[Federal Register Volume 88, Number 246 (Tuesday, December 26, 2023)]
[Proposed Rules]
[Pages 89058-89138]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-27280]
[[Page 89057]]
Vol. 88
Tuesday,
No. 246
December 26, 2023
Part II
Department of Defense
-----------------------------------------------------------------------
32 CFR Part 170
Cybersecurity Maturity Model Certification (CMMC) Program and Program
Guidance; Proposed Rule and Notice
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
Office of the Secretary
32 CFR Part 170
[Docket ID: DoD-2023-OS-0063]
RIN 0790-AL49
Cybersecurity Maturity Model Certification (CMMC) Program
AGENCY: Office of the Department of Defense Chief Information Officer
(CIO), Department of Defense (DoD).
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: DoD is proposing to establish requirements for a comprehensive
and scalable assessment mechanism to ensure defense contractors and
subcontractors have, as part of the Cybersecurity Maturity Model
Certification (CMMC) Program, implemented required security measures to
expand application of existing security requirements for Federal
Contract Information (FCI) and add new Controlled Unclassified
Information (CUI) security requirements for certain priority programs.
DoD currently requires covered defense contractors and subcontractors
to implement the security protections set forth in the National
Institute of Standards and Technology (NIST) Special Publication (SP)
800-171 Rev 2 to provide adequate security for sensitive unclassified
DoD information that is processed, stored, or transmitted on contractor
information systems and to document their implementation status,
including any plans of action for any NIST SP 800-171 Rev 2 requirement
not yet implemented, in a System Security Plan (SSP). The CMMC Program
provides the Department the mechanism needed to verify that a defense
contractor or subcontractor has implemented the security requirements
at each CMMC Level and is maintaining that status across the contract
period of performance, as required.
DATES: Comments must be received by February 26, 2024.
ADDRESSES: You may use the following methods to submit comments on:
  • the proposed rule, identified by docket number DoD-2023-OS-0063
    and/or Regulatory Identifier Number (RIN) 0790-AL49 and title;
  • the guidance in the Appendix documents, identified by docket
    number DoD-2023-OS-0096 and title;
  • the information collection requirements, identified by docket
    number DoD-2023-OS-0097 and title.
Comment Submission Methods include:
  • Federal eRulemaking Portal: https://www.regulations.gov.
    Follow the instructions for submitting comments.
  • Mail: Department of Defense, Office of the Assistant to the
    Secretary of Defense for Privacy, Civil Liberties, and
    Transparency, Regulatory Directorate, 4800 Mark Center Drive, Attn:
    Mailbox 24, Suite 08D09, Alexandria, VA 22350-1700.
Instructions: All submissions received must include the agency name
and docket number or RIN for this Federal Register document. The
general policy for comments and other submissions from members of the
public is to make these submissions available for public viewing at
https://www.regulations.gov as they are received without change,
including any personal identifiers or contact information.
FOR FURTHER INFORMATION CONTACT: Ms. Diane Knight, Office of the DoD
CIO, 202-770-9100.
SUPPLEMENTARY INFORMATION:
History of the Program
The CMMC Program is designed to verify protection of sensitive
unclassified information shared between the Department and its
contractors and subcontractors or generated by the contractors and
subcontractors. CMMC increases assurance that contractors and
subcontractors are meeting cybersecurity requirements applying to
acquisition programs and systems processing CUI.
The beginnings of CMMC start with Executive Order (E.O.) 13556,\1\
Controlled Unclassified Information, issued in November 2010. The intent
of this Order was to ``establish an open and uniform program for
managing [unclassified] information that requires safeguarding or
dissemination controls.'' Prior to this E.O., more than 100 different
markings for this information existed across the executive branch. This
ad hoc, agency-specific approach created inefficiency and confusion,
led to a patchwork system that failed to adequately safeguard
information requiring protection, and unnecessarily restricted
information-sharing.
---------------------------------------------------------------------------
\1\ https://www.federalregister.gov/citation/75-FR-68675
(November 4, 2010).
---------------------------------------------------------------------------
As a result, the E.O. established the CUI Program to standardize
the way the executive branch handles information requiring safeguarding
or dissemination controls (excluding information that is classified
under E.O. 13526, Classified National Security Information \2\ or any
predecessor or successor order; or the Atomic Energy Act of 1954,\3\ as
amended).
---------------------------------------------------------------------------
\2\ https://www.federalregister.gov/citation/75-FR-707 (December
29, 2009).
\3\ https://www.govinfo.gov/link/uscode/42/2011, et seq.
---------------------------------------------------------------------------
In 2019, DoD announced the development of CMMC in order to move
away from a ``self-attestation'' model of security. It was first
conceived by the Office of the Under Secretary of Defense for
Acquisition and Sustainment (OUSD(A&S)) to secure the Defense
Industrial Base (DIB) sector against evolving cybersecurity threats. In
September 2020, DoD published an interim rule, Defense Federal
Acquisition Regulation Supplement (DFARS): Assessing Contractor
Implementation of Cybersecurity Requirements (DFARS Case 2019-D041),\4\
which implemented the DoD's initial vision for the CMMC Program (``CMMC
1.0'') and outlined the basic features of the framework (tiered model
of practices and processes, required assessments, and implementation
through contracts) to protect FCI and CUI. The interim rule became
effective on 30 November 2020, establishing a five-year phase-in
period. In response to approximately 750 public comments on the CMMC
1.0 Program, in March 2021, the Department initiated an internal review
of CMMC's implementation.
---------------------------------------------------------------------------
\4\ https://www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of.
---------------------------------------------------------------------------
In November 2021, the Department announced ``CMMC 2.0,'' an updated
program structure and requirements designed to achieve the primary
goals of the internal review:
  • Safeguard sensitive information to enable and protect the
    warfighter
  • Enforce DIB cybersecurity standards to meet evolving threats
  • Ensure accountability while minimizing barriers to compliance
    with DoD requirements
  • Perpetuate a collaborative culture of cybersecurity and cyber
    resilience
  • Maintain public trust through high professional and ethical
    standards
The CMMC 2.0 Program has three key features:
  • Tiered Model: CMMC requires companies entrusted with national
    security information to implement cybersecurity standards at
    progressively advanced levels, depending on the type and
    sensitivity of the information. The program also describes the
    process for requiring protection of information flowed down to
    subcontractors.
  • Assessment Requirement: CMMC assessments allow the Department to
    verify the implementation of clear cybersecurity standards.
  • Implementation through Contracts: Once CMMC is fully implemented,
    certain DoD contractors handling sensitive unclassified DoD
    information will be required to achieve a particular CMMC level as
    a condition of contract award.
CMMC 2.0 Overview as Proposed by This Rule
Current Requirements for Defense Contractors and Subcontractors
Currently, federal contracts (including defense contracts)
involving the transfer of FCI to a non-Government organization follow
the requirements specified in FAR clause 52.204-21, Basic Safeguarding
of Covered Contractor Information Systems.\5\ FAR clause 52.204-21
requires compliance with 15 security requirements, FAR 52.204-21(b)(1),
items (i) through (xv). These requirements are elementary for any
entity wishing to achieve basic cybersecurity.
---------------------------------------------------------------------------
\5\ https://www.acquisition.gov/far/52.204-21.
---------------------------------------------------------------------------
Defense contracts involving the transfer of CUI to a non-Government
organization may include applicable requirements of DFARS clause
252.204-7012, Safeguarding Covered Defense Information and Cyber
Incident Reporting.\6\ The DFARS clause 252.204-7012 requires defense
contractors to provide adequate security on all covered contractor
information systems by implementing the 110 security requirements
specified in the National Institute of Standards and Technology (NIST)
Special Publication (SP) 800-171, Protecting Controlled Unclassified
Information in Nonfederal Systems and Organizations. The DFARS clause
252.204-7012 includes additional requirements; for example, defense
contractors must meet Federal Risk and Authorization Management Program
(FedRAMP) standards by confirming that their Cloud Service Providers
(CSP) have achieved the FedRAMP Baseline Moderate or Equivalent
standard. The DFARS clause 252.204-7012 also requires defense
contractors to flow down all the requirements to their subcontractors.
---------------------------------------------------------------------------
\6\ https://www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting.
---------------------------------------------------------------------------
Currently, to comply with DFARS clause 252.204-7012, contractors
are required to develop a System Security Plan (SSP) \7\ detailing the
policies and procedures their organization has in place to comply with
NIST SP 800-171. The SSP serves as a foundational document for the
required NIST SP 800-171 self-assessment. Self-assessment scores, as
referenced in DFARS clause 252.204-7020, must be submitted in the DoD's
Supplier Performance Risk System (SPRS).\8\ The highest score is 110,
meaning all 110 NIST SP 800-171 security requirements have been fully
implemented. If a contractor's SPRS score is less than 110, indicating
security gaps exist, then the contractor must create a Plan of Action
(POA) \9\ identifying security tasks that still need to be
accomplished. In essence, an SSP describes the cybersecurity plan the
contractor has in place to protect CUI. The SSP needs to go through
each NIST SP 800-171 security requirement and explain how the
requirement is implemented, monitored, and enforced. This can be
through policy, technology, or a combination of both. The SSP will also
outline the roles and responsibilities of security personnel to ensure
that CUI is appropriately protected.
---------------------------------------------------------------------------
\7\ Required since November 2016, NIST SP 800-171 security
requirement 3.12.4 states organizations must ``develop, document,
and periodically update system security plans that describe system
boundaries, system environments of operation, how security
requirements are implemented, and the relationships with or
connections to other systems.''
\8\ https://www.sprs.csd.disa.mil/ under OMB control number
0750-0004.
\9\ The POA requirement described under DFARS clause 252.204-
7012 is different from a Plan of Action and Milestones (POA&M)
requirement in CMMC as POAs do not require milestones.
---------------------------------------------------------------------------
In November 2020, the DoD released its DFARS Interim Rule, the
Defense Federal Acquisition Regulation Supplement: Assessing Contractor
Implementation of Cybersecurity Requirements.\10\ The goal of this rule
was to increase compliance with its cybersecurity regulations and
improve security throughout the DIB. This rule introduced three new
clauses--DFARS clause 252.204-7019, DFARS clause 252.204-7020, and
DFARS clause 252.204-7021.
---------------------------------------------------------------------------
\10\ https://www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of.
---------------------------------------------------------------------------
DFARS clause 252.204-7019 strengthens DFARS clause
252.204-7012 by requiring contractors to conduct a NIST SP 800-171
self-assessment according to NIST SP 800-171 DoD Assessment
Methodology.\11\ Self-assessment scores must be reported to the
Department via SPRS. SPRS scores must be submitted by the time of
contract award and not be more than three years old.
---------------------------------------------------------------------------
\11\ https://www.acq.osd.mil/asda/dpc/cp/cyber/docs/safeguarding/NIST-SP-800-171-Assessment-Methodology-Version-1.2.1-6.24.2020.pdf
---------------------------------------------------------------------------
DFARS clause 252.204-7020 notifies contractors that DoD
reserves the right to conduct a higher-level assessment of contractors'
cybersecurity compliance, and contractors must give DoD assessors full
access to their facilities, systems, and personnel. Further, DFARS
clause 252.204-7020 strengthens DFARS clause 252.204-7012's flow down
requirements by holding contractors responsible for confirming their
subcontractors have SPRS scores on file prior to awarding them
contracts.
DFARS clause 252.204-7021 paves the way for rollout of the
CMMC Program. Once CMMC is implemented, DFARS clause 252.204-7021
requires contractors to achieve the CMMC level required in the DoD
contract. DFARS clause 252.204-7021 also stipulates contractors will be
responsible for flowing down the CMMC requirements to their
subcontractors.
Additional Requirements for Defense Contractors and Subcontractors
Discussed in This Proposed Rule
A key difference between the DFARS 252.204-7012 and CMMC Level 2
requirements is that compliance with NIST SP 800-171 under DFARS
252.204-7012 has not been consistently verified. Under CMMC, compliance
will be checked by independent third-party assessors certified by DoD.
When this 32 CFR CMMC Program rule is finalized, solicitations for
defense contracts involving the processing, storing, or transmitting of
FCI or CUI on a non-Federal system will, in most cases, have a CMMC
level and assessment type requirement a contractor must meet to be
eligible for a contract award. CMMC-related contractual processes will
be addressed in DoD's DFARS Case 2019-D041, Assessing Contractor
Implementation of Cybersecurity Requirements, which will be proposed by
the Department in a separate rulemaking.\12\
---------------------------------------------------------------------------
\12\ Information on the Department's agenda for all rulemakings
can be found at https://www.reginfo.gov/public/do/eAgendaMain and
then selecting the relevant agency and rule name.
---------------------------------------------------------------------------
This rule establishes the CMMC Program and defines requirements
both in general and based on the specific CMMC level and assessment
type required by the contract and applicable subcontract. Each CMMC
level and assessment type is described.
1. Contracts or Subcontracts With a CMMC Level 1 Self-Assessment
Requirement
a. Security Requirements
For CMMC Level 1, contractors and applicable subcontractors are
already required to implement the 15 security requirements currently
required by the FAR clause 52.204-21.
b. Assessment Requirements (New)
At Level 1, CMMC adds a requirement for contractors and applicable
subcontractors to verify through self-assessment that all applicable
security requirements outlined in FAR clause 52.204-21 have been
implemented. This self-assessment must be performed annually and the
results must be entered electronically in the Supplier Performance Risk
System (SPRS) (see Sec. 170.15 for details on CMMC Level 1 Self-
Assessment requirements and procedures, and specifically Sec.
170.15(a)(1)(i) for the information collection).
c. Affirmation Requirements (New)
A senior official from the prime contractor and any applicable
subcontractor will be required to annually affirm continuing compliance
with the specified security requirements. Affirmations are entered
electronically in SPRS (see Sec. 170.22 for details on Affirmation
requirements and procedures).
2. Contracts or Subcontracts With a CMMC Level 2 Self-Assessment
Requirement
a. Security Requirements
For CMMC Level 2, contractors and applicable subcontractors are
already required to implement the 110 security requirements currently
required by the DFARS clause 252.204-7012, which are aligned with NIST
SP 800-171 Rev 2.
b. Assessment Requirements (New)
At Level 2, CMMC adds a requirement for contractors and applicable
subcontractors to verify that all applicable security requirements
outlined in NIST SP 800-171 Rev 2 and required via DFARS clause
252.204-7012 have been implemented. As determined by DoD, program
contracts will include either a CMMC Level 2 Self-Assessment
requirement or a CMMC Level 2 Certification Assessment requirement to
verify a contractor's implementation of the CMMC Level 2 security
requirements. Selected requirements are allowed to have a Plan of
Action and Milestones (POA&M) that must be closed out within 180 days
of the assessment (see Sec. 170.21 for details on POA&M). This self-
assessment must be performed on a triennial basis and the results must
be entered electronically in SPRS (see Sec. 170.16 for details on CMMC
Level 2 Self-Assessment requirements and procedures, and specifically
Sec. 170.16(a)(1)(i) for information collection).
c. Affirmation Requirements (New)
A senior official from the prime contractor and any applicable
subcontractor will be required to affirm continuing compliance with the
specified security requirements after every assessment, including POA&M
closeout, and annually thereafter. Affirmations are entered
electronically in SPRS (see Sec. 170.22 for details on Affirmation
requirements and procedures).
3. Contracts or Subcontracts With a CMMC Level 2 Certification
Assessment Requirement
a. Security Requirements
For CMMC Level 2 Certification Assessment, contractors and
applicable subcontractors are already required to implement the
security requirements currently required by the DFARS clause 252.204-
7012, which are aligned with NIST SP 800-171 Rev 2.
b. Assessment Requirements (New)
At Level 2, CMMC adds a requirement for contractors and applicable
subcontractors to verify that all applicable security requirements
outlined in NIST SP 800-171 Rev 2 and required via DFARS clause
252.204-7012 have been implemented. As determined by DoD, program
contracts will include either a CMMC Level 2 Self-Assessment
requirement or a CMMC Level 2 Certification Assessment requirement to
verify a contractor's implementation of the CMMC Level 2 security
requirements. Selected requirements are allowed to have a POA&M that
must be closed out within 180 days of the assessment (see Sec. 170.21
for details on POA&M). The final certification will have up to a three-
year duration. The third-party assessment organization will enter the
assessment information electronically into the CMMC Enterprise Mission
Assurance Support Service (eMASS), which will electronically transmit
the assessment results into SPRS (see Sec. 170.17 for details on CMMC
Level 2 Certification Assessment requirements and procedures, and
specifically Sec. 170.17(a)(1)(i) for information collection).
c. Affirmation Requirements (New)
A senior official from the prime contractor and any applicable
subcontractor will be required to affirm continuing compliance with the
specified security requirements after every assessment, including POA&M
closeout, and annually thereafter. Affirmations are entered
electronically in SPRS (see Sec. 170.22 for details on Affirmation
requirements, procedures, and information collection).
4. Contracts or Subcontracts With a CMMC Level 3 Certification
Assessment Requirement
a. Security Requirements (New)
For CMMC Level 3, when CMMC becomes a final rule, contractors and
applicable subcontractors will be required to implement the 24 selected
security requirements from NIST SP 800-172, as detailed in table 1 to
Sec. 170.14(c)(4). CMMC Level 2 is a prerequisite for CMMC Level 3.
b. Assessment Requirements (New)
At Level 3, CMMC adds a requirement for contractors and applicable
subcontractors to verify through DoD assessment and receive
certification that all applicable CMMC Level 3 security requirements
from NIST SP 800-172 have been implemented. Selected requirements are
allowed to have a POA&M that must be closed out within 180 days of the
assessment (see Sec. 170.21 for details on POA&Ms). The final
certification will be valid for up to three years. The DoD assessor
will enter the assessment information electronically into eMASS,
which will electronically transmit the assessment results into SPRS (see
Sec. 170.18 for details on CMMC Level 3 Certification Assessment
requirements and procedures, and specifically Sec. 170.18(a)(1)(i) for
information collection).
c. Affirmation Requirements (New)
A senior official from the prime contractor and any applicable
subcontractor will be required to affirm continuing compliance with the
specified security requirements after every assessment, including POA&M
closeout, and annually thereafter. Affirmations are entered
electronically in SPRS (see Sec. 170.22 for details on Affirmation
requirements, procedures, and information collection).
Summary of Provisions Contained in This Rule
Section 170.1 Purpose
Section 170.1 addresses the purpose of this rule. It describes the
CMMC Program and establishes policy for requiring the protection of FCI
and CUI that is processed, stored, or transmitted on defense contractor
and subcontractor information systems. The security standards utilized
in the CMMC Program are from the FAR clause 52.204-21; NIST SP 800-171
Rev 2; and selected requirements from the NIST SP 800-172, as
applicable. The purpose of the CMMC Program is for contractors
and subcontractors to demonstrate that FCI and CUI being processed,
stored, or transmitted is adequately safeguarded through the
methodology provided in the rule.
Section 170.2 Incorporation by Reference
Section 170.2 addresses the standards and guidelines that are
incorporated by reference. The Director of the Federal Register under 5
U.S.C. 552(a) and 1 CFR part 51 approves any materials that are
incorporated by reference (as detailed in the Office of the Federal
Register's Incorporation By Reference (IBR) Handbook, June 2023).
Materials that are incorporated by reference in this rule are
reasonably available. Information on how to access the documents is
detailed in Sec. 170.2. Materials that are incorporated by reference
in this rule are from the NIST (see Sec. 170.2(a)), the Committee on
National Security Systems (see Sec. 170.2(b)), and the International
Organization for Standardization/International Electrotechnical
Commission (ISO/IEC) (see Sec. 170.2(c)) which may require payment of
a fee.
Note: While the ISO/IEC standards are issued jointly, they are
available from the ISO Secretariat (see Sec. 170.2(c)).
The American National Standards Institute (ANSI) IBR Portal
provides access to standards that have been incorporated by reference
in the U.S. Code of Federal Regulations at https://ibr.ansi.org. These
standards incorporated by the U.S. government in rulemakings are
offered at no cost in ``read only'' format and are presented for online
reading. There are no print or download options. All users will be
required to install the FileOpen plug-in and accept an online end user
license agreement prior to accessing any standards.
The materials that are incorporated by reference are summarized
below.
(a) Federal Information Processing Standard (FIPS) Publication
(PUB) 200 (FIPS PUB 200), titled ``Minimum Security Requirements for
Federal Information and Information Systems'' is the second of two
security standards mandated by the Federal Information Security
Management Act (FISMA). It specifies minimum security requirements for
information and information systems supporting the executive agencies
of the federal government and a risk-based process for selecting the
security controls necessary to satisfy the minimum security
requirements. This standard promotes the development, implementation,
and operation of more secure information systems within the federal
government by establishing minimum levels of due diligence for
information security and facilitating a more consistent, comparable,
and repeatable approach for selecting and specifying security controls
for information systems that meet minimum security requirements. This
document is incorporated by reference as a source for definitions.
(b) FIPS PUB 201-3, titled ``Personal Identity Verification (PIV)
of Federal Employees and Contractors'' establishes a standard for a PIV
system that meets the control and security objectives of Homeland
Security Presidential Directive-12. It is based on secure and reliable
forms of identity credentials issued by the Federal Government to its
employees and contractors. These credentials are used by mechanisms
that authenticate individuals who require access to federally
controlled facilities, information systems, and applications. This
Standard addresses requirements for initial identity proofing,
infrastructure to support interoperability of identity credentials, and
accreditation of organizations and processes issuing PIV credentials.
This document is incorporated by reference as a source for definitions.
(c) NIST SP 800-37, revision 2, titled ``Risk Management Framework
for Information Systems and Organizations: A System Life Cycle Approach
for Security and Privacy'' describes the Risk Management Framework
(RMF) and provides guidelines for applying the RMF to information
systems and organizations. The RMF provides a disciplined, structured,
and flexible process for managing security and privacy risk that
includes information security categorization; control selection,
implementation, and assessment; system and common control
authorizations; and continuous monitoring. The RMF includes activities
to prepare organizations to execute the framework at appropriate risk
management levels. The RMF also promotes near real-time risk management
and ongoing information system and common control authorization through
the implementation of continuous monitoring processes; provides senior
leaders and executives with the necessary information to make
efficient, cost-effective, risk management decisions about the systems
supporting their missions and business functions; and incorporates
security and privacy into the system development life cycle. Executing
the RMF tasks links essential risk management processes at the system
level to risk management processes at the organization level. In
addition, it establishes responsibility and accountability for the
controls implemented within an organization's information systems and
inherited by those systems. This document is incorporated by reference
as a source for definitions.
(d) NIST SP 800-39, titled ``Managing Information Security Risk:
Organization, Mission, and Information System View'' provides guidance
for an integrated, organization-wide program for managing information
security risk to organizational operations (i.e., mission, functions,
image, and reputation), organizational assets, individuals, other
organizations, and the Nation resulting from the operation and use of
federal information systems. SP 800-39 provides a structured, yet
flexible approach for managing risk that is intentionally broad-based,
with the specific details of assessing, responding to, and monitoring
risk on an ongoing basis provided by other supporting NIST security
standards and guidelines. The guidance provided in this publication is
not intended to replace or subsume other risk-related activities,
programs, processes, or approaches that organizations have implemented
or intend to implement addressing areas of risk management covered by
other legislation, directives, policies, programmatic initiatives, or
mission/business requirements. Rather, the risk management guidance
described herein is complementary to and should be used as part of a
more comprehensive Enterprise Risk Management (ERM) program. This
document is incorporated by reference as a source for definitions.
(e) NIST SP 800-53, revision 5, titled ``Security and Privacy
Controls for Information Systems and Organizations'' provides a catalog
of security and privacy controls for information systems and
organizations to protect organizational operations and assets,
individuals, other organizations, and the Nation from a diverse set of
threats and risks, including hostile attacks, human errors, natural
disasters, structural failures, foreign intelligence entities, and
privacy risks. The controls are flexible and customizable and
implemented as part of an organization-wide process to manage risk. The
controls address diverse requirements derived from mission and business
needs, laws, executive orders, directives, regulations, policies,
standards, and guidelines. Finally, the consolidated control catalog
addresses security and privacy from a functionality perspective (i.e.,
the strength of functions and mechanisms provided by the controls) and
from an assurance perspective (i.e., the measure
of confidence in the security or privacy capability provided by the
controls). Addressing functionality and assurance helps to ensure that
information technology products and the systems that rely on those
products are sufficiently trustworthy. This document is incorporated by
reference as a source for definitions.
(f) NIST SP 800-82, revision 2, titled ``Guide to Industrial
Control Systems (ICS) Security'' provides guidance on how to secure
ICS, including Supervisory Control and Data Acquisition (SCADA)
systems, Distributed Control Systems (DCS), and other control system
configurations such as Programmable Logic Controllers (PLC), while
addressing their unique performance, reliability, and safety
requirements. The document provides an overview of ICS and typical
system topologies, identifies typical threats and vulnerabilities to
these systems, and provides recommended security countermeasures to
mitigate the associated risks. This document is incorporated by
reference as a source for definitions.
(g) NIST SP 800-115, titled ``Technical Guide to Information
Security Testing and Assessment'' assists organizations in planning and
conducting technical information security tests and examinations,
analyzing findings, and developing mitigation strategies. The guide
provides practical recommendations for designing, implementing, and
maintaining technical information security test and examination
processes and procedures. These can be used for several purposes, such
as finding vulnerabilities in a system or network and verifying
compliance with a policy or other requirements. The guide is not
intended to present a comprehensive information security testing and
examination program but rather an overview of key elements of technical
security testing and examination, with an emphasis on specific
technical techniques, the benefits and limitations of each, and
recommendations for their use. This document is incorporated by
reference as a source for definitions.
(h) NIST SP 800-160, Volume 2, revision 1, titled ``Developing
Cyber-Resilient Systems: A Systems Security Engineering Approach''
focuses on cyber resiliency engineering--an emerging specialty systems
engineering discipline applied in conjunction with systems security
engineering and resilience engineering to develop survivable,
trustworthy secure systems. Cyber resiliency engineering intends to
architect, design, develop, implement, maintain, and sustain the
trustworthiness of systems with the capability to anticipate,
withstand, recover from, and adapt to adverse conditions, stresses,
attacks, or compromises that use or are enabled by cyber resources.
From a risk management perspective, cyber resiliency is intended to
help reduce the mission, business, organizational, enterprise, or
sector risk of depending on cyber resources. This document is
incorporated by reference as a source for definitions.
(i) NIST SP 800-171, revision 2, titled ``Security Requirements for
Controlled Unclassified Information'' provides agencies with
recommended security requirements for protecting the confidentiality of
CUI when the information is resident in nonfederal systems and
organizations; when the nonfederal organization is not collecting or
maintaining information on behalf of a federal agency or using or
operating a system on behalf of an agency; and where there are no
specific safeguarding requirements for protecting the confidentiality
of CUI prescribed by the authorizing law, regulation, or governmentwide
policy for the CUI category listed in the CUI Registry. The
requirements apply to all components of nonfederal systems and
organizations that process, store, and/or transmit CUI, or that provide
protection for such components. The security requirements are intended
for use by federal agencies in contractual vehicles or other agreements
established between those agencies and nonfederal organizations. This
document is incorporated by reference as a foundational source for
definitions and security requirements.
(j) NIST SP 800-171A, titled ``Assessing Security Requirements for
Controlled Unclassified Information'' provides federal and nonfederal
organizations with assessment procedures and a methodology that can be
employed to conduct assessments of the CUI security requirements in
NIST SP 800-171. The assessment procedures are flexible and can be
customized to the needs of the organizations and the assessors
conducting the assessments. Security assessments can be conducted as
self-assessments; independent, third-party assessments; or government-
sponsored assessments and can be applied with various degrees of rigor,
based on customer-defined depth and coverage attributes. The findings
and evidence produced during the security assessments can facilitate
risk-based decisions by organizations related to the CUI requirements.
This document is incorporated by reference as a foundational source for
definitions and assessment.
(k) NIST SP 800-172, titled ``Enhanced Security Requirements for
Controlled Unclassified Information'' provides federal agencies with
recommended enhanced security requirements for protecting the
confidentiality of CUI: (1) when the information is resident in
nonfederal systems and organizations; (2) when the nonfederal
organization is not collecting or maintaining information on behalf of
a federal agency or using or operating a system on behalf of an agency;
and (3) where there are no specific safeguarding requirements for
protecting the confidentiality of CUI prescribed by the authorizing
law, regulation, or government-wide policy for the CUI category listed
in the CUI Registry. The enhanced requirements apply only to components
of nonfederal systems that process, store, or transmit CUI or that
provide security protection for such components when the designated CUI
is associated with a critical program or high value asset. The enhanced
requirements supplement the basic and derived security requirements in
NIST SP 800-171 and are intended for use by federal agencies in
contractual vehicles or other agreements established between those
agencies and nonfederal organizations. This document is incorporated by
reference as a foundational source for security requirements.
(l) NIST SP 800-172A, titled ``Assessing Enhanced Security
Requirements for Controlled Unclassified Information'' provides federal
agencies and nonfederal organizations with assessment procedures that
can be used to carry out assessments of the requirements in NIST SP
800-172. The assessment procedures are flexible and can be tailored to
the needs of organizations and assessors. Assessments can be conducted
as (1) self-assessments; (2) independent, third-party assessments; or
(3) government-sponsored assessments. The assessments can be conducted
with varying degrees of rigor based on customer-defined depth and
coverage attributes. The findings and evidence produced during the
assessments can be used to facilitate risk-based decisions by
organizations related to the CUI enhanced security requirements. This
document is incorporated by reference as a foundational source for
definitions and assessment.
(m) Committee on National Security Systems (CNSS) Instruction No.
4009 provides a glossary of terms and applies to all U.S. Government
Departments, Agencies, Bureaus and Offices, supporting contractors and
agents that collect, generate, process, store, display,
[[Page 89063]]
transmit or receive classified or controlled unclassified information,
or that operate, use, or connect to National Security Systems (NSS).
This document is incorporated by reference as a source for definitions.
(n) ISO/IEC 17011:2017, titled ``Conformity assessment--
Requirements for accreditation bodies accrediting conformity assessment
bodies'' specifies requirements for the competence, consistent
operation and impartiality of accreditation bodies assessing and
accrediting conformity assessment bodies. This document is incorporated
by reference as a source for requirements on the CMMC Ecosystem.
(o) ISO/IEC 17020:2012, titled ``Conformity assessment--
Requirements for the operation of various types of bodies performing
inspection'' specifies requirements for the competence of bodies
performing inspection and for the impartiality and consistency of their
inspection activities. It applies to inspection bodies of type A, B or
C, as defined in ISO/IEC 17020:2012, and it applies to any stage of
inspection. This document is incorporated by reference as a source
for requirements on the CMMC Ecosystem.
(p) ISO/IEC 17024:2012, titled ``Conformity assessment--General
requirements for bodies operating certification of persons'' contains
principles and requirements for a body certifying persons against
specific requirements, and includes the development and maintenance of a
certification scheme for persons. This document is
incorporated by reference as a source for requirements on the CMMC
Ecosystem.
Section 170.3 Applicability
Section 170.3 identifies entities to which the rule applies and how
the Department intends to implement the rule. The rule applies to
defense contractors and subcontractors that will process, store, or
transmit FCI or CUI, and private-sector businesses or other entities
that are specified in Subpart C. This rule does not apply to Government
information systems that are operated by contractors and subcontractors
in support of the Government. CMMC Program requirements apply
to DoD solicitations and contracts requiring defense contractors and
subcontractors to process, store, or transmit FCI or CUI. Exceptions to
the applicability of this rule are addressed in Sec. 170.3(c)(1) and
(2). Department Program Managers or requiring activities will determine
which CMMC Level will apply to a contract or procurement. Applicability
of the CMMC Level to subcontractors is addressed in Sec. 170.23.
Section 170.3 addresses the four-phased implementation plan of the
CMMC Program requirements in solicitations and contracts. Phase 1
begins on the effective date of the CMMC revision to DFARS 252.204-
7021. More information regarding Phase 1 can be found in Sec.
170.3(e)(1). Phase 2 begins six months after the start date of Phase 1.
More information regarding Phase 2 can be found in Sec. 170.3(e)(2).
Phase 3 begins one calendar year after the start date of Phase 2. More
information regarding Phase 3 can be found in Sec. 170.3(e)(3). Phase
4, or full implementation, begins one calendar year after the start
date of Phase 3. More information regarding Phase 4 can be found in
Sec. 170.3(e)(4).
Section 170.4 Acronyms and Definitions
Section 170.4 includes acronyms and definitions used in the rule
text and can be used as a reference while reading the text and tables.
CMMC introduces new terms and associated definitions, and customizes
definitions for existing terms, as applied to the CMMC Program. CMMC-
custom terms and definitions are clearly marked to distinguish from
terms sourced externally. CMMC also utilizes terms created by other
authoritative sources, including NIST. Terms from other authoritative
sources are also listed in Sec. 170.4 and are properly sourced.
The Department developed the following CMMC-custom terms to enhance
understanding of the requirements and elements of the CMMC Program and
welcomes comments on these definitions as part of the proposed rule:
Accreditation
Accreditation Body
Assessment
Self-Assessment
CMMC Level 2 Certification Assessment
CMMC Level 3 Certification Assessment
Assessment Findings Report
Assessment Team
Asset Categories
Authorized
CMMC Assessment and Certification Ecosystem
CMMC Assessment Scope
CMMC Assessor and Instructor Certification Organization (CAICO)
CMMC instantiation of eMASS
CMMC Level 1 Self-Assessment
CMMC Level 2 Conditional Certification Assessment
CMMC Level 2 Conditional Self-Assessment
CMMC Level 2 Final Certification Assessment
CMMC Level 2 Final Self-Assessment
CMMC Level 3 Conditional Certification Assessment
CMMC Level 3 Final Certification Assessment
CMMC Third-Party Assessment Organization (C3PAO)
Contractor Risk Managed Assets
Controlled Unclassified Information (CUI) Assets
External Service Provider (ESP)
Federal Contract Information (FCI) Assets
Organization-Defined
Organization Seeking Assessment (OSA)
Organization Seeking Certification (OSC)
Out-of-Scope Assets
Periodically
Process, store, or transmit
Restricted Information Systems
Security Protection Assets
Specialized Assets
Test Equipment.
Section 170.5 Policy
Section 170.5 addresses the policy underlying the rule. The
protection of FCI and CUI on defense contractor information systems is
crucial to the continuity of the missions and functions of the DoD. To
that end, this rule requires that contractors and subcontractors
implement the specified security requirements for the applicable CMMC
Level. For CMMC Level 3, safeguards defined in NIST SP 800-172 and DoD-
specified parameters (see table 1 to Sec. 170.14(c)(4)) may be
required.
Program Managers and requiring activities identify the applicable
CMMC Level. Factors used to determine the applicable CMMC Level include,
but are not limited to, those listed in Sec. 170.5(b)(1) through (5).
CMMC Program requirements will flow down to subcontractors, as
applicable (see Sec. 170.23). A DoD Service Acquisition Executive or a
Component Acquisition Executive may elect to waive inclusion of CMMC
Program requirements in a solicitation or contract.
Section 170.5 addresses that the CMMC Program does not alter the
requirements imposed on contractors and subcontractors in FAR 52.204-
21, DFARS subpart 204.73, or any other applicable safeguarding of
information requirement. The CMMC Program verifies implementation of
security requirements in FAR 52.204-21, NIST SP 800-171 Rev 2, and NIST
SP 800-172, as applicable.
Section 170.6 CMMC PMO
Section 170.6 addresses the CMMC Program Management Office (PMO)
functions that are performed within the
[[Page 89064]]
Department of Defense Chief Information Officer (DoD CIO).
Section 170.7 DCMA DIBCAC
Section 170.7 addresses how DCMA DIBCAC will support the CMMC
Program by conducting CMMC Level 2 assessments of the Accreditation
Body and C3PAOs; conducting CMMC Level 3 assessments for OSCs; and
recording results, issuing certificates, tracking appeals, and
retaining records as required.
Section 170.8 Accreditation Body
Section 170.8 addresses the roles and responsibilities of the
Accreditation Body, as well as requirements that the Accreditation Body
must meet. The Accreditation Body must be a member in good standing
with the Inter-American Accreditation Cooperation (IAAC) and become an
International Laboratory Accreditation Cooperation (ILAC) Mutual
Recognition Arrangement (MRA) signatory, with a signatory status scope
of ISO/IEC 17020:2012 and be compliant with ISO/IEC 17011:2017.\13\
There is only one Accreditation Body for the DoD CMMC Program at any
given time, and its primary mission is to authorize and accredit the
C3PAOs. Prior to the Accreditation Body being compliant with ISO/IEC
17011:2017 and completing a peer assessment of conformity with the IAAC
in accordance with the ISO Committee on Conformity Assessment,\14\ the
Accreditation Body may authorize but not accredit C3PAOs. After the
Accreditation Body has achieved compliance with ISO/IEC 17011:2017 and
completed a peer assessment of conformity with the IAAC in accordance
with the ISO Committee on Conformity Assessment, the Accreditation Body
may accredit C3PAOs.
---------------------------------------------------------------------------
\13\ https://www.iso.org/standard/67198.html.
\14\ https://www.iso.org/committee/54998.html.
---------------------------------------------------------------------------
The Accreditation Body also oversees the CAICO to ensure compliance
with ISO/IEC 17024:2012 \15\ and to ensure all training products,
instruction, and testing materials are of high quality.
---------------------------------------------------------------------------
\15\ https://www.iso.org/standard/52993.html.
---------------------------------------------------------------------------
Section 170.8 addresses specific requirements for the Accreditation
Body with regards to national security background checks, foreign
ownership, reporting, information protection, and appeals. The
Accreditation Body will also develop policies for Conflict of Interest
(CoI), Code of Professional Conduct (CoPC), and Ethics that comply with
all ISO/IEC 17011:2017 and DoD requirements. These policies will apply
to the Accreditation Body as well as to all other individuals,
entities, and groups within the CMMC Ecosystem. The information systems
used by the Accreditation Body to process CMMC information have to meet
all of the security requirements for CMMC Level 2 and will be assessed
by DCMA's Defense Industrial Base Cybersecurity Assessment Center
(DIBCAC).
Section 170.9 CMMC Third-Party Assessment Organizations (C3PAOs)
Section 170.9 addresses the roles, responsibilities, and
requirements for C3PAOs, which are the organizations that perform CMMC
Level 2 Certification Assessments for OSCs. The C3PAOs will submit
assessment data into the CMMC instantiation of eMASS,\16\ a CMMC
instance of the government-owned and -operated Enterprise Mission
Assurance Support Service. C3PAOs grant a certificate of
assessment when all security requirements are met, in accordance with
the requirements in Sec. 170.17 of this part.
---------------------------------------------------------------------------
\16\ This system is accessible only to authorized users.
---------------------------------------------------------------------------
Section 170.9 addresses detailed requirements for C3PAOs with
regards to national security background checks, foreign ownership,
reporting, records management, information protection, quality
assurance, and appeals. The information systems used by C3PAOs to
process CMMC assessment information have to meet all of the security
requirements for CMMC Level 2 and will be assessed by DCMA DIBCAC.
C3PAOs need to comply with ISO/IEC 17020:2012, as well as with the
Accreditation Body's policies for CoI, CoPC, and Ethics.
Prior to a C3PAO being compliant with ISO/IEC 17020:2012, the C3PAO
may be authorized but not accredited. After a C3PAO is compliant with
ISO/IEC 17020:2012, the C3PAO may be accredited.
Section 170.10 CMMC Assessor and Instructor Certification Organization
(CAICO)
Section 170.10 addresses the roles, responsibilities, and
requirements for the CAICO, the organization that trains, tests,
authorizes, and certifies CMMC assessors, instructors, and related
professionals. There is only one CAICO for the DoD CMMC Program at any
given time. The CAICO must comply with ISO/IEC 17024:2012, as well as
with the Accreditation Body's policies for CoI, CoPC, and Ethics.
Section 170.10 addresses detailed requirements for the CAICO with
regards to certification examinations, quality assurance, appeals,
records management, reporting, separation of duties, and information
protection.
Section 170.11 CMMC Certified Assessor (CCA)
Section 170.11 addresses the roles and responsibilities of a CMMC
Certified Assessor (CCA) who conducts Level 2 Certification Assessments.
In order to be a CCA, a candidate must first be a CCP, adhere to the
requirements set forth in Sec. 170.10 and Sec. 170.8(b)(17), and
complete a Tier 3 background investigation or equivalent. The required
cybersecurity experience for different CCA roles is addressed in Sec.
170.11(b)(6) and (7). Section 170.11 addresses CCA requirements with
respect to security breaches; completion of a Tier 3 background
investigation or equivalent; reporting; sharing assessment information;
and permitted use of C3PAO equipment, devices, and services.
Section 170.12 CMMC Certified Instructor (CCI)
Section 170.12 addresses the roles and responsibilities of a CMMC
Certified Instructor (CCI) to teach CMMC assessor candidates. The CAICO
trains and tests candidate CCIs per the requirements set forth in Sec.
170.12(b). Section 170.12 also lists the CCI requirements for obtaining
and maintaining certification, compliance with Accreditation Body
policies, work activity exclusions, confidentiality expectations, the
non-disclosure clause, non-public training related information,
forbidden consulting services, and reporting requirements.
Section 170.13 CMMC Certified Professional (CCP)
Section 170.13 addresses the roles and responsibilities of a CMMC
Certified Professional (CCP) required to provide advice, consulting,
and recommendations to clients. The CAICO trains and tests candidate
CCPs per the requirements set forth in Sec. 170.13(b) with CCP
certification issued upon successful completion. A CCP can participate
on CMMC Level 2 Certification Assessments with CCA oversight, however
CCAs are responsible for making final assessment determinations. A list
of CCP requirements is provided for obtaining and maintaining
certification, compliance with Accreditation Body policies, completion
of a Tier 3 background investigation or equivalent, sharing assessment
specific information, and reporting requirements.
[[Page 89065]]
Section 170.14 CMMC Model
Section 170.14 addresses the structure, security requirement
contents, organization, sourcing, and numbering of the security
requirements that comprise the CMMC Model. It also provides an overview
of the assessment process. The CMMC Model consists of three (3) levels,
each containing security requirements taken directly from existing
regulations and guidelines. Firstly, Sec. 170.14(c)(2) defines CMMC
Level 1 as the 15 requirements listed in FAR clause 52.204-21(b)(1).
Secondly, Sec. 170.14(c)(3) defines CMMC Level 2 as the 110 requirements
from NIST SP 800-171 Rev 2. Lastly, Sec. 170.14(c)(4) defines CMMC
Level 3 as 24 selected requirements from NIST SP 800-172.
The CMMC security requirements are organized into domains following
the approach taken in NIST SP 800-171 Rev 2. The numbering of the CMMC
security requirements, addressed in Sec. 170.14(c)(1), is of the form
DD.L#-REQ where the `DD' is the two-letter domain abbreviation, the
`L#' is the CMMC Level, and the `REQ' is based directly on the
numbering in the source. Assessment criteria for these security
requirements, as described in Sec. 170.14(d), are based on the security
requirement assessment guidance provided in NIST SP 800-171A and NIST
SP 800-172A.
Section 170.15 CMMC Level 1 Self-Assessment and Affirmation
Requirements
Section 170.15 addresses how an OSA will achieve and maintain
compliance with CMMC Level 1 Self-Assessment. The OSA must successfully
implement the security requirements listed in Sec. 170.14(c)(2) within
their Level 1 CMMC Assessment Scope as described in Sec. 170.19(b).
Successful implementation requires meeting all objectives defined in
NIST SP 800-171A for the corresponding CMMC Level 1 security
requirements as outlined in the mapping table 1 to Sec.
170.15(c)(1)(i).
After implementation, the OSA must perform a self-assessment to
verify the implementation and score themselves using the scoring
methodology provided in Sec. 170.24. All objectives must be met in
order for a security requirement to be considered fully implemented; no
security requirements may be placed on a POA&M for Level 1. The OSA
must then input their results into SPRS as described in Sec.
170.15(a)(1)(i) and submit an affirmation as described in Sec. 170.22.
In order to be eligible for a contract with a CMMC Level 1 Self-
Assessment requirement, the OSA must have a Level 1 Self-Assessment and
have submitted an affirmation. These activities must be completed
annually.
Section 170.16 CMMC Level 2 Self-Assessment and Affirmation
Requirements
Section 170.16 addresses how an OSA will achieve and maintain
compliance with CMMC Level 2 Self-Assessment. The OSA must successfully
implement the security requirements listed in Sec. 170.14(c)(3) within
its Level 2 CMMC Assessment Scope as described in Sec. 170.19(c).
Successful implementation requires meeting all objectives defined in
NIST SP 800-171A for the corresponding CMMC Level 2 security
requirements.
After implementation, the OSA must perform a self-assessment to
verify the implementation and score themselves using the scoring
methodology provided in Sec. 170.24. All objectives must be met in
order for a security requirement to be considered fully implemented; in
some cases, if not all objectives are met, some security requirements
may be placed on a POA&M as provided for in Sec. 170.21. If the
minimum score has been achieved and some security requirements are in a
POA&M, the OSA has a Conditional Self-Assessment; if the minimum score
has been achieved and no security requirements are in a POA&M, the OSA
has a Final Self-Assessment. For Conditional Self-Assessments, a POA&M
close-out must be conducted within 180 days as described in Sec.
170.21(b).
After both Conditional Self-Assessment and Final Self-Assessment,
the OSA must input their results into SPRS as described in Sec.
170.16(a)(1)(i) and submit an affirmation as described in Sec. 170.22.
In order to be eligible for a contract with a CMMC Level 2 Self-
Assessment requirement, the OSA must have a Level 2 Conditional Self-
Assessment or Level 2 Final Self-Assessment and have submitted an
affirmation. The Level 2 Self-Assessment must be completed every three
years and the affirmation must be completed annually.
Section 170.17 CMMC Level 2 Certification Assessment and Affirmation
Requirements
Section 170.17 addresses how an OSC will achieve and maintain
compliance with CMMC Level 2 Certification Assessment. The OSC must
successfully implement the security requirements listed in Sec.
170.14(c)(3) within its Level 2 CMMC Assessment Scope as described in
Sec. 170.19(c). Successful implementation requires meeting all
objectives defined in NIST SP 800-171A for the corresponding CMMC Level
2 security requirements.
After implementation, the OSC must hire a C3PAO to perform an
assessment to verify the implementation. The C3PAO will score the OSC
using the scoring methodology provided in Sec. 170.24. All objectives
must be met in order for a security requirement to be considered fully
implemented; in some cases, if not all objectives are met, some
security requirements may be placed on a POA&M as defined in Sec.
170.21. If the minimum score has been achieved and some security
requirements are in a POA&M, the OSC has a Conditional Certification
Assessment; if the minimum score has been achieved and no security
requirements are in a POA&M, the OSC has a Final Certification
Assessment. For Conditional Certification Assessments, a POA&M close-
out must be conducted within 180 days as described in Sec. 170.21(b).
After both Conditional Certification Assessment and Final
Certification Assessment, the C3PAO will input the OSC's results into
the CMMC instantiation of eMASS as described in Sec. 170.17(a)(1)(i).
After both Conditional Certification Assessment and Final Certification
Assessment, the OSC must submit an affirmation as described in Sec.
170.22.
In order to be eligible for a contract with a CMMC Level 2
Certification Assessment requirement, the OSC must have a CMMC Level 2
Conditional Certification Assessment or CMMC Level 2 Final
Certification Assessment and have submitted an affirmation. The CMMC
Level 2 Certification Assessment must be completed every three years and
the affirmation must be completed annually.
Section 170.18 CMMC Level 3 Certification Assessment and Affirmation
Requirements
Section 170.18 addresses how an OSC will achieve and maintain
compliance with CMMC Level 3 Certification Assessment. The OSC must
have a CMMC Level 2 Final Certification Assessment based on its Level 3
CMMC Assessment Scope. The OSC must successfully implement the security
requirements listed in Sec. 170.14(c)(4) and table 1 to Sec.
170.14(c)(4) within its Level 3 CMMC Assessment Scope as described in
Sec. 170.19(d). Successful implementation requires meeting all
objectives defined in NIST SP 800-172A for the corresponding CMMC Level
3 security requirements.
After implementation, the OSC must contact DCMA DIBCAC to perform
an assessment to verify the
[[Page 89066]]
implementation. DCMA DIBCAC will score the OSC using the scoring
methodology provided in Sec. 170.24. All objectives must be met in
order for a security requirement to be considered fully implemented; in
some cases, if not all objectives are met, some security requirements
may be placed on a POA&M as defined in Sec. 170.21. If the minimum
score has been achieved and some security requirements are in a POA&M,
the OSC has a Conditional Certification Assessment; if the minimum
score has been achieved and no security requirements are in a POA&M,
the OSC has a Final Certification Assessment. For Conditional
Certification Assessments, a POA&M close-out must be conducted within
180 days as described in Sec. 170.21(b).
After both Conditional Certification Assessment and Final
Certification Assessment, DCMA DIBCAC will input the OSC's results into
the CMMC instantiation of eMASS as described in Sec. 170.18(a)(1)(i).
After both Conditional Certification Assessment and Final Certification
Assessment, the OSC must submit an affirmation as described in Sec.
170.22.
In order to be eligible for a contract with a CMMC Level 3
Certification Assessment requirement, the OSC must have a CMMC Level 3
Conditional Certification Assessment or CMMC Level 3 Final
Certification Assessment and have submitted an affirmation. The CMMC
Level 3 Certification Assessment must be completed every three years and
the affirmation must be completed annually.
Section 170.19 CMMC Scoping
Section 170.19 addresses the requirements for the scoping of each
CMMC Level assessment. Scoping determines which assets are included in
a given assessment and the degree to which each is assessed. The CMMC
Assessment Scope is specified prior to any CMMC assessment, based on
the CMMC Level being assessed. The Level 2 CMMC Assessment Scope may
also be affected by any intent to achieve a CMMC Level 3 Certification
Assessment, as detailed in Sec. 170.19(e).
Scoping for CMMC Level 1, as detailed in Sec. 170.19(b), consists
of all assets that process, store, or transmit FCI. These assets are
fully assessed against the applicable CMMC security requirements
identified in Sec. 170.14(c)(2) and following the procedures in Sec.
170.15(c). All other assets are out of scope and are not considered in
the assessment.
Scoping for CMMC Level 2, as detailed in Sec. 170.19(c), consists
of all assets that process, store, or transmit CUI, and all assets that
provide security protections for these assets. These assets are fully
assessed against the applicable CMMC security requirements identified
in Sec. 170.14(c)(3) and following the CMMC Level 2 Self-Assessment
procedures in Sec. 170.16(c) or the CMMC Level 2 Certification
Assessment procedures in Sec. 170.17(c). In addition, Contractor Risk
Managed Assets, which are assets that can, but are not intended to,
process, store, or transmit CUI because of security policy, procedures,
and practices in place, are documented and are subject to a limited
check that may result in the identification of a deficiency, as
addressed in table 1 to Sec. 170.19(c)(1). Finally, Specialized
Assets, which are assets that can process, store, or transmit CUI but
are unable to be fully secured, including: Internet of Things (IoT)
devices, Industrial Internet of Things (IIoT) devices, Operational
Technology (OT), Government Furnished Equipment (GFE), Restricted
Information Systems, and Test Equipment, are documented but are not
assessed against other CMMC security requirements, as addressed in
table 1 to Sec. 170.19(c)(1). All other assets are out of scope and
are not considered in the assessment.
Scoping for CMMC Level 3, as detailed in Sec. 170.19(d), consists
of all assets that can (whether intended to or not) or do process,
store, or transmit CUI, and all assets that provide security
protections for these assets. The CMMC Level 3 Assessment Scope also
includes all Specialized Assets but allows an intermediary device to
provide the capability for the Specialized Asset to meet one or more
CMMC security requirements, as needed. These assets (or the applicable
intermediary device, in the case of Specialized Assets) are fully
assessed against the applicable CMMC security requirements identified
in Sec. 170.14(c)(4) and following the procedures in Sec. 170.18(c).
All other assets are out of scope and are not considered in the
assessment.
If an OSA utilizes an ESP, other than a Cloud Service Provider
(CSP), the ESP must have a CMMC certification level equal to or greater
than the certification level the OSA is seeking. For example, if an OSA
is seeking a CMMC Level 2 Certification Assessment the ESP must have
either a CMMC Level 2 Certification Assessment or a CMMC Level 3
Certification Assessment.
Section 170.20 Standards Acceptance
Section 170.20 addresses how OSCs that, prior to the effective date
of this rule, have achieved a perfect score on a DCMA DIBCAC High
Assessment with the same scope as a Level 2 CMMC Assessment Scope, are
eligible for a CMMC Level 2 Certification Assessment.
Section 170.21 Plan of Action and Milestones Requirements
Section 170.21 addresses rules for having a POA&M for the purposes
of a CMMC assessment and satisfying contract eligibility requirements
for CMMC. All POA&Ms must be closed within 180 days of the initial
assessment. To satisfy CMMC Level 1 requirements, a POA&M is not
allowed. To satisfy CMMC Level 2 requirements, both self-assessment and
certification assessment, a POA&M is allowed. Section 170.21 details
the overall minimum score that must be achieved and identifies the
Level 2 security requirements that cannot have a POA&M and must be
fully met at the time of the assessment. To satisfy CMMC Level 3
requirements, a POA&M is allowed. Section 170.21 details the overall
minimum score that must be achieved and identifies the Level 3 security
requirements that cannot have a POA&M and must be fully met at the time
of the assessment. Section 170.21 also establishes rules for closing
POA&Ms.
Section 170.22 Affirmation
Section 170.22 addresses that the OSA's affirming official must
affirm, in SPRS, compliance with the appropriate CMMC Self-Assessment
or Certification Assessment: upon completion of any conditional or
final assessment, annually following final assessment, and following a
POA&M closeout assessment (as applicable).
Section 170.23 Application to Subcontractors
Section 170.23 addresses flow down of CMMC requirements from the
prime contractor to the subcontractors in the supply chain. Prime
contractors shall comply and shall require subcontractor compliance
throughout the supply chain at all tiers with the applicable CMMC level
for each subcontract as addressed in Sec. 170.23(a).
Section 170.24 CMMC Scoring Methodology
Section 170.24 addresses the assessment finding types MET, NOT MET,
and NOT APPLICABLE (N/A) in the context of CMMC assessments, and the
CMMC Scoring Methodology used to measure the implementation status of
security requirements for CMMC Level 2 and CMMC Level 3. Scoring is not
calculated for CMMC Level 1 since all
requirements must be MET at the time of assessment.
For CMMC Level 2, the maximum score is the total number of
requirements and is the starting value for assessment scoring. Any
requirement that has one or more NOT MET objectives reduces the current
score by the value of the specific requirement. Values for each CMMC
Level 2 requirement are enumerated in Sec. 170.24(c)(2)(i)(B).
For CMMC Level 3, the maximum score is the total number of
requirements and is the starting value for assessment scoring. Any
requirement that has one or more NOT MET objectives reduces the current
score by the value of the specific requirement. CMMC Level 3 does not
use varying values; the value for each requirement is one (1), as
described in Sec. 170.24(c)(3).
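The scoring arithmetic above, combined with the Section 170.21 POA&M conditions, as an added worked example (not DoD's or the rule's own code): it rolls objective findings up to requirement findings, computes the Level 2 and Level 3 scores, and decides whether an assessment can close with a POA&M. The requirement IDs, per-requirement values, the minimum score and the set of requirements that cannot be placed on a POA&M are constructed placeholders; the rule's actual values are in Sec. 170.24(c)(2)(i)(B) and Sec. 170.21, not on this page.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

# Finding types named in Sec. 170.24
MET, NOT_MET, NA = "MET", "NOT MET", "N/A"
POAM_CLOSEOUT_DAYS = 180  # Sec. 170.21: all POA&Ms must be closed within 180 days


@dataclass
class Requirement:
    req_id: str
    objectives: Dict[str, str]  # assessment objective -> finding
    level2_value: int           # CONSTRUCTED; real values are in Sec. 170.24(c)(2)(i)(B)

    def finding(self) -> str:
        # A requirement with one or more NOT MET objectives is NOT MET.
        # Only NOT MET reduces the score, so N/A objectives never count against it.
        return NOT_MET if NOT_MET in self.objectives.values() else MET


def score(reqs: List[Requirement], level: int) -> int:
    """Sec. 170.24: start at the number of requirements and subtract the value
    of every NOT MET requirement. Level 2 uses per-requirement values; Level 3
    values every requirement at one. Level 1 is not scored at all."""
    if level not in (2, 3):
        raise ValueError("only CMMC Level 2 and Level 3 are scored")
    current = len(reqs)  # maximum score = total number of requirements
    for r in reqs:
        if r.finding() == NOT_MET:
            current -= r.level2_value if level == 2 else 1
    return current


def poam_decision(reqs: List[Requirement], level: int, min_score: int,
                  no_poam_ids: Set[str], assessed_on: date) -> dict:
    """Sec. 170.21: no POA&M at Level 1 (everything must be MET). At Level 2
    and 3 a POA&M is allowed only if the score meets the minimum and none of
    the 'must be fully met' requirements is NOT MET. min_score and
    no_poam_ids are CONSTRUCTED placeholders here."""
    not_met = [r.req_id for r in reqs if r.finding() == NOT_MET]
    if level == 1:
        return {"status": "final" if not not_met else "not eligible",
                "score": None, "not_met": not_met, "blocked": not_met,
                "poam_deadline": None}
    s = score(reqs, level)
    blocked = [i for i in not_met if i in no_poam_ids]
    if not not_met:
        status = "final"
    elif s >= min_score and not blocked:
        status = "conditional"  # POA&M allowed; closeout assessment still needed
    else:
        status = "not eligible"
    deadline: Optional[date] = None
    if status == "conditional":
        deadline = assessed_on + timedelta(days=POAM_CLOSEOUT_DAYS)
    return {"status": status, "score": s, "not_met": not_met,
            "blocked": blocked, "poam_deadline": deadline}


def poam_closed_on_time(assessed_on: date, closed_on: date) -> bool:
    """True when the POA&M closeout falls inside the 180-day window."""
    return closed_on <= assessed_on + timedelta(days=POAM_CLOSEOUT_DAYS)


# CONSTRUCTED sample assessment: IDs, objectives and values are placeholders
SAMPLE = [
    Requirement("R1", {"a": MET, "b": MET}, level2_value=5),
    Requirement("R2", {"a": MET, "b": NOT_MET}, level2_value=1),
    Requirement("R3", {"a": NA}, level2_value=3),
    Requirement("R4", {"a": NOT_MET}, level2_value=3),
    Requirement("R5", {"a": MET}, level2_value=1),
]
ASSESSED_ON = date(2024, 1, 15)  # constructed assessment date

if __name__ == "__main__":
    print("Level 2 score:", score(SAMPLE, 2))  # 5 - 1 - 3 = 1
    print("Level 3 score:", score(SAMPLE, 3))  # 5 - 1 - 1 = 3
    # R4 in the no-POA&M set blocks a conditional result; R1 (MET) does not.
    print(poam_decision(SAMPLE, 2, 0, {"R4"}, ASSESSED_ON))
    print(poam_decision(SAMPLE, 2, 0, {"R1"}, ASSESSED_ON))
```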
Appendix A to Part 170: Guidance
Appendix A lists the guidance documents that are available to
support defense contractors and the CMMC Ecosystem in the
implementation and assessment of CMMC requirements.
Discussion of Public Comments and Resulting Changes
As part of standing up version 1 of the CMMC Program, the
Department of Defense published a DFARS interim final rule, ``Assessing
Contractor Implementation of Cybersecurity Requirements'' in the
Federal Register on September 29, 2020 (85 FR 61505). The Department
received approximately 750 comments on the DFARS interim final rule
pertaining to elements of the CMMC Program that are now being addressed
in this rule. Those comments are summarized and addressed in the
discussion and analysis.
In addition to comments on elements of the CMMC Program, DoD also
received comments on the associated DFARS text, solicitation
provisions, and contract clauses relating to the CMMC Program. The CMMC
Program requirements proposed in this rule will be implemented in the
DFARS, as needed, which may result in changes to current DoD
solicitation provisions and contract clauses relating to DoD's
cybersecurity protection requirements, including DFARS clause
252.204-7021, CMMC Requirements. DoD will address comments regarding the
DFARS clause 252.204-7021 in a separate 48 CFR rulemaking.
1. Service Providers
Comment: Multiple commenters asked about applicability of the CMMC
Program to a variety of service providers. One commenter requested
clarification regarding how CUI controls apply to internet Service
Providers and their globally sourced service support because of the
prohibition of foreign dissemination for CUI. Two commenters suggested
that common carrier telecommunications (often termed as Plain-Old-
Telephone-Services (POTS)) and similar commercial services (cloud
services, external service providers) should be treated as commercial
off-the-shelf (COTS), and so excluded from CMMC certification
requirements. One commenter expressed concerns about the impact of the
rule on the telecom industry. One commenter recommended that, to limit
the burden of CMMC implementation, contractors providing commercial
services to support COTS items, such as technical support for software,
should receive the same exceptions as other COTS contracts.
Response: The CMMC Program will result in cybersecurity protection
and assessment requirements for defense contractors and subcontractors.
CMMC Level requirements will apply only if a defense contractor or
subcontractor handles FCI or CUI on its own contractor information
systems. If so, then under CMMC, the contractor or subcontractor will
be required to comply with the cybersecurity protection and assessment
requirements associated with the appropriate Level. As such, CMMC Level
requirements will not apply to internet Service Providers or other
telecommunications service providers (i.e., common carriers), unless
those entities themselves are or intend to become defense contractors
or subcontractors. In addition, there is no general prohibition of
foreign dissemination for CUI, although certain CUI may be subject to
export restrictions. Commercial item determinations per 48 CFR 15, to
include those relating to common carrier telecommunications or cloud
services, are not defined by CMMC. With respect to the CMMC Assessment
Scope, although they provide connectivity for contractor systems, and
the common carrier link is within the boundary of the contractor's
system, the common carrier's information system is not within the
contractor's CMMC Assessment Scope as long as CUI is encrypted during
transport across the common carrier's information system.
2. Joint Ventures
Comment: Multiple commenters asked for clarification on how to
handle joint ventures with respect to DFARS clause 252.204-7021.
Response: The CMMC Program requirements proposed in this rule will
be implemented in the DFARS, as needed, which may result in changes to
current DoD solicitation provisions and contract clauses, including
DFARS clause 252.204-7021. As such, DoD cannot address applicability of
current DFARS clause 252.204-7021 at this time. With respect to joint
ventures, CMMC Program requirements will apply to information systems
associated with the contract efforts that process, store, or transmit
FCI or CUI, and to any information system that provides security
protections for such systems, or information systems not logically or
physically isolated from all such systems.
3. Internet of Things/Operational Technology
Comment: Multiple commenters noted the applicability of the CMMC
requirements to Internet of Things (IoT) and Operational Technology
(OT) systems was unclear. Several commenters expressed concerns about
the impact of the rule on factories and OT.
Response: CMMC security requirements apply to information systems
associated with the contract efforts that process, store, or transmit
FCI or CUI, and to any information system that provides security
protections for such systems, or that is not logically or physically
isolated from all such systems. In accordance with Sec. 170.19, an
OSA's IoT or OT systems located within its Level 1 or Level 2 CMMC
Assessment Scope are not assessed; however, for CMMC Level 2 they are
required to be documented in the System Security Plan (SSP). When a
CMMC Level 2 Certification Assessment is performed as a precursor to a
CMMC Level 3 Certification Assessment, the IoT and OT (and all other
Specialized Assets) should be assessed against all CMMC Level 2
security requirements as described in Sec. 170.18(a)(1). For CMMC
Level 3, an OSC's IoT or OT located within its CMMC Assessment Scope
are assessed against all CMMC security requirements unless they are
physically or logically isolated. However, for IoT and OT (and all
other Specialized Assets), it is permissible to use intermediary
devices to provide the capability for the specialized asset to meet
CMMC Level 3 security requirements.
4. Government Furnished Equipment
Comment: One commenter questioned how the interim rule applies to
Government Furnished Equipment (GFE) in a `test' versus a `production
environment.'
Response: As described in Sec. 170.3, CMMC security requirements
will apply
to any information system associated with the contract efforts that
process, store, or transmit FCI or CUI, and to any information system
that provides security protections for such systems; or information
systems not logically or physically isolated from all such systems.
This includes when a `Test Environment' processes, stores, or transmits
FCI or CUI; provides security protections for such systems; or is not
logically or physically isolated from such systems. See Sec. 170.19
and the response to public comment under the heading 3. Internet of
Things/Operational Technology in the Discussion of Comments and Changes
section of this preamble for additional details on defining the scope
of CMMC assessments.
If GFE cannot be configured to meet all the NIST SP 800-171 Rev 2
requirements or must be maintained in a specified configuration which
does not comply with NIST SP 800-171 Rev 2, additional protections such
as physical or logical isolation may be used for risk mitigation in
accordance with the treatment of Specialized Assets as defined in table
1 to Sec. 170.19(c)(1) CMMC Level 2 Scoping.
5. Fundamental Research
Comment: Multiple commenters requested that DoD clarify the
application of CMMC requirements to fundamental research. Commenters
described adverse consequences of not explicitly exempting fundamental
research from the CMMC requirements, noting that institutions of higher
education will have to pull out of research agreements with the
Department, may no longer accept DoD funds because the resource burden
would be cost prohibitive to both the institution and its partners, and
the burdens imposed by even CMMC Level 1 requirements would hinder the
progress of fundamental research. These commenters also noted that
restrictions on posting of public information would inhibit open
collaboration and the exchange of ideas that is critical to the
advancement of scientific discovery. Commenters also requested that the
Department clarify that subcontracts scoped as fundamental research
also be exempt from CMMC requirements.
Response: CMMC Program requirements are designed to provide
increased assurance to the Department that defense contractors can
adequately protect FCI and CUI, in accordance with already applicable
regulations and standards. Fundamental research is defined by National
Security Defense Directive (NSDD)-189 \17\ as `basic and applied
research in science and engineering, the results of which ordinarily
are published and shared broadly within the scientific community, as
distinguished from proprietary research and from industrial
development, design, production, and product utilization, the results
of which ordinarily are restricted for proprietary or national security
reasons.' CMMC Program requirements apply only to defense contractors
and subcontractors who handle FCI and CUI on an information system
associated with a contract effort or any information system that
provides security protections for such systems, or information systems
not logically or physically isolated from all such systems. Fundamental
research that is `shared broadly within the scientific community' is
not, by definition, FCI or CUI; however, other research-related
information that is provided to or handled by contractors as part of
contract performance may be FCI or CUI, thus may trigger application of
CMMC Level requirements. If DoD determines the information handled by
contractors pursuant to the fundamental research contract activities is
or will become FCI or CUI, the information would be required to be
processed, stored, or transmitted on an information system compliant
with the appropriate CMMC Level.
---------------------------------------------------------------------------
\17\ https://irp.fas.org/offdocs/nsdd/nsdd-189.htm.
---------------------------------------------------------------------------
6. International--Foreign DIB Partners/Non-U.S. Contractors
Comment: Multiple commenters asked if international subcontractors
of a U.S. prime will require CMMC certification. Commenters also asked
if there is a strategy for legally implementing CMMC requirements
beyond the U.S. DIB, and if an enterprise-level resolution has been
developed to address foreign DIB sovereignty. One commenter suggested
that some foreign governments have issued guidance to their local
companies directing them not to accept CMMC flow down requirements.
One commenter expressed concern regarding the impact of CMMC to
existing bilateral/multilateral security agreements. Another commenter
asked if the foreign DIB will be authorized to evaluate U.S. DIB and
vice versa. One non-U.S. commenter suggested using the existing
Facility Security Clearance process to ensure a company is compliant
with CMMC in accordance with national legislation.
Response: Contractors are required to comply with all terms and
conditions of the contract, to include terms and conditions relating to
cybersecurity protections and assessments. In addition, offerors will
be required to comply with the pre-award CMMC requirement. This holds
true when a contract clause is flowed down to subcontractors. The
Facility Security Clearance process does not apply to unclassified
information systems owned by, or operated on behalf of, a non-federal
entity (e.g., contractors), and, therefore, does not apply to systems/
networks that will be subject to CMMC requirements. This rule makes no
distinction about which C3PAOs may assess which companies seeking
certification. For more details on C3PAO requirements, see Sec. 170.9.
7. CUI and FCI
a. Marking and Identifying CUI
Comment: Multiple commenters asked for clarification regarding
definition, marking, and identification of CUI as related to CMMC
requirements and DFARS clause 252.204-7021. One commenter asked if the
definition of DoD CUI applies to the CUI required to be safeguarded
under the CMMC clause. Another asked if DFARS clause 252.204-7021
includes information that requires protection under DFARS clause
252.204-7012.
One commenter requested that the Department confirm that, under
CMMC, contractors will only be responsible for protecting CUI that is
clearly marked upon receipt from the Department and created by
contractors.
Response: If the contract includes a CMMC Level requirement,
contractors will be required to protect FCI and CUI, as applicable,
through fulfillment of the designated CMMC Level security requirements.
CMMC does not in any way change the DoD requirements regarding the
definition, marking, and protection of CUI.
If DFARS clause 252.204-7012 applies, contractors are required to
safeguard covered defense information in accordance with the terms and
conditions of the clause and contract, which includes information
developed in support of the contract. CMMC does not change these
requirements.
b. Relationship of FCI and CUI to the CMMC Requirements
Comment: One commenter suggested that the inclusion of FCI in CMMC
needs significant clarification. Others asked if FCI references within
the CMMC Model [1.0] and nonpublic DoD information references in
Department of
Defense Instruction (DoDI) 8582.01 \18\ are the same type of
information, and if DoDI 8582.01 is the definitive DoD policy for FCI
and DoD standards regarding the requirements under FAR clause
52.204-21.
---------------------------------------------------------------------------
\18\ https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/DoDi/858201p.pdf?ver=2019-12-09-143118-860.
---------------------------------------------------------------------------
Response: The CMMC Program requirements for Level 1 will apply when
the contract effort requires contractors to process, store, or transmit
FCI on its unclassified information system. If CUI is processed,
stored, or transmitted on a contractor information system, a higher
level of CMMC compliance or certification is required. The CMMC Level
required to protect CUI (i.e., CMMC Level 2 Self-Assessment as
described in Sec. 170.16, CMMC Level 2 Certification Assessment as
described in Sec. 170.17, or CMMC Level 3 Certification Assessment as
described in Sec. 170.18) is determined by the Department based upon
the sensitivity of the CUI and will be identified in the solicitation.
The CMMC Program uses the definitions of FCI from FAR 4.1901 and
CUI from 32 CFR 2002, which are the definitive sources for these
definitions. DoDI 8582.01, published on December 9, 2019, points to FAR
clause 52.204-21 and DFARS clause 252.204-7012, both of which preceded
it, to address the safeguarding requirements for FCI and CUI. CMMC
builds from those requirements by requiring that defense contractors
and subcontractors provide assurance, either with Self-Assessments,
Third-Party Assessments, or Level 3 Assessments, as required, that they
have implemented the required information protection requirements.
8. Small Business/Entities
a. Assistance/Support for Small Business
Comment: Several commenters suggested that in order to successfully
implement cybersecurity requirements, contractors require support from
the Department. One commenter suggested DoD should perform an analysis
of each requirement and ensure that necessary support structures are in
place and fully functioning prior to implementing this rule, and that
access to tech support/solutions should be provided. Multiple
commenters suggested that more support and guidance is needed for small
businesses trying to comply with CMMC. One commenter suggested that DoD
should relax affiliation rules (in conjunction with the Small Business
Association (SBA)) to allow small companies to work together to meet
CMMC requirements while spreading the cost over a larger base and
expand mentor-protégé agreements for larger businesses to
help smaller companies with CMMC appraisals.
One commenter expressed concern for non-traditional, innovative
companies that are coming in through the Small Business Innovation
Research (SBIR) and Small Business Technology Transfer (STTR) process
and asked what DoD is doing to help them become compliant. Another
noted that if CMMC Level 1 will be the minimum requirement for SBIRs
and STTRs, regardless of whether they include FCI, it may significantly
limit the number of universities that can partner with small businesses
under these awards.
Response: DoD's Office of Small Business and Technology
Partnerships (OSBTP) is working to provide SBIR/STTR programs with
support for CMMC implementation through the use of Technical and
Business Assistance. The SBA's affiliation rules are codified at 13 CFR
121.103, available at https://www.ecfr.gov/current/title-13/chapter-I/part-121. Any change to the SBA's affiliation rules is outside the
scope of this rulemaking.
The CMMC Program is designed to increase assurance that defense
contractors do, in fact, comply with information protection requirements
to adequately protect FCI and CUI. Additional information to assist
contractors regarding DoD's current information security protection
requirements may be found in Frequently Asked Questions (FAQs)
Regarding the Implementation of DFARS subpart 204.73, published at
https://DoDprocurementtoolbox.com/.
b. Impact of Cost
Comment: Multiple commenters commented on the cost impact of CMMC
to small businesses, suggesting that the cost to become and remain
compliant is too high. Several commenters added that small businesses
limited by finances won't be able to compete, which could be
detrimental to the supply chain and efforts to meet national defense
goals, and that the rule fails to provide any consideration for the
future loss of technology acquisition should small businesses be
inadvertently precluded from participation. Other commenters suggested
that the impact of CMMC will be a profound and significant obstacle to
businesses due to their lack of resources as compared to their large
business competitors, adding that the requirement to have the same
measures in place for any company, regardless of size, incurs a higher
percentage of indirect cost for small businesses. Multiple commenters
remarked on the limited or lack of options for a small business to
recover costs.
Response: The estimated costs attributed to this rule do not
include the costs associated with compliance with existing
cybersecurity requirements under FAR clause 52.204-21 or associated
with implementing NIST SP 800-171 requirements in accordance with DFARS
clause 252.204-7012, Safeguarding Covered Defense Information and Cyber
Incident Reporting. To the extent that defense contractors or
subcontractors have already been awarded DoD contracts or subcontracts
that include these clauses, and process, store, or transmit FCI or CUI
in support of the performance of those contracts, costs for
implementing those cybersecurity requirements should have already been
incurred and are not attributed to this rule. Those costs are distinct
from costs associated with undergoing a CMMC assessment to verify
implementation of those security requirements. The CMMC Program does
not levy additional information security protection requirements for
CMMC Levels 1 and 2. The value of DoD's sensitive information (and
impact of its loss to the Department) does not diminish when it moves
to contractors--prime or sub, large or small.
A Regulatory Flexibility Analysis was conducted. In comparison to
CMMC 1.0, DoD has now eliminated the requirement for organizations to
hire a third-party assessment organization to comply with CMMC Level 1.
The CMMC Program requirements further address cost concerns by
permitting self-assessment at Level 1 and at Level 2 for some contracts
that are not designated to require the added assurance of C3PAO
assessment.
In addition, resources available through the DoD Office of Small
Business Programs (OSBP) may help defray cybersecurity costs by helping
companies stay up to date with the latest cybersecurity policies and
best practices. The OSBP also partners with the NIST and its
Manufacturing Extension Partnership (MEP) programs (https://www.nist.gov/mep), which operate across the U.S. to provide resource
and funding assistance options.
The Department currently has no plans for separate reimbursement of
costs to acquire cybersecurity capabilities or a required cybersecurity
certification that may be incurred by an offeror on a DoD contract.
Costs may be recouped via competitively set prices, as companies see
fit.
c. Alternative Implementation
Comment: Multiple commenters requested that the government give
small businesses time for CMMC compliance post-contract award. One
commenter recommended that DoD consider only requiring government
assessment of NIST SP 800-171 compliance (vice private third party) for
small businesses, even at lower CMMC assessment levels, thus offsetting
a higher burden level to small businesses. Several commenters commented
on the need to include exemptions for small businesses that do not
possess CUI and have never been contracted by the government. One added
that DoD should identify portions of contracts which won't require CMMC
so that small businesses are afforded maximum practicable opportunity
regardless of their CMMC status.
Response: The DoD has determined that the assessment of the ability
of a prospective contractor to adequately protect FCI and CUI that will
be processed, stored, or transmitted on information systems during
contract performance is a requirement prior to award of any prime
contract or subcontract. Failure to assess a prospective contractor's
ability to comply with applicable information security protection
requirements, such as NIST SP 800-171 Rev 2, risks significant
performance delays if information cannot be shared immediately at
contract award due to lack of compliance. As applicable, the awardee
must be capable of processing, storing, and transmitting FCI and CUI at
the start of the performance period, regardless of the business size of
the awardee. The CMMC Program has simplified requirements for Level 1
and 2 assessments in some contracts. Specifically, although contractors
must still implement and maintain the security requirements set forth
in FAR 52.204-21 to protect FCI and set forth in the NIST SP 800-171
Rev 2 to protect CUI, the requirement to hire a third-party assessment
organization for CMMC Level 1 was eliminated, and for some contracts,
contractors may be permitted to self-assess compliance with CMMC Level
2. Annual affirmations are also required for CMMC Level 1 and 2.
Prospective contractors must make a business decision regarding the
type of DoD business they wish to pursue and understand the
implications for doing so. If an offeror or current DoD contractor or
subcontractor has self-assessed then later decides to pursue a contract
or subcontract requiring a certification at CMMC Level 2 or 3, it will
need to factor in the time and investment necessary to hire a
third-party assessment organization and achieve certification as a condition
of contract award.
Public comments received illustrate that some small businesses may
be unaware of how to propose cybersecurity-related costs for cost-type
contracts. This rule does not change existing contract cost principles
or procedures. For firm-fixed priced efforts, market supply and demand
dictates profitability and bid prices, and underlying costs are not
itemized.
9. Disputes Regarding CMMC Assessments
Comment: Multiple commenters asked about the CMMC assessment
dispute resolution process, with regard to which standards would be
followed, how much time would be available to appeal findings, the
types of complaints that could be raised, any limits to the costs or
schedule required for dispute resolution, and roles and
responsibilities of the DoD, C3PAOs, and the Accreditation Body.
Commenters also wanted to know whether a tiered recourse process would
be available to resolve contractor objections to the initial
resolution. Two commenters expressed concerns regarding potential
impacts of C3PAO assessment errors. Two commenters requested
clarification regarding whether the CMMC Level required by the DoD or a
prime contractor could be contested.
Response: The CMMC assessment appeal process (formerly referred to
as dispute resolution) described in the DFARS Case 2019-D041
Supplementary Information has changed and is described in Sec.
170.9(b)(20) and Sec. 170.8(b)(16). The appeals process is derived
from and consistent with ISO/IEC 17020:2012 and ISO/IEC 17011:2017.
Each C3PAO is required to have a time-bound, internal appeals process
to address disputes related to perceived assessor errors, malfeasance,
and unethical conduct. Requests for appeals will be reviewed and
approved by individual(s) within the C3PAO not involved in the original
assessment activities in question. OSCs can request a copy of the
process from their C3PAO. If a dispute regarding assessment findings
cannot be resolved by the C3PAO, it will be escalated to the
Accreditation Body. The decision by the Accreditation Body will be
final.
A request for an appeal about an assessor's professional conduct
that is not resolved with the C3PAO will be escalated and resolved by
the Accreditation Body.
The issue of C3PAO liability is between an OSC and the C3PAO with
which it contracts to do the assessment.
Any questions about the CMMC Level required by the solicitation
should be directed to the contracting officer for the affected
contractor.
10. Acceptance of Alternate Standards
a. NIST SP 800-171 Rev 2 DoD Assessments and CMMC Assessments
Comment: Multiple commenters asked for clarification on reciprocity
between NIST SP 800-171 Rev 2 DoD Assessments and CMMC assessments.
Response: As stated in Sec. 170.20(a), DoD intends to allow
qualified standards acceptance of High confidence assessment using NIST
SP 800-171 Rev 2 for CMMC Level 2. However, the CMMC Program
requirements proposed in this rule will be implemented in the DFARS, as
needed, which may result in changes to current DoD solicitation
provisions and contract clauses relating to cybersecurity assessments.
b. Cloud Standards
Comment: Many commenters expressed concerns regarding CMMC
recognition of Federal Risk and Authorization Management Program
(FedRAMP) and requested guidance on which FedRAMP baselines, if any,
would be granted standards acceptance at each CMMC Level. A few
commenters sought assurance that DoD Cloud Computing Security
Requirements Guide (SRG) Impact Levels 4 and 5 would not be applied to
CMMC Level 3.
Response: CMMC does not offer comprehensive acceptance of FedRAMP.
The CMMC Program allows the acceptance of FedRAMP environments in some
cases to meet CMMC requirements in connection with use of a Cloud
Service Provider (CSP). If an OSC uses an external CSP to process,
store, or transmit CUI or to provide security protection for any such
component, the OSC must ensure the CSP's product or service offering
either (1) is authorized as FedRAMP Moderate or High on the FedRAMP
Marketplace; or (2) meets the security requirements equivalent to those
established by the Department for the FedRAMP Moderate or High
baseline. The CSP will provide evidence that its product or service
offering meets the security requirements equivalent to FedRAMP Moderate
or High by providing a body of evidence (BOE) that attests to and
describes how the CSP's product or service offering meets the FedRAMP
baseline security requirements. Note that for any portion of the
on-premises (internal) network
that interacts with the cloud service offering and is within the CMMC
Assessment Scope, the OSC is required to meet all applicable CMMC
requirements to achieve certification.
The DoD Cloud Computing SRG applies to DoD-provided cloud services
and those provided by a contractor on behalf of the department, i.e., a
commercial cloud service provider or integrator. The Cloud Computing SRG
does not apply to CMMC.
c. Other Standards
Comment: Numerous commenters asked whether CMMC could leverage the
results of other assessments, such as ISO/IEC 27001/27002, NIST SP
800-53, NIST SP 800-172, HITRUST, DoE Cybersecurity Capability Maturity
Model, NIAP Common Criteria Testing Laboratory Services (CCEVS),
Committee on National Security Systems (CNSS) Instruction No. 12533
(CNSSI 12533), ISA/IEC-62443, DoD's Security Technical Implementation
Guides (STIG), NIST Cyber Security Framework (CSF), NIST Risk
Management Framework (RMF), the American Institute of CPAs Service and
Organizational Controls, Service and Organization Controls (SOC) Trust
Services Criteria (SOC 2), ISA/IEC-62443, ITAR, Criminal Justice
Information Services (CJIS) security standards, and non-ISO/IEC
standards used by foreign partners such as the Australian Cybersecurity
Centre Essential Eight Maturity Model.
Response: The CMMC Program standards acceptance is defined in Sec.
170.20 of this rule.
11. CMMC Assessment Scope
Comment: Multiple commenters requested details on assessment
boundaries and what systems are in-scope for a CMMC assessment.
Questions included how assessment boundaries are defined, how networks
composed of federal components (including systems operated on behalf of
the government) and non-federal components are addressed, how
centralized security services are treated, and how ``enduring
exceptions'' are handled.
Response: Sec. 170.19 states that prior to a CMMC assessment, the
OSA must define the CMMC Assessment Scope for the assessment,
representing the boundary with which the CMMC assessment will be
associated. This section includes detailed guidance on how to define
the CMMC Assessment Scope, how different categories of equipment are
defined to be in- or out-of-scope for an assessment, how the security
of specialized equipment is expected to be managed, External Service
Providers considerations, and the incorporation of people, technology,
and facilities into the boundary.
GFE, IoT, OT, and, as defined, Restricted Information Systems and
Test Equipment are categorized as ``Specialized Assets'' in Sec.
170.19. NIST SP 800-171 Rev 2 uses the term ``enduring exceptions'' to
describe how to handle exceptions for Specialized Assets.
12. Applicability of Multiple CMMC Levels
Comment: Two commenters sought confirmation that it is acceptable
for contractors with multiple business segments to have one or more
CMMC assessments (e.g., one segment at Level 1, another at Level 2).
Commenters also wanted to know if systems within the scope of an
assessment require multiple assessments if the systems are used to
support tasks under multiple contracts. Another asked, if a company has
multiple Commercial and Government Entity (CAGE) codes, whether a
single assessment can cover all CAGE codes.
Response: Yes, it is possible to have different business segments
or different enclaves assessed or certified at different CMMC Levels. A
CMMC assessment can be restricted to a particular segment or enclave
based on the defined CMMC Assessment Scope, and an OSA can define
multiple CMMC Assessment Scopes. Thus, a business segment that only
supports Level 1 (FCI) efforts can identify a boundary that is assessed
against Level 1 requirements, and another segment that supports Level 2
(CUI) efforts can identify a different boundary that is assessed
against Level 2. Offerors will be required to attain CMMC
certification, when applicable, at or above the level required by the
solicitation, by the time of award (or option period exercise) and must
maintain their CMMC status throughout the life of the contract, task
order, or delivery order.
13. CMMC Implementation Timeline and Pilot Program
a. CMMC Schedule
Comment: There were many comments requesting clarification or
justification regarding the general roll-out schedule for DFARS clause
252.204-7021. Some commenters requested program acceleration and others
advocated for delays. Two commenters were confused by statements in the
Federal Register Notice that the timeline for implementation across the
DoD contractor population would be seven years, but that all contracts
would include the CMMC clause in five years, at the end of the roll-
out.
Response: The DoD is phasing in the CMMC Program and intends to
introduce CMMC requirements in
solicitations over a three-year period to provide appropriate ramp-up
time. The Department anticipates it will take two years for companies
with existing contracts to become CMMC certified.
In response to public comment, assessment requirements in CMMC have
been simplified to three tiers, and DoD is developing policy to guide
Program Managers through a time-phased introduction of CMMC
requirements. From the effective date of the DFARS rule that will
implement CMMC requirements, DoD will include CMMC self-assessment
requirements in solicitations when warranted by the FCI and CUI
categories associated with the planned effort. A similar requirement
for CUI has been in place since publication of the September 2020 rule
that implemented DFARS provision 252.204-7019, which requires offerors
to submit NIST SP 800-171 Rev 2 self-assessment results in the SPRS as
a condition of award. DoD intends to include CMMC requirements for
Levels 1, 2, and 3 in all solicitations issued on or after October 1,
2026, when warranted by any FCI or CUI information protection
requirements for the contract effort. In the intervening period, DoD
Program Managers will have discretion to include CMMC requirements in
accordance with DoD policies.
b. CMMC Pilot Program
Comment: Multiple commenters wanted more information about the
roll-out of the CMMC pilot program, including transparency about which
acquisition programs are being considered for inclusion prior to the
release of a solicitation. Commenters requested details on the
``provisional period,'' whether there would be a break between the
pilot program and the official launch of the CMMC Program, whether
there would be an assessment on the effectiveness of the pilot, and if
lessons learned from the pilot would be shared across the community.
Response: CMMC 1.0 did include a CMMC Pilot program; however, CMMC
2.0 does not include pilots. Instead, upon the effective date of the
associated CMMC DFARS rule, the Department intends to begin including
CMMC self-assessment requirements when applicable, for protection of
FCI and CUI.
[[Page 89072]]
c. Communicating CMMC Requirements
Comment: Two commenters requested that, during the phased rollout
of CMMC, defense contractors be forewarned of DoD plans to include a
CMMC requirement in an upcoming solicitation. They asked for
transparency with respect to which contracts were being considered for
CMMC requirements.
Response: Offerors and contractors will be informed of CMMC
requirements in solicitations through (1) the specification of a
required CMMC Level, and (2) inclusion of the appropriate DFARS
provisions or clauses. There is no plan to advertise a list of
solicitations that will or may include CMMC requirements. The
implementation plan described in Sec. 170.3(e) addresses phase-in of
CMMC requirements.
d. Market Capacity for Assessments
Comment: Multiple commenters wanted details about assessor
availability and were concerned that a lack of assessors would impact
the schedule for including CMMC requirements in solicitations and
contractor planning to attain CMMC certification to meet those
requirements.
Response: The phased implementation plan described in Sec.
170.3(e) is intended to address ramp-up issues, provide time to train
the necessary number of assessors, and allow companies the time needed
to understand and implement CMMC requirements. An extension of the
implementation period or other solutions may be considered in the
future to mitigate any C3PAO capacity issues, but the Department has no
such plans at this time. If changes to the implementation plan occur,
DoD policies that govern requirements definition in the acquisition
process will be modified.
e. Certification Sustainment During Validity Period
Comment: Three commenters asked about sustainment of CMMC
certification during the three-year certificate validity period. They
wanted to know how sustainment will be monitored and whether
demonstrating continuous monitoring capabilities would be considered in
lieu of a strict three-year recertification period. There were also
questions about what the criteria or triggers would be that would lead
to a loss of accreditation during this period, including what happens
when a company with a certification is acquired by another company, and
whether contractors are required to notify the DoD if systems fall out
of compliance with CMMC requirements.
Response: The validity period is one (1) year for CMMC Level 1 and
three (3) years for CMMC Levels 2 and 3. Contractors must continue to
meet CMMC requirements during the period of performance of the
contract. Under CMMC, contractors must submit affirmations into SPRS
for each assessment, attesting that they have met the CMMC requirements
and will maintain the applicable information systems at the required
CMMC level as specified in Sec. 170.22. Monitoring contractor
compliance with the terms of the contract is the responsibility of the
contractor, together with the government contracting officer. DoD is not
utilizing a continuous monitoring capability in lieu of compliance
requirements. DoD understands that information systems operating in a
CMMC Assessment Scope will require upgrades and maintenance. For
systems certified at CMMC Level 2 or above, a plan for addressing
deficiencies is defined in Sec. 170.21.
It is possible for an organization to need a new assessment during
the validity period. CMMC self-assessments and certifications are valid
for a defined CMMC Assessment Scope. If the CMMC Assessment Scope
changes due to infrastructure modifications or expansion of the CMMC
Assessment Scope due to new acquisition, a new assessment may be
required. The original CMMC certification remains valid for the
original CMMC Assessment Scope. The information system(s) in the new
CMMC Assessment Scope may not be used to process, store, or transmit
CUI for any contract until it is validated via a new CMMC assessment.
The same applies to the annual affirmations. During the annual
affirmation process, a senior organization official affirms that the
organization is satisfying and will maintain the requirements of the
specified CMMC level (e.g., CMMC Level 2 Self-Assessment). The
affirmation applies to the CMMC Assessment Scope. At the time of a new
self-assessment or certification, a new affirmation is submitted into
SPRS affirming that the organization meets the CMMC requirements and
will maintain the applicable information system (within the CMMC
Assessment Scope) at the required CMMC level. For CMMC Levels 2 and 3,
an affirmation is required to be submitted in SPRS annually for the
duration of the triennial validity period and at the conclusion of any
POA&M closeout assessments. Affirmation requirements are set forth in
Sec. 170.22.
14. CMMC Assessment Timeline
Comment: Several comments requested details about CMMC assessment
timelines, including how long an assessment would take, how long after
an assessment was completed would the assessment report be ready, and
when SPRS content would be updated. One commenter wanted to know how
soon after a failed assessment a subsequent assessment could be
scheduled. One commenter wanted details about the remediation period.
Response: The actual length of time it takes for an OSA to prepare
for an assessment, and for assessors to conduct it and prepare the
assessment report, depends on many factors, including the number of systems and
networks in the CMMC Assessment Scope, the level of assessment being
conducted, staff preparedness for assessor questions, and the number of
assessors conducting the assessment.
For CMMC assessments, C3PAOs will upload the results of the
assessment and the signed CMMC certificate into the CMMC instantiation
of eMASS. Certification is automatically posted to SPRS. There is no
minimum time to wait after a failed assessment before scheduling
another assessment.
A NOT MET requirement may be re-evaluated during the course of the
assessment and for 10 business days following the active assessment
period under certain conditions, as set forth in Sec. 170.17(c)(2) and
Sec. 170.18(c)(2). A Level 2 or Level 3 conditional assessment and
associated POA&M must be closed out within 180 days.
15. Assessment Delays and Award Impact
Comment: Several commenters expressed concerns about the impact
that delays in the assessment process would have on contract award. For
example, if an assessment is held up, by no fault of the contractor,
such that the results will not be available until after the award date,
will the contractor be ineligible to receive the award or is there a
process for delaying the award? Would the answer be the same for a
reassessment of a contractor whose three-year assessment or certificate
is expiring? On a related issue, one comment asked about the timing of
reassessment/recertification and whether work on an existing contract
can continue after an assessment/certificate has expired if the
reassessment is scheduled but delayed.
Response: The CMMC Program rule does not provide mitigations for
assessment delays that may impact timeliness of certification or
recertification with regard to the closing date of a particular
solicitation. Offerors will be required to attain CMMC certification,
when applicable, at or
[[Page 89073]]
above the level in the solicitation, by the time of award (or option
period exercise) and must maintain their CMMC status throughout the
life of the contract, task order, or delivery order. The three-year
validity period should provide adequate time to prepare for and
schedule subsequent assessments for certification. Timelines for
meeting CMMC requirements for Level 1 or 2 self-assessment are within
the control of the contractor.
16. Defense Contractor and Subcontractor Engagement
Comment: Several commenters suggested that defense contractors and
subcontractors should be more engaged in the formulation of the rule
and better informed in how the rule will be applied. They indicated
that guidance is unclear, ad hoc, and inconsistent, and requested an
authoritative source of information, such as FAQs, that are kept up to
date and provide reliable responses to questions. They also expressed a
desire for more transparency in how ambiguities are being resolved in
early assessments.
Response: In September 2019, the CMMC PMO released the first draft
publication of the CMMC Model v 0.4. The CMMC PMO received over 2,000
comments from individuals and industry associations. These comments
informed changes included in CMMC Model 1.0 released in January 2020.
In addition, DFARS Case 2019-D041 generated over 750 additional public
comments that informed changes to the rule text and influenced the
transition to CMMC 2.0. The Office of the Under Secretary of Defense
for Acquisition and Sustainment (OUSD(A&S)) held over 100 industry
listening sessions in 2020 and 2021, and engaged with the DIB through
briefings and discussions with defense industry trade associations,
academia, and government-based organizations with industry members
(e.g., National Industrial Security Program Policy Advisory Committee).
Many sessions were recorded and shared with the public on the internet
in social media, news releases, and the CMMC PMO website (https://DoDcio.defense.gov/CMMC/), which was completely updated in 2021 and
contains new information and FAQs, and allows the public direct contact
with the CMMC PMO. As always, FAQs are to clarify content only, and do
not interpret, define, or otherwise change the meaning of the
regulatory text. The CMMC PMO continues to communicate with defense
contractors and subcontractors, to include small businesses, and other
members of the public.
The official website of the DoD CMMC Program is https://DoDcio.defense.gov/CMMC/. This website contains links to CMMC documents
including, but not limited to, the CMMC Model Overview, CMMC Scoping
Guidance (by level), CMMC Level 1 Self-Assessment Guide, CMMC Level 2
Assessment Guide, and the CMMC Glossary.
17. C3PAO Consistency
Comment: One commenter expressed concerns that C3PAOs would not
conduct CMMC assessments in a uniform manner, leading to inconsistent
results.
Response: C3PAOs use only certified CMMC assessors to perform CMMC
assessments. To ensure assessments are conducted in a uniform manner,
assessors are trained by certified instructors and required to pass
CMMC assessor tests before becoming certified. The accredited CAICO
manages and oversees the training, testing, authorizing, and certifying
of candidate assessors and instructors. A CAICO must meet the DoD
requirements set forth in Sec. 170.10 and achieve compliance with ISO/
IEC 17024:2012, Conformity Assessment--General Requirements for Bodies
Operating Certification of Persons Conformity Assessment.
18. CMMC Cost Impacts
a. CMMC Cost Assumptions and Estimates
Comment: Several commenters questioned or refuted the cost
estimates and/or the assumptions and mathematical approach upon which
the cost estimates were based. Several commenters requested
clarification around the cited difference in both cost and hours
between the CMMC certification process and the DoD Assessment process,
the accounting for completion of NIST SP 800-171 Rev 2 requirements,
and cost distinction between enterprise and enclave assessments. Two
commenters stated that the estimated number of subcontractors was low,
and one commenter suggested that the $5 million threshold for small
businesses excluded a large number of small businesses from the
calculations. One commenter asked whether duplication of assessments
was considered for small businesses who support many prime contractors.
Additional commenters believed costs were absent from the calculations,
to include the cost of completing POA&M, management costs for small
companies to achieve maturity, and costs for international suppliers. A
number of comments requested additional estimates based on adjustments
to labor rates for benefits and taxes, each of the assessment levels,
and small, medium, and large companies. One commenter asked for
clarification on the calculations used to estimate public savings. One
commenter questioned why North American Industry Classification System
(NAICS) code 54715 pertaining to sensitive CUI was not included in the
calculations.
Response: The cost estimates and assumptions referenced by the
commenters pertain to CMMC 1.0 and are not reflective of the changes in
CMMC, though public comment feedback has been incorporated into the
cost estimation process for the CMMC Program where appropriate. The
Department limited estimates for CMMC to those costs associated with
preparing for, attaining, and publishing results of: (a) CMMC
compliance via self-assessment for CMMC Levels 1 and 2, and (b)
certification at CMMC Level 2 through a C3PAO and Level 3 through the
DoD. Costs for companies to implement information security protections
to comply with the existing FAR subpart 4.19 to achieve CMMC Level 1,
and DFARS subpart 204.73 to achieve CMMC Level 2, are distinct from
costs associated with CMMC assessment processes to verify and attest to
the corresponding implementation of existing rules. Cost estimates were
developed for companies to implement security requirements for CMMC
Level 3. CMMC Level 3 security requirements are defined in table 1 to
Sec. 170.14(c)(4) CMMC Level 3 Requirements. For the vast majority of
the DIB, CMMC does not levy additional information security protection
requirements but is designed to provide increased assurance that
defense contractors are contract compliant and can adequately protect
FCI and CUI at a level commensurate with risk, accounting for
information flow down to its subcontractors in a multi-tier supply
chain. There is no recognized duplication of assessments for small
companies that support many primes, because once assessed, an
organization need only provide evidence of compliance or certification
to prospective primes in order to satisfy the CMMC requirement in a
solicitation. When information system or network boundaries differ, an
additional assessment may apply.
b. CMMC Cost Burden
Comment: Several commenters suggested that costs were
underestimated, particularly for small businesses who were perceived to
be at risk of decreased participation in the
[[Page 89074]]
marketplace due to the cost prohibitive nature of the CMMC requirement.
Multiple commenters requested additional strategies to mitigate costs,
including the promotion of new technologies.
Response: CMMC Levels 1 and 2, which represent the majority of the
anticipated requirements, do not levy any additional information
security protection requirements. To address assessment cost concerns,
CMMC eliminates the third-party assessment requirement at CMMC Level 1
and permits self-assessment for certain contracts containing a CMMC
Level 2 requirement. The DoD Office of Small Business Programs,
available at https://business.defense.gov/, has informational resources
that may help defray cybersecurity implementation costs by helping
organizations stay up-to-date with the latest cybersecurity compliance
and policy best practices.
c. CMMC Cost Effectiveness and Alternatives
Comment: Two commenters requested that the DoD measure the impact
of implementing the additional security requirements. One commenter
suggested an alternative strategy to protect CUI when generated.
Response: CMMC does not require implementation of any additional
security protection requirements beyond those identified in current FAR
clause 52.204-21 and in NIST SP 800-171 Rev 2 for CMMC Level 1 and
Level 2, respectively. CMMC Level 3 requirements are new and based upon
NIST SP 800-172.
19. CMMC Model
a. CMMC Level Requirement Selection
Comment: Multiple commenters requested clarification about who
selects the CMMC Level that is specified in a solicitation and the
criteria used. Commenters also wanted to know if the contractor's CMMC
Level flows down directly to subcontracts and if so, whether that level
carries down to lower tier subcontracts. Numerous questions asked if
the government or a contractor is responsible for determining the
appropriate CMMC Level to include in a subcontract and, if it is the
contractor's responsibility, what criteria are used to identify the
appropriate level to flow down. To that end, commenters requested
guidance for identifying CUI and information sensitivity. One commenter
asked for clarification on whether different CMMC Level requirements
could be identified within a single Statement of Work (SOW).
Response: The solicitation will specify the required CMMC Level,
and the level itself will be identified by the requiring activity. The
requiring activity knows the type and sensitivity of information that
will be shared with or developed by the awarded contractor and selects
the CMMC Level required to protect the information according to DoD
guidance. Contractors must have achieved this level, or higher, to be
awarded the resultant contract. For subcontracts, the prime contractor
will identify for its subcontractor the required CMMC Level in
accordance with Sec. 170.23 if it is not already defined in the
solicitation. If a prime contractor is uncertain about the appropriate
CMMC Level to assign when creating a subcontract solicitation, it
should consult with the government program office to determine what
type of certification or assessment will be required given the
information that will flow down. Policies for identification and clear
marking of CUI materials are provided in CUI program materials and 32
CFR part 2002, when applicable. A solicitation may contain requirements
for multiple CMMC Levels if, in support of the contract, different
enclaves are expected to process, store, or transmit information that
needs different levels of security.
b. Model Standard, CMMC Levels, and Model Updates
Comment: One commenter stated that the CMMC Model is not a
configuration-controlled standard managed by a recognized standards
body.
Response: This rule codifies the CMMC Program, elements of which
are reflected in the CMMC Model. All CMMC Model requirements are
derived from FAR 52.204-21, NIST SP 800-171 Rev 2, and NIST SP 800-172,
which are configuration-controlled guidelines managed by NIST. As a
result of the alignment of CMMC to NIST guidelines, the Department's
requirements will continue to evolve as changes are made to the
underlying NIST SP 800-171 Rev 2 and NIST SP 800-172 security
requirements. Additional rulemaking may be necessary in the future to
conform CMMC requirements described in this rule to any changes to the
underlying information protection requirements defined in the
foundational NIST guidelines.
Comment: Many comments were received requesting changes to CMMC
Model 1.0. Several commenters requested changes to CMMC Level
requirements and others had questions about the content and handling of
CMMC Model updates. A few commenters made suggestions for restricting
the current implementation, such as using only NIST SP 800-171 Rev 2
for the CMMC 1.0 implementation of Level 1-3 requirements and
supplementing with additional requirements only in Levels 4 and 5.
Similar comments recommended using NIST SP 800-171 Rev 2 for the
initial CMMC rollout and later expanding to include additional CMMC
requirements. A number of comments questioned the purpose and use of
the CMMC 1.0 implementation of CMMC Level 2. Other comments requested
information on updating CMMC requirements as new technology and threats
emerge and new versions of NIST SP 800-171 Rev 2 and NIST SP 800-53 are
released. Multiple comments were received on CMMC 1.0 Levels 4 and 5.
Several commenters believed there to be a significant disconnect
between NIST SP 800-171B/172 and CMMC 1.0 Levels 4 and 5, and issues
with implementation of these levels. Many comments requested that
Levels 4 and 5 be updated to allow for flexibility in implementation
rather than require all the requirements as written. Reasons cited for
allowing flexibility include reducing cost and assessment complexity as
well as allowing for the ability to adapt based on architectural
environments and dynamic threat models.
Response: Changes were made in this rule to requirements in the
former CMMC model based in part upon receipt of informal public
comment. The CMMC Model was streamlined to three tiers, which align to
the protection requirements set forth in FAR 52.204-21, NIST SP 800-171
Rev 2, and NIST SP 800-172, and all CMMC-unique requirements and
process maturity elements have been removed.
The CMMC Model and program requirements will be evaluated as new
technology and threats emerge and revised as appropriate.
Comment: One comment included a request to identify instances where
contractors would be better off using a classified environment, rather
than CMMC version 1.0 Level 4 or 5, to protect the information.
Response: The CMMC Program is designed to enforce protection of
unclassified information, to include FCI and CUI, not intended for
public release that is shared by the Department with its contractors
and subcontractors. The program provides the Department increased
assurance that contractors and subcontractors are meeting the
cybersecurity requirements that apply to acquisition programs and
systems that process federal contract information and controlled
unclassified information.
[[Page 89075]]
Any discussion regarding the use of classified networks is outside of
the scope of the CMMC Program.
20. CMMC Requirements
Comment: There were multiple comments suggesting additions,
deletions, or changes to model requirements. One commenter noted
multiple instances of CMMC requirements with the term `information
system' rather than `system' used in NIST SP 800-171 Rev 2, asking if
CMMC meant to change the intent by inserting `information' in these
requirements. Multiple commenters questioned the intent, clarity, or
interpretation of several CMMC requirements/NIST SP 800-171 Rev 2
requirements, recommending clarification regarding vulnerability
management, protection of mobile devices, review of audit logs,
disabling of identifiers, FIPS validated encryption, and malicious code
scans. One comment suggested that CMMC 1.0 requirements RM.2.141 and
RM.3.144 are redundant and recommended incorporating RM 3.146 into
CA.2.159, justifying that a plan of action is essentially a risk
management plan. Two commenters noted that two CMMC 1.0 requirements
(RE.2.137 and RE.3.139) are unclear as they do not specify what data
requires backup, or the meaning of resilient backup. One commenter said
that CMMC 1.0 requirement MA.2.114 removed the qualifier of
``maintenance'' when describing personnel requiring supervision of
maintenance activities, asking if this is an insignificant change to
the NIST SP 800-171 Rev 2 security requirement, or whether there is
some rationale or message that the CMMC specification is trying to
adjust by deviating from the NIST SP 800-171 Rev 2. Two commenters
stated that CMMC 1.0 requirement MP.1.1.18 requires only FCI be
sanitized, but, for CMMC 1.0 Level 3 (CMMC Level 2 under CMMC 2.0)
assessments, there is no requirement to sanitize CUI. One commenter
wanted to know which CMMC requirement requires a medium assurance
certificate for reporting cyber incidents.
Response: In CMMC 1.0, there was no intent to change the meaning of
NIST requirements except those referenced as ``modified.'' These minor
discrepancies are now resolved as all FCI requirements use the exact
FAR language and all CUI requirements use the exact language from the
relevant NIST guidelines. The requirements in CMMC Level 3 are derived
from NIST SP 800-172 with DoD-approved parameters. Commenters
requesting revisions to NIST guidelines should respond to the NIST
public comment periods. There is no CMMC-specific cyber incident
reporting requirement or need for associated medium assurance
certificate.
Comment: Several comments sought clarification on the alignment and
relative authority or precedence of the CMMC requirements to Federal,
Legislative, Statutory, Regulatory, or DoD Organizational policy, DoD
instructions, and FAQs.
Response: The CMMC Program requirements will be required once
implemented in the DFARS and will have the same relative authority as
any other DoD contract requirement. The CMMC Program relates to and
incorporates elements of the following authorities: Executive Order No.
13556, Controlled Unclassified Information, 75 FR 68675 (November 4,
2010), which establishes ``an open and uniform program for managing
[unclassified] information that requires safeguarding or dissemination
controls;'' 32 CFR part 2002, which describes the executive branch's
Controlled Unclassified Information Program and establishes policy for
designating, handling, safeguarding, and decontrolling information that
qualifies as CUI when processed, stored, or transmitted on a federal or
non-federal information system; FAR clause 52.204-21, Basic
Safeguarding of Covered Contractor Information Systems, which, as
applicable, requires contractors to apply certain basic safeguarding
procedures on covered contractor information systems that process,
store, or transmit FCI; and DFARS clause 252.204-7012, Safeguarding
Covered Defense Information and Cyber Incident Reporting, which, as
applicable, requires defense contractors to implement NIST SP 800-171
Rev 2 requirements on unclassified covered contractor information
systems that process, store, or transmit covered defense information.
Additional DoD instructions and manuals address DoD information
security policy, including DoDI 5200.48, CUI, which establishes policy,
assigns responsibilities, and prescribes procedures for CUI throughout
the DoD for federal and non-federal information systems, to include
the implementation of NIST SP 800-171 Rev 2. A requirement for CMMC
assessments provides DoD assurance that contractors have implemented
required cybersecurity protections. The requirements of this rule will
be implemented in an associated 48 CFR acquisition rule regarding CMMC.
21. CMMC Assessment
Comment: Multiple commenters pointed out that the rule does not
specify an authoritative source for obtaining a CMMC certificate,
leaving the pedigree of certificates in question. Two comments inquired
about the security of record [data] collection and retention and
whether the assessors' platforms would need to be CMMC Level 3
compliant to protect sensitive data used for the assessment/
certification process.
Response: The processes for achieving compliance with a CMMC level
are described in Sec. 170.15 through Sec. 170.18. CMMC Level 2
Certification Assessments are conducted by C3PAOs authorized by the
CMMC Accreditation Body. C3PAOs grant CMMC Level 2 certificates of
assessment. The DoD conducts CMMC Level 3 Certification Assessments and
grants Level 3 certificates of assessment. A C3PAO's IT infrastructure
must achieve at least a CMMC Level 2 Certification Assessment.
Certified CMMC Assessors working at their place of business or from
home must use their C3PAO's IT infrastructure. Assessment data and
results are securely uploaded by the C3PAO into the CMMC instantiation
of eMASS. The CMMC instantiation of eMASS automatically feeds
compliance data into SPRS. Both eMASS and SPRS are Department owned and
operated systems.
Comment: A few commenters requested resources for understanding
CMMC requirements. There were also many comments related to the
purpose, status, schedule, or content of the CMMC Assessment Guides.
Additional comments requested clarification on the evaluation criteria
and evidence described in the current Assessment Guides.
Response: CMMC Assessment Guides are optional resources to aid in
understanding CMMC requirements and are largely derived from NIST
documentation, to include NIST SP 800-171 Rev 2 and NIST SP 800-172.
The CMMC assessment process is defined in Sec. 170.15 through Sec.
170.18, and the CMMC Scoring Methodology is defined in Sec. 170.24.
The evaluation criteria (i.e., assessment procedures) and evidence
(i.e., potential assessment methods and objects) required are taken
directly from the NIST documentation, and revisions to NIST
documentation are outside the scope of this rule. The CMMC Assessment
Guides provide supplementary information, further discussion, examples,
and references for assessors and contractors preparing for assessments.
The guides do not identify specific solutions or baselines. These
documents are available at:
https://DoDcio.defense.gov/CMMC/. Updated CMMC Assessment Guides and
associated CMMC documents were posted on the OUSD(A&S) CMMC website
after the public comment period for DFARS Case 2019-D041 closed on
November 30, 2020. These documents reflected changes based on review of
public comments. Future updates to CMMC guidance documentation will be
made as needed.
Comment: One comment suggested that audit standards be determined
for CMMC assessments. Two comments asked for clarification regarding
references provided in the model, whether all references must be
reviewed, and if the requirements within the references must also be
achieved.
Response: The Department has reviewed definitions of audit and
assessments and determined ``assessment'' best meets the goals of the
CMMC Program. The cybersecurity standard requirements for the different
CMMC Levels are set forth in Sec. 170.14 and clarify references for
the security requirements.
Comment: Many commenters were concerned about the lack of waivers
or POA&Ms. Several commenters commented that not allowing waivers is
impractical and will impact the ability of businesses to qualify for
contract award. Commenters asked for clarification on the differences
between POA&Ms, which are not allowed by CMMC, and the plans of action
required by the CMMC Level 3 control (now CMMC Level 2 under CMMC 2.0),
CA.2.159 (now CA.L2-3.12.2 under CMMC 2.0). Many noted that POA&Ms are
necessary when managing activities like system upgrades, vendor
changes, and company acquisitions to avoid temporarily falling out of
compliance.
Response: Under certain circumstances, the CMMC Program does permit
contract award to organizations that have an approved and time limited
POA&M. See Sec. 170.21 for additional information on POA&Ms. There is
no process for organizations to request waiver of CMMC solicitation
requirements. DoD internal policies, procedures, and approval
requirements will govern the process for DoD to waive inclusion of the
CMMC requirement in the solicitation.
22. The Accreditation Body and C3PAOs
Comment: Many commenters had questions and concerns about the
management of the Accreditation Body and C3PAOs. A few commenters
suggested using a government entity instead of the Accreditation Body
construct to manage assessments. Commenters asked about the governance,
resourcing, and oversight of the Accreditation Body with respect to
CMMC training and assessments. Commenters expressed concerns such as
who would make final decisions about CMMC issues, the lack of clearly
defined roles and responsibilities for CMMC governance, and the long-
term effectiveness of the Accreditation Body staffed by an all-
volunteer workforce. One comment asked how the Accreditation Body can
legally license training when CMMC Program information is available for
free.
Response: The decision to use a non-governmental Accreditation Body
was made because the DoD determined that there was insufficient
capacity within the DoD to manage assessor training and assessments for
all defense contractors who need to comply with CUI protection
policies. The DoD CMMC PMO provides oversight of the Accreditation Body
and is also responsible for developing, updating, maintaining, and
publishing the CMMC Model, CMMC Assessment Guides, and policies for
implementation of the CMMC Program.
Roles and responsibilities of the CMMC PMO, the Accreditation Body,
and its organizations are described in SUBPART C of this rule. The
Accreditation Body accredits C3PAOs and the CAICO. The Accreditation
Body authorizes the CAICO to certify CMMC assessors and instructors and
the C3PAOs to conduct assessments using CAICO-certified assessors.
Comment: Many commenters expressed concerns about how to ensure the
necessary independence, quality assurance, integrity, and rigor of, and
protection against potential conflicts of interest within the
Accreditation Body and C3PAOs. Numerous commenters recommended the use
of ISO/IEC standards to address these issues. Additionally, one
commenter was concerned about high costs for assessments that could
result if there is a lack of oversight for charging fees.
Response: The Accreditation Body is required to become compliant
with the ISO/IEC 17011:2017 standard (the international benchmark used
in demonstrating an accreditation body's impartiality, technical
competency, and resources) and the requirements set forth in Sec.
170.8. Additionally, the C3PAOs and CAICO must comply with requirements
as specified in Sec. 170.9 and Sec. 170.10, respectively, including
the specified ISO/IEC standards.
Comment: To address a perceived shortage of CMMC C3PAO assessors,
two commenters suggested authorizing the use of other ISO/IEC-compliant
accreditation bodies to increase the numbers of assessors. Another
commenter wanted to know how a company could become an accreditation
body.
Response: Consistency in training is imperative due to the unique
qualifications needed to understand requirements. Additionally, ISO/IEC
17024:2012 Conformity Assessment requirements are levied against the
CAICO and may not be required by other entities. The number and level
of assessors needed is relative to the number of companies seeking CMMC
assessment. The demand level is influenced, but not solely determined
by, the number of solicitations that include CMMC requirements, the
CMMC Levels specified, and the estimated number of subcontractors that
will also need to meet CMMC requirements, when flowed down by the prime
contractor. To facilitate a smooth and orderly transition to CMMC, the
Department will issue policy guidance to government Program Managers to
govern the rate at which CMMC requirements are levied in new
solicitations. The implementation phases are described in Sec.
170.3(e). The CMMC PMO has visibility into the Accreditation Body's
assessor training activities, tracks the anticipated number of trained
assessors, and will use this information to inform policies that guide
government Program Managers in identifying CMMC requirements in new
solicitations.
23. Relationship to Existing Regulations
Comment: Several commenters asked about the implications of having
DFARS clauses 252.204-7012 and 252.204-7021 coexist in contracts and
wanted to know if all the 252.204-7012 requirements, including the
requirements for ``adequate security,'' incident reporting, and flow-
down, apply in the presence of 252.204-7021. Others were concerned
about a perceived conflict on the protection of CUI between NIST SP
800-171 Rev 2, which specifies the minimum requirements to provide
``adequate security'' for CUI on nonfederal systems and DFARS clause
252.204-7021 based on the CMMC Program. Multiple commenters wanted to
know if the 252.204-7021 clause and the CMMC requirements override
contractor responsibility to comply with other applicable clauses of
the contract, or other applicable U.S. Government statutory or
regulatory requirements. Others were concerned about a continued
proliferation of security requirements.
Response: CMMC Program requirements proposed in this rule will be
implemented in the DFARS, as needed, which may result in changes to
current DoD solicitation provisions and contract clauses, including
DFARS clause 252.204-7021. As such, DoD cannot address applicability of
or changes to current DFARS clause 252.204-7021 or other current DFARS
cybersecurity provisions or clauses at this time.
DoD does not intend to impose duplicative cybersecurity protection
or assessment requirements. There is no conflict between the CMMC
cybersecurity protection requirements described in this rule and DoD's
current information safeguarding requirements, including those set
forth in DFARS clause 252.204-7012. This CMMC rule adds new
requirements for the assessment of contractor implementation of
underlying information security standards and guidelines, as
applicable, such as those set forth in FAR clause 52.204-21 and in the
NIST SP 800-171 Rev 2. This rule also prescribes additional information
security protection and assessment requirements for CMMC Level 3,
derived from NIST SP 800-172, for certain limited scenarios.
As new cyber threats emerge, security requirements will continue to
evolve to support efforts to protect information important to U.S.
national security. However, alternate standards will continue to be
reviewed, as described in Sec. 170.20, to minimize the burden of new
requirements.
24. Phase-Out of Existing Cybersecurity Requirements
Comment: Several commenters asked whether DFARS clause 252.204-
7012, DFARS provision 252.204-7019 and 252.204-7020 will be phased out
since DFARS clause 252.204-7021 is now a requirement.
Response: The CMMC Program requirements proposed in this rule will
be implemented in the DFARS, as needed, which may result in changes to
current DoD solicitation provisions and contract clauses, including
DFARS clause 252.204-7021. As such, DoD cannot address applicability of
or changes to current DFARS clause 252.204-7021 or other current DFARS
cybersecurity provisions or clauses at this time.
The information safeguarding requirements and cyber incident
reporting requirements set forth in DFARS clause 252.204-7012 will not
be phased out as a result of this rule. CMMC Program requirements
provide DoD with verification, through self or third-party assessment,
that defense contractors have, in fact, implemented DoD's cybersecurity
protection requirements.
In addition, the requirements of this rule will not be fully
implemented (and will not appear in all DoD contracts) until 2026 or
later. As such, DoD will continue to require the current cybersecurity
protections as reflected in the identified DFARS provisions and clauses
for contracts that do not include a CMMC requirement.
Applicability
The CMMC Program will require DoD to identify CMMC Level 1, 2, or 3
as a solicitation requirement for any effort that will cause a
contractor or subcontractor to process, store, or transmit FCI or CUI
on its unclassified information system(s). Once CMMC is implemented in
48 CFR, DoD will specify the required CMMC Level in the solicitation
and the resulting contract.
Summary of Program Changes: DFARS Case 2019-D041 implemented DoD's
original model for assessing contractor information security
protections, which is referred to as ``CMMC 1.0.'' CMMC 1.0 consisted
of five progressively more advanced levels of cybersecurity
standards and required defense contractors and subcontractors to
undergo a certification process to demonstrate compliance with the
cybersecurity standards associated with a given CMMC Level.
In March 2021, the Department initiated an internal review of
CMMC's implementation that engaged DoD's cybersecurity and acquisition
leaders to refine policy and program implementation, focusing on the
need to reduce costs for small businesses and align cybersecurity
requirements to other federal standards and guidelines. This review
resulted in CMMC 2.0, which streamlines assessment and certification
requirements and improves implementation of the CMMC Program. These
changes include:
Eliminating Levels 2 and 4, and renaming the remaining
three CMMC Levels as follows:
Level 1 will remain the same as CMMC 1.0 Level 1;
Level 2 will be similar to CMMC 1.0 Level 3;
Level 3 will be similar to CMMC 1.0 Level 5.
Removing CMMC-unique requirements and maturity processes
from all levels;
For CMMC Level 1, allowing annual self-assessments with an
annual affirmation by company leadership;
Allowing a subset of companies at Level 2 to demonstrate
compliance through self-assessment rather than C3PAO assessment.
For CMMC Level 3, requiring Department-conducted
assessments; and
Developing a time-bound and enforceable POA&M process.
The CMMC Program will be implemented through publication of rules
for both title 32 CFR and title 48 CFR. Both rules will have public
comment periods.
Background
A. Statement of Need for This Rule
The Department of Defense (DoD) requires defense contractors to
protect sensitive unclassified information in accordance with
requirements for FCI and CUI. To verify contractor and subcontractor
implementation of DoD's cybersecurity information protection
requirements, the Department developed the Cybersecurity Maturity Model
Certification (CMMC) Program as a means of assessing and verifying
adequate protection of contractor information systems that process,
store, or transmit either FCI or CUI.
The CMMC Program is intended to: (1) align cybersecurity
requirements to the sensitivity of unclassified information to be
protected, (2) add a self-assessment element to affirm implementation
of applicable cybersecurity requirements, (3) add a certification
element to verify implementation of cybersecurity requirements, and (4)
add an affirmation to attest to continued compliance with assessed
requirements. As part of the program, DoD also intends to provide
supporting resources and training to the DIB, to help support companies
who are working to achieve the required CMMC level. The CMMC Program
provides for assessment at three levels, starting with basic
safeguarding of FCI at CMMC Level 1, moving to the broad protection of
CUI at CMMC Level 2, and culminating with higher-level protection of
CUI against risk from Advanced Persistent Threats (APTs) at CMMC Level
3.
The CMMC Program addresses DoD's need to protect its sensitive
unclassified information during the acquisition and sustainment of
products and services from the DIB. This effort is instrumental in
establishing cybersecurity as a foundation for DoD acquisitions.
Although DoD contract requirements to provide adequate security for
covered defense information (reflected in DFARS clause 252.204-7012)
predate CMMC by many years, a certification requirement for the
handling of CUI to assess a contractor or subcontractor's
implementation of those required
information security controls is new with the CMMC Program.
The theft of intellectual property and sensitive information from
all U.S. industrial sectors from malicious cyber activity threatens
economic security and national security. The Council of Economic
Advisers estimates that malicious cyber activity cost the U.S. economy
between $57 billion and $109 billion in 2016.\19\ The Center for
Strategic and International Studies estimates that the total global
cost of cybercrime was as high as $600 billion in 2017.\20\
---------------------------------------------------------------------------
\19\ Based on information from the Council of Economic Advisers
report: The Cost of Malicious Cyber Activity to the U.S. Economy,
2018.
\20\ Based on information from the Center for Strategic and
International Studies report on the Economic Impact of Cybercrime;
https://www.csis.org/analysis/economic-impact-cybercrime.
---------------------------------------------------------------------------
Malicious cyber actors have targeted and continue to target defense
contractors and the DoD supply chain. These attacks not only focus on
the large prime contractors, but also target subcontractors that make
up the lower tiers of the DoD supply chain. Many of these
subcontractors are small entities that provide critical support and
innovation. Overall, the DIB sector consists of over 220,000 companies
\21\ that process, store, or transmit CUI or FCI in support of the
warfighter and contribute towards the research, engineering,
development, acquisition, production, delivery, sustainment, and
operations of DoD systems, networks, installations, capabilities, and
services. The aggregate loss of intellectual property and controlled
unclassified information from the DoD supply chain can undercut U.S.
technical advantages and innovation, as well as significantly increase
the risk to national security. As part of multiple lines of effort
focused on the security and resiliency of the DIB, the Department is
working with industry to enhance the protection of FCI and CUI within
the DoD supply chain. Toward this end, DoD has developed the CMMC
Program.
---------------------------------------------------------------------------
\21\ Based on information from the Federal Procurement Data
System, the average number of unique prime contractors is
approximately 212,650 and the number of known unique subcontractors
is approximately 8,300. (FPDS from FY18-FY21).
---------------------------------------------------------------------------
Cybersecurity Maturity Model Certification Program
The CMMC Program provides a comprehensive and scalable
certification approach to verify the implementation of requirements
associated with the achievement of a cybersecurity level. CMMC is
designed to provide increased assurance to the Department that defense
contractors can adequately protect FCI and CUI at a level commensurate
with the risk, accounting for information flow down to its
subcontractors in a multi-tier supply chain. Defense contractors can
achieve a specific CMMC Level for their entire enterprise network or
for one or more enclaves, depending upon where the information to be
protected is processed, stored, or transmitted.
The CMMC Program assesses implementation of cybersecurity
requirements. The CMMC requirements for safeguarding and security are
the same as those required by FAR Subpart 4.19 and DFARS Subpart
204.73, as well as selected NIST SP 800-172 requirements. CMMC Level 1
requires implementation of the safeguarding requirements set forth in
FAR clause 52.204-21. CMMC Level 2 requires implementation of the
security requirements in NIST SP 800-171 Rev 2. CMMC Level 3 requires
implementation of the security requirements in NIST SP 800-171 Rev 2 as
well as selected NIST SP 800-172 requirements, with DoD specified
parameters. The CMMC requirements for all three Levels are provided in
Sec. 170.14. In general, CMMC assessments do not duplicate efforts
from existing DoD assessments. In rare circumstances a re-assessment
may be necessary when cybersecurity risks, threats, or awareness have
changed.
Under the CMMC Program, CMMC contract requirements include self-
assessments and third-party assessments for CMMC Level 2, predicated on
program criticality, information sensitivity, and the severity of cyber
threat. Based on the type and sensitivity of the information to be
protected, a defense contractor must achieve the appropriate CMMC Level
and demonstrate implementation of the associated set of information
protection requirements.
If CMMC Level 1 or Level 2 Self-Assessment is a contract
requirement, the defense contractor will be required to self-assess its
compliance with the CMMC Level 1 or Level 2 requirements and submit the
assessment results and an affirmation of conformance in SPRS. CMMC
Level 1 self-assessment and associated affirmation is required
annually. CMMC Level 2 Self-Assessment is required triennially with an
affirmation following self-assessment and annually thereafter.
If CMMC Level 2 Certification Assessment is a contract requirement,
CMMC assessments must be performed by an authorized or accredited CMMC
Third Party Assessment Organization (C3PAO). When CMMC Level 3
Certification Assessment is a contract requirement, an assessment by
DoD is required following a CMMC Level 2 Final Certification
Assessment. Upon completion of a CMMC Level 2 or 3 Certification
Assessment, the offeror may be granted a certification of assessment
based on the results of the assessment at the appropriate CMMC Level
(as described in the CMMC Model). The assessment results are documented
in SPRS to enable contracting officers to verify the validity status of
an offeror's certification level and currency (i.e., not more than
three years old) prior to contract award. The offeror must also submit
an affirmation of conformance in SPRS following the assessment and
annually thereafter.
CMMC allows the use of Plans of Action and Milestones (POA&Ms) for
specified CMMC Level 2 and 3 security requirements. Each POA&M must be
closed, i.e., all requirements completed, within 180 days of the
initial assessment.
The details of the requirements for self-assessment, third-party
assessment, and affirmation for each CMMC Level, are provided in Sec.
170.15 through Sec. 170.18. POA&M requirements, including which
requirements are allowed to be on a POA&M and POA&M closeout
requirements, in addition to requirements for provision of an
affirmation at closeout, contract eligibility, and continuation are
provided in Sec. 170.21 and Sec. 170.22.
DoD's phased implementation of CMMC requirements is described in
Sec. 170.3(e). Once CMMC requirements have been implemented in the
DFARS, the solicitation will identify the specific CMMC Level required
for that procurement. To implement a phased transition, selection of a
CMMC Level will be based upon careful consideration of market research
and the likelihood of a robust competitive market of prospective
offerors capable of meeting the requirement. In some scenarios, DoD may
elect to waive application of CMMC third party assessment requirements
to a particular procurement. In such cases, the solicitation will not
include a CMMC assessment requirement. Such waivers may be requested
and approved by the Department in accordance with DoD's internal
policies and procedures. For a DoD solicitation or contract that does
include CMMC requirements, including those for the acquisition of
commercial items (except those exclusively for COTS items) valued at
greater than the micro-purchase threshold, contracting officers will
not make award, or exercise an option on a contract, if the offeror or
contractor does not meet the requirements for the required CMMC Level.
Furthermore, CMMC requirements are required to flow down to
subcontractors as prescribed in the solicitation at all tiers,
commensurate with the sensitivity of the unclassified information
flowed down to each subcontractor.
B. Legal Authority
5 U.S.C. 301 authorizes the head of an Executive department or
military department to prescribe regulations for the government of his
or her department, the conduct of its employees, the distribution and
performance of its business, and the custody, use, and preservation of
its records, papers, and property. (https://www.govinfo.gov/content/pkg/USCODE-2009-title5/pdf/USCODE-2009-title5-partI-chap3-sec301.pdf).
Section 1648 of the National Defense Authorization Act for Fiscal
Year 2020 (Pub. L. 116-92) \22\ directs the Secretary of Defense to
develop a consistent, comprehensive framework to enhance cybersecurity
for the U.S. Defense Industrial Base (DIB). The CMMC Program is an
important part of this framework.
---------------------------------------------------------------------------
\22\ https://www.govinfo.gov/content/pkg/PLAW-116publ92/pdf/PLAW-116publ92.pdf.
---------------------------------------------------------------------------
C. Community Impact
This rule impacts all prospective and actual DoD contractors and
subcontractors that are handling or will handle DoD information that
meets the standards for FCI or CUI on a contractor information system
during performance of the DoD contract or subcontract. This rule also
impacts all companies who are performing or will perform accreditation,
training, certification, or assessment functions in connection with
implementation of the CMMC Program.
D. Regulatory History
The CMMC Program verifies defense contractor compliance with DoD's
cybersecurity information protection requirements. It is designed to
protect sensitive unclassified information that is shared by the
Department with or generated by its contractors and subcontractors. The
cybersecurity standards required by the program are the same as those
set forth in FAR clause 52.204-21 (CMMC Level 1), the NIST SP 800-171
Rev 2 guidelines, which are presently required by DFARS clause 252.204-
7012 (CMMC Level 2), and additional selected requirements from the NIST
SP 800-172 guidelines (CMMC Level 3). The program adds a robust
assessment element and provides the Department increased assurance that
contractors and subcontractors are meeting these requirements.
In September 2020, the DoD published an interim rule to the DFARS
in the Federal Register (DFARS Case 2019-D041), which implemented the
DoD's initial vision for the CMMC Program (``CMMC 1.0'') and outlined
the basic features of the program (tiered model, required assessments,
and implementation through contracts). The interim rule became
effective on November 30, 2020, establishing a five-year phase-in
period.
In March 2021, the Department initiated an internal review of
CMMC's implementation, informed by more than 750 CMMC-related public
comments in response to the interim DFARS rule. This comprehensive,
programmatic assessment engaged cybersecurity and acquisition leaders
within DoD to refine policy and program implementation.
In November 2021, the Department announced CMMC 2.0, which
incorporates an updated program structure and requirements designed to
achieve the primary goals of an internal DoD review of the CMMC
Program. With the implementation of the CMMC Program, the Department
introduced several key changes that build on and refine the original
program requirements. These include:
Streamlining the model from five to three certification
levels;
Allowing all companies at Level 1 and a subset of
companies at Level 2 to demonstrate compliance through self-
assessments;
Increasing oversight of professional and ethical standards
of third-party assessors; and
Allowing companies, under certain limited circumstances,
to make POA&Ms to achieve certification.
The CMMC requirements established pursuant to DFARS Case 2019-D041
have not been revised as of the date of publication of this rule.
However, the CMMC Program requirements proposed in this rule will be
implemented in the DFARS, as needed, which may result in changes to the
current DFARS text, solicitation provisions, and contract clauses
relating to DoD's cybersecurity protection requirements, including
DFARS subpart 204.75 and DFARS clause 252.204-7021, Cybersecurity
Maturity Model Certification (CMMC) Requirements.
Regulatory Impact Analysis
FAR Subpart 4.19 and DFARS Subpart 204.73 address safeguarding of
FCI and CUI in contractor information systems and prescribe contract
clauses requiring protection of FCI and CUI within the supply chain.
The FAR and DFARS requirements for safeguarding FCI and CUI predate the
CMMC Program by many years, and baseline costs for their implementation
are assumed to vary widely based on factors including, but not limited
to, company size and complexity of the information systems to be
secured. FAR 52.204-21, Basic Safeguarding of Covered Contractor
Information Systems, is prescribed at FAR section 4.1903 for use in
solicitations and contracts when the contractor or subcontractor at any
tier may have FCI residing in or transiting through its information
system. This clause requires contractors and subcontractors to apply
basic safeguarding requirements and procedures to protect applicable
contractor information systems that process, store, or transmit FCI. In
addition, DFARS clause 252.204-7012, Safeguarding Covered Defense
Information and Cyber Incident Reporting, is prescribed at DFARS
section 204.7304(c) for use in all DoD solicitations and contracts,
including solicitations and contracts using FAR part 12 procedures for
the acquisition of commercial items, except for solicitations and
contracts solely for the acquisition of commercially available off-the-
shelf items. This clause applies when a contractor information system
processes, stores, or transmits covered defense information and
requires contractors and subcontractors to provide ``adequate
security'' to safeguard that information when it resides on or transits
through a contractor information system, and to report cyber incidents
that affect that system or network. The clause states that to provide
adequate security, the contractor shall implement, at a minimum, the
security requirements in National Institute of Standards and Technology
(NIST) Special Publication (SP) 800-171 Rev 2, Protecting CUI in
Nonfederal Systems and Organizations. Contractors are also required to
flow down DFARS clause 252.204-7012 to all subcontracts for
operationally critical support or for which subcontractor performance
will involve covered defense information.
However, neither FAR clause 52.204-21 nor DFARS clause 252.204-7012
provides for DoD assessment of a contractor's implementation of the
information protection requirements required by those clauses. The
Department developed the CMMC Program to verify implementation of
cybersecurity requirements in DoD contracts and subcontracts, by
assessing the adequacy of contractor information system security
compliance prior to
award and during performance of the contract. With limited exceptions,
the Department intends to require compliance with CMMC as a condition
of contract award. Once CMMC is implemented, the required CMMC Level
for contractors and subcontractors will be specified in the
solicitation and Requests for Information (RFIs), if utilized.
There are three different levels of CMMC assessment, starting with
basic safeguarding of FCI at Level 1, moving to the broad protection of
CUI at Level 2, and culminating with higher level protection of CUI
against risk from Advanced Persistent Threats (APTs) at Level 3. The
benefits and costs associated with implementing this rule, as well as
alternative approaches considered, are as follows:
Costs
A Regulatory Impact Analysis (RIA) that includes a detailed
discussion and explanation about the assumptions and methodology used
to estimate the cost of this regulatory action follows and is available
at https://www.regulations.gov (search for ``DoD-2023-OS-0063,'' click
``Open Docket,'' and view ``Supporting Documents'').
Background
The Department of Defense (DoD or Department) requires a secure and
resilient supply chain to ensure the development, production, and
sustainment of capabilities critical to national security. The DoD
supply chain is targeted by adversaries with increasing frequency and
sophistication, and to devastating effect. Therefore, implementation of
cybersecurity standards and enforcement mechanisms are critically
important. Executive Order (E.O.) 14028, ``Improving the Nation's
Cybersecurity,'' emphasizes the need to strengthen cybersecurity
protections for both the Federal Government and the private sector.
Nation-state adversaries attack the U.S. supply chain for a myriad
of reasons, including exfiltration of valuable technical data (a form
of industrial espionage); disruption to control systems used for
critical infrastructure, manufacturing, and weapons systems; corruption
of quality and assurance across a broad range of product types and
categories; and manipulation of software to achieve unauthorized access
to connected systems and to degrade the integrity of system operations.
For example, since September 2020, major cyber-attacks such as the
SolarWinds,\23\ Colonial Pipeline, Hafnium,\24\ and Kaseya \25\
attacks have been spearheaded or influenced by nation-state actors
\26\ and resulted in significant failures and disruption. In the context
of this threat, the size and complexity of defense procurement activities
provide numerous pathways for adversaries to access DoD's sensitive
systems and information. Moreover, adversaries continue to evolve their
tactics, techniques, and procedures. For example, on April 28, 2022,
CISA and the FBI issued an advisory on destructive ``wiperware,'' a
form of malware which can destroy valuable information.\27\ Protection
of DoD's sensitive unclassified information is critically important,
and the DoD needs assurance that contactor information systems are
adequately secured to protect such information when it resides on or
transits those systems.
---------------------------------------------------------------------------
\23\ https://www.gao.gov/assets/gao-22-104746.pdf.
\24\ https://www.ic3.gov/Media/News/2021/210310.pdf.
\25\ https://www.cisa.gov/uscert/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa.
\26\ https://www.mitre.org/sites/default/files/publications/pr-18-2417-deliver-uncompromised-MITRE-study-26AUG2019.pdf.
\27\ https://www.cisa.gov/uscert/ncas/alerts/aa22-057a.
---------------------------------------------------------------------------
The Department is committed to working with defense contractors to
protect DoD and defense contractor sensitive unclassified information
in accordance with requirements for FCI and CUI.
Federal Contract Information (FCI): As defined in section
4.1901 of the FAR, FCI means information, not intended for public
release, that is provided by or generated for the Government under a
contract to develop or deliver a product or service to the Government,
but not including information provided by the Government to the public,
such as that on public websites, or simple transactional information,
such as that necessary to process payments.
Controlled Unclassified Information (CUI): 32 CFR
2002.4(h) defines CUI, in part, as information the Government creates
or possesses, or that an entity creates or possesses for or on behalf
of the Government, that a law, regulation, or Government-wide policy
requires or permits an agency to handle using safeguarding or
dissemination controls, including FCI.
In September 2020, the DoD published DFARS interim rule (Case 2019-
D041), which implemented DoD's initial vision for the Cybersecurity
Maturity Model Certification (CMMC) Program (``CMMC 1.0'') and outlined
basic program features, to include: a 5-level tiered model, CMMC
Certified Third Party Assessment Organization (C3PAO) assessments in
support of contractor and subcontractor certification, with no
allowance for a Plan of Action and Milestones, and implementation of
all security requirements by the time of a contract award. A total of
750 comments were received on the CMMC Program during the public
comment period that ended on November 30, 2020. These comments
highlighted a variety of industry concerns including concerns relating
to the costs for a C3PAO certification, and the costs and burden
associated with implementing, prior to award, the required process
maturity and 20 additional cybersecurity practices that were included
in CMMC 1.0. The Small Business Administration Office of Advocacy also
raised similar concerns on the impact the rule would have on small
businesses in the DIB.
Pursuant to DFARS clause 252.204-7012, DoD has required certain
defense contractors and subcontractors to implement the security
protections set forth in the National Institute of Standards and
Technology (NIST) Special Publication (SP) 800-171 Rev 2 to provide
adequate security for sensitive unclassified DoD information that is
processed, stored, or transmitted on contractor information systems and
to document their implementation status, including any plans of action
for any NIST SP 800-171 Rev 2 requirement not yet implemented, in a
System Security Plan. The CMMC Program provides the Department the
mechanism needed to verify that a defense contractor or subcontractor
has implemented the security requirements at each CMMC Level and is
maintaining that status across the contract period of performance, as
required.
In calendar year (CY) 2021, DoD paused the planned CMMC rollout to
conduct an internal review of the CMMC Program. The internal review
resulted in a refined and streamlined set of requirements that
addressed many of the concerns identified in the public comments
received relating to CMMC 1.0. These changes have been incorporated
into the CMMC Program structure and policies, now referred to as ``CMMC
2.0.'' In July 2022, the CMMC PMO met with the Office of Advocacy for
the United States Small Business Administration (SBA) to address the
revisions planned in CMMC 2.0 that are responsive to prior SBA
concerns.
The CMMC Program will enhance the ability of the DoD to safely
share sensitive unclassified information with
[[Page 89081]]
defense contractors and know the information will be suitably
safeguarded. Once fully implemented, CMMC will incorporate a set of
cybersecurity requirements into acquisition contracts to provide
verification that applicable cyber protections have been implemented.
Under the CMMC Program, defense contractors and subcontractors will be
required to implement certain cybersecurity protection requirements
tied to a designated CMMC level and either perform a self-assessment or
obtain an independent assessment from either a third-party or DoD as a
condition of a DoD contract award. CMMC is designed to validate the
protection of sensitive unclassified information that is shared with
and generated by the Department's contractors and subcontractors.
Through protection of information by adherence to the requirements
verified in CMMC 2.0, the Department and its contractors will prevent
disruption in service and the loss of intellectual property and assets,
and thwart access to sensitive unclassified information by the nation's
adversaries.
The CMMC Program is intended to: (1) align cybersecurity
requirements to the sensitivity of unclassified information to be
protected, and (2) add a certification element, where appropriate, to
verify implementation of cybersecurity requirements. As part of the
program, DoD also intends to provide supporting resources and training
to defense contractors to help support companies who are working to
achieve the required CMMC level. The CMMC Program provides for
assessment at three levels: basic safeguarding of FCI at CMMC Level 1,
broad protection of CUI at CMMC Level 2, and enhanced protection of CUI
against risk from Advanced Persistent Threats (APTs) at CMMC Level 3.
The CMMC Program is designed to provide increased assurance to the
Department that a defense contractor can adequately protect sensitive
unclassified information (i.e., FCI and CUI) in accordance with
prescribed security requirements, accounting for information flow down
to its subcontractors in a multi-tier supply chain.
The CMMC Program addresses DoD's need to protect its sensitive
unclassified information during the acquisition and sustainment of
products and services from the DIB. This effort is instrumental in
establishing cybersecurity as a foundation for future DoD acquisition.
Although DoD contract requirements to provide adequate security for
covered defense information (reflected in DFARS 252.204-7012) predate
CMMC by many years, a certification requirement for the handling of CUI
to assess a contractor's or subcontractor's compliance with those
required information security controls is new with the CMMC Program.
Findings from a DoD Inspector General report \28\ indicate that DoD
contractors
did not consistently implement mandated system security requirements
for safeguarding CUI and recommended that DoD take steps to assess a
contractor's ability to protect this information. The report emphasizes
that malicious actors can exploit the vulnerabilities of contractors'
networks and systems and exfiltrate information related to some of the
Nation's most valuable advanced defense technologies.
---------------------------------------------------------------------------
\28\ DODIG-2019-105 ``Audit of Protection of DoD CUI on
Contractor-Owned Networks and Systems''
---------------------------------------------------------------------------
Currently, the FAR and DFARS prescribe contract clauses intended to
protect FCI and CUI. Specifically, the clause at FAR 52.204-21, Basic
Safeguarding of Covered Contractor Information Systems, is prescribed
at FAR 4.1903 for use in Government solicitations and contracts when
the contractor or a subcontractor at any tier may have FCI residing in
or transiting through its information system(s). This clause requires
contractors and subcontractors to implement basic safeguarding
requirements and procedures to protect FCI being processed, stored, or
transmitted on contractor information systems. In addition, DFARS
clause 252.204-7012, Safeguarding Covered Defense Information and Cyber
Incident Reporting, is prescribed at DFARS 204.7304(c) for use in all
solicitations and contracts except for solicitations and contracts
solely for the acquisition of commercially available off-the-shelf
(COTS) items. This clause requires contractors and subcontractors to
provide ``adequate security'' to process, store or transmit covered
defense information when it resides on or transits a contractor
information system, and to report cyber incidents that affect that
system or network. The clause states that to provide adequate security,
the contractor shall implement, at a minimum, the security requirements
in NIST Special Publication (SP) 800-171 Rev 2, Protecting CUI in
Nonfederal Systems and Organizations. Contractors are also required to
flow down DFARS clause 252.204-7012 to all subcontracts that require
processing, storing, or transmitting of covered defense information.
However, neither FAR clause 52.204-21 nor DFARS clause 252.204-7012
provides for DoD verification, prior to contract award, of a
contractor's implementation of the basic safeguarding requirements
specified in FAR 52.204-21 or of the security requirements specified in
NIST SP 800-171 Rev 2, implementation of which is required by DFARS
clause 252.204-7012. As part of multiple lines of effort focused on the
security and resilience of the DIB, the Department is working with
industry to enhance the protection of FCI and CUI within the DoD supply
chain. Toward this end, DoD has developed the CMMC Program.
CMMC 2.0 Requirements
The CMMC Program requirements will be implemented through the DoD
acquisition and contracting process. With limited exceptions, the
Department intends to require compliance with CMMC as a condition of
contract award. Once CMMC is implemented, the required CMMC level for
contractors will be specified in the solicitation. In accordance with
the implementation plan described in 32 CFR 170.3(e), CMMC compliance
or certification requirements will apply to new DoD solicitations and
contracts, and shall flow down to subcontractors, based on the
sensitivity of the FCI and CUI to be processed, stored or transmitted
to or by the subcontractor. Before contract award, the offeror must
achieve the specified CMMC level for the contractor information system
(e.g., enterprise network, network enclave) that will process, store,
or transmit the information to be protected. The contractor or
subcontractor will also submit affirmations in the Supplier Performance
Risk System (SPRS). An overview of requirements at each level is shown:
CMMC Level 1 Self-Assessment
CMMC Level 1 Self-Assessment requires compliance with the
basic safeguarding requirements to protect FCI that are set forth in
FAR clause 52.204-21. CMMC Level 1 does not add any additional security
requirements to those identified in FAR 52.204-21.
Organizations Seeking Assessment (OSAs) will submit the
following information in SPRS prior to award of any prime contract or
subcontract and annually thereafter:
1. the results of a self-assessment of the OSA's implementation of
the basic safeguarding requirements set forth in 32 CFR 170.15
associated with the contractor information system(s) used in
performance of the contract; and
2. an initial affirmation of compliance, and then annually
thereafter, an affirmation of continued
[[Page 89082]]
compliance as set forth in 32 CFR 170.22.
The Level 1 Self-Assessment cost burden will be addressed as part of
the 48 CFR acquisition rule.
CMMC Level 2 Self-Assessment
CMMC Level 2 Self-Assessment requires compliance with the
security requirements set forth in NIST SP 800-171 Rev 2 to protect
CUI. CMMC Level 2 does not add any additional security requirements to
those identified in NIST SP 800-171 Rev 2.
OSAs will submit the following information in SPRS prior
to award of any prime contract or subcontract:
1. the results of a self-assessment of the OSA's implementation of
the NIST SP 800-171 Rev 2 requirements set forth in 32 CFR 170.16
associated with the covered contractor information system(s) used in
performance of the applicable contract.
2. an initial affirmation of compliance, and, if applicable, a
POA&M closeout affirmation, and then annually thereafter, an
affirmation of continued compliance set forth in 32 CFR 170.22.
The Level 2 Self-Assessment cost burden will be addressed as part of
the 48 CFR acquisition rule.
CMMC Level 2 Certification Assessment
CMMC Level 2 Certification requires compliance with the
security requirements set forth in 32 CFR 170.17 to protect CUI.
CMMC Level 2 does not add any additional security requirements to those
identified in NIST SP 800-171 Rev 2.
A CMMC Level 2 Certification Assessment of the applicable
contractor information system(s) provided by an authorized or
accredited C3PAO is required to validate implementation of the NIST SP
800-171 Rev 2 security requirements prior to award of any prime
contract or subcontract and exercise of option.
The C3PAO will upload the CMMC Level 2 results in eMASS
which will feed the information into SPRS.
OSCs will submit in SPRS an initial affirmation of
compliance, and, if necessary, a POA&M closeout affirmation, and then
annually thereafter, an affirmation of continued compliance as set
forth in 32 CFR 170.22.
The Level 2 Certification Assessment cost burdens are included in
this part with the exception of the requirement for the OSC to upload
the affirmation in SPRS that is included in the Title 48 acquisition
rule and an update to DFARS collection approved under OMB Control
Number 0750-0004, Assessing Contractor Implementation of Cybersecurity
Requirements. Additionally, the information collection reporting
requirements for the CMMC instantiation of eMASS are included in a
separate ICR for this part and cover only those requirements pertaining
to the CMMC process.
CMMC Level 3 Certification Assessment
CMMC Level 3 Certification Assessment requires a CMMC
Level 2 Final Certification Assessment and compliance with the security
requirements set forth in 32 CFR 170.18 to protect CUI. CMMC Level 3
adds additional security requirements to those required by existing
acquisition regulations as specified in this rule.
A CMMC Level 3 Certification Assessment of the applicable
contractor information system(s) provided by the DCMA Defense
Industrial Base Cybersecurity Assessment Center (DIBCAC) is required to
validate implementation of the DoD-defined selected security
requirements set forth in NIST SP 800-172. A CMMC Level 2 Final
Certification is a prerequisite to schedule a DIBCAC assessment for
CMMC Level 3.
DCMA DIBCAC will upload the CMMC Level 3 results into the
CMMC instantiation of eMASS, which will feed the information into SPRS.
OSCs will submit in SPRS an initial affirmation of
compliance, and, if necessary, a POA&M closeout affirmation, and then
annually thereafter, an affirmation of continued compliance as set
forth in 32 CFR 170.22.
The Level 3 Certification Assessment cost burdens are included in
this part with the exception of the requirement for the OSC to upload
the affirmation in SPRS that is included in the Title 48 acquisition
rule and an update to DFARS collection approved under OMB Control
Number 0750-0004, Assessing Contractor Implementation of Cybersecurity
Requirements. Additionally, the information collection reporting
requirements for the CMMC instantiation of eMASS are included in a
separate ICR for this part and cover only those requirements pertaining
to the CMMC process. As described, the CMMC Program couples an
affirmation of compliance with certification assessment requirements to
verify OSA implementation of cybersecurity requirements, as applicable.
The CMMC Program addresses DoD's need to protect its sensitive
unclassified information during the acquisition and sustainment of
products and services from the DIB. This effort is instrumental in
ensuring cybersecurity is the foundation of future DoD acquisitions.
Policy Problems Addressed by CMMC 2.0
Implementation of the CMMC Program is intended to solve the
following policy problems:
Verifies the Contractor Cybersecurity Requirements
Neither FAR clause 52.204-21 nor DFARS clause 252.204-7012 provides
for DoD assessment of a defense contractor's or subcontractor's
implementation of the information protection requirements within those
clauses. Defense contractors represent that they will implement the
requirements in NIST SP 800-171 Rev 2 upon submission of their offer.
Findings from DoD Inspector General report (DODIG-2019-105 ``Audit of
Protection of DoD Controlled Unclassified Information on Contractor-
Owned Networks and Systems'') indicate that DoD contractors did not
consistently implement mandated system security requirements for
safeguarding CUI and recommended that DoD take steps to assess a
contractor's ability to protect this information. CMMC adds new
assessment requirements for contractor implementation of underlying
information security requirements, to allow DoD to assess a defense
contractor's cybersecurity posture using authorized or accredited
C3PAOs. The contractor and subcontractor must achieve the required CMMC
Level as a condition of contract award.
Implementation of Cybersecurity Requirements
Under DFARS clause 252.204-7012, defense contractors and
subcontractors must document implementation of the security
requirements in NIST SP 800-171 Rev 2 in a system security plan and may
use a Plan of Action and Milestones (POA&M) to describe how and when
any unimplemented security requirements will be met. For the CMMC
Program, the solicitation will specify the required CMMC level, which
will be determined considering program criticality, information
sensitivity, and severity of cyber threat. Although the security
requirements in
NIST SP 800-171 Rev 2 address a range of threats, additional
requirements are needed to significantly reduce the risk posed by APTs.
An APT is an adversary that possesses sophisticated levels of expertise
and significant resources that allow it to create opportunities to
achieve its objectives by using multiple attack vectors (e.g., cyber,
physical, and
[[Page 89083]]
deception). CMMC Level 3 requires implementation of selected security
requirements from NIST SP 800-172 to reduce the risk of APT threats.
The CMMC Program will require prime contractors to flow the
appropriate CMMC requirement down throughout the entire supply chain
relevant to a particular contract. Defense contractors or
subcontractors that handle FCI must meet the requirements for CMMC
Level 1. Defense contractors or subcontractors that handle CUI must
meet the requirements for CMMC Level 2 or higher, depending on the
sensitivity of the information associated with a program or technology
being developed.
Scale and Depth
Today, DoD prime contractors must include DFARS clause 252.204-7012
in subcontracts for which performance will involve covered defense
information, but this does not provide the Department with sufficient
insights with respect to the cybersecurity posture of all members of a
multi-tier supply chain for any given program or technology development
effort. CMMC 2.0 requires prime contractors to flow down appropriate
CMMC Level requirements, as applicable, to subcontractors throughout
their supply chain(s).
Given the size and scale of the DIB, the Department cannot scale
its existing cybersecurity assessment capability to conduct on-site
assessments of approximately 220,000 DoD contractors and subcontractors
every three years. The Department's existing assessment capability is
best suited for conducting targeted assessments for the relatively
small subset of DoD contractors and subcontractors that support
designated high-priority programs involving CUI.
CMMC addresses the Department's scaling challenges by utilizing a
private-sector accreditation structure. A DoD-authorized Accreditation
Body will authorize, accredit, and provide oversight of C3PAOs which in
turn will conduct CMMC Level 2 Certification Assessments of actual and
prospective DoD contractors and subcontractors. Defense contractors
will directly contract with an authorized or accredited C3PAO to obtain
a CMMC Certification Assessment. The cost of CMMC Level 2 activities is
driven by multiple factors, including market forces that govern
availability of C3PAOs and the size and complexity of the enterprise or
enclave under assessment. The Government will perform CMMC Level 3
Certification Assessments. Government resource limitations may affect
schedule availability.
Reduces Duplicate or Repetitive Assessments of Our Industry Partners
CMMC assessment results will be posted in SPRS, DoD's authoritative
source for supplier and product performance information. Posting CMMC
assessment results in SPRS precludes the need to validate CMMC
implementation on a contract-by-contract basis. This enables DoD to
identify whether the CMMC requirements have been met for relevant
contractor information systems, avoids duplicative assessments, and
eliminates the need for program level assessments, all of which
decreases costs to both DoD and industry.
CMMC 2.0 Implementation
The DoD is implementing a phased rollout of CMMC 2.0 and
intends to introduce CMMC requirements in solicitations over a three-
year period to provide appropriate ramp-up time. This phased
implementation is intended to minimize the financial impacts to defense
contractors, especially small businesses, and disruption to the
existing DoD supply chain. After CMMC is implemented in acquisition
regulation, DoD will include CMMC self-assessment requirements in
solicitations when warranted by the type of information that will be
handled by the contractor or subcontractor(s). CMMC requirements for
Levels 1, 2, and 3 will be included in solicitations issued after the
phase-in period when warranted by any FCI and/or CUI information
protection requirements for the contract effort. In the intervening
period, Government Program Managers will have discretion to include
CMMC requirements or exclude them and rely upon existing DFARS Clause
252.204-7012 requirements, in accordance with DoD policy. As stated in
32 CFR 170.20(a), there is qualified standards acceptance between DCMA
DIBCAC High Assessment and CMMC Level 2, which will result in
staggering of the dates for new CMMC Level 2 assessments. The
implementation period will consist of four (4) phases as set forth in
32 CFR 170.3(e), during which time the Government will include CMMC
requirements in certain solicitations and contracts. During the CMMC
phase-in period, program managers and requiring activities will be
required to include CMMC requirements in certain solicitations and
contracts and will have discretion to include in others.
A purpose of the phased implementation is to ensure adequate
availability of authorized or accredited C3PAOs and assessors to meet
the demand.
CMMC 2.0 Flow Down
CMMC Level requirements will be flowed down to subcontractors at
all tiers as set forth in 32 CFR 170.23; however, the specific CMMC
Level required for a subcontractor will be based on the type of
unclassified information and the priority of the acquisition program
and/or technology being developed.
Key Changes Incorporated in the CMMC 2.0 Program
In November 2021, the Department announced ``CMMC 2.0,'' which is
an updated program structure with revised requirements. In CMMC 2.0,
the Department has introduced several key changes that build on and
refine the original program requirements. These include:
Streamlining the model from five levels to three levels.
Exclusively implementing National Institute of Standards
and Technology (NIST) cybersecurity standards and guidelines.
Allowing all companies subject to Level 1, and a subset of
companies subject to Level 2 to demonstrate compliance through self-
assessments.
Increased oversight of professional and ethical standards
of CMMC third-party assessors.
Allowing Plans of Action & Milestones (POA&M) under
limited circumstances to achieve conditional certification.
As a result of the alignment of CMMC 2.0 to NIST guidelines, the
Department's requirements will continue to evolve as changes are made
to the underlying NIST SP 800-171 Rev 2 and NIST SP 800-172
requirements.
CMMC Assessment
Assessment Criteria
CMMC requires that defense contractors and subcontractors entrusted
with FCI and CUI implement cybersecurity standards at progressively
more secure levels, depending on the type and sensitivity of the
information.
CMMC Level 1 Self-Assessment
An annual CMMC Level 1 Self-Assessment and annual affirmation
asserts that an OSA has implemented all the Basic Safeguarding
requirements to protect FCI as set forth in 32 CFR 170.14(c)(2).
An OSA can choose to perform the annual self-assessment internally
or engage a third-party to assist with evaluating its Level 1
compliance. Use of a third party to assist with the
[[Page 89084]]
assessment process is still considered a self-assessment and does not
result in a CMMC certification. An OSA can be compliant with CMMC Level
1 requirements for an entire enterprise network or for a particular
enclave(s), depending upon where the FCI is or will be processed,
stored, or transmitted.
CMMC Level 2 Self-Assessment
A triennial CMMC Level 2 Self-Assessment and annual affirmation attest
that an OSA has implemented all the security requirements to protect
CUI as specified in 32 CFR 170.14(c)(3).
CMMC Level 2 Certification Assessment
A CMMC Level 2 Certification Assessment, conducted by a C3PAO,
verifies that an OSC is conforming to the security requirements to
protect CUI as specified in 32 CFR 170.14(c)(3). A CMMC Level 2
assessment must be conducted for each OSC information system that will
be used in the execution of the contract that will process, store, or
transmit CUI.
CMMC Level 3 Certification Assessment
Receipt of a CMMC Level 2 Final Certification Assessment for
information systems within the Level 3 CMMC Assessment Scope is a
prerequisite for a CMMC Level 3 Certification Assessment. A CMMC Level
3 Certification Assessment, conducted by DCMA Defense Industrial Base
Cybersecurity Assessment Center (DIBCAC), verifies that an OSC has
implemented the CMMC Level 3 security requirements to protect CUI as
specified in 32 CFR 170.14(c)(4). A CMMC Level 3 Certification
Assessment must be conducted for each OSC information system that will
be used in the execution of the contract that will process, store, or
transmit CUI.
Impact and Cost Analysis of CMMC 2.0
Summary of Impact
Public comment feedback on CMMC 1.0 indicated that cost estimates
were too low. CMMC 2.0 cost estimates account for that feedback with
the following improvements:
Allowance for outsourced IT services
Increased total time for the contractor to prepare for the
assessment, including limited time for learning the reporting and
affirmation processes
Allowance for use of consulting firms to assist with the
assessment process
Time for a senior level manager to review the assessment and
affirmation before submitting the results in SPRS
Updated government and contractor labor rates that include
applicable burden costs
As a result, some CMMC 2.0 costs may be higher than those included
in CMMC 1.0.
The CMMC 2.0 impact analysis includes estimated costs for
implementation of CMMC 2.0 requirements across Level 1, Level 2, and
Level 3 for the Public (small and other than small entities, including
the CMMC Ecosystem as set forth in 32 CFR Subpart C) and the
Government. In summary, the total estimated Public and Government costs
associated with this rule, calculated for a 20-year horizon in 2023
dollars at a 7 percent discount rate and a 3 percent discount rate are
provided as follows:
[GRAPHIC] [TIFF OMITTED] TP26DE23.004
[GRAPHIC] [TIFF OMITTED] TP26DE23.005
Estimating the number of CMMC assessments for unique entities per
level per year is complicated by the fact that companies may serve as a
prime contractor on one effort but a subcontractor on others, and may
also enter into subcontract agreements with more than one prime
contractor for various opportunities.
In addition, the CMMC Program relies upon free market influences of
supply and demand to propel implementation. Specifically, the
Department does not control which defense contractors aspire to compete
for which business opportunities, nor does it control access to the
assessment services offered by C3PAOs. OSAs may elect to complete a
self-assessment or pursue a certification assessment at any time after
issuance of the rule, in an effort to distinguish themselves as
competitive for efforts that require an ability to adequately protect
CUI. For that reason, the number of CMMC assessments for unique
entities per level per year may vary significantly from the assumptions
used in generating the cost estimate. The estimates represent the best
estimates at this time based on internal expertise and public feedback.
DoD utilized historical metrics gathered for the CMMC 1.0 Program
and subject matter expertise from Defense Pricing and Contracting (DPC)
and DCMA DIBCAC to estimate the number of entities by type and by
assessment level for this analysis. The following
[[Page 89085]]
table summarizes the estimated profile used in this analysis.
[GRAPHIC] [TIFF OMITTED] TP26DE23.006
DoD is planning for a phased roll-out of each assessment level
across 7 years with the entity numbers reaching a maximum by Year 4 as
shown in the tables. The target of Year 4 was selected based on the
projected capacity of the CMMC Ecosystem to grow to efficiently support
the entities in the pipeline. For modeling efficiency, a similar roll-
out is assumed regardless of entity size or assessment level. It is
assumed that by year 7 the maximum number of entities is reached.
Beyond year 7, the number of entities entering and exiting are expected
to net to zero. The following tables reflect the number of new entities
in each year and for each level.
[GRAPHIC] [TIFF OMITTED] TP26DE23.007
[GRAPHIC] [TIFF OMITTED] TP26DE23.008
[[Page 89086]]
[GRAPHIC] [TIFF OMITTED] TP26DE23.009
Public Costs
Summary of Impacted Awardee Entities
According to data available in the Electronic Data Access system
for fiscal years (FYs) 2019, 2020, and 2021, DoD awards an average of
1,366,262 contracts and orders per year that contain DFARS clause
252.204-7012, to 31,338 unique awardees, of which 683,718 awards (50%)
are made to 23,475 small entities (75%).\29\
---------------------------------------------------------------------------
\29\ The number of unique awardees impacted each year is \1/3\
of the average number of annual awardees according to the Electronic
Data Access system (31,338/3 = 10,446). This estimate does not
address new entrants or awardees who discontinue doing business with
DoD.
---------------------------------------------------------------------------
Public Cost Analysis
The following is a summary of the estimated Public costs of CMMC 2.0
for other than small \30\ entities, per assessment of a contractor
information system, at the required periodicity for each CMMC level.
---------------------------------------------------------------------------
\30\ Includes all businesses with the exception of those defined
under the small business criteria and size standards provided in 13
CFR 121.201 (See FAR Part 19.102).
---------------------------------------------------------------------------
[GRAPHIC] [TIFF OMITTED] TP26DE23.010
The following is a summary of the estimated Public costs of CMMC 2.0
for Small Entities, per assessment of each contractor information
system, estimated at one per entity, at the required periodicity for
each CMMC level.
---------------------------------------------------------------------------
\31\ The Level 1 and Level 2 Self-Assessment information
collection reporting and recordkeeping requirements will be included
in a modification of an existing DFARS collection approved under OMB
Control Number 0750-0004, Assessing Contractor Implementation of
Cybersecurity Requirements. Modifications to this DFARS collection
will be addressed as part of the 48 CFR acquisition rule.
---------------------------------------------------------------------------
[[Page 89087]]
[GRAPHIC] [TIFF OMITTED] TP26DE23.011
The total estimated Public (large and small entities) costs
associated with this rule, calculated for a 20-year horizon in 2023
dollars at a 7 percent and 3 percent discount rate, per OMB guidance,
are provided as follows:
---------------------------------------------------------------------------
\32\ The Level 1 and Level 2 Self-Assessment information
collection reporting and recordkeeping requirements will be included
in a modification of an existing DFARS collection approved under OMB
Control Number 0750-0004, Assessing Contractor Implementation of
Cybersecurity Requirements. Modifications to this DFARS collection
will be addressed as part of the 48 CFR acquisition rule.
---------------------------------------------------------------------------
[GRAPHIC] [TIFF OMITTED] TP26DE23.012
Assumptions
In estimating the Public costs, DoD considered applicable
nonrecurring engineering costs, recurring engineering costs,\33\
assessment costs, and affirmation costs for each CMMC Level. For CMMC
Levels 1 and 2, the cost estimates are based only upon the assessment,
certification, and affirmation activities that a defense contractor,
subcontractor, or ecosystem member must take to allow DoD to verify
implementation of the relevant underlying security requirements, i.e.,
for CMMC Level 1, the security requirements set forth in FAR clause
52.204-21, and for CMMC Level 2, the security requirements set forth in
NIST SP 800-171 Rev 2. DoD did not consider the cost of implementing
the security requirements themselves because implementation is already
required by FAR clause 52.204-21, effective June 15, 2016, and by DFARS
clause 252.204-7012, requiring implementation by Dec. 31, 2017,
respectively; therefore, the costs of implementing the security
requirements for CMMC Levels 1 and 2 should already have been incurred
and are not attributed to this rule. As such, the nonrecurring
engineering and recurring engineering costs to implement the security
requirements defined for CMMC Level 1 and Level 2 are not included in
this economic analysis. However, cost estimates to implement CMMC Level
3 are included, as that CMMC level will require defense contractors
and subcontractors, as applicable, to implement a DoD-defined subset of
the security requirements set forth in NIST SP 800-172, a new addition
to current security protection requirements.
---------------------------------------------------------------------------
\33\ The terms nonrecurring engineering costs and recurring
engineering costs are terms of art and do not only encompass actual
engineering costs.
---------------------------------------------------------------------------
In estimating the public cost for a defense contractor small entity
to comply with CMMC Program requirements for each CMMC level, DoD
considered non-recurring engineering costs, recurring engineering
costs, assessment costs, and affirmation costs for each CMMC Level.
These costs include labor and consulting.
Estimates include size and complexity assumptions to account for
typical organizational differences between small entities and other
than small entities with respect to the handling of Information
Technology (IT) and cybersecurity:
small entities are likely to have a less complex, less
expansive operating environment and IT/Cybersecurity infrastructure
compared to larger defense contractors
small entities are likely to outsource IT and cybersecurity to
an External Service Provider (ESP)
entities (small and other than small) pursuing CMMC Level 2
Self-Assessment are likely to seek consulting or implementation
assistance from an ESP to either help them prepare for the assessment
technically or participate in the assessment with the C3PAOs.
Estimates do not include the cost to implement (Non-recurring
Engineering (NRE) costs) or to maintain (Recurring Engineering (RE)
costs) the security requirements prescribed in current regulations.
For CMMC Levels 1 and 2, cost estimates are based upon assessment,
reporting and affirmation activities that a contractor or subcontractor
will need to take to verify implementation of existing cybersecurity
requirements set forth in FAR clause 52.204-21, effective June 15,
2016, to protect FCI, and DFARS clause 252.204-7012 which required
implementation of NIST SP 800-171 Rev 2 not later than December 31,
2017, to protect CUI. As such, cost estimates are not included for an
entity to implement the CMMC Level 1 or 2 security requirements,
maintain implementation of these existing security requirements, or
remediate a Plan of Action for unimplemented requirements.
For CMMC Level 3, the cost estimates factor in the assessment,
reporting, and affirmation activities in addition to estimates for NRE
and RE to implement and maintain CMMC Level 3 security requirements. In
addition to implementing the CMMC Level 2 security requirements, CMMC
Level 3 requires implementing selected security requirements set forth
in NIST SP 800-172 as described in 32 CFR 170.14(c)(4) which are not
currently required through other regulations. CMMC Level 3 is expected
to apply only to a small subset of defense contractors and
subcontractors.
The Cost Categories used for each CMMC Level are described below:
1. Nonrecurring Engineering Costs: Estimates consist of hardware,
software, and the associated labor to implement the same. Costs
associated with implementing the requirements set forth in FAR 52.204-
21 and NIST SP 800-171 Rev 2 are assumed to have been already
implemented and, therefore, are not accounted for in this cost
estimate. As such, these costs only appear in CMMC Level 3. If
nonrecurring engineering costs are referenced, they are only accounted
for as a one-time occurrence and are reflected in the year of the
initial assessment.
2. Recurring Engineering Costs: Estimates consist of annually
recurring fees and associated labor for technology refresh. Costs
associated with implementing the requirements set forth in FAR 52.204-
21 and NIST SP 800-171 Rev 2 are assumed to have been already
implemented and, therefore, are not accounted for in this cost
estimate. As such, these costs only appear in CMMC Level 3.
3. Assessment Costs: Estimates consist of activities for pre-
assessment preparations (which includes gathering and/or developing
evidence that the assessment objectives for each requirement have been
satisfied), conducting and/or participating in the actual assessment,
and completion of any post-assessment work. Assessment costs are
represented by notional phases. Assessment costs assume the OSA passes
the assessment on the first attempt (conditional--with an allowable
POA&M or final). Each phase includes an estimate of hours to conduct
the assessment activities including:
(a) Labor hour estimates for a company (and any ESP support) to
prepare for and participate in the assessment.
(b) C3PAO cost estimates for companies pursuing a certification:
labor hour estimates for authorized or certified assessors to
work with the business to conduct the actual assessment.
Assessment Costs broken down into phases:
Phase 1: Planning and preparing for the assessment
Phase 2: Conducting the assessment (self or C3PAO)
Phase 3: Reporting of Assessment Results
Phase 4: POA&M Closeout (for CMMC Level 3 only, if applicable
and allowed)
CMMC allows a limited open Plan of Action and Milestones
(POA&M) for a period of 180 days to remediate the POA&M, see 32 CFR
170.21.
4. Affirmations: Estimates consist of costs for an OSA to submit to
SPRS an initial and, as applicable, any subsequent affirmations of
compliance that the contractor information system is compliant with and
will maintain compliance with the security requirements of the
applicable CMMC Level. If POA&Ms are allowed, an affirmation must be
submitted with the POA&M closeout. With the exception of Small Entities
for Level 1 and Level 2, it is assumed the task requires the same labor
categories and estimated hours as the final reporting phase of the
assessment.
The categories and rates used for estimating purposes were compiled
by subject matter experts based on current data available from within
the DoD contractor database for comparable labor categories. A factor
estimate of 30 percent was added to the labor rate per hour to cover,
among other things, company-sponsored benefits (fringe) and limited
employee-related expenses such as training and certifications. This
estimate is based on labor performed by indirect personnel (i.e.,
personnel who are part of overhead expense); therefore, the 30 percent
factor represents an estimate for fringe expense and G&A expenses
rather than full overhead expense. The categories and rates, inclusive of
the labor cost plus the additional factor, are defined in the following table.
[[Page 89089]]
[GRAPHIC] [TIFF OMITTED] TP26DE23.013
[GRAPHIC] [TIFF OMITTED] TP26DE23.014
---------------------------------------------------------------------------
\34\ IT = Information Technology, MGMT = Management.
\35\ IT and MGMT rates represent an estimate for in-house labor
and include the labor rate plus fringe and employee-related
expenses.
\36\ Background assumes a Bachelor's degree as the minimum
education level, additional requirements are noted including
required years of experience. A Master's degree may reduce the
required years of experience as noted.
\37\ The ESP/C3PAO rate represents an estimate for outsourced
labor and includes the labor rate, overhead expense, G&A expense,
and profit.
---------------------------------------------------------------------------
CMMC Level 1 Self-Assessment and Affirmation Costs
Other Than Small Entities
Nonrecurring and recurring engineering costs: There are no
nonrecurring or recurring engineering costs associated with CMMC Level
1, since it is assumed that the contractor or subcontractor has already
implemented the applicable security requirements.\38\
---------------------------------------------------------------------------
\38\ CMMC Level 1 consists of the same 15 basic safeguarding
requirements specified in FAR clause 52.204-21. This cost analysis
assumes that defense contractors and subcontractors already have
contracts with FAR clause 52.204-21 and, therefore, have already
implemented the 15 basic safeguarding requirements.
---------------------------------------------------------------------------
Assessment Costs: It is estimated that the cost to
support a CMMC Level 1 self-assessment and affirmation is *$4,042 (as
summarized in 4.1.2, Table 1). A Level 1 Self-Assessment is conducted
annually and is based on the assumptions detailed below:
Phase 1: Planning and preparing for the assessment: $1,146
A director (MGMT5) for 4 hours ($190.52/hr x 4hrs = $762)
A manager (MGMT2) for 4 hours ($95.96/hr x 4hrs = $384)
Phase 2: Conducting the self-assessment: $1,728
A director (MGMT5) for 6 hours ($190.52/hr x 6hrs =
$1,143)
A staff IT specialist (IT4) for 6 hours ($97.49/hr x 6hrs
= $585)
Phase 3: Reporting of assessment results into SPRS: $584
A director (MGMT5) for 2 hours ($190.52/hr x 2hrs = $381)
A staff IT specialist (IT4) for 2.08 hours ($97.49/hr x
2.08hrs = $203)
Affirmations: It is estimated that the cost to perform an
initial and annual affirmation of compliance with CMMC Level 1 for an
``other than small'' entity is $584:
A director (MGMT5) for 2 hours ($190.52/hr x 2hrs = $381)
A staff IT specialist (IT4) for 2.08 hours ($97.49/hr x
2.08hrs = $203)
The Level 1 Self-Assessment and Affirmations cost burden
will be addressed as part of the 48 CFR acquisition rule.
Summary: The following is the annual other than small
entities total cost summary for CMMC Level 1 self-assessments and
affirmations over a ten-year period: (Example calculation, Year 1:
*$4,042 per entity x 246 entities (cumulative) = $994,233).
[GRAPHIC] [TIFF OMITTED] TP26DE23.015
Small Entities
Nonrecurring and recurring engineering costs: There are no
nonrecurring or recurring engineering costs associated with CMMC Level
1 since it is assumed the contractor or subcontractor has implemented
the applicable security requirements.\39\
---------------------------------------------------------------------------
\39\ Again, it is assumed that defense contractors and
subcontractors have already implemented the 15 basic safeguarding
requirements in FAR clause 52.204-21.
---------------------------------------------------------------------------
Assessment Costs and Initial Affirmation Costs: It is
estimated that the cost to support a CMMC Level 1 assessment and
affirmation is *$5,977 (as summarized in 4.1.2, Table 2). A Level 1
Self-Assessment is conducted annually and is based on the assumptions
detailed below:
Phase 1: Planning and preparing for the assessment: $1,803
A director (MGMT5) for 4 hours ($190.52/hr x 4hrs = $762)
An external service provider (ESP) for 4 hours ($260.28/hr x
4hrs = $1,041)
Phase 2: Conducting the self-assessment: $2,705
A director (MGMT5) for 6 hours ($190.52/hr x 6hrs =
$1,143)
An external service provider (ESP) for 6 hours ($260.28/hr x
6hrs = $1,562)
Phase 3: Reporting of assessment results into SPRS: $909
A director (MGMT5) for 2 hours ($190.52/hr x 2hrs = $381)
An external service provider (ESP) for 2 hours ($260.28/hr
x 2hrs = $521)
A staff IT specialist (IT4-SB) for 0.08 hours \40\
($86.24/hr x 0.08hrs = $7)
---------------------------------------------------------------------------
\40\ A person needs to enter the information into SPRS, which
should only take five minutes.
---------------------------------------------------------------------------
Affirmation: initial affirmation post assessment: $560
Reaffirmations: It is estimated that the cost to reaffirm
CMMC Level 1 annually for a small entity is $560:
A director (MGMT5) for 2 hours ($190.52/hr x 2hrs = $381)
A staff IT specialist (IT4-SB) for 2.08 hours ($86.24/hr x
2.08hrs = $179)
The Level 1 Self-Assessment and Affirmations cost burden
will be addressed as part of the 48 CFR acquisition rule.
Summary: The following is the annual small entities total
cost summary for CMMC Level 1 self-assessments and affirmations over a
ten-year period: (Example calculation, Year 1: *$5,977 per entity x 699
entities (cumulative) = $4,177,845).
[[Page 89091]]
[GRAPHIC] [TIFF OMITTED] TP26DE23.016
All Entities Summary
The following is a summary of the combined costs for both small and
other than small entities for CMMC Level 1 Self-Assessments and
Affirmations over a ten-year period:
[GRAPHIC] [TIFF OMITTED] TP26DE23.017
CMMC Level 2 Self-Assessment and Affirmation Costs
Other Than Small Entities
Nonrecurring and Recurring Engineering Costs: There are no
nonrecurring or recurring engineering costs associated with CMMC Level
2 Self-Assessment since it is assumed the contractor or subcontractor
has implemented the NIST SP 800-171 Rev 2 security requirements.
Self-Assessment Costs and Initial Affirmation Costs: It is
estimated that the cost to support a CMMC Level 2 self-assessment and
affirmation is *$43,403. The three-year cost is $48,827 (as summarized
in 4.1.2, Table 1), which includes the triennial assessment +
affirmation, and two additional annual affirmations ($43,403 + $2,712 +
$2,712).
Phase 1: Planning and preparing for the assessment: $18,015
A director (MGMT5) for 30 hours ($190.52/hr x 30hrs =
$5,716)
A manager (MGMT2) for 40 hours ($95.96/hr x 40hrs =
$3,838)
A staff IT specialist (IT4) for 46 hours ($97.49/hr x
46hrs = $4,485)
A senior IT specialist (IT3) for 26 hours ($81.96/hr x
26hrs = $2,131)
An IT specialist (IT2) for 34 hours ($54.27/hr x 34hrs =
$1,845)
Phase 2: Conducting the self-assessment: $19,964
A director (MGMT5) for 24 hours ($190.52/hr x 24hrs =
$4,572)
A manager (MGMT2) for 24 hours
[[Page 89092]]
($95.96/hr x 24hrs = $2,303)
A staff IT specialist (IT4) for 56 hours ($97.49/hr x
56hrs = $5,460)
A senior IT specialist (IT3) for 56 hours ($81.96/hr x
56hrs = $4,590)
An IT specialist (IT2) for 56 hours ($54.27/hr x 56hrs =
$3,039)
Phase 3: Reporting of Assessment Results into SPRS: $2,712
A director (MGMT5) for 4 hours ($190.52/hr x 4hrs = $762)
A manager (MGMT2) for 4 hours ($95.96/hr x 4hrs = $384)
A staff IT specialist (IT4) for 16 hours ($97.49/hr x
16hrs = $1,560)
A senior IT specialist (IT3) for 0.08 hours ($81.96/hr x
0.08hrs = $7)
Affirmation: initial affirmation post assessment: $2,712
Reaffirmations: It is estimated that the cost to perform an
annual affirmation for CMMC Level 2 Self-Assessment is $2,712 (three-
year cost is $8,136, or $2,712 x 3):
A director (MGMT5) for 4 hours ($190.52/hr x 4hrs = $762)
A manager (MGMT2) for 4 hours ($95.96/hr x 4hrs = $384)
A staff IT specialist (IT4) for 16 hours ($97.49/hr x
16hrs = $1,560)
A senior IT specialist (IT3) for 0.08 hours ($81.96/hr x
0.08hrs = $7)
The Level 2 Self-Assessment and Affirmations cost burden
will be addressed as part of the 48 CFR acquisition rule.
Summary: The following is the annual other than small
entities total cost summary for CMMC Level 2 Self-Assessments and
Affirmations over a ten-year period: (Example calculation, Year 2:
(*$43,403 assessment per entity x 35 entities) + ($2,712 annual
affirmation per entity x 7 entities) = $1,538,092).
[GRAPHIC] [TIFF OMITTED] TP26DE23.018
Small Entities
Nonrecurring and recurring engineering costs: There are no
nonrecurring or recurring engineering costs associated with CMMC Level
2 Self-Assessment since it is assumed the contractor or subcontractor
has implemented the NIST SP 800-171 Rev 2 security requirements.
Self-Assessment Costs and Initial Affirmation Costs: It is
estimated that the cost to support a CMMC Level 2 self-assessment and
affirmation for a small entity is *$34,277. The three-year cost is
$37,196 (as summarized in 4.1.2, Table 2), which includes the triennial
assessment + affirmation, plus two additional annual affirmations
($34,277 + $1,459 + $1,459).
Phase 1: Planning and preparing for the assessment: $14,426
A director (MGMT5) for 32 hours ($190.52/hr x 32hrs =
$6,097)
An external service provider (ESP) for 32 hours ($260.28/
hr x 32hrs = $8,329)
Phase 2: Conducting the self-assessment: $15,542
A director (MGMT5) for 16 hours ($190.52/hr x 16hrs =
$3,048)
An external service provider (ESP) for 48 hours ($260.28/
hr x 48hrs = $12,493)
Phase 3: Reporting of Assessment Results into SPRS: $2,851
A director (MGMT5) for 4 hours ($190.52/hr x 4hrs = $762)
An external service provider (ESP) for 8 hours ($260.28/hr
x 8hrs = $2,082)
A staff IT specialist (IT4-SB) for 0.08 hours ($86.24/hr x
0.08hrs = $7)
Affirmation: initial affirmation post assessment: $1,459
Reaffirmations: It is estimated that the cost to reaffirm a
CMMC Level 2 Self-Assessment annually is $1,459 (the three-year cost to
reaffirm a CMMC Level 2 Self-Assessment annually is $4,377, or $1,459 x
3):
A director (MGMT5) for 4 hours ($190.52/hr x 4hrs = $762)
A staff IT specialist (IT4-SB) for 8.08 hours ($86.24/hr x
8.08hrs = $697)
The Level 2 Self-Assessment and Affirmations cost burden
will be addressed as part of the 48 CFR acquisition rule.
Summary: The following is the annual small entities total
cost summary for CMMC Level 2 Self-Assessments and Affirmations over a
ten-year period: (Example calculation, Year 2: (*$34,277 self-
assessment per entity x 101 entities)
[[Page 89093]]
+ ($1,459 annual affirmation per entity x 20 entities) = $3,491,193).
[GRAPHIC] [TIFF OMITTED] TP26DE23.019
All Entities Summary
The following is a summary of the cost to all entities regardless
of size for CMMC Level 2 Self-Assessments and affirmations over a ten-
year period:
[GRAPHIC] [TIFF OMITTED] TP26DE23.020
CMMC Level 2 Certification Assessment and Affirmation Costs
Other Than Small Entities
Nonrecurring and recurring engineering costs: There are no
nonrecurring or recurring engineering costs associated with CMMC Level
2 Certification Assessment since it is assumed the contractor or
subcontractor has implemented the NIST SP 800-171 Rev 2 security
requirements.
Assessment and Initial Affirmation Costs: It is estimated
that the cost to support a CMMC Level 2 Certification Assessment and
annual affirmation for an ``other than small'' entity is *$112,345. The
three-year cost is $117,768 (as summarized in 4.1.2, Table 1), and
includes a triennial assessment + affirmation, plus two additional
annual affirmations ($112,345 + $2,712 + $2,712, with a minor rounding
difference).
Phase 1: Planning and preparing for the assessment: $26,264
A director (MGMT5) for 32 hours ($190.52/hr x 32hrs =
$6,097)
A manager (MGMT2) for 64 hours ($95.96/hr x 64hrs =
$6,141)
A staff IT specialist (IT4) for 72 hours ($97.49/hr x
72hrs = $7,019)
A senior IT specialist (IT3) for 40 hours ($81.96/hr x
40hrs = $3,278)
An IT specialist (IT2) for 58 hours ($54.27/hr x 58hrs =
$3,148)
An associate IT specialist (IT1) for 16 hours ($36.32/hr x
16hrs = $581)
Phase 2: Conducting the assessment: $28,600
A director (MGMT5) for 32 hours ($190.52/hr x 32hrs =
$6,097)
A manager (MGMT2) for 32 hours ($95.96/hr x 32hrs =
$3,071)
A staff IT specialist (IT4) for 72 hours ($97.49/hr x
72hrs = $7,019)
A senior IT specialist (IT3) for 72 hours ($81.96/hr x
72hrs = $5,901)
An IT specialist (IT2) for 120 hours ($54.27/hr x 120hrs =
$6,512)
Phase 3: Reporting of Assessment Results: $2,712
A director (MGMT5) for 4 hours ($190.52/hr x 4hrs = $762)
A manager (MGMT2) for 4 hours ($95.96/hr x 4hrs = $384)
A staff IT specialist (IT4) for 16 hours ($97.49/hr x
16hrs = $1,560)
A senior IT specialist (IT3) for 0.08 hours ($81.96/hr x
0.08hrs = $7)
Affirmations: initial affirmation post assessment: $2,712
C3PAO Costs: C3PAO engagement inclusive of Phases 1, 2, and 3
(5-person team) for 200 hours ($260.28/hr x 200hrs = $52,056)
Reaffirmations: It is estimated that the cost to reaffirm a
CMMC Level 2 Certification Assessment annually is $2,712 (three-year
cost is $8,136, or $2,712 x 3):
A director (MGMT5) for 4 hours ($190.52/hr x 4hrs = $762)
A manager (MGMT2) for 4 hours ($95.96/hr x 4hrs = $384)
A staff IT specialist (IT4) for 8 hours ($97.49/hr x 8hrs
= $1,560)
A senior IT specialist (IT3) for 0.08 hours ($81.96/hr x
0.08hrs = $7)
The Level 2 Affirmations cost burden will be addressed as
part of the 48 CFR acquisition rule.
Summary: The following is the annual other than small
entities total cost summary for CMMC Level 2 Certifications and
Affirmations over a ten-year period: (Example calculation, Year 2:
(*$112,345 assessment per entity x 673 entities) + ($2,712 annual
affirmation per entity x 135 entities) = $75,974,425).
[GRAPHIC] [TIFF OMITTED] TP26DE23.021
Small Entities
Nonrecurring or recurring engineering costs: There are no
nonrecurring or recurring engineering costs associated with CMMC Level
2 Certification Assessment since it is assumed the contractor or
subcontractor has implemented the NIST SP 800-171 Rev 2 security
requirements.
Assessment Costs and Initial Affirmation Costs: It is
estimated that the cost to support a CMMC Level 2 Certification
Assessment and affirmation for a small entity is *$101,752. The three-
year cost is $104,670 (as summarized in 4.1.2, Table 2), and includes
the triennial assessment + affirmation plus two additional annual
affirmations ($101,752 + $1,459 + $1,459).
Phase 1: Planning and preparing for the assessment: $20,699
A director (MGMT5) for 54 hours ($190.52/hr x 54hrs =
$10,288)
An external service provider (ESP) for 40 hours ($260.28/
hr x 40hrs = $10,411)
Phase 2: Conducting the C3PAO assessment: $45,509
A director (MGMT5) for 64 hours ($190.52/hr x 64hrs =
$12,193)
An external service provider (ESP) for 128 hours ($260.28/
hr x 128hrs = $33,316)
Phase 3: Reporting of Assessment Results: $2,851
A director (MGMT5) for 4 hours ($190.52/hr x 4hrs = $762)
An ESP for 8 hours ($260.28/hr x 8hrs = $2,082)
A staff IT specialist (IT4-SB) for 0.08 hours ($86.24/hr x
0.08hrs = $7)
Affirmations: cost to post initial affirmation: $1,459
C3PAO Costs: C3PAO engagement inclusive of Phases 1, 2, and 3
(3-person team) for 120 hours ($260.28/hr x 120hrs = $31,234)
Reaffirmations: It is estimated that the cost to reaffirm a
CMMC Level 2 Certification Assessment annually is $1,459 (three-year
cost is $4,377, or $1,459 x 3):
A director (MGMT5) for 4 hours ($190.52/hr x 4hrs = $762)
A staff IT specialist (IT4-SB) for 8.08 hours ($86.24/hr x
8.08hrs = $697)
The Level 2 Affirmations cost burden will be addressed as
part of the 48 CFR acquisition rule.
Summary: The following is the annual small entities total
cost summary for CMMC Level 2 Certifications and Affirmations over a
ten-year period: (Example calculation, Year 2: (*$101,752 assessment
per entity x 1,926 entities) + ($1,459 annual affirmation per entity x
382 entities) = $196,531,451).
[GRAPHIC] [TIFF OMITTED] TP26DE23.022
All Entities Summary
The following is a summary of the cost to all entities regardless
of size for CMMC Level 2 Certification and Affirmation costs over a
ten-year period:
[GRAPHIC] [TIFF OMITTED] TP26DE23.023
[[Page 89096]]
CMMC Level 3 Certification Assessment and Affirmation Costs
An OSC pursuing Level 3 Certification must have a CMMC Level 2
Final Certification Assessment, and also must demonstrate compliance
with CMMC Level 3, which includes implementation of selected security
requirements from NIST SP 800-172 not required in prior rules.
Therefore, the Nonrecurring Engineering and Recurring Engineering cost
estimates have been included for the initial implementation and
maintenance of the required selected NIST SP 800-172 requirements. The
cost estimates account for time for an OSC to implement these security
requirements and prepare for, support, participate in, and closeout a
CMMC Level 3 Certification Assessment conducted by DCMA DIBCAC. The OSC
should keep in mind that the total cost of a CMMC Level 3 Certification
Assessment includes the cost of a Level 2 Certification Assessment as
well as the costs to implement and assess the security requirements
specific to Level 3. CMMC Level 3 is expected to affect a small subset
of the DIB.
Other Than Small Entities, Per Entity
Nonrecurring Engineering Costs: $21,100,000.\41\
---------------------------------------------------------------------------
\41\ DoD utilized subject matter expertise from Defense Pricing
and Contracting (DPC) and DCMA DIBCAC to estimate the Nonrecurring
and Recurring Engineering Costs.
---------------------------------------------------------------------------
Recurring Engineering Costs: $4,120,000.
Assessment Costs and Initial Affirmation Costs: It is
estimated that the cost to support a CMMC Level 3 Certification and
affirmation for an other than small entity is *$39,021. The three-year
cost is $44,445 (as summarized in 4.1.2, Table 1), and includes the
triennial assessment + affirmation, plus two additional annual
affirmations ($39,021 + $2,712 + $2,712).
Phase 1: Planning and preparing for the assessment: $7,066
A director (MGMT5) for 12 hours ($190.52/hr x 12hrs =
$2,286)
A manager (MGMT2) for 12 hours ($95.96/hr x 12hrs =
$1,152)
A staff IT specialist (IT4) for 16 hours ($97.49/hr x
16hrs = $1,560)
A senior IT specialist (IT3) for 12 hours ($81.96/hr x
12hrs = $984)
An IT specialist (IT2) for 20 hours ($54.27/hr x 20hrs =
$1,085)
Phase 2: Conducting the assessment: $23,136
A director (MGMT5) for 24 hours ($190.52/hr x 24hrs =
$4,572)
A manager (MGMT2) for 24 hours ($95.96/hr x 24hrs =
$2,303)
A staff IT specialist (IT4) for 64 hours ($97.49/hr x
64hrs = $6,239)
A senior IT specialist (IT3) for 64 hours ($81.96/hr x
64hrs = $5,245)
An IT specialist (IT2) for 88 hours ($54.27/hr x 88hrs =
$4,776)
Phase 3: Reporting of assessment results: $2,712
A director (MGMT5) for 4 hours ($190.52/hr x 4hrs = $762)
A manager (MGMT2) for 4 hours ($95.96/hr x 4hrs = $384)
A staff IT specialist (IT4) for 16 hours ($97.49/hr x
16hrs = $1,560)
A senior IT specialist (IT3) for 0.08 hours ($81.96/hr x
0.08hrs = $7)
Phase 4: Closing out POA&Ms \42\ (for CMMC Level 3 if
necessary and allowed): $3,394
---------------------------------------------------------------------------
\42\ Costs for closing out POA&Ms are included at Level 3
because the requirement to implement a subset of NIST SP 800-172
security requirements is new with the CMMC rule. These costs are not
included at Level 2 because the implementation of all NIST SP 800-
171 Rev 2 security requirements are already required.
---------------------------------------------------------------------------
A director (MGMT5) for 8 hours ($190.52/hr x 8hrs =
$1,524)
A senior staff IT specialist (IT5) for 16 hours ($116.87/
hr x 16hrs = $1,870)
Affirmations: initial affirmation post assessment: $2,712
Reaffirmations: It is estimated that the cost to reaffirm a
CMMC Level 3 Certification Assessment annually is $2,712 (three-year
cost is $8,136, or $2,712 x 3):
A director (MGMT5) for 4 hours ($190.52/hr x 4hrs = $762)
A manager (MGMT2) for 4 hours ($95.96/hr x 4hrs = $384)