[Federal Register Volume 89, Number 158 (Thursday, August 15, 2024)]
[Proposed Rules]
[Pages 66327-66338]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-18110]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
Defense Acquisition Regulations System
48 CFR Parts 204, 212, 217, and 252
[Docket DARS-2020-0034]
RIN 0750-AK81
Defense Federal Acquisition Regulation Supplement: Assessing
Contractor Implementation of Cybersecurity Requirements (DFARS Case
2019-D041)
AGENCY: Defense Acquisition Regulations System, Department of Defense
(DoD).
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: DoD is proposing to amend the Defense Federal Acquisition
Regulation Supplement (DFARS) to incorporate contractual requirements
related to the proposed Cybersecurity Maturity Model Certification 2.0
program rule, Cybersecurity Maturity Model Certification Program. This
proposed DFARS rule also partially implements a section of the National
Defense Authorization Act for Fiscal Year 2020 that directed the
Secretary of Defense to develop a consistent, comprehensive framework
to enhance cybersecurity for the U.S. defense industrial base.
DATES: Comments on the proposed rule should be submitted in writing to
the address shown below on or before October 15, 2024, to be considered
in the formation of a final rule.
ADDRESSES: Submit comments identified by DFARS Case 2019-D041, using
either of the following methods:
[cir] Federal eRulemaking Portal: https://www.regulations.gov.
Search for DFARS Case 2019-D041. Select ``Comment'' and follow the
instructions to submit a comment. Please include ``DFARS Case 2019-
D041'' on any attached documents.
[cir] Email: [email protected]. Include DFARS Case 2019-D041 in
the subject line of the message.
Comments received generally will be posted without change to
https://www.regulations.gov, including any personal information
provided. To confirm receipt of your comment(s), please check https://www.regulations.gov, approximately two to three days after submission
to verify posting.
FOR FURTHER INFORMATION CONTACT: Ms. Heather Kitchens, telephone 571-
296-7152.
SUPPLEMENTARY INFORMATION:
I. Background
DoD is proposing to revise the DFARS to implement the contractual
requirements related to the Cybersecurity Maturity Model Certification
(CMMC) 2.0 program, published in the Federal Register as a proposed
rule affecting 32 CFR part 170 on December 26, 2023, at 88 FR 89058.
CMMC 2.0 provides a framework for assessing contractor implementation
of cybersecurity requirements and enhancing the protection of
unclassified information within the DoD supply chain. This proposed
DFARS rule also partially implements section 1648 of the National
Defense Authorization Act for Fiscal Year 2020 (Pub. L. 116-92), which
directed the Secretary of Defense to develop a consistent,
comprehensive framework to enhance cybersecurity for the U.S. defense
industrial base no later than February 1, 2020.
On September 29, 2020, an interim rule under DFARS Case 2019-D041,
Assessing Contractor Implementation of Cybersecurity Requirements, was
published in the Federal Register at 85 FR 61505, effective November
30, 2020. On November 17, 2021, the notice, ``Cybersecurity Maturity
Model Certification (CMMC) 2.0 Updates and Way Forward'' was published
in the Federal Register at 86 FR 64100 to suspend the CMMC 1.0 pilot
efforts. The purpose of suspending the CMMC 1.0 pilot efforts was to
allow for development of CMMC 2.0. On December 26, 2023, DoD published
in the Federal Register at 88 FR 89058 a proposed CMMC 2.0 program
rule, Cybersecurity Maturity Model Certification Program, to propose
the establishment of the CMMC 2.0 program requirements at 32 CFR part
170.
II. Discussion and Analysis
The proposed changes to the existing DFARS language are primarily
to: (1) add references to the CMMC 2.0 program requirements proposed at
32 CFR part 170; (2) add definitions for controlled unclassified
information (CUI) and DoD unique identifier (DoD UID) to the subpart;
(3) establish a solicitation provision and prescription; and (4) revise
the existing clause language and prescription.
DoD is implementing a phased rollout of CMMC. Over a three-year
period CMMC will be phased in based on the
[[Page 66328]]
CMMC 2.0 program requirements identified at 32 CFR part 170. The clause
at DFARS 252.204-7021, Contractor Compliance With the Cybersecurity
Maturity Model Certification Level Requirements, is prescribed for use
in solicitations and contracts that require the contractor to have a
specific CMMC level, including solicitations and contracts using
Federal Acquisition Regulation (FAR) part 12 procedures for the
acquisition of commercial products and commercial services, excluding
acquisitions exclusively for commercially available off-the-shelf
(COTS) items. In order to implement the phased rollout of CMMC,
inclusion of a CMMC requirement in a solicitation during this time
period will be determined by the program office or requiring activity
after consulting the CMMC 2.0 requirements at 32 CFR part 170. During
the phase-in period, when there is a requirement in the contract for
CMMC, CMMC certification requirements must be flowed down to
subcontractors at all tiers, when the subcontractor will process,
store, or transmit Federal contract information (FCI) or CUI, based on
the sensitivity of the unclassified information flowed down to each of
the subcontractors in accordance with the proposed CMMC 2.0
requirements to be established at 32 CFR part 170 (see the proposed
rule published December 26, 2023, at 88 FR 89058).
After the phase-in period, CMMC will apply to all DoD solicitations
and contracts, including those for the acquisition of commercial
products or commercial services (except those exclusively for COTS
items), valued at greater than the micro-purchase threshold that
involve processing, storing, or transmitting FCI or CUI. When a CMMC
level is included in the solicitation or contract, contracting officers
will not make award, exercise an option, or extend the period of
performance on a contract, if the offeror or contractor does not have
the results of a current certification or self-assessment for the
required CMMC level, and an affirmation of continuous compliance with
the security requirements to be identified at 32 CFR part 170, in the
Supplier Performance Risk System (SPRS) for all information systems
that process, store, or transmit FCI or CUI during contract
performance. Furthermore, CMMC certification requirements must be
flowed down to subcontractors at all tiers when the subcontractor will
process, store, or transmit FCI or CUI, based on the sensitivity of the
unclassified information flowed down to each of the subcontractors in
accordance with the proposed CMMC 2.0 requirements to be established at
32 CFR part 170 (see 88 FR 89058).
A. Proposed Rule Changes
This proposed rule includes amendments to DFARS 204.7502, Policy.
These amendments require at the time of award the results of a current
CMMC certificate or CMMC self-assessment, at the level required, for
all information systems that process, store, or transmit FCI or CUI
during contract performance, when a CMMC level is included in the
solicitation.
The proposed rule also adds a requirement at DFARS 204.7503,
Procedures, for contracting officers to work with the program office or
requiring activity to verify in SPRS, prior to awarding a contract,
exercising an option, or when new DoD UIDs are provided, that: (1) the
results of a current CMMC certificate or current CMMC self-assessment
at the level required by the solicitation, or higher, are posted in
SPRS for each DoD UID applicable to each of the contractor information
systems that will process, store, or transmit FCI or CUI and that will
be used in performance of the contract; and (2) the apparently
successful offeror has a current affirmation of continuous compliance
with the security requirements identified at 32 CFR part 170 in SPRS
for each DoD UID applicable to each of the contractor information
systems that process, store, or transmit FCI or CUI and that are used
in performance of the contract.
The proposed rule also adds a definition at DFARS 204.7501 for use
only in the subpart for the term CUI based on the 32 CFR 2002
definition of CUI. Definitions for current (as it relates to CMMC) and
DoD UID are also added.
This proposed rule includes a new DFARS provision, 252.204-7YYY,
Notice of Cybersecurity Maturity Model Certification Level
Requirements, to provide notice to offerors of the CMMC level required
by the solicitation and of the CMMC certificate or self-assessment
results that are required to have been posted in SPRS by the apparently
successful offeror prior to award, unless electronically posted.
Offerors post CMMC Level 1 and Level 2 self-assessments into SPRS.
Level 2 certificate assessment results will be electronically
transmitted to SPRS by the third-party assessment organization (see the
proposed rule published at 88 FR 89058, in the proposed text at 32 CFR
170.17 for details on CMMC Level 2 certification assessment
requirements). Level 3 certificate assessment results will be
electronically transmitted to SPRS by the DoD assessor (see the
proposed rule published at 88 FR 89058, in the proposed text at 32 CFR
170.18 for details on CMMC Level 3 certification requirements).
Apparently successful offerors are also required to provide, at the
contracting officer's request, the DoD UIDs issued by SPRS for the
contractor information systems that will process, store, or transmit
FCI or CUI during contract performance. SPRS will issue DoD UIDs to
offerors in connection with their CMMC self-assessments and CMMC
certificates. Apparently successful offerors will need to specify which
DoD UIDs are applicable to the contractor information systems that will
process, store, or transmit FCI or CUI during contract performance.
This proposed rule at DFARS 204.7504 adds the prescription for the
new DFARS solicitation provision, 252.204-7YYY, Notice of Cybersecurity
Maturity Model Certification Level Requirements. DFARS 252.204-7YYY is
prescribed for use in solicitations that include the clause at 252.204-
7021. The provision includes language identifying the CMMC level
required for the contract and notifies offerors that the apparently
successful offeror will not be eligible for award of a contract, task
order, or delivery order resulting from the solicitation in which the
provision appears, if the apparently successful offeror does not have
the results of a current CMMC certificate or self-assessment entered in
SPRS (https://piee.eb.mil) at the CMMC level required by the provision
and an affirmation of continuous compliance with the security
requirements identified at 32 CFR part 170 in SPRS for each of the
contractor information systems that process, store, or transmit FCI or
CUI and that are used in performance of the contract.
This proposed rule includes changes to the clause at DFARS 252.204-
7021, Contractor Compliance with the Cybersecurity Maturity Model
Certification Level Requirement, to:
Add definitions at paragraph (a) for Cybersecurity
Maturity Model Certification, current (as it relates to CMMC), and DoD
UID, and remove the scope statement.
Require the contractor to have and maintain the requisite
CMMC level for the life of the contract.
Require the contractor to submit to the contracting
officer the DoD UID(s) issued by SPRS for contractor information
systems that will process, store, or transmit FCI or CUI during
performance of the contract.
[[Page 66329]]
Require the contractor to complete and maintain on an
annual basis, or when security changes occur, the affirmation of
continuous compliance with the security requirements identified at 32
CFR part 170. The affirmation of continuous compliance is made by a
senior company official (see definition of ``senior company official''
at 32 CFR 170.4 in the proposed rule published at 88 FR 89058) to
affirm that its CMMC self-assessment of CMMC certification for each DoD
UID applicable to the contractor information systems that process,
store, or transmit FCI or CUI during contract performance remains
current and the information system(s) covered by the CMMC self-
assessment or CMMC certificate continue to be in compliance with the
security requirements identified at 32 CFR 170.
Require the contractor to notify the contracting officer
of any changes in the contractor information systems that process,
store, or transmit FCI or CUI during contract performance and to
provide the corresponding DoD UIDs for those contractor information
systems to the contracting officer. The contractor is required to
provide the DoD UIDS to the contracting officer so the Government can
review associated CMMC certificate or CMMC self-assessment results and
contractor affirmations of continued compliance in SPRS for those
additional contractor information systems.
Require the contractor to ensure that its subcontractors
also have the appropriate CMMC level prior to awarding a subcontract or
other contractual instruments. This requirement is included in the
clause at DFARS 252.204-7021, paragraph (d), which tells contractors
when to flow the clause down to subcontractors.
Require the contractor to include the requirements of the
clause in subcontracts or other contractual instruments. The purpose of
the clause is to ensure suppliers at all tiers are in compliance with
the security requirements identified at 32 CFR part 170 when there is a
requirement for CMMC in the contract, if applicable based on the
information that is being flowed down. The CMMC program requirements
related to the CMMC level required for suppliers is based on the
information that is being flowed down, and those requirements are
defined in the Title 32 CFR CMMC Program proposed rule.
The proposed rule also adds language to the clause at DFARS
252.204-7021 to incorporate a requirement for contractors to only
transmit data on information systems that process, store, or transmit
FCI or CUI during contract performance that have a certification at the
CMMC level required by the contract. In addition, the contractor will
be required to notify the contracting officer if there are any lapses
or changes in CMMC certification levels that affect the requirements
for information security during contract performance. The clause will
also include language identifying the CMMC level required by the
contract.
This proposed rule also includes revisions to the clause
prescription at DFARS 204.7504 to apply the clause at DFARS 252.204-
7021 to solicitations and contracts, task orders, or delivery orders
that require the contractor to have a specific CMMC level, including
solicitations and contracts using FAR part 12 procedures for the
acquisition of commercial products and commercial services, except for
solicitations and contracts solely for the acquisition of COTS items.
DoD considered three alternatives for the timing of the requirement
to achieve a CMMC 2.0 level certification in the development of this
proposed rule, weighing the benefits and risks associated with
requiring CMMC 2.0 level certification: (1) at time of proposal
submission; (2) at time of award; or (3) after contract award. DoD
ultimately adopted the second alternative to require certification at
the time of award. The drawback of the first alternative (i.e., at time
of proposal submission) is the increased risk for offerors since they
may not have sufficient time to achieve the required CMMC
certification. The drawback of the third alternative (i.e., after
contract award) is the increased risk to DoD with respect to the
schedule and uncertainty due to the possibility that the contractor may
be unable to achieve the required CMMC level in a reasonable amount of
time given their current cybersecurity posture. This potential delay
would apply to the entire supply chain and prevent the appropriate flow
of FCI and CUI to the contractor and subcontractors.
This proposed rule also includes the following conforming changes:
Makes references to the CMMC 2.0 program requirements by
incorporating the citation for 32 CFR part 170 throughout the text of
the proposed rule.
Amends the list in DFARS 212.301 of solicitation
provisions and contract clauses that are applicable for the acquisition
of commercial products and commercial services to include the new
provision at DFARS 252.204-7YYY, Notice of Cybersecurity Maturity Model
Certification Level Requirements. The clause at DFARS 252.204-7021,
Contractor Compliance with the Cybersecurity Maturity Model
Certification Level Requirements, is already included in this list from
the prior interim rule under this DFARS Case 2019-D041.
Amends DFARS 217.207, Exercise of Options, to advise
contracting officers that when CMMC is required in the contract, an
option may only be exercised after verifying in SPRS that the
contractor has the required affirmation(s) of continuous compliance
with the security requirements identified at 32 CFR part 170 and has
posted the results of a current CMMC certificate or CMMC self-
assessment at the level required by the contract, or higher. The text
refers contracting officers to DFARS 204.7503(c) for complete details
regarding these requirements.
B. Analysis of Public Comments in Response to the Interim Rule
This proposed rule follows the publication of an interim rule under
this DFARS Case 2019-D041, which received over 750 public comments.
Although this proposed rule does not finalize the interim rule, it
responds to the public comments received and anticipates that these
responses will facilitate the public's understanding of this proposed
rule. Only comments submitted in response to the interim rule as it
relates to the contractual requirements are discussed below. The
technical and programmatic comments on CMMC 1.0 are being handled in
the CMMC program rule affecting 32 CFR part 170. In addition to
technical and programmatic comments, the comments related to the CMMC
cost analysis are also being addressed under the CMMC program rule
affecting 32 CFR part 170. It should also be noted that any comments
related to the National Institute of Standards and Technology (NIST)
Special Publication (SP) 800-171 DoD Assessment methodology will be
addressed under a separate DFARS Case 2022-D017, NIST SP 800-171 DoD
Assessment Requirements. A discussion of the comments is provided as
follows:
1. Small Business Impact
Comment: Several respondents requested more information on the
impact to small entities from CMMC.
Response: As described in the regulatory flexibility analysis in
section VI of this preamble, the phased roll-out of CMMC over three
years is intended to mitigate the impact of CMMC on contractors
including small entities and is only expected to apply to 1,104 small
entities in year one. In addition, the provision and clause in this
proposed
[[Page 66330]]
rule exempt contracts that are exclusively for COTS items.
2. Requirement for CMMC
Comment: Several respondents inquired about how contractors will
know there is a requirement to have CMMC certification.
Response: As stated in this proposed rule, if there is a
requirement for a specific CMMC level, the CMMC requirement will be
identified in the DFARS solicitation provision 252.204-7YYY, Notice of
Cybersecurity Maturity Model Certification Level Requirements. In
addition, the DFARS contract clause 252.204-7021, Contractor Compliance
with the Cybersecurity Maturity Model Certification Level Requirements,
will be included in the contract.
3. CMMC Application to Other Transaction Agreements (OTAs)
Comment: Many respondents asked whether CMMC will apply to OTAs.
Response: Applicability to OTAs is outside the scope of this DFARS
rule, as the DFARS does not provide coverage of OTA requirements. If
the program office or requiring activity identifies a need to include a
CMMC requirement in an OTA, it will be included in the solicitation and
resulting agreement.
4. Application to Foreign Suppliers for CMMC
Comment: Many respondents commented on whether CMMC will apply to
foreign suppliers.
Response: If the program office or requiring activity identifies a
need to include a CMMC requirement in a contract, it will be included
in the solicitation and resulting contract unless the contract is
exclusively for COTS items. The proposed rule does not exempt foreign
suppliers from CMMC requirements.
5. CMMC and NIST SP 800-171 DoD Assessment Requirements
Comment: Many respondents questioned how CMMC and the NIST SP 800-
171 requirements will interact and if one requirement will be used for
the other.
Response: As described in the interim rule at DFARS 204.7501(c),
the CMMC assessments will not duplicate efforts from any other
comparable DoD assessment, except for rare circumstances when a
reassessment may be necessary, for example, when there are indications
of issues with cybersecurity and/or compliance with CMMC requirements.
6. CMMC Application to Broad Agency Announcements (BAAs)
Comment: Many respondents inquired whether CMMC will apply to BAAs.
Response: If the program office or requiring activity identifies a
need to include a CMMC requirement in a contract, it will be included
in the solicitation and resulting contact. The proposed rule prescribes
the CMMC clause at 252.204-7021, Contractor Compliance with the
Cybersecurity Maturity Model Certification Level Requirements, for use
in solicitations and contracts, task orders, and delivery orders that
require the contractor to have a specific CMMC level, including those
using FAR part 12 procedures for the acquisition of commercial products
and commercial services, except those solely for the acquisition of
COTS items.
7. Duplication of DFARS Clause 252.204-7012 and DFARS Clause 252.204-
7021
Comment: A respondent commented on whether DFARS clause 252.204-
7012 and DFARS clause 252.204-7021 duplicate one another.
Response: These clauses are not duplicative as they have distinct
purposes. DFARS clause 252.204-7012, Safeguarding Covered Defense
Information and Cyber Incident Reporting, levies cybersecurity
requirements on contractors, and DFARS clause 252.204-7021, Contractor
Compliance with the Cybersecurity Maturity Model Certification Level
Requirements, levies a requirement for an assessment of how well a
contractor is meeting those cybersecurity requirements specified in
252.204-7012.
8. Uniform Definition of CUI
Comment: A respondent commented that there should be a uniform
definition of CUI.
Response: This proposed rule adds a definition for use in subpart
204.75 for the term ``controlled unclassified information.'' The
definition is based on the definition of CUI at 32 CFR 2002.
9. Uniformity and Consistency
Comment: Many respondents commented that the final rule should
provide uniformity and consistency.
Response: This proposed rule does not conflict with other
regulations.
10. Applicability to Contracts at or Below the Simplified Acquisition
Threshold
Comment: Many respondents commented that there should be
clarification as to whether this rule applies to contracts at or below
the simplified acquisition threshold.
Response: As described in section III of this preamble, this
proposed rule applies to contracts at or below the simplified
acquisition threshold, but not to purchases at or below the micro-
purchase threshold.
11. Expected Cost Impact and Benefits
Comment: Several respondents commented that the interim rule for
2019-D041 had a cost analysis that lacked a basis for the analysis.
Response: The Regulatory Impact Analysis associated with this
proposed rule only includes a cost analysis of the contractual
requirements associated with this proposed rule. The rule for the CMMC
Program affecting 32 CFR part 170 contains the expected cost impact and
benefits of technical requirements associated with CMMC. Any comments
on the cost estimates of technical or programmatic requirements related
to the CMMC Program should be directed to the proposed rule affecting
32 CFR part 170.
12. Applicability to COTS--Define Exclusively COTS
Comment: Many respondents commented that there needs to be a
definition for ``exclusively COTS''.
Response: As described in this preamble, this proposed rule does
not apply to awards that are exclusively for COTS items. The term
``commercially available off-the-shelf (COTS) item'' is defined at FAR
2.101, so any awards that are exclusively for items falling within that
FAR definition would be considered ``exclusively COTS'' awards.
13. Timing of CMMC Certification
Comment: Many respondents recommended that the CMMC certification
timing be delayed until after award, or that it should be made more
flexible.
Response: The CMMC policy identified in the CMMC 2.0 proposed rule
affecting 32 CFR part 170 (published December 26, 2023, at 88 FR 89058)
establishes that CMMC certification and CMMC self-assessments are
required at the time of award.
14. Prime Contractor Validation of Subcontractor CMMC Level
Comment: Many respondents commented that there should be a way for
prime contractors to validate subcontractor CMMC certificates and CMMC
self-assessments.
Response: There is not currently a tool established that would
allow sharing of subcontractor information
[[Page 66331]]
with prime contractors electronically. Prime contractors are expected
to work with their suppliers to conduct verifications as they would
under any other clause requirement that applies to subcontractors.
15. Cost Allowability
Comment: Many respondents commented that the DFARS rule should
specify whether costs for CMMC are allowable costs.
Response: Cost allowability requirements are described at FAR
31.201-2, Determining allowability.
16. Clause Applicability Overly Broad
Comment: Many respondents commented that the clause applicability
is overly broad.
Response: In this proposed DFARS rule, the applicability of the
clause has been narrowed to apply only when there is a requirement in
the solicitation for the contractor to have a specific CMMC level.
17. Application to Plain Old Telephone Service (POTS)
Comment: One respondent asked if handling CUI under a POTS contract
would trigger the requirements of DFARS 252.204-7012.
Response: The requirements under 252.204-7012, Safeguarding Covered
Defense Information and Cyber Incident Reporting, are triggered when
the contractor processes, stores, or transmits CUI on a covered
contractor information system (the contractor's internal information
system). Common carrier telecommunications circuits or POTS would not
normally be considered part of the covered contractor information
system processing FCI or CUI. Data traversing common carrier systems
should be separately encrypted per NIST SP 800-171 requirement 3.13.8.
Contracts with common carriers to provide telecommunications services
may include DFARS clause 252.204-7012, Safeguarding Covered Defense
Information and Cyber Incident Reporting, but should not be interpreted
to imply the common carrier telecommunications systems themselves have
to meet the DFARS requirements.
18. Joint Ventures
Comment: Many respondents commented on how to handle CMMC
certifications and CMMC self-assessments under joint ventures.
Response: Each individual entity that has a requirement for CMMC
would be required to comply with the requirements related to the
individual entity's information systems that process, store, or
transmit FCI or CUI during contract performance.
19. Training on Marking CUI
Comment: Many respondents commented that DoD should train personnel
on marking CUI and recommended that agencies do a better job of marking
CUI.
Response: This comment is outside of the scope of this rule.
20. Clarification of How CMMC Applies to Information Systems
Comment: Many respondents commented that clarification is needed
regarding how CMMC is applied to information systems.
Response: As described in this proposed rule, if there is a
requirement for CMMC, then it applies to all information systems that
process, store, or transmit FCI or CUI in performance of the contract.
21. Fundamental Research
Comment: Many respondents commented that clarification is needed
regarding whether CMMC applies to fundamental research.
Response: Fundamental research, as defined in National Security
Decision Directive (NSDD) 189, is published and broadly shared within
the scientific community and, as such, cannot be safeguarded as either
FCI or CUI; however, if fundamental research has the potential to
become CUI, it would be subject to the requirements of CMMC.
22. Clause Fill-In With CMMC Level
Comment: One respondent requested that the clause contain a fill-in
with the CMMC level requirement.
Response: In this proposed rule, the CMMC level requirement will be
included in the solicitation provision at 252.204-7YYY, Notice of
Cybersecurity Model Certification Level Requirements and in the
contract clause at 252.204-7021.
23. Application of CMMC to Non-COTS Item Contracts With No FCI or CUI
Involved
Comment: Many respondents commented that it appears the CMMC clause
would be included in non-COTS item contracts with no FCI or CUI
involved at the prime contractor and subcontractor levels.
Response: The proposed rule prescribes the CMMC clause for use only
in solicitations and contracts that require the contractor to have a
specific CMMC level. Contracts that are exclusively for COTS items and
purchases at or below the micro-purchase threshold will not have a
requirement for the contractor to have a specific CMMC level.
24. Application of CMMC Clause to Service Contracts and Non-Defense
Contracts
Comment: One respondent commented on whether the CMMC clause will
be included in services contracts and non-defense contracts.
Response: The proposed rule proposes to amend the DFARS, so this
proposed rule only includes changes to the requirements for DoD. A
services contract may have a requirement for CMMC.
25. Definition of ``Contractor Information System Relevant to the
Contract/Offer''
Comment: Many respondents requested clarification of the phrase,
``contractor information system relevant to the contract/offer''.
Response: The proposed rule includes language that clarifies that
contractor information systems relevant to the contract or offer are
contractor information systems that process, store, or transmit FCI or
CUI during performance of the contract.
26. Effective Date of CMMC Clause for Contracts and Applicability to
Modifications
Comment: Many respondents requested clarification on the effective
date of the CMMC clause and applicability to modifications.
Response: The proposed rule includes amendments to the DFARS that
will not take effect until a final rule is issued. Therefore, the
effective date of the clause would be the effective date specified in
the final rule. The clause will only be included in solicitations
issued on or after the effective date of the final rule and any
resulting contracts, unless the contracting officer makes a decision to
include the clause in a solicitation issued prior to the effective date
of the final rule, provided that any resulting contracts are awarded on
or after the effective date of the final rule. Contracting officers
have the discretion to bilaterally incorporate the clause in contracts
in effect prior to the effective date of the clause, with appropriate
consideration. See FAR 1.108(d).
27. Determining CMMC Level for Subcontracts
Comment: Many respondents commented that there should be
clarification regarding how to determine the required CMMC level for
subcontracts.
[[Page 66332]]
Response: In determining a CMMC level appropriate for the
information being flowed down to subcontractors, see the proposed rule
affecting 32 CFR part 170 published in the Federal Register on December
26, 2023, at 88 FR 89058.
28. Proliferation of Component-Unique Security Requirements
Comment: Many respondents commented that it appeared there was a
proliferation of component-unique security requirements.
Response: While the comment is noted, the comment is outside of the
scope of this proposed rule.
29. Reflecting CMMC Levels in SAM.gov for Prime Contractor Verification
of Subcontractors
Comment: One respondent recommended reflecting CMMC levels in
SAM.gov for prime contractor verification of the subcontractors.
Response: The CMMC Program proposed rule affecting 32 CFR part 170
has identified that SPRS is the repository for CMMC certificates and
self-assessment information at present. Contractors will only be able
to access their own CMMC certificate and self-assessment information.
30. Training Contracting Officers
Comment: Many respondents commented that it would be helpful to
train contracting officers on how to appropriately identify contracts
for inclusion of the DFARS clause at 252.204-7021, Contractor
Compliance with the Cybersecurity Maturity Model Certification Level
Requirements.
Response: As with any clause, contracting officers will follow the
prescription language in determining when to include a contract clause.
31. Vendor Description of CMMC Queue in Response to Proposals
Comment: One respondent commented recommending that an offeror
should be able to share where they are in the queue for a CMMC
assessment and be allowed to have a late submission of their CMMC
certification.
Response: The CMMC Program policy, in the proposed rule affecting
32 CFR part 170, is to require a CMMC certification or CMMC self-
assessment at the time of award if there is a requirement for CMMC
under the contract.
32. Define ``Certification''
Comment: A respondent commented that the term ``certification''
should be defined.
Response: The term ''certification'' referenced in this proposed
rule relates to the Cybersecurity Maturity Model Certification.
33. Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)
Assessment Reciprocity
Comment: Several respondents asked for clarification on reciprocity
between CMMC certification and Defense Contract Management Agency
DIBCAC assessments.
Response: As described in the interim rule at DFARS 204.7501(c),
the CMMC assessments will not duplicate efforts from any other
comparable DoD assessment, except for rare circumstances when a
reassessment may be necessary, for example, when there are indications
of issues with cybersecurity and/or compliance with CMMC requirements.
34. Clearance Procedures for Interim Rule
Comment: A respondent asked what clearance procedures were bypassed
to allow for the emergency processing of the previously published
interim rule.
Response: Clearance procedures were not bypassed in the emergency
processing of the previously published interim rule under this DFARS
Case 2019-D041. As described in section IX of the preamble for the
interim rule, a determination was made pursuant to 41 U.S.C. 1707(d)
and FAR 1.501-3(b) to issue the interim rule.
35. Recommend Opening a DFARS Procedures, Guidance, and Information
(PGI) Case
Comment: One respondent recommended that a PGI case should be
opened to provide procedures, guidance, and information to the
workforce related to CMMC.
Response: At present, the requirements in the proposed rule are
simply for contracting officers to include the provision and clause as
prescribed. Any additional guidance would be for the program office and
requiring activity community. Such guidance would not be added to the
DFARS PGI, which speaks to contracting officers.
36. Existence of the Clause as an Indication of the Presence of CUI
Comment: Several respondents asked for clarification on whether the
presence of the clause at 252.204-7021 means that CUI will be used in
performance of the contract.
Response: CMMC also applies to FCI, so the existence of the clause
at 252.204-7021, Contractor Compliance with the Cybersecurity Maturity
Model Certification Level Requirements, does not automatically mean
that there is CUI that will be processed, stored, or transmitted in the
performance of the contract.
37. Application of the Clause to Government Furnished Equipment (GFE)
Comment: One respondent requested clarification on whether the
clause will apply to GFE or GFE in a test environment.
Response: If the program office or requiring activity includes a
requirement in the solicitation and resulting contract for the
contractor to have a specific CMMC level, then the clause would apply.
38. Other Contractual Instruments
Comment: A respondent commented that there should be a definition
in the DFARS of ``other contractual instruments''.
Response: ``Other contractual instruments'' are agreements with
vendors or suppliers that are not considered subcontracts. The term has
been used in the DFARS for years and is well understood.
39. Source Selections
Comment: A respondent requested information on how CMMC applies to
source selections.
Response: Proposed changes to DFARS 204.7503 require that
contracting officers shall not award a contract, task order, or
delivery order to an offeror that does not have a current CMMC
certificate or self-assessment at the level required by the
solicitation. If CMMC is included in a solicitation, it is also
included as a contract requirement.
III. Applicability to Contracts at or Below the Simplified Acquisition
Threshold (SAT), for Commercial Products (Including COTS Items), and
for Commercial Services
This proposed rule amends the clause at DFARS 252.204-7021,
Contractor Compliance with the Cybersecurity Maturity Model
Certification Level Requirements, as well as the prescription at DFARS
204.7504(a). The clause is prescribed for use in solicitations and
contracts, task orders, or delivery orders, that require the contractor
to have a specific CMMC level, including solicitations and contracts
using FAR part 12 procedures for the acquisition of commercial products
and commercial services, except for solicitations and contracts solely
for the acquisition of COTS items. This proposed rule includes a new
[[Page 66333]]
provision, DFARS 252.204-7YYY, Notice of Cybersecurity Maturity Model
Certification Level Requirements. The provision is prescribed at DFARS
204.7504(b) for use in solicitations that include the clause at DFARS
252.204-7021.
DoD intends to apply the provision and clause to contracts and
subcontracts valued at or below the SAT but greater than the micro-
purchase threshold, for the acquisition of commercial products
excluding COTS items, and for the acquisition of commercial services.
A. Applicability to Contracts at or Below the Simplified Acquisition
Threshold
41 U.S.C. 1905 governs the applicability of laws to contracts or
subcontracts in amounts not greater than the simplified acquisition
threshold. It is intended to limit the applicability of laws to such
contracts or subcontracts. 41 U.S.C. 1905 provides that if a provision
of law contains criminal or civil penalties, or if the Federal
Acquisition Regulatory Council makes a written determination that it is
not in the best interest of the Federal Government to exempt contracts
or subcontracts at or below the SAT, the law will apply to them. The
Principal Director, Defense Pricing, Contracting, and Acquisition
Policy (DPCAP), is the appropriate authority to make comparable
determinations for regulations to be published in the DFARS, which is
part of the FAR system of regulations. DoD does intend to make that
determination. Therefore, this proposed rule will apply at or below the
simplified acquisition threshold.
B. Applicability to Contracts for the Acquisition of Commercial
Products Including COTS Items and for the Acquisition of Commercial
Services
10 U.S.C. 3452 exempts contracts and subcontracts for the
acquisition of commercial products including COTS items, and commercial
services from provisions of law enacted after October 13, 1994, unless
the Under Secretary of Defense (Acquisition and Sustainment) (USD(A&S))
makes a written determination that it would not be in the best interest
of DoD to exempt contracts for the procurement of commercial products
and commercial services from the applicability of the provision or
contract requirement, except for a provision of law that--
Provides for criminal or civil penalties;
Requires that certain articles be bought from American
sources pursuant to 10 U.S.C. 4862, or that strategic materials
critical to national security be bought from American sources pursuant
to 10 U.S.C. 4863; or
Specifically refers to 10 U.S.C. 3452 and states that it
shall apply to contracts and subcontracts for the acquisition of
commercial products (including COTS items) and commercial services.
The statute implemented in this proposed rule does not impose
criminal or civil penalties, does not require purchase pursuant to 10
U.S.C. 4862 or 4863, and does not refer to 10 U.S.C. 3452. Therefore,
section 1648 of the NDAA for FY 2020 will not apply to the acquisition
of commercial services or commercial products including COTS items
unless a written determination is made. Due to delegations of
authority, the Principal Director, DPCAP is the appropriate authority
to make this determination. DoD intends to make that determination to
apply this statute to the acquisition of commercial products excluding
COTS items and to the acquisition of commercial services. Therefore,
this proposed rule will apply to the acquisition of commercial products
excluding COTS items and to the acquisition of commercial services.
C. Determinations
Given that the requirements of section 1648 of the NDAA for FY 2020
were enacted to promote protection of FCI and CUI that will be
processed, stored, or transmitted on contractor information systems,
and since FCI and CUI may be processed, stored, or transmitted on
contractor information systems in the performance of contracts or
orders valued below the simplified acquisition threshold and when the
Federal Government is procuring commercial products and commercial
services, it is in the best interest of the Federal Government to apply
the statute to contracts for the acquisition of commercial services and
commercial products, excluding COTS items, as defined at FAR 2.101. An
exception for contracts for the acquisition of commercial services and
commercial products, excluding COTS items, would exclude the contracts
intended to be covered by the law, thereby undermining the overarching
public policy purpose of the law.
IV. Expected Impact of the Rule
A. Background
DoD is proposing to amend the DFARS to implement the contractual
requirements related to the DoD policy for CMMC 2.0 (see the proposed
rule affecting 32 CFR 170, published in the Federal Register December
26, 2023, at 88 FR 89058). CMMC 2.0 self-assessments and certificates
assess a contractor's compliance with certain information system
security requirements. Pursuant to the DoD policy in the CMMC 2.0
proposed rule, the CMMC level requirements apply to every contractor
information system that will process, store, or transmit Federal
contract information (FCI) or controlled unclassified information
(CUI).
DoD is proposing to amend the DFARS to include the following
solicitation and contractual requirements related to the CMMC 2.0
policy:
Offeror and contractor requirement to post the results of
a CMMC 2.0 Level 1 or Level 2 self-assessment to the Supplier
Performance Risk System (SPRS) prior to award, exercise of an option,
or extension of a period of performance, if not already posted.
Contractor requirement to maintain the required CMMC self-
assessment or certificate level for the life of the contract.
Contractor requirement to complete a contractor senior
company official affirmation of continuous compliance with the security
requirements identified at 32 CFR part 170 in SPRS for each DoD unique
identifier (UID) applicable to each of the contractor information
systems that will process, store, or transmit FCI or CUI and that will
be used in performance of the contract on an annual basis, or when CMMC
2.0 compliance status changes occur.
Apparently successful offeror and contractor requirement
to identify the contractor information systems that will be used to
process, store, or transmit FCI or CUI in performance of the contract
prior to award, exercise of an option, or extension of any period of
performance, by providing to the Government the DoD UIDs generated by
SPRS.
The costs associated with the technical completion of the CMMC 2.0
certifications and self-assessments are included in the CMMC 2.0
proposed rule affecting title 32 CFR.
B. Summary of Impact
This proposed DFARS rule will impact certain contracts during a
phased-in, three-year implementation period. Afterwards, the
requirements will apply to all contracts for which the contractor will
process, store, or transmit FCI or CUI on contractor information
systems during the performance of the contract, except for contracts
solely for the acquisition of commercially available off-the-shelf
(COTS) items.
For the first three years after the effective date of the final
rule, the information collection requirements
[[Page 66334]]
will only impact an offeror or contractor when the solicitation or
contract requires an offeror or contractor to have a specific CMMC
level, based on a phased rollout plan, including solicitations and
contracts using Federal Acquisition Regulation (FAR) part 12 procedures
for the acquisition of commercial products and commercial services,
except for solicitations and contracts solely for the acquisition of
COTS items.
By the fourth year, the information collection requirements in the
solicitation provision and contract clause will impact solicitations
and contracts, task orders, or delivery orders, including solicitations
and contracts using FAR part 12 procedures for the acquisition of
commercial products and commercial services, when there will be a
requirement under the contract to process, store, or transmit FCI or
CUI, except for solicitations and contracts solely for the acquisition
of COTS items.
Since DoD does not track awards that may include FCI or CUI, DoD
assumes the number of impacted awardees in Year 4 and beyond will be
the average number of entities in the Electronic Data Access (EDA)
system from fiscal year (FY) 2021 through FY 2023 with awards
containing the clause at DFARS 252.204-7012, Safeguarding Covered
Defense Information and Cyber Incident Reporting, or 29,543 entities,
of which 20,395 (69 percent) are small businesses. DoD also assumes
that offerors or contractors with a requirement for CMMC in contracts
will have on average 5 contractor information systems that will be used
to process, store, or transmit FCI or CUI in performance of the
contract.
For each of the information systems that will process, store, or
transmit FCI or CUI, DoD assumes it will take offerors and
contractors--
An estimated 5 minutes to post the results of the CMMC
self-assessments in SPRS;
An estimated 5 minutes to complete the required
affirmation in SPRS; and
An estimated 5 minutes to retrieve DoD UIDs in SPRS for
the information systems that will be used in performance of the
contract and to submit the DoD UIDs to the Government.
For the Government, DoD assumes it will take--
An estimated 5 minutes to validate the existence of the
correct level and currency of a CMMC certification or CMMC self-
assessment results associated with offeror DoD UIDs in SPRS for the
apparently successful offeror prior to award and for the contractor
prior to exercising an option or extending any period of performance;
An estimated 5 minutes to validate the existence of an
affirmation that is current for each of the contractor information
systems that will process, store, or transmit FCI or CUI; and
An estimated 5 minutes to validate the existence of the
correct level and currency of a CMMC certification or CMMC self-
assessment and affirmation associated with contractor DoD UIDs in SPRS,
when there are changes in the information systems during contract
performance.
The primary cost impact of this proposed rule is that apparently
successful offerors for contracts that include a CMMC requirement will
now be required to conduct the cost activities described below in
accordance with the provision at DFARS 252.204-7YYY, Notice of
Cybersecurity Maturity Model Certification Level Requirement, and the
clause at DFARS 252.204-7021, Cybersecurity Maturity Model
Certification Requirements.
The benefits of this proposed rule include verification of a
defense industrial base (DIB) contractor's implementation of system
security requirements. The clause at DFARS 252.204-7012, Safeguarding
Covered Defense Information and Cyber Incident Reporting, does not
provide for the DoD verification of a DIB contractor's implementation
of the security requirements specified in National Institute of
Standards and Technology (NIST) Special Publication (SP) 800-171 prior
to contract award. CMMC adds the element of verification of a DIB
contractor's cybersecurity through the use of accredited third-party
assessors. This proposed rule provides increased assurance to DoD that
a DIB contractor can adequately protect sensitive unclassified
information such as CUI at a level commensurate with the risk,
accounting for information flow down to its subcontractors in a multi-
tier supply chain.
Another benefit of this proposed rule is that it supports the
protection of intellectual property and sensitive information from
malicious activity that has a significant impact on the U.S. economy
and national security. While there is not enough information to be able
to estimate the benefits of this rule at this time, DoD assumes there
will be a benefit from reducing the threat of malicious cyber activity.
The Council of Economic Advisors estimates that malicious cyber
activity cost the U.S. economy between $57 billion and $109 billion in
2016. Over a ten-year period, that burden would equate to an estimated
$512 billion to $979 billion in costs at a 2 percent discount rate.
The following is a summary of the estimated public and Government
costs calculated over a 10-year period at a 2 percent discount rate:
----------------------------------------------------------------------------------------------------------------
Summary Public Government Total
----------------------------------------------------------------------------------------------------------------
Present Value.......................................... $40,687,957 $25,237,882 $65,925,839
Annualized Costs....................................... 4,529,649 2,809,646 7,339,295
----------------------------------------------------------------------------------------------------------------
Public comments are solicited on this analysis of the estimated
burden of the proposed rule.
V. Executive Orders 12866 and 13563
Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess
all costs and benefits of available regulatory alternatives and, if
regulation is necessary, to select regulatory approaches that maximize
net benefits (including potential economic, environmental, public
health and safety effects, distributive impacts, and equity). E.O.
13563 emphasizes the importance of quantifying both costs and benefits,
of reducing costs, of harmonizing rules, and of promoting flexibility.
This is a significant regulatory action and, therefore, was subject to
review under section 6(b) of E.O. 12866, Regulatory Planning and
Review, as amended.
VI. Regulatory Flexibility Act
DoD does not expect this proposed rule, when finalized, to have a
significant economic impact on a substantial number of small entities
within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601, et
seq. However, an initial regulatory flexibility analysis has been
performed and is summarized as follows:
This proposed rule is necessary to respond to the threat to the
U.S. economy and national security posed by
[[Page 66335]]
ongoing malicious cyber activities designed to steal hundreds of
billions of dollars of U.S. intellectual property. This proposed rule
includes the following requirements for apparently successful offerors
responding to a solicitation, and contractors awarded contracts,
containing a requirement for CMMC: (1) post in SPRS the results of a
current CMMC certificate or current CMMC self-assessment at the level
required by the solicitation, or higher, for each DoD UID applicable to
each of the contractor information systems that will process, store, or
transmit FCI or CUI and that will be used in performance of the
contract and maintain the CMMC level for the life of the contract; (2)
provide the DoD UID(s) applicable to each of those contractor
information systems to the contracting officer and provide updates, if
applicable; and (3) have a current affirmation of continuous compliance
with the security requirements identified at 32 CFR part 170 in SPRS
for each DoD UID applicable to each of those contractor information
systems. These requirements apply to apparently successful offerors
with a CMMC requirement in solicitations prior to award and to
contractors with a CMMC requirement in contracts prior to exercising an
option.
The proposed rule has two objectives. One objective is to provide
DoD with assurances that a defense industrial base contractor can
adequately protect sensitive unclassified information at a level
commensurate with the risk, accounting for information shared with its
subcontractors in a multi-tier supply chain. Another objective is to
partially implement section 1648 of the NDAA for FY 2020. The legal
basis for the rule is 41 U.S.C. 1303 and section 1648 of the NDAA for
FY 2020.
Given the enterprise-wide implementation of CMMC, DoD developed a
three-year phased rollout strategy. The rollout is intended to minimize
both the financial impacts to the industrial base, especially small
entities, and disruption to the existing DoD supply chain. Upon
completion of the phased implementation, this rule will impact all
small entities awarded contracts with DoD, except those providing only
COTS items and those that do not handle FCI or CUI. The estimated
number of small entities to which the rule will apply in year one is
1,104.
By the fourth year, all entities receiving DoD contracts and orders
that have contractor information systems that will process, store, or
transmit FCI or CUI and that will be used in performance of the
contract or order, other than contracts or orders exclusively for COTS
items, will be required to have, at minimum, a CMMC Level 1 self-
assessment or the CMMC Level identified in the solicitation and
resulting contract, as appropriate for the type of information being
handled under the contract. As described previously, it should be noted
that this requirement does not apply to awards that do not involve the
handling or transmission of FCI or CUI. By year four, the total
estimated number of small entities to which the rule will apply will be
60,783.
During the first three years of the phased rollout, the CMMC
requirement will be included only in certain contracts for which the
CMMC Program Office directs DoD component program offices to include a
CMMC requirement. After three years, DoD component program offices will
be required to include a requirement for CMMC in solicitations and
contracts that will require the contractor to process, store, or
transmit FCI or CUI on contractor information systems during contract
performance. Not every contractor will be awarded a contract in Year 4,
so it will take several years for every contractor in the defense
industrial base to be awarded a contract containing a requirement for
CMMC. DoD does not track how many years it takes for every contractor
to be awarded a DoD contract, so DoD assumes this will occur over a
period of several years.
Based on data from the Electronic Data Access system for FY 2021
through FY 2023, the number of unique entities with contracts
containing the clause at DFARS 252.204-7012, Safeguarding Covered
Defense Information and Cyber Incident Reporting, is 29,543, of which
20,395 (69 percent) are small entities. Therefore, DoD estimates that
in Year 4 and beyond, approximately 20,395 small entities will be
impacted per year. DoD anticipates that the following mix of self-
assessments and certificates will occur starting in Year 4; however, it
is likely to change based on component program office discretion
regarding whether a CMMC self-assessment or certificate is required
and, if so, at what level:
----------------------------------------------------------------------------------------------------------------
CMMC Level Percentages Small entities Large entities Total entities
----------------------------------------------------------------------------------------------------------------
Level 1 Self-assessment......................... 63 12,849 5,763 18,612
Level 2 Self-assessment......................... 2 408 183 591
Level 2 Certificate............................. 35 7,138 3,202 10,340
---------------------------------------------------------------
Total Entities.............................. 100 20,395 9,148 29,543
----------------------------------------------------------------------------------------------------------------
This proposed rule includes new reporting, recordkeeping, or other
compliance requirements for small entities. The following is a summary
of the projected reporting and other compliance requirements associated
with the proposed rule: (1) a requirement for apparently successful
offerors to post results of current CMMC Level 1 and Level 2 self-
assessments to SPRS for each DoD UID applicable to each of the
contractor information systems that will process, store, or transmit
FCI or CUI and that will be used in performance of the contract, if
applicable; (2) a requirement for apparently successful offerors and
contractors to provide DoD UIDs for each of those contractor
information systems, if applicable, prior to award and when any changes
to DoD UIDs occur; and (3) a requirement for a senior company official
to complete and maintain on an annual basis, or when CMMC compliance
status changes occur, the affirmation of continuous compliance with the
security requirements identified at 32 CFR part 170 in SPRS for each
DoD UID applicable to each of those contractor information systems.
These reporting requirements would apply to any small entities that
are the apparently successful offeror for a contract for which there is
a requirement for a specific CMMC level. The requirement to post the
self-assessment will only apply to small entities that have a
requirement for a CMMC Level 1 or Level 2 self-assessment. The
requirement to provide DoD UIDs and the requirement for the senior
official to complete the affirmation in SPRS will apply to all small
entities that are apparently successful offerors for a solicitation or
[[Page 66336]]
contractors awarded a contract for which there is a requirement for
CMMC.
This proposed rule does not duplicate, overlap, or conflict with
any other Federal rules. This proposed DFARS rule implements the
contractual requirements related to the CMMC 2.0 program, which was
published as a separate proposed rule affecting 32 CFR part 170 on
December 26, 2023, at 88 FR 89058.
There are no known alternatives that would accomplish the stated
objectives of the applicable statute. This proposed rule uses a phased
rollout approach to implementation and applies the CMMC requirements
only to apparently successful offerors for solicitations and
contractors awarded a contract containing a CMMC requirement. This
proposed rule exempts contracts and orders exclusively for the
acquisition of COTS items to minimize any significant economic impact
of the proposed rule on small entities. Because of the across-the-board
risks of not implementing cybersecurity requirements, DoD was unable to
identify any additional alternatives that would reduce the burden on
small entities and still meet the objectives of the proposed rule.
DoD invites comments from small business concerns and other
interested parties on the expected impact of this proposed rule on
small entities.
DoD will also consider comments from small entities concerning the
existing regulations in subparts affected by this proposed rule in
accordance with 5 U.S.C. 610. Interested parties must submit such
comments separately and should cite 5 U.S.C. 610 (DFARS Case 2019-
D041), in correspondence.
VII. Paperwork Reduction Act
This proposed rule contains information collection requirements
that require the approval of the Office of Management and Budget under
the Paperwork Reduction Act (44 U.S.C. chapter 35). Accordingly, DoD
has submitted a request for approval of a new information collection
requirement concerning 2019-D041, Assessing Contractor Implementation
of Cybersecurity Requirements, to the Office of Management and Budget.
A. Estimate of Public Burden
Public reporting burden for this collection of information is
estimated to average 5 minutes (0.8333) per response, including the
time for reviewing instructions, searching existing data sources,
gathering and maintaining the data needed, and completing and reviewing
the collection of information.
The annual reporting burden is estimated as follows:
Respondents: 1,493.
Total annual responses: 30,990.
Total annual burden hours: 2,582.
B. Request for Comments Regarding Paperwork Burden
Written comments and recommendations on the proposed information
collection, including suggestions for reducing this burden, should be
submitted using the Federal eRulemaking Portal at https://www.regulations.gov or by email to [email protected]. Comments can be
received up to 60 days after the date of this notice.
Public comments are particularly invited on: whether this
collection of information is necessary for the proper performance of
the functions of DoD, including whether the information will have
practical utility; the accuracy of DoD's estimate of the burden of this
information collection; ways to enhance the quality, utility, and
clarity of the information to be collected; and ways to minimize the
burden of the information collection on respondents, including through
the use of automated collection techniques or other forms of
information technology.
To obtain a copy of the supporting statement and associated
collection instruments, please email [email protected]. Include DFARS
Case 2019-D041 in the subject line of the message.
List of Subjects in 48 CFR Parts 204, 212, 217, and 252
Government procurement.
Jennifer D. Johnson,
Editor/Publisher, Defense Acquisition Regulations System.
Therefore, the Defense Acquisition Regulations System proposes to
amend 48 CFR parts 204, 212, 217, and 252 as follows:
0
1. The authority citation for 48 CFR parts 204, 212, 217, and 252
continues to read as follows:
Authority: 41 U.S.C. 1303 and 48 CFR chapter 1.
PART 204--ADMINISTRATIVE AND INFORMATION MATTERS
0
2. Revise subpart 204.75 to read as follows:
Subpart 204.75--Cybersecurity Maturity Model Certification
Sec.
204.7500 Scope of subpart.
204.7501 Definitions.
204.7502 Policy.
204.7503 Procedures.
204.7504 Solicitation provision and contract clause.
Subpart 204.75--Cybersecurity Maturity Model Certification
204.7500 Scope of subpart.
(a) This subpart prescribes policies and procedures for including
the Cybersecurity Maturity Model Certification (CMMC) level
requirements in DoD contracts. CMMC is a framework (see 32 CFR part
170) for assessing a contractor's compliance with applicable
information security requirements (see https://DoDcio.defense.gov/CMMC/
).
(b) This subpart does not abrogate any other requirements regarding
contractor physical, personnel, information, technical, or general
administrative security operations governing the protection of
unclassified information, nor does it affect requirements of the
National Industrial Security Program.
204.7501 Definitions.
As used in this subpart--
Controlled unclassified information means information the
Government creates or possesses, or an entity creates or possesses for
or on behalf of the Government, that a law, regulation, or
Governmentwide policy requires or permits an agency to handle using
safeguarding or dissemination controls (32 CFR 2002.4(h)).
Current means, with regard to Cybersecurity Maturity Model
Certification--
(1) Not older than 1 year for Level 1 self-assessments, with no
changes in CMMC compliance since the date of the assessment;
(2) Not older than 3 years for Level 2 certificates and self-
assessments, with no changes in CMMC compliance since the date of the
assessment;
(3) Not older than 3 years for Level 3 certificates, with no
changes in CMMC compliance since the date of the assessment; and
(4) Not older than 1 year for affirmations of continuous compliance
with the security requirements identified at 32 CFR part 170, with no
changes in CMMC compliance since the date of the affirmation.
DoD unique identifier means an alpha-numeric string of ten
characters assigned within the Supplier Performance Risk System to each
contractor assessment with the first two characters indicating the
confidence level of the assessment.
204.7502 Policy.
(a) The CMMC certificate or CMMC self-assessment level specified in
the contract is required for all information systems, used in the
performance of the contract, that will process, store, or
[[Page 66337]]
transmit Federal contract information (FCI) or controlled unclassified
information (CUI).
(b) Contractors are required to achieve, at time of award, a CMMC
certificate or CMMC self-assessment at the level specified in the
solicitation, or higher. Contractors are required to maintain a current
CMMC certificate or CMMC self-assessment at the specified level, if
required by the contract, task order, or delivery order, throughout the
life of the contract, task order, or delivery order.
(c) The CMMC assessments shall not duplicate efforts from any other
comparable DoD assessment, except for rare circumstances when a re-
assessment may be necessary, for example, when there are indications of
issues with cybersecurity and/or compliance with CMMC requirements.
204.7503 Procedures.
(a) The contracting officer shall include the CMMC level required
by the program office or requiring activity in the solicitation and
contract.
(b)(1) Contracting officers shall not award a contract, task order,
or delivery order to an offeror that does not have--
(i) The results of a current CMMC certificate or current CMMC self-
assessment at the level required by the solicitation, or higher, for
each DoD unique identifier (DoD UID) applicable to each of the
contractor information systems that will process, store, or transmit
FCI or CUI and that will be used in performance of the contract posted
in the Supplier Performance Risk System (SPRS) (see 32 CFR 170.15
through 170.18); and
(ii) A current affirmation of continuous compliance with the
security requirements identified at 32 CFR part 170 in SPRS for each
DoD UID applicable to each of the contractor information systems that
will process, store, or transmit FCI or CUI and that will be used in
performance of the contract.
(2) Contracting officers shall require the apparently successful
offeror to provide the DoD UID(s) applicable to each of the contractor
information systems that will process, store, or transmit FCI or CUI
and that will be used in performance of the contract. The contracting
officer shall ensure the program office or requiring activity reviews
the information described in paragraphs (b)(1)(i) and (ii) of this
section.
(c)(1) Contracting officers shall not exercise an option period or
extend the period of performance on a contract, task order, or delivery
order, unless the contractor has--
(i) A current CMMC certificate or CMMC self-assessment at the level
required by the contract, task order, or delivery order, or higher, for
each DoD UID applicable to each of the contractor information systems
that process, store, or transmit FCI or CUI and that are used in
performance of the contract; and
(ii) A current affirmation of continuous compliance with the
security requirements identified at 32 CFR part 170 in SPRS for each
DoD UID applicable to each of the contractor information systems that
process, store, or transmit FCI or CUI and that are used in performance
of the contract (see 252.204-7021, paragraph (b)(5)).
(2) The contracting officer shall ensure the program office or
requiring activity reviews the information described in paragraphs
(c)(1)(i) and (ii).
(d) If the contractor provides new DoD UIDs during performance of
the contract, the contracting officer shall ensure the program office
or requiring activity verifies in SPRS that the contractor--
(1) Has a current affirmation of continuous compliance with the
security requirements identified at 32 CFR part 170 for each DoD UID
applicable to each of the contractor information systems that process,
store, or transmit FCI or CUI (see 252.204-7021, paragraph (b)(5)); and
(2) Has a current CMMC certificate or CMMC self-assessment at the
required level, or higher, for each information system identified that
will process, store, or transmit FCI or CUI during contract performance
using the DoD UIDs assigned by SPRS.
204.7504 Solicitation provision and contract clause.
(a) Use the clause at 252.204-7021, Contractor Compliance with the
Cybersecurity Maturity Model Certification Level Requirements, in
solicitations and contracts, task orders, or delivery orders that
require the contractor to have a CMMC certificate or CMMC self-
assessment at a specific level, including those using FAR part 12
procedures for the acquisition of commercial products and commercial
services, except for solicitations and contracts or orders solely for
the acquisition of commercially available off-the-shelf items.
(b) Use the provision at 252.204-7YYY, Notice of Cybersecurity
Maturity Model Certification Level Requirements, in solicitations that
include the clause at 252.204-7021.
PART 212--ACQUISITION OF COMMERCIAL PRODUCTS AND COMMERCIAL
SERVICES
0
3. Amend section 212.301--
0
a. In paragraph (f)(ii)(L) by removing ``204.7503(a) and (b)'' and
adding ``204.7504(a)'' in its place; and
0
b. By adding paragraph (f)(ii)(P) to read as follows:
212.301 Solicitation provisions and contract clauses for the
acquisition of commercial products and commercial services.
* * * * *
(f) * * *
(ii) * * *
(P) Use the provision at 252.204-7YYY, Notice of Cybersecurity
Maturity Model Certification Level Requirements, as prescribed in
204.7504(b).
* * * * *
PART 217--SPECIAL CONTRACTING METHODS
0
4. Amend section 217.207--
0
a. In paragraph (c) introductory text by removing ``after:'' and adding
``after--'' in its place;
0
b. In paragraph (c)(1) by removing the period at the end of the
paragraph and adding ``; and'' in its place;
0
c. By revising paragraph (c)(2) introductory text;
0
d. In paragraph (c)(2)(i) by removing the period at the end of the
paragraph and adding ``; and'' in its place; and
0
e. By revising paragraph (c)(2)(ii).
The revisions read as follows:
217.207 Exercise of options.
(c) * * *
(2) Ensuring the program office or requiring activity verifies in
the Supplier Performance Risk System (https://piee.eb.mil) that--
* * * * *
(ii) If there is a requirement for the contractor to have a
Cybersecurity Maturity Model Certification (CMMC) certificate or CMMC
self-assessment at a specific level, the contractor has the required
affirmation(s) of continuous compliance with the security requirements
identified at 32 CFR part 170 and has posted the results of a current
(see 204.7501) CMMC certificate or CMMC self-assessment at the level
required by the contract, or higher. See 204.7503(c).
PART 252--SOLICITATION PROVISIONS AND CONTRACT CLAUSES
0
5. Revise section 252.204-7021 to read as follows:
[[Page 66338]]
252.204-7021 Contractor Compliance With the Cybersecurity Maturity
Model Certification Level Requirements.
As prescribed in 204.7504(a), insert the following clause:
Contractor Compliance With the Cybersecurity Maturity Model
Certification Level Requirements (Date)
(a) Definitions. As used in this clause--
Controlled unclassified information means information the
Government creates or possesses, or an entity creates or possesses
for or on behalf of the Government, that a law, regulation, or
Governmentwide policy requires or permits an agency to handle using
safeguarding or dissemination controls (32 CFR part 2002.4(h)).
Current means, with regard to Cybersecurity Maturity Model
Certification (CMMC)--
(1) Not older than 1 year for Level 1 self-assessments, with no
changes in CMMC compliance since the date of the assessment;
(2) Not older than 3 years for Level 2 certificates and self-
assessments, with no changes in CMMC compliance since the date of
the assessment;
(3) Not older than 3 years for Level 3 certificates, with no
changes in CMMC compliance since the date of the assessment; and
(4) Not older than 1 year for affirmations of continuous
compliance with the security requirements identified at 32 CFR part
170, with no changes in CMMC compliance since the date of the
affirmation.
Cybersecurity Maturity Model Certification means a framework for
assessing a contractor's compliance with applicable information
security requirements (see 32 CFR part 170).
DoD unique identifier means an alpha-numeric string of ten
characters assigned within the Supplier Performance Risk System to
each contractor assessment, with the first two characters indicating
the confidence level of the assessment.
(b) Requirements. The Contractor shall--
(1)(i) Have a current CMMC certificate or current CMMC self-
assessment at the following CMMC level, or higher: _____
[Contracting Officer to fill in the required CMMC level]; and
(ii) Consult 32 CFR part 170 related to flowing down information
in order to establish the correct CMMC level requirements for
subcontracts and other contractual instruments;
(2) Maintain the CMMC level required by this contract for the
duration of the contract for all information systems, used in
performance of the contract, that process, store, or transmit
Federal contract information (FCI) or controlled unclassified
information (CUI);
(3) Only process, store, or transmit data on information systems
that have a CMMC certificate or CMMC self-assessment at the CMMC
level required by the contract, or higher;
(4) Notify the Contracting Officer within 72 hours when there
are any lapses in information security or changes in the status of
CMMC certificate or CMMC self-assessment levels during performance
of the contract;
(5) Complete and maintain on an annual basis, or when changes
occur in CMMC compliance status (see 32 CFR part 170), an
affirmation of continuous compliance with the security requirements
associated with the CMMC level required in paragraph (b)(1) of this
clause in the Supplier Performance Risk System (SPRS) (https://piee.eb.mil) for each DoD unique identifier (DoD UID) applicable to
each of the contractor information systems that process, store, or
transmit FCI or CUI and that are used in performance of the
contract; and
(6) Ensure all subcontractors and suppliers complete and
maintain on an annual basis, or when changes occur in CMMC
compliance status (see 32 CFR part 170), an affirmation of
continuous compliance with the security requirements associated with
the CMMC level required for the subcontract or other contractual
instrument for each of the contractor information systems that
process, store, or transmit FCI or CUI and that are used in
performance of the contract.
(c) Reporting. The Contractor shall--
(1) Submit to the Contracting Officer the DoD UID(s) issued by
SPRS for contractor information systems that will process, store, or
transmit FCI or CUI during performance of the contract;
(2) Enter into SPRS the results of self-assessment(s) for each
DoD UID applicable to each of the contractor information systems
that process, store, or transmit FCI or CUI and that are used in
performance of the contract; and
(3) Report to the Contracting Officer any changes to the list of
DoD UIDs applicable to each of the contractor information systems
that process, store, or transmit FCI or CUI and that are used in
performance of the contract.
(d) Subcontracts. The Contractor shall--
(1) Insert the substance of this clause, including this
paragraph (d), and exclude paragraphs (b)(5) and (c), in
subcontracts and other contractual instruments, including those for
the acquisition of commercial products and commercial services,
excluding commercially available off-the-shelf items, when there is
a requirement under the subcontract or similar contractual
instrument for a CMMC level; and
(2) Prior to awarding a subcontract or other contractual
instrument, ensure that the subcontractor has a current CMMC
certificate or current CMMC self-assessment at the CMMC level that
is appropriate for the information that is being flowed down to the
subcontractor.
(End of clause)
0
6. Add section 252.204-7YYY to read as follows:
252.204-7YYY Notice of Cybersecurity Maturity Model Certification
Level Requirements.
As prescribed in 204.7504(b) use the following provision:
Notice of Cybersecurity Maturity Model Certification Level Requirements
(Date)
(a) Definitions. As used in this provision, controlled
unclassified information, current, Cybersecurity Maturity Model
Certification, and DoD unique identifier have the meaning given in
the Defense Federal Acquisition Regulation Supplement 252.204-7021,
Contractor Compliance With the Cybersecurity Maturity Model
Certification Level Requirements, clause of this solicitation.
(b)(1) Cybersecurity Maturity Model Certification (CMMC) level.
The CMMC certificate or CMMC self-assessment level required by this
solicitation is: _____ [Contracting Officer insert: CMMC Level 1
self-assessment; CMMC Level 2 certificate or CMMC self-assessment;
or CMMC Level 3 certificate]. This CMMC certificate or CMMC self-
assessment level, or higher, is required prior to award for each
contractor information system that will process, store, or transmit
Federal contract information (FCI) or controlled unclassified
information (CUI) during performance of the contract.
(2) The apparently successful offeror will not be eligible for
award of a contract, task order, or delivery order resulting from
this solicitation if the apparently successful offeror does not have
the results of a current CMMC certificate or self-assessment entered
in the Supplier Performance Risk System (SPRS) (https://piee.eb.mil)
at the CMMC level required by paragraph (b)(1) of this provision and
an affirmation of continuous compliance with the security
requirements identified at 32 CFR part 170 in SPRS for each of the
contractor information systems that will process, store, or transmit
FCI or CUI and that will be used in performance of a contract
resulting from this solicitation.
(c) DoD unique identifiers. At the request of the Contracting
Officer, the apparently successful offeror shall provide the DoD
unique identifier(s) issued by SPRS for each contractor information
system that will process, store, or transmit FCI or CUI during
performance of a contract, task order, or delivery order resulting
from this solicitation. The DoD unique identifier(s) are provided in
SPRS after the Offeror enters the results of self-assessment(s) for
each such information system.
(End of provision)
[FR Doc. 2024-18110 Filed 8-14-24; 8:45 am]
BILLING CODE 6001-FR-P