[Federal Register Volume 89, Number 120 (Friday, June 21, 2024)]
[Notices]
[Pages 52032-52033]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-13468]


-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Office of the Secretary

[Docket ID: DoD-2023-OS-0063]


Submission for OMB Review; Comment Request

AGENCY: Office of the Department of Defense Chief Information Officer 
(CIO), Department of Defense (DoD).

ACTION: 30-Day information collection notice.

-----------------------------------------------------------------------

SUMMARY: The DoD has submitted to the Office of Management and Budget 
(OMB) for clearance the following proposal for collection of 
information under the provisions of the Paperwork Reduction Act.

DATES: Consideration will be given to all comments received by July 22, 
2024.

ADDRESSES: Written comments and recommendations for the proposed 
information collection should be sent within 30 days of publication of 
this notice to www.reginfo.gov/public/do/PRAMain. Find this particular
information collection by selecting ``Currently under 30-day
Review--Open for Public Comments'' or by using the search function.

FOR FURTHER INFORMATION CONTACT: Reginald Lucas, (571) 372-7574, 
[email protected].

SUPPLEMENTARY INFORMATION: 
    Title; Associated Form; and OMB Number: Cybersecurity Maturity 
Model Certification (CMMC) Enterprise Mission Assurance Support-Service 
(eMASS) Instantiation Information Collection; OMB Control Number
0704-0676.
    Type of Request: New.

Accreditation Body Submission of C3PAO Information in eMASS

    Number of Respondents: 1.
    Responses per Respondent: 240.
    Annual Responses: 240.
    Average Burden per Response: 5 minutes.
    Annual Burden Hours: 20.

C3PAO Submission of Assessment Data and Results in eMASS

    Number of Respondents: 10,942.
    Responses per Respondent: 1.
    Annual Responses: 10,942.
    Average Burden per Response: 15 minutes.
    Annual Burden Hours: 2,735.5.

Total

    Number of Respondents: 10,943.
    Annual Responses: 11,182.
    Annual Burden Hours: 2,756.
    Needs and Uses: The CMMC Program provides for the assessment of 
contractor implementation of cybersecurity requirements to enhance 
confidence in contractor protection of unclassified information within 
the DoD supply chain. CMMC contractual requirements are implemented 
under a Title 48 acquisition rule, with associated rulemaking for the 
CMMC Program requirements (e.g., CMMC Scoring Methodology, certificate 
issuance, information accessibility) under a Title 32 program rule (32 
Code of Federal Regulations (CFR) Part 170). The CMMC Title 32 program 
rule includes two separate information collection requests (ICR), one 
for the CMMC Program and this one for CMMC eMASS.
    The CMMC instantiation of eMASS is the electronic collection 
mechanism for collecting CMMC program data, which provides the 
Department of Defense (DoD) visibility of the CMMC Levels 2 and 3 
certification assessment results.
    This information collection is necessary to support the 
implementation of the CMMC assessment process for CMMC Level 2 and 
Level 3 certification assessments, as defined in 32 CFR 170.17 and
170.18 respectively.
    The CMMC Level 2 certification assessment process is conducted by 
Certified Assessors, employed by CMMC Third-Party Assessment 
Organizations (C3PAOs). During the assessment process, Organizations
Seeking Certification hire C3PAOs to conduct the third-party
assessment required for certification. The CMMC Certified Assessors 
upload assessment data: pre-assessment and planning material (date and 
level of the assessment; C3PAO name and unique identifier; name and 
business contact information for each Assessor; all industry CAGE codes 
associated with the information systems addressed by the CMMC 
Assessment Scope; name, date, and version of the system security plan 
(SSP); the Title 32 program rule (32 CFR part 170)), final assessment 
reports (assessment result for each requirement objective; POA&M usage 
and compliance, as applicable; and list of artifact names, the return 
values of the hashing algorithm, and the hashing algorithm used), and 
appropriate CMMC certificates of assessment (certification date, as 
applicable) into the CMMC instantiation of eMASS.
    The CMMC Level 3 certification assessment process is conducted by 
the Defense Contract Management Agency (DCMA) Defense Industrial Base 
Cybersecurity Assessment Center (DIBCAC). DCMA DIBCAC assessors upload 
assessment data: pre-assessment and planning material (date and level 
of the assessment; name and business contact information for each 
Assessor; all industry CAGE codes associated with the information 
systems addressed by the CMMC Assessment Scope; name, date, and version 
of the system security plan (SSP); the Title 32 program rule (32 CFR 
part 170)), final assessment reports (assessment result for each 
requirement objective; POA&M usage and compliance, as applicable; and 
list of artifact names, the return values of the hashing algorithm, and 
the hashing algorithm used), and appropriate CMMC certificates of 
assessment (certification date, as applicable) into the CMMC 
instantiation of eMASS.
    The Accreditation Body provides the CMMC Program Management Office 
with current data on C3PAOs and Assessors, including authorization and 
accreditation records and status using the CMMC instantiation of eMASS.
    Affected Public: Business or other for-profit.
    Frequency: On occasion.
    Respondent's Obligation: Voluntary.
    OMB Desk Officer: Ms. Jasmeet Seehra.
    You may also submit comments and recommendations, identified by 
Docket ID number and title, by the following method:
     Federal eRulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments.
    Instructions: All submissions received must include the agency 
name, Docket ID number, and title for this Federal Register document. 
The general policy for comments and other submissions from members of 
the public is to make these submissions available for public viewing on 
the internet at http://www.regulations.gov as they are received without 
change, including any personal identifiers or contact information.
    DoD Clearance Officer: Mr. Reginald Lucas.
    Requests for copies of the information collection proposal should 
be sent to Mr. Lucas at [email protected].

    Dated: June 14, 2024.
Aaron T. Siegel,
Alternate OSD Federal Register Liaison Officer, Department of Defense.
[FR Doc. 2024-13468 Filed 6-20-24; 8:45 am]
BILLING CODE 6001-FR-P