[Federal Register Volume 89, Number 120 (Friday, June 21, 2024)]
[Notices]
[Pages 52034-52036]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-13464]


-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Office of the Secretary

[Docket ID: DoD-2023-OS-0063]


Submission for OMB Review; Comment Request

AGENCY: Office of the Department of Defense Chief Information Officer 
(CIO), Department of Defense (DoD).

ACTION: 30-Day information collection notice.

-----------------------------------------------------------------------

SUMMARY: The DoD has submitted to the Office of Management and Budget 
(OMB) for clearance the following proposal for collection of 
information under the provisions of the Paperwork Reduction Act.

DATES: Consideration will be given to all comments received by July 22, 
2024.

ADDRESSES: Written comments and recommendations for the proposed 
information collection should be sent within 30 days of publication of 
this notice to www.reginfo.gov/public/do/PRAMain. Find this particular 
information collection by selecting "Currently under 30-day Review--
Open for Public Comments" or by using the search function.

FOR FURTHER INFORMATION CONTACT: Reginald Lucas, (571) 372-7574, 
[email protected].

SUPPLEMENTARY INFORMATION: 
    Title; Associated Form; and OMB Number: Cybersecurity Maturity 
Model Certification (CMMC) Program Reporting and Recordkeeping 
Requirements Information Collection; OMB Control Number 0704-0677.
    Type of Request: New.

Level 2 Certification Assessments

    Number of Respondents: 10,942.
    Responses per Respondent: 1.
    Annual Responses: 10,942.
    Average Burden per Response: 525.955 hours.
    Annual Burden Hours: 5,754,999.61.

Level 3 Certification Assessments

    Number of Respondents: 213.
    Responses per Respondent: 1.
    Annual Responses: 213.
    Average Burden per Response: 79.01 hours.
    Annual Burden Hours: 16,829.13.

Total

    Number of Respondents: 11,155.
    Annual Responses: 11,155.
    Annual Burden Hours: 5,771,829.
    Needs and Uses: The CMMC Program provides for the assessment of 
contractor implementation of cybersecurity requirements to enhance 
confidence in contractor protection of unclassified information within 
the DoD supply chain. CMMC contractual requirements are implemented 
under a Title 48 acquisition rule, with associated rulemaking for the 
CMMC Program requirements (e.g., CMMC Scoring Methodology, certificate 
issuance, information accessibility) under a Title 32 program rule (32 
Code of Federal Regulations (CFR) part 170). The Title 32 program rule 
includes two separate information collection requests (ICR), this one 
for the CMMC Program and one for CMMC eMASS.
    This information collection is necessary to support the 
implementation of the CMMC assessment process for Levels 2 and 3 
certification assessment, as defined in 32 CFR 170.17 and 170.18 
respectively.

Level 2 Certification Assessments

    The Level 2 certification assessment process is conducted by CMMC 
Certified Assessors, employed by CMMC Third-Party Assessment 
Organizations (C3PAOs). During the assessment process, Organizations 
Seeking Certification (OSCs) hire C3PAOs to conduct the third-party 
assessment required for certification. The Level 2 Certification 
Assessment information collection reporting and recordkeeping 
requirements are included in the Title 32 program rule with the 
exception of the requirement for the OSC to upload the affirmation in 
SPRS that is included in the Title 48 acquisition rule. Additionally, 
the information collection requirements for the CMMC instantiation of 
eMASS are addressed in a separate Title 32 program rule information 
collection request (ICR). OSCs follow the procedures defined in 32 CFR 
170.17 to prepare for Level 2 certification assessment. Certified 
Assessors assigned by C3PAOs follow the requirements and procedures 
defined in 32 CFR 170.17 to conduct CMMC assessments on defense 
contractor information systems to determine conformance with the 
information safeguarding requirements associated with Level 2 
certification assessment to validate implementation of the 110 security 
requirements from NIST SP 800-171 Rev 2. C3PAOs must generate and 
collect pre-assessment and

[[Page 52035]]

planning material (contact information for the OSC, information about 
the C3PAO and assessors conducting the assessment, the level of 
assessment planned, the CMMC Model and Assessment Guide versions, and 
assessment approach), artifact information (list of artifacts, hash of 
artifacts, and hashing algorithm used), final assessment reports, 
appropriate CMMC certificates of assessment, and assessment appeal 
information. C3PAOs submit the data they generate and collect into the 
CMMC instantiation of eMASS. The information collection required for 
this submission is addressed in a separate CMMC eMASS ICR for the Title 
32 program rule. OSCs may have a POA&M at Level 2 certification 
assessment as addressed in 32 CFR 170.21. C3PAOs perform a POA&M 
closeout assessment. The C3PAO process to conduct a POA&M closeout 
assessment, when applicable, is the same as the initial assessment with 
the same information collection requirements. OSCs must retain 
artifacts used as evidence for the assessment for the duration of the 
validity period of the certificate of assessment, and at minimum, for 
six years from the date of certification assessment as addressed in 32 
CFR 170.17(c)(4). The OSC is responsible for compiling relevant 
artifacts as evidence and having knowledgeable personnel available 
during the assessment. The organizational artifacts are proprietary to 
the OSC and will not be retained by the assessment team unless 
expressly permitted by the OSC. To preserve the integrity of the 
artifacts reviewed, the OSC creates a hash of assessment evidence (to 
include a list of the artifact names, the return values of the hashing 
algorithm, and the hashing algorithm used) and retains the artifact 
information for six years. The information obtained from the artifacts 
is an information collection and is provided to the C3PAO for uploading 
into the CMMC instantiation of eMASS. If an OSC does not agree with the 
assessment results, it may formally dispute the assessment and initiate 
an Assessment Appeal process with the C3PAO who conducted the 
assessment. C3PAOs submit assessment appeals using eMASS. Appeals are 
tracked in the CMMC instantiation of eMASS and any resulting changes to 
the assessment results are uploaded into the CMMC instantiation of 
eMASS. C3PAOs maintain records for a period of six years of monitoring, 
education, training, technical knowledge, skills, experience, and 
authorization of each member of its personnel involved in inspection 
activities; contractual agreements with OSCs; any working papers 
generated from Level 2 certification assessments; and organizations for 
whom consulting services were provided as addressed in 32 CFR 
170.9(b)(10).

Level 3 Certification Assessments

    The Level 3 certification assessment process is conducted by the 
Defense Contract Management Agency (DCMA) Defense Industrial Base 
Cybersecurity Assessment Center (DIBCAC). The Level 3 certification 
assessment information collection reporting and recordkeeping 
requirements are included in the Title 32 program rule except for the 
requirement for the OSC to upload the affirmation in SPRS that is 
included in the Title 48 acquisition rule. OSCs follow procedures as 
defined in 32 CFR 170.18 to prepare for Level 3 certification 
assessment. DCMA DIBCAC assessors follow requirements and procedures as 
defined in 32 CFR 170.18 to conduct CMMC assessments on defense 
contractor information systems to determine conformance with the 
information safeguarding requirements associated with CMMC Level 3. 
This is an assessment to validate the implementation of the 24 selected 
security requirements from NIST SP 800-172. Because DCMA DIBCAC is a 
government entity, there are no public information collection 
requirements. DCMA DIBCAC must generate and collect pre-assessment and 
planning material (contact information for the OSC, information about 
the assessors conducting the assessment, the level of assessment 
planned, the CMMC Model and Assessment Guide versions, and assessment 
approach), artifact information (list of artifacts, hash of artifacts, 
and hashing algorithm used), final assessment reports, appropriate CMMC 
certificates of assessment, and assessment appeal information. DCMA 
DIBCAC submits the data it generates and collects into the CMMC 
instantiation of eMASS. OSCs may have a POA&M at CMMC Level 3 as addressed in 
32 CFR 170.21. DCMA DIBCAC performs a POA&M closeout assessment. The 
DCMA DIBCAC process to conduct a POA&M closeout assessment, when 
applicable, is the same as the initial assessment with the same 
information collection requirements. OSCs must retain artifacts used as 
evidence for the assessment for the duration of the validity period of 
the certificate of assessment, and at minimum, for six years from the 
date of certification assessment as addressed in 32 CFR 170.18(c)(4). 
The OSC is responsible for compiling relevant artifacts as evidence and 
having knowledgeable personnel available during the assessment. 
Assessors will not permanently retain assessment artifacts. To preserve 
the integrity of the artifacts reviewed during the assessment, the OSC 
creates a hash of assessment evidence (to include a list of the 
artifact names, the return values of the hashing algorithm, and the 
hashing algorithm used) and retains the artifact information for six 
years. The information obtained from the artifacts is an information 
collection and DCMA DIBCAC uploads the information into the CMMC 
instantiation of eMASS (addressed in a separate CMMC eMASS ICR for the 
Title 32 program rule); the artifacts themselves are not an information 
collection. If an OSC does not agree with the assessment results, it 
may formally dispute the assessment and initiate an Assessment Appeal 
process with DCMA DIBCAC. DCMA DIBCAC submits assessment appeals using 
eMASS. Appeals are tracked in the CMMC instantiation of eMASS and any 
resulting changes to the assessment results are uploaded into CMMC 
eMASS. DCMA DIBCAC maintains records for a period of six years of 
monitoring, education, training, technical knowledge, skills, 
experience, and authorization of each member of its personnel involved 
in inspection activities and working papers generated from Level 3 
certification assessments.
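Both the Level 2 and Level 3 sections above describe the same integrity control: the OSC records a list of artifact names, the value the hashing algorithm returned for each, and the name of the algorithm, and keeps that record for six years so the evidence reviewed can later be shown to be unchanged. The script below is an added illustration of that control and is not code from DoD, the CMMC Program, or 32 CFR part 170; the artifact names and contents are constructed sample data, and the JSON manifest layout and the function names are this example's own choices, since the rule prescribes the three data elements but not a file format.

```python
"""Build and verify an artifact hash manifest: artifact names, the digest the
hashing algorithm returned for each artifact, and the algorithm used.

Added example, not DoD or CMMC Program code. The manifest layout is an
assumption of this example; 32 CFR part 170 names the data elements only.
"""
import hashlib
import json
from typing import Dict, List

# Constructed sample evidence; file names and contents are illustrative only.
SAMPLE_ARTIFACTS: Dict[str, bytes] = {
    "system-security-plan.pdf": b"%PDF-1.7 (constructed sample SSP)",
    "access-control-policy.docx": b"PK\x03\x04 (constructed sample AC policy)",
    "firewall-ruleset-export.txt": b"deny any any\npermit tcp 10.0.0.0/8 any eq 443\n",
}


def build_manifest(artifacts: Dict[str, bytes], algorithm: str = "sha256") -> dict:
    """Return the three elements the rule calls for: artifact names, digests,
    and the hashing algorithm used to produce them."""
    if algorithm not in hashlib.algorithms_available:
        raise ValueError(f"unsupported hashing algorithm: {algorithm}")
    entries = []
    # Sorted so the manifest is deterministic regardless of collection order.
    for name in sorted(artifacts):
        digest = hashlib.new(algorithm, artifacts[name]).hexdigest()
        entries.append({"artifact": name, "digest": digest})
    return {"algorithm": algorithm, "artifacts": entries}


def verify_manifest(manifest: dict, artifacts: Dict[str, bytes]) -> List[str]:
    """Recompute every digest with the algorithm named in the manifest.

    Returns a list of findings; an empty list means the evidence set matches
    the manifest exactly. Three failure modes are reported separately:
    a listed artifact that is absent, one whose content changed, and one that
    is present but was never listed (so it was not part of the assessed set).
    """
    algorithm = manifest["algorithm"]
    findings: List[str] = []
    listed = set()
    for entry in manifest["artifacts"]:
        name = entry["artifact"]
        listed.add(name)
        data = artifacts.get(name)
        if data is None:
            findings.append(f"missing: {name}")
            continue
        if hashlib.new(algorithm, data).hexdigest() != entry["digest"]:
            findings.append(f"modified: {name}")
    for name in sorted(artifacts):
        if name not in listed:
            findings.append(f"unlisted: {name}")
    return findings


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_ARTIFACTS)
    print(json.dumps(manifest, indent=2))
    print("verification findings:", verify_manifest(manifest, SAMPLE_ARTIFACTS))
```

The manifest itself carries no secret, so its value depends on where it is kept: a copy held by the C3PAO or DCMA DIBCAC in eMASS, as the notice describes, lets either party later detect an artifact that was altered or substituted after the assessment, which a manifest stored only alongside the artifacts cannot do.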

Accreditation Body and CMMC Assessor and Instructor Certification 
Organizations (CAICOs)

    The Accreditation Body provides all plans related to potential 
sources of revenue, to include but not limited to: fees, licensing, 
processes, membership, and/or partnerships to the Government CMMC PMO 
as addressed in 32 CFR 170.8(b)(13).
    CAICOs maintain records for a period of six years of all 
procedures, processes, and actions related to fulfillment of the 
requirements set forth in 32 CFR 170.10(b)(9).
    Affected Public: Business or other for-profit.
    Frequency: On occasion.
    Respondent's Obligation: Voluntary.
    OMB Desk Officer: Ms. Jasmeet Seehra.
    You may also submit comments and recommendations, identified by 
Docket ID number and title, by the following method:
     Federal eRulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments.
    Instructions: All submissions received must include the agency 
name, Docket ID number, and title for this Federal Register document. 
The general policy

[[Page 52036]]

for comments and other submissions from members of the public is to 
make these submissions available for public viewing on the internet at 
http://www.regulations.gov as they are received without change, 
including any personal identifiers or contact information.
    DOD Clearance Officer: Mr. Reginald Lucas.
    Requests for copies of the information collection proposal should 
be sent to Mr. Lucas at [email protected].

    Dated: June 14, 2024.
Aaron T. Siegel,
Alternate OSD Federal Register Liaison Officer, Department of Defense.
[FR Doc. 2024-13464 Filed 6-20-24; 8:45 am]
BILLING CODE 6001-FR-P