32 CFR Part 170
83092
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
1
www.federalregister.gov/citation/75-FR-68675
(November 4, 2010).
2
www.federalregister.gov/citation/75-FR-707
(December 29, 2009).
3
www.govinfo.gov/link/uscode/42/2011, et seq.
4
www.federalregister.gov/documents/2020/09/
[http://www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of 29/2020-21123/defense-federal-acquisition-
regulation-supplement-assessing-contractor-
implementation-of. ]
5
www.federalregister.gov/documents/2024/08/
[http://www.federalregister.gov/documents/2024/08/15/2024-18110/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of 15/2024-18110/defense-federal-acquisition-
regulation-supplement-assessing-contractor-
implementation-of. ]
6
www.sprs.csd.disa.mil/ under OMB control
number 0750–0004.
DEPARTMENT OF DEFENSE
Office of the Secretary
32 CFR Part 170
[Docket ID: DoD–2023–OS–0063]
RIN 0790–AL49
Cybersecurity Maturity Model
Certification (CMMC) Program
AGENCY
:
Office of the Department of
Defense Chief Information Officer (CIO),
Department of Defense (DoD).
ACTION
:
Final rule.
SUMMARY
:
With this final rule, DoD
establishes the Cybersecurity Maturity
Model Certification (CMMC) Program in
order to verify contractors have
implemented required security
measures necessary to safeguard Federal
Contract Information (FCI) and
Controlled Unclassified Information
(CUI). The mechanisms discussed in
this rule will allow the Department to
confirm a defense contractor or
subcontractor has implemented the
security requirements for a specified
CMMC level and is maintaining that
status (meaning level and assessment
type) across the contract period of
performance. This rule will be updated
as needed, using the appropriate
rulemaking process, to address evolving
cybersecurity standards, requirements,
threats, and other relevant changes.
DATES
:
This rule is effective December
16, 2024. The incorporation by reference
of certain material listed in this rule is
approved by the Director of the Federal
Register as of December 16, 2024.
FOR FURTHER INFORMATION CONTACT
:
Ms.
Diane Knight, Office of the DoD CIO at
[mailto:osd.pentagon.dod-cio.mbx.cmmc-inquiries@mail.mil osd.pentagon.dod-cio.mbx.cmmc-
inquiries@mail.mil ]or 202–770–9100.
SUPPLEMENTARY INFORMATION
:
History of the Program
The beginnings of CMMC start with
the November 2010, Executive Order
(E.O.) 13556,1 Controlled Unclassified
Information. The intent of this Order
was to ‘‘establish an open and uniform
program for managing [unclassified]
information that requires safeguarding
or dissemination controls.’’ Prior to this
E.O., more than 100 different markings
for this information existed across the
executive branch. This ad hoc, agency-
specific approach created inefficiency
and confusion, led to a patchwork
system that failed to adequately
safeguard information requiring
protection, and unnecessarily restricted
information-sharing.
As a result, the E.O. established the
CUI Program to standardize the way the
executive branch handles information
requiring safeguarding or dissemination
controls (excluding information that is
classified under E.O. 13526, Classified
National Security Information 2 or any
predecessor or successor order; or the
Atomic Energy Act of 1954,3 as
amended).
In 2019, DoD announced the
development of CMMC in order to move
away from a ‘‘self-attestation’’ model of
security. It was first conceived by the
Office of the Under Secretary of Defense
for Acquisition and Sustainment
(OUSD(A&S)) to secure the Defense
Industrial Base (DIB) sector against
evolving cybersecurity threats. In
September 2020, DoD published the 48
CFR CMMC interim final rule, Defense
Federal Acquisition Regulation
Supplement (DFARS): Assessing
Contractor Implementation of
Cybersecurity Requirements (DFARS
Case 2019–D041 85 FR 48513,
September 9, 2020),4 which
implemented the DoD’s vision for the
initial CMMC Program and outlined the
basic features of the framework (tiered
model of practices and processes,
required assessments, and
implementation through contracts) to
protect FCI and CUI. The 48 CFR CMMC
interim final rule became effective on 30
November 2020, establishing a five-year
phase-in period. In response to
approximately 750 public comments on
the 48 CFR CMMC interim final rule, in
March 2021, the Department initiated an
internal review of CMMC’s
implementation.
In November 2021, the Department
announced the revised CMMC Program,
an updated program structure and
requirements designed to achieve the
primary goals of the internal review:
• Safeguard sensitive information to
enable and protect the warfighter
• Enforce DIB cybersecurity standards
to meet evolving threats
• Ensure accountability while
minimizing barriers to compliance
with DoD requirements
• Perpetuate a collaborative culture of
cybersecurity and cyber resilience
• Maintain public trust through high
professional and ethical standards
The revised CMMC Program has three
key features:
• Tiered Model: CMMC requires
companies entrusted with Federal
contract information and controlled
unclassified information to implement
cybersecurity standards at progressively
advanced levels, depending on the type
and sensitivity of the information. The
program also describes the process for
requiring protection of information
flowed down to subcontractors.
• Assessment Requirement: CMMC
assessments allow the Department to
verify the implementation of clear
cybersecurity standards.
• Phased Implementation: Once
CMMC rules become effective, certain
DoD contractors handling FCI and CUI
will be required to achieve a particular
CMMC level as a condition of contract
award. CMMC requirements will be
implemented using a 4-phase
implementation plan over a three-year
period.
Current Status of the CMMC Program
Separate from this rulemaking, DoD
has a proposed acquisition rule (48 CFR
part 204 CMMC Acquisition rule) to
amend the Defense Federal Acquisition
Regulation Supplement (DFARS) to
address procurement related
considerations and requirements related
to this program rule (32 CFR part 170
CMMC Program rule). The 48 CFR part
204 CMMC Acquisition rule also
partially implements a section of the
National Defense Authorization Act for
Fiscal Year 2020 directing the Secretary
of Defense to develop a consistent,
comprehensive framework to enhance
cybersecurity for the U.S. defense
industrial base.5 The 48 CFR part 204
CMMC Acquisition rule, when
finalized, will allow DoD to require a
specific CMMC level in a solicitation or
contract. When CMMC requirements are
applied to a solicitation, Contracting
officers will not make award, exercise
an option, or extend the period of
performance on a contract, if the offeror
or contractor does not have the passing
results of a current certification
assessment or self-assessment for the
required CMMC level, and an
affirmation of continuous compliance
with the security requirements in the
Supplier Performance Risk System
(SPRS) 6 for all information systems that
process, store, or transmit FCI or CUI
during contract performance.
Furthermore, the appropriate CMMC
certification requirements will flow
down to subcontractors at all tiers when
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00002
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83093
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
7
www.acquisition.gov/dfars/252.204-7012-
[http://www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting safeguarding-covered-defense-information-and-
cyber-incident-reporting. ]
8
www.acquisition.gov/dfars/252.204-7020-nist-
sp-800-171dod-assessment-requirements.
9
Required since November 2016, NIST SP 800–
171 R2 security requirement 3.12.4 states
organizations must ‘‘develop, document, and
periodically update system security plans that
describe system boundaries, system environments
of operation, how security requirements are
implemented, and the relationships with or
connections to other systems.’’
10
https://media.defense.gov/2024/Mar/28/
the subcontractor processes, stores, or
transmits FCI or CUI. It should be noted
the Department may include CMMC
requirements on contracts awarded
prior to 48 CFR part 204 CMMC
Acquisition rule becoming effective, but
doing so will require bilateral contract
modification after negotiations.
To date, the DoD has relied on offeror
representation that the security
requirements of National Institute of
Standards and Technology (NIST)
Special Publication (SP) 800–171,
‘‘Protecting Controlled Unclassified
Information in Nonfederal Systems and
Organizations’’ have been met, as
described by 48 CFR 252.204–7008. In
some instances, the DoD has verified
contractor implementation of NIST SP
800–171 through assessment by the
Defense Contract Management Agency
(DCMA) Defense Industrial Base
Cybersecurity Assessment Center
(DIBCAC). As part of this responsibility,
DCMA DIBCAC assesses DIB companies
to ensure they are meeting contractually
required cybersecurity standards and to
ensure contractors have the ability to
protect CUI for government contracts
they are awarded. DCMA DIBCAC
conducts NIST SP 800–171 assessments
in support of 48 CFR 252.204–7012
(DFARS clause 252.204–7012),
Safeguarding Covered Defense
Information and Cyber Incident
Reporting,7 and 48 CFR 252.204–7020
(DFARS clause 252.204–7020), NIST SP
800–171 DoD Assessment
Requirements.8 The DCMA DIBCAC
prioritization process is designed to
adjust as DoD’s cyber priorities evolve
based on ongoing threats. DCMA
DIBCAC collects and analyzes data on
DoD contractors to include:
• Mission critical programs,
technologies, and infrastructure and the
contractors (prime or lower tier) that
support DoD capabilities.
• Cyber threats, vulnerabilities, or
incidents.
• DoD Leadership requests.
To date, DCMA DIBCAC has assessed
357 entities including DoD’s major
prime contractors. In accordance with
NIST SP 800–171, titled ‘‘Protecting
Controlled Unclassified Information in
Nonfederal Systems and
Organizations,’’ Revision 2, February
2020 (includes updates as of January 28,
2021) (NIST SP 800–171 R2),
contractors must describe in a System
Security Plan (SSP) 9 how the security
requirements are met or how the
organizations plan to meet the
requirements and address known and
anticipated threats. In the event
companies cannot establish full
compliance, they must develop plans of
action that describe how
unimplemented security requirements
will be met and how any planned
mitigations will be implemented.
Although an explicit time limit for
mitigation is not specified in NIST SP
800–171 R2, contractors that fail to
reasonably comply with applicable
requirements may be subject to standard
contractual remedies. The CMMC
Program’s assessment phase-in plan, as
described in § 170.3, does not preclude
entities from immediately seeking a
CMMC certification assessment prior to
the 48 CFR part 204 CMMC Acquisition
rule being finalized and the clause being
added to new or existing DoD contracts.
The Department estimates 8350
medium and large entities will be
required to meet CMMC Level 2 C3PAO
assessment requirements as a condition
of contract award. CMMC Level 2
requirements will apply to all
contractors that process, store, or
transmit CUI, and will provide DoD
with a means to assess that CUI
safeguarding requirements prescribed in
32 CFR part 2002 have been met. DoD
estimates 135 CMMC Third-Party
Assessment Organization (C3PAO)-led
certification assessments will be
completed in the first year, 673 C3PAO
certification assessments in year 2,
2,252 C3PAO certification assessments
in year 3, and 4,452 C3PAO certification
assessments in year four.
Any DoD component can request
DCMA DIBCAC to initiate an
assessment and these requests will take
priority in the assessment scheduling
process. Once identified for assessment,
DCMA DIBCAC determines the
assessment date and notifies the
company to begin the pre-assessment
process. Typically, planning and
scheduling takes place 3 to 6 months in
advance of a DCMA DIBCAC assessment
to allow DCMA DIBCAC and the DIB
company time to prepare, however,
DoD’s identified priorities may expedite
the execution of an assessment. As
discussed in more detail in the
regulatory text, assessment results are
reported to DoD, including key
stakeholders via SPRS and made
available to the DIB company. Please see
the DCMA DIBCAC website at
www.dcma.mil/DIBCAC/ that includes
links to the pre-assessment documents;
a publicly releasable version of the
assessment database; FAQs; an
informational video; a link to
Procurement Integrated Enterprise
Environment (PIEE), the primary
enterprise procure-to-pay application
for the DoD; a link to SPRS where
assessment scores are posted; and links
to other reference materials.
As discussed in more detail later in
the regulatory text, all requirements that
are scored as NOT MET are identified in
a Plan of Action and Milestones
(POA&M) to meet the CMMC
requirement. Organizations Seeking
Assessment (OSAs) satisfy the CMMC
requirements needed for contract award
by successfully meeting all 110 security
requirements of NIST SP 800–171 R2 or
by receiving a Conditional CMMC
Status when achieving the minimum
passing score of 80 percent and only
including permittable NOT MET
requirements as described in § 170.21
on the POA&M. All requirements that
were scored ‘‘NOT MET’’ and placed on
the POA&M must be remedied within
180 days of receiving their Conditional
CMMC Status. Proper implementation
of these requirements must be verified
by a second assessment, called a
POA&M closeout assessment. If the
POA&M closeout assessment finds that
all requirements have been met, then
the OSA will achieve a CMMC Status of
Final Level 2 (Self) or Final Level 2
(C3PAO) as applicable. However, if the
POA&M closeout assessment does not
validate all requirements have been met
by the end of the 180 days, then the
CMMC Status of Conditional Level 2
(Self) or Conditional Level 2 (C3PAO)
will expire and at this point, standard
contractual remedies will apply for any
current contract.
DoD has created a series of guidance
documents to assist organizations in
better understanding the CMMC
Program and the assessment process and
scope for each CMMC level. These
guidance documents are available on
[https://dodcio.defense.gov/CMMC/Documentation/ the DoD CMMC website at https://
dodcio.defense.gov/CMMC/
Documentation/ ]and on the DoD Open
Government website at [https://open.defense.gov/Regulatory-Program/Guidance-Documents/ https://
open.defense.gov/Regulatory-Program/
Guidance-Documents/. ]The CMMC
Program has also been incorporated in
the Department’s 2024 Defense
Industrial Base Cybersecurity Strategy.10
The strategy requires the Department to
coordinate and collaborate across
components to identify and close gaps
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00003
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83094
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
11
www.govinfo.gov/content/pkg/FR-2020-12-21/
12
www.dcsa.mil/Industrial-Security/National-
[http://www.dcsa.mil/Industrial-Security/National-Industrial-Security-Program-Oversight/32-CFR-Part-117-NISPOM-Rule/ Industrial-Security-Program-Oversight/32-CFR-Part-
117-NISPOM-Rule/. ]
13
www.acquisition.gov/far/52.204-21.
14
www.acquisition.gov/dfars/252.204-7012-
[http://www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting safeguarding-covered-defense-information-and-
cyber-incident-reporting. ]
15
Required since November 2016, NIST SP 800–
171 R2 security requirement 3.12.4 states
organizations must ‘‘develop, document, and
periodically update system security plans that
describe system boundaries, system environments
of operation, how security requirements are
implemented, and the relationships with or
connections to other systems.’’
16
www.sprs.csd.disa.mil/ under OMB control
number 0750–0004.
17
The plan of action requirement described under
DFARS clause 252.204–7020 is different from a
Plan of Action and Milestones (POA&M)
requirement in CMMC as plans of action do not
require milestones.
18
www.federalregister.gov/documents/2020/09/
[http://www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of 29/2020-21123/defense-federal-acquisition-
regulation-supplement-assessing-contractor-
implementation-of. ]
19
www.acq.osd.mil/asda/dpc/cp/cyber/docs/
[http://www.acq.osd.mil/asda/dpc/cp/cyber/docs/safeguarding/NIST-SP-800-171-Assessment-Methodology-Version-1.2.1-6.24.2020.pdf safeguarding/NIST-SP-800-171-Assessment-
Methodology-Version-1.2.1-6.24.2020.pdf. ]
in protecting DoD networks, supply
chains, and other critical resources.
Other prongs of the Department’s
cybersecurity strategy are described in
the Department’s National Industrial
Security Program Operating Manual
(NISPOM) which address
implementation of the Security
Executive Agent Directive (SEAD) 3 11
procedures for the protection and
reproduction of classified information;
controlled unclassified information
(CUI); National Interest Determination
(NID) requirements for cleared
contractors operating under a Special
Security Agreement for Foreign
Ownership, Control, or Influence; and
eligibility determinations for personnel
security clearance processes and
requirements.12
Overview of Revised CMMC Program
Current Requirements for Defense
Contractors and Subcontractors
Currently, Federal contracts
(including defense contracts) involving
the transfer of FCI to a non-Government
organization follow the requirements
specified in 48 CFR 52.204–21 (Federal
Acquisition Regulation (FAR) clause
52.204–21), Basic Safeguarding of
Covered Contractor Information
Systems.13 FAR clause 52.204–21
requires compliance with 15 security
requirements, FAR clause 52.204–21
(b)(1), items (i) through (xv). These
requirements are the minimum
necessary for any entity wishing to
receive FCI from the US Government
(USG).
Defense contracts involving the
development or transfer of CUI to a non-
Government organization require
applicable requirements of DFARS
clause 252.204–7012.14 This clause
requires defense contractors to provide
adequate security on all covered
contractor information systems by
implementing the 110 security
requirements specified in NIST SP 800–
171. This clause includes additional
requirements; for example, defense
contractors must confirm that any Cloud
Service Providers (CSPs) used by the
contractor to handle CUI meet Federal
Risk and Authorization Management
Program (FedRAMP) Moderate Baseline
or the equivalent requirements. It also
requires defense contractors to flow
down all the requirements to their
subcontractors who process, store, or
transmit CUI. The CMMC Program
currently does not include any
requirements for contractors operating
systems on behalf of the DoD.
To comply with DFARS clause
252.204–7012, contractors are required
to develop a SSP 15 detailing the policies
and procedures their organization has in
place to comply with NIST SP 800–171.
The SSP serves as a foundational
document for the required NIST SP
800–171 self-assessment. To comply
with 48 CFR 252.204–7019 (DFARS
provision 252.204–7019) and DFARS
clause 252.204–7020, self-assessment
scores must be submitted.16 The highest
score is 110, meaning all 110 NIST SP
800–171 security requirements have
been fully implemented. If a contractor’s
Supplier Performance Risk System
(SPRS) score is less than 110, indicating
security gaps exist, then the contractor
must create a plan of action 17
identifying security tasks that still need
to be accomplished. In essence, an SSP
describes the cybersecurity plan the
contractor has in place to protect CUI.
The SSP needs to address each NIST SP
800–171 security requirement and
explain how the requirement is
implemented. This can be through
policy, technology, or a combination of
both.
In November 2020, the DoD released
its 48 CFR CMMC interim final rule, the
Defense Federal Acquisition Regulation
Supplement: Assessing Contractor
Implementation of Cybersecurity
Requirements 18 (DFARS Case 2019–
D041, 85 FR 61505, November 30,
2020). The goal of this rule was to
increase compliance with its
cybersecurity regulations and improve
security throughout the DIB. This rule
introduced one new provision and two
new clauses—DFARS provision
252.204–7019, DFARS clause 252.204–
7020, and 48 CFR 252.204–7021
(DFARS clause 252.204–7021).
• DFARS provision 252.204–7019
complements DFARS clause 252.204–
7012 by requiring contractors to have a
NIST SP 800–171 assessment (basic,
medium, or high) according to NIST SP
800–171 DoD Assessment
Methodology.19 Assessment scores must
be reported to the Department via SPRS.
SPRS scores must be submitted by the
time of contract award and not be more
than three years old.
• DFARS clause 252.204–7020
notifies contractors that DoD reserves
the right to conduct a higher-level
assessment of contractors’ cybersecurity
compliance, and contractors must give
DoD assessors full access to their
facilities, systems, and personnel.
Further, DFARS clause 252.204–7020
complements DFARS clause 252.204–
7012’s flow down requirements by
holding contractors responsible for
confirming their subcontractors have
SPRS scores on file prior to awarding
them contracts.
• DFARS clause 252.204–7021 paves
the way for rollout of the CMMC
Program. Once CMMC is implemented,
the required CMMC Level and
assessment type will be specified in the
solicitation and resulting contract.
Contractors handling FCI or CUI will be
required to meet the CMMC requirement
specified in the contract. DFARS clause
252.204–7021 also stipulates contractors
will be responsible for flowing down the
CMMC requirements to their
subcontractors.
CFR Part 170
Additional
Requirements for Defense Contractors
and Subcontractors Discussed in This
Final Rule
When this 32 CFR part 170 CMMC
Program rule and the complementary 48
CFR part 204 CMMC Acquisition rule
are finalized and following a phased
implementation plan, solicitations and
resulting defense contracts involving the
processing, storing, or transmitting of
FCI or CUI on a non-Federal system
will, unless waived, have a CMMC level
and assessment type requirement that a
contractor must meet to be eligible for
a contract award. The four phases of the
implementation plan add CMMC level
requirements incrementally, starting in
Phase 1 with self-assessments, and
ending in Phase 4, which represents full
implementation of program
requirements. The DoD elected to base
the phase-in plan on the level and type
of assessment to provide time to train
the necessary number of assessors, and
to allow companies time to understand
and implement CMMC requirements.
Details of each phase are addressed in
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00004
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83095
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
§ 170.3(e). In Phases 2 and 3, DoD will
implement CMMC Level 2 and Level 3
certification requirements, respectively.
At full implementation (Phase 4), DoD
will include CMMC requirements in all
applicable DoD contracts and option
periods on contracts awarded after the
beginning of Phase 4.
Table 1 defines the requirements for
each CMMC level and assessment type.
TABLE 1—CMMC LEVEL AND ASSESSMENT REQUIREMENTS
CMMC status
Source & number of security
reqts.
Assessment reqts.
Plan of action & milestones
(POA&M) reqts.
Affirmation reqts.
Level 1 (Self) ...
• 15 required by FAR clause
52.204–21.
• Conducted by Organization Seeking As-
sessment (OSA) annually.
• Results entered into SPRS (or its suc-
cessor capability).
• Not permitted ........................ • After each assessment.
• Entered into SPRS.
Level 2 (Self) ...
• 110 NIST SP 800–171 R2 re-
quired by DFARS clause
252.204–7012.
• Conducted by OSA every 3 years ............
• Results entered into SPRS (or its suc-
cessor capability).
• CMMC Status will be valid for three years
from the CMMC Status Date as defined in
§ 170.4.
• Permitted as defined in
§ 170.21(a)(2) and must be
closed out within 180 days.
• Final CMMC Status will be
valid for three years from the
Conditional CMMC Status
Date.
• After each assessment and
annually thereafter.
• Assessment will lapse upon
failure to annually affirm.
• Entered into SPRS (or its
successor capability).
Level 2
(C3PAO).
• 110 NIST SP 800–171 R2 re-
quired by DFARS clause
252.204–7012.
• Conducted by C3PAO every 3 years ........
• Results entered into CMMC Enterprise
Mission Assurance Support Service
(eMASS) (or its successor capability).
• CMMC Status will be valid for three years
from the CMMC Status Date as defined in
§ 170.4.
• Permitted as defined in
§ 170.21(a)(2) and must be
closed out within 180 days.
• Final CMMC Status will be
valid for three years from the
Conditional CMMC Status
Date.
• After each assessment and
annually thereafter.
• Assessment will lapse upon
failure to annually affirm.
• Entered into SPRS (or its
successor capability).
Level 3
(DIBCAC).
• 110 NIST SP 800–171 R2 re-
quired by DFARS clause
252.204–7012.
• 24 selected from NIST SP
800–172 Feb2021, as de-
tailed in table 1 to
§ 170.14(c)(4).
• Pre-requisite CMMC Status of Level 2
(C3PAO) for the same CMMC Assess-
ment Scope, for each Level 3 certification
assessment.
• Conducted by Defense Contract Manage-
ment Agency (DCMA) Defense Industrial
Base Cybersecurity Assessment Center
(DIBCAC) every 3 years.
• Results entered into CMMC eMASS (or its
successor capability).
• CMMC Status will be valid for three years
from the CMMC Status Date as defined in
§ 170.4.
• Permitted as defined in
§ 170.21(a)(3) and must be
closed out within 180 days.
• Final CMMC Status will be
valid for three years from the
Conditional CMMC Status
Date.
• After each assessment and
annually thereafter.
• Assessment will lapse upon
failure to annually affirm.
• Level 2 (C3PAO) affirmation
must also continue to be
completed annually.
• Entered into SPRS (or its
successor capability).
Program Walkthrough—Contractor
Perspective
This section will provide a simplified
walkthrough of the CMMC Program
from the perspective of an Organization
Seeking Assessment (OSA) seeking to
comply with program requirements.
CMMC Level Selection
An OSA will select the CMMC level
it desires to attain. Once the CMMC
Program is implemented, a DoD
solicitation will specify the minimum
CMMC Status required to be eligible for
award. One of four CMMC Statuses will
be specified:
• Level 1 (Self) is a self-assessment to
secure FCI processed, stored, or
transmitted in the course of fulfilling
the contract. The OSA must comply
with the 15 security requirements set by
FAR clause 52.204–21. All 15
requirements must be met in full—no
exceptions are allowed.
• Level 2 (Self) is a self-assessment to
secure CUI processed, stored, or
transmitted in the course of fulfilling
the contract. The OSA must comply
with the 110 Level 2 security
requirements derived from NIST SP
800–171 R2.
• Level 2 (C3PAO) differs from Level
2 (Self) in the method of verifying
compliance. OSAs must hire a C3PAO
to conduct an assessment of the OSA’s
compliance with the 110 security
requirements of NIST SP 800–171 R2.
OSAs can shop for C3PAOs on the
CMMC Accreditation Body (AB)
Marketplace.
• Level 3 (DIBCAC) is a government
assessment of 24 additional
requirements derived from NIST SP
800–172, titled ‘‘Enhanced Security
Requirements for Protecting Controlled
Unclassified Information: A Supplement
to NIST Special Publication 800–171,’’
February 2021 (NIST SP 800–172
Feb2021). The OSA must ensure that
they have already achieved a CMMC
Status of Final Level 2 (C3PAO) before
seeking CMMC Status of Final Level 3
(DIBCAC). Once this is done, an OSA
should then initiate a Level 3
certification assessment by emailing a
request to Defense Contract
Management Agency (DCMA) Defense
Industrial Base Cybersecurity
Assessment Center (DIBCAC) point of
[http://www.dcma.mil/DIBCAC contact found at www.dcma.mil/
DIBCAC, being sure to include the Level
]2 (C3PAO) certification unique
identifier in the email.
Scoping
In order to achieve a specified CMMC
Status, OSAs must first identify which
information systems, including systems
or services provided by External Service
Providers (ESPs), will process, store, or
transmit FCI, for Level 1 (Self), and CUI
for all other CMMC Statuses. These
information systems constitute the
scope of the assessment.
Within these information systems, for
Level 2 and Level 3 the assets should be
further broken down into asset
categories: Contractor Risk Managed
Assets (Level 2), Security Protection
Assets (Level 2 and 3), and Specialized
Assets (Level 2 and 3). For Level 1 all
assets, with the exclusion of Specialized
Assets, are simply identified as either
in-scope or out-of-scope based on
whether they process, store, or transmit
FCI. Definitions and treatment of these
categories as they relate to assessment
scoping, treatment of ESPs, and
treatment of assets which cannot be
secured due to their inherent design,
can be found at § 170.19.
Assessment and Affirmation
a. OSAs that meet all 15 Level 1
requirements have achieved CMMC
Status of Final Level 1 (Self). The OSA
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00005
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83096
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
must submit an affirmation of
compliance with FAR clause 52.204–21
requirements in SPRS. At this point,
OSAs have satisfied the CMMC
requirements needed for award of
contracts requiring a CMMC Status of
Final Level 1 (Self). To maintain a
CMMC Status of Final Level 1 (Self),
this entire process must be repeated in
full on an annual basis, including both
self-assessment and affirmation.
b. For Level 2 assessments, if all 110
requirements are satisfied, the
assessment score will be 110 and the
OSA will have achieved a CMMC Status
of Final Level 2 (Self) or Final Level 2
(C3PAO) as applicable and is eligible for
contract award as long as all other
contractual requirements are met.
Not all requirements must
immediately be MET to be eligible for
contract award. If the minimum score is
achieved on the assessment (equal to
80% of the maximum score) and certain
critical requirements are met, OSAs will
achieve a CMMC Status of Conditional
Level 2 (Self) or Conditional Level 2
(C3PAO) as applicable. All NOT MET
requirements must be noted in an
assessment Plan of Action and
Milestones (POA&M). At this point the
OSA will have satisfied the CMMC
requirements needed for contract award
OSAs must have met all 110 security
requirements of NIST SP 800–171 R2
within 180 days of receiving their
Conditional CMMC Status, which must
be verified with a second assessment,
called a POA&M closeout assessment. If
the POA&M closeout assessment finds
that all requirements have been met,
then the OSA will achieve a CMMC
Status of Final Level 2 (Self) or Final
Level 2 (C3PAO) as applicable.
However, if a POA&M closeout
assessment does not find that all
requirements have been met by the end
of 180 days, then the CMMC Status of
Conditional Level 2 (Self) or
Conditional Level 2 (C3PAO) will
expire. At this point, standard
contractual remedies will apply.
The OSA should submit an
affirmation into SPRS after achieving a
CMMC Status of Conditional Level 2
(Self) or CMMC Status of Conditional
Level 2 (C3PAO) as applicable. OSAs
should submit an affirmation once a
CMMC Status of Final Level 2 (Self) or
Final Level 2 (C3PAO) as applicable is
achieved. Being eligible for contracts
subject to CMMC Level 2 (Self) also
indicates eligibility for contracts subject
to Level 1 (Self), and being eligible for
contracts subject to CMMC Level 2
(C3PAO) also indicates eligibility for
contracts subject to Level 1 (Self) and
Level 2 (Self), assuming all other
contractual requirements are met. OSAs
must reaffirm in SPRS their compliance
with CMMC Level 2 requirements
annually but need only conduct a new
assessment every three years. These
deadlines are based on the CMMC
Status Date of the Conditional Status if
a POA&M was required or the Final
Status if the assessment resulted in a
score of 110. CMMC Status date is not
based on the date of a POA&M closeout
assessment.
c. For Level 3 assessments, OSAs
should note that asset categories are
assessed against security requirements
differently than they are at Level 2. In
particular, Contractor Risk Managed
Assets identified in a Level 2 scope are
treated as CUI Assets if they reside
within a Level 3 scope. Definitions and
treatment of these assets at Level 3 as
they relate to scoping of the assessment,
in addition to treatment of ESPs, are
described in § 170.19(d).
During the course of assessment,
DCMA DIBCAC will focus on assessing
compliance with all 24 selected
requirements derived from NIST SP
800–172 Feb2021, but limited checks
may be performed on the 110
requirements from NIST SP 800–171 R2.
If DCMA DIBCAC identifies that all 24
requirements from NIST SP 800–172
Feb2021 are satisfied, the OSA will have
achieved a CMMC Status of Final Level
3 (DIBCAC) and is eligible for contract
award as long as all other contractual
requirements are met. Not all
requirements must immediately be MET
to be eligible for contract award. If the
minimum score is achieved on the
assessment (equal to 80% of the
maximum score of 24) and certain
critical requirements are met, OSAs will
achieve a CMMC Status of Conditional
Level 3 (DIBCAC), and all NOT MET
requirements must be noted in a
POA&M. At this point the OSA will
have satisfied the CMMC requirements
needed for contract award.
OSAs must have met all 24 selected
security requirements of NIST SP 800–
172 Feb2021 within 180 days of
receiving their Conditional CMMC
Status, which must be verified with a
POA&M closeout assessment by DCMA
DIBCAC. If the POA&M closeout
assessment finds that all requirements
have been met, then the OSA will
achieve a CMMC Status of Final Level
3 (DIBCAC). However, if a POA&M
closeout assessment does not find that
all requirements have been met by the
end of 180 days, then the CMMC Status
of Conditional Level 3 (DIBCAC) will
expire. At this point, standard
contractual remedies will apply.
The OSA should submit an
affirmation into SPRS after achieving a
CMMC Status of Conditional Level 3
(DIBCAC) if applicable and once a
CMMC Status of Final Level 3 (DIBCAC)
is achieved. Being eligible for contracts
subject to CMMC Level 3 (DIBCAC) also
indicates eligibility for contracts subject
to Level 1 (Self), Level 2 (Self), and
Level 2 (C3PAO), assuming all other
contractual requirements are met. To
maintain CMMC Level 3 (DIBCAC)
status, an OSA must undergo both a
Level 2 certification assessment and a
Level 3 certification assessment every
three years and separately affirm
compliance with Level 2 and Level 3
requirements in SPRS annually. These
deadlines are based on the CMMC
Status Date of the Conditional
certification if applicable or the CMMC
Status Date of the Final determination.
CMMC Status Date is not based on the
date of a POA&M closeout assessment.
Flow-Down
If the OSA employs subcontractors to
fulfill the contract, those subcontractors
must also have a minimum CMMC
Status as shown in table 2.
TABLE 2—MINIMUM FLOW-DOWN REQUIREMENTS
Prime contractor requirement
Minimum subcontractor requirement
If the subcontractor will process, store, or transmit
FCI CUI
Level 1 (Self) ......................................................
Level 1 (Self) ....................................................
N/A.
Level 2 (Self) ......................................................
Level 1 (Self) ....................................................
Level 2 (Self).
Level 2 (C3PAO) ................................................
Level 1 (Self) ....................................................
Level 2 (C3PAO).
Level 3 (DIBCAC) ...............................................
Level 1 (Self) ....................................................
Level 2 (C3PAO).
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00006
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83097
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
Summary of Provisions Contained in
This Rule
Section 170.1
Purpose
Section 170.1 addresses the purpose
of this rule. It describes the CMMC
Program and establishes policy for
requiring the protection of FCI and CUI
that is processed, stored, or transmitted
on defense contractor and subcontractor
information systems. The security
standards utilized in the CMMC
Program are from the FAR clause
52.204–21; DFARS clause 252.204–7012
that implements NIST SP 800–171 R2;
and selected requirements from the
NIST SP 800–172 Feb2021, as
applicable. The purpose of the CMMC
Program is for contractors and
subcontractors to demonstrate that FCI
and CUI being processed, stored, or
transmitted is adequately safeguarded
through the methodology provided in
the rule.
Section 170.2
Incorporation by
Reference
Section 170.2 addresses the standards
and guidelines that are incorporated by
reference. The Director of the Federal
Register under 5 U.S.C. 552(a) and 1
CFR part 51 approves any materials that
are incorporated by reference. Materials
that are incorporated by reference in
this rule are reasonably available.
Information on how to access the
documents is detailed in § 170.2.
Materials that are incorporated by
reference in this rule are from the NIST
(see § 170.2(a)), the Committee on
National Security Systems (see
§ 170.2(b)), and the International
Organization for Standardization/
International Electrotechnical
Commission (ISO/IEC) (see § 170.2(c))
which may require payment of a fee.
Note: While the ISO/IEC standards are
issued jointly, they are available from the ISO
Secretariat (see § 170.2(c)).
The American National Standards
Institute (ANSI) IBR Portal provides
access to standards that have been
incorporated by reference in the U.S.
Code of Federal Regulations at [https://ibr.ansi.org https://
ibr.ansi.org. These standards
]incorporated by the U.S. government in
rulemakings are offered at no cost in
‘‘read only’’ format and are presented
for online reading. There are no print or
download options. All users will be
required to install the FileOpen plug-in
and accept an online end user license
agreement prior to accessing any
standards.
The materials that are incorporated by
reference are summarized below.
(a) Federal Information Processing
Standard (FIPS) Publication (PUB) 200
(FIPS PUB 200), titled ‘‘Minimum
Security Requirements for Federal
Information and Information Systems,’’
is the second of two security standards
mandated by the Federal Information
Security Management Act (FISMA). It
specifies minimum security
requirements for information and
information systems supporting the
executive agencies of the Federal
government and a risk-based process for
selecting the security controls necessary
to satisfy the minimum-security
requirements. This standard promotes
the development, implementation, and
operation of more secure information
systems within the Federal Government
by establishing minimum levels of due
diligence for information security and
facilitating a more consistent,
comparable, and repeatable approach
for selecting and specifying security
controls for information systems that
meet minimum security requirements.
This document is incorporated by
reference as a source for definitions.
(b) FIPS PUB 201–3, titled ‘‘Personal
Identity Verification (PIV) of Federal
Employees and Contractors,’’ establishes
a standard for a PIV system that meets
the control and security objectives of
Homeland Security Presidential
Directive-12. It is based on secure and
reliable forms of identity credentials
issued by the Federal Government to its
employees and contractors. These
credentials are used by mechanisms that
authenticate individuals who require
access to federally controlled facilities,
information systems, and applications.
This Standard addresses requirements
for initial identity proofing,
infrastructure to support
interoperability of identity credentials,
and accreditation of organizations and
processes issuing PIV credentials. This
document is incorporated by reference
as a source for definitions.
(c) NIST SP 800–37, titled ‘‘Risk
Management Framework for Information
Systems and Organizations: A System
Life Cycle Approach for Security and
Privacy,’’ Revision 2 (NIST SP 800–37
R2), describes the Risk Management
Framework (RMF) and provides
guidelines for applying the RMF to
information systems and organizations.
The RMF provides a disciplined,
structured, and flexible process for
managing security and privacy risk that
includes information security
categorization; control selection,
implementation, and assessment;
system and common control
authorizations; and continuous
monitoring. The RMF includes activities
to prepare organizations to execute the
framework at appropriate risk
management levels. The RMF also
promotes near real-time risk
management and ongoing information
system and common control
authorization through the
implementation of continuous
monitoring processes; provides senior
leaders and executives with the
necessary information to make efficient,
cost-effective, risk management
decisions about the systems supporting
their missions and business functions;
and incorporates security and privacy
into the system development life cycle.
Executing the RMF tasks links essential
risk management processes at the
system level to risk management
processes at the organization level. In
addition, it establishes responsibility
and accountability for the controls
implemented within an organization’s
information systems and inherited by
those systems. This document is
incorporated by reference as a source for
definitions.
(d) NIST SP 800–39, titled ‘‘Managing
Information Security Risk: Organization,
Mission, and Information System
View,’’ March 2011 (NIST SP 800–39
Mar2011), provides guidance for an
integrated, organization-wide program
for managing information security risk
to organizational operations (i.e.,
mission, functions, image, and
reputation), organizational assets,
individuals, other organizations, and the
Nation resulting from the operation and
use of Federal information systems.
NIST SP 800–39 Mar2011 provides a
structured, yet flexible approach for
managing risk that is intentionally
broad-based, with the specific details of
assessing, responding to, and
monitoring risk on an ongoing basis
provided by other supporting NIST
security standards and guidelines. The
guidance provided in this publication is
not intended to replace or subsume
other risk-related activities, programs,
processes, or approaches that
organizations have implemented or
intend to implement addressing areas of
risk management covered by other
legislation, directives, policies,
programmatic initiatives, or mission/
business requirements. Rather, the risk
management guidance described herein
is complementary to and should be used
as part of a more comprehensive
Enterprise Risk Management (ERM)
program. This document is incorporated
by reference as a source for definitions.
(e) NIST SP 800–53, titled ‘‘Security
and Privacy Controls for Information
Systems and Organizations,’’ Revision 5
(NIST SP 800–53 R5), provides a catalog
of security and privacy controls for
information systems and organizations
to protect organizational operations and
assets, individuals, other organizations,
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00007
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83098
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
and the Nation from a diverse set of
threats and risks, including hostile
attacks, human errors, natural disasters,
structural failures, foreign intelligence
entities, and privacy risks. The controls
are flexible and customizable and
implemented as part of an organization-
wide process to manage risk. The
controls address diverse requirements
derived from mission and business
needs, laws, executive orders,
directives, regulations, policies,
standards, and guidelines. Finally, the
consolidated control catalog addresses
security and privacy from a
functionality perspective (i.e., the
strength of functions and mechanisms
provided by the controls) and from an
assurance perspective (i.e., the measure
of confidence in the security or privacy
capability provided by the controls).
Addressing functionality and assurance
helps to ensure that information
technology products and the systems
that rely on those products are
sufficiently trustworthy. This document
is incorporated by reference as a source
for definitions.
(f) NIST SP 800–82r3, titled ‘‘Guide to
Operational Technology (OT) Security,’’
September 2023 (NIST SP 800–82r3),
provides guidance on how to secure
ICS, including Supervisory Control and
Data Acquisition (SCADA) systems,
Distributed Control Systems (DCS), and
other control system configurations
such as Programmable Logic Controllers
(PLC), while addressing their unique
performance, reliability, and safety
requirements. The document provides
an overview of ICS and typical system
topologies, identifies typical threats and
vulnerabilities to these systems, and
provides recommended security
countermeasures to mitigate the
associated risks. This document is
incorporated by reference as a source for
definitions.
(g) NIST SP 800–115, titled
‘‘Technical Guide to Information
Security Testing and Assessment,’’
September 2008 (NIST SP 800–115
Sept2008), assists organizations in
planning and conducting technical
information security tests and
examinations, analyzing findings, and
developing mitigation strategies. The
guide provides practical
recommendations for designing,
implementing, and maintaining
technical information security test and
examination processes and procedures.
These can be used for several purposes,
such as finding vulnerabilities in a
system or network and verifying
compliance with a policy or other
requirements. The guide is not intended
to present a comprehensive information
security testing and examination
program but rather an overview of key
elements of technical security testing
and examination, with an emphasis on
specific technical techniques, the
benefits and limitations of each, and
recommendations for their use. This
document is incorporated by reference
as a source for definitions.
(h) NIST SP 800–160, Volume 2, titled
‘‘Developing Cyber-Resilient Systems: A
Systems Security Engineering
Approach,’’ Revision 1, December 2021
(NIST SP 800–160 V2R1), focuses on
cyber resiliency engineering—an
emerging specialty systems engineering
discipline applied in conjunction with
systems security engineering and
resilience engineering to develop
survivable, trustworthy secure systems.
Cyber resiliency engineering intends to
architect, design, develop, implement,
maintain, and sustain the
trustworthiness of systems with the
capability to anticipate, withstand,
recover from, and adapt to adverse
conditions, stresses, attacks, or
compromises that use or are enabled by
cyber resources. From a risk
management perspective, cyber
resiliency is intended to help reduce the
mission, business, organizational,
enterprise, or sector risk of depending
on cyber resources. This document is
incorporated by reference as a source for
definitions.
(i) NIST SP 800–171, titled
‘‘Protecting Controlled Unclassified
Information in Nonfederal Systems and
Organizations,’’ Revision 2, February
2020 (includes updates as of January 28,
2021) (NIST SP 800–171 R2), provides
agencies with recommended security
requirements for protecting the
confidentiality of CUI when the
information is resident in nonfederal
systems and organizations; when the
nonfederal organization is not collecting
or maintaining information on behalf of
a Federal agency or using or operating
a system on behalf of an agency; and
where there are no specific safeguarding
requirements for protecting the
confidentiality of CUI prescribed by the
authorizing law, regulation, or
governmentwide policy for the CUI
category listed in the CUI Registry. The
requirements apply to all components of
nonfederal systems and organizations
that process, store, and/or transmit CUI,
or that provide protection for such
components. The security requirements
are intended for use by Federal agencies
in contractual vehicles or other
agreements established between those
agencies and nonfederal organizations.
This document is incorporated by
reference as a foundational source for
definitions and security requirements.
(j) NIST SP 800–171A, titled
‘‘Assessing Security Requirements for
Controlled Unclassified Information,’’
June 2018 (NIST SP 800–171A Jun2018),
provides Federal and non-Federal
organizations with assessment
procedures and a methodology that can
be employed to conduct assessments of
the CUI security requirements in NIST
SP 800–171 R2. The assessment
procedures are flexible and can be
customized to the needs of the
organizations and the assessors
conducting the assessments. Security
assessments can be conducted as self-
assessments; independent, third-party
assessments; or government-sponsored
assessments and can be applied with
various degrees of rigor, based on
customer-defined depth and coverage
attributes. The findings and evidence
produced during the security
assessments can facilitate risk-based
decisions by organizations related to the
CUI requirements. This document is
incorporated by reference as a
foundational source for definitions and
assessment.
(k) NIST SP 800–172, titled
‘‘Enhanced Security Requirements for
Protecting Controlled Unclassified
Information: A Supplement to NIST
Special Publication 800–171,’’ February
2021 (NIST SP 800–172 Feb2021),
provides Federal agencies with
recommended enhanced security
requirements for protecting the
confidentiality of CUI: (1) when the
information is resident in nonfederal
systems and organizations; (2) when the
nonfederal organization is not collecting
or maintaining information on behalf of
a Federal agency or using or operating
a system on behalf of an agency; and (3)
where there are no specific safeguarding
requirements for protecting the
confidentiality of CUI prescribed by the
authorizing law, regulation, or
government-wide policy for the CUI
category listed in the CUI Registry. The
enhanced requirements apply only to
components of nonfederal systems that
process, store, or transmit CUI or that
provide security protection for such
components when the designated CUI is
associated with a critical program or
high value asset. The enhanced
requirements supplement the basic and
derived security requirements in NIST
SP 800–171 R2 and are intended for use
by Federal agencies in contractual
vehicles or other agreements established
between those agencies and nonfederal
organizations. This document is
incorporated by reference as a
foundational source for security
requirements.
(l) NIST SP 800–172A, titled
‘‘Assessing Enhanced Security
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00008
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83099
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
Requirements for Controlled
Unclassified Information,’’ March 2022
(NIST SP 800–172A Mar2022), provides
Federal agencies and nonfederal
organizations with assessment
procedures that can be used to carry out
assessments of the requirements in NIST
SP 800–172 Feb2021. The assessment
procedures are flexible and can be
tailored to the needs of organizations
and assessors. Assessments can be
conducted as (1) self-assessments; (2)
independent, third-party assessments;
or (3) government-sponsored
assessments. The assessments can be
conducted with varying degrees of rigor
based on customer-defined depth and
coverage attributes. The findings and
evidence produced during the
assessments can be used to facilitate
risk-based decisions by organizations
related to the CUI enhanced security
requirements. This document is
incorporated by reference as a
foundational source for definitions and
assessment.
(m) ISO/IEC 17011:2017(E), titled
‘‘Conformity assessment—Requirements
for accreditation bodies accrediting
conformity assessment bodies,’’ Second
edition, November 2017 (ISO/IEC
17011:2017(E)), specifies requirements
for the competence, consistent operation
and impartiality of accreditation bodies
assessing and accrediting conformity
assessment bodies. This document is
incorporated by reference as a source for
requirements on the CMMC Ecosystem.
(n) ISO/IEC 17020:2012(E), titled
‘‘Conformity assessment—Requirement
for the operation of various types of
bodies performing inspection,’’ Second
edition, March 1, 2012 (ISO/IEC
17020:2012(E)), specifies requirements
for the competence of bodies performing
inspection and for the impartiality and
consistency of their inspection
activities. It applies to inspection bodies
of type A, B or C, as defined in ISO/IEC
17020:2012(E), and it applies to any
stage of inspection.’’ This document is
incorporated by reference as a source for
requirements on the CMMC Ecosystem.
(o) ISO/IEC 17024:2012(E), titled
‘‘Conformity assessment—General
requirements for bodies operating
certification of persons,’’ Second
edition, July 1, 2012 (ISO/IEC
17024:2012(E)), contains principles and
requirements for a body certifying
persons against specific requirements
and includes the development and
maintenance of a certification scheme
for persons.’’ This document is
incorporated by reference as a source for
requirements on the CMMC Ecosystem.
Section 170.3
Applicability
Section 170.3 identifies entities to
which the rule applies and how the
Department intends to implement the
rule. The rule applies to defense
contractors and subcontractors that will
process, store, or transmit FCI or CUI in
performance of a DoD contract, and
private-sector businesses or other
entities that are specified in Subpart C.
This rule does not apply to Federal
information systems operated by
contractors and subcontractors in
support of the Government. CMMC
Program requirements apply to DoD
solicitations and contracts requiring
defense contractors and subcontractors
to process, store, or transmit FCI or CUI.
Exceptions to the applicability of this
rule are addressed in § 170.3(c)(1) and
(2). Department Program Managers or
requiring activities will determine
which CMMC Level and assessment
type will apply to a contract or
procurement. Applicability of the
required CMMC Level and assessment
type to subcontractors is addressed in
§ 170.23.
Section 170.3 addresses the four-
phased implementation plan of the
CMMC Program requirements in
solicitations and contracts. Phase 1
begins on the effective date of this
CMMC 32 CFR part 170 CMMC Program
rule or the complementary 48 CFR part
204 CMMC Acquisition rule, whichever
occurs later. More information regarding
Phase 1 can be found in § 170.3(e)(1).
Phase 2 begins one calendar year after
the start date of Phase 1. More
information regarding Phase 2 can be
found in § 170.3(e)(2). Phase 3 begins
one calendar year after the start date of
Phase 2. More information regarding
Phase 3 can be found in § 170.3(e)(3).
Phase 4, or full implementation, begins
one calendar year after the start date of
Phase 3. More information regarding
Phase 4 can be found in § 170.3(e)(4).
Section 170.4
Acronyms and
Definitions
Section 170.4 includes acronyms and
definitions used in the rule text and can
be used as a reference while reading the
text and tables. CMMC introduces new
terms and associated definitions, and
customizes definitions for existing
terms, as applied to the CMMC Program.
CMMC-custom terms and definitions are
clearly marked to distinguish from
terms sourced externally. CMMC also
utilizes terms created by other
authoritative sources, including NIST.
Terms from other authoritative sources
are also listed in § 170.4 and are
properly sourced.
The Department developed the
following CMMC-custom terms to
enhance understanding of the
requirements and elements of the
CMMC Program:
• Accreditation
• Accreditation Body
• Affirming Official
• Assessment
• Level 1 self-assessment
• Level 2 self-assessment
• Level 2 certification assessment
• Level 3 certification assessment
• POA&M closeout self-assessment
• POA&M closeout certification
assessment
• Assessment Findings Report
• Assessment Team
• Asset Categories
• Authorized
• Cloud Service Provider
• CMMC Assessment and Certification
Ecosystem
• CMMC Assessment Scope
• CMMC Assessor and Instructor
Certification Organization (CAICO)
• CMMC instantiation of eMASS
• CMMC Status
• Final Level 1 (Self)
• Conditional Level 2 (Self)
• Final Level 2 (Self)
• Conditional Level 2 (C3PAO)
• Final Level 2 (C3PAO)
• Conditional Level 3 (DIBCAC)
• Final Level 3 (DIBCAC)
• CMMC Status Date
• CMMC Third-Party Assessment
Organization (C3PAO)
• Contractor Risk Managed Assets
• Controlled Unclassified Information
(CUI) Assets
• Enduring Exception
• External Service Provider (ESP)
• Operational plan of action
• Organization-defined
• Organization Seeking Assessment
(OSA)
• Organization Seeking Certification
(OSC)
• Out-of-Scope Assets
• Periodically
• Process, store, or transmit
• Restricted Information Systems
• Security Protection Assets
• Security Protection Data
• Specialized Assets
• Temporary Deficiency
• Test Equipment.
Section 170.5
Policy
Section 170.5 addresses the policy
underlying the rule. The protection of
FCI and CUI on defense contractor
information systems is crucial to the
continuity of the missions and functions
of the DoD. To that end, this rule
requires that contractors and
subcontractors implement the specified
security requirements for the applicable
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00009
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83100
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
20
www.iso.org/standard/67198.html.
21
www.iso.org/standard/52993.html.
22
This system is accessible only to authorized
users.
CMMC Level. For CMMC Level 3, the
selected security requirements are
defined in NIST SP 800–172 Feb2021
with the applicable DoD Organization-
Defined Parameters (ODPs) defined in
table 1 to § 170.14(c)(4).
Program Managers and requiring
activities identify the applicable CMMC
Level and assessment type. Factors used
to determine which CMMC Level and
assessment type will be applied are
included but not limited to the list
found in § 170.5(b)(1–5). CMMC
Program requirements will flow down to
subcontractors, as applicable (see
§ 170.23). A DoD Service Acquisition
Executive or a Component Acquisition
Executive may elect to waive inclusion
of CMMC Program requirements in a
solicitation or contract.
Section 170.5 addresses that the
CMMC Program does not alter the
requirements imposed on contractors
and subcontractors in FAR clause
52.204–21, DFARS clause 252.204–
7012, or any other applicable
safeguarding of information
requirement. The CMMC Program
verifies implementation of security
requirements in FAR clause 52.204–21,
NIST SP 800–171 R2, and selected
security requirements in NIST SP 800–
172 Feb2021, as applicable.
Section 170.6
CMMC PMO
Section 170.6 addresses the CMMC
Program Management Office (PMO)
functions that are performed within the
Department of Defense Chief
Information Officer (DoD CIO).
Section 170.7
DCMA DIBCAC
Section 170.7 addresses how DCMA
DIBCAC will support the CMMC
Program by conducting CMMC Level 2
certification assessments of the
Accreditation Body and C3PAOs;
conducting CMMC Level 3 certification
assessments for OSCs; and recording
results, issuing certificates, tracking
appeals, and retaining records as
required.
Section 170.8
Accreditation Body
Section 170.8 addresses the roles and
responsibilities of the Accreditation
Body, as well as requirements that the
Accreditation Body must meet. The
Accreditation Body must be US-based
and be and remain a member in good
standing with the Inter-American
Accreditation Cooperation (IAAC) and
become an International Laboratory
Accreditation Cooperation (ILAC)
Mutual Recognition Arrangement
(MRA) signatory, with a signatory status
scope of ISO/IEC 17020:2012(E) and be
compliant with ISO/IEC
17011:2017(E) 20. There is only one
Accreditation Body for the DoD CMMC
Program at any given time, and its
primary mission is to authorize and
accredit the C3PAOs. The Accreditation
Body authorizes and accredits C3PAOs
in accordance with the requirements in
section 170.8(b).
The Accreditation Body also oversees
the CAICO to ensure compliance with
ISO/IEC 17024:2012(E) 21 and to ensure
all training products, instruction, and
testing materials are of high quality.
Section 170.8 addresses specific
requirements for the Accreditation Body
with regards to national security
background checks, foreign ownership,
reporting, information protection, and
appeals. The Accreditation Body will
also develop policies for Conflict of
Interest (CoI), Code of Professional
Conduct (CoPC), and Ethics that comply
with all ISO/IEC 17011:2017(E) and DoD
requirements. These policies will apply
to the Accreditation Body as well as to
all other individuals, entities, and
groups within the CMMC Ecosystem.
The information systems used by the
Accreditation Body to process CMMC
information have to meet all of the
security requirements for CMMC Level
2 and will be assessed by DCMA’s
Defense Industrial Base Cybersecurity
Assessment Center (DIBCAC).
Section 170.9
CMMC Third-Party
Assessment Organizations (C3PAOs)
Section 170.9 addresses the roles,
responsibilities, and requirements for
C3PAOs, which are the organizations
that perform CMMC Level 2 certification
assessments for OSCs. The C3PAOs will
submit assessment data into the CMMC
instantiation of government owned and
operated system called eMASS,22 a
CMMC instance of the Enterprise
Mission Assurance Support Service.
C3PAOs issue Certificates of CMMC
Status, in accordance with the
requirements in § 170.17 of this part.
Section 170.9 addresses detailed
requirements for C3PAOs with regards
to national security background checks,
foreign ownership, reporting, records
management, information protection,
quality assurance, and appeals. The
information systems used by C3PAOs to
process Level 2 certification assessment
information have to meet all of the
security requirements for CMMC Level
2 and will be assessed by DCMA
DIBCAC. C3PAOs need to comply with
ISO/IEC 17020:2012(E), as well as with
the Accreditation Body’s policies for
CoI, CoPC, and Ethics.
Prior to a C3PAO being compliant
with ISO/IEC 17020:2012(E), the C3PAO
may be authorized but not accredited.
After a C3PAO is compliant with ISO/
IEC 17020:2012(E), the C3PAO may be
accredited.
Section 170.10
CMMC Assessor and
Instructor Certification Organization
(CAICO)
Section 170.10 addresses the roles,
responsibilities, and requirements for
the CAICO, the organization that trains,
tests, designates Provisional Instructors
(PIs), and certifies CMMC Certified
Professionals (CCPs), CMMC Certified
Assessors (CCAs), CMMC Certified
Instructors (CCIs). There is only one
CAICO for the DoD CMMC Program at
any given time. The CAICO must
comply with ISO/IEC 17024:2012(E), as
well as with the Accreditation Body’s
policies for CoI, CoPC, and Ethics.
Section 170.10 addresses detailed
requirements for the CAICO with
regards to certification examinations,
quality assurance, appeals, records
management, reporting, separation of
duties, and information protection.
Section 170.11
CMMC Certified
Assessor (CCA)
Section 170.11 addresses the roles
and responsibilities of a CMMC
Certified Assessor (CCA) who conduct
Level 2 certification assessments. In
order to be a CCA, a candidate must first
be a CCP, must adhere to the
requirements set forth in § 170.10,
§ 170.8(b)(17), and complete a Tier 3
background investigation or equivalent.
The required cybersecurity experience
for different CCA roles is addressed in
§ 170.11(b)(6) and (10). Section 170.11
addresses CCA requirements with
respect to security breaches; completion
of a Tier 3 background investigation or
equivalent; reporting; sharing
assessment information; and permitted
use of C3PAO equipment, devices, and
services.
Section 170.12
CMMC Instructor
Section 170.12 addresses the roles
and responsibilities of a CMMC
Provisional Instructor (PI) and CMMC
Certified Instructor (CCI) to teach
CMMC assessor candidates. Candidate
PIs and CCIs are trained and tested per
the requirements set forth in § 170.12(c).
Section 170.12(c) also provides
candidate PIs and CCIs with the
requirements to obtain and maintain
designation or certification (as
applicable), compliance with
Accreditation Body policies, work
activity exclusions, confidentiality
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00010
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83101
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
expectations, non-disclosure clause,
non-public training related information,
forbidden consulting services, and
reporting requirements.
Section 170.13
CMMC Certified
Professional (CCP)
Section 170.13 addresses the roles
and responsibilities of a CMMC
Certified Professional (CCP) required to
provide advice, consulting, and
recommendations to clients. The CAICO
trains and tests candidate CCPs per the
requirements set forth in § 170.13(b)
with CCP certification issued upon
successful completion. A CCP can
participate on CMMC Level 2
certification assessments with CCA
oversight, however CCAs are
responsible for making final assessment
determinations for a CMMC Status of
Conditional or Final Level 2 (C3PAO). A
list of CCP requirements is provided for
obtaining and maintaining certification,
compliance with Accreditation Body
policies, completion of a Tier 3
background investigation or equivalent,
sharing assessment specific information,
and reporting requirements.
Section 170.14
CMMC Model
Section 170.14 addresses the
structure, security requirement contents,
organization, sourcing, and numbering
of the security requirements that
comprise the CMMC Model. It also
provides an overview of the assessment
process. The CMMC Model consists of
three (3) levels, each containing security
requirements taken directly from
existing regulations and guidelines.
Firstly, § 170.14(2) defines CMMC Level
1 as the 15 security requirements listed
in the FAR clause 52.204–21(b)(1).
Secondly, § 170.14(3) defines CMMC
Level 2 as the 110 security requirements
from the NIST SP 800–171 R2. Lastly,
§ 170.14(4) defines CMMC Level 3 as 24
selected security requirements from the
NIST SP 800–172 Feb2021.
The CMMC security requirements are
organized into domains following the
approach taken in NIST SP 800–171 R2.
The numbering of the CMMC security
requirements, addressed in
§ 170.14(c)(1), is of the form DD.L#-REQ
where the ‘DD’ is the two-letter domain
abbreviation, the ‘L#’ is the CMMC
Level, and the ‘REQ’ is based directly on
the numbering in the source.
Assessment criteria for these security
requirements, as described in
§ 170.14(d), is based on security
requirement assessment guidance
provided in NIST SP 800–171A Jun2018
and NIST SP 800–172A Mar2022.
Section 170.15
CMMC Level 1 Self-
Assessment and Affirmation
Requirements
Section 170.15 addresses how an OSA
will achieve and maintain compliance
with the CMMC Status of Level 1 (Self).
The OSA must successfully implement
the security requirements listed in
§ 170.14(c)(2) within their Level 1
CMMC Assessment Scope as described
in § 170.19(b). Successful
implementation requires meeting all
objectives defined in NIST SP 800–171A
Jun2018 for the corresponding CMMC
Level 1 security requirements as
outlined in the mapping table 1 to
§ 170.15(c)(1)(i).
After implementation, the OSA must
perform a Level 1 self-assessment to
verify the implementation and score
themselves using the scoring
methodology provided in § 170.24. All
objectives must be met in order for a
security requirement to be considered
fully implemented; no security
requirements may be placed on a
POA&M for Level 1. The OSA must then
input their results into SPRS as
described in § 170.15(a)(1)(i) and submit
an affirmation as described in § 170.22.
In order to be eligible for a contract
with a requirement for the CMMC Status
of Level 1 (Self), the OSA must have
achieved a CMMC Status of Final Level
1 (Self) and have submitted an
affirmation. These activities must be
completed annually.
Section 170.16
CMMC Level 2 Self-
Assessment and Affirmation
Requirements
Section 170.16 addresses how an OSA
will achieve and maintain compliance
with the CMMC Status of Level 2 (Self).
The OSA must successfully implement
the security requirements listed in
§ 170.14(c)(3) within its Level 2 CMMC
Assessment Scope as described in
§ 170.19(c). Successful implementation
requires meeting all objectives defined
in NIST SP 800–171A Jun2018 for the
corresponding CMMC Level 2 security
requirements. Requirements for ESPs
and CSPs that process, store, transmit
CUI are provided in § 170.16(c)(2) and
(3).
After implementation, the OSA must
perform a Level 2 self-assessment to
verify the implementation and score
themselves using the scoring
methodology provided in § 170.24. All
objectives must be met in order for a
security requirement to be considered
fully implemented; in some cases, if not
all objectives are met, some security
requirements may be placed on a
POA&M as provided for in § 170.21. If
the minimum score has been achieved
and some security requirements are in a
POA&M, the OSA has achieved the
CMMC Status of Conditional Level 2
(Self); if all requirements are MET as
defined in § 170.24(b), the OSA has
achieved a CMMC Status of Final Level
2 (Self). For Conditional Level 2 (Self),
a POA&M closeout must be conducted
within 180 days as described in
§ 170.21(b) or the Conditional Level 2
(Self) CMMC Status will expire.
After a Level 2 self-assessment, as
well as after a POA&M closeout, the
OSA must input their results into SPRS
as described in § 170.16(a)(1)(i) and
submit an affirmation as described in
§ 170.22.
In order to be eligible for a contract
with a requirement for the CMMC Status
of Level 2 (Self), the OSA must have
achieved the CMMC Status of either
Conditional Level 2 (Self) or Final Level
2 (Self) and have submitted an
affirmation. The Level 2 self-assessment
must be completed every three years
and the affirmation must be completed
annually following the Final CMMC
Status Date.
Section 170.17
CMMC Level 2
Certification Assessment and
Affirmation Requirements
Section 170.17 addresses how an OSC
will achieve and maintain compliance
with the CMMC Status of Level 2
(C3PAO). The OSC must successfully
implement the security requirements
listed in § 170.14(c)(3) within its Level
2 CMMC Assessment Scope as
described in § 170.19(c). Successful
implementation requires meeting all
objectives defined in NIST SP 800–171A
Jun2018 for the corresponding CMMC
Level 2 security requirements.
Requirements for ESPs and CSPs that
process, store, transmit CUI are
provided in § 170.17(c)(5) and (6).
After implementation, the OSC must
hire a C3PAO to perform an assessment
to verify the implementation. The
C3PAO will score the OSC using the
scoring methodology provided in
§ 170.24. All objectives must be met in
order for a security requirement to be
considered fully implemented; in some
cases, if not all objectives are met, some
security requirements may be placed on
a POA&M as defined in § 170.21. If the
minimum score has been achieved and
some security requirements are in a
POA&M, the OSC has achieved the
CMMC Status of Conditional Level 2
(C3PAO); if all requirements are MET as
defined in § 170.24(b), the OSC has
achieved the CMMC Status of Final
Level 2 (C3PAO). For Conditional Level
2 (C3PAO), a POA&M closeout must be
conducted within 180 days as described
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00011
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83102
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
in § 170.21(b) or the Conditional Level
2 (C3PAO) CMMC Status will expire.
After a Level 2 certification
assessment, as well as after a POA&M
closeout, the C3PAO will input the
OSC’s results into the CMMC
instantiation of eMASS as described in
§ 170.17(a)(1)(i). After a Level 2
certification assessment, as well as after
a POA&M closeout, the OSC must
submit an affirmation as described in
§ 170.22.
In order to be eligible for a contract
with a requirement for the CMMC Status
of Level 2 (C3PAO), the OSC must have
achieved the CMMC Status of either
Conditional Level 2 (C3PAO) or Final
Level 2 (C3PAO) and have submitted an
affirmation. The Level 2 certification
assessment must be completed every
three years and the affirmation must be
completed annually following the Final
CMMC Status Date.
Section 170.18
CMMC Level 3
Certification Assessment and
Affirmation Requirements
Section 170.18 addresses how an OSC
will achieve and maintain compliance
with the CMMC Status of Level 3
(DIBCAC). The OSC must have achieved
the CMMC Status of Final Level 2
(C3PAO) for information systems within
the Level 3 CMMC Assessment Scope as
a prerequisite to undergo a Level 3
certification assessment. The OSC must
successfully
implement the security requirements
listed in § 170.14(c)(4) and table 1 to
§ 170.14(c)(4) within its Level 3 CMMC
Assessment Scope as described in
§ 170.19(d). Successful implementation
requires meeting all objectives defined
in NIST SP 800–172A Mar2022 for the
corresponding CMMC Level 3 security
requirements. Requirements for ESPs
and CSPs that process, store, transmit
CUI are provided in § 170.18(c)(5) and
(6).
After implementation, the OSC must
contact DCMA DIBCAC to perform an
assessment to verify the
implementation. DCMA DIBCAC will
score the OSC using the scoring
methodology provided in § 170.24. All
objectives must be met in order for a
security requirement to be considered
fully implemented; in some cases, if not
all objectives are met, some security
requirements may be placed on a
POA&M as defined in § 170.21. If the
minimum score has been achieved and
some security requirements are in a
POA&M, the OSC has achieved the
CMMC Status of Conditional Level 3
(DIBCAC); if all requirements are MET
as defined in § 170.24(b), the OSC has
achieved the CMMC Status of Final
Level 3 (DIBCAC). For Conditional
Level 3 (DIBCAC), a POA&M closeout
must be conducted within 180 days as
described in § 170.21(b) or the
Conditional Level 3 (DIBCAC) CMMC
Status will expire.
After a Level 3 certification
assessment, as well as after a POA&M
closeout, DCMA DIBCAC will input the
OSC’s results into the CMMC
instantiation of eMASS as described in
§ 170.18(a)(1)(i). After a Level 3
certification assessment, as well as after
a POA&M closeout, the OSC must
submit an affirmation as described in
§ 170.22.
In order to be eligible for a contract
with a requirement for the CMMC Status
of Level 3 (DIBCAC), the OSC must have
achieved the CMMC Status of either
Conditional Level 3 (DIBCAC) or Final
Level 3 (DIBCAC) and have submitted
an affirmation. The Level 3 certification
assessment must be completed every
three years and the affirmation must be
completed annually following the Final
CMMC Status Date.
Section 170.19
CMMC Scoping
Section 170.19 addresses the
requirements for the scoping of each
CMMC Level and determines which
assets are included in a given
assessment and the degree to which
each is assessed. The CMMC
Assessment Scope is specified prior to
any CMMC assessment, based on the
CMMC Level being assessed. The Level
2 CMMC Assessment Scope may also be
affected by any intent to achieve a
CMMC Level 3 Certification
Assessment, as detailed in § 170.19(e).
Scoping for CMMC Level 1, as
detailed in § 170.19(b), consists of all
assets that process, store, or transmit
FCI. These assets are fully assessed
against the applicable CMMC security
requirements identified in § 170.14(c)(2)
and following the procedures in
§ 170.15(c). All other assets are out-of-
scope and are not considered in the
assessment.
Scoping for CMMC Level 2, as
detailed in § 170.19(c), consists of all
assets that process, store, or transmit
CUI, and all assets that provide security
protections for these assets. These assets
are fully assessed against the applicable
CMMC security requirements identified
in § 170.14(c)(3) and following the Level
2 self-assessment procedures in
§ 170.16(c) or the Level 2 certification
assessment procedures in § 170.17(c). In
addition, Contractor Risk Managed
Assets, which are assets that can, but are
not intended to, process, store, or
transmit CUI because of security policy,
procedures, and practices in place, are
documented and are subject to a limited
check that may result in the
identification of a deficiency, as
addressed in table 3 to § 170.19(c)(1).
Finally, Specialized Assets, which are
assets that can process, store, or
transmit CUI but are unable to be fully
secured, including: Internet of Things
(IoT) devices, Industrial Internet of
Things (IIoT) devices, Operational
Technology (OT), Government
Furnished Equipment (GFE), Restricted
Information Systems, and Test
Equipment, are documented but are not
assessed against other CMMC security
requirements, as addressed in table 3 to
§ 170.19(c)(1). All other assets are out-
of-scope and are not considered in the
assessment.
Scoping for CMMC Level 3, as
detailed in § 170.19(d), consists of all
assets that can (whether intended to or
not) or do process, store, or transmit
CUI, and all assets that provide security
protections for these assets. The CMMC
Level 3 Assessment Scope also includes
all Specialized Assets but allows an
intermediary device to provide the
capability for the Specialized Asset to
meet one or more CMMC security
requirements, as needed. These assets
(or the applicable intermediary device,
in the case of Specialized Assets) are
fully assessed against the applicable
CMMC security requirements identified
in § 170.14(c)(4) and following the
procedures in § 170.18(c). All other
assets are out-of-scope and are not
considered in the assessment.
If an OSA utilizes an ESP, including
a Cloud Service Provider (CSP), that
does not process, store, or transmit CUI,
the ESP does not require its own CMMC
assessment. The services provided by
the ESP are assessed as part of the OSC’s
assessment as Security Protection
Assets.
Section 170.20
Standards Acceptance
Section 170.20 addresses how OSCs
that, prior to the effective date of this
rule, have achieved a perfect score on a
DCMA DIBCAC High Assessment with
the same scope as a Level 2 CMMC
Assessment Scope, will be given a
CMMC Status of Level 2 (C3PAO).
Section 170.21
Plan of Action and
Milestones Requirements
Section 170.21 addresses rules for
having a POA&M for the purposes of a
CMMC assessment and satisfying
contract eligibility requirements for
CMMC. All POA&Ms must be closed
within 180 days of the Conditional
CMMC Status Date. To satisfy CMMC
Level 1 requirements, a POA&M is not
allowed. To satisfy CMMC Level 2
requirements, a POA&M is allowed.
Section 170.21 details the overall
minimum score that must be achieved
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00012
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83103
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
and identifies the Level 2 security
requirements that cannot have a
POA&M and must be fully met at the
time of the assessment. To satisfy
CMMC Level 3 requirements, a POA&M
is allowed. Section 170.21 details the
overall minimum score that must be
achieved and identifies the Level 3
security requirements that cannot have
a POA&M and must be fully met at the
time of the assessment. Section 170.21
also established rules for closing
POA&Ms.
Section 170.22
Affirmation
Section 170.22 addresses that the
OSA’s Affirming Official must affirm, in
SPRS, compliance with the CMMC
Status: upon completion of any self-
assessment, certification assessment, or
POA&M closeout assessment (as
applicable), and annually following a
Final CMMC Status Date.
Section 170.23
Application to
Subcontractors
Section 170.23 addresses flow down
of CMMC requirements from the prime
contractor to the subcontractors in the
supply chain. Prime contractors shall
comply and shall require subcontractor
compliance throughout the supply
chain at all tiers with the applicable
CMMC Level for each subcontract as
addressed in § 170.23(a).
Section 170.24
CMMC Scoring
Methodology
Section 170.24 addresses the
assessment finding types MET, NOT
MET, and NOT APPLICABLE (N/A) in
the context of CMMC assessments, and
the CMMC Scoring Methodology used to
measure the implementation status of
security requirements for CMMC Level
2 and CMMC Level 3. Scoring is not
calculated for CMMC Level 1 since all
requirements must be MET at the time
of assessment.
For CMMC Level 2, the maximum
score is the total number of Level 2
security requirements and is the starting
value for assessment scoring. Any
security requirement that has one or
more NOT MET objectives reduces the
current score by the value of the specific
security requirement. Values for each
CMMC Level 2 requirement are
enumerated in § 170.24(c)(2)(i)(B).
For CMMC Level 3, the maximum
score is the total number of Level 3
security requirements and is the starting
value for assessment scoring. Any
security requirement that has one or
more NOT MET objectives reduces the
current score by the value of the specific
security requirement. CMMC Level 3
does not use varying values; the value
for each requirement is one (1), as
described in § 170.24(c)(3).
Appendix A to Part 170: Guidance
Appendix A lists the guidance
documents that are available to support
defense contractors and the CMMC
Ecosystem in the implementation and
assessment of CMMC requirements.
Discussion of Public Comments and
Resulting Changes
The Department of Defense published
the proposed rule, on December 26,
2023 (88 FR 89058). Approximately 361
public submissions were received in
response to the publication. Some
comments were beyond the scope of the
CMMC Program and are described but
not addressed in this final rule. The
majority of comments received were
relevant and are summarized in the
discussion and analysis section here.
Additional comments were received in
response to the CMMC supplemental
documents published concurrently with
the rule; the discussion and analysis of
those comments is located at
[http://www.regulations.gov www.regulations.gov. Some comments
]received lacked relevance to the rule’s
content, which is limited to specific
CMMC program requirements codified
in the 32 CFR part 170 CMMC Program
rule, responses for those comments are
not provided.
Any contractual requirements related
to the CMMC Program rule will be
implemented in the DFARS, as needed,
which may result in revisions to the
DFARS clause 252.204–7021, CMMC
Requirements. DoD will address
comments regarding the DFARS clause
252.204–7021 in a separate 48 CFR part
204CMMC Acquisition rulemaking.
1. Extension of the Public Comment
Period
Comment: DoD received requests from
industry associations for an extension of
the 60-day public comment period on
the CMMC Proposed Rule that the
Office of the Federal Register published
on 26 December 2023. The length of
extensions requested ranged from 30–60
days. Commenters argued that the
proposed rule was initially published
following a holiday, or more time was
needed for associations to fully review
member comments about the CMMC
Proposed Rule prior to submitting. In
addition, they argued that other rules
pertaining to cyber incident reporting
obligations and security of Federal
Information Systems had also been
published for public comment, which
created a need for additional review
time.
Response: The DoD CIO denied
requests for an extension of the 60-day
public comment period. The DoD
provided regular communication to the
public through the DoD CMMC website
and updates in the semiannual Unified
Agenda in preparation for publication of
the CMMC Proposed Rule to initiate the
60-day public comment period. The
Department has an urgent need to
improve DIB cybersecurity by further
enforcing compliance with security
requirements that were to be
implemented by the DIB ‘‘as soon as
possible but not later than December
2017.’’
2. The CUI Program
a. CUI Program Guidance
Comment: Many comments were
submitted related to the NARA CUI
policies or the DoD CUI Program, and
while relevant for understanding CMMC
requirements, those are separate policies
or programs beyond the scope of the
CMMC program or this rule. However,
several comments recommended that
the CMMC rule be revised to address
them.
Twenty-two comments requested the
government provide more guidance,
preferably within RFPs or contracts, to
better identify what will be considered
CUI for that contract, and how it should
be appropriately marked. One comment
specifically noted a need for contractual
instructions on whether data created in
performance of a contract rises to the
level of CUI. Another person asked
when is does information created or
possessed by a contractor become CUI.
One comment asked whether digital or
physical items derived from CUI are
treated as CUI while another asked what
specific information qualifies as CUI for
OT and IoT assets. Another comment
asked whether FCI and or CUI created
or provided under a non-DoD agency
contract, but which is also used in
support of a DoD contract, would be
subject to the applicable CMMC level
requirement. Another comment noted
that DoD focuses too narrowly on data
security aspects of major system
acquisition and largely fails to address
securing data generated by operational
and/or maintenance operations, such as
invoices and bills of lading for
operational support purchases.
One comment stated there was a need
for CUI policy guidance for the entire
Federal Government. Another comment
inferred, incorrectly, that the CMMC
Accreditation Body makes
determinations about what is and what
is not CUI and stated that the
Government should make those
determinations. Another comment
stated that to better address the needs of
contractors tasked with safeguarding
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00013
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83104
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
CUI, NARA should initiate a public
comment period to reevaluate its CUI
Registry. The comment also noted that
NARA should identify when a CUI
designation automatically applies to
contractor-created information and
revise the CUI Registry to stipulate that
a specific basis in statute (or a contract)
is required for information to be
considered CUI. Another comment
recommended a study be conducted on
protections for systems and data at
Confidential and higher classification
levels and should assess whether
NARA’s CUI protection requirements
(32 CFR part 2002) have yielded any
real benefits in protecting critical data.
Another comment stated that the CUI
program is a costly proposition whose
security value is questionable given data
can still be compromised, even over
systems with a CMMC assessment. The
comment stated that if data is to be
controlled for Critical Items, then the
existing system used for
CONFIDENTIAL information should
suffice. Finally, another comment
suggested that CUI information should
be under the control of the Federal
Government and access granted only to
appropriately trained, and qualified
contractors through a portal.
Response: Neither the CUI program
(established in E.O. 13556) nor the
safeguarding requirements codified in
its implementing directives are changed
by virtue of the compliance assessment
framework established by this rule.
CMMC requirements apply to prime
contractors and subcontractors
throughout the supply chain at all tiers
that will process, store, or transmit any
FCI or CUI on contractor information
systems in the performance of the DoD
contract or subcontract, irrespective of
the origin of the information.
The executive branch’s CUI Program
is codified in 32 CFR part 2002 and
establishes policy for designating,
handling, and decontrolling information
that qualifies as CUI. The definition of
CUI and general requirements for its
safeguarding are included in 32 CFR
2002.4 and 2002.14, respectively. 32
CFR 2002.14(h)(2) specifically requires
agencies to use NIST SP 800–171 when
establishing security requirements to
protect CUI’s confidentiality on non-
Federal information systems. At the
time of award, the DoD may have no
visibility into whether the awardee will
choose to further disseminate DoD’s
CUI, but DFARS clause 252.204–7012
and DFARS clause 252.204–7021
require the prime contractor to flow
down the information security
requirement to any subcontractor with
which the CUI will be shared. Decisions
regarding which DoD information must
be shared to support completion of
subcontractor tasks is between the
prime contractor and the subcontractors.
The DoD encourages prime contractors
to work with subcontractors to lessen
the burden of flowing down CUI. The
DoD declines to adopt alternatives such
as policy-based solutions that lack a
rigorous assessment component or
require sharing CUI only through DoD-
hosted secure platforms. Suggested
alternatives to implementing NIST SP
800–171 and identifying what data is
CUI are beyond the scope of the CMMC
Program and this rule.
b. FCI and CUI Definitions
Comment: Five comments stated that
what DoD considers CUI is not well
defined. Another comment stated that
companies should be provided a
reference list of what the DoD considers
CUI. Another recommended DoD use
existing mechanisms like the DD Form
254 architecture to clearly define the
scope of CUI on a contract-by-contract
basis. Seven comments recommended
the CMMC rule mandate a Security
Classification Guide (SCG) or similar
document.
Nine comments stated there was too
much confusion and ambiguity
regarding FCI and CUI and that the
government needed to provide clear and
standardized FCI and CUI definitions
that are tailored to the specific
requirements of the CMMC rule. One
comment recommended rule edits to
address this perceived ambiguity. One
comment requested clarification and
examples of differences between CUI
Basic and Specialized CUI.
Response: Federal Contract
Information is defined in FAR clause
52.204–21, which also provides the
security requirements applicable for
basic safeguarding of such information.
The DoD has no authority to modify
definitions established in the FAR for
application to all executive branch
agencies. This rule makes no change to
the definition or handling of CUI.
c. Marking Requirements
Comment: Twenty-three comments
expressed concern with or requested
clarification regarding CUI marking.
Twelve comments specifically noted
concern with CUI markings being
applied to too many documents, in part
because CUI was an ambiguous concept.
They requested the DoD encourage
personnel to mark documents as CUI
only when appropriate and provide
better guidance for managing flow-down
clauses. Another comment noted that
many small businesses are currently
subject to NIST SP 800–171
requirements through DFARS contract
clause flow-down and cannot say with
certainty that they have CUI in their
possession. The comment further noted
that small businesses regularly receive
mismarked data. One comment stated
there is an increased use of automatic
CUI marking on DoD communications,
seemingly without regard to content.
One comment stated that the rule fails
to outline a mechanism for reporting
government mishandling, and that
contractors should use a reporting
system to minimize their own risk and
liability. One comment requested the
rule be edited to prevent Program
Managers or requesting activities from
assigning a CMMC Level 3 requirement
unless they have high confidence that
80+ percent of CUI and/or FCI under the
relevant contract has complete CUI
markings. Another comment stated that
the Federal government should develop
a marking schema to communicate
information safeguarding requirements,
while yet another stated that DoD must
publish a training module for
contracting officers so that they are
properly classifying documents prior to
finalization of this rule.
One comment stated CUI across the
DoD is diverse and what may be CUI for
one system may not be for another. The
comment then questioned how this
proposed rule and SPRS would
accommodate these facts without
assuming and mandating that all
defense contractor information systems
meet the same architecture, security,
and cybersecurity standards.
Response: The CMMC Program will
not provide CUI guidance materials to
industry as it is outside the scope of this
CMMC rule. Relevant information
regarding what to do when there are
questions regarding appropriate marking
of CUI may be found at 32 CFR
2002.50—Challenges to designation of
information as CUI. The DoD declined
to incorporate suggested edits to the
CMMC Level 3 requirements regarding
confidence in proper CUI and/or FCI
markings.
The DoD’s role as data owner is
documented in the CUI Program
implementing policies and the
requirements of 32 CFR part 2002. DoDI
5200.48, states: The authorized holder
of a document or material is responsible
for determining, at the time of creation,
whether information in a document or
material falls into a CUI category. If so,
the authorized holder is responsible for
applying CUI markings and
dissemination instructions accordingly.
DoD Manual 5200.01 outlines DoD’s
Information Security Program and
includes Volume 2, Marking of
Information. The DoD declines to
incorporate by reference those
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00014
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83105
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
documents describing the Department’s
data governance role because the
content is beyond the scope of CMMC
requirements. The DoD issued policy
guidance to its program managers
regarding programmatic indicators to
consider when selecting CMMC
requirements. Program managers have a
vested interested in knowing whether a
contractor can comply with these
existing requirements to adequately
safeguard CUI.
The DoD elected not to make any
recommended edits to the CMMC
Program related to FCI or CUI marking
requirements or provide clarifying
examples of the differences between
Basic CUI and Specified CUI, as these
are beyond the scope of this rule.
Mishandling of information by the
government is beyond the scope of this
rule. DCMA DIBCAC processes, stores,
and transmits all data on DoD-approved
networks. DoD’s adherence to NARA’s
CUI Program policies is beyond the
scope of this rule.
d. Applicability and Governance of CUI
Requirements
Comment: In addition, one utilities
sector representative submitted a
lengthy analysis of data types often
generated by electric or other utilities,
with regulatory references and rationale
for why such data would not likely be
subject to DoD’s CUI safeguarding
requirements or CMMC compliance
assessments. Such rationale included
the fact that some Government-Private
CUI categories, such as DoD Critical
Infrastructure Information, require
explicit designation in that category
which (according to the commenter) has
not occurred in the electricity subsector.
One contractor requested that CMMC
clarify requirements around U.S.
persons and foreign dissemination of
CUI for both contractors, subcontractors’
employees, and contingent workers.
Two comments suggested it would be
appropriate to reference data
governance in § 170.1 and the DoD’s
role as the data owner of FCI and CUI
across the ecosystem. Another comment
stated the classification efforts must
themselves be audited.
Response: The quantity of FCI and
CUI a defense contractor possesses,
including copies of the same material, is
irrelevant to the CMMC assessment
required. All copies of FCI or CUI
related to the DoD contract must be
safeguarded. The CMMC Program is not
intended to validate compliance with
cybersecurity requirements of non-DoD
agencies’ contracts. The requirements
for sharing of CUI with non-US persons
is beyond the scope of this rule.
The CMMC program provides a
mechanism to assess contractor
compliance with applicable security
requirements for the safeguarding of FCI
or CUI. CMMC program requirements
make no change to existing policies for
information security requirements
implemented by DoD. Policies for CUI
and creation of program documentation,
to include Security Classification
Guides, are separate from this rule.
Discussion in this rule regarding DoD
programs providing CUI training and
the implementation of E.O. 13556 are
beyond the scope of this rule.
CMMC program requirements are
applicable when DoD requires
processing, storing, or transmitting of
either FCI or CUI on a non-Federal
contractor owned information system in
the performance of a contract between
DoD and the contractor. The DoD does
not manage nor is it involved in data
exchanges between contractors and
subcontractors.
3. Other DoD Policies and Programs
Many comments dealt with DoD
policies and programs that, while
relevant for understanding CMMC
requirements, are still entirely separate
programs or policies that are not within
the scope of the CMMC program.
However, several commenters
recommended that the rule be revised to
address them. Key topics among such
comments include:
a. Adaptive Acquisition Framework
Comment: One commenter
misunderstood CMMC program purpose
and thought the requirements applied to
systems and capabilities acquired or
developed for DoD’s use, using formal
policies of the Defense Acquisition
System. Based on this misinterpretation,
this commenter made dozens of
recommendations related to integration
of CMMC assessment and program
requirements with other existing DoD
acquisition frameworks and suggested
relying on the assessors that complete
TRAs, in place of implementing the
CMMC program. One of their comments
also proposed establishing a single
responsible office for CUI and SCRM,
hosting CUI material within a single,
separate secure and existing cloud-
based data warehouse and including
hardware and software approving
authorities as part of the proposed rule
for GFE. The commentor also stated the
role of the Office of Small Business
Programs (OSBP) needs to flow down to
the Small Business Administration
military service offices. The commentor
also asked how to reconcile CMMC
against the DoDI 8582.01 requirement
stating a DoD Component should not
specify the content and format of plans
of action that address deficiencies or
specifying the parameters of security
controls.
This commenter also recommended
creation of a MIL-Standard in lieu of
aligning cybersecurity requirements to
existing NIST standards, and linkage of
CMMC requirements to procedures
related to Approval to Operate (which
applies to DoD systems. This
commenter suggested that the CMMC
PMO be made responsible to provide
system scans to check for Software Bills
of Material as part of DoD’s response to
Executive Order 14028 regarding
Supply Chain Risk Management. The
commenter further requested a DoD-
level working group outline how DoD
program offices might identify which
components are mission or safety
critical or which associated production
processes should be identified as CTI.
That commenter recommended this rule
be held in abeyance until AT&L [sic] has
reviewed and provided their insight into
the impacts of CMMC on existing DoD
acquisition documentation and
deliverables. Yet another comment
recommended that ‘‘this proposed
DFARS ruling’’ be vetted through
‘‘AT&L, ASD and OUSD’’ [sic] as a
minimum to determine if changes
would be required in the Program
Protection Improvement Plan and
System Security Plan. Lastly, this
commenter recommended the DoD
engage with NDIA and ISO/IEC to
develop alternate standards for securing
data and supply chains.
Response: CMMC Program
requirements apply to contractor-owned
information systems that process, store,
or transmit FCI and CUI and do not
apply to systems developed or acquired
for DoD through the formal Defense
Acquisition System (DAS). Therefore,
integrating the CMMC assessment
process and internal DAS processes
(including technical reviews prior to
RFP development) is not appropriate
and is beyond the scope of this rule.
Note that CMMC applicability is broader
than just the Major Defense Acquisition
Programs.
DoD’s organizational alignment of
responsibilities (between OSBP and
SBA military offices) for assisting small
businesses or establishing new offices
within OSD is beyond the scope of this
rule. Due to national security concerns,
DoD declines the recommendation to
further delay implementation of the
CMMC Program. Each passing day in
delay of implementing the security
requirements for safeguarding DoD FCI
and CUI increases the risk for
exfiltration of non-public information
on unsecured nonfederal systems that
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00015
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83106
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
may result in the loss of DoD’s
technological advantages in its
warfighting capabilities and programs.
Discussions regarding acquisition
strategies and frameworks are beyond
the scope of this CMMC rule. The
CMMC Program does not alleviate or
supersede any existing requirements of
the Adaptive Acquisition Framework,
nor does it alter any statutory or
regulatory requirement for acquisition
program documentation or deliverables.
Note that CMMC Program requirements
do not apply to systems delivered to
DoD. DoD Instructions for required
acquisition program documentation are
beyond the scope of this rule. CMMC
assessment certifications are not
integrated into System Security Plans
(SSPs).
The role of System Engineering and
associated processes within the DoD
acquisition process is beyond the scope
of this rule. ITRA assessments provide
a view of program technical risk and are
not well-suited to the assessment of
contractor owned information systems
against standards for safeguarding CUI.
CMMC Program requirements do not
clash with Program Office
responsibilities, but instead provide
Program Manager’s with a mechanism
for validating that contractors are
compliant with the rules for protecting
DoD CUI.
b. FedRAMP Program and FedRAMP
Equivalency
Comment: Many commenters took
issue with the requirements for
FedRAMP Moderate Equivalency, as
referenced in DFARS clause 252.204–
7012 and defined in a separate DoD
policy memo. Some merely highlighted
discrepancies or highlighted concerns
about their ability to meet the FedRAMP
Moderate Equivalency requirements.
Others recommended revisions to that
policy, or to the DFARS clause 252.204–
7012 clause, or both. Some
recommended the FedRAMP Moderate
Equivalency policy memo be
incorporated into the DFARS clause
252.204–7012 clause. Other suggestions
ranged from eliminating equivalency to
meet requirements, allowing 3PAO
attestation to equivalency, requiring all
FedRAMP Moderate Equivalency
candidates to be assessed by the same
C3PAO or allowing equivalency to be
established through other industry
certifications or third-party security
assessments, i.e., SOC, ISO/IEC 27001.
One commenter requested that
applications hosted on a FedRAMP
Moderate environment only need to
meet the CMMC level of the data the
application will process. Another
suggested that all Cloud Service
Providers be required to meet the same
CMMC requirement as the OSCs they
support. One commenter recommended
expanding the scope of CMMC Program
to include assessing other security
requirements in DFARS clause 252.204–
7012, to include the use of FedRAMP
Moderate cloud environment.
Comments also expressed that it is
unreasonable to expect any cloud
provider to share security
documentation with a customer or
C3PAO since they limit dissemination
of this information due to operational
security needs. Another commenter
noted that the proposed rule does not
cover all types of information that
contractors may handle, such as
classified information, export-controlled
information, or proprietary information
and they recommended the DoD clarify
applicability of the CMMC program for
these types of information.
Response: Although some
commercially based Cloud Service
Offerings (CSOs) may experience
limitations in trying to support the
Defense Industrial Base with the
FedRAMP Moderate equivalent
requirement, the DoD is not willing to
assume all the risk of non-FedRAMP
Moderate Equivalent CSOs when the
CSO is used to process, store, or
transmit CUI. If the offering does not
process, store, or transmit CUI, then
FedRAMP certification is not required.
Although the DoD considered
acceptance of the ISO/IEC 27001
certification, it chose the NIST
cybersecurity requirement to meet
FedRAMP Moderate baseline
equivalency standard to stay aligned
with the FedRAMP Moderate baseline
which is based on NIST standards
versus ISO/IEC standards.
The rule was updated to require
FedRAMP moderate or FedRAMP
moderate equivalency in accordance
with DoD Policy. CMMC Program
Requirements make no change to
existing policies for information
security requirements implemented by
DoD. Comments related to applications
hosted on a FedRAMP Moderate
environment are outside the scope of
this rule.
The requirements for CSPs that
process, store, or transmit CUI are set by
DFARS clause 252.204–7012 and the
DoD CIO policy memo on FedRAMP
Moderate equivalency. These
requirements are beyond the scope of
this rule. ESPs that are not CSPs will be
required to meet the CMMC
requirements and be assessed as part of
the scope of an acquiring OSA. ESPs
that are not a CSP may voluntarily
request a C3PAO assessment if they
decide it would be to their advantage.
c. Other DoD Programs and Policies
Comment: One commenter expressed
dissatisfaction with results obtained
from previously submitted FOIA
requests related to development of the
CMMC program.
Two commenters asked if there was a
mechanism to update FAR clause
52.204–21 to address evolving threats
and recommended the Department
specifically identify the frequency and
identify accountable parties to review
and update FAR security requirements.
Another commenter cited responses
visible on the DoD CIO’s Frequently
Asked Questions (FAQ) website and
criticized both the utility of the
information (given that does not
constitute formal policy) and the
frequency with which the information is
updated. Similarly, one commenter
asked for more frequent updates to
FAQs on the DoD Procurement Toolbox
URL.
One commenter asserted that the
Federal Government sometimes
contracts for support to perform
sensitive tasks and permits access to
‘‘highly classified’’ information that
should only be accessed by Federal
employees.
One commenter requested NIST
develop a simplified inspection
standard for organizations with less
than 20 employees.
One commenter asked about the
transfer of CMMC Program oversight
from OUSD(A&S) to DoD CIO.
A comment cited the utility of free
cybersecurity related services that DoD
agencies offer, such as security alerts
and vulnerability scanning, and
encouraged expansion of those
programs.
One person suggested that DoD’s
Zero-Trust approach would provide a
higher level of security for CUI data
than the CMMC program.
One commenter stated the
Department should develop clear,
flexible guidelines and alternative
pathways for global companies to
achieve CMMC compliance without
relying on enclave architectures and
recommended that this approach rely on
Zero Trust principals.
One comment noted that under FAR
clause 52.204–21, FCI does not include
simple transactional information (STI)
and asked if certain data would be
considered STI and therefore not subject
to CMMC.
One comment stated that conflicting
regulatory guidance exists between the
content of E.O. 15028, NIST SP 800–
218, NIST SP 800–171 R2, and NIST SP
800–171 Revision 3.
Response: One comment lacked
clarity and failed to clearly articulate
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00016
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83107
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
23
DoD Issuances (www.esd.whs.mil/DD/DoD-
any relevance to the content of this rule,
so no response can be provided.
SPRS will be used for reporting
CMMC Status of all contractors,
regardless of which service issued the
contract. Publication of this rule follows
completion of OMB’s formal rulemaking
process, which includes both DoD
internal coordination (including the
USD(A&S) and USD(R&E)) and
Interagency coordination.
CMMC is consistent with Section 3.4
of DoDI 8582.01, Validation and
Compliance. CMMC does not specify
the content and format of plans of action
beyond what is specified in NIST SP
800–171 R2, which is required under
DoDI 8582.01.
Clinger Cohen Act requirements,
which apply to DoD’s IT investments,
are not relevant to CMMC Program
requirements, which apply to
contractor-owned information systems.
The classification marking of existing
DoD documentation is beyond the scope
of this rule, as is engagement with
INCOSE and ISO/IEC certification
organizations.
Executive Orders state mandatory
requirements for the Executive Branch
and have the effect of law. E.O. 14028—
‘‘Improving the Nation’s Cybersecurity’’
(issued May 12, 2021) requires agencies
to enhance cybersecurity and software
supply chain integrity. NIST SP 800–
171 R2 and NIST SP 800–218 are
guidelines, not regulations. NIST SP
800–171 Revision 3 is not currently
applicable to this rule.
Recommendations to add or modify
requirements specified in NIST
documentation should be submitted in
response to NIST requests for public
comment on the applicable guidelines.
Federal and DoD requirements for
delivery of software bills of material of
secure software development are
beyond the scope of this rule, which is
limited to the assessment of compliance
with requirements for adequate
protection of FCI and CUI. Federal
Contract Information is defined in FAR
clause 52.204–21, which also provides
the security requirements applicable for
basic safeguarding of such information.
The Department has no authority to
modify definitions established in the
FAR for application to all executive
branch agencies. Any data that meets
the definition of FCI, is subject to
CMMC Level 1. It is beyond the scope
of the CMMC rule to render decisions
on specific elements of data.
The OUSD(A&S) was not replaced by
the DoD CIO, rather, CMMC Program
management oversight has been
realigned from the OUSD(A&S) to the
Office of the DoD CIO for better
integration with the Department’s other
DIB cybersecurity related initiatives.
Comments pertaining to DoD’s
organizational structure are not relevant
to the content of this rule. DoD’s
processing of FOIA requests is also not
within the scope of this rule. The DoD
declines to respond to speculative or
editorial comments about private
citizens or outside entities, all of which
are beyond the scope of this rule.
Likewise, the DoD will not comment
here on other DoD cybersecurity related
programs, such as Zero Trust.
Some comments expressed
appreciation for cybersecurity related
services that DoD provides free of
charge, including protected DNS,
vulnerability scanning, and security
alerts, but these programs are outside
the CMMC program. The government
cannot comment on specific
implementation or documentation
choices of an OSA. Comments on
alternate risk mitigation strategies such
as product monitoring or software
testing are not within the scope of this
rule text.
d. DoD Policies Supporting CMMC
Implementation
Comment: Some comments addressed
the DoD’s internal policies and training
efforts to prepare the Government
workforce for CMMC program
implementation. For example, some
commenters opined that the rule’s focus
on contactor responsibilities misses the
true risk that lies further up obscure
supply chains. Another commenter
recommended DoD work with
contractors in each sector to provide
clear guidance on the types of data that
the Department would consider CTI.
One commenter requested DoD
acknowledge that human factors
influence DIB cybersecurity while
another stated DoD should provide
uniform web-based training at no cost to
ensure applicable training requirements
are satisfactorily met. Another asked
whether DoD PMs would receive CMMC
related training prior to implementation.
Another comment asked whether
specific risk mitigating approaches,
such as product monitoring or software
testing might suffice to manage supply
chain risk considering lack of visibility
into the origins of 3rd and 4th tier
components.
One commenter perceived the CMMC
requirement for Program Managers to
identify the level of assessment
requirement appropriate for a
solicitation as removing the contract
award decision from the USD(A&S).
One commenter stated more information
about procedures for implementing
CMMC into government-wide contracts
is needed. Another commenter
expressed a need to use a basic contract
that is unclassified, and any CUI would
be contained in a separate appendix to
allow sub-contractors to plan with their
Prime to access the information on the
Prime’s network and avoid requirements
for their own CMMC certification.
Another comment recommended
revisions to describe that medium
assurance certificates for incident
reporting are a DFARS clause 252.204–
7012 requirement, independent of
CMMC program requirements.
Two commenters criticized the
DFARS clause 252.204–7020
requirement to allow ‘‘full access’’ to
contractor facilities, systems, and
personnel for the purposes of DIBCAC
assessment, or for damage assessment
following incident, and recommended
that the CMMC program not include or
rely on this authority.
Another commenter recommended
that, prior to issuing a final rule on
CMMC, DoD work with other relevant
agencies to integrate and harmonize the
numerous regulatory changes that
impact contractors’ capacity to
safeguard data and systems. One
commenter suggested rule publication
be delayed until DoD articulates the
benefit expected from contractor
compliance with the rule.
Response: All recommendations to
revise other Government-wide or DoD
policies and programs are beyond the
scope of the CMMC rule.
CMMC Program Requirements make
no change to existing policies for
information security requirements
implemented by DoD. Policies for CUI
and creation of program documentation,
to include Security Classification
Guides and FedRAMP equivalency are
separate from this rule. Relevant
policies include DoDI 5200.48
‘‘Controlled Unclassified Information’’
and DoD Manual 5200.45 ‘‘Instructions
for Developing Security Classification
Guides’’ for example.23 Some comments
received lacked relevance to the rule’s
content, which is limited to specific
CMMC program requirements. Changes
to FAR and DFARS requirements are
beyond the scope of this rule, as are the
contents and updating of DoD’s FAQ
and Procurement Toolbox web pages.
CMMC program requirements do not
result in any change to which DoD
organization makes the contract award.
Recommendations to adopt standard
DoD contracting procedures (i.e., to
exclude CUI information in the basic
award) are not within the scope of this
rule, which outlines program
requirements. The DoD limits the
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00017
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83108
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
burden of CMMC compliance by
requiring annual affirmations rather
than annual assessments. Affirmations
required for the CMMC program
indicate that a DoD contractor has
achieved and intends to maintain
compliance with the applicable DoD
information security requirements.
The CMMC program is designed only
to validate implementation of the
information security standards in FAR
clause 52.204–21, NIST SP 800–171 R2,
and a selected subset of NIST SP 800–
172 Feb2021. This rule does not address
the other DFARS clause 252.204–7012
requirements for cyber incident
reporting. The CMMC assessment
framework will not alter, alleviate, or
replace the cyber incident reporting
aspects of DFARS clause 252.204–7012,
which will remain effective where
applicable. Classified information is
managed differently from CUI, and
different safeguarding regulations apply
to these different categories of
information (each of which are defined
in 32 CFR part 2002). CMMC Program
requirements are aligned to the
requirements for safeguarding of CUI
and are unrelated to the requirements
for safeguarding classified information.
‘‘Export Controlled’’ is a category of
CUI. To the extent that a company
generates information it considers
proprietary, but which is explicitly
excluded from the definition of CUI (see
32 CFR part 2002), no CMMC
requirements would apply.
As the CMMC program requirements
make no change to existing policies for
information security requirements
implemented by DoD, dialogues with
industry to identify CUI is outside the
scope of this 32 CFR part 170 CMMC
Program rule. Several existing
requirements directly address the
human factors of cybersecurity,
particularly those in the Awareness and
Training, Personnel Security, and
Physical Protection domains. Additional
training and education on the topics of
CUI safeguarding requirements,
cybersecurity hygiene, and other useful
topics may be found at:
[https://www.archives.gov/cui/training.html www.archives.gov/cui/training.html
]https://securityawareness.
https://business.defense.gov/Resources/
[https://business.defense.gov/Resources/Be-Cyber-Smart/ Be-Cyber-Smart/
]OSAs may develop their own policies
to validate completion of training.
Developing and providing cyber
security awareness training is not
within the scope of the CMMC Program.
DoD program managers will receive
training.
In support of 32 CFR part 170 CMMC
Program final rule, DoD issued guidance
to reiterate the most appropriate
information safeguarding requirements
for DoD information and the associated
CMMC assessment requirement for any
given solicitation. Irrespective of CMMC
Program assessment requirements, when
CUI is processed, stored, or transmitted
on contractor owned information
systems, those systems are subject to the
security requirements of NIST SP 800–
171, due to the applicability of DFARS
clause 252.204–7012. Program Managers
have a vested interested in knowing
whether a contractor can comply with
these existing requirements to
adequately safeguard DoD CUI.
Applicability of and compliance with
DFARS clause 252.204–7020 is beyond
the scope of the CMMC Program.
Implementation of the CMMC Program
does not require or rely upon DFARS
clause 252.204–7020. The existing
assessments described in DFARS clause
252.204–7020 are entirely different than
those described in this rule. This rule
contains no cyber incident reporting
requirements. Concerns related to a
CISA rule pertaining to cyber incident
reporting are beyond the scope of this
rule and should have been submitted
instead to the relevant docket for that
rule. The DoD has declined the
recommendation to address certificate
requirements for the cyber incident
reporting requirements of DFARS clause
252.204–7012 in this rule. The DoD is
unable to comment on, balance with, or
modify contractual or regulatory
requirements to comply with any other
agency’s future requirements.
The preamble of this rule articulates
how contractor compliance with CMMC
will contribute to counteracting the
cyber security threat. Implementation of
the CMMC Program will help protect
DoD’s FCI and CUI that is processed,
stored, and transmitted on non-Federal
information systems of defense
contractors and subcontractors.
Adequately securing that information as
required, down to the smallest, most
vulnerable innovative companies, helps
mitigate the security risks that result
from the significant loss of FCI and CUI,
including intellectual property and
proprietary data. Hence the
implementation of the DoD CMMC
Program is vital, practical, and in the
public interest. Working with NIST and
other regulatory authorities to align
standards is beyond the scope of this
rule.
4. DFARS Requirements
Comment: Two commenters
recommended the DoD fully implement
CMMC requirements to standardize
contract requirements to avoid
proliferation of unique contract clauses
across the Department. One comment
suggested the rule should state
explicitly that CMMC requirements do
not apply to other agencies and advise
DoD contractors to seek legal guidance
before complying with CMMC
requirements if other agency
requirements also apply.
In addition, several commenters
thought the 32 CFR part 170 CMMC
Program rule requirements lacked
sufficient information about the
associated 48 CFR part 204 CMMC
Acquisition rule requirements to
implement them. One person
erroneously identified the DFARS
clause 252.204–7021 as part of the 32
CFR part 170 CMMC Program rule, and
one person asked what additional
rulemaking is needed to implement
CMMC requirements. Another person
recommended close coordination and
synchronization between the two rules.
One comment recommended the
contract clauses be simplified to be
‘‘stand alone’’, rather than requiring
cognizance of the 32 CFR part 170
CMMC Program rule content.
One commenter asked whether
contractors must meet CMMC
requirements during the solicitation
phase, or to view RFPs that contain CUI.
Another asked how DoD plans to
integrate CMMC requirements into
DoD’s Adaptive Acquisition Framework.
One contractor disagreed with CMMC’s
pre-award approach, and worried it
could create a need to become
compliant in anticipation of future
solicitations. This commenter posited
that any information designated as CUI
after contract award will create a
‘‘chicken and egg’’ dilemma for CMMC
compliance. Other comments asked
whether conditional certifications
would be weighted differently than final
certifications in the proposal evaluation
and award process and suggested that
DoD provide 6 months advance notice
for all solicitations containing a CMMC
requirement.
Some comments urged the DoD to
describe how DoD will identify CUI in
solicitations and when CUI markings
should apply in CSP or ESP scenarios.
They also requested modification of
DoD contracting procedures to provide
criteria for identifying CUI information
in each contract award along with the
corresponding CMMC assessment level.
One commenter inquired about the
difference between implementing
security requirements and assessing
compliance. Some comments pertained
to other DFARS contractual
requirements, rather than CMMC
requirements. For example, some
recommended changing DFARS clause
252.204–7012 to remove the definition
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00018
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83109
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
of Covered Defense Information and to
deviate from a requirement to comply
with the NIST SP 800–171 version
current at the time of solicitation. In
addition, they asked about cost
allowability for time and materials or
cost type contracts. Some comments
posited that costs for reassessment or
recertification should be explicitly
identified as reimbursable in the 48 CFR
part 204 CMMC Acquisition rule, while
one similar comment suggested that
CMMC level 3 certification costs should
be allowable when CMMC level 3
requirements are initially implemented.
One comment addressed cyber
incident reporting timelines for cloud
service providers and recommended
that the DoD’s FedRAMP moderate
equivalency policy be revised to align
with DFARS clause 252.204–7012
timelines. Another asked whether the
rule inadvertently omitted requirements
to assess compliance with DFARS
clause 252.204–7012 cyber incident
requirements.
Other commenters asked for the
CMMC contract clause verbiage, as was
subsequently published in the related
48 CFR part 204 CMMC Acquisition
rule. For example, some people asked
whether CMMC requirements would be
levied in ID/IQ contract awards versus
task order awards, and GSA schedules.
They asserted that adding CMMC
clauses in GSA schedules might
inadvertently allow contracting officers
to include them in non-DoD issued task
orders. Another opined that ID/IQ
contracting procedures might
necessitate changing the CMMC level
needed for the base contract after its
initial award, based on the needs of a
task order. One commenter incorrectly
inferred that a single Program Manager
would make the CMMC level and type
determination for every task order
issued against an ID/IQ. In addition, two
comments suggested that the DoD
communicate with every current DoD
contractor to identify which CMMC
level would apply to their existing
contracts.
One company identified their specific
DoD contract and asked whether it
would be cancelled absent CMMC
compliance. Another asked whether a
current DFARS clause 252.204–7020
self-assessment score could be
submitted to meet a CMMC level 2 self-
assessment requirement. They also
recommended elimination of the
DFARS clause 252.204–7020
requirements when CMMC is
implemented.
One commenter speculated about
whether DoD’s CMMC contract clauses
can be applied to DoD contractors that
also make and sell the same product to
other US Government agencies. They
noted that export licenses do not restrict
companies from providing product data
to other parties and posited that this
might conflict with CMMC
requirements. One person asked about
the potential for conflicts between
CMMC clauses and the Berry
amendment and suggested that Berry
amendment compliance take
precedence over CMMC clauses.
Response: Some comments received
lacked relevance to the rule’s content,
which is limited to specific CMMC
program requirements. Changes to FAR
and DFARS requirements are out of
scope of the 32 CFR part 170 CMMC
Program rule, as contractual changes
would occur under the 48 CFR part 204
CMMC Acquisition rule. This rule does
not discuss the Berry Amendment. The
rule does not address recovery of
assessment costs because it does not
make any change to 48 CFR 31.201–2.
This 32 CFR part 170 CMMC Program
rule is not an acquisition regulation,
however, a CMMC Conditional
Certification meets the CMMC program
certification requirements. Any
comments related to contract
requirements should be directed to the
related 48 CFR part 204 CMMC
Acquisition rule.
CMMC requirements apply to
contracts that include FAR clause
52.204–21 or DFARS clause 252.204–
7012 and result in processing, storing,
or transmitting of FCI or CUI on a
contractor owned information system.
The CMMC program is not a verification
program for compliance with all
requirements of DFARS clause 252.204–
7012, rather, its purpose is to ensure
compliance with FAR clause 52.204–21,
NIST SP 800–171 R2, and NIST 800–172
Feb2021 when applicable. The DoD
does not provide detailed instruction on
how to implement specific solutions to
meet security requirements identified in
the FAR clause or applicable NIST
requirements, which is determined by
the OSA. Any deviation from or change
to the DFARS clause 252.204–7012
clause is beyond the scope of this rule.
Each of the teams responsible for
developing these two CMMC rules has
reviewed both documents.
There are no CMMC requirements for
reviewing FCI or CUI solicitation
material. Recommendations to adopt
standard contracting procedures for
award of DoD contracts (i.e., to exclude
CUI information in the basic award) are
out the scope of this 32 CFR part 170
CMMC Program rule. In support of the
32 CFR part 170 CMMC Program final
rule, DoD issued policy guidance to its
program managers and acquisition
workforce to identify the appropriate
CMMC requirement in solicitations and
contracts. The CMMC assessment level
required does not change based on
acquisition lifecycle phase and is based
on whether FCI and CUI are processed,
stored, or transmitted on contractor
owned information systems used in the
performance of a contract.
Discussion of DoD’s willingness to
provide advance notice of CMMC
requirements or to remove the PM’s
discretion to include the CMMC level
that best suits program requirements is
a 48 CFR part 204 CMMC Acquisition
rule matter and outside the scope of this
rule. The CMMC Level will be identified
in the solicitation. Once attained, a
CMMC self-assessment or certification
can be used in support of any number
of proposals and solicitations.
5. Litigation and False Claims
Comment: Some commenters
expressed concern that CMMC
implementation would result in
increased litigation by DIB companies or
pursuit of False Claims Act penalties by
DoD against DIB companies. One
commenter erroneously believed that
Mexico would participate in oversight
of the CMMC ecosystem, and that ‘‘a
flood of litigation’’ may result from DIB
companies losing contracts due to non-
compliance with CMMC requirements.
One commenter suggested that DoD
should absolve contractors from False
Claims Act prosecution when
differences are found between C3PAO
assessment results and a previously
submitted contractor self-assessment,
due to potentially valid reasons for the
differing outcomes. Another suggested
that DoD establish protections from
regulatory and legal liability related to
cyber incidents when the affected
contractor has complied with relevant
CMMC Program requirements.
Response: The DoD lacks the
authority to change the False Claims
Act, which is a Federal law that imposes
liability persons and companies who
defraud or knowingly submit false
claims to the government. Comments
related to Safe Harbor provisions are
outside the scope of this rule.
Comments about potential industry
litigation are also beyond the scope of
the final rule and the recommendations
provided were not appropriate for
inclusion in this rule. Nothing in the
rule prevents frivolous private lawsuits,
but the rule does provide that the
CMMC AB maintain an appeals process.
The DoD has faithfully followed the
formal rulemaking process, to include
completion of the public comment
period. Implementation of the CMMC
program will be carried out objectively
and in accordance with the tenets of the
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00019
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83110
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
final rule. No foreign actors have any
role in DoD’s administration of the
program.
6. DoD Metrics
Comment: Several commenters
inquired about the types of metrics the
DoD plans to use to monitor progress
toward the DIB cybersecurity objectives
that the CMMC program was designed
to meet. One asked whether DoD’s
metrics would include testing, and
another recommended they capture
changes in the population of DoD
contractors caused by cost impacts of
CMMC implementation. Others
referenced a December 2021 GAO
Report that critiqued DoD’s earlier
attempts to implement the CMMC
program. Specifically, they cited the
GAO’s finding that, at that time, DoD
had not defined how it would analyze
data to measure performance.
A comment recommended the DoD
identify responses to other GAO
findings, which dealt with
improvements to communications with
industry and metrics for program
management. Another comment asked
whether management alignment within
OSD, budget, and staffing of the CMMC
program office are adequate.
Two comments asked how many
current contract awardees had received
notification or identification of CUI to
be provided in performance of their
contracts, and asked which CMMC level
would theoretically apply to those
contracts. Another asked the DoD to
provide DIBCAC assessment results data
as a more relevant justification for the
CMMC program than the 2019 DoDIG
report on DIB Cybersecurity.
Response: DoD’s response to the
referenced GAO and DoD IG reports are
beyond the scope of this rule. Likewise,
the DoD does not comment on analysis
methods supporting the DoD IG’s
conclusions. Publishing DIBCAC
assessments results is also beyond the
scope of this rule, as are CMMC Program
effectiveness metrics and return on
investment calculations. The DoD is
establishing CMMC assessment
requirements as part of a comprehensive
effort to verify that underlying
information security requirements are
met, as required, for all contractor
owned information systems that
process, store, or transmit CUI or FCI in
the performance of a DoD Contract.
DoD’s calculation of ROI for the security
controls that CMMC will assess, and
cost elasticity of the DIB are also beyond
the scope of this rule.
7. Phased Implementation of the
Program
Comment: Many comments asked for
additional explanation of DoD’s
expected start and progression through
phases of the CMMC implementation
plan. Several asked that the phase-in
plan be extended. One commenter asked
whether contracts that would otherwise
be associated with CMMC Level 3
would include a CMMC Level 2
requirement if issued prior to Phase 4 of
the plan. Another misread the phase-in
plan to mean that self-assessments
would no longer be permitted at Full
Implementation. One comment asked if
the USG would be revisiting acquisition
timelines to add more time for due
diligence to ensure all entities meet
CMMC requirements or have a POA&M
in place.
Some commenters observed that
DoD’s intended dates for CMMC
implementation, as published in an
earlier 48 CFR CMMC interim final rule,
are unachievable and must be changed
via another CMMC DFARS rule. Some
commenters were confused by the
differences between the dates of
implementation phases in the rule, and
the seven years described in cost
estimates as necessary to complete
implementation. Another commenter
asked why the rule only applies to DoD.
Some commenters suggested changes
to prioritize different kinds of contracts,
programs, or companies earlier or later
in the implementation plan, rather than
basing the phase-in on assessment type.
For example, one suggested capping the
number of contracts with CMMC
requirements each year. Another
suggested phasing in by increasing the
numerical assessment score required for
compliance, with additional time
permitted for POA&M close-out beyond
the current limit of 180 days. Another
suggested reversing the phase-in to
begin with CMMC Level 3. Several
commenters requested extension of the
phase-in plan to allow more time. One
speculated that ‘‘tens of thousands’’ of
contractors would require certification
in less than 18 months. One commenter
suggested the DoD modify the timing of
implementation for CMMC levels 2 and
3, and that DoD consider allowing
sufficient time to develop a robust
CMMC ecosystem and demonstrate the
CMMC model before full
implementation.
Flexibility in the implementation plan
that allows Program Managers and
requiring activities to include CMMC
requirements earlier in the plan than
will be mandated by policy also
generated questions and comments.
Some commenters asked whether this
could result in the DoD applying CMMC
requirements to previously awarded
contracts or asked that the rule specify
they will apply only to new contracts.
Another asked about opportunities to
renegotiate the contract ceiling price if
CMMC assessments are required for
option period exercise. One commenter
asked that the rule be revised to exclude
these flexibilities to result in an ‘‘on/
off’’ approach to implementation.
Another commenter asked what
mechanisms the DoD would have to
change the pace of implementation or
monitor the contracts that include
CMMC requirements.
Response: The DoD lacks the
authority to implement CMMC as a
Federal-wide program. The 48 CFR part
204 CMMC Acquisition rule for CMMC
will be updated to align with this 32
CFR part 170 CMMC Program rule and
will modify DFARS clause 252.204–
7021. CMMC Phase 1 implementation
will commence when both the 32 CFR
part 170 CMMC Program rule and the 48
CFR part 204 CMMC Acquisition rule
are in effect. Some commenters may
have overlooked that § 170.3(e) states
Phase 1 begins on the effective date of
this 32 CFR part 170 CMMC Program
rule or the complementary 48 CFR part
204 CMMC Acquisition rule, whichever
occurs later. The implementation plan
describes when CMMC level
requirements will appear in
solicitations, it does not define a
timeframe by which all contractors must
be certified. During the first phases of
the plan, a majority of CMMC
requirements will be for self-assessment.
In response to public comments, the
DoD has updated the rule to extend
Phase 1 by 6 months, with appropriate
adjustments to later phases. DoD is not
conducting Pilots in the updated CMMC
implementation plan. The phased
implementation plan described in
§ 170.3(e) is intended to address ramp-
up issues, provide time to train the
necessary number of assessors, and
allow companies the time needed to
understand and implement CMMC
requirements. DoD has updated the rule
to add an additional six months to the
Phase 1 timeline. Phase 2 will start one
calendar year after the start of Phase 1.
The DoD’s objective timeline to begin
implementing the CMMC requirements
has been, and remains, FY2025. The
implementation period will consist of
four (4) phases, 1 through 4, and is
intended to address any CMMC
assessment ramp-up issues, provide the
time needed to train the necessary
number of assessors, and to allow
companies time to understand and
implement CMMC requirements. It is
estimated that full implementation of
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00020
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83111
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
CMMC by all defense contractors will
occur over seven years, given the
number of DoD solicitations contractors
respond to and are awarded each year.
The four phases add CMMC level
requirements incrementally, starting in
Phase 1 with Level 1 and Level 2 Self-
assessments, and ending with Phase 4
for Full Implementation, as addressed in
§ 170.3(e)(4). By Phase 3, all CMMC
Levels 1, 2, and 3 will be included in
some DoD solicitations and contracts,
but Level 3 requirements may be
identified for implementation as option
period requirements rather than for
initial contract award. In Phase 4, DoD
will include CMMC requirements in all
applicable DoD contracts and option
periods on contracts awarded after the
beginning of Phase 4. As addressed in
§ 170.18(a), receipt of a CMMC Level 2
Final CMMC Status for information
systems within the Level 3 CMMC
Assessment Scope is a prerequisite for
a CMMC Level 3 certification
assessment.
CMMC self-assessment requirements
build on the existing DFARS clause
252.204–7020 requirement for basic
safeguarding of CUI. CMMC Level 3
requires advanced implementation, and
the phase-in period provides additional
time for OSC to achieve the higher
standard. In phase 4, which is full
implementation, CMMC requirements
must apply to new contracts and option
year awards. The DoD may choose to
negotiate modifications adding CMMC
requirements to contracts awarded prior
to CMMC implementation, as needed.
No changes to this rule are needed to
reflect existing contract administration
processes. Questions on specific
contracting matters, including contract
costs and funding, are outside of the
scope of this rule.
With the implementation of the final
32 CFR part 170 CMMC Program rule
and 48 CFR part 204 CMMC Acquisition
rule, prospective DoD contractors and
subcontractors should be actively
preparing for DoD contract
opportunities that will include CMMC
Program requirements when
performance will require the contractor
or subcontractor to process, store, or
transmit FCI or CUI. The respective
phases of the implementation plan
provide adequate time to complete
CMMC requirements and DoD program
requirements and timelines will dictate
the programs that may warrant CMMC
Level 3 requirements during the phased
implementation of CMMC.
DoD considered many alternatives
before deciding upon the current CMMC
implementation plan. The phased
implementation plan is based on CMMC
assessment level and type, which DoD
believes to be a fair approach for all
prospective offerors. Defining the phase-
in based on contract type, company size
standard, or other potential bases could
lead to unfair advantage. Program
Managers will have discretion to
include CMMC Status requirements or
rely upon existing DFARS clause
252.204–7012 requirements, in
accordance with DoD policy. The DoD
will monitor the Program Managers’
exercise of this discretion to ensure a
smooth phase-in period. The decision to
rely upon CMMC self-assessment in lieu
of certification assessment is a
Government risk-based decision based
upon the nature of the effort to be
performed and CUI to be shared. Note
that section § 170.20 Standards
acceptance states OSCs that completed
a DCMA DIBCAC High Assessment with
a score of 110 and aligned with CMMC
Level 2 Scoping, will receive Final
CMMC Status for a Level 2 certification
assessment.
As noted by one commenter, self-
assessments against NIST SP 800–171
are already required, and verifying
compliance with applicable security
requirements is necessary for the
protection of DoD CUI. For all CMMC
independent assessments (i.e., Level 2
or 3), DoD policy guides Program
Managers in appropriately including
these requirements in DoD solicitations.
DoD systems that support the
procurement process can identify the
number of contracts issued that include
any specific clause. Such metrics for the
CMMC Program are not within the
scope of this rule.
The seven-year timespan reflects the
DoD’s estimate for all defense
contractors to achieve CMMC
compliance. The implementation plan
ramps up CMMC assessment
requirements over 4 phases, such that
the ecosystem will reach maximum
capacity by year four. One commenter
referenced the response to a specific
comment to the 2020 CMMC rule. Those
earlier questions about the 2020 rule
publication are no longer relevant due
to changes made in the more recent
2023 rule publication. DoD estimates
acknowledge that contractors with
existing contracts may not receive
another contract award or even submit
another proposal immediately.
The DoD has developed CMMC to
increase consistency of implementation
of NIST SP 800–171 R2 and NIST SP
800–172 Feb2021. Specifically, this rule
provides extensive information on
scoring methodology, in an effort to
improve self-assessments. The use of
independent C3PAOs further enforces
consistency for those companies that
need to meet a CMMC Level 2
certification requirement. The DoD has
considered the suggestions and declines
to modify the phase-in periods based on
total score required, or other criteria,
which would not provide the desired
improvements in DIB cybersecurity.
The DoD notes the commenter’s
concern that self-assessments go away
after Phase 4. Requirements from earlier
phases continue as each additional
phase is implemented. When
applicable, self-assessments will still be
allowed, as appropriate, in Phase 4. This
rule describes flow down requirements
to subcontractors. This rule makes no
change to 48 CFR 252.204–7008.
8. Commercially Available Off-the-Shelf
(COTS) Procurements
Comment: One comment suggested
the definition of COTS should be more
explicitly defined or the model outlined
in § 170.2 should encompass COTS
products. Two comments questioned
the exemption of CMMC requirements
for contracts or subcontracts exclusively
for commercial off-the-shelf (COTS)
items. Others questioned applicability
of CMMC requirements to COTS
procurements and/or purchases at or
below the micro-purchase threshold.
Finally, one commenter questioned the
validity of a COTS exclusion, stating
that no COTS components are exempt
from DoD’s certification requirements
from DISA or NSA.
Response: The term Commercially
available off-the-shelf (COTS) is defined
in FAR part 2.101. Some comments
pertained to content of the 48 CFR part
204 CMMC Acquisition rule, including
applicability of CMMC clauses to COTS
procurements and/or those below the
micro-purchase threshold. Such
comments are not within the scope of
this CMMC 32 CFR part 170 CMMC
Program rule, which outlines program
requirements and not acquisition
procedures. CMMC requirements do not
apply to contracts and subcontracts that
are exclusively for the delivery of COTS
products to a DoD buyer. The exemption
does not apply to a contractor’s use of
COTS products within its information
systems that process, store, or transmit
CUI. CMMC assessments are conducted
on contractor owned information
systems to ascertain compliance with
the designated FAR, DFARS, and NIST
requirements.
9. Specific Product Recommendations
Comment: One managed service
provider expressed concern that the
specific tools they use to provide
services might be considered Security
Protection Assets or generate Security
Protection Data in the context of CMMC
assessment requirements, which might
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00021
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83112
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
result in clients electing to use their
own tools and products in lieu of the
managed service provider. This
commenter attached a list of more than
a dozen commercial product and tools
they use as examples associated with
this concern. One commenter used their
public comment submission to submit
materials marketing services their
company can provide, while another
commenter suggested the rule direct
readers to a website listing all software,
tools, and applications deemed ‘‘safe
and cost effective’’ by virtue of CMMC
assessment.
Another commenter asserted that all
companies need access to cybersecurity
solutions from DHS/CISA and grants to
assist them in buying Zero Trust
technologies to protect CUI. Similarly,
some commenters recommended
various other cybersecurity tools,
programs, or technologies that could be
used to meet CMMC security
requirement and provide threat
intelligence to DIB companies. Such
recommendations included portals used
in conjunction with perimeter and
privileged access management systems.
One commenter proposed delaying
implementation of the CMMC rule until
all DoD contractors’ system
architectures could be analyzed for
possible implementation of Virtual
Machines, or Blockchain for secure data
transmission, or hosting of all CUI on
DoD hosted platforms.
Response: The government cannot
comment on specific products or
vendors, including marketing materials
submitted via public comment.
However, companies that act as ESPs
should note this rule does not require
CMMC assessment or certification of
ESPs that do not process, store, or
transmit CUI. Services provided by an
ESP are in the OSA’s assessment scope.
Comments pertaining to solutions
available from other Federal agencies or
expressing a desire for grants to obtain
Zero Trust solutions or other
cybersecurity solutions are also beyond
the scope of the CMMC rule. A wide
range of technologies may be used to
implement CMMC requirements. DoD
will not comment on specific OSA
technology choices. The Department
declines the recommendation to review
the system architectures of all DoD
contractors. The DoD did not modify the
rule to identify a repository of ‘‘safe and
cost effective’’ software, applications,
and tools because a CMMC assessment
does not evaluate commercial products
or services for those characteristics and
the government does not provide
product endorsements.
10. Applicability
a. Systems Operated on Behalf of DoD
and National Security Systems
Comment: The DoD received
questions about whether CMMC
requirements apply to information
systems that are designated as National
Security Systems, Defense Business
Systems, or systems operated on the
DoD’s behalf. In concert with those
questions, one person recommended
adding NIST SP 800–53 R5
requirements to the rule for such
systems. The commenter further
recommended expanding applicability
of the rule to include contractor-owned
systems that directly affect DoD NSS.
Two commenters recommend edits to
clarify that CMMC requirements do not
apply to NSS or to government systems
operated by contractors on the DoD’s
behalf.
One commenter asked if a Cloud
Service Provider that stores CUI would
have to be at Impact Level 4 in
accordance with the DISA Cloud
Computing Security Requirements
Guide.
Response: The CMMC assessment
requirements apply in conjunction with
FAR clause 52.204–21 and DFARS
clause 252.204–7012 requirements and
provide a mechanism for verifying
compliance with the security
requirements for safeguarding FCI or
CUI (e.g., NIST SP 800–171) levied by
those clauses.
The CMMC Program does not alter
any additional security requirements
that may be applicable to contractor-
owned information systems that may
also meet the criteria for designation as
NSS.
There is no conflict between the
CMMC rule and the DISA Cloud SRG,
which applies to contractor information
systems that are part of Information
Technology (IT) services or systems
operated on behalf of the Government.
The CMMC rule does not apply to those
systems (§ 170.3(b)). The DoD declines
to modify the rule because the
applicability section already states this
rule applies to contractor-owned
information systems.
b. Infrastructure Entities
Comment: Many commenters had
concerns about CMMC’s potential
impact to the energy and electric
industries, internet Service Providers
(ISPs) and small, disadvantaged
businesses looking to contract with the
DoD, especially given dependencies on
appropriate marking of Controlled
Unclassified Information (CUI).
Another commenter referenced
Executive Order 13175, ‘‘Consultation
and Coordination with Indian Tribal
Governments’’ and requested
information on CMMC impact to and
potential exemptions for Native
American and small disadvantaged
contractors. Another commenter stated
that some small businesses may stop
providing cost estimating services to
Federal agencies due to ‘‘threatened
penalties’’ under CMMC requirements.
One commenter recommended adding
the definition of the defense industrial
base (DIB), and referenced the
Cybersecurity and Infrastructure
Security Agency definition, which
explicitly excludes commercial
infrastructure providers from their
definition of the Defense Industrial Base
Sector. One commenter stated the lack
of clarity around requirements for
electric cooperatives under the CMMC
framework is causing concern about
unanticipated cost impacts for these
smaller entities. The commenter
requested that DoD provide contractors
the ability to recover unanticipated
costs incurred to achieve CMMC
certification.
Another commenter asked about
potential CMMC exemptions for
telecommunications providers,
specifically for end user encryption. The
commenter stated the DoD needs to
impose CUI encryption requirements on
the relevant contractors and not
telecommunications network providers,
who have no control over whether a
user encrypts information it sends over
those networks. The commenter also
noted that definitions of ‘‘common
carrier’’ vary across Federal Government
and suggested the DoD should create a
blanket exemption for contracts
involving commercial communications
networks that are not ‘‘purpose-built’’ to
transmit sensitive government data.
Another commenter suggested the
CMMC Rule should further clarify that
encryption must be configured such that
the common carrier does not have
access to the decryption key(s).
Several commenters requested clarity
around CUI, citing general confusion
among industry about which CUI is
subject to the CMMC Program. Some
commenters interpreted the rule as
proposing to apply to all CUI
information, rather than just
information handled by the contractor
‘‘in support of a defense contract’’ and
asserted that this would be an
expansion beyond the current DFARS
clause 252.204–7012 requirements.
They further suggested this broad
definition could result in companies
applying costly controls to all apparent
CUI, regardless of its association with
DoD, to avoid penalties under the False
Claims Act. They recommended clearly
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00022
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83113
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
stating that CUI provided to contractors
by non-DoD agencies should be subject
to the requirements of those agencies
and not the CMMC Program.
A commenter said the electric
industry will experience increased costs
as electric utilities comb through vast
amounts of data across the electric grid
to determine all potential CUI, even if
that CUI is not specifically subject to a
DoD contract. One commenter stated
that guidance DoD has provided for
electric utilities to identify CUI in the
past is insufficient and suggested that
use of Security Classifications Guides
could help by minimizing the need for
CMMC compliance. In addition, they
speculated that inclusion of CMMC
requirements could create requirements
after award which might require
adjustments to contract price. Another
commenter stated energy companies
servicing military customers must
develop governance programs around
data protection years in advance, with
significant investments. The commenter
is concerned that CMMC requires these
companies to make these large
investments prior to knowing if a
proposed contract may contain CUI and
without adequate guidance about what
data is considered CUI.
Response: This rule has no
disproportionate impact on Native
American-owned businesses. Once
identified as a requirement, the CMMC
Level will apply uniformly to all
prospective competitors. DoD must
enforce safeguarding requirements
uniformly across the Defense Industrial
Base for all contractors and
subcontractors who process, store, or
transmit CUI. The value of information
(and impact of its loss) does not
diminish when the information moves
to DoD contractors and DoD
subcontractors, regardless of their status
as Native American or small
disadvantaged businesses.
The CMMC Program rule does not
include ‘‘threatened penalties.’’ If a
requirement of a DoD contract is not
met, then standard contractual and
other remedies applicable to that
contract may apply.
CMMC Program requirements make
no change to existing policies for
information security requirements
implemented by DoD. Policies for CUI
and creation of program documentation,
to include Security Classification
Guides, are separate from this rule.
Section 170.4(b) of the rule states
Defense Industrial Base (DIB) is defined
in 32 CFR part 236, which addresses
DoD and DIB Cyber Security Activities.
Section 236.2 includes the DoD
approved definition for DIB.
The CMMC Program applies only to
DoD contracts that include the DFARS
clause 252.204–7021 and under which
FCI or CUI is processed, stored, or
transmitted on contractor information
systems.
This includes CUI outside the
category of the Defense Organizational
Index Group. Contracts for the provision
of electricity or other utilities which do
not contain FAR clause 52.204–21 or
DFARS clause 252.204–7012 and which
do not require the processing, storing, or
transmitting of FCI or CUI on contractor
owned information systems will not
require CMMC assessment. The CMMC
rule makes no change to FAR cost
allowability or cost accounting
standards. The 32 CFR part 170 CMMC
Program rule has been updated to add
‘‘in performance of the DoD contract’’ to
§ 170.3, and the 48 CFR part 204 CMMC
Acquisition rule will provide the
contractual direction.
A common carrier’s information
system is not within the contractor’s
CMMC Assessment Scope if CUI is
properly encrypted during transport
across the common carrier’s information
system. A common carrier who is a DoD
contractor or subcontractor is
responsible for complying with the
CMMC requirements in their contracts.
CUI encryption requirements already
apply to the OSA, not the
telecommunications network provider.
The lack of adequate encryption on the
part of the OSA would not trigger
application of CMMC requirements to
the common carrier’s network. The term
‘‘common carrier’’ appears in the
comment section to a previous rule
making process. Its definition and use
are taken from CNSSI 4009. Efforts to
define it or related terms by other
agencies are outside the scope of the
CMMC Program. Commenter scenarios
where a common carrier would be privy
to an OSA’s encryption keys are
unrealistic. DoD declines to provide
additional guidance.
CMMC Program requirements make
no change to existing policies for
information security requirements
implemented by DoD. Policies for CUI
and creation of program documentation,
to include Security Classification
Guides, are separate from this rule.
Relevant policies include DoDI 5200.48
‘‘Controlled Unclassified Information’’
and DoD Manual 5200.45 ‘‘Instructions
for Developing Security Classification
Guides’’. CMMC Program requirements
will be identified as solicitation
requirements. Contractors will be
required to meet the stated CMMC
requirements, when applicable, at or
above the level identified. For this
reason, it is up to each DIB organization
to determine which CMMC level they
should attain.
Questions regarding specific
contractual matters are outside of the
scope of this rule and may be addressed
by the 48 CFR part 204 CMMC
Acquisition rule. The CMMC program
will be implemented as a pre-award
requirement.
c. Joint Ventures
Comment: Two commenters requested
clarification as to whether CMMC
requirements will apply to companies
engaged in Joint Ventures.
Response: CMMC program
requirements are applicable when DoD
requires processing, storing, or
transmitting of either FCI or CUI in the
performance of a contract between DoD
and the respective contractor. CMMC
Program requirements will apply to
information systems associated with
contract efforts that process, store, or
transmit FCI or CUI, and to any
information system that provides
security protections for such systems, or
information systems not logically or
physically isolated from all such
systems. The identity of an offeror or
contractor as a joint venture does not in
and of itself define the scope of the
network to be assessed.
d. Fundamental Research Efforts
Comment: One commenter
recommended that both the sharing of
CUI and the decision to apply a CMMC
compliance assessment should only be
considered for contracts of sufficient
contract value and performance period
to make the expense of safeguarding CUI
worthwhile. This commenter asserted
that small businesses are selected for
SBIR contract award not based on
ability to protect information, but
instead on the unique product or service
they offer.
Some commenters expressed concern
that CMMC could result in state-funded
universities incurring costs to comply
with CMMC level 2, while even the
costs for implementing required FCI
safeguarding requirements is a
significant financial burden. These
commenters speculated that applying
FCI or CUI markings to fundamental
research information negatively impact
academic institutions by requiring them
to remove such data from the public
domain. This commenter cited DFARS
clause 252.204–7000 as rationale to
modify the CMMC rule to exclude
fundamental research.
One commenter requested that when
contracting for fundamental research,
the Government include a CMMC
requirement based only on whether
information shared is currently FCI or
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00023
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83114
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
CUI, and not whether the effort might
lead to development of FCI or CUI.
Another commenter requested that DoD
issue policies clearly describing how to
recognize or identify circumstances that
could result in fundamental research
becoming FCI or CUI such that it would
require being processed, stored, or
transmitted on CMMC compliant
information systems. The commenter
expressed concern that absent such
policies, research institutions may
house all DoD-related project activities
in CUI enclaves ‘‘out of an abundance
of caution’’, thereby unnecessarily
expanding CUI applicability at
significant cost. They asked that DoD
Instruction 5200.48, ‘‘Controlled
Unclassified Information,’’ and a related
DoD policy memorandum ‘‘Clarifying
Guidance for Marking and Handling
Controlled Technical Information in
accordance with Department of Defense
Instruction 5200.48, ‘Controlled
Unclassified Information’’ be
incorporated into the rule by reference.
One commenter questioned whether
and how CMMC requirements may
apply to non-contract efforts, including
grants, or efforts conducted under Other
Transactional Authorities.
Response: One of the main purposes
of the CMMC Program is to ensure that
DoD contracts that require contractors to
safeguard CUI will be awarded to
contractors with the ability to protect
that information. All contractor-owned
information systems that process, store,
or transmit CUI are subject to the
requirements of NIST SP 800–171 when
DFARS clause 252.204–7012 is included
in the contract. This is the case whether
or not the contractor is engaged in
fundamental research.
To the extent that universities are
solely engaged in fundamental research
that only includes information intended
for public release and does not include
FCI or CUI, no CMMC requirement is
likely to apply. When a research
institution does process, store, or
transmit FCI, the information should be
adequately safeguarded in accordance
with the FAR clause 52.204–21, if
applied. When a research institution
does process, store, or transmit CUI, the
information should be adequately
safeguarded in accordance with the
DFARS clause 252.204–7012, if applied.
That clause makes the contractor owned
information system subject to NIST SP
800–171, which includes requirements
for Awareness and Training (AT) and
Physical Protection (PE). The CMMC
Program provides a means to verify
compliance.
DoD’s CUI program policies already
address responsibilities for identifying
and marking information, including
procedures for changing markings. The
DoD declined to incorporate all the
references associated with marking and
handling CUI. The DoD instructions and
policy guidance are authoritative and
incorporating them into the CMMC
regulation is beyond the scope of this
rule. DoD declines to update the
preamble to exclude the possibility that
information may be designated CUI over
the course of time. According to A&S
memo dated 31 March 2021, titled
Clarifying Guidance for Marking and
Handling Controlled Technical
Information in accordance with
Department of Defense Instruction
5200.48, ‘‘Controlled Unclassified
Information,’’ ‘‘Information related to
RDT&E-funded research efforts, other
than fundamental research, do not
always qualify as CUI.’’ This implies
that some DoD fundamental research
may qualify as CUI. When the DoD does
determine that research meets the
definition of CUI, safeguarding
requirements of DFARS clause 252.204–
7012 will apply regardless of whether
the contractor’s work is fundamental
research. In such instances, CMMC
assessment requirements may also be
applied. Contractors should work
closely with Government Program
Managers to ensure a proper
understanding of the data being
developed and the appropriate markings
and safeguarding.
Questions regarding the application of
CMMC requirements to specific
transactions, including grants and
OTAs, are outside of the scope of this
32 CFR part 170 CMMC Program rule.
e. DoD Waiver of CMMC Applicability
Comment: Several questions were
submitted about waiver procedures for
CMMC requirements. For example,
someone asked which DoD person or
office has authority to approve waiver
requests. Others also requested insight
to the specific criteria for waiver
approval. One commenter submitted
preferred rewording of the rule section
that describes waivers while another
suggested self-assessment should be
required even when certification is
waived.
Response: DoD internal policies,
procedures, and approval requirements
will govern the process for DoD to waive
inclusion of the CMMC requirement in
the solicitation. Once applicable to a
solicitation, there is no process for
OSAs to seek waivers of CMMC
requirements from the DoD CIO. In
accordance with § 170.5(d), a limited
waiver authority is provided to the
Acquisition Executive with acquisition
oversight for the program in question.
These officials may issue supplemental
guidance dictating specific coordination
requirements for waiver requests.
Recommended administrative changes
have been incorporated into § 170.5(d)
to add clarity.
11. Determination of Applicable
Assessment Type
a. Process for Level Determination
Comment: Multiple comments asked
how DoD will determine the CMMC
level to include in solicitations.
Multiple comments inquired about the
criteria DoD will use to determine when
to require a CMMC Level 2 self-
assessment, CMMC Level 2 certification,
or CMMC Level 3 certification
assessment. Multiple comments asked
specifically about when CMMC Level 2
self-assessment will be required versus
CMMC Level 2 Certification. One
comment requested more information
on which companies may ‘‘self-attest’’.
One comment requested § 170.5(a) be
modified to prevent CMMC level 2 or 3
being assigned for contracts where only
FCI is exchanged. One comment
emphasized that requirement(s) for
Contractor certification levels must be
the same as stated throughout this
proposed ruling. Two comments
recommended providing contracting
officers with interim guidance to ensure
consistency in applying CMMC
requirements. One comment requested
the detailed guidance ensure CMMC
requirements are selected based on risk,
and that certification is not required by
default.
Some commenters objected to the
wording of one criterion for level
selection as ‘‘potential for and impacts
from exploitation of information
security deficiencies’’. One asserted this
equates to a sub-CONFIDENTIAL
security classification. One comment
expressed that all information systems
that process CUI should have the same
level of ‘‘program criticality,
information sensitivity, and the severity
of cyber threat’’ since CUI is
Unclassified Information which is a
‘‘handling caveat’’.
Multiple comments requested a
clearer description of what contracts
require CMMC Level 3 Certification, one
of which requested a definition of what
constitutes a ‘‘priority program’’ that
might require CMMC Level 3. One
comment requested that acquisition
processes first analyze the CUI for a
proposed effort using published factors
for aligning CUI to high value assets
before setting CMMC levels. They
asserted use of such published factors
would improve accuracy of CUI
marking.
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00024
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83115
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
Response: Pre-award contracting
procedures and processes for CMMC
assessment requirements will be
addressed in the 48 CFR part 204
CMMC Acquisition rule. CMMC is a
pre-award requirement. As stated in the
Applicability section summary of the
CMMC rule (§ 170.3), once CMMC is
implemented in the 48 CFR part 204
CMMC Acquisition rule, DoD will
specify the required CMMC Level in the
solicitation and the resulting contract.
DoD’s policies and procedures for the
length of time allowed for proposal
submission in response to any
solicitation are beyond the scope of this
rule. PMs typically consider the totality
of the requirement when deciding how
much time to allow for proposal
submission or whether to seek industry
input through Request for Information
to inform solicitation details. Note that
once attained, companies may reference
a CMMC Status as part of any number
of proposals to various solicitations
with that level of CMMC requirement if
the same assessment scope is used.
The type and sensitivity of
information to be utilized during the
contract, FCI or CUI, determines the
requirements in the solicitation, which
then informs the CMMC level required.
CMMC level 1 requirements are
designed to be applied when FAR
clause 52.204–21 security requirements
apply to the contract, whereas CMMC
level 2 and 3 requirements are designed
for the protection of CUI information,
and to be applied when DFARS clause
252.204–7012 also applies.
When CMMC Program requirements
are effective, the DoD will begin
including CMMC assessment
requirements in solicitations as
described in § 170.3 Applicability. DoD
solicitations will specify which
requirements will apply to the contract
award. Prior to issuance of a
solicitation, DoD will determine the
appropriate CMMC level and type of
assessment needed to ensure adequate
safeguarding of the DoD program
information to be shared in performance
of the contract. Identification of the
CMMC level and assessment type will
be part of the DoD’s requirement
definition process. As addressed in
§ 170.18(a) of this rule, a CMMC Level
2 Final CMMC Status is a prerequisite
for CMMC Level 3 assessment and must
be achieved for information systems
within the Level 3 Assessment Scope.
Identification of priority programs is a
function of the requirements definition
process for any DoD effort. The DoD will
issue policy guidance to Program
Managers to clarify which programmatic
indicators should be considered for
selecting the most appropriate
information safeguarding requirement
and associated CMMC assessment
requirement for any given solicitation.
Once identified as a requirement, the
CMMC Status required will apply
uniformly to all prospective
competitors.
b. Who Determines the CMMC Level
Comment: Two comments asked who,
within the Department, determines the
CMMC level required for a contract. One
comment suggested that DoD should
require senior-level approval to include
CMMC Level 3 Certification
requirements in solicitations to limit
unnecessary application. One comment
inquired about when and how CMMC
levels change during the program
office’s Agile Acquisition Framework
lifecycle.
Response: Based on DoD decision
criteria that include the type and
sensitivity of program information to be
shared, Program Managers will identify
and coordinate as appropriate the
CMMC requirement in the solicitation.
Internal policies for implementation of
CMMC requirements by DoD’s
acquisition community have been
developed, and work will continue as
needed to integrate CMMC policies into
relevant acquisition policies,
guidebooks, and training materials. The
DoD intends that requiring activities
will determine when compliance should
be assessed through CMMC Level 3 as
part of the ordinary acquisition
planning and requirements generation
process.
The CMMC assessment level required
does not change based on acquisition
lifecycle phase, but based on whether
FCI and CUI are processed, stored, or
transmitted on contractor owned
information systems. All contractor-
owned information systems that
process, store, or transmit CUI are
subject to the requirements of NIST SP
800–171 when DFARS clause 252.204–
7012 is included in the contract.
c. CMMC Level 3 Determination
Comment: Multiple comments
requested further clarification about
which types or categories of CUI require
enhanced protection against Advanced
Persistent Threats (APTs) at CMMC
Level 3 and whether the CMMC level
would be based on the Program or the
data. Two comments expressed concern
or asked how DoD Components will
avoid assigning CMMC Level 3
requirements to too many contracts. One
comment recommended that DoD
modify its criteria for CMMC Level 3 to
consider factors such as Acquisition
Program Category.
Response: CMMC levels do not
correspond to CUI levels as the CMMC
Program requirements make changes to
neither the CUI Program, categories of
CUI, nor existing DoD policies for
information security requirements. The
CMMC Flow down requirement is
defined in § 170.23.
The Requiring Activity knows the
type and sensitivity of information that
will be shared with or developed by the
awarded contractor and selects the
CMMC Level required to protect the
information according to DoD guidance.
The DoD declines to modify CMMC
Level 3 selection criteria as described in
the commenters recommended
alternatives, which have no bearing on
DoD’s need for increased confidence in
a contractor’s ability to safeguard certain
CUI against Advanced Persistent
Threats. The value of information, and
impact of its loss, does not diminish
based on the total number or dollar
value of contracts held by the awardee,
or acquisition program category. The
DoD reserves the right to decide when
compliance should be assessed by the
Government through CMMC Level 3
certification. The DoD defines the work
requirements to be solicited for any
given program contract.
d. Environments Processing Both FCI
and CUI
Comment: Two commentors
recommended the elimination of
separate assessments when the FCI and
CUI environments are the same. One of
these comments requested clarification
regarding the scenario of an OSC having
one assessment scope environment for
both FCI and CUI that meets Level 2
requirements.
Response: CMMC Level 2 is required
when CUI will be processed, stored, or
transmitted on contractor information
systems. Successful completion of a
CMMC Level 2 self-assessment or
CMMC Level 2 certification assessment
will suffice to meet the CMMC Level 1
requirement for FCI if/when the scope is
identical. The CMMC Level 2 Scoping
Guide reflects this language.
e. Recommendations and Scenarios
Comment: One comment
recommended removing CMMC Level 2
self-assessment, changing the CUI
Program, or creating a new type of CUI
to distinguish between CMMC Level 2
self-assessment and CMMC Level 2
Certification. Another comment noted
that the requirements for CMMC Level
2 certification assessment are almost
identical to requirements for CMMC
Level 2 self-assessment. One comment
expressed concern that DoD’s
designation of CMMC Level 2 self-
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00025
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83116
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
assessment and certification assessment
runs contrary to FCI (FAR requirements)
and the CUI Program. One comment
asked if the designation of information
as FCI or CUI changes the scope of
CMMC.
One comment asked for clarification
on which contracts will have sensitive
unclassified DoD information but will
not require CMMC assessment. One
comment recommended removing the
option for CMMC Level 2 self-
assessments to reduce complexity. One
comment posed multiple questions
about what DoD will do if contracting
officers assign CMMC Level 2 or CMMC
Level 3 Certification requirements at a
rate substantially higher than projected.
Response: The DoD CIO looked at CUI
from a risk-based perspective and
determined that different approaches to
assessments could be implemented to
address risk and help lower the burden
for the DIB. The security requirements
for a CMMC Level 2 self-assessment and
a CMMC Level 2 certification
assessment are the same, the only
difference in these assessments is
whether it is performed by the OSA or
by an independent C3PAO.
The decision to rely upon self-
assessment in lieu of certification
assessment is a Government risk-based
decision based upon the nature of the
effort to be performed and CUI to be
shared. The size of the company with
access to the CUI is not a basis for this
determination. The value of information
(and impact of its loss) does not
diminish when the information moves
to contractors of smaller size. The DoD
declines to modify the rule to include
its internal decision process.
To select a CMMC Level for a
procurement, Program Managers and
requiring activities will identify the
applicable CMMC Level using the
factors included in § 170.5(b)(1) through
(5). The DoD did agree with one
comment to rephrase § 170.5(b)(4) to
delete a reference to the ‘‘potential for’’
impact from exploitation of information
security deficiencies, which likely
cannot be effectively determined. The
DoD does not agree that the wording
equates to a sub-CONFIDENTIAL
classification and declines to delete that
criterion. § 170.5(b)(3) is appropriately
worded in that it states Program
Managers will consider the listed
criteria in selecting a CMMC
requirement level. It does not have the
effect of ‘‘transforming FCI into CUI’’.
The DoD reserves the right to define the
criteria for selection of the CMMC
assessment requirement, just as it
defines all other requirements for
inclusion in a solicitation.
The Department remains committed
to implementing the CMMC program to
require compliance assessment against
applicable security requirements in all
DoD contracts involving FCI or CUI.
Some such contracts will require only a
CMMC self-assessment, while others
will require a certification assessment.
The commenter misinterprets that some
contracts that do require processing of
FCI or CUI will not require CMMC
assessment of either kind, without
approval of a waiver.
The DoD declines to remove self-
assessments from the rule. Self-
assessments allow the acquiring
organization to balance the cost and
complexity of assessment with the risk
to the information being shared with the
OSA.
Supporting guidance for CMMC
implementation will be updated, as
necessary. DoD has options to mitigate
implementation issues such as waivers
and other contractual remedies. DoD’s
estimate for the number of contractor’s
requiring CMMC Level 1 and cost
estimates represent derived estimates
based on internal expertise and public
feedback in accordance with OMB
Circular A–4.
12. Flow-Down/Applicability to Sub
Contractors
a. Applicability and Compliance
Comment: Several comments
requested clarification about the
applicability of CMMC requirements to
subcontractors and how to correctly
flow down requirements. Some asked
whether prime contractors would have
flexibility to flow down a lower CMMC
level than required for the prime
contract. Three comments expressed
confusion about the type of Level 2
assessment required for subcontractors
when supporting a prime that is
required to meet CMMC Level 3
requirements. Two asked about the
impact to flow-down when contractors
hold multiple contracts. A couple
comments requested clarity on how to
determine the correct CMMC level to
flow down.
Some comments asked what factors
would result in flow-down of a
particular CMMC requirement level, or
whether affirmations submitted by
primes would require knowledge of
subcontractor compliance status.
Other comments asked what tools
would be available to assist contractors
in checking subcontractor compliance
with CMMC requirements or suggested
that SPRS should be made available for
this purpose. One suggested that
without this transparency, CMMC
compliance would become a
meaningless effort to ‘‘check the box’’
without actual steps to secure their
systems. Another simply asked if they
would have their own SPRS and eMASS
access, or access through their prime.
Some asked what action meets the rule’s
requirement to ‘‘require subcontractor
compliance’’, i.e., does simply including
the CMMC clause in subcontracts meet
that requirement.
One comment objected to the
definition of subcontractor used in the
rule, which they stated was overly broad
and would result in application of
CMMC requirements to too many
businesses. Some comments suggested
the flow-down requirement apply only
to one sub-tier, while another requested
advance notice of solicitations that plan
to include CMMC requirements. One
comment suggested that CUI be treated
more like classified information,
meaning to limit sharing of CUI with
subcontractors. Some comments asked
whether prime contractors are
responsible for verifying subcontractor
compliance with DFARS clause
252.204–7012, as C3PAOs do during an
assessment. Two comments
recommended rephrasing the flow-
down section, with one specifically
asking to clarify it is required only when
FCI or CUI will be processed, stored, or
transmitted in the performance of any
particular prime contract. Another
suggested edits for clarity or for
consistency with DFARS clause
252.204–7012.
Response: It is up to each OSA to
protect FCI and CUI and to determine
the assessment boundary, policies, and
procedures necessary to do that. Section
170.23 specifically addresses the CMMC
requirements that apply to
subcontractors that will process, store,
or transmit FCI or CUI. Section 170.23
addresses flow down of CMMC
requirements from the prime contractor
to the subcontractors in the supply
chain. Prime contractors are responsible
for complying with contract terms and
conditions, including the requirement to
flow down applicable CMMC
requirements to subcontractors. The
DoD modified § 170.23(a)(3) to clarify
that when a subcontractor will process,
store, or transmit CUI in performance of
the subcontract and the Prime
contractor has, for the associated prime
contract, a requirement of Level 2
certification assessment, then CMMC
Level 2 certification assessment is the
minimum requirement for the
subcontractor. Requirements for
External Service Providers are defined
in § 170.4; not all companies that
provide services to an OSA are
considered ESPs.
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00026
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83117
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
As in other contexts, the Government
may specify additional guidance in the
solicitation. CMMC assessments will be
identified as pre-award requirements.
Subcontractors at each tier are
responsible for submitting their own
assessment and affirmation information
in SPRS. CMMC self-assessments and
certifications will be reflected in SPRS,
including an indicator of the currency of
the credentials. Contracting Officers and
Program Managers need not review any
assessment artifacts, only the resulting
scores and certificate validity period.
Work arrangements between the
prime and subcontractor are beyond the
scope of this rule, however, if CUI is
flowed down and will be processed,
stored, or transmitted on subcontractor
information systems in the performance
of a DoD contract then CMMC
requirements also flow down as
described in § 170.23. The DoD will not
track progress toward certification but
will implement CMMC as a pre-award
requirement. An OSA’s pursuit of a
C3PAO assessment is a business
decision to be made by each contractor
considering the contract opportunities it
wishes to pursue.
The DoD disagrees with one
commenter’s assertion that CMMC
requirement will flow down ‘‘regardless
of what work they do’’, because it does
not acknowledge the point that flow-
down requirements are for
subcontractors who process, store, or
transmit CUI. The text of § 170.23,
clearly conditions the flow-down to
those cases when a subcontractor will
process, store, or transmit FCI or CUI.
The prime contractor’s responsibility is
to flow down CMMC assessment
requirements as described in § 170.23
and to ensure that FCI and CUI are not
further disseminated to subcontractors
that do not meet the CMMC requirement
indicated in § 170.23. Likewise,
subcontractors must also flow down
CMMC requirements and ensure that
FCI and CUI are not further
disseminated to subcontractors that do
not meet the CMMC requirement
indicated in § 170.23. Section 170.23
has been revised to make this clearer.
DoD declines to accept the
recommendation to treat CUI like
classified data. Classified information is
managed differently from CUI, and
different safeguarding regulations apply
to these different categories of
information (each of which are defined
in 32 CFR part 2002).
This rule makes no change to CUI
policies for marking of data, and CMMC
levels are not CUI categories in the DoD
CUI registry. Primes and their
subcontractors must understand flow-
down requirements based on § 170.23,
which clearly identifies requirements
that apply when subcontractors will
process, store, or transmit CUI in
performance of the subcontract and the
Prime contractor has a requirement of
Level 3 certification assessment (i.e.,
CMMC Level 2 certification assessment
is the minimum requirement for the
subcontractor). In addition, the rule has
been revised to make clear that the
requirement applies in the performance
of a subcontract when the relevant
prime contract has a CMMC
requirement. The rationale for the
minimum level 2 certification flow-
down requirement is that the DoD made
a risk-based decision not to mandate
flow down of the level 3 requirement
unless explicit guidance is provided to
do so. As stated in § 170.23(a)(3), when
a Prime contractor has a requirement of
Level 2 certification, any CUI that is
flowed down for a subcontractor to
process, store, or transmit in
performance of the subcontract will also
carry a minimum requirement of Level
2 certification assessment.
CMMC Program requirements will be
identified as solicitation and contract
requirements, and contractors will be
required to meet the stated CMMC
requirements, when applicable, at or
above the level identified. One
commenter misinterpreted a response to
a prior public comment. The quoted
content says that contractors and
subcontractors each must verify
(through CMMC assessment) that all
applicable security requirements of
NIST SP 800–171 required via DFARS
clause 252.204–7012 have been
implemented. Contractors are not
required to assess subcontractor
implementation of the requirements of
NIST SP 800–171. The prime
contractor’s responsibility is to flow
down CMMC assessment requirements
as described in § 170.23 and also to
refrain from disseminating FCI or CUI to
subcontractors that have not indicated
meeting the CMMC level described in
that section for the type of information
to be shared. Likewise, subcontractors
must also flow down CMMC
requirements or refrain from
disseminating FCI or CUI. The DoD does
not provide SPRS access or other tools
for contractors to identify the CMMC
status or other companies. The DoD
expects that defense contractors will
share information about CMMC status
with other DIB members to facilitate
effective teaming arrangements when
bidding for DoD contracts.
Prime contractors will not be granted
access to subcontractor’s information in
SPRS. However, prime contractors
should communicate early and often
with prospective subcontractors to
confirm current CMMC status, including
whether the level matches that required.
This interaction does not involve the
government and is beyond the scope of
this rule.
This rule follows the format and
includes all sections required in OMB
guidelines for formal rulemaking. The
DoD lacks authority to modify the
template or omit required sections,
which results in some repetition.
DIB contractors are responsible for
submitting their Level 1 and Level 2
self-assessments and will access SPRS
to enter the results. DIB contractors do
not have access to CMMC eMASS, as
that system is used to support
certification assessments only.
CMMC Program requirements are
designed to require completion of an
assessment and an annual affirmation.
The purpose of the annual affirmation
addressed in § 170.22 is to validate to
the DoD that the contractor is actively
maintaining its CMMC level status,
which is more than a checkbox exercise.
One commenter misinterpreted the
quoted definition of subcontractor,
which makes clear that term includes
only those entities providing supplies,
materials, equipment, or services under
a subcontract in connection with the
prime contract. DFARS clause 252.204–
7012 and FAR clause 52.204–21 also
flow-down the requirement to safeguard
information. CMMC program
requirements will be flowed down
similarly, therefore there is no
anticipated expansion of scope. The cost
estimates included in the published rule
include costs for both existing DIB
members and new entrants (or newly
covered entities).
The DoD modified the Overview
summary of CMMC 2.0 to read ‘‘The
DFARS clause 252.204–7012 also
requires defense contractors to include
this clause in all subcontracts that will
require the subcontractor to process,
store, or transmit CUI.’’ The DoD
declined additional edits in this
location that requested reframing the
criteria Program Managers will use
select CMMC requirements to address
Levels 2 and 3 only. The DoD may apply
CMMC Level 2 or 3 requirements when
there is anticipation of the need for the
contactor or subcontractors to process,
store, or transmit CUI during the
performance of a contract.
b. Prime and Subcontractor
Relationships
Comment: Many requested specific
examples of when a prime contractor
should flow down its CMMC
requirements to a subcontractor or ESP,
and how to determine the appropriate
CMMC level to flow down. For example,
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00027
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83118
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
one comment asked whether the
subcontract document would require
safeguarding, necessitating flow-down
of the CMMC requirement. Some
comments expressed concern that flow-
down requirements are not sufficiently
clear to prevent prime contractors from
unnecessarily sharing CUI and applying
CMMC requirements to lower tier
suppliers. Another thought that the
flow-down requirements will drastically
expand the scope of the program and
drive cost increases for the DIB.
Several comments suggested strategies
for minimizing the burden of security
implementation on lower tier
subcontractors, such as requiring prime
contractors to provide access to CUI on
prime contractor systems, or prohibiting
prime contractors from unnecessarily
sharing CUI information that would
necessitate a CMMC requirement. One
asked whether the prime contractor has
a responsibility to check which CMMC
level the subcontractor has flowed down
to the next tier. One comment
referenced industry activities aimed at
gauging subcontractor preparedness for
CMMC and expressed concern with
anecdotal evidence that primes will not
issue orders until the subcontractor has
submitted CMMC scores into SPRS.
Response: One commentor correctly
interpreted § 170.23(a)(3) as meaning
that CMMC level 2 Certification
requirements (not self-assessments) flow
down for subcontractors that will
handle CUI when the Prime contract
specifies a CMMC Level 2 Certification
requirement.
At the time of award, the DoD may
have no visibility into whether the
awardee will choose to further
disseminate DoD’s CUI, but DFARS
clause 252.204–7012 and DFARS clause
252.204–7021 require that the prime
contractor flow down the information
security requirement to any
subcontractor with which the CUI will
be shared. Decisions regarding the DoD
information that must be shared to
support completion of subcontractor
tasks, will take place between the prime
contractor and the subcontractors
chosen to complete the specific tasks.
The DoD encourages prime contractors
to work with its subcontractors to flow
down CUI with the required security
and the least burden. The DoD declines
to revise the rule to address
responsibilities for derivative marking
of CUI because this rule makes no
change to DFARS clause 252.204–7012
or DoD’s CUI policies regarding marking
of CUI, including creation of
information.
The specific contractual language is
part of the 48 CFR part 204 CMMC
Acquisition rule and beyond the scope
of this 32 CFR part 170 CMMC Program
rule. This rule describes DoD’s intent for
CMMC Program requirements, which
include that all prime and
subcontractors at all tiers that process,
store, or transmit CUI in the
performance of a DoD contract (or sub-
contract) are required to demonstrate
compliance with the contract
requirements (i.e., FAR clause 52.204–
21 or DFARS clause 252.204–7012) for
adequately safeguarding FCI or CUI.
CMMC flow-down requirements are
designed to apply consistent assessment
requirements to all subcontractors,
regardless of company size, who are
required to adequately safeguard CUI.
The DoD cannot dictate DIB business
practices and encourages prime
contractors to carefully consider the
necessity of sharing CUI information
and work with subcontractors to flow
down CUI only when deemed
appropriate.
Likewise, the criteria by which
contractors select CSPs for support or
the availability of GFE for any particular
contract are beyond the scope of this
rule. The DoD declines to limit CMMC
program requirements to the first-tier
subcontractor, as suggested by the
commenter. When a contractor or
subcontractor responds to multiple
solicitations, that contractor should
complete the highest assessment level
among them for the assessment scope
defined for use in performance of the
contracts. The contractor may also elect
to structure its environment to meet
differing CMMC requirements based on
the contract(s) in question.
Contractual remedies for non-
compliance are a 48 CFR part 204
CMMC Acquisition rule matter and
beyond the scope of this rule.
c. Requirements
Comment: Some comments objected
to CMMC Level 2 certification
assessment being identified as the
minimum flow-down from prime
contractors with a CMMC Level 3
requirement. They asked how the more
sensitive data associated with a Level 3
requirement would be tracked. Three
asked whether CMMC Level 2
certification assessment must be flowed
down as the CMMC requirement when
the prime contract requires a higher
level, and the subcontract is for limited
scope. One comment complained that
the rule does not actively encourage
primes to flow down Level 2 self-
assessment requirements instead of
certification requirements.
One comment suggested the
Department is impermissibly attempting
to make sensitivity determinations of
other agencies’ CUI and FCI through the
implementation of this rule.
Another comment requested
affirmation that contractors remain
responsible for determining whether
information that they create (derived
from CUI) retains its CUI identity when
sharing that information with lower tier
suppliers, and for determining any
associated CMMC flow-down
requirement.
Response: DoD will issue guidance to
Program Managers to reiterate the most
appropriate information safeguarding
requirements for DoD information and
the associated CMMC assessment
requirement for any given solicitation.
CMMC program requirements will be
identified in the solicitation, and
contractors will be required to meet the
stated CMMC requirements, when
applicable, at or above the level
identified by the time of contract award.
CMMC requirements flow down from
primes to subcontractors, as described
in section § 170.23.
The DoD declined to provide forecasts
of upcoming DoD solicitations with
CMMC assessment requirements. Given
that FAR clause 52.204–21 was effective
in 2016 and DFARS clause 252.204–
7012 was effective in 2017, OSAs have
had over seven years to implement NIST
SP 800–171 R2 requirements and close
out POA&Ms. DoD contracts that require
OSAs to process, store, or transmit CUI
and include DFARS clause 252.204–
7020, also require a minimum of a self-
assessment against NIST SP 800–171
requirements. That self-assessment
includes the same requirements as the
CMMC Level 1 and CMMC Level 2 self-
assessments.
DoD must enforce CMMC
requirements uniformly for all defense
contractors and subcontractors,
regardless of size, who process, store, or
transmit FCI, and CUI, regardless of
size. The value of DoD information (and
impact of its loss) does not diminish
when the information moves to
contractors and subcontractors. The
DoD cannot dictate business practices
but encourages prime contractors to
work with its subcontractors to limit the
flow down of FCI and CUI. The DoD
declines to base CUI safeguarding
requirements on contract ceiling value.
This DoD 32 CFR part 170 CMMC
Program rule does not impact or
supersede 32 CFR part 2002 (the CUI
Program) or make exceptions for the
categories of CUI or the Designating
Agency for the CUI. CMMC
requirements apply to DoD contracts
that will involve processing, storing, or
transmitting of FCI or CUI on any non-
Federal information system.
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00028
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83119
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
13. The CMMC Ecosystem Roles,
Responsibilities and Requirements
a. Government
Comment: Some comments asked
how the Department plans to address
complaints and concerns from
ecosystem stakeholders and the process
by which disputes between OSCs and
C3PAOs or the CMMC AB are resolved.
Two comments wanted the CMMC PMO
to document a process for ecosystem
stakeholders to register complaints or
use of Service Level Agreements to hold
the Department accountable to respond.
Some asked whether the DoD could
be subject to litigation challenging
DoD’s reliance on the CMMC AB’s
appeals process to resolve disputes
between OSCs and C3PAOs. The
commenters asserted resolving such
disputes may be an inherently
governmental function. One commenter
noted that transactions between OSCs
and C3PAOs for initiating an assessment
are beyond the DoD’s authority to
regulate, since the DoD is not a party to
the transaction. They perceived DoD’s
indirect oversight of C3PAOs through
the CMMC AB as creating conflicts of
interest and potential legal liabilities.
One commenter requested the DoD
modify the rule to state the CMMC PMO
is responsible for the assessment and
monitoring of the CMMC AB, as well as
the CMMC AB’s performance of its
roles.
One commenter noted the ISO/IEC
17011:2017(E) requirements that the
CMMC AB must meet and asked why
the rule identifies a timeline for
compliance instead of requiring
immediate accreditation.
One commenter referenced a CMMC-
related Request for Information issued
prior to CMMC program development to
gauge industry’s capability to provide
the necessary ecosystem accreditation
and management functions. They
asserted no response was provided to
their RFI response.
One comment suggested the CMMC
PMO should develop a process to act as
the authoritative source for assessment
interpretations to ensure consistency.
One person asked which DoD office
authored the rule. Another noted the
realignment of the CMMC PMO from
OUSD(A&S) to DoD CIO and asked
whether this indicated a lack of
OUSD(A&S) involvement in the
program. One commenter noted that
DoD Program Managers and requiring
activities have a role in the CMMC
Program and suggested that their
responsibilities for marking and
managing CUI be added to the rule.
One commenter wanted to require
DIBCAC assessors to complete CCP and
CCA training and certification exams
through a CAICO approved licensed
training provider.
Response: DoD agreed with the
commenter that the government does
not have authority over transactions
between the OSC and C3PAO. The roles
and responsibilities of the government
are set forth in § 170.6. The interaction
between the CMMC Accreditation Body
and C3PAOs is governed by the
requirements of this rule in §§ 170.8 and
170.9, including Conflict of Interest,
Code of Professional Conduct, and
Ethics policies, as well as ISO/IEC
standards.
All DCMA DIBCAC assessors comply
with DoD regulations regarding the
cybersecurity workforce, to include DoD
Directives 8140 and 8570 and other
internal training standards. DCMA
DIBCAC assessors’ credentials for
CMMC Levels 2 and 3 exceed the
training that CCPs and CCAs complete
through Approved Training Providers
and include industry certification and a
security clearance. Additionally, DCMA
DIBCAC assessors must take the CMMC
certification examinations.
DoD’s contract with the CMMC AB
assigned places responsibility for Level
2 assessment interpretation to the
CMMC Accreditation Body. The CMMC
Accreditation Body publishes
assessment procedures and guidance for
C3PAO’s conducting CMMC Level 2
Certification Assessments. The CMMC
AB is required to provide the CMMC
PMO with all plans or changes related
to its own activities and activities
within the CMMC Ecosystem for review
prior to implementation and
publication. The DCMA DIBCAC is
responsible for CMMC Level 3
assessment interpretation and will use
the same process that is used for
DIBCAC High Assessments.
Management oversight of the CMMC
Program was realigned from the
OUSD(A&S) to the Office of the DoD
CIO for better integration with the
Department’s other DIB cybersecurity
related initiatives. Comments pertaining
to DoD’s organizational structure are not
relevant to the content of this rule. The
DoD CIO is responsible for all matters
relating to the DoD information
enterprise, including network policy
and standards and cybersecurity. In this
capacity, the DoD CIO prescribes IT
standards, including network and
cybersecurity standards. The DoD CIO
oversees programs to enhance and
supplement DIB company capabilities to
safeguard DoD information that resides
on or transits DIB unclassified
information systems.
The DoD reviewed and assessed
whitepapers that were submitted by RFI
respondents and determined that no
single respondent could meet all the
broad facets required to serve as the
CMMC Accreditation Body.
§§ 170.8, 170.9, and 170.10 document
the roles of the CMMC AB and the
CAICO in managing a complaints/
appeals process for CCAs, CCPs, and
C3PAOs. OSCs concerned about the
results of a Level 2 or Level 3
Certification assessment have a route of
appeal documented in § 170.9. DoD, as
the contracting entity, is not subject to
service level agreements. Vendors and
prospective vendors can voice concerns
with the relevant contracting officer.
External organizations may utilize
existing DoD procedures to file
complaints or concerns against any DoD
organization.
This rule establishes requirements for
the conduct of assessments, as well as
the requirements for handling of
disputes, to include an appeals process.
In the roles established by this rule,
C3PAOs and the CMMC AB execute
program requirements as codified in the
32 CFR part 170 CMMC Program rule,
with appropriate DoD oversight. For
ISO/IEC 17020:2012(E) and ISO/IEC
17011:2017(E) compliance, an appeals
process is required. Appeals are
addressed in §§ 170.8(b)(16) and
170.9(b)(9), (14), (20), and (21).
The DoD declines to update the rule
content of § 170.6 to include a new
subsection on DoD PMs and requesting
activities and their responsibilities
regarding marking CUI as that subject
matter is already addressed for the DoD.
DoD Instruction 5200.48 on CUI
establishes policy, assigns
responsibilities, and prescribes
procedures for CUI throughout the DoD
in accordance with 32 CFR part 2002,
CFR for CUI to include 32 CFR 2002.20
Marking CUI; and 48 CFR 252.204–7008
and DFARS clause 252.204–7012. The
CMMC Program requirements make no
change to existing policies for
information security implemented by
the DoD.
The DoD declined to modify the rule
to further define the existing CMMC
PMO oversight responsibilities,
identified in § 170.6, which includes the
CMMC AB and all other aspects of the
program.
b. CMMC-AB
Comment: There were multiple
comments regarding the CMMC
Accreditation Body (AB). Ten comments
were not relevant to the rule text.
Multiple commenters asked about
mechanisms to monitor the CMMC AB
and how the DoD provides oversight.
Seven comments provided valuable
editorial recommendations that
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00029
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83120
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
enhanced the existing rule text. Seven
comments also raised concerns and
asked for clarification about certification
of the CMMC AB, its standing with
international accreditation bodies and
the effects of that standing on the
C3PAOs. Two comments sought clarity
on the CMMC AB’s responsibilities and
what resources they will provide to the
CMMC ecosystem. One comment
suggested incorporation by reference of
specific CMMC AB generated artifacts.
One comment requested clarity on terms
and definitions regarding the CMMC
AB.
Response: Some comments received
lacked relevance to the rule’s content,
including the establishment of outside
entities. The DoD declines to respond to
speculative or editorial comments about
private citizens or entities, which are
outside the scope of this rule. The DoD
declines to respond to requests for
documents related to the CMMC AB and
the CAICO that lack relevance to the
CMMC rule.
The term CMMC Accreditation Body
is a generic term for whichever
accreditation body is supporting the
DoD at a given time. The rule has been
updated to remove reference to any
specific accreditation body. There is
only one Accreditation Body for the
DoD CMMC Program at any given time,
and its primary mission is to authorize
and accredit the C3PAOs. The
Accreditation Body does not issue
certifications. The current CMMC AB is
under a no-cost contract that has
followed normal DoD contracting
procedures. The DoD declines to delete
the section outlining requirements for
the CMMC AB, which are enduring and
apply irrespective of which entity the
DoD has currently approved to serve in
that capacity.
This rule identifies the requirements
for the Accreditation Body’s role in the
CMMC Ecosystem. The DoD has a
variety of options available to address
the commenter’s concern should the
current CMMC AB not be able to fulfill
this role. These include but are not
limited to, contracting with a new/
replacement Accreditation Body. And
authorized and accredited C3PAOs
would be able to continue conducting
CMMC assessments.
§ 170.8(b)(6) requires the CMMC AB
to complete a CMMC Level 2 assessment
conducted by DCMA DIBCAC that must
meet all CMMC Final Level 2
certification assessment requirements
and will not result in a CMMC Level 2
certification. This requirement for an
assessment is based on the potential
compilation of sensitive information on
the CMMC AB’s information systems.
After the CMMC AB’s successful
completion of this Level 2 assessment,
the DoD reserves the right to send CUI
to the CMMC AB, as appropriate.
Requirements for the CMMC AB,
detailed in § 170.8(b) of this rule,
include DoD requirements to comply
with Conflict of Interest, Code of
Professional Conduct and Ethics
policies as set forth in the DoD contract
with the AB. § 170.8(b)(3) details the
ISO/IEC requirements the CMMC AB
must meet and the timeline for meeting
them. § 170.8(b)(3)(i) and (ii) further
detail the requirements for the CMMC
AB to authorize and accredit C3PAOs.
The CMMC AB is under contract with
the DoD and must fully comply with the
contract requirements.
The CMMC rule was updated to
clarify that the CMMC AB must be a
U.S.-based signatory to the International
Laboratory Accreditation Cooperation
Mutual Recognition Arrangement
within 24 months of DoD approval and
must operate in accordance with ISO/
IEC 17011:2017(E). The rule was also
updated to clarify that a disqualifying
eligibility determination may result in
the CMMC AB losing its authorization
or accreditation under the CMMC
Program.
All CMMC ecosystem members are
required to abide by the appropriate
ethics and conflicts of interest policies
established by the CMMC AB and
CAICO. Rule content pertaining to
ethics, quality assurance functions,
record keeping, data encryption,
security, etc. functions across the
ecosystem are tailored to reflect the role
each entity fills in the ecosystem. The
CMMC AB is not an agency of the
Federal government; it is a private
sector organization operating under
contract with the DoD. As described in
§ 170.6(a), the Office of the Department
of Defense Chief Information Officer
(DoD CIO) provides oversight of the
CMMC Program and is responsible for
establishing CMMC assessment,
accreditation, and training requirements
as well as developing and updating
CMMC Program implementing
guidance. The Accreditation Body must
be under contract with the DoD. The
rule has been modified to include
additional CMMC AB oversight
responsibilities for the CMMC PMO.
The Department declines to incorporate
CMMC AB generated artifacts into the
rule by reference. The responsibilities of
the DoD CIO and CMMC PMO are
outlined in § 170.6 and the
responsibilities of the Accreditation
Body are outlined in § 170.8.
The DoD acknowledges that the
CMMC AB may not offer both
accreditation services and certification
services. DoD declines to make edits to
these sections as they are in alignment
with the roles and responsibilities of the
CMMC AB. The DoD has revised
§ 170.8(b)(17)(i)(C) in the rule to clarify
that the ‘‘CMMC activities’’ which
former Accreditation Body members are
prohibited from include any or all
responsibilities described in Subpart C
of this rule.
The rule was updated to indicate that
C3PAOs must also meet administrative
requirements as determined by the
CMMC AB. It was also updated to
clarify that the term ‘‘independent
assessor staff’’ in § 170.8(b)(4) refers to
independent CMMC Certified Assessor
staff, and to clarify the meaning of the
term ‘‘members’’ at § 170.8(b)(17)(i)(B).
DoD declines to modify § 170.8(b)(15) to
include the phrase ‘‘technical accuracy
and alignment with all applicable legal,
regulatory, and policy requirements’’, as
this does not result in a substantive
change to the requirements as currently
specified.
c. C3PAOs
Comment: Clarification was requested
regarding C3PAOs’ timelines for
accreditation and their dependencies on
the CMMC AB accreditation process.
Some commenters requested additional
time. Clarification was also requested on
the current disposition of authorized
C3PAOs. A few comments asked for
simplification and clarification of the
difference between the terms
‘‘authorized’’ and ‘‘accredited’’ with the
establishment of C3PAOs. One comment
requested that the rule be edited to
require full compliance before C3PAOs
can conduct certifications, and that
duplicative language relating to ethics,
record keeping, etc., be moved to a
central location in the rule. One
commentor questioned whether
§ 170.9(b)(16), which states ‘‘Ensure that
all CMMC assessment activities are
performed on the information system
within the CMMC Assessment Scope’’,
applies to all C3PAO personnel or just
those involved in the Quality Assurance
process.
Other comments objected to the
requirement that C3PAOs obtain a
CMMC Level 2 certification assessment
because the assessment does not result
in a Level 2 certification. They asked
whether this would require two separate
assessments every three years for
C3PAOs that also conduct contractor
work for DoD. Two comments requested
clarification on determining the scope
for a CMMC Level 2 assessment of a
C3PAO to be used by DIBCAC, and if or
when they would be required to obtain
a FedRAMP Moderate certification.
Also, clarification was requested on
whether a C3PAO is permitted to
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00030
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83121
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
possess OSC CUI and other artifacts
during the assessment so long as they
are destroyed upon completion of the
assessment. One comment suggested
that all information collected by the
C3PAO be encrypted.
Three comments asked for
clarification on what constitutes a
C3PAO assessment team and whether it
can consist of solely a Lead CCA. One
commentor asked whether entities
accredited under ISO 17020:2012(E) by
another accreditation body, rather than
the CMMC AB, meets CMMC C3PAO
requirements. A couple of comments
asked for clarification on whether a
C3PAO could be foreign owned and
participate in the current CMMC AB
Marketplace.
Response: One commenter
misinterpreted several sections of the
CMMC rule. By defining the
requirements in this rule to become a
C3PAO, and defining a scoring
methodology, the DoD is providing the
authority and guidance necessary for
C3PAOs to conduct assessments.
DoD considered many alternatives
before deciding upon the current CMMC
structure. The DoD has established
requirements for a CMMC Accreditation
Body, and this accreditation body will
administer the CMMC Ecosystem. The
appeals process is defined in
§§ 170.8(b)(16) and 170.9(b)(9), (14),
(20), and (21). The DoD will not assume
the workload of directly managing the
CMMC ecosystem or the other
alternatives suggested. DoD must treat
all potential defense contractors and
subcontractors fairly. DoD cannot
inadvertently create a pathway to a free
assessment for an organization by virtue
of its dual-purpose as a C3PAO and
separately as a defense contractor.
Therefore, DoD assesses C3PAOs free of
charge, but the assessment does not
result in a Certificate of CMMC Status.
The C3PAOs determine the people,
processes, and technologies that are in-
scope for their DIBCAC assessment to
become a C3PAO. The need to protect
the assessment information is
independent of its status as FCI or CUI.
Assessment information, such as which
requirements are MET or not, as well as
the evidence and analysis leading to
that result, would provide valuable
insights to an adversary if not protected.
A C3PAO is not a CSP and therefore
would not require a FedRAMP moderate
assessment to be a C3PAO. However, if
they use a CSP to process, store, or
transmit assessment information, then
the CSP would require a FedRAMP
Moderate, or equivalent, assessment.
The CSP assessment results and CRM
would be in scope for the C3PAO
assessment.
The requirements in § 170.9 apply to
both authorized and accredited
C3PAOs. The only difference between
authorization and accreditation is the
status of the CMMC Accreditation Body.
Prior to the CMMC AB achieving its full
ISO/IEC 17011:2017(E) compliance, the
interim term ‘‘authorized’’ is used for
C3PAOs. As stated in §§ 170.8(b)(3)(i)
and 170.9(b)(1) and (2), currently
authorized C3PAOs must achieve and
maintain compliance with ISO/IEC
17020:2012(E) within 27 months of
authorization. As stated in § 170.9(b)(6),
C3PAOs must obtain a Level 2
certification assessment, but this does
not result in a CMMC Level 2 certificate.
The DoD declines to modify the rule
text related to C3PAO requirements as it
does not make a substantive change.
Requirements are specified in the rule
for each entity within the CMMC
ecosystem.
A C3PAO may start preparing for
compliance with ISO/IEC 17020:2012(E)
before the Accreditation Body achieves
compliance with ISO/IEC
17011:2017(E). The 27-month timeline
for a C3PAO to achieve and maintain
compliance with ISO/IEC 17020:2012(E)
begins on the date that the C3PAO is
authorized by the Accreditation Body,
as addressed in § 170.9(b)(2) C3PAOs
authorized by the CMMC AB prior to
becoming compliant with ISO/IEC
17020:2012(E) must be accredited by the
CMMC AB within 27 months of the
C3PAO’s initial authorization to meet
CMMC program requirements. The
accreditation process is not tied to, nor
is it impacted by, the DoD’s
appropriations period.
The rule has been updated to add
‘‘authorized’’ to the definition of a
C3PAO. Authorized is defined in
§ 170.4.
DoD disagrees with the suggestion
that certain C3PAO requirements are not
needed or redundant. C3PAO’s must
follow specific requirements for CMMC
assessment record retention and
disposition, audits, personal
information, and CMMC Assessment
Scope. Each paragraph number is
independent, dependent sub-paragraphs
are numbered with lower case Roman
numerals. The requirement in
§ 170.9(b)(16) applies to all C3PAO
company personnel participating in the
CMMC assessment process.
The size of a C3PAO assessment team
is variable based on factors including
the scope of the assessment and the
arrangements between the OSC and
C3PAO. The rule has been updated in
§ 170.9(b)(12) to clarify that, at a
minimum, the assessment team must
have a Lead CCA, as defined in
§ 170.11(b)(10), and one other CCA. A
C3PAO is permitted to possess OSC CUI
and artifacts during an assessment.
CMMC Certified Assessors must use the
C3PAO’s information technology which
has received a CMMC Level 2
certification assessment as stated in
§ 170.11(b)(7) and any copies of the
OSC’s original artifacts must be
destroyed when the assessment is
complete as defined in § 170.9(1).
The DoD has considered the
recommendation to require encryption
of all information and declines to revise
the rule text, since the C3PAO is
required in § 170.9(b)(6) to obtain a
Level 2 certification assessment
conducted by DCMA DIBCAC.
Several foreign or international
companies submitted comments
expressing interest in the rule section
pertaining to C3PAO requirements
(§ 170.9(b)) and correctly noted that this
section does not preclude otherwise
qualified foreign companies from
achieving C3PAO accreditation. Also,
the DoD does permit C3PAO personnel
who are not eligible to obtain a Tier 3
background investigation to meet the
equivalent of a favorably adjudicated
Tier 3 background investigation. DoD
will determine the Tier 3 background
investigation equivalence for use with
the CMMC Program only.
d. CAICO
Comment: Numerous comments
requested correction of perceived
misstatements, oversights, or erroneous
paragraph references in the CAICO
responsibilities section. One commenter
suggested the level of detail in
§ 170.10(b) is more appropriate for a
statement of work and some paragraphs
could be deleted from the rule. They
offered preferred rewording to clarify
that the CAICO must also comply with
AB and ISO/IEC requirements, and
further recommended deleting the
requirement to provide all
documentation in English. In addition,
they recommended deleting separation
of duties as a requirement, because it is
already required under ISO/IEC
certification. One commenter conflated
CAICO subcontractors with DIB
subcontractors and suggested deletion of
the rule’s restrictions on releasing
CMMC-related information. One
comment asked whether the Cyber AB
and CAICO have documented processes
for regular review and updates to their
compliance documentation. Lastly, one
comment requested duplicative
language relating to ethics, record
keeping, etc. be moved to a central
location in the rule.
A few commenters suggested
preferred edits to improve the role of the
CAICO. One comment noted that the
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00031
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83122
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
accreditor for certifying the CAICO
should be a U.S.-based signatory to
ILAC or relevant International
Accreditation Forum (IAF) in addition
to complying with ISO/IEC
17011:2017(E). Two comments noted
concerns that having only one CAICO
would create an untenable bottleneck
should something happen to the single
CAICO. One commenter asserted that
the CMMC Certified Instructor (CCI)
certification requirement is redundant
and not cost-effective since instructors
will need to be certified as CCPs or
CCAs to teach those courses. One
comment suggested a grace period of
18–24 months from final rule
publication, to allow update of training
and examinations, before implementing
the CCP and CCA certification
requirements. Three comments
recommended that Approved
Publishing Partner (APP) and Approved
Training Providers (ATP) sections be
added to Subpart C of the rule. One
commenter asked for clarification on
what constitutes a CAICO subcontractor
and if this includes LTPs and LPPs, and
asked why an authorization process for
LTPs and LPPs is not included in the
rule.
One commenter appreciated that
CAICO responsibilities include
compliance with relevant ISO/IEC
standards, as those are internationally
recognized standards.
One commenter provided an
attachment containing an image of an
article published in the February 2024
issue of National Defense Magazine. The
commentor did not provide specific
questions or comments regarding the
article, they simply submitted an article.
DoD declines to comment on the
reposting of information being reported
in the media.
Response: The DoD declines to
comment on the reposting of
information being reported in the
media. This rule identifies requirements
for the CAICO role in the ecosystem.
The DoD has a variety of options
available to address issues with reliance
on a single CAICO. These include but
are not limited to working with the
CMMC AB to identify a new/
replacement CAICO.
The final rule includes a requirement
for the Accreditation Body, CAICO, and
C3PAOs to adhere to appropriate ISO/
IEC standards, which include the
current version of the standard for
conformity assessment (ISO/IEC
17024:2012(E) located at ISO website:
www.iso.org/standard/52993.html).
All CMMC ecosystem members are
required inter alia to abide by the
appropriate ethics and conflicts of
interest policies established by the
CMMC AB and CAICO. Rule content
pertaining to ethics, quality assurance
functions, record keeping, data
encryption, security, etc. functions
across the ecosystem are tailored to
reflect the role each entity fills in the
ecosystem. Repeating this content in the
section of each ecosystem role serves to
emphasize the importance of adherence
to these requirements.
DoD disagrees with the commenter’s
suggestion that certain CAICO
requirements are not needed or are
redundant. The DoD requirement for
documentation in English refers to
official information provided to the
Accreditation Body or the DoD. The
commenter’s preferred rewording of
§ 170.10(b)(3) is unnecessary because
there is a separate requirement for the
CAICO to meet ISO/IEC standards, and
this rule does not codify non-DoD
requirements. The DoD declines to
remove the requirement in
§ 170.10(b)(10) to provide status
information to the CMMC AB because it
is necessary for program management.
The rule retains the separation of duties
requirement at § 170.10(b)(11), which is
more specific than the management of
impartiality required under ISO/IEC
17024:2012(E).
The DoD declines to delete
certification requirements for CCI.
Having the technical background as a
CCP or CCA does not ensure all the
instructor-unique qualifications
necessary to be a CCI are met. The DoD
also declines to remove the reference to
§ 170.10 from § 170.12(b)(1) since it is
accurate that the CAICO certifies CCIs.
Section § 170.10(b)(13) ensures that
personal information is encrypted and
protected in all CAICO information
systems and databases and those of any
CAICO training support service
providers. DoD disagrees with the
commentor’s statement that training
support service providers of the CAICO
be allowed to disclose information
about CCAs and/or CCPs. § 170.10
references the CAICO requirements.
Entities providing training support
services to the CAICO are not a part of
the assessment process in the
ecosystem. It is not up to them to release
data on certified persons in the
ecosystem. Any metrics regarding
certifications will come from the
CAICO.
DoD declines to add Approved
Publishing Partner (APP) and Approved
Training Providers (ATP), or sections to
the rule. The CMMC Program defines
the requirements for the ecosystem.
Specific requirements for publishing
and training guidelines are determined
by the CAICO and do not require the
oversight of the DoD. The CMMC Rule
does not use the term Licensed Training
Provider (LTP), as the LTPs are not
required to be licensed. The acronym
ATP means Approved Training Provider
which encompasses the same role in the
CMMC Ecosystem. The DoD does not
intend to further delay implementation
of CMMC to provide an 18 to 24-month
grace period from the official release of
the rule to build curriculum.
The DoD has reviewed commenter
recommendations and revised the rule
as follows:
The CMMC rule has been updated to
state that the CAICO must be accredited
by a U.S. based signatory to ILAC or
other relevant IAF mutual recognition
arrangements and operate in accordance
with ISO/IEC 17011:2017(E). The DoD
has removed the term ‘‘practitioner’’
from § 170.10(b)(8) for clarity and
changed the term subcontractor to
training service support provider.
e. CCPs and CCAs
Comment: Some comments requested
DoD’s response to speculations about
market forces, competitiveness of the
CMMC Certified Professional (CCP) and
CMMC Certified Assessment (CCA)
roles and career opportunities, assessor
burnout, complexity of CMMC
ecosystem, and a limited assessor pool.
Several comments identified
administrative changes or preferred
rewording or reordering of the CCP and
CCA sections of the ecosystem
requirements. For example, two
commenters objected to repeating the
requirement to meet CoPC and COI
requirements for each Ecosystem
member in § 170.8. Another comment
requested deletion of the requirement
for all documentation and records to be
provided in English.
One commenter recommended
revising proficiency and experience
requirements for CCPs, CCAs, and Lead
CCAs. Another requested clarification
on what requirements govern the
certification of a CCA and requested the
rule allow the CAICO to establish the
certification validity period. One
comment recommended all additional
assessor certification requirements in
§ 170.11(b)(6)(ii) be removed from the
rule, so that only those prerequisite
training requirements identified by the
CAICO would apply.
Another comment suggested that a
requirement prohibiting assessors from
use of personally owned IT that is
contained in the CCA section at § 170.11
also be added to the C3PAO
requirements section at § 170.9. Two
commenters objected to the restrictions
on CCAs sharing information with
people outside the assessment team.
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00032
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83123
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
One comment questioned the
requirement for a Tier 3 background
investigation for CCPs and another
suggested the validity period of CCP
certification should be determined by
the CAICO. Yet another comment
suggested changing certification periods
from 3 to 4 years for those certified prior
to the rule becoming effective. One
comment suggested there is insufficient
clarity regarding the role CCPs may play
in an assessment and another asked
whether a CCPs was allowed to review
more than just Level 1 requirements.
Two other comments recommended
updating CCP training to include Level
2 practices. Another comment noted
that assessor cannot be robotic and that
they must be allowed to evaluate the
situation as it pertains to the company
being evaluated.
One comment asked for clarification
on Lead CCA requirements and
requested a reduction in the
management experience to 2 years. Two
other comments recommended adding
IT and cybersecurity experience as
relevant skills. One comment also
recommended that Lead CCAs have
industry-specific knowledge of the
industry in which the OSC being
assessed participates. Another comment
requested clarification whether years of
experience are cumulative for the Lead
CCA. One comment recommended
changing the name of Lead CCA and
adding roles and responsibilities
requirements. One stated that the rule’s
CCA prerequisites is too low a skill set
and recommended increasing the
requirements for both CCAs and Lead
CCAs. While another comment noted
the rule referenced both DoD Manual
8570 and DoD Manual 8140.03 and one
or the either should be used.
One commenter suggested that should
sufficient assessors not be available to
meet demand, the DoD should provide
a delay or ‘‘grace period’’ to meet
certification requirements.
Response: The CMMC rule provides
detail on anticipated impacts on the DIB
in the Impact and Cost Analysis
summary of the preamble. Speculation
on market forces on roles in the CMMC
ecosystem such as CCPs and CCAs are
outside of the scope of the CMMC
program rulemaking. Likewise,
limitations on career opportunities and
associated issues such as burn-out or job
satisfaction are beyond the scope of the
program.
The DoD updated the rule to clarify
that CCAs must meet all the
requirements set forth in § 170.11(b) and
modified the rule in § 170.10(b)(10) to
include CMMC Certified Professionals
(CCPs). § 170.13(b)(6) was changed to
conform to rule text in § 170.11(b)(9)
and to clarify with whom information
may be shared.
The DoD determined the certification
requirements specified in § 170.11(b)(6)
meet the needs of ensuring certified
assessors have the required depth of
cybersecurity knowledge and
experience that is beyond what the
CMMC-specific training provides.
The DoD disagreed with the comment
that the CAICO should determine the
length of time a CCP certification is
valid. DoD has a significant interest in
ensuring the quality of assessors in the
CMMC ecosystem and the currency of
their training. The DoD does not agree
with the assertion that managerial, and
personnel related skills are most
relevant for success as a Lead Assessor.
As written, § 170.11 of the rule requires
Lead Assessors to have a balance of
technical and managerial expertise. A
Lead Assessor also requires assessment
or audit experience. The DoD views
these skills as the minimum required to
adequately provide the technical
guidance and managerial oversight of
the assessment team. The DoD declined
to revise the rule to specify IT and/or
Cybersecurity for the required audit
experience.
The DoD also disagreed with a
recommendation to require Lead CCAs
to have industry-specific knowledge of
the industry in which the OSC being
assessed participates. The DoD found
that this requirement would
unreasonably restrict C3PAOs from
participating in a broad range of
assessments and could have a negative
effect on the ability of the DIB to
schedule CMMC Level 2 certification
assessments. The OSC can select a
C3PAO with the experience it considers
valuable.
The DoD declined a commentor’s
request to modify the rule to allow the
CAICO to determine the requirement for
the frequency of CCA/CCP certification.
The DoD considers the 3 years
certification period a key CMMC
program requirement that will be
enacted and managed by the CAICO.
The DoD also declined to change the
rule to extend the certification timeline
to 4 years for those earning a
certification prior to completion of
rulemaking. Additionally, the DoD did
not accept the recommendation to
remove the requirement for providing
documentation in the English language,
which applies to all official information
that would be provided to the CAICO,
CMMC AB, or the DoD.
The DoD disagreed with a
commenter’s recommendation to
remove the second sentence in
§ 170.11(b)(7) that prohibits individual
assessors from using any IT other than
that provided to them by the C3PAO
that has been contracted to perform that
OSA’s assessment. This sentence is
required to eliminate ambiguity,
particularly for C3PAOs that may have
implemented a BYOD program or that
allow some work roles to use personal
devices. The DoD updated the rule to
provide additional clarity.
The DoD does not concur with the
comment calling for a DoD Manual
8140.03 requirement on CCAs.
Assessment teams are required to have
a Lead Assessor who must meet the
higher level of the DoDM 8140.03
requirements. The rule has been
updated to remove reference to DoD
Manual 8570.
The experience requirements
referenced for the Lead CCA are
cumulative. The rule has been updated
to move Lead CCA requirements to the
end of § 170.11, but not to create a new
section.
The DoD disagreed with the
commenter’s assertion that Assessors
are robotic. Assessors will go through
CMMC training and will assess each
unique CMMC Assessment Scope, as
defined by the OSA, against the security
requirements. As specified in
§ 170.13(a) CCPs can participate on
CMMC Level 2 certification assessments
with CCA oversight where the CCA
makes all final decisions. Updates to
training are beyond the scope of this
rule. Statements made in training
materials produced prior to final
adoption of the CMMC rule are beyond
the scope of CMMC rulemaking. DoD
disagrees with the comment that
§ 170.13 does not provide sufficient
detail regarding the role CCPs may play
in an assessment. The requirement in
the rule that ‘‘with CCA oversight where
the CCA makes all final determinations’’
provides sufficient flexibility to adapt to
a wide variety of assessments while
ensuring the responsibility for
assessment findings rests with the CCA
and Lead CCA.
The rule restates COI and CoPC
requirements in each ecosystem section
because all CMMC ecosystem members
are required to abide by the appropriate
ethics and conflicts of interest policies
established by the CMMC AB and the
CAICO. Rule content pertaining to
ethics, quality assurance functions,
record keeping, data encryption,
security, and other functions across the
ecosystem are tailored to reflect the role
each entity fills in the ecosystem.
DoD CIO, in coordination with OUSD/
I&S, evaluated the requirements for the
CMMC Ecosystem. Based on the access
to sensitive unclassified information, a
Tier 3 background investigation that
results in determination of national
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00033
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83124
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
security eligibility is required.
§ 170.13(a) states that a CCP is eligible
to participate in Level 2 certification
assessment with CCA oversight and is
eligible to become a CCA and will
receive additional training and testing
per the requirements in § 170.11.
The phased implementation plan
described in § 170.3(e) is intended to
address ramp-up issues and provide
time to train the necessary number of
assessors. DoD has updated the rule to
add an additional six months to the
Phase 1 timeline.
e. CCI
1. Training and Training Materials
Comment: One comment mistook the
requirement to ‘‘provide all
documentation and records in English’’
as applying to training materials. Four
comments expressed concerns about the
requirements for confidentiality
surrounding training records. These
concerns arose primarily from a
misinterpretation of the requirement to
‘‘keep confidential all information
obtained during the performance of
CMMC training activities’’ to mean a
requirement to keep the training
materials themselves confidential,
rather than keeping student records
confidential.
Response: The requirement to
‘‘provide all documentation and records
in English’’ refers to official information
that would be provided to the CMMC
Assessor and Instructor Certification
Organization (CAICO) or the DoD. The
terms do not pertain to all materials
used in the delivery of a course. The
DoD disagreed with the
recommendation to delete the
§ 170.12(b)(7) requirement for keeping
CMMC training records and information
confidential. ‘‘Training activities’’ do
not include course material. The
example in § 170.12(b)(7) (student
records) makes clear the type of data
covered by the rule.
2. Time Limits and Other Constraints
Comment: One comment
recommended that the CAICO, instead
of the DoD, determine the frequency of
CMMC Certified Instructor (CCI)
certification. Another requested
clarification on the length of time that
a CCI may not provide consulting
services. One comment recommended
changing the rule to require CCIs to
provide updates to the CAICO and the
CMMC AB no less than annually, in lieu
of ‘‘most up to date’’.
Two comments expressed concern
that CCIs are not allowed to provide
consulting services to OSCs; one of the
comments asserted this would result in
reduced quality of training for CMMC
Certified Professionals (CCP) and
CMMC Certified Assessors (CCA). One
comment expressed disagreement with
the requirement prohibiting CCIs from
exam development and exam
proctoring. Another comment
recommended a rule update indicating
CCIs can teach both CCA and CMMC
Certified Professional (CCP) candidates.
Response: The DoD declined a
commenter’s request to modify the rule
to allow the CAICO to determine the
requirement for validity period of a CCI
certification. The DoD considers the 3-
year certification period for CCIs as a
key CMMC program requirement that is
to be enforced by the CAICO.
The DoD modified § 170.12(b)(4) to
read ‘‘annually’’ instead of ‘‘most up to
date’’ to clarify the reporting
requirement.
All CMMC ecosystem members are
required to abide by the appropriate
ethics and conflicts of interest (COI)
policies established by the CMMC AB
and CAICO. Rule content pertaining to
ethics, quality assurance functions,
record keeping, data encryption,
security, and other functions across the
ecosystem are tailored to reflect the role
each entity fills in the ecosystem. The
DoD defined COI requirements to
reduce the possibility that a CMMC
Ecosystem member acting in one
capacity may bias, or be biased by,
clients that are paying them to perform
another CMMC related service. CCIs are
not permitted to develop or proctor
exams to avoid participating in any
activity, practice, or transaction that
could result in an actual or perceived
conflict of interest.
3. Relationship to CAICO and Other
Ecosystem Members
Comment: One comment asked why
the rule does not include requirements
for LTPs, and another requested
additional rule text to clarify the
relationship between an ATP and the
CAICO in administrative matters of
students. One comment recommended
not requiring CCIs to provide
qualification and training information to
the CAICO.
One comment recommended a
method for reducing a perceived
redundancy in the rule text between
ecosystem-related sections. Two
comments asserted that a CCI
certification is redundant because
individuals attempting to become CCIs
are already certified as CCPs or CCAs.
One comment asked that a new
requirement be added to the rule under
§ 170.12 to address the transition of
Provisional Instructors to CCIs.
Response: The CMMC rule does not
use the term Licensed Training Provider
(LTP), as training providers are not
required to be licensed. The correct term
for CMMC training providers is
Approved Training Provider (ATP). The
CMMC rule contains the requirements
to create the training for the CMMC
Program. § 170.10 contains the
requirements for the CAICO to ensure
compliance with ISO/IEC 17024:2012(E)
and to ensure all training products,
instruction, and testing materials are of
high quality.
DoD disagreed with a comment to
delete a requirement in the rule for CCIs
to update the CAICO regarding
qualification, training experience, and
other information relating to their
competency to teach within the CMMC
ecosystem. Viewing and verifying CCI
qualifications is an important element of
quality assurance in the CAICO’s role of
training, testing, authorizing, certifying,
and recertifying CMMC assessors,
instructors, and related individuals.
§ 170.12(b) in the rule was updated to
add the requirement for a CCI to be
certified at or above the level of training
they are delivering. The DoD also
modified § 170.12(a)(11) to add CMMC
Certified Professional (CCP) candidates.
The DoD declined to remove the
certification requirement for CCIs.
Although CMMC Certified Assessors
have the technical background, that
does not imply that they meet all the
instructor-unique qualifications
necessary to be a CCI.
The DoD modified § 170.12 to include
requirements for Provisional Instructors
prior to their transition to a CMMC
Certified Instructor. Any Provisional
Instructor (PI) will be required to
achieve certification under the CMMC
Certified Instructor (CCI) program
within 18 months of the final rule
publication. The PI designation ends 18
months after the effective date of the
rule.
f. Conflicts of Interest and Code of
Professional Conduct
Comment: Many commenters had
questions about existing CMMC conflict
of interest (CoI) requirements and had
suggestions for further protecting the
impartiality of the CMMC Program. One
commenter requested the Department
develop a mechanism to prevent third-
party assessment organizations from
delaying re-evaluation of NOT MET
requirements to create a pipeline of
future assessment work. The commenter
recommended removing the 10-day re-
evaluation deadline requirement
currently in the CMMC Rule to prevent
any conflicts of interest. Another
commenter stated that allowing a
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00034
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83125
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
commercial entity to manage the CMMC
‘ecosystem’ creates a scenario ‘fox
watching the henhouse’’ condition and
that fraud and abuse will be rampant.
Some commenters questioned the
legality of the current CMMC AB’s
establishment and alleged unethical
behavior by its Board of Directors. They
cited the number of resignations among
its Board of Directors as evidence of
internal politics, conflicts of interests, or
ethics concerns. One commenter
suggested the 6-month ‘‘cooling off
period’’ between an employee leaving
the CMMC AB and supporting other
CMMC roles be extended to one year to
ensure impartiality within the CMMC
Program. Another commenter claimed
an informational newsletter offered by
the CMMC AB to ecosystem members
violates the conflicts of interest
requirements. In addition, commenters
alleged that the CMMC AB’s progress
(prior to final rule publication) toward
ISO/IEC compliance violates the terms
of its contract with DoD, which the DoD
should terminate.
Commenters also stated that DoD’s
no-cost contract with the current CMMC
AB has forced them to focus on
generating revenue instead of building a
CMMC Assessor cadre. One commenter
cited publicly available tax filings of the
current CMMC AB to substantiate that
view. Another commenter noted
concerns that the rule permits a timeline
for meeting the ISO/IEC requirements,
rather than requiring immediate
compliance, and suggested that it would
be more advantageous to cite different
ISO/IEC requirements (for conformity
assessment) than those identified in the
rule.
One commenter wrote that significant
delays in CMMC implementation this
far beyond the Department’s earlier
objectives of 2020 constitute fraud and
claimed that DoD representatives
directed companies to comply with
requirements that have become
irrelevant due to changes in program
requirements that occurred during
rulemaking.
Many commenters stated the
Department needs to further clarify
existing CoI requirements for CCIs,
CCAs, and CCPs in the CMMC Rule text.
Specifically, commenters suggested the
DoD:
—Revise § 170.12(b)(5) to state that CCIs
may serve on an assessment team for
a student’s company, provided the
CCI does not provide consulting to an
OSC during delivery of the CMMC
Instruction or breach other conflict of
interest rules, and add that the CCI
must ‘‘[b]e a currently certified CCA
and conduct at least one certified or
mock assessment under the direction
of a C3PAO annually.’’
—Revise § 170.12(b)(6) to allow CCIs to
craft exam objectives and content, as
CCIs are the ‘‘most in tune with issues
faced by candidate CCPs and CCAs.’’
—Strike § 170.12 altogether, because
potential CoIs will be rare and can be
‘‘managed by existing conflicts of
interest mechanisms’’; clarify that
‘‘while serving as a CMMC instructor’’
means ‘‘limited only to while actively
teaching or any time while the person
holds the CCI certification’’; and that
CoI concerns could be addressed by
the addition of an Instructor Code of
Conduct. One commenter also
suggested this section would
significantly decrease the available
pool of CMMC instructors, as they
would be forced to choose between
instructing and consulting, which
may be a more lucrative option. They
also claimed it prevented CCIs who
teach CCP/CCA courses at night from
providing consulting services during
the day.
—Impose a three- or four-year
prohibition on ecosystem members
from participating in the CMMC
assessment process for an assessment
in which they previously served as a
consultant or ‘‘since the OSC last
obtained CMMC certification,
whichever is most recent.’’
—Add language to §§ 170.11 and 170.13
to clarify if an individual consults
with a defense industrial base
company, they are prohibited from
participating as a CMMC assessor for
that same company.
—Update § 170.8(b)(ii)(17)(ii)(G) and
add a time limit to this requirement
to ensure a consultant can perform
assessments, given an appropriate
amount of time has passed.
—Revise § 170.8(b)(17)(ii)(G) to say,
‘‘Prohibit CMMC Ecosystem members
from participating in the CMMC
assessment process for a CMMC
assessment in which they previously
served as an employee or consultant
to prepare the organization for any
CMMC assessment,’’ as both an OSC
employee and a CCPA/CCP serving as
a consultant would face identical CoI.
—Provide more detail on the scope of
CCA and CCP conflict of interest
disclosure required, particularly
around the definition of ‘‘process,
store, or transmit’’ in § 170.4(b).
—More narrowly tailor the CoI
requirement in § 170.8(b)(17)(i)(D)
and more expressly identify the
‘‘perceived conflicts of interest’’
scenarios to help ecosystem members
avoid legal risk.
—Rewrite § 170.8(b)(17)(iii)(C) to clarify
what constitutes a ‘‘satisfactory record
of integrity and business ethics.’’
—Provide more detail in § 170.10(b)(11)
on the term ‘‘separation of duties,’’ so
CCAs know whether they can
volunteer to develop test questions or
provide training.
Response Summary: Some comments
received lacked relevance to the rule’s
content, which is limited to specific
CMMC Program requirements. The DoD
declines to respond to speculative or
editorial comments about private
citizens or entities, all of which are not
within the scope of this rule. Personnel
actions taken by the CMMC AB and
comments regarding filing of IRS forms
are not within the scope of this rule.
§ 170.8(b) of this final rule provides
requirements of the CMMC AB. CMMC
Program requirements as described in
this rule requires the CMMC
Accreditation Body and the CAICO to
have and abide by ethics and conflicts
of interest rules and to have and
maintain a Code of Professional
Conduct (CoPC). § 170.8(b)(3) describes
the ISO/IEC requirements and the
timeline in which the CMMC AB needs
to meet those requirements. The DoD
declines to comment on business
decisions made by the current CMMC
AB in the performance of its CMMC
related roles, responsibilities, and
requirements. Based on information
currently known to DoD, the CMMC AB
is currently performing as defined in
this final rule and the terms of the
contract. The ANSI National
Accreditation Body is performing the
function of accrediting the CAICO,
which is appropriate given its status as
a subsidiary of the CMMC AB.
The DoD defined CMMC Conflict of
Interest requirements to reduce the
possibility that a member of the CMMC
Ecosystem acting in one capacity may
bias, or be biased by, clients that are
paying them to perform another CMMC
related service. The rule text includes
ethics requirements for members of the
CMMC ecosystem, to include the CMMC
AB (§ 170.8). The DoD concurred with
some comments and has increased the
cooling off period from six months to
one year in § 170.8(b)(17)(i)(C).
DoD considered many alternatives
before deciding upon the current CMMC
structure. The DoD has established
requirements for a CMMC Accreditation
Body, and this accreditation body will
administer the CMMC Ecosystem. The
phased CMMC implementation plan
provides time to train the necessary
number of assessors and, the rule has
been updated to add an additional six
months to the Phase 1 timeline.
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00035
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83126
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
The DoD requires that the
Accreditation Body must achieve and
maintain compliance with the ISO/IEC
17011:2017(E) standard (the
international benchmark used in
demonstrating an accreditation body’s
impartiality, technical competency, and
resources) and the requirements set
forth in § 170.8. The CMMC Proposed
rule also requires compliance with ISO/
IEC 17020:2012(E) for conformity
assessments. § 170.12(b)(5) was revised
to indicate that a CMMC instructor,
subject to the Code of Professional
Ethics and Conflict of Interest policies,
may serve on an assessment team but
cannot consult. CCIs are not permitted
to develop or proctor exams to avoid
participating in any activity, practice, or
transaction that could result in an actual
or perceived conflict of interest.
The CAICO is responsible to ensure
the separation of duties for individuals
volunteering to assist with testing,
training, and certification activities. An
example of separation of duties is
shown in § 170.12(b)(6), which specifies
that a CCI cannot be involved in
examination activities.
DoD modified § 170.8(b)(17)(ii)(G) to
add that a consultant is only limited
from participation in the assessment
process for 36 months. CMMC
Ecosystem members do not participate
in an assessor capacity on DIBCAC
assessments. The DoD declined to add
explicit requirements prohibiting
ecosystem members from participating
in an assessment of an OSC by whom
they were previously employed (directly
or as a consultant), because the scenario
is already covered under
§ 170.8(b)(17)(ii)(G).
DoD disagreed with the comments
that a CMMC Ecosystem member is
unable to avoid perceived conflicts of
interest. The Accreditation Body is
required to provide a CoI policy in
§ 170.8(b)(17) for CMMC Ecosystem
members. The Department expects that
a reasonable person subject to the CoI
policy should understand how to avoid
the appearance of conflicts of interest
and, if unsure, seek clarity from the
Accreditation Body. Details of the
disclosure requirements are in the
Accreditation Body conflict of interest
policy.
A satisfactory record of integrity and
business ethics is a record that does not
indicate derogatory behavior in relation
to professional conduct or conflict of
interest.
The DoD declined to remove the 10-
day re-evaluation deadline in
§§ 170.17(c)(2) and 170.18(c)(2) to
ensure consistency in the assessment
process. The OSC may utilize the
appeals process, as necessary. The DoD
is required to codify CMMC program
requirements through a prescribed and
formal rulemaking process. The timeline
for CMMC implementation changed due
in part to DoD’s decision to pause and
assess the program, seek opportunities
to streamline and ease the burden of its
implementation, and respond to public
comments. The DoD declines to respond
to speculative or editorial comments
regarding the actions of private citizens,
which are not within the scope of this
rule.
g. Ecosystem Eligibility
1. Foreign Ownership
Comment: Two comments noted the
rule does not include Foreign
Ownership, Control, or Influence (FOCI)
requirements for the CAICO. One
comment recommended the rule
incorporate the definition of the
‘‘national technology and industrial
base’’ and exclude those companies
from FOCI requirements. The NTIB
includes organizations from the United
States, the United Kingdom of Great
Britain and Northern Ireland, Australia,
New Zealand, and Canada that are
engaged in research, development,
production, integration, services, or
information technology activities.
Response: The CAICO has no FOCI
requirement because they do not have
knowledge of the OSC’s network or
potential vulnerabilities identified in
the assessment process. Per
§ 170.9(b)(5), the CMMC Program
implements the FOCI program that is
managed by DCSA. Potential FOCI
exemptions are outside the scope of this
32 CFR part 170 CMMC Program rule
and must be addressed through
international arrangements or
agreements.
2. Personnel Security
Comment: There were numerous
comments regarding the Tier 3
Personnel Security requirements.
Several comments recommended
editorial clarification. Multiple
comments requested clarification on
what ‘‘not eligible’’ meant and what is
the ‘‘equivalent process’’. One comment
recommended the Tier 3 background
investigation be required for all
authorized personnel while two
comments recommended eliminating
the Tier 3 background investigation
requirement. Two other comments
requested clarification on why a Tier 3
investigation is required when no secret
information is handled and there is no
clearance granted. Another comment
requested clarification on the Tier 3
process. Three comments requested
clarity on the citizenship requirements
and how the Tier 3 requirement will be
enforced for international C3PAO’s.
Another comment recommended
adding a requirement for CMMC
Instructors and Assessors to report to
the CAICO within 30 days of conviction,
or guilty pleas to certain crimes.
Response: In coordination with the
OUSD/I&S, the DoD CIO evaluated
requirements for the CMMC Ecosystem.
Based on the access to sensitive
unclassified information, a Tier 3
background investigation that results in
determination of national security
eligibility is required as specified in this
rule. The concept of ‘‘not eligible’’ in
§ 170.9(b)(4) is intended to cover those
applicants who do not meet the
entrance requirements for a DCSA Tier
3 background investigation, it is not an
alternative for applicants who do not
pass its Tier 3 background investigation.
The DCSA maintains a record of all
background investigation information in
the Personnel Vetting Records system of
records, DUSDI 02-DoD, as published in
the Federal Register. The details of the
Tier 3 background investigation are
included in this rule to inform the
public of the CMMC requirement and
that the investigation will not result in
a clearance. The DoD declines to remove
reference to the Standard Form 86 from
the rule. All documentation and records
for the background investigation process
must be provided in English;
rulemaking as a Federal regulation
requires this level of detail to ensure
clarity of understanding and
interpretation. Details about background
investigation equivalency is available
from DCSA at [http://www.dcsa.mil/Industrial-Security/International-Programs/Security-Assurances-for-Personnel-Facilities/ www.dcsa.mil/Industrial-
Security/International-Programs/
Security-Assurances-for-Personnel-
Facilities/. As stated in the 32 CFR part
]170 CMMC Program rule, C3PAOs must
meet the criteria defined in section
§ 170.9. If a non-U.S. organization, and
its employees, meet all the requirements
in § 170.9 and § 170.11, it would not be
prohibited from operating as a C3PAO
within the U.S. or abroad. The DoD
declined to make recommended
administrative changes to § 170.9(b)(3),
because they did not result in a
substantive change.
While a C3PAO may use its own
employees to staff an assessment, it also
may leverage CCAs and CCPS who are
independent contractors, rather than
employees of a specific C3PAO. Because
these independent CCAs and CCPs may
not be covered by the C3PAO’s
background check requirement, CMMC
requires CCAs and CCPs to have their
own Type 3 background checks or
equivalent.
Section 170.10 has been updated to
specify the CAICO must require CMMC
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00036
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83127
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
Ecosystem members to report to the
CAICO, within 30 days, if they are
convicted, plead guilty, or plead no
contest for certain specified legal
matters or criminal activities.
h. ISO/IEC Standards
Comment: Several comments
addressed ISO/IEC standards referenced
in the proposed rule. Most of these were
related to ISO/IEC 17020:2012(E). One
commenter wanted to know what the
proposed rule meant by ‘‘out-of-cycle
from ISO/IEC 17020:2012(E).’’ Another
felt the section outlining CMMC AB
responsibilities should clarify that the
CMMC PMO must approve all C3PAO
accreditation requirements established
by the Accreditation Body under ISO/
IEC 17020:2012(E). One person felt the
rule should give C3PAOs more time to
achieve compliance with ISO/IEC
17020:2012(E) and one commenter
asserted that including a revocation
process in the CMMC PMO roles and
responsibilities section was inconsistent
with ISO/IEC 17020:2012(E) standards
because the C3PAO was the certification
body.
One comment asserted the
requirement in the rule for the CMMC
AB to complete the ILAC Peer Review
prior to accrediting C3PAOs is too
onerous and not consistent with the
ISO/IEC process for gaining
international recognition as an
accreditation body in accordance with
ISO/IEC 17011:2017(E).
Response: The rule was updated in
§ 170.8(a) to clarify responsibilities of
the Accreditation Body. DoD agreed
with the comment that the requirement
to complete the Peer Review prior to
accrediting C3PAOs was too onerous
and inconsistent with the ISO/IEC
process under ISO/IEC 17011:2017(E).
The rule has been updated for clarity.
Using the terms of the ISO/IEC
17020:2012(E), the activity of the
C3PAO is an ‘‘inspection’’, rather than
a ‘‘certification’’. The C3PAO is an
inspection body, not a certification
body, and is responsible for conducting
the Level 2 certification assessment
[Inspection]. The rule was revised to
delete terms related to granting or
revoking certification assessment status.
The DoD reserves the right to conduct
a DCMA DIBCAC assessment of the
OSA, as provided for under the DFARS
clause 252.204–7012 and DFARS clause
252.204–7020. DoD declines to extend
the period for C3PAOs to achieve
compliance with ISO/IEC
17020:2012(E). The Department has
determined that 27 months is reasonable
and sufficient for a C3PAO to achieve
compliance. The rule was also updated
in § 170.9(b)(11) to clarify that audit
information must be provided upon
request.
14. Ecosystem Capacity
Comment: Commenters expressed
concern that the demand for third-party
assessments amongst the defense
industrial base will exceed the capacity
of available Certified CMMC Assessors
and Certified CMMC Professionals and
government assessors which may
prevent timely and affordable audits or
cause businesses to lose out on DoD
contracts. To mitigate the concerns, one
commenter suggested delaying phase-in
of certification assessment by two years,
by relying on self-assessment. One
commenter warned of solicitation
protests if companies are kept out of a
competitive procurement due to a slow
CMMC assessment process. Another
suggested that insufficient assessors
may shrink the market for DoD
contractors and compromise assessment
quality. Commenters were apprehensive
that DoD projections for certification
demand didn’t factor in all
subcontractors and that the CMMC
Accreditation Body lacks a strategy for
scaling to meet increased C3PAO
demand.
Additionally, one commenter pointed
out that the rule indicates companies
can pursue a certification assessment at
any time after the rule is published,
which could tie up already limited
C3PAO resources and impede
assessment opportunities for other
companies bidding on an upcoming
contract. Another expressed concern
that often-extensive travel times
required for assessors to reach rural-
based companies like electric
cooperatives will disincentivize
assessors from prioritizing these
companies and prevent their timely
assessment.
Commenters suggested several actions
the Department could take to mitigate
capacity-related risks, including:
extending the phase-in of Level 2
certification requirements; prioritizing
companies for Level 2 phase-in;
allowing C3PAOs to issue interim or
conditional certifications when unable
to timely complete contractor
assessments; and waiving requirements
for OSCs that are in the assessment
process but not yet certified. Some
asked that DoD forecast the volume and
timing of Level 3 certification
requirements and clearly communicate
those assessment requirements with
contractors. Another requested forecasts
of both Level 2 and Level 3 assessment
capacity against various demand
scenarios for each certification level.
Several commenters suggested that
CMMC assessment requirements for
External Service Providers (ESPs) will
also impede CMMC implementation, as
ESPs (1) must be CMMC certified before
an OSC can include them in their
CMMC certification assessment scope
and (2) will be competing with DIB
companies for scarce C3PAO assessors.
Commenters suggested ways to reduce
burden on ESPs, which included:
allowing use of non-compliant ESPs
until Phase 3 and prioritizing
certification assessments for ESPs ahead
of other assessments.
Several commenters expressed
concern about CCA and CCP roles,
based on perceived scarcity of
candidates in the job market compared
with demand for similar services.
Concerns included the potential for
CCA and CCP burnout from overwork,
dissatisfaction with repetitive
assessments tasks, limited career path in
the roles, and the complexity of
operating within the CMMC ecosystem.
One commenter compared CCA and
CCP roles with those of Certified Public
Accountants and Certified Information
System Auditors, who have access to
more varied opportunities and
industries.
Response: DoD received numerous
comments about the use of ESPs which
do not process, store, or transmit CUI.
In response, the DoD revised the rule to
reduce the assessment burden for ESPs.
ESP assessment, certification, and
authorization requirements in 32
CFR 170.19(c)(2) and (d)(2) have been
updated. ESPs that are not CSPs and do
NOT process, store, or transmit CUI, do
not require CMMC assessment or
certification. Services provided by an
ESP are in the OSA’s assessment scope.
The phased implementation plan
described in § 170.3(e) is intended to
address ramp-up issues, provide time to
train the necessary number of assessors,
and allow companies time to
understand and implement CMMC
requirements. The DoD has updated the
rule to add an additional six months to
the Phase 1 timeline. Phase 2 will start
one calendar year after the start of Phase
1. It is beyond the scope of this rule for
DoD to determine the order in which
organizations are assessed.
The DoD declined to delete text
stating that OSAs may elect to complete
a self-assessment or pursue CMMC
certification assessment to distinguish
themselves as competitive because the
recommendation did not result in a
substantive change. CMMC rule
describes anticipated impacts on the
DIB in the Impact and Cost Analysis
section. Speculation on market forces
affecting the DIB is outside of the scope
of the CMMC program. Speculation on
market forces affecting CMMC
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00037
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83128
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
ecosystem CCP and CCA roles are also
outside of the scope of the CMMC
program. Likewise, limitations on career
opportunities and associated issues
such as burn-out or job satisfaction are
beyond the scope of the program.
The DoD declines to comment on
external market factors impacting
CMMC compliance. The seven-year
timespan reflects the DoD’s estimate for
all DIB members to achieve CMMC
compliance. The implementation plan
ramps up CMMC assessment
requirements over 4 phases, such that
the ecosystem will reach maximum
capacity by year four. The DoD does not
agree with commenter assertions that
70,000 or more entities will require
CMMC Level 2 assessment by October 1,
2026. Table 6 of the Impact and Cost
Analysis of CMMC 2.0 section provides
the DoD’s estimate of CMMC assessment
numbers by year and level.
DoD considered many alternatives
before deciding upon the current CMMC
structure. By design, the CMMC
program depends on the supply and
demand dynamics of the free market,
enabling it to naturally scale and adapt
to capacity requirements. Planned
changes to DCMA staffing levels have
been considered with regard to
implementation of CMMC Level 3 and
C3PAO assessments as described in this
rule. The DIBCAC will communicate
extensively with contractors about the
conduct of a Level 3 assessment during
the pre-assessment planning phase.
15. Assessments
a. Level 1 and Mapping of 15 Level 1 to
17 Level 2 Requirements
Comment: A few questions were
submitted about CMMC level 1
requirements, on topics such as whether
DoD intended affirmations for CMMC
level 1 be required annually versus
triennially, and whether specific
policies and procedures documentation
is required for Level 1 self-assessments.
One commenter asked about limits on
deficiency remediation and re-
accomplishing an assessment in the
event a company fails a CMMC Level 1
self-assessment. Another commenter
asked for the specific wording to reflect
a CMMC Level 1 assessment score in
SPRS.
One commenter objected to CMMC
level 1 annual affirmation, which they
considered an unwarranted expansion
of CUI safeguarding requirements to
information systems that process only
FCI. One commenter recommended
revisions to explicitly indicate that
OSAs may choose to engage the services
of a C3PAO to inform the OSA’s Level
1 self-assessment submission. Another
commenter recommended editorial
revisions to avoid use of the term
‘‘CMMC security requirements’’ based
on the observation that CMMC
requirements are aligned directly to
those identified in FAR clause 52.204–
21 or NIST publications.
One commenter asked for explanation
of perceived differences between tables
in the published rule that map CMMC
Level 1 Security Requirements to NIST
SP 800–171A Jun2018, as compared
with prior versions of the document.
One commenter asked for the
rationale associated with mapping 15
requirements for CMMC level 1 to 17
requirements in CMMC level 2. Two
commenters asked if systems that
process FCI (and require CMMC level 1)
are considered within scope for CMMC
level 2 or 3 assessments, and if so, how
they should be documented.
Response: When applicable, the DoD
does require an annual CMMC Level 1
self-assessment against the 15
safeguarding requirements aligned with
FAR clause 52.204–21. Annual
affirmations are required at every
CMMC level. There are no explicit
documentation requirements for a
CMMC Level 1 Self-Assessment. The
DoD modified the Level 1 Scoping
Guide to provide clarity.
An OSA may complete as many self-
assessments as desired, and there is no
required timeframe between Level 1
self-assessments and updating CMMC
Status in SPRS. The entry in SPRS for
CMMC Level 1 is a binary selection
between Yes and No based on meeting
all Level 1 security requirements.
The CMMC Program verifies
implementation of security
requirements for FCI in accordance with
FAR clause 52.204–21. The DoD has
elected to use the CMMC Status
postings and attestations in SPRS as the
mechanism to verify compliance with
applicable CMMC requirements.
An OSA engaging an authorized
C3PAO to perform the Level 1 self-
assessment and then using the resulting
CMMC Status when ‘‘self-assessing’’ is
permissible. The OSA however retains
all the responsibilities and liabilities of
the affirmation. No revisions to the rule
were necessary.
Writing style recommendations were
not incorporated and no responses were
provided to those comments based on
comparison of pre-publication draft
versions with those officially published
for public comment. DoD aligned the
security requirements for Level 1
exactly with those in FAR clause
52.204–21 and aligned the security
requirements in Level 2 exactly with
those in NIST SP 800–171 R2. The 15
security requirements in FAR clause
52.204–21, which make up CMMC Level
1, were mapped by NIST into 17
security requirements in NIST SP 800–
171 R2. This was accomplished by
splitting 1 requirement into 3 parts,
while the other 14 align. Table 2 to
§ 170.15(c)(1)(ii) provides a mapping.
Meeting the CMMC Level 2 self-
assessment (§ 170.16) or CMMC Level 2
certification assessment (§ 170.17)
requirements also satisfies the CMMC
Level 1 self-assessment requirements
detailed in § 170.15 for the same CMMC
Assessment Scope.
b. Level 2
Comment: Commenters provided a
number of very specific Level 2
assessment scenarios and asked for rule
interpretation for each scenario.
Scenarios included differing scores for
self-assessment and third-party
assessment; assessment timing;
conditional assessment expiration; and
CUI enclaves.
One commenter stated the language
describing certificates of assessment
lacked clarity and seems to allow an
OSC to be issued a certificate of
assessment but not be certified. Two
comments stated that wording
describing the expiration of a
Conditional Level 2 self-assessment or
certification could be interpreted to
mean that the OSA/OSC would be
permanently barred from seeking further
contracts using information systems
within that CMMC Assessment Scope.
One comment said it was not clearly
stated that a Level 2 third party
assessment would satisfy contractual
requirements for a Level 2 self-
assessment. One comment stated that
the rule does not clearly indicate
whether a Level 2 assessment checks for
more than just proper implementation
of the 110 requirements in NIST SP
800–171 R2 and includes paragraphs—
(c) through (g) of DFARS clause
252.204–7012. This commenter
advocated that those requirements be
assessed only during DIBCAC
assessments.
Response: The rule has been updated
to clarify that meeting the requirements
for a CMMC Level 2 certification
assessment satisfies a CMMC Level 2
self-assessment requirement for the
same CMMC Assessment Scope.
The term ‘‘certificate of assessment’’
has been replaced with the term
‘‘Certificate of CMMC Status’’ in the
final rule. When an OSC has met all the
requirements for a Level 2 certification
assessment, a Certificate of CMMC
Status is obtained from the C3PAO
conducting the assessment. See § 170.9.
Under CMMC, OSCs are not certified;
rather, the assessed network receives a
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00038
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83129
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
Certificate of CMMC Status for the
CMMC Assessment Scope if the network
meets all applicable certification
requirements. No rule edit is necessary
because § 170.19 is clear on this point.
The phrase ‘‘until such time as a valid
CMMC Level 2 self-assessment is
achieved’’ is added to the rule in the
event a Conditional Level 2 self-
assessment or Conditional Level 3
expires [see sections
§§ 170.16(a)(1)(ii)(B)) and
170.17(a)(1)(ii)(B)].
The CMMC program does not assess
paragraph (c) through (g) of DFARS
clause 252.204–7012. The CMMC
Program assesses the security
requirements set forth in the FAR clause
52.204–21; National Institute of
Standards and Technology (NIST)
Special Publication (SP) 800–171 R2;
and selected requirements from the
NIST SP 800–172 Feb2021, as
applicable (see table 1 to § 170.14(c)(4)
CMMC Level 3 Requirements).
If the contract requires a Level 2 self-
assessment (i.e., a CMMC Status of
‘‘Conditional/Final Level 2 (Self)’’), then
the Level 2 self-assessment score with a
current affirmation is valid for that
contract but not for a contract with a
Level 2 certification assessment
requirement. The DoD does not consider
it realistic or likely that C3PAOs will
purposefully ‘‘slow roll’’ completion of
assessments for which they have been
engaged by an OSC. However, the OSA’s
CMMC Status is based on final results
of an assessment and a valid
affirmation. A POA&M Close-out
assessment need only re-assess those
requirements that were assessed as NOT
MET in the original assessment as
addressed in § 170.21(b). The OSA
status is based on the results of this
POA&M Close-out assessment with a
valid affirmation. If the subcontractor
will process, store, or transmit CUI, then
the flow down requirement for a Prime
contract that specifies CMMC Level 3
certification assessment is, at a
minimum, CMMC Level 2 certification
assessment (i.e., a CMMC Status of
‘‘Conditional/Final Level 2 (C3PAO)’’).
A POA&M closeout applies to all
NOT–MET requirements so if one
practice is not remediated within the
180-day time limit, the conditional
certification will expire. Scope cannot
be changed in the middle of an
assessment, so the conditional
certification will expire. If the scope is
changed, a new assessment is required.
The assessment is performed based on
the defined CMMC Assessment Scope.
The OSA is only approved to process,
store, or transmit FCI and CUI within
the CMMC Assessment Scope defined.
If the conditional assessment
certification expires due to exceeding
the 180-day limit, a new full
certification assessment is required.
Contracting officers can utilize standard
contract remedies during any period
under which the OSA is not in
compliance with CMMC requirements.
If an OSC closed out their POA&M 32
months ago, that Level 2 Conditional
certification assessment would have
closed and the OSC would have
received a Level 2 Final certification
assessment for the remainder of the 3-
year validity period. If after completing
the Level 2 Final certification
assessment, the OSC is reassessed and
does not achieve a score of 110, then the
OSC will either get a new Conditional
Level 2 (C3PAO) CMMC Status
certificate (if they meet the associated
POA&M requirements), or the OSC will
not receive a new certificate.
c. Level 3
Comment: Several comments
addressed CMMC Level 3 assessment
requirements and the relationship of
Level 3 assessments to Level 2
assessments. One comment noted that a
final version of the Level 3 assessment
guidance was not available at the same
time as other CMMC assessment guides.
Another recommended the DoD first
pilot implementation of CMMC Level 3
security requirements and clearly
identify (in advance) the data or
programs that will be subject to them.
One commenter asked how DoD will
maintain Level 3 requirements to align
with NIST’s guidance since Level 3
includes only a subset of NIST’s SP
800–172 Feb2021 requirements.
Another asked about validating
compliance for assets that changed asset
categories when transitioning from
Level 2 certification to Level 3
certification. One comment said it was
that Level 2 certification is not clearly
identified as a prerequisite for Level 3
certification, and that organizations
might try to bypass Level 2. One
comment asked whether those entities
that would need a CMMC level 3
assessment could seek a combined Level
2 and Level 3 certification from the
DIBCAC to reduce cost to the OSC.
One comment sought clarification of
how long an OSC would be prohibited
from seeking additional contract awards
if a Level 3 certification expired. Two
comments were concerned about the
DIBCAC’s ability to terminate a Level 3
assessment if the review identifies a
Level 2 requirement that is not met.
Response: For CMMC Level 3, the
DoD selected a subset of NIST SP 800–
172 Feb2021 requirements for enhanced
safeguarding. The CMMC Level 3
supplemental documents were not
finalized prior to publication of the
Proposed Rule. DoD’s final
determination of the specific subset of
NIST SP 800–172 Feb2021 requirements
is included in this final rule, which
defines the ODPs for Level 3 in table 1
to § 170.14(c)(4). DoD will update the
rule when required to change the
security requirements, to include
CMMC Level 3.
DoD has reviewed and declined the
recommendation to conduct a pilot
prior to phasing in CMMC Level 3
requirements. Given the evolving
cybersecurity threat, DoD’s best interests
are served by ensuring that the selected
CMMC Level 3 NIST SP 800–172
Feb2021 security requirements are in
place to provide enhanced protections
for sensitive DoD CUI.
In those cases when DCMA DIBCAC
identifies that a Level 2 security
requirement is NOT MET, DCMA
DIBCAC may allow for remediation,
place the assessment process on hold, or
may immediately terminate the Level 3
assessment, depending on significance
of the NOT MET security requirement(s)
and the nature of the required
remediation. The determination of
whether a NOT MET requirement is
significant is reserved for the judgment
of the DCMA DIBCAC.
The rule has been updated to clarify
that DCMA DIBCAC has the
responsibility to validate compliance of
all assets that changed asset category
(i.e., CRMA to CUI Asset) or assessment
requirements (i.e., Specialized Assets)
between the Level 2 and Level 3
assessments. As addressed in § 170.18, a
condition to request a Level 3
certification assessment from DCMA
DIBCAC is the receipt of a Final Level
2 (C3PAO) CMMC Status. The DoD
considered, but declined, the
recommendation to allow OSAs to
simultaneously pursue Level 2 and
Level 3 in one assessment. DoD must
enforce CMMC requirements uniformly
across the Defense Industrial Base for all
contractors and subcontractors who
process, store, or transmit CUI,
regardless of an OSA’s intended CMMC
level. Permitting OSCs to seek combined
CMMC Level 2 and 3 assessments
would unfairly benefit only a subset of
OSCs that were identified to meet
CMMC Level 3 requirements.
The rule has been updated to clarify
that the OSC will be ineligible for
additional contract awards that require
a CMMC Level 3 certification
assessment until such time as a valid
(Conditional or Final) CMMC Level 3
(DIBCAC) CMMC Status is achieved for
the information systems within the
CMMC Assessment Scope.
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00039
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83130
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
d. Scoring Methodology
1. CMMC Point Value System
Comment: Multiple comments were
received concerning the point values
assigned to CMMC security
requirements, their association to other
frameworks, consistency between
CMMC levels, and their use in POA&M
eligibility determination. Numerous
comments recommended that the
CMMC Level 2 weighted point system
where security requirements are valued
as 1, 3, or 5 be modeled after the one
point per requirement used in CMMC
Level 3 scoring. Some also questioned
why the CMMC Level 2 scoring
structure was the same as the NIST SP
800–171 DoD Assessment Methodology
(DODAM). Four comments
recommended changes to the criteria for
adding unimplemented security
requirements to an Assessment POA&M.
One comment noted that temporary
deficiencies which are appropriately
addressed in plans of action should be
assessed as implemented. Some of the
comments recommended not assigning
point values to determine POA&M
eligibility. Two other comments
recommended dropping the NIST Basic
and Derived security requirement
designations and disassociating them
from CMMC point values.
Response: Recommendations to assign
a point value of 1 to all CMMC Level 2
security requirements were not
accepted. CMMC adopted the scoring as
included in the NIST SP 800–171 DoD
Assessment Methodology (DoDAM)
used by the DCMA DIBCAC and
referenced in DFARS clause 252.204–
7020. As addressed in § 170.20(a) in this
rule, there is qualified standards
acceptance between a DCMA DIBCAC
High Assessment and CMMC Level 2
certification assessment. Revisions to
the CMMC Scoring Methodology will be
made concurrently with changes to the
DoDAM. The variable point values of 1,
3, and 5 are linked to the NIST
determination of Basic Security
Requirements and Derived Security
Requirements as described in § 170.24.
The DoD has updated the rule text at
§ 170.24 to clarify which requirements
may be included on a POA&M. CMMC
Level 2 security requirement SC.L2–
3.13.11 can be partially effective and
may be included on a POA&M if
encryption is employed and is not FIPS-
validated.
The DoD added a definition for
enduring exceptions and temporary
deficiencies to the rule. § 170.21
addresses POA&Ms for assessments.
Security requirement CA.L2–3.12.2
allows for the development and
implementation of an operational plans
of action designed to correct
deficiencies and reduce or eliminate
vulnerabilities in organizational
systems. These operational plans of
action are different from POA&Ms
permitted under Conditional
assessment. The rule has been updated
to make this distinction clear. The
CMMC rule does not prohibit the use of
an operational plan of action to address
necessary information system updates,
patches, or reconfiguration as threats
evolve.
2. NIST SP 800–171A Jun2018
Assessment Objectives
Comment: Multiple comments
questioned the role of NIST SP 800–
171A Jun2018 Assessment Objectives
within the CMMC assessment process.
Three comments asked whether all
assessment objectives needed to be met
to score a security requirement as MET.
Two comments questioned the need to
report assessment results at the
assessment objective level within the
CMMC instantiation of eMASS for
CMMC Level 2 and CMMC Level 3
certification assessments. Some
comments suggested that the DoD allow
for contractors to take a more risk-based
approach to include compensating
controls instead of a strict security
requirement-based model.
Response: DoD must enforce CMMC
requirements uniformly for all defense
contractors and subcontractors who
process, store, or transmit CUI. Each
assessment objective in NIST SP 800–
171A Jun2018 must yield a finding of
MET or NOT APPLICABLE for the
overall security requirement to be
scored as MET. Assessors exercise
judgment, within CMMC guidelines, in
determining when sufficient and
adequate evidence has been presented
to make an assessment finding. A
security requirement can be applicable,
even with assessment objectives that are
N/A. The security requirement is NOT
MET when one or more applicable
assessment objectives is NOT MET.
CMMC assessments are conducted at the
security requirement objective level,
and the results are captured at the
security requirement objective level.
Assessment results are entered into the
CMMC instantiation of eMASS at the
NIST SP 800–171A Jun2018 assessment
objective level of detail to provide
metrics on which assessment objectives
are proving difficult to implement and
to indicate where additional assessor
training and guidance may be
warranted.
The DoD declines to change
requirements to allow additional
organization-specific risk-based
approaches. National Institute of
Standards and Technology (NIST)
determined the appropriate
characteristics and considered the
appropriate attack vectors when NIST
SP 800–171 R2 was created, and tailored
the security requirements to protect the
confidentiality of CUI. Questions and
comments related to NIST SP 800–171
R2 background, development and
scenarios are outside the scope of the
CMMC rule.
3. Other Scoring Comments
Comment: Three comments were
received concerning the use of
operational plans of action to document
security requirements which are not
fully implemented due to limitations
beyond the ability of an OSA to address.
The use of temporary deficiencies and
enduring exceptions were suggested
along with the recommendation that
these items be scored as MET.
The scoring of FIPS-validated
modules was questioned in four
comments. An error in the point value
for encryption (1 and 3 points vs the
correct 3 and 5 points) was identified.
Clarification on full credit for
incomplete implementation of FIPS
encryption was also requested.
Two comments were received about
the relationship between CMMC Level 2
and CMMC Level 3 scoring asking if the
point values in each assessment were
cumulative and how the 80% eligibility
for an assessment POA&M and
Conditional certification would be
calculated.
Three comments requested
clarification around the use of N/A in
security requirements, assessment
objectives, and in matters pertaining to
previously granted DoD CIO variances.
One comment questioned what types of
artifacts are required to substantiate a
determination of N/A for a security
requirement or assessment objective.
Three comments addressed the need for
a System Security Plan, its point value,
if any, and the need for an SSP as a
prerequisite for assessment as it exists
in the DIBCAC DODAM.
Response: The government cannot
comment on the suitability of specific
implementations or products to meet
CMMC security requirements and is
aware that FIPS module validation can
exceed the 180-day CMMC assessment
POA&M threshold. Guidance regarding
FIPS implementation on Windows 11 is
not appropriate for inclusion in the rule
text and DoD declines to make an
update. Limitations of the FIPS-
validated module process do not impact
the implementation status of FIPS
cryptography. The rule has been
updated to include enduring exceptions
and temporary deficiencies. Vendor
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00040
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83131
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
limitations with respect to FIPS
validation could be considered enduring
exceptions or temporary deficiencies
and should be addressed in an OSA’s
operational plan of action.
Several requirements within NIST SP
800–171 R2 specify the use of
encryption without consideration of the
processing, storage, or transmission of
CUI. Requirement 3.13.11 requires that
the encryption used be a FIPS-validated
module if the encryption is used to
protect the confidentiality of CUI. The
scoring in § 170.24(c)(2)(i)(B)(4)(ii) is
based on the use of encryption and
whether the encryption uses a FIPS-
validated module. There is no
consideration for multiple layers of
encryption so specific guidance to
assessors regarding layers of encryption
is not needed and DoD declines to make
the suggested addition. OSAs may
choose how they implement security
requirements and C3PAOs will assess
based on the stated implementations.
CCAs are trained in the correct process
to assess security requirements. The
DoD has updated the rule text at
§ 170.24(c) to clarify which
requirements may be included on a
POA&M, which addresses the error in
the point value for encryption.
The scoring for CMMC Level 3 is
separate from the scoring for CMMC
Level 2. As stated in § 170.24(c)(3), the
CMMC Level 3 assessment score is
equal to the number of CMMC Level 3
security requirements that are assessed
as MET. There are twenty-four CMMC
Level 3 security requirements, identified
in table 1 to § 170.14(c)(4). CMMC Level
3 POA&M eligibility is based on the
number of CMMC Level 3 security
requirements and does NOT include the
110 CMMC Level 2 requirements.
‘‘Not applicable’’ was removed from
§ 170.24(c)(9) for the case where the
DoD CIO previously approved a
variance. The rule has been updated to
reflect the language of DFARS clause
252.204–7012 and the DoDAM,
including nonapplicable or to have an
alternative, but equally effective,
security measure. Regarding the
comment on N/A objectives, § 170.23 is
clear that MET means all applicable
objectives for the requirement and that
if an objective does not apply, then it is
equivalent to being MET. A security
requirement can be applicable, even
with one or more objectives that are N/
A. The overall requirement is only NOT
MET when one or more applicable
objectives is not satisfied. The
determination of assessment findings is
made by an Assessor following the
assessment methodology. In the case of
a self-assessment, the Assessor is from
the OSA. In the case of a certification
assessment, the Assessor is from the
C3PAO or DIBCAC. An assessment
finding of NOT APPLICABLE (N/A)
means a security requirement (or
assessment objective) does not apply at
the time of the CMMC assessment. For
each assessment objective or security
requirement marked N/A, the Certified
Assessor includes a statement that
explains why it does not apply to the
contractor. The OSC should document
in its SSP why the security requirement
does not apply and provide justification.
There is no standard set of artifacts
required to justify a finding of N/A.
A System Security Plan as described
in security requirement CA.L2–3.12.4 is
required to conduct an assessment. The
rule has been updated at
§ 170.24(c)(2)(i)(B)(6) for clarity.
Security requirement CA.L2–3.12.4 does
not have an associated point value. The
OSA will not receive a -1 for a missing
or incomplete SSP. The absence of an
up-to-date system security plan at the
time of the assessment would result in
a finding that ‘an assessment could not
be completed due to incomplete
information and noncompliance with
DFARS clause 252.204–7012.’ The rule
has been updated in § 170.24(c)(6) to
clarify this.
e. Artifacts
Comment: Several comments and
requests for clarification dealt with
artifacts that are reviewed or created
during a CMMC assessment, or as part
of compliance with other contractual
requirements, including DFARS clause
252.204–7012. Some commenters asked
whether standardized SSP and POA&M
templates would be provided to assist
with compliance. Other templates
requested included pre-assessment
planning materials, final assessment
reports, and the resulting Certificate of
CMMC Status.
Others expressed concern that sharing
certain artifacts during the assessment
process or permitting assessors to retain
them would create vulnerability. In
addition, commenters asked whether
security protections are required for
documents held due to the artifact
retention requirements. One commenter
asked how CMMC assessment scores, or
affirmation information will be
protected, and whether the CMMC
program office will share this
information outside of DoD. Another
suggested that C3PAOs should not be
required to retain any OSC provided
materials.
One commenter misinterpreted the
supplemental hashing guide as
requiring use of the MS PowerShell
script with the SHA256 algorithm. The
commenter also stated it would be more
efficient to specify a single hash be
provided for combined artifacts rather
than requiring separate hash values for
each artifact. They recommended
deletion of the hashing requirement.
Another commenter suggested requiring
OSCs to generate hashes for artifacts as
part of a Level 2 self-assessment. One
comment also asked whether hashing is
required for Level 3 artifacts. One
comment asked how long OSAs must
retain artifacts following an assessment.
Some comments expressed concern
that C3PAOs that receive or retain OSA
artifacts identified as CUI would be
required to undergo assessment by both
the DIBCAC and another C3PAO. Four
commenters objected to the 6-year
artifact retention requirement for
C3PAOs and requested reduction to 1
year. Three commenters asked whether
self-assessors at level 1 or level 2 must
also retain supporting artifacts for 6
years. Two commenters recommended
revised wording of CMMC Level 3
requirements to provide greater clarity
about artifact retention and integrity.
One commenter requested edits to the
description of SSP content, advocating
for deletion of references to
organizational policies and procedures
in place to comply with NIST SP 800–
171 R2. The recommended edits also
changed attribution of the requirement
to create an SSP to reflect DFARS clause
252.204–7020 rather than DFARS clause
252.204–7012. This commenter also
suggested additional wording to specify
that the OSA need not define roles and
responsibilities of security personnel in
the SSP but may do so in ancillary
documents.
Response: This rule retains the
reference to DFARS clause 252.204–
7012 that implements NIST SP 800–171
as the basis for the requirement to create
and update an SSP. The DoD has
considered the recommended changes
to the rule regarding the SSP content
and declines to make the revision. The
NIST SP 800–171 R2 requirement for an
SSP is foundational to performing a
NIST SP 800–171 R2 self-assessment
and its purpose is to provide critical
information for performing the
assessment. The SSP should detail the
policies and procedures that support
‘‘. . . how security requirements are
implemented . . .’’ for all NIST SP 800–
171 R2 controls. DoD declines to
establish a specific SSP format, as OSAs
should define the best format for their
organizations. The Overview section of
the rule has been updated to remove the
statement indicating SSPs will outline
the roles and responsibilities of security
personnel. DoD does not plan to provide
document templates for SSPs and
POA&Ms, as they are already available
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00041
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83132
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
in existing NIST guidance. Templates
and schemas for the pre-assessment and
assessment results documents are
available to authorized CMMC eMASS
users at https://cmmc.emass.apps.mil.
Commenter concerns about artifact
retention reflect misunderstanding of
the assessment process. Assessors and
C3PAOs do not retain OSC artifacts,
they only retain the hash value captured
during the assessment process.
Assessors will retain documents created
during the assessment such as their
notes and the Assessment Findings
Reports. To facilitate the protection of
these documents, authorized C3PAOs
are required to go through a DIBCAC
conducted CMMC Level 2 assessment
and CMMC Assessors are only
authorized to use C3PAO issued
equipment that was within the scope of
the DIBCAC assessment. Separately, the
DIBCAC processes, stores, and transmits
its assessment related data on DoD
networks. Assessment Reports are
submitted to DoD via eMASS, which is
a government-owned, secured database.
Sharing of this information is subject to
DoD policies.
The OSC is responsible for
maintaining and hashing all artifacts
that supported the assessment. The rule
has been modified to clarify C3PAOs do
not maintain artifacts from the OSC. The
OSCs artifacts must be hashed, and the
value provided to the assessor for
submission into CMMC eMASS. That
hash value contains no sensitive
information. An OSC’s System Security
Plan (SSP) will be reviewed as part of
a CMMC certification assessment, but
not shared outside of the OSC.
Assessors will not retain copies of the
SSP or any other proprietary OSC
information. Assessors will retain the
name, date, and version of the SSP for
uploading in SPRS or eMASS, as
appropriate for the level of assessment.
Assessors will upload assessment
information (e.g., list of artifacts, hash of
artifacts, and hashing algorithm used)
into CMMC eMASS as addressed in
§ 170.9(b)(17), and the OSC will retain
its assessment documentation as
addressed in § 170.17(c)(4) and
§ 170.18(c)(4)
CMMC Level 2 self-assessments
procedures as described in
§ 170.16(c)(1) require assessment in
accordance with NIST SP 800–171A
Jun2018, which if conducted properly
will generate evidence. The rule has
been modified to incorporate data
retention requirements for self-
assessments into §§ 170.15 and 170.16.
OSAs are not required to generate
hashes for self-assessment artifacts.
Hashing is only required for Level 2 or
Level 3 assessments by C3PAOs and
DCMA DIBCAC. The rule and Hashing
Guide have been updated to add clarity
that only a single hash is required, and
that artifact retention is for six years.
The use of SHA256 algorithm is not
mandatory and therefore, the name of
the hash algorithm needs to be stored in
eMASS.
There are no additional requirements
for artifact storage and retention beyond
those identified in the rule. It is up to
the OSA to determine the best way to
ensure artifact availability during the
six-year retention period. The rule has
been updated in §§ 170.15 through
170.18 to clarify artifact retention
requirements.
DoD declines to reduce the artifact
retention period from six years to one
year. The rule has been updated to
clarify that all OSAs and Assessors are
required to retain their respective
assessment data for six years. The
requirement for an artifact retention
period of six years is a result of the
Department of Justice’s input to the
proposed rule.
f. POA&Ms
Comment: Over forty comments were
received about POA&Ms seeking
clarification or revision to the rule
content on that topic.
Several commenters misinterpreted
the requirement to remediate or close
POA&M items within 180 days as
eliminating acceptability of operational
plans of action for normal corrective
actions such as patching or other
routine maintenance activities, thus
making the achievement of 100%
compliance impossible. Some
commenters requested rule revisions to
describe operational plans of action in
more detail. One commenter asked that
the concept of Enduring Exceptions be
added to the rule to address special
circumstances when remediation and
full compliance with CMMC security
requirements is not feasible as described
in the NIST SP 800–171A Jun2018
assessment methodology.
Several commenters expressed
concern with the 180-day timeline to
close out POA&Ms or limits on which
practices can be placed on them.
Recommendations for changing the
POA&M timeline ranged from
completely deleting the time limit to
extending it by 1 to 3 years. One
variation was to permit more than 180
days for closeout only during an initial
one-year ‘‘ramp-up’’ period. One
commenter encouraged DoD to reduce
POA&M restrictions to facilitate
contractors’ genuine attempts to meet
requirements and mitigate information
security risks. Three commenters also
thought the rule should allow
contractors to request approval to delay
POA&M close-out when meeting the
original timeline is impracticable, while
another commenter suggested defining
the close-out timeline in the contract,
allowing negotiation of extension or
renewal of POA&Ms through the
contracting officer. Two commenters
asked when the 180-day timeline begins
and one asked what actions occur if the
POA&M is not closed out within that
period.
Four commenters noted that the
number of security requirements
explicitly precluded from POA&Ms
makes CMMC challenging and
requested greater flexibility in how
many, and which practices may be
included. Three commenters
recommended that companies be
allowed to have any number of failed
practices reassessed for up to six-
months after an assessment without
having to complete and pay for a new
full assessment. Three other
commenters recommended that the DoD
allow for risk informed POA&Ms, while
one stated that the rule should not
specify which requirements must be
met. One commenter requested
clarification on how many items of each
point value may be included on a
POA&M for CMMC Level 2 conditional
certification. One commenter also asked
DoD to consider abandoning controls
with high failure rates, lowering score
requirements based on evidence of
sufficient mitigation.
Several comments expressed concern
that CMMC conditional certification
does not allow higher weighted
practices on a POA&M and
recommended the rule reduce those
restrictions to allow more security
practices. One commenter also
recommended eliminating weighting
altogether, permitting any requirement
to be part of the POA&M. As rationale,
one commenter referenced DFARS
clause 252.204–7012 verbiage that
permits contractors to request DoD CIO
approval to vary from NIST SP 800–171
requirements, saying that since all
approved variances are considered as
‘‘Not Applicable’’, all requirements
should be POA&M eligible.
Two commenters asked where
POA&Ms are maintained, who is
responsible for validating close-out, and
whether affirmation is required after
each assessment (including POA&M
close-out). One commenter asked about
applicability of the 180-day POA&M
close-out requirement to Critical, High,
Medium, or Low findings against
Service Level Agreements.
One commenter recommended that a
description of appropriate POA&M
entries to be added to the rule and
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00042
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83133
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
provided other recommended edits to
the POA&M section, including addition
of terms of art such as ‘‘assessment-
related’’ and ‘‘non-assessment-related’’,
and deletion of the words ‘‘as
applicable.’’
Response: The CMMC Program allows
the use of POA&Ms. Section 170.21
delineates the requirements that may be
addressed as part of an assessment with
a POA&M, that must be closed out by
a POA&M closeout assessment within
180 days of the initial assessment to
achieve the assessment requirement for
Final certification. At Level 1, the OSA
must affirm annually that it has
reassessed its environment. Security
requirement CA.L2–3.12.2 allows for the
development and implementation of an
operational plans of action designed to
correct deficiencies and reduce or
eliminate vulnerabilities in
organizational systems. The CMMC rule
does not prohibit an OSA from using an
operational plan of action at any CMMC
level to address necessary information
system updates, patches, or
reconfiguration as threats evolve. These
are different from POA&Ms permitted
under a Conditional certification
assessment. The DoD has updated the
rule to make this distinction clear. The
Department also updated the rule to
include a definition and clarity for
enduring exceptions. The DoD CIO
option for variances in DFARS clause
252.204–7012 is beyond the scope of
this rule.
Operational plans of action are the
appropriate mechanism to handle CSPs,
ESPs (not a CSP) and third-party
vendors that are no longer compliant
with a CMMC requirement. Operational
plans of action may be necessary when
the relevant security requirement or
control was fully implemented, but a
vulnerability or deficiency is discovered
after gaining a CMMC final compliance
status, such as, but not limited to,
routine updates, patches, or updates to
CMMC compliance status. For purposes
of CMMC compliance, operational plans
of action are acceptable and are not
subject to the 180-day timetable
established for initial assessment. In
addition, the rule has been modified to
include a definition for Enduring
Exceptions.
The DoD does not accept the
recommendation to change the criteria
for POA&Ms or the timeline allowed to
remediate open POA&M items. The 180-
day period allowed for POA&Ms and the
determination of which weighted
practices can be placed on a POA&M
was a risk-based decision. The
determination considers the relative risk
DoD is willing to accept when a
particular practice is not met and the
amount of risk the DoD is willing to
accept for those security practices that
go ‘‘NOT MET’’ for an extended period.
The DoD declined to edit the rule
regarding the closeout of security
requirements that are not allowed on the
POA&M as stated in § 170.21. The
decision in this scenario is a business
decision between the applicable C3PAO
and the OSC.
Given the evolving cybersecurity
threat, DoD’s best interests are served by
ensuring that POA&Ms remain open for
no longer than 180 days, regardless of
which controls are included or the plan
for remediation.
The 180-day period starts when the
CMMC assessment results are finalized
and submitted to SPRS or eMASS, as
appropriate. As addressed in
§§ 170.17(a)(1)(ii)(B) and
170.18(a)(1)(ii)(B), if the POA&M is not
closed out within the 180-day
timeframe, the Conditional Certification
will expire. If the Conditional
Certification expires within the period
of performance of a contract, standard
contractual remedies will apply, and the
OSC will be ineligible for additional
awards with CMMC Level 2 or 3
requirements for the information
systems within the same CMMC
Assessment Scope. The scoring
methodology created by the DoD reflects
the relative risk to DoD information
when a security requirement is NOT
MET. As defined in § 170.17(c)(2), a
security requirement that is NOT MET
may be re-evaluated during the Level 2
certification assessment and for 10
business days following the active
assessment period under certain
conditions. Likewise, when an OSC
executes a contract with a C3PAO it
may account for the timeliness of any
re-assessments. The language in DFARS
clause 252.204–7012 describing the DoD
CIO’s authority to approve variances is
beyond the scope of this rule.
A POA&M for CMMC Level 2 can
include up to 22 security requirements
that have a value of 1, excluding those
in § 170.21(a)(2)(iii), or may include
non-FIPS-validated encryption and up
to 19 security requirements that have a
value of 1.
The OSA is responsible for
maintaining the POA&M that resulted
from a CMMC assessment; however,
those security requirements that were
NOT MET and placed on a POA&M are
recorded in eMASS. The OSA is
responsible for validating the close-out
of the security requirements on the
POA&M within 180 days of a self-
assessment. The C3PAO or DCMA (as
applicable) must perform the POA&M
Close-out Assessment for a Final
certification assessment. An affirmation
of compliance is required upon the
completion of any assessment—
Conditional, Close-out, or Final—and
annually after the completion of a Final
assessment. The requirement outlined
in § 170.21 for POA&M close out does
not apply to Service Level Agreement
(SLA) severity levels.
The Department declines to include
recommended POA&M examples in the
rule, as they are already available in
existing NIST guidance, or make other
word changes to § 170.21. This section
of the CMMC rule has been updated to
add clarity when discussing the POA&M
regarding security requirements that
were assessed as NOT MET during a
CMMC assessment. These POA&Ms are
distinct from an operational plan of
action.
g. Assessment Activities and Reporting
1. Data Entry
Comment: One comment requested
the rule state that records in SPRS must
be updated within six months of the
rule’s effective date or when the
functionality is in place, whichever is
longer. Two comments asked for
mitigations for assessment delays that
could impact the timeliness of
certification. One comment asked for
more information about assessment
frequency guidelines, and one asked
which date would be used to determine
timing of CMMC Level 2 triennial
assessments, where this date is
maintained, and who is responsible for
ensuring contractors meet all applicable
security requirements.
Response: To be eligible for a contract
with a CMMC Level 1 self-assessment
requirement, the OSA must perform a
Level 1 self-assessment, input the result
into SPRS, and submit an affirmation.
The timeline for initiating and reporting
a self- assessment is a business decision
to be made by each contractor
considering contract opportunities it
wishes to pursue. Because the OSA can
fully control timelines for completion of
self-assessments and plan for changes
within the assessment scope, and
because CMMC certification
assessments occur on a standard 3-year
cycle, the DoD expects that companies
will plan assessments well in advance
of need. The required assessment
frequency is every year for CMMC Level
1, and every 3 years for CMMC Levels
2 and 3, or when changes within the
CMMC Assessment Scope invalidate the
assessment.
Certification dates for CMMC levels 2
and 3 are set to the date the certification
assessment results are entered into
SPRS for self-assessments or the date
the Certificate of CMMC Status is
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00043
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83134
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
entered into eMASS for third-party
assessments. The triennial requirement
renews on that date; there is no grace
period. Each OSA’s annual affirmation
attests that they have implemented, and
are maintaining their implementation
of, the security requirements.
2. Supplier Risk Performance System
and eMASS
Comment: Three commenters viewed
CMMC’s intent to store CMMC related
data in an existing DoD system, SPRS,
as an indication that SPRS would
replace other DoD risk tracking systems
or the risk monitoring responsibilities of
other agencies. One commenter asked
whether other Services would have their
own systems, as the SPRS Program
Office is within the Navy. Another
comment stated CMMC and SPRS
should not be tasked with the
responsibility of addressing Supply
Chain Risk Management (SCRM). One
comment asked if the DoD intended to
make CMMC Level 2 and 3 certification
information available to other agencies,
which could reduce the cost burden of
compliance with assessment/
certification programs adopted by other
agencies. One comment asked how PII
would be protected in SPRS. Another
comment asked for SPRS to be
redesigned to list assessment results for
each security requirement instead of the
aggregate level. One comment asked for
a CMMC-specific process for entering
data into SPRS to make it easier for
small businesses and another comment
asked for vendor visibility into a
potential sub-contractor’s SPRS score.
Several comments asked about the
CAGE code requirement and noted a
perception that businesses outside the
U.S are unable to obtain a CAGE or
become a member of PIEE and therefore
unable to access SPRS. One comment
asked whether each contract would
require a new SPRS entry.
One comment asked if OSCs that
already have an eMASS account would
be able to access the CMMC
instantiation of eMASS and one
comment questioned the cost/benefit of
entering pre-assessment data into
eMASS. Another comment asked for
clarification on the roles and
responsibilities of DoD Program
Managers regarding the data uploaded
into eMASS. One commenter suggested
that eMASS be modified to permit
tracking of self-assessment, in addition
to certification assessments.
Response: SPRS is used to provide
CMMC Status, score results, and
affirmation status to contracting officers
and program managers as part of the
contract award process. It does not
supersede other DoD program office risk
register systems. SPRS will be used for
reporting CMMC Status of all
contractors, regardless of which service
issued the contract. Although the SPRS
program is managed by the Department
of the Navy, its use spans across the
Department. There is no role for other
agencies associated with this CMMC
rule, which applies only to DoD
contractors that process, store, or
transmit FCI or CUI. The CMMC PMO
has no current agreements with other
Federal agencies to share CMMC
assessment results. There is nothing that
prevents an OSA from sharing their
CMMC Status with other entities.
SPRS is an existing DoD database that
is compliant with DoD regulations,
which includes meeting Privacy
requirements. DoD suppliers are already
required to use SPRS to record NIST SP
800–171 self-assessment scores, as
referenced in DFARS clause 252.204–
7020. The CMMC rule expands the use
of SPRS to include CMMC Status,
certification assessment scores, and
affirmations.
SPRS is the tool that the DoD
acquisition workforce will use to verify
companies meet CMMC requirements to
be eligible for contract award. SPRS data
entry does not make available to
Contracting Officers scoring of
individual security requirements.
The DoD does not concur with
granting prime contractors access to
view the CMMC scores or Certificates of
CMMC Status for potential
subcontractors in SPRS. Subcontractors
may voluntarily share their CMMC
Status, assessment scores, or certificates
to facilitate business teaming
arrangements. Changing access to PIEE
and SPRS is outside the scope of this
rule.
CMMC eMASS is a tailored, stand-
alone instantiation of eMASS for use by
authorized representatives from
C3PAOs, the DCMA DIBCAC, and the
CMMC PMO. Individuals from each
C3PAO will have access to CMMC
eMASS to upload Level 2 assessment
data. DCMA DIBCAC personnel will
have access to CMMC eMASS to upload
Level 3 assessment data. OSAs will not
have access to CMMC eMASS.
Authorized personnel from OSAs may
access SPRS, which will host
assessment certification and self-
assessment data, and will be able to
upload and view scores only for their
OSA.
The DOD declines to add
requirements for submitting self-
assessments in eMASS. The
requirement is for the OSA to enter
scores into SPRS. There is value to the
DoD in having the pre-assessment
information in CMMC eMASS for
overall program management and
oversight. The information indicates
that an assessment is either scheduled
or in-process. The CMMC PMO seeks to
track CMMC program adoption, and pre-
assessment information allows reporting
on upcoming assessments. Based on the
DoD cost analysis, the effort to upload
pre-assessment material is minimal.
DoD Program Managers are not
responsible for uploading data into
eMASS, nor do they have any
responsibility regarding the data
uploaded to eMASS by DCMA. An ESP,
OSA, or OSC seeking CMMC assessment
will need a CAGE code and an account
in SPRS to complete the annual
attestation required of all CMMC
certified or CMMC compliant
organizations.
An OSA/OSC must obtain a CAGE
code via https://sam.gov before
registering in PIEE. Step by Step
instructions for how to obtain an
account can be found on the PIEE
Vendor Account website: [https://piee.eb.mil/xhtml/unauth/web/homepage/vendorGettingStartedHelp.xhtml https://
piee.eb.mil/xhtml/unauth/web/
homepage/vendorGettingStartedHelp.
xhtml. ]
CAGE codes (or NCAGE codes for
non-US-based companies) are also
required. US-based contractors obtain a
Commercial and Government Entity
(CAGE) code from [https://cage.dla.mil/Home/UsageAgree https://cage.dla.mil/
Home/UsageAgree. Businesses outside
]of the US must obtain a NATO
Commercial and Government Entity
[https://eportal.nspa.nato.int/Codification/CageTool/home (NCAGE) code from https://
eportal.nspa.nato.int/Codification/
CageTool/home. ]
As specified in §§ 170.15 and 170.16,
SPRS inputs include the industry CAGE
codes(s) associated with the information
system(s) addressed by the CMMC
Assessment Scope. For each new
information system used to support a
DoD contract with FCI or CUI, a new
SPRS entry is required. If the contractor
or subcontractor will use an information
system associated with a CAGE code
already recorded in SPRS then a new
entry is not required.
3. Assessors and Certificates
Comment: One commenter asked if an
assessor is prohibited from interacting
with OSA IT tools such as MS Office
365 or cloud based GRC tools. One
commenter requested the CMMC rule
require C3PAOs to clearly indicate the
CMMC Assessment Scope on the CMMC
Certificate of CMMC Status, to include
CAGE codes, that could be shared with
trusted partners.
Response: The rule text in
§ 170.11(b)(7) does not prohibit
collecting assessment evidence within
the OSC environment using the OSC’s
IT. This section applies only to IT used
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00044
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83135
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
by the assessors to process, store, or
transmit assessment-related information
once it leaves the OSC environment.
The rule has been modified to list the
minimum required information to be
included on the Certificate of CMMC
Status, including CAGE code.
h. Reassessment
Comment: Some commenters
interpreted the end of a CMMC
assessment validity period (and need for
new assessment) as having the same
significance or meaning as a
‘‘reassessment’’, which the rule
describes as potentially necessary only
in rare circumstances when
cybersecurity risks, threats, or
awareness have changed.
Another commenter asked for
examples of circumstances that might
prompt a re-assessment and description
of the process for completing one. Four
commenters expressed concern that re-
assessments might be frequent, costly,
and time-consuming. These commenters
sought confirmation that relatively
common system maintenance activities
would not require a new assessment or
prevent annual affirmation.
One commenter questioned the
rationale for differences between
validity periods for CMMC Level 1
versus Levels 2 and 3 assessment and
recommended standardization on either
a 1-year or 3-year frequency for all
levels. Other commenters asserted that
annual affirmations would drive a need
for annual assessments at levels 2 or 3
and requested deletion of the
affirmation requirement.
One commenter asked whether
system changes within an assessment
scope would require notification to the
contracting agency. Another asked for
guidance on remediation of POA&M
items and asked whether systems that
fall out of compliance must be
identified to the contracting agency.
Response: The DoD considered
duration of assessment validity periods
and has chosen to require self-
assessment of the basic Level 1
requirements every year, rather than
every three years. Levels 2 and 3 require
implementation of a significantly larger
number of more complex security
requirements, which require more time
and attention to assess.
The DoD also declines to delete the
annual affirmation requirement and
does not agree that it equates to an
annual assessment. The rule was
modified to clarify that reassessments
may be required based on post-
assessment indicators of cybersecurity
issues or non-compliance and are
different from new assessments that
occur when an assessment validity
period expires. Reassessment is
expected to be infrequent, conducted by
the DoD, and necessary when
cybersecurity risks, threats, or
awareness have changed, or indicators
of cybersecurity deficiencies and/or
non-compliance are present. When
required, DCMA DIBCAC will initiate
the re-assessment process using
established procedures. The rule has
been further updated to add this DCMA
DIBCAC responsibility in § 170.7. OSCs
seeking confirmation upon CMMC Level
2 POA&M close-out may undergo
POA&M close-out assessment by a
C3PAO, which is different from
reassessment.
Self-assessments and certification
assessments are valid for a defined
CMMC Assessment Scope as outlined in
§ 170.19 CMMC Scoping. A new
assessment is required if there are
significant architectural or boundary
changes to the previous CMMC
Assessment Scope. Examples include,
but are not limited to, expansions of
networks or mergers and acquisitions.
Operational changes within a CMMC
Assessment Scope, such as adding or
subtracting resources within the existing
assessment boundary that follow the
existing SSP do not require a new
assessment, but rather are covered by
the annual affirmations to the
continuing compliance with
requirements. The CMMC rule does not
prohibit an OSA from using an
operational plan of action at any CMMC
Level to address necessary information
system updates, patches, or
reconfiguration as threats evolve.
If the CMMC Assessment Scope
changes, then the current assessment is
no longer valid and a new assessment is
required. Requirements to notify the
contracting agency of compliance
changes are described in the 48 CFR
part 204 CMMC Acquisition rule. An
annual affirmation is required at each
CMMC level.
16. CMMC Assessment Scoping Policy
Comment: One comment asked
whether the requirements of DFARS
clause 252.204–7012 apply to the entire
contractor-owned information system,
or only those components of the system
that process, store, or transmit the CUI.
Another questioned whether assets that
process both FCI and CUI require
CMMC Level 1 assessment.
One comment asserted that
assessments described in DFARS
provision 252.204–7019 and 7020 are
scoped differently than CMMC
assessments, and requested the rule be
revised to avoid duplication with those
assessments, where applicable. Another
recommended that DoD determine
scoping, boundaries, standards, and
assessments based on CUI data rather
than by systems.
One comment suggested that the rule
be modified to address CMMC
applicability to service providers that
only provide temporary services, such
as penetration testing, cyber incident
response, or forensic analysis.
Response: OSAs determine the CMMC
Assessment Scope based on how and
where they will process, store, and
transmit FCI and CUI. DoD has reviewed
the suggested changes and declines to
make any updates. Additional
information for CMMC Scoping
(§ 170.19) can be found in the relevant
scoping guides. The applicability of
DFARS clause 252.204–7012
requirements is not within the scope of
this rule.
Meeting CMMC Level 2 self-
assessment or certification assessment
requirements also satisfies CMMC Level
1 self-assessment requirements for the
same CMMC Assessment Scope. One
commenter incorrectly assumes that
CMMC asset categories drive a change to
the assessment scope from what exists
in DFARS clause 252.204–7012, which
implements NIST SP 800–171 R2. No
conflicts exist between the DFARS
clause 252.204–7012 requirements and
the CMMC requirements in this rule.
The DoD declines to change the rule
to base scoping, boundaries, standards,
or assessments solely on CUI data rather
than on systems. The purpose of the
CMMC Program is for contractors and
subcontractors to demonstrate that FCI
and CUI is adequately safeguarded
through the methodology provided in
the rule. The decision on what CMMC
level is required for a contract is made
by the Government after considering the
nature of the planned effort, associated
risks, and CUI to be shared. OSAs
determine the CMMC Assessment Scope
based on how and where they will
process, store, and transmit FCI and
CUI.
Service providers who only need
temporary access to perform services
such as penetration testing, cyber
incident response, or forensic analysis
do not meet the definition of an ESP in
§ 170.4 and do not process, store, or
transmit CUI. Therefore, they are not
within scope and the DoD declines to
modify the rule to include them.
17. CMMC Assessment Scope for ESPs
a. CMMC Applicability to ESPs
Comment: DoD received numerous
comments about the implications of
using an ESP while seeking to comply
with CMMC requirements. Many
comments were concerns that the ESP
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00045
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83136
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
assessment requirements expanded the
scope and cost of the CMMC program.
Additionally, some comments described
overarching concerns about
applicability of CMMC requirements to
an ESP when it only provided a Security
Protection Asset or processed Security
Protection Data. In general, commenters
requested to narrow the rule while
providing more clarity and definition
related to CMMC requirements for ESPs
and CSPs. Many comments gave either
hypothetical or actual scenarios and
asked whether the ESP in that scenario
would be required to complete a CMMC
assessment at the level required for the
OSA being supported.
One comment suggested that ESPs
should be treated the same as Risk
Managed Assets. Another comment
suggested that they be treated as
Specialized Assets. Two comments
proposed that DoD restrict DoD
contractors to the use of an ESP/MSP/
MSSP that is ISO/IEC 27001:2022(E)
certified. Two comments suggest that
OSA’s be allowed to use non-certified or
some form of conditionally certified
ESPs if they retain the appropriate
artifacts for review.
Response: The DoD has revised the
rule to reduce the assessment burden on
External Service Providers (ESP). ESP
assessment, certification, and
authorization requirements in
§§ 170.19(c)(2) and (d)(2) have been
updated. The use of an ESP, its
relationship to the OSA, and the
services provided need to be
documented in the OSA’s SSP and
described in the ESP’s service
description and customer responsibility
matrix (CRM), which describes the
responsibilities of the OSA and ESP
with respect to the services provided.
ESPs that are CSPs, and process, store,
or transmit CUI, must meet the
FedRAMP requirements in DFARS
clause 252.204–7012. ESPs that are
CSPs and do NOT process, store, or
transmit CUI, are not required to meet
FedRAMP requirements in DFARS
clause 252.204–7012. Services provided
by the CSP are in the OSA’s scope.
When ESPs that are not CSPs, process,
store, or transmit CUI, a CMMC
assessment is required to verify
compliance with requirements for
safeguarding CUI. Any ESP services
used to meet OSA requirements are
within the scope of the OSA’s CMMC
assessment.
When ESPs that are not CSPs do NOT
process, store, or transmit CUI, they do
not require CMMC assessment or
certification, however, services they
provide are in the OSA’s assessment
scope. There is nothing in the rule that
precludes an ESP, that is not a CSP,
from voluntarily requesting a C3PAO
assessment. A C3PAO may perform
such an assessment if the ESP makes
that business decision.
ESPs can be part of the same
corporate/organizational structure but
still be external to the OSA such as a
centralized Security Operations Center
(SOC) or Network Operations Center
(NOC) which supports multiple
business units. The same requirements
apply and are based on whether the ESP
provides cloud services and whether the
ESP processes, stores, or transmits CUI
on their systems.
An ESP that is used as on-site staff
augmentation only, i.e., the OSA
provides all processes, technology, and
facilities, does not need CMMC
assessment. When ESPs are assessed as
part of an OSA’s assessment, the
assessment type is dictated by the
OSA’s DoD contract CMMC
requirement. The DoD declines to make
any other suggested changes to the
assessment of ESPs.
b. Definitions
Comment: Multiple comments state
that the definition of CSP in the rule is
overly broad and overlaps with the
definition of ESP. One comment
questioned whether a C3PAO is also a
Security Protection Asset and by
extension an ESP. Two comments
requested change to the definition of
Out-of-Scope Assets to stipulate that
SPD is Out-of-Scope.
Response: Several comments
requested clarification on when an ESP
would be considered a CSP. CSPs,
MSPs, and MSSPs are always
considered ESPs. The DoD has updated
the rule to narrow the definition of
Cloud Service Provider based on the
definition for cloud computing from
NIST SP 800–145 Sept2011. An ESP
would be considered a CSP when it
provides its own cloud services based
on a model for enabling ubiquitous,
convenient, on-demand network access
to a shared pool of configurable
computing that can be rapidly
provisioned and released with minimal
management effort or service provider
interaction on the part of the OSA.
An ESP (not a CSP) that provides
technical support services to its clients
would be considered an MSP. It does
not host its own cloud platform offering.
An ESP may utilize cloud offerings to
deliver services to clients without being
a CSP. An ESP that manages a third-
party cloud service on behalf of an OSA
would not be considered a CSP.
C3PAOs need not ‘‘receive’’ security
protection data as part of an assessment;
they view the security protection data
while on premises at the OSC for the
assessment. A C3PAO is not an ESP or
security protection asset and is therefore
not within the OSA assessment
boundary. DoD declines to delete the
phrase ‘‘except for assets that provide
security protection for a CUI asset’’ from
the definition of Out-of-Scope Assets.
Assets that provide security protection
for CUI are not Out-of-Scope Assets. A
CMMC definition for Security
Protection Data has been added to the
rule.
c. OSA Relationship to ESP
Comment: Several comments request
clarification related to use of an ESP
that is internal to the OSA. One
comment requested that DoD require
CSPs grant the US Government, as part
of the contract between the OSA and the
CSP, access to any CUI that is subject to
CMMC requirements in the event of
contractual failures, criminal actions or
other legal situations that warrant
seizure of CUI data. Some comments
also asked whether the DoD has
standing or authority to require C3PAO
assessment or conduct CMMC level 3
assessments of ESPs, given that the
ESP’s direct contractual relationship is
not with the Government but with the
OSA. Two comments suggest that ESPs
will be covered by the subcontractor
flow down requirements from an OSA.
Response: DoD agrees with the need
for added clarity around internal ESPs
and the rule was modified to remove the
term internal ESP. An ESP that provides
staff augmentation, where the OSA
provides all processes, technology, and
facilities, does not need CMMC
assessment. Alternatively, an ESP can
be part of the same organizational
structure but still be external to the
OSA, such as a centralized SOC or NOC
which supports multiple business units.
The CMMC requirements apply and are
based on whether the ESP provides
cloud services and whether the ESP
processes, stores, or transmits CUI on
their systems.
The OSA’s contractual rights with its
CSP are beyond the scope of this rule.
The rule states requirements for the
OSA, not the ESP. The rule requires
OSAs that process, store, or transmit FCI
and CUI to protect that data. If those
OSAs elect to use an ESP, and that ESP
processes, stores, or transmits FCI or
CUI from the OSA, then the OSA must
require that the ESP protect the FCI and
CUI and the ESP will be assessed as part
of the OSA’s assessment or require
FedRAMP Moderate or equivalent.
Specifically for Level 3, if an OSC is
seeking Level 3 certification and uses an
ESP that is not a CSP and that DOES
process, store, or transmit CUI, then the
ESP will need to be assessed by DIBCAC
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00046
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83137
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
against the same Level 3 requirements
as the OSC as part of the OSC’s
assessment unless the ESP voluntarily
seeks a DIBCAC Assessment. If an OSC
is seeking Level 3 certification and uses
an ESP that DOES NOT process, store,
or transmit CUI, then the ESP will NOT
need to be assessed by DIBCAC against
the same Level 3 requirements as the
OSC. ESPs provide a service that meets
the requirements specified by the OSA,
and therefore ESPs are not
subcontractors on a DoD contract and
are not bound by subcontractor flow
down requirements.
d. Assessment of ESPs
Comment: There were multiple
comments regarding the assessment of
an ESP. One comment recommends the
rule be revised to identify the specific
assessment requirements that would be
considered NOT MET by the OSA when
using a non-compliant ESP, and to
further require C3PAOs to validate the
OSCs use of compliant ESPs during a
CMMC Level 2 assessment. One
comment asks if an ESP, when assessed,
will require a CAGE code, and enter
scores into SPRS. Another comment
asked whether CMMC certification
would be required when offering full IT
management and online storage,
including CUI, if the MSP policies
prevent employees from accessing
customer data.
One comment asks for clarification on
the contents of the System Security Plan
when documenting the use of an ESP.
Two comments ask how to assess an
OSA that is using a CSP to store CUI
that does not meet the FedRAMP
requirements. One comment asks how
C3PAOs can check on the assessment
status of an ESP. Three comments ask
how to avoid redundant assessments of
ESPs. One comment asks to clarify how
to handle ESPs at Level 3 with respect
to requirement AC.L3–3.1.2e that
restricts access to systems that are
owned, provisioned, or issued by the
organization. One comment
recommends DoD exempt CSPs that
provide service with end-to-end
encryption from CMMC requirements,
similar to a common carrier.
Several comments inquired about
guidelines and practices for obtaining
Customer Responsibility Matrices
(CRM) from CSPs and suggest the rule
be modified to also require them from
ESPs. One comment asks about how to
obtain a CSP’s System Security Plan.
Response: Implications for OSAs and
C3PAOs for using non-compliant ESPs
are adequately addressed in the rule.
The CMMC compliance of an ESP,
including a CSP, falls under the OSA’s
assessment. If an ESP is used to meet
any of the CMMC requirements for the
OSA, then the ESP is part of the scope
of the OSA’s assessment, and the
compliance of the ESP will be verified.
An ESP that is seeking CMMC
assessment will need to obtain a CAGE
code and an account in SPRS to enable
the reporting of its assessment results
via CMMC eMASS. A SPRS account is
required to complete the CMMC annual
affirmation requirement included in
DoD contracts that include a CMMC
certification requirement.
An ESP that processes, stores, or
transmits CUI, is an extension of the
OSA’s environment. As part of that
environment, the ESP will be assessed
against all requirements and
accountable for all users who have
access to CUI as part of the ESP’s
service, not just OSA employees. The
government cannot comment on specific
implementation or documentation
choices of an OSA, including the use of
an ESP.
The C3PAO can only give credit to a
FedRAMP Moderate Authorized or
equivalent CSP. Any requirements
dependent on contributions from a CSP
in any other stage of compliance are
considered NOT MET. The
requirements in the rule for FedRAMP
Moderate equivalency have been
updated to reflect DoD policy. OSAs can
consider CSPs in the FedRAMP process
for equivalency if they meet the
requirements in DoD policy.
An ESP that is a CSP will be listed on
the FedRAMP Marketplace. An ESP that
is not a CSP and processes, stores, or
transmits CUI will be within the OSA’s
assessment scope. An ESP can also
volunteer to have a C3PAO assessment
and could make that information
available to the OSA.
ESPs that are not CSPs may request
voluntary CMMC assessments of their
environment and use that as a business
discriminator. The marketplace for ESP
services will adjust to find the efficient
manner for ESPs to support OSA
assessments that may include their
services. With respect to requirement
AC.L3–3.1.2e, when an OSA adds an
ESP’s services to its network, the ESP is
considered to be provisioned by the
OSA. It is subject to the requirements
for the use of an ESP.
A common carrier’s information
system is not within the contractor’s
CMMC Assessment Scope if CUI is
properly encrypted during transport
across the common carrier’s information
system.
In a cloud model, the end-to-end
encryption would apply when
transmitting between OSA CUI assets
and a cloud service. Once within the
security boundary of the CSP, the
common carrier’s system no longer
contributes to the handling of the CUI
and the CSP’s security practices apply.
If an OSA chooses to use a CSP to
process, store, or transmit CUI,
FedRAMP Moderate or equivalency
requirements apply.
The rule has been updated to include
the use of a Customer Responsibility
Matrix by all ESPs, not just CSPs.
Obtaining a copy of a CSP’s SSP is not
required for a CSP that is FedRAMP
Authorized. Documentation on the
services provided by the CSP and a
CRM will be required.
e. Capacity for Assessment of ESPs
Comment: Some comments
questioned whether the CMMC
ecosystem would be adequate to provide
the number of CMMC assessments
necessary for ESPs. In response, some
comments recommend ESPs be given
priority for completing assessments.
Others recommend different phasing or
forms of assessment and certification
during ramp up.
Response: DoD declines to make
suggested changes to the ramp up and
phasing of assessments for ESPs. DoD
considered many alternatives before
deciding upon the current CMMC
assessment structure. By design, the
CMMC program depends on the supply
and demand dynamics of the free
market, enabling it to naturally scale
and adapt to capacity requirements.
DoD declines to set priorities for the
assessment marketplace. The DoD has
utilized a phased implementation
approach to reduce implementation
risk. DoD expects that the public has
utilized the lead-time prior to the
publication of this rule to prepare for
CMMC implementation and buy-down
risk. CMMC Program requirements make
no changes to existing policies for
information security requirements
implemented by the DoD. It is beyond
the scope of this rule for DoD to
determine the order in which
organizations are assessed.
f. Remote Access by ESPs
Comment: Two comments ask for
clarification on requirements for remote
access by an ESP to an OSA, whether
with OSA provided equipment or a
VPN.
Response: The assessment of remote
access may fall into several categories
and is dependent on the specific
architecture used and how the OSA
creates its assessment environment.
When an ESP is providing staff
augmentation to the OSA and the OSA
is providing all the systems used for
remote access, then the OSA’s policies
and procedures apply and the ESP is not
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00047
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83138
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
considered to be processing, storing, or
transmitting CUI. When the ESP is using
a Virtual Desktop solution, then the
endpoint client device will be
considered out of scope when it is
configured to prevent storage,
processing, or transmission of CUI on
the end client beyond the Keyboard,
Video, Mouse input that is part of the
Virtual Desktop Infrastructure (VDI)
solution.
Establishing a VPN connection with
MSP equipment brings that equipment
into the OSA’s assessment scope. The
equipment must meet the OSA’s
requirements for external access and
connection to the network. Depending
on the processing performed by the ESP
with the VPN connection, other
requirements may apply.
18. CMMC Assessment Scope for
Security Protection Assets and Data
a. Scope and Authority
Comment: Multiple comments
asserted that the use of Security
Protection Data and Security Protection
Assets increases the scope and cost of
CMMC assessments and recommend
changes to the costs or removing SPD
and SPA from the rule. One comment
presented the increased scope as an
inconsistency between NARA and NIST
SP 800–171A Jun2018. A few comments
asked what authority DoD uses to
include SPD as part of CMMC
assessment.
Response: The commenter misread
the rule’s application to ESPs and SPA/
SPD. Security Protection Assets are
specified in NIST SP 800–171 R2 Sec
1.1 which states: ‘‘The requirements
apply only to components of nonfederal
systems that process, store, or transmit
CUI, or that provide security protection
for such components.’’ The rule has
been updated in table 3 to § 170.19(c)(1)
and table 5 to § 170.19(d)(1) to change
the definition and requirements of
Security Protection Assets. The phrase
‘‘irrespective of whether or not these
assets process, store, or transmit CUI’’
has been removed from the SPA
description and the CMMC assessment
requirements have been changed to read
‘‘Assess against CMMC security
requirements that are relevant to the
capabilities provided.’’ Similar changes
were made to the guidance documents.
In order to clarify and address concerns
about the perceived ‘‘expansion’’ of
requirements, the rule was revised to
reflect that ESPs that only store SPD or
provide an SPA and do not process,
store, or transmit CUI do not require
CMMC assessment or certification.
b. Definition and Requirements
Comment: Numerous comments
requested that the DoD provide a
definition for Security Protection Data
(SPD) and configuration data, as well as
requirements for SPD to help
understand the scope of SPD and how
that impacts the scope of Security
Protection Assets and the assessment
requirements of ESPs. One comment
recommended the removal of the
definition and use of SPD.
Multiple comments requested more
information on the definition and
scoping of Security Protection Assets,
their relationship to CUI, and their
requirements. Some comments
suggested that the definition narrow the
scope of Security Protection Assets and/
or their security and assessment
requirements. Other comments
recommended eliminating the concept
of SPA. Additional comments
recommended changing the assessment
requirements for SPAs to be the same as
CRMAs Specialized Assets applicable
NIST SP 800–171 R2 requirements,
commensurate with the level of
involvement with the security of CUI or
to only assess the requirements
provided by the SPA. Two comments
recommended that the phrase’’
irrespective of whether these assets
process, store, or transmit CUI’’ be
removed from the definition of SPA.
Two comments asked for clarification
on the requirements for CSPs that only
handle SPD.
Two comments recommended
different security and assessment
requirements for ESPs that host SPD but
do not process, store, or transmit CUI.
Response: DoD added a CMMC
definition for Security Protection Data
to the rule. The DoD considered the
NIST definitions for System Information
and Security Relevant Information in
the development of the CMMC
definition for SPD.
This rule does not regulate OSA
Security Protection Data, but instead
implements existing regulatory
requirements for the safeguarding of
CUI, as defined in 32 CFR 2002.14(h)(2)
and implemented by DFARS clause
252.204–7012. This clause requires
protection of security protection assets
and security protection data through its
specification of NIST SP 800–171.
DoD does not agree with the
commentor’s statement that the
definition of Security Protection Assets
‘‘is an exceedingly dangerous
adjustment to the NIST SP 800–171
Revision 2 Paragraph 1.1 Scope of
Applicability.’’ Security Protection
Assets provide security to the entirety of
an OSA’s assessment scope which
includes CUI Assets and other in-scope
assets.
The SPD definition also defines
configuration data as data required to
operate a security protection asset. This
limits the possible interpretations of
configuration data. Further, the rule has
been updated to reflect that ESPs that do
NOT process, store, or transmit CUI do
not require CMMC assessment or
certification.
All assets within an OSA defined
CMMC Level 2 or 3 assessment
boundary have access to CUI and can
process, store, or transmit CUI. They are
therefore subject to DFARS clause
252.204–7012 and required to meet
NIST SP 800–171 requirements. This is
the authority for including Contractor
Risk Managed Assets (CRMAs) within
CMMC assessments. For Level 2, DoD
has decided to assume some risk and
lessen the assurance burden for a class
of these assets called Contractor Risk
Managed Assets, as specified in table 3
to § 170.19(c)(1). DoD does not assume
this risk at Level 3. CRMAs are subject
to assessment against all CMMC
requirements as specified in table 5 to
§ 170.19(d)(1).
19. CMMC Assessment Scope and
FedRAMP Moderate Equivalency
Requirements
Comment: Several commenters
identified inconsistencies between rule
content and a separate DoD policy
memo that defines requirements Cloud
Service Providers (CSPs) must meet to
be considered FedRAMP moderate
‘‘equivalent’’ in the context of DFARS
clause 252.204–7012. One commenter
requested administrative changes to the
rule for consistency, while others
requested more substantive changes to
deconflict the rule with DoD’s policies.
Differences between the two documents
left some commenters unclear about
when a CSP would be considered
within a CMMC assessment scope or
required to meet CMMC requirements.
They also noted that some CSPs refuse
to provide clients with Customer
Responsibility Matrices (CRMs), which
could impede an OSAs ability to meet
CMMC requirements. One commenter
asked for specific instances when a
FedRAMP-moderate-authorized CSP
would not be accepted as meeting
CMMC requirements or which
requirements such a CSP could not
meet.
Another commenter stated the
FedRAMP moderate equivalency
requirements for CSPs in this rule will
create confusion because they address
only the NIST SP 800–171 requirements
and do not include the additional cyber
incident reporting requirements
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00048
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83139
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
identified in DFARS clause 252.204–
7012. One comment suggested that any
expectation for CSPs to meet the DFARS
clause 252.204–7012 requirements for
cyber incident reporting or completion
of a System Security Plan should be
referenced in this CMMC rule. Another
commenter suggested that all DoD
contracts with CUI should include
clauses and provisions for CSPs to meet
Federal requirements, including a self-
assessment and certification of their
systems.
One commenter asked whether it is
sufficient for MSP/MSSPs to have
FedRAMP certification instead of
CMMC certification. Another
interpreted the rule’s wording related to
security protection assets and data as
expanding requirements levied on CSPs.
One commenter interpreted CMMC
Level 3 assessment requirements as
meaning all parts of an OSCs
infrastructure are within scope for
CMMC assessment if the OSC uses a
CSP, and recommended the rule specify
that security requirements from the
CRM must be documented in the SSP.
Another asked whether OSCs must track
all FedRAMP controls in their SSP or
only those relevant to NIST SP 800–171
R2.
Response: Requirements associated
with the use of cloud service providers
(CSPs) are covered under section
(b)(2)(ii)(D) of DFARS clause 252.204–
7012. When a CSP is used, it must meet
the requirements of the FedRAMP
moderate baseline or the equivalent.
The rule was updated for consistency
with those requirements, and now
requires FedRAMP moderate or
FedRAMP moderate equivalency as
defined in DoD Policy.
§§ 170.16(c)(2), 170.17(c)(5),
170.18(c)(5) address CMMC
requirements for CSPs. The CMMC rule
does not add new requirements on the
use of CSPs, which are found in DFARS
clause 252.204–7012. A CSP must be
assessed against the FedRAMP moderate
baseline when the CSP processes, stores,
or transmits CUI. The CMMC rule does
not oppose or contradict the
requirements of DFARS clause 252.204–
7012, nor does this rule relieve a CSP
from any requirement defined in DFARS
clause 252.204–7012.
§ 170.17(c)(5)(iii) and the
corresponding requirement in
§ 170.18(c)(5)(iii) only apply to CSPs
used to process, store, or transmit CUI
in the execution of the contract or
subcontract requiring CMMC
assessment. It does not expand to any
cloud provider outside the scope of the
assessment. Interactions between DoD
contractors and their service providers
are beyond the scope of the rule.
CMMC Level 2 self-assessment and
affirmation requirements described in
§ 170.16 make clear that an OSA using
a FedRAMP Authorized CSP (at the
FedRAMP Moderate or higher baseline)
is not responsible for the CSP’s
compliance. The OSA needs to
document in its SSP how the OSA
meets its requirements assigned in the
CSP’s CRM. When using a CSP that is
not FedRAMP Authorized, the OSA is
responsible for determining if the CSP
meets the requirements for FedRAMP
Moderate equivalency as specified in
DoD policy. In this case, the OSA also
needs to document in its SSP how the
OSA meets the requirements assigned to
it in the CSP’s CRM.
The rule has been updated to include
verbiage from the DFARS clause
252.204–7012 ‘‘in the performance of a
contract’’ for consistency. Use of the
term CUI in this rule is deliberate
because DoD intends to assess
compliance with NIST SP 800–171 R2
for all CUI. The DoD declines to replace
the word CUI with the word CDI, as the
term CUI more clearly conveys that
NIST SP 800–171 is the requirement for
all CUI information, as described in 32
CFR 2002.14.
DoD received numerous comments
about the use of ESPs which do not
process, store, or transmit CUI. In
response to comments, the DoD has
reduced the assessment burden on ESPs.
ESP assessment, certification, and
authorization requirements in
§§ 170.19(c)(2) and (d)(2) have been
updated.
20. CMMC Assessment Scope for
Devices and Asset Categorization
a. Asset Categorization
Comment: There were many
comments regarding the scoping and
treatment of assets when using table 3
to § 170.19(c)(1) and table 5 to
§ 170.19(d)(1). Several comments asked
about when asset categorization occurs,
who approves it and how to document
it. Two comments questioned the
applicability of using NIST SP 800–171
R2 for Specialized Assets. Two
comments suggested modifying the
definition of Out-of-Scope assets by
removing the last bullet or discussing
the use of encryption. One commenter
suggested adding more detailed
definitions of the asset categories to the
rule. One comment recommended
removing asset categories from the rule.
Many comments requested scoping
and categorization of specific scenarios,
such as ERP systems, MRP systems,
quantum computing systems, data
diodes, asset isolation, and encrypted
CUI. Numerous additional comments
requested clarification on scoping and
categorization of various security
product classes.
Response: The OSA performs asset
categorization and documents it in their
SSP. The OSA may choose the format
and content of its SSP. Table 3 to
§ 170.19(c)(1) requires that all asset
categories, including Specialized Assets,
be included in the asset inventory.
There is no requirement to embed every
asset in the SSP. In the SSP for Level 2,
the OSA must show how Specialized
Assets are managed using the
contractor’s risk-based security policies,
procedures, and practices. Prior to the
conduct of an assessment, the OSC
engages with the C3PAO assessor. It is
during this time that the classification of
assets should be agreed upon, and the
results of these discussions are
documented in pre-planning materials.
This is an example of the pre-
assessment and planning material
submitted by the C3PAO as required in
§ 170.9(b)(8) and the CMMC Assessment
Scope submitted to eMASS as required
in § 170.17(a)(i)(D). It is beyond the
scope of this rule to address DoD review
of specific Specialized Assets for
individual contractors.
DoD does not agree with a
commentor’s statement that Specialized
Assets are not actually assessed against
CMMC security requirements. As
documented in § 170.19, Specialized
Assets are identified by the OSC.
Assessment requirements of Specialized
Assets differ between CMMC Level 2
and CMMC Level 3. If Specialized
Assets are part of a CMMC Level 2
assessment, the OSA must document
them in the asset inventory, document
them in the SSP, and show how these
assets are managed using the
contractor’s risk-based security policies,
procedures, and practices. If Specialized
Assets are part of a CMMC Level 3
assessment, they must be assessed
against all CMMC Level 2 security
requirements and CMMC Level 3
security requirements, identified in
§ 170.14(c)(4).
DoD agrees with one comment that
even if NIST SP 800–171 R2 cannot be
implemented, that does not mean the
Specialized Assets cannot be secured.
CMMC requirements are defined to
align directly to NIST SP 800–171 R2
and NIST SP 800–172 Feb2021
requirements. For additional ease of
burden, at Level 1, IoT and OT are not
in scope, at Level 2 there are reduced
requirements, but they become in-scope
at Level 3, unless they are physically or
logically isolated.
DoD has reviewed the text and
declines to change the definition of Out-
of-scope assets because CUI should not
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00049
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83140
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
be transmitted via clear-text per NIST
SP 800–171 R2. The DoD has reviewed
the suggested changes to asset categories
and scoping tables and declines to make
an update. The asset categories in the
rule help the OSA understand the
requirements of various asset types that
might be found within the assessment
boundary.
OSAs determine the asset categories
and assessment scope based on how and
where they will process, store, and
transmit FCI and CUI. DoD cannot
comment on the suitability of any
specific approach or technology to
successfully implement CMMC security
requirements.
b. Virtual Desktop Infrastructure
Comment: Several comments
requested clarification on the use of
Virtual Desktop Infrastructures and how
to scope its components.
Response: The rule has been updated
in table 3 to § 170.19(c)(1) and table 5
to § 170.19(d)(1) to state that an
endpoint hosting a VDI client
configured to not allow any processing,
storage, or transmission of FCI and CUI
beyond the Keyboard/Video/Mouse sent
to the VDI client is considered out of
scope.
c. Contractor Risk Managed Assets
Comment: There were numerous
comments regarding Contractor Risk
Managed Assets. Several comments
perceived conflicts in the changes
between the current rule and previous
intermediate documents regarding
CRMA requirements. Multiple
comments recommended additional
details explaining risk-based
management of assets. Two comments
requested additional details on the
limited checks that are permitted during
assessment of CRMAs. Multiple
comments requested clarification on
CRMA requirements at Level 3 for the
OSA and ESP. One comment requested
clarification about the documentation
requirements for CRMAs.
One comment asserted that the rule
co-mingled CRMAs with assets of an
ESP. One comment questioned why
CRMAs were being included as in-scope
assets subject to CMMC security
requirements. One comment asked for
clarification between the security
requirements and assessment
requirements for CRMAs.
Response: There was confusion and
concern over conflicts from commenters
regarding responses to comments on a
previous version of the rule, other
documentation, and the current rule.
The DoD did not find any conflicting
language around CRMAs. There is no
conflict between CRMAs and the
requirements for logical or physical
boundaries. CRMAs are only applicable
within the CMMC Assessment Scope.
DoD does not agree with the statement
that the wording change around
Contractor Risk Managed Asset (CRMA)
effectively makes the asset category
moot.
The CRMA category was created to
ease the assessment burden, based on
the Department’s risk tolerance. It is not
intended to reduce the level of
protection and the CMMC security
requirements which apply to the assets.
Despite the wording changes identified
by the commentor, the CMMC security
requirements and the assessor’s ability
to conduct a limited check to identify
deficiencies as addressed in table 3 to
§ 170.19(c)(1) are unchanged.
Contractor Risk Managed Assets
(CRMA) should be prepared to be
assessed against CMMC security
requirements at Level 2, and included in
the SSP, asset inventory, and network
diagrams.
Table 3 to § 170.19(c)(1) clearly
addresses the assessment requirements
for Contractor Risk Managed Assets. All
CMMC security requirements must be
MET when the OSA chooses to
designate certain assets as Contractor
Risk Managed Assets.
Eight guidance documents for the
CMMC Program are listed in Appendix
A to Part 170—Guidance. These
documents provide additional guidance
for the CMMC model, assessments,
scoping, and hashing. Use of the
guidance documents is optional.
The OSA is responsible for
determining its CMMC Assessment
Scope and its relationship to security
domains. Assets are out-of-scope when
they are physically or logically
separated from the assessment scope.
Contractor Risk Managed Assets are
only applicable within the OSA’s
assessment scope. Table 3 to
§ 170.19(c)(1) is used to identify the
asset categories within the assessment
scope and the associated requirements
for each asset category. Contractor’s
risk-based security policies, procedures,
and practices are not used to define the
scope of the assessment, they are
descriptive of the types of documents an
assessor will use to meet the CMMC
assessment requirements.
It is beyond the scope of the CMMC
rule to provide a detailed explanation of
the usage of ‘‘risk-based’’ terminology
when implementing or assessing CMMC
requirements. DoD declines to speculate
and clarify the relationship between any
NIST SP 800–171 R2 definitions and
any pending NIST SP 800–171 Revision
3 definitions.
The DoD has defined the effort
allowed during a limited check in table
1 to 170.19(c)(1). A limited check may
require submission of evidence.
The DoD cannot anticipate how an
OSC will scope its CMMC Level 3
assessment with respect to its CMMC
Level 2 environment. As specified in
table 5 to § 170.19(d)(1), Level 2
Contractor Risk Managed Assets are
categorized as CUI Assets at Level 3.
The rule has been updated to clarify
that ESPs do not require a Level 3
certification unless they process, store,
or transmit CUI in the performance of a
contract with a CMMC Level 3
requirement.
3 As stated in table 1 to § 170.19(c)(1),
CRMA assets must be prepared to be
assessed against CMMC requirements.
The SSP must provide sufficient
documentation describing how security
requirements are met to allow the
assessor to follow the instruction in
table 1 to not assess against other
requirements. The assessor will then
decide if a limited spot check is
warranted. The results of the limited
spot check can result in a requirement
being scored as NOT MET.
The rule does not create two classes
of Contractor Risk Managed Assets as
one commenter asserts. Contractor Risk
Managed Assets are only those assets
that are owned by the OSC and within
the assessment scope. ESP assets are
subject to the ESP requirements of the
rule.
All assets within the OSA defined
assessment boundary have access to CUI
and can process, store, or transmit CUI,
and are therefore subject to DFARS
clause 252.204–7012 and required to
meet NIST SP 800–171 requirements.
This is the authority for including
CRMAs within CMMC assessments. For
Level 2, DoD has decided to assume
some risk and lessen the assurance
burden for a class of these assets called
Contractor Risk Managed Assets, as
specified in table 3 to § 170.19(c)(1).
DoD does not assume this risk at Level
3. Contractor Risk Managed Assets are
subject to assessment against all CMMC
requirements as specified in table 5 to
§ 170.19(d)(1).
At CMMC Level 2, Contractor Risk
Managed Assets and Specialized Assets
are assessed differently. Both types of
assets must be documented in the SSPs;
Specialized Assets will not, however, be
assessed by the C3PAO while limited
checks may be performed on Contractor
Risk Managed Assets. OSCs should be
prepared for assessment of Contractor
Risk Managed Assets because a deeper
assessment will be done if the assessor’s
evaluation of the OSC’s policies and
procedures raise questions. However, at
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00050
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83141
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
Level 3, Contractor Risk Managed Assets
and Specialized Assets are assessed, like
CUI assets, against all CMMC security
requirements, so no additional
explanation is required.
d. Specialized Assets
Comment: There were numerous
comments regarding Specialized Assets.
Several comments discuss the use of
enduring exceptions for Specialized
Assets and the use of the term in NIST
SP 800–171 R2. Two comments confuse
the current rule with responses to a
previous version of the rule. A comment
requests clarification why specialized
assets are not CUI assets. Another
comment asks about the difference in
assessment requirements between
CRMAs and Specialized assets. One
comment requested processes and best
practices for evaluation of specialized
assets.
Two comments recommend that the
Specialized asset requirements for Level
3 remain the same as Level 2 due to the
difficulty of meeting the Level 3
requirements in a manufacturing
environment. Two comments request
additional clarification on the Level 2
assessment of Specialized assets when
the assessment is a precursor to a Level
3 assessment.
Response: Definitions for enduring
exceptions and temporary deficiencies
have been added to the rule. Specialized
Assets are a type of enduring exception
and cover a broad range of
circumstances and system types that
may not be able to be fully secured as
described in NIST SP 800–171 R2. It
does not give an OSA the flexibility to
broadly categorize assets as Specialized
Assets.
The OSA would be expected to
address asset categorization with a
C3PAO during the initial scoping
discussion to avoid disagreements
during the assessment process.
In one example provided, a single
asset which is unable to meet a single
security requirement would be a
temporary deficiency and be addressed
using an operational plan of action,
describing the cause with appropriate
mitigation and remediation identified.
The sentence ‘‘NIST SP 800–171 Rev
2 uses the term ‘‘enduring exceptions’’
to describe how to handle exceptions for
Specialized Assets’’ appears in answers
to public comments on a previous
version of the rule, which responded to
the initial CMMC Program
requirements, therefore the inclusion of
the sentence is not relevant to the rule.
One commenter has misinterpreted
the answer to a public comment on a
previous version of the rule, which
responded to the initial CMMC Program
requirements. Specialized Assets are not
evaluated at Level 1. Specialized Assets
at Level 2 need to be documented in the
SSP and included in the asset inventory
and network diagrams. They also are to
be managed using the contractor’s risk-
based security policies, procedures, and
practices.
At Level 2, Specialized Assets do not
need to be assessed against other CMMC
security requirements. At Level 3,
Specialized Assets should be prepared
to be assessed against CMMC security
requirements. CMMC also provides for
the use of intermediary devices to
safeguard OT and IOT devices that
otherwise would be difficult or
expensive to protect. The phrase ‘‘or
information systems not logically or
physically isolated from all such
systems’’ only appears in answers to
public comments on the original 48 CFR
CMMC interim final rule publication,
therefore the inclusion of the phrase is
not relevant to the rule.
Specialized Assets span a broad
spectrum of components and have
different limitations on the application
of security controls. Processes and
practices to implement and assess
security requirements on these devices
are outside the scope of the CMMC rule.
The Level 3 assessment is designed to
provide additional safeguards to protect
the most sensitive CUI against advanced
persistent threats (APTs). DoD estimates
that only one percent of defense
contractors will require a CMMC Level
3 assessment. DoD has judged that the
risks associated with the exposure of
this CUI are sufficient to justify the
increased cost of a Level 3 assessment
on the small percentage of the DIB that
is processing, storing, or transmitting
this type of data.
CMMC also provides for the use of
intermediary devices to safeguard OT
and IOT devices that otherwise would
be difficult or expensive to protect. This
difference between how a Specialized
Asset is assessed at Level 2 and Level
3 is risk-based and affords a reduction
in cost for a Level 2 certification. The
CMMC Assessment Scope for a CMMC
Level 2 certification assessment is
discussed between the OSC and the
C3PAO. If the OSC has a goal to undergo
a CMMC Level 3 certification
assessment for the same assessment
scope, it may be good business practice
for the OSC to disclose this information
to the C3PAO and be assessed based on
the Level 3 scoping, however this is not
required.
e. Intermediary Devices
Comment: One comment asks for
additional information on intermediary
devices as referenced in table 5 to
§ 170.19(d)(1). Another comment asks
for direction in situations where the
comment asserts intermediary devices
are not practical.
Response: An intermediary device is
used in conjunction with a specialized
asset to provide the capability to meet
one or more of the CMMC security
requirements. For example, such a
device could be a boundary device or a
proxy, depending on which
requirements are being met. The rule is
agnostic as to how many requirements
are met and what technology is used to
meet them. Implementation guidance
for OT/IOT/IIOT is outside the scope of
the CMMC rule.
21. CMMC Assessment Scope for
Enterprise Versus Segmented
Environments
Comment: Two commenters sought
guidance for segmented networks that
inherit some controls from an enterprise
network that has a valid CMMC
certification, and asked whether
certification assessments may be shared
between the networks.
Response: § 170.19 states that prior to
a CMMC assessment, the OSA must
define the CMMC Assessment Scope for
the assessment, representing the
boundary with which the CMMC
assessment will be associated. Any
CMMC certification granted applies
only to the assessed CMMC Assessment
Scope. An enclave may be able to
leverage some elements of the enterprise
assessment by inheriting some
requirements from the enterprise
network, but it cannot inherit the
enterprise certification. Enclaves
beyond the certified CMMC Assessment
Scope must be assessed separately based
on their own CMMC Assessment Scope.
There is no established metric for
inherited implementations from an
enterprise to any defined enclaves. The
OSA determines the architecture that
best meets its business needs and
complies with CMMC requirements.
Within the enclave, the OSA determines
which requirements are implemented
and which requirements are inherited;
all requirements must be MET. If a
process, policy, tool, or technology
within the enclave would invalidate an
implementation at the Enterprise level,
that requirement cannot be inherited
and the OSA must demonstrate that it
is MET by implementation in some
other way. Additional guidance related
to assessments and enclaves has been
added to the CMMC Scoping Guide
Level 2 and Level 3.
22. Revocations and Appeals Process
Comment: One comment asked for
more clarification regarding the granting
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00051
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83142
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
and revoking of interim validity status
for a CMMC assessment. Several
comments requested an appeal and
remediation process if a CMMC
assessment status is revoked by the
DoD. One comment requested that the
revocation process not be arbitrary or
capricious and provide for due process.
And one comment recommended
removing the word ‘‘maintained’’ from
the criteria for revocation of the validity
status because maintenance is part of
ongoing operations as specified in the
security requirement for Risk
Assessments and Continuous
Monitoring (CA.L2–3.12.2). One
commenter asked whether SPRS
reporting is the only mechanism in
place to ensure that OSAs maintain the
SSP and conduct self-assessments
correctly.
Three comments recommended that
the DoD or CMMC PMO have a role in
the assessment appeals process. Of
these, one cited the DFARS clause
252.204–7012 clause as precedent for
DoD CIO to render final decisions. Some
commenters suggested the CMMC AB
relationship to C3PAOs would bias any
decisions they may make, and that final
appeal authority is an inherently
governmental risk acceptance decision.
One comment suggested that the
DIBCAC or other DoD entity render final
appeals decisions or take responsibility
for certifying OSCs. They also asked for
the C3PAOs to be released from liability
for reasonable assessment judgments.
Two comments asked whether the only
means to appeal a CMMC AB final
decision is through litigation. Another
comment asked who could escalate an
appeal to the CMMC AB. One comment
requested the rule include more
requirements for the C3PAO appeals
process, including that the process be
time bound and address disputes related
to perceived assessor errors,
malfeasance, and unethical conduct,
while another comment requested a
simpler appeals process. One comment
requested clarification as to how the
OSC interfaces with the C3PAO for
appeals purposes. One comment asked
if there was a process to challenge
C3PAOs’ findings of non-compliance if
additional requirements are applied
from an assessment guide that are not
included in the source standard. One
comment asked how to dispute the
specific CMMC level included in a
solicitation.
Response: Requirements for CMMC
Conditional certification assessments for
each level are defined in §§ 170.16
through 170.18. Section 170.6(e)
describes indications that may trigger
investigative evaluations of an OSA’s
CMMC Status. The DoD has revised the
rule throughout to delete the term
‘‘revocation’’ and to clarify that the DoD
reserves its right to conduct a DCMA
DIBCAC assessment of the OSA, as
permitted under DFARS clause
252.204–7012 and DFARS clause
252.204–7020. If the results of a
subsequent DIBCAC assessment show
that adherence to provisions of this rule
have not been achieved or maintained,
the DIBCAC results take precedence
over any pre-existing CMMC self-
assessment(s) or Final certification
assessment(s) and will result in SPRS
reflecting that the OSA is not in
compliance (i.e., lacks a current
Certificate of CMMC Status). There are
no additional requirements or checks on
self-assessments to ensure that OSAs
maintain the SSP and conduct self-
assessments correctly, beyond those
identified in the rule.
One commenter misunderstood the
meaning of ’maintained’ with respect to
the Level 1, 2, and 3 provisions. An
operational plan of action can be created
without risk to the certification validity
period. If a security event generates risk
for the protection of FCI or CUI, the
associated security requirements should
be readdressed expeditiously. If one or
more of the requirements can’t be
remediated, the OSA should create an
operational plan of action and resolve it
in a time frame that continues to
provide protection to FCI or CUI.
The Accreditation Body must have its
own appeals process, as required under
ISO/IEC 17011:2017(E). Each C3PAO is
required to have an appeals process
which involves elevation to the CMMC
Accreditation Body for resolution. The
appeals process is derived from and
consistent with ISO/IEC 17020:2012(E)
and ISO/IEC 17011:2017(E). The appeals
process is addressed in §§ 170.7(b),
170.8(b)(16), and 170.9(b)(13), (19), and
(20). An OSC, the CMMC AB, or a
C3PAO may appeal the outcome of its
DCMA DIBCAC conducted assessment
within 21 days of the assessment by
submitting a written basis for appeal
that include the requirements in
question for DCMA DIBCAC
consideration. An OSC, the CMMC AB,
[http://www.dcma.mil/DIBCAC or a C3PAO should visit www.dcma.mil/
DIBCAC ]to obtain the latest for contact
information for submitting appeals. A
DCMA DIBCAC Quality Assurance
Review Team will respond to
acknowledge receipt of the appeal and
may request additional supporting
documentation.
By defining the requirements in this
rule to become a C3PAO, and defining
a scoring methodology, the DoD is
providing the authority and guidance
necessary for C3PAOs to conduct
assessments. The CMMC Accreditation
Body will administer the CMMC
Ecosystem. The DoD will not assume
the workload of directly managing the
CMMC ecosystem or the other
alternatives suggested. DoD declines to
give the PMO responsibility to render
the final decision on all CMMC Level 2
assessment appeals as this role is
properly aligned to the CMMC
Accreditation Body. The CMMC AB is
under contract with the Department of
Defense to execute defined roles and
responsibilities for the DoD CMMC
Program as outlined in § 170.8. The
specified CMMC AB requirements were
selected and approved by the DoD. They
include Conflict of Interest, Code of
Professional Conduct, and Ethics
policies as set forth in the DoD contract.
For ISO/IEC 17020:2012(E) and ISO/
IEC 17011:2017(E) compliance, an
appeals process is required. CMMC-
specific requirements for appeals are
addressed in §§ 170.8(b)(16) and
170.9(b)(13), (19), and (20). The DoD
expects the process to be managed
efficiently, however setting a specific
timeline is not appropriate as the time
may vary based on the complexity of the
issue.
Responsibility for final appeals
determination rests with the CMMC AB.
The DoD declines to mandate that the
CMMC AB consult with the CMMC
PMO or DIBCAC prior to rendering a
decision. The CMMC PMO will serve in
the oversight role for the entire CMMC
program.
OSCs may submit any appeal arising
from CMMC Level 2 assessment
activities to C3PAOs as addressed in
§ 170.9(b)(19). OSCs may request a copy
of the process from their C3PAO. The
rule has been revised to reflect that any
dispute over assessment findings which
cannot be resolved by the C3PAO may
be escalated to the CMMC AB by either
the C3PAO or the OSC. The decision
rendered by the CMMC AB will be final
as stated in § 170.8(b)(16). Appeals
pertaining to an assessor’s professional
conduct that is not resolved with the
C3PAO will also be escalated and
resolved by the CMMC AB.
As addressed in § 170.9(b)(13), the
C3PAO will have a quality assurance
individual responsible for managing the
appeals process in accordance with ISO/
IEC 17020:2012(E) and ISO/IEC
17011:2017(E). Identification of the
C3PAO staff that an OSC should
interface with is beyond the scope of
this rule. It is a business decision that
may vary by C3PAO and should be
addressed between the OSC and C3PAO
prior to conduct of an assessment.
The supplemental documents listed
in Appendix A provide additional
guidance to aid in CMMC
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00052
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83143
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
implementation and are not
authoritative. In the event of conflicts
with the security requirements
incorporated by reference, this rule and
NIST SP 800–171A Jun2018 or NIST SP
800–172A Mar2022 guidance will
always take precedence. Disputes
regarding the CMMC level specified in
a contract solicitation should be
addressed with the contracting officer
using normal pre-award or post-award
communications processes. No revision
to the rule is required. Selection of the
CMMC level is a DoD risk-based
decision made by the Program Manager
or Requiring Activity.
23. CMMC Cybersecurity Requirements
a. NIST SP 800–171 R2 Requirements
Comment: Several comments were
received regarding FIPS-validated
cryptography. Some recommended
mitigating delays with FIPS validation
testing and reducing the risk of CMMC
assessment failures by allowing FIPS
POA&Ms or POA&M extensions,
waivers, or making encryption an
organizationally defined parameter
(ODP). Similarly, some recommended
the DoD accept alternate FIPS solutions
such as commercially viable modules
with FIPS-approved protocols or FIPS-
compliant—as opposed to FIPS-
validated—protocols. One comment
recommended that DoD collaborate with
NIST to either improve the processing of
FIPS validation testing and/or to define
the encryption ODP for NIST SP 800–
171 Revision 3. One comment
recommended DoD work with NIST to
align NIST ODPs in NIST SP 800–171
Revision 3 to DoD ODPs defined in the
CMMC Rule for CMMC Level 3 to
ensure consistency. Another commenter
asked if FIPS 140–3 was an acceptable
FIPS implementation.
Multiple comments addressed NIST
requirements. One comment stated the
NIST cybersecurity standards and
guidelines are not legal requirements.
The commenter recommended edits to
the CMMC rule to require contractors
implement requirements ‘‘derived’’ from
NIST SP 800–171 R2 with measurable
specifications to protect CUI. Two
commentors felt the body of the
proposed rule should have included a
list of the NIST requirements to be
assessed at each CMMC level. One
comment suggested clarifying when a
Systems Security Plan is required for
each level. And, one asked if the CMMC
Assessment Scope and attestation
requirements included Non-Federal
Organization (NFO) controls or the flow-
down and reporting requirements from
DFARS clause 252.204–7012.
Some comments were speculative in
nature and outside the scope of the rule.
One commenter was concerned that a
CMMC assessment would not address
the risk of insider threats and national
security problems driven by political
divisions within Congress.
Response: DoD is aware of industry
concerns regarding FIPS validation
required in NIST SP 800–171 R2
requirement 3.13.11. Because this is a
NIST requirement, changing it is beyond
the scope of the CMMC rule. As stated
in § 170.5(3), the CMMC Program does
not alter any separately applicable
requirements to protect FCI or CUI,
including the requirement to use FIPS-
validated cryptography which comes
from NIST SP 800–171 as required by
DFARS clause 252.204–7012.
Limitations of the FIPS-validated
module process do not impact the
implementation status of FIPS
cryptography. However, the rule has
been updated to allow for Enduring
Exceptions and temporary deficiencies,
which may apply to the implementation
of FIPS.
DoD declined to update the rule to
include ‘‘FIPS-compliant’’ encryption as
opposed to ‘‘FIPS-validated’’
encryption. NIST SP 800–171 R2
requires the use of validated modules in
specific conditions. Comments on the
specific security requirements contained
in NIST documentation are beyond the
scope of this rule and should be
directed to NIST. Collaboration between
DoD and NIST about the NIST
cryptographic module validation
program, or to define cryptography
related ODPs in NIST SP 800–171
Revision 3, is also beyond the scope of
the rule. Recommendations for desired
changes in NIST documentation should
be directed to NIST.
The NIST Cryptographic Module
Validation Program website provides a
list of approved solutions and their
timelines: [https://csrc.nist.gov/projects/cryptographic-module-validation-program https://csrc.nist.gov/projects/
cryptographic-module-validation-
program. ]
NIST SP 800–171 information
security requirements were codified in
32 CFR part 2002 in response to
guidance (in E.O. 13556) to standardize
Federal agency policies for safeguarding
CUI. The DoD has elected to use FAR
clause 52.204–21, NIST SP 800–171 R2,
and a subset of NIST SP 800–172
Feb2021 as the basis for the security
requirements in this rule.
As stated in § 170.14(c), CMMC Level
1 requirements are found in FAR clause
52.204–21, CMMC Level 2 requirements
are found in NIST SP 800–171 R2, and
CMMC Level 3 requirements are a
selected subset of NIST SP 800–172
Feb2021 requirements as specified in
the 32 CFR part 170 CMMC Program
rule in table 1 of § 170.14.
NIST SP 800–171A Jun2018 provides
authoritative procedures for assessing
NIST SP 800–171 R2 security
requirements and the CMMC Level 2
Assessment Guide provides additional
guidance for assessing CMMC Level 2
security requirements. Both documents
are referenced in the 32 CFR part 170
CMMC Program rule, at §§ 170.16(c) and
170.17(c).
It is recommended that an OSA
develop a SSP as a best practice at Level
1, however, it is not required for a
CMMC Level 1 self-assessment. A
CMMC assessment does not include
Non-Federal Organization (NFO)
controls from table E in NIST SP 800–
171 R2 nor the DFARS clause 252.204–
7021 flow down and reporting
requirements.
DoD concurs that CMMC provides no
mechanism for addressing insider
threats posed by political divisions in
Congress. However, insider threat in
general is addressed in the following
CMMC security requirements: AT.L2–
3.2.3—Insider Threat Awareness;
AC.L2–3.1.7—Privileged Functions;
PS.L3–3.9.2e–Adverse Information.
b. Transition to Future NIST
Requirements
Comment: Many commenters raised
concerns about the CMMC Proposed
Rule’s citation of a specific version of a
relevant baseline document, i.e., NIST
SP 800–171 R2. The expressed concerns
focused mainly on a perceived potential
for a timing conflict between the NIST
revision requirements based on DFARS
clause 252.204–7012 (revision in effect
at time of solicitation) and this CMMC
Program rule which specifies NIST SP
800–171 R2. Commentors provided a
variety of differing suggestions to
address these concerns. Some
commenters recommended that no
revision number be included, while
others recommended citing Revision 3
rather than Revision 2. Others
recommended delaying the CMMC
Program. Some recommended changing
DFARS clause 252.204–7012 or issuing
a class deviation to address differences
between the NIST revisions cited. Those
that recommended citing to Revision 3
noted that to do otherwise could delay
compliance with Revision 3 beyond
NIST’s anticipated finalization of that
publication. Commenters noted that the
criteria defined in guidance explaining
how to assess against NIST
requirements (i.e., NIST SP 800–171A
Jun2018) does not identify a revision
number for the NIST SP 800–171
requirements to which they apply. In
addition to the comments about NIST
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00053
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83144
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
SP 800–171 R2 and NIST SP 800–171
Revision 3, some commenters
questioned how DoD would implement
or how long the DoD would allow for
transitioning to each future version of
NIST standards once approved.
One commenter recommended
defining a waiver process to manage the
transition for each new NIST revision.
Another commenter asked whether
contract work stoppages are expected
during such transitions and if industry
would be afforded time to understand
the impacts of new requirements to
existing systems. One commenter
suggested that CMMC affirmations
should indicate continued compliance
to the NIST SP 800–171 version that
applied to the corresponding self-
assessment or certification assessment.
Two commenters recommended
changing the incorporation by reference
version of NIST 800–53 that is cited in
this rule be changed from Revision 5 to
Revision 4, to better align with the
incorporation of NIST SP 800–171 R2.
Another commenter noted that both
NIST SP 800–171 R2 and NIST SP 800–
172 Feb2021 include Organizationally
Defined Parameters (ODP), the latter of
which are defined in this rule. The
commenter advised against defining
ODP for either reference, and
recommended deletion of specific rule
text that does so.
Response: DoD is aware of the
differences between the language of
DFARS clause 252.204–7012 and the
proposed rule. 1 CFR part 51, which
governs drafting of this rule, requires
the specification of a revision to a
standard. Specifying a revision benefits
the CMMC Ecosystem by ensuring it
moves forward from one NIST standard
to the next in an organized manner. The
DoD cites NIST SP 800–171 R2 in this
final rule for a variety of reasons,
including the time needed for industry
preparation to implement the
requirements and the time needed to
prepare the CMMC Ecosystem to
perform assessments against subsequent
revisions. DoD is unable to incorporate
suggestions that CMMC assessments be
aligned to whichever NIST revision is
current at the time of solicitation and
declines to respond to speculation about
the release timing of other publications.
In May 2024, NIST published SP 800–
171 Revision 3, Protecting Controlled
Unclassified Information in Nonfederal
Systems and Organizations, after these
comments were received. DoD will issue
future amendments to this rule to
incorporate the current version at that
time. Comments on the content of the
NIST SP 800–171 Revision 3
publication or future NIST SP 800–171
revisions should be directed to NIST.
The final rule has been updated to
specify the use of NIST SP 800–171A
Jun2018, Assessing Security
Requirements for Controlled
Unclassified Information, and NIST SP
800–172A Mar2022, Assessing
Enhanced Security Requirements for
Controlled Unclassified Information.
The DoD has included the numbering
scheme in the rule because the
numbering scheme is a key element of
the model. The CMMC numbering
scheme for security requirements must
pull together the independent
numbering schemes of FAR clause
52.204–21 (for Level 1), NIST SP 800–
171 R2 (for Level 2), and NIST SP 800–
172 Feb2021 (for Level 3); it must also
identify the domain and CMMC level of
the security requirement. DoD
developed the least complicated scheme
that met all these criteria.
The CMMC Program Office is unable
to respond to comments proposing
changes to the DFARS, which is subject
to separate rulemaking procedures. One
commenter described a hypothetical
scenario wherein a solicitation is issued
such that DFARS clause 252.204–7012
would require compliance with NIST SP
800–171 Revision 3, but the CMMC
requirement identified is for assessment
against NIST SP 800–171 R2. In this
hypothetical scenario, it is possible that
the bidder may meet the CMMC
requirement by citing a valid CMMC
assessment against NIST SP 800–171
R2, while also availing themselves of
the flexibilities provided in DFARS
clause 252.204–7012 (2)(ii)(B) to submit
a written request to the Contracting
Officer to vary from the current version
of NIST SP 800–171.
Recommendations for modification to
or deviation from DFARS clause
252.204–7012 are beyond the scope of
this rule. The DoD has evaluated the
potential interaction between the
CMMC program requirements and the
existing requirements in DFARS clause
252.204–7012 and believes that
potential conflicts have been resolved.
NIST SP 800–53 R5 is incorporated by
reference only for applicable definitions
because DoD chose to use the latest
definitions available. While it is also
true that NIST SP 800–171 R2 was based
on NIST SP 800–53 Revision 4, the
origination of NIST SP 800–171 R2 is
beyond the scope of this rule.
Contractors and subcontractors will
not be expected to stop work while they
implement changing standards.
Implementation of this rule will be
introduced as a pre-award requirement
in new DoD solicitations, as described
in the timeline at § 170.3(e).
Any substantive change to CMMC
security requirements must go through
rulemaking, and its associated timeline,
which may include public comment.
The new rule may include a transition
period for implementation of the new
security requirements.
The commenter correctly identifies
that the programmatic intent of this rule
is for affirmations to signify systems in
question remain compliant as indicated
by the assessment that was conducted.
Assessments are conducted against the
specified NIST publication versions or
the requirements in FAR clause 52.204–
21. The 48 CFR part 204 CMMC
Acquisition rule also reinforces this
thought by providing specific wording
of the affirmation.
c. NIST SP 800–172 Feb2021
Requirements
Comment: Multiple comments
recommended adding all the omitted
requirements from NIST SP 800–172
Feb2021 or a subset including Network
Intrusion Detection System, Deception
and Unpredictability, arguing that they
are necessary for protecting CUI and to
defend against advanced persistent
threats.
Two comments inferred that the
requirement to restrict access to systems
owned, provisioned or issued by the
OSC means that the OSC must provide
all equipment used to access the system,
which they asserted is impossible
because outside entities using GFE, to
include DoD, may need access. One
commenter also asked if DIB Furnished
Equipment would be required, and one
commenter argued for an exception for
GFE, even though it is not owned,
provisioned, or issued by the OSC.
Three comments stated that
Organizationally Defined Parameters
(ODP) values need to be set by OSAs,
not DoD. One commenter argued this
will be necessary because of the
emerging ODPs at Level 2 associated
with NIST SP 800–171 Revision 3. One
commenter argued this is critical for
uniformity across the Federal enterprise
as many contractors support multiple
Federal agencies. The commenter
further offered that allowing ODP values
to be set by OSAs could be limited to
contractor systems not operated on
behalf of the DoD. One commenter
suggested that ODP values set by OSAs
may require approval by the contracting
officer. One comment stated that the
ODPs are too detailed for the 32 CFR
part 170 CMMC Program rule, and table
1 to § 170.14 should be moved to the
Level 3 Assessment Guide.
One comment argued that removal or
quarantine of components to facilitate
patching or re-configuration, as
specified in table 1 to § 170.14(c)(4)
CM.L3–3.4.2e, is a disruptive and
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00054
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83145
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
possibly a destructive operational
constraint affecting business operations.
They asserted that patching and
reconfiguration are standard day-to-day
IT administrative activity, and
components do not need to be removed
or quarantined.
One comment asserted that CMMC
should be based on NIST SP 800–53 R5
requirements (linked to the associated
NIST SP 800–172 Feb2021
requirements) due to additional labor
required to create NIST SP 800–53 R5
solutions and benefits to be gained from
NIST SP 800–53 R5 overlays.
Two comments argued that IA:L3–
3.5.3e regarding ’the prohibition of
system components from connecting to
organizational systems unless certain
conditions are met’ is essentially the
same requirement as CM:L2–3.4.7
’restricting, disabling, or preventing the
use of nonessential programs, functions,
ports, protocols, and services’.
Response: DoD considered many
alternatives before deciding which NIST
SP 800–172 Feb2021 requirements to
include as part of CMMC Level 3. NIST
SP 800–172 Feb2021 notes that ‘‘There
is no expectation that all of the
enhanced security requirements will be
selected by Federal agencies
implementing this guidance.’’ For a
variety of reasons, including DoD’s
estimation of cybersecurity maturity and
complexity across the DIB, and potential
cost of certain Level 3 requirements
compared with the benefit, the DoD has
included a limited set of NIST SP 800–
172 Feb2021 requirements. On a
contract-by-contract basis, additional
requirements may be added. OSAs are at
liberty to implement additional
requirements.
The intent of AC.L3–3.1.2e, which
requires restricted access to systems and
system components, is not that DIB
companies issue laptops to external
users wishing to access Level 3
enclaves. While laptop issuance is one
solution, other options are available.
The important concept in this
requirement is ‘‘comply to connect’’,
and it applies to all users, both within
the OSA and externally, equally. In
complying with this requirement, GFE
may be considered provisioned by the
OSC and therefore is not restricted
under that requirement.
DoD defines the ODPs for NIST SP
800–172 Feb2021 included in CMMC
Level 3. This eliminates the risk of
different parameters being set for
different DoD programs. Rulemaking
requirements dictate that table 1 to
170.14(c)(4) be codified in the rule. The
Assessment Guide is an optional
document.
DoD declines to accept the risk of
removing security requirement CM.L3–
3.4.2e. The Assessment Guide has been
updated to include additional
discussion on this security requirement.
Feedback on individual security
requirements should be direct to NIST.
Any relationship to the NIST SP 800–
53 R5 controls is for information only.
The requirements that must be
implemented for CMMC Level 3 are
defined in the rule table 1 to
§ 170.14(c)(4).
IA:L3–3.5.3e and CM:L2–3.4.7 are
different requirements. The L2
requirement is about functionality, and
the L3 requirement is about trust.
Feedback on individual security
requirements should be direct to NIST.
24. CMMC Annual Affirmation
Requirements
Comment: One commenter
recommended the affirmation statement
include a statement confirming the
scope has not changed and requested
the rule be modified to identify types of
changes that would constitute a change
of system scope. Another commenter
recommended removing any
requirement for affirmation after
assessment certificate issuance or else
revising the rule to identify any benefits
the affirmation provides that conducting
an independent assessment does not
already provide. Another commenter
recommended the DoD clarify that out-
of-cycle affirmations are not needed.
Three comments said the affirmation
language needs revision because
maintaining perfect scores is not
possible and asking individuals to
affirm continuous compliance is
unreasonable. One commenter voiced
apprehension that signing the
affirmation statement would make a
person criminally liable under the False
Claims Act, due to the need for system
maintenance to fix things that break.
One commenter expressed concern that
continuous monitoring by contractors
increases cost and burden to stay in
compliance and opens companies up to
False Claims Act liabilities. One of these
commenters recommended DoD rely on
representation and self-assessment in
lieu of affirmations to indicate that the
offeror meets the requirements of the
CMMC level required by the
solicitation. Two commenters requested
clarification on what affirmation entails.
Another commenter requested
modification to clarify that the
Affirming Official will attest only that
the requirements are implemented as of
the certification date, or proposal
submission date, and requested removal
of affirmation references to continuous
compliance.
Two commenters urged the
Department to align the annual
affirmation timeline with the 3-year
assessment timeline to ensure
consistency and reduce potential False
Claims Act liability. One commenter
also incorrectly believed a prime
contractor affirmation would be made
on behalf of its entire supply chain.
Another commenter asked DoD to
clarify that an organization may obtain
from C3PAOs a limited review of
changes made since the last assessment
in support of required affirmations and
noted that the DoD or CMMC AB may
wish to clarify what supporting
evidence is required for annual
affirmations. Additionally, the
commenter recommended that DoD
reconsider the requirements for CMMC
Level 1 since these are covered by
System for Award Management (SAM).
One commenter asked, in reference to
POA&M closeout affirmations, if there
was no longer an expectation that a
C3PAO will confirm the close out of a
POA&M. One commenter provided a
recommendation to include an
executive summary in the affirmation
that includes POA&M related metrics as
an indicator of an OSA’s effective O&M,
security, and continuous monitoring
activities.
Response: As described in
§ 170.22(a)(2)(ii), the CMMC affirmation
shall include a statement to the effect
that the OSA has implemented and will
maintain implementation ‘‘within the
relevant assessment scope’’, which
adequately addresses the commenters
suggestion. No change to the rule text
was therefore required. Annual
affirmations ensure OSAs conduct
periodic checks and verify to the
Department that changes to their
networks have not taken them out of
compliance during the certification
period. The annual affirmation
requirement enables DoD to permit 3
years between CMMC Level 2 or 3
assessments, rather than requiring
annual assessments. The DoD does not
agree with the comment that following
the procedures in § 170.22 creates an
additional burden. The DoD does not
concur with removing the terms
‘‘continuing’’ or ‘‘continuous ‘‘as it
relates to an OSA’s affirmation.
Continuing compliance means that the
contractor system in question remains
in compliance and that the OSA intends
to maintain compliance over time, not
that the OSA cannot have an operational
plan of action. Any changes to the
information system beyond use of
operational plans of action require a
new assessment and a new affirmation.
Operational plans of action as described
in CA.L2–3.12.2 are part of normal
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00055
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83146
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
maintenance of a system and do not
require a separate out-of-cycle
affirmation. The DoD declines to
address specific cases when affirmations
are not required. DoD’s use of the term
OSA within the affirmations section is
deliberate and conveys that each
organization is responsible for
affirmations pertaining to their own
assessments. An Affirming Official
definition was added to the rule and
provides that clarification.
The rule delineates which
requirements may be addressed with a
POA&M for up to 180 days to achieve
Final CMMC Status. As stated in
§ 170.22, an Affirming Official attests
the organization is satisfying and will
maintain its specified cybersecurity
requirements. An OSA may complete a
self-assessment and submit a new
affirmation at any time. POA&Ms
associated with conditional assessments
are closed-out by C3PAOs for Level 2
final certification assessments and by
DCMA DIBCAC for Level 3 final
certification assessments. OSAs must
affirm results in SPRS for all
assessments.
If an OSA makes significant changes
within the CMMC Assessment Scope, a
new assessment and affirmation are
required. The rule does not preclude
OSAs from contacting a C3PAO for a
review prior to an annual affirmation,
however this is not required. No
supporting evidence is required for an
annual affirmation. Annual
representations and certifications
submitted in the System for Award
Management (SAM) serve a different
purpose from the CMMC affirmation
requirement completed in SPRS.
Furthermore, given the sensitivity of an
OSA’s cyber security status, the DoD has
elected not to use SAM, a public
website.
Details for completion of the annual
affirmation, including wording of the
affirmation statement, are addressed in
the 48 CFR part 204 CMMC Acquisition
rule. The affirmation signifies the
requirements were implemented as of
the date of the self-assessment or
certification, and that the OSA has and
intends to maintain the system as
assessed. The DoD declines to require
the use of an executive summary or the
publication of metrics in the affirmation
statement as part of the affirmation
because that is not consistent with the
purpose of the affirmation requirement.
Regarding the alignment of
assessments and affirmation timelines,
the DoD declines to adopt
recommended changes which would
allow up to 3 years to elapse before DIB
companies would be required to assess
the status of their cybersecurity
compliance.
25. CMMC Acceptance of Alternate
Standards
a. CMMC and Other Agency Standards
or Acceptance of CMMC Assessments
Comment: Several commenters asked
for additional detail about § 170.20
Standards Acceptance. One commenter
described discussions from various DoD
industry engagements and suggested the
rule is inconsistent with information
provided at those information exchange
events.
Some commenters observed the rule
does not describe DoD efforts to
coordinate with other agencies
regarding any additional cybersecurity
requirements they choose to implement,
which could conflict or add burden for
companies that must also comply
CMMC requirements. One comment
suggested implementing the CMMC
program government wide. An industry
association submitted several comments
regarding perceived duplication
between this rule and cybersecurity
requirements of other Federal agencies
and foreign governments. They also
recommended the DoD modify the rule
to reflect other agency standards, such
as TSA and CISA security directives
requiring cyber incident reporting for
natural gas utilities.
Several commenters thought the rule
did not adequately explain potential
portability of CMMC assessments,
referring to whether other agencies
might recognize CMMC compliance as
meeting or partially meeting their
requirements. One specifically
suggested CMMC affirmations could be
accepted as evidence of compliance
with any similar cybersecurity
requirements other agencies may
implement. One comment suggested
that by assessing compliance of all
applicable security requirements, the
CMMC program will impede efforts to
establish DoD information sharing
agreements with other non-DoD
organizations, including other agencies
and foreign governments.
Response: Some comments received
lacked relevance to the rule’s content,
which is limited to specific CMMC
Program requirements. The DoD
declines to respond to speculative or
editorial comments about private
citizens or entities, all of which are not
within the scope of this rule.
Similar data security requirements are
already applied to contractors across all
Federal agencies, due to the
applicability of FAR clause 52.204–21,
and 32 CFR part 2002. All executive
agencies are required to comply with
the same standards for protection of FCI
and CUI in those regulations. Once
attained, a current CMMC certification
may be presented for consideration by
any entity (including other government
agencies) as an indicator that the
security requirements associated with
the certificate level (e.g., CMMC Level 2)
have in fact been implemented.
CMMC Program requirements are
designed to ensure compliance with
existing standards for protection of FCI
and CUI and align directly to NIST
guidelines (e.g., NIST SP 800–171 R2)
and the basic safeguarding requirements
of FAR clause 52.204–21 that apply to
all executive agencies. Regulations
issued by any executive agency must be
aligned to these overarching
requirements, therefore CMMC Program
requirements will not conflict with any
FCI or CUI safeguarding regulations that
may be issued by other agencies as cited
by the commenter. All executive
agencies are permitted to submit and
review comments as part of the formal
rulemaking process, and additional
coordination is not required. This rule
provides a consistent way of verifying
contractors’ compliance with the
referenced FAR and NIST requirements,
in addition to those from NIST SP 800–
172 Feb2021 where applicable.
b. Requests To Recognize Alternate
Standards
Comment: Several commenters
requested the rule be modified to accept
or recognize alternate standards for the
purpose of meeting CMMC assessment
requirements. Some small to medium
businesses recommended acceptance of
healthcare relevant standards or other
recognized certification frameworks as a
substitute for CMMC and FedRAMP
Equivalency.
Another comment cited verbiage in
the DFARS clause 252.204–7012 clause
that references DoD CIO approval to
‘‘vary’’ from NIST SP 800–171
requirements as rationale for revising
the CMMC rule to permit acceptance of
other standards such as the NERC
Critical Infrastructure Protection
standards which apply to North
America’s Bulk Electric System (BES).
Some comments expressed concern
that absent greater acceptance of the
standards required by other agencies,
companies complying with CMMC
would be at a competitive disadvantage
due to the perceived costs of complying
with CMMC standards. Another
comment expressed a similar concern
but cited the need for acceptance of
foreign C3PAOs to effectively scale
CMMC to include assessment of foreign
OSCs.
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00056
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83147
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
Response: CMMC Program
requirements apply to those contractors
that seek to bid for DoD work which
requires processing, storing, or
transmitting FCI or CUI in a contractor
owned information system. Section
170.20 addresses Standards Acceptance
and delineates the only existing bases
for accepting alternate standards in this
rule. The DoD does not currently have
standards acceptance with other Federal
entities in lieu of the CMMC
requirement.
DoD’s harmonization of requirements
with other agencies is achieved through
compliance with NIST standards. DoD’s
recognition of the standards of other
nations occurs through negotiation of
international arrangements and
agreements, which is beyond the scope
of this rule. The CMMC Program has
aligned requirements with NIST
standards, and many foreign nations are
adopting NIST standards as well. In
developing this rule, the DoD worked
with standards bodies, removed unique
requirements, and aligned new
requirements directly with NIST SP
800–171 R2 and select NIST SP 800–172
Feb2021 requirements to reduce and
streamline cybersecurity burden across
the industry. CMMC Program
requirements make no change to
existing policies for limits on
dissemination of CUI. Comments on
information sharing between other
agencies or foreign entities are beyond
the scope of this rule. The requirement
to comply with NIST SP 800–171 was
mandated in DFARS clause 252.204–
7012. Granting alternatives to that
standard is beyond the scope of this
rule.
Several foreign or international
companies submitted comments
expressing interest in the rule section
pertaining to C3PAO requirements
(§ 170.9(b)) and correctly noted that this
section does not preclude otherwise
qualified foreign companies from
achieving C3PAO accreditation. Note
that the DoD does permit C3PAO
personnel who are not eligible to obtain
a Tier 3 background investigation to
meet the equivalent of a favorably
adjudicated Tier 3 background
investigation. DoD will determine the
Tier 3 background investigation
equivalence for use with the CMMC
Program only.
c. CMMC Acceptance of Other DIBCAC
Assessments
Comment: Some commenters either
did not understand or objected to the
fact that standards acceptance
requirements for DIBCAC High
Assessments require a score of 110
without POA&Ms. Other comments
requested clarity regarding standards
acceptance of DIBCAC High
Assessments at CMMC Levels 2 and 3.
One comment inquired about the
programmatic details of DCMA’s Joint
Surveillance Program.
Another comment expressed concerns
over disparities between how CMMC
C3PAOs and DIBCAC assess, given the
fact that DIBCAC assessors are
empowered to make risk acceptance
decisions on behalf of the Government,
whereas C3PAO assessors are not. One
commenter questioned the use of the
NIST SP 800–171 R2 Cybersecurity
FAQs as published in the DoD
Procurement Toolbox. Another
commenter asked whether C3PAOs
assess for compliance with DFARS
clause 252.204–7012, paragraphs c–g, as
DCMA DIBCAC does in their
assessments of OSAs. One commenter
suggested that the DIBCAC is not
certified to conduct Level 3 assessments
and that training requirements for
CMMC Level 2 C3PAO assessors should
also apply to DIBCAC assessors, or else
Level 3 assessments should be
conducted by C3PAOs.
Response: There is qualified
standards acceptance between DCMA
DIBCAC High Assessment and CMMC
Level 2 Certification Assessment as
described in § 170.20(a). There is no
standards acceptance between DCMA
DIBCAC High Assessment and CMMC
Level 3. To be eligible for standards
acceptance resulting in a CMMC
certification, an OSC must achieve a
perfect 110 score on the Joint
Surveillance assessment without any
open POA&Ms at the time of
assessment. If the Joint Surveillance
assessment results in POA&M actions,
any POA&M must be closed prior to
standards acceptance.
Completion of a prior DCMA DIBCAC
High Assessment does not necessarily
indicate the likelihood of a future
CMMC Level 3 requirement. DIBCAC
High assessments are currently
conducted against the NIST SP 800–171
R2 requirements, whereas the DoD will
identify the need for a CMMC Level 3
assessment when its internal policies
indicate the added protections of NIST
SP 800–172 Feb2021 are necessary to
adequately safeguard DoD information.
Acceptance of a small number of
DIBCAC High or Joint Surveillance
Program assessments to meet future
CMMC Level 2 assessment requirements
will reduce the initial demand for
C3PAO assessment. Only those DIBCAC
High Assessments completed prior to
the effective date of the rule are eligible
for standards acceptance to meet CMMC
Level 2 Certification requirements. The
DoD will enter CMMC Level 2
Certifications into eMASS for suitable
DIBCAC High Assessments, with a
validity period of 3 years from the date
of the original High Assessment. A
CMMC Final Level 2 certification
assessment is entered into eMASS by
the C3PAO following a successful (i.e.,
perfect score with no POA&Ms) joint
surveillance assessment against NIST SP
800–171 R2. It is not the result of a
CMMC Level 3 assessment but can be
provided as evidence that an OSC is
ready to initiate a CMMC Level 3
assessment.
Although Joint Surveillance is listed
as standards acceptance in 170.20(a)(1),
the details of this DCMA program and
any changes to it are beyond the scope
of this rule. A Joint surveillance is a
DCMA DIBCAC assessment and falls
under their purview. The CMMC office
understands that there is disparity
between what is assessed by a C3PAO
and the DIBCAC and that the guidance
information in the DoD Procurement
Toolbox is the driving factor. Since the
Procurement Toolbox is outside of the
scope of the 32 CFR part 170 CMMC
Program rule, it cannot be properly
addressed here or in the rule. With
CMMC the DoD utilizes a risk-based
approach in its allowance for POA&Ms,
gradient scoring for certain controls
(e.g., FIPS and MFA), temporary
deficiencies, and enduring exceptions.
DCMA DIBCAC assessors are trained
and qualified to conduct assessment
against NIST SP 800–171 R2 for the
DoD. DoD determined that C3PAOs
conducting assessments on other
C3PAOs introduced a significant
conflict of interest. Given the sensitivity
of the programs requiring Level 3
assessments, the DoD determined that
those assessments must be completed by
a DoD entity. The DoD declines to
respond to speculative or editorial
comments regarding DCMA DIBCAC
assessments.
The CMMC model (§ 170.14) only
incorporates requirements from FAR
clause 52.204–21, NIST SP 800–171 R2,
and NIST SP 800–172 Feb2021. C3PAOs
are only responsible for assessing the
requirements of § 170.17. DCMA
DIBCAC operates under different
authorities and can address all the
requirements of DFARS clause 252.204–
7012.
d. Validity Period for Standards
Acceptance
Comment: Two comments asked how
SPRS would be updated to reflect
CMMC Level 2 certification when based
on standards acceptance. One asked
whether that update would be
automatic. One comment asked whether
CMMC standards acceptance for
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00057
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83148
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
DIBCAC joint surveillance assessments
would result in certifications being
issued to the OSA by the C3PAO or by
DIBCAC.
Some comments, including those
from three industry associations,
objected to the start date for the 3-year
validity of CMMC certification based on
standards acceptance of prior DIBCAC
assessments. Those comments requested
the validity period begin with the
effective date of the 32 CFR part 170
CMMC Program rule. Along these lines,
another commenter asked whether
C3PAOs may certify an OSA based on
evidence of a perfect 110-scored
DIBCAC High Assessment. One
comment requested a 1-year extension
of the validity period to 4 years.
Response: The DoD has considered
the recommendation to modify the
validity period for certifications
resulting from standards acceptance and
declines to revise the rule text. It is
important that contractors maintain
security compliance for systems that
process, store, or transmit DoD CUI.
Given the evolving cybersecurity threat,
DoD’s best interests are served by
ensuring that CMMC Level 2
assessments remain valid for no longer
than a 3-year period, regardless of who
performs the assessment.
A C3PAO may not simply read the
DIBCAC assessment score in SPRS and
grant a completed CMMC Level 2
certification assessment. C3PAOs may
only submit certification assessment
results based on having conducted a
certification assessment. An OSA is free
to seek a C3PAO certification
assessment, but this would be
unnecessary, because a valid DIBCAC
High assessment with a 110 score will
automatically be converted in SPRS to
reflect a CMMC Final Level 2
certification assessment provided all
requirements of § 170.20(a)(1) are met. A
DIBCAC High assessment conducted
after the rule is effective is not eligible
for standards acceptance.
26. CMMC Requirements and
International Entities
a. Applicability to International Entities
Comment: Several public commenters
asked whether and how the CMMC rule
content would apply to foreign based or
international companies, either as
companies seeking to comply with
assessment requirements or as
companies seeking to participate in the
CMMC Ecosystem.
Some questions asked for
interpretation of requirements for
specific scenarios, such as how CMMC
requirements might affect Status of
Forces Agreements for DoD installations
overseas. Others asked about
application of flow-down requirements
to foreign subcontractors, including in
circumstances when DFARS clauses do
not apply or when international
agreements supersede application of
DFARS clause 252.204–7012. A few
comments asked how foreign or
multinational corporations with
facilities abroad can attain CAGE codes,
access SPRS, or meet other aspects of
CMMC requirements. Some asserted
that specific systems contractors need to
access, such as SPRS and PIEE, are not
designed to accommodate foreign
address formats and requested
modifications or alternative options to
facilitate submission of CMMC
affirmations. One commenter suggested
that assessment of foreign contractor
information systems should only be
conducted by the host country, and
asked whether foreign contractors
should be partially exempted from
CMMC requirements.
Response: CMMC Program
requirements are applicable when DoD
requires processing, storing, or
transmitting of either FCI or CUI during
performance of a DoD contract. CMMC
Program requirements would not apply
to a DoD Installation’s communication
with a Host Nation government on
matters related to the Installation.
CMMC program requirements apply to
all DoD contractors alike when contract
performance will require processing,
storing, or transmitting of FCI or CUI on
contractor-owned information systems.
This 32 CFR part 170 CMMC Program
rule does not permit partial exemption
of assessment requirements for foreign
contractors. Any discussion of
exemptions or deviations for foreign
businesses are outside the scope of the
32 CFR part 170 CMMC Program rule
and must be addressed through
government-to-government international
arrangements or agreements. Pathways
and timelines for achieving these
agreements are outside the scope of this
rule.
CMMC requirements apply to both
domestic and international primes and
flow down to subcontractors throughout
the supply chain if their information
systems process, store, or transmit FCI
or CUI. CMMC requirements are based
upon the type of information processed
and shared, regardless of where the
company is headquartered or operates.
Certification requirements for
subcontractors are addressed in
§ 170.23(a)(1) through (4). For additional
information about flow-down of
contractual requirements, see the 48
CFR part 204 CMMC Acquisition rule.
The CMMC process is the same for
international and domestic contractors
and subcontractors. International sub-
contractors must undergo a CMMC
assessment at the appropriate level to
demonstrate compliance with NIST SP
800–171 R2 requirements. All OSAs
must register in [https://sam.gov https://sam.gov, which
]has instructions for obtaining applicable
CAGE or NATO CAGE codes (NCAGE
codes).
Address data is not a required SPRS
data input for CMMC purposes.
Contractor address information is
required to obtain a CAGE code that,
along with a Unique Entity ID, is
required to register in SAM. SPRS
currently receives assessment
information from domestic and
international entities. International
organizations get CAGE codes in the
same manner that US organizations do,
including in some instances NCAGE
codes. CAGE codes are required for a
contractor to register for a user account
in Procurement Integrated Enterprise
Environment (PIEE) that provides
contractors access to SPRS and other
applications as necessary for DoD
contracts.
b. International Agreements
Comment: Several commenters asked
about procedures for establishing
recognition of other nations’
cybersecurity standards or assessment
programs as acceptable alternatives to
CMMC program requirements. Another
commenter noted the rule provides no
explicit recognition of existing
agreements between the DoD and other
nations related to information sharing
and defense procurement. They and
other commenters asked that the rule
identify a specific process for reaching
agreements related to CMMC program
requirements. Some of these
commenters identified specific foreign
cybersecurity programs and requested
that the DoD work toward reciprocal
recognition of their underlying
standards. One of these commenters
requested that DoD identify timelines
for establishing bilateral agreements.
In particular, the Canadian
counterpart for the CMMC program
expressed concern that Canadian
companies could be disadvantaged in
seeking CMMC certification and
requested the DoD consider establishing
a unified accreditation body for
Canadian and US C3PAOs.
Response: While the rule does address
application to foreign contractors and
ecosystem participants throughout,
these requirements may be superseded
by the terms and conditions of
applicable international arrangements or
agreements.
CMMC validates cybersecurity
requirements, as defined in FAR clause
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00058
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83149
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
52.204–21, NIST SP 800–171 R2, and a
selected subset of NIST SP 800–172
Feb2021, where applicable. These
cybersecurity requirements apply to
international and domestic companies
when included in a DoD contract. The
Department cannot speculate about the
arrangements of any international
agreement and how it may or may not
impact international partners, as these
arrangements are beyond the scope of
this 32 CFR part 170 CMMC Program
rule.
The DoD has designed CMMC
Program requirements to apply to those
contractors that bid for DoD work which
will require access to process, store, or
transmit FCI or CUI in a contractor
owned information system. A CMMC
certification assessment is portable in
the sense that it provides confidence
that the holder has been assessed by an
authorized third party for compliance
with the applicable security standards
(e.g., NIST SP 800–171 R2 or NIST SP
800–172 Feb2021). Once attained,
CMMC certification assessment status
may be presented for consideration by
any entity as an indicator that they have
implemented security requirements
associated with the certificate level (e.g.,
NIST SP 800–171 R2 or NIST SP 800–
172 Feb2021). Section 170.20 delineates
the only existing bases for accepting
alternate standards in this rule.- It is
beyond the scope of this rule to provide
a specific set of directions or guidance
on recognition for alternate
cybersecurity standards. Deviations
from DFARS clauses are also beyond the
scope of this rule.
Section 170.20 has been modified to
state that an OSC with a perfect score
from a prior DCMA DIBCAC High
Assessment aligned with the same
CMMC Level 2 Scoping may meet
CMMC Final Level 2 certification
assessment requirements via acceptance
of the prior DIBCAC assessment in lieu
of a C3PAO assessment. Standards
Acceptance does not refer to
international standards acceptance,
which is not described within the rule.
c. C3PAO, CCP, and CCA Requirements
Comment: In addition to the interest
in international agreements, some
commenters expressed concern about
CMMC ecosystem capacity to meet
demand for Level 2 certification. They
advocated support for accreditation of
non-U.S. based C3PAOs. One
commenter suggested that FOCI
requirements be deleted from the rule
and managed via DoD’s oversight of the
CMMC AB. One commenter speculated
the phased CMMC implementation plan
would require all non-U.S. firms to
comply simultaneously and
recommended that foreign contractors
be allowed additional time to comply.
Another recommended that foreign
companies be permitted to simply self-
assess in lieu of obtaining a CMMC
Level 2 certification assessment.
Several commenters asked about
foreign nationals participating in the
CMMC ecosystem and noted
discrepancies between qualifications
identified in the rule and content on the
CMMC AB’s website at the time of rule
publication. These commenters
expressed interest in the ability for
foreign citizens to become CCAs, CCPs,
and LTPs (a term no longer used in the
rule).
One commenter presumed that only
U.S.-based Cloud Service Providers
(CSPs) may become FedRAMP
authorized, and asserted a need to
authorize or accredit foreign-based CSPs
that foreign DIB contractors might use
while still achieving CMMC
compliance. Another asked how foreign
small businesses can comply with
CMMC without access to U.S. approved
CSPs. One commenter asked for
guidance on how to get foreign products
and services, such as encryption and
decryption mechanisms, approved for
use in information systems that require
CMMC assessment. One commenter
suggested that the CMMC program
permit assessment by C3PAOs and
assessors accredited in accordance with
other ISO/IEC standards than those
identified in this rule. They cited ISO/
IEC 27001 or 9901 as suitable alternate
ISO/IEC standards.
Response: The DoD declines to delay
CMMC Program implementation for
non-U.S. organizations. International
businesses will not receive special
accommodations because the CMMC
Program’s phased implementation will
impact both U.S. and non-U.S. defense
contractors equally. The
implementation plan described in the
rule does not promote or prioritize
certification assessments of any
contractor over any other contractor. All
companies, regardless of location or
nationality, will have access to any
authorized C3PAO. The rule does not
preclude non-U.S. citizens or foreign-
owned C3PAOs from operating in the
U.S. Additionally, U.S. owned C3PAOs
may operate in a foreign nation.
As stated in the rule, C3PAOs must
meet the criteria in § 170.9. Non-U.S.
organizations and employees that meet
all the requirements in §§ 170.9 and
170.11 will not be prohibited from
operating as a C3PAO within the U.S. or
abroad. A list of authorized C3PAOs is
available on the current CMMC AB
marketplace. DoD does not concur with
the recommendation to delete
§ 170.9(b)(5) content identifying FOCI
requirements. Those details for
complying with FOCI are necessary for
understanding the requirement.
Some commenters noted differences
between the rule content and
information on the CMMC AB website.
The CMMC AB is part of the public and
had no access to advance information
prior to publication of the proposed
rule. The rule takes precedence in the
event of any discrepancy with CMMC
AB materials.
The document ‘Career Pathway
Certified Assessor 612’, dated 2020, has
been replaced by a regularly updated
DoD Cyberspace Workforce Framework
[https://public.cyber.mil/dcwf-work-role/security-control-assessor/ which may be found at https://
public.cyber.mil/dcwf-work-role/
security-control-assessor/. Intermediate
]and Advanced Foundational
Qualification Options in the DoD
Cyberspace Workforce Framework’s
Security Control Assessor (612) Work
Role are available to foreign nationals.
The rule has been updated to reflect this
reference update.
A domestic or international business
seeking a contract that contains DFARS
clause 252.204–7012, and using a cloud
service provider to process, store, or
transmit covered defense information in
performance of that DoD contract, must
ensure that the CSP meets FedRAMP
authorization or equivalency
requirements. As the FedRAMP program
and FedRAMP equivalency are available
to international organizations, foreign
entities do not need to develop their
own FedRAMP program. FedRAMP
authorization or equivalency is also
available to small businesses. The DoD
leverages the FedRAMP program to
implement requirements for the
adoption of secure cloud services across
the Federal Government and provide a
standardized approach to security and
risk assessment for cloud technologies.
Export controlled goods and ITAR are
outside the scope of the 32 CFR part 170
CMMC Program rule.
The process for identifying specific
products or services that may meet NIST
security requirements is beyond the
scope of this rule. CMMC program
requirements are unrelated to evaluation
or approval of encryption or decryption
products manufactured by foreign
information security companies.
DoD considered many alternatives
before deciding upon the current CMMC
structure. Alternative methods of
assessment have proven inadequate and
necessitated the establishment of
CMMC. DoD declines to accept the
recommendation of an alternate path to
C3PAO accreditation.
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00059
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83150
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
27. Impact to Small Businesses
a. Funding the CMMC Program
Comment: One comment asserted that
the rule does not address CMMC
program funding, affordability, and
sustainability. They recommended the
DoD conduct and publish a
comprehensive cost assessment for each
level of CMMC certification and explore
ways to reduce the financial burden on
contractors.
Response: DoD included an analysis
of costs to meet CMMC requirements in
the regulatory impact analysis for this
rule.
As described in the estimate included
with the rule, the major cost categories
for compliance with CMMC
requirements are anticipated to include
costs for completing a self-assessment
(e.g., Level 1 or 2); costs to prepare for
and undergo C3PAO assessment (Level
2); costs required to implement the
Level 3 security requirements and for
preparing to undergo DCMA DIBCAC
assessment (Level 3). All of these except
the market costs of a C3PAO are
controlled by the organization seeking
assessment. Market forces of supply and
demand will determine C3PAO pricing
for CMMC Level 2 certification
assessments.
Analysis of costs to meet CMMC
requirements is provided in the
regulatory impact analysis for this rule.
The CMMC rule does not make any
change to cost allowability as defined in
the FAR 31.201–2 Determining
Allowability. Verifying compliance with
applicable security requirements may
increase cost and is necessary for the
protection of DoD CUI. With the revised
CMMC, the DoD has streamlined
requirements to align directly to NIST
guidelines and has eliminated unique
security practices to ease the burden on
smaller companies. DoD must enforce
CMMC requirements uniformly across
the Defense Industrial Base for all
contractors and subcontractors who
process, store, or transmit CUI. The
value of information (and impact of its
loss) does not diminish when the
information moves to contractors and
subcontractors. The DoD declines to
speculate about how OSCs and C3PAOs
negotiate mutually acceptable terms and
conditions for assessment agreements.
The DoD declined to modify the
estimates, which are intended to be
representative and to inform
rulemaking.
b. Disproportionate Cost Burden
Comment: Many comments
emphasized the importance of small
business to the DoD contracting
environment and expressed the concern
that increased cost burden on small
companies will result in an anti-
competitive barrier to entry.
Specifically, commenters state the lack
of in-house security resources, inability
to amortize costs, upfront costs to
comply with CMMC Level 1 and 2
without guaranteed contracts, keeping
pace with requirements changes, paying
market rates for C3PAO assessments,
and obtaining ‘‘perfect’’ compliance
with requirement or assessment
objectives may not be affordable or may
cause unacceptable enterprise
disruption. One comment asserted that
the DoD is not considering additional
costs to small- and medium-sized
businesses (SMBs) for ongoing
compliance. One comment stated the
cost of entry for a new SMB may be
insurmountable even with cost
recovery. One comment suggested
‘‘right-sizing’’ CMMC by tailoring
security requirements based on business
size and number of employees.
Additionally, one comment asserted
that small businesses would be unfairly
punished while large, legacy primes
would lobby and get waivers.
Two comments noted that CMMC will
increase costs, perhaps doubling annual
IT and security spending, ultimately
passing the cost to customers, the
government and the taxpayer and asked
how the DoD plans to deal with price
increases from subcontractors and
primes. One comment suggested the
DoD pay contractor employees to learn
to cyber defend rather than pay auditor
assessment costs.
Response: The DoD concurs with
commenters’ assessment of the
importance of small businesses to the
DoD. The DoD has streamlined CMMC
requirements to align directly to NIST
guidelines and has eliminated unique
security practices to ease the burden on
smaller companies. In recognition of the
cyber threat both to DoD and to the DIB,
CMMC Program requirements are
designed to ensure compliance with
existing standards for protection of FCI
and CUI. These cybersecurity
requirements align directly to NIST
guidelines (i.e., NIST SP 800–171 R2
and NIST SP 800–172 Feb2021) and the
basic safeguarding requirements (FAR
clause 52.204–21) that apply to all
executive agencies.
The analysis of costs to meet CMMC
Level 1 and 2 requirements are provided
in the Regulatory Impact Analysis
published with this rule. Note that
certification is never required for CMMC
Level 1, which is a self-assessment
requirement. CMMC Level 2 may either
be met via self-assessment, or via
certification following a C3PAO
assessment, depending on the specific
requirement cited in the solicitation.
Some comments appeared to reference
costs to meet the requirements of
existing DFARS clause 252.204–7012.
Please refer to 81 FR 72990, October 21,
2016, for DoD’s final rule implementing
the DoD’s requirement that ‘‘contractors
shall implement NIST SP 800–171 as
soon as practical, but not later than
December 31, 2017.’’
The cost estimates for SMBs represent
average derived estimates based on
internal expertise and public feedback
in accordance with OMB Circular A–4.
The size and complexity of the network
within scope of the assessment impacts
the estimates as well.
The DoD has streamlined CMMC
requirements to align directly to NIST
guidelines and has eliminated unique
security practices to ease the burden on
smaller companies. In addition, CMMC
Level 1 and select CMMC Level 2
requirements are now met via self-
assessment, which reduces burden to
small businesses.
The CMMC program incorporates
flexibility with the use of self-
assessment, POA&Ms, and waivers.
Since December 2017, DFARS clause
252.204–7012 has required contractors
to implement the NIST SP 800–171
security requirements to provide
adequate security applicable for
processing, storing, or transmitting CUI
in support of the performance of a DoD
contract. OSAs that are currently
attesting that they meet DFARS clause
252.204–7012 should not have difficulty
successfully achieving a Level 2 self-
assessment.
Some comments received lacked
relevance to the rule’s content, which is
limited to specific CMMC Program
requirements. The DoD declines to
address speculation about lobbying
activities. Verifying compliance with
applicable security requirements may
increase financial cost to the DoD due
to increased contract costs but it is
necessary for the protection of DoD CUI.
The cost of lost technological advantage
over potential adversaries is greater than
the costs of such enforcement. The
value of information (and impact of its
loss) does not diminish when the
information moves to contractors.
The trade-off is between protecting
sensitive information from our nation’s
adversaries and accepting the fact that
security costs increase for numerous
reasons. Many of those cost-drivers are
completely independent of CMMC.
While CMMC compliance adds to an
organization’s cost, no member of the
DIB can assume the status-quo in
today’s ever-changing cyber security
environment. Increasing costs to protect
the nation’s data and industries from
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00060
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83151
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
emerging threats is simply a component
of doing business anywhere in the
world. Processing, storing, or
transmitting sensitive Government
information comes with a handling cost
that needs to be built into each
organization’s business model.
Some comments included suggestions
about how workflow should occur
between prime and subcontractors to
decrease or eliminate the transfer of CUI
to subcontractors. The DoD cannot
dictate these business practices but
encourages prime contractors to work
with its subcontractors to flow down
CUI with the required security and the
least burden. Questions regarding what
to mark as CUI are out of scope of this
rule. At the time of award, the DoD may
have no visibility into whether the
awardee will choose to further
disseminate DoD’s CUI, but DFARS
clause 252.204–7012 and DFARS clause
252.204–7021 require that the prime
contractor to flow down the information
security requirement to any
subcontractor with which the CUI will
be shared. Decisions regarding which
DoD information must be shared to
support completion of which
subcontractor tasks takes place between
the prime contractor and the
subcontractors chosen to complete the
specific tasks.
c. Phasing the Cost To Comply
Comment: Two comments suggested a
phased compliance would help offset
financial burden while working toward
full compliance. One comment
expressed concern that Managed Service
Providers (MSPs), many of which are
small businesses, will not have time to
achieve Level 2 certification before their
OSA and OSC customers need them to
be certified and recommended
extending the phased timeline.
Several comments stated that
recouping compliance costs could take
years, forcing SMBs into financial debt,
contract termination, and exclusion
from the market for DoD contracts. One
commenter expressed concern about
implementation of CMMC as a
condition of contract award and the
implication that compliance costs are
incurred prior to receiving a DoD
contract.
Response: DoD declined to implement
a small entity specific ‘‘phased
compliance’’. Since December 2017,
DFARS clause 252.204–7012 has
required contractors to implement the
NIST SP 800–171 security requirements
to provide adequate security applicable
for processing, storing, or transmitting
CUI in support of the performance of a
DoD contract.
DoD received numerous comments
about the use of ESPs, including MSPs,
which do not process, store, or transmit
CUI. In response to comments, the DoD
has reduced the assessment burden on
External Service Providers (ESPs). ESP
assessment, certification, and
authorization requirements in
§§ 170.19(c)(2) and (d)(2) have been
updated. ESPs that are not CSPs and do
NOT process, store, or transmit CUI, do
not require CMMC assessment or
certification. Services provided by an
ESP are in the OSA’s assessment scope.
CMMC has taken several steps to keep
the cost of compliance with the rule
commensurate with the risk to the
DoD’s information. Level 1 only requires
self-assessment, and many contracts
with CUI will only require a Level 2
self-assessment. Companies that
currently attest that they meet DFARS
clause 252.204–7012 should not have
difficulty completing a Level 2 self-
assessment. In accordance with the
rulemaking process, this rule was
reviewed by both DoD cost analysts and
OMB economists for realism and
completeness.
This is a 32 CFR part 170 CMMC
Program rule, not an acquisition rule.
The 48 CFR part 204 CMMC Acquisition
rule will address implementation of
CMMC as it pertains to DoD contracts.
d. Detailed Cost Analysis
Comment: A few comments suggested
a detailed cost analysis should consider
SMBs of various sizes, types, and
challenges to ensure compliance is
sustainable. One comment asked
whether a profit margin analysis was
performed, while another asserted that
other third-party assessments are less
expensive than the estimates for CMMC
assessment. Another stated CMMC
Level 3 cost estimates are too low and
suggested using costs associated with
SECRET-level networks for calculation.
Response: The DoD provided an
analysis of costs to meet CMMC Level
1 and 2 requirements in the regulatory
impact analysis for this rule. The cost
estimates provided for this rule
represent average costs for companies to
comply with CMMC requirements,
including the need for self-assessment
or independent assessment against the
specified standards. Comparing costs
with other third-party security audits
presumes that the security and
assessment requirements are identical,
and DoD disagrees with that
assumption.
The DoD declined to produce another
cost estimate for CMMC assessment and
certification. As required by the
Rulemaking Guidance, the DoD
provided cost estimates and impact
analyses in the proposed rule. The
analysis included estimated costs for
each level and type of assessment or
certification for different sized
contractor businesses. The cost
estimates did not include an analysis of
profit margins, which is not required.
This rule also does not provide the cost
analysis for all actions, personnel, and
security measures required to protect
CUI information, data, systems, and
technical products through the life cycle
of the work and data generated. The cost
estimates represent derived estimates
based on internal expertise and public
feedback in accordance with OMB
Circular A–4.
Market forces of supply and demand
will determine C3PAO pricing for
CMMC Level 2 certification
assessments. The size and complexity of
the network within scope of the
assessment impacts the costs as well.
CMMC Level 3 assessments against the
NIST SP 800–172 Feb2021 baseline are
performed free of cost by DoD assessors,
which reduces the cost of CMMC Level
3.
The costs associated with a
government-owned SECRET-level
network are not relevant to the CMMC
Program which ensures protection of
FCI and CUI.
e. Assistance Programs or Other Relief
Comment: Several commenters
proposed that financial assistance,
contract incentives, direct
reimbursement of assessment costs (in
whole or in part), and market rate price
caps be considered to lessen financial
burden and decrease the entry barrier
for SMBs. Several comments also
inquired about DoD SMB grant
programs to help SMBs cover the cost of
CMMC Level 2 certification
assessments.
Multiple comments suggested DOD
provide actionable guidance through
outreach support and assistance along
with free or reduced cost cybersecurity
services to SMBs, with two referencing
the DoD Office of Small Business
Programs and one the DoD Procurement
Toolbox. One comment, from a large
business with SMB suppliers, requested
clearer guidance and support for flow
down to sub-tier suppliers and SMB
supply chains.
One comment stated firms who
receive a low number of CUI documents
(30 docs in 3-years on 10 computers) do
not justify the cost of becoming CMMC
compliant, and added the cost is nearly
as much as protection for classified
documents. One commenter suggested
NIST SP 800–171 R2 security
requirements would not apply to their
specific characteristics, i.e., a very small
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00061
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83152
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
business with minimal internet
connectivity, no remote access, no
public access, no mobile devices, no
remote work, and no known
cybersecurity issues. The comment
asserted that the company posed
minimal risk to CUI and should be
excused from adhering to CMMC
program requirements based on cost
burden.
One comment proposed eliminating
third party assessment costs and relying
only on self-certification to address the
cost burdens. One comment noted that
free market pricing and a short supply
of C3PAOs combined with excessive
waiting times may result in SMB
attrition.
Response: It is not within in scope of
this rule to address how companies
recover assessment costs. The CMMC
rule makes no change to the cost
allowability parameters described in
FAR 31.201–2 Determining
Allowability.
Contractors are required to comply
with all terms and conditions of DoD
contracts, to include terms and
conditions relating to cybersecurity
protections and assessment
requirements, as implemented by this
rule. This holds true when a contract
clause is flowed down to
subcontractors.
Several of the commenters’
recommendations have potential benefit
for the contractor and sub-contractor
communities; however, they are beyond
the scope of the rule. These
recommendations included creation or
expansion of:
grants and assistance programs,
financial support for small business, the
DoD [Procurement] Toolbox, the DoD
Office of Small Business Programs,
contract incentives and free or reduced
cost DoD cybersecurity services.
DoD understands the burden on small
business. Nonetheless, DoD must
enforce CMMC requirements uniformly
across the Defense Industrial Base for all
contractors who process, store, or
transmit CUI. The requirements
necessary to protect a single document
are the same as to protect many
documents, therefore scaling by amount
of CUI expected is not a viable
approach.
Solicitations for DoD contracts that
will involve the processing, storing, or
transmitting of FCI or CUI on any
nonfederal system, regardless of the size
or configuration of the nonfederal
system, will specify the required CMMC
Level (1, 2 or 3) and assessment type
(self-assessment or independent third-
party assessment). That requirement
applies, regardless of the number of
computers or components in a
nonfederal information system.
DoD’s original implementation of
security requirements for adequate
safeguarding of CUI relied upon self-
attestation by contractors. Since that
time, the DoD Inspector General and
DCMA found that contractors did not
consistently implement mandated
system security requirements for
safeguarding CUI and recommended
that DoD take steps to assess a
contractor’s ability to protect this
information.
All contactors or sub-contractors with
access to CUI need to be capable of
protecting that information to the
standard specified in 32 CFR part 2002.
If a small business cannot comply with
DFARS clause 252.204–7012 and NIST
SP 800–171 R2, then that business
should not be processing, storing, or
transmitting CUI. DoD’s programs,
technological superiority, and best
interests are not served if CUI is not
consistently safeguarded by all who
process, store, or transmit it.
28. Perceived Cost of CMMC Program
Comment: Several comments
expressed disagreement with
assumptions supporting the cost
estimate, namely that implementation
costs to comply with the requirements
of FAR clause 52.204–21 and DFARS
clause 252.204–7012 predate and are
not included as CMMC costs. These
comments assert that the cost of CMMC
compliance should include those costs,
and therefore dwarfs the cost of CMMC
certification. They further assert that
DoD’s position does not account for
those contractors who have only
recently joined the DIB marketplace or
those that aspire to do so. The concern
expressed in the comments is that the
cost of standing up an infrastructure to
achieve and maintain DoD cybersecurity
requirements regarding the protection of
FCI and CUI, combined with CMMC
assessment costs, is prohibitive and will
create a lack of diverse suppliers.
Two commenters asserted the CMMC
Program expanded application of
DFARS clause 252.204–7012
requirements due to a perceived
extension of those requirements to
additional organizations, such as
External Service Providers (ESPs). One
of the commenters further speculated
that CMMC requirements may decrease
the availability of ESPs that are
available and suitable to support DIB
members as needed to comply with
CMMC requirements. Another
commenter stated that this scope
expansion increases direct
implementation and compliance costs
above and beyond the CMMC Program’s
estimated assessment costs. The
comment cites the introduction of the
terms ‘‘Security Protection Assets’’ and
‘‘Security Protection Data’’ as extending
applicability of those requirements and
incurring the additional direct
implementation and compliance costs.
Lastly, the comment notes these changes
will drive costs to ‘‘rip and replace’’
existing tools and likely purchase more
expensive FedRAMP or CMMC-certified
tools.
One comment indicated that, while
compliance with NIST SP 800–171 was
required by December 31, 2017,
compliance with NIST SP 800–171A
Jun2018 increases requirements and
cost because NIST SP 800–171A
Jun2018 emphasizes process and
documentation in addition to the intent
of the security requirement.
Two comments pointed out that some
contractors may need to accelerate
remediation efforts and close out
POA&Ms under existing DoD contracts
that are subject to DFARS clause
252.204–7012 to meet CMMC
requirements. These comments
requested that since these contractors
will now be faced with accelerating
close-out of their POA&Ms, which will
incur additional costs, that DoD account
for those costs in the estimate and
potentially allow for recovery of those
costs.
One comment asserts that CMMC
assessment failures, remediation
implementation, and subsequent
reassessments will be very costly in
both time and money.
Response: 81 FR 72990, October 21,
2016 implemented the DoD’s
requirement that ‘‘contractors shall
implement NIST SP 800–171 as soon as
practical, but not later than December
31, 2017.’’ Public comments related to
costs for implementation were
published with that final rule, along
with DoD’s responses. CMMC cost
estimates are derived estimates based on
internal expertise and public feedback
in accordance with OMB Circular A–4
and are representative of average
assessment efforts not actual prices of
C3PAO services available in the
marketplace. Market forces of supply
and demand will determine C3PAO
pricing for CMMC Level 2 certification
assessments and how C3PAOs choose to
distinguish their service offerings from
other C3PAOs, including the timely
availability of an assessment team, or re-
assessments after an assessment failure.
The size and complexity of the network
within the scope of the assessment
impacts the costs as well. The DoD
declines to speculate about how OSCs
and C3PAOs negotiate mutually
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00062
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83153
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
acceptable terms and conditions for
assessment agreements.
OSA implementation of the
requirements of FAR clause 52.204–21
and DFARS clause 252.204–7012 long
predate CMMC and are not included in
CMMC cost estimates, since those
requirements are not driven by or
attributable to CMMC, even for new or
aspiring defense contractors, and have
been in force since 2017 on DoD
contracts that include the processing,
storing, or transmitting of FCI or CUI in
the performance of a DoD contract. The
DoD has taken measures to make a self-
assessment as straight forward as
possible and provided guidance to
mitigate any variance in assessment
scores. Additionally, the DoD has
streamlined CMMC requirements to
align directly to NIST guidelines and
has eliminated unique security practices
to ease the burden on smaller
companies. DoD must enforce CMMC
requirements uniformly across the
Defense Industrial Base for all
contractors and subcontractors who
process, store, or transmit CUI. Creation
of a grants and assistance programs are
beyond the scope of this rule. DFARS
clause 252.204–7012 requires protection
of security protection assets and
security protection data. Section 1.1 of
NIST SP 800–171 R2 states: ‘‘The
requirements apply only to components
of nonfederal systems that process,
store, or transmit CUI, or that provide
security protection for such
components.’’ There is therefore no
increase in the scope as described in the
rule.
Security protection data requires
protection commensurate with the CUI
it protects and is based on how and
where the security protection data is
stored. The FedRAMP requirements for
handling security protection data is
therefore the same as that for handling
CUI. Any impact to the cost of serving
Government customers across the DoD
is beyond the scope of this rule.
As NIST states in NIST SP 800–171A
Jun2018, ‘‘The assessment procedures
are flexible and can be customized to
the needs of the organizations and the
assessors conducting the assessments.
Security assessments can be conducted
as self-assessments; independent, third-
party assessments; or government-
sponsored assessments and can be
applied with various degrees of rigor,
based on customer-defined depth and
coverage attributes.’’ CMMC Program
requirements are designed to ensure
compliance with existing standards for
protection of FCI and CUI and align
directly to NIST guidelines (i.e., NIST
SP 800–171 R2 and NIST SP 800–172
Feb2021) and the basic safeguarding
requirements (of FAR clause 52.204–21)
that apply to all executive agencies. The
rule accounts for costs associated with
assessment via NIST SP 800–171A
Jun2018.
Within the limitations of section
§ 170.21 Plan of Action and Milestones
Requirements, offerors may bid on a
contract while continuing to work
towards full CMMC compliance. DoD
rejects the notion that organizations
must ‘‘accelerate’’ to meet a requirement
in place since 2017. DoD did not intend
nor expect that POA&Ms would remain
open-ended and unimplemented for
years.
The DoD provided an analysis of costs
to meet CMMC Level 1 and 2
requirements in the regulatory impact
analysis for this rule. Certification is
never required for CMMC Level 1,
which is a self-assessment requirement.
CMMC Level 2 may either be met via
self-assessment, or via a C3PAO
assessment, depending on the specific
requirement cited in the solicitation. It
is not within in scope of this rule to
address the way companies recover
assessment costs.
Verifying compliance with applicable
security requirements may increase cost
and is necessary for the protection of
DoD FCI and CUI. The cost of lost
technological advantage over potential
adversaries is greater than the costs of
such enforcement.
29. CMMC Benefits and Cost Estimates
a. Cost Estimate Assumptions
Comment: Some comments proposed
the DoD directly assume the costs for
industrial base compliance, increase
contract award prices, offer grants and
loans, or provide tax credits to offset the
costs associated with compliance. One
asked for clarification regarding
allowable versus unallowable costs. One
comment stated the cost estimate was a
good guesstimate of the total cost to the
USG, but the flow down costs and the
price of doing business will be at the
Program Office level. The commenter
requested the DoD provide a table of
Program Office funding requirements to
aid Program Managers in reflecting
CMMC costs in an Acquisition Strategy
and Cost Analysis Requirements
Document (CARD).
A few comments asked about the
assumptions used to estimate numbers
of assessments by category and stated
the labor rates for ESPs and C3PAOs
were too low, and costs associated with
small entities were incorrect. Two
comments also suggested the number of
hours estimated for self-assessment are
too low, and three questioned the
accuracy of small and medium sized
business labor rates and asserted that
the assessment costs for small
businesses were not sustainable. One
comment suggested that cost data in
existing/past contracts should be used
as a part of CMMC cost analysis and
Section H costs should apply to the
current CMMC cost estimate.
One comment claimed it is cost
prohibitive for individuals to obtain a
CCP or CCA certification, which will
hamper the CMMC Program’s
scalability.
One comment requested the
government elaborate on how the
estimated 417.83 hours per response
was derived for table 39, C3PAOs Level
1 Certification and Assessment, in
section § 170.17(a). Another comment
asserted that assessments conducted by
Defense Technical Risk Assessment
Methodology (DTRAM) assessment
teams require more manhours than are
anticipated for CMMC certification
assessments.
One comment stated that while DoD
included an estimate for annual senior
official affirmations in the Regulatory
Impact Analysis, it assumed a minimal
number of hours will be required to
complete this task which may not be
adequate to complete a full compliance
review.
One comment stated the DoD self-
assessment resource allocations for an
ESP for both CMMC Level 1 and Level
2 are estimated 125% to 175% too low
based on the belief that a self-
assessment should have more rigor than
a gap analysis. Specifically, the
commenter posed questions on what
inputs from potential OSAs were used
and identifying the rigor a Certifying
Official would require for attestation.
Recommendations include that the DoD
clearly state its assumptions regarding
self-assessment rigor, have OSA legal
counsel review assumptions and cost
factors, and identify a representative
cross-section of stakeholders to
determine appropriate rigor
assumptions for company’s ESPs and
new to CMMC self-assessments.
One comment stated that the DoD’s
assumptions for the level of effort
expressed as Director and staff IT
specialist hours are too low. Although
there are continuous monitoring
requirements of NIST 800–171 R2, those
requirements do not invoke the level of
effort necessary for an executive to make
an attestation corresponding to the level
of personal risk and corporate liability
incurred under the False Claims Act.
The comment asserted that DoD’s
assumptions failed to account for an
SMB to acquire and manage technical
tools or manage the reaffirmation or an
enterprise change management effort.
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00063
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83154
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
The comment included several
questions regarding the inputs used to
determine lack of ongoing management
resource requirements for reaffirmation,
a risk management application, and
inputs across the DIB regarding the level
of assurance needed for affirmations to
address liability concerns with the False
Claims Act. Another recommendation
suggested the DoD clearly state the
degree of rigor an OSA should assume
and revisit the cost assumptions
involved to provide the Entity official
with assurance for reaffirmation.
One commenter reviewed the CMMC
AB’s draft CMMC Assessment Process
(CAP) document and agreed that 120
hours for a C3PAO’s three-person team
inclusive of Phases 1, 2 and 3 is
appropriate for smaller companies and
should be considered a lower bound for
C3PAOs deployed resources but
suggested the 156 ESP assessment hours
should be decreased.
One comment highlighted the
following rule text, ‘‘The total estimated
Public (large and small entities) and
Government costs associated with this
rule, calculated in over a 20-year
horizon in 2023 dollars at a 7 percent
discount rate and a 3 percent discount
rate are provided as follows,’’ and asked
how an organization could become
eligible for the 7% discount.
One comment proposed DOD remove
CMMC Level 1, or defer CMMC Level 1
implementation for several years, since
it does not involve CUI. The comment
stated CMMC Level 1 cost estimations
and burden of compliance in the rule
were greatly understated, that few
companies subject to this CMMC level
have any idea what is expected of them,
and most will struggle with financial,
technical, and human resources.
Though FAR clause 52.204–21 is widely
used in Federal contracts, it has not
been successfully communicated that
NIST SP 800–171A Jun2018 will be
used. The comment concludes stating
CMMC Level 1 does not include CUI,
therefore making cost and compliance
an excessive demand.
Response: Subsidizing costs for the
defense industrial base compliance is
not within the scope of this rule. The
rule has taken several steps to keep the
cost of compliance with the rule
commensurate with the risk to the
DoD’s information. In addition, Level 1
only requires self-assessment, and many
contracts with CUI will only require a
Level 2 self-assessment. Companies that
are currently and validly attesting that
they meet DFARS clause 252.204–7012
should not have difficulty passing a
Level 2 self-assessment.
Cost estimates provided in this rule
were based on internal expertise,
compliant with OMB Circular A–4, and
informed by public feedback. Certain
elements of the estimated costs will be
influenced by market forces of supply
and demand, which will determine
C3PAO pricing for CMMC Level 2
certification assessments.
The number of assessments over the
phase-in period were estimated using
data from the Electronic Data Access
system for the contracts containing
DFARS clause 252.204–7012 in fiscal
years 2019, 2020, and 2021, as well as
data calculated for the initial CMMC
Program. This data was used in
combination with an expected growth
factor to estimate DoD contracts and
orders in the future. Data also showed
the number of awards that were made to
small entities and other than small
entities. The resulting estimate was
phased in over 7 years to allow the
ecosystem to grow and accommodate an
increasing number of assessments.
The assumptions and analysis of costs
are provided in the regulatory impact
analysis for this rule and are explained
in depth. One of the assumptions is that
Non-Small Entities have a team of full-
time cybersecurity professionals on staff
while Small Entities do not. The
assumptions reflect Small Entities will
likely obtain support from External
Service Providers and have a staff
member submit affirmations and SPRS
scores for self-assessments (when
applicable).
DoD included an analysis of costs to
meet CMMC requirements in the
regulatory impact analysis for this rule.
As described in the estimate included
with the rule, the major cost categories
for compliance with CMMC
requirements are anticipated to include
costs for completing a self-assessment
(e.g., Level 1 or 2); costs to prepare for
and undergo C3PAO assessment (Level
2); costs required to implement the
Level 3 security requirements and for
preparing to undergo DCMA DIBCAC
assessment (Level 3). Market forces of
supply and demand will determine
C3PAO pricing for CMMC Level 2
certification assessments. The CMMC
rule does not make any change to cost
allowability as defined in the FAR
31.201–2, Determining Allowability.
As addressed in the Assumptions
section of the Regulatory Impact
Analysis (RIA), the cost estimates for
CMMC Levels 1 and 2 are based only on
the assessment, certification, and
affirmation activities that a defense
contractor, subcontractor, or ecosystem
member must take to allow DoD to
verify implementation of the relevant
underlying security requirements. For
CMMC Level 3, cost estimates to
implement applicable security
requirements are included as they are a
new addition to current security
protection requirements. Section H costs
of existing/past contracts do not apply.
CCP and CCA certification costs are
set by the CAICO and are market driven.
The hours used in the cost estimations
are based on estimates by subject matter
experts. The 417.83 hours per response
questioned by the commentor ties to
C3PAO reporting and recordkeeping
requirements for Level 2 certification
assessment on small entities as
identified in table 36, not Level 1 or
table 39 as stated in the comment.
In response to public comments
received in the initial 48 CFR CMMC
interim final rule public comment
period, DoD streamlined the CMMC
model to ease the assessment burden. At
the same time, estimates were increased
for the time and cost of self-assessment
based on industry and DIBCAC input.
DoD estimates are based on defendable
assumptions and documented labor
rates. Therefore, DoD declines to modify
the self-assessment estimates.
The DoD has streamlined CMMC
requirements to align directly to NIST
guidelines and eliminated unique
security practices to ease the burden on
smaller companies, included an analysis
of costs to meet CMMC requirements in
the regulatory impact analysis for this
rule. The DoD declined to modify the
estimates, which are intended to be
representative and to inform
rulemaking.
Verifying compliance with applicable
security requirements may increase cost
and is necessary for the protection of
DoD CUI. The cost of lost technological
advantage over potential adversaries is
greater than the costs of such
enforcement. The value of information
(and impact of its loss) does not
diminish when the information moves
to contractors.
DoD rejected the recommendation to
adjust the annual requirement for senior
affirmations to a triennial requirement
to decrease senior affirmation costs. The
requirement for annual affirmations is to
ensure the Affirming Official
responsible for CMMC requirements are
monitoring compliance with the
requirements. If compliance is being
maintained as required, this should not
require more time or cost than provided
in the estimates. Further, DFARS clause
252.204–7012 already requires NIST SP
800–171 continuous monitoring via
requirement 3.12.3. DoD also declined
to make the recommended edits to
further delineate a company’s internal
review of self-assessments and
reaffirmations in the cost assumptions.
The cost estimates provided for this
rule represent average costs for
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00064
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83155
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
companies to comply with the CMMC
requirement, including the need for self-
assessment or independent assessment
against the specified standards. Whether
the OSA elects to satisfy those
requirements themselves, or by using
one ESP for many requirements, or by
using several ESPs for individual
requirements, is a decision to be made
by the OSA. That decision does not
change DoDs estimate of average costs to
meet CMMC requirements. The DoD
declined to recalculate cost estimates
using lower costs for ESP assessments.
The 7% discount rate is not a
discount for organizations. The discount
rate is a part of a formula used in a
business impact analysis calculation.
When calculating 20 years in the future,
a discount rate is used to determine the
net present value of money. Discount
rates are explained in step seven of
OMB Circular A–4: Regulatory Impact
Analysis: A Primer. The DoD does not
agree with the commenter’s assertion
that the cost estimates greatly understate
the costs and burden to Level 1
compliance. The 15 FAR security
requirements that comprise CMMC
Level 1 should already have the
requirements implemented if an OSA
network processes, stores, or transmits
FCI. In addition to NIST SP 800–171A
Jun2018, the CMMC Level 1 Assessment
Guide provides supplemental
information to help facilitate
implementation and assessment of the
Level 1 security requirements.
b. Economic Impact
Comment: One comment suggested
the government evaluate the economic
impact of implementing the rule’s
reporting requirements at scale. Another
comment expressed the notion that the
cost impact analysis does not account
for the free market response, referring to
the associated cost increases and
schedule delays that directly impact the
warfighter and taxpayer. The
commentor suggested the cost could
dwarf both the cost of implementing
compliance and achieving certification.
One comment stated the CMMC Level
2 and Level 3 cost burdens for
companies that were historically never
subjected to such requirements may be
disproportionate to the risk their
operations pose to the inadvertent
disclosure of CUI or FCI. It suggested
ensuring requirements be proportional
to the subcontractor’s activity and risk
levels. The comment further mentioned
that costs may be passed on to the prime
contractor, and DoD should consider
providing recovery costs in the price of
implementation.
One comment stated the 100%
compliance to CMMC Level 2
certification may be financially
unachievable and suggests if a risk
assessment shows the likelihood of
harm is comparatively low, the DoD
should direct CMMC Program assessors
to use their professional judgments and
not require seeking maximum evidence
of compliance where there is evidence
of sufficiency.
Response: The DoD has already
evaluated the reporting requirements
and the analysis of the costs is provided
in the Regulatory Impact Analysis
published with this rule. The DoD
declined to respond to speculative or
editorial comments about downstream
impacts of the market’s reaction to
CMMC, all of which are beyond the
scope of this rule.
The DoD declined the
recommendation to restructure CMMC
to be proportional to the subcontractor’s
activity and risk levels. DoD must
enforce CMMC requirements uniformly
across the Defense Industrial Base for all
contractors and subcontractors who
process, store, or transmit CUI. The
value of information (and impact of its
loss) does not diminish when the
information moves to contractors and
subcontractors.
Assessors exercise judgment in
determining when sufficient and
adequate evidence has been presented
to make an assessment finding. This is
consistent with current DIBCAC High
Assessments and assessments
conducted under the Joint Surveillance
Voluntary Assessment (JSVA) program.
Furthermore, to reduce burden to small
businesses, the CMMC program has
implemented flexibility with self-
assessment, POA&Ms, and waivers.
c. Cross-Functional Requirements and
Artifacts
Comment: Multiple comments
maintained that DoD underestimated
the cross-functional (Human Resources,
Physical Security, Training, etc.)
manhours and associated cost to collect
artifacts and evidence in preparation for
a C3PAO assessment. One comment
stated the DoD’s overestimation of
CMMC Level 1 requirements would
correspond to an underestimation of
compliance costs. The comment referred
to current NIST requirements and
asserted that potential revisions would
force changes to POA&Ms causing
additional costs beyond those included
in the estimates. The comment
suggested the DoD should determine the
range of potential compliance timelines,
the use and value of existing and
planned POA&Ms, and true certification
costs, both for initial compliance as well
as ongoing maintenance and oversight.
One commentor claimed too much
funding was expended over the past 5
years for the CMMC database system.
Response: OSCs prepare for C3PAO
assessments based upon NIST
guidelines as addressed in § 170.17. The
cost and time estimates represent the
time to gather the evidence to address
all assessment objectives are derived
averages based on internal expertise and
public feedback in accordance with
OMB Circular A–4 Regulatory Impact
Analysis: A Primer. The size and
complexity of the network within scope
of the assessment impacts the costs as
well.
The time estimates represent average
derived estimates based on internal
expertise and public feedback in
accordance with OMB Circular A–4.
The size and complexity of the network
within scope of the assessment impacts
the time estimates as well. The DoD
does not concur with the commenter’s
claim that too much funding has been
spent to develop the DoD’s database for
the CMMC Program.
d. Duplication or Overlap
Comment: One comment asserted
CMMC requirements may be duplicative
or conflict with existing utility industry
compliance requirements that address
CUI, since utility companies will not
require CMMC Level 3 certification.
They proposed the utilities and the DoD
collaborate to harmonize requirements
to limit the financial burden.
One comment highlighted a concern
that cost for companies that have
multiple contracts, each requiring
different CMMC Program requirements.
Concerns were specifically based on the
increased costs from CMMC Level 2 to
CMMC Level 3 compliancy and
assuming costs would be borne by
contractors. They expressed similar
concerns about costs for FedRAMP
certification, given a purported backlog
in FedRAMP authorizations.
Response: Addressing the
harmonization between the DoD,
contractors, and subcontractors is
beyond the scope of this rule. These are
functions of the DIB Sector Coordinating
Council and the DIB Government
Coordinating Council. Additionally,
non-DoD programs are outside the
control and scope of the 32 CFR part
170 CMMC Program rule. The DoD
encourages prime contractors to work
with its subcontractors to flow down
CUI with the required security and the
least burden.
DoD is aware organizations may
receive multiple contracts that may
require different CMMC levels based
upon programmatic data security needs.
It is beyond the scope of this rule to
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00065
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83156
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
dictate how OSAs manage varying
contract requirements. Contractors that
have achieved a CMMC Level 2 or Level
3 certification automatically meet a
stated requirement of a lower CMMC
level if the same system/assessment
scope will be used in performance of the
contract.
30. Alternatives
a. Alternate Programs
Comment: Many comment
submissions included lengthy proposals
for alternatives to the CMMC program
purported to alleviate specific concerns
with aspects of CMMC program
requirements. In some cases, the
concerns were based on a misreading of
the rule’s content. The DoD has
addressed some valid concerns through
rule revisions that differ from the
recommendations.
One commenter suggested eliminating
compliance assessments in favor of
establishing a DoD office to conduct
penetration testing of each DIB
company’s network every two years.
Other commenters also recommended
the DoD establish a secure portal and
share CUI with contractors only through
that portal, as a way for the DIB to avoid
the cost of securing their information
systems. One commenter suggested the
DoD monitor use of waivers and utilize
this secure portal approach when
CMMC waivers apply. Similar
recommendations included sharing CUI
only through password encrypted files
or requiring contractors to store CUI in
restricted access folders. In similar
suggestions, several commenters
thought the DoD should provide its
contractors with training, GFE and other
tools necessary to secure the contractor
owned information systems being used
to process or store CUI. One such
commenter stated that the Government
should appropriate funding for secure
solutions rather than phasing in
compliance assessments. One
commenter suggested the DoD consider
industry’s application of alternate
security mechanisms in lieu of CMMC
Levels 2 and 3. Another recommended
the DoD stand up a voluntary DIB Cyber
Protection Program to improve real-time
monitoring of the DIB, improve
cybersecurity for firms that cannot
afford the needed professional staff, and
offer data and legal protections to DIB
firms. Another such commenter
suggested that DoD fund securing the
DIB through contract incentives.
One commenter recommended
mandating DIB use of the DoD CIO’s DIB
CS Program or other DoD cybersecurity
related services as alternatives to the
CMMC program. That comment
suggested reassigning Government
personnel to provide training for all
assessors, to reduce training cost and
ensure enough assessors to meet
demand. Another commenter made
similar recommendations about CISA
cybersecurity service offerings.
Response: Many comments included
lengthy proposals for alternate
approaches to the CMMC program
which would alleviate specific concerns
with aspects of CMMC program
requirements. In some cases, the
suggestions were based on a misreading
of the rule’s content. The DoD has
addressed some valid concerns via rule
revisions that differ from commenter
recommendations.
The DoD notes with interest one
commenter’s reference to initiatives
described in a report to Congress about
the breadth of cybersecurity related
initiatives within the Department. While
the CMMC is an important initiative, it
is by no means the Department’s only
effort to improve DIB cybersecurity. The
CMMC Program addresses adequate
safeguarding of contractor owned
information systems which process,
store, or transmit FCI or CUI. Other DoD
initiatives related to secure cloud or
software development environments are
beyond the scope of the CMMC
Program.
The DoD did not adopt suggested
alternatives, such as policy-based
solutions that lack a rigorous assessment
component. The DoD determined that
sharing CUI only through DoD-hosted
secure platforms, in lieu of
implementing the CMMC Program, was
not a scalable or cost-effective solution.
Although the DoD expanded the
availability of resources through the DIB
Collaborative Information Sharing
Environment (DCISE) program, the DoD
also declines to rely only on training in
lieu of assessment.
The purpose of CMMC is to require
defense contractors and subcontractors
to undergo an assessment to verify the
implementation of prescribed
cybersecurity standards. The security
requirements are already specified in
existing regulations (32 CFR part 2002,
DFARS clause 252.204–7012, and FAR
clause 52.204–21).
Comments which suggest that
enrollment in the DoD’s DIB CS Program
can be an alternative means of meeting
the objectives of CMMC misinterpret the
services that the DIB CS Program
provides. The DIB CS Program does not
provide any mechanism for verifying
whether those participants have secured
their contractor owned information
systems to the standards required by
DFARS clause 252.204–7012. Likewise,
the recommended NSA cybersecurity
offerings also do not provide the same
verification mechanism that CMMC will
provide. CMMC Program requirements
apply to contractor-owned information
systems that process, store, or transmit
FCI and CUI. Hardware and software
approving authorities for GFE are not
relevant to this CMMC rule. The DoD
declined to adopt the recommendation
to provide GFE to DIB contractors to
maintain security, ownership of data
and support Clinger-Cohen Act
compliance.
Some comments received reflect a
misinterpretation of the cost estimates
that accompany this rule, which are
intended to inform the rulemaking
process. The cost estimates are not
indicative of a funded budget line
which could be reprogrammed to fund
a new agency to meet the objectives of
the CMMC Program. Comments
recommending that funding be
appropriated (by Congress) to provide
the DIB with security solutions are
beyond the scope of this rule.
b. Alternate Standards
Comment: One commenter
recommended aligning requirements to
DoD policies rather than to NIST
standards and relying on FISMA
compliance assessments in lieu of the
CMMC model. Another commenter
recommended the DoD and NIST work
with other international standards
organizations to incorporate CMMC
requirements (really NIST standards)
into existing ISO/IEC and CMMI
standards. In general, these commenters
recommended DoD accept alternate
assessments conducted against alternate
standards by assessors with alternate
training and qualifications. They further
recommended that DoD issue an RFI
seeking recommendation of alternate
third-party assessment schemes. One
commenter recommended the rule be
modified to require that contracts with
a CMMC level 3 requirement also
require use of a FedRAMP moderate or
higher CSP, and that contracts with a
CMMC level 2 requirement permit use
of CSPs with either FedRAMP Moderate
authorization (or higher) or CMMC level
2 or 3 certification assessment.
Response: CMMC is based on the
executive branch’s CUI Program as the
authoritative source, as codified in 32
CFR part 2002. The definition of CUI
and general requirements for its
safeguarding are included in 32 CFR
2002.4 and 2002.14, respectively. 32
CFR 2002.14(h)(2) specifically requires
that ‘‘Agencies must use NIST SP 800–
171 when establishing security
requirements to protect CUI’s
confidentiality on non-Federal
information systems . . .’’ The CMMC
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00066
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83157
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
Program makes no change to the CUI
program or its implementing policies.
Contractually, DFARS clause 252.204–
7012, effective since December 2017,
requires contractors to implement the
NIST SP 800–171 security requirements
to provide adequate security applicable
for processing, storing, or transmitting
CUI in support of the performance of a
DoD contract. That requirement applies,
regardless of the number of computers
or components in a non-Federal
information system.
The CMMC Program provides an
assessment mechanism to verify that
prospective offerors comply with the
applicable information security
requirements. All executive agencies are
required to follow the policies described
in 32 CFR 2002.14. DoD aligned CMMC
requirements with NIST SP 800–171 R2
because it is enterprise focused and is
already required in DoD contracts when
DFARS clause 252.204–7012 is
applicable. DFARS clause 252.204–7012
and NIST SP 800–171 R2 provide the
cybersecurity requirements, whereas
CMMC validates implementation of
those requirements. CMMC does not
duplicate these documents.
The DoD publishes Security
Technical Implementation Guides
(STIGs) for specific products, primarily
to guide secure implementation in DoD
systems. The OSA is responsible for
creating the implementation guidance
they will use to meet the CMMC
security requirements. OSAs are free to
use the DoD STIGS if they feel they are
appropriate. The DoD does not want to
limit the choices available to the OSA
for implementation guidance. In
addition, the DoD declines to create
STIGs for all products that might be
used in the OSA’s environment. Some
comments lacked relevance to the rule’s
content, which is limited to specific
CMMC program requirements.
Changes to DFARS clause 252.204–
7012 are outside the scope of this rule.
DoD declines to modify CMMC Level 2
or Level 3 requirements related to use of
Cloud Service Providers (CSP). A CSP is
assessed against the FedRAMP
Moderate baseline. This is required
when a CSP, regardless of the
component or type of CSP, processes,
stores, or transmits CUI.
The DoD declines to align CMMC
requirements to alternate standards or
accept compliance with alternate
standards in lieu of the NIST SP 800–
171 standard mandated by 32 CFR part
2002 for the protection of CUI. CMMI is
focused on improving the software
development process, while CMMC is
focused on verifying the proper
implementation of DIB cybersecurity
requirements. Incorporating
requirements into new or other existing
standards would unacceptably delay
action to improve DIB cybersecurity.
The DoD must take action to improve
DIB cybersecurity, regardless of the
global state of cybersecurity. DoD’s
publication of this rule follows
completion of OMB’s formal rulemaking
process, which includes both DoD
internal coordination and Interagency
coordination. The recommendation for
the DoD to establish a voluntary DIB
Cyber Protection Program is beyond the
scope of this rule.
One commenter recommended
administrative edits to identify CMMC
levels at a particular place in the pre-
amble description of the program. The
preamble is not part of the official
regulation. In addition to background
and overview information about the
proposed or final rule, the preamble
includes responses to all comments
received during the public comment
period on the proposed rule. The
certification requirements are in subpart
D, §§ 170.15 through 170.18.
c. Alternate Implementation Timelines
Comment: Several commenters
suggested that DoD abandon CMMC
requirements in favor of simply
continuing to rely upon self-
assessments, or else allowing
contractors to comply with DFARS
clause 252.204–7012 requirements
absent any assessment (self-conducted
or third-party). Of those recommending
self-assessment, two commenters
limited the suggestion only to
companies that self-certified as small
businesses and one further
recommended that DoD pay for
certification assessment of all small
businesses. One such commenter based
their opinion on an interpretation that
text in NIST SP 800–171 R2 identifies
the requirements as a model for self-
assessment. Another commenter made
no suggestion to change assessment
requirements, other than to implement
them post-award, rather than pre-award.
One comment expressed doubt in the
ability of the ecosystem to scale
sufficiently to meet the demand for
C3PAO assessments and assessor
training.
One commenter suggested the rule be
revised to eliminate POA&Ms but
expand the period during which
deficiencies can be reassessed from
within 10 days of initial assessment to
60 days for those prospective
contractors. Another commenter
suggested varying timelines for
POA&Ms based on a variety of criteria,
including how many DoD contracts are
held.
Response: The DoD declined to accept
the risk associated with implementing
CMMC solely as a post-award
requirement. When contracts require
contractors to process, store, or transmit
CUI, DoD requires that they be
compliant with DFARS clause 252.204–
7012 and competent to adequately
safeguard CUI from the beginning of the
period of performance. DoD declines the
recommendation to require primes to
assume the cost of CMMC for their
subcontractors. Arrangements between
contractors and subcontractors are
negotiated directly between those
parties. The DoD does not accept the
recommendation to eliminate or change
the criteria for POA&Ms or the timeline
allowed to remediate open POA&M
items. The 180-day period allowed for
POA&Ms and the determination of
which weighted practices can be placed
on a POA&M was a risk-based decision.
The determination considers the relative
risk DoD is willing to accept when a
particular practice is not met and the
amount of risk the DoD is willing to
accept for those security practices that
go ‘‘NOT MET’’ for an extended period.
The Department declines to adopt the
recommendation to allow DIB members
to assist in designing the DoD’s
mechanism for assessing DIB
compliance with DoD’s contractual
requirements. In developing the CMMC
program, the DoD sought and
considered DIB input. DoD disagrees
with the comment that there is a lack of
scalability in the CMMC program. The
phased implementation plan described
in § 170.3(e) is intended to address any
CMMC Ecosystem ramp-up issues,
provide time to train the necessary
number of assessors, and allow
companies the time needed to
understand and implement CMMC
requirements. The rule has been
updated to add an additional six months
to the Phase 1 timeline. As with all its
programs, the Department intends to
effectively oversee the CMMC Program
and act as needed to manage its effective
implementation. Although the full
extent of DoD’s oversight process is
beyond the scope of this rule, the rule
text addresses DoD’s authority to waive
the application of CMMC requirements
when warranted in accordance with all
applicable policies, procedures, and
approval requirements.
DoD has utilized a phased approach
to the rollout to reduce implementation
risk. CMMC Program requirements make
no changes to existing policies for
information security requirements
implemented by the DoD. It is beyond
the scope of this rule for DoD to
determine the order in which
organizations are assessed.
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00067
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83158
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
d. Alternate Assessors or Assessments
(Including Self-Assessment Only)
Comment: One commenter submitted
numerous recommendations based on
an opinion that skills required for
conducting CMMC compliance
assessments are like those required for
conducting Independent Technical Risk
Assessments (ITRAs) on Major Defense
Acquisition Programs (MDAPs). Such
assessments are conducted by the Office
of the Undersecretary of Defense for
Research & Engineering (OUSD(R&E)) in
accordance with Defense Technical Risk
Assessment Methodology (DTRAM)
criteria. These criteria extend beyond
compliance with cybersecurity
requirements and include
characteristics such as modular open
systems architecture, software,
manufacturing, reliability, availability,
maintainability, and others. This
commenter noted the DoD’s Adaptive
Acquisition Framework applies to both
Information Systems and National
Security Systems and suggested that
existing acquisition requirements
pertaining to ITRA and DTRAM should
suffice in lieu of CMMC assessments.
The commenter recommended that DoD
use existing ITRA teams to perform
compliance assessments of contractor-
owned information systems. In addition,
they recommended aligning
requirements to DoD policies rather
than to NIST standards. Other
comments made similar suggestions to
synchronize cybersecurity requirements
with DoD policies rather than NIST
standards but cited FISMA compliance
assessments as the appropriate model
rather than the DTRAM.
One comment suggested that C3PAOs
be permitted to conduct partial
assessments of ESPs, MSPs, and MSSPs.
Multiple comments expressed concern
with CMMC assessment requirements
for OSAs that use ESPs, stating that
OSAs would be unlikely to know which
components of the services they
purchased were covered by a required
CMMC Level 2 assessment. This
commenter recommended the creation
of a separate type of CMMC assessment
specifically for ESPs, which they further
recommended should be highlighted on
the CMMC AB marketplace to assist
OSAs in selecting an appropriately
vetted ESP. These comments provided
an extended description of the specific
scoping guidance that should be adding
to existing CMMC supplemental
documentation, as well as several
sample scenarios explaining how
requirements for this new type of
assessment should be applied. Two
comments highlighted that the rule’s
preamble does not include details of
assessment and implementation
requirements.
Several commenters recommended
the DoD abandon the CMMC ecosystem
model and conduct all cybersecurity
compliance assessments using DIBCAC
assessors, which would reduce cost to
the DIB. One such commenter suggested
that DIBCAC assessment of C3PAOs, as
part of the accreditation process,
detracts from DIBCAC’s capacity to
perform CMMC level 2 assessments for
the DIB. Another noted that as
Government employees, DIBCAC
assessors could exercise judgement to
make risk-tolerance decisions that non-
Government C3PAOs cannot, including
possible acceptance of partial non-
compliance.
Response: DoD must enforce CMMC
requirements uniformly across the
Defense Industrial Base for all
contractors and subcontractors who
process, store, or transmit CUI. The
value of information and impact of its
loss does not diminish when the
information moves to contractors and
subcontractors. The DoD has considered
the recommendation and declines to
revise the rule text to rely solely on self-
assessment or eliminate the 3-year
validity period to rely on a one-time
certification. It is important that
contractors maintain security
compliance for systems that process,
store, or transmit DoD CUI. Given the
evolving cybersecurity threat, DoD’s
best interests are served by ensuring that
CMMC Level 2 assessments remain
valid for no longer than a 3-year period,
regardless of who performs the
assessment.
CMMC Program requirements in this
rule are designed to improve
compliance with requirements for
safeguarding of FCI and CUI. DoD has
privity of contract to enforce these
requirements and CISA does not. OSAs
are free to choose CISA services as part
of their implementation of DoD
requirements. FISMA is for Federal
systems that are used by Government
personnel or the public and is therefore
an unsuitable surrogate for CMMC
requirements. If a contractor provides
outsourced IT services to a Federal
agency, the system is considered a
Federal system and FISMA applies. In
contrast, CMMC requirements apply to
nonfederal systems that are used
internally by contractor personnel.
The DoD disagreed with the
commenter’s assertions about NIST SP
800–171 R2 and the available
assessment methods. DoD’s DIBCAC
currently performs assessments using
the procedures in NIST SP 800–171A
Jun2018, and these documents
explicitly identify the target audience to
include individuals with security
assessment responsibilities, such as
auditors, assessors, and ‘‘independent
verifiers’’. The aggregated SPRS
reporting and scoring is CUI. The DoD
does not wish to make this information
public, which might aid adversaries in
coordinating their attacks.
The CMMC Program does not
alleviate or supersede any existing
requirements of the Adaptive
Acquisition Framework, nor does
CMMC alter any statutory or regulatory
requirement for acquisition program
documentation or deliverables.
One commenter referenced
assessments required during the
acquisition process for DoD systems.
DoD’s policies governing acquisition
programs require that Independent
Technical Risk Assessments be
conducted on Major Defense
Acquisition Programs. These
assessments provide a view of program
technical risk and are not well-suited to
the assessment of contractor owned
information systems against standards
for safeguarding CUI. CMMC
assessments are conducted on
contractor owned information systems
to gauge compliance with FAR and
DFARS requirements for safeguarding
FCI and CUI that is processed, stored, or
transmitted within those contractor-
owned information systems. One
commenter incorrectly asserts that the
CMMC Scoring Methodology does not
parallel existing scoring methods,
however the CMMC methodology is
based on the DoDAM.
The DoD declined to accept the
recommended alternative of self-
assessment with the potential to require
DIBCAC assessment for a sampling of
DoD contractors, which is essentially
the status quo. Both GAO reporting and
other DoD analysis have shown that the
DIB has not consistently implemented
the NIST SP 800–171 requirements
needed to comply with DFARS clause
252.204–7012, even though DoD’s
objective was for the contactor to
implement NIST SP 800–171 as soon as
practical, but not later than December
31, 2017.
The DoD reserves the right to decide
when reliance on self-assessment will
suffice, and when compliance should be
assessed through CMMC certification.
Based on DoD decision criteria that
includes a risk assessment of the type
and sensitivity of program information
to be shared, Program Managers will
identify the appropriate CMMC
requirement (e.g., CMMC Level 2 self-
assessment or Level 2 certification) in
the solicitation.
The government does not have the
capacity in house to adequately assess
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00068
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83159
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
the 220,00+ companies in the DIB. The
DoD cannot assume the workload of
directly assessing every DIB contractor.
With this final rule, DoD established a
scalable way to verify, through
assessment, that contractors have
implemented required security
measures necessary to safeguard DoD
information. The DIBCAC’s mission is
derived from DoD priorities and the
Department is actively working to
ensure that the DIBCAC is adequately
resourced to effectively execute its
mission areas. Planned changes to
DCMA staffing levels have been
considered and are necessary to
implement the elements of the CMMC
program described in this rule (i.e.,
Level 3 and C3PAO assessments).
By design, the CMMC Program
depends on the supply and demand
dynamics of the free market, enabling it
to naturally scale and adapt to capacity
requirements. The DoD established
requirements for each part of the CMMC
ecosystem to support a robust
compliance assessment mechanism for
DoD’s contractual requirements to
safeguard CUI that is processed, stored,
or transmitted in contractor owned
information systems. The DoD cannot
assume the workload of directly
assessing every DIB contractor.
One commenter provided numerous
comments expressing concern that
OSAs that use ESPs will be unlikely to
know which ESP services require
CMMC assessment within the OSAs
boundary or scope. This commenter
recommended an alternate type of
CMMC assessment specifically for ESPs.
In lieu of adopting that
recommendation, the DoD has updated
the rule in §§ 170.19(c)(2) and (d)(2) to
reduce the assessment burden on ESPs.
DoD declined to allow partial CMMC
Assessments. ESPs may request
voluntary CMMC assessments of their
environment and use that as a business
discriminator. The marketplace for ESP
services will adjust to find the efficient
manner for ESPs to support OSA
assessments.
e. Alternate Governance
Comment: Rather than abandon the
CMMC ecosystem model entirely, some
commenters recommended only that
DoD revise the CMMC Accreditation
Body’s roles and responsibilities. Three
recommended the DoD eliminate the
CMMC AB and take on its
responsibilities; of these, one further
suggested the DoD publish detailed
Security Technical Implementation
Guides describing how to implement
the applicable NIST requirements. One
commenter questioned the reasons for
creating a CMMC AB rather than
accepting another existing accreditation
body or multiple accreditation bodies.
One comment expressed doubt in the
ability of the ecosystem to scale
sufficiently to meet the demand for
C3PAO assessments and assessor
training.
Multiple comments called for
organizations other than the current
CMMC AB to run the CMMC ecosystem
such as a CMMC Advisory Council or a
Civilian Cybersecurity Corps comprised
of government and private sector staff.
One such comment requested that,
unlike the current CMMC AB, the
proposed body would be funded and
managed by the government. Two
commenters recommended the DoD
consider accepting other types of
conformance assessment such as ISO/
IEC 27001:2022(E) and Health
Information Trust Alliance (HITRUST)
certification. One noted this would
require guidance to describe how to
address the gaps between standards
those assessments are aligned to and
those that CMMC are aligned to (e.g.,
NIST SP 800–171 R2 for CMMC Level
2). This commenter further suggested
that DoD accept alternate industry
certifications in lieu of the training
requirements identified for CMMC
Assessors. One commenter suggested
the DoD accept FedRAMP authorization
to meet CMMC assessment
requirements.
Response: DoD considered many
alternatives before deciding upon the
current CMMC structure. The DoD
established requirements for a CMMC
Accreditation Body, and this
accreditation body will administer the
CMMC Ecosystem. The DoD reviewed
and assessed the whitepapers that were
submitted by RFI respondents and
determined that no single respondents
could meet all the broad facets required
to serve as the CMMC Accreditation
Body. Based on this assessment, the
DoD published notice of a planned
meeting in November 2019 to allow the
respondents and other members of the
public to hear the senior DoD leadership
address DoD perspectives regarding the
notional CMMC implementation flow;
the notional program structure; the
notional CMMC Accreditation Body
activities, structure, and relationship
with the DoD; and the notional CMMC
implementation schedule. The DoD also
provided information regarding the
Department’s planned way forward. The
result of the November 2019 meeting
was the establishment of the current
CMMC Accreditation Body. The
relationship between the current CMMC
Accreditation Body and the DoD was
formalized through a Memorandum of
Understanding and then a No-Cost
Contract. The DoD cannot assume the
risk or the workload of directly
managing the CMMC Ecosystem or the
other alternatives suggested. The current
CMMC Accreditation Body is aligned to
the DoD through contractual
arrangements.
31. Rulemaking Process
Comment: Some comments were
submitted to identify problems with
using the Federal eRulemaking Portal (at
www.regulations.gov) or the Federal
Register website and did not address
content of the proposed rule. One
commenter was confused by the
identification of the rule as ‘‘Proposed’’
rather than final. Another asked
whether the rule could be republished
with page numbers.
Many comments critiqued the format,
heading and section numbering, use of
incorporation by reference, or sections
contained within the rule, rather than
the substance of the content. For
example, some comments described the
CMMC rule as overly repetitive or
containing duplicative sections. Some
comments recommended deleting
specific sections to shorten or simplify
the rule, including ‘‘History of the
Program’’. Some commenters perceived
the preamble to the rule as unnecessary
and recommended deleting or
shortening that section. In addition, one
commenter noted that responses to
public comments received against an
earlier CMMC rule publication ought to
be published with the 48 CFR part 204
CMMC Acquisition rule rather than this
32 CFR part 170 CMMC Program rule.
Several commenters simply thought the
rule text too verbose and recommended
rewriting the content with fewer words
and simpler language or using tables to
shorten the content. One comment
criticized the organization of the
documents.
Several comments addressed
references to documents outside the
rule, or those that are incorporated by
reference. One commenter asked how
the DoD will recognize when revisions
to documents incorporated by reference
cause them to be misaligned
requirements identified in this rule.
Other comments requested that
additional documents be incorporated
by reference, such as DoD Instructions
on CUI and the DISA Cloud Security
Technical Reference Architecture. Some
commenters complained that the page
count of the rule and documents
incorporated by reference was too high
and asked whether contractors are
expected to read them all. Two
commenters objected to certain terms in
the definitions section pointing to other
documents as the source of the
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00069
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83160
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
definition. One further suggested that
such definitions be revised to simply
point to the URL of the source
definition.
Some comments recommended
moving content from the new 32 CFR
part 170 CMMC Program rule to the
CMMC supplemental documents or
changing citations to reference them
rather than the NIST documents that are
incorporated by reference. Another
asked why the scoring methodology was
incorporated into the rule, rather than
incorporated by reference. One
comment questioned whether the
supplemental documents are truly
optional, rather than required for
compliance with CMMC program
requirements. One comment stated a
public comment period should be
required for all supplemental guidance
prior to final publication.
One commenter asked what
precipitated implementation of the CFR,
which the DoD interpreted as a question
about codification of the CMMC
program in the CFR. One commenter
asked whether the rulemaking process
had afforded a certain group the
opportunity to coordinate or comment
on the rule. Another referenced the
separate 48 CFR part 204 CMMC
Acquisition rulemaking effort needed to
implement the content of this rule and
urged the DoD to consider public
comments of both rules prior to their
publication as final.
One comment specifically suggested
the CMMC program be implemented
Government-wide. One commenter
simply submitted a copy of a CMMC-
related article from the February 2024
issue of National Defense Magazine and
quoted or extracted from it rather than
providing any specific comment or
question.
Response: The process for creating
Federal regulations generally has three
main phases: initiating rulemaking
actions, developing proposed rules, and
developing final rules. A proposed rule
is published for public comment prior
to developing the final rule. A final rule
must identify its effective date and be
published 60 days prior to that date.
The structure and formatting
requirements for proposed and final
rules and the process for submitting
public comments are prescribed by the
Office of the Federal Register and OMB,
respectively, and are outside of DoD’s
control.
OMB approved publishing the CMMC
rule as a Proposed Rule. It has
undergone a required notice-and-
comment process to give the public an
opportunity to submit comments. The
Proposed Rule and the comments
received informed the final rule. Issues
with the Federal Register or
www.regulations.gov functionality for
submitting comments via attachment of
pdf or other file type were raised with
the appropriate help desk and resolved
before conclusion of the public
comment period. The public comment
period for this rule permitted review
and feedback from any member of the
public.
This rule follows the format and
includes all sections required in OMB
guidelines for formal rulemaking. The
length of this rule is necessary to ensure
all affected parties have sufficient
information to understand and comply
with the rule. Federal Register page
numbers are visible when viewing the
PDF version of the rule published
Tuesday, December 26, 2023 (88 FR
[http://www.govinfo.gov/content/pkg/FR-2023-12-26/pdf/2023-27280.pdf 89058; www.govinfo.gov/content/pkg/
FR-2023-12-26/pdf/2023-27280.pdf). ]
Material published in the Federal
Register contains numerous sections,
including portions that do not amend
the CFR. Specifically, the preamble for
this rule, is written in a summary format
and is not intended to provide the
detailed information that is in the
regulatory text.
DoD declines to delete reserved
sections because the editorial standard
for orderly codification is that for every
(a) there must be at least a (b), and for
every (1) there must be at least a (2), etc.
‘‘Reserved’’ meets this standard when
there is no additional text required. The
DoD declined to make other
administrative changes, because the
recommendations did not result in a
substantive change.
One commenter correctly identified
that the initial 32 CFR part 170 CMMC
Program proposed rule included
discussion and analysis of comments
made against prior publication of a 48
CFR CMMC interim final rule. The
decision to include that material was
made for the public’s convenience and
to facilitate greater understanding of the
32 CFR part 170 CMMC Program
proposed rule and the CMMC Program.
Codification of the CMMC Program
requires publication of both the 32 CFR
part 170 CMMC Program final rule and
the 48 CFR part 204 CMMC Acquisition
final rule. Each of those final rules will
include a discussion and analysis of
public comments received during their
respective comment periods. The DoD
CIO worked in conjunction with
OUSD(A&S) to ensure that the 32 CFR
part 170 CMMC Program rule and the 48
CFR part 204 CMMC Acquisition rule
are in sync.
The preamble is not regulatory text.
The preamble includes a response to the
significant, relevant issues raised in
previous public comments on the
original CMMC program. DoD declines
to adopt recommendations to move
content from the 32 CFR part 170
CMMC Program rule to the
supplemental documents, which are not
codified. As such, the supplemental
documents are provided for optional
use, and the regulatory text takes
precedence. The CMMC Assessment
Process (CAP) guidance is a product of
the Accreditation Body and is not
codified in the CFR as part of the CMMC
rule, and the regulatory text in part 170
takes precedence.
Comments on the CMMC
Supplemental Guidance were received
as part of the public comment period
review. Final versions of these
documents were published with this
rule. Other supplemental materials
published by the Accreditation Body do
not convey government direction and
are therefore do not require rulemaking.
Supplemental documents (e.g., CMMC
assessment and scoping guides) are not
codified in the CFR as part of the
regulatory text. To codify CMMC
program requirements, content must be
included in the 32 CFR part 170 CMMC
Program rule text. DoD developed the
CMMC Assessment Guides to provide
supplemental information to the public
offering added clarity on the intent of
the NIST SP 800–171A Jun2018 and
NIST SP 800–172A Mar2022 guides.
The CMMC Assessment Guides are
particularly important for security
requirements with organization-defined
parameters (ODPs) (e.g., CMMC Level
3). There is no requirement to use the
supplemental guidance documents.
Office of the Federal Register (OFR)
regulations, at 1 CFR part 51, govern the
IBR process. IBR is only available if the
applicable regulations are published in
the Federal Register and codified in the
CFR. When incorporated by reference,
this material has the force and effect of
law, as do all regulations published in
the Federal Register and codified in the
CFR. 1 CFR part 51 requires the
specification of a revision to a standard,
for example NIST SP 800–171,
Protecting Controlled Unclassified
Information in Nonfederal Systems and
Organizations, Revision 2, February
2020 (includes updates as of January 28,
2021), which is incorporated by
reference in this rule. The DoD will
determine when to update this rule after
documents incorporated by reference
have been revised. Per OFR guidance,
§ 170.4 points to other sections of part
170 where applicable and repeats
definitions for terms incorporated by
reference.
Contractors complying with CMMC
requirements need to be familiar with
those documents that are incorporated
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00070
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83161
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
by reference. The definition of
subcontractor is not incorporated by
reference, but rather points to a
definition codified in 48 CFR 3.502–1,
as recommended in OMB guidelines for
formal rulemaking. DoD has determined
that the Defense Information Systems
Agency’s Cloud Security Technical
Reference Architecture does not meet
the criteria for approved IBR material.
However, the rule has been updated to
use a different definition for Cloud
Service Provider. The requirements of
NARA’s CUI program (32 CFR part
2002) and DoD’s implementing policies
for identifying and managing CUI are
beyond the scope of the CMMC rule.
The CFR is the codification of the
Federal Government’s rules and
regulations published in the Federal
Register. The CFR was created with the
passage of the Federal Register Act and
amended in 1937 to provide a
‘‘codification’’ of all regulations at least
once a year. The CFR reflects the tenet
that the Federal Government must
follow an open public process when
rulemaking.
Due to the broad application of
CMMC requirements for DoD
acquisition support by the defense
industrial base, the Department
determined that codifying the CMMC
Program and its associated requirements
in 32 CFR part 170 CMMC Program rule
(for national defense and security) was
needed in conjunction with the
corresponding DFARS contractual
requirements codified in 48 CFR part
204 CMMC Acquisition rule.
The DoD has no authority to make
CMMC a Federal-wide program. The
notice of the required CMMC level is
provided at time of solicitation. This
does not prohibit contractors from
pursuing CMMC assessments prior to
receipt of a solicitation.
DoD declines to comment on the
reposting of information being reported
in the media.
32. Administrative Changes to Terms,
References and Notations
Comment: Over 160 comments asked
for clarification of terminology or the
addition, removal, or modification of a
definition. Most requests focused on
Security Protection Data and Assets,
Senior Officials, Information System,
External Service Providers, Cloud
Service Providers, Managed Support
Providers, Internet of Things, CMMC
Security Requirements, Organization
Seeking Assessment, and Organization
Seeking Certification. Numerous
comments recommended the following
terms could be clarified, expanded, or
defined: ‘‘Defense Industrial Base’’,
‘‘personal information’’, ‘‘contractor’’,
‘‘sub-contractor’’, ‘‘Prime Contractor’’,
‘‘equipment’’, ‘‘contractor information
system’’, ‘‘Information System’’,
‘‘system’’ ‘‘Information Resource’’,
‘‘CMMC Approved Training Materials
(CATM)’’, ‘‘CMMC Certified Instructor
(CCI)’’, ‘‘Provisional Instructor (PI)’’,
‘‘cyber incident’’, ‘‘Accreditation Body’’,
‘‘Assessment Findings Report’’,
‘‘Organizationally-Defined’’,
‘‘Organizationally-Defined Parameter
(ODP)’’, ‘‘Periodically’’, ‘‘Risk
Assessment’’, ‘‘Risk Analysis’’,
Supervisory Control’’, Data
Acquisition’’, ‘‘Operationally Critical
Support’’, ‘‘System Security Plan
(SSP)’’, ‘‘TTP’’, ‘‘CMMC’’, ‘‘COTS’’,
‘‘NARA’’,’’C3PAO’’ ‘‘IS’’, NSS’’,
‘‘Technology Asset’’, ‘‘Personnel
Assets’’, ‘‘Asset Categories’’, ‘‘DIBCAC
High’’, and ‘‘Enterprise’’.
Response: All requests for changes to
terminology definitions, references, and
usage have been reviewed. In response,
many terms were updated in § 170.4
Acronyms and definitions. The DoD
determined those terms that were not
changed to be sufficiently defined and
appropriately referenced, and the
requested administrative changes would
not have resulted in a substantive
change.
a. SPA/SPD/Asset
Comment: Numerous comments asked
the DoD to expand on the definition,
explanation, and guidance for Security
Protection Data (SPD) and Security
Protection Assets (SPA). Several other
comments requested that the rule and
supplemental documents add or expand
definitions for ‘‘Asset’’, including
various specific types of assets like
‘‘Technology Assets’’, ‘‘Personnel
Assets’’, ‘‘Organizational Assets’’
‘‘Specialized Assets’’. Some comments
asked to modify the definition for
‘‘Security Protection Asset’’, ‘‘CUI
Asset’’, ‘‘FCI Asset’’, and ‘‘Out-of-Scope
Assets’’.
Response: The DoD modified the rule
to add a definition for ‘‘Security
Protection Data (SPD).’’ The DoD
considered the NIST definitions for
‘‘System Information’’ and ‘‘Security
Relevant Information’’ in the
development of the new SPD definition.
CMMC does not regulate the OSA’s
SPD, but instead implements existing
regulatory requirements for the
safeguarding of CUI. The DoD does not
agree with the statement that the ESP
definition conflates SPA with CUI
assets. The definition of Security
Protection Assets is consistent with its
application in the NIST SP 800–171 R2
abstract. The phrase ‘‘FCI Assets are part
of the Level 1 CMMC Assessment Scope
and are assessed against all CMMC
Level 1 requirements’’ was removed
from the rule. The DoD declined to
rephrase the term ‘‘CUI Assets.’’ The
DoD reviewed the recommended edit
and declined to make an update to
‘‘Out-of-Scope Assets.’’ The definition,
as written, provides a clear distinction
with Security Protection Assets (SPAs).
b. Senior Official
Comment: Several comments asked
for additional definition or guidance
about the Senior Official role.
Response: The DoD modified the rule
to replace all references to the ‘‘Senior
Official’’ with ‘‘Affirming Official’’ and
provided additional clarity on this term.
It is beyond the purview of the DoD to
define technical qualifications for an
OSA Affirming Official.
c. ESP/CSP/MSP
Comment: Some comments asked for
additional clarification of the terms
related to External Service Providers
(ESPs) and Cloud Service Providers
(CSPs). Two comments requested the
rule add a definition and acronym for
‘‘Managed Service Provider’’.
Response: The DoD received
numerous comments about the use of
ESPs which do not process, store, or
transmit CUI. In response to these
comments, the DoD modified the rule to
reduce the assessment burden on ESPs.
An ESP that utilizes staff augmentation,
where the OSA provides all processes,
technology, and facilities, does not
require a CMMC assessment. The rule
was also updated to add a definition of
‘‘CSP’’ that is based on the NIST SP
800–145 Sept2011 definition of cloud
computing. The term ‘‘Managed Service
Provider’’ is not used in the rule;
therefore, the acronym was removed
from § 170.4.
d. IoT/OT/ICS
Comment: Several comments
recommended DoD clarify the definition
of IoT, OT, and ICS. Regarding IoT, one
comment requested the rule specify that
the exchange of data and information
between devices occurs over the
internet.
Response: As specified in the rule,
IoT, IIoT, and OT, are Specialized
Assets, and all requirements associated
with Specialized Assets apply to any
equipment that processes, stores, or
transmits CUI but is unable to be fully
secured. The description of Internet of
Things (IoT) in the level 2 and level 3
Scoping Guides is consistent with the
definition of IOT in § 170.4 and is
defined in NIST SP 800–172A Mar2022.
Scoping Guide text also provides
examples to help clarify what types of
devices may be IoT. The definition of
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00071
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83162
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
OT is from NIST SP 800–60 V2R1 and
the definition of ICS is from NIST SP
800–82r3. Requests for revisions to
these definitions should be addressed to
NIST. OSAs determine the asset
categories and assessment scope based
on how and where they will process,
store, and transmit FCI and CUI. The
DoD declined to comment on individual
use cases included in the comments.
e. Program and Security Requirements
Comment: Two comments asked for a
definition of ‘‘Security Requirements’’
while another asked for the DoD to
define the term ‘‘CMMC Program
requirements’’ in the rule. Three
comments addressed concerns with the
CMMC security practices numbering
scheme in §§ 170.14(c)(i). One comment
requested clarification on what
constitutes a ‘‘priority’’ program.
Another commenter stated the term ‘‘all
applicable CMMC security
requirements’’ is ambiguous and many
OSAs will only attest to fulfilling the
FAR 52.204–21 or NIST SP 800–171 R2
security requirements. The commenter
felt this could lead to a significant
disconnect at CMMC Level 2 since Level
2 includes security requirements
associated with the use of ESPs, as
defined in DFARS clause 252.204–7012
paragraphs (e.g., para (b)(2)(ii)(D)) and
the DoD CIO FedRAMP Equivalency
memorandum.
Response: CMMC Program
requirements are all the requirements
codified in the 32 CFR part 170 CMMC
Program rule. The term ‘‘CMMC
Security Requirements’’ is defined in
§ 170.14(c). The CMMC supplemental
guidance documents add clarity;
however, they are not authoritative and
the rule itself takes precedence. The
CMMC numbering scheme in the rule is
a key element of the model that must
pull together the independent
numbering schemes of FAR clause
52.204–21 (for Level 1), NIST SP 800–
171 R2 (for Level 2), and NIST SP 800–
172 Feb2021 (for Level 3). For the
CMMC Program, the numbering scheme
must also identify the domain and
CMMC Level of each security
requirement. The term ‘‘priority
program’’ is not used in the rule;
therefore, no definition of this term is
needed. A commenter incorrectly
associated CMMC Program requirements
as CMMC security requirements. To
address potential confusion, the rule
was updated to define ‘‘CMMC security
requirements’’ as the 15 Level 1 FAR
requirements, the 110 NIST SP 800–171
R2 requirements, and the 24 selected
NIST SP 800–172 Feb2021
requirements.
f. OSA and OSC
Comment: Several comments
requested clarification of the terms OSA
and OSC. One recommended combining
them into a single term.
Response: The definitions of
Organization Seeking Assessment (OSA)
and Organization Seeking Certification
(OSC) are provided in § 170.4. It is
important to note that OSC is a sub-set
of OSA.
g. Process, Store, or Transmit
Comment: Several comments asked
about use of the term, ‘‘Process, store or
transmit’’. One asked about its
application to a turnkey cloud based
CMMC solution and whether the intent
was to consider ‘‘access’’ a subset of
‘‘process’’. Another recommended using
the term ‘‘Handle’’ in lieu of this term
and noted that this would also require
amendments to DFARS clause 252–204–
7012. Another comment recommended
rephrasing the definition to provide
clarity while another asked that the
definition of ‘‘Process, store, or
transmit’’ (§ 170.4(b)) explicitly include
residence of data in memory, which has
not previously been identified in this
context and could raise interpretation
issues.
Response: The phrase ‘‘process, store,
or transmit’’ is more specific than the
term ‘‘handle’’ and is consistent with
DoD contract requirements for Non-
Federal Information systems as
specified in DFARS clause 252.204–
7012. The DoD intended ‘‘Access’’ to be
included in the ‘‘Process, store, or
transmit definition as written in
§ 170.4(b). An organization offering a
turnkey cloud based CMMC solution
would be considered an ESP by this
rule, and the rule was updated to
address assessment and certification
requirements of ESPs. The rule
definitions are provided for additional
clarity of the terms included in the rule
and does not nor cannot include every
potential instance of the term’s
application to a contractor’s information
systems.
h. Clarification of Definitions for FCI
and CUI
Comment: Three comments requested
clarification of and noted inconsistency
between the terms ‘‘FCI’’ and ‘‘CUI’’.
One perceived ‘‘[FCI]’’ and ‘‘[CUI]’’ as
new acronyms and asked why this rule
includes them. One comment noted the
inconsistent use of the terms ‘‘CUI and
FCI’’ and ‘‘sensitive unclassified
information’’ and recommended
selecting one term for use throughout
the rule. Another comment requested
definitions for CMMC be distinguished
with formatting or another notation.
Response: FCI is defined in FAR
clause 52.204–21. The definition of CUI
and general requirements for its
safeguarding are included in 32 CFR
2002.4 and 2002.14, respectively. CUI is
not a new acronym. The notation
‘‘[FCI]’’ is identified in table 2 to
§ 170.15(c)(1)(ii) to reflect its alignment
to the requirements of FAR clause
52.204–21 for basic safeguarding of
information. Similarly, ‘‘[CUI]’’ has been
added to reflect the use of those
requirements for CMMC Level 2, which
is designed to protect CUI, not FCI. The
DoD amended the rule such that
‘‘sensitive unclassified information’’
will consistently be replaced with ‘‘FCI
and/or CUI’’ as appropriate.
i. Use of Terms Information and Data
Comment: One comment noted the
terms ‘‘data’’, ‘‘technical data’’, and
‘‘information’’ are used synonymously
throughout the rule and supplemental
documents. They also noted that neither
NARA’s CUI Registry nor the NIST SP
800–171 R2 define the word
‘‘information’’ and asserted this was a
major oversight by NARA ISOO, the CUI
Program Executive Agent. The
commenter requested this rule adopt the
term ‘‘Information’’ throughout the rule
and only use ‘‘data’’ when specifically
intended based on its definition.
Another commenter requested the term
‘‘Technical Data’’ be replaced with the
term ‘‘Information’’.
Response: As a commenter stated,
both the CUI program and NIST use the
term ‘‘information’’. Suggestions that
the DoD work with NARA or NIST to
define this term are outside the scope of
this rule. Within this rule, data
generally refers to individual facts, such
as those submitted to eMASS or SPRS;
however, data and information may be
used interchangeably. DoD declined to
make requested administrative edits
because they would not result in a
substantive change.
j. Source Materials Incorporated by
Reference
Comment: Four comments asked for
clarification of those documents
incorporated by reference, or the
specific versions of documents
referenced in the rule.
Response: The DoD declined to
incorporate by reference the
Department’s role as data owner. NIST
SP 800–53 R5 was incorporated by
reference only for use with applicable
definitions because it provided the
latest definitions available.
The OSA is responsible for
determining its CMMC Assessment
Scope and its relationship to security
domains. Assets are out-of-scope when
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00072
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83163
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
they are physically or logically
separated from the assessment scope.
Contractor Risk Managed Assets are
only applicable within the OSA’s
assessment scope. Table 3 to
§ 170.19(c)(1) is used to identify the
asset categories within the assessment
scope and the associated requirements
for each asset category. Contractor’s
risk-based security policies, procedures,
and practices are not used to define the
scope of the assessment, they are
descriptive of the types of documents an
assessor will use to meet the CMMC
assessment requirements.
To ensure the source of every
definition is accounted for, the terms in
§ 170.4 either cite a reference or are
designated as CMMC-custom using the
notation ‘‘(CMMC-custom term).’’ The
rule has been updated to eliminate the
CNSS Glossary definitions and replaced
them with appropriate NIST definitions.
k. Miscellaneous Other Terms,
References and Notations
Comment: Three comments asked
about references to the DoD Manual
8570, ‘‘Information Assurance
Workforce Improvement Program,’’ and
one asked if the references should be
replaced by the newer DoD Manual
8140.
One commenter suggested DoD add
an enhanced definition of ‘‘Security
Domain’’ domain to the glossary.
One questioned use of the CNSSI–
4009 Glossary instead of the NIST
Glossary of Terms. One comment
requested a change to text quoted from
another source. One commenter asserted
that the rule includes no reference to
‘‘existing FAR, DFARS, or DoD
authoritative sources’’ and
recommended that they be added in
instead referencing NIST publications
only.
One comment asked if it is necessary
to read and understand all FIPS, NIST
SP 800, CNSSI, and ISO/IEC documents
incorporated by referenced in § 170.2.
One comment requested the references
for CMMC Assessment Guides in
Appendix A be changed to NIST SP
800–171A Jun2018 and NIST SP 800–
172A Mar2022. Two comments noted
version numbers are not always
provided for two specific document
sources. Another comment requested
references for supporting information,
resources, and training for the DIB.
A commenter asked if the term
‘‘Government Information Systems’’ was
equivalent to the term ‘‘Federal
Information Systems’’ while another
expressed that the term, ‘‘CMMC Level
2 Final Certification Assessment was
confusing given that ‘‘Assessment’’ and
‘‘Certification’’ are two separate and
distinct terms. Another comment noted
that the Summary Information section
states there is a difference between a
POA and a POA&M but recommended
both terms be defined for clarity.
One comment stated the ‘‘CMMC
Certified Assessor (CCA)’’ definition
and acronym are not used consistently
in the rule and the current CMMC AB’s
website. Another comment noted that
the term, ‘‘related practitioners’’ under
the definition of CAICO in § 170.4 could
be confused with the term ‘‘Registered
Practitioners (RP)’’ used by the CMMC
AB as their designation for consultants.
One comment stated that the DoD
must be deliberate in its use of certain
terms, especially the words ‘‘must’’ and
‘‘shall’’, which connote legal
requirements, versus words like ‘‘will’’,
‘‘expected’’, ‘‘can’’, ‘‘may’’, ‘‘should’’,
etc., which are permissive (i.e.,
optional)
One commenter noted the word
‘‘practice’’ was replaced multiple times
based on a comparison of pre-
publication drafts with the formal drafts
that were published for public
comment.
Another comment asserted that the
DoD is falsely describing the CMMC
program as addressing ‘‘basic’’
cybersecurity requirements when this is
the most demanding cybersecurity
standard ever produced.
One commenter objected to the
CMMC Level 1, 2, and 3 Assessment
definitions in § 170.4 referring to the
content of corresponding rule sections
and suggested that the definitions be
deleted from § 170.4 unless they can be
succinctly defined without doing so.
Response: The rule has been updated
to reference DoD Manual 8140
‘‘Cyberspace Workforce Qualification
and Management Program’’ which
replaced DoD Manual 8570,
‘‘Information Assurance Workforce
Improvement Program.’’ DOD Manual
8140.03 is available at: [https://dodcio.defense.gov/Portals/0/Documents/Library/DoDM-8140-03.pdf https://
dodcio.defense.gov/Portals/0/
Documents/Library/DoDM-8140-03.pdf. ]
No changes were made to quotations
from sources outside the rule. A
definition cited from a source must
exactly match the source, it cannot be
altered. To address a commenter’s
misperception that the rule does not
reference ‘‘existing FAR/DFARS, or
other DoD authoritative sources,’’ it
should be noted that the CMMC
proposed rule includes 54 mentions
each of FAR clause 52.204–21 and
DFARS clause 252.204–7012. The
DFARS clause 252.204–7012 is added to
DoD contracts to implement the
requirements of NIST SP 800–171,
which is the authoritative reference for
adequate safeguarding of CUI.
Contractors complying with CMMC
need to be familiar with those
documents that are incorporated by
reference, which address requirement-
related topics. NIST SP 800–53 R5 is
incorporated by reference only for
applicable definitions because DoD
chose to use the latest definitions
available. The purpose of a reference
listed in § 170.2 should be interpreted
based on the context in which it is used.
For example, the references provided in
§ 170.4 specify the source of the
definition. The references for the CMMC
Assessments Guides listed in Appendix
A have been updated. These guides are
largely derived from NIST SP 800–171
R2, NIST SP 800–171A Jun2018, NIST
SP 800–172 Feb2021, and NIST SP 800–
172A Mar2022.
The DoD has updated § 170.3 to align
with the FAR terminology and now
reflects ‘‘Federal Information System’’
instead of ‘‘Government Information
System’’.
The DoD updated the rule to reference
the latest version of ‘‘Cloud Security
Technical Reference Architecture’’ and,
where appropriate, to identify a revision
number for NIST SP 800–171. Specific
details of cybersecurity-related
resources and training developed to
support the DIB are outside the scope of
this rule. As it becomes available,
supporting resources and training
information will be disseminated.
Currently, multiple public resources are
available to help educate companies on
NIST and CMMC requirements.
The DoD declined to respond to
comments based on comparison of pre-
publication draft versions of the
supplemental guidance documents.
A commenter’s claim that DoD views
the CMMC program as only addressing
‘‘basic cybersecurity’’ is incorrect.
Throughout the rule, references to
‘‘basic safeguarding’’ mean the
requirements of CMMC Level 1, which
align directly to the requirements of
FAR clause 52.204–21. That FAR clause
is titled ‘‘Basic Safeguarding of Covered
Contractor Information Systems’’.
Similarly, the CMMC program
establishes a CMMC Level 3
requirement to comply with a subset of
requirements from NIST SP 800–172
Feb2021, titled, ‘‘Enhanced Security
Requirements for Protecting Controlled
Unclassified Information.’’
Section 170.4 includes acronyms and
definitions used in the rule text. Terms
from other authoritative sources are
listed in § 170.4 and are properly
sourced. 1 CFR part 51 governs drafting
of this rule.
The DoD updated the rule throughout
to reflect new terminology better
differentiating between the activity of
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00073
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83164
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
undergoing an assessment and the
CMMC Status that may result from that
activity. An OSA undergoes one of the
following: Level 1 self-assessment; Level
2 self-assessment; Level 2 certification
assessment; or Level 3 certification
assessment. The result of that
assessment activity is either failure to
meet minimum requirements or one of
the following CMMC Statuses: Final
Level 1 (Self); Conditional Level 2 (Self);
Final Level 2 (Self); Conditional Level 2
(C3PAO); Final Level 2 (C3PAO);
Conditional Level 3 (DIBCAC); or Final
Level 3 (DIBCAC).
The official DoD acronym for CCA is
‘‘CMMC Certified Assessor,’’ as
addressed in § 170.4. All CMMC terms
and definitions provided in this 32 CFR
part 170 CMMC Program rule are
codified and therefore take precedence
over definitions and acronym usage
from the CMMC website or other
sources.
To avoid confusion in the ecosystem
with the term ‘‘practitioner’’, the DoD
modified the definition in § 170.4 to
replace the word ‘‘practitioners’’ with
‘‘professionals.’’
While ‘‘must’’ is a more commonly
used term than ‘‘shall’’, both terms
impose a requirement as defined in FAR
2.101 Definitions.
33. Rule Text Modifications
a. Changes to the Preamble
Comment: One commenter
recommended that the supplemental
Assessment Guides be consolidated
with and cross referenced to
requirements for the CMMC Levels in
the same document. Eighty-three
comments requested changes to the
preamble section of the rule text. Of
those, 17 were incorporated and are
summarized below.
Writing Style: Multiple commenters
wanted shorter, simpler, and more
focused wording starting with changes
to the first sentence in the Summary
section.
Word Choices: In the ‘‘CMMC 2.0
Overview as Proposed by this Rule’’
section several comments objected to
the description of FAR clause 52.204–21
requirements as ‘‘elementary’’ or
‘‘basic’’. One comment asserted that
‘‘may’’ is not the correct verb for
‘‘Defense contracts . . . may include
applicable requirements . . . ,’’. One
comment suggested the preamble
sentence ‘‘Once CMMC is implemented,
the required CMMC level for contractors
will be specified in the solicitation,’’ be
revised to use wording that is more
consistent with other parts of the
preamble and rule text. One commenter
proposed edits to remove passive voice
from a sentence in the preamble
description of Key Changes
Incorporated in the Revised CMMC
Program. One commenter requested a
change to reference the relevant DFARS
clause 252.204–7012, rather than the
DFARS subpart 204.73.
Clarifications: Two comments
asserted that the description of
affirmations requirement could be mis-
interpreted as suggesting that primes
and subcontractors all submit a single
affirmation or that one contractor must
affirm another’s continuing compliance.
One comment requested clarification
about FedRAMP requirements for Cloud
Service Providers. Some comments
asked whether POA&Ms must be
documented in the System Security
Plan. One comment recommended
punctuation and grammatical edits and
asked for clarification of rule text that
discusses the impact of not logically or
physically separating contractor-owned
information systems that process, store,
or transmit FCI (or CUI) from those that
do not.
Response: This rule follows the
format and includes all sections
required in OMB guidelines for formal
rulemaking. The DoD lacks authority to
modify the template or omit required
sections, as requested by some
commenters. In addition, one
commenter recommended that the
supplemental Assessment Guides be
consolidated with and cross referenced
to requirements for the CMMC Levels in
the same document. The DoD
interpreted this recommendation as a
request to integrate all information in
the supplemental guidance into the rule
text, which does not align with
rulemaking guidelines (1 CFR part 51).
No changes were made to consolidate or
integrate the supplemental guidance
documents, which are not codified and
are provided as optional resources to
assist OSAs. The regulatory content in
the 32 CFR part 170 CMMC Program
rule takes precedence.
Some commenters criticized the
preamble summary paragraph, and one
submitted a preferred rewrite that
oversimplified the content so far as to
alter the intended meaning. For that
reason, the specific revisions were not
incorporated. However, the DoD has
revised the final rule to begin with a
simplified statement of its purpose, as
follows: ‘‘With this final rule, DoD
establishes a scalable way to verify,
through assessment, that contractors
have implemented required security
measures necessary to safeguard DoD’s
Federal Contract Information (FCI) and
Controlled Unclassified Information
(CUI)’’.
The DoD strove to streamline the
writing style. Note that the preamble is
not part of the regulatory text, however,
it is a required part of the rulemaking
template. The DoD made the following
changes to the preamble based on
requests for text modifications.
The preamble is updated to change
the verb ‘‘will’’ to ‘‘should’’, where
appropriate. The preamble and
regulatory text have been updated to
clarify that a Plan of Action need not be
part of the System Security Plan. The
sentence in the preamble overview
about FAR clause 52.204–21
requirements has been rewritten to
describe them as ‘‘the minimum
necessary’’ to receive FCI, rather than
describing them as ‘‘elementary’’ for
‘‘basic’’ cybersecurity. Note that the title
of the FAR clause 52.204–21 clause is
Basic Safeguarding Requirements.
A preamble overview paragraph about
Affirming Officials is revised to clarify
that CMMC affirmations shall be
submitted by the OSA and apply only
to the information systems of that
organization. DoD’s use of the term OSA
within the affirmations section is
deliberate and conveys that each
organization is responsible for
affirmations pertaining to their own
assessments. A preamble overview
paragraph about Cloud Service
Providers has been aligned to DFARS
clause 252.204–7012 language and
specifies that defense contractors must
confirm that any CSPs they use to
handle CUI must meet FedRAMP
Moderate Baseline standards. Wording
in the preamble overview of the rule has
been edited from ‘‘may include’’ to
‘‘require’’, to clarify a statement about
when DFARS clause 252.204–7012
applies. One sentence in the preamble
about the regulatory impact of CMMC
Requirements has been edited into two
sentences to make clear that
solicitations identify CMMC contract
requirements, rather than ‘‘for
contractors’’, and that only contractors
handling FCI or CUI must meet the
specified CMMC requirements.
The DoD has incorporated a suggested
re-wording to simplify the description
of CMMC Level 2 assessments in the
preamble paragraph describing Key
Changes Incorporated in the Revised
CMMC Program.
b. Changes to the Regulatory Text
Comment: Of the 52 comments that
requested changes to the regulatory text
(§§ 170.1 through 170.24), the nine
which DoD incorporated are
summarized below.
Word choices: In § 170.1(b), two
comments posited that the word
‘‘enhance’’ is inaccurate in the phrase
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00074
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83165
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
‘‘The CMMC Program is designed to
enhance protection of FCI and CUI
. . .’’. In § 170.9(a) one comment noted
that C3PAOs do not ‘‘grant’’
assessments, they ‘‘conduct’’ them.
Another asked why, in table 3 to
§ 170.19(c)(1), the CUI Asset category
needs to be assessed against ‘‘CMMC
security requirements’’ but in table 5 to
§ 170.19(d)(1), the same category is
assessed against ‘‘all CMMC security
requirements.’’ For § 170.4(b) One
comment requested appending ‘‘and to
the DoD’’ to the definition of
Assessment Findings Report.
Paragraph Organization: For
Applicability, a comment recommended
changing the order of paragraphs in
§ 170.3 and other text changes to
improve clarity.
Reference: One comment noted that
the § 170.6(b) phrase ‘‘as provided for
under DFARS clauses 252.204–7012 and
7020 . . .’’ is in error because the
section describes CMMC PMO
responsibilities and only DFARS clause
252.204–7020 references DIBCAC
assessments of OSAs.
Redundancy: One comment asserted
that § 170.9(b)(9) and § 170.9(b)(20) are
redundant as both describe that
assessment appeals and results are
entered into eMASS.
Consistency: One comment pointed
out an inconsistency between the text in
§ 170.18(c)(1)(i) and the Scoping Guide
related to whether a CMMC Level 3
Assessment Scope must be the same as,
or may be a subset of, the Assessment
Scope of the prerequisite CMMC Level
2 certification.
Clarifications: One comment asked
whether the stipulation that CCIs must
not disclose CMMC data or metrics
applies to all data or only ‘‘non-public’’
data.
Consistency: One commenter asked
for clarification regarding templates and
formats required for information
uploaded into the CMMC instantiation
of eMASS.
Response: The DoD has incorporated
a request to delete the word ‘‘enhance’’
from § 170.1(b), and the purpose of the
CMMC Program now reads that the
CMMC Program is designed as a
compliance assessment to assist in
DoD’s enforcement of information
safeguarding requirements. Lower level
paragraphs in § 170.3 have been
reordered for added clarity.
The words ‘‘and to the DoD via
CMMC eMASS’’ have been added to the
end of the Assessment Findings Report
definition in § 170.4(b). In addition,
§ 170.9(b)(17) has been rephrased to
stipulate that all assessment data and
information uploaded into the CMMC
instantiation of eMASS must be
compliant with the data standard
provided in the eMASS CMMC
Assessment Import Templates available
on the CMMC eMASS website.
The DoD replaced the word
‘‘granting’’ with the word ‘‘conducting’’
in the description of C3PAO
assessments in § 170.9(a). Sections
170.9(b)(9) and (b)(20) have been
modified to eliminate redundancy
between the two paragraphs, however
the DoD did not concur that
§§ 170.9(b)(17) and (18) are redundant
and made no change.
Section 170.18(c)(1)(i) was revised to
clarify that the CMMC Assessment
Scope for Level 3 must be equal to or
a subset of the CMMC Assessment
Scope for the Level 2 certification
assessment of the system in question.
Section 170.19 was revised to clarify
that, for CMMC Level 2, OSAs will be
assessed against all Level 2
requirements. For CMMC Level 3, OSAs
will be assessed against all Level 2 and
Level 3 requirements.
Section 170.1 has been revised to
correct punctuation and improve
grammar. The section now conveys
more clearly that the CMMC Program is
designed as a compliance assessment to
assist in DoD’s enforcement of
information safeguarding requirements.
No changes were made regarding use of
‘‘not logically or physically isolated
from all such CUI systems’’. Specifying
a CMMC Assessment Scope is a
necessary preparatory step for a CMMC
assessment. Assessment requirements
are specified in § 170.19. At Levels 2
and 3, logical or physical isolation is the
primary mechanism used to separate in-
scope from out-of-scope assets. CRMA
and Specialized Asset categories only
apply to assets that are within the
Assessment Scope or boundary.
§ 170.6(b) has been revised to
reference DFARS clause 252.204–7020
rather than DFARS clause 252.204–
7012. In addition, § 170.05 was revised
to reference DFARS clause 252.204–
7012, rather than DFARS 204.73, for
consistency and clarity.
The title of § 170.16(c)(1) has been
updated to specify self-assessment of
the OSA. DoD declined to make other
administrative changes because they
would not result in a substantive
change.
§ 170.12(b)(8) has been revised to
clarify that CCIs must not disclose
CMMC data or metrics that are PPI, FCI,
or CUI without prior coordination with
and approval from DoD.
c. Changes Recommended but Not
Incorporated
Comment: Many comments addressed
non-substantive administrative changes
or writing style and were not
incorporated. Many comments
requested substantive changes that were
not incorporated, and which are
described more fully in the response
below.
Response: In addition, thirty-eight
other recommendations were not
incorporated because they did not result
in substantive changes. The DoD
declines to delete references or convert
narrative text explanations into tables,
bullets, or other truncated formats
because the intent is to facilitate reader
understanding of complex requirements.
Other recommended administrative
changes which did not result in a
substantive change were also not
incorporated.
Other changes were not incorporated
because the revisions would result in
unintended or inaccurate meaning of
the text. The following explanation is
provided for those unincorporated but
substantive recommendations.
The DoD did not change content in
the Discussion of Public Comments
section that addressed responses to the
original 48 CFR CMMC interim final
rule, because intervening rule changes
made in response to public comments
received about the more recent
proposed rule(s) supersede text of the
earlier rule.
Section 170.3(a)(1) applies to contract
awardees. While the rule may impact
External Service Providers and Cloud
Service providers, the rule is not
directly applicable to them. CMMC
requirements apply at the time of
contract award and thereafter.
DoD declined to change the program
name as it is well known in the
community, and the tiered approach to
the model still embodies a concept of
cybersecurity maturity. OSA
responsibilities for complying with
CMMC are provided throughout the rule
and do not need to be repeated.
CMMC is a program that validates
implementation via assessment, the rule
does not prescribe how to implement.
In the first sentence of the Summary,
this rule describes that the CMMC
assessment mechanism will cover both
existing security requirements for CUI,
and new security requirements for
certain programs. No additional
reference is necessary in the
introductory summary because the
specific NIST reference documents are
mentioned shortly after the summary
and throughout the rule text.
DoD declined to revise § 170.2 to use
the word ‘‘competent’’ because
‘‘competence’’ is the word included in
the referenced ISO/IEC 17011:2017(E)
Abstract.
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00075
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83166
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
The rule retains requirements to
provide all documentation and records
in English because it is necessary for
adequate program management and
specifying this requirement is required
to ensure clarity of interpretation.
The DoD has reviewed
§ 170.17(c)(2)(ii) and does not agree that
a noun is missing. The lead-in
paragraph provides the noun, and it is
not necessary to repeat the phrase. The
DoD disagrees that portions of
§ 170.18(c)(1) are redundant and
therefore did not delete the lower level
paragraphs, however revisions were
made to clarify that a Level 2
certification assessment is needed prior
to Level 3 certification assessment.
Recommended edits to § 170.24(9)
that would change the meaning were
not accepted. During the assessment
process, the Lead Assessor/Assessor
must view any prior DoD CIO
adjudication of proposed variances to
security requirements in the system
security plan to ensure correct
implementation and render a
determination of MET if there have been
no changes in the environment.
The DoD did not modify § 170.10 to
permit CCAs, CCPs, and CCIs to retrain
‘‘or’’ recertify, instead of both, upon
significant change to DoD’s CMMC
Program requirements under this rule.
The DoD disagreed with one
commenter’s assertion that the summary
within the preamble to the rule implies
CMMC assessments address all DFARS
clause 252.204–7012 requirements,
therefore no edits were necessary. The
rule indicates that the applicable CMMC
Level 2 security requirements are those
in NIST SP 800–171 R2 as implemented
in DFARS clause 252.204–7012.
Revisions suggesting that all
objectives identified in NIST SP 800–
171A Jun2018 need not be met are not
accurate and not incorporated. Each
assessment objective in NIST SP 800–
171A Jun2018 must yield a finding of
MET or NOT APPLICABLE for the
overall security requirement to be
scored as MET. Assessors exercise
judgment in determining when
sufficient and adequate evidence has
been presented to make an assessment
finding. This is consistent with current
DIBCAC High Assessments and
assessments conducted under the Joint
Surveillance Voluntary Assessment
Program (JSVAP). A security
requirement can be applicable, even
with assessment objectives that are N/A.
The security requirement is NOT MET
when one or more applicable
assessment objectives is NOT MET.
Recommendations to address specific
contractual matters were not addressed,
because this is a 32 CFR part 170 CMMC
Program rule and not an acquisition
regulation. Any comments related to
contract requirements should be
provided in response to the 48 CFR part
204 CMMC Acquisition rule.
The CMMC rule does not specify the
number of POA&Ms that may be used to
address one or more CMMC security
requirement that were NOT MET during
a CMMC assessment. The OSA may
choose to use a single POA&M or
multiple POA&Ms.
No edits were made to reference CCAs
in § 170.7, which covers responsibilities
for only the DIBCAC, and not CCAs.
§ 170.11 covers responsibilities for
CCAs. DoD declined to add verbiage to
address the potential revision or
cancellation of an ISO/IEC standard
because § 170.8 adequately reflects that
the Accreditation Body shall achieve
full compliance with revised ISO/IEC
17011:2017(E) standards. Standards are
not effective until published as final.
The DoD declined to adopt one
commenter’s suggestion to submit all
appeals investigation materials with the
final decision into eMASS, however, an
updated assessment result, if any, will
be input into eMASS. In addition,
C3PAOs are required to retain
assessment artifacts for 6 years.
DoD did not agree with one
commenter’s assertion that the preamble
description of the CMMC Program is
incomplete or inaccurate, or that the
rule makes implicit changes to DFARS
clause 252.204–7010 reporting
requirements for activities subject to the
U.S.-International Atomic Energy
Agency Additional Protocol. The
referenced paragraph, which appears
both in the preamble background
section and in an overview paragraph of
the supplemental documents, accurately
portrays the CMMC Program as a
compliance assessment model to assist
in DoD’s enforcement of FCI and CUI
safeguarding requirements. No change
has been made in either location.
The DoD also declines to specify in
the rule the DoD offices that review Tier
3 background investigations or
equivalency determinations. No
language related to Cloud Service
Offerings (CSO) was added in § 170.19
column two. Assets that process, store,
or transmit CUI are handled the same
way regardless of whether they are from
a CSO or otherwise. Therefore, there is
no need to call out CSOs in the table.
The DoD minimized use of the
passive voice to an extent in this final
rule; however, in some places the
passive voice is used to emphasize the
action occurring rather than the
individual or entity performing the
action.
There is no version number in the
title of the CMMC Program. Terms such
as versions 1.0 or 2.0 have previously
been used in DoD’s public engagements
as a colloquial way to communicate
differences in content as the program
has evolved. This final rule codifies the
program and does include changes from
the proposed rule. Only those public
comments received during the 60-day
comment period following the
December 26, 2023 publication (88 FR
89058) are addressed in this final rule.
34. Error Corrections
Comment: Numerous administrative
comments were received that addressed
formatting grammar, punctuation, and
typographical errors as well as word
usage and acronym errors: Wording
discrepancies, redundancies, and
inaccuracies were also reported by
multiple comments.
Several comments identified
inconsistencies between FedRAMP
equivalency as stated § 170.16(c)(2)(ii)
and as described in the DOD CIO’s
December 21, 2023, Federal Risk and
Authorization Management Program
Moderate Equivalency for Cloud Service
Provider’s Cloud Service Offerings
memorandum. One comment requested
moving the phrase ‘‘in accordance with
all applicable policies, procedures, and
requirements’’ in § 170.5(d) to an earlier
part of the sentence to be grammatically
correct.
One comment noted that DFARS
provision 252.204–7019 does not
stipulate assessments must be a ‘‘self-
assessment’’ as stated in the CMMC 2.0
Overview as Proposed by this Rule
section. Also in the same section, one
comment indicated the SSP description
should not direct the user to explain
how each requirement is implemented,
monitored, and enforced.
One comment asked if the reference to
NIST SP 900–171A refers to the current
version or if a version number should be
specified. Three comments indicated
issues using embedded links to
websites. One comment noted that
‘‘inspection activities’’ should be
changed to ‘‘assessment activities’’ in
170.9(b)(10). One comment asserted that
in 170.17(a)(1) the word ‘‘obtaining’’
should be deleted in the phrase ‘‘. . .
the OSC must achieve either CMMC
Level 2 Conditional Certification or
Final Certification through obtaining a
CMMC Level 2 Certification Assessment
. . .’’
Response:
Typographical, Grammatical, and
Punctuation Errors, and Formatting
The DOD reviewed all reported
grammatical, punctuation,
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00076
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83167
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
typographical, and acronym-related
errors and the preamble, RIA, and rule
have been updated to address all
confirmed errors. Additionally, the
formatting errors in the CMMC Level 2
Asset Categories and Associated
Requirements row of table 1 of
§ 170.19(c)(1), have been corrected. The
final rule has been revised to correct
document titles as needed.
A commenter provided feedback on
the PRA and identified incorrect
markings in information collection
samples. DoD will work with DISA to
ensure the final versions of the eMASS
templates contain the proper markings.
An OSA’s CMMC certification
assessment results will be ingested into
DoD’s CMMC instance using the eMASS
CMMC Assessment Import Templates
[https://cmmc.emass.apps.mil published at https://
cmmc.emass.apps.mil. The
]requirements for C3PAOs and DCMA
DIBCAC and what is submitted into
CMMC eMASS is described in §§ 170.7,
170. 9, 170.17(a)(1)(i), 170.18(a)(1)(i),
and 170.19. The documents
accompanying the PRA were intended
to serve as samples. The comment also
contained an incorrect assumption that
commercial privileged information ‘‘is
not CUI because it is incidental to the
performance of the contract.’’ The
commenter has confused CDI with CUI
and is incorrect in the assumption that
commercial privileged information is
not CUI because of it being incidental to
the performance of the contract.
Word Usage
Incorrect uses of ‘‘tri-annually’’ have
been corrected. Where appropriate the
wording has been changed to ‘‘every
three years’’ for clarity. In the preamble
to the rule, the statement ‘‘. . . and
triennial affirmation . . .’’ has been
corrected to indicate the affirmations are
an ‘‘annual’’ requirement.—DoD has
updated the preamble to the rule to the
correct certification assessment
terminology.
The link on the Federal Register
website has been corrected and now
resolves to the website indicated.
Incorrect or Incomplete References
Several incorrect or incomplete
references have also been corrected.
§ 170.9(b)(1) has been corrected to refer
to the authorization in § 170.8(a). One
comment asserted that there is no
section (c) associated with the reference
‘‘§ 170.17(a)(1) and (c)’’ which is in
§ 170.9(b)(6). The section ‘‘§ 170.17(c)
Procedures’’ does exist and addresses
the procedures associated with a CMMC
Level 2 Certification Assessment.
Section 170.17(a)(1) addresses the Level
2 Certification Assessment requirements
for an OSC. The rule has been updated
in § 170.9(b)(6) for clarity.
Commenters accurately noted that
§ 170.17(a)(1) should refer to the Level
2 requirements in § 170.14(c)(3), and
this has been corrected. The reference in
§ 170.18(c)(5)(ii) has been updated to
say, ‘‘that maps to the NIST SP 800–171
R2 and a subset of the NIST SP 800–172
Feb2021 requirements’’. The rule is
updated to replace the instruction
‘‘(insert references L1–3)’’ with
‘‘§ 170.19 CMMC scoping.’’
Wording Discrepancies, Redundancies,
and Inaccuracies
To address a discrepancy between the
rule and scoping guidance, the Level 2
Scoping Guide has been updated for
clarity and alignment with § 170.16(a)
which states that meeting the CMMC
Level 2 Self-Assessment requirements
also satisfies the CMMC Level 1 Self-
Assessment requirements for the same
CMMC Assessment Scope. Additionally,
the preamble to this rule has been
updated to clarify that not all
affirmations will occur prior to contract
award because POA&M closeout
affirmations may occur after contract
award.
To address a discrepancy about Level
1 scoring, in § 170.24 the phrase ‘‘;
therefore, no score is calculated, and no
scoring methodology is needed,’’ has
been deleted.
The regulatory text was updated to
require FedRAMP moderate or
FedRAMP moderate equivalency in
accordance with DoD Policy. CMMC
Program Requirements make no change
to existing policies for information
security requirements implemented by
DoD. The preamble was modified to
indicate DFARS provision 252.204–
7019 requires an assessment (basic,
medium, or high) and not just a self-
assessment (basic).
The data input at § 170.17(a)(1)(i)(F)
for CMMC eMASS is redundant so it has
been removed. In the preamble, the DoD
has also removed the inaccurate phrase,
‘‘certified by DoD’’, from the statement
‘‘Under CMMC, compliance will be
checked by independent third-party
assessors certified by DoD.’’
DoD has updated language in
§ 170.18(a)(1)(i)(B) to reflect for each
DCMA DIBCAC Assessor conducting the
assessment, ‘‘name and government
organization information’’ will be
required for the CMMC instantiation of
eMASS.
The DoD has considered the
recommendation to change the
description of what an SSP should
contain and declines to revise the rule
text. The NIST SP 800–171 R2
requirement states that an SSP must
describe ‘‘. . . how security
requirements are implemented . . .’’
which is equivalent to going ‘‘. . .
through each NIST SP 800–171 security
requirement and explain how the
requirement is implemented, monitored,
and enforced.’’
Perceived Errors
DoD declines to make the edit to
change ‘‘shall’’ to ‘‘will’’ in § 170.9(b).
The existing language is consistent with
standard rulemaking usage. The title for
NIST SP 800–171A Jun2018 is the
current title used by NIST and does not
have a version number, so no change
was needed. While not used in the rule
text, the term enterprise is used in the
description of the CMMC Program in the
preamble’s Statement of Need for This
Rule section: Defense contractors can
achieve a specific CMMC Level for its
entire enterprise network or an
enclave(s), depending upon where the
information to protected is processed,
stored, or transmitted, therefore
enterprise remains in the definitions
list.
DoD verified links by clicking on
them in the PDF and by copying and
pasting the links into a web browser. In
both cases links resolved correctly.
The DoD has changed ‘‘all personnel
involved in inspection activities’’ to ‘‘all
personnel involved in assessment
activities’’ in § 170.9(b)(9).
A comment asserted that there was a
rulemaking formatting error in
§ 170.4(b). DoD is following the Office of
the Federal Register standards for this
section. In sections or paragraphs
containing only definitions, paragraph
designations are not used, and the terms
are listed in alphabetical order. The
definition paragraph begins with the
term being defined. If a definition
contains subordinate paragraphs, these
paragraphs are numbered with
paragraph designations beginning with
the next appropriate level based on the
dedicated definitions section.
The 2nd sentence of § 170.17(a)(1)
includes the word ‘‘obtaining’’ for
clarity.
35. Comments in Favor of the CMMC
Program
Comment: Some commenters
expressed favorable opinions about the
CMMC program as a viable long-term
solution to ensure cybersecurity
controls are in place. Others commented
about specific content of the 32 CFR
part 170 CMMC Program proposed rule
and the supplemental documents. For
example, two commenters specifically
complimented the inclusion of an
Affirmation requirement and another
supported CMMC implementation as a
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00077
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83168
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
pre-award requirement. Another
commenter appreciated the regulatory
text which ‘‘encourages’’ contractors to
consult with the Government for
additional guidance if or when unsure
of appropriate CMMC Level to assign a
subcontract solicitation. Two
commenters applauded the use of
already established workforce
qualifications while another concurred
with the regulatory text permitting
CMMC Certified Professionals (CCPs) to
participate in assessments with
oversight of a CMMC Certified Assessor
(CCA). A commenter also expressed
appreciation for the regulatory text’s
alignment to a specific version of the
guidelines (i.e., NIST SP 800–171 R2).
One commenter appreciated the video
that DoD published to accompany and
explain the proposed rule. Several
comments cited the longstanding
requirements of DFARS clause 252.204–
7012 and cybersecurity risks of not
implementing NIST SP 800–171 R2 as
reasons that the 32 CFR part 170 CMMC
Program final rule should be
implemented as soon as possible.
Response: The Department
appreciates that several commenters
expressed agreement to and
encouragement for the CMMC Program
requirement and its associated specific
rule text. The DoD recognizes that not
all entities impacted by these
regulations hold the same view of its
requirements and appreciates those that
took the time to express both positive
and constructive feedback.
Applicability
Once CMMC is implemented in the 48
CFR part 204 CMMC Acquisition rule,
the CMMC Program will require DoD to
identify the CMMC Level and
assessment type as a solicitation
requirement and in the resulting
contract for any effort that will cause a
contractor or subcontractor to process,
store, or transmit FCI or CUI on its
unclassified information system(s).
Once CMMC is implemented in the 48
CFR part 204 CMMC Acquisition rule,
contractors handling FCI or CUI will be
required to meet the CMMC Level and
assessment type specified in the
solicitation and resulting contract.
Summary of Program Changes:
DFARS Case 2019–D041 implemented
DoD’s original model for assessing
contractor information security
protections. The initial CMMC Program
was comprised of five progressively
advanced levels of cybersecurity
standards and required defense
contractors and subcontractors to
undergo a certification process to
demonstrate compliance with the
cybersecurity standards associated with
a given CMMC Level.
In March 2021, the Department
initiated an internal review of CMMC’s
implementation that engaged DoD’s
cybersecurity and acquisition leaders to
refine policy and program
implementation, focusing on the need to
reduce costs for small businesses and
align cybersecurity requirements to
other Federal standards and guidelines.
This review resulted in the revised
CMMC Program, which streamlines
assessment and certification
requirements and improves
implementation of the CMMC Program.
These changes include:
• Eliminating Levels 2 and 4, and
renaming the remaining three CMMC
Levels as follows:
• Level 1 will remain the same as the
initial CMMC Program Level 1;
• Level 2 will be similar to the initial
CMMC Program Level 3;
• Level 3 will be similar to the initial
CMMC Program Level 5.
• Removing CMMC-unique
requirements and maturity processes
from all levels;
• For CMMC Level 1, allowing annual
self-assessments with an annual
affirmation by company leadership;
• Allowing a subset of companies at
Level 2 to demonstrate compliance
through self-assessment rather than
C3PAO assessment.
• For CMMC Level 3, requiring
Department-conducted assessments; and
• Developing a time-bound and
enforceable POA&M process.
In December 2023, the Department
published a proposed rule to amend 32
CFR part 170 in the Federal Register
(Docket ID DOD–2023–OS–0063, 88 FR
89058), which implemented the DoD’s
vision for the revised CMMC Program
outlined in November 2021. The
comment period for the proposed rule
concluded on February 26, 2024.
Changes have been made to the CMMC
Program based on public comment.
Significant changes include:
• The Implementation Phase 1 has
been extended by an additional six
months.
• A new taxonomy was created
differentiating the level and type of
assessment conducted from the CMMC
Status achieved as a result.
• Clarification was added regarding
the DoD’s role in achievement or loss of
CMMC Statuses.
• CMMC Status will be automatically
updated in SPRS for OSAs who have
met standards acceptance.
• Requirements regarding conflict of
interest were updated to expand the
cooling-off period for the CMMC
Accreditation Body to one year and
bounded the timeframe between
consulting and assessing for the CMMC
Ecosystem to three years.
• A requirement was added for the
CMMC Ecosystem members to report
adverse information to the CAICO.
• A Provisional Instructor role was
added to cover the transitional period
that ends 18 months after the effective
date of this rule.
• A CCI requirement was added to
clarify that a CCI must be certified at the
same or higher level than the classes
they are instructing.
• A requirement for artifact retention
was added to Level 1 self-assessments
and Level 2 self-assessments.
• The assessment requirements for
ESPs have been reduced.
• The definition of CSP has been
narrowed and is now based on NIST SP
800–145 Sept2011.
• The assessment requirements for
Security Protection Assets and Security
Protection Data have been reduced.
• References to FedRAMP
equivalency have been tied to DoD
policy.
• Clarified the requirements for CSPs
for an OSC seeking a CMMC Status of
Level 3 (DIBCAC).
• Clarified that DCMA DIBCAC has
the authority to perform limited checks
of compliance of assets that changed
asset category or changed assessment
requirements between the Level 2 and
Level 3 certification assessment.
• Clarification was added around the
use of VDI clients.
• Provided clarification to distinguish
between Plan of Action & Milestones
(POA&Ms) and operational plan of
action.
• Definitions have been added for:
Affirming Official, Assessment
objective, Asset, CMMC security
requirement, CMMC Status, DoD
Assessment Methodology, Enduring
Exception, Operational plan of action,
Personally Identifiable Information,
Security Protection Data (SPD), and
Temporary deficiency. Some definitions
were also changed to source from NIST
documentation instead of Committee on
National Security Systems (CNSS)
Instruction No. 4009.
Background
A. Statement of Need for This Rule
The Department of Defense (DoD)
requires defense contractors to protect
FCI and CUI. To verify contractor and
subcontractor implementation of DoD’s
cybersecurity information protection
requirements, the Department
developed the Cybersecurity Maturity
Model Certification (CMMC) Program as
a means of assessing and verifying
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00078
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83169
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
24
Based on information from the Council of
Economic Advisors report: The Cost of Malicious
Cyber Activity to the U.S. Economy, 2018.
25
Based on information from the Center for
Strategic and International Studies report on the
Economic Impact of Cybercrime; [http://www.csis.org/analysis/economic-impact-cybercrime www.csis.org/
analysis/economic-impact-cybercrime. ]
26
Based on information from the Federal
Procurement Data System, the average number of
unique prime contractors is approximately 212,650
and the number of known unique subcontractors is
approximately 8,300. (FPDS from FY18–FY21).
adequate protection of contractor
information systems that process, store,
or transmit either FCI or CUI.
The CMMC Program is intended to:
(1) align cybersecurity requirements to
the sensitivity of unclassified
information to be protected, (2) add a
self-assessment element to affirm
implementation of applicable
cybersecurity requirements, (3) add a
certification element to verify
implementation of cybersecurity
requirements, and (4) add an affirmation
to attest to continued compliance with
assessed requirements. As part of the
program, DoD also intends to provide
supporting resources and training to the
DIB, to help support companies who are
working to achieve the required CMMC
Status. The CMMC Program provides for
assessment at three levels, starting with
basic safeguarding of FCI at CMMC
Level 1, moving to the broad protection
of CUI at CMMC Level 2, and
culminating with higher-level
protection of CUI against risk from
Advanced Persistent Threats (APTs) at
CMMC Level 3.
The CMMC Program addresses DoD’s
need to protect FCI and CUI during the
acquisition and sustainment of products
and services from the DIB. This effort is
instrumental in establishing
cybersecurity as a foundation for DoD
acquisitions.
Although DoD contract requirements
to provide adequate security for covered
defense information (reflected in
DFARS clause 252.204–7012) predate
CMMC by many years, a verification
requirement for the handling of CUI to
assess a contractor or subcontractor’s
implementation of those required
information security controls is new
with the CMMC Program.
The theft of intellectual property and
sensitive information from all U.S.
industrial sectors from malicious cyber
activity threatens economic security and
national security. The Council of
Economic Advisers estimates that
malicious cyber activity cost the U.S.
economy between $57 billion and $109
billion in 2016.24 The Center for
Strategic and International Studies
estimates that the total global cost of
cybercrime was as high as $600 billion
in 2017.25
Malicious cyber actors have targeted
and continue to target defense
contractors and the DoD supply chain.
These attacks not only focus on the large
prime contractors, but also target
subcontractors that make up the lower
tiers of the DoD supply chain. Many of
these subcontractors are small entities
that provide critical support and
innovation. Overall, the DIB sector
consists of over 220,000 companies 26
that process, store, or transmit CUI or
FCI in support of the warfighter and
contribute towards the research,
engineering, development, acquisition,
production, delivery, sustainment, and
operations of DoD systems, networks,
installations, capabilities, and services.
The aggregate loss of intellectual
property and controlled unclassified
information from the DoD supply chain
can undercut U.S. technical advantages
and innovation, as well as significantly
increase the risk to national security. As
part of multiple lines of effort focused
on the security and resiliency of the
DIB, the Department is working with
industry to enhance the protection of
FCI and CUI within the DoD supply
chain. Toward this end, DoD has
developed the CMMC Program.
Cybersecurity Maturity Model
Certification Program
The CMMC Program provides a
comprehensive and scalable
certification approach to verify the
implementation of requirements
associated with the achievement of a
cybersecurity level. CMMC is designed
to provide increased assurance to the
Department that defense contractors can
adequately protect FCI and CUI at a
level commensurate with the risk,
accounting for information flow down
to its subcontractors in a multi-tier
supply chain. Defense contractors can
achieve a specific CMMC Status for
their entire enterprise network or an
enclave(s), depending upon where the
information to be protected is
processed, stored, or transmitted.
The CMMC Program assesses
implementation of cybersecurity
requirements. The CMMC requirements
for safeguarding and security are the
same as those required by FAR Subpart
4.19 and DFARS clause 252.204–7012,
as well as selected NIST SP 800–172
Feb201 requirements. CMMC Level 1
requires implementation of the
safeguarding requirements set forth in
FAR clause 52.204–21. CMMC Level 2
requires implementation of the security
requirements in NIST SP 800–171 R2.
CMMC Level 3 requires implementation
of the security requirements in NIST SP
800–171 R2 as well as selected NIST SP
800–172 Feb2021 requirements, with
DoD specified parameters. The CMMC
security requirements for all three
Levels are provided in § 170.14. In
general, CMMC assessments do not
duplicate efforts from existing DoD
assessments. In rare circumstances a re-
assessment may be necessary when
cybersecurity risks, threats, or
awareness have changed.
Under the CMMC Program, CMMC
contract requirements include self-
assessments and third-party assessments
for CMMC Level 2, predicated on
program criticality, information
sensitivity, and the severity of cyber
threat. Based on the type and sensitivity
of the information to be protected, a
defense contractor must achieve the
appropriate CMMC Status and
demonstrate implementation of the
associated set of information protection
requirements.
If the CMMC Status of Level 1 (Self)
or Level 2 (Self) is a contract
requirement, the defense contractor will
be required to self-assess its compliance
with the CMMC Level 1 or Level 2
security requirements and submit both
the self-assessment results and an
affirmation of conformance in SPRS.
Level 1 self-assessment and associated
affirmation is required annually. Level 2
self-assessment is required every three
years with an affirmation following the
self-assessment and annually after the
Final CMMC Status Date.
If the CMMC Status of Level 2
(C3PAO) is a contract requirement, the
Level 2 certification assessment must be
performed by an authorized or
accredited CMMC Third Party
Assessment Organization (C3PAO).
When the CMMC Status of Level 3
(DIBCAC) is a contract requirement, the
Level 3 certification assessment by
DCMA DIBCAC is required following
the achievement of the CMMC Status of
Final Level 2 (C3PAO). Upon
achievement of the CMMC Status of
Level 2 (C3PAO) or Level 3 (DIBCAC),
the offeror will be issued a Certificate of
CMMC Status. The assessment results
are documented in SPRS to enable
contracting officers to verify the CMMC
Status and CMMC Status Date (i.e., not
more than three years old) of an offeror
prior to contract award. The offeror
must also submit an affirmation of
conformance in SPRS following the
assessment and annually after the Final
CMMC Status Date.
CMMC allows the use of a Plan of
Action and Milestones (POA&Ms) for
specified CMMC Level 2 and Level 3
security requirements. Each POA&M
must be closed (i.e., all requirements
completed), within 180 days of the
initial assessment.
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00079
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83170
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
27
www.govinfo.gov/content/pkg/PLAW-
116publ92/pdf/PLAW-116publ92.pdf.
The details of the requirements for
self-assessment, certification
assessment, and affirmation for each
CMMC Level, are provided in §§ 170.15
through 170.18. POA&M requirements
and affirmation requirements are
provided in §§ 170.21 and 170.22.
DoD’s phased implementation of the
CMMC Status requirements is described
in § 170.3(e). Once CMMC requirements
have been implemented in the DFARS,
the solicitation and resulting contract
will identify the specific CMMC Status
required for that procurement. Selection
of a CMMC Status will be based upon
careful consideration of market research
and the likelihood of a robust
competitive market of prospective
offerors capable of meeting the
requirement. In some scenarios, DoD
may elect to waive application of
CMMC Status requirements to a
particular procurement. In such cases,
the solicitation will not include a
CMMC Status requirement. Such
waivers may be requested and approved
by the Department in accordance with
DoD’s internal policies and procedures.
For a DoD solicitation or contract that
does include CMMC requirements,
including those for the acquisition of
commercial items (except those
exclusively COTS items) valued at
greater than the micro-purchase
threshold, contracting officers will not
make award, or exercise an option on a
contract, if the offeror or contractor does
not meet the requirements for the
required CMMC Status. Furthermore,
CMMC requirements are required to
flow down to subcontractors as
prescribed in the solicitation and
resulting contract at all tiers,
commensurate with the sensitivity of
the unclassified information flowed
down to each subcontractor.
B. Legal Authority
5 U.S.C. 301 authorizes the head of an
Executive department or military
department to prescribe regulations for
the government of his or her
department, the conduct of its
employees, the distribution and
performance of its business, and the
custody, use, and preservation of its
records, papers, and property ([http://www.govinfo.gov/content/pkg/USCODE-2009-title5/pdf/USCODE-2009-title5-partI-chap3-sec301.pdf www.
govinfo.gov/content/pkg/USCODE-2009-
title5/pdf/USCODE-2009-title5-partI-
chap3-sec301.pdf). ]
Section 1648 of the National Defense
Authorization Act for Fiscal Year 2020
(Pub. L. 116–92) 27 directs the Secretary
of Defense to develop a consistent,
comprehensive framework to enhance
cybersecurity for the U.S. Defense
Industrial Base (DIB). The CMMC
Program is an important part of this
framework.
C. Community Impact
This final rule impacts all prospective
and actual DoD contractors and
subcontractors that are handling or will
handle DoD information that meets the
standards for FCI or CUI on a contractor
information system during performance
of the DoD contract or subcontract. This
final rule also impacts all companies
who are performing or will perform
accreditation, training, certification, or
assessment functions in connection
with implementation of the CMMC
Program.
D. Regulatory History
The CMMC Program verifies defense
contractor compliance with DoD’s
cybersecurity information protection
requirements. It is designed to protect
FCI and CUI that is shared by the
Department with, or generated by, its
contractors and subcontractors. The
cybersecurity standards required by the
program are the same as those set forth
in FAR clause 52.204–21 (CMMC Level
1), the NIST SP 800–171 R2 guidelines,
which is presently required by DFARS
clause 252.204–7012 (CMMC Level 2),
and additional selected requirements
from the NIST SP 800–172 Feb2021
guidelines (CMMC Level 3). The
program adds a robust assessment
element and provides the Department
increased assurance that contractors and
subcontractors are meeting these
requirements.
In September 2020, the DoD
published the 48 CFR CMMC interim
final rule to the DFARS in the Federal
Register (DFARS Case 2019–D041, 85
FR 48513, September 9, 2020), which
implemented the DoD’s vision for the
initial CMMC Program and outlined the
basic features of the program (tiered
model, required assessments, and
implementation through contracts). The
48 CFR CMMC interim final rule
became effective on November 30, 2020,
establishing a five-year phase-in period.
In March 2021, the Department
initiated an internal review of CMMC’s
implementation, informed by more than
750 CMMC-related public comments in
response to the 48 CFR CMMC interim
final rule. This comprehensive,
programmatic assessment engaged
cybersecurity and acquisition leaders
within DoD to refine policy and
program implementation.
In November 2021, the Department
announced plans for a revised CMMC
Program, which incorporates an
updated program structure and
requirements designed to achieve the
primary goals of an internal DoD review
of the CMMC Program. With the
implementation of the CMMC Program,
the Department introduced several key
changes that build on and refine the
original program requirements. These
include:
• Streamlining the model from five to
three certification levels;
• Allowing all companies at Level 1
and a subset of companies at Level 2 to
demonstrate compliance through self-
assessments;
• Increased oversight of professional
and ethical standards of third-party
assessors; and
• Allowing companies, under certain
limited circumstances, to make
POA&Ms to achieve certification.
In December 2023, the Department
published a proposed rule to amend 32
CFR part 170 in the Federal Register
(Docket ID 2023–OS–0063, 88 FR 89058,
December 26, 2023), which
implemented the DoD’s vision for the
revised CMMC Program outlined in
November 2021. The comment period
for the proposed rule concluded on
February 26, 2024.
The CMMC requirements established
pursuant to DFARS Case 2019–D041
have not been revised as of the date of
publication of this final rule. However,
the CMMC Program requirements in this
final rule will be implemented in the
DFARS, as needed, which may result in
changes to the current DFARS text,
solicitation provisions, and contract
clauses relating to DoD’s cybersecurity
protection requirements, including
DFARS subpart 204.75 and DFARS
clause 252.204–7021, Cybersecurity
Maturity Model Certification (CMMC)
Requirements.
Context of the CMMC Program in Light
of Other DoD-Related Work
At present, and prior to the DFARS
CMMC Acquisition rule becoming
effective, the Department is using the
DCMA DIBCAC to conduct CMMC Level
2-like assessments. To date, the DCMA
DIBCAC has assessed 357 entities
including DoD’s major prime
contractors. The CMMC Program’s
assessment phase-in plan, as described
in § 170.3 Applicability, does not
preclude entities from immediately and
voluntarily seeking a CMMC
certification assessment prior to the
DFARS CMMC Acquisition rule being
finalized and the clause being added to
new or existing DoD contracts.
The Department estimates 8,350
medium and large entities will require
CMMC Level 2 certification
assessments. Once the CMMC DFARS
coverage is effective, the Department
will contractually mandate CMMC Level
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00080
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83171
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
28
https://media.defense.gov/2024/Mar/28/
29
www.govinfo.gov/content/pkg/FR-2020-12-21/
30
www.dcsa.mil/Industrial-Security/National-
[http://www.dcsa.mil/Industrial-Security/National-Industrial-Security-Program-Oversight/32-CFR-Part-117-NISPOM-Rule/ Industrial-Security-Program-Oversight/32-CFR-Part-
117-NISPOM-Rule/. ]
2 certification assessments on these
entities. It is estimated that 135 CMMC
Third-Party Assessment Organization
(C3PAO)-led assessments will be
completed in the first year. The
Department estimates 673 C3PAO-led
assessments in year 2 followed by 2,252
C3PAO-led assessments in year 3.
During the fourth year, the Department
estimates,4,452 C3PAO-led assessments
will be completed. The DCMA DIBCAC
will perform assessments upon DoD’s
request.
Additionally, the Department may
include CMMC Level 2 certification
requirements on contracts awarded
prior to the CMMC DFARS coverage
becoming effective, but doing so will
require bilateral contract modification
after negotiations.
The CMMC Program has been
incorporated in the Department’s 2024
Defense Industrial Base Cybersecurity
Strategy.28 The strategy requires the
Department to coordinate and
collaborate across components to
identify and close gaps in protecting
DoD networks, supply chains, and other
critical resources. Other prongs of the
Department’s cybersecurity strategy are
described in the Department’s National
Industrial Security Program Operating
Manual (NISPOM) which address
implementation of the Security
Executive Agent Directive (SEAD) 3,29
including clarifications on procedures
for the protection and reproduction of
classified information; controlled
unclassified information (CUI); National
Interest Determination (NID)
requirements for cleared contractors
operating under a Special Security
Agreement for Foreign Ownership,
Control, or Influence; and eligibility
determinations for personnel security
clearance processes and requirements.30
In addition, DCMA DIBCAC is
responsible for leading the Department’s
contractor cybersecurity risk mitigation
efforts. As part of this work, the DIBCAC
assesses the defense industrial base
companies to ensure they are meeting
contractually required cybersecurity
standards. The DIBCAC team ensures
contractors have the ability to protect
controlled unclassified information for
government contracts they are awarded.
DIBCAC conducts NIST SP 800–171
assessments in support of DFARS clause
252.204–7012, Safeguarding Covered
Defense Information and Cyber Incident
Reporting, and DFARS clause 204.204–
7020, NIST SP 800–171 DoD
Assessment Requirements. The DFARS
204.204–7020 DIBCAC prioritization
process is designed to adjust as DoD’s
cyber priorities evolve based on ongoing
threats. DIBCAC analysts collect and
analyze data on DoD contractors to
include:
• Mission critical programs,
technologies, and infrastructure and the
contractors (prime or lower tier) that
support DoD capabilities.
• Cyber threats, vulnerabilities, or
incidents.
• DoD Leadership requests.
Regulatory Impact Analysis
FAR Subpart 4.19 and DFARS clause
252.204–7012 address safeguarding of
FCI and CUI in contractor information
systems and prescribe contract clauses
requiring protection of FCI and CUI
within the supply chain. The FAR and
DFARS requirements for safeguarding
FCI and CUI predate the CMMC
Program by many years, and baseline
costs for their implementation are
assumed to vary widely based on factors
including, but not limited to, company
size and complexity of the information
systems to be secured. FAR clause
52.204–21 is prescribed at FAR section
4.1903 for use in solicitations and
contracts when the contractor or
subcontractor at any tier may have FCI
residing in or transiting through its
information system. This clause requires
contractors and subcontractors to apply
basic safeguarding requirements and
procedures to protect applicable
contractor information systems that
process, store, or transmit FCI. In
addition, DFARS clause 252.204–7012,
Safeguarding Covered Defense
Information and Cyber Incident
Reporting, is prescribed at DFARS
section 204.7304(c) for use by DoD in all
solicitations and contracts, including
solicitations and contracts using FAR
part 12 procedures for the acquisition of
commercial items, except for
solicitations and contracts solely for the
acquisition of commercially available
off-the-shelf items. This clause applies
when a contractor information system
processes, stores, or transmits covered
defense information and requires
contractors and subcontractors to
provide ‘‘adequate security’’ to
safeguard that information when it
resides on or transits through a
contractor information system, and to
report cyber incidents that affect that
system or network. The clause states
that to provide adequate security, the
contractor shall implement, at a
minimum, the security requirements in
National Institute of Standards and
Technology (NIST) Special Publication
(SP) 800–171 R2, Protecting CUI in
Nonfederal Systems and Organizations.
Contractors are also required to flow
down DFARS clause 252.204–7012 to
all subcontracts for operationally critical
support or for which subcontractor
performance will involve covered
defense information.
However, neither FAR clause 52.204–
21 nor DFARS clause 252.204–7012
provide for DoD assessment of a
contractor’s implementation of the
information protection requirements
required by those clauses. The
Department developed the CMMC
Program to verify implementation of
cybersecurity requirements in DoD
contracts and subcontracts, by assessing
adequacy of contractor information
system security compliance prior to
award and during performance of the
contract. With limited exceptions, the
Department intends to require
compliance with CMMC as a condition
of contract award. Once CMMC is
implemented, the required CMMC
Status will be specified in the
solicitation and resulting contract.
Contractors handling FCI or CUI will be
required to meet the CMMC Status
specified in the contract.
There are three different levels of
CMMC assessment, starting with basic
safeguarding of FCI at Level 1, moving
to the broad protection of CUI at Level
2, and culminating with higher level
protection of CUI against risk from
Advanced Persistent Threats (APTs) at
Level 3. The benefits and costs
associated with implementing this final
rule, as well as alternative approaches
considered, are as follows:
Costs
A Regulatory Impact Analysis (RIA)
that includes a detailed discussion and
explanation about the assumptions and
methodology used to estimate the cost
of this regulatory action follows and is
available at www.regulations.gov (search
for ‘‘DoD–2023–OS–0063,’’ click ‘‘Open
Docket,’’ and view ‘‘Supporting
Documents’’).
Background
The Department of Defense (DoD or
Department) requires a secure and
resilient supply chain to ensure the
development, production, and
sustainment of capabilities critical to
national security. The DoD supply chain
is targeted by adversaries with
increasing frequency and sophistication,
and to devastating effect. Therefore,
implementation of cybersecurity
standards and enforcement mechanisms
are critically important. Executive Order
(E.O.) 14028, ‘‘Improving the Nation’s
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00081
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83172
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
31
www.gao.gov/assets/gao-22-104746.pdf.
32
www.ic3.gov/Media/News/2021/210310.pdf.
33
www.cisa.gov/uscert/ncas/current-activity/
[http://www.cisa.gov/uscert/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa 2021/07/04/cisa-fbi-guidance-msps-and-their-
customers-affected-kaseya-vsa. ]
34
www.mitre.org/sites/default/files/publications/
[http://www.mitre.org/sites/default/files/publications/pr-18-2417-deliver-uncompromised-MITRE-study-26AUG2019.pdf pr-18-2417-deliver-uncompromised-MITRE-study-
26AUG2019.pdf. ]
35
www.cisa.gov/uscert/ncas/alerts/aa22-057a.
Cybersecurity,’’ emphasizes the need to
strengthen cybersecurity protections for
both the Federal Government and the
private sector.
Nation-state adversaries attack the
U.S. supply chain for a myriad of
reasons, including exfiltration of
valuable technical data (a form of
industrial espionage); disruption to
control systems used for critical
infrastructure, manufacturing, and
weapons systems; corruption of quality
and assurance across a broad range of
product types and categories; and
manipulation of software to achieve
unauthorized access to connected
systems and to degrade the integrity of
system operations. For example, since
September 2020, major cyber-attacks
such as the SolarWinds,31 Colonial
Pipeline, Hafnium,32 and Kaseya 33
attacks, have been spearheaded or
influenced by nation-state actors 34 and
resulted in significant failures and
disruption. In context of this threat, the
size and complexity of defense
procurement activities provide
numerous pathways for adversaries to
access DoD’s sensitive systems and
information. Moreover, adversaries
continue to evolve their tactics,
techniques, and procedures. For
example, on April 28, 2022, CISA and
the FBI issued an advisory on
destructive ‘‘wiperware,’’ a form of
malware which can destroy valuable
information 35. Protection of FCI and
CUI is critically important, and the DoD
needs assurance that contactor
information systems are adequately
secured to protect such information
when it resides on or transits those
systems.
The Department is committed to
working with defense contractors to
protect FCI and CUI.
• Federal Contract Information (FCI):
As defined in section 4.1901 of the FAR,
FCI means information, not intended for
public release, that is provided by or
generated for the Government under a
contract to develop or deliver a product
or service to the Government, but not
including information provided by the
Government to the public, such as that
on public websites, or simple
transactional information, such as that
necessary to process payments.
• Controlled Unclassified Information
(CUI): 32 CFR 2002.4(h) defines CUI, in
part, as information the Government
creates or possesses, or that an entity
creates or possesses for or on behalf of
the Government, that a law, regulation,
or Government-wide policy requires or
permits an agency to handle using
safeguarding or dissemination controls,
including FCI.
In September 2020, the DoD
published 48 CFR CMMC interim final
rule (DFARS Case 2019–D041, 85 FR
48513, September 9, 2020), which
implemented DoD’s vision for the initial
Cybersecurity Maturity Model
Certification (CMMC) Program and
outlined basic program features, to
include: 5-level tiered model, CMMC
Certified Third Party Assessment
Organization (C3PAO) assessments in
support of contractor and subcontractor
certification, with no allowance for a
Plan of Action and Milestones
(POA&Ms), and implementation of all
security requirements by the time of a
contract award. A total of 750 comments
were received on the 48 CFR CMMC
interim final rule during the public
comment period that ended on
November 30, 2020. These comments
highlighted a variety of industry
concerns including concerns relating to
the costs for a C3PAO certification, and
the costs and burden associated with
implementing, prior to award, the
required process maturity and 20
additional cybersecurity practices that
were included in the initial CMMC
Program. The Small Business
Administration Office of Advocacy also
raised similar concerns on the impact
the rule would have on small businesses
in the DIB.
Pursuant to DFARS clause 252.204–
7012, DoD has required certain defense
contractors and subcontractors to
implement the security protections set
forth in the National Institute of
Standards and Technology (NIST)
Special Publication (SP) 800–171 R2 to
provide adequate security for CUI that is
processed, stored, or transmitted on
contractor information systems. The
CMMC Program provides the
Department the mechanism needed to
verify that a defense contractor or
subcontractor has implemented the
security requirements at each CMMC
Level and is maintaining that status
across the contract period of
performance, as required.
In calendar year (CY) 2021 DoD
paused the planned CMMC rollout to
conduct an internal review of the
CMMC Program. The internal review
resulted in a refined and streamlined set
of requirements that addressed many of
the concerns identified in the public
comments received relating to the initial
CMMC Program. These changes have
been incorporated into the revised
CMMC Program structure and policies.
In July 2022, the CMMC PMO met with
the Office of Advocacy for the United
States Small Business Administration
(SBA) to address the revisions planned
to the CMMC Program that are
responsive to prior SBA concerns.
The CMMC Program will enhance the
ability of the DoD to safely share FCI
and CUI with defense contractors and
know the information will be suitably
safeguarded. Once fully implemented,
CMMC will incorporate a set of
cybersecurity requirements into
acquisition contracts to provide
verification that applicable cyber
protections have been implemented.
Under the CMMC Program, defense
contractors and subcontractors will be
required to implement certain
cybersecurity protection requirements
tied to a designated CMMC level and
either perform a self-assessment or
obtain an independent assessment from
either a C3PAO or DCMA DIBCAC as a
condition of a DoD contract award.
CMMC is designed to validate the
protection of FCI and CUI that is shared
with and generated by the Department’s
contractors and subcontractors. Through
protection of information by adherence
to the requirements verified in the
revised CMMC Program, the Department
and its contractors will prevent
disruption in service and the loss of
intellectual property and assets, and
thwart access to FCI and CUI by the
nation’s adversaries.
The CMMC Program is intended to:
(1) align cybersecurity requirements to
the sensitivity of unclassified
information to be protected, and (2) add
a certification element, where
appropriate, to verify implementation of
cybersecurity requirements. As part of
the program, DoD also intends to
provide supporting resources and
training to defense contractors to help
support companies who are working to
achieve the required CMMC Status. The
CMMC Program provides for assessment
at three levels: basic safeguarding of FCI
at CMMC Level 1, broad protection of
CUI at CMMC Level 2, and enhanced
protection of CUI against risk from
Advanced Persistent Threats (APTs) at
CMMC Level 3. The CMMC Program is
designed to provide increased assurance
to the Department that a defense
contractor can adequately protect FCI
and CUI in accordance with prescribed
security requirements, accounting for
information flow down to its
subcontractors in a multi-tier supply
chain.
The CMMC Program addresses DoD’s
need to protect FCI and CUI during the
acquisition and sustainment of products
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00082
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83173
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
36
DODIG–2019–105 ‘‘Audit of Protection of DoD
CUI on Contractor-Owned Networks and Systems.’’
and services from the DIB. This effort is
instrumental in establishing
cybersecurity as a foundation for future
DoD acquisition.
Although DoD contract requirements
to provide adequate security for covered
defense information (reflected in
DFARS clause 252.204–7012) predate
CMMC by many years, a certification
requirement for the handling of CUI to
assess a contractor or subcontractor’s
compliance of those required
information security controls is new
with the CMMC Program. Findings from
DoD Inspector General report 36 indicate
that DoD contractors did not
consistently implement mandated
system security requirements for
safeguarding CUI and recommended
that DoD take steps to assess a
contractor’s ability to protect this
information. The report emphasizes that
malicious actors can exploit the
vulnerabilities of contractors’ networks
and systems and exfiltrate information
related to some of the Nation’s most
valuable advanced defense technologies.
Currently, the FAR and DFARS
prescribe contract clauses intended to
protect FCI and CUI. Specifically, the
clause at FAR 52.204–21, Basic
Safeguarding of Covered Contractor
Information Systems, is prescribed at
FAR 4.1903 for use in Government
solicitations and contracts when the
contractor or a subcontractor at any tier
may have FCI residing in or transiting
through its information system(s). This
clause requires contractors and
subcontractors to implement basic
safeguarding requirements and
procedures to protect FCI being
processed, stored, or transmitted on
contractor information systems. In
addition, DFARS clause 252.204–7012,
Safeguarding Covered Defense
Information and Cyber Incident
Reporting, is prescribed at DFARS
204.7304(c) for use in all solicitations
and contracts except for solicitations
and contracts solely for the acquisition
of commercially available off-the-shelf
(COTS) items. This clause requires
contractors and subcontractors to
provide ‘‘adequate security’’ to process,
store or transmit covered defense
information when it resides on or
transits a contractor information system,
and to report cyber incidents that affect
that system or network. The clause
states that to provide adequate security,
the contractor shall implement, at a
minimum, the security requirements in
NIST Special Publication (SP) 800–171
R2, Protecting CUI in Nonfederal
Systems and Organizations. Contractors
are also required to flow down DFARS
clause 252.204–7012 to all subcontracts
that require processing, storing, or
transmitting of covered defense
information.
However, neither FAR clause 52.204–
21 nor DFARS clause 252.204–7012
provide for DoD verification of a
contractor’s implementation of the basic
safeguarding requirements specified in
FAR clause 52.204–21 nor the security
requirements specified in NIST SP 800–
171 R2, implementation of which is
required by DFARS clause 252.204–
7012, prior to contract award. As part of
multiple lines of effort focused on the
security and resilience of the DIB, the
Department is working with industry to
enhance the protection of FCI and CUI
within the DoD supply chain. Toward
this end, DoD has developed the CMMC
Program.
Revised CMMC Program Requirements
The CMMC Program requirements
will be implemented through the DoD
acquisition and contracting process.
With limited exceptions, the
Department intends to require
compliance with CMMC as a condition
of contract award. Once CMMC is
implemented, the required CMMC
Status will be specified in the
solicitation and resulting contract.
Contractors handling FCI or CUI will be
required to meet the CMMC Status
specified in the contract. In accordance
with the implementation plan described
in § 170.3(e), CMMC Status
requirements will apply to new DoD
solicitations and contracts, and shall
flow down to subcontractors, based on
the sensitivity of the FCI and CUI to be
processed, stored or transmitted to or by
the subcontractor. Before contract
award, the offeror must achieve the
specified CMMC Status for the
contractor information system (e.g.,
enterprise network, network enclave)
that will process, store, or transmit the
information to be protected. The
contractor or subcontractor will also
submit affirmations in the Supplier
Performance Risk System (SPRS). An
overview of requirements at each level
is shown:
Level 1 Self-Assessment
• Level 1 self-assessment requires
compliance with basic safeguarding
requirements to protect FCI are set forth
in FAR clause 52.204–21. CMMC Level
1 does not add any additional security
requirements to those identified in FAR
clause 52.204–21.
• OSAs will submit the following
information in SPRS:
1. the results of a self-assessment of
the OSA’s implementation of the basic
safeguarding requirements set forth in
§ 170.15 associated with the contractor
information system(s) used in
performance of the contract; and
2. an initial affirmation of
compliance, and then annually
thereafter, an affirmation of continued
compliance as set forth in § 170.22.
3. the Level 1 self-assessment cost
burden will be addressed as part of the
48 CFR part 204 CMMC Acquisition
final rule.
Level 2 Self-Assessment
• Level 2 self-assessment requires
compliance with the security
requirements set forth in NIST SP 800–
171 R2 to protect CUI. CMMC Level 2
does not add any additional security
requirements to those identified in NIST
SP 800–171 R2.
• OSAs will submit the following
information in SPRS:
1. the results of a self-assessment of
the OSA’s implementation of the NIST
SP 800–171 R2 requirements set forth in
§ 170.16 associated with the covered
contractor information system(s) used in
performance of the applicable contract.
2. an initial affirmation of
compliance, and, if applicable, a
POA&M closeout affirmation, and then
annually thereafter, an affirmation of
continued compliance set forth in
§ 170.22.
3. the Level 2 self-assessment cost
burden will be addressed as part of the
48 CFR part 204 CMMC Acquisition
final rule.
Level 2 Certification Assessment
• Level 2 certification assessment
requires compliance with the security
requirements set forth in in § 170.17 to
protect CUI. CMMC Level 2 does not
add any additional security
requirements to those selected in NIST
SP 800–171 R2.
• A Level 2 certification assessment
of the applicable contractor information
system(s) provided by an authorized or
accredited C3PAO is required to
validate implementation of the NIST SP
800–171 R2 security requirements prior
to award of any prime contract or
subcontract and exercise of option.
• The C3PAO will upload the Level 2
certification assessment results in the
CMMC instantiation of eMASS which
will feed the information into SPRS.
• OSCs will submit in SPRS an initial
affirmation of compliance, and, if
necessary, a POA&M closeout
affirmation, and then annually
following the Final CMMC Status Date,
an affirmation of continued compliance
as set forth in § 170.22.
The Level 2 certification assessment
cost burdens are included in this part
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00083
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83174
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
with the exception of the requirement
for the OSC to upload the affirmation in
SPRS that is included in the 48 CFR part
204 CMMC Acquisition final rule and
an update to DFARS collection
approved under OMB Control Number
0750–0004, Assessing Contractor
Implementation of Cybersecurity
Requirements. Additionally, the
information collection reporting
requirements for the CMMC
instantiation of eMASS are included in
a separate ICR for this part and cover
only those requirements pertaining to
the CMMC process.
Level 3 Certification Assessment
• Level 3 certification assessment
requires the CMMC Status of Final Level
2 (C3PAO) and compliance with the
security requirements set forth in
§ 170.18 to protect CUI. CMMC Level 3
adds additional security requirements to
those required by existing acquisition
regulations as specified in this rule.
• A Level 3 certification assessment
of the applicable contractor information
system(s) provided by the DCMA
Defense Industrial Base Cybersecurity
Assessment Center (DIBCAC) is required
to validate implementation of the DoD-
defined selected security requirements
set forth in NIST SP 800–172 Feb2021.
A CMMC Status of Final Level 2
(C3PAO) is a prerequisite to schedule a
DCMA DIBCAC Level 3 certification
assessment.
• DCMA DIBCAC will upload the
Level 3 certification assessment results
into the CMMC instantiation of eMASS,
which will feed the information into
SPRS.
• OSCs will submit in SPRS an initial
affirmation of compliance, and, if
necessary, a POA&M closeout
affirmation, and then annually
following the Final CMMC Status Date,
an affirmation of continued compliance
as set forth in § 170.22.
The Level 3 certification assessment
cost burdens are included in this part
with the exception of the requirement
for the OSC to upload the affirmation in
SPRS that is included in the 48 CFR part
204 CMMC Acquisition rule and an
update to DFARS collection approved
under OMB Control Number 0750–0004,
Assessing Contractor Implementation of
Cybersecurity Requirements.
Additionally, the information collection
reporting requirements for the CMMC
instantiation of eMASS are included in
a separate ICR for this part and cover
only those requirements pertaining to
the CMMC process. As described, the
CMMC Program couples an affirmation
of compliance with certification
assessment requirements to verify OSA
implementation of cybersecurity
requirements, as applicable.
The CMMC Program addresses DoD’s
need to protect FCI and CUI during the
acquisition and sustainment of products
and services from the DIB. This effort is
instrumental in ensuring cybersecurity
is the foundation of future DoD
acquisitions.
Policy Problems Addressed by the
Revised CMMC Program
Implementation of the CMMC
Program is intended to solve the
following policy problems:
Lack of Verification of Contractor
Compliance With Cybersecurity
Requirements
Neither FAR clause 52.204–21 nor
DFARS clause 252.204–7012 provide for
DoD assessment of a defense contractor
or subcontractor’s implementation of
the information protection requirements
within those clauses. Defense
contractors represent that they will
implement the requirements in NIST SP
800–171 R2 upon submission of their
offer. Findings from DoD Inspector
General report (DODIG–2019–105
‘‘Audit of Protection of DoD Controlled
Unclassified Information on Contractor-
Owned Networks and Systems’’)
indicate that DoD contractors did not
consistently implement mandated
system security requirements for
safeguarding CUI and recommended
that DoD take steps to assess a
contractor’s ability to protect this
information. CMMC adds new
assessment requirements for contractor
implementation of underlying
information security requirements, to
allow DoD to assess a defense
contractor’s cybersecurity posture using
authorized or accredited C3PAOs. The
contractor and subcontractor must
achieve the required CMMC Level as a
condition of contract award.
Inadequate Implementation of
Cybersecurity Requirements
Under DFARS clause 252.204–7012
and DFARS clause 252.204–7020,
defense contractors and subcontractors
must document implementation of the
security requirements in NIST SP 800–
171 R2 in a system security plan and
may use a plan of action to describe
how and when any unimplemented
security requirements will be met. For
the CMMC Program, the solicitation and
resulting contract, will specify the
required CMMC Status, which will be
determined considering program
criticality, information sensitivity, and
severity of cyber threat. Although the
security requirements in NIST SP 800–
171 R2 address a range of threats,
additional requirements are needed to
significantly reduce the risk posed by
APTs. An APT is an adversary that
possesses sophisticated levels of
expertise and significant resources that
allow it to create opportunities to
achieve its objectives by using multiple
attack vectors (e.g., cyber, physical, and
deception). CMMC Level 3 requires
implementation of selected security
requirements from NIST SP 800–172
Feb2021 to reduce the risk of APT
threats.
The CMMC Program will require
prime contractors to flow the
appropriate CMMC Status requirement
down throughout the entire supply
chain relevant to a particular contract.
Defense contractors or subcontractors
that handle FCI, must meet the
requirements for CMMC Level 1.
Defense contractors that handle CUI
must meet the requirements for CMMC
Level 2 or higher, depending on the
sensitivity of the information associated
with a program or technology being
developed.
Insufficient Scale and Depth of
Resources To Verify Compliance
Today, DoD prime contractors must
include DFARS clause 252.204–7012 in
subcontracts for which performance will
involve covered defense information,
but this does not provide the
Department with sufficient insights with
respect to the cybersecurity posture of
all members of a multi-tier supply chain
for any given program or technology
development effort. The revised CMMC
Program requires prime contractors to
flow down appropriate CMMC Status
requirements, as applicable, to
subcontractors throughout their supply
chain(s).
Given the size and scale of the DIB,
the Department cannot scale its existing
cybersecurity assessment capability to
conduct on-site assessments of
approximately 220,000 DoD contractors
and subcontractors every three years.
The Department’s existing assessment
capability is best suited for conducting
targeted assessments for the relatively
small subset of DoD contractors and
subcontractors that support designated
high-priority programs involving CUI.
CMMC addresses the Department’s
scaling challenges by utilizing a private-
sector accreditation structure. A DoD-
authorized Accreditation Body will
authorize, accredit, and provide
oversight of C3PAOs which in turn will
conduct Level 2 certification
assessments of actual and prospective
DoD contractors and subcontractors.
Defense contractors will directly
contract with an authorized or
accredited C3PAO to obtain a Level 2
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00084
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83175
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
certification assessment. The cost of
Level 2 certification assessment
activities is driven by multiple factors,
including market forces that govern
availability of C3PAOs and the size and
complexity of the enterprise or enclave
under assessment. The Government will
perform Level 3 certification
assessments. Government resource
limitations may affect schedule
availability.
Reduces Duplicate or Respective
Assessments of Our Industry Partners
CMMC assessment results will be
posted in SPRS, DoD’s authoritative
source for supplier and product
performance information. Posting
CMMC assessment results in SPRS
precludes the need to validate CMMC
implementation on a contract-by-
contract basis. This enables DoD to
identify whether the CMMC
requirements have been met for relevant
contractor information systems, avoids
duplicative assessments, and eliminates
the need for program level assessments,
all of which decreases costs to both DoD
and industry.
Revised CMMC Program
Implementation
The DoD is implementing a phased
implementation for the revised CMMC
Program and intends to introduce
CMMC Status requirements in
solicitations over a three-year period to
provide appropriate ramp-up time. This
phased implementation is intended to
minimize the financial impacts to
defense contractors, especially small
businesses, and disruption to the
existing DoD supply chain. After CMMC
is implemented in acquisition
regulation, DoD will include CMMC
self-assessment requirements in
solicitations and resulting contracts
when warranted by the type of
information that will be handled by the
contractor of subcontractor(s). CMMC
Status requirements for Levels 1, 2, and
3 will be included in solicitations and
resulting contracts issued after the
phase-in period when warranted by any
FCI and/or CUI information protection
requirements for the contract effort. In
the intervening period, Government
Program Managers will have discretion
to include CMMC Status requirements
or exclude them and rely upon existing
DFARS clause 252.204–7012
requirements, in accordance with DoD
policy. As stated in § 170.20(a), there is
qualified standards acceptance between
DCMA DIBCAC High Assessment and
the CMMC Status of Level 2(C3PAO),
which will result in staggering of the
dates for new Level 2 certification
assessments. The implementation
period will consist of four (4) phases as
set forth in § 170.3(e), during which
time the Government will include
CMMC requirements in certain
solicitations and contracts. During the
CMMC phase-in period, program
managers and requiring activities will
be required to include CMMC Status
requirements in certain solicitations and
contracts and will have discretion to
include in others.
A purpose of the phased
implementation is to ensure adequate
availability of authorized or accredited
C3PAOs and assessors to meet the
demand.
Revised CMMC Program Flow Down
CMMC Level requirements will be
flowed down to subcontractors at all
tiers as set forth in § 170.23; however,
the specific CMMC Status required for
a subcontractor will be based on the
type of unclassified information and the
priority of the acquisition program and/
or technology being developed.
Key Changes Incorporated in the
Revised CMMC Program
In November 2021, the Department
announced the revised CMMC Program,
which is an updated program structure
with revised requirements. In the
revised CMMC Program, the Department
has introduced several key changes that
build on and refine the original program
requirements. These include:
• Streamlining the model from five
levels to three levels.
• Exclusively implementing National
Institute of Standards and Technology
(NIST) cybersecurity standards and
guidelines.
• Allowing all companies subject to
Level 1, and a subset of companies
subject to Level 2 to demonstrate
compliance through self-assessments.
• Increased oversight of professional
and ethical standards of CMMC third-
party assessors.
• Allowing Plans of Action &
Milestones (POA&M) under limited
circumstances to achieve conditional
certification.
As a result of the alignment of the
revised CMMC Program to NIST
guidelines, the Department’s
requirements will continue to evolve as
changes are made to the underlying
NIST SP 800–171 R2, NIST SP 800–
171A Jun2018, NIST SP 800–172
Feb2021, and NIST SP 800–172A
Mar2022 requirements.
CMMC Assessment
Assessment Criteria
CMMC requires that defense
contractors and subcontractors
entrusted with FCI and CUI implement
cybersecurity standards at progressively
more secure levels, depending on the
type and sensitivity of the information.
Level 1 Self-Assessment
An annual Level 1 self-assessment
and annual affirmation asserts that an
OSA has implemented all the basic
safeguarding requirements to protect
FCI as set forth in § 170.14(c)(2).
An OSA can choose to perform the
annual self-assessment internally or
engage a third-party to assist with
evaluating its Level 1 compliance. Use
of a third party to assist with the
assessment process is still considered a
self-assessment and results in a CMMC
Status of Final Level 1 (Self). An OSA
achieve the CMMC Status of Level 1
(Self) for an entire enterprise network or
for a particular enclave(s), depending
upon where the FCI is or will be
processed, stored, or transmitted.
Level 2 Self-Assessment
A Level 2 self-assessment and annual
affirmation attests that an OSA has
implemented all the security
requirements to protect CUI as specified
in § 170.14(c)(3).
Level 2 Certification Assessment
A Level 2 certification assessment,
conducted by a C3PAO, verifies that an
OSC is conforming to the security
requirements to protect CUI as specified
in § 170.14(c)(3). Each OSC information
system that will process, store, or
transmit CUI in the execution of the
contract is subject to the corresponding
CMMC Status requirements set forth in
the contract.
Level 3 Certification Assessment
Achievement of the CMMC Status of
Final Level 2 (C3PAO) for information
systems within the Level 3 CMMC
Assessment Scope is a prerequisite for
initiating a Level 3 certification
assessment. A Level 3 certification
assessment, conducted by DCMA
Defense Industrial Base Cybersecurity
Assessment Center (DIBCAC), verifies
that an OSC has implemented the
CMMC Level 3 security requirements to
protect CUI as specified in
§ 170.14(c)(4). A Level 3 certification
assessment must be conducted for each
OSC information system that will be
used in the execution of the contract
that will process, store, or transmit CUI.
Impact and Cost Analysis of the
Revised CMMC Program
Summary of Impact
Public comment feedback on the
initial CMMC Program indicated that
cost estimates were too low. The revised
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00085
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83176
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
CMMC Program cost estimates account
for that feedback with the following
improvements:
• Allowance for outsourced IT
services
• Increased total time for the
contractor to prepare for the assessment,
including limited time for learning the
reporting and affirmation processes
• Allowance for use of consulting
firms to assist with the assessment
process
• Time for a senior level manager to
review the assessment and affirmation
before submitting the results in SPRS
• Updated government and contractor
labor rates that include applicable
burden costs
As a result, some costs of the revised
CMMC Program may be higher than
those included in the initial CMMC
Program.
The revised CMMC Program impact
analysis includes estimated costs for
implementation of the revised CMMC
Program requirements across Level 1,
Level 2, and Level 3 for the Public
(small and other than small entities,
including the CMMC Ecosystem as set
forth in 32 CFR subpart C) and the
Government. In summary, the total
estimated Public and Government costs
associated with this rule, calculated for
a 20-year horizon in 2023 dollars at a 7
percent discount rate and a 3 percent
discount rate are provided as follows:
Estimating the number of CMMC
assessments for unique entities per level
per year is complicated by the fact that
companies may serve as a prime
contractor on one effort but a
subcontractor on others, and may also
enter into subcontract agreements with
more than one prime contractor for
various opportunities.
In addition, the CMMC Program relies
upon free market influences of supply
and demand to propel implementation.
Specifically, the Department does not
control which defense contractors aspire
to compete for which business
opportunities, nor does it control access
to the assessment services offered by
C3PAOs. OSAs may elect to complete a
self-assessment or pursue a certification
assessment at any time after issuance of
the rule, in an effort to distinguish-
themselves as competitive for efforts
that require an ability to adequately
protect CUI. For that reason, the number
of CMMC assessments for unique
entities per level per year may vary
significantly from the assumptions used
in generating the cost estimate. The
estimates represent the best estimates at
this time based on internal expertise
and public feedback.
DoD utilized historical metrics
gathered for the initial CMMC Program
and subject matter expertise from
Defense Pricing and Contracting (DPC)
and DCMA DIBCAC to estimate the
number of entities by type and by
assessment level for this analysis. The
following table summarizes the
estimated profile used in this analysis.
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00086
Fmt 4701
Sfmt 4725
E:\FR\FM\15OCR2.SGM
15OCR2
ER15OC24.002</GPH>
ER15OC24.001</GPH>
ER15OC24.003</GPH>
khammond on DSKJM1Z7X2PROD with RULES2
83177
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
DoD is planning for a phased roll-out
of each assessment level across 7 years
with the entity numbers reaching a
maximum by Year 4 as shown in the
tables. The target of Year 4 was selected
based on the projected capacity of the
CMMC Ecosystem to grow to efficiently
support the entities in the pipeline. For
modeling efficiency, a similar roll-out is
assumed regardless of entity size or
assessment level. It is assumed that by
year 7 the maximum number of entities
is reached. Beyond year 7, the number
of entities entering and exiting are
expected to net to zero. The following
tables reflect the number of new entities
in each year and for each level.
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00087
Fmt 4701
Sfmt 4725
E:\FR\FM\15OCR2.SGM
15OCR2
ER15OC24.004</GPH>
ER15OC24.005</GPH>
ER15OC24.006</GPH>
khammond on DSKJM1Z7X2PROD with RULES2
83178
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
37
The number of unique awardees impacted each
year is 1⁄3 of the average number of annual awardees
according to the Electronic Data Access system
(31,338/3 = 10,446). This estimate does not address
new entrants or awardees who discontinue doing
business with DoD.
38
Includes all businesses with the exception of
those defined under the small business criteria and
size standards provided in 13 CFR 121.201 (See
FAR Part 19.102)
39
The Level I self-assessment and Level 2 self-
assessment information collection reporting and
recordkeeping requirements will be included in a
modification of an existing DFARS collection
approved under OBM Control Number 0750–0004,
Assessing Contractor Implementation of
Cybersecurity Requirements. Modifications to this
DFARS collection will be addressed as part of the
48 CFR part 204 CMMC Acquisition rule.
40
The Level 1 self-assessment and Level 2 self-
assessment information collection reporting and
recordkeeping requirements will be included in a
modification of an existing DFARS collection
approved under OBM Control Number 0750–0004,
Assessing Contractor Implementation of
Cybersecurity Requirements. Modifications to this
DFARS collection will be addressed as part of the
48 CFR part 204 CMMC Acquisition rule.
Public Costs
Summary of Impacted Awardee Entities
According to data available in the
Electronic Data Access system for fiscal
years (FYs) 2019, 2020, and 2021, DoD
awards an average of 1,366,262
contracts and orders per year that
contain DFARS clause 252.204–7012, to
31,338 unique awardees, of which
683,718 awards (50%) are made to
23,475 small entities (75%).37
Public Cost Analysis
The following is a summary of the
estimated Public costs the revised
CMMC Program for other than small 38
entities, per assessment of a contractor
information system, at the required
periodicity for each CMMC level.
The following is a summary of the
estimated Public costs of the revised
CMMC Program for Small Entities, per
assessment of each contractor
information system, estimated at one
per entity, at the required periodicity for
each CMMC level.
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00088
Fmt 4701
Sfmt 4725
E:\FR\FM\15OCR2.SGM
15OCR2
ER15OC24.007</GPH>
ER15OC24.008</GPH>
khammond on DSKJM1Z7X2PROD with RULES2
83179
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
41
The terms nonrecurring engineering costs and
recurring engineering costs are terms of art and do
not only encompass actual engineering costs.
The total estimated Public (large and
small entities) costs associated with this
rule, calculated for a 20-year horizon in
2023 dollars at a 7 percent and 3 percent
discount rate, per OMB guidance, is
provided as follows:
Assumptions
In estimating the Public costs, DoD
considered applicable nonrecurring
engineering costs, recurring engineering
costs,41 assessment costs, and
affirmation costs for each CMMC Level.
For CMMC Levels 1 and 2, the cost
estimates are based only upon the self-
assessment, certification assessment,
and affirmation activities that a defense
contractor, subcontractor, or ecosystem
member must take to allow DoD to
verify implementation of the relevant
underlying security requirements, i.e.,
for CMMC Level 1, the security
requirements set forth in FAR clause
52.204–21, and for CMMC Level 2, the
security requirements set forth in NIST
SP 800–171 R2. DoD did not consider
the cost of implementing the security
requirements themselves because
implementation is already required by
FAR clause 52.204–21, effective June 15,
2016, and by DFARS clause 252.204–
7012, requiring implementation by Dec.
31, 2017, respectively; therefore, the
costs of implementing the security
requirements for CMMC Levels 1 and 2
should already have been incurred and
are not attributed to this rule. As such,
the nonrecurring engineering and
recurring engineering costs to
implement the security requirements
defined for CMMC Level 1 and Level 2
are not included in this economic
analysis. However, cost estimates to
implement CMMC Level 3, are
included, as that CMMC level will
require defense contractors and
subcontractors, as applicable, to
implement a DoD-defined subset of the
security requirements set forth in NIST
SP 800–172 Feb2021, a new addition to
current security protection
requirements.
In estimating the public cost for a
defense contractor small entity to
comply with CMMC Program
requirements for each CMMC level, DoD
considered non-recurring engineering
costs, recurring engineering costs,
assessment costs, and affirmation costs
for each CMMC Level. These costs
include labor and consulting.
Estimates include size and complexity
assumptions to account for typical
organizational differences between
small entities and other than small
entities with respect to the handling of
Information Technology (IT) and
cybersecurity:
• small entities are likely to have a
less complex, less expansive operating
environment and IT/Cybersecurity
infrastructure compared to larger
defense contractors
• small entities are likely to outsource
IT and cybersecurity to an External
Service Provider (ESP)
• entities (small and other than small)
pursuing Level 2 self-assessment are
likely to seek consulting or
implementation assistance from an ESP
to either help them prepare for the
assessment technically or participate in
the assessment with the C3PAOs.
Estimates do not include the cost to
implement (Non-recurring Engineering
Costs (NRE)) or maintenance costs
(Recurring Engineering (RE)) associated
with the security requirements
prescribed in current regulations.
For CMMC Levels 1 and 2, cost
estimates are based upon assessment,
reporting, and affirmation activities that
a contractor or subcontractor will need
to take to verify implementation of
existing security requirements set forth
in FAR clause 52.204–21, effective June
15, 2016, to protect FCI, and DFARS
clause 252.204–7012 which required
implementation of NIST SP 800–171
requirements not later than December
31, 2017, to protect CUI. As such, cost
estimates are not included for an entity
to implement the CMMC Level 1 or 2
security requirements, maintain
implementation of these existing
security requirements, or remediate a
plan of action for unimplemented
requirements.
For CMMC Level 3, the cost estimates
factor in the assessment, reporting, and
affirmation activities in addition to
estimates for NRE and RE to implement
and maintain CMMC Level 3 security
requirements. In addition to
implementing the CMMC Level 2
security requirements, CMMC Level 3
requires implementing selected security
requirement set forth in NIST SP 800–
172 Feb2021 as described in
§ 170.14(c)(4) which are not currently
required through other regulations.
CMMC Level 3 is expected to apply only
to a small subset of defense contractors
and subcontractors.
The Cost Categories used for each
CMMC Level are described:
1. Nonrecurring Engineering Costs:
Estimates consist of hardware, software,
and the associated labor to implement
the same. Costs associated with
implementing the requirements set forth
in FAR clause 52.204–21 and NIST SP
800–171 R2 are assumed to have been
already implemented and, therefore, are
not accounted for in this cost estimate.
As such, these costs only appear in
CMMC Level 3. If nonrecurring
engineering costs are referenced, they
are only accounted for as a one-time
occurrence and are reflected in the year
of the initial assessment.
2. Recurring Engineering Costs:
Estimates consist of annually recurring
fees and associated labor for technology
refresh. Costs associated with
implementing the requirements set forth
in FAR clause 52.204–21 and NIST SP
800–171 R2 are assumed to have been
already implemented and, therefore, are
not accounted for in this cost estimate.
As such, these costs only appear in
CMMC Level 3.
3. Assessment Costs: Estimates consist
of activities for pre-assessment
preparations (which includes gathering
and/or developing evidence that the
assessment objectives for each
requirement have been satisfied),
conducting and/or participating in the
actual assessment, and completion of
any post-assessment work. Assessment
costs are represented by notional
phases. Assessment costs assume the
OSA passes the assessment on the first
attempt (conditional—with an allowable
POA&M or final). Each phase includes
an estimate of hours to conduct the
assessment activities including:
(a) Labor hour estimates for a company
(and any ESP support) to prepare
for and participate in the
assessment.
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00089
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
ER15OC24.009</GPH>
khammond on DSKJM1Z7X2PROD with RULES2
83180
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
42
IT = Information Technology, MGMT =
Management.
43
IT and MGMT rates represent an estimate for
in-house labor and includes the labor rate plus
fringe and employee-related expenses.
44
Background assumes a Bachelor’s degree as the
minimum education level, additional requirements
are noted including required years of experience. A
Master’s degree may reduce the required years of
experience as noted.
45
The ESP/C3PAO rate represents an estimate for
outsourced labor and includes the labor rate,
overhead expense, G&A expense, and profit.
(b) C3PAO cost estimates for companies
pursuing a certification
• labor hour estimates for authorized or
certified assessors to work with the
business to conduct the actual
assessment
• Assessment Costs broken down into
phases
• Phase 1: Planning and preparing for
the assessment
• Phase 2: Conducting the assessment
(self or C3PAO)
• Phase 3: Reporting of Assessment
Results
• Phase 4: POA&M Closeout (for
CMMC Level 3 only, if applicable
and allowed)
• CMMC allows a limited open Plan
of Action and Milestones (POA&M)
for a period of 180 days to
remediate the POA&M, see § 170.21.
4. Affirmations: Estimates consist of
costs for an OSA to submit to SPRS an
initial and, as applicable, any
subsequent affirmations of compliance
that the contractor information system is
compliant with and will maintain
compliance with the security
requirements of the applicable CMMC
Level. If POA&Ms are allowed, an
affirmation must be submitted with the
POA&M closeout. With the exception of
Small Entities for Level 1 and Level 2,
it is assumed the task requires the same
labor categories and estimated hours as
the final reporting phase of the
assessment.
The categories and rates used for
estimating purposes were compiled by
subject matter experts based on current
data available from within the DoD
contractor database for comparable labor
categories. A factor estimate of 30
percent was added to the labor rate per
hour to include but are not limited to
company-sponsored benefits (fringe)
and limited employee-related expenses
such as training and certifications. This
estimate is based on labor performed by
indirect personnel (i.e., personnel who
are part of overhead expense); therefore,
the 30 percent factor represents an
estimate for fringe expense and G&A
expenses versus full overhead expense.
The categories and rates inclusive of the
labor cost plus the additional factor are
defined in the table.
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00090
Fmt 4701
Sfmt 4725
E:\FR\FM\15OCR2.SGM
15OCR2
ER15OC24.010</GPH>
ER15OC24.011</GPH>
khammond on DSKJM1Z7X2PROD with RULES2
83181
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
46
CMMC Level 1 consists of the same 15 basic
safeguarding requirements specified in FAR clause
52.204–21. This cost analysis assumes that defense
contractors and subcontractors already have
contracts with FAR clause 52.204–21 and, therefore,
have already implemented the 15 basic
safeguarding requirements.
47
Again, it is assumed that that defense
contractors and subcontractors have already
implemented the 15 basic safeguarding
requirements in FAR clause 52.204–21.
48
A person needs to enter the information into
SPRS, which should only take five minutes.
CMMC Level 1 Self-Assessment and
Affirmation Costs
Other Than Small Entities
• Nonrecurring and recurring
engineering costs: There are no
nonrecurring or recurring engineering
costs associated with CMMC Level 1,
since it is assumed that the contractor
or subcontractor has already
implemented the applicable security
requirements.46
• Assessments Costs: It is estimated
that the cost to support a CMMC Level
1 self-assessment and affirmation is
- $4,042 (as summarized in 4.1.2, table
9). A Level 1 self-assessment is
conducted annually, and is based on the
assumptions detailed:
• Phase 1: Planning and preparing for
the self-assessment: $1,146
• A director (MGMT5) for 4 hours
($190.52/hr
× 4hrs = $762)
• A manager (MGMT2) for 4 hours
($95.96/hr
× 4hrs = $384)
• Phase 2: Conducting the self-
assessment: $1,728
• A director (MGMT5) for 6 hours
($190.52/hr
× 6hrs = $1,143)
• A staff IT specialist (IT4) for 6 hours
($97.49/hrs
× 6hrs = $585)
• Phase 3: Reporting of self-assessment
results into SPRS: $584
• A director (MGMT5) for 2 hours
($190.52/hr
× 2hrs = $381)
• A staff IT specialist (IT4) for 2.08
hours ($97.49/hrs
× 2.08hrs = $203)
• Affirmations: It is estimated that the
costs to perform an initial and
annual affirmation of compliance
with CMMC Level 1 for an ‘‘other
than small’’ entity is $584
• A director (MGMT5) for 2 hours
($190.52/hr
× 2hrs = $381)
• A staff IT specialist (IT4) for 2.08
hours ($97.49/hrs
× 2.08hrs = $203)
• The Level 1 self-assessment and
affirmations cost burden will be
addressed as part of the 48 CFR part 204
CMMC Acquisition rule.
• Summary: The following is the
annual other than small entities total
cost summary for Level 1 self-
assessments and affirmations over a ten-
year period: (Example calculation, Year
1: *$4,042 per entity
× 246 entities
(cumulative) = $994,233)
Small Entities
• Nonrecurring and recurring
engineering costs: There are no
nonrecurring or recurring engineering
costs associated with CMMC Level 1
since it is assumed the contractor or
subcontractor has implemented the
applicable security requirements.47
• Assessment Costs and Initial
Affirmation Costs: It is estimated that
the cost to support a CMMC Level 1 self-
assessment and affirmation is *$5,977
(as summarized in 4.1.2, table 10). A
Level 1 self-assessment is conducted
annually, and is based on the
assumptions detailed:
• Phase 1: Planning and preparing for
the self-assessment: $1,803
• A director (MGMT5) for 4 hours
($190.52/hr
× 4hrs = $762)
• An external service provider (ESP)
for 4 hours ($260.28
× 4hrs =
$1,041)
• Phase 2: Conducting the self-
assessment: $2,705
• A director (MGMT5) for 6 hours
($190.52/hr
× 6hrs = $1,143)
• An external service provider (ESP)
for 6 hours ($260.28
× 6hrs =
$1,562)
• Phase 3: Reporting of assessment
results into SPRS: $909
• A director (MGMT5) for 2 hours
($190.52/hr
× 2hrs = $381)
• An external service provider (ESP)
for 2 hours ($260.28/hr * 2hrs =
$521)
• A staff IT specialist (IT4–SB) for
0.08 hours 48 ($86.24/hr
× 0.08hrs =
$7)
• Affirmation: initial affirmation post
assessment: $ 560
• Reaffirmations: It is estimated that the
costs to reaffirm a CMMC Level 1
annually for a small entity is $560
• A director (MGMT5) for 2 hours
($190.52/hr
× 2hrs = $381)
• A staff IT specialist (IT4–SB) for
2.08 hours ($86.24/hr
× 2.08hrs =
$179)
• The Level 1 self-assessment and
affirmations cost burden will be
addressed as part of the 48 CFR part 204
CMMC Acquisition rule.
• Summary: The following is the
annual small entities total cost summary
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00091
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
ER15OC24.012</GPH>
khammond on DSKJM1Z7X2PROD with RULES2
83182
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
for Level 1 self-assessments and
affirmations over a ten-year period:
(Example calculation, Year 1: *$5,977
per entity
× 699 entities (cumulative) =
$4,177,845)
All Entities Summary
The following is a summary of the
combined costs for both small and other
than small entities for Level 1 self-
assessments and affirmations over a ten-
year period:
CMMC Level 2 Self-Assessment and
Affirmation Costs
Other Than Small Entities
• Nonrecurring and Recurring
Engineering Costs: There are no
nonrecurring or recurring engineering
costs associated with Level 2 self-
assessment since it is assumed the
contractor or subcontractor has
implemented the NIST SP 800–171 R2
security requirements.
• Self-Assessment Costs and Initial
Affirmation Costs: It is estimated that
the cost to support a Level 2 self-
assessment and affirmation is *$43,403.
The three-year cost is $48,827 (as
summarized in 4.1.2, table 9), which
includes the triennial assessment +
affirmation, and two additional annual
affirmations ($43,403 + $2,712 +
$2,712).
• Phase 1: Planning and preparing for
the self-assessment: $18,015
• A director (MGMT5) for 30 hours
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00092
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
ER15OC24.013</GPH>
ER15OC24.014</GPH>
khammond on DSKJM1Z7X2PROD with RULES2
83183
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
($190.52/hr
× 30hrs = $5,716)
• A manager (MGMT2) for 40 hours
($95.96/hr
× 40hrs = $3,838)
• A staff IT specialist (IT4) for 46
hours ($97.49/hr
× 46hrs = $4,485)
• A senior IT specialist (IT3) for 26
hours ($81.96/hr
× 26hrs = $2,131)
• An IT specialist (IT2) for 34 hours
($54.27/hr
× 34hrs = $1,845)
• Phase 2: Conducting the self-
assessment: $19,964
• A director (MGMT5) for 24 hours
($190.52/hr
× 24hrs = $4,572)
• A manager (MGMT2) for 24 hours
($95.96/hr
× 24hrs = $2,303)
• A staff IT specialist (IT4) for 56
hours ($97.49/hr
× 56hrs = $5,460)
• A senior IT specialist (IT3) for 56
hours ($81.96/hr
× 56hrs = $4,590)
• An IT specialist (IT2) for 56 hours
($54.27/hr
× 56hrs = $3,039)
• Phase 3: Reporting of self-assessment
results into SPRS: $2,712
• A director (MGMT5) for 4 hours
($190.52/hr
× 4hrs = $762)
• A manager (MGMT2) for 4 hours
($95.96/hr
× 4hrs = $384)
• A staff IT specialist (IT4) for 16
hours ($97.49/hr
× 16hrs = $1,560)
• A senior IT specialist (IT3) for 0.08
hours ($81.96/hr
× 0.08hrs = $7)
• Affirmation: initial affirmation post
assessment: $ 2,712
• Reaffirmations: It is estimated that the
cost to perform an annual
affirmation for CMMC Level 2 self-
assessment is $2,712 (three-year
cost is $8,136, or $2,712
× 3):
• A director (MGMT5) for 4 hours
($190.52/hr
× 4hrs = $762)
• A manager (MGMT2) for 4 hours
($95.96/hr
× 4hrs = $384)
• A staff IT specialist (IT4) for 16
hours ($97.49/hr
× 16hrs = $1,560)
• A senior IT specialist (IT3) for 0.08
hours ($81.96/hr
× 0.08hrs = $7)
• The Level 2 self-assessment and
affirmations cost burden will be
addressed as part of the 48 CFR part 204
CMMC Acquisition rule.
• Summary: The following is the
annual other than small entities total
cost summary for CMMC Level 2 self-
assessments and affirmations over a ten-
year period: (Example calculation, Year
2: (*$43,403 assessment per entity
× 35
entities) + ($2,712 annual affirmation
per entity
× 7 entities) = $1,538,092
Small Entities
• Nonrecurring and recurring
engineering costs: There are no
nonrecurring or recurring engineering
costs associated with Level 2 self-
assessment since it is assumed the
contractor or subcontractor has
implemented the NIST SP 800–171 R2
security requirements.
• Self-Assessment Costs and Initial
Affirmation Costs: It is estimated that
the cost to support a Level 2 self-
assessment and affirmation for a small
entity is *$34,277. The three-year cost is
$37,196 (as summarized in 4.1.2, table
10), which includes the triennial
assessment + affirmation, plus two
additional annual affirmations ($34,277
+ $1,459 + $1,459).
• Phase 1: Planning and preparing for
the self-assessment: $14,426
• A director (MGMT5) for 32 hours
($190.52/hr x* 32hrs = $6,097)
• An external service provider (ESP)
for 32 hours ($260.28/hr
× 32hrs =
$8,329)
• Phase 2: Conducting the self-
assessment: $15,542
• A director (MGMT5) for 16 hours
($190.52/hr
× 16hrs = $3,048)
• An external service provider (ESP)
for 48 hours ($260.28/hr
× 48hrs =
$12,493)
• Phase 3: Reporting of self-assessment
results into SPRS: $2,851
• A director (MGMT5) for 4 hours
($190.52/hr
× 4hrs = $762)
• An external service provider (ESP)
for 8 hours ($260.28/hr
× 8hrs =
$2,082)
• A staff IT specialist (IT4–SB) for
0.08 hours ($86.24/hr
× 0.08hrs =
$7)
• Affirmation: initial affirmation post
assessment: $ 1,459
• Reaffirmations: It is estimated that the
costs to reaffirm a Level 2 self-
assessment annually is $1,459
(three-year costs to reaffirm a Level
2 self-assessment annually is
$4,377, or $1,459
× 3):
• A director (MGMT5) for 4 hours
($190.52/hr
× 4hrs = $762)
• A staff IT specialist (IT4–SB) for
8.08 hours ($86.24/hr
× 8.08hrs =
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00093
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
ER15OC24.015</GPH>
khammond on DSKJM1Z7X2PROD with RULES2
83184
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
$697)
• The Level 2 self-assessment and
affirmations cost burden will be
addressed as part of the 48 CFR part 204
CMMC Acquisition rule.
• Summary: The following is the
annual small entities total cost summary
for Level 2 self-assessments and
affirmations over a ten-year period:
(Example calculation, Year 2: (*$34,277
self-assessment per entity
× 101 entities)
+ ($1,459 annual affirmation per entity
× 20 entities) = $3,491,193)
All Entities Summary
The following is a summary of the
cost to all entities regardless of size for
Level 2 self-assessments and
affirmations over a ten-year period:
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00094
Fmt 4701
Sfmt 4725
E:\FR\FM\15OCR2.SGM
15OCR2
ER15OC24.016</GPH>
ER15OC24.017</GPH>
khammond on DSKJM1Z7X2PROD with RULES2
83185
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
CMMC Level 2 Certification Assessment
and Affirmation Costs
Other Than Small Entities
• Nonrecurring and recurring
engineering costs: There are no
nonrecurring or recurring engineering
costs associated with Level 2
certification assessment since it is
assumed the contractor or subcontractor
has implemented the NIST SP 800–171
R2 security requirements.
• Assessment and Initial Affirmation
Costs: It is estimated that the cost to
support a Level 2 certification
assessment and annual affirmation for
an ‘‘other than small’’ entity is
- $112,345. The three-year cost is
$117,768 (as summarized in 4.1.2, table
9), and includes a triennial assessment
+ affirmation, plus two additional
annual affirmations ($112,345 + $2,712
+ $2,712, with a minor rounding
difference.)
• Phase 1: Planning and preparing for
the certification assessment:
$26,264
• A director (MGMT5) for 32 hours
($190.52/hr
× 32hrs = $6,097)
• A manager (MGMT2) for 64 hours
($95.96/hr
× 64hrs = $6,141)
• A staff IT specialist (IT4) for 72
hours ($97.49/hr
× 72hrs = $7,019)
• A senior IT specialist (IT3) for 40
hours ($81.96/hr
× 40hrs = $3,278)
• An IT specialist (IT2) for 58 hours
($54.27/hr
× 58hrs = $3,148)
• An associate IT specialist (IT1) for
16 hours ($36.32/hr
× 16hrs = $581)
• Phase 2: Conducting the certification
assessment: $28,600
• A director (MGMT5) for 32 hours
($190.52/hr
× 32hrs = $6,097)
• A manager (MGMT2) for 32 hours
($95.96/hr
× 32hrs = $3,071)
• A staff IT specialist (IT4) for 72
hours ($97.49/hr
× 72hrs = $7,019)
• A senior IT specialist (IT3) for 72
hours ($81.96/hr
× 72hrs = $5,901)
• An IT specialist (IT2) for 120 hours
($54.27/hr
× 120hrs = $6,512)
• Phase 3: Reporting of certification
assessment results: $2,712
• A director (MGMT5) for 4 hours
($190.52/hr
× 4hrs = $762)
• A manager (MGMT2) for 4 hours
($95.96/hr
× 4hrs = $384)
• A staff IT specialist (IT4) for 16
hours ($97.49/hr
× 16hrs = $1,560)
• A senior IT specialist (IT3) for 0.08
hours ($81.96/hr
× 0.08hrs = $7)
• Affirmations: initial affirmation post
assessment: $2,712
• C3PAO Costs: C3PAO engagement
inclusive of Phases 1, 2, and 3 (5-
person team) for 200 hours
($260.28/hr
× 200hrs = $52,056)
• Reaffirmations: It is estimated that the
costs to reaffirm a Level 2
certification assessment annually is
$2,712 (three-year cost is $8,136 or
$2,712
× 3)
• A director (MGMT5) for 4 hours
($190.52/hr
× 4hrs = $762)
• A manager (MGMT2) for 4 hours
($95.96/hr
× 4hrs = $384)
• A staff IT specialist (IT4) for 8 hours
($97.49/hr
× 8hrs = $1,560)
• A senior IT specialist (IT3) for 0.08
hours ($81.96/hr
× 0.08hrs = $7)
• The Level 2 affirmations cost
burden will be addressed as part of the
48 CFR part 204 CMMC Acquisition
rule.
• Summary: The following is the
annual other than small entities total
cost summary for Level 2 certification
assessments and affirmations over a ten-
year period: (Example calculation, Year
2: (*$112,345 assessment per entity
×
673 entities) + ($2,712 annual
affirmation per entity
× 135 entities) =
$75,974,425)
Small Entities
• Nonrecurring or recurring
engineering costs: There are no
nonrecurring or recurring engineering
costs associated with Level 2
certification assessment since it is
assumed the contractor or subcontractor
has implemented the NIST SP 800–171
R2 security requirements.
• Assessment Costs and Initial
Affirmation Costs: It is estimated that
the cost to support a Level 2
certification assessment and affirmation
for a small entity is *$101,752. The
three-year cost is $104,670 (as
summarized in 4.1.2, table 10), and
includes the triennial assessment +
affirmation plus two additional annual
affirmations ($101,752 + $1,459 +
$1,459).
• Phase 1: Planning and preparing for
the certification assessment:
$20,699
• A director (MGMT5) for 54 hours
($190.52/hr
× 54hrs = $10,288)
• An external service provider (ESP)
for 40 hours ($260.28/hr
× 40hrs =
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00095
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
ER15OC24.018</GPH>
khammond on DSKJM1Z7X2PROD with RULES2
83186
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
$10,411)
• Phase 2: Conducting the certification
assessment: $45,509
• A director (MGMT5) for 64 hours
($190.52/hr
× 64hrs = $12,193)
• An external service provider (ESP) for
128 hours ($260.28/hr
× 128hrs =
$33,316)
• Phase 3: Reporting of certification
assessment results: $2,851
• A director (MGMT5) for 4 hours
($190.52/hr
× 4hrs = $762)
• An ESP for 8 hours ($260.28/hr ×
8hrs = $2,082)
• A staff IT specialist (IT4–SB) for
0.08 hours ($86.24/hr
× 0.08hrs =
$7)
• Affirmations: cost to post initial
affirmation $1,459
• C3PAO Costs: C3PAO engagement
inclusive of Phases 1, 2, and 3 (3-
person team) for 120 hours
($260.28/hr
× 120hrs = $31,234)
• Reaffirmations: It is estimated that the
costs to reaffirm a Level 2
certification assessment annually is
$1,459 (three-year cost is $4,377, or
$1,459
× 3)
• A director (MGMT5) for 4 hours
($190.52/hr
× 4hrs = $762)
• A staff IT specialist (IT4–SB) for
8.08 hours ($86.24/hr
× 8.08hrs =
$697)
• The Level 2 affirmations cost
burden will be addressed as part of the
48 CFR part 204 CMMC Acquisition
rule.
• Summary: The following is the
annual small entities total cost summary
for Level 2 certification assessments and
affirmations over a ten-year period:
(Example calculation, Year 2:
(*$101,752 assessment per entity
×
1,926 entities) + ($1,459 annual
affirmation per entity
× 382 entities) =
$196,531,451)
All Entities Summary
The following is a summary of the
cost to all entities regardless of size for
Level 2 certification assessment and
affirmation costs over a ten-year period:
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00096
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
ER15OC24.019</GPH>
khammond on DSKJM1Z7X2PROD with RULES2
83187
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
49
DoD utilized subject matter expertise from
Defense Pricing and Contracting (DPC) and DCMA
DIBCAC to estimate the Nonrecurring and
Recurring Engineering Costs.
50
Costs for closing out POA&Ms are included at
Level 3 because the requirement to implement a
subset of NIST SP 800–172 Feb2021 security
requirements is new with the CMMC rule. These
costs are not included at Level 2 because the
implementation of all NIST SP 800–171 R2 security
requirements are already required.
CMMC Level 3 Certification Assessment
and Affirmation Costs
An OSC pursuing Level 3 certification
assessment must have a CMMC Status of
Final Level 2 (C3PAO), and also must
demonstrate compliance with CMMC
Level 3, which includes implementation
of selected security requirements from
NIST SP 800–172 Feb2021 not required
in prior rules. Therefore, the
Nonrecurring Engineering and
Recurring Engineering cost estimates
have been included for the initial
implementation and maintenance of the
required selected NIST SP 800–172
Feb2021 security requirements. The cost
estimates account for time for an OSC to
implement these security requirements
and prepare for, support, participate in,
and closeout a Level 3 certification
assessment conducted by DCMA
DIBCAC. The OSC should keep in mind
that the total cost of a Level 3
certification assessment includes the
cost of a Level 2 certification assessment
as well as the costs to implement and
assess the security requirements specific
to Level 3. CMMC Level 3 is expected
to affect a small subset of the DIB.
Other Than Small Entities, per Entity
• Nonrecurring Engineering Costs:
$21,100,000.49
• Recurring Engineering Costs:
$4,120,000.
• Assessment Costs and Initial
Affirmation Costs: It is estimated that
the cost to support a Level 3
certification assessment and affirmation
for an other than small entity is
- $39,021. The three-year cost is $44,445
(as summarized in 4.1.2, table 23), and
includes the triennial assessment +
affirmation, plus two additional annual
affirmations ($39,021 + $2,712 +
$2,712).
• Phase 1: Planning and preparing for
the certification assessment: $7,066
• A director (MGMT5) for 12 hours
($190.52/hr
× 12hrs = $2,286)
• A manager (MGMT2) for 12 hours
($95.96/hr
× 12hrs = $1,152)
• A staff IT specialist (IT4) for 16
hours ($97.49/hr
× 16hrs = $1,560)
• A senior IT specialist (IT3) for 12
hours ($81.96/hr
× 12hrs = $984)
• An IT specialist (IT2) for 20 hours
($54.27/hr
× 20hrs = $1,085)
• Phase 2: Conducting the certification
assessment: $23,136
• A director (MGMT5) for 24 hours
($190.52/hr
× 24hrs = $4,572)
• A manager (MGMT2) for 24 hours
($95.96/hr
× 24hrs = $2,303)
• A staff IT specialist (IT4) for 64
hours ($97.49/hr
× 64hrs = $6,239)
• A senior IT specialist (IT3) for 64
hours ($81.96/hr
× 64hrs = $5,245)
• An IT specialist (IT2) for 88 hours
($54.27/hr
× 88hrs = $4,776)
• Phase 3: Reporting of certification
assessment results: $2,712
• A director (MGMT5) for 4 hours
($190.52/hr
× 4hrs = $762)
• A manager (MGMT2) for 4 hours
($95.96/hr
× 4hrs = $384)
• A staff IT specialist (IT4) for 16
hours ($97.49/hr
× 16hrs = $1,560)
• A senior IT specialist (IT3) for 0.08
hours ($81.96/hr
× 0.08hrs = $7)
• Phase 4: Closing out POA&Ms 50 (for
CMMC Level 3 if necessary and
allowed): $3,394
• A director (MGMT5) for 8 hours
($190.52/hr
× 8hrs = $1,524)
• A senior staff IT specialist (IT5) for
16 hours ($116.87/hr
× 16hrs =
$1,870)
• Affirmations: initial affirmation
post assessment: $2,712
• Reaffirmations: It is estimated that the
costs to reaffirm a Level 3
certification assessment annually is
$2,712 (three-year cost is $8,136, or
$2,712
× 3)
• A director (MGMT5) for 4 hours
($190.52/hr
× 4hrs = $762)
• A manager (MGMT2) for 4 hours
($95.96/hr
× 4hrs = $384)
• A staff IT specialist (IT4) for 16
hours ($97.49/hr
× 16hrs = $1,560)
• A senior IT specialist (IT3) for 0.08
hours ($81.96/hr
× 0.08hrs = $7)
The Level 3 affirmations cost burden
will be addressed as part of the 48 CFR
part 204 CMMC Acquisition rule.
• Summary: The following is the
annual other than small entities total
cost summary for Level 3 certification
assessments and affirmations over a ten-
year period. Example calculation, Year
2 (reference per entity amounts shown):
• *($39,021 Certification per entity × 5
entities) + ($2,712 Annual
Affirmation per entity
× 1 entity) =
$197,818, and
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00097
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
ER15OC24.020</GPH>
khammond on DSKJM1Z7X2PROD with RULES2
83188
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
51
Costs for closing out POA&Ms are included at
Level 3 because the requirement to implement a
subset of NIST SP 800–172 Feb2021 security
requirements is new with the CMMC rule. These
costs are not included at Level 2 because the
implementation of all NIST SP 800–171 R2 security
requirements is already required.
• $105,500,000 Nonrecurring
Engineering cost ($21,100,000 per
entity
× 5 entities being certified),
and
• $24,720,000 Recurring Engineering
cost ($4,120,000 per entity
× 5
entities being certified) +
($4,120,000 per entity
× 1 entity
performing affirmations)
• $130,417,818 Total Cost =
Certification and Affirmation Cost
($197,818) + Nonrecurring
Engineering cost ($105,500,000) +
Recurring Engineering cost
($24,720,000), or $145,432,897.
Small Entities
• Nonrecurring Engineering Costs:
$2,700,000.
• Recurring Engineering Costs:
$490,000.
• Assessment Costs and Initial
Affirmation Costs: It is estimated that
the cost to support a Level 3
certification assessment for a small
entity is *$9,050 The three-year cost is
$12,802 (summarized in 4.1.2, table 10),
and includes the triennial assessment +
affirmation, plus two additional annual
affirmations ($9,050 + $1,876 + $1,876):
• Phase 1: Planning and preparing for
the certification assessment: $1,905
• A director (MGMT5) for 10 hours
($190.52/hr
× 10hrs = $1,905)
• Phase 2: Conducting the certification
assessment: $1,524
• A director (MGMT5) for 8 hours
($190.52/hr
× 8hrs = $1,524)
• Phase 3: Reporting of certification
assessment results: $1,876
• A director (MGMT5) for 8 hours
($190.52/hr
× 8hrs = $1,524)
• A staff IT specialist (IT4–SB) for
4.08 hours ($86.24/hr
× 4.08hrs =
$352)
• Phase 4: Closing out POA&Ms 51 (for
CMMC Level 3 if necessary and
allowed): $1,869
• A director (MGMT5) for 8 hours
($190.52/hr
× 8hrs = $1,524)
• A staff IT specialist (IT4–SB) for 48
hours ($86.24/hr
× 48hrs = $345)
• Reaffirmations: It is estimated that the
costs to reaffirm a Level 3
certification assessment annually is
$1,876 (three-year cost is $5,628, or
$1,876
× 3)
• A director (MGMT5) for 8 hours
($190.52/hr
× 8hrs = $1,524)
• A staff IT specialist (IT4–SB) for
4.08 hours ($86.24/hr
× 4.08hrs =
$352)
• The Level 3 affirmations cost
burden will be addressed as part of the
48 CFR part 204 CMMC Acquisition
rule.
Summary: The following is the annual
small entities total cost summary for
Level 3 certification assessments and
affirmations over a ten-year period.
Example calculation, Year 2 (reference
per entity amounts shown):
• *($9,050 Certification per entity × 45
entities) + ($1,876 Annual
Affirmation per entity
× 3 entities)
= $412,897, and
• $121,500,000 Nonrecurring
Engineering cost ($2,700,000 per
entity
× 45 entities being certified),
and
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00098
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
ER15OC24.021</GPH>
khammond on DSKJM1Z7X2PROD with RULES2
83189
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
• $23,520,000 Recurring Engineering
cost ($490,000 per entity
× 45
entities being certified) + ($490,000
per entity
× 3 entities performing
affirmations)
• $145,432,897 Total Cost =
Certification and Affirmation Cost
($412,897) + Nonrecurring
Engineering cost ($121,500,000) +
Recurring Engineering cost
($23,520,000), or $145,432,897.
All Entities Summary
The following is a summary of the
cost to all entities regardless of size for
Level 3 certification assessments and
affirmations over a ten-year period:
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00099
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
ER15OC24.022</GPH>
khammond on DSKJM1Z7X2PROD with RULES2
83190
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
52
Nonrecurring engineering costs were first
incurred in FY20. The cost has inflation applied to
put the value in 2023 base year (BY) dollars.
53
The cost for the recurring engineering cost is
based on the costs incurred in FY20 and FY21. The
values for Year 1 (FY20) and Year 2 ((FY21) are
actual historic values that have inflation applied to
them to put them in base year 2023 dollars. Every
proceeding years’ recurring engineering cost is
based on the average of the two historic actual
values.
Government Costs
Summary of Impact
The following is a summary of the
estimated Government costs calculated
for a 20-year horizon in 2023 dollars at
a 7 percent and 3 percent discount rate.
The Government costs include
conducting Level 3 certification
assessments, uploading results into the
CMMC instantiation of eMASS, and the
CMMC PMO costs.
Government Costs (All Levels)
The estimated Government costs
utilize the entity numbers and phased
roll-out detailed in the Public cost
section. The DIBCAC estimated the
detailed hours for all activities and
other costs in a manner similar to the
details shown in the Public cost section.
Labor efforts for the Government are
focused on Level 3. For purposes of the
cost estimate, Government labor is
based on the average of step one, five,
and ten for GS–11 through GS–15 labor
elements for the Washington DC area.
The cost of labor was increased by a
factor of approximately 51 percent
which includes an estimated fringe
factor (fringe factor includes estimated
average insurance and pension benefits)
plus overhead (overhead factor
represents supervision and management
of the labor) to arrive at the estimated
labor rates. The Government labor in
this estimate is performed by DCMA,
which is a labor-intensive agency with
limited overhead expenses. Therefore,
the overall added factor of 51 percent is
appropriate versus a typical full
overhead factor of 100 percent.
CMMC Database Infrastructure Costs
The Government will develop the
operational CMMC instantiation of
eMASS. The cost analysis assumes that
the nonrecurring engineering (NRE) cost
includes the requirements development,
architecture design, security,
prototyping and testing, and approvals
or certifications.52 Nonrecurring
engineering costs is a one-time fee of
$4,631,213 and is reflected here as
incurred in the initial year of the
estimate. The Year 1 amount is based on
the actual cost incurred in FY2020 with
adjustment for inflation to arrive at base
year (BY) 1 dollars (2023).
The recurring engineering (RE) cost
includes database management, data
analysis, cybersecurity, storage and
backups, licensing, and infrastructure.53
The cost for recurring engineering in
Year 1 ($2,336,038) and Year 2
($1,804,480) are based on historical
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00100
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
ER15OC24.023</GPH>
ER15OC24.024</GPH>
khammond on DSKJM1Z7X2PROD with RULES2
83191
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
amounts incurred for FY 2020 and FY
2021 with adjustment for inflation to
arrive at base year 1 and Year 2 dollars
(2023 and 2024). The estimated
recurring engineering for Year 3 forward
is calculated as the average of the Year
1 and Year 2 amounts (($2,336,038 +
$1,804,480)/2 = $2,070,259).
The table summarizes the
nonrecurring engineering (NRE) and
recurring engineering (RE) costs for Year
1 through Year 5:
Total Government Costs
The following is a summary of the
total Government costs over a ten-year
period:
Total Public and Government Costs
The following is a summary of the
total estimated annual Public and
Government cost associated with
implementation of the CMMC Program
over a ten-year period:
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00101
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
ER15OC24.025</GPH>
ER15OC24.026</GPH>
khammond on DSKJM1Z7X2PROD with RULES2
83192
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
54
www.govinfo.gov/content/pkg/CHRG-
113hhrg86391/html/CHRG-113hhrg86391.htm.
55
www.nbr.org/program/commission-on-the-
theft-of-intellectual-property/.
56
57
GAO Report to Congress, Defense Contractor
Cybersecurity Stakeholder Communication and
Performance Goals Could Improve Certification
Framework, December 2021.
Alternatives
DoD considered and adopted several
alternatives during the development of
this rule that reduce the burden on
defense contractors and still meet the
objectives of the rule. These alternatives
include: (1) maintaining status quo and
leveraging only the current
requirements implemented in DFARS
provision 252.204–7019 and DFARS
clause 252.204–7020 requiring defense
contractors and offerors to self-assess
utilizing the DoD Assessment
Methodology and entering a Basic
Summary Score; (2) revising CMMC to
reduce the burden for small businesses
and contractors who do not process,
store, or transmit critical CUI by
eliminating the requirement to hire a
C3PAO and instead allow self-
assessment with affirmation to maintain
compliance at CMMC Level 1, and
allowing triennial self-assessment with
an annual affirmation to maintain
compliance for some CMMC Level 2
programs; (3) exempting contracts and
orders exclusively for the acquisition of
commercially available off-the-shelf
items; and (4) implementing a phased
implementation for CMMC.
In addition, the Department took into
consideration the timing of the
requirement to achieve a specified
CMMC Status: (1) at time of proposal or
offer submission, (2) after contract
award, (3) at the time of contract award,
or (4) permitting government Program
Managers to seek approval to waive
inclusion of CMMC Status requirements
in solicitations that involve disclosure
or creation of FCI or CUI as part of the
contract effort. Such waivers will be
requested and approved by DoD in
accordance with internal policies,
procedures, and approval requirements.
The Department ultimately adopted
alternatives 3 and 4. The drawback of
alternative 1 (at time of proposal or offer
submission) is the increased risk for
contractors since they may not have
sufficient time to achieve the required
CMMC Status after the release of the
solicitation. The drawback of alternative
2 (after contract award) is the increased
risk to the Department with respect to
the costs, program schedule, and
uncertainty in the event the contractor
is unable to achieve the required CMMC
Status in a reasonable amount of time
given their current cybersecurity
posture. This potential delay would
apply to the entire supply chain and
prevent the appropriate flow of CUI and
FCI.
Benefits
The Department of Defense expects
this final rule to protect DoD and
industry from the loss of FCI and CUI,
including intellectual property. The
theft of intellectual property and FCI
and CUI due to malicious cyber activity
threatens U.S. economic security and
national security. In 2010, the
Commander of the U.S. Cyber Command
and Director of the National Security
Agency estimated the value of U.S.
intellectual property to be $5 trillion
and that $300 billion is stolen over
networks annually.54 The 2013
Intellectual Property Commission
Report provided concurrence and noted
that the ongoing theft represents ‘‘the
greatest transfer of wealth in history.’’
The report also highlighted the
challenges of generating an exact figure
because Government and private studies
tend to understate the impacts due to
inadequate data or scope, which is
evidenced in subsequent analyses.55
The responsibility of Federal agencies
to protect FCI or CUI does not change
when such information is shared with
defense contractors. A comparable level
of protection is needed when FCI or CUI
is processed, stored, or transmitted on
contractor information systems.56 The
protection of FCI, CUI, and intellectual
property on defense contractor systems
can directly impact the ability of the
Federal Government to successfully
conduct its essential missions and
functions.57
Malicious cyber actors have targeted
and continue to target the DIB sector
that consists of approximately 220,000
small-to-large sized entities that support
the warfighter. In particular, actors
ranging from cyber criminals to nation-
states continue to attack companies and
organizations that comprise the
Department’s multi-tier supply chain
including smaller entities at the lower
tiers. From at least January 2020,
through February 2022, the Federal
Bureau of Investigation (FBI), National
Security Agency (NSA), and
Cybersecurity and Infrastructure
Security Agency (CISA) observed
regular targeting of U.S. cleared defense
contractors (CDCs) by Russian state-
sponsored cyber actors. The actors have
targeted sensitive, unclassified
information, as well as proprietary and
export-controlled technology. The
acquired information provides
significant insight into U.S. weapons
platforms development and deployment
timelines, vehicle specifications, and
plans for communications infrastructure
and IT. By acquiring proprietary
internal documents and email
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00102
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
ER15OC24.027</GPH>
khammond on DSKJM1Z7X2PROD with RULES2
83193
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
58
www.cisa.gov/news-events/cybersecurity-
59
www.whitehouse.gov/briefing-room/statements-
[http://www.whitehouse.gov/briefing-room/statements-releases/2022/03/21/statement-by-president-biden-on-our-nations-cybersecurity/ releases/2022/03/21/statement-by-president-biden-
on-our-nations-cybersecurity/. ]
communications, adversaries may be
able to adjust their own military plans
and priorities, hasten technological
development efforts, inform foreign
policymakers of U.S. intentions, and
target potential sources for
recruitment.58
In addition to stealing intellectual
property for military gains, Russia may
conduct cyber-attacks against the U.S.
for retaliatory purposes. On March 21,
2022, the Biden-Harris Administration
stated intelligence indicates that the
Russian Government and Russian-
aligned cybercrime groups have
threatened to conduct cyber operations
in retaliation for perceived cyber
offensives against the Russian
Government or the Russian people.59
The aggregate loss of intellectual
property and CUI from the DoD supply
chain severely undercuts U.S. technical
advantage, limits and disrupts business
opportunities associated with
technological superiority, and
ultimately threatens our national
defenses and economy. By incorporating
heightened cybersecurity into
acquisition programs, the CMMC
Program provides the Department
assurance that contractors and
subcontractors are meeting DoD’s
cybersecurity requirements and
provides a key mechanism to adapt to
an evolving threat landscape. This is
critically important to the Department
because defense contractors are the
target of increasingly frequent and
complex cyberattacks by adversaries
and non-state actors. Dynamically
enhancing DIB cybersecurity to meet
these evolving threats and safeguarding
the information that supports and
enables our warfighters is a top priority
for the Department. The CMMC Program
is a key component of the Department’s
DIB cybersecurity effort.
CMMC provides uniform and
improved DoD cybersecurity
requirements in three (3) levels, using
the security requirements in NIST SP
800–171 R2 and a selected subset of
those in NIST SP 800–172 Feb2021.
With this rule, the Department is
publishing supplemental guidance
documents to assist the public and in
particular, small businesses, with
CMMC implementation, increasing the
likelihood of successful implementation
and strengthening cybersecurity across
the DIB. CMMC decreases the burden
and cost on companies protecting FCI
by allowing all companies at Level 1,
and a subset of companies at Level 2, to
demonstrate compliance through self-
assessments. CMMC allows companies,
under certain limited circumstances, to
make a Plan of Action & Milestones
(POA&M) to provide additional time to
achieve a Final CMMC Status. These
key updates to CMMC benefit the DoD
and our national interest by providing:
• improved safeguarding of
competitive advantages through
requirements flow-down to the defense
contractor supply chain and protections
for proprietary information and
capabilities, and
• increased efficiency in the economy
and private markets as a result of the
streamlining of cybersecurity
requirements, the resulting
improvements in cybersecurity, and
accountability across the supply chain.
In summary, the CMMC Program
enforces and validates implementation
of DoD’s required cyber protection
standards for companies in the DIB,
preserving U.S. technical advantage. In
addition, CMMC increases security for
the most sensitive CUI by applying
additional requirements at Level 3.
Implementation of CMMC will help
protect FCI and CUI upon which DoD
systems and critical infrastructure rely,
making it vital to national security.
CMMC is focused on securing the
Department’s supply chain, including
the smallest, most vulnerable innovative
companies. The security risks that result
from the significant loss of FCI and CUI,
including intellectual property and
proprietary data, make implementation
of the CMMC Program vital, practical,
and in the public interest.
III. Regulatory Compliance Analysis
A. Executive Order 12866, ‘‘Regulatory
Planning and Review’’ and Executive
Order 13563, ‘‘Improving Regulation
and Regulatory Review,’’ as Amended
by Executive Order 14094,
‘‘Modernizing Regulatory Review’’
These Executive Orders direct
agencies to assess all costs, benefits, and
available regulatory alternatives and, if
regulation is necessary, to select
regulatory approaches that maximize
net benefits (including potential
economic, environmental, public health,
safety effects, distributive impacts, and
equity). These Executive Orders
emphasize the importance of
quantifying both costs and benefits, of
reducing costs, of harmonizing rules,
and of promoting flexibility. The Office
of Management and Budget (OMB) has
determined this final rule is significant
as defined by Section 3(f)(1) for
purposes of Executive Order 12866, as
amended by Executive Order 14094.
B. Congressional Review Act (5 U.S.C.
801 et seq.)
As defined by 5 U.S.C. 804(2), a major
rule is a rule that the Administrator of
the Office of Information and Regulatory
Affairs of the Office of Management and
Budget finds has resulted in or is likely
to result in—(a) an annual effect on the
economy of $100,000,000 or more; (b) a
major increase in costs or prices for
consumers, individual industries,
Federal, State, or local government
agencies, or geographic regions; or (c)
significant adverse effects on
competition, employment, investment,
productivity, innovation, or on the
ability of United States-based
enterprises to compete with foreign-
based enterprises in domestic and
export markets. This rule has been
designated a major rule as it is expected
to have annual effect on the economy of
$100M dollars or more.
C. Public Law 96–354, ‘‘Regulatory
Flexibility Act’’ (5 U.S.C. 601)
The Department of Defense Chief
Information Officer certified that this
rule is subject to the Regulatory
Flexibility Act (5 U.S.C. 601) because it
would, if promulgated, have a
significant economic impact on a
substantial number of small entities.
DoD has considered previous
comments from Small Business
Administration (SBA) regarding the
impact and cost to small businesses to
implement CMMC. In July 2022, the
CMMC PMO met with the Office of
Advocacy for the U.S. SBA to address
the revisions planned in CMMC that are
responsive to prior SBA concerns, with
which the SBA was satisfied.
An Initial Regulatory Flexibility
Analysis that includes a detailed
discussion and explanation about the
assumptions and methodology used to
estimate the cost of this regulatory
action on small entities follows and is
available at www.regulations.gov (search
for ‘‘DoD–2023–OS–0063,’’ click ‘‘Open
Docket,’’ and view ‘‘Supporting
Documents’’).
This final regulatory flexibility
analysis has been prepared consistent
with 5 U.S.C. 603.
D. Final Regulatory Flexibility Analysis
This final regulatory flexibility
analysis has been prepared consistent
with 5 U.S.C. 604(a).
Reasons for the Action
This final rule is necessary to create
a secure and resilient supply chain, by
addressing threats to the U.S. economy
and national security from ongoing
malicious cyber activities and
preventing theft of hundreds of billions
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00103
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83194
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
60
www.gsa.gov/technology/it-contract-vehicles-
[http://www.gsa.gov/technology/it-contract-vehicles-and-purchasing-programs/technology-products-services/it-security/executive-order-14028 and-purchasing-programs/technology-products-
services/it-security/executive-order-14028. ]
of dollars of U.S. intellectual property.
The President’s Executive Order (E.O.)
14028, ‘‘Improving the Nation’s
Cybersecurity,’’ 60 emphasized that
industrial security needs strengthening
to ensure investments are not lost
through intellectual property theft or
among other supply chain risks.
Currently, the Federal Acquisition
Regulation (FAR) and Defense Federal
Acquisition Regulation Supplement
(DFARS) prescribe contract clauses
intended to protect Federal Contract
Information (FCI) and Controlled
Unclassified Information (CUI) within
the Department of Defense (DoD) supply
chain. Specifically, the clause at FAR
clause 52.204–21, Basic Safeguarding of
Covered Contractor Information
Systems, is prescribed at FAR 4.1903 for
use in Government solicitations and
contracts when the contractor or a
subcontractor at any tier may have FCI
residing in or transiting through its
information system. The FAR clause
focuses on ensuring a basic level of
cybersecurity hygiene and is reflective
of actions that a prudent businessperson
would employ.
In addition, DFARS clause 252.204–
7012, Safeguarding Covered Defense
Information and Cyber Incident
Reporting, is prescribed in DFARS
204.7304 (c) for use in DoD solicitations
and contracts that require processing,
storing, or transmitting of CUI in
contractor owned information systems.
DFARS clause 252.204–7012 requires
defense contractors and subcontractors
to provide ‘‘adequate security’’ to
process, store or transmit CUI on
information systems or networks, and to
report cyber incidents that affect these
systems or networks. The clause states
that to provide adequate security, the
contractor shall implement, at a
minimum, the security requirements in
‘‘National Institute of Standards and
Technology (NIST) Special Publication
(SP) 800–171 R2, Protecting CUI in
Nonfederal Systems and Organizations.’’
Contractors are also required to flow
down DFARS clause 252.204–7012 to
all subcontracts that involve CUI.
However, neither FAR clause 52.204–
21 nor DFARS clause 252.204–7012,
provide for DoD verification of a
contractor’s implementation of basic
safeguarding requirements specified in
those clauses prior to contract award.
DFARS clause 252.204–7020, NIST SP
800–171 DoD Assessment Requirements,
applies to contractor information
systems that are subject to NIST SP 800–
171 requirements pursuant to DFARS
clause 252.204–7012. DFARS provision
252.204–7019 and DFARS clause 7020
require offerors and contractors
(including subcontractors) respectively
to score their implementation of NIST
SP 800–171 requirements for each
contractor information system that is
relevant to the offer or contract and to
submit, at minimum, summary level
self-assessment scores in the Supplier
Performance Risk System (SPRS) for a
minimum of a Basic Assessment, which
is a contractor self-assessment. The
SPRS submission includes the NIST SP
800–171 version against which the
assessment was conducted, all industry
Commercial and Government Entity
(CAGE) code(s) associated with the
information system(s) addressed by the
required system security plan, the date
of assessment, the summary level score,
and the date all NIST SP 800–171 R2
requirements are expected to be
implemented based on the associated
plan(s) of action in accordance with
NIST SP 800–171 R2. Accordingly, and
upon submission of an offer, when
applicable, the contractor must verify
that a summary level score(s) of a
current NIST SP 800–171 DoD
Assessment is posted in SPRS for all
contractor information systems relevant
to the offer to signify appropriate
implementation of NIST SP 800–171 R2
requirements.
Findings from DoD Inspector General
report (DODIG–2019–105 ‘‘Audit of
Protection of DoD CUI on Contractor-
Owned Networks and Systems’’)
indicate that DoD contractors did not
consistently implement mandated
system security requirements for
safeguarding CUI. That report included
recommendations for DoD take steps to
assess a contractor’s ability to protect
this information. The report emphasizes
that malicious actors can exploit
vulnerabilities in contractors’
information systems and exfiltrate
information related to some of the
Nation’s most valuable advanced
defense technologies. Due to these
shortcomings and the associated risks to
national security, the Department
developed the Cybersecurity Maturity
Model Certification (CMMC) Program to
assess contractor and subcontractor
implementation of DoD’s required
cybersecurity standards.
The CMMC Program verifies
compliance with DoD cyber protection
standards by defense contractors and
subcontractors and is designed to
protect FCI and CUI that is shared by
the Department with its contractors and
subcontractors, and when developed by
a contractor in the course of contract
performance but not shared. The
program incorporates a set of
cybersecurity requirements into
acquisition contracts and provides the
Department increased assurance that
contractors and subcontractors are
meeting these requirements. The CMMC
Program has three key features:
• Tiered Model: CMMC requires that
companies demonstrate, through
assessment that they have implemented
cybersecurity requirements. The type of
assessment and requirements against
which it is conducted are selected based
on the information that must be
safeguarded. The program also sets forth
the requirements for flow down of
CMMC requirements to subcontractors.
• Assessment Requirement: CMMC
assessments allow the Department to
verify the implementation of
cybersecurity requirements.
• Implementation through Contracts:
Once CMMC is fully implemented, DoD
contractors that handle FCI and CUI on
their non-Federal information systems
will be required to achieve a particular
CMMC Status as a condition of contract
award.
In September 2020, the DoD
published the 48 CFR CMMC interim
final rule in the Federal Register
(DFARS Case 2019–D041) that
implemented the DoD’s initial vision for
the CMMC Program and outlined the
key features of the program. The 48 CFR
CMMC interim final rule became
effective on November 30, 2020.
In March 2021, the Department
initiated an internal review of CMMC’s
implementation, informed by more than
750 public comments in response to the
48 CFR CMMC interim final rule. This
comprehensive, programmatic
assessment engaged cybersecurity and
acquisition leaders within DoD to refine
policy and program implementation.
In November 2021, the Department
announced an updated program
structure with revised requirements
designed to achieve the primary goals
identified by DoD’s internal review of
the CMMC Program. With the
implementation of the revised CMMC
program, the Department introduced
several key changes that build on and
refine the original program
requirements. These include:
• Streamlining the CMMC model
from five levels to three levels.
• Exclusively implementing National
Institute of Standards and Technology
(NIST) cybersecurity guidelines.
• Allowing all companies subject to
CMMC Level 1 requirements and subset
of companies subject to CMMC Level 2
requirements to demonstrate CMMC
compliance through self-assessments.
• Increased oversight of professional
and ethical standards of third-party
assessors.
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00104
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83195
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
61
https://nvlpubs.nist.gov/nistpubs/
SpecialPublications/NIST.SP.800-171A.pdf.
• Allowing Plans of Action &
Milestones (POA&M) under limited
circumstances to achieve conditional
certification.
In July 2022, the CMMC Program
Management Office (PMO) met with the
Office of Advocacy for the U.S. SBA to
address the revisions planned for
CMMC and again met in July 2023 to
review the proposed 32 CFR part 170
CMMC Program rule updates that are
responsive to prior SBA concerns. As a
result of the alignment of CMMC
requirements to NIST guidelines, the
Department’s requirements continue to
evolve as changes are made to the
underlying NIST SP 800–171 R2 and
NIST SP 800–172 Feb2021
requirements. Such changes will not be
effective as CMMC requirements unless
and until made effective through
rulemaking.
Objectives of, and Legal Basis for, the
Rule
Legal Basis: 5 U.S.C. 301; Sec. 1648,
Public Law 116–92, 133 Stat. 1198.
The objective of this final CMMC
Program rule is to provide the
Department with increased assurance
that a defense contractor can adequately
protect FCI and CUI commensurate with
the risk, also accounting for information
flow down to its subcontractors in a
multi-tier supply chain. This rule meets
the objective by providing a mechanism
to assess contractor and subcontractor
implementation of DoD’s cyber security
protection requirements for FCI and
CUI. Implementation of the CMMC
Program is intended to address the
following policy issues:
(a) Verification of a Contractor’s
Cybersecurity Posture
Effective June 2016, FAR clause
52.204–21 Basic Safeguarding of
Contractor Information Systems,
requires Federal contractors and
subcontractors to implement 15 basic
safeguarding requirements, as
applicable, to protect contractor
information systems that process, store,
or transmit FCI.
December 31, 2017, was the DoD
deadline for contractors to implement,
as applicable, the cybersecurity
protection requirements set forth in
NIST SP 800–171 Re2, Protecting
Controlled Unclassified Information in
Nonfederal Systems and Organizations,
in accordance with requirements of
DFARS clause 252.204–7012,
Safeguarding Covered Defense
Information and Cyber Incident
Reporting. NIST SP 800–171A Jun2018
states, ‘‘For the CUI security
requirements in NIST Special
Publication 800–171 Rev 2, nonfederal
organizations describe in a system
security plan, how the specified
requirements are met or how
organizations plan to meet the
requirements.’’ 61 The NIST process
provides contractors with a tool to
assess their security posture and decide
if or when to mitigate the risks based
upon the organizational risk tolerance.
When the DoD implemented the NIST
SP 800–171 requirements with a not-
later-than date of December 2017, the
policy intent was to permit contractors
some flexibility to remediate lagging
NIST requirements, and document them
in plans of action, and resolve those
deficiencies within a reasonable period.
An unintended consequence of this
flexibility was that some contractors far
exceeded the intention to secure
systems that must adequately safeguard
CUI in a timely manner and instead
created open-ended plans of action with
undefined closure dates. The effect was
to delay full compliance with
safeguarding requirements for years. As
a result, the DoD’s implementation of
the NIST SP 800–171 requirements, as
mandated by 32 CFR part 2002, has not
been fully effective or validated. This
necessitates implementation of the
CMMC Program to enforce a finite
timeline for full compliance of
contractual requirements.
Findings from DoD Inspector General
report (DODIG–2019–105 ‘‘Audit of
Protection of DoD Controlled
Unclassified Information on Contractor-
Owned Networks and Systems’’)
indicated that DoD contractors did not
consistently implement mandated
system security requirements for
safeguarding CUI and recommended
that DoD take steps to assess a
contractor’s ability to protect this
information.
CMMC adds an assessment
requirement to verify defense
contractors and subcontractors have
implemented the applicable security
requirements prior to award. CMMC
also adds requirements at each CMMC
level for contractors and subcontractors
to affirm initial compliance with the
specified CMMC security requirements
and provide annual affirmations
thereafter.
(b) Comprehensive Implementation of
Cybersecurity Requirements
Although the security requirements in
NIST SP 800–171 R2 address a range of
threats, they do not sufficiently address
Advanced Persistent Threats (APTs). An
APT is an adversary that possesses
sophisticated levels of expertise and
significant resources, which allow it to
create opportunities to achieve its
objectives by using multiple attack
vectors (e.g., cyber, physical, and
deception). To address APTs, NIST has
published NIST SP 800–172 Feb2022.
CMMC Level 3 certification assessment
provides for government assessment of
a contractor’s implementation of a
defined subset of NIST SP 800–172
Feb2021 Enhanced Security
Requirements with DoD predefined
parameters and specifications.
(c) Scale and Depth
Today, DoD prime contractors must
include DFARS clause 252.204–7012 in
subcontracts for which performance will
involve covered defense information,
but this does not provide the
Department with sufficient insights with
respect to the cybersecurity posture of
all members of a multi-tier supply chain
for any given program or technology
development effort. The revised CMMC
Program requires prime contractors to
flow down CMMC requirements, as
applicable, to subcontractors throughout
their supply chain(s).
Given the size of the Defense
Industrial Base (DIB), the Department
cannot scale its existing cybersecurity
assessment workforce to conduct on-site
assessments of approximately 220,000
DoD contractors and subcontractors
every three years. The Department’s
existing assessment capability is best
suited for conducting targeted
assessments for the relatively small
subset of DoD contractors and
subcontractors that support designated
high-priority programs.
CMMC addresses the Department’s
scaling challenges by utilizing a private-
sector accreditation structure. The DoD-
recognized Accreditation Body will
authorize, accredit, and provide
oversight of CMMC Third-Party
Assessment Organizations (C3PAO)
which in turn will conduct CMMC
Level 2 certification assessments of
actual and prospective DoD contractors
and subcontractors. Organizations
Seeking Certification (OSCs) will
directly contract with an authorized or
accredited C3PAO to undergo a Level 2
certification assessment to achieve a
CMMC Status of Conditional and Final
Level 2 (C3PAO). The cost of CMMC
Level 2 activities is driven by multiple
factors, including market forces that
govern availability of C3PAOs and the
size and complexity of the enterprise or
enclave under assessment. The
Government will perform Level 3
certification assessments. Government
resource limitations may affect schedule
availability.
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00105
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83196
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
(d) Reduces Duplicate or Repetitive
Assessments of Our Industry Partners
CMMC assessment results and
contractor affirmations of compliance
will be posted in Supplier Performance
Risk System (SPRS), DoD’s authoritative
source for supplier and product
performance information. Posting
CMMC assessment results in SPRS
precludes the need to validate CMMC
implementation on a contract-by-
contract basis. This enables DoD to
identify whether the CMMC assessment
requirements have been met for relevant
contractor information system(s), avoids
duplicative assessments, and eliminates
the need for program level assessments,
all of which results in decreased costs
to both DoD and industry.
Significant Issues Raised by Public
Comments
The CMMC proposed rule was
published in the Federal Register on
December 26, 2023, to initiate the
mandatory 60-day public review and
comment period for this rule and the
supporting documents that ended on 26
February 2024. From the volume of
comments received on the CMMC rule
documents, from or concerning Small
Businesses, the following significant
issues were raised.
1. Cost. Some comments identified
that the proposed rule does not address
how the CMMC Program will be funded,
or how the costs of certification and
compliance will be shared between the
DoD and the contractors. This may raise
questions about the affordability and
sustainability of the CMMC program,
especially for small businesses.
Commenters suggested that the DoD
conduct and publish a comprehensive
cost assessment for each level of CMMC
certification and explore ways to reduce
the financial burden on the contractors,
such as providing incentives, subsidies,
loans, grants, tax credits or
reimbursements. Several comments
presented the opinion that the cost
estimates in the preamble/rule did not
adequately address all possible costs to
become compliant with regulations and
attain a certification i.e., ongoing
Recurring Engineering and Non-
Recurring Engineering costs. Others
commented that the mandate to comply
with requirements, attain verification of
compliance, and the inability to recoup
costs prior to completing compliance
will be barriers to entry and will drive
many small businesses out of the DoD
market. Concern was also expressed
regarding the cost of failing an
assessment and not being able to recoup
costs fast enough, through increased
Overhead and G&A [General and
Administrative] rates. Another concern
was raised that IR&D [Independent
Research and Development] spending
will be negatively impacted due to the
diversion of funds to Cybersecurity
compliance. Some shared concerns
about the potential for overmarking CUI
data, that will drive a higher than
necessary demand for CMMC
certification and create an overburdened
Ecosystem, thereby preventing timely
certification and incentivizing ‘‘price
gouging’’ by assessors. Several suggested
that the Government regulate the prices
for assessment services. Many
commenters also suggested the DoD
needed to find ways to reduce the
financial burdens on small businesses
through direct payment for compliance,
tax incentives, increased profits, or
increased flexibility to comply with
requirements, i.e., by reducing
requirements for small businesses or
providing more time to comply after
contract award. Commenters also felt
the handling of CUI by small businesses
was too difficult, and recommended
prime contractors should be responsible
for handling all CUI. If a small business
needs CUI to execute its work, the prime
or the Government should provide an
environment for the small business to
complete its work.
DoD Response. In recognition of the
pervasive cyber threat both to DoD and
to the DIB, CMMC Program
requirements are designed to ensure
compliance with existing standards for
protection of FCI and CUI. These
cybersecurity requirements align
directly to NIST guidelines (NIST SP
800–171 R2 and NIST SP 800–172
Feb2021) and the basic safeguarding
requirements in FAR clause 52.204–21
that apply to all executive agencies.
Since December 2017, DFARS clause
252.204–7012 has required contractors
to implement the NIST SP 800–171
security requirements to provide
adequate security as applicable for
processing, storing, or transmitting CUI
on non-Federal information systems, as
needed in support of the performance of
a DoD contract.
The executive branch’s CUI Program
is codified in 32 CFR part 2002 and
establishes policy for designating,
handling, and decontrolling information
that qualifies as CUI. The definition of
CUI and general requirements for its
safeguarding are included in 32 CFR
2002.4 and 2002.14. 32 CFR
2002.14(h)(2) specifically requires that
Agencies must use NIST SP 800–171
when establishing security requirements
to protect CUI’s confidentiality on non-
Federal information systems . . .’’
Contractually, DFARS clause 252.204–
7012 requires contractors to implement
the NIST SP 800–171 R2 security
requirements, and that requirement
applies, regardless of the number of
computers or components in a non-
Federal information system or the size
of the contractor or subcontractor, as
applicable. DoD’s original
implementation of security
requirements for adequate safeguarding
of CUI relied upon self-attestation by
contractors. Since that time, the DoD
Inspector General and the DCMA found
contractors did not consistently
implement mandated system security
requirements for safeguarding CUI and
recommended DoD take steps to assess
a contractor’s ability to protect this
information. The DoD has streamlined
requirements to reduce the burden of
compliance on contractors. Analysis of
costs to meet CMMC requirements is
provided in the regulatory impact
analysis for this rule. As described in
the estimate included with the rule, the
major cost categories for compliance
with CMMC requirements include costs
for completing a self-assessment (e.g.,
Level 1 or 2); costs to prepare for and
undergo Level 2 certification
assessment; and costs required to
implement the Level 3 security
requirements and for preparing to
undergo DCMA DIBCAC assessment
(Level 3). CMMC Level 3 certification
assessments against the NIST SP 800–
172 Feb2021 baseline are performed free
of cost by DoD assessors, which reduces
the overall cost of achieving CMMC
Status of Level 3 (DIBCAC). Notably,
certification is never required for CMMC
Level 1, and the requirement can be
satisfied through self-assessment. When
CMMC Level 2 requirements apply, they
may be met via self-assessment, or a
certification assessment conducted by a
C3PAO, depending on the specific
CMMC requirement cited in the
solicitation or resulting contract. When
the CMMC Program requirements are
effective, solicitations for DoD contracts
that will involve the processing, storing,
or transmitting of FCI or CUI on any
non-Federal system, notwithstanding
the size or configuration of the non-
Federal system, will specify the
required CMMC Level (1, 2 or 3) and
assessment type (self-assessment or
certification assessment). An
assumption for the cost estimates is that
Non-Small Entities have a full-time
team of cybersecurity professionals on
staff while Small Entities do not. The
assumptions, explained in the
regulatory impact analysis, reflect Small
Entities will likely obtain support from
External Service Providers and have a
staff member submit affirmations and
SPRS scores for self-assessments. All
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00106
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83197
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
these costs, except the open market cost
of a C3PAO, are directly controllable by
the organization seeking assessment.
The CMMC rule does not make any
change to cost allowability as defined in
FAR 31.201–2 Determining
Allowability. The DoD declined to
modify the estimates, which are
intended to be representative and to
inform rulemaking. The cost estimates
represent average derived estimates
based on internal expertise and public
feedback in accordance with OMB
Circular A–4 and represent average
costs for companies to comply with the
CMMC requirements. This rule does not
provide the cost analysis for all actions,
personnel, and security measures
required to protect CUI information,
data, systems, and technical products
through the life cycle of the work and
data generated. The size and complexity
of the network within scope of the
assessment impacts the costs as well. As
required by rulemaking guidance, the
DoD provided cost estimates and impact
analyses. An analysis of profit margins
is not required. Additionally, this rule
and the required cost analysis and
resulting cost estimates were reviewed
by DoD cost analysts and OMB
economists for realism and
completeness.
Some public comments received
reflect a misinterpretation of the cost
estimates that accompany this rule,
which are representative of average
assessment efforts, and do not include
actual prices of C3PAO services
available in the marketplace. Market
forces of supply and demand will
determine C3PAO pricing for CMMC
Level 2 certification assessments.
Costs associated with meeting the
requirements of existing DFARS clause
252.204–7012 are not captured in the
CMMC rule documentation. Please refer
to 81 FR 72990, October 21, 2016, for
DoD’s final rule implementing the DoD’s
requirement that ‘‘contractors shall
implement NIST SP 800–171 as soon as
practical, but not later than December
31, 2017.’’ Public comments related to
implementation costs were published
with that final rule, along with DoD’s
responses. Within the limitations of
section § 170.21 Plan of Action and
Milestones Requirements, offerors may
bid on contract opportunities while
continuing to work towards full
compliance.
Verifying compliance with applicable
security requirements may increase
costs and is necessary for the adequate
protection of DoD FCI and CUI. The cost
of lost technological advantage over
potential adversaries is far greater than
the costs of such enforcement. The
value of information and impact of its
loss does not diminish when the
information is shared with contractors.
At the time of contract award, the
DoD may not have visibility into
whether the prime contractor’s decision
to further disseminate DoD FCI and CUI.
However, FAR clause 52–204–21,
DFARS clause 252.204–7012, and
DFARS clause 252.204–7021 require the
prime contractor to flow down these
clauses and the included information
security requirement to any
subcontractor that will process, store, or
transmit FCI or CUI, as applicable.
Decisions regarding DoD’s information
that must be shared to support
completion of the contract tasks,
including those performed by
subcontractors, takes place between the
prime contractor and their
subcontractors. The DoD cannot dictate
business practices between prime
contractors and their subcontractors,
who should work together to determine
the necessary flow down of FCI and
CUI, only as needed in performance of
the contract, and ensuring compliance
with the CMMC security requirements
and in consideration of minimizing the
burden. While DoD understands the
burden on small business, it must
enforce CMMC requirements uniformly
across the Defense Industrial Base for all
contractors who process, store, or
transmit FCI and CUI. The requirements
necessary to protect a single document
are the same as to protect many
documents.
Although CMMC compliance may add
to an organization’s cost, no member of
the DIB can assume the status-quo in
today’s ever-changing cybersecurity
environment. Increasing costs to protect
the nation’s data and industries from
emerging threats is simply a component
of doing business anywhere in the
world. Processing, storing, or
transmitting sensitive Government
information comes with a handling cost
that needs to be built into each
organization’s business model. All
contractors or sub-contractors with
access to CUI need to be capable of
protecting that information to the
standards specified in 32 CFR part 2002.
If a small business cannot comply with
the requirements of DFARS clause
252.204–7012 and NIST SP 800–171 R2,
then that business should not receive
CUI or process, store, or transmit CUI.
If the DoD information flowed by the
prime to a subcontractor is only FCI,
then only a CMMC Level 1 self-
assessment is required for the
subcontractor prior to the flow of
information under contract. DoD’s
programs, technological superiority, and
best interests are not served if FCI and
CUI are not consistently and adequately
safeguarded by all who process, store, or
transmit it.
2. Cost Benefit. Some commenters
suggested it would be more cost
effective for DoD to provide an
environment or a DoD managed portal
for the handling of CUI. A significant
concern expressed was that companies
have delayed complying with DoD
cybersecurity standards until the CMMC
rule was released and they could
understand what level of compliance
they will require. Several commenters
felt DoD underestimated the costs and
should have include the
implementation cost of the requirements
in this rule as well. One commenter was
confused about how the discount rates
were applied. Another commenter
suggested that DoD provide flexibility to
allow small businesses to not meet all
the requirements and still be allowed to
handle CUI and another expressed
concerns regarding the cost of
compliance and the degradation of the
DIB that will be unable to afford
compliance.
DoD Response: The DoD declined to
adopt the alternatives suggested in the
comments, such as policy-based
solutions that lack a rigorous assessment
component or sharing CUI only through
DoD-hosted secure platforms. The
current DFARS clause 252.204–7012
requires protection of Security
Protection Assets (SPA) and Security
Protection Data (SPD). Section 1.1 of
NIST SP 800–171 R2 states: ‘‘The
requirements apply only to components
of nonfederal systems that process,
store, or transmit CUI, or that provide
security protection for such
components.’’ There is therefore no
increase in the scope because of the
CMMC Program as described in the rule.
SPD requires protection
commensurate with the CUI it protects
and is based on how and where the SPD
is stored. The FedRAMP requirements
for handling SPD are therefore the same
as that for handling CUI.
The CMMC rule made no change to
the FAR cost allowability or cost
accounting standards. The 7% discount
rate is not a discount for organizations;
it is a part of a formula used in the
regulatory impact analysis (RIA)
calculations. When calculating 20 years
in the future, a discount rate is used to
determine the net present value of
money. The cost estimate represents
derived estimates based on internal
expertise and public feedback in
accordance with OMB Circular A–4:
Regulatory Impact Analysis: A Primer.
Step 7 in the manual explains discount
rates.
As written, this rule amply provides
for the flexibility sought by the
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00107
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83198
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
commenter. Rule section § 170.21
specifically addresses the flexibility to
have a Plan of Action and Milestones
(POA&M) to delay meeting certain
requirements subject to CMMC
assessment for up to 180 days.
In addition, DFARS clause 252.204–
7012 already permits contractors to
request DoD CIO permission to utilize
alternative security measures to those
prescribed by NIST SP 800–171. If an
OSC previously received a favorable
adjudication from the DoD CIO for an
alternative security measure, the DoD
CIO adjudication must be included in
the system security plan to receive
consideration during an assessment.
Implemented security measures
adjudicated by the DoD CIO as equally
effective are assessed as MET if there
have been no changes in the
environment.
3. CMMC Model. Some commenters
claimed that the requirement for all
subcontractors of Level 3 prime
contractors to be at least Level 2
certified, regardless of what work they
do, will generate more demand for Level
2 assessments than the Department is
anticipating. Since much of DoD’s
contract dollars flow through a
relatively small number of companies, it
is likely those companies will have at
least one CMMC Level 3 project. The
result would be Level 2 certification
requirements being flowed down to
nearly the entirety of the DIB. Some
commenters believed this to be an
unintended consequence of
implementing the enhanced protection
of CMMC Level 3.
DoD Response: It is possible the
commenters misunderstood § 170.23
Application to subcontractors in the
rule. § 170.23(a)(4) states: ‘‘If a
subcontractor will process, store, or
transmit CUI in performance of the
subcontract and the associated prime
contractor has a requirement for the
CMMC Status of Level 3 (DIBCAC), then
the CMMC Status of Level 2 (C3PAO) is
the minimum requirement for the
subcontractor.’’ The commenter’s phrase
‘‘regardless of what work they do’’ does
not acknowledge the fact that the Level
2 certification assessment is required for
subcontractors who process, store, or
transmit CUI.
It is also possible that the commenter
interpreted that a Level 2 self-
assessment is adequate for
subcontractors working with a prime
that has a contractual requirement for a
Level 3 certification assessment. In this
case, a CMMC Status of Final Level 2
(Self) is not adequate. A CMMC Status
of Final Level 3 (DIBCAC) signifies that
the prime first achieved a CMMC Status
of Final Level 2 (C3PAO) as the risk to
their CUI was deemed high enough to
require Level 2 certification assessment.
Since this same information may be
shared with subcontractors who
process, store, or transmit CUI, the
subcontractor must also achieve CMMC
Status of Final Level 2 (C3PAO).
The decision to rely upon a CMMC
Level 2 self-assessment in lieu of a
certification assessment is a
Government risk-based decision based
upon the nature of the effort to be
performed and CUI to be shared. The
size of the company with access to the
CUI is not a basis for this determination.
The value of information and impact of
its loss does not diminish when the
information moves to contractors of
smaller size.
4. Assessment. Commenters
questioned whether CMMC will accept
reciprocity with other compliance
methodologies. Another questioned
what would drive a company to seek a
reassessment of their environment.
Other commenters suggested that we
allow small businesses 365 days to close
their POA&M requirements, as well as
suggesting that pre-assessment materials
do not need to be uploaded into eMASS,
and that the hashing requirements
should be simplified. Other suggestions
made were to allow Program Managers
to relax requirements based on a risk
decision and allow assessors to make
judgement calls on what evidence
constitutes compliance with the
requirement. One commenter requested
the DoD publish an overview of the
assessment methodology that includes
the defined frequency guidelines.
Additionally, one commenter requested
that access to Procurement Integrated
Enterprise Environment (PIEE) and
Supplier Performance Risk System
(SPRS) be made easier for small
contractors.
DoD Response: CMMC requirements
apply to DoD contracts, and not to
contracts issued by other agencies. Flow
down of CMMC requirements from a
prime contractor to its subcontractors
shall apply, as addressed in § 170.23(a)
of this rule.
DoD intends to allow qualified
standards acceptance of a DIBCAC High
Assessment using NIST SP 800–171 R2
for CMMC Status of Final Level 2
(C3PAO) as addressed in § 170.20.
CMMC Level 2 self-assessment, Level
2 certification assessment, and Level 3
certification assessment are valid for a
defined CMMC Assessment Scope as
outlined in § 170.19 CMMC Scoping. A
new CMMC assessment may be required
if significant architectural or boundary
changes are made to the previous
Assessment Scope. Examples include,
but are not limited to, expansions of
networks or mergers and acquisitions.
Operational changes within an
Assessment Scope, such as adding or
subtracting resources within the existing
assessment boundary that follow the
existing SSP do not require a new
assessment, but rather are covered by
the annual affirmations to the
continuing compliance with
requirements.
The DoD did not accept the
recommendation to change the criteria
for POA&Ms or the timeline allowed to
remediate open POA&M items. The 180-
day timeline and the determination of
the weighted practices that may be
included in a POA&M were risk-based
decisions. The determination factored
the relative risk DoD is willing to accept
when a particular practice is Not Met
and the amount of risk the DoD is
willing to accept for those security
practices that remain ‘‘NOT MET’’ for
an extended period. Unlike the original
CMMC Program, the revised CMMC
Program accepts some risk with the use
of limited POA&Ms.
There is value to the DoD in having
the pre-assessment information in
CMMC eMASS for overall program
management and oversight. The
information indicates that an
assessment is either scheduled or in-
process. The CMMC PMO seeks to track
CMMC Program adoption, and the pre-
assessment information allows reporting
on upcoming assessments. Based on the
DoD’s cost analysis, the cost to upload
pre-assessment material is minimal. The
rule and Hashing Guide have been
updated to add clarity that only
reporting a single hash is required, and
the name of the hash algorithm used
needs to be stored in CMMC eMASS.
Each Assessment Objective in NIST SP
800–171A Jun2018 must yield a finding
of MET or NOT APPLICABLE for the
overall security requirement to be
scored as MET. Assessors exercise
judgment in determining when
sufficient and adequate evidence has
been presented to make an assessment
finding. This is consistent with current
DIBCAC High Assessments and
assessments conducted under the Joint
Surveillance Voluntary Assessment
(JSVA) program.
A security requirement can be
applicable, even with assessment
objectives that are N/A. The security
requirement is NOT MET when one or
more applicable assessment objectives is
NOT MET. The requirements of each
Level of the CMMC Model are defined
in sections §§ 170.15 through 170.18
and the scoring of assessments is
described in § 170.24. The assessment
frequency required is every year for a
CMMC Status of Final Level 1 (Self),
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00108
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83199
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
and every 3 years for a CMMC Statuses
of Final Level 2 (Self), Final Level 2
(C3PAO), and Final Level 3 (DIBCAC),
or when changes within the CMMC
Assessment Scope invalidate the
assessment.
The phased implementation plan for
CMMC described in § 170.3(e) is
intended to address ramp-up issues,
provide time to train the necessary
number of assessors, and allow
companies the time needed to
understand and implement CMMC
requirements. The rule has been
updated to add an additional six months
to the Phase 1 timeline. Phase 2 will
start one calendar year after the start of
Phase 1.
5. Scoping. Commenters expressed
concerns about how External Service
Providers (ESP) and SPA and SPD are
handled with regard to certification.
Another commenter expressed concern
about the lack of FedRAMP Moderate
certified capabilities in the market as
well as requesting clarification on the
definition of ‘‘Specialized Assets’’,
specifically regarding equipment in
manufacturing that may not fall under
the conventional categories of IoT, IIoT,
and OT. Another commenter expressed
concerns about how Contractor Risk
Managed Assets (CRMA) are handled,
along with concerns about available
FedRAMP certified capabilities. Other
comments identified concerns with the
responsibility of a company that adopts
an ESP and their adherence to security
requirements, and the lack of time given
in Phase 2 of the CMMC roll-out to
garner certification. A question was also
asked regarding the Department’s
assumptions on the rigor a Certifying
Officer [Affirming Official in the rule]
would require before signing an
attestation and the methodology used to
determine the resultant actions that
must be taken. Another raised a concern
regarding how sub-environments are
handled as well as end-to-end
encryption in handling CUI. Another
expressed concern regarding the
marking of data as CUI and the potential
for overmarking. Some commenters
made suggestions that all CUI be held in
a special appendix for contracts and
only be allowed to be accessed at the
prime’s facility or through a government
hosted secure portal. A commenter also
suggested that small businesses should
not be made to meet the CMMC Level
3 requirements. Another commenter
raised questions about the alternatives
that the Department considered in
developing the CMMC Program.
Another suggestion was to provide
uniform web-based training on
cybersecurity and that the definition of
CUI was unclear, and CUI should stay
under the control of the Federal
Government and be maintained in a
government owned secure portal. A
suggestion was also made that DoD
establish a Cyber Protection Program
that monitors DIB companies and
provides real time health reports on the
DIB and dynamic intelligence security
alerts and recommended actions. A
suggestion that NIST establish a special
standard for micro-organizations was
also provided. Commenters also
suggested that the rule was too
stringent, and CUI was not marked well
or flowed down to subcontractors
appropriately.
DoD Response: The Department is
committed to overseeing the CMMC
Program and will take appropriate
measures to ensure its efficient
execution. Presently, the Department
has no intention of mandating that
contracting offices adopt presumptive
measures that would reduce the number
of small contracts subject to Level 2
certification assessment, nor does it
plan to impose affirmative requirements
on prime contracts to utilize enclaves.
Prior to conduct of an assessment, the
OSC engages with the C3PAO assessor.
It is during this time that classification
of assets should be established, and the
results of these discussions documented
in pre-planning materials. This is an
example of the pre-assessment and
planning material submitted by the
C3PAO as required in § 170.9(b)(8) and
the CMMC Assessment Scope submitted
to eMASS as required in
§ 170.17(a)(1)(i)(D). The DoD considered
the NIST definitions for System
Information and Security Relevant
Information in the development of the
CMMC definition for SPD. This rule
does not regulate an OSA’s SPD, but
instead implements existing regulatory
requirements for the safeguarding of
CUI, as defined in 32 CFR 2002.14(h)(2)
and implemented by DFARS clause
252.204–7012. The DFARS clause
252.204–7012 requires protection of
security protection assets and security
protection data through its specification
of NIST SP 800–171. Section 1.1 of
NIST SP 800–171 R2 states: ‘‘The
requirements apply only to components
of nonfederal systems that process,
store, or transmit CUI, or that provide
security protection for such
components.’’ There is therefore no
increase in the scope as described in the
rule, and no revisions to cost estimates
are required.
The DoD received numerous
comments about the requirements for
CMMC when an ESP is used. In
response to these comments, the DoD
revised the rule to reduce the
assessment burden on External Service
Providers (ESPs) by updating the ESP
assessment, certification, and
authorization requirements in
§§ 170.19(c)(2) and (d)(2).
The use of an ESP, its relationship to
the OSA, and the services provided
need to be documented in the OSA’s
System Security Plan and described in
the ESP’s service description and
customer responsibility matrix (CRM),
which describes the responsibilities of
the OSA and ESP with respect to the
services provided.
An ESP is considered a Cloud Service
Provider (CSP) when it provides its own
cloud services based on a model for
enabling ubiquitous, convenient, on-
demand network access to a shared pool
of configurable computing that can be
rapidly provisioned and released with
minimal management effort or service
provider interaction on the part of the
OSA. ESPs that are CSPs, and process,
store, or transmit CUI, must meet the
FedRAMP requirements in DFARS
clause 252.204–7012. ESPs that are
CSPs and do not process, store, or
transmit CUI, are not required to meet
FedRAMP requirements in DFARS
clause 252.204–7012.
An ESP that is not an CSP and
processes, stores, or transmits CUI, is
considered an extension of the OSA’s
environment and the ESP services used
to meet OSA requirements are within
the scope of the OSA’s CMMC
assessment. As part of that environment,
the ESP will be assessed against all
applicable requirements and
accountable for all users who have
access to CUI as part of the ESP’s
service, not just OSA employees. ESPs
that are not CSPs and do NOT process,
store, or transmit CUI, do not require
CMMC assessment.
Nothing in the rule precludes an ESP,
that is not a CSP, from voluntarily
requesting a C3PAO assessment, and a
C3PAO from performing such an
assessment, if the ESP makes that
business decision. Similarly, the ESP
can request a Level 3 certification
assessment from the DCMA DIBCAC if
they have successfully met all the
requirements during a Level 2
certification assessment.
ESPs can be part of the same
corporate/organizational structure but
still be external to the OSA such as a
centralized SOC or NOC which supports
multiple business units. An ESP that is
used as staff augmentation and the OSA
provides all processes, technology, and
facilities does not need a CMMC
assessment.
An ESP (not a CSP) that provides
technical support services to its clients
would be considered an MSP, since it
does not host its own cloud platform
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00109
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83200
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
offering. An ESP may utilize cloud
offerings to deliver services to clients
without being a CSP. An ESP that
manages a third-party cloud service on
behalf of an OSA would not be
considered a CSP.
6. POA&M. Commenters expressed
concern regarding the limited nature of
POA&Ms in CMMC as well as the
timeline and lack of flexibility in
remediating the POA&Ms.
DoD Response. The DoD did not
accept the recommendation to change
the criteria in § 170.21 for POA&M
requirements or the timeline allowed to
remediate open POA&M items. The 180-
day timeline and the determination of
which weighted practices can be placed
on a POA&M were risk-based decisions.
The determination factored into account
for the relative risk DoD is willing to
accept when a particular practice is not
met and the amount of risk the DoD is
willing to accept for those security
practices that remain ‘‘NOT MET’’ for
the extended period of time. The phased
implementation plan in § 170.3(e) is
intended to address ramp-up issues,
provide time to train the necessary
number of assessors, and allow
companies the time needed to
understand and implement CMMC
requirements. DoD has updated the rule
to add an additional six months to the
Phase 1 timeline, now one year. Phase
2 will start one calendar year after the
start of Phase 1.
7. Incorporation by Reference.
Commenters expressed concern about
the confusion between the NIST 800–
171 R2 being included in the CMMC
rule and not the recently published Rev
3.
DoD Response. The Office of the
Federal Register regulations (1 CFR part
51) require the specification of a
revision to a standard. Specifying a
revision benefits the CMMC Ecosystem
by ensuring it moves forward from one
NIST standard to the next in an
organized manner. The DoD cites NIST
SP 800–171 R2 in this final rule for a
variety of reasons, including the time
needed for industry preparation to
implement and time needed to prepare
the CMMC Ecosystem to perform
assessments against subsequent
revisions. DoD is unable to incorporate
suggestions that CMMC assessments be
aligned to whichever NIST revision is
current at the time of solicitation.
Comments on the specifics on NIST SP
800–171 Revision 3 should be directed
to NIST.
8. Affirmation. Commenters expressed
confusion regarding the definition of the
Affirming Official as well as how the
affirmation process works i.e., is the
affirmation for each company or the
whole supply chain. One commenter
also expressed confusion regarding
whether an affirmation was required at
each certification level annually.
DoD Response. The rule was modified
to include a definition for Affirming
Official in § 170.4.
The DoD considered the
recommended text revisions and
modified the text for added clarity about
affirmations. DoD’s use of the term OSA
within the affirmations section is
deliberate and conveys that each
organization is responsible for
affirmations pertaining to their own
assessments. To help clarify the point in
question, § 170.22(a)(1) addresses
Affirming Official and has been revised
to clarify that CMMC affirmations shall
be submitted by the OSA and apply
only to the information systems of that
organization.
The DoD deems that the requirement
to annually affirm continuing
compliance with the CMMC
requirements at the designated CMMC
Level and following the procedures in
§ 170.22 is not a significant additional
burden. The requirement for annual
affirmations takes the place of an annual
recertification and ensures the
Affirming Official responsible for
CMMC requirements is monitoring
compliance.
9. Alternatives. Several commenters
provided suggestions for alternative
means to implement verification of
compliance with cybersecurity
standards. These suggestions included
the following:
• Provide flexibility for the CMMC
AB to allow a C3PAO partial assessment
of perspective Managed Service
Providers.
• Allow small businesses to continue
performing self-assessments and self-
certify along with increasing the support
provided to small business from DC3 to
expand paying for consultants to assist
with compliance as well as paying for
small businesses assessments,
• Integrate cybersecurity and
traditional counterintelligence
measures, establishing a secure software
development environment in a cloud
that DoD hosts, as well as providing a
secure environment in which small
businesses could operate.
• Require Prime contractors to
assume the cost of CMMC for their
supply chain.
• Only assess a sampling of the
Defense Industrial Base.
• Increase the Certification validity
time period from 3 to 10 years.
• Shift the requirement to post award.
• Re-evaluate the program to reduce
requirements to make it easier.
• Stay with only the DCMA DIBCAC
performing assessments on the DIB.
DoD Response: DoD considered many
alternatives before deciding upon the
current CMMC structure. To date,
alternative methods of assessment have
proven inadequate and necessitated the
establishment of CMMC. The DoD
determined the requirements for a
CMMC Accreditation Body, and this
accreditation body will administer the
CMMC Ecosystem.
DoD must enforce CMMC
requirements uniformly across the DIB
for all contractors and subcontractors
who process, store, or transmit CUI. The
value of information and the impact of
its loss does not diminish when the
information moves to contractors and
subcontractors.
The DoD notes with interest the
commenter’s reference to initiatives in a
report to Congress describing the
breadth of cybersecurity related
initiatives within the Department. While
the CMMC Program is an important
initiative, it is by no means the
Department’s only effort to improve DIB
cybersecurity. The CMMC Program
addresses the adequate safeguarding of
contractor owned information systems
which process, store, or transmit FCI or
CUI. Other DoD initiatives related to
secure cloud or software development
environments are beyond the scope of
the CMMC Program.
The DoD declined to accept the
recommended alternative of relying
exclusively on self-assessment with the
potential to require a DIBCAC
assessment for only a sampling of DoD
contractors, which is essentially the
status quo. Both GAO reporting and
other DoD analysis have shown that the
DIB has not consistently implemented
the NIST SP 800–171 requirements
needed to comply with DFARS clause
252.204–7012, notwithstanding DoD’s
stated objective in this clause is for
compliance ‘‘as soon as practical, but
not later than December 31, 2017.’’
The DoD declined to accept the risk
associated with implementing CMMC as
a post-award requirement. When
contracts require contractors to process,
store, or transmit CUI, DoD requires that
they be compliant with DFARS clause
252.204–7012 and competent to
adequately safeguard CUI from the
beginning of the period of performance.
DoD declined the recommendation to
require primes to assume the cost of
CMMC compliance for their
subcontractors.
The aggregated SPRS reporting and
scoring is CUI. The DoD does not plan
to make this information public at this
time, as it may aid adversaries in
coordinating their attacks.
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00110
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83201
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
The Department declined to adopt the
recommendation to allow DIB members
to assist in designing the DoD’s
mechanism for assessing DIB
compliance with DoD’s contractual
requirements. In developing the CMMC
program, the DoD sought and
considered DIB input.
DoD disagreed with the comment that
there is a lack of scalability in the
CMMC Program. The phased
implementation plan described in
§ 170.3(e) is intended to address ramp-
up issues within the CMMC Ecosystem,
provide time to train the necessary
number of assessors, and allow
companies the time needed to
understand and implement CMMC
requirements.
The rule was updated to add an
additional six months to the Phase 1
timeline, now one year. Further
extension of the implementation period
or other solutions may be considered in
the future to mitigate any C3PAO
capacity issues, but the Department has
no such plans at this time.
As with all DoD programs, the
Department intends to effectively
oversee the CMMC Program and take the
actions needed to manage its effective
implementation. Although the full
extent of DoD’s oversight process is
beyond the scope of this rule, the rule
text does address DoD’s authority to
waive the application of CMMC
requirements when warranted.
The DoD disagrees with commenters’
assertions about NIST SP 800–171 R2
and the available assessment methods.
The NIST SP 800–171 R2 standard was
chosen since it is enterprise focused and
already required in DoD contracts when
DFARS clause 252.204–7012 is
applicable.
DCMA DIBCAC currently performs
assessments against NIST SP 800–171
R2, which identifies the target audience
to include individuals with security
assessment responsibilities, such as
auditors, assessors, and ‘‘independent
verifiers.’’
The Department does not have the
organic capacity to adequately assess
the 220,000+ companies in the DIB. The
DoD will not assume the workload of
directly assessing every DIB contractor.
In this final rule, DoD established a
scalable way to verify, through
assessment, that contractors have
implemented required security
measures necessary to safeguard DoD’s
information.
It is important that contractors
maintain security compliance for
systems that process, store, or transmit
DoD CUI. Given the evolving
cybersecurity threat, DoD’s best interests
are served by ensuring that Level 2 self-
assessment and certification
assessments remain valid for no longer
than a 3-year period, regardless of who
performs the assessment.
10. Applicability. Commenters
expressed frustration with exempting
Commercial- Off-The-Shelf (COTS)
products and procurements under the
micro-purchase threshold from CMMC
certification, and not providing
exemptions for Native American, small,
disadvantaged businesses, and Small
Business Innovative Research contracts.
They also expressed concerns about
perceived threatened penalties and lack
of recognition of recurring costs to Level
1 assessments. A commenter also
recommended reversing the phased
approach to require Level 3
requirements be implemented first.
DoD Response: Some comments
pertain to the 48 CFR part 204 CMMC
Acquisition rule, including applicability
of the CMMC clause to COTS
procurements and those below the
micro-purchase threshold. Such
comments are not within the scope of
this 32 CFR part 170 CMMC Program
rule, which outlines program
requirements rather than contracting
procedures.
This rule has no disproportionate
impact on Native American owned
businesses. Once identified as a
requirement, the CMMC Program
requirements will apply uniformly to all
prospective contractors.
DoD must enforce safeguarding
requirements uniformly across the DIB
for all contractors and subcontractors
who process, store, or transmit CUI. The
value of information and impact of its
loss does not diminish when the
information moves to DoD contractors
and DoD subcontractors, regardless of
their status as Native American or small
disadvantaged businesses.
The purpose of the CMMC Program is
to ensure that DoD contracts that require
contractors to safeguard FCI and CUI
(i.e., contracts that include FAR clause
52.204–21 and DFARS clause 252.204–
7012) will be awarded to contractors
with the ability to protect that
information appropriately. Accordingly,
all contractor owned information
systems that process, store, or transmit
FCI or CUI in the performance of a
contract are subject to the requirements
of FAR clause 52.204–21 and NIST SP
800–171 as implemented by DFARS
clause 252.204–7012.
The CMMC Program rule does not
include ‘‘threatened penalties.’’ If a
requirement of a DoD contract is not
met, then standard contractual remedies
applicable to that contract may apply.
The phased implementation plan
described in § 170.3(e) is intended to
address ramp-up issues, provide time to
train the necessary number of assessors,
and allow companies the time needed to
understand and implement CMMC
requirements.
The self-assessment requirements
build on the existing DFARS clause
252.204–7020 requirement as part of
basic safeguarding of CUI. CMMC Level
3 requires advanced implementation,
and the phase-in period provides
additional time for an OSC to achieve
the higher standard.
11. Flow down. Commenters
expressed concern that the CMMC rule
language was not clear enough regarding
when self-assessments are allowed. One
commenter believed requiring prime
contractors to validate the compliance
of those they transmit CUI to was too
onerous and that the rule language was
not clear on how to determine what
level of CUI is being passed.
DoD Response: DoD policies guide
Program Managers to appropriately
apply CMMC Status requirements in
DoD solicitations and resulting
contracts, to include when Level 2 self-
assessment rather than Level 2
certification assessment is appropriate.
The commenter misinterprets the text
of § 170.23, which states: If a
subcontractor will process, store, or
transmit CUI in performance of the
subcontract and the associated prime
contractor has a requirement for a
CMMC Status of Level 2 (C3PAO), then
the CMMC Status of Level 2 (C3PAO) is
the minimum requirement for the
subcontractor.
CMMC flow down requirements are
designed to apply consistent assessment
requirements to all contractors, whether
prime or subcontractor and regardless of
company size, who are required to
adequately safeguard CUI. The DoD
cannot dictate DIB business practices
and encourages prime contractors to
carefully consider the necessity of
sharing CUI information and to work
with its subcontractors to flow down
CUI with the required security and the
least burden.
Defense contractors may share
information about their CMMC Status
with other DIB members to facilitate
effective teaming arrangements when
competing for DoD contract
opportunities.
In addition, CMMC requirements
apply for prime contractors and their
subcontractors as outlined in § 170.23.
For additional information about flow
down of contractual requirements, see
the 48 CFR part 204 CMMC Acquisition
rule, RIN 0750–AK81, Assessing
Contractor Implementation of
Cybersecurity Requirements (DFARS
Case 2019–D041).
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00111
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83202
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
12. International. Commenters
expressed concern about international
partners’ use of cloud services that do
not have FedRAMP or GovCloud
equivalency. Also concerns that the
draft language [in the proposed rule] did
not explain reciprocity of cybersecurity
standards between the U.S. and
International Partners. One commenter
recommended exempting foreign
businesses from assessment
requirements.
DoD Response: A domestic or
international business seeking a contract
that includes DFARS clause 252.204–
7012, and using a cloud service provider
to process, store, or transmit covered
defense information in performance of
that DoD contract, must meet FedRAMP
authorization or equivalency
requirements. As the FedRAMP program
and FedRAMP equivalency are available
to international organizations, foreign
partners do not need to develop their
own FedRAMP program.
The DoD leverages FedRAMP to
provide the requirements for the
adoption of secure cloud services across
the Federal Government by providing a
standardized approach to security and
risk assessment for cloud technologies
and Federal agencies.
The Implementation of CMMC
Program requirements described in
§ 170.3(e) of the rule does not promote
assessments of any contractors over any
other contractors. All companies,
regardless of size, location, or
nationality, will have access to
authorized C3PAOs for certification
assessments. The rule does not preclude
non-U.S. citizens or foreign-owned
C3PAOs from operating in the U.S.
Additionally, U.S.-owned C3PAOs may
operate in a foreign nation.
Section 170.20 states that OSCs that
have completed a DCMA DIBCAC High
Assessment aligned with CMMC Level 2
Scoping will be given the CMMC Status
of Final Level 2 (C3PAO). International
standards acceptance is not addressed
in this rule.
Any consideration of reciprocity
between foreign partner protected
information and CUI and FCI would
require a formal government to
government international arrangement
or agreement and is outside the scope of
this 32 CFR part 170 CMMC Program
rule.
Any discussion of exemptions for
foreign businesses are outside the scope
of the 32 CFR part 170 CMMC Program
rule and may be addressed through
government-to-government international
arrangements or agreements.
The Discussion of Public Comments
and Resulting Changes section in the
preamble of the final rule addresses all
public comments received during the
mandatory 60-day public comment
period for the proposed rule and
supporting documents.
Response to Comments From Chief
Counsel for Advocacy of the SBA
On December 26, 2023, the
Department of Defense (DoD) published
a proposed rule entitled Cybersecurity
Maturity Model Certification (CMMC)
Program, 88 CFR 89058. This proposed
rule intends to create a mechanism by
which the DoD can certify that
contractors and subcontractors are in
compliance with the stated
cybersecurity guidelines. The SBA
Office of Advocacy (SBA or Advocacy)
submitted the following comments and
concerns on the proposed rule in a letter
addressed to the DoD CIO within the
public comment period for the proposed
32 CFR part 170 CMMC Program rule.
‘‘Advocacy is principally concerned
with the ability for small businesses to
meet and comply with the standards
and timelines set out in the CMMC
Program without further clarification
and guidance documents from the DoD.
The current rule does not provide clear
guidance on the process to create
enclaves, which would allow more
small business subcontractors to
participate in DoD contracts without
meeting the full requirements necessary
for the prime contractor. Advocacy
seeks clarification on the role of Third-
Party Assessment Organizations
(C3PAO) and the indemnification a
C3PAO has if a contractor or
subcontractor is out of compliance.’’
‘‘Advocacy concerns also include the
process of how and if more C3PAOs can
be certified by the DoD to review the
numerous contracts that will be subject
to certifications. Advocacy urges the
DoD to provide clarification about the
enforcement mechanisms for breaches
of cybersecurity.’’
‘‘Lastly, Advocacy reminds the DoD
that this rule will impose a high cost of
compliance on small businesses and any
means to reduce the burden on small
businesses will increase the
participation of these impacted
businesses.’’
‘‘The proposed rule would give
contractual effect to NIST SP 800–171
and 172, requiring companies to meet
the three levels of compliance if the
contracts involve FCI or CUI. CMMC
attempts to redesign previous iterations
of cybersecurity models with a more
streamlined process. This proposal
would simplify previous systems to
create a more streamlined certification
system. This rule differs from previous
iterations by allowing for businesses to
create enclaves within their business
models, allowing the business to
implement the CMMC standards while
not drastically changing every aspect of
their business process.’’
‘‘SBA Comment 1: Under the
proposed rule, the CMMC Program will
require all DoD contractors and
subcontractors who handle Federal
contract information (FCI) and
Controlled Unclassified Information
(CUI) to maintain cybersecurity
protections of their systems. CMMC will
create three levels of compliance,
depending on the level of security
necessary for which the contractor has
access. Level 1 has 15 requirements
focused on logging access to potential
FCI. Level 2 includes minimum
requirements for contractors handling
CUI and adds 110 requirements. Level 3
addresses an additional 24
requirements. Each level will pose
varying challenges for small businesses
of every kind to comply with the
progressing requirements. Advocacy has
commented on previous proposals for
CMMC concerning the significant
impact this will have on small business
contractors.’’
‘‘Advocacy held outreach meetings
with diverse small business
stakeholders concerning this rule, both
in-person and virtually.—Small
businesses expressed concerns with
how to compensate the increased costs
due to implementing CMMC and asked
for clarity on aspects of the proposed
CMMC rule. Advocacy has four chief
concerns with the proposed rule.’’
‘‘Advocacy requests clear and concise
guidance for small business contractors
and subcontractors to create enclaves in
order to lessen the burden of
compliance on the businesses.’’
‘‘The proposed rule states that
different business segments or different
enclaves of a business can be assessed
or certified at different CMMC levels.
Creating and implementing enclaves
will be most effective when a large
prime contractor creates these enclaves
to ease the burden on small
subcontractors. The rule mentions the
use of enclaves but does not provide
guidance on how to implement enclaves
within a business.’’
DoD Response: The Department
acknowledges the concerns articulated
by the Small Business Administration
(SBA) and commits to enhancing
training provisions after the rule is final
and effective. Moreover, the Department
pledges to reinstate outreach endeavors
targeting the broader industry and
specifically small businesses to facilitate
familiarity with CMMC requirements
once the rule is final and effective.
However, the Department does not
intend to formulate specific directives
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00112
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83203
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
pertaining to the configuration and
segregation of corporate information
systems into enclaves. Such
determinations must be tailored to
individual companies, considering a
multitude of unique factors.
External service providers (ESPs) will
be a driving force for small businesses’
compliance with CMMC requirements.
ESPs are vendors that handle security
related data or CUI on their own assets
and software. The ability of ESPs to
create effective and economically
feasible services will allow businesses
to enclave different operations more
easily and avoid unduly costly
compliance expenses.
‘‘SBA Comment 2: Advocacy
recommends that the DoD create a
presumption to reduce the number of
small contracts that are subject to
CMMC Level 2. This can be achieved
through varying means, including a
positive requirement for prime
contractors or the ability for a prime
contractor to engage in using enclaves as
a positive value marker for their
contracts. Further, the agency
contracting officer could be required to
engage in mitigating efforts if such
CMMC related issues arise between a
subcontractor and prime contractor.’’
DoD Response: The Department is
committed to robustly supervising the
CMMC Program and will take
appropriate measures to ensure its
efficient execution. Presently, the
Department has no intention to mandate
contracting offices adopt presumptive
measures that would diminish the
number of small contracts subject to
CMMC Level 2 assessment, nor does it
plan to impose affirmative requirements
on prime contracts to utilize enclaves.
‘‘SBA Comment 3: Advocacy seeks
clarity on the role of C3PAOs and the
ability of C3PAOs to meet the demand
for CMMC.
‘‘For CMMC Level 2 compliance, a
CMMC third-party assessor (C3PAO)
will triennially inspect the businesses’
compliance with the 110 requirements
of CMMC Level 2. Stakeholders raised
concerns regarding the role C3PAOs
will play in Level 2 certification and
sought clarity on the indemnification of
issues arising from a certification.
Stakeholders raised concerns that if
there are an insufficient number of
C3PAOs to timely inspect every
contractor before the rule is effective,
then small businesses will be the last
ones to be certified. Advocacy
recommends creating a streamlined
process to provide organizations with
C3PAO certifications. This process
would meet the immediate need of
contractors to initially certify with a
C3PAO that the business meets CMMC
Level 2 requirements. Particularly, there
should be availability of C3PAOs for
small businesses and ensure small
business owners are not falling behind.’’
DoD Response: In alignment with its
standard practice across all programs,
the Department is committed to diligent
oversight of the CMMC Program and
will enact appropriate measures to
ensure its successful execution. The
phased implementation strategy
outlined in § 170.3(e) in the rule is
designed to tackle initial challenges,
facilitate assessor training, and afford
companies sufficient time to
comprehend and integrate CMMC
prerequisites.
While the Department remains open
to considering future adjustments,
including potential extensions to the
implementation timeline or alternative
solutions to address any capacity
constraints faced by C3PAOs, no such
initiatives are currently under active
consideration.
‘‘SBA Comment 4: Advocacy asks the
DoD to clarify enforcement guidelines/
mechanisms.
As proposed, Level 1 contractors
would annually attest their compliance
with the requirements. While at Level 2,
there would be attestations with C3PAO
certifications every three years.
Stakeholders raised questions about the
practical steps the DoD will take in
enforcement actions for breaches.
Further, stakeholders raised concerns
regarding the availability of remediating
steps in the instance of failure to meet
a CMMC requirement. Advocacy
recommends the agency create guidance
documents for small business
contractors to better understand the
legal effects of the CMMC.’’
DoD Response: Regarding
enforcement, as the CMMC is slated for
implementation as a precondition for
contract award consideration, non-
compliance with CMMC requirements
will result in disqualification from
contract award; or post-award, could
result in standard contractual and other
remedies for failure to timely and
satisfactorily address outstanding
POA&Ms to fully implement CMMC
requirements and meet contractual
obligations.
‘‘SBA Comment 5: Advocacy
highlights the need for DoD to create
rules that encourage and improve small
business participation in contracting
programs. Advocacy reiterates the
importance of small businesses in
Federal contracting. [Excerpt from
footnote 21: ‘‘Small businesses make up
99.9 percent of all U.S. businesses as
well as 73 percent of companies in the
defense industrial base, and last year
small businesses were awarded over 25
percent of all DoD prime contracts. As
the economic engine of our nation,
small businesses create jobs, generate
innovation, and are essential, daily
contributors to national security and the
defense mission.] Creating accessible,
commercially viable, and secure cyber
systems is critical for the future of
national security. Small businesses wish
to continue to be a powerful driver of
national defense contracting. Advocacy
heard small business stakeholders from
across the country express their strong
commitment to protecting our country
from cyber-attacks and recognize the
critical need for CMMC and other
cybersecurity measures.
‘‘Small businesses urge DoD to create
flexibilities such as using Plan of Action
and Milestones (POA&Ms) when this
rule goes into effect initially, allowing
small businesses to ramp up to full
compliance with their respective CMMC
level.’’
DoD Response: Department
acknowledges the concerns voiced by
the SBA regarding the participation of
small businesses in contracting
programs and the importance of
fostering their involvement in Federal
contracting, particularly within the
defense industrial base. Recognizing the
significant role small businesses play in
national security and defense missions,
the Department is committed to
diligently addressing these concerns.
While the Department values the
input provided by small business
stakeholders and understands the desire
for flexibilities, including the use of
POA&Ms during the initial
implementation phase, it must carefully
balance multiple factors to ensure the
effectiveness and integrity of the CMMC
Program.
‘‘SBA Comment 6: Advocacy’s chief
concerns surround a lack of clarity on
key aspects of the proposed rule.
Advocacy requests clarification from
DoD as to how to create enclaves within
businesses. Encouraging the use of ESPs
and incentivizing large prime
contractors to keep all subcontractors
from being subject to high levels of
cybersecurity will be key in keeping
small businesses engaged in DoD
contracting. Guidance documents for
small businesses (especially aimed at
the smallest of small businesses) and
ESPs will create an easier ramp for
small business compliance. Advocacy
requests clarity from DoD regarding the
role of C3PAOs and encourages the DoD
to ensure small businesses can obtain
certification from C3PAOs in a timely
manner. Further, the DoD should clarify
the enforcement and procedural
repercussions for a failure to meet
various CMMC levels. Lastly, the DoD
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00113
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83204
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
62
DoD estimates of the hours, recurring and non-
recurring costs, and labor rates are based upon
subject matter expertise from the DOD Chief
Information Office, CMMC Program Office, and
DoD/DIBCAC.
should set achievable goals as CMMC is
implemented, ensuring that current
small businesses contracting with the
agency can continue work with the
government while ensuring our nation’s
defense.’’
DoD Response: The DoD
acknowledges the SBA advocacy chief’s
concerns and will make additional
training resources available following
finalization of this rule. The DoD deems
that the level of detail on the topics
identified is appropriate for codification
in the 32 CFR part 170 CMMC Program
rule. The DoD will resume outreach
efforts with the aim of promoting
CMMC familiarization among small
businesses once the rule is final and
effective and any constraints on such
engagements no longer apply. However,
DoD caveats that providing any specific
instructions for configuring corporate
information systems into enclaves is
beyond the guidance that DoD intends
to provide, as such decisions are unique
to each company.
The role of C3PAOs is thoroughly
described in § 170.9 CMMC Third-Party
Assessment Organizations (C3PAOs)
and in the supplemental documents.
In terms of enforcement, since CMMC
will be implemented as a pre-award
requirement, the repercussions of failure
to meet CMMC requirements will
include failure to be selected for
contract award, or standard contractual
and other remedies for failure to timely
and satisfactorily close-out a POA&M
and meet or maintain the contractual
CMMC requirements.
As with all of DoD programs, the
Department intends to effectively
oversee the CMMC Program and take the
appropriate actions needed to manage
its effective implementation. The
phased implementation plan described
in § 170.3(e) was extended by six
months and is intended to address
ramp-up issues, provide time to train
the necessary number of assessors, and
allow companies the time needed to
understand and implement CMMC
requirements.
Small Business Entities Impacted
This rule will impact small businesses
that do business with the Department of
Defense, except those competing on
contracts or orders that are exclusively
for COTS items or when receiving
contracts or orders valued at or below
the micro-purchase threshold.
According to the Federal Procurement
Data System (FPDS) there is an average
of 29,260 unique small business
contractors: FY 2019 (31,189), FY 2020
(29,166) and FY 2021 (27,427).
Cost Assumptions and Analysis for
CMMC
Complete details on CMMC
requirements and associated costs,
savings, and benefits of this rule are
provided in the Regulatory Impact
Analysis referenced in the preamble.
Key Components of the model are
described in §§ 170.14 through 170.24.
(a) Assumptions for the updated CMMC
Program Cost Analysis
In estimating the public cost for a
small DIB company to achieve CMMC
compliance or certification at each
CMMC level, DoD considered non-
recurring engineering costs, recurring
engineering costs, assessment costs, and
affirmation costs for each CMMC
Level.62 These costs include labor and
consulting.
Estimates include size and complexity
assumptions to account for
organizational differences and how it
handles Information Technology (IT)
and cybersecurity:
• small entities have a less complex,
less expansive operating environment
and Information Technology (IT)/
Cybersecurity infrastructure compared
to larger DIB companies.
• small entities outsource IT and
cybersecurity to an External Service
Provider (ESP) entities (large or small)
pursuing CMMC Level 2 self-assessment
will seek consulting or
• implementation assistance from an
ESP to either help them prepare for the
assessment technically or participate in
the assessment with the C3PAOs.
Estimates do not include
implementation (Non-recurring
Engineering Costs (NRE)) or
maintenance costs (Recurring
Engineering (RE)) for requirements
prescribed in current regulations.
For CMMC Levels 1 and 2, cost
estimates are based upon assessment,
reporting and affirmation activities
which a contractor will take to validate
conformance with existing cybersecurity
requirements from the FAR clause
52.204–21 (effective June 15, 2016) to
protect FCI, and the DFARS clause
252.204–7012 which required contractor
implementation of NIST SP 800–171 not
later than December 31, 2017, to protect
CUI. As such, costs estimates are not
included for an entity to implement
security requirements, maintain existing
security requirements, or remediate a
Plan of Action for unimplemented
requirements.
For CMMC Level 3, the estimates
factor in the assessment, reporting and
affirmation activities in addition to
estimates for NRE and RE to implement
and maintain CMMC Level 3
requirements. CMMC Level 3
requirements are a subset of NIST SP
800–172 Feb2021 Enhanced Security
Requirements as described in § 170.30
of the CMMC rule and are not currently
required through other regulations.
CMMC Level 3 is expected to apply only
to a small subset of DIB contractors.
The Cost Categories used for each
CMMC Level are described below:
1. Nonrecurring Engineering Costs:
Estimates consist of hardware, software,
and the associated labor to implement
the same. Costs associated with
implementing the requirements defined
in FAR clause 52.204–21 and NIST SP
800–171 R2 are assumed to have been
implemented and are therefore not
accounted for in this cost estimate. As
such, these costs only appear in CMMC
Level 3. Where nonrecurring
engineering costs are referenced, they
are only accounted for as a one-time
occurrence and are reflected in the year
of the initial assessment.
2. Recurring Engineering Costs:
Estimates consist of annually recurring
fees and associated labor for technology
refresh. Costs associated with
implementing the requirements defined
in FAR clause 52.204–21 and NIST SP
800–171 R2 are assumed to have been
implemented and are therefore not
accounted for in this cost estimate. As
such, these costs only appear in CMMC
Level 3.
Assessment Costs: Estimates consist
of activities for pre-assessment
preparations (which includes gathering
and/or developing evidence that the
assessment objectives for each
requirement have been satisfied),
conducting and/or participating in the
actual assessment, and completion of
any post-assessment work. Assessment
costs are represented by notional
phases. Assessment costs assume the
offeror/contractor passes the assessment
on the first attempt (conditional—with
an allowable POA&M or final). Each
phase includes an estimate of hours to
conduct the assessment activities
including:
(a) Labor hour estimates for a
company (and any ESP support) to
prepare for and participate in the
assessment.
(b) C3PAO cost estimates for
companies pursuing a certification.
—Labor hour estimates for certified
assessors to work with the small
business to conduct the actual
assessment.
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00114
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83205
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
63
Again, it is assumed that that DIB contractors
and subcontractors have already implemented the
15 basic safeguarding requirements in FAR clause
52.204–21.
64
An external service provider is assumed to be
an ‘‘Information Assurance Specialist Level 7’’ with
an hourly rate of $260.
65
A person needs to enter the information into
SPRS, which should only take five minutes.
(c) Assessment Costs broken down
into phases.
—Phase 1: Planning and preparing for
the assessment.
—Phase 2: Conducting the assessment
(self or C3PAO).
—Phase 3: Reporting of Assessment
Results.
—Phase 4: POA&M Closeout (for CMMC
Level 3 only, where allowed, if
applicable).
• CMMC allows a limited open Plan
of Action and Milestones (POA&M) for
a period of 180 days to remediate the
POA&M, see § 170.37.
3. Affirmations: Estimates consist of
costs for a contractor to submit to SPRS
an initial and affirmation of compliance
that the covered contractor information
system is compliant with and will
maintain compliance with the
requirements of the applicable CMMC
Level. Where POA&Ms are allowed, an
affirmation must be submitted with the
POA&M closeout. Except for Small
Entities for Level 1 and Level 2, it is
assumed the task requires the same
labor categories and estimated hours as
the final reporting phase of the
assessment.
(b) Comparison to the Initial CMMC
Program Cost Analysis
Public comments on the initial CMMC
Program indicated that cost estimates
were too low. Updated CMMC Program
cost estimates account for that feedback
with the following improvements:
• Allowance for outsourced IT
services.
• Increased total time for the
contractor to prepare for the assessment,
including limited time for learning the
reporting and affirmation processes.
• Allowance for use of consulting
firms to assist with the assessment
process.
• Time for a senior level manager to
review the assessment and affirmation
before submitting the results into SPRS.
• Updated government and contractor
labor rates that include applicable
burden costs.
As a result, some cost estimates for
the updated CMMC Program may be
higher than those included in the initial
CMMC Program.
(c) Cost Analysis/Estimates by CMMC
Level
CMMC Level 1 Self-Assessment and
Affirmation Costs for Small Business
Entities
• Nonrecurring and recurring
engineering costs: There are no
nonrecurring or recurring engineering
costs associated with CMMC Level 1
since it is assumed the contractor has
implemented basic safeguarding
requirements.63
• Self-Assessment Costs and Initial
Affirmation Costs: It is estimated that
the cost to support a CMMC Level 1
assessment and affirmation is * $5,977
(as summarized in table 1). A Level
1self-assessment is conducted annually,
and is based on the assumptions
detailed below:
—Phase 1: Planning and preparing for
the assessment: $1,803
• A director (MGMT5) for 4 hours
($190.52/hr
× 4hrs = $762)
• An external service provider
(ESP) 64 for 4 hours ($260.28
× 4hrs
= $1,041)
—Phase 2: Conducting the self-
assessment: $2,705
• A director (MGMT5) for 6 hours
($190.52/hr
× 6hrs = $1,143)
• An external service provider (ESP)
for 6 hours ($260.28
× 6hrs =
$1,562)
—Phase 3: Reporting of Assessment
Results into SPRS: $909
• A director (MGMT5) for 2 hours
($190.52/hr
× 2hrs = $381)
• An external service provider (ESP)
for 2 hours ($260.28/hr * 2hrs =
$521)
• A staff IT specialist (IT4) for 0.08
hours 65 ($86.24/hr
× 0.08hrs = $7)
—Affirmation: initial affirmation post
assessment: $560
• Reaffirmations: It is estimated that
the costs to reaffirm a CMMC Level I
annually for a small entity is $560
—A director (MGMT5) for 2 hours
($190.52/hr
× 2hrs = $381)
—A staff IT specialist (IT4) for 2.08
hours ($86.24/hr
× 2.08hrs = $179)
• Summary: The following is the
annual small entities total cost summary
for CMMC Level 1 self-assessments and
affirmations over a ten-year period:
(Example calculation, Year 1: *$5,977
per entity (detailed above)
× 699 entities
(cumulative) = $4,177,845)
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00115
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83206
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
CMMC Level 2 Self-Assessment and
Affirmation Costs for Small Business
Entities
The costs below account for a CMMC
Level 2 self-assessment of the applicable
contractor information system(s) with
NIST SP 800–171 R2 requirements
based on assumptions defined above.
• Nonrecurring and recurring
engineering costs: There are no
nonrecurring or recurring engineering
costs associated with CMMC Level 2
self-assessment since it is assumed the
contractor has implemented NIST SP
800–171 R2 requirements.
• Assessment Costs and Initial
Affirmation Costs: It is estimated that
the cost to support a CMMC Level 2 self-
assessment and affirmation for a small
entity is *$34,277. The three-year cost is
$37,196 (as summarized in 4.1.2 above,
table 2), which includes the triennial
assessment + affirmation, plus two
additional annual affirmations ($34,277
+ $1,459 + $1,459).
—Phase 1: Planning and preparing for
the self-assessment: $14,426
• A director (MGMT5) for 32 hours
($190.52/hr
×* 32hrs = $6,097)
• An external service provider (ESP)
for 32 hours ($260.28/hr
× 32hrs =
$8,329)
—Phase 2: Conducting the self-
assessment: $15,542
• A director (MGMT5) for 16 hours
($190.52/hr
× 16hrs = $3,048)
• An external service provider (ESP)
for 48 hours ($260.28/hr
× 48hrs =
$12,493)
—Phase 3: Reporting of assessment
results: $2,851
• A director (MGMT5) for 4 hours
($190.52/hr
× 4hrs = $762)
• An external service provider (ESP)
for 8 hours ($260.28/hr
× 8hrs =
$2,082)
• A staff IT specialist (IT4) for 0.08
hours ($86.24/hr
× 0.08hrs = $7)
—Affirmation—initial affirmation post
assessment: $1,459
• Reaffirmations: It is estimated that
the costs to reaffirm a CMMC Level 2
self-assessment annually is $1,459
(three-year costs to reaffirm a CMMC
Level 2 self-assessment annually is
$4,377, or $1,459
× 3):
—A director (MGMT5) for 4 hours
($190.52/hr
× 4hrs = $762)
—A staff IT specialist (IT4) for 8.08
hours ($86.24/hr
× 8.08hrs = $697)
• Summary: The following is the
annual small entities total cost summary
for CMMC Level 2 self-assessments and
Affirmations over a ten-year period:
(Example calculation, Year 2: (*$34,277
self-assessment per entity
× 101 entities)
+ ($1,459 annual affirmation per entity
× 20 entities) = $3,491,193)
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00116
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
ER15OC24.028</GPH>
khammond on DSKJM1Z7X2PROD with RULES2
83207
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
CMMC Level 2 Certification and
Affirmation Costs for Small Business
Entities
The costs below account for a CMMC
Level 2 Certification assessment and
affirmation costs of the applicable
contractor information system(s) with
NIST SP 800–171 R2 requirements
based on assumptions defined above.
CMMC Level 2 certification assessments
require hiring a C3PAO to perform the
assessment.
• Nonrecurring or recurring
engineering costs: There are no
nonrecurring or recurring engineering
costs associated with CMMC Level 2
C3PAO Certification since it is assumed
the contractor has implemented NIST
SP 800–171 R2 requirements.
• Assessment Costs and Initial
Affirmation Costs: It is estimated that
the cost to support a CMMC Level 2
C3PAO Certification and affirmation for
a small entity is *$101,752. The three-
year cost is $104,670 (as summarized in
section 3(b) above, table 1), and
includes the triennial assessment +
affirmation plus two additional annual
affirmations ($101,752 + $1,459 +
$1,459).
—Phase 1: Planning and preparing for
the assessment: $20,699
• A director (MGMT5) for 54 hours
($190.52/hr
× 54hrs = $10,288)
• An external service provider (ESP)
for 40 hours ($260.28/hr
× 40hrs =
$10,411)
—Phase 2: Conducting the C3PAO
assessment: $45,509
• A director (MGMT5) for 64 hours
($190.52/hr x 64hrs = $12,193)
• An external service provider (ESP)
for 128 hours ($260.28/hr
× 128hrs =
$33,316)
—Phase 3: Reporting of C3PAO
Assessment Results: $2,851
• A director (MGMT5) for 4 hours
($190.52/hr
× 4hrs = $762)
• An external service provider (ESP)
for 8 hours ($260.28/hr
× 8hrs =
$2,082)
• A staff IT specialist (IT4) for 0.08
hours ($86.24/hr
× 0.08hrs = $7)
—Affirmation—initial affirmation post
assessment: $1,459
—C3PAO Costs: C3PAO engagement
inclusive of Phases 1, 2, and 3 (3-
person team) for 120 hours
($260.28/hr
× 120hrs = $31,234)
• Reaffirmations: It is estimated that
the costs to reaffirm a CMMC Level 2
C3PAO Assessment annually is $1,459
(three-year cost is $4,377, or $1,459
× 3)
—A director (MGMT5) for 4 hours
($190.52/hr
× 4hrs = $762)
—A staff IT specialist (IT4) for 8.08
hours ($86.24/hr
× 8.08hrs = $697)
• Summary: The following is the
annual small entities total cost summary
for CMMC Level 2 Certifications and
Affirmations over a ten-year period:
(Example calculation, Year 2:
(*$101,752 assessment per entity
×
1,926 entities) + ($1,459 annual
affirmation per entity
× 382 entities) =
$196,531,451)
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00117
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
ER15OC24.029</GPH>
khammond on DSKJM1Z7X2PROD with RULES2
83208
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
CMMC Level 3 Certification and
Affirmation Costs for Small Business
Entities
Contractors pursuing CMMC Level 3
certification assessment must have a
current Final CMMC Level 2
certification assessment, and
demonstrate compliance with CMMC
Level 3, which is a subset of security
requirements from NIST SP 800–172
Feb2021 that have DoD predefined
selections and parameters. CMMC Level
3 requires compliance with security
requirements not required in prior rules.
Therefore, Nonrecurring Engineering
and Recurring Engineering cost
estimates have been included for the
initial implementation and maintenance
of the required subset of NIST 800–172
Feb2021 requirements. The cost
estimates below accounts for time for a
contractor to implement the security
requirements and prepare for, support,
and participate in a CMMC Level 3
assessment conducted by DCMA
DIBCAC. The contractor should
therefore keep in mind that the cost of
a Level 3 certification will also incur the
cost of a CMMC Level 2 certification
assessment by a C3PAO in addition to
the costs to assess the requirements
specific to Level 3. Inclusion of CMMC
Level 3 certification is expected to affect
only a small subset of defense
contractors or subcontractors in the DIB.
The estimated engineering costs per
small entity is associated with the
CMMC Level 3.
• Nonrecurring Engineering Costs:
$2,700,000.
• Recurring Engineering Costs:
$490,000.
• Assessment Costs and Initial
Affirmation Costs: It is estimated that
the cost to support a CMMC Level 3
C3PAO Certification for a small entity is
- $9,050 The three-year cost is $12,802
(summarized in 4.1.2 above, table 2),
and includes the triennial assessment +
affirmation, plus two additional annual
affirmations ($9,050 + $1,876 + $1,876):
—Phase 1: Planning and preparing for
the Level 3 assessment: $1,905
• A director (MGMT5) for 10 hours
($190.52/hr
× 10hrs = $1,905)
—Phase 2: Conducting the Level 3
assessment: $1,524
• A director (MGMT5) for 8 hours
($190.52/hr
× 8hrs = $1,524)
—Phase 3: Reporting of Level 3
assessment results: $1,876
• A director (MGMT5) for 8 hours
($190.52/hr
× 8hrs = $1,524)
• A staff IT specialist (IT4) for 4.08
hours ($86.24/hr
× 4.08hrs = $352)
—Phase 4: Remediation (for CMMC
Level 3 if necessary and allowed):
$1,869
• A director (MGMT5) for 8 hours
($190.52/hr
× 8hrs = $1,524)
• A staff IT specialist (IT4) for 48
hours ($86.24/hr
× 48hrs = $345)
• Affirmation—initial affirmation
post assessment: $1,876
• Reaffirmations: It is estimated that
the costs to reaffirm a CMMC Level 3
Assessment annually is $1,876 (three-
year cost is $5,628, or $1,876
× 3)
—A director (MGMT5) for 8 hours
($190.52/hr
× 8hrs = $1,524)
—A staff IT specialist (IT4) for 4.08
hours ($86.24/hr
× 4.08hrs = $352)
• Summary: The following is the
annual small entities total cost summary
for CMMC Level 3 Certifications and
Affirmations over a ten-year period.
Example calculation, Year 2 (reference
per entity amounts above):
—*($9,050 Certification per entity
× 45
entities) + ($1,876 Annual Affirmation
per entity
× 3 entities) = $412,897,
and
—$121,500,000 Nonrecurring
Engineering cost ($2,700,000 per
entity
× 45 entities being certified),
and
—$23,520,000 Recurring Engineering
cost ($490,000 per entity
× 45 entities
being certified) + ($490,000 per entity
× 3 entities performing affirmations)
—$145,432,897 Total Cost =
Certification and Affirmation Cost
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00118
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
ER15OC24.030</GPH>
khammond on DSKJM1Z7X2PROD with RULES2
83209
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
66
An Organization Seeking Certification (OSC) is
an entity seeking to contract, obtain, or maintain
CMMC certification for a given information system
at a particular CMMC Level. An OSC is also an
OSA.
67
An Organization Seeking Assessment (OSA) is
an entity seeking to conduct, obtain, or maintain a
CMMC assessment for a given information system
at a particular CMMC Level. The term OSA
includes all OSCs.
($412,897) + Nonrecurring
Engineering cost ($121,500,000) +
Recurring Engineering cost
($23,520,000), or $145,432,897.
Projected Reporting, Recordkeeping,
and Compliance Requirements
The CMMC Program provides for the
assessment of contractor
implementation of cybersecurity
requirements to enhance confidence in
contactor protection of unclassified
information within the DoD supply
chain. CMMC contractual requirements
are implemented under the 48 CFR part
204 CMMC Acquisition rule, with
associated rulemaking for the CMMC
Program requirements (e.g., CMMC
Scoring Methodology, certificate
issuance, information accessibility)
under the 32 CFR part 170 CMMC
Program rule. The 32 CFR part 170
CMMC Program rule includes two
separate information collection requests
(ICR), one for the CMMC Program and
one for CMMC eMASS.
This information collection is
necessary to support the
implementation of the CMMC
assessment process for Levels 2 and 3
certification assessment, as defined in
§§ 170.17 and 170.18 respectively.
The CMMC Level 2 certification
assessment process is conducted by
Certified Assessors, employed by
CMMC Third-Party Assessment
Organizations (C3PAOs). During the
assessment process, Organizations
Seeking Certification 66 (OSCs) hire
C3PAOs to conduct the third-party
assessment required for certification.
The CMMC Level 3 certification
assessment process is conducted by the
Defense Contract Management Agency
(DCMA) Defense Industrial Base
Cybersecurity Assessment Center
(DIBCAC).
Use of the Information
Level 1 and Level 2 CMMC Self-
Assessments. Organizations Seeking
Assessment 67 (OSAs) follow procedures
as defined in §§ 170.15(a)(1) and
170.16(a)(1) to conduct CMMC Level 1
and Level 2 self-assessments on their
information systems to determine
conformance with the information
safeguarding requirements associated
with the CMMC level requirements. The
Level 1 and Level 2 self-assessment
information collection reporting and
recordkeeping requirements will be
included in a modification of an
existing Defense Federal Acquisition
Regulation Supplement (DFARS)
collection approved under OMB Control
Number 0750–0004, Assessing
Contractor Implementation of
Cybersecurity Requirements.
Modifications to this DFARS collection
will be addressed as part of the 48 CFR
part 204 CMMC Acquisition final rule.
CMMC Level 2 Certification Assessment
The Level 2 certification assessment
information collection burden for
reporting and recordkeeping
requirements are included in the 32 CFR
part 170 CMMC Program rule. The
information collection burden for the
OSCs to upload affirmations in SPRS is
included in the 48 CFR part 204 CMMC
Acquisition final rule. Additionally, the
information collection burden
requirements for the CMMC
instantiation of eMASS are addressed in
a separate 32 CFR part 170 CMMC
Program final rule information
collection request (ICR).
OSCs follow procedures as defined in
§ 170.17 to prepare for CMMC Level 2
certification assessment.
Certified Assessors assigned by
C3PAOs follow requirements and
procedures as defined in § 170.17 to
conduct CMMC assessments on defense
contractor information systems to
determine conformance with the
information safeguarding requirements
associated with CMMC Level 2. This is
an assessment to validate
implementation of the 110 security
requirements from NIST SP 800–171 R2.
Prospective C3PAOs must complete
and submit the Standard Form (SF) 328
Certificate Pertaining to Foreign
Interests (OMB control number 0704–
0579) upon request from Defense
Counterintelligence and Security
Agency (DCSA).
C3PAOs must generate and collect
pre-assessment and planning material
(contact information for the OSC,
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00119
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
ER15OC24.031</GPH>
khammond on DSKJM1Z7X2PROD with RULES2
83210
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
information about the C3PAO and
assessors conducting the assessment,
the level of assessment planned, the
CMMC Model and Assessment Guide
versions, and assessment approach),
artifact information (list of artifacts,
hash of artifacts, and hashing algorithm
used), final assessment reports,
appropriate CMMC certificates of
assessment, and assessment appeal
information. C3PAOs submit the data
they generate and collect into the
CMMC instantiation of eMASS, the
information collection required for this
submission is addressed in a separate
CMMC eMASS ICR for the 32 CFR part
170 CMMC Program rule. OSCs may
have a POA&M at CMMC Level 2 as
addressed in § 170.21. C3PAOs perform
a POA&M closeout assessment. The
C3PAO process to conduct a POA&M
Close-out Assessment, where
applicable, is the same as the initial
assessment with the same information
collection requirements.
OSCs must retain artifacts used as
evidence for the assessment for the
duration of the validity period of the
certificate of assessment, and at
minimum, for six years from the date of
certification assessment as addressed in
§ 170.17(c)(4). The OSC is responsible
for compiling relevant artifacts as
evidence and having knowledgeable
personnel available during the
assessment. The organizational artifacts
are proprietary to the OSC and will not
be retained by the assessment team
unless expressly permitted by the OSC.
To preserve the integrity of the artifacts
reviewed, the OSC creates a hash of
assessment evidence (to include a list of
the artifact names, the return values of
the hashing algorithm, and the hashing
algorithm used) and retains the artifact
information for six years. The
information obtained from the artifacts
is an information collection and is
provided to the C3PAO for uploading
into the CMMC instantiation of eMASS
(addressed in a separate CMMC eMASS
ICR for the 32 CFR part 170 CMMC
Program final rule); the artifacts
themselves are not an information
collection. The OSC process to support
a POA&M Close-out Assessment, where
applicable, is the same as the initial
assessment with the same information
collection requirements.
If an OSC does not agree with the
assessment results, it may formally
dispute the assessment and initiate an
Assessment Appeal process with the
C3PAO who conducted the assessment.
C3PAOs submit assessment appeals
using eMASS (addressed in a separate
CMMC eMASS ICR for the 32 CFR part
170 CMMC Program final rule). Appeals
are tracked in the CMMC instantiation
of eMASS and any resulting changes to
the assessment results are uploaded into
the CMMC instantiation of eMASS.
C3PAOs maintain records for a period
of six years of monitoring, education,
training, technical knowledge, skills,
experience, and authorization of each
member of its personnel involved in
inspection activities; contractual
agreements with OSCs; any working
papers generated from Level 2
certification assessments; and
organizations for whom consulting
services were provided as addressed in
§ 170.9(b)(9). The Accreditation Body
provides the CMMC PMO with current
data on C3PAOs, including
authorization and accreditation records
and status using the CMMC
instantiation of eMASS (addressed in a
separate CMMC eMASS ICR for the 32
CFR part 170 CMMC Program final
rule).
The Accreditation Body provides all
plans related to potential sources of
revenue, to include but not limited to
fees, licensing, processes, membership,
and/or partnerships to the Government’s
CMMC PMO as addressed in
§ 170.8(b)(13).
CAICOs maintain records for a period
of six years of all procedures, processes,
and actions related to fulfillment of the
requirements set forth in § 170.10(b)(9).
CMMC Level 3 Certification Assessment
The Level 3 certification assessment
information collection burden for
reporting and recordkeeping
requirements are included in the 32 CFR
part 170 CMMC Program final rule. The
information collection burden for OSCs
to upload affirmations in SPRS is
included in the 48 CFR part 204 CMMC
Acquisition final rule. Additionally, the
information collection burden
requirements for the CMMC
instantiation of eMASS are addressed in
a separate CMMC eMASS ICR for the 32
CFR part 170 CMMC Program final rule.
OSCs follow procedures as defined in
§ 170.18 to prepare for CMMC Level 3
certification assessment.
DCMA DIBCAC Assessors follow
requirements and procedures as defined
in § 170.18 to conduct CMMC
assessments on defense contractor
information systems to determine
conformance with the information
safeguarding requirements associated
with CMMC Level 3. This is an
assessment to validation the
implementation of the 24 selected
security requirements from NIST SP
800–172 Feb2021. Because DCMA
DIBCAC is a government entity, there
are no public information collection
requirements.
DCMA DIBCAC must generate and
collect pre-assessment and planning
material (contact information for the
OSC, information about the assessors
conducting the assessment, the level of
assessment planned, the CMMC Model
and Assessment Guide versions, and
assessment approach), artifact
information (list of artifacts, hash of
artifacts, and hashing algorithm used),
final assessment reports, appropriate
CMMC certificates of assessment, and
assessment appeal information. DCMA
DIBCAC submits the data it generates
and collects into the CMMC
instantiation of eMASS (addressed in a
separate CMMC eMASS ICR for the 32
CFR part 170 CMMC Program final
rule).
OSCs may have a POA&M at CMMC
Level 3 as addressed in § 170.21. DCMA
DIBCAC performs a POA&M closeout
assessment. The DCMA DIBCAC process
to conduct a POA&M close-out
assessment, where applicable, is the
same as the initial assessment with the
same information collection
requirements.
OSCs must retain artifacts used as
evidence for the assessment for the
duration of the validity period of the
certificate of assessment, and at
minimum, for six years from the date of
certification assessment as addressed in
§ 170.18(c)(4). The OSC is responsible
for compiling relevant artifacts as
evidence and having knowledgeable
personnel available during the
assessment. Assessors will not
permanently retain assessment artifacts.
To preserve the integrity of the artifacts
reviewed during the assessment, the
OSC creates a hash of assessment
evidence (to include a list of the artifact
names, the return values of the hashing
algorithm, and the hashing algorithm
used) and retains the artifact
information for six years. The
information obtained from the artifacts
is an information collection and DCMA
DIBCAC uploads the information into
the CMMC instantiation of eMASS; the
artifacts themselves are not an
information collection. The OSC process
to support a POA&M close-out
assessment, where applicable, is the
same as the initial assessment with the
same information collection
requirements.
If an OSC does not agree with the
assessment results, it may formally
dispute the assessment and initiate an
Assessment Appeal process with DCMA
DIBCAC. DCMA DIBCAC submits
assessment appeals using eMASS.
Appeals are tracked in the CMMC
instantiation of eMASS and any
resulting changes to the assessment
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00120
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83211
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
results are uploaded into CMMC
eMASS.
DCMA DIBCAC maintains records for
a period of six years of monitoring,
education, training, technical
knowledge, skills, experience, and
authorization of each member of its
personnel involved in inspection
activities and working papers generated
from Level 3 Certification Assessments.
Use of Information Technology
CMMC assessment data and results
are collected using information
technology. C3PAOs and DCMA
DIBCAC electronically upload
assessment data and results into the
CMMC instantiation of eMASS
(addressed in a separate CMMC eMASS
ICR for the 32 CFR part 170 CMMC
Program final rule). The CMMC
instantiation of eMASS electronically
transfers certification results to SPRS.
For Level 1 and 2 self-assessments,
OSAs upload their assessment data
directly into SPRS.
Use of the CMMC instantiation of
eMASS provides DoD visibility into the
cybersecurity posture of the defense
contractor supply chain and is the
mechanism to generate reports on the
health of the CMMC Ecosystem. SPRS is
DoD’s authoritative source for supplier
and product performance information.
Use of this electronic system to collect
CMMC information eliminates the need
for contractors to respond directly to
multiple DoD requiring activities. SPRS
serves as a single repository for
Government access to CMMC
assessment results. Modifications to
information collections in SPRS will be
addressed in the 48 CFR part 204
CMMC Acquisition final rule.
Non-Duplication
The information obtained through this
collection is unique and is not already
available for use or adaptation from
another cleared source.
Burden on Small Businesses
For Level 1 and 2 self-assessments,
OSAs must report annually and
triennially, respectively. Level 2 and
Level 3 certification assessments must
be conducted every three years by a
C3PAO or DCMA DIBCAC, respectively.
At all levels, an annual affirmation is
required. In all cases, the burden
applied to small business is the
minimum consistent with applicable
laws, Executive orders, regulations, and
prudent business practices.
A C3PAO, although not a defense
contractor, may also be a small business.
Efforts to minimize the burden on
C3PAOs include the electronic
collection of data using the CMMC
instantiation of eMASS and providing
Microsoft Excel spreadsheet templates.
Less Frequent Collection
CMMC certifications last up to three
years. The assessment frequency for
each level was determined by the DoD
based on the sensitivity of information
processed, stored, or transmitted by the
OSA at each level.
DoD Program Managers use the
CMMC information in SPRS to confirm
the validity status of an OSA’s CMMC
self-assessment or certification
assessment prior to contract award.
Rather than taking a contract-by-
contract approach to securing Federal
Contract Information (FCI) and
Controlled Unclassified Information
(CUI), the OSA may obtain multiple
contracts with a single CMMC self-
assessment or certification assessment,
thereby reducing the cost to both DoD
and industry.
Consultation and Public Comments
The Department consulted with
members of the DIB Sector Coordinating
Council (SCC), and government
organizations including the DCMA
DIBCAC and the Missile Defense
Agency in determining what data to
collect in the CMMC instantiation of
eMASS.
The 60-Day Federal Register notice
information is included in the preamble
of the 32 CFR part 170 CMMC Program
final rule for public comment.
The CMMC PMO is also working with
a records management point-of-contact
to ensure records produced from this
information collection are retained and
disposed of according to a NARA-
approved records retention and
disposition schedule. Records will be
treated as permanent until the
appropriate schedule is identified or
approved.
Part A & B: Respondent Burden and Its
Labor Costs
The Level 1 and Level 2 self-
assessment information collection
reporting and recordkeeping
requirements for the CMMC Program
will be included in a modification of an
existing DFARS collection approved
under OMB Control Number 0750–0004,
Assessing Contractor Implementation of
Cybersecurity Requirements.
Modifications to this DFARS collection
will be addressed as part of the 48 part
204 CMMC Acquisition final rule.
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00121
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83212
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
68
Respondent is equivalent to an entity; an entity
provides one response annually.
69
Hours per Response represents the estimated
burden hours to complete the indicated assessment.
70
Hourly Rate represents a composite hourly rate
derived from the detailed type of labor and
associated rates estimated in the CMMC cost
estimate model.
71
The entity type refers to the size of the OSC as
either Small or Other Than Small; the entity type
does not refer to the size of the C3PAO.
The public burden costs associated
with Level 2 and Level 3 certification
assessment information collection
reporting and recordkeeping
requirements for the CMMC Program are
addressed here, except for the eMASS
reporting requirements which will be
addressed as part of a separate CMMC
eMASS ICR for the 32 CFR part 170
CMMC Program final rule. Respondent
burden and cost for these information
collection reporting and recordkeeping
requirements are as follows:
Respondent Costs Other Than Burden
Hour Costs
Non-Recurring and Recurring
Engineering estimated costs are
included for Level 3 certification
assessments. Non-Recurring Engineering
reflects a one-time cost consisting of
hardware, software, and the associated
labor to implement the same. Recurring
Engineering reflects annually recurring
fees and associated labor for technology
refresh. The estimated amounts below
are average annual amounts for all
entities as indicated.
Travel costs for C3PAO assessors may
represent an additional cost for
respondents.
Cost to the Federal Government
The government burden costs
associated with Level 3 certification
assessment information collection
reporting and recordkeeping
requirements for the CMMC Program are
addressed here, except for the eMASS
reporting requirements which will be
addressed as part of a separate CMMC
eMASS ICR for the 32 CFR part 170
CMMC Program rule. Respondent
burden and cost for these information
collection reporting and recordkeeping
requirements are as follows:
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00122
Fmt 4701
Sfmt 4725
E:\FR\FM\15OCR2.SGM
15OCR2
ER15OC24.032</GPH>
ER15OC24.033</GPH>
khammond on DSKJM1Z7X2PROD with RULES2
83213
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
72
Respondent is equivalent to an entity; an entity
provides one response annually.
73
Hours per Response represents the estimated
Government burden hours to complete the
indicated assessment.
74
The Hourly Rate represents a composite hourly
rate derived from the detailed type of Government
labor and associated rates estimated in the CMMC
cost estimate model.
75
The entity type refers to the size of the OSC as
either Small or Other Than Small; the entity type
does not refer to the size of DCMA DIBCAC.
Steps Taken To Minimize Economic
Impact
DoD took aggressive steps to minimize
the economic impact of this program by
streamlining requirements to reduce the
number of steps in the process and the
number of requirements that needed to
be met, and reduced the requirement of
100% compliance, and the number of
third-party assessments required.
To further elaborate the DoD
established a review body that evaluated
the CMMC Program to ensure it was
meeting the programmatic requirements
to secure Controlled Unclassified
Information within the non-Federal
networks of the Defense Industrial Base.
A special independent team was
established to review and provide
recommendations on improving the
program.
The DoD determined that the CMMC
program should only employ the
Cybersecurity Standards prescribed by
the NIST SP 800–171 that had been
required for defense contractors since
2017 as implemented by the DFARS
clause 252.204–7012, which resulted in
the removal of 20 requirements aligned
with cybersecurity maturity. The ESG
also recommended simplifying the
program structure to require only 3
levels of certification vice the original 5.
The program further determined that
certifications should not be required at
CMMC Level 1 and that self-assessment
with an annual affirmation was
sufficient for this level. Level 2 CMMC
was further evaluated and determined
that bifurcation of this level was
appropriate, and some CUI would only
require a Level 2 self-assessment with
annual affirmation, which further
reduced the costs for the program.
Further the ESG recommended that
Plans of Actions and Milestones
(POA&Ms) for lower-level requirements
that were not met be allowed for a
limited period of time. This rule was
updated to allow POA&Ms for no more
than 180 days to give contractors the
ability to achieve contract award
without being fully compliant with all
requirements of NIST SP 800–171 R2.
And, in another effort to minimize the
economic impact the program
developed a Phase-in approach to
incrementally implement CMMC in four
phases over 4 years, with the first year
being focused on Self-assessment and
compliance with NIST SP 800–171 R2
giving contractors more time to
implement the requirements already
required in their contracts since 2017. A
CMMC waiver process was also
included in the program which allows
DoD the discretion to waive CMMC
Program requirements to a procurement
or class of procurements in advance of
the solicitation in accordance with all
applicable policies, procedures, and
approval requirements. This waiver
would allow contract award and the
contractor would be expected to achieve
compliance and certification at a
defined time post-award.
The DoD is employing a phased
approach to the CMMC rollout to reduce
implementation risk. DoD expects that
the public has utilized the lead-time
prior to the publication of this rule to
prepare for CMMC implementation.
CMMC Program requirements make no
changes to existing policies for
information security requirements
implemented by the DoD.
The phased CMMC implementation
plan described in § 170.3(e) is intended
to address CMMC ramp-up issues,
provide time to train the necessary
number of assessors, and allow
companies the time needed to
understand and implement CMMC
requirements. DoD has updated the rule
to add an additional six months to the
Phase 1 timeline. Phase 2 will start one
calendar year after the start of Phase 1,
and Phase 3 will start one calendar year
after the start of Phase 2. As with all
DoD programs, the Department intends
to effectively oversee CMMC, and take
appropriate actions needed to manage
its effective implementation.
Alternatives
DoD considered and adopted several
alternatives during the development of
this rule that reduce the burden on
defense contractors and still meet the
objectives of the rule. These alternatives
include:
Maintaining status quo and leveraging
only the current requirements
implemented in DFARS provision
252.204–7019 and DFARS clause
252.204–7020 requiring defense
contractors and offerors to self-assess
compliance and utilizing the DoD
Assessment Methodology and entering a
Basic Summary Score in SPRS.
Revising CMMC to reduce the burden
for small businesses and contractors
who do not process, store, or transmit
CUI by eliminating the requirement to
hire a C3PAO and instead allow self-
assessment with affirmation to maintain
compliance at CMMC Level 1, and
allowing triennial self-assessment with
an annual affirmation to maintain
compliance for some CMMC Level 2
programs.
Exempting contracts and orders
exclusively for the acquisition of
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00123
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
ER15OC24.034</GPH>
khammond on DSKJM1Z7X2PROD with RULES2
83214
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
commercially available off-the-shelf
items; and,
Implementing a phased
implementation for CMMC.
In addition, the Department took into
consideration the timing of the
requirement to achieve a specified
CMMC level: (1) at time of proposal or
offer submission, (2) after contract
award, (3) at the time of contract award,
or (4) permitting government Program
Managers to seek approval to waive
inclusion of CMMC requirements in
solicitations and resulting contracts that
involve disclosure or creation of FCI or
CUI as part of the contract effort. Such
waivers will be requested and approved
by DoD in accordance with internal
policies, procedures, and approval
requirements.
The Department ultimately adopted
alternatives (3) and (4). The drawback of
alternative 1 (at time of proposal or offer
submission) is the increased risk for
contractors since they may not have
sufficient time to achieve the required
CMMC level after the release of the
solicitation and before contract award.
The drawback of alternative 2 (after
contract award) is the increased risk to
the Department with respect to the
costs, program schedule, and
uncertainty in the event the contractor
is unable to achieve the required CMMC
level in a reasonable amount of time
given its current cybersecurity posture.
This potential delay would apply to the
entire supply chain and prevent the
appropriate flow of CUI and FCI.
CMMC does not require
implementation of any additional
security protection requirements beyond
those identified in current FAR clause
52.204–21 and in NIST SP 800–171 R2
for CMMC Levels 1 and Level 2,
respectively. CMMC Level 3
requirements are new and based upon
NIST SP 800–172 Feb2021.
Steps Taken To Minimize Additional
Cost of Credit
The DoD is not a ‘‘covered agency’’
under 5 U.S.C. 604.
E. Public Law 96–511, ‘‘Paperwork
Reduction Act’’ (44 U.S.C. Chapter 35)
Sections of this rule contain
information collection requirements. As
required by the Paperwork Reduction
Act (44 U.S.C. Chapter 35), DoD has
submitted information collection
packages to the Office of Management
and Budget for review and approval.
The titles and proposed OMB control
numbers are as follows.
• Cybersecurity Maturity Model
Certification (CMMC) Enterprise
Mission Assurance Support-Service
(eMASS) Instantiation Information
Collection (OMB control number 0704–
0676).
• Cybersecurity Maturity Model
Certification (CMMC) Program
Reporting and Recordkeeping
Requirements Information Collection
(OMB Control Number 0704–0677).
In the proposed rule, DoD invited
comments on these information
collection requirements and the
paperwork burden associated with this
rule. Five comments were received on
the information clearance packages that
were not applicable to the information
collection requirements; however, the
comments were applicable to other
aspects of the rule, and they are
addressed in the comments section of
this preamble. There were no changes to
paperwork burden included in the
proposed rule that published December
26, 2023 (88 FR 89058) based on public
comments received. To review these
collections—including all background
materials—please visit at [https://www.reginfo.gov/public/do/PRAMain https://
www.reginfo.gov/public/do/PRAMain
]and use the search function to enter
either the title of the collection or the
OMB Control Number.
F. Executive Order 13132, ‘‘Federalism’’
Executive Order 13132 establishes
certain requirements that an agency
must meet when it promulgates a final
rule that imposes substantial direct
requirement costs on state and local
governments, preempts state law, or
otherwise has federalism implications.
This final rule will not have a
substantial effect on State and local
governments.
G. Executive Order 13175,
‘‘Consultation and Coordination With
Indian Tribal Governments’’
Executive Order 13175 establishes
certain requirements that an agency
must meet when it promulgates a final
rule that imposes substantial direct
compliance costs on one or more Indian
Tribes, preempts Tribal law, or effects
the distribution of power and
responsibilities between the Federal
Government and Indian Tribes. This
final rule will not have a substantial
effect on Indian Tribal governments.
List of Subjects in 32 CFR Part 170
Certification, CMMC, CMMC Levels,
CMMC Program, Contracts, Controlled
unclassified information, Cybersecurity,
Federal contract information,
Government procurement, Incorporation
by reference.
■
Accordingly, the Department of
Defense adds 32 CFR part 170 to read
as follows:
PART 170—CYBERSECURITY
MATURITY MODEL CERTIFICATION
(CMMC) PROGRAM
Subpart A—General Information
Sec.
170.1
Purpose.
170.2
Incorporation by reference.
170.3
Applicability.
170.4
Acronyms and definitions.
170.5
Policy.
Subpart B—Government Roles and
Responsibilities
170.6
CMMC PMO.
170.7
DCMA DIBCAC.
Subpart C—CMMC Assessment and
Certification Ecosystem
170.8
Accreditation Body.
170.9
CMMC Third-Party Assessment
Organizations (C3PAOs).
170.10
CMMC Assessor and Instructor
Certification Organization (CAICO).
170.11
CMMC Certified Assessor (CCA).
170.12
CMMC Instructor.
170.13
CMMC Certified Professional (CCP).
Subpart D—Key Elements of the CMMC
Program
170.14
CMMC Model.
170.15
CMMC Level 1 self-assessment and
affirmation requirements.
170.16
CMMC Level 2 self-assessment and
affirmation requirements.
170.17
CMMC Level 2 certification
assessment and affirmation
requirements.
170.18
CMMC Level 3 certification
assessment and affirmation
requirements.
170.19
CMMC scoping.
170.20
Standards acceptance.
170.21
Plan of Action and Milestones
requirements.
170.22
Affirmation.
170.23
Application to subcontractors.
170.24
CMMC Scoring Methodology.
Appendix A to Part 170—Guidance
Authority: 5 U.S.C. 301; Sec. 1648, Pub.
L. 116–92, 133 Stat. 1198.
Subpart A—General Information.
§ 170.1
Purpose.
(a) This part describes the
Cybersecurity Maturity Model
Certification (CMMC) Program of the
Department of Defense (DoD) and
establishes requirements for defense
contractors and subcontractors to
implement prescribed cybersecurity
standards for safeguarding Federal
Contract Information (FCI) and
Controlled Unclassified Information
(CUI). This part (the CMMC Program)
also establishes requirements for
conducting an assessment of
compliance with the applicable
prescribed cybersecurity standard for
contractor information systems that:
process, store, or transmit FCI or CUI;
provide security protections for systems
which process, store, or transmit CUI; or
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00124
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83215
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
are not logically or physically isolated
from systems which process, store, or
transmit CUI.
(b) The CMMC Program provides DoD
with a viable means of conducting the
volume of assessments necessary to
verify contractor and subcontractor
implementation of required
cybersecurity requirements.
(c) The CMMC Program is designed to
ensure defense contractors are properly
safeguarding FCI and CUI that is
processed, stored, or transmitted on
defense contractor information systems.
FCI and CUI must be protected to meet
evolving threats and safeguard
nonpublic, unclassified information that
supports and enables the warfighter.
The CMMC Program provides a
consistent methodology to assess a
defense contractor’s implementation of
required cybersecurity requirements.
The CMMC Program utilizes the
security standards set forth in the 48
CFR 52.204–21; National Institute of
Standards and Technology (NIST)
Special Publication (SP) 800–171, Basic
Safeguarding of Covered Contractor
Information Systems, Revision 2,
February 2020 (includes updates as of
January 28, 2021) (NIST SP 800–171
R2); and selected requirements from the
NIST SP 800–172, Enhanced Security
Requirements for Protecting Controlled
Unclassified Information: A Supplement
to NIST Special Publication 800–171,
February 2021 (NIST SP 800–172
Feb2021), as applicable (see table 1 to
§ 170.14(c)(4) for requirements, see
§ 170.2 for availability of NIST
publications).
(d) The CMMC Program balances the
need to safeguard FCI and CUI and the
requirement to share information
appropriately with defense contractors
in order to develop capabilities for the
DoD. The CMMC Program is designed to
ensure implementation of cybersecurity
practices for defense contractors and to
provide DoD with increased assurance
that FCI and CUI information will be
adequately safeguarded when residing
on or transiting contractor information
systems.
(e) The CMMC Program creates no
right or benefit, substantive or
procedural, enforceable by law or in
equity by any party against the United
States, its departments, agencies, or
entities, its officers, employees, or
agents, or any other person.
§ 170.2
Incorporation by reference.
Certain material is incorporated by
reference into this part with the
approval of the Director of the Federal
Register under 5 U.S.C. 552(a) and 1
CFR part 51. Material approved for
incorporation by reference (IBR) is
available for inspection at the
Department of Defense (DoD) and at the
National Archives and Records
Administration (NARA). Contact DoD
[https://DoDcio.defense.gov/CMMC/ online: https://DoDcio.defense.gov/
CMMC/; email: ][mailto:osd.mc-alex.DoD-cio.mbx.cmmc-rule@mail.mil osd.mc-alex.DoD-
cio.mbx.cmmc-rule@mail.mil; or phone:
](202) 770–9100. For information on the
availability of this material at NARA,
[http://www.archives.gov/federal-register/cfr/ibr-locations visit: www.archives.gov/federal-register/
cfr/ibr-locations ]or email: [mailto:fr.inspection@nara.gov fr.inspection@
nara.gov. The material may be obtained
]from the following sources:
(a) National Institute of Standards and
Technology, U.S. Department of
Commerce, 100 Bureau Drive,
Gaithersburg, MD 20899; phone: (301)
[https://csrc.nist.gov/publications/ 975–8443; website: https://csrc.nist.gov/
publications/. ]
(1) FIPS PUB 200, Minimum Security
Requirements for Federal Information
and Information Systems, March 2006
(FIPS PUB 200 Mar2006); IBR approved
for § 170.4(b).
(2) FIPS PUB 201–3, Personal Identity
Verification (PIV) of Federal Employees
and Contractors, January 2022 (FIPS
PUB 201–3 Jan2022); IBR approved for
§ 170.4(b).
(3) SP 800–37, Risk Management
Framework for Information Systems and
Organizations: A System Life Cycle
Approach for Security and Privacy,
Revision 2, December 2018 (NIST SP
800–37 R2); IBR approved for § 170.4(b).
(4) SP 800–39, Managing Information
Security Risk: Organization, Mission,
and Information System View, March
2011 (NIST SP 800–39 Mar2011); IBR
approved for § 170.4(b).
(5) SP 800–53, Security and Privacy
Controls for Information Systems and
Organizations, Revision 5, September
2020 (includes updates as of December
10, 2020) (NIST SP 800–53 R5); IBR
approved for § 170.4(b).
(6) SP 800–82r3, Guide to Operational
Technology (OT) Security, September
2023 (NIST SP 800–82r3); IBR approved
for § 170.4(b).
(7) SP 800–115, Technical Guide to
Information Security Testing and
Assessment, September 2008 (NIST SP
800–115 Sept2008); IBR approved for
§ 170.4(b).
(8) SP 800–160, Volume 2, Developing
Cyber-Resilient Systems: A Systems
Security Engineering Approach,
Revision 1, December 2021 (NIST SP
800–160 V2R1); IBR approved for
§ 170.4(b).
(9) SP 800–171, Protecting Controlled
Unclassified Information in Nonfederal
Systems and Organizations, Revision 2,
February 2020 (includes updates as of
January 28, 2021), (NIST SP 800–171
R2); IBR approved for §§ 170.4(b) and
170.14(a) through (c).
(10) SP 800–171A, Assessing Security
Requirements for Controlled
Unclassified Information, June 2018
(NIST SP 800–171A Jun2018); IBR
approved for §§ 170.11(a), 170.14(d),
170.15(c), 170.16(c), 170.17(c), and
170.18(c).
(11) SP 800–172, Enhanced Security
Requirements for Protecting Controlled
Unclassified Information: A Supplement
to NIST Special Publication 800–171,
February 2021 (NIST SP 800–172
Feb2021); IBR approved for §§ 170.4(b),
170.5(a), and 170.14(a) and (c).
(12) SP 800–172A, Assessing
Enhanced Security Requirements for
Controlled Unclassified Information,
March 2022 (NIST SP 800–172A
Mar2022); IBR approved for §§ 170.4(b),
170.14(d), and 170.18(c).
(b) International Organization for
Standardization (ISO) Chemin de
Blandonnet 8, CP 401—1214 Vernier,
Geneva, Switzerland; phone: +41 22 749
[http://www.iso.org/popular-standards.html 01 11; website: www.iso.org/popular-
standards.html. ]
(1) ISO/IEC 17011:2017(E),
Conformity assessment—Requirements
for accreditation bodies accrediting
conformity assessment bodies, Second
edition, November 2017 (ISO/IEC
17011:2017(E)); IBR approved for
§§ 170.8(b)(3), 170.9(b)(13), and
170.10(b)(4).
(2) ISO/IEC 17020:2012(E),
Conformity assessment—Requirement
for the operation of various types of
bodies performing inspection, Second
edition, March 1, 2012 (ISO/IEC
17020:2012(E)); IBR approved for
§§ 170.8(a), (b)(1), (b)(3) and 170.9(b)(2)
and (b)(13).
(3) ISO/IEC 17024:2012(E),
Conformity assessment—General
requirements for bodies operating
certification of persons, second edition,
July 1, 2012 (ISO/IEC 17024:2012(E));
IBR approved for §§ 170.8(b)(2) and
170.10(a) and (b)(4), (7), and (8).
Note 1 to paragraph (b): The ISO/IEC
standards incorporated by reference in this
part may be viewed at no cost in ‘‘read only’’
format at https://ibr.ansi.org.
§ 170.3
Applicability.
(a) The requirements of this part
apply to:
(1) All DoD contract and subcontract
awardees that will process, store, or
transmit information, in performance of
the DoD contract, that meets the
standards for FCI or CUI on contractor
information systems; and,
(2) Private-sector businesses or other
entities comprising the CMMC
Assessment and Certification
Ecosystem, as specified in subpart C of
this part.
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00125
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83216
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
(b) The requirements of this part do
not apply to Federal information
systems operated by contractors or
subcontractors on behalf of the
Government.
(c) CMMC Program requirements
apply to all DoD solicitations and
contracts pursuant to which a defense
contractor or subcontractor will process,
store, or transmit FCI or CUI on
unclassified contractor information
systems, including those for the
acquisition of commercial items (except
those exclusively for COTS items)
valued at greater than the micro-
purchase threshold except under the
following circumstances:
(1) The procurement occurs during
Implementation Phase 1, 2, or 3 as
described in paragraph (e) of this
section, in which case CMMC Program
requirements apply in accordance with
the requirements for the relevant phase-
in period; or
(2) Application of CMMC Program
requirements to a procurement or class
of procurements may be waived in
advance of the solicitation at the
discretion of DoD in accordance with all
applicable policies, procedures, and
approval requirements.
(d) DoD Program Managers or
requiring activities are responsible for
selecting the CMMC Status that will
apply for a particular procurement or
contract based upon the type of
information, FCI or CUI, that will be
processed on, stored on, or transmitted
through a contractor information
system. Application of the CMMC
Status for subcontractors will be
determined in accordance with § 170.23.
(e) DoD is utilizing a phased approach
for the inclusion of CMMC Program
requirements in solicitations and
contracts. Implementation of CMMC
Program requirements will occur over
four (4) phases:
(1) Phase 1. Begins on the effective
date of the complementary 48 CFR part
204 CMMC Acquisition final rule. DoD
intends to include the requirement for
CMMC Statuses of Level 1 (Self) or
Level 2 (Self) for all applicable DoD
solicitations and contracts as a
condition of contract award. DoD may,
at its discretion, include the
requirement for CMMC Status of Level
1 (Self) or Level 2 (Self) for applicable
DoD solicitations and contracts as a
condition to exercise an option period
on a contract awarded prior to the
effective date. DoD may also, at its
discretion, include the requirement for
CMMC Status of Level 2 (C3PAO) in
place of the Level 2 (Self) CMMC Status
for applicable DoD solicitations and
contracts.
(2) Phase 2. Begins one calendar year
following the start date of Phase 1. In
addition to Phase 1 requirements, DoD
intends to include the requirement for
CMMC Status of Level 2 (C3PAO) for
applicable DoD solicitations and
contracts as a condition of contract
award. DoD may, at its discretion, delay
the inclusion of requirement for CMMC
Status of Level 2 (C3PAO) to an option
period instead of as a condition of
contract award. DoD may also, at its
discretion, include the requirement for
CMMC Status of Level 3 (DIBCAC) for
applicable DoD solicitations and
contracts.
(3) Phase 3. Begins one calendar year
following the start date of Phase 2. In
addition to Phase 1 and 2 requirements,
DoD intends to include the requirement
for CMMC Status of Level 2 (C3PAO) for
all applicable DoD solicitations and
contracts as a condition of contract
award and as a condition to exercise an
option period on a contract awarded
after the effective date. DoD intends to
include the requirement for CMMC
Status of Level 3 (DIBCAC) for all
applicable DoD solicitations and
contracts as a condition of contract
award. DoD may, at its discretion, delay
the inclusion of requirement for CMMC
Status of Level 3 (DIBCAC) to an option
period instead of as a condition of
contract award.
(4) Phase 4, full implementation.
Begins one calendar year following the
start date of Phase 3. DoD will include
CMMC Program requirements in all
applicable DoD solicitations and
contracts including option periods on
contracts awarded prior to the beginning
of Phase 4.
§ 170.4
Acronyms and definitions.
(a) Acronyms. Unless otherwise
noted, the following acronyms and their
terms are for the purposes of this part.
AC—Access Control
APT—Advanced Persistent Threat
AT—Awareness and Training
C3PAO—CMMC Third-Party
Assessment Organization
CA—Security Assessment
CAICO—CMMC Assessors and
Instructors Certification Organization
CAGE—Commercial and Government
Entity
CCA—CMMC-Certified Assessor
CCI—CMMC-Certified Instructor
CCP—CMMC-Certified Professional
CFR—Code of Federal Regulations
CIO—Chief Information Officer
CM—Configuration Management
CMMC—Cybersecurity Maturity Model
Certification
CMMC PMO—CMMC Program
Management Office
CNC—Computerized Numerical Control
CoPC—Code of Professional Conduct
CSP—Cloud Service Provider
CUI—Controlled Unclassified
Information
DCMA—Defense Contract Management
Agency
DD—Represents any two-character
CMMC Domain acronym
DFARS—Defense Federal Acquisition
Regulation Supplement
DIB—Defense Industrial Base
DIBCAC—DCMA’s Defense Industrial
Base Cybersecurity Assessment Center
DoD—Department of Defense
DoDI—Department of Defense
Instruction
eMASS—Enterprise Mission Assurance
Support Service
ESP—External Service Provider
FAR—Federal Acquisition Regulation
FCI—Federal Contract Information
FedRAMP—Federal Risk and
Authorization Management Program
GFE—Government Furnished
Equipment
IA—Identification and Authentication
ICS—Industrial Control System
IIoT—Industrial Internet of Things
IoT—Internet of Things
IR—Incident Response
IS—Information System
IEC—International Electrotechnical
Commission
ISO/IEC—International Organization for
Standardization/International
Electrotechnical Commission
IT—Information Technology
L#—CMMC Level Number
MA—Maintenance
MP—Media Protection
MSSP—Managed Security Service
Provider
NARA—National Archives and Records
Administration
NAICS—North American Industry
Classification System
NIST—National Institute of Standards
and Technology
N/A—Not Applicable
ODP—Organization-Defined Parameter
OSA—Organization Seeking Assessment
OSC—Organization Seeking
Certification
OT—Operational Technology
PI—Provisional Instructor
PIEE—Procurement Integrated
Enterprise Environment
PII—Personally Identifiable Information
PLC—Programmable Logic Controller
POA&M—Plan of Action and Milestones
PRA—Paperwork Reduction Act
RM—Risk Management
SAM—System of Award Management
SC—System and Communications
Protection
SCADA—Supervisory Control and Data
Acquisition
SI—System and Information Integrity
SIEM—Security Information and Event
Management
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00126
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83217
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
SP—Special Publication
SPD—Security Protection Data
SPRS—Supplier Performance Risk
System
SSP—System Security Plan
(b) Definitions. Unless otherwise
noted, these terms and their definitions
are for the purposes of this part.
Access Control (AC) means the
process of granting or denying specific
requests to obtain and use information
and related information processing
services; and/or entry to specific
physical facilities (e.g., Federal
buildings, military establishments, or
border crossing entrances), as defined in
FIPS PUB 201–3 Jan2002 (incorporated
by reference, see § 170.2).
Accreditation means a status pursuant
to which a CMMC Assessment and
Certification Ecosystem member (person
or organization), having met all criteria
for the specific role they perform
including required ISO/IEC
accreditations, may act in that role as set
forth in § 170.8 for the Accreditation
Body and § 170.9 for C3PAOs. (CMMC-
custom term)
Accreditation Body is defined in
§ 170.8 and means the one organization
DoD contracts with to be responsible for
authorizing and accrediting members of
the CMMC Assessment and Certification
Ecosystem, as required. The
Accreditation Body must be approved
by DoD. At any given point in time,
there will be only one Accreditation
Body for the DoD CMMC Program.
(CMMC-custom term)
Advanced Persistent Threat (APT)
means an adversary that possesses
sophisticated levels of expertise and
significant resources that allow it to
create opportunities to achieve its
objectives by using multiple attack
vectors (e.g., cyber, physical, and
deception). These objectives typically
include establishing and extending
footholds within the information
technology infrastructure of the targeted
organizations for purposes of exfiltrating
information, undermining or impeding
critical aspects of a mission, program, or
organization; or positioning itself to
carry out these objectives in the future.
The advanced persistent threat pursues
its objectives repeatedly over an
extended period-of-time, adapts to
defenders’ efforts to resist it, and is
determined to maintain the level of
interaction needed to execute its
objectives, as is defined in NIST SP
800–39 Mar2011 (incorporated by
reference, see § 170.2).
Affirming Official means the senior
level representative from within each
Organization Seeking Assessment (OSA)
who is responsible for ensuring the
OSA’s compliance with the CMMC
Program requirements and has the
authority to affirm the OSA’s continuing
compliance with the specified security
requirements for their respective
organizations. (CMMC-custom term)
Assessment means the testing or
evaluation of security controls to
determine the extent to which the
controls are implemented correctly,
operating as intended, and producing
the desired outcome with respect to
meeting the security requirements for an
information system or organization, as
defined in §§ 170.15 through 170.18.
(CMMC-custom term)
(i) Level 1 self-assessment is the term
for the activity performed by an OSA to
evaluate its own information system
when seeking a CMMC Status of Level
1 (Self).
(ii) Level 2 self-assessment is the term
for the activity performed by an OSA to
evaluate its own information system
when seeking a CMMC Status of Level
2 (Self).
(iii) Level 2 certification assessment is
the term for the activity performed by a
C3PAO to evaluate the information
system of an OSC when seeking a
CMMC Status of Level 2 (C3PAO).
(iv) Level 3 certification assessment is
the term for the activity performed by
the DCMA DIBCAC to evaluate the
information system of an OSC when
seeking a CMMC Status of Level 3
(DIBCAC).
(v) POA&M closeout self-assessment
is the term for the activity performed by
an OSA to evaluate only the NOT MET
requirements that were identified with
POA&M during the initial assessment,
when seeking a CMMC Status of Final
Level 2 (Self).
(vi) POA&M closeout certification
assessment is the term for the activity
performed by a C3PAO or DCMA
DIBCAC to evaluate only the NOT MET
requirements that were identified with
POA&M during the initial assessment,
when seeking a CMMC Status of Final
Level 2 (C3PAO) or Final Level 3
(DIBCAC) respectively.
Assessment Findings Report means
the final written assessment results by
the third-party or government
assessment team. The Assessment
Findings Report is submitted to the OSC
and to the DoD via CMMC eMASS.
(CMMC-custom term)
Assessment objective means a set of
determination statements that, taken
together, expresses the desired outcome
for the assessment of a security
requirement. Successful implementation
of the corresponding CMMC security
requirement requires meeting all
applicable assessment objectives
defined in NIST SP 800–171A Jun2018
(incorporated by reference, see § 170.2)
or NIST SP 800–172A Mar2022
(incorporated by reference, see § 170.2).
(CMMC-custom term)
Assessment Team means participants
in the Level 2 certification assessment
(CMMC Certified Assessors and CMMC
Certified Professionals) or the Level 3
certification assessment (DCMA
DIBCAC assessors). This does not
include the OSC participants preparing
for or participating in the assessment.
(CMMC-custom term)
Asset means an item of value to
stakeholders. An asset may be tangible
(e.g., a physical item such as hardware,
firmware, computing platform, network
device, or other technology component)
or intangible (e.g., humans, data,
information, software, capability,
function, service, trademark, copyright,
patent, intellectual property, image, or
reputation). The value of an asset is
determined by stakeholders in
consideration of loss concerns across
the entire system life cycle. Such
concerns include but are not limited to
business or mission concerns, as
defined in NIST SP 800–160 V2R1
(incorporated by reference, see § 170.2).
Asset Categories means a grouping of
assets that process, store or transmit
information of similar designation, or
provide security protection to those
assets. (CMMC-custom term)
Authentication is defined in FIPS
PUB 200 Mar2006 (incorporated by
reference, see § 170.2).
Authorized means an interim status
during which a CMMC Ecosystem
member (person or organization), having
met all criteria for the specific role they
perform other than the required ISO/IEC
accreditations, may act in that role for
a specified time as set forth in § 170.8
for the Accreditation Body and § 170.9
for C3PAOs. (CMMC-custom term)
Capability means a combination of
mutually reinforcing controls
implemented by technical means,
physical means, and procedural means.
Such controls are typically selected to
achieve a common information security
or privacy purpose, as defined in NIST
SP 800–37 R2 (incorporated by
reference, see § 170.2).
Cloud Service Provider (CSP) means
an external company that provides
cloud services based on cloud
computing. Cloud computing is a model
for enabling ubiquitous, convenient, on-
demand network access to a shared pool
of configurable computing resources
(e.g., networks, servers, storage,
applications, and services) that can be
rapidly provisioned and released with
minimal management effort or service
provider interaction. This definition is
based on the definition for cloud
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00127
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83218
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
computing in NIST SP 800–145
Sept2011. (CMMC-custom term)
CMMC Assessment and Certification
Ecosystem means the people and
organizations described in subpart C of
this part. This term is sometimes
shortened to CMMC Ecosystem.
(CMMC-custom term)
CMMC Assessment Scope means the
set of all assets in the OSA’s
environment that will be assessed
against CMMC security requirements.
(CMMC-custom term)
CMMC Assessor and Instructor
Certification Organization (CAICO) is
defined in § 170.10 and means the
organization responsible for training,
testing, authorizing, certifying, and
recertifying CMMC certified assessors,
certified instructors, and certified
professionals. (CMMC-custom term)
CMMC Instantiation of eMASS means
a CMMC instance of the Enterprise
Mission Assurance Support Service
(eMASS), a government owned and
operated system. (CMMC-custom term)
CMMC Security Requirements means
the 15 Level 1 requirements listed in the
48 CFR 52.204–21(b)(1), the 110 Level 2
requirements from NIST SP 800–171 R2
(incorporated by reference, see § 170.2),
and the 24 Level 3 requirements
selected from NIST SP 800–172 Feb2021
(incorporated by reference, see § 170.2).
CMMC Status is the result of meeting
or exceeding the minimum required
score for the corresponding assessment.
The CMMC Status of an OSA
information system is officially stored in
SPRS and additionally presented on a
Certificate of CMMC Status, if the
assessment was conducted by a C3PAO
or DCMA DIBCAC. The potential CMMC
Statuses are outlined in the paragraphs
that follow. (CMMC-custom term)
(i) Final Level 1 (Self) is defined in
§ 170.15(a)(1) and (c)(1). (CMMC-custom
term)
(ii) Conditional Level 2 (Self) is
defined in § 170.16(a)(1)(ii). (CMMC-
custom term)
(iii) Final Level 2 (Self) is defined in
§ 170.16(a)(1)(iii). (CMMC-custom term)
(iv) Conditional Level 2 (C3PAO) is
defined in § 170.17(a)(1)(ii). (CMMC-
custom term)
(v) Final Level 2 (C3PAO) is defined
in § 170.17(a)(1)(iii). (CMMC-custom
term)
(vi) Conditional Level 3 (DIBCAC) is
defined in § 170.18(a)(1)(ii). (CMMC-
custom term)
(vii) Final Level 3 (DIBCAC) is defined
in § 170.18(a)(1)(iii). (CMMC-custom
term)
CMMC Status Date means the date
that the CMMC Status results are
submitted to SPRS or the CMMC
instantiation of eMASS, as appropriate.
The date of the Conditional CMMC
Status will remain as the CMMC Status
Date after a successful POA&M closeout.
A new date is not set for a Final that
follows a Conditional. (CMMC-custom
term)
CMMC Third-Party Assessment
Organization (C3PAO) means an
organization that has been authorized or
accredited by the Accreditation Body to
conduct Level 2 certification
assessments and has the roles and
responsibilities identified in § 170.9.
(CMMC-custom term)
Contractor is defined in 48 CFR
3.502–1.
Contractor Risk Managed Assets are
defined in table 3 to § 170.19(c)(1).
(CMMC-custom term)
Controlled Unclassified Information
(CUI) is defined in 32 CFR 2002.4(h).
Controlled Unclassified Information
(CUI) Assets means assets that can
process, store, or transmit CUI. (CMMC-
custom term)
DCMA DIBCAC High Assessment
means an assessment that is conducted
by Government personnel in accordance
with NIST SP 800–171A Jun2018 and
leveraging specific guidance in the DoD
Assessment Methodology that:
(i) Consists of:
(A) A review of a contractor’s Basic
Assessment;
(B) A thorough document review;
(C) Verification, examination, and
demonstration of a contractor’s system
security plan to validate that NIST SP
800–171 R2 security requirements have
been implemented as described in the
contractor’s system security plan; and
(D) Discussions with the contractor to
obtain additional information or
clarification, as needed; and
(ii) Results in a confidence level of
‘‘High’’ in the resulting score. (Source:
48 CFR 252.204–7020).
Defense Industrial Base (DIB) is
defined in 32 CFR 236.2.
DoD Assessment Methodology
(DoDAM) documents a standard
methodology that enables a strategic
assessment of a contractor’s
implementation of NIST SP 800–171 R2,
a requirement for compliance with 48
CFR 252.204–7012. (Source: DoDAM
Version 1.2.1)
Enduring Exception means a special
circumstance or system where
remediation and full compliance with
CMMC security requirements is not
feasible. Examples include systems
required to replicate the configuration of
‘fielded’ systems, medical devices, test
equipment, OT, and IoT. No operational
plan of action is required but the
circumstance must be documented
within a system security plan.
Specialized Assets and GFE may be
enduring exceptions. (CMMC-custom
term)
Enterprise means an organization
with a defined mission/goal and a
defined boundary, using information
systems to execute that mission, and
with responsibility for managing its own
risks and performance. An enterprise
may consist of all or some of the
following business aspects: acquisition,
program management, financial
management (e.g., budgets), human
resources, security, and information
systems, information and mission
management, as defined in NIST SP
800–53 R5 (incorporated by reference,
see § 170.2).
External Service Provider (ESP) means
external people, technology, or facilities
that an organization utilizes for
provision and management of IT and/or
cybersecurity services on behalf of the
organization. In the CMMC Program,
CUI or Security Protection Data (e.g., log
data, configuration data), must be
processed, stored, or transmitted on the
ESP assets to be considered an ESP.
(CMMC-custom term)
Federal Contract Information (FCI) is
defined in 48 CFR 4.1901.
Government Furnished Equipment
(GFE) has the same meaning as
‘‘government-furnished property’’ as
defined in 48 CFR 45.101.
Industrial Control Systems (ICS)
means a general term that encompasses
several types of control systems,
including supervisory control and data
acquisition (SCADA) systems,
distributed control systems (DCS), and
other control system configurations that
are often found in the industrial sectors
and critical infrastructures, such as
Programmable Logic Controllers (PLC).
An ICS consists of combinations of
control components (e.g., electrical,
mechanical, hydraulic, pneumatic) that
act together to achieve an industrial
objective (e.g., manufacturing,
transportation of matter or energy), as
defined in NIST SP 800–82r3
(incorporated by reference, see § 170.2).
Information System (IS) is defined in
NIST SP 800–171 R2 (incorporated by
reference, see § 170.2).
Internet of Things (IoT) means the
network of devices that contain the
hardware, software, firmware, and
actuators which allow the devices to
connect, interact, and freely exchange
data and information, as defined in
NIST SP 800–172A Mar2022
(incorporated by reference, see § 170.2).
Operational plan of action as used in
security requirement CA.L2–3.12.2,
means the formal artifact which
identifies temporary vulnerabilities and
temporary deficiencies (e.g., necessary
information system updates, patches, or
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00128
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83219
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
reconfiguration as threats evolve) in
implementation of requirements and
documents how they will be mitigated,
corrected, or eliminated. The OSA
defines the format (e.g., document,
spreadsheet, database) and specific
content of its operational plan of action.
An operational plan of action does not
identify a timeline for remediation and
is not the same as a POA&M, which is
associated with an assessment for
remediation of deficiencies that must be
completed within 180 days. (CMMC-
custom term)
Operational Technology (OT) means
programmable systems or devices that
interact with the physical environment
(or manage devices that interact with
the physical environment). These
systems or devices detect or cause a
direct change through the monitoring or
control of devices, processes, and
events. Examples include industrial
control systems, building management
systems, fire control systems, and
physical access control mechanisms, as
defined in NIST SP 800–160 V2R1
(incorporated by reference, see § 170.2).
Organization-defined means as
determined by the OSA except as
defined in the case of Organization-
Defined Parameter (ODP). (CMMC-
custom term)
Organization-Defined Parameters
(ODPs) means selected enhanced
security requirements contain selection
and assignment operations to give
organizations flexibility in defining
variable parts of those requirements, as
defined in NIST SP 800–172A Mar2022
(incorporated by reference, see § 170.2).
Note 1 to ODPs: The organization
defining the parameters is the DoD.
Organization Seeking Assessment
(OSA) means the entity seeking to
undergo a self-assessment or
certification assessment for a given
information system for the purposes of
achieving and maintaining any CMMC
Status. The term OSA includes all
Organizations Seeking Certification
(OSCs). (CMMC-custom term)
Organization Seeking Certification
(OSC) means the entity seeking to
undergo a certification assessment for a
given information system for the
purposes of achieving and maintaining
the CMMC Status of Level 2 (C3PAO) or
Level 3 (DIBCAC). An OSC is also an
OSA. (CMMC-custom term)
Out-of-Scope Assets means assets that
cannot process, store, or transmit CUI
because they are physically or logically
separated from information systems that
do process, store, or transmit CUI, or are
inherently unable to do so; except for
assets that provide security protection
for a CUI asset (see the definition for
Security Protection Assets). (CMMC-
custom term)
Periodically means occurring at a
regular interval as determined by the
OSA that may not exceed one year.
(CMMC-custom term)
Personally Identifiable Information
means information that can be used to
distinguish or trace an individual’s
identity, either alone or when combined
with other information that is linked or
linkable to a specific individual, as
defined in NIST SP 800–53 R5
(incorporated by reference, see § 170.2).
Plan of Action and Milestones
(POA&M) means a document that
identifies tasks needing to be
accomplished. It details resources
required to accomplish the elements of
the plan, any milestones in meeting the
tasks, and scheduled completion dates
for the milestones, as defined in NIST
SP 800–115 Sept2008 (incorporated by
reference, see § 170.2).
Prime Contractor is defined in 48 CFR
3.502–1.
Process, store, or transmit means data
can be used by an asset (e.g., accessed,
entered, edited, generated, manipulated,
or printed); data is inactive or at rest on
an asset (e.g., located on electronic
media, in system component memory,
or in physical format such as paper
documents); or data is being transferred
from one asset to another asset (e.g.,
data in transit using physical or digital
transport methods). (CMMC-custom
term)
Restricted Information Systems means
systems (and associated IT components
comprising the system) that are
configured based on government
requirements (e.g., connected to
something that was required to support
a functional requirement) and are used
to support a contract (e.g., fielded
systems, obsolete systems, and product
deliverable replicas). (CMMC-custom
term)
Risk means a measure of the extent to
which an entity is threatened by a
potential circumstance or event, and is
typically a function of:
(i) The adverse impacts that would
arise if the circumstance or event
occurs; and
(ii) The likelihood of occurrence, as
defined in NIST SP 800–53 R5
(incorporated by reference, see § 170.2).
Risk Assessment means the process of
identifying risks to organizational
operations (including mission,
functions, image, reputation),
organizational assets, individuals, other
organizations, and the Nation, resulting
from the operation of a system. Risk
Assessment is part of risk management,
incorporates threat and vulnerability
analyses, and considers mitigations
provided by security controls planned
or in place. Synonymous with risk
analysis, as defined in NIST SP 800–39
Mar2011 (incorporated by reference, see
§ 170.2).
Security Protection Assets (SPA)
means assets providing security
functions or capabilities for the OSA’s
CMMC Assessment Scope. (CMMC-
custom term)
Security Protection Data (SPD) means
data stored or processed by Security
Protection Assets (SPA) that are used to
protect an OSC’s assessed environment.
SPD is security relevant information and
includes but is not limited to:
configuration data required to operate
an SPA, log files generated by or
ingested by an SPA, data related to the
configuration or vulnerability status of
in-scope assets, and passwords that
grant access to the in-scope
environment. (CMMC-custom term)
Specialized Assets means types of
assets considered specialized assets for
CMMC: Government Furnished
Equipment, Internet of Things (IoT) or
Industrial Internet of Things (IIoT),
Operational Technology (OT), Restricted
Information Systems, and Test
Equipment. (CMMC-custom term)
Subcontractor is defined in 48 CFR
3.502–1.
Supervisory Control and Data
Acquisition (SCADA) means a generic
name for a computerized system that is
capable of gathering and processing data
and applying operational controls over
long distances. Typical uses include
power transmission and distribution
and pipeline systems. SCADA was
designed for the unique communication
challenges (e.g., delays, data integrity)
posed by the various media that must be
used, such as phone lines, microwave,
and satellite. Usually shared rather than
dedicated, as defined in NIST SP 800–
82r3 (incorporated by reference, see
§ 170.2).
System Security Plan (SSP) means the
formal document that provides an
overview of the security requirements
for an information system or an
information security program and
describes the security controls in place
or planned for meeting those
requirements. The system security plan
describes the system components that
are included within the system, the
environment in which the system
operates, how the security requirements
are implemented, and the relationships
with or connections to other systems, as
defined in NIST SP 800–53 R5
(incorporated by reference, see § 170.2).
Temporary deficiency means a
condition where remediation of a
discovered deficiency is feasible, and a
known fix is available or is in process.
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00129
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83220
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
The deficiency must be documented in
an operational plan of action. A
temporary deficiency is not based on an
‘in progress’ initial implementation of a
CMMC security requirement but arises
after implementation. A temporary
deficiency may apply during the initial
implementation of a security
requirement if, during roll-out, specific
issues with a very limited subset of
equipment is discovered that must be
separately addressed. There is no
standard duration for which a
temporary deficiency may be active. For
example, FIPS-validated cryptography
that requires a patch and the patched
version is no longer the validated
version may be a temporary deficiency.
(CMMC-custom term)
Test Equipment means hardware and/
or associated IT components used in the
testing of products, system components,
and contract deliverables. (CMMC-
custom term)
User means an individual, or (system)
process acting on behalf of an
individual, authorized to access a
system, as defined in NIST SP 800–53
R5 (incorporated by reference, see
§ 170.2).
§ 170.5
Policy.
(a) Protection of FCI and CUI on
contractor information systems is of
paramount importance to the DoD and
can directly impact its ability to
successfully conduct essential missions
and functions. It is DoD policy that
defense contractors and subcontractors
shall be required to safeguard FCI and
CUI that is processed, stored, or
transmitted on contractor information
systems by applying specified security
requirements. In addition, defense
contractors and subcontractors may be
required to implement additional
safeguards defined in NIST SP 800–172
Feb2021 (incorporated by reference, see
§ 170.2), implementing DoD specified
parameters to meet CMMC Level 3
security requirements (see table 1 to
§ 170.14(c)(4)). These additional
requirements are necessary to protect
CUI being processed, stored, or
transmitted in contractor information
systems, when designated by a
requirement for CMMC Status of Level
3 (DIBCAC) as defined by a DoD
program manager or requiring activity.
In general, the Department will identify
a requirement for a CMMC Status of
Level 3 (DIBCAC) for solicitations and
resulting contracts supporting its most
critical programs and technologies.
(b) Program managers and requiring
activities are responsible for identifying
the CMMC Status that will apply to a
procurement. Selection of the applicable
CMMC Status will be based on factors
including but not limited to:
(1) Criticality of the associated
mission capability;
(2) Type of acquisition program or
technology;
(3) Threat of loss of the FCI or CUI to
be shared or generated in relation to the
effort;
(4) Impacts from exploitation of
information security deficiencies; and
(5) Other relevant policies and factors,
including Milestone Decision Authority
guidance.
(c) In accordance with the
implementation plan described in
§ 170.3, CMMC Program requirements
will apply to new DoD solicitations and
contracts, and shall flow down to
subcontractors who will process, store,
or transmit FCI or CUI in performance
of the subcontract, as described in
§ 170.23.
(d) In very limited circumstances, and
in accordance with all applicable
policies, procedures, and requirements,
a Service Acquisition Executive or
Component Acquisition Executive in
the DoD, or as delegated, may elect to
waive inclusion of CMMC Program
requirements in a solicitation or
contract. In such cases, contractors and
subcontractors will remain obligated to
comply with all applicable
cybersecurity and information security
requirements.
(e) The CMMC Program does not alter
any separately applicable requirements
to protect FCI or CUI, including those
requirements in accordance with 48
CFR 52.204–21, Basic Safeguarding of
Covered Contractor Information
Systems, or covered defense information
in accordance with 48 CFR 252.204–
7012, Safeguarding Covered Defense
Information and Cyber Incident
Reporting, or any other applicable
information protection requirements.
The CMMC Program provides a means
of verifying implementation of the
security requirements set forth in 48
CFR 52.204–21, NIST SP 800–171 R2,
and NIST SP 800–172 Feb2021, as
applicable.
Subpart B—Government Roles and
Responsibilities.
§ 170.6
CMMC PMO.
(a) The Office of the Department of
Defense Chief Information Officer (DoD
CIO) Office of the Deputy CIO for
Cybersecurity (DoD CIO(CS)) provides
oversight of the CMMC Program and is
responsible for establishing CMMC
assessment, accreditation, and training
requirements as well as developing and
updating CMMC Program policies and
implementing guidance.
(b) The CMMC PMO is responsible for
monitoring the CMMC AB’s
performance of roles assigned in this
rule and acting as necessary to address
problems pertaining to effective
performance.
(c) The CMMC PMO retains, on behalf
of the DoD CIO(CS), the prerogative to
review decisions of the CMMC
Accreditation Body as part of its
oversight of the CMMC program and
evaluate any alleged conflicts of interest
purported to influence the CMMC
Accreditation Body’s objectivity.
(d) The CMMC PMO is responsible for
sponsoring necessary DCSA activities
including FOCI risk assessment and Tier
3 security background investigations for
the CMMC Ecosystem members as
specified in §§ 170.8(b)(4) and (5),
170.9(b)(3) through (5), 170.11(b)(3) and
(4), and 170.13(b)(3) and (4).
(e) The CMMC PMO is responsible for
investigating and acting upon
indications that an active CMMC Status
has been called into question.
Indications that may trigger
investigative evaluations include, but
are not limited to, reports from the
CMMC Accreditation Body, a C3PAO, or
anyone knowledgeable of the security
processes and activities of the OSA.
Investigative evaluations include, but
are not limited to, reviewing pertinent
assessment information, and exercising
the right to conduct a DCMA DIBCAC
assessment of the OSA, as provided for
under the 48 CFR 252.204–7020.
(f) If a subsequent DCMA DIBCAC
assessment shows that adherence to the
provisions of this rule and the required
CMMC Status have not been achieved or
maintained, the DIBCAC results will
take precedence over any pre-existing
CMMC Status recorded in SPRS, or its
successor capability. The DoD will
update SPRS to reflect that the OSA is
out of compliance and does not meet
DoD CMMC requirements. If the OSA is
working on an active contract requiring
CMMC compliance, then standard
contractual remedies will apply.
§ 170.7
DCMA DIBCAC.
(a) DCMA DIBCAC assessors in
support of the CMMC Program will:
(1) Complete CMMC Level 2 and
Level 3 training.
(2) Conduct Level 3 certification
assessments and upload assessment
results into the CMMC instantiation of
eMASS, or its successor capability.
(3) Issue Certificates of CMMC Status
resulting from Level 3 certification
assessments.
(4) Conduct Level 2 certification
assessments of the Accreditation Body
and prospective C3PAOs’ information
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00130
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83221
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
systems that process, store, and/or
transmit CUI.
(5) Create and maintain a process for
assessors to collect the list of assessment
artifacts to include artifact names, their
return value of the hashing algorithm,
the hashing algorithm used, and upload
that data into the CMMC instantiation of
eMASS.
(6) As authorized and in accordance
with all legal requirements, enter and
track, OSC appeals and updated results
arising from Level 3 certification
assessment activities into the CMMC
instantiation of eMASS.
(7) Retain all records in accordance
with DCMA–MAN 4501–04.
(8) Conduct an assessment of the
OSA, when requested by the CMMC
PMO per §§ 170.6(e) and (f), as provided
for under the 48 CFR 252.204–7019 and
48 CFR 252.204–7020.
(9) Identify assessments that meet the
criteria in § 170.20 and verify that SPRS
accurately reflects the CMMC Status.
(b) An OSC, the CMMC AB, or a
C3PAO may appeal the outcome of its
DCMA DIBCAC conducted assessment
within 21 days by submitting a written
basis for appeal with the requirements
in question for DCMA DIBCAC
consideration. Appeals may be
submitted for review by visiting
www.dcma.mil/DIBCAC for contact
information, and a DCMA DIBCAC
Quality Assurance Review Team will
provide a written response or request
additional supporting documentation.
Subpart C—CMMC Assessment and
Certification Ecosystem.
§ 170.8
Accreditation Body.
(a) Roles and responsibilities. The
Accreditation Body is responsible for
authorizing and ensuring the
accreditation of CMMC Third-Party
Assessment Organizations (C3PAOs) in
accordance with ISO/IEC 17020:2012(E)
(incorporated by reference, see § 170.2)
and all applicable authorization and
accreditation requirements set forth.
The Accreditation Body is responsible
for establishing the C3PAO
authorization requirements and the
C3PAO Accreditation Scheme and
submitting both for approval by the
CMMC PMO. At any given point in
time, there will be only one
Accreditation Body for the DoD CMMC
Program.
(b) Requirements. The CMMC
Accreditation Body shall:
(1) Be US-based and be and remain a
member in good standing of the Inter-
American Accreditation Cooperation
(IAAC) and become an International
Laboratory Accreditation Cooperation
(ILAC) Mutual Recognition
Arrangement (MRA) signatory, with a
signatory status scope of ISO/IEC
17020:2012(E) (incorporated by
reference, see § 170.2).
(2) Be and remain a member in good
standing of the International
Accreditation Forum (IAF) with mutual
recognition arrangement signatory status
scope of ISO/IEC 17024:2012(E)
(incorporated by reference, see § 170.2).
(3) Achieve and maintain full
compliance with ISO/IEC 17011:2017(E)
(incorporated by reference, see § 170.2)
and complete a peer assessment by
other ILAC signatories for competence
in accrediting conformity assessment
bodies to ISO/IEC 17020:2012(E)
(incorporated by reference, see § 170.2),
both within 24 months of DoD approval.
(i) Prior to achieving full compliance
as set forth in this paragraph (b)(3), the
Accreditation Body shall:
(A) Authorize C3PAOs who meet all
requirements set forth in § 170.9 as well
as administrative requirements as
determined by the Accreditation Body
to conduct Level 2 certification
assessments and issue Certificates of
CMMC Status to OSCs based on the
assessment results.
(B) Require all C3PAOs to achieve and
maintain the ISO/IEC 17020:2012(E)
(incorporated by reference, see § 170.2)
requirements within 27 months of
authorization.
(ii) The Accreditation Body shall
accredit C3PAOs, in accordance with
ISO/IEC 17020:2012(E) (incorporated by
reference, see § 170.2), who meet all
requirements set forth in § 170.9 to
conduct Level 2 certification
assessments and issue Certificates of
CMMC Status to OSCs based on the
results.
(4) Ensure that the Accreditation
Body’s Board of Directors, professional
staff, Information Technology (IT) staff,
accreditation staff, and independent
CMMC Certified Assessor staff complete
a Tier 3 background investigation
resulting in a determination of national
security eligibility. This Tier 3
background investigation will not result
in a security clearance and is not being
executed for the purpose of government
employment. The Tier 3 background
investigation is initiated using the
[http://www.gsa.gov/reference/forms/questionnaire-for-national-security-positions Standard Form (SF) 86 (www.gsa.gov/
reference/forms/questionnaire-for-
national-security-positions) and
]submitted by DoD CIO Security to
Washington Headquarters Services
(WHS) for coordination for processing
by the Defense Counterintelligence and
Security Agency (DCSA). These
positions are designated as non-critical
sensitive with a risk designation of
‘‘Moderate Risk’’ in accordance with 5
CFR 1400.201(b) and (d) and the
investigative requirements of 5 CFR
731.106(c)(2).
(5) Comply with Foreign Ownership,
Control or Influence (FOCI) by:
(i) Completing the Standard Form (SF)
[http://www.gsa.gov/reference/forms/certificate-pertaining-to-foreign-interests 328 (www.gsa.gov/reference/forms/
certificate-pertaining-to-foreign-
interests), ]Certificate Pertaining to
Foreign Interests, and submit it directly
to Defense Counterintelligence and
Security Agency (DCSA) and undergo a
National Security Review with regards
to the protection of controlled
unclassified information based on the
factors identified in 32 CFR 117.11(b)
using the procedures outlined in 32 CFR
117.11(c). The Accreditation Body must
receive a non-disqualifying eligibility
determination by the CMMC PMO to be
recognized by the Department of
Defense.
(ii) Reporting any change to the
information provided on its SF 328 by
resubmitting the SF 328 to DCSA within
15 business days of the change being
effective. A disqualifying eligibility
determination, based on the results of
the change, will result in the
Accreditation Body losing its
authorization or accreditation under the
CMMC Program.
(iii) Identifying all prospective
C3PAOs to the CMMC PMO. The CMMC
PMO will sponsor the prospective
C3PAO for a FOCI risk assessment
conducted by the DCSA using the SF
328 as part of the authorization and
accreditation processes.
(iv) Notifying prospective C3PAOs of
the CMMC PMO’s eligibility
determination resulting from the FOCI
risk assessment.
(6) Obtain a Level 2 certification
assessment in accordance with the
procedures specified in § 170.17(a)(1)
and (c). This assessment, conducted by
DCMA DIBCAC, shall meet all
requirements for a Final Level 2
(C3PAO) but will not result in a CMMC
Status of Level 2 (C3PAO). The Level 2
certification assessment process must be
performed every three years.
(7) Provide all documentation and
records in English.
(8) Establish, maintain, and manage
an up-to-date list of authorized and
accredited C3PAOs on a single publicly
accessible website and provide the list
of these entities and their status to the
DoD through submission in the CMMC
instantiation of eMASS.
(9) Provide the CMMC PMO with
current data on C3PAOs, including
authorization and accreditation records
and status in the CMMC instantiation of
eMASS. This data shall include the
dates associated with the authorization
and accreditation of each C3PAO.
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00131
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83222
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
(10) Provide the DoD with
information about aggregate statistics
pertaining to operations of the CMMC
Ecosystem to include the authorization
and accreditation status of C3PAOs or
other information as requested.
(11) Provide inputs for assessor
supplemental guidance to the CMMC
PMO. Participate and support
coordination of these and other inputs
through DoD-led Working Groups.
(12) Ensure that all information about
individuals is encrypted and protected
in all Accreditation Body information
systems and databases.
(13) Provide all plans that are related
to potential sources of revenue, to
include but not limited to: fees,
licensing, processes, membership, and/
or partnerships to the Department’s
CMMC PMO.
(14) Ensure that the CMMC Assessors
and Instructors Certification
Organization (CAICO) is compliant with
ISO/IEC 17024:2012(E)
(15) Ensure all training products,
instruction, and testing materials are of
high quality and subject to CAICO
quality control policies and procedures,
to include technical accuracy and
alignment with all applicable legal,
regulatory, and policy requirements.
(16) Develop and maintain an internal
appeals process, as required by ISO/IEC
17020:2017(E), and render a final
decision on all elevated appeals.
(17) Develop and maintain a
comprehensive plan and schedule to
comply with all ISO/IEC 17011:2017(E),
and DoD requirements for Conflict of
Interest, Code of Professional Conduct,
and Ethics policies as set forth in the
DoD contract. All policies shall apply to
the Accreditation Body, and other
individuals, entities, and groups within
the CMMC Ecosystem who provide
Level 2 certification assessments,
CMMC instruction, CMMC training
materials, or Certificates of CMMC
Status on behalf of the Accreditation
Body. All policies in this section must
be approved by the CMMC PMO prior
to effectivity in accordance with the
following requirements.
(i) Conflict of Interest (CoI) policy.
The CoI policy shall:
(A) Include a detailed risk mitigation
plan for all potential conflicts of interest
that may pose a risk to compliance with
ISO/IEC 17011:2017(E).
(B) Require employees, Board
directors, and members of any
accreditation committees or appeals
adjudication committees to disclose to
the CMMC PMO, in writing, as soon as
it is known or reasonably should be
known, any actual, potential, or
perceived conflict of interest with
sufficient detail to allow for assessment.
(C) Require employees, Board
directors, and members of any
accreditation committees or appeals
adjudication committees who leave the
board or organization to enter a ‘‘cooling
off period’’ of one (1) year whereby they
are prohibited from working with the
Accreditation Body or participating in
any and all CMMC activities described
in Subpart C.
(D) Require CMMC Ecosystem
members to actively avoid participating
in any activity, practice, or transaction
that could result in an actual or
perceived conflict of interest.
(E) Require CMMC Ecosystem
members to disclose to Accreditation
Body leadership, in writing, any actual
or potential conflict of interest as soon
as it is known, or reasonably should be
known.
(ii) Code of Professional Conduct
(CoPC) policy. The CoPC policy shall:
(A) Describe the performance
standards by which the members of the
CMMC Ecosystem will be held
accountable and the procedures for
addressing violations of those
performance standards.
(B) Require the Accreditation Body to
investigate and resolve any potential
violations that are reported or are
identified by the DoD.
(C) Require the Accreditation Body to
inform the DoD in writing of new
investigations within 72 hours.
(D) Require the Accreditation Body to
report to the DoD in writing the
outcome of completed investigations
within 15 business days.
(E) Require CMMC Ecosystem
members to represent themselves and
their companies accurately; to include
not misrepresenting any professional
credentials or status, including CMMC
authorization or CMMC Status, nor
exaggerating the services that they or
their company are capable or authorized
to deliver.
(F) Require CMMC Ecosystem
members to be honest and factual in all
CMMC-related activities with
colleagues, clients, trainees, and others
with whom they interact.
(G) Prohibit CMMC Ecosystem
members from participating in the Level
2 certification assessment process for an
assessment in which they previously
served as a consultant to prepare the
organization for any CMMC assessment
within 3 years.
(H) Require CMMC Ecosystem
members to maintain the confidentiality
of customer and government data to
preclude unauthorized disclosure.
(I) Require CMMC Ecosystem
members to report results and data from
Level 2 certification assessments and
training objectively, completely, clearly,
and accurately.
(J) Prohibit CMMC Ecosystem
members from cheating, assisting
another in cheating, or allowing
cheating on CMMC examinations.
(K) Require CMMC Ecosystem
members to utilize official training
content developed by a CMMC training
organization approved by the CAICO in
all CMMC certification courses.
(iii) Ethics policy. The Ethics policy
shall:
(A) Require CMMC Ecosystem
members to report to the Accreditation
Body within 30 days of convictions,
guilty pleas, or no contest pleas to
crimes of fraud, larceny, embezzlement,
misappropriation of funds,
misrepresentation, perjury, false
swearing, conspiracy to conceal, or a
similar offense in any legal proceeding,
civil or criminal, whether or not in
connection with activities that relate to
carrying out their role in the CMMC
Ecosystem.
(B) Prohibit harassment or
discrimination by CMMC Ecosystem
members in all interactions with
individuals whom they encounter in
connection with their roles in the
CMMC Ecosystem.
(C) Require CMMC Ecosystem
members to have and maintain a
satisfactory record of integrity and
business ethics.
§ 170.9
CMMC Third-Party Assessment
Organizations (C3PAOs).
(a) Roles and responsibilities. C3PAOs
are organizations that are responsible for
conducting Level 2 certification
assessments and issuing Certificates of
CMMC Status to OSCs based on the
results. C3PAOs must be accredited or
authorized by the Accreditation Body in
accordance with the requirements set
forth.
(b) Requirements. C3PAOs shall:
(1) Obtain authorization or
accreditation from the Accreditation
Body in accordance with § 170.8(b)(3)(i)
and (ii).
(2) Comply with the Accreditation
Body policies for Conflict of Interest,
Code of Professional Conduct, and
Ethics set forth in § 170.8(b)(17); and
achieve and maintain compliance with
ISO/IEC 17020:2012(E) (incorporated by
reference, see § 170.2) within 27 months
of authorization.
(3) Require all C3PAO company
personnel participating in the Level 2
certification assessment process to
complete a Tier 3 background
investigation resulting in a
determination of national security
eligibility. This includes the CMMC
Assessment Team and the quality
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00132
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83223
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
assurance individual. This Tier 3
background investigation will not result
in a security clearance and is not being
executed for the purpose of government
employment. The Tier 3 background
investigation is initiated using the
Standard Form (SF) 86 ([http://www.gsa.gov/reference/forms/questionnaire-for-national-security-positions www.gsa.gov/
reference/forms/questionnaire-for-
national-security-positions). These
]positions are designated as non-critical
sensitive with a risk designation of
‘‘Moderate Risk’’ in accordance with 5
CFR 1400.201(b) and (d) and the
investigative requirements of 5 CFR
731.106(c)(2).
(4) Require all C3PAO company
personnel participating in the Level 2
certification assessment process who are
not eligible to obtain a Tier 3
background investigation to meet the
equivalent of a favorably adjudicated
Tier 3 background investigation. DoD
will determine the Tier 3 background
investigation equivalence for use with
the CMMC Program only.
(5) Comply with Foreign Ownership,
Control or Influence (FOCI) by:
(i) Completing and submitting
[http://www.gsa.gov/reference/forms/certificate-pertaining-to-foreign-interests Standard Form (SF) 328 (www.gsa.gov/
reference/forms/certificate-pertaining-
to-foreign-interests), Certificate
]Pertaining to Foreign Interests, upon
request from DCSA and undergo a
National Security Review with regards
to the protection of controlled
unclassified information based on the
factors identified in 32 CFR 117.11(b)
using the procedures outlined in 32 CFR
117.11(c).
(ii) Receiving a non-disqualifying
eligibility determination from the
CMMC PMO resulting from the FOCI
risk assessment in order to proceed to a
DCMA DIBCAC CMMC Level 2
assessment, as part of the authorization
and accreditation process set forth in
paragraph (b)(6) of this section.
(iii) Reporting any change to the
information provided on its SF 328 by
resubmitting the SF 328 to DCSA within
15 business days of the change being
effective. A disqualifying eligibility
determination, based on the results of
the change, will result in the C3PAO
losing its authorization or accreditation.
(6) Undergo a Level 2 certification
assessment meeting all requirements for
a Final Level 2 (C3PAO) in accordance
with the procedures specified in
§ 170.17(a)(1) and (c), with the following
exceptions:
(i) The assessment will be conducted
by DCMA DIBCAC.
(ii) The assessment will not result in
a CMMC Status of Level 2 (C3PAO) nor
receive a Certificate of CMMC Status.
(7) Provide all documentation and
records in English.
(8) Submit pre-assessment and
planning material, final assessment
reports, and CMMC certificates of
assessment into the CMMC instantiation
of eMASS.
(9) Unless disposition is otherwise
authorized by the CMMC PMO,
maintain all assessment related records
for a period of six (6) years. Such
records include any materials generated
by the C3PAO in the course of an
assessment, any working papers
generated from Level 2 certification
assessments; and materials relating to
monitoring, education, training,
technical knowledge, skills, experience,
and authorization of all personnel
involved in assessment activities;
contractual agreements with OSCs; and
organizations for whom consulting
services were provided.
(10) Provide any requested audit
information, including any out-of-cycle
from ISO/IEC 17020:2012(E)
requirements, to the Accreditation
Body.
(11) Ensure that all personally
identifiable information (PII) is
encrypted and protected in all C3PAO
information systems and databases.
(12) Meet the requirements for
Assessment Team composition. An
Assessment Team must include at least
two people: a Lead CCA, as defined in
§ 170.11(b)(10), and at least one other
CCA. Additional CCAs and CCPs may
also participate on an Assessment Team.
(13) Implement a quality assurance
function that ensures the accuracy and
completeness of assessment data prior
to upload into the CMMC instantiation
of eMASS. Any individual fulfilling the
quality assurance function must be a
CCA and cannot be a member of an
Assessment Team for which they are
performing a quality assurance role. A
quality assurance individual shall
manage the C3PAO’s quality assurance
reviews as defined in paragraph (b)(14)
of this section and the appeals process
as required by paragraphs (b)(19) and
(20) of this section and in accordance
with ISO/IEC 17020:2012(E)
(incorporated by reference, see § 170.2)
and ISO/IEC 17011:2017(E)
(incorporated by reference, see § 170.2).
(14) Conduct quality assurance
reviews for each assessment, including
observations of the Assessment Team’s
conduct and management of CMMC
assessment processes.
(15) Ensure that all Level 2
certification assessment activities are
performed on the information system
within the CMMC Assessment Scope.
(16) Maintain all facilities, personnel,
and equipment involved in CMMC
activities that are in scope of their Level
2 certification assessment and comply
with all security requirements and
procedures as prescribed by the
Accreditation Body.
(17) Ensure that all assessment data
and information uploaded into the
CMMC instantiation of eMASS
assessment data is compliant with the
CMMC assessment data standard as set
forth in eMASS CMMC Assessment
Import Templates on the CMMC eMASS
[https://cmmc.emass.apps.mil website: https://cmmc.emass.apps.mil.
]This system is accessible only to
authorized users.
(18) Issue Certificates of CMMC Status
to OSCs in accordance with the Level 2
certification assessment requirements
set forth in § 170.17, that include, at a
minimum, all industry CAGE codes
associated with the information systems
addressed by the CMMC Assessment
Scope, the C3PAO name, assessment
unique identifier, the OSC name, and
the CMMC Status date and level.
(19) Address all OSC appeals arising
from Level 2 certification assessment
activities. If the OSC or C3PAO is not
satisfied with the result of the appeal
either the OSC or the C3PAO can
elevate the matter to the Accreditation
Body for final determination.
(20) Submit assessment appeals,
review records, and decision results of
assessment appeals to DoD using the
CMMC instantiation of eMASS.
§ 170.10
CMMC Assessor and Instructor
Certification Organization (CAICO).
(a) Roles and responsibilities. The
CAICO is responsible for training,
testing, authorizing, certifying, and
recertifying CMMC assessors,
instructors, and related professionals.
Only the CAICO may make decisions
relating to examination certifications,
including the granting, maintaining,
recertifying, expanding, and reducing
the scope of certification, and
suspending or withdrawing certification
in accordance with current ISO/IEC
17024:2012(E) (incorporated by
reference, see § 170.2). At any given
point in time, there will be only one
CAICO for the DoD CMMC Program.
(b) Requirements. The CAICO shall:
(1) Comply with the Accreditation
Body policies for Conflict of Interest,
Code of Professional Conduct, and
Ethics set forth in § 170.8(b)(17); and
achieve and maintain ISO/IEC 17024(E)
accreditation within 12 months of
December 16, 2024.
(2) Provide all documentation and
records in English.
(3) Train, test, and designate PIs in
accordance with the requirements of
this section. Train, test, certify, and
recertify CCPs, CCAs, and CCIs in
accordance with the requirements of
this section.
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00133
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83224
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
(4) Ensure the instructor and assessor
certification examinations are certified
under ISO/IEC 17024:2012(E)
(incorporated by reference, see § 170.2),
by a recognized US-based accreditor
who is not a member of the CMMC
Accreditation Body. The US-based
accreditor must be a signatory to
International Laboratory Accreditation
Cooperation (ILAC) or relevant
International Accreditation Forum (IAF)
Mutual Recognition Arrangement
(MRA) and must operate in accordance
with ISO/IEC 17011:2017(E)
(incorporated by reference, see § 170.2).
(5) Establish quality control policies
and procedures for the generation of
training products, instruction, and
testing materials.
(6) Oversee development,
administration, and management
pertaining to the quality of training and
examination materials for CMMC
assessor and instructor certification and
recertification.
(7) Establish and publish an
authorization and certification appeals
process to receive, evaluate, and make
decisions on complaints and appeals in
accordance with ISO/IEC 17024:2012(E)
(incorporated by reference, see § 170.2).
(8) Address all appeals arising from
the CCA, CCI, and CCP authorizations
and certifications process through use of
internal processes in accordance with
ISO/IEC 17024:2012(E) (incorporated by
reference, see § 170.2).
(9) Maintain records for a period of
six (6) years of all procedures,
processes, and actions related to
fulfillment of the requirements set forth
in this section and provide the
Accreditation Body access to those
records.
(10) Provide the Accreditation Body
information about the authorization and
accreditation status of assessors,
instructors, training community, and
publishing partners.
(11) Ensure separation of duties
between individuals involved in testing
activities, training activities, and
certification activities.
(12) Safeguard and require any CAICO
training support service providers, as
applicable, to safeguard the
confidentiality of applicant, candidate,
and certificate-holder information and
ensure the overall security of the
certification process.
(13) Ensure that all PII is encrypted
and protected in all CAICO information
systems and databases and those of any
CAICO training support service
providers.
(14) Ensure the security of assessor
and instructor examinations and the fair
and credible administration of
examinations.
(15) Neither disclose nor allow any
CAICO training support service
providers, as applicable, to disclose
CMMC data or metrics related to
authorization or certification activities
to any entity other than the
Accreditation Body and DoD, except as
required by law.
(16) Require retraining and
redesignation of PIs upon significant
change to DoD’s CMMC Program
requirements. Require retraining and
recertification of CCPs, CCAs, and CCIs
upon significant change to DoD’s CMMC
Program requirements, as determined by
the DoD or the CAICO.
(17) Require CMMC Ecosystem
members to report to the CAICO within
30 days of convictions, guilty pleas, or
no contest pleas to crimes of fraud,
larceny, embezzlement,
misappropriation of funds,
misrepresentation, perjury, false
swearing, conspiracy to conceal, or a
similar offense in any legal proceeding,
civil or criminal, whether or not in
connection with activities that relate to
carrying out their role in the CMMC
Ecosystem.
§ 170.11
CMMC Certified Assessor (CCA).
(a) Roles and responsibilities. CCAs,
in support of a C3PAO, conduct Level
2 certification assessments of OSCs in
accordance with NIST SP 800–171A
Jun2018 (incorporated by reference, see
§ 170.2), the assessment processes
defined in § 170.17, and the scoping
requirements defined in § 170.19(c).
CCAs must meet all of the requirements
set forth in paragraph (b) of this section.
A CCA may conduct Level 2
certification assessments and participate
on a C3PAO Assessment Team.
(b) Requirements. CCAs shall:
(1) Obtain and maintain certification
from the CAICO in accordance with the
requirements set forth in § 170.10.
Certification is valid for 3 years from the
date of issuance.
(2) Comply with the Accreditation
Body policies for Conflict of Interest,
Code of Professional Conduct, and
Ethics set forth in § 170.8(b)(17).
(3) Complete a Tier 3 background
investigation resulting in a
determination of national security
eligibility. This Tier 3 background
investigation will not result in a security
clearance and is not being executed for
the purpose of government employment.
The Tier 3 background investigation is
initiated using the Standard Form (SF)
[http://www.gsa.gov/reference/forms/questionnaire-for-national-security-positions 86 (www.gsa.gov/reference/forms/
questionnaire-for-national-security-
positions). These positions are
]designated as non-critical sensitive with
a risk designation of ‘‘Moderate Risk’’ in
accordance with 5 CFR 1400.201(b) and
(d) and the investigative requirements of
5 CFR 731.106(c)(2).
(4) Meet the equivalent of a favorably
adjudicated Tier 3 background
investigation when not eligible for a
Tier 3 background investigation. DoD
will determine the Tier 3 background
investigation equivalence for use with
the CMMC Program only.
(5) Provide all documentation and
records in English.
(6) Be a CCP who has at least 3 years
of cybersecurity experience, at least 1
year of assessment or audit experience,
and at least one foundational
qualification, aligned to at least the
Intermediate Proficiency Level of the
DoD Cyberspace Workforce
Framework’s Security Control Assessor
(612) Work Role, from DoD Manual
8140.03, Cyberspace Workforce
Qualification and Management Program
[https://dodcio.defense.gov/Portals/0/Documents/Library/DoDM-8140-03.pdf (https://dodcio.defense.gov/Portals/0/
Documents/Library/DoDM-8140-03.pdf).
]Information on the Work Role 612 can
[https://public.cyber.mil/dcwf-work-role/security-control-assessor/ be found at https://public.cyber.mil/
dcwf-work-role/security-control-
assessor/. ]
(7) Only use IT, cloud, cybersecurity
services, and end-point devices
provided by the authorized/accredited
C3PAO that has been engaged to
perform that OSA’s Level 2 certification
assessment and which has undergone a
Level 2 certification assessment by
DCMA DIBCAC (or higher) for all
assessment activities. Individual
assessors are prohibited from using any
other IT, including IT that is personally
owned, to include internal and external
cloud services and end-point devices, to
process, store, or transmit CMMC
assessment reports or any other CMMC
assessment-related information. The
evaluation of assessment evidence
within the OSC environment, using OSC
tools, is permitted.
(8) Immediately notify the responsible
C3PAO of any breach or potential
breach of security to any CMMC-related
assessment materials under the
assessors’ purview.
(9) Not share any information about
an OSC obtained during CMMC pre-
assessment and assessment activities
with any person not involved with that
specific assessment, except as otherwise
required by law.
(10) Qualify as a Lead CCA by having
at least 5 years of cybersecurity
experience, 5 years of management
experience, 3 years of assessment or
audit experience, and at least one
foundational qualification aligned to
Advanced Proficiency Level of the DoD
Cyberspace Workforce Framework’s
Security Control Assessor (612) Work
Role, from DoD Manual 8140.03,
Cyberspace Workforce Qualification and
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00134
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83225
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
Management Program [https://dodcio.defense.gov/Portals/0/Documents/Library/DoDM-8140-03.pdf (https://
dodcio.defense.gov/Portals/0/
Documents/Library/DoDM-8140-03.pdf).
]Information on the Work Role 612 can
[https://public.cyber.mil/dcwf-work-role/security-control-assessor/ be found at https://public.cyber.mil/
dcwf-work-role/security-control-
assessor/. ]
§ 170.12
CMMC Instructor.
(a) CMMC Provisional Instructor (PI)
roles and responsibilities. A CMMC
Provisional Instructor (PI) teaches CCA
and CCP candidates during the
transitional period that ends 18 months
after December 16, 2024. A PI is trained,
tested, and designated to perform
CMMC instructional duties by the
CAICO to teach CCP and CCA
candidates. PIs are designated by the
CAICO after successful completion of
the PI training and testing requirements
set forth by the CAICO. A PI with a
valid CCP certification may instruct CCP
candidates, while a PI with a valid CCA
certification may instruct CCP and CCA
candidates. PIs are required to meet
requirements in (c) of this section.
(b) CMMC Certified Instructor (CCI)
roles and responsibilities. A CMMC
Certified Instructor (CCI) teaches CCP,
CCA, and CCI candidates and performs
CMMC instructional duties. Candidate
CCIs are certified by the CAICO after
successful completion of the CCI
training and testing requirements. A CCI
is required to obtain and maintain
assessor and instructor certifications
from the CAICO in accordance with the
requirements set forth in § 170.10 and in
paragraph (c) of this section. A CCI with
a valid CCP certification may instruct
CCP candidates, while a CCI with a
valid CCA certification may instruct
CCP, CCA, and CCI candidates.
Certifications are valid for 3 years from
the date of issuance. CCIs are required
to meet requirements in paragraph (c) of
this section.
(c) Requirements. CMMC Instructors
shall:
(1) Obtain and maintain instructor
designation or certification, as
appropriate, from the CAICO in
accordance with the requirements set
forth in § 170.10.
(2) Obtain and maintain CCP or CCA
certification to deliver CCP training.
(3) Obtain and maintain a CCA
certification to deliver CCA training.
(4) Comply with the Accreditation
Body policies for Conflict of Interest,
Code of Professional Conduct, and
Ethics set forth in § 170.8(b)(17).
(5) Provide all documentation and
records in English.
(6) Provide the Accreditation Body
and the CAICO annually with accurate
information detailing their
qualifications, training experience,
professional affiliations, and
certifications, and, upon reasonable
request, submit documentation verifying
this information.
(7) Not provide CMMC consulting
services while serving as a CMMC
instructor; however, subject to the Code
of Professional Conduct and Conflict of
Interest policies, can serve on an
assessment team.
(8) Not participate in the development
of exam objectives and/or exam content
or act as an exam proctor while at the
same time serving as a CCI.
(9) Keep confidential all information
obtained or created during the
performance of CMMC training
activities, including trainee records,
except as required by law.
(10) Not disclose any CMMC-related
data or metrics that is PII, FCI, or CUI
to anyone without prior coordination
with and approval from DoD.
(11) Notify the Accreditation Body or
the CAICO if required by law or
authorized by contractual commitments
to release confidential information.
(12) Not share with anyone any
CMMC training-related information not
previously publicly disclosed.
§ 170.13
CMMC Certified Professional
(CCP).
(a) Roles and responsibilities. A
CMMC Certified Professional (CCP)
completes rigorous training on CMMC
and the assessment process to provide
advice, consulting, and
recommendations to their OSA clients.
Candidate CCPs are certified by the
CAICO after successful completion of
the CCP training and testing
requirements set forth in paragraph (b)
of this section. CCPs are eligible to
become CMMC Certified Assessors and
can participate as a CCP on Level 2
certification assessments with CCA
oversight where the CCA makes all final
determinations.
(b) Requirements. CCPs shall:
(1) Obtain and maintain certification
from the CAICO in accordance with the
requirements set forth in § 170.10.
Certification is valid for 3 years from the
date of issuance.
(2) Comply with the Accreditation
Body policies for Conflict of Interest,
Code of Professional Conduct, and
Ethics as set forth in § 170.8(b)(17).
(3) Complete a Tier 3 background
investigation resulting in a
determination of national security
eligibility. This Tier 3 background
investigation will not result in a security
clearance and is not being executed for
the purpose of government employment.
The Tier 3 background investigation is
initiated using the Standard Form (SF)
86 (www.gsa.gov/reference/forms/
[http://www.gsa.gov/reference/forms/questionnaire-for-national-security-positions questionnaire-for-national-security-
positions). These positions are
]designated as non-critical sensitive with
a risk designation of ‘‘Moderate Risk’’ in
accordance with 5 CFR 1400.201(b) and
(d) and the investigative requirements of
5 CFR 731.106(c)(2).
(4) Meet the equivalent of a favorably
adjudicated Tier 3 background
investigation when not eligible to obtain
a Tier 3 background investigation. DoD
will determine the Tier 3 background
investigation equivalence for use with
the CMMC Program only.
(5) Provide all documentation and
records in English.
(6) Not share any information about
an OSC obtained during CMMC pre-
assessment and assessment activities
with any person not involved with that
specific assessment, except as otherwise
required by law.
Subpart D—Key Elements of the
CMMC Program
§ 170.14
CMMC Model.
(a) Overview. The CMMC Model
incorporates the security requirements
from:
(1) 48 CFR 52.204–21, Basic
Safeguarding of Covered Contractor
Information Systems;
(2) NIST SP 800–171 R2, Protecting
Controlled Unclassified Information in
Nonfederal Systems and Organizations
(incorporated by reference, see § 170.2);
and
(3) Selected security requirements
from NIST SP 800–172 Feb2021,
Enhanced Security Requirements for
Protecting Controlled Unclassified
Information: A Supplement to NIST
Special Publication 800–171
(incorporated by reference, see § 170.2).
(b) CMMC domains. The CMMC
Model consists of domains that map to
the Security Requirement Families
defined in NIST SP 800–171 R2
(incorporated by reference, see § 170.2).
(c) CMMC level requirements. CMMC
Levels 1–3 utilize the safeguarding
requirements and security requirements
specified in 48 CFR 52.204–21 (for Level
1), NIST SP 800–171 R2 (incorporated
by reference, see § 170.2) (for Level 2),
and selected security requirements from
NIST SP 800–172 Feb2021
(incorporated by reference, see § 170.2)
(for Level 3). This paragraph discusses
the numbering scheme and the security
requirements for each level.
(1) Numbering. Each security
requirement has an identification
number in the format—DD.L#-REQ—
where:
(i) DD is the two-letter domain
abbreviation;
(ii) L# is the CMMC level number; and
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00135
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83226
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
(iii) REQ is the 48 CFR 52.204–21
paragraph number, NIST SP 800–171 R2
requirement number, or NIST SP 800–
172 Feb2021 requirement number.
(2) CMMC Level 1 security
requirements. The security requirements
in CMMC Level 1 are those set forth in
48 CFR 52.204–21(b)(1)(i) through (xv).
(3) CMMC Level 2 security
requirements. The security requirements
in CMMC Level 2 are identical to the
requirements in NIST SP 800–171 R2.
(4) CMMC Level 3 security
requirements. The security requirements
in CMMC Level 3 are selected from
NIST SP 800–172 Feb2021, and where
applicable, Organization-Defined
Parameters (ODPs) are assigned. Table 1
to this paragraph identifies the selected
requirements and applicable ODPs that
represent the CMMC Level 3 security
requirements. ODPs for the NIST SP
800–172 Feb2021 requirements are
italicized, where applicable:
TABLE 1 TO § 170.14(c)(4)
Security requirement No.*
CMMC Level 3 security requirements
(selected NIST SP 800–172 Feb2021 security requirement with DoD ODPs italicized)
(i) AC.L3–3.1.2e .......................
Restrict access to systems and system components to only those information resources that are owned,
provisioned, or issued by the organization.
(ii) AC.L3–3.1.3e ......................
Employ secure information transfer solutions to control information flows between security domains on con-
nected systems.
(iii) AT.L3–3.2.1e .....................
Provide awareness training upon initial hire, following a significant cyber event, and at least annually, focused
on recognizing and responding to threats from social engineering, advanced persistent threat actors,
breaches, and suspicious behaviors; update the training at least annually or when there are significant
changes to the threat.
(iv) AT.L3–3.2.2e .....................
Include practical exercises in awareness training for all users, tailored by roles, to include general users, users
with specialized roles, and privileged users, that are aligned with current threat scenarios and provide feed-
back to individuals involved in the training and their supervisors.
(v) CM.L3–3.4.1e .....................
Establish and maintain an authoritative source and repository to provide a trusted source and accountability for
approved and implemented system components.
(vi) CM.L3–3.4.2e ....................
Employ automated mechanisms to detect misconfigured or unauthorized system components; after detection,
remove the components or place the components in a quarantine or remediation network to facilitate
patching, re-configuration, or other mitigations.
(vii) CM.L3–3.4.3e ...................
Employ automated discovery and management tools to maintain an up-to-date, complete, accurate, and readily
available inventory of system components.
(viii) IA.L3–3.5.1e .....................
Identify and authenticate systems and system components, where possible, before establishing a network con-
nection using bidirectional authentication that is cryptographically based and replay resistant.
(ix) IA.L3–3.5.3e ......................
Employ automated or manual/procedural mechanisms to prohibit system components from connecting to orga-
nizational systems unless the components are known, authenticated, in a properly configured state, or in a
trust profile.
(x) IR.L3–3.6.1e .......................
Establish and maintain a security operations center capability that operates 24/7, with allowance for remote/on-
call staff.
(xi) IR.L3–3.6.2e ......................
Establish and maintain a cyber-incident response team that can be deployed by the organization within 24
hours.
(xii) PS.L3–3.9.2e ....................
Ensure that organizational systems are protected if adverse information develops or is obtained about individ-
uals with access to CUI.
(xiii) RA.L3–3.11.1e .................
Employ threat intelligence, at a minimum from open or commercial sources, and any DoD-provided sources, as
part of a risk assessment to guide and inform the development of organizational systems, security architec-
tures, selection of security solutions, monitoring, threat hunting, and response and recovery activities.
(xiv) RA.L3–3.11.2e .................
Conduct cyber threat hunting activities on an on-going aperiodic basis or when indications warrant, to search
for indicators of compromise in organizational systems and detect, track, and disrupt threats that evade exist-
ing controls.
(xv) RA.L3–3.11.3e ..................
Employ advanced automation and analytics capabilities in support of analysts to predict and identify risks to or-
ganizations, systems, and system components.
(xvi) RA.L3–3.11.4e .................
Document or reference in the system security plan the security solution selected, the rationale for the security
solution, and the risk determination.
(xvii) RA.L3–3.11.5e ................
Assess the effectiveness of security solutions at least annually or upon receipt of relevant cyber threat informa-
tion, or in response to a relevant cyber incident, to address anticipated risk to organizational systems and the
organization based on current and accumulated threat intelligence.
(xviii) RA.L3–3.11.6e ...............
Assess, respond to, and monitor supply chain risks associated with organizational systems and system compo-
nents.
(xix) RA.L3–3.11.7e .................
Develop a plan for managing supply chain risks associated with organizational systems and system compo-
nents; update the plan at least annually, and upon receipt of relevant cyber threat information, or in response
to a relevant cyber incident.
(xx) CA.L3–3.12.1e ..................
Conduct penetration testing at least annually or when significant security changes are made to the system,
leveraging automated scanning tools and ad hoc tests using subject matter experts.
(xxi) SC.L3–3.13.4e .................
Employ physical isolation techniques or logical isolation techniques or both in organizational systems and sys-
tem components.
(xxii) SI.L3–3.14.1e ..................
Verify the integrity of security critical and essential software using root of trust mechanisms or cryptographic
signatures.
(xxiii) SI.L3–3.14.3e .................
Ensure that specialized assets including IoT, IIoT, OT, GFE, Restricted Information Systems, and test equip-
ment are included in the scope of the specified enhanced security requirements or are segregated in pur-
pose-specific networks.
(xxiv) SI.L3–3.14.6e .................
Use threat indicator information and effective mitigations obtained from, at a minimum, open or commercial
sources, and any DoD-provided sources, to guide and inform intrusion detection and threat hunting.
- Roman numerals in parentheses before the Security Requirement are for numbering purposes only. The numerals are not part of the naming
convention for the requirement.
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00136
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83227
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
(d) Implementation. Assessment of
security requirements is prescribed by
NIST SP 800–171A Jun2018
(incorporated by reference, see § 170.2)
and NIST SP 800–172A Mar2022
(incorporated by reference, see § 170.2).
Descriptive text in these documents
support OSA implementation of the
security requirements and use the terms
organization-defined and periodically.
Except where referring to Organization-
Defined Parameters (ODPs),
organization-defined means as
determined by the OSA. Periodically
means occurring at regular intervals. As
used in many requirements within
CMMC, the interval length is
organization-defined to provided
contractor flexibility, with an interval
length of no more than one year.
§ 170.15
CMMC Level 1 self-assessment
and affirmation requirements.
(a) Level 1 self-assessment. To comply
with CMMC Level 1 self-assessment
requirements, the OSA must meet the
requirements detailed in paragraphs
(a)(1) and (2) of this section. An OSA
conducts a Level 1 self-assessment as
detailed in paragraph (c) of this section
to achieve a CMMC Status of Final Level
1 (Self).
(1) Level 1 self-assessment
requirements. The OSA must complete
and achieve a MET result for all security
requirements specified in § 170.14(c)(2)
to achieve the CMMC Status of Final
Level 1 (Self). No POA&Ms are
permitted for CMMC Level 1. The OSA
must conduct a self-assessment in
accordance with the procedures set
forth in § 170.15(c)(1) and submit
assessment results in SPRS. To maintain
compliance with the requirements for
the CMMC Status of Final Level 1 (Self),
the OSA must conduct a Level 1 self-
assessment on an annual basis and
submit the results in SPRS, or its
successor capability.
(i) Inputs to SPRS. The Level 1 self-
assessment results in the Supplier
Performance Risk System (SPRS) shall
include, at minimum, the following
items:
(A) CMMC Level.
(B) CMMC Status Date.
(C) CMMC Assessment Scope.
(D) All industry CAGE code(s)
associated with the information
system(s) addressed by the CMMC
Assessment Scope.
(E) Compliance result.
(ii) [Reserved]
(2) Affirmation. Affirmation of the
Level 1 (Self) CMMC Status is required
for all Level 1 self-assessments.
Affirmation procedures are set forth in
§ 170.22.
(b) Contract eligibility. Prior to award
of any contract or subcontract with a
requirement for the CMMC Status of
Level 1 (Self), OSAs must both achieve
a CMMC Status of Level 1 (Self) and
have submitted an affirmation of
compliance into SPRS for all
information systems within the CMMC
Assessment Scope.
(c) Procedures—(1) Level 1 self-
assessment. The OSA must conduct a
Level 1 self-assessment scored in
accordance with the CMMC Scoring
Methodology described in § 170.24. The
Level 1 self-assessment must be
performed in accordance with the
CMMC Level 1 scope requirements set
forth in § 170.19(a) and (b) and the
following:
(i) The Level 1 self-assessment must
be performed using the objectives
defined in NIST SP 800–171A Jun2018
(incorporated by reference, see § 170.2)
for the security requirement that maps
to the CMMC Level 1 security
requirement as specified in table 1 to
paragraph (c)(1)(ii) of this section. In
any case where an objective addresses
CUI, FCI should be substituted for CUI
in the objective.
(ii) Mapping table for CMMC Level 1
security requirements to the NIST SP
800–171A Jun2018 objectives.
TABLE 2 TO § 170.15(c)(1)(ii)—CMMC LEVEL 1 SECURITY REQUIREMENTS MAPPED TO NIST SP 800–171A JUN2018
CMMC Level 1 security requirements as set forth in § 170.14(c)(2)
NIST SP 800–171A Jun2018
AC.L1–b.1.i ..................................................................................................................................................................
3.1.1
AC.L1–b.1.ii .................................................................................................................................................................
3.1.2
AC.L1–b.1.iii .................................................................................................................................................................
3.1.20
AC.L1–b.1.iv ................................................................................................................................................................
3.1.22
IA.L1–b.1.v ...................................................................................................................................................................
3.5.1
IA.L1–b.1.vi ..................................................................................................................................................................
3.5.2
MP.L1–b.1.vii ...............................................................................................................................................................
3.8.3
PE.L1–b.1.viii ...............................................................................................................................................................
3.10.1
First phrase of PE.L1–b.1.ix (FAR b.1.ix *) .................................................................................................................
3.10.3
Second phrase of PE.L1–b.1.ix (FAR b.1.ix *) ............................................................................................................
3.10.4
Third phrase of PE.L1–b.1.ix (FAR b.1.ix *) ................................................................................................................
3.10.5
SC.L1–b.1.x .................................................................................................................................................................
3.13.1
SC.L1–b.1.xi ................................................................................................................................................................
3.13.5
SI.L1–b.1.xii .................................................................................................................................................................
3.14.1
SI.L1–b.1.xiii ................................................................................................................................................................
3.14.2
SI.L1–b.1.xiv ................................................................................................................................................................
3.14.4
SI.L1–b.1.xv .................................................................................................................................................................
3.14.5
- Three of the 48 CFR 52.204–21 requirements were broken apart by ‘‘phrase’’ when NIST SP 800–171 R2 was developed.
(iii) Additional guidance can be found
in the guidance document listed in
paragraph (b) of appendix A to this part.
(2) Artifact retention. The artifacts
used as evidence for the assessment
must be retained by the OSA for six (6)
years from the CMMC Status Date.
§ 170.16
CMMC Level 2 self-assessment
and affirmation requirements.
(a) Level 2 self-assessment. To comply
with Level 2 self-assessment
requirements, the OSA must meet the
requirements detailed in paragraphs
(a)(1) and (2) of this section. An OSA
conducts a Level 2 self-assessment as
detailed in paragraph (c) of this section
to achieve a CMMC Status of either
Conditional or Final Level 2 (Self).
Achieving a CMMC Status of Level 2
(Self) also satisfies the requirements for
a CMMC Status of Level 1 (Self) detailed
in § 170.15 for the same CMMC
Assessment Scope.
(1) Level 2 self-assessment
requirements. The OSA must complete
and achieve a MET result for all security
requirements specified in § 170.14(c)(3)
to achieve the CMMC Status of Level 2
(Self). The OSA must conduct a self-
assessment in accordance with the
procedures set forth in paragraph (c)(1)
of this section and submit assessment
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00137
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83228
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
results in Supplier Performance Risk
System (SPRS). To maintain compliance
with the requirements for a CMMC
Status of Level 2 (Self), the OSA must
conduct a Level 2 self-assessment every
three years and submit the results in
SPRS, within three years of the CMMC
Status Date associated with the
Conditional Level 2 (Self).
(i) Inputs to SPRS. The Level 2 self-
assessment results in the SPRS shall
include, at minimum, the following
information:
(A) CMMC Level.
(B) CMMC Status Date.
(C) CMMC Assessment Scope.
(D) All industry CAGE code(s)
associated with the information
system(s) addressed by the CMMC
Assessment Scope.
(E) Overall Level 2 self-assessment
score (e.g., 105 out of 110).
(F) POA&M usage and compliance
status, if applicable.
(ii) Conditional Level 2 (Self). The
OSA has achieved the CMMC Status of
Conditional Level 2 (Self) if the Level 2
self-assessment results in a POA&M and
the POA&M meets all the CMMC Level
2 POA&M requirements listed in
§ 170.21(a)(2).
(A) Plan of Action and Milestones. A
Level 2 POA&M is allowed only in
accordance with the CMMC POA&M
requirements listed in § 170.21.
(B) POA&M closeout. The OSA must
remediate any NOT MET requirements,
must perform a POA&M closeout self-
assessment, and must post compliance
results to SPRS within 180 days of the
CMMC Status Date associated with the
Conditional Level 2 (Self). If the
POA&M is not successfully closed out
within the 180-day timeframe, the
Conditional Level 2 (Self) CMMC Status
for the information system will expire.
If Conditional Level 2 (Self) CMMC
Status expires within the period of
performance of a contract, standard
contractual remedies will apply, and the
OSA will be ineligible for additional
awards with a requirement for the
CMMC Status of Level 2 (Self), or higher
requirement, for the information system
within the CMMC Assessment Scope
until such time as a new CMMC Status
is achieved.
(iii) Final Level 2 (Self). The OSA has
achieved the CMMC Status of Final
Level 2 (Self) if the Level 2 self-
assessment results in a passing score as
defined in § 170.24. This score may be
achieved upon initial self-assessment or
as the result of a POA&M closeout self-
assessment, as applicable.
(iv) CMMC Status investigation. The
DoD reserves the right to conduct a
DCMA DIBCAC assessment of the OSA,
as provided for under the 48 CFR
252.204–7020. If the investigative
results of a subsequent DCMA DIBCAC
assessment show that adherence to the
provisions of this part have not been
achieved or maintained, these DCMA
DIBCAC results will take precedence
over any pre-existing CMMC Status. At
that time, standard contractual remedies
will be available and the OSA will be
ineligible for additional awards with
CMMC Status requirement of Level 2
(Self), or higher requirement, for the
information system within the CMMC
Assessment Scope until such time as a
new CMMC Status is achieved.
(2) Affirmation. Affirmation of the
Level 2 (Self) CMMC Status is required
for all Level 2 self-assessments at the
time of each assessment, and annually
thereafter. Affirmation procedures are
set forth in § 170.22.
(b) Contract eligibility. Prior to award
of any contract or subcontract with
requirement for CMMC Status of Level
2 (Self), the following two requirements
must be met:
(1) The OSA must achieve, as
specified in paragraph (a)(1) of this
section, a CMMC Status of either
Conditional Level 2 (Self) or Final Level
2 (Self).
(2) The OSA must submit an
affirmation of compliance into SPRS, as
specified in paragraph (a)(2) of this
section.
(c) Procedures—(1) Level 2 self-
assessment of the OSA. The OSA must
conduct a Level 2 self-assessment in
accordance with NIST SP 800–171A
Jun2018 (incorporated by reference, see
§ 170.2) and the CMMC Level 2 scoping
requirements set forth in §§ 170.19(a)
and (c) for the information systems
within the CMMC Assessment Scope.
The Level 2 self-assessment must be
scored in accordance with the CMMC
Scoring Methodology described in
§ 170.24 and the OSA must upload the
results into SPRS. If a POA&M exists, a
POA&M closeout self-assessment must
be performed by the OSA when all NOT
MET requirements have been
remediated. The POA&M closeout self-
assessment must be performed within
180-days of the Conditional CMMC
Status Date. Additional guidance can be
found in the guidance document listed
in paragraph (c) of appendix A to this
part.
(2) Level 2 self-assessment with the
use of Cloud Service Provider (CSP). An
OSA may use a cloud environment to
process, store, or transmit CUI in
performance of a contract or subcontract
with a requirement for the CMMC Status
of Level 2 (Self) under the following
circumstances:
(i) The CSP product or service offering
is FedRAMP Authorized at the
FedRAMP Moderate (or higher) baseline
in accordance with the FedRAMP
Marketplace; or
(ii) The CSP product or service
offering is not FedRAMP Authorized at
the FedRAMP Moderate (or higher)
baseline but meets security
requirements equivalent to those
established by the FedRAMP Moderate
(or higher) baseline. FedRAMP
Moderate or FedRAMP Moderate
equivalent is in accordance with DoD
Policy.
(iii) In accordance with § 170.19(c)(2),
the OSA’s on-premises infrastructure
connecting to the CSP’s product or
service offering is part of the CMMC
Assessment Scope, which will also be
assessed. As such, the security
requirements from the Customer
Responsibility Matrix (CRM) must be
documented or referred to in the OSA’s
System Security Plan (SSP).
(3) Level 2 self-assessment with the
use of an External Service Provider
(ESP), not a CSP. An OSA may use an
ESP that is not a CSP to process, store,
or transmit CUI in performance of a
contract or subcontract with a
requirement for the CMMC Status of
Level 2 (Self) under the following
circumstances:
(i) The use of the ESP, its relationship
to the OSA, and the services provided
are documented in the OSA’s SSP and
described in the ESP’s service
description and CRM.
(ii) The ESP services used to meet
OSA requirements are assessed within
the scope of the OSA’s assessment
against all Level 2 security
requirements.
(iii) In accordance with § 170.19(c)(2),
the OSA’s on-premises infrastructure
connecting to the ESP’s product or
service offering is part of the CMMC
Assessment Scope, which will also be
assessed. As such, the security
requirements from the CRM must be
documented or referred to in the OSA’s
SSP.
(4) Artifact retention. The artifacts
used as evidence for the assessment
must be retained by the OSA for six (6)
years from the CMMC Status Date.
§ 170.17
CMMC Level 2 certification
assessment and affirmation requirements.
(a) Level 2 certification assessment.
To comply with Level 2 certification
assessment requirements, the OSC must
meet the requirements set forth in
paragraphs (a)(1) and (2) of this section.
An OSC undergoes a Level 2
certification assessment as detailed in
paragraph (c) of this section to achieve
a CMMC Status of either Conditional or
Final Level 2 (C3PAO). Achieving a
CMMC Status of Level 2 (C3PAO) also
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00138
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83229
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
satisfies the requirements for a CMMC
Statuses of Level 1 (Self) and Level 2
(Self) set forth in §§ 170.15 and 170.16
respectively for the same CMMC
Assessment Scope.
(1) Level 2 certification assessment
requirements. The OSC must complete
and achieve a MET result for all security
requirements specified in § 170.14(c)(3)
to achieve the CMMC Status of Level 2
(C3PAO). The OSC must obtain a Level
2 certification assessment from an
authorized or accredited C3PAO
following the procedures outlined in
paragraph (c) of this section. The
C3PAO must submit the Level 2
certification assessment results into the
CMMC instantiation of eMASS, which
then provides automated transmission
to SPRS. To maintain compliance with
the requirements for a CMMC Status of
Level 2 (C3PAO), the Level 2
certification assessment must be
completed within three years of the
CMMC Status Date associated with the
Conditional Level 2 (C3PAO).
(i) Inputs into the CMMC instantiation
of eMASS. The Level 2 certification
assessment results input into the CMMC
instantiation of eMASS shall include, at
minimum, the following information:
(A) Date and level of the assessment.
(B) C3PAO name.
(C) Assessment unique identifier.
(D) For each Assessor conducting the
assessment, name and business contact
information.
(E) All industry CAGE codes
associated with the information systems
addressed by the CMMC Assessment
Scope.
(F) The name, date, and version of the
SSP.
(G) CMMC Status Date.
(H) Assessment result for each
requirement objective.
(I) POA&M usage and compliance, as
applicable.
(J) List of the artifact names, the
return value of the hashing algorithm,
and the hashing algorithm used.
(ii) Conditional Level 2 (C3PAO). The
OSC has achieved the CMMC Status of
Conditional Level 2 (C3PAO) if the
Level 2 certification assessment results
in a POA&M and the POA&M meets all
CMMC Level 2 POA&M requirements
listed in § 170.21(a)(2).
(A) Plan of Action and Milestones. A
Level 2 POA&M is allowed only in
accordance with the CMMC POA&M
requirements listed in § 170.21.
(B) POA&M closeout. The OSC must
remediate any NOT MET requirements,
must undergo a POA&M closeout
certification assessment from a C3PAO,
and the C3PAO must post compliance
results into the CMMC instantiation of
eMASS within 180 days of the CMMC
Status Date associated with the
Conditional Level 2 (C3PAO). If the
POA&M is not successfully closed out
within the 180-day timeframe, the
Conditional Level 2 (C3PAO) CMMC
Status for the information system will
expire. If Conditional Level 2 (C3PAO)
CMMC Status expires within the period
of performance of a contract, standard
contractual remedies will apply, and the
OSC will be ineligible for additional
awards with a requirement for the
CMMC Status of Level 2 (C3PAO), or
higher requirement, for the information
system within the CMMC Assessment
Scope until such time as a new CMMC
Status is achieved.
(iii) Final Level 2 (C3PAO). The OSC
has achieved the CMMC Status of Final
Level 2 (C3PAO) if the Level 2
certification assessment results in a
passing score as defined in § 170.24.
This score may be achieved upon initial
certification assessment or as the result
of a POA&M closeout certification
assessment, as applicable.
(iv) CMMC Status investigation. The
DoD reserves the right to conduct a
DCMA DIBCAC assessment of the OSC,
as provided for under the 48 CFR
252.204–7020. If the investigative
results of a subsequent DCMA DIBCAC
assessment show that adherence to the
provisions of this part have not been
achieved or maintained, these DCMA
DIBCAC results will take precedence
over any pre-existing CMMC Status. At
that time, standard contractual remedies
will be available and the OSC will be
ineligible for additional awards with
CMMC Status requirement of Level 2
(C3PAO), or higher requirement, for the
information system within the CMMC
Assessment Scope until such time as a
new CMMC Status is achieved.
(2) Affirmation. Affirmation of the
Level 2 (C3PAO) CMMC Status is
required for all Level 2 certification
assessments at the time of each
assessment, and annually thereafter.
Affirmation procedures are provided in
§ 170.22.
(b) Contract eligibility. Prior to award
of any contract or subcontract with a
requirement for the CMMC Status of
Level 2 (C3PAO), the following two
requirements must be met:
(1) The OSC must achieve, as
specified in paragraph (a)(1) of this
section, a CMMC Status of either
Conditional Level 2 (C3PAO) or Final
Level 2 (C3PAO).
(2) The OSC must submit an
affirmation of compliance into SPRS, as
specified in paragraph (a)(2) of this
section.
(c) Procedures—(1) Level 2
certification assessment of the OSC. An
authorized or accredited C3PAO must
perform a Level 2 certification
assessment in accordance with NIST SP
800–171A Jun2018 (incorporated by
reference, see § 170.2) and the CMMC
Level 2 scoping requirements set forth
in § 170.19(a) and (c) for the information
systems within the CMMC Assessment
Scope. The Level 2 certification
assessment must be scored in
accordance with the CMMC Scoring
Methodology described in § 170.24 and
the C3PAO must upload the results into
the CMMC instantiation of eMASS.
Final results are communicated to the
OSC through a CMMC Assessment
Findings Report.
(2) Security requirement re-
evaluation. A security requirement that
is NOT MET (as defined in § 170.24)
may be re-evaluated during the course
of the Level 2 certification assessment
and for 10 business days following the
active assessment period if all of the
following conditions exist:
(i) Additional evidence is available to
demonstrate the security requirement
has been MET;
(ii) Cannot change or limit the
effectiveness of other requirements that
have been scored MET; and
(iii) The CMMC Assessment Findings
Report has not been delivered.
(3) POA&M. If a POA&M exists, a
POA&M closeout certification
assessment must be performed by a
C3PAO within 180-days of the
Conditional CMMC Status Date.
Additional guidance can be found in
§ 170.21 and in the guidance document
listed in paragraph (c) of appendix A to
this part.
(4) Artifact retention and integrity.
The hashed artifacts used as evidence
for the assessment must be retained by
the OSC for six (6) years from the
CMMC Status Date. To ensure that the
artifacts have not been altered, the OSC
must hash the artifact files using a
NIST-approved hashing algorithm. The
OSC must provide the C3PAO with a
list of the artifact names, the return
value of the hashing algorithm, and the
hashing algorithm for upload into the
CMMC instantiation of eMASS.
Additional guidance for hashing
artifacts can be found in the guidance
document listed in paragraph (h) of
appendix A to this part.
(5) Level 2 certification assessment
with the use of Cloud Service Provider
(CSP). An OSC may use a cloud
environment to process, store, or
transmit CUI in performance of a
contract or subcontract with a
requirement for the CMMC Status of
Level 2 (C3PAO) under the following
circumstances:
(i) The CSP product or service offering
is FedRAMP Authorized at the
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00139
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83230
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
FedRAMP Moderate (or higher) baseline
in accordance with the FedRAMP
Marketplace; or
(ii) The CSP product or service
offering is not FedRAMP Authorized at
the FedRAMP Moderate (or higher)
baseline but meets security
requirements equivalent to those
established by the FedRAMP Moderate
(or higher) baseline. FedRAMP
Moderate or FedRAMP Moderate
equivalent is in accordance with DoD
Policy.
(iii) In accordance with § 170.19(c)(2),
the OSC’s on-premises infrastructure
connecting to the CSP’s product or
service offering is part of the CMMC
Assessment Scope. As such, the security
requirements from the CRM must be
documented or referred to in the OSC’s
SSP.
(6) Level 2 certification assessment
with the use of an External Service
Provider (ESP), not a CSP. An OSA may
use an ESP that is not a CSP to process,
store, or transmit CUI in performance of
a contract or subcontract with a
requirement for the CMMC Status of
Level 2 (C3PAO) under the following
circumstances:
(i) The use of the ESP, its relationship
to the OSA, and the services provided
are documented in the OSA’s SSP and
described in the ESP’s service
description and customer responsibility
matrix.
(ii) The ESP services used to meet
OSA requirements are assessed within
the scope of the OSA’s assessment
against all Level 2 security
requirements.
(iii) In accordance with § 170.19(c)(2),
the OSA’s on-premises infrastructure
connecting to the ESP’s product or
service offering is part of the CMMC
Assessment Scope, which will also be
assessed. As such, the security
requirements from the CRM must be
documented or referred to in the OSA’s
SSP.
§ 170.18
CMMC Level 3 certification
assessment and affirmation requirements.
(a) Level 3 certification assessment.
To comply with Level 3 certification
assessment requirements, the OSC must
meet the requirements set forth in
paragraphs (a)(1) and (2) of this section.
An OSC undergoes a Level 3
certification assessment as detailed in
paragraph (c) of this section to achieve
a CMMC Status of either Conditional or
Final Level 3 (DIBCAC). A CMMC
Status of Final Level 2 (C3PAO) for
information systems within the Level 3
CMMC Assessment Scope is a
prerequisite to undergo a Level 3
certification assessment. CMMC Level 3
recertification also has a prerequisite for
a new CMMC Level 2 assessment.
Achieving a CMMC Status of Level 3
(DIBCAC) also satisfies the requirements
for CMMC Statuses of Level 1 (Self),
Level 2 (Self), and Level 2 (C3PAO) set
forth in §§ 170.15 through 170.17
respectively for the same CMMC
Assessment Scope.
(1) Level 3 certification assessment
requirements. The OSC must achieve a
CMMC Status of Final Level 2 (C3PAO)
on the Level 3 CMMC Assessment
Scope, as defined in § 170.19(d), prior to
initiating a Level 3 certification
assessment, which will be performed by
DCMA DIBCAC ([http://www.dcma.mil/DIBCAC www.dcma.mil/
DIBCAC) on behalf of the DoD. The OSC
]must complete and achieve a MET
result for all security requirements
specified in table 1 to § 170.14(c)(4) to
achieve the CMMC Status of Level 3
(DIBCAC). DCMA DIBCAC will submit
the Level 3 certification assessment
results into the CMMC instantiation of
eMASS, which then provides automated
transmission to SPRS. To maintain
compliance with the requirements for a
CMMC Status of Level 3 (DIBCAC), the
Level 3 certification assessment must be
performed every three years for all
information systems within the Level 3
CMMC Assessment Scope. In addition,
given that compliance with Level 2
requirements is a prerequisite for
applying for CMMC Level 3, a Level 2
(C3PAO) certification assessment must
also be conducted every three years to
maintain CMMC Level 3 (DIBCAC)
status. Level 3 certification assessment
must be completed within three years of
the CMMC Status Date associated with
the Final Level 3 (DIBCAC) or, if there
was a POA&M, then within three years
of the CMMC Status Date associated
with the Conditional Level 3 (DIBCAC).
(i) Inputs into the CMMC instantiation
of eMASS. The Level 3 certification
assessment results input into the CMMC
instantiation of eMASS shall include, at
minimum, the following items:
(A) Date and level of the assessment.
(B) For each Assessor(s) conducting
the assessment, name and government
organization information.
(C) All industry CAGE code(s)
associated with the information
system(s) addressed by the CMMC
Assessment Scope.
(D) The name, date, and version of the
system security plan(s) (SSP).
(E) CMMC Status Date.
(F) Result for each security
requirement objective.
(G) POA&M usage and compliance, as
applicable.
(H) List of the artifact names, the
return value of the hashing algorithm,
and the hashing algorithm used.
(ii) Conditional Level 3 (DIBCAC). The
OSC has achieved the CMMC Status of
Conditional Level 3 (DIBCAC) if the
Level 3 certification assessment results
in a POA&M and the POA&M meets all
CMMC Level 3 POA&M requirements
listed in § 170.21(a)(3).
(A) Plan of Action and Milestones. A
Level 3 POA&M is allowed only in
accordance with the CMMC POA&M
requirements listed in § 170.21.
(B) POA&M closeout. The OSC must
remediate any NOT MET requirements,
must undergo a POA&M closeout
certification assessment from DCMA
DIBCAC, and DCMA DIBCAC must post
compliance results into the CMMC
instantiation of eMASS within 180 days
of the CMMC Status Date associated
with the Conditional Level 3 (DIBCAC).
If the POA&M is not successfully closed
out within the 180-day timeframe, the
Conditional Level 3 (DIBAC) CMMC
Status for the information system will
expire. If Conditional Level 3 (DIBCAC)
CMMC Status expires within the period
of performance of a contract, standard
contractual remedies will apply, and the
OSC will be ineligible for additional
awards with a requirement for the
CMMC Status of Level 3 (DIBCAC) for
the information system within the
CMMC Assessment Scope until such
time as a new CMMC Status is achieved.
(iii) Final Level 3 (DIBCAC). The OSC
has achieved the CMMC Status of Final
Level 3 (DIBCAC) if the Level 3
certification assessment results in a
passing score as defined in § 170.24.
This score may be achieved upon initial
certification assessment or as the result
of a POA&M closeout certification
assessment, as applicable.
(iv) CMMC Status investigation. The
DoD reserves the right to conduct a
DCMA DIBCAC assessment of the OSC,
as provided for under the 48 CFR
252.204–7020. If the investigative
results of a subsequent DCMA DIBCAC
assessment show that adherence to the
provisions of this part have not been
achieved or maintained, these DCMA
DIBCAC results will take precedence
over any pre-existing CMMC Status. At
that time, standard contractual remedies
will be available and the OSC will be
ineligible for additional awards with
CMMC Status requirement of Level 3
(DIBCAC) for the information system
within the CMMC Assessment Scope
until such time as a new CMMC Status
is achieved.
(2) Affirmation. Affirmation of the
Level 3 (DIBCAC) CMMC Status is
required for all Level 3 certification
assessments at the time of each
assessment, and annually thereafter.
Affirmation procedures are provided in
§ 170.22.
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00140
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83231
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
(b) Contract eligibility. Prior to award
of any contract or subcontract with
requirement for CMMC Status of Level
3 (DIBCAC), the following two
requirements must be met:
(1) The OSC must achieve, as
specified in paragraph (a)(1) of this
section, a CMMC Status of either
Conditional Level 3 (DIBCAC) or Final
Level 3 (DIBCAC).
(2) The OSC must submit an
affirmation of compliance into SPRS, as
specified in paragraph (a)(2) of this
section.
(c) Procedures—(1) Level 3
certification assessment of the OSC. The
CMMC Level 3 certification assessment
process includes:
(i) Final Level 2 (C3PAO). The OSC
must achieve a CMMC Status of Final
Level 2 (C3PAO) for information
systems within the Level 3 CMMC
Assessment Scope prior to the CMMC
Level 3 certification assessment. The
CMMC Assessment Scope for the Level
3 certification assessment must be equal
to, or a subset of, the CMMC Assessment
Scope associated with the OSC’s Final
Level 2 (C3PAO). Asset requirements
differ for each CMMC Level. Scoping
differences are set forth in § 170.19.
(ii) Initiating the Final Level 3
(DIBCAC). The OSC (including ESPs
that voluntarily elect to undergo a Level
3 certification assessment) initiates a
Level 3 certification assessment by
emailing a request to DCMA DIBCAC
point of contact found at
[http://www.dcma.mil/DIBCAC www.dcma.mil/DIBCAC. The request
]must include the Level 2 certification
assessment unique identifier. DCMA
DIBCAC will validate the OSC has
achieved a CMMC Status of Level 2
(C3PAO) and will contact the OSC to
schedule their Level 3 certification
assessment.
(iii) Conducting the Final Level 3
(DIBCAC). DCMA DIBCAC will perform
a Level 3 certification assessment in
accordance with NIST SP 800–171A
Jun2018 (incorporated by reference, see
§ 170.2) and NIST SP 800–172A
Mar2022 (incorporated by reference, see
§ 170.2) and the CMMC Level 3 scoping
requirements set forth in § 170.19(d) for
the information systems within the
CMMC Assessment Scope. The Level 3
certification assessment will be scored
in accordance with the CMMC Scoring
Methodology set forth in § 170.24 and
DCMA DIBCAC will upload the results
into the CMMC instantiation of eMASS.
Final results are communicated to the
OSC through a CMMC Assessment
Findings Report. For assets that changed
asset category (i.e., CRMA to CUI Asset)
or assessment requirements (i.e.,
Specialized Assets) between the Level 2
and Level 3 certification assessments,
DCMA DIBCAC will perform limited
checks of Level 2 security requirements.
If the OSC had these upgraded asset
categories included in their Level 2
certification assessment, then DCMA
DIBCAC may still perform limited
checks for compliance. If DCMA
DIBCAC identifies that a Level 2
security requirement is NOT MET, the
Level 3 assessment process may be
paused to allow for remediation, placed
on hold, or immediately terminated.
(2) Security requirement re-
evaluation. A security requirement that
is NOT MET (as defined in § 170.24)
may be re-evaluated during the course
of the Level 3 certification assessment
and for 10 business days following the
active assessment period if all of the
following conditions exist:
(i) Additional evidence is available to
demonstrate the security requirement
has been MET;
(ii) The additional evidence does not
materially impact previously assessed
security requirements; and
(iii) The CMMC Assessment Findings
Report has not been delivered.
(3) POA&M. If a POA&M exists, a
POA&M closeout certification
assessment will be performed by DCMA
DIBCAC within 180-days of the
Conditional CMMC Status Date.
Additional guidance is located in
§ 170.21 and in the guidance document
listed in paragraph (d) of appendix A to
this part.
(4) Artifact retention and integrity.
The hashed artifacts used as evidence
for the assessment must be retained by
the OSC for six (6) years from the
CMMC Status Date. The hashed artifacts
used as evidence for the assessment
must be retained by the OSC for six (6)
years from the CMMC Status Date. To
ensure that the artifacts have not been
altered, the OSC must hash the artifact
files using a NIST-approved hashing
algorithm. Assessors will collect the list
of the artifact names, the return value of
the hashing algorithm, and the hashing
algorithm used and upload that data
into the CMMC instantiation of eMASS.
Additional guidance for hashing
artifacts can be found in the guidance
document listed in paragraph (h) of
appendix A to this part.
(5) Level 3 certification assessment
with the use of Cloud Service Provider
(CSP). An OSC may use a cloud
environment to process, store, or
transmit CUI in performance of a
contract or subcontract with a
requirement for the CMMC Status of
Level 3 (DIBCAC) under the following
circumstances:
(i) The OSC may utilize a CSP product
or service offering that meets the
FedRAMP Moderate (or higher)
baseline. If the CSP’s product or service
offering is not FedRAMP Authorized at
the FedRAMP Moderate (or higher)
baseline, the product or service offering
must meet security requirements
equivalent to those established by the
FedRAMP Moderate (or higher) baseline
in accordance with DoD Policy.
(ii) Use of a CSP does not relieve an
OSC of its obligation to implement the
24 Level 3 security requirements. These
24 requirements apply to every
environment where the CUI data is
processed, stored, or transmitted, when
Level 3 (DIBCAC) is the designated
CMMC Status. If any of these 24
requirements are inherited from a CSP,
the OSC must demonstrate that
protection during a Level 3 certification
assessment via a Customer
Implementation Summary/Customer
Responsibility Matrix (CIS/CRM) and
associated Body of Evidence (BOE). The
BOE must clearly indicate whether the
OSC or the CSP is responsible for
meeting each requirement and which
requirements are implemented by the
OSC versus inherited from the CSP.
(iii) In accordance with § 170.19(d)(2),
the OSC’s on-premises infrastructure
connecting to the CSP’s product or
service offering is part of the CMMC
Assessment Scope. As such, the security
requirements from the CRM must be
documented or referred to in the OSC’s
SSP.
(6) Level 3 certification assessment
with the use of an ESP, not a CSP. An
OSC may use an ESP that is not a CSP
to process, store, or transmit CUI in
performance of a contract or subcontract
with a requirement for the CMMC Status
of Level 3 (DIBCAC) under the following
circumstances:
(i) The use of the ESP, its relationship
to the OSC, and the services provided
are documented in the OSC’s SSP and
described in the ESP’s service
description and customer responsibility
matrix.
(ii) The ESP services used to meet
OSC requirements are assessed within
the scope of the OSC’s assessment
against all Level 2 and Level 3 security
requirements.
(iii) In accordance with § 170.19(d)(2),
the OSC’s on-premises infrastructure
connecting to the ESP’s product or
service offering is part of the CMMC
Assessment Scope, which will also be
assessed. As such, the security
requirements from the CRM must be
documented or referred to in the OSC’s
SSP.
§ 170.19
CMMC scoping.
(a) Scoping requirement. (1) The
CMMC Assessment Scope must be
specified prior to assessment in
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00141
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83232
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
accordance with the requirements of
this section. The CMMC Assessment
Scope is the set of all assets in the
OSA’s environment that will be
assessed against CMMC security
requirements.
(2) The requirements for defining the
CMMC Assessment Scope for CMMC
Levels 1, 2, and 3 are set forth in this
section. Additional guidance regarding
scoping can be found in the guidance
documents listed in paragraphs (e)
through (g) of appendix A to this part.
(b) CMMC Level 1 scoping. Prior to
performing a Level 1 self-assessment,
the OSA must specify the CMMC
Assessment Scope.
(1) Assets in scope for Level 1 self-
assessment. OSA information systems
which process, store, or transmit FCI are
in scope for CMMC Level 1 and must be
self-assessed against applicable CMMC
security requirements.
(2) Assets not in scope for Level 1 self-
assessment—(i) Out-of-Scope Assets.
OSA information systems which do not
process, store, or transmit FCI are
outside the scope for CMMC Level 1. An
endpoint hosting a VDI client
configured to not allow any processing,
storage, or transmission of FCI beyond
the Keyboard/Video/Mouse sent to the
VDI client is considered out-of-scope.
There are no documentation
requirements for out-of-scope assets.
(ii) Specialized Assets. Specialized
Assets are those assets that can process,
store, or transmit FCI but are unable to
be fully secured, including: Internet of
Things (IoT) devices, Industrial Internet
of Things (IIoT) devices, Operational
Technology (OT), Government
Furnished Equipment (GFE), Restricted
Information Systems, and Test
Equipment. Specialized Assets are not
part of the Level 1 CMMC Assessment
Scope and are not assessed against
CMMC security requirements.
(3) Level 1 self-assessment scoping
considerations. To scope a Level 1 self-
assessment, OSAs should consider the
people, technology, facilities, and
External Service Providers (ESP) within
its environment that process, store, or
transmit FCI.
(c) CMMC Level 2 Scoping. Prior to
performing a Level 2 self-assessment or
Level 2 certification assessment, the
OSA must specify the CMMC
Assessment Scope.
(1) The CMMC Assessment Scope for
CMMC Level 2 is based on the
specification of asset categories and
their respective requirements as defined
in table 3 to this paragraph (c)(1).
Additional information is available in
the guidance document listed in
paragraph (f) of appendix A to this part.
TABLE 3 TO § 170.19(c)(1)—CMMC LEVEL 2 ASSET CATEGORIES AND ASSOCIATED REQUIREMENTS
Asset category
Asset description
OSA requirements
CMMC assessment requirements
Assets that are in the Level 2 CMMC Assessment Scope
Controlled Unclassified Informa-
tion (CUI) Assets.
• Assets that process, store, or transmit
CUI.
• Document in the asset inventory ...........
• Document asset treatment in the Sys-
tem Security Plan (SSP).
• Document in the network diagram of
the CMMC Assessment Scope.
• Prepare to be assessed against CMMC
Level 2 security requirements.
• Assess against all Level 2 security re-
quirements.
Security Protection Assets ........
• Assets that provide security functions
or capabilities to the OSA’s CMMC As-
sessment Scope.
• Document in the asset inventory ...........
• Document asset treatment in SSP.
• Document in the network diagram of
the CMMC Assessment Scope.
• Prepare to be assessed against CMMC
Level 2 security requirements.
• Assess against Level 2 security re-
quirements that are relevant to the ca-
pabilities provided.
Contractor Risk Managed As-
sets.
• Assets that can, but are not intended
to, process, store, or transmit CUI be-
cause of security policy, procedures,
and practices in place.
• Assets are not required to be physically
or logically separated from CUI assets.
• Document in the asset inventory ...........
• Document asset treatment in the SSP.
• Document in the network diagram of
the CMMC Assessment Scope.
• Prepare to be assessed against CMMC
Level 2 security requirements.
• Review the SSP:
• If sufficiently documented, do not
assess against other CMMC secu-
rity requirements, except as noted.
• If OSA’s risk-based security poli-
cies, procedures, and practices
documentation or other findings
raise questions about these assets,
the assessor can conduct a limited
check to identify deficiencies.
• The limited check(s) shall not ma-
terially increase the assessment
duration nor the assessment cost.
• The limited check(s) will be as-
sessed against CMMC security re-
quirements.
Specialized Assets ....................
• Assets that can process, store, or
transmit CUI but are unable to be fully
secured, including: Internet of Things
(IoT) devices, Industrial Internet of
Things (IIoT) devices, Operational
Technology (OT), Government Fur-
nished Equipment (GFE), Restricted In-
formation Systems, and Test Equip-
ment.
• Document in the asset inventory ...........
• Document asset treatment in the SSP.
• Show these assets are managed using
the contractor’s risk-based security poli-
cies, procedures, and practices.
• Document in the network diagram of
the CMMC Assessment Scope.
• Review the SSP.
• Do not assess against other CMMC se-
curity requirements.
Assets that are not in the Level 2 CMMC Assessment Scope
Out-of-Scope Assets .................
• Assets that cannot process, store, or
transmit CUI; and do not provide secu-
rity protections for CUI Assets.
• Prepare to justify the inability of an Out-
of-Scope Asset to process, store, or
transmit CUI.
• None.
• Assets that are physically or logically
separated from CUI assets.
• Assets that fall into any in-scope asset
category cannot be considered an Out-
of-Scope Asset.
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00142
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83233
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
TABLE 3 TO § 170.19(c)(1)—CMMC LEVEL 2 ASSET CATEGORIES AND ASSOCIATED REQUIREMENTS—Continued
Asset category
Asset description
OSA requirements
CMMC assessment requirements
• An endpoint hosting a VDI client config-
ured to not allow any processing, stor-
age, or transmission of CUI beyond the
Keyboard/Video/Mouse sent to the VDI
client is considered an Out-of-Scope
Asset.
(2)(i) Table 4 to this paragraph (c)(2)(i)
defines the requirements to be met
when utilizing an External Service
Provider (ESP). The OSA must consider
whether the ESP is a Cloud Service
Provider (CSP) and whether the ESP
processes, stores, or transmits CUI and/
or Security Protection Data (SPD).
TABLE 4 TO § 170.19(c)(2)(i)—ESP SCOPING REQUIREMENTS
When the ESP processes,
stores, or transmits:
When utilizing an ESP that is:
A CSP
Not a CSP
CUI (with or without SPD) ..
The CSP shall meet the FedRAMP requirements in 48
CFR 252.204–7012.
The services provided by the ESP are in the OSA’s as-
sessment scope and shall be assessed as part of the
OSA’s assessment.
SPD (without CUI) ..............
The services provided by the CSP are in the OSA’s as-
sessment scope and shall be assessed as Security
Protection Assets.
The services provided by the ESP are in the OSA’s as-
sessment scope and shall be assessed as Security
Protection Assets.
Neither CUI nor SPD ..........
A service provider that does not process CUI or SPD
does not meet the CMMC definition of an ESP.
A service provider that does not process CUI or SPD
does not meet the CMMC definition of an ESP.
(ii) The use of an ESP, its relationship
to the OSA, and the services provided
need to be documented in the OSA’s
SSP and described in the ESP’s service
description and customer responsibility
matrix (CRM), which describes the
responsibilities of the OSA and ESP
with respect to the services provided.
Note that the ESP may voluntarily
undergo a CMMC certification
assessment to reduce the ESP’s effort
required during the OSA’s assessment.
The minimum assessment type for the
ESP is dictated by the OSA’s DoD
contract requirement.
(d) CMMC Level 3 scoping. Prior to
performing a Level 3 certification
assessment, the CMMC Assessment
Scope must be specified.
(1) The CMMC Assessment Scope for
Level 3 is based on the specification of
asset categories and their respective
requirements as set forth in table 5 to
this paragraph (d)(1). Additional
information is available in the guidance
document listed in paragraph (g) of
appendix A to this part.
TABLE 5 TO § 170.19(d)(1)—CMMC LEVEL 3 ASSET CATEGORIES AND ASSOCIATED REQUIREMENTS
Asset category
Asset description
OSC requirements
CMMC assessment requirements
Assets that are in the Level 3 CMMC Assessment Scope
Controlled Unclassified Informa-
tion (CUI) Assets.
• Assets that process, store, or transmit
CUI.
• Assets that can, but are not intended
to, process, store, or transmit CUI (de-
fined as Contractor Risk Managed As-
sets in table 1 to paragraph (c)(1) of
this section CMMC Scoping).
• Document in the asset inventory ...........
• Document asset treatment in the Sys-
tem Security Plan (SSP).
• Document in the network diagram of
the CMMC Assessment Scope.
• Prepare to be assessed against CMMC
Level 2 and Level 3 security require-
ments.
• Limited check against Level 2 and as-
sess against all Level 3 CMMC security
requirements.
Security Protection Assets ........
• Assets that provide security functions
or capabilities to the OSC’s CMMC As-
sessment Scope, irrespective of wheth-
er or not these assets process, store,
or transmit CUI.
• Document in the asset inventory ...........
• Document asset treatment in the SSP.
• Document in the network diagram of
the CMMC Assessment Scope.
• Prepare to be assessed against CMMC
Level 2 and Level 3 security require-
ments.
• Limited check against Level 2 and as-
sess against all Level 3 CMMC security
requirements that are relevant to the
capabilities provided.
Specialized Assets ....................
• Assets that can process, store, or
transmit CUI but are unable to be fully
secured, including: Internet of Things
(IoT) devices, Industrial Internet of
Things (IIoT) devices, Operational
Technology (OT), Government Fur-
nished Equipment (GFE), Restricted In-
formation Systems, and Test Equip-
ment.
• Document in the asset inventory ...........
• Document asset treatment in the SSP.
• Document in the network diagram of
the CMMC Assessment Scope.
• Prepare to be assessed against CMMC
Level 2 and Level 3 security require-
ments.
• Limited check against Level 2 and as-
sess against all Level 3 CMMC security
requirements.
• Intermediary devices are permitted to
provide the capability for the special-
ized asset to meet one or more CMMC
security requirements.
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00143
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83234
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
TABLE 5 TO § 170.19(d)(1)—CMMC LEVEL 3 ASSET CATEGORIES AND ASSOCIATED REQUIREMENTS—Continued
Asset category
Asset description
OSC requirements
CMMC assessment requirements
Assets that are not in the Level 3 CMMC Assessment Scope
Out-of-Scope Assets .................
• Assets that cannot process, store, or
transmit CUI; and do not provide secu-
rity protections for CUI Assets.
• Prepare to justify the inability of an Out-
of-Scope Asset to process, store, or
transmit CUI.
• None.
• Assets that are physically or logically
separated from CUI assets.
• Assets that fall into any in-scope asset
category cannot be considered an Out-
of-Scope Asset.
• An endpoint hosting a VDI client config-
ured to not allow any processing, stor-
age, or transmission of CUI beyond the
Keyboard/Video/Mouse sent to the VDI
client is considered an Out-of-Scope
Asset.
(2)(i) Table 6 to this paragraph
(d)(2)(i) defines the requirements to be
met when utilizing an External Service
Provider (ESP). The OSA must consider
whether the ESP is a Cloud Service
Provider (CSP) and whether the ESP
processes, stores, or transmits CUI and/
or Security Protection Data (SPD).
TABLE 6 TO § 170.19(d)(2)(i)—ESP SCOPING REQUIREMENTS
When the ESP processes,
stores, or transmits:
When utilizing an ESP that is:
A CSP
Not a CSP
CUI (with or without SPD) ..
The CSP shall meet the FedRAMP requirements in 48
CFR 252.204–7012.
The services provided by the ESP are in the OSA’s as-
sessment scope and shall be assessed as part of the
OSA’s assessment.
SPD (without CUI) ..............
The services provided by the CSP are in the OSA’s as-
sessment scope and shall be assessed as Security
Protection Assets.
The services provided by the ESP are in the OSA’s as-
sessment scope and shall be assessed as Security
Protection Assets.
Neither CUI nor SPD ..........
A service provider that does not process CUI or SPD
does not meet the CMMC definition of an ESP.
A service provider that does not process CUI or SPD
does not meet the CMMC definition of an ESP.
(ii) The use of an ESP, its relationship
to the OSC, and the services provided
need to be documented in the OSC’s
SSP and described in the ESP’s service
description and customer responsibility
matrix (CRM), which describes the
responsibilities of the OSC and ESP
with respect to the services provided.
Note that the ESP may voluntarily
undergo a CMMC certification
assessment to reduce the ESP’s effort
required during the OSA’s assessment.
The minimum. The minimum
assessment type for the ESP is dictated
by the OSC’s DoD contract requirement.
(e) Relationship between Level 2 and
Level 3 CMMC Assessment Scope. The
Level 3 CMMC Assessment Scope must
be equal to or a subset of the Level 2
CMMC Assessment Scope in accordance
with § 170.18(a) (e.g., a Level 3 data
enclave with greater restrictions and
protections within a Level 2 data
enclave). Any Level 2 POA&M items
must be closed prior to the initiation of
the Level 3 certification assessment.
DCMA DIBCAC may check any Level 2
security requirement of any in-scope
asset. If DCMA DIBCAC identifies that
a Level 2 security requirement is NOT
MET, the Level 3 assessment process
may be paused to allow for remediation,
placed on hold, or immediately
terminated. For further information
regarding scoping of CMMC Level 3
assessments please contact DCMA
DIBCAC at www.dcma.mil/DIBCAC/.
§ 170.20
Standards acceptance.
(a) NIST SP 800–171 R2 DoD
assessments. In order to avoid
duplication of efforts, thereby reducing
the aggregate cost to industry and the
Department, OSCs that have completed
a DCMA DIBCAC High Assessment
aligned with CMMC Level 2 Scoping
will be given the CMMC Status of Final
Level 2 (C3PAO) under the following
conditions:
(1) DCMA DIBCAC High Assessment.
An OSC that achieved a perfect score
with no open POA&M from a DCMA
DIBCAC High Assessment conducted
prior to the effective date of this rule,
will be given a CMMC Status of Level
2 Final (C3PAO) with a validity period
of three (3) years from the date of the
original DCMA DIBCAC High
Assessment. DCMA DIBCAC will
identify assessments that meet these
criteria and verify that SPRS accurately
reflects the CMMC Status. Eligible
DCMA DIBCAC High Assessments
include ones conducted with Joint
Surveillance in accordance with the
DCMA Manual 2302–01 Surveillance.
The scope of the Level 2 certification
assessment is identical to the scope of
the DCMA DIBCAC High Assessment. In
accordance with § 170.17(a)(2), the OSC
must also submit an affirmation in SPRS
and annually thereafter to achieve
contractual eligibility.
(2) [Reserved].
(b) [Reserved].
§ 170.21
Plan of Action and Milestones
requirements.
(a) POA&M. For purposes of achieving
a Conditional CMMC Status, an OSA is
only permitted to have a POA&M for
select requirements scored as NOT MET
during the CMMC assessment and only
under the following conditions:
(1) Level 1 self-assessment. A POA&M
is not permitted at any time for Level 1
self-assessments.
(2) Level 2 self-assessment and Level
2 certification assessment. An OSA is
only permitted to achieve the CMMC
Status of Conditional Level 2 (Self) or
Conditional Level 2 (C3PAO), as
appropriate, if all the following
conditions are met:
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00144
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83235
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
(i) The assessment score divided by
the total number of CMMC Level 2
security requirements is greater than or
equal to 0.8;
(ii) None of the security requirements
included in the POA&M have a point
value of greater than 1 as specified in
the CMMC Scoring Methodology set
forth in § 170.24, except SC.L2–3.13.11
CUI Encryption may be included on a
POA&M if encryption is employed but
it is not FIPS-validated, which would
result in a point value of 3; and
(iii) None of the following security
requirements are included in the
POA&M:
(A) AC.L2–3.1.20 External
Connections (CUI Data).
(B) AC.L2–3.1.22 Control Public
Information (CUI Data).
(C) CA.L2–3.12.4 System Security
Plan.
(D) PE.L2–3.10.3 Escort Visitors (CUI
Data).
(E) PE.L2–3.10.4 Physical Access Logs
(CUI Data).
(F) PE.L2–3.10.5 Manage Physical
Access (CUI Data).
(3) Level 3 certification assessment.
An OSC is only permitted to achieve the
CMMC Status of Conditional Level 3
(DIBCAC) if all the following conditions
are met:
(i) The assessment score divided by
the total number of CMMC Level 3
security requirements is greater than or
equal to 0.8; and
(ii) The POA&M does not include any
of following security requirements:
(A) IR.L3–3.6.1e Security Operations
Center.
(B) IR.L3–3.6.2e Cyber Incident
Response Team.
(C) RA.L3–3.11.1e Threat-Informed
Risk Assessment.
(D) RA.L3–3.11.6e Supply Chain Risk
Response.
(E) RA.L3–3.11.7e Supply Chain Risk
Plan.
(F) RA.L3–3.11.4e Security Solution
Rationale.
(G) SI.L3–3.14.3e Specialized Asset
Security.
(b) POA&M closeout assessment. A
POA&M closeout assessment is a CMMC
assessment that assesses only the NOT
MET requirements that were identified
with POA&M in the initial assessment.
The closing of a POA&M must be
confirmed by a POA&M closeout
assessment within 180-days of the
Conditional CMMC Status Date. If the
POA&M is not successfully closed out
within the 180-day timeframe, the
Conditional CMMC Status for the
information system will expire.
(1) Level 2 self-assessment. For a
Level 2 self-assessment, the POA&M
closeout self-assessment shall be
performed by the OSA in the same
manner as the initial self-assessment.
(2) Level 2 certification assessment.
For Level 2 certification assessment, the
POA&M closeout certification
assessment must be performed by an
authorized or accredited C3PAO.
(3) Level 3 certification assessment.
For Level 3 certification assessment,
DCMA DIBCAC will perform the
POA&M closeout certification
assessment.
§ 170.22
Affirmation.
(a) General. The OSA must affirm
continuing compliance with the
appropriate level self-assessment or
certification assessment. An Affirming
Official from each OSA, whether a
prime or subcontractor, must affirm the
continuing compliance of their
respective organizations with the
specified security requirement after
every assessment, including POA&M
closeout, and annually thereafter.
Affirmations are entered electronically
in SPRS. The affirmation shall be
submitted in accordance with the
following requirements:
(1) Affirming Official. The Affirming
Official is the senior level representative
from within each Organization Seeking
Assessment (OSA) who is responsible
for ensuring the OSA’s compliance with
the CMMC Program requirements and
has the authority to affirm the OSA’s
continuing compliance with the
specified security requirements for their
respective organizations.
(2) Affirmation content. Each CMMC
affirmation shall include the following
information:
(i) Name, title, and contact
information for the Affirming Official;
and
(ii) Affirmation statement attesting
that the OSA has implemented and will
maintain implementation of all
applicable CMMC security requirements
to their CMMC Status for all information
systems within the relevant CMMC
Assessment Scope.
(3) Affirmation submission. The
Affirming Official shall submit a CMMC
affirmation in the following instances:
(i) Upon achievement of a Conditional
CMMC Status, as applicable;
(ii) Upon achievement of a Final
CMMC Status;
(iii) Annually following a Final
CMMC Status Date; and
(iv) Following a POA&M closeout
assessment, as applicable.
(b) Submission procedures. All
affirmations shall be completed in
SPRS. The Department will verify
submission of the affirmation in SPRS to
ensure compliance with CMMC
solicitation or contract requirements.
(1) Level 1 self-assessment. At the
completion of a Level 1 self-assessment
and annually thereafter, the Affirming
Official shall submit a CMMC
affirmation attesting to continuing
compliance with all requirements of the
CMMC Status Level 1 (Self).
(2) Level 2 self-assessment. At the
completion of a Level 2 self-assessment
and annually following a Final CMMC
Status Date, the Affirming Official shall
submit a CMMC affirmation attesting to
continuing compliance with all
requirements of the CMMC Status Level
2 (Self). An affirmation shall also be
submitted at the completion of a
POA&M closeout self-assessment.
(3) Level 2 certification assessment. At
the completion of a Level 2 certification
assessment and annually following a
Final CMMC Status Date, the Affirming
Official shall submit a CMMC
affirmation attesting to continuing
compliance with all requirements of the
CMMC Status Level 2 (C3PAO). An
affirmation shall also be submitted at
the completion of a POA&M closeout
certification assessment.
(4) Level 3 certification assessment. At
the completion of a Level 3 certification
assessment and annually following a
Final CMMC Status Date, the Affirming
Official shall submit a CMMC
affirmation attesting to continuing
compliance with all requirements of the
CMMC Status Level 3 (DIBCAC).
Because C3PAOs and DCMA DIBCAC
check for compliance with different
requirements in their respective
assessments, OSCs must annually affirm
their CMMC Status of Level 2 (C3PAO)
in addition to their CMMC Status of
Level 3 (DIBCAC) to maintain eligibility
for contracts requiring compliance with
Level 3. An affirmation shall also be
submitted at the completion of a
POA&M closeout certification
assessment.
§ 170.23
Application to subcontractors.
(a) CMMC requirements apply to
prime contractors and subcontractors
throughout the supply chain at all tiers
that will process, store, or transmit any
FCI or CUI on contractor information
systems in the performance of the DoD
contract or subcontract. Prime
contractors shall comply and shall
require subcontractors to comply with
and to flow down CMMC requirements,
such that compliance will be required
throughout the supply chain at all tiers
with the applicable CMMC level and
assessment type for each subcontract as
follows:
(1) If a subcontractor will only
process, store, or transmit FCI (and not
CUI) in performance of the subcontract,
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00145
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83236
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
then a CMMC Status of Level 1 (Self) is
required for the subcontractor.
(2) If a subcontractor will process,
store, or transmit CUI in performance of
the subcontract, then a CMMC Status of
Level 2 (Self) is the minimum
requirement for the subcontractor.
(3) If a subcontractor will process,
store, or transmit CUI in performance of
the subcontract and the associated
prime contract has a requirement for a
CMMC Status of Level 2 (C3PAO), then
the CMMC Status of Level 2 (C3PAO) is
the minimum requirement for the
subcontractor.
(4) If a subcontractor will process,
store, or transmit CUI in performance of
the subcontract and the associated
prime contract has a requirement for the
CMMC Status of Level 3 (DIBCAC), then
the CMMC Status of Level 2 (C3PAO) is
the minimum requirement for the
subcontractor.
(b) As with any solicitation or
contract, the DoD may provide specific
guidance pertaining to flow-down.
§ 170.24
CMMC Scoring Methodology.
(a) General. This scoring methodology
is designed to provide a measurement of
an OSA’s implementation status of the
NIST SP 800–171 R2 security
requirements (incorporated by reference
elsewhere in this part, see § 170.2) and
the selected NIST SP 800–172 Feb2021
security requirements (incorporated by
reference elsewhere in this part, see
§ 170.2). The CMMC Scoring
Methodology is designed to credit
partial implementation only in limited
cases (e.g., multi-factor authentication
IA.L2–3.5.3).
(b) Assessment findings. Each security
requirement assessed under the CMMC
Scoring Methodology must result in one
of three possible assessment findings, as
follows:
(1) Met. All applicable objectives for
the security requirement are satisfied
based on evidence. All evidence must
be in final form and not draft.
Unacceptable forms of evidence include
but are not limited to working papers,
drafts, and unofficial or unapproved
policies.
(i) Enduring exceptions when
described, along with any mitigations,
in the system security plan shall be
assessed as MET.
(ii) Temporary deficiencies that are
appropriately addressed in operational
plans of action (i.e., include deficiency
reviews and show progress towards the
implementation of corrections to reduce
or eliminate identified vulnerabilities)
shall be assessed as MET.
(2) Not Met. One or more applicable
objectives for the security requirement
is not satisfied. During an assessment,
for each security requirement objective
marked NOT MET, the assessor will
document why the evidence does not
conform.
(3) Not Applicable (N/A). A security
requirement and/or objective does not
apply at the time of the CMMC
assessment. For example, Public-Access
System Separation (SC.L2–3.13.5) might
be N/A if there are no publicly
accessible systems within the CMMC
Assessment Scope. During an
assessment, an assessment objective
assessed as N/A is equivalent to the
same assessment objective being
assessed as MET.
(c) Scoring. At each CMMC Level,
security requirements are scored as
follows:
(1) CMMC Level 1. All CMMC Level
1 security requirements must be fully
implemented to be considered MET. No
POA&M is permitted for CMMC Level 1,
and self-assessment results are scored as
MET or NOT MET in their entirety.
(2) CMMC Level 2 Scoring
Methodology. The maximum score
achievable for a Level 2 self-assessment
or Level 2 certification assessment is
equal to the total number of CMMC
Level 2 security requirements. If all
CMMC Level 2 security requirements
are MET, OSAs are awarded the
maximum score. For each requirement
NOT MET, the associated value of the
security requirement is subtracted from
the maximum score, which may result
in a negative score.
(i) Procedures. (A) Scoring
methodology for Level 2 self-assessment
and Level 2 certification assessment is
based on all CMMC Level 2 security
requirement objectives, including those
NOT MET.
(B) In the CMMC Level 2 Scoring
Methodology, each security requirement
has a value (e.g., 1, 3 or 5), which is
related to the designation by NIST as
basic or derived security requirements.
Per NIST SP 800–171 R2, the basic
security requirements are obtained from
FIPS PUB 200 Mar2006, which provides
the high-level and fundamental security
requirements for Federal information
and systems. The derived security
requirements, which supplement the
basic security requirements, are taken
from the security controls in NIST SP
800–53 R5.
(1) For NIST SP 800–171 R2 basic and
derived security requirements that, if
not implemented, could lead to
significant exploitation of the network,
or exfiltration of CUI, five (5) points are
subtracted from the maximum score.
The basic and derived security
requirements with a value of five (5)
points include:
(i) Basic security requirements.
AC.L2–3.1.1, AC.L2–3.1.2, AT.L2–3.2.1,
AT.L2–3.2.2, AU.L2–3.3.1, CM.L2–3.4.1,
CM.L2–3.4.2, IA–L2–3.5.1, IA–L2–3.5.2,
IR.L2–3.6.1, IR.L2–3.6.2, MA.L2–3.7.2,
MP.L2–3.8.3, PS.L2–3.9.2, PE.L2–3.10.1,
PE.L2–3.10.2, CA.L2–3.12.1, CA.L2–
3.12.3, SC.L2–3.13.1, SC.L2–3.13.2,
SI.L2–3.14.1, SI.L2–3.14.2, and SI.L2–
3.14.3.
(ii) Derived security requirements.
AC.L2–3.1.12, AC.L2–3.1.13, AC.L2–
3.1.16, AC.L2–3.1.17, AC.L2–3.1.18,
AU.L2–3.3.5, CM.L2–3.4.5, CM.L2–
3.4.6, CM.L2–3.4.7, CM.L2–3.4.8, IA.L2–
3.5.10, MA.L2–3.7.5, MP.L2–3.8.7,
RA.L2–3.11.2, SC.L2–3.13.5, SC.L2–
3.13.6, SC.L2–3.13.15, SI.L2–3.14.4, and
SI.L2–3.14.6.
(2) For basic and derived security
requirements that, if not implemented,
have a specific and confined effect on
the security of the network and its data,
three (3) points are subtracted from the
maximum score. The basic and derived
security requirements with a value of
three (3) points include:
(i) Basic security requirements.
AU.L2–3.3.2, MA.L2–3.7.1, MP.L2–
3.8.1, MP.L2–3.8.2, PS.L2–3.9.1, RA.L2–
3.11.1, and CA.L2–3.12.2.
(ii) Derived security requirements.
AC.L2–3.1.5, AC.L2- 3.1.19, MA.L2–
3.7.4, MP.L2–3.8.8, SC.L2–3.13.8, SI.L2–
3.14.5, and SI.L2–3.14.7.
(3) All remaining derived security
requirements, other than the exceptions
noted, if not implemented, have a
limited or indirect effect on the security
of the network and its data. For these,
1 point is subtracted from the maximum
score.
(4) Two derived security
requirements, IA.L2–3.5.3 and SC.L2–
3.13.11, can be partially effective even
if not completely or properly
implemented, and the points deducted
may be adjusted depending on how the
security requirement is implemented.
(i) Multi-factor authentication (MFA)
(CMMC Level 2 security requirement
IA.L2–3.5.3) is typically implemented
first for remote and privileged users
(since these users are both limited in
number and more critical) and then for
the general user, so three (3) points are
subtracted from the maximum score if
MFA is implemented only for remote
and privileged users. Five (5) points are
subtracted from the maximum score if
MFA is not implemented for any users.
(ii) FIPS-validated encryption (CMMC
Level 2 security requirement SC.L2–
3.13.11) is required to protect the
confidentiality of CUI. If encryption is
employed, but is not FIPS-validated,
three (3) points are subtracted from the
maximum score; if encryption is not
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00146
Fmt 4701
Sfmt 4700
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
83237
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 / Rules and Regulations
employed; five (5) points are subtracted
from the maximum score.
(5) OSAs must have a System Security
Plan (SSP) (CMMC security requirement
CA.L2–3.12.4) in place at the time of
assessment to describe each information
system within the CMMC Assessment
Scope. The absence of an up to date SSP
at the time of the assessment would
result in a finding that ‘an assessment
could not be completed due to
incomplete information and
noncompliance with 48 CFR 252.204–
7012.’
(6) For each NOT MET security
requirement the OSA must have a
POA&M in place. A POA&M addressing
NOT MET security requirements is not
a substitute for a completed
requirement. Security requirements not
implemented, whether described in a
POA&M or not, is assessed as ‘NOT
MET.’
(7) Specialized Assets must be
evaluated for their asset category per the
CMMC scoping guidance for the level in
question and handled accordingly as set
forth in § 170.19.
(8) If an OSC previously received a
favorable adjudication from the DoD
CIO indicating that a security
requirement is not applicable or that an
alternative security measure is equally
effective (in accordance with 48 CFR
252.204–7008 or 48 CFR 252.204–7012),
the DoD CIO adjudication must be
included in the system security plan to
receive consideration during an
assessment. A security requirement for
which implemented security measures
have been adjudicated by the DoD CIO
as equally effective is assessed as MET
if there have been no changes in the
environment.
(ii) CMMC Level 2 Scoring Table.
CMMC Level 2 scoring has been
assigned based on the methodology set
forth in table 1 to this paragraph
(c)(2)(ii).
TABLE 7 TO § 170.24(c)(2)(ii)—CMMC LEVEL 2 SCORING TABLE
CMMC Level 2 requirement categories
Point value
subtracted from
maximum score
Basic Security Requirements:
If not implemented, could lead to significant exploitation of the network, or exfiltration of CUI ...........................................
5
If not implemented, has specific and confined effect on the security of the network and its data .......................................
3
Derived Security Requirements:
If not implemented, could lead to significant exploitation of the network, or exfiltration of CUI ...........................................
5
If not completely or properly implemented, could be partially effective and points adjusted depending on how the secu-
rity requirement is implemented: ........................................................................................................................................
3 or 5
—Partially effective implementation—3 points.
—Non-effective (not implemented at all)—5 points.
If not implemented, has specific and confined effect on the security of the network and its data .......................................
3
If not implemented, has a limited or indirect effect on the security of the network and its data ..........................................
1
(3) CMMC Level 3 assessment scoring
methodology. CMMC Level 3 scoring
does not utilize varying values like the
scoring for CMMC Level 2. All CMMC
Level 3 security requirements use a
value of one (1) point for each security
requirement. As a result, the maximum
score achievable for a Level 3
certification assessment is equivalent to
the total number of the selected subset
of NIST SP 800–172 Feb2021 security
requirements for CMMC Level 3, see
§ 170.14(c)(4). The maximum score is
reduced by one (1) point for each
security requirement NOT MET. The
CMMC Level 3 scoring methodology
reflects the fact that all CMMC Level 2
security requirements must already be
MET (for the Level 3 CMMC Assessment
Scope). A maximum score on the Level
2 certification assessment is required to
be eligible to initiate a Level 3
certification assessment. The Level 3
certification assessment score is equal to
the number of CMMC Level 3 security
requirements that are assessed as MET.
Appendix A to Part 170—Guidance
Guidance documents include:
(a) ‘‘CMMC Model Overview’’ available at
https://DoDcio.defense.gov/CMMC/.
(b) ‘‘CMMC Assessment Guide—Level 1’’
available at [https://DoDcio.defense.gov/CMMC/ https://DoDcio.defense.gov/
CMMC/. ]
(c) ‘‘CMMC Assessment Guide—Level 2’’
available at [https://DoDcio.defense.gov/CMMC/ https://DoDcio.defense.gov/
CMMC/. ]
(d) ‘‘CMMC Assessment Guide—Level 3’’
available at [https://DoDcio.defense.gov/CMMC/ https://DoDcio.defense.gov/
CMMC/. ]
(e) ‘‘CMMC Scoping Guide—Level 1’’
[https://DoDcio.defense.gov/CMMC/ available at https://DoDcio.defense.gov/
CMMC/. ]
(f) ‘‘CMMC Scoping Guide—Level 2’’
[https://DoDcio.defense.gov/CMMC/ available at https://DoDcio.defense.gov/
CMMC/. ]
(g) ‘‘CMMC Scoping Guide—Level 3’’
[https://DoDcio.defense.gov/CMMC/ available at https://DoDcio.defense.gov/
CMMC/. ]
(h) ‘‘CMMC Hashing Guide’’ available at
https://DoDcio.defense.gov/CMMC/.
Dated: September 30, 2024.
Patricia L. Toppings,
OSD Federal Register Liaison Officer,
Department of Defense.
[FR Doc. 2024–22905 Filed 10–11–24; 8:45 am]
BILLING CODE 6001–FR–P
VerDate Sep<11>2014
18:51 Oct 11, 2024
Jkt 265001
PO 00000
Frm 00147
Fmt 4701
Sfmt 9990
E:\FR\FM\15OCR2.SGM
15OCR2
khammond on DSKJM1Z7X2PROD with RULES2
Original source: https://www.govinfo.gov/content/pkg/FR-2024-10-15/pdf/2024-22905.pdf