viii ...............................................................................................................................................................
+• Document asset treatment in SSP.
-.10.1
+• Document in the network diagram of
-First phrase of PE.L1–b.1.ix (FAR b.1.ix *) .................................................................................................................
+the CMMC Assessment Scope.
-.10.3
+• Prepare to be assessed against CMMC
-Second phrase of PE.L1–b.1.ix (FAR b.1.ix *) ............................................................................................................
+Level 2 security requirements.
-.10.4
+• Assess against Level 2 security re-
-Third phrase of PE.L1–b.1.ix (FAR b.1.ix *) ................................................................................................................
+quirements that are relevant to the ca-pabilities provided.
-.10.5
+Contractor Risk Managed As-
-SC.L1–b.1.x .................................................................................................................................................................
+sets.
-.13.1
+• Assets that can, but are not intended
-SC.L1–b.1.xi ................................................................................................................................................................
+to, process, store, or transmit CUI be-cause of security policy, procedures, and practices in place.
-.13.5
+• Assets are not required to be physically
-SI.L1–b.1.xii .................................................................................................................................................................
+or logically separated from CUI assets.
-.14.1
+• Document in the asset inventory ...........
-SI.L1–b.1.xiii ................................................................................................................................................................
+• Document asset treatment in the SSP.
-.14.2
+• Document in the network diagram of
-SI.L1–b.1.xiv ................................................................................................................................................................
+the CMMC Assessment Scope.
-.14.4
+• Prepare to be assessed against CMMC
-SI.L1–b.1.xv .................................................................................................................................................................
+Level 2 security requirements.
-.14.5
+• Review the SSP:
-* Three of the 48 CFR 52.204–21 requirements were broken apart by ‘‘phrase’’ when NIST SP 800–171 R2 was developed.
+• If sufficiently documented, do not
-(iii) Additional guidance can be found
+assess against other CMMC secu-rity requirements, except as noted.
-in the guidance document listed in <br />
+• If OSA’s risk-based security poli-
-paragraph (b) of appendix A to this part.
-(2) ''Artifact retention. ''The artifacts
+cies, procedures, and practices documentation or other findings raise questions about these assets, the assessor can conduct a limited check to identify deficiencies.
-used as evidence for the assessment <br />
+• The limited check(s) shall not ma-
-must be retained by the OSA for six (6) <br />
-years from the CMMC Status Date.
-'''§ 170.16'''
+terially increase the assessment duration nor the assessment cost.
-'''CMMC Level 2 self-assessment '''
+• The limited check(s) will be as-
-'''and affirmation requirements. '''
+sessed against CMMC security re-quirements.
-(a) ''Level 2 self-assessment. ''To comply
+Specialized Assets ....................
-with Level 2 self-assessment
+• Assets that can process, store, or
-requirements, the OSA must meet the <br />
+transmit CUI but are unable to be fully secured, including: Internet of Things (IoT) devices, Industrial Internet of Things (IIoT) devices, Operational Technology (OT), Government Fur-nished Equipment (GFE), Restricted In-formation Systems, and Test Equip-ment.
-requirements detailed in paragraphs <br />
-(a)(1) and (2) of this section. An OSA <br />
-conducts a Level 2 self-assessment as <br />
-detailed in paragraph (c) of this section <br />
-to achieve a CMMC Status of either <br />
-Conditional or Final Level 2 (Self). <br />
-Achieving a CMMC Status of Level 2 <br />
-(Self) also satisfies the requirements for <br />
-a CMMC Status of Level 1 (Self) detailed
-in § 170.15 for the same CMMC <br />
+• Document in the asset inventory ...........
-Assessment Scope.
-(1) ''Level 2 self-assessment ''
+• Document asset treatment in the SSP.
-''requirements. ''The OSA must complete <br />
+• Show these assets are managed using
-and achieve a MET result for all security <br />
-requirements specified in § 170.14(c)(3) <br />
-to achieve the CMMC Status of Level 2 <br />
-(Self). The OSA must conduct a self- <br />
-assessment in accordance with the <br />
-procedures set forth in paragraph (c)(1) <br />
-of this section and submit assessment
-VerDate Sep&lt;11&gt;2014
+the contractor’s risk-based security poli-cies, procedures, and practices.
-:51 Oct 11, 2024
+• Document in the network diagram of
-Jkt 265001
+the CMMC Assessment Scope.
-PO 00000
+• Review the SSP.
-Frm 00137
+• Do not assess against other CMMC se-
-Fmt 4701
+curity requirements.
-Sfmt 4700
+'''Assets that are not in the Level 2 CMMC Assessment Scope'' '
-E:\FR\FM\15OCR2.SGM
+Out-of-Scope Assets .................
-OCR2
+• Assets that cannot process, store, or
-khammond on DSKJM1Z7X2PROD with RULES2
+transmit CUI; and do not provide secu-rity protections for CUI Assets.
+• Prepare to justify the inability of an Out-
+of-Scope Asset to process, store, or transmit CUI.
+• None.
+• Assets that are physically or logically
+separated from CUI assets.
+• Assets that fall into any in-scope asset
-'''83228 '''
+category cannot be considered an Out- of-Scope Asset.
-'''Federal Register '''/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
+VerDate Sep&lt;11&gt;2014
-results in Supplier Performance Risk <br />
+:51 Oct 11, 2024
-System (SPRS). To maintain compliance <br />
-with the requirements for a CMMC <br />
-Status of Level 2 (Self), the OSA must <br />
-conduct a Level 2 self-assessment every <br />
-three years and submit the results in <br />
-SPRS, within three years of the CMMC <br />
-Status Date associated with the <br />
-Conditional Level 2 (Self).
-(i) ''Inputs to SPRS. ''The Level 2 self-
+Jkt 265001
-assessment results in the SPRS shall <br />
+PO 00000
-include, at minimum, the following <br />
-information:
-(A) CMMC Level. <br />
+Frm 00142
-(B) CMMC Status Date. <br />
-(C) CMMC Assessment Scope. <br />
-(D) All industry CAGE code(s)
-associated with the information <br />
+Fmt 4701
-system(s) addressed by the CMMC <br />
-Assessment Scope.
-(E) Overall Level 2 self-assessment
+Sfmt 4700
-score (''e.g., ''105 out of 110).
+E:\FR\FM\15OCR2.SGM
-(F) POA&amp;M usage and compliance
+OCR2
-status, if applicable.
+khammond on DSKJM1Z7X2PROD with RULES2
-(ii) ''Conditional Level 2 (Self). ''The
-OSA has achieved the CMMC Status of <br />
-Conditional Level 2 (Self) if the Level 2 <br />
-self-assessment results in a POA&amp;M and <br />
-the POA&amp;M meets all the CMMC Level <br />
-POA&amp;M requirements listed in <br />
-§ 170.21(a)(2).
-(A) ''Plan of Action and Milestones. ''A
-Level 2 POA&amp;M is allowed only in <br />
-accordance with the CMMC POA&amp;M <br />
-requirements listed in § 170.21.
-(B) ''POA&amp;M closeout. ''The OSA must
-remediate any NOT MET requirements, <br />
-must perform a POA&amp;M closeout self- <br />
-assessment, and must post compliance <br />
-results to SPRS within 180 days of the <br />
-CMMC Status Date associated with the <br />
-Conditional Level 2 (Self). If the <br />
-POA&amp;M is not successfully closed out <br />
-within the 180-day timeframe, the <br />
-Conditional Level 2 (Self) CMMC Status <br />
-for the information system will expire. <br />
-If Conditional Level 2 (Self) CMMC <br />
-Status expires within the period of <br />
-performance of a contract, standard <br />
-contractual remedies will apply, and the <br />
-OSA will be ineligible for additional <br />
-awards with a requirement for the <br />
-CMMC Status of Level 2 (Self), or higher <br />
-requirement, for the information system <br />
-within the CMMC Assessment Scope <br />
-until such time as a new CMMC Status <br />
-is achieved.
-(iii) ''Final Level 2 (Self). ''The OSA has
+'''83233'' '
-achieved the CMMC Status of Final <br />
+'''Federal Register'' '/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
-Level 2 (Self) if the Level 2 self- <br />
-assessment results in a passing score as <br />
-defined in § 170.24. This score may be <br />
-achieved upon initial self-assessment or <br />
-as the result of a POA&amp;M closeout self- <br />
-assessment, as applicable.
-(iv) ''CMMC Status investigation. ''The
+TABLE 3 TO § 170.19(c)(1)—CMMC LEVEL 2 ASSET CATEGORIES AND ASSOCIATED REQUIREMENTS—Continued
-DoD reserves the right to conduct a <br />
+Asset category
-DCMA DIBCAC assessment of the OSA, <br />
-as provided for under the 48 CFR
-.204–7020. If the investigative <br />
+Asset description
-results of a subsequent DCMA DIBCAC <br />
-assessment show that adherence to the <br />
-provisions of this part have not been <br />
-achieved or maintained, these DCMA <br />
-DIBCAC results will take precedence <br />
-over any pre-existing CMMC Status. At <br />
-that time, standard contractual remedies <br />
-will be available and the OSA will be <br />
-ineligible for additional awards with <br />
-CMMC Status requirement of Level 2 <br />
-(Self), or higher requirement, for the <br />
-information system within the CMMC <br />
-Assessment Scope until such time as a <br />
-new CMMC Status is achieved.
-(2) ''Affirmation. ''Affirmation of the
+OSA requirements
-Level 2 (Self) CMMC Status is required <br />
+CMMC assessment requirements
-for all Level 2 self-assessments at the <br />
-time of each assessment, and annually <br />
-thereafter. Affirmation procedures are <br />
-set forth in § 170.22.
-(b) ''Contract eligibility. ''Prior to award
+• An endpoint hosting a VDI client config-
-of any contract or subcontract with <br />
+ured to not allow any processing, stor-age, or transmission of CUI beyond the Keyboard/Video/Mouse sent to the VDI client is considered an Out-of-Scope Asset.
-requirement for CMMC Status of Level <br />
-(Self), the following two requirements <br />
-must be met:
-(1) The OSA must achieve, as
+(2)(i) Table 4 to this paragraph (c)(2)(i)
-specified in paragraph (a)(1) of this <br />
+defines the requirements to be met when utilizing an External Service
-section, a CMMC Status of either <br />
-Conditional Level 2 (Self) or Final Level <br />
-(Self).
-(2) The OSA must submit an
+Provider (ESP). The OSA must consider whether the ESP is a Cloud Service Provider (CSP) and whether the ESP
-affirmation of compliance into SPRS, as <br />
+processes, stores, or transmits CUI and/ or Security Protection Data (SPD).
-specified in paragraph (a)(2) of this <br />
-section.
-(c) ''Procedures''—(1) ''Level 2 self- ''
+TABLE 4 TO § 170.19(c)(2)(i)—ESP SCOPING REQUIREMENTS
-''assessment of the OSA. ''The OSA must <br />
+When the ESP processes, stores, or transmits:
-conduct a Level 2 self-assessment in <br />
-accordance with NIST SP 800–171A <br />
-Jun2018 (incorporated by reference, see <br />
-§ 170.2) and the CMMC Level 2 scoping <br />
-requirements set forth in §§ 170.19(a) <br />
-and (c) for the information systems <br />
-within the CMMC Assessment Scope. <br />
-The Level 2 self-assessment must be <br />
-scored in accordance with the CMMC <br />
-Scoring Methodology described in <br />
-§ 170.24 and the OSA must upload the <br />
-results into SPRS. If a POA&amp;M exists, a <br />
-POA&amp;M closeout self-assessment must <br />
-be performed by the OSA when all NOT <br />
-MET requirements have been <br />
-remediated. The POA&amp;M closeout self- <br />
-assessment must be performed within <br />
--days of the Conditional CMMC <br />
-Status Date. Additional guidance can be <br />
-found in the guidance document listed <br />
-in paragraph (c) of appendix A to this <br />
-part.
-(2) ''Level 2 self-assessment with the ''
+When utilizing an ESP that is:
-''use of Cloud Service Provider (CSP). ''An <br />
+A CSP
-OSA may use a cloud environment to <br />
-process, store, or transmit CUI in <br />
-performance of a contract or subcontract <br />
-with a requirement for the CMMC Status <br />
-of Level 2 (Self) under the following <br />
-circumstances:
-(i) The CSP product or service offering
+Not a CSP
-is FedRAMP Authorized at the
+CUI (with or without SPD) ..
-FedRAMP Moderate (or higher) baseline <br />
+The CSP shall meet the FedRAMP requirements in 48
-in accordance with the FedRAMP <br />
-Marketplace; or
-(ii) The CSP product or service
+CFR 252.204–7012.
-offering is not FedRAMP Authorized at <br />
+The services provided by the ESP are in the OSA’s as-
-the FedRAMP Moderate (or higher) <br />
-baseline but meets security <br />
-requirements equivalent to those <br />
-established by the FedRAMP Moderate <br />
-(or higher) baseline. FedRAMP <br />
-Moderate or FedRAMP Moderate <br />
-equivalent is in accordance with DoD <br />
-Policy.
-(iii) In accordance with § 170.19(c)(2),
+sessment scope and shall be assessed as part of the OSA’s assessment.
-the OSA’s on-premises infrastructure <br />
+SPD (without CUI) ..............
-connecting to the CSP’s product or <br />
-service offering is part of the CMMC <br />
-Assessment Scope, which will also be <br />
-assessed. As such, the security <br />
-requirements from the Customer <br />
-Responsibility Matrix (CRM) must be <br />
-documented or referred to in the OSA’s <br />
-System Security Plan (SSP).
-(3) ''Level 2 self-assessment with the ''
+The services provided by the CSP are in the OSA’s as-
-''use of an External Service Provider <br />
+sessment scope and shall be assessed as Security Protection Assets.
-(ESP), not a CSP. ''An OSA may use an <br />
-ESP that is not a CSP to process, store, <br />
-or transmit CUI in performance of a <br />
-contract or subcontract with a <br />
-requirement for the CMMC Status of <br />
-Level 2 (Self) under the following <br />
-circumstances:
-(i) The use of the ESP, its relationship
+The services provided by the ESP are in the OSA’s as-
-to the OSA, and the services provided <br />
+sessment scope and shall be assessed as Security Protection Assets.
-are documented in the OSA’s SSP and <br />
-described in the ESP’s service <br />
-description and CRM.
-(ii) The ESP services used to meet
+Neither CUI nor SPD ..........
-OSA requirements are assessed within <br />
+A service provider that does not process CUI or SPD
-the scope of the OSA’s assessment <br />
-against all Level 2 security <br />
-requirements.
-(iii) In accordance with § 170.19(c)(2),
+does not meet the CMMC definition of an ESP.
-the OSA’s on-premises infrastructure <br />
+A service provider that does not process CUI or SPD
-connecting to the ESP’s product or <br />
-service offering is part of the CMMC <br />
-Assessment Scope, which will also be <br />
-assessed. As such, the security <br />
-requirements from the CRM must be <br />
-documented or referred to in the OSA’s <br />
-SSP.
-(4) ''Artifact retention. ''The artifacts
+does not meet the CMMC definition of an ESP.
-used as evidence for the assessment <br />
+(ii) The use of an ESP, its relationship
-must be retained by the OSA for six (6) <br />
-years from the CMMC Status Date.
-'''§ 170.17'''
+to the OSA, and the services provided need to be documented in the OSA’s SSP and described in the ESP’s service description and customer responsibility matrix (CRM), which describes the responsibilities of the OSA and ESP with respect to the services provided. Note that the ESP may voluntarily
-'''CMMC Level 2 certification '''
+undergo a CMMC certification assessment to reduce the ESP’s effort required during the OSA’s assessment. The minimum assessment type for the ESP is dictated by the OSA’s DoD contract requirement.
-'''assessment and affirmation requirements. '''
+(d)'' CMMC Level 3 scoping.'' Prior to
-(a) ''Level 2 certification assessment. ''
+performing a Level 3 certification assessment, the CMMC Assessment Scope must be specified.
-To comply with Level 2 certification <br />
+(1) The CMMC Assessment Scope for
-assessment requirements, the OSC must <br />
-meet the requirements set forth in <br />
-paragraphs (a)(1) and (2) of this section. <br />
-An OSC undergoes a Level 2 <br />
-certification assessment as detailed in <br />
-paragraph (c) of this section to achieve <br />
-a CMMC Status of either Conditional or <br />
-Final Level 2 (C3PAO). Achieving a <br />
-CMMC Status of Level 2 (C3PAO) also
-VerDate Sep&lt;11&gt;2014
+Level 3 is based on the specification of asset categories and their respective requirements as set forth in table 5 to this paragraph (d)(1). Additional information is available in the guidance document listed in paragraph (g) of appendix A to this part.
-:51 Oct 11, 2024
+TABLE 5 TO § 170.19(d)(1)—CMMC LEVEL 3 ASSET CATEGORIES AND ASSOCIATED REQUIREMENTS
-Jkt 265001
+Asset category
-PO 00000
+Asset description
-Frm 00138
+OSC requirements
-Fmt 4701
+CMMC assessment requirements
-Sfmt 4700
+'''Assets that are in the Level 3 CMMC Assessment Scope'' '
-E:\FR\FM\15OCR2.SGM
+Controlled Unclassified Informa-
-OCR2
+tion (CUI) Assets.
-khammond on DSKJM1Z7X2PROD with RULES2
+• Assets that process, store, or transmit
+CUI.
+• Assets that can, but are not intended
+to, process, store, or transmit CUI (de-fined as Contractor Risk Managed As-sets in table 1 to paragraph (c)(1) of this section CMMC Scoping).
+• Document in the asset inventory ...........
+• Document asset treatment in the Sys-
+tem Security Plan (SSP).
-'''83229 '''
+• Document in the network diagram of
-'''Federal Register '''/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
+the CMMC Assessment Scope.
-satisfies the requirements for a CMMC <br />
+• Prepare to be assessed against CMMC
-Statuses of Level 1 (Self) and Level 2 <br />
-(Self) set forth in §§ 170.15 and 170.16 <br />
-respectively for the same CMMC <br />
-Assessment Scope.
-(1) ''Level 2 certification assessment ''
+Level 2 and Level 3 security require-ments.
-''requirements. ''The OSC must complete <br />
+• Limited check against Level 2 and as-
-and achieve a MET result for all security <br />
-requirements specified in § 170.14(c)(3) <br />
-to achieve the CMMC Status of Level 2 <br />
-(C3PAO). The OSC must obtain a Level <br />
-certification assessment from an <br />
-authorized or accredited C3PAO <br />
-following the procedures outlined in <br />
-paragraph (c) of this section. The <br />
-C3PAO must submit the Level 2 <br />
-certification assessment results into the <br />
-CMMC instantiation of eMASS, which <br />
-then provides automated transmission <br />
-to SPRS. To maintain compliance with <br />
-the requirements for a CMMC Status of <br />
-Level 2 (C3PAO), the Level 2 <br />
-certification assessment must be <br />
-completed within three years of the <br />
-CMMC Status Date associated with the <br />
-Conditional Level 2 (C3PAO).
-(i) ''Inputs into the CMMC instantiation ''
+sess against all Level 3 CMMC security requirements.
-''of eMASS. ''The Level 2 certification <br />
+Security Protection Assets ........
-assessment results input into the CMMC <br />
-instantiation of eMASS shall include, at <br />
-minimum, the following information:
-(A) Date and level of the assessment. <br />
+• Assets that provide security functions
-(B) C3PAO name. <br />
-(C) Assessment unique identifier. <br />
-(D) For each Assessor conducting the
-assessment, name and business contact <br />
+or capabilities to the OSC’s CMMC As-sessment Scope, irrespective of wheth-er or not these assets process, store, or transmit CUI.
-information.
-(E) All industry CAGE codes
+• Document in the asset inventory ...........
-associated with the information systems <br />
+• Document asset treatment in the SSP.
-addressed by the CMMC Assessment <br />
-Scope.
-(F) The name, date, and version of the
+• Document in the network diagram of
-SSP.
+the CMMC Assessment Scope.
-(G) CMMC Status Date. <br />
+• Prepare to be assessed against CMMC
-(H) Assessment result for each
-requirement objective.
+Level 2 and Level 3 security require-ments.
-(I) POA&amp;M usage and compliance, as
+• Limited check against Level 2 and as-
-applicable.
+sess against all Level 3 CMMC security requirements that are relevant to the capabilities provided.
-(J) List of the artifact names, the
+Specialized Assets ....................
-return value of the hashing algorithm, <br />
+• Assets that can process, store, or
-and the hashing algorithm used.
-(ii) ''Conditional Level 2 (C3PAO). ''The
+transmit CUI but are unable to be fully secured, including: Internet of Things (IoT) devices, Industrial Internet of Things (IIoT) devices, Operational Technology (OT), Government Fur-nished Equipment (GFE), Restricted In-formation Systems, and Test Equip-ment.
-OSC has achieved the CMMC Status of <br />
+• Document in the asset inventory ...........
-Conditional Level 2 (C3PAO) if the <br />
-Level 2 certification assessment results <br />
-in a POA&amp;M and the POA&amp;M meets all <br />
-CMMC Level 2 POA&amp;M requirements <br />
-listed in § 170.21(a)(2).
-(A) ''Plan of Action and Milestones. ''A
+• Document asset treatment in the SSP.
-Level 2 POA&amp;M is allowed only in <br />
+• Document in the network diagram of
-accordance with the CMMC POA&amp;M <br />
-requirements listed in § 170.21.
-(B) ''POA&amp;M closeout. ''The OSC must
+the CMMC Assessment Scope.
-remediate any NOT MET requirements, <br />
+• Prepare to be assessed against CMMC
-must undergo a POA&amp;M closeout <br />
-certification assessment from a C3PAO, <br />
-and the C3PAO must post compliance <br />
-results into the CMMC instantiation of <br />
-eMASS within 180 days of the CMMC
-Status Date associated with the <br />
+Level 2 and Level 3 security require-ments.
-Conditional Level 2 (C3PAO). If the <br />
-POA&amp;M is not successfully closed out <br />
-within the 180-day timeframe, the <br />
-Conditional Level 2 (C3PAO) CMMC <br />
-Status for the information system will <br />
-expire. If Conditional Level 2 (C3PAO) <br />
-CMMC Status expires within the period <br />
-of performance of a contract, standard <br />
-contractual remedies will apply, and the <br />
-OSC will be ineligible for additional <br />
-awards with a requirement for the <br />
-CMMC Status of Level 2 (C3PAO), or <br />
-higher requirement, for the information <br />
-system within the CMMC Assessment <br />
-Scope until such time as a new CMMC <br />
-Status is achieved.
-(iii) ''Final Level 2 (C3PAO). ''The OSC
+• Limited check against Level 2 and as-
-has achieved the CMMC Status of Final <br />
+sess against all Level 3 CMMC security requirements.
-Level 2 (C3PAO) if the Level 2 <br />
-certification assessment results in a <br />
-passing score as defined in § 170.24. <br />
-This score may be achieved upon initial <br />
-certification assessment or as the result <br />
-of a POA&amp;M closeout certification <br />
-assessment, as applicable.
-(iv) ''CMMC Status investigation. ''The
+• Intermediary devices are permitted to
-DoD reserves the right to conduct a <br />
+provide the capability for the special-ized asset to meet one or more CMMC security requirements.
-DCMA DIBCAC assessment of the OSC, <br />
-as provided for under the 48 CFR <br />
-.204–7020. If the investigative <br />
-results of a subsequent DCMA DIBCAC <br />
-assessment show that adherence to the <br />
-provisions of this part have not been <br />
-achieved or maintained, these DCMA <br />
-DIBCAC results will take precedence <br />
-over any pre-existing CMMC Status. At <br />
-that time, standard contractual remedies <br />
-will be available and the OSC will be <br />
-ineligible for additional awards with <br />
-CMMC Status requirement of Level 2 <br />
-(C3PAO), or higher requirement, for the <br />
-information system within the CMMC <br />
-Assessment Scope until such time as a <br />
-new CMMC Status is achieved.
-(2) ''Affirmation. ''Affirmation of the
+VerDate Sep&lt;11&gt;2014
-Level 2 (C3PAO) CMMC Status is <br />
+:51 Oct 11, 2024
-required for all Level 2 certification <br />
-assessments at the time of each <br />
-assessment, and annually thereafter. <br />
-Affirmation procedures are provided in <br />
-§ 170.22.
-(b) ''Contract eligibility. ''Prior to award
+Jkt 265001
-of any contract or subcontract with a <br />
+PO 00000
-requirement for the CMMC Status of <br />
-Level 2 (C3PAO), the following two <br />
-requirements must be met:
-(1) The OSC must achieve, as
+Frm 00143
-specified in paragraph (a)(1) of this <br />
+Fmt 4701
-section, a CMMC Status of either <br />
-Conditional Level 2 (C3PAO) or Final <br />
-Level 2 (C3PAO).
-(2) The OSC must submit an
+Sfmt 4700
-affirmation of compliance into SPRS, as <br />
+E:\FR\FM\15OCR2.SGM
-specified in paragraph (a)(2) of this <br />
-section.
-(c) ''Procedures''—(1) ''Level 2 ''
+OCR2
-''certification assessment of the OSC. ''An <br />
+khammond on DSKJM1Z7X2PROD with RULES2
-authorized or accredited C3PAO must
-perform a Level 2 certification <br />
-assessment in accordance with NIST SP <br />
-–171A Jun2018 (incorporated by <br />
-reference, see § 170.2) and the CMMC <br />
-Level 2 scoping requirements set forth <br />
-in § 170.19(a) and (c) for the information <br />
-systems within the CMMC Assessment <br />
-Scope. The Level 2 certification <br />
-assessment must be scored in <br />
-accordance with the CMMC Scoring <br />
-Methodology described in § 170.24 and <br />
-the C3PAO must upload the results into <br />
-the CMMC instantiation of eMASS. <br />
-Final results are communicated to the <br />
-OSC through a CMMC Assessment <br />
-Findings Report.
-(2) ''Security requirement re- ''
-''evaluation. ''A security requirement that <br />
-is NOT MET (as defined in § 170.24) <br />
-may be re-evaluated during the course <br />
-of the Level 2 certification assessment <br />
-and for 10 business days following the <br />
-active assessment period if all of the <br />
-following conditions exist:
-(i) Additional evidence is available to
-demonstrate the security requirement <br />
-has been MET;
-(ii) Cannot change or limit the
-effectiveness of other requirements that <br />
+'''83234'' '
-have been scored MET; and
-(iii) The CMMC Assessment Findings
+'''Federal Register'' '/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
-Report has not been delivered.
+TABLE 5 TO § 170.19(d)(1)—CMMC LEVEL 3 ASSET CATEGORIES AND ASSOCIATED REQUIREMENTS—Continued
-(3) ''POA&amp;M. ''If a POA&amp;M exists, a
+Asset category
-POA&amp;M closeout certification <br />
+Asset description
-assessment must be performed by a <br />
-C3PAO within 180-days of the <br />
-Conditional CMMC Status Date. <br />
-Additional guidance can be found in <br />
-§ 170.21 and in the guidance document <br />
-listed in paragraph (c) of appendix A to <br />
-this part.
-(4) ''Artifact retention and integrity. ''
+OSC requirements
-The hashed artifacts used as evidence <br />
+CMMC assessment requirements
-for the assessment must be retained by <br />
-the OSC for six (6) years from the <br />
-CMMC Status Date. To ensure that the <br />
-artifacts have not been altered, the OSC <br />
-must hash the artifact files using a <br />
-NIST-approved hashing algorithm. The <br />
-OSC must provide the C3PAO with a <br />
-list of the artifact names, the return <br />
-value of the hashing algorithm, and the <br />
-hashing algorithm for upload into the <br />
-CMMC instantiation of eMASS. <br />
-Additional guidance for hashing <br />
-artifacts can be found in the guidance <br />
-document listed in paragraph (h) of <br />
-appendix A to this part.
-(5) ''Level 2 certification assessment ''
+'''Assets that are not in the Level 3 CMMC Assessment Scope'' '
-''with the use of Cloud Service Provider <br />
+Out-of-Scope Assets .................
-(CSP). ''An OSC may use a cloud <br />
-environment to process, store, or <br />
-transmit CUI in performance of a <br />
-contract or subcontract with a <br />
-requirement for the CMMC Status of <br />
-Level 2 (C3PAO) under the following <br />
-circumstances:
-(i) The CSP product or service offering
+• Assets that cannot process, store, or
-is FedRAMP Authorized at the
+transmit CUI; and do not provide secu-rity protections for CUI Assets.
-VerDate Sep&lt;11&gt;2014
+• Prepare to justify the inability of an Out-
-:51 Oct 11, 2024
+of-Scope Asset to process, store, or transmit CUI.
-Jkt 265001
+• None.
-PO 00000
+• Assets that are physically or logically
-Frm 00139
+separated from CUI assets.
-Fmt 4701
+• Assets that fall into any in-scope asset
-Sfmt 4700
+category cannot be considered an Out- of-Scope Asset.
-E:\FR\FM\15OCR2.SGM
+• An endpoint hosting a VDI client config-
-OCR2
+ured to not allow any processing, stor-age, or transmission of CUI beyond the Keyboard/Video/Mouse sent to the VDI client is considered an Out-of-Scope Asset.
-khammond on DSKJM1Z7X2PROD with RULES2
+(2)(i) Table 6 to this paragraph
+(d)(2)(i) defines the requirements to be met when utilizing an External Service
+Provider (ESP). The OSA must consider whether the ESP is a Cloud Service Provider (CSP) and whether the ESP
+processes, stores, or transmits CUI and/ or Security Protection Data (SPD).
+TABLE 6 TO § 170.19(d)(2)(i)—ESP SCOPING REQUIREMENTS
+When the ESP processes, stores, or transmits:
+When utilizing an ESP that is:
-'''83230 '''
+A CSP
-'''Federal Register '''/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
+Not a CSP
-FedRAMP Moderate (or higher) baseline <br />
+CUI (with or without SPD) ..
-in accordance with the FedRAMP <br />
-Marketplace; or
-(ii) The CSP product or service
+The CSP shall meet the FedRAMP requirements in 48
-offering is not FedRAMP Authorized at <br />
+CFR 252.204–7012.
-the FedRAMP Moderate (or higher) <br />
-baseline but meets security <br />
-requirements equivalent to those <br />
-established by the FedRAMP Moderate <br />
-(or higher) baseline. FedRAMP <br />
-Moderate or FedRAMP Moderate <br />
-equivalent is in accordance with DoD <br />
-Policy.
-(iii) In accordance with § 170.19(c)(2),
+The services provided by the ESP are in the OSA’s as-
-the OSC’s on-premises infrastructure <br />
+sessment scope and shall be assessed as part of the OSA’s assessment.
-connecting to the CSP’s product or <br />
-service offering is part of the CMMC <br />
-Assessment Scope. As such, the security <br />
-requirements from the CRM must be <br />
-documented or referred to in the OSC’s <br />
-SSP.
-(6) ''Level 2 certification assessment ''
+SPD (without CUI) ..............
-''with the use of an External Service <br />
+The services provided by the CSP are in the OSA’s as-
-Provider (ESP), not a CSP. ''An OSA may <br />
-use an ESP that is not a CSP to process, <br />
-store, or transmit CUI in performance of <br />
-a contract or subcontract with a <br />
-requirement for the CMMC Status of <br />
-Level 2 (C3PAO) under the following <br />
-circumstances:
-(i) The use of the ESP, its relationship
+sessment scope and shall be assessed as Security Protection Assets.
-to the OSA, and the services provided <br />
+The services provided by the ESP are in the OSA’s as-
-are documented in the OSA’s SSP and <br />
-described in the ESP’s service <br />
-description and customer responsibility <br />
-matrix.
-(ii) The ESP services used to meet
+sessment scope and shall be assessed as Security Protection Assets.
-OSA requirements are assessed within <br />
-the scope of the OSA’s assessment <br />
-against all Level 2 security <br />
-requirements.
-(iii) In accordance with § 170.19(c)(2),
-the OSA’s on-premises infrastructure <br />
-connecting to the ESP’s product or <br />
-service offering is part of the CMMC <br />
-Assessment Scope, which will also be <br />
-assessed. As such, the security <br />
-requirements from the CRM must be <br />
-documented or referred to in the OSA’s <br />
-SSP.
-'''§ 170.18'''
-'''CMMC Level 3 certification '''
-'''assessment and affirmation requirements. '''
-(a) ''Level 3 certification assessment. ''
-To comply with Level 3 certification <br />
-assessment requirements, the OSC must <br />
-meet the requirements set forth in <br />
-paragraphs (a)(1) and (2) of this section. <br />
-An OSC undergoes a Level 3 <br />
-certification assessment as detailed in <br />
-paragraph (c) of this section to achieve <br />
-a CMMC Status of either Conditional or <br />
-Final Level 3 (DIBCAC). A CMMC <br />
-Status of Final Level 2 (C3PAO) for <br />
-information systems within the Level 3 <br />
-CMMC Assessment Scope is a <br />
-prerequisite to undergo a Level 3 <br />
-certification assessment. CMMC Level 3 <br />
-recertification also has a prerequisite for
-a new CMMC Level 2 assessment. <br />
-Achieving a CMMC Status of Level 3 <br />
-(DIBCAC) also satisfies the requirements <br />
-for CMMC Statuses of Level 1 (Self), <br />
-Level 2 (Self), and Level 2 (C3PAO) set <br />
-forth in §§ 170.15 through 170.17 <br />
-respectively for the same CMMC <br />
-Assessment Scope.
-(1) ''Level 3 certification assessment ''
-''requirements. ''The OSC must achieve a <br />
-CMMC Status of Final Level 2 (C3PAO) <br />
-on the Level 3 CMMC Assessment <br />
-Scope, as defined in § 170.19(d), prior to <br />
-initiating a Level 3 certification <br />
-assessment, which will be performed by <br />
-DCMA DIBCAC ([http://www.dcma.mil/DIBCAC ''www.dcma.mil/ <br />
-DIBCAC'') on behalf of the DoD. The OSC <br />
-]must complete and achieve a MET <br />
-result for all security requirements <br />
-specified in table 1 to § 170.14(c)(4) to <br />
-achieve the CMMC Status of Level 3 <br />
-(DIBCAC). DCMA DIBCAC will submit <br />
-the Level 3 certification assessment <br />
-results into the CMMC instantiation of <br />
-eMASS, which then provides automated <br />
-transmission to SPRS. To maintain <br />
-compliance with the requirements for a <br />
-CMMC Status of Level 3 (DIBCAC), the <br />
-Level 3 certification assessment must be <br />
-performed every three years for all <br />
-information systems within the Level 3 <br />
-CMMC Assessment Scope. In addition, <br />
-given that compliance with Level 2 <br />
-requirements is a prerequisite for <br />
-applying for CMMC Level 3, a Level 2 <br />
-(C3PAO) certification assessment must <br />
-also be conducted every three years to <br />
-maintain CMMC Level 3 (DIBCAC) <br />
-status. Level 3 certification assessment <br />
-must be completed within three years of <br />
-the CMMC Status Date associated with <br />
-the Final Level 3 (DIBCAC) or, if there <br />
-was a POA&amp;M, then within three years <br />
-of the CMMC Status Date associated <br />
-with the Conditional Level 3 (DIBCAC).
-(i) ''Inputs into the CMMC instantiation ''
-''of eMASS. ''The Level 3 certification <br />
-assessment results input into the CMMC <br />
-instantiation of eMASS shall include, at <br />
-minimum, the following items:
-(A) Date and level of the assessment. <br />
-(B) For each Assessor(s) conducting
-the assessment, name and government <br />
-organization information.
-(C) All industry CAGE code(s)
-associated with the information <br />
-system(s) addressed by the CMMC <br />
-Assessment Scope.
-(D) The name, date, and version of the
-system security plan(s) (SSP).
-(E) CMMC Status Date. <br />
-(F) Result for each security
-requirement objective.
-(G) POA&amp;M usage and compliance, as
-applicable.
-(H) List of the artifact names, the
-return value of the hashing algorithm, <br />
-and the hashing algorithm used.
-(ii) ''Conditional Level 3 (DIBCAC). ''The
-OSC has achieved the CMMC Status of <br />
-Conditional Level 3 (DIBCAC) if the <br />
-Level 3 certification assessment results <br />
-in a POA&amp;M and the POA&amp;M meets all <br />
-CMMC Level 3 POA&amp;M requirements <br />
-listed in § 170.21(a)(3).
-(A) ''Plan of Action and Milestones. ''A
-Level 3 POA&amp;M is allowed only in <br />
-accordance with the CMMC POA&amp;M <br />
-requirements listed in § 170.21.
-(B) ''POA&amp;M closeout. ''The OSC must
-remediate any NOT MET requirements, <br />
-must undergo a POA&amp;M closeout <br />
-certification assessment from DCMA <br />
-DIBCAC, and DCMA DIBCAC must post <br />
-compliance results into the CMMC <br />
-instantiation of eMASS within 180 days <br />
-of the CMMC Status Date associated <br />
-with the Conditional Level 3 (DIBCAC). <br />
-If the POA&amp;M is not successfully closed <br />
-out within the 180-day timeframe, the <br />
-Conditional Level 3 (DIBAC) CMMC <br />
-Status for the information system will <br />
-expire. If Conditional Level 3 (DIBCAC) <br />
-CMMC Status expires within the period <br />
-of performance of a contract, standard <br />
-contractual remedies will apply, and the <br />
-OSC will be ineligible for additional <br />
-awards with a requirement for the <br />
-CMMC Status of Level 3 (DIBCAC) for <br />
-the information system within the <br />
-CMMC Assessment Scope until such <br />
-time as a new CMMC Status is achieved.
-(iii) ''Final Level 3 (DIBCAC). ''The OSC
-has achieved the CMMC Status of Final <br />
-Level 3 (DIBCAC) if the Level 3 <br />
-certification assessment results in a <br />
-passing score as defined in § 170.24. <br />
-This score may be achieved upon initial <br />
-certification assessment or as the result <br />
-of a POA&amp;M closeout certification <br />
-assessment, as applicable.
-(iv) ''CMMC Status investigation. ''The
-DoD reserves the right to conduct a <br />
-DCMA DIBCAC assessment of the OSC, <br />
-as provided for under the 48 CFR <br />
-.204–7020. If the investigative <br />
-results of a subsequent DCMA DIBCAC <br />
-assessment show that adherence to the <br />
-provisions of this part have not been <br />
-achieved or maintained, these DCMA <br />
-DIBCAC results will take precedence <br />
-over any pre-existing CMMC Status. At <br />
-that time, standard contractual remedies <br />
-will be available and the OSC will be <br />
-ineligible for additional awards with <br />
-CMMC Status requirement of Level 3 <br />
-(DIBCAC) for the information system <br />
-within the CMMC Assessment Scope <br />
-until such time as a new CMMC Status <br />
-is achieved.
-(2) ''Affirmation. ''Affirmation of the
-Level 3 (DIBCAC) CMMC Status is <br />
-required for all Level 3 certification <br />
-assessments at the time of each <br />
-assessment, and annually thereafter. <br />
-Affirmation procedures are provided in <br />
-§ 170.22.
-VerDate Sep&lt;11&gt;2014
-:51 Oct 11, 2024
-Jkt 265001
-PO 00000
-Frm 00140
-Fmt 4701
-Sfmt 4700
-E:\FR\FM\15OCR2.SGM
-OCR2
-khammond on DSKJM1Z7X2PROD with RULES2
-'''83231 '''
-'''Federal Register '''/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
-(b) ''Contract eligibility. ''Prior to award
-of any contract or subcontract with <br />
-requirement for CMMC Status of Level <br />
-(DIBCAC), the following two <br />
-requirements must be met:
-(1) The OSC must achieve, as
-specified in paragraph (a)(1) of this <br />
-section, a CMMC Status of either <br />
-Conditional Level 3 (DIBCAC) or Final <br />
-Level 3 (DIBCAC).
-(2) The OSC must submit an
-affirmation of compliance into SPRS, as <br />
-specified in paragraph (a)(2) of this <br />
-section.
-(c) ''Procedures''—(1) ''Level 3 ''
-''certification assessment of the OSC. ''The <br />
-CMMC Level 3 certification assessment <br />
-process includes:
-(i) ''Final Level 2 (C3PAO). ''The OSC
-must achieve a CMMC Status of Final <br />
-Level 2 (C3PAO) for information <br />
-systems within the Level 3 CMMC <br />
-Assessment Scope prior to the CMMC <br />
-Level 3 certification assessment. The <br />
-CMMC Assessment Scope for the Level <br />
-certification assessment must be equal <br />
-to, or a subset of, the CMMC Assessment <br />
-Scope associated with the OSC’s Final <br />
-Level 2 (C3PAO). Asset requirements <br />
-differ for each CMMC Level. Scoping <br />
-differences are set forth in § 170.19.
-(ii) ''Initiating the Final Level 3 ''
-''(DIBCAC). ''The OSC (including ESPs <br />
-that voluntarily elect to undergo a Level <br />
-certification assessment) initiates a <br />
-Level 3 certification assessment by <br />
-emailing a request to DCMA DIBCAC <br />
-point of contact found at <br />
-[http://www.dcma.mil/DIBCAC ''www.dcma.mil/DIBCAC''. The request <br />
-]must include the Level 2 certification <br />
-assessment unique identifier. DCMA <br />
-DIBCAC will validate the OSC has <br />
-achieved a CMMC Status of Level 2 <br />
-(C3PAO) and will contact the OSC to <br />
-schedule their Level 3 certification <br />
-assessment.
-(iii) ''Conducting the Final Level 3 ''
-''(DIBCAC). ''DCMA DIBCAC will perform <br />
-a Level 3 certification assessment in <br />
-accordance with NIST SP 800–171A <br />
-Jun2018 (incorporated by reference, see <br />
-§ 170.2) and NIST SP 800–172A <br />
-Mar2022 (incorporated by reference, see <br />
-§ 170.2) and the CMMC Level 3 scoping <br />
-requirements set forth in § 170.19(d) for <br />
-the information systems within the <br />
-CMMC Assessment Scope. The Level 3 <br />
-certification assessment will be scored <br />
-in accordance with the CMMC Scoring <br />
-Methodology set forth in § 170.24 and <br />
-DCMA DIBCAC will upload the results <br />
-into the CMMC instantiation of eMASS. <br />
-Final results are communicated to the <br />
-OSC through a CMMC Assessment <br />
-Findings Report. For assets that changed <br />
-asset category (''i.e., ''CRMA to CUI Asset) <br />
-or assessment requirements (''i.e., <br />
-''Specialized Assets) between the Level 2 <br />
-and Level 3 certification assessments,
-DCMA DIBCAC will perform limited <br />
-checks of Level 2 security requirements. <br />
-If the OSC had these upgraded asset <br />
-categories included in their Level 2 <br />
-certification assessment, then DCMA <br />
-DIBCAC may still perform limited <br />
-checks for compliance. If DCMA <br />
-DIBCAC identifies that a Level 2 <br />
-security requirement is NOT MET, the <br />
-Level 3 assessment process may be <br />
-paused to allow for remediation, placed <br />
-on hold, or immediately terminated.
-(2) ''Security requirement re- ''
-''evaluation. ''A security requirement that <br />
-is NOT MET (as defined in § 170.24) <br />
-may be re-evaluated during the course <br />
-of the Level 3 certification assessment <br />
-and for 10 business days following the <br />
-active assessment period if all of the <br />
-following conditions exist:
-(i) Additional evidence is available to
-demonstrate the security requirement <br />
-has been MET;
-(ii) The additional evidence does not
-materially impact previously assessed <br />
-security requirements; and
-(iii) The CMMC Assessment Findings
-Report has not been delivered.
-(3) ''POA&amp;M. ''If a POA&amp;M exists, a
-POA&amp;M closeout certification <br />
-assessment will be performed by DCMA <br />
-DIBCAC within 180-days of the <br />
-Conditional CMMC Status Date. <br />
-Additional guidance is located in <br />
-§ 170.21 and in the guidance document <br />
-listed in paragraph (d) of appendix A to <br />
-this part.
-(4) ''Artifact retention and integrity. ''
-The hashed artifacts used as evidence <br />
-for the assessment must be retained by <br />
-the OSC for six (6) years from the <br />
-CMMC Status Date. The hashed artifacts <br />
-used as evidence for the assessment <br />
-must be retained by the OSC for six (6) <br />
-years from the CMMC Status Date. To <br />
-ensure that the artifacts have not been <br />
-altered, the OSC must hash the artifact <br />
-files using a NIST-approved hashing <br />
-algorithm. Assessors will collect the list <br />
-of the artifact names, the return value of <br />
-the hashing algorithm, and the hashing <br />
-algorithm used and upload that data <br />
-into the CMMC instantiation of eMASS. <br />
-Additional guidance for hashing <br />
-artifacts can be found in the guidance <br />
-document listed in paragraph (h) of <br />
-appendix A to this part.
-(5) ''Level 3 certification assessment ''
-''with the use of Cloud Service Provider <br />
-(CSP). ''An OSC may use a cloud <br />
-environment to process, store, or <br />
-transmit CUI in performance of a <br />
-contract or subcontract with a <br />
-requirement for the CMMC Status of <br />
-Level 3 (DIBCAC) under the following <br />
-circumstances:
-(i) The OSC may utilize a CSP product
-or service offering that meets the <br />
-FedRAMP Moderate (or higher)
-baseline. If the CSP’s product or service <br />
-offering is not FedRAMP Authorized at <br />
-the FedRAMP Moderate (or higher) <br />
-baseline, the product or service offering <br />
-must meet security requirements <br />
-equivalent to those established by the <br />
-FedRAMP Moderate (or higher) baseline <br />
-in accordance with DoD Policy.
-(ii) Use of a CSP does not relieve an
-OSC of its obligation to implement the <br />
-Level 3 security requirements. These <br />
-requirements apply to every <br />
-environment where the CUI data is <br />
-processed, stored, or transmitted, when <br />
-Level 3 (DIBCAC) is the designated <br />
-CMMC Status. If any of these 24 <br />
-requirements are inherited from a CSP, <br />
-the OSC must demonstrate that <br />
-protection during a Level 3 certification <br />
-assessment via a Customer <br />
-Implementation Summary/Customer <br />
-Responsibility Matrix (CIS/CRM) and <br />
-associated Body of Evidence (BOE). The <br />
-BOE must clearly indicate whether the <br />
-OSC or the CSP is responsible for <br />
-meeting each requirement and which <br />
-requirements are implemented by the <br />
-OSC versus inherited from the CSP.
-(iii) In accordance with § 170.19(d)(2),
-the OSC’s on-premises infrastructure <br />
-connecting to the CSP’s product or <br />
-service offering is part of the CMMC <br />
-Assessment Scope. As such, the security <br />
-requirements from the CRM must be <br />
-documented or referred to in the OSC’s <br />
-SSP.
-(6) ''Level 3 certification assessment ''
-''with the use of an ESP, not a CSP. ''An <br />
-OSC may use an ESP that is not a CSP <br />
-to process, store, or transmit CUI in <br />
-performance of a contract or subcontract <br />
-with a requirement for the CMMC Status <br />
-of Level 3 (DIBCAC) under the following <br />
-circumstances:
-(i) The use of the ESP, its relationship
-to the OSC, and the services provided <br />
-are documented in the OSC’s SSP and <br />
-described in the ESP’s service <br />
-description and customer responsibility <br />
-matrix.
-(ii) The ESP services used to meet
-OSC requirements are assessed within <br />
-the scope of the OSC’s assessment <br />
-against all Level 2 and Level 3 security <br />
-requirements.
-(iii) In accordance with § 170.19(d)(2),
-the OSC’s on-premises infrastructure <br />
-connecting to the ESP’s product or <br />
-service offering is part of the CMMC <br />
-Assessment Scope, which will also be <br />
-assessed. As such, the security <br />
-requirements from the CRM must be <br />
-documented or referred to in the OSC’s <br />
-SSP.
-'''§ 170.19'''
-'''CMMC scoping. '''
-(a) ''Scoping requirement. ''(1) The
-CMMC Assessment Scope must be <br />
-specified prior to assessment in
-VerDate Sep&lt;11&gt;2014
-:51 Oct 11, 2024
-Jkt 265001
-PO 00000
-Frm 00141
-Fmt 4701
-Sfmt 4700
-E:\FR\FM\15OCR2.SGM
-OCR2
-khammond on DSKJM1Z7X2PROD with RULES2
-'''83232 '''
-'''Federal Register '''/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
-accordance with the requirements of <br />
-this section. The CMMC Assessment <br />
-Scope is the set of all assets in the <br />
-OSA’s environment that will be <br />
-assessed against CMMC security <br />
-requirements.
-(2) The requirements for defining the
-CMMC Assessment Scope for CMMC <br />
-Levels 1, 2, and 3 are set forth in this <br />
-section. Additional guidance regarding <br />
-scoping can be found in the guidance <br />
-documents listed in paragraphs (e) <br />
-through (g) of appendix A to this part.
-(b) ''CMMC Level 1 scoping. ''Prior to
-performing a Level 1 self-assessment, <br />
-the OSA must specify the CMMC <br />
-Assessment Scope.
-(1) ''Assets in scope for Level 1 self- ''
-''assessment. ''OSA information systems <br />
-which process, store, or transmit FCI are <br />
-in scope for CMMC Level 1 and must be <br />
-self-assessed against applicable CMMC <br />
-security requirements.
-(2) ''Assets not in scope for Level 1 self- ''
-''assessment''—(i) ''Out-of-Scope Assets. <br />
-''OSA information systems which do not <br />
-process, store, or transmit FCI are <br />
-outside the scope for CMMC Level 1. An <br />
-endpoint hosting a VDI client <br />
-configured to not allow any processing, <br />
-storage, or transmission of FCI beyond <br />
-the Keyboard/Video/Mouse sent to the <br />
-VDI client is considered out-of-scope. <br />
-There are no documentation <br />
-requirements for out-of-scope assets.
-(ii) ''Specialized Assets. ''Specialized
-Assets are those assets that can process, <br />
-store, or transmit FCI but are unable to <br />
-be fully secured, including: Internet of <br />
-Things (IoT) devices, Industrial Internet <br />
-of Things (IIoT) devices, Operational <br />
-Technology (OT), Government <br />
-Furnished Equipment (GFE), Restricted <br />
-Information Systems, and Test <br />
-Equipment. Specialized Assets are not <br />
-part of the Level 1 CMMC Assessment
-Scope and are not assessed against <br />
-CMMC security requirements.
-(3) ''Level 1 self-assessment scoping ''
-''considerations. ''To scope a Level 1 self- <br />
-assessment, OSAs should consider the <br />
-people, technology, facilities, and <br />
-External Service Providers (ESP) within <br />
-its environment that process, store, or <br />
-transmit FCI.
-(c) ''CMMC Level 2 Scoping. ''Prior to
-performing a Level 2 self-assessment or <br />
-Level 2 certification assessment, the <br />
-OSA must specify the CMMC <br />
-Assessment Scope.
-(1) The CMMC Assessment Scope for
-CMMC Level 2 is based on the <br />
-specification of asset categories and <br />
-their respective requirements as defined <br />
-in table 3 to this paragraph (c)(1). <br />
-Additional information is available in <br />
-the guidance document listed in <br />
-paragraph (f) of appendix A to this part.
-TABLE 3 TO § 170.19(c)(1)—CMMC LEVEL 2 ASSET CATEGORIES AND ASSOCIATED REQUIREMENTS
-Asset category
-Asset description
-OSA requirements
-CMMC assessment requirements
-'''Assets that are in the Level 2 CMMC Assessment Scope '''
-Controlled Unclassified Informa-
-tion (CUI) Assets.
-• Assets that process, store, or transmit
-CUI.
-• Document in the asset inventory ...........
-• Document asset treatment in the Sys-
-tem Security Plan (SSP).
-• Document in the network diagram of
-the CMMC Assessment Scope.
-• Prepare to be assessed against CMMC
-Level 2 security requirements.
-• Assess against all Level 2 security re-
-quirements.
-Security Protection Assets ........
-• Assets that provide security functions
-or capabilities to the OSA’s CMMC As-<br />
-sessment Scope.
-• Document in the asset inventory ...........
-• Document asset treatment in SSP.
-• Document in the network diagram of
-the CMMC Assessment Scope.
-• Prepare to be assessed against CMMC
-Level 2 security requirements.
-• Assess against Level 2 security re-
-quirements that are relevant to the ca-<br />
-pabilities provided.
-Contractor Risk Managed As-
-sets.
-• Assets that can, but are not intended
-to, process, store, or transmit CUI be-<br />
-cause of security policy, procedures, <br />
-and practices in place.
-• Assets are not required to be physically
-or logically separated from CUI assets.
-• Document in the asset inventory ...........
-• Document asset treatment in the SSP.
-• Document in the network diagram of
-the CMMC Assessment Scope.
-• Prepare to be assessed against CMMC
-Level 2 security requirements.
-• Review the SSP:
-• If sufficiently documented, do not
-assess against other CMMC secu-<br />
-rity requirements, except as noted.
-• If OSA’s risk-based security poli-
-cies, procedures, and practices <br />
-documentation or other findings <br />
-raise questions about these assets, <br />
-the assessor can conduct a limited <br />
-check to identify deficiencies.
-• The limited check(s) shall not ma-
-terially increase the assessment <br />
-duration nor the assessment cost.
-• The limited check(s) will be as-
-sessed against CMMC security re-<br />
-quirements.
-Specialized Assets ....................
-• Assets that can process, store, or
-transmit CUI but are unable to be fully <br />
-secured, including: Internet of Things <br />
-(IoT) devices, Industrial Internet of <br />
-Things (IIoT) devices, Operational <br />
-Technology (OT), Government Fur-<br />
-nished Equipment (GFE), Restricted In-<br />
-formation Systems, and Test Equip-<br />
-ment.
-• Document in the asset inventory ...........
-• Document asset treatment in the SSP.
-• Show these assets are managed using
-the contractor’s risk-based security poli-<br />
-cies, procedures, and practices.
-• Document in the network diagram of
-the CMMC Assessment Scope.
-• Review the SSP.
-• Do not assess against other CMMC se-
-curity requirements.
-'''Assets that are not in the Level 2 CMMC Assessment Scope '''
-Out-of-Scope Assets .................
-• Assets that cannot process, store, or
-transmit CUI; and do not provide secu-<br />
-rity protections for CUI Assets.
-• Prepare to justify the inability of an Out-
-of-Scope Asset to process, store, or <br />
-transmit CUI.
-• None.
-• Assets that are physically or logically
-separated from CUI assets.
-• Assets that fall into any in-scope asset
-category cannot be considered an Out- <br />
-of-Scope Asset.
-VerDate Sep&lt;11&gt;2014
-:51 Oct 11, 2024
-Jkt 265001
-PO 00000
-Frm 00142
-Fmt 4701
-Sfmt 4700
-E:\FR\FM\15OCR2.SGM
-OCR2
-khammond on DSKJM1Z7X2PROD with RULES2
-'''83233 '''
-'''Federal Register '''/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
-TABLE 3 TO § 170.19(c)(1)—CMMC LEVEL 2 ASSET CATEGORIES AND ASSOCIATED REQUIREMENTS—Continued
-Asset category
-Asset description
-OSA requirements
-CMMC assessment requirements
-• An endpoint hosting a VDI client config-
-ured to not allow any processing, stor-<br />
-age, or transmission of CUI beyond the <br />
-Keyboard/Video/Mouse sent to the VDI <br />
-client is considered an Out-of-Scope <br />
-Asset.
-(2)(i) Table 4 to this paragraph (c)(2)(i)
-defines the requirements to be met <br />
-when utilizing an External Service
-Provider (ESP). The OSA must consider <br />
-whether the ESP is a Cloud Service <br />
-Provider (CSP) and whether the ESP
-processes, stores, or transmits CUI and/ <br />
-or Security Protection Data (SPD).
-TABLE 4 TO § 170.19(c)(2)(i)—ESP SCOPING REQUIREMENTS
-When the ESP processes, <br />
-stores, or transmits:
-When utilizing an ESP that is:
-A CSP
-Not a CSP
-CUI (with or without SPD) ..
-The CSP shall meet the FedRAMP requirements in 48
-CFR 252.204–7012.
-The services provided by the ESP are in the OSA’s as-
-sessment scope and shall be assessed as part of the <br />
-OSA’s assessment.
-SPD (without CUI) ..............
-The services provided by the CSP are in the OSA’s as-
-sessment scope and shall be assessed as Security <br />
-Protection Assets.
-The services provided by the ESP are in the OSA’s as-
-sessment scope and shall be assessed as Security <br />
-Protection Assets.
-Neither CUI nor SPD ..........
-A service provider that does not process CUI or SPD
-does not meet the CMMC definition of an ESP.
-A service provider that does not process CUI or SPD
-does not meet the CMMC definition of an ESP.
-(ii) The use of an ESP, its relationship
-to the OSA, and the services provided <br />
-need to be documented in the OSA’s <br />
-SSP and described in the ESP’s service <br />
-description and customer responsibility <br />
-matrix (CRM), which describes the <br />
-responsibilities of the OSA and ESP <br />
-with respect to the services provided. <br />
-Note that the ESP may voluntarily
-undergo a CMMC certification <br />
-assessment to reduce the ESP’s effort <br />
-required during the OSA’s assessment. <br />
-The minimum assessment type for the <br />
-ESP is dictated by the OSA’s DoD <br />
-contract requirement.
-(d) ''CMMC Level 3 scoping. ''Prior to
-performing a Level 3 certification <br />
-assessment, the CMMC Assessment <br />
-Scope must be specified.
-(1) The CMMC Assessment Scope for
-Level 3 is based on the specification of <br />
-asset categories and their respective <br />
-requirements as set forth in table 5 to <br />
-this paragraph (d)(1). Additional <br />
-information is available in the guidance <br />
-document listed in paragraph (g) of <br />
-appendix A to this part.
-TABLE 5 TO § 170.19(d)(1)—CMMC LEVEL 3 ASSET CATEGORIES AND ASSOCIATED REQUIREMENTS
-Asset category
-Asset description
-OSC requirements
-CMMC assessment requirements
-'''Assets that are in the Level 3 CMMC Assessment Scope '''
-Controlled Unclassified Informa-
-tion (CUI) Assets.
-• Assets that process, store, or transmit
-CUI.
-• Assets that can, but are not intended
-to, process, store, or transmit CUI (de-<br />
-fined as Contractor Risk Managed As-<br />
-sets in table 1 to paragraph (c)(1) of <br />
-this section CMMC Scoping).
-• Document in the asset inventory ...........
-• Document asset treatment in the Sys-
-tem Security Plan (SSP).
-• Document in the network diagram of
-the CMMC Assessment Scope.
-• Prepare to be assessed against CMMC
-Level 2 and Level 3 security require-<br />
-ments.
-• Limited check against Level 2 and as-
-sess against all Level 3 CMMC security <br />
-requirements.
-Security Protection Assets ........
-• Assets that provide security functions
-or capabilities to the OSC’s CMMC As-<br />
-sessment Scope, irrespective of wheth-<br />
-er or not these assets process, store, <br />
-or transmit CUI.
-• Document in the asset inventory ...........
-• Document asset treatment in the SSP.
-• Document in the network diagram of
-the CMMC Assessment Scope.
-• Prepare to be assessed against CMMC
-Level 2 and Level 3 security require-<br />
-ments.
-• Limited check against Level 2 and as-
-sess against all Level 3 CMMC security <br />
-requirements that are relevant to the <br />
-capabilities provided.
-Specialized Assets ....................
-• Assets that can process, store, or
-transmit CUI but are unable to be fully <br />
-secured, including: Internet of Things <br />
-(IoT) devices, Industrial Internet of <br />
-Things (IIoT) devices, Operational <br />
-Technology (OT), Government Fur-<br />
-nished Equipment (GFE), Restricted In-<br />
-formation Systems, and Test Equip-<br />
-ment.
-• Document in the asset inventory ...........
-• Document asset treatment in the SSP.
-• Document in the network diagram of
-the CMMC Assessment Scope.
-• Prepare to be assessed against CMMC
-Level 2 and Level 3 security require-<br />
-ments.
-• Limited check against Level 2 and as-
-sess against all Level 3 CMMC security <br />
-requirements.
-• Intermediary devices are permitted to
-provide the capability for the special-<br />
-ized asset to meet one or more CMMC <br />
-security requirements.
-VerDate Sep&lt;11&gt;2014
-:51 Oct 11, 2024
-Jkt 265001
-PO 00000
-Frm 00143
-Fmt 4701
-Sfmt 4700
-E:\FR\FM\15OCR2.SGM
-OCR2
-khammond on DSKJM1Z7X2PROD with RULES2
-'''83234 '''
-'''Federal Register '''/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
-TABLE 5 TO § 170.19(d)(1)—CMMC LEVEL 3 ASSET CATEGORIES AND ASSOCIATED REQUIREMENTS—Continued
-Asset category
-Asset description
-OSC requirements
-CMMC assessment requirements
-'''Assets that are not in the Level 3 CMMC Assessment Scope '''
-Out-of-Scope Assets .................
-• Assets that cannot process, store, or
-transmit CUI; and do not provide secu-<br />
-rity protections for CUI Assets.
-• Prepare to justify the inability of an Out-
-of-Scope Asset to process, store, or <br />
-transmit CUI.
-• None.
-• Assets that are physically or logically
-separated from CUI assets.
-• Assets that fall into any in-scope asset
-category cannot be considered an Out- <br />
-of-Scope Asset.
-• An endpoint hosting a VDI client config-
-ured to not allow any processing, stor-<br />
-age, or transmission of CUI beyond the <br />
-Keyboard/Video/Mouse sent to the VDI <br />
-client is considered an Out-of-Scope <br />
-Asset.
-(2)(i) Table 6 to this paragraph
-(d)(2)(i) defines the requirements to be <br />
-met when utilizing an External Service
-Provider (ESP). The OSA must consider <br />
-whether the ESP is a Cloud Service <br />
-Provider (CSP) and whether the ESP
-processes, stores, or transmits CUI and/ <br />
-or Security Protection Data (SPD).
-TABLE 6 TO § 170.19(d)(2)(i)—ESP SCOPING REQUIREMENTS
-When the ESP processes, <br />
-stores, or transmits:
-When utilizing an ESP that is:
-A CSP
-Not a CSP
-CUI (with or without SPD) ..
-The CSP shall meet the FedRAMP requirements in 48
-CFR 252.204–7012.
-The services provided by the ESP are in the OSA’s as-
-sessment scope and shall be assessed as part of the <br />
-OSA’s assessment.
-SPD (without CUI) ..............
-The services provided by the CSP are in the OSA’s as-
-sessment scope and shall be assessed as Security <br />
-Protection Assets.
-The services provided by the ESP are in the OSA’s as-
-sessment scope and shall be assessed as Security <br />
-Protection Assets.
 Neither CUI nor SPD ..........
@@ Line 5,649: / Line 2,563: @@
 A service provider that does not process CUI or SPD
 does not meet the CMMC definition of an ESP.
 (ii) The use of an ESP, its relationship
-to the OSC, and the services provided <br />
+to the OSC, and the services provided need to be documented in the OSC’s SSP and described in the ESP’s service description and customer responsibility matrix (CRM), which describes the responsibilities of the OSC and ESP with respect to the services provided. Note that the ESP may voluntarily undergo a CMMC certification assessment to reduce the ESP’s effort required during the OSA’s assessment. The minimum. The minimum assessment type for the ESP is dictated by the OSC’s DoD contract requirement.
-need to be documented in the OSC’s <br />
-SSP and described in the ESP’s service <br />
-description and customer responsibility <br />
-matrix (CRM), which describes the <br />
-responsibilities of the OSC and ESP <br />
-with respect to the services provided. <br />
-Note that the ESP may voluntarily <br />
-undergo a CMMC certification <br />
-assessment to reduce the ESP’s effort <br />
-required during the OSA’s assessment. <br />
-The minimum. The minimum <br />
-assessment type for the ESP is dictated <br />
-by the OSC’s DoD contract requirement.
-(e) ''Relationship between Level 2 and ''
+(e)'' Relationship between Level 2 and''
-''Level 3 CMMC Assessment Scope. ''The <br />
+''Level 3 CMMC Assessment Scope.'' The Level 3 CMMC Assessment Scope must be equal to or a subset of the Level 2 CMMC Assessment Scope in accordance with § 170.18(a) (''e.g.,'' a Level 3 data enclave with greater restrictions and protections within a Level 2 data enclave). Any Level 2 POA&amp;M items must be closed prior to the initiation of the Level 3 certification assessment. DCMA DIBCAC may check any Level 2 security requirement of any in-scope asset. If DCMA DIBCAC identifies that a Level 2 security requirement is NOT MET, the Level 3 assessment process
-Level 3 CMMC Assessment Scope must <br />
-be equal to or a subset of the Level 2 <br />
-CMMC Assessment Scope in accordance <br />
-with § 170.18(a) (''e.g., ''a Level 3 data <br />
-enclave with greater restrictions and <br />
-protections within a Level 2 data <br />
-enclave). Any Level 2 POA&amp;M items <br />
-must be closed prior to the initiation of <br />
-the Level 3 certification assessment. <br />
-DCMA DIBCAC may check any Level 2 <br />
-security requirement of any in-scope <br />
-asset. If DCMA DIBCAC identifies that <br />
-a Level 2 security requirement is NOT <br />
-MET, the Level 3 assessment process
-may be paused to allow for remediation, <br />
+may be paused to allow for remediation, placed on hold, or immediately terminated. For further information regarding scoping of CMMC Level 3 assessments please contact DCMA [http://www.dcma.mil/DIBCAC/ DIBCAC at'' www.dcma.mil/DIBCAC/''. ]
-placed on hold, or immediately <br />
-terminated. For further information <br />
-regarding scoping of CMMC Level 3 <br />
-assessments please contact DCMA <br />
-[http://www.dcma.mil/DIBCAC/ DIBCAC at ''www.dcma.mil/DIBCAC/''. ]
 '''§ 170.20'''
-'''Standards acceptance. '''
+'''Standards acceptance.'' '
-(a) ''NIST SP 800–171 R2 DoD ''
+(a)'' NIST SP 800–171 R2 DoD''
-''assessments. ''In order to avoid <br />
+''assessments.'' In order to avoid duplication of efforts, thereby reducing the aggregate cost to industry and the Department, OSCs that have completed a DCMA DIBCAC High Assessment aligned with CMMC Level 2 Scoping will be given the CMMC Status of Final Level 2 (C3PAO) under the following conditions:
-duplication of efforts, thereby reducing <br />
-the aggregate cost to industry and the <br />
-Department, OSCs that have completed <br />
-a DCMA DIBCAC High Assessment <br />
-aligned with CMMC Level 2 Scoping <br />
-will be given the CMMC Status of Final <br />
-Level 2 (C3PAO) under the following <br />
-conditions:
-(1) ''DCMA DIBCAC High Assessment. ''
+(1)'' DCMA DIBCAC High Assessment.''
-An OSC that achieved a perfect score <br />
+An OSC that achieved a perfect score with no open POA&amp;M from a DCMA DIBCAC High Assessment conducted prior to the effective date of this rule, will be given a CMMC Status of Level 2 Final (C3PAO) with a validity period of three (3) years from the date of the original DCMA DIBCAC High Assessment. DCMA DIBCAC will identify assessments that meet these criteria and verify that SPRS accurately reflects the CMMC Status. Eligible
-with no open POA&amp;M from a DCMA <br />
-DIBCAC High Assessment conducted <br />
-prior to the effective date of this rule, <br />
-will be given a CMMC Status of Level <br />
-Final (C3PAO) with a validity period <br />
-of three (3) years from the date of the <br />
-original DCMA DIBCAC High <br />
-Assessment. DCMA DIBCAC will <br />
-identify assessments that meet these <br />
-criteria and verify that SPRS accurately <br />
-reflects the CMMC Status. Eligible
-DCMA DIBCAC High Assessments <br />
+DCMA DIBCAC High Assessments include ones conducted with Joint Surveillance in accordance with the DCMA Manual 2302–01 Surveillance. The scope of the Level 2 certification assessment is identical to the scope of the DCMA DIBCAC High Assessment. In accordance with § 170.17(a)(2), the OSC must also submit an affirmation in SPRS and annually thereafter to achieve contractual eligibility.
-include ones conducted with Joint <br />
-Surveillance in accordance with the <br />
-DCMA Manual 2302–01 Surveillance. <br />
-The scope of the Level 2 certification <br />
-assessment is identical to the scope of <br />
-the DCMA DIBCAC High Assessment. In <br />
-accordance with § 170.17(a)(2), the OSC <br />
-must also submit an affirmation in SPRS <br />
-and annually thereafter to achieve <br />
-contractual eligibility.
-(2) [Reserved]. <br />
+(2) [Reserved]. (b) [Reserved].
-(b) [Reserved].
 '''§ 170.21'''
-'''Plan of Action and Milestones '''
+'''Plan of Action and Milestones'' '
-'''requirements. '''
+'''requirements.'' '
-(a) ''POA&amp;M. ''For purposes of achieving
+(a)'' POA&amp;M.'' For purposes of achieving
-a Conditional CMMC Status, an OSA is <br />
+a Conditional CMMC Status, an OSA is only permitted to have a POA&amp;M for select requirements scored as NOT MET during the CMMC assessment and only under the following conditions:
-only permitted to have a POA&amp;M for <br />
-select requirements scored as NOT MET <br />
-during the CMMC assessment and only <br />
-under the following conditions:
-(1) ''Level 1 self-assessment. ''A POA&amp;M
+(1)'' Level 1 self-assessment.'' A POA&amp;M
-is not permitted at any time for Level 1 <br />
+is not permitted at any time for Level 1 self-assessments.
-self-assessments.
-(2) ''Level 2 self-assessment and Level ''
+(2)'' Level 2 self-assessment and Level''
-''2 certification assessment. ''An OSA is <br />
+''2 certification assessment.'' An OSA is only permitted to achieve the CMMC Status of Conditional Level 2 (Self) or Conditional Level 2 (C3PAO), as appropriate, if all the following conditions are met:
-only permitted to achieve the CMMC <br />
-Status of Conditional Level 2 (Self) or <br />
-Conditional Level 2 (C3PAO), as <br />
-appropriate, if all the following <br />
-conditions are met:
 VerDate Sep&lt;11&gt;2014
@@ Line 5,793: / Line 2,635: @@
-'''83235 '''
+'''83235'' '
-'''Federal Register '''/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
+'''Federal Register'' '/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
 (i) The assessment score divided by
-the total number of CMMC Level 2 <br />
+the total number of CMMC Level 2 security requirements is greater than or equal to 0.8;
-security requirements is greater than or <br />
-equal to 0.8;
 (ii) None of the security requirements
-included in the POA&amp;M have a point <br />
+included in the POA&amp;M have a point value of greater than 1 as specified in the CMMC Scoring Methodology set forth in § 170.24, except SC.L2–3.13.11 CUI Encryption may be included on a POA&amp;M if encryption is employed but it is not FIPS-validated, which would result in a point value of 3; and
-value of greater than 1 as specified in <br />
-the CMMC Scoring Methodology set <br />
-forth in § 170.24, except SC.L2–3.13.11 <br />
-CUI Encryption may be included on a <br />
-POA&amp;M if encryption is employed but <br />
-it is not FIPS-validated, which would <br />
-result in a point value of 3; and
 (iii) None of the following security
-requirements are included in the <br />
+requirements are included in the POA&amp;M:
-POA&amp;M:
 (A) AC.L2–3.1.20 External
 Connections (CUI Data).
 (B) AC.L2–3.1.22 Control Public
 Information (CUI Data).
 (C) CA.L2–3.12.4 System Security
 Plan.
 (D) PE.L2–3.10.3 Escort Visitors (CUI
 Data).
 (E) PE.L2–3.10.4 Physical Access Logs
 (CUI Data).
 (F) PE.L2–3.10.5 Manage Physical
 Access (CUI Data).
-(3) ''Level 3 certification assessment. ''
+(3)'' Level 3 certification assessment.''
-An OSC is only permitted to achieve the <br />
+An OSC is only permitted to achieve the CMMC Status of Conditional Level 3 (DIBCAC) if all the following conditions are met:
-CMMC Status of Conditional Level 3 <br />
-(DIBCAC) if all the following conditions <br />
-are met:
 (i) The assessment score divided by
-the total number of CMMC Level 3 <br />
+the total number of CMMC Level 3 security requirements is greater than or equal to 0.8; and
-security requirements is greater than or <br />
-equal to 0.8; and
 (ii) The POA&amp;M does not include any
@@ Line 5,862: / Line 2,689: @@
 (A) IR.L3–3.6.1e Security Operations
 Center.
 (B) IR.L3–3.6.2e Cyber Incident
 Response Team.
 (C) RA.L3–3.11.1e Threat-Informed
 Risk Assessment.
 (D) RA.L3–3.11.6e Supply Chain Risk
 Response.
 (E) RA.L3–3.11.7e Supply Chain Risk
 Plan.
 (F) RA.L3–3.11.4e Security Solution
 Rationale.
 (G) SI.L3–3.14.3e Specialized Asset
 Security.
-(b) ''POA&amp;M closeout assessment. ''A
+(b)'' POA&amp;M closeout assessment.'' A
-POA&amp;M closeout assessment is a CMMC <br />
+POA&amp;M closeout assessment is a CMMC assessment that assesses only the NOT MET requirements that were identified with POA&amp;M in the initial assessment. The closing of a POA&amp;M must be confirmed by a POA&amp;M closeout assessment within 180-days of the Conditional CMMC Status Date. If the POA&amp;M is not successfully closed out within the 180-day timeframe, the Conditional CMMC Status for the information system will expire.
-assessment that assesses only the NOT <br />
-MET requirements that were identified <br />
-with POA&amp;M in the initial assessment. <br />
-The closing of a POA&amp;M must be <br />
-confirmed by a POA&amp;M closeout <br />
-assessment within 180-days of the <br />
-Conditional CMMC Status Date. If the <br />
-POA&amp;M is not successfully closed out <br />
-within the 180-day timeframe, the <br />
-Conditional CMMC Status for the <br />
-information system will expire.
-(1) ''Level 2 self-assessment. ''For a
+(1)'' Level 2 self-assessment.'' For a
-Level 2 self-assessment, the POA&amp;M <br />
+Level 2 self-assessment, the POA&amp;M closeout self-assessment shall be
-closeout self-assessment shall be
-performed by the OSA in the same <br />
+performed by the OSA in the same manner as the initial self-assessment.
-manner as the initial self-assessment.
-(2) ''Level 2 certification assessment. ''
+(2)'' Level 2 certification assessment.''
-For Level 2 certification assessment, the <br />
+For Level 2 certification assessment, the POA&amp;M closeout certification assessment must be performed by an authorized or accredited C3PAO.
-POA&amp;M closeout certification <br />
-assessment must be performed by an <br />
-authorized or accredited C3PAO.
-(3) ''Level 3 certification assessment. ''
+(3)'' Level 3 certification assessment.''
-For Level 3 certification assessment, <br />
+For Level 3 certification assessment, DCMA DIBCAC will perform the POA&amp;M closeout certification assessment.
-DCMA DIBCAC will perform the <br />
-POA&amp;M closeout certification <br />
-assessment.
 '''§ 170.22'''
-'''Affirmation. '''
+'''Affirmation.'' '
-(a) ''General. ''The OSA must affirm
+(a)'' General.'' The OSA must affirm
-continuing compliance with the <br />
+continuing compliance with the appropriate level self-assessment or certification assessment. An Affirming Official from each OSA, whether a prime or subcontractor, must affirm the continuing compliance of their respective organizations with the specified security requirement after every assessment, including POA&amp;M closeout, and annually thereafter. Affirmations are entered electronically in SPRS. The affirmation shall be submitted in accordance with the following requirements:
-appropriate level self-assessment or <br />
-certification assessment. An Affirming <br />
-Official from each OSA, whether a <br />
-prime or subcontractor, must affirm the <br />
-continuing compliance of their <br />
-respective organizations with the <br />
-specified security requirement after <br />
-every assessment, including POA&amp;M <br />
-closeout, and annually thereafter. <br />
-Affirmations are entered electronically <br />
-in SPRS. The affirmation shall be <br />
-submitted in accordance with the <br />
-following requirements:
-(1) ''Affirming Official. ''The Affirming
+(1)'' Affirming Official.'' The Affirming
-Official is the senior level representative <br />
+Official is the senior level representative from within each Organization Seeking Assessment (OSA) who is responsible for ensuring the OSA’s compliance with the CMMC Program requirements and has the authority to affirm the OSA’s continuing compliance with the specified security requirements for their respective organizations.
-from within each Organization Seeking <br />
-Assessment (OSA) who is responsible <br />
-for ensuring the OSA’s compliance with <br />
-the CMMC Program requirements and <br />
-has the authority to affirm the OSA’s <br />
-continuing compliance with the <br />
-specified security requirements for their <br />
-respective organizations.
-(2) ''Affirmation content. ''Each CMMC
+(2)'' Affirmation content.'' Each CMMC
-affirmation shall include the following <br />
+affirmation shall include the following information:
-information:
 (i) Name, title, and contact
-information for the Affirming Official; <br />
+information for the Affirming Official; and
-and
 (ii) Affirmation statement attesting
-that the OSA has implemented and will <br />
+that the OSA has implemented and will maintain implementation of all applicable CMMC security requirements to their CMMC Status for all information systems within the relevant CMMC Assessment Scope.
-maintain implementation of all <br />
-applicable CMMC security requirements <br />
-to their CMMC Status for all information <br />
-systems within the relevant CMMC <br />
-Assessment Scope.
-(3) ''Affirmation submission. ''The
+(3)'' Affirmation submission.'' The
-Affirming Official shall submit a CMMC <br />
+Affirming Official shall submit a CMMC affirmation in the following instances:
-affirmation in the following instances:
 (i) Upon achievement of a Conditional
@@ Line 5,996: / Line 2,775: @@
 (iv) Following a POA&amp;M closeout
 assessment, as applicable.
-(b) ''Submission procedures. ''All
+(b)'' Submission procedures.'' All
-affirmations shall be completed in <br />
+affirmations shall be completed in SPRS. The Department will verify submission of the affirmation in SPRS to ensure compliance with CMMC solicitation or contract requirements.
-SPRS. The Department will verify <br />
-submission of the affirmation in SPRS to <br />
-ensure compliance with CMMC <br />
-solicitation or contract requirements.
-(1) ''Level 1 self-assessment. ''At the
+(1)'' Level 1 self-assessment.'' At the
-completion of a Level 1 self-assessment <br />
+completion of a Level 1 self-assessment and annually thereafter, the Affirming Official shall submit a CMMC affirmation attesting to continuing compliance with all requirements of the CMMC Status Level 1 (Self).
-and annually thereafter, the Affirming <br />
-Official shall submit a CMMC <br />
-affirmation attesting to continuing <br />
-compliance with all requirements of the <br />
-CMMC Status Level 1 (Self).
-(2) ''Level 2 self-assessment. ''At the
+(2)'' Level 2 self-assessment.'' At the
-completion of a Level 2 self-assessment <br />
+completion of a Level 2 self-assessment and annually following a Final CMMC Status Date, the Affirming Official shall submit a CMMC affirmation attesting to continuing compliance with all requirements of the CMMC Status Level 2 (Self). An affirmation shall also be submitted at the completion of a POA&amp;M closeout self-assessment.
-and annually following a Final CMMC <br />
-Status Date, the Affirming Official shall <br />
-submit a CMMC affirmation attesting to <br />
-continuing compliance with all <br />
-requirements of the CMMC Status Level <br />
-(Self). An affirmation shall also be <br />
-submitted at the completion of a <br />
-POA&amp;M closeout self-assessment.
-(3) ''Level 2 certification assessment. ''At
+(3)'' Level 2 certification assessment.'' At
-the completion of a Level 2 certification <br />
+the completion of a Level 2 certification assessment and annually following a Final CMMC Status Date, the Affirming Official shall submit a CMMC affirmation attesting to continuing compliance with all requirements of the CMMC Status Level 2 (C3PAO). An affirmation shall also be submitted at the completion of a POA&amp;M closeout certification assessment.
-assessment and annually following a <br />
-Final CMMC Status Date, the Affirming <br />
-Official shall submit a CMMC <br />
-affirmation attesting to continuing <br />
-compliance with all requirements of the <br />
-CMMC Status Level 2 (C3PAO). An <br />
-affirmation shall also be submitted at <br />
-the completion of a POA&amp;M closeout <br />
-certification assessment.
-(4) ''Level 3 certification assessment. ''At
+(4)'' Level 3 certification assessment.'' At
-the completion of a Level 3 certification <br />
+the completion of a Level 3 certification assessment and annually following a Final CMMC Status Date, the Affirming Official shall submit a CMMC affirmation attesting to continuing compliance with all requirements of the CMMC Status Level 3 (DIBCAC). Because C3PAOs and DCMA DIBCAC check for compliance with different requirements in their respective assessments, OSCs must annually affirm their CMMC Status of Level 2 (C3PAO) in addition to their CMMC Status of Level 3 (DIBCAC) to maintain eligibility for contracts requiring compliance with Level 3. An affirmation shall also be submitted at the completion of a POA&amp;M closeout certification assessment.
-assessment and annually following a <br />
-Final CMMC Status Date, the Affirming <br />
-Official shall submit a CMMC <br />
-affirmation attesting to continuing <br />
-compliance with all requirements of the <br />
-CMMC Status Level 3 (DIBCAC). <br />
-Because C3PAOs and DCMA DIBCAC <br />
-check for compliance with different <br />
-requirements in their respective <br />
-assessments, OSCs must annually affirm <br />
-their CMMC Status of Level 2 (C3PAO) <br />
-in addition to their CMMC Status of <br />
-Level 3 (DIBCAC) to maintain eligibility <br />
-for contracts requiring compliance with <br />
-Level 3. An affirmation shall also be <br />
-submitted at the completion of a <br />
-POA&amp;M closeout certification <br />
-assessment.
 '''§ 170.23'''
-'''Application to subcontractors. '''
+'''Application to subcontractors.'' '
 (a) CMMC requirements apply to
-prime contractors and subcontractors <br />
+prime contractors and subcontractors throughout the supply chain at all tiers that will process, store, or transmit any FCI or CUI on contractor information systems in the performance of the DoD contract or subcontract. Prime contractors shall comply and shall require subcontractors to comply with and to flow down CMMC requirements, such that compliance will be required throughout the supply chain at all tiers with the applicable CMMC level and assessment type for each subcontract as follows:
-throughout the supply chain at all tiers <br />
-that will process, store, or transmit any <br />
-FCI or CUI on contractor information <br />
-systems in the performance of the DoD <br />
-contract or subcontract. Prime <br />
-contractors shall comply and shall <br />
-require subcontractors to comply with <br />
-and to flow down CMMC requirements, <br />
-such that compliance will be required <br />
-throughout the supply chain at all tiers <br />
-with the applicable CMMC level and <br />
-assessment type for each subcontract as <br />
-follows:
 (1) If a subcontractor will only
-process, store, or transmit FCI (and not <br />
+process, store, or transmit FCI (and not CUI) in performance of the subcontract,
-CUI) in performance of the subcontract,
 VerDate Sep&lt;11&gt;2014
@@ Line 6,114: / Line 2,835: @@
-'''83236 '''
+'''83236'' '
-'''Federal Register '''/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
+'''Federal Register'' '/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
-then a CMMC Status of Level 1 (Self) is <br />
+then a CMMC Status of Level 1 (Self) is required for the subcontractor.
-required for the subcontractor.
 (2) If a subcontractor will process,
-store, or transmit CUI in performance of <br />
+store, or transmit CUI in performance of the subcontract, then a CMMC Status of Level 2 (Self) is the minimum requirement for the subcontractor.
-the subcontract, then a CMMC Status of <br />
-Level 2 (Self) is the minimum <br />
-requirement for the subcontractor.
 (3) If a subcontractor will process,
-store, or transmit CUI in performance of <br />
+store, or transmit CUI in performance of the subcontract and the associated prime contract has a requirement for a CMMC Status of Level 2 (C3PAO), then the CMMC Status of Level 2 (C3PAO) is the minimum requirement for the subcontractor.
-the subcontract and the associated <br />
-prime contract has a requirement for a <br />
-CMMC Status of Level 2 (C3PAO), then <br />
-the CMMC Status of Level 2 (C3PAO) is <br />
-the minimum requirement for the <br />
-subcontractor.
 (4) If a subcontractor will process,
-store, or transmit CUI in performance of <br />
+store, or transmit CUI in performance of the subcontract and the associated prime contract has a requirement for the CMMC Status of Level 3 (DIBCAC), then the CMMC Status of Level 2 (C3PAO) is the minimum requirement for the subcontractor.
-the subcontract and the associated <br />
-prime contract has a requirement for the <br />
-CMMC Status of Level 3 (DIBCAC), then <br />
-the CMMC Status of Level 2 (C3PAO) is <br />
-the minimum requirement for the <br />
-subcontractor.
 (b) As with any solicitation or
-contract, the DoD may provide specific <br />
+contract, the DoD may provide specific guidance pertaining to flow-down.
-guidance pertaining to flow-down.
 '''§ 170.24'''
-'''CMMC Scoring Methodology. '''
+'''CMMC Scoring Methodology.'' '
-(a) ''General. ''This scoring methodology
+(a)'' General.'' This scoring methodology
-is designed to provide a measurement of <br />
+is designed to provide a measurement of an OSA’s implementation status of the NIST SP 800–171 R2 security requirements (incorporated by reference elsewhere in this part, see § 170.2) and the selected NIST SP 800–172 Feb2021 security requirements (incorporated by reference elsewhere in this part, see § 170.2). The CMMC Scoring Methodology is designed to credit partial implementation only in limited cases (''e.g.,'' multi-factor authentication IA.L2–3.5.3).
-an OSA’s implementation status of the <br />
-NIST SP 800–171 R2 security <br />
-requirements (incorporated by reference <br />
-elsewhere in this part, see § 170.2) and <br />
-the selected NIST SP 800–172 Feb2021 <br />
-security requirements (incorporated by <br />
-reference elsewhere in this part, see <br />
-§ 170.2). The CMMC Scoring <br />
-Methodology is designed to credit <br />
-partial implementation only in limited <br />
-cases (''e.g., ''multi-factor authentication <br />
-IA.L2–3.5.3).
-(b) ''Assessment findings. ''Each security
+(b)'' Assessment findings.'' Each security
-requirement assessed under the CMMC <br />
+requirement assessed under the CMMC Scoring Methodology must result in one of three possible assessment findings, as follows:
-Scoring Methodology must result in one <br />
-of three possible assessment findings, as <br />
-follows:
-(1) ''Met. ''All applicable objectives for
+(1)'' Met.'' All applicable objectives for
-the security requirement are satisfied <br />
+the security requirement are satisfied based on evidence. All evidence must be in final form and not draft. Unacceptable forms of evidence include but are not limited to working papers, drafts, and unofficial or unapproved policies.
-based on evidence. All evidence must <br />
-be in final form and not draft. <br />
-Unacceptable forms of evidence include <br />
-but are not limited to working papers, <br />
-drafts, and unofficial or unapproved <br />
-policies.
 (i) Enduring exceptions when
-described, along with any mitigations, <br />
+described, along with any mitigations, in the system security plan shall be assessed as MET.
-in the system security plan shall be <br />
-assessed as MET.
 (ii) Temporary deficiencies that are
-appropriately addressed in operational <br />
+appropriately addressed in operational plans of action (''i.e.,'' include deficiency reviews and show progress towards the implementation of corrections to reduce or eliminate identified vulnerabilities) shall be assessed as MET.
-plans of action (''i.e., ''include deficiency <br />
-reviews and show progress towards the <br />
-implementation of corrections to reduce <br />
-or eliminate identified vulnerabilities) <br />
-shall be assessed as MET.
-(2) ''Not Met. ''One or more applicable
+(2)'' Not Met.'' One or more applicable
-objectives for the security requirement <br />
+objectives for the security requirement is not satisfied. During an assessment,
-is not satisfied. During an assessment,
-for each security requirement objective <br />
+for each security requirement objective marked NOT MET, the assessor will document why the evidence does not conform.
-marked NOT MET, the assessor will <br />
-document why the evidence does not <br />
-conform.
-(3) ''Not Applicable (N/A). ''A security
+(3)'' Not Applicable (N/A).'' A security
-requirement and/or objective does not <br />
+requirement and/or objective does not apply at the time of the CMMC assessment. For example, Public-Access System Separation (SC.L2–3.13.5) might be N/A if there are no publicly accessible systems within the CMMC Assessment Scope. During an assessment, an assessment objective assessed as N/A is equivalent to the same assessment objective being assessed as MET.
-apply at the time of the CMMC <br />
-assessment. For example, Public-Access <br />
-System Separation (SC.L2–3.13.5) might <br />
-be N/A if there are no publicly <br />
-accessible systems within the CMMC <br />
-Assessment Scope. During an <br />
-assessment, an assessment objective <br />
-assessed as N/A is equivalent to the <br />
-same assessment objective being <br />
-assessed as MET.
-(c) ''Scoring. ''At each CMMC Level,
+(c)'' Scoring.'' At each CMMC Level,
-security requirements are scored as <br />
+security requirements are scored as follows:
-follows:
-(1) ''CMMC Level 1. ''All CMMC Level
+(1)'' CMMC Level 1.'' All CMMC Level
-security requirements must be fully <br />
+security requirements must be fully implemented to be considered MET. No POA&amp;M is permitted for CMMC Level 1, and self-assessment results are scored as MET or NOT MET in their entirety.
-implemented to be considered MET. No <br />
-POA&amp;M is permitted for CMMC Level 1, <br />
-and self-assessment results are scored as <br />
-MET or NOT MET in their entirety.
-(2) ''CMMC Level 2 Scoring ''
+(2)'' CMMC Level 2 Scoring''
-''Methodology. ''The maximum score <br />
+''Methodology.'' The maximum score achievable for a Level 2 self-assessment or Level 2 certification assessment is equal to the total number of CMMC Level 2 security requirements. If all CMMC Level 2 security requirements are MET, OSAs are awarded the maximum score. For each requirement NOT MET, the associated value of the security requirement is subtracted from the maximum score, which may result in a negative score.
-achievable for a Level 2 self-assessment <br />
-or Level 2 certification assessment is <br />
-equal to the total number of CMMC <br />
-Level 2 security requirements. If all <br />
-CMMC Level 2 security requirements <br />
-are MET, OSAs are awarded the <br />
-maximum score. For each requirement <br />
-NOT MET, the associated value of the <br />
-security requirement is subtracted from <br />
-the maximum score, which may result <br />
-in a negative score.
-(i) ''Procedures. ''(A) Scoring
+(i)'' Procedures.'' (A) Scoring
-methodology for Level 2 self-assessment <br />
+methodology for Level 2 self-assessment and Level 2 certification assessment is based on all CMMC Level 2 security requirement objectives, including those NOT MET.
-and Level 2 certification assessment is <br />
-based on all CMMC Level 2 security <br />
-requirement objectives, including those <br />
-NOT MET.
 (B) In the CMMC Level 2 Scoring
-Methodology, each security requirement <br />
+Methodology, each security requirement has a value (''e.g.,'' 1, 3 or 5), which is related to the designation by NIST as basic or derived security requirements. Per NIST SP 800–171 R2, the basic security requirements are obtained from FIPS PUB 200 Mar2006, which provides the high-level and fundamental security requirements for Federal information and systems. The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST SP 800–53 R5.
-has a value (''e.g., ''1, 3 or 5), which is <br />
-related to the designation by NIST as <br />
-basic or derived security requirements. <br />
-Per NIST SP 800–171 R2, the basic <br />
-security requirements are obtained from <br />
-FIPS PUB 200 Mar2006, which provides <br />
-the high-level and fundamental security <br />
-requirements for Federal information <br />
-and systems. The derived security <br />
-requirements, which supplement the <br />
-basic security requirements, are taken <br />
-from the security controls in NIST SP <br />
-–53 R5.
 (''1'') For NIST SP 800–171 R2 basic and
-derived security requirements that, if <br />
+derived security requirements that, if not implemented, could lead to significant exploitation of the network, or exfiltration of CUI, five (5) points are subtracted from the maximum score. The basic and derived security requirements with a value of five (5) points include:
-not implemented, could lead to <br />
-significant exploitation of the network, <br />
-or exfiltration of CUI, five (5) points are <br />
-subtracted from the maximum score. <br />
-The basic and derived security <br />
-requirements with a value of five (5) <br />
-points include:
-(''i'') ''Basic security requirements. ''
+(''i'')'' Basic security requirements.''
-AC.L2–3.1.1, AC.L2–3.1.2, AT.L2–3.2.1, <br />
+AC.L2–3.1.1, AC.L2–3.1.2, AT.L2–3.2.1, AT.L2–3.2.2, AU.L2–3.3.1, CM.L2–3.4.1, CM.L2–3.4.2, IA–L2–3.5.1, IA–L2–3.5.2, IR.L2–3.6.1, IR.L2–3.6.2, MA.L2–3.7.2, MP.L2–3.8.3, PS.L2–3.9.2, PE.L2–3.10.1, PE.L2–3.10.2, CA.L2–3.12.1, CA.L2– 3.12.3, SC.L2–3.13.1, SC.L2–3.13.2, SI.L2–3.14.1, SI.L2–3.14.2, and SI.L2– 3.14.3.
-AT.L2–3.2.2, AU.L2–3.3.1, CM.L2–3.4.1, <br />
-CM.L2–3.4.2, IA–L2–3.5.1, IA–L2–3.5.2, <br />
-IR.L2–3.6.1, IR.L2–3.6.2, MA.L2–3.7.2, <br />
-MP.L2–3.8.3, PS.L2–3.9.2, PE.L2–3.10.1, <br />
-PE.L2–3.10.2, CA.L2–3.12.1, CA.L2– <br />
-.12.3, SC.L2–3.13.1, SC.L2–3.13.2, <br />
-SI.L2–3.14.1, SI.L2–3.14.2, and SI.L2– <br />
-.14.3.
-(''ii'') ''Derived security requirements. ''
+(''ii'')'' Derived security requirements.''
-AC.L2–3.1.12, AC.L2–3.1.13, AC.L2– <br />
+AC.L2–3.1.12, AC.L2–3.1.13, AC.L2– 3.1.16, AC.L2–3.1.17, AC.L2–3.1.18, AU.L2–3.3.5, CM.L2–3.4.5, CM.L2– 3.4.6, CM.L2–3.4.7, CM.L2–3.4.8, IA.L2– 3.5.10, MA.L2–3.7.5, MP.L2–3.8.7, RA.L2–3.11.2, SC.L2–3.13.5, SC.L2– 3.13.6, SC.L2–3.13.15, SI.L2–3.14.4, and SI.L2–3.14.6.
-.1.16, AC.L2–3.1.17, AC.L2–3.1.18, <br />
-AU.L2–3.3.5, CM.L2–3.4.5, CM.L2– <br />
-.4.6, CM.L2–3.4.7, CM.L2–3.4.8, IA.L2– <br />
-.5.10, MA.L2–3.7.5, MP.L2–3.8.7, <br />
-RA.L2–3.11.2, SC.L2–3.13.5, SC.L2– <br />
-.13.6, SC.L2–3.13.15, SI.L2–3.14.4, and <br />
-SI.L2–3.14.6.
 (''2'') For basic and derived security
-requirements that, if not implemented, <br />
+requirements that, if not implemented, have a specific and confined effect on the security of the network and its data, three (3) points are subtracted from the maximum score. The basic and derived security requirements with a value of three (3) points include:
-have a specific and confined effect on <br />
-the security of the network and its data, <br />
-three (3) points are subtracted from the <br />
-maximum score. The basic and derived <br />
-security requirements with a value of <br />
-three (3) points include:
-(''i'') ''Basic security requirements. ''
+(''i'')'' Basic security requirements.''
-AU.L2–3.3.2, MA.L2–3.7.1, MP.L2– <br />
+AU.L2–3.3.2, MA.L2–3.7.1, MP.L2– 3.8.1, MP.L2–3.8.2, PS.L2–3.9.1, RA.L2– 3.11.1, and CA.L2–3.12.2.
-.8.1, MP.L2–3.8.2, PS.L2–3.9.1, RA.L2– <br />
-.11.1, and CA.L2–3.12.2.
-(''ii'') ''Derived security requirements. ''
+(''ii'')'' Derived security requirements.''
-AC.L2–3.1.5, AC.L2- 3.1.19, MA.L2– <br />
+AC.L2–3.1.5, AC.L2- 3.1.19, MA.L2– 3.7.4, MP.L2–3.8.8, SC.L2–3.13.8, SI.L2– 3.14.5, and SI.L2–3.14.7.
-.7.4, MP.L2–3.8.8, SC.L2–3.13.8, SI.L2– <br />
-.14.5, and SI.L2–3.14.7.
 (''3'') All remaining derived security
-requirements, other than the exceptions <br />
+requirements, other than the exceptions noted, if not implemented, have a limited or indirect effect on the security of the network and its data. For these, 1 point is subtracted from the maximum score.
-noted, if not implemented, have a <br />
-limited or indirect effect on the security <br />
-of the network and its data. For these, <br />
-point is subtracted from the maximum <br />
-score.
 (''4'') Two derived security
-requirements, IA.L2–3.5.3 and SC.L2– <br />
+requirements, IA.L2–3.5.3 and SC.L2– 3.13.11, can be partially effective even if not completely or properly implemented, and the points deducted may be adjusted depending on how the security requirement is implemented.
-.13.11, can be partially effective even <br />
-if not completely or properly <br />
-implemented, and the points deducted <br />
-may be adjusted depending on how the <br />
-security requirement is implemented.
 (''i'') Multi-factor authentication (MFA)
-(CMMC Level 2 security requirement <br />
+(CMMC Level 2 security requirement IA.L2–3.5.3) is typically implemented first for remote and privileged users (since these users are both limited in number and more critical) and then for the general user, so three (3) points are subtracted from the maximum score if MFA is implemented only for remote and privileged users. Five (5) points are subtracted from the maximum score if MFA is not implemented for any users.
-IA.L2–3.5.3) is typically implemented <br />
-first for remote and privileged users <br />
-(since these users are both limited in <br />
-number and more critical) and then for <br />
-the general user, so three (3) points are <br />
-subtracted from the maximum score if <br />
-MFA is implemented only for remote <br />
-and privileged users. Five (5) points are <br />
-subtracted from the maximum score if <br />
-MFA is not implemented for any users.
 (''ii'') FIPS-validated encryption (CMMC
-Level 2 security requirement SC.L2– <br />
+Level 2 security requirement SC.L2– 3.13.11) is required to protect the confidentiality of CUI. If encryption is employed, but is not FIPS-validated, three (3) points are subtracted from the maximum score; if encryption is not
-.13.11) is required to protect the <br />
-confidentiality of CUI. If encryption is <br />
-employed, but is not FIPS-validated, <br />
-three (3) points are subtracted from the <br />
-maximum score; if encryption is not
 VerDate Sep&lt;11&gt;2014
@@ Line 6,405: / Line 2,977: @@
-'''83237 '''
+'''83237'' '
-'''Federal Register '''/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
+'''Federal Register'' '/ Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
-employed; five (5) points are subtracted <br />
+employed; five (5) points are subtracted from the maximum score.
-from the maximum score.
 (''5'') OSAs must have a System Security
-Plan (SSP) (CMMC security requirement <br />
+Plan (SSP) (CMMC security requirement CA.L2–3.12.4) in place at the time of assessment to describe each information system within the CMMC Assessment Scope. The absence of an up to date SSP at the time of the assessment would result in a finding that ‘''an assessment could not be completed due to incomplete information and noncompliance with 48 CFR 252.204– 7012.''’
-CA.L2–3.12.4) in place at the time of <br />
-assessment to describe each information <br />
-system within the CMMC Assessment <br />
-Scope. The absence of an up to date SSP <br />
-at the time of the assessment would <br />
-result in a finding that ‘''an assessment <br />
-could not be completed due to <br />
-incomplete information and <br />
-noncompliance with 48 CFR 252.204– <br />
-.''’
 (''6'') For each NOT MET security
-requirement the OSA must have a <br />
+requirement the OSA must have a POA&amp;M in place. A POA&amp;M addressing
-POA&amp;M in place. A POA&amp;M addressing
-NOT MET security requirements is not <br />
+NOT MET security requirements is not a substitute for a completed requirement. Security requirements not implemented, whether described in a POA&amp;M or not, is assessed as ‘NOT MET.’
-a substitute for a completed <br />
-requirement. Security requirements not <br />
-implemented, whether described in a <br />
-POA&amp;M or not, is assessed as ‘NOT <br />
-MET.’
 (''7'') Specialized Assets must be
-evaluated for their asset category per the <br />
+evaluated for their asset category per the CMMC scoping guidance for the level in question and handled accordingly as set forth in § 170.19.
-CMMC scoping guidance for the level in <br />
-question and handled accordingly as set <br />
-forth in § 170.19.
 (''8'') If an OSC previously received a
-favorable adjudication from the DoD <br />
+favorable adjudication from the DoD CIO indicating that a security requirement is not applicable or that an alternative security measure is equally effective (in accordance with 48 CFR
-CIO indicating that a security <br />
-requirement is not applicable or that an <br />
-alternative security measure is equally <br />
-effective (in accordance with 48 CFR
-.204–7008 or 48 CFR 252.204–7012), <br />
+.204–7008 or 48 CFR 252.204–7012), the DoD CIO adjudication must be included in the system security plan to receive consideration during an assessment. A security requirement for which implemented security measures have been adjudicated by the DoD CIO as equally effective is assessed as MET if there have been no changes in the environment.
-the DoD CIO adjudication must be <br />
-included in the system security plan to <br />
-receive consideration during an <br />
-assessment. A security requirement for <br />
-which implemented security measures <br />
-have been adjudicated by the DoD CIO <br />
-as equally effective is assessed as MET <br />
-if there have been no changes in the <br />
-environment.
-(ii) ''CMMC Level 2 Scoring Table. ''
+(ii)'' CMMC Level 2 Scoring Table.''
-CMMC Level 2 scoring has been <br />
+CMMC Level 2 scoring has been assigned based on the methodology set forth in table 1 to this paragraph (c)(2)(ii).
-assigned based on the methodology set <br />
-forth in table 1 to this paragraph <br />
-(c)(2)(ii).
 TABLE 7 TO § 170.24(c)(2)(ii)—CMMC LEVEL 2 SCORING TABLE
@@ Line 6,481: / Line 3,017: @@
 maximum score
-''Basic Security Requirements: ''
+''Basic Security Requirements:''
 If not implemented, could lead to significant exploitation of the network, or exfiltration of CUI ...........................................
@@ Line 6,491: / Line 3,027: @@
-''Derived Security Requirements: ''
+''Derived Security Requirements:''
 If not implemented, could lead to significant exploitation of the network, or exfiltration of CUI ...........................................
@@ Line 6,503: / Line 3,039: @@
 or 5
-—Partially effective implementation—3 points. <br />
+—Partially effective implementation—3 points. —Non-effective (not implemented at all)—5 points.
-—Non-effective (not implemented at all)—5 points.
 If not implemented, has specific and confined effect on the security of the network and its data .......................................
@@ Line 6,514: / Line 3,049: @@
-(3) ''CMMC Level 3 assessment scoring ''
+(3)'' CMMC Level 3 assessment scoring''
-''methodology. ''CMMC Level 3 scoring <br />
+''methodology.'' CMMC Level 3 scoring does not utilize varying values like the scoring for CMMC Level 2. All CMMC Level 3 security requirements use a value of one (1) point for each security requirement. As a result, the maximum score achievable for a Level 3 certification assessment is equivalent to the total number of the selected subset of NIST SP 800–172 Feb2021 security requirements for CMMC Level 3, see § 170.14(c)(4). The maximum score is reduced by one (1) point for each security requirement NOT MET. The CMMC Level 3 scoring methodology reflects the fact that all CMMC Level 2 security requirements must already be MET (for the Level 3 CMMC Assessment
-does not utilize varying values like the <br />
-scoring for CMMC Level 2. All CMMC <br />
-Level 3 security requirements use a <br />
-value of one (1) point for each security <br />
-requirement. As a result, the maximum <br />
-score achievable for a Level 3 <br />
-certification assessment is equivalent to <br />
-the total number of the selected subset <br />
-of NIST SP 800–172 Feb2021 security <br />
-requirements for CMMC Level 3, see <br />
-§ 170.14(c)(4). The maximum score is <br />
-reduced by one (1) point for each <br />
-security requirement NOT MET. The <br />
-CMMC Level 3 scoring methodology <br />
-reflects the fact that all CMMC Level 2 <br />
-security requirements must already be <br />
-MET (for the Level 3 CMMC Assessment
-Scope). A maximum score on the Level <br />
+Scope). A maximum score on the Level 2 certification assessment is required to be eligible to initiate a Level 3 certification assessment. The Level 3 certification assessment score is equal to the number of CMMC Level 3 security requirements that are assessed as MET.
-certification assessment is required to <br />
-be eligible to initiate a Level 3 <br />
-certification assessment. The Level 3 <br />
-certification assessment score is equal to <br />
-the number of CMMC Level 3 security <br />
-requirements that are assessed as MET.
-'''Appendix A to Part 170—Guidance '''
+'''Appendix A to Part 170—Guidance'' '
-Guidance documents include: <br />
+Guidance documents include: (a) ‘‘CMMC Model Overview’’ available at
-(a) ‘‘CMMC Model Overview’’ available at
-[https://DoDcio.defense.gov/CMMC/ ''https://DoDcio.defense.gov/CMMC/''. ]
+[https://DoDcio.defense.gov/CMMC/'' https://DoDcio.defense.gov/CMMC/''. ]
 (b) ‘‘CMMC Assessment Guide—Level 1’’
-available at [https://DoDcio.defense.gov/CMMC/ ''https://DoDcio.defense.gov/ <br />
+available at [https://DoDcio.defense.gov/CMMC/'' https://DoDcio.defense.gov/ CMMC/''. ]
-CMMC/''. ]
 (c) ‘‘CMMC Assessment Guide—Level 2’’
-available at [https://DoDcio.defense.gov/CMMC/ ''https://DoDcio.defense.gov/ <br />
+available at [https://DoDcio.defense.gov/CMMC/'' https://DoDcio.defense.gov/ CMMC/''. ]
-CMMC/''. ]
 (d) ‘‘CMMC Assessment Guide—Level 3’’
-available at [https://DoDcio.defense.gov/CMMC/ ''https://DoDcio.defense.gov/ <br />
+available at [https://DoDcio.defense.gov/CMMC/'' https://DoDcio.defense.gov/ CMMC/''. ]
-CMMC/''. ]
 (e) ‘‘CMMC Scoping Guide—Level 1’’
-[https://DoDcio.defense.gov/CMMC/ available at ''https://DoDcio.defense.gov/ <br />
+[https://DoDcio.defense.gov/CMMC/ available at'' https://DoDcio.defense.gov/ CMMC/''. ]
-CMMC/''. ]
 (f) ‘‘CMMC Scoping Guide—Level 2’’
-[https://DoDcio.defense.gov/CMMC/ available at ''https://DoDcio.defense.gov/ <br />
+[https://DoDcio.defense.gov/CMMC/ available at'' https://DoDcio.defense.gov/ CMMC/''. ]
-CMMC/''. ]
 (g) ‘‘CMMC Scoping Guide—Level 3’’
-[https://DoDcio.defense.gov/CMMC/ available at ''https://DoDcio.defense.gov/ <br />
+[https://DoDcio.defense.gov/CMMC/ available at'' https://DoDcio.defense.gov/ CMMC/''. ]
-CMMC/''. ]
 (h) ‘‘CMMC Hashing Guide’’ available at
-[https://DoDcio.defense.gov/CMMC/ ''https://DoDcio.defense.gov/CMMC/. '']
+[https://DoDcio.defense.gov/CMMC/'' https://DoDcio.defense.gov/CMMC/.'' ]
 Dated: September 30, 2024.
-'''Patricia L. Toppings, <br />
+'''Patricia L. Toppings,'' '''OSD Federal Register Liaison Officer, Department of Defense.'' [FR Doc. 2024–22905 Filed 10–11–24; 8:45 am]
-'''''OSD Federal Register Liaison Officer, <br />
-Department of Defense. <br />
-''[FR Doc. 2024–22905 Filed 10–11–24; 8:45 am]
-'''BILLING CODE 6001–FR–P '''
+'''BILLING CODE 6001–FR–P'' '
 VerDate Sep&lt;11&gt;2014

32 CFR Part 170: Difference between revisions

Revision as of 23:06, 2 March 2025

PART 170—CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC) PROGRAM

Subpart A—General Information

Subpart B—Government Roles and Responsibilities

Subpart C—CMMC Assessment and Certification Ecosystem

Subpart D—Key Elements of the CMMC Program

Subpart A - General Information.

§ 170.1 Purpose.

§ 170.2 Incorporation by reference.

§ 170.3 Applicability.

§ 170.4 Acronyms and definitions.

§ 170.5 Policy.

Subpart B—Government Roles and Responsibilities.

§ 170.6 CMMC PMO.

§ 170.7 DCMA DIBCAC.

Subpart C—CMMC Assessment and Certification Ecosystem.

§ 170.8 Accreditation Body.

Navigation menu

Search