[Federal Register Volume 89, Number 199 (Tuesday, October 15, 2024)]
[Rules and Regulations]
[Pages 83092-83237]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-22905]
DEPARTMENT OF DEFENSE
Office of the Secretary
32 CFR Part 170
[Docket ID: DoD-2023-OS-0063]
RIN 0790-AL49
Cybersecurity Maturity Model Certification (CMMC) Program
AGENCY: Office of the Department of Defense Chief Information Officer
(CIO), Department of Defense (DoD).
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: With this final rule, DoD establishes the Cybersecurity
Maturity Model Certification (CMMC) Program in order to verify
contractors have implemented required security measures necessary to
safeguard Federal Contract Information (FCI) and Controlled
Unclassified Information (CUI). The mechanisms discussed in this rule
will allow the Department to confirm a defense contractor or
subcontractor has implemented the security requirements for a specified
CMMC level and is maintaining that status (meaning level and assessment
type) across the contract period of performance. This rule will be
updated as needed, using the appropriate rulemaking process, to address
evolving cybersecurity standards, requirements, threats, and other
relevant changes.
DATES: This rule is effective December 16, 2024. The incorporation by
reference of certain material listed in this rule is approved by the
Director of the Federal Register as of December 16, 2024.
FOR FURTHER INFORMATION CONTACT: Ms. Diane Knight, Office of the DoD
CIO at [email protected] or 202-770-9100.
SUPPLEMENTARY INFORMATION:
History of the Program
CMMC traces its beginnings to Executive Order (E.O.) 13556,\1\
Controlled Unclassified Information, issued in November 2010. The intent
of this Order was to ``establish an open and uniform program for
managing [unclassified] information that requires safeguarding or
dissemination controls.'' Prior to this E.O., more than 100 different
markings for this information existed across the executive branch. This
ad hoc, agency-specific approach created inefficiency and confusion,
led to a patchwork system that failed to adequately safeguard
information requiring protection, and unnecessarily restricted
information-sharing.
---------------------------------------------------------------------------
\1\ www.federalregister.gov/citation/75-FR-68675 (November 4,
2010).
---------------------------------------------------------------------------
As a result, the E.O. established the CUI Program to standardize
the way the executive branch handles information requiring safeguarding
or dissemination controls (excluding information that is classified
under E.O. 13526, Classified National Security Information \2\ or any
predecessor or successor order; or the Atomic Energy Act of 1954,\3\ as
amended).
---------------------------------------------------------------------------
\2\ www.federalregister.gov/citation/75-FR-707 (December 29,
2009).
\3\ www.govinfo.gov/link/uscode/42/2011, et seq.
---------------------------------------------------------------------------
In 2019, DoD announced the development of CMMC in order to move
away from a ``self-attestation'' model of security. It was first
conceived by the Office of the Under Secretary of Defense for
Acquisition and Sustainment (OUSD(A&S)) to secure the Defense
Industrial Base (DIB) sector against evolving cybersecurity threats. In
September 2020, DoD published the 48 CFR CMMC interim final rule,
Defense Federal Acquisition Regulation Supplement (DFARS): Assessing
Contractor Implementation of Cybersecurity Requirements (DFARS Case
2019-D041 85 FR 48513, September 9, 2020),\4\ which implemented the
DoD's vision for the initial CMMC Program and outlined the basic
features of the framework (tiered model of practices and processes,
required assessments, and implementation through contracts) to protect
FCI and CUI. The 48 CFR CMMC interim final rule became effective on 30
November 2020, establishing a five-year phase-in period. In response to
approximately 750 public comments on the 48 CFR CMMC interim final
rule, in March 2021, the Department initiated an internal review of
CMMC's implementation.
---------------------------------------------------------------------------
\4\ www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of.
---------------------------------------------------------------------------
In November 2021, the Department announced the revised CMMC
Program, an updated program structure and requirements designed to
achieve the primary goals of the internal review:
- Safeguard sensitive information to enable and protect the warfighter
- Enforce DIB cybersecurity standards to meet evolving threats
- Ensure accountability while minimizing barriers to compliance with
DoD requirements
- Perpetuate a collaborative culture of cybersecurity and cyber
resilience
- Maintain public trust through high professional and ethical standards
The revised CMMC Program has three key features:
- Tiered Model: CMMC requires companies entrusted with Federal contract
information and controlled unclassified information to implement
cybersecurity standards at progressively advanced levels, depending on
the type and sensitivity of the information. The program also describes
the process for requiring protection of information flowed down to
subcontractors.
- Assessment Requirement: CMMC assessments allow the Department to
verify the implementation of clear cybersecurity standards.
- Phased Implementation: Once CMMC rules become effective, certain DoD
contractors handling FCI and CUI will be required to achieve a
particular CMMC level as a condition of contract award. CMMC
requirements will be implemented using a 4-phase implementation plan
over a three-year period.
Current Status of the CMMC Program
Separate from this rulemaking, DoD has a proposed acquisition rule
(48 CFR part 204 CMMC Acquisition rule) to amend the Defense Federal
Acquisition Regulation Supplement (DFARS) to address procurement
related considerations and requirements related to this program rule
(32 CFR part 170 CMMC Program rule). The 48 CFR part 204 CMMC
Acquisition rule also partially implements a section of the National
Defense Authorization Act for Fiscal Year 2020 directing the Secretary
of Defense to develop a consistent, comprehensive framework to enhance
cybersecurity for the U.S. defense industrial base.\5\ The 48 CFR part
204 CMMC Acquisition rule, when finalized, will allow DoD to require a
specific CMMC level in a solicitation or contract. When CMMC
requirements are applied to a solicitation, contracting officers will
not make an award, exercise an option, or extend the period of
performance on a contract if the offeror or contractor does not have the passing
results of a current certification assessment or self-assessment for
the required CMMC level, and an affirmation of continuous compliance
with the security requirements in the Supplier Performance Risk System
(SPRS) \6\ for all information systems that process, store, or transmit
FCI or CUI during contract performance. Furthermore, the appropriate
CMMC certification requirements will flow down to subcontractors at all
tiers when
the subcontractor processes, stores, or transmits FCI or CUI. It should
be noted the Department may include CMMC requirements on contracts
awarded prior to 48 CFR part 204 CMMC Acquisition rule becoming
effective, but doing so will require bilateral contract modification
after negotiations.
---------------------------------------------------------------------------
\5\ www.federalregister.gov/documents/2024/08/15/2024-18110/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of.
\6\ www.sprs.csd.disa.mil/ under OMB control number 0750-0004.
---------------------------------------------------------------------------
To date, the DoD has relied on offeror representation that the
security requirements of National Institute of Standards and Technology
(NIST) Special Publication (SP) 800-171, ``Protecting Controlled
Unclassified Information in Nonfederal Systems and Organizations'' have
been met, as described by 48 CFR 252.204-7008. In some instances, the
DoD has verified contractor implementation of NIST SP 800-171 through
assessment by the Defense Contract Management Agency (DCMA) Defense
Industrial Base Cybersecurity Assessment Center (DIBCAC). As part of
this responsibility, DCMA DIBCAC assesses DIB companies to ensure they
are meeting contractually required cybersecurity standards and to
ensure contractors have the ability to protect CUI for government
contracts they are awarded. DCMA DIBCAC conducts NIST SP 800-171
assessments in support of 48 CFR 252.204-7012 (DFARS clause 252.204-
7012), Safeguarding Covered Defense Information and Cyber Incident
Reporting,\7\ and 48 CFR 252.204-7020 (DFARS clause 252.204-7020), NIST
SP 800-171 DoD Assessment Requirements.\8\ The DCMA DIBCAC
prioritization process is designed to adjust as DoD's cyber priorities
evolve based on ongoing threats. DCMA DIBCAC collects and analyzes data
on DoD contractors to include:
---------------------------------------------------------------------------
\7\ www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting.
\8\ www.acquisition.gov/dfars/252.204-7020-nist-sp-800-171dod-assessment-requirements.
---------------------------------------------------------------------------
- Mission critical programs, technologies, and infrastructure and the
contractors (prime or lower tier) that support DoD capabilities.
- Cyber threats, vulnerabilities, or incidents.
- DoD Leadership requests.
To date, DCMA DIBCAC has assessed 357 entities including DoD's
major prime contractors. In accordance with NIST SP 800-171, titled
``Protecting Controlled Unclassified Information in Nonfederal Systems
and Organizations,'' Revision 2, February 2020 (includes updates as of
January 28, 2021) (NIST SP 800-171 R2), contractors must describe in a
System Security Plan (SSP) \9\ how the security requirements are met or
how the organizations plan to meet the requirements and address known
and anticipated threats. In the event companies cannot establish full
compliance, they must develop plans of action that describe how
unimplemented security requirements will be met and how any planned
mitigations will be implemented. Although an explicit time limit for
mitigation is not specified in NIST SP 800-171 R2, contractors that
fail to reasonably comply with applicable requirements may be subject
to standard contractual remedies. The CMMC Program's assessment phase-
in plan, as described in Sec. 170.3, does not preclude entities from
immediately seeking a CMMC certification assessment prior to the 48 CFR
part 204 CMMC Acquisition rule being finalized and the clause being
added to new or existing DoD contracts.
---------------------------------------------------------------------------
\9\ Required since November 2016, NIST SP 800-171 R2 security
requirement 3.12.4 states organizations must ``develop, document,
and periodically update system security plans that describe system
boundaries, system environments of operation, how security
requirements are implemented, and the relationships with or
connections to other systems.''
---------------------------------------------------------------------------
The Department estimates 8350 medium and large entities will be
required to meet CMMC Level 2 C3PAO assessment requirements as a
condition of contract award. CMMC Level 2 requirements will apply to
all contractors that process, store, or transmit CUI, and will provide
DoD with a means to assess that CUI safeguarding requirements
prescribed in 32 CFR part 2002 have been met. DoD estimates 135 CMMC
Third-Party Assessment Organization (C3PAO)-led certification
assessments will be completed in the first year, 673 C3PAO
certification assessments in year 2, 2,252 C3PAO certification
assessments in year 3, and 4,452 C3PAO certification assessments in
year four.
Any DoD component can request DCMA DIBCAC to initiate an assessment
and these requests will take priority in the assessment scheduling
process. Once identified for assessment, DCMA DIBCAC determines the
assessment date and notifies the company to begin the pre-assessment
process. Typically, planning and scheduling takes place 3 to 6 months
in advance of a DCMA DIBCAC assessment to allow DCMA DIBCAC and the DIB
company time to prepare; however, DoD's identified priorities may
expedite the execution of an assessment. As discussed in more detail in
the regulatory text, assessment results are reported to DoD, including
key stakeholders via SPRS and made available to the DIB company. Please
see the DCMA DIBCAC website at www.dcma.mil/DIBCAC/ that includes links
to the pre-assessment documents; a publicly releasable version of the
assessment database; FAQs; an informational video; a link to
Procurement Integrated Enterprise Environment (PIEE), the primary
enterprise procure-to-pay application for the DoD; a link to SPRS where
assessment scores are posted; and links to other reference materials.
As discussed in more detail later in the regulatory text, all
requirements that are scored as NOT MET are identified in a Plan of
Action and Milestones (POA&M) to meet the CMMC requirement.
Organizations Seeking Assessment (OSAs) satisfy the CMMC requirements
needed for contract award by successfully meeting all 110 security
requirements of NIST SP 800-171 R2 or by receiving a Conditional CMMC
Status when achieving the minimum passing score of 80 percent and only
including permittable NOT MET requirements as described in Sec. 170.21
on the POA&M. All requirements that were scored ``NOT MET'' and placed
on the POA&M must be remedied within 180 days of receiving their
Conditional CMMC Status. Proper implementation of these requirements
must be verified by a second assessment, called a POA&M closeout
assessment. If the POA&M closeout assessment finds that all
requirements have been met, then the OSA will achieve a CMMC Status of
Final Level 2 (Self) or Final Level 2 (C3PAO) as applicable. However,
if the POA&M closeout assessment does not validate all requirements
have been met by the end of the 180 days, then the CMMC Status of
Conditional Level 2 (Self) or Conditional Level 2 (C3PAO) will expire
and at this point, standard contractual remedies will apply for any
current contract.
DoD has created a series of guidance documents to assist
organizations in better understanding the CMMC Program and the
assessment process and scope for each CMMC level. These guidance
documents are available on the DoD CMMC website at https://dodcio.defense.gov/CMMC/Documentation/ and on the DoD Open Government
website at https://open.defense.gov/Regulatory-Program/Guidance-Documents/. The CMMC Program has also been incorporated in the
Department's 2024 Defense Industrial Base Cybersecurity Strategy.\10\
The strategy requires the Department to coordinate and collaborate
across components to identify and close gaps
in protecting DoD networks, supply chains, and other critical
resources. Other prongs of the Department's cybersecurity strategy are
described in the Department's National Industrial Security Program
Operating Manual (NISPOM) which address implementation of the Security
Executive Agent Directive (SEAD) 3 \11\ procedures for the protection
and reproduction of classified information; controlled unclassified
information (CUI); National Interest Determination (NID) requirements
for cleared contractors operating under a Special Security Agreement
for Foreign Ownership, Control, or Influence; and eligibility
determinations for personnel security clearance processes and
requirements.\12\
---------------------------------------------------------------------------
\10\ https://media.defense.gov/2024/Mar/28/2003424523/-1/-1/1/DOD_DOB_CS_STRATEGY_DSD_SIGNED_20240325.PDF.
\11\ www.govinfo.gov/content/pkg/FR-2020-12-21/pdf/2020-27698.pdf.
\12\ www.dcsa.mil/Industrial-Security/National-Industrial-Security-Program-Oversight/32-CFR-Part-117-NISPOM-Rule/.
---------------------------------------------------------------------------
Overview of Revised CMMC Program
Current Requirements for Defense Contractors and Subcontractors
Currently, Federal contracts (including defense contracts)
involving the transfer of FCI to a non-Government organization follow
the requirements specified in 48 CFR 52.204-21 (Federal Acquisition
Regulation (FAR) clause 52.204-21), Basic Safeguarding of Covered
Contractor Information Systems.\13\ FAR clause 52.204-21 requires
compliance with 15 security requirements, FAR clause 52.204-21 (b)(1),
items (i) through (xv). These requirements are the minimum necessary
for any entity wishing to receive FCI from the US Government (USG).
---------------------------------------------------------------------------
\13\ www.acquisition.gov/far/52.204-21.
---------------------------------------------------------------------------
Defense contracts involving the development or transfer of CUI to a
non-Government organization require applicable requirements of DFARS
clause 252.204-7012.\14\ This clause requires defense contractors to
provide adequate security on all covered contractor information systems
by implementing the 110 security requirements specified in NIST SP 800-
171. This clause includes additional requirements; for example, defense
contractors must confirm that any Cloud Service Providers (CSPs) used
by the contractor to handle CUI meet Federal Risk and Authorization
Management Program (FedRAMP) Moderate Baseline or the equivalent
requirements. It also requires defense contractors to flow down all the
requirements to their subcontractors who process, store, or transmit
CUI. The CMMC Program currently does not include any requirements for
contractors operating systems on behalf of the DoD.
---------------------------------------------------------------------------
\14\ www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting.
---------------------------------------------------------------------------
To comply with DFARS clause 252.204-7012, contractors are required
to develop a SSP \15\ detailing the policies and procedures their
organization has in place to comply with NIST SP 800-171. The SSP
serves as a foundational document for the required NIST SP 800-171
self-assessment. To comply with 48 CFR 252.204-7019 (DFARS provision
252.204-7019) and DFARS clause 252.204-7020, self-assessment scores
must be submitted.\16\ The highest score is 110, meaning all 110 NIST
SP 800-171 security requirements have been fully implemented. If a
contractor's Supplier Performance Risk System (SPRS) score is less than
110, indicating security gaps exist, then the contractor must create a
plan of action \17\ identifying security tasks that still need to be
accomplished. In essence, an SSP describes the cybersecurity plan the
contractor has in place to protect CUI. The SSP needs to address each
NIST SP 800-171 security requirement and explain how the requirement is
implemented. This can be through policy, technology, or a combination
of both.
---------------------------------------------------------------------------
\15\ Required since November 2016, NIST SP 800-171 R2 security
requirement 3.12.4 states organizations must ``develop, document,
and periodically update system security plans that describe system
boundaries, system environments of operation, how security
requirements are implemented, and the relationships with or
connections to other systems.''
\16\ www.sprs.csd.disa.mil/ under OMB control number 0750-0004.
\17\ The plan of action requirement described under DFARS clause
252.204-7020 is different from a Plan of Action and Milestones
(POA&M) requirement in CMMC as plans of action do not require
milestones.
---------------------------------------------------------------------------
In November 2020, the DoD released its 48 CFR CMMC interim final
rule, the Defense Federal Acquisition Regulation Supplement: Assessing
Contractor Implementation of Cybersecurity Requirements \18\ (DFARS
Case 2019-D041, 85 FR 61505, November 30, 2020). The goal of this rule
was to increase compliance with its cybersecurity regulations and
improve security throughout the DIB. This rule introduced one new
provision and two new clauses--DFARS provision 252.204-7019, DFARS
clause 252.204-7020, and 48 CFR 252.204-7021 (DFARS clause 252.204-
7021).
---------------------------------------------------------------------------
\18\ www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of.
---------------------------------------------------------------------------
DFARS provision 252.204-7019 complements DFARS clause
252.204-7012 by requiring contractors to have a NIST SP 800-171
assessment (basic, medium, or high) according to NIST SP 800-171 DoD
Assessment Methodology.\19\ Assessment scores must be reported to the
Department via SPRS. SPRS scores must be submitted by the time of
contract award and not be more than three years old.
---------------------------------------------------------------------------
\19\ www.acq.osd.mil/asda/dpc/cp/cyber/docs/safeguarding/NIST-SP-800-171-Assessment-Methodology-Version-1.2.1-6.24.2020.pdf.
---------------------------------------------------------------------------
DFARS clause 252.204-7020 notifies contractors that DoD
reserves the right to conduct a higher-level assessment of contractors'
cybersecurity compliance, and contractors must give DoD assessors full
access to their facilities, systems, and personnel. Further, DFARS
clause 252.204-7020 complements DFARS clause 252.204-7012's flow down
requirements by holding contractors responsible for confirming their
subcontractors have SPRS scores on file prior to awarding them
contracts.
DFARS clause 252.204-7021 paves the way for rollout of the
CMMC Program. Once CMMC is implemented, the required CMMC Level and
assessment type will be specified in the solicitation and resulting
contract. Contractors handling FCI or CUI will be required to meet the
CMMC requirement specified in the contract. DFARS clause 252.204-7021
also stipulates contractors will be responsible for flowing down the
CMMC requirements to their subcontractors.
CFR Part 170 Additional Requirements for Defense Contractors and
Subcontractors Discussed in This Final Rule
When this 32 CFR part 170 CMMC Program rule and the complementary
48 CFR part 204 CMMC Acquisition rule are finalized and following a
phased implementation plan, solicitations and resulting defense
contracts involving the processing, storing, or transmitting of FCI or
CUI on a non-Federal system will, unless waived, have a CMMC level and
assessment type requirement that a contractor must meet to be eligible
for a contract award. The four phases of the implementation plan add
CMMC level requirements incrementally, starting in Phase 1 with self-
assessments, and ending in Phase 4, which represents full
implementation of program requirements. The DoD elected to base the
phase-in plan on the level and type of assessment to provide time to
train the necessary number of assessors, and to allow companies time to
understand and implement CMMC requirements. Details of each phase are
addressed in
Sec. 170.3(e). In Phases 2 and 3, DoD will implement CMMC Level 2 and
Level 3 certification requirements, respectively. At full
implementation (Phase 4), DoD will include CMMC requirements in all
applicable DoD contracts and option periods on contracts awarded after
the beginning of Phase 4.
Table 1 defines the requirements for each CMMC level and assessment
type.
Table 1--CMMC Level and Assessment Requirements
----------------------------------------------------------------------------------------------------------------
Level 1 (Self)
    Source & number of security reqts.: 15 required by FAR clause
    52.204-21.
    Assessment reqts.: Conducted by Organization Seeking Assessment
    (OSA) annually. Results entered into SPRS (or its successor
    capability).
    Plan of action & milestones (POA&M) reqts.: Not permitted.
    Affirmation reqts.: After each assessment. Entered into SPRS.
Level 2 (Self)
    Source & number of security reqts.: 110 NIST SP 800-171 R2 required
    by DFARS clause 252.204-7012.
    Assessment reqts.: Conducted by OSA every 3 years. Results entered
    into SPRS (or its successor capability). CMMC Status will be valid
    for three years from the CMMC Status Date as defined in Sec. 170.4.
    Plan of action & milestones (POA&M) reqts.: Permitted as defined in
    Sec. 170.21(a)(2) and must be closed out within 180 days. Final CMMC
    Status will be valid for three years from the Conditional CMMC
    Status Date.
    Affirmation reqts.: After each assessment and annually thereafter.
    Assessment will lapse upon failure to annually affirm. Entered into
    SPRS (or its successor capability).
Level 2 (C3PAO)
    Source & number of security reqts.: 110 NIST SP 800-171 R2 required
    by DFARS clause 252.204-7012.
    Assessment reqts.: Conducted by C3PAO every 3 years. Results entered
    into CMMC Enterprise Mission Assurance Support Service (eMASS) (or
    its successor capability). CMMC Status will be valid for three years
    from the CMMC Status Date as defined in Sec. 170.4.
    Plan of action & milestones (POA&M) reqts.: Permitted as defined in
    Sec. 170.21(a)(2) and must be closed out within 180 days. Final CMMC
    Status will be valid for three years from the Conditional CMMC
    Status Date.
    Affirmation reqts.: After each assessment and annually thereafter.
    Assessment will lapse upon failure to annually affirm. Entered into
    SPRS (or its successor capability).
Level 3 (DIBCAC)
    Source & number of security reqts.: 110 NIST SP 800-171 R2 required
    by DFARS clause 252.204-7012. 24 selected from NIST SP 800-172
    Feb2021, as detailed in table 1 to Sec. 170.14(c)(4).
    Assessment reqts.: Pre-requisite CMMC Status of Level 2 (C3PAO) for
    the same CMMC Assessment Scope, for each Level 3 certification
    assessment. Conducted by Defense Contract Management Agency (DCMA)
    Defense Industrial Base Cybersecurity Assessment Center (DIBCAC)
    every 3 years. Results entered into CMMC eMASS (or its successor
    capability). CMMC Status will be valid for three years from the CMMC
    Status Date as defined in Sec. 170.4.
    Plan of action & milestones (POA&M) reqts.: Permitted as defined in
    Sec. 170.21(a)(3) and must be closed out within 180 days. Final CMMC
    Status will be valid for three years from the Conditional CMMC
    Status Date.
    Affirmation reqts.: After each assessment and annually thereafter.
    Assessment will lapse upon failure to annually affirm. Level 2
    (C3PAO) affirmation must also continue to be completed annually.
    Entered into SPRS (or its successor capability).
----------------------------------------------------------------------------------------------------------------
Program Walkthrough--Contractor Perspective
This section will provide a simplified walkthrough of the CMMC
Program from the perspective of an Organization Seeking Assessment
(OSA) seeking to comply with program requirements.
CMMC Level Selection
An OSA will select the CMMC level it desires to attain. Once the
CMMC Program is implemented, a DoD solicitation will specify the
minimum CMMC Status required to be eligible for award. One of four CMMC
Statuses will be specified:
Level 1 (Self) is a self-assessment to secure FCI
processed, stored, or transmitted in the course of fulfilling the
contract. The OSA must comply with the 15 security requirements set by
FAR clause 52.204-21. All 15 requirements must be met in full--no
exceptions are allowed.
Level 2 (Self) is a self-assessment to secure CUI
processed, stored, or transmitted in the course of fulfilling the
contract. The OSA must comply with the 110 Level 2 security
requirements derived from NIST SP 800-171 R2.
Level 2 (C3PAO) differs from Level 2 (Self) in the method
of verifying compliance. OSAs must hire a C3PAO to conduct an
assessment of the OSA's compliance with the 110 security requirements
of NIST SP 800-171 R2. OSAs can shop for C3PAOs on the CMMC
Accreditation Body (AB) Marketplace.
Level 3 (DIBCAC) is a government assessment of 24
additional requirements derived from NIST SP 800-172, titled ``Enhanced
Security Requirements for Protecting Controlled Unclassified
Information: A Supplement to NIST Special Publication 800-171,''
February 2021 (NIST SP 800-172 Feb2021). The OSA must ensure that they
have already achieved a CMMC Status of Final Level 2 (C3PAO) before
seeking CMMC Status of Final Level 3 (DIBCAC). Once this is done, an
OSA should then initiate a Level 3 certification assessment by emailing
a request to Defense Contract Management Agency (DCMA) Defense
Industrial Base Cybersecurity Assessment Center (DIBCAC) point of
contact found at www.dcma.mil/DIBCAC, being sure to include the Level 2
(C3PAO) certification unique identifier in the email.
Scoping
In order to achieve a specified CMMC Status, OSAs must first
identify which information systems, including systems or services
provided by External Service Providers (ESPs), will process, store, or
transmit FCI, for Level 1 (Self), and CUI for all other CMMC Statuses.
These information systems constitute the scope of the assessment.
Within these information systems, for Level 2 and Level 3 the
assets should be further broken down into asset categories: Contractor
Risk Managed Assets (Level 2), Security Protection Assets (Level 2 and
3), and Specialized Assets (Level 2 and 3). For Level 1 all assets,
with the exclusion of Specialized Assets, are simply identified as
either in-scope or out-of-scope based on whether they process, store,
or transmit FCI. Definitions and treatment of these categories as they
relate to assessment scoping, treatment of ESPs, and treatment of
assets which cannot be secured due to their inherent design, can be
found at Sec. 170.19.
Assessment and Affirmation
a. OSAs that meet all 15 Level 1 requirements have achieved CMMC
Status of Final Level 1 (Self). The OSA
must submit an affirmation of compliance with FAR clause 52.204-21
requirements in SPRS. At this point, OSAs have satisfied the CMMC
requirements needed for award of contracts requiring a CMMC Status of
Final Level 1 (Self). To maintain a CMMC Status of Final Level 1
(Self), this entire process must be repeated in full on an annual
basis, including both self-assessment and affirmation.
b. For Level 2 assessments, if all 110 requirements are satisfied,
the assessment score will be 110 and the OSA will have achieved a CMMC
Status of Final Level 2 (Self) or Final Level 2 (C3PAO) as applicable
and is eligible for contract award as long as all other contractual
requirements are met.
Not all requirements must immediately be MET to be eligible for
contract award. If the minimum score is achieved on the assessment
(equal to 80% of the maximum score) and certain critical requirements
are met, OSAs will achieve a CMMC Status of Conditional Level 2 (Self)
or Conditional Level 2 (C3PAO) as applicable. All NOT MET requirements
must be noted in an assessment Plan of Action and Milestones (POA&M).
At this point the OSA will have satisfied the CMMC requirements needed
for contract award. OSAs must have met all 110 security requirements of
NIST SP 800-171 R2 within 180 days of receiving their Conditional CMMC
Status, which must be verified with a second assessment, called a POA&M
closeout assessment. If the POA&M closeout assessment finds that all
requirements have been met, then the OSA will achieve a CMMC Status of
Final Level 2 (Self) or Final Level 2 (C3PAO) as applicable. However,
if a POA&M closeout assessment does not find that all requirements have
been met by the end of 180 days, then the CMMC Status of Conditional
Level 2 (Self) or Conditional Level 2 (C3PAO) will expire. At this
point, standard contractual remedies will apply.
The OSA should submit an affirmation into SPRS after achieving a
CMMC Status of Conditional Level 2 (Self) or CMMC Status of Conditional
Level 2 (C3PAO) as applicable. OSAs should submit an affirmation once a
CMMC Status of Final Level 2 (Self) or Final Level 2 (C3PAO) as
applicable is achieved. Being eligible for contracts subject to CMMC
Level 2 (Self) also indicates eligibility for contracts subject to
Level 1 (Self), and being eligible for contracts subject to CMMC Level
2 (C3PAO) also indicates eligibility for contracts subject to Level 1
(Self) and Level 2 (Self), assuming all other contractual requirements
are met. OSAs must reaffirm in SPRS their compliance with CMMC Level 2
requirements annually but need only conduct a new assessment every
three years. These deadlines are based on the CMMC Status Date of the
Conditional Status if a POA&M was required or the Final Status if the
assessment resulted in a score of 110. The CMMC Status Date is not based
on the date of a POA&M closeout assessment.
c. For Level 3 assessments, OSAs should note that asset categories
are assessed against security requirements differently than they are at
Level 2. In particular, Contractor Risk Managed Assets identified in a
Level 2 scope are treated as CUI Assets if they reside within a Level 3
scope. Definitions and treatment of these assets at Level 3 as they
relate to scoping of the assessment, in addition to treatment of ESPs,
are described in Sec. 170.19(d).
During the course of assessment, DCMA DIBCAC will focus on
assessing compliance with all 24 selected requirements derived from
NIST SP 800-172 Feb2021, but limited checks may be performed on the 110
requirements from NIST SP 800-171 R2. If DCMA DIBCAC identifies that
all 24 requirements from NIST SP 800-172 Feb2021 are satisfied, the OSA
will have achieved a CMMC Status of Final Level 3 (DIBCAC) and is
eligible for contract award as long as all other contractual
requirements are met. Not all requirements must immediately be MET to
be eligible for contract award. If the minimum score is achieved on the
assessment (equal to 80% of the maximum score of 24) and certain
critical requirements are met, OSAs will achieve a CMMC Status of
Conditional Level 3 (DIBCAC), and all NOT MET requirements must be
noted in a POA&M. At this point the OSA will have satisfied the CMMC
requirements needed for contract award.
OSAs must have met all 24 selected security requirements of NIST SP
800-172 Feb2021 within 180 days of receiving their Conditional CMMC
Status, which must be verified with a POA&M closeout assessment by DCMA
DIBCAC. If the POA&M closeout assessment finds that all requirements
have been met, then the OSA will achieve a CMMC Status of Final Level 3
(DIBCAC). However, if a POA&M closeout assessment does not find that
all requirements have been met by the end of 180 days, then the CMMC
Status of Conditional Level 3 (DIBCAC) will expire. At this point,
standard contractual remedies will apply.
The OSA should submit an affirmation into SPRS after achieving a
CMMC Status of Conditional Level 3 (DIBCAC) if applicable and once a
CMMC Status of Final Level 3 (DIBCAC) is achieved. Being eligible for
contracts subject to CMMC Level 3 (DIBCAC) also indicates eligibility
for contracts subject to Level 1 (Self), Level 2 (Self), and Level 2
(C3PAO), assuming all other contractual requirements are met. To
maintain CMMC Level 3 (DIBCAC) status, an OSA must undergo both a Level
2 certification assessment and a Level 3 certification assessment every
three years and separately affirm compliance with Level 2 and Level 3
requirements in SPRS annually. These deadlines are based on the CMMC
Status Date of the Conditional certification if applicable or the CMMC
Status Date of the Final determination. CMMC Status Date is not based
on the date of a POA&M closeout assessment.
Flow-Down
If the OSA employs subcontractors to fulfill the contract, those
subcontractors must also have a minimum CMMC Status as shown in table
2.
Table 2--Minimum Flow-Down Requirements
------------------------------------------------------------------------
                              Minimum subcontractor requirement if the
                              subcontractor will process, store, or transmit
Prime contractor requirement  ---------------------------------------------
                              FCI                   CUI
------------------------------------------------------------------------
Level 1 (Self)..............  Level 1 (Self)......  N/A.
Level 2 (Self)..............  Level 1 (Self)......  Level 2 (Self).
Level 2 (C3PAO).............  Level 1 (Self)......  Level 2 (C3PAO).
Level 3 (DIBCAC)............  Level 1 (Self)......  Level 2 (C3PAO).
------------------------------------------------------------------------
Summary of Provisions Contained in This Rule
Section 170.1 Purpose
Section 170.1 addresses the purpose of this rule. It describes the
CMMC Program and establishes policy for requiring the protection of FCI
and CUI that is processed, stored, or transmitted on defense contractor
and subcontractor information systems. The security standards utilized
in the CMMC Program are from the FAR clause 52.204-21; DFARS clause
252.204-7012 that implements NIST SP 800-171 R2; and selected
requirements from the NIST SP 800-172 Feb2021, as applicable. The
purpose of the CMMC Program is for contractors and subcontractors to
demonstrate that FCI and CUI being processed, stored, or transmitted is
adequately safeguarded through the methodology provided in the rule.
Section 170.2 Incorporation by Reference
Section 170.2 addresses the standards and guidelines that are
incorporated by reference. The Director of the Federal Register under 5
U.S.C. 552(a) and 1 CFR part 51 approves any materials that are
incorporated by reference. Materials that are incorporated by reference
in this rule are reasonably available. Information on how to access the
documents is detailed in Sec. 170.2. Materials that are incorporated
by reference in this rule are from the NIST (see Sec. 170.2(a)), the
Committee on National Security Systems (see Sec. 170.2(b)), and the
International Organization for Standardization/International
Electrotechnical Commission (ISO/IEC) (see Sec. 170.2(c)) which may
require payment of a fee.
Note: While the ISO/IEC standards are issued jointly, they are
available from the ISO Secretariat (see Sec. 170.2(c)).
The American National Standards Institute (ANSI) IBR Portal
provides access to standards that have been incorporated by reference
in the U.S. Code of Federal Regulations at https://ibr.ansi.org. These
standards incorporated by the U.S. government in rulemakings are
offered at no cost in ``read only'' format and are presented for online
reading. There are no print or download options. All users will be
required to install the FileOpen plug-in and accept an online end user
license agreement prior to accessing any standards.
The materials that are incorporated by reference are summarized
below.
(a) Federal Information Processing Standard (FIPS) Publication
(PUB) 200 (FIPS PUB 200), titled ``Minimum Security Requirements for
Federal Information and Information Systems,'' is the second of two
security standards mandated by the Federal Information Security
Management Act (FISMA). It specifies minimum security requirements for
information and information systems supporting the executive agencies
of the Federal government and a risk-based process for selecting the
security controls necessary to satisfy the minimum-security
requirements. This standard promotes the development, implementation,
and operation of more secure information systems within the Federal
Government by establishing minimum levels of due diligence for
information security and facilitating a more consistent, comparable,
and repeatable approach for selecting and specifying security controls
for information systems that meet minimum security requirements. This
document is incorporated by reference as a source for definitions.
(b) FIPS PUB 201-3, titled ``Personal Identity Verification (PIV)
of Federal Employees and Contractors,'' establishes a standard for a
PIV system that meets the control and security objectives of Homeland
Security Presidential Directive-12. It is based on secure and reliable
forms of identity credentials issued by the Federal Government to its
employees and contractors. These credentials are used by mechanisms
that authenticate individuals who require access to federally
controlled facilities, information systems, and applications. This
Standard addresses requirements for initial identity proofing,
infrastructure to support interoperability of identity credentials, and
accreditation of organizations and processes issuing PIV credentials.
This document is incorporated by reference as a source for definitions.
(c) NIST SP 800-37, titled ``Risk Management Framework for
Information Systems and Organizations: A System Life Cycle Approach for
Security and Privacy,'' Revision 2 (NIST SP 800-37 R2), describes the
Risk Management Framework (RMF) and provides guidelines for applying
the RMF to information systems and organizations. The RMF provides a
disciplined, structured, and flexible process for managing security and
privacy risk that includes information security categorization; control
selection, implementation, and assessment; system and common control
authorizations; and continuous monitoring. The RMF includes activities
to prepare organizations to execute the framework at appropriate risk
management levels. The RMF also promotes near real-time risk management
and ongoing information system and common control authorization through
the implementation of continuous monitoring processes; provides senior
leaders and executives with the necessary information to make
efficient, cost-effective, risk management decisions about the systems
supporting their missions and business functions; and incorporates
security and privacy into the system development life cycle. Executing
the RMF tasks links essential risk management processes at the system
level to risk management processes at the organization level. In
addition, it establishes responsibility and accountability for the
controls implemented within an organization's information systems and
inherited by those systems. This document is incorporated by reference
as a source for definitions.
(d) NIST SP 800-39, titled ``Managing Information Security Risk:
Organization, Mission, and Information System View,'' March 2011 (NIST
SP 800-39 Mar2011), provides guidance for an integrated, organization-
wide program for managing information security risk to organizational
operations (i.e., mission, functions, image, and reputation),
organizational assets, individuals, other organizations, and the Nation
resulting from the operation and use of Federal information systems.
NIST SP 800-39 Mar2011 provides a structured, yet flexible approach for
managing risk that is intentionally broad-based, with the specific
details of assessing, responding to, and monitoring risk on an ongoing
basis provided by other supporting NIST security standards and
guidelines. The guidance provided in this publication is not intended
to replace or subsume other risk-related activities, programs,
processes, or approaches that organizations have implemented or intend
to implement addressing areas of risk management covered by other
legislation, directives, policies, programmatic initiatives, or
mission/business requirements. Rather, the risk management guidance
described herein is complementary to and should be used as part of a
more comprehensive Enterprise Risk Management (ERM) program. This
document is incorporated by reference as a source for definitions.
(e) NIST SP 800-53, titled ``Security and Privacy Controls for
Information Systems and Organizations,'' Revision 5 (NIST SP 800-53
R5), provides a catalog of security and privacy controls for
information systems and organizations to protect organizational
operations and assets, individuals, other organizations,
and the Nation from a diverse set of threats and risks, including
hostile attacks, human errors, natural disasters, structural failures,
foreign intelligence entities, and privacy risks. The controls are
flexible and customizable and implemented as part of an organization-
wide process to manage risk. The controls address diverse requirements
derived from mission and business needs, laws, executive orders,
directives, regulations, policies, standards, and guidelines. Finally,
the consolidated control catalog addresses security and privacy from a
functionality perspective (i.e., the strength of functions and
mechanisms provided by the controls) and from an assurance perspective
(i.e., the measure of confidence in the security or privacy capability
provided by the controls). Addressing functionality and assurance helps
to ensure that information technology products and the systems that
rely on those products are sufficiently trustworthy. This document is
incorporated by reference as a source for definitions.
(f) NIST SP 800-82r3, titled ``Guide to Operational Technology (OT)
Security,'' September 2023 (NIST SP 800-82r3), provides guidance on how
to secure ICS, including Supervisory Control and Data Acquisition
(SCADA) systems, Distributed Control Systems (DCS), and other control
system configurations such as Programmable Logic Controllers (PLC),
while addressing their unique performance, reliability, and safety
requirements. The document provides an overview of ICS and typical
system topologies, identifies typical threats and vulnerabilities to
these systems, and provides recommended security countermeasures to
mitigate the associated risks. This document is incorporated by
reference as a source for definitions.
(g) NIST SP 800-115, titled ``Technical Guide to Information
Security Testing and Assessment,'' September 2008 (NIST SP 800-115
Sept2008), assists organizations in planning and conducting technical
information security tests and examinations, analyzing findings, and
developing mitigation strategies. The guide provides practical
recommendations for designing, implementing, and maintaining technical
information security test and examination processes and procedures.
These can be used for several purposes, such as finding vulnerabilities
in a system or network and verifying compliance with a policy or other
requirements. The guide is not intended to present a comprehensive
information security testing and examination program but rather an
overview of key elements of technical security testing and examination,
with an emphasis on specific technical techniques, the benefits and
limitations of each, and recommendations for their use. This document
is incorporated by reference as a source for definitions.
(h) NIST SP 800-160, Volume 2, titled ``Developing Cyber-Resilient
Systems: A Systems Security Engineering Approach,'' Revision 1,
December 2021 (NIST SP 800-160 V2R1), focuses on cyber resiliency
engineering--an emerging specialty systems engineering discipline
applied in conjunction with systems security engineering and resilience
engineering to develop survivable, trustworthy secure systems. Cyber
resiliency engineering intends to architect, design, develop,
implement, maintain, and sustain the trustworthiness of systems with
the capability to anticipate, withstand, recover from, and adapt to
adverse conditions, stresses, attacks, or compromises that use or are
enabled by cyber resources. From a risk management perspective, cyber
resiliency is intended to help reduce the mission, business,
organizational, enterprise, or sector risk of depending on cyber
resources. This document is incorporated by reference as a source for
definitions.
(i) NIST SP 800-171, titled ``Protecting Controlled Unclassified
Information in Nonfederal Systems and Organizations,'' Revision 2,
February 2020 (includes updates as of January 28, 2021) (NIST SP 800-
171 R2), provides agencies with recommended security requirements for
protecting the confidentiality of CUI when the information is resident
in nonfederal systems and organizations; when the nonfederal
organization is not collecting or maintaining information on behalf of
a Federal agency or using or operating a system on behalf of an agency;
and where there are no specific safeguarding requirements for
protecting the confidentiality of CUI prescribed by the authorizing
law, regulation, or governmentwide policy for the CUI category listed
in the CUI Registry. The requirements apply to all components of
nonfederal systems and organizations that process, store, and/or
transmit CUI, or that provide protection for such components. The
security requirements are intended for use by Federal agencies in
contractual vehicles or other agreements established between those
agencies and nonfederal organizations. This document is incorporated by
reference as a foundational source for definitions and security
requirements.
(j) NIST SP 800-171A, titled ``Assessing Security Requirements for
Controlled Unclassified Information,'' June 2018 (NIST SP 800-171A
Jun2018), provides Federal and non-Federal organizations with
assessment procedures and a methodology that can be employed to conduct
assessments of the CUI security requirements in NIST SP 800-171 R2. The
assessment procedures are flexible and can be customized to the needs
of the organizations and the assessors conducting the assessments.
Security assessments can be conducted as self-assessments; independent,
third-party assessments; or government-sponsored assessments and can be
applied with various degrees of rigor, based on customer-defined depth
and coverage attributes. The findings and evidence produced during the
security assessments can facilitate risk-based decisions by
organizations related to the CUI requirements. This document is
incorporated by reference as a foundational source for definitions and
assessment.
(k) NIST SP 800-172, titled ``Enhanced Security Requirements for
Protecting Controlled Unclassified Information: A Supplement to NIST
Special Publication 800-171,'' February 2021 (NIST SP 800-172 Feb2021),
provides Federal agencies with recommended enhanced security
requirements for protecting the confidentiality of CUI: (1) when the
information is resident in nonfederal systems and organizations; (2)
when the nonfederal organization is not collecting or maintaining
information on behalf of a Federal agency or using or operating a
system on behalf of an agency; and (3) where there are no specific
safeguarding requirements for protecting the confidentiality of CUI
prescribed by the authorizing law, regulation, or government-wide
policy for the CUI category listed in the CUI Registry. The enhanced
requirements apply only to components of nonfederal systems that
process, store, or transmit CUI or that provide security protection for
such components when the designated CUI is associated with a critical
program or high value asset. The enhanced requirements supplement the
basic and derived security requirements in NIST SP 800-171 R2 and are
intended for use by Federal agencies in contractual vehicles or other
agreements established between those agencies and nonfederal
organizations. This document is incorporated by reference as a
foundational source for security requirements.
(l) NIST SP 800-172A, titled ``Assessing Enhanced Security
Requirements for Controlled Unclassified Information,'' March 2022
(NIST SP 800-172A Mar2022), provides Federal agencies and nonfederal
organizations with assessment procedures that can be used to carry out
assessments of the requirements in NIST SP 800-172 Feb2021. The
assessment procedures are flexible and can be tailored to the needs of
organizations and assessors. Assessments can be conducted as (1) self-
assessments; (2) independent, third-party assessments; or (3)
government-sponsored assessments. The assessments can be conducted with
varying degrees of rigor based on customer-defined depth and coverage
attributes. The findings and evidence produced during the assessments
can be used to facilitate risk-based decisions by organizations related
to the CUI enhanced security requirements. This document is
incorporated by reference as a foundational source for definitions and
assessment.
(m) ISO/IEC 17011:2017(E), titled ``Conformity assessment--
Requirements for accreditation bodies accrediting conformity assessment
bodies,'' Second edition, November 2017 (ISO/IEC 17011:2017(E)),
specifies requirements for the competence, consistent operation and
impartiality of accreditation bodies assessing and accrediting
conformity assessment bodies. This document is incorporated by
reference as a source for requirements on the CMMC Ecosystem.
(n) ISO/IEC 17020:2012(E), titled ``Conformity assessment--
Requirement for the operation of various types of bodies performing
inspection,'' Second edition, March 1, 2012 (ISO/IEC 17020:2012(E)),
specifies requirements for the competence of bodies performing
inspection and for the impartiality and consistency of their inspection
activities. It applies to inspection bodies of type A, B or C, as
defined in ISO/IEC 17020:2012(E), and it applies to any stage of
inspection. This document is incorporated by reference as a source
for requirements on the CMMC Ecosystem.
(o) ISO/IEC 17024:2012(E), titled ``Conformity assessment--General
requirements for bodies operating certification of persons,'' Second
edition, July 1, 2012 (ISO/IEC 17024:2012(E)), contains principles and
requirements for a body certifying persons against specific
requirements and includes the development and maintenance of a
certification scheme for persons. This document is incorporated by
reference as a source for requirements on the CMMC Ecosystem.
Section 170.3 Applicability
Section 170.3 identifies entities to which the rule applies and how
the Department intends to implement the rule. The rule applies to
defense contractors and subcontractors that will process, store, or
transmit FCI or CUI in performance of a DoD contract, and private-
sector businesses or other entities that are specified in Subpart C.
This rule does not apply to Federal information systems operated by
contractors and subcontractors in support of the Government. CMMC
Program requirements apply to DoD solicitations and contracts requiring
defense contractors and subcontractors to process, store, or transmit
FCI or CUI. Exceptions to the applicability of this rule are addressed
in Sec. 170.3(c)(1) and (2). Department Program Managers or requiring
activities will determine which CMMC Level and assessment type will
apply to a contract or procurement. Applicability of the required CMMC
Level and assessment type to subcontractors is addressed in Sec.
170.23.
Section 170.3 addresses the four-phased implementation plan of the
CMMC Program requirements in solicitations and contracts. Phase 1
begins on the effective date of this CMMC 32 CFR part 170 CMMC Program
rule or the complementary 48 CFR part 204 CMMC Acquisition rule,
whichever occurs later. More information regarding Phase 1 can be found
in Sec. 170.3(e)(1). Phase 2 begins one calendar year after the start
date of Phase 1. More information regarding Phase 2 can be found in
Sec. 170.3(e)(2). Phase 3 begins one calendar year after the start
date of Phase 2. More information regarding Phase 3 can be found in
Sec. 170.3(e)(3). Phase 4, or full implementation, begins one calendar
year after the start date of Phase 3. More information regarding Phase
4 can be found in Sec. 170.3(e)(4).
Section 170.4 Acronyms and Definitions
Section 170.4 includes acronyms and definitions used in the rule
text and can be used as a reference while reading the text and tables.
CMMC introduces new terms and associated definitions, and customizes
definitions for existing terms, as applied to the CMMC Program. CMMC-
custom terms and definitions are clearly marked to distinguish from
terms sourced externally. CMMC also utilizes terms created by other
authoritative sources, including NIST. Terms from other authoritative
sources are also listed in Sec. 170.4 and are properly sourced.
The Department developed the following CMMC-custom terms to enhance
understanding of the requirements and elements of the CMMC Program:
Accreditation
Accreditation Body
Affirming Official
Assessment
  Level 1 self-assessment
  Level 2 self-assessment
  Level 2 certification assessment
  Level 3 certification assessment
  POA&M closeout self-assessment
  POA&M closeout certification assessment
Assessment Findings Report
Assessment Team
Asset Categories
Authorized
Cloud Service Provider
CMMC Assessment and Certification Ecosystem
CMMC Assessment Scope
CMMC Assessor and Instructor Certification Organization (CAICO)
CMMC instantiation of eMASS
CMMC Status
  Final Level 1 (Self)
  Conditional Level 2 (Self)
  Final Level 2 (Self)
  Conditional Level 2 (C3PAO)
  Final Level 2 (C3PAO)
  Conditional Level 3 (DIBCAC)
  Final Level 3 (DIBCAC)
CMMC Status Date
CMMC Third-Party Assessment Organization (C3PAO)
Contractor Risk Managed Assets
Controlled Unclassified Information (CUI) Assets
Enduring Exception
External Service Provider (ESP)
Operational plan of action
Organization-defined
Organization Seeking Assessment (OSA)
Organization Seeking Certification (OSC)
Out-of-Scope Assets
Periodically
Process, store, or transmit
Restricted Information Systems
Security Protection Assets
Security Protection Data
Specialized Assets
Temporary Deficiency
Test Equipment.
Section 170.5 Policy
Section 170.5 addresses the policy underlying the rule. The
protection of FCI and CUI on defense contractor information systems is
crucial to the continuity of the missions and functions of the DoD. To
that end, this rule requires that contractors and subcontractors
implement the specified security requirements for the applicable
CMMC Level. For CMMC Level 3, the selected security requirements are
defined in NIST SP 800-172 Feb2021 with the applicable DoD
Organization-Defined Parameters (ODPs) defined in table 1 to Sec.
170.14(c)(4).
Program Managers and requiring activities identify the applicable
CMMC Level and assessment type. Factors used to determine which CMMC
Level and assessment type will be applied include, but are not limited
to, those listed in Sec. 170.5(b)(1-5). CMMC Program requirements
will flow down to subcontractors, as applicable (see Sec. 170.23). A
DoD Service Acquisition Executive or a Component Acquisition Executive
may elect to waive inclusion of CMMC Program requirements in a
solicitation or contract.
Section 170.5 addresses that the CMMC Program does not alter the
requirements imposed on contractors and subcontractors in FAR clause
52.204-21, DFARS clause 252.204-7012, or any other applicable
safeguarding of information requirement. The CMMC Program verifies
implementation of security requirements in FAR clause 52.204-21, NIST
SP 800-171 R2, and selected security requirements in NIST SP 800-172
Feb2021, as applicable.
Section 170.6 CMMC PMO
Section 170.6 addresses the CMMC Program Management Office (PMO)
functions that are performed within the Department of Defense Chief
Information Officer (DoD CIO).
Section 170.7 DCMA DIBCAC
Section 170.7 addresses how DCMA DIBCAC will support the CMMC
Program by conducting CMMC Level 2 certification assessments of the
Accreditation Body and C3PAOs; conducting CMMC Level 3 certification
assessments for OSCs; and recording results, issuing certificates,
tracking appeals, and retaining records as required.
Section 170.8 Accreditation Body
Section 170.8 addresses the roles and responsibilities of the
Accreditation Body, as well as requirements that the Accreditation Body
must meet. The Accreditation Body must be US-based, must be and remain a
member in good standing with the Inter-American Accreditation
Cooperation (IAAC) and become an International Laboratory Accreditation
Cooperation (ILAC) Mutual Recognition Arrangement (MRA) signatory, with
a signatory status scope of ISO/IEC 17020:2012(E) and be compliant with
ISO/IEC 17011:2017(E) \20\. There is only one Accreditation Body for
the DoD CMMC Program at any given time, and its primary mission is to
authorize and accredit the C3PAOs. The Accreditation Body authorizes
and accredits C3PAOs in accordance with the requirements in section
170.8(b).
---------------------------------------------------------------------------
\20\ www.iso.org/standard/67198.html.
---------------------------------------------------------------------------
The Accreditation Body also oversees the CAICO to ensure compliance
with ISO/IEC 17024:2012(E) \21\ and to ensure all training products,
instruction, and testing materials are of high quality.
---------------------------------------------------------------------------
\21\ www.iso.org/standard/52993.html.
---------------------------------------------------------------------------
Section 170.8 addresses specific requirements for the Accreditation
Body with regards to national security background checks, foreign
ownership, reporting, information protection, and appeals. The
Accreditation Body will also develop policies for Conflict of Interest
(CoI), Code of Professional Conduct (CoPC), and Ethics that comply with
all ISO/IEC 17011:2017(E) and DoD requirements. These policies will
apply to the Accreditation Body as well as to all other individuals,
entities, and groups within the CMMC Ecosystem. The information systems
used by the Accreditation Body to process CMMC information have to meet
all of the security requirements for CMMC Level 2 and will be assessed
by DCMA's Defense Industrial Base Cybersecurity Assessment Center
(DIBCAC).
Section 170.9 CMMC Third-Party Assessment Organizations (C3PAOs)
Section 170.9 addresses the roles, responsibilities, and
requirements for C3PAOs, which are the organizations that perform CMMC
Level 2 certification assessments for OSCs. The C3PAOs will submit
assessment data into the CMMC instantiation of the government-owned and
-operated system called eMASS,\22\ a CMMC instance of the Enterprise
Mission Assurance Support Service. C3PAOs issue Certificates of CMMC
Status, in accordance with the requirements in Sec. 170.17 of this
part.
---------------------------------------------------------------------------
\22\ This system is accessible only to authorized users.
---------------------------------------------------------------------------
Section 170.9 addresses detailed requirements for C3PAOs with
regards to national security background checks, foreign ownership,
reporting, records management, information protection, quality
assurance, and appeals. The information systems used by C3PAOs to
process Level 2 certification assessment information have to meet all
of the security requirements for CMMC Level 2 and will be assessed by
DCMA DIBCAC. C3PAOs need to comply with ISO/IEC 17020:2012(E), as well
as with the Accreditation Body's policies for CoI, CoPC, and Ethics.
Prior to a C3PAO being compliant with ISO/IEC 17020:2012(E), the
C3PAO may be authorized but not accredited. After a C3PAO is compliant
with ISO/IEC 17020:2012(E), the C3PAO may be accredited.
Section 170.10 CMMC Assessor and Instructor Certification Organization
(CAICO)
Section 170.10 addresses the roles, responsibilities, and
requirements for the CAICO, the organization that trains, tests,
designates Provisional Instructors (PIs), and certifies CMMC Certified
Professionals (CCPs), CMMC Certified Assessors (CCAs), and CMMC
Certified Instructors (CCIs). There is only one CAICO for the DoD CMMC
Program at
any given time. The CAICO must comply with ISO/IEC 17024:2012(E), as
well as with the Accreditation Body's policies for CoI, CoPC, and
Ethics. Section 170.10 addresses detailed requirements for the CAICO
with regard to certification examinations, quality assurance, appeals,
records management, reporting, separation of duties, and information
protection.
Section 170.11 CMMC Certified Assessor (CCA)
Section 170.11 addresses the roles and responsibilities of a CMMC
Certified Assessor (CCA), who conducts Level 2 certification
assessments. In order to be a CCA, a candidate must first be a CCP,
must adhere to the requirements set forth in Sec. 170.10 and Sec.
170.8(b)(17), and must complete a Tier 3 background investigation or
equivalent. The required
cybersecurity experience for different CCA roles is addressed in Sec.
170.11(b)(6) and (10). Section 170.11 addresses CCA requirements with
respect to security breaches; completion of a Tier 3 background
investigation or equivalent; reporting; sharing assessment information;
and permitted use of C3PAO equipment, devices, and services.
Section 170.12 CMMC Instructor
Section 170.12 addresses the roles and responsibilities of a CMMC
Provisional Instructor (PI) and CMMC Certified Instructor (CCI) to
teach CMMC assessor candidates. Candidate PIs and CCIs are trained and
tested per the requirements set forth in Sec. 170.12(c). Section
170.12(c) also provides candidate PIs and CCIs with the requirements to
obtain and maintain designation or certification (as applicable),
compliance with Accreditation Body policies, work activity exclusions,
confidentiality
[[Page 83101]]
expectations, non-disclosure clause, non-public training related
information, forbidden consulting services, and reporting requirements.
Section 170.13 CMMC Certified Professional (CCP)
Section 170.13 addresses the roles and responsibilities of a CMMC
Certified Professional (CCP) required to provide advice, consulting,
and recommendations to clients. The CAICO trains and tests candidate
CCPs per the requirements set forth in Sec. 170.13(b) with CCP
certification issued upon successful completion. A CCP can participate
in CMMC Level 2 certification assessments with CCA oversight; however,
CCAs are responsible for making final assessment determinations for a
CMMC Status of Conditional or Final Level 2 (C3PAO). A list of CCP
requirements is provided for obtaining and maintaining certification,
compliance with Accreditation Body policies, completion of a Tier 3
background investigation or equivalent, sharing assessment specific
information, and reporting requirements.
Section 170.14 CMMC Model
Section 170.14 addresses the structure, security requirement
contents, organization, sourcing, and numbering of the security
requirements that comprise the CMMC Model. It also provides an overview
of the assessment process. The CMMC Model consists of three (3) levels,
each containing security requirements taken directly from existing
regulations and guidelines. Firstly, Sec. 170.14(2) defines CMMC Level
1 as the 15 security requirements listed in the FAR clause 52.204-
21(b)(1). Secondly, Sec. 170.14(3) defines CMMC Level 2 as the 110
security requirements from the NIST SP 800-171 R2. Lastly, Sec.
170.14(4) defines CMMC Level 3 as 24 selected security requirements
from the NIST SP 800-172 Feb2021.
The CMMC security requirements are organized into domains following
the approach taken in NIST SP 800-171 R2. The numbering of the CMMC
security requirements, addressed in Sec. 170.14(c)(1), is of the form
DD.L#-REQ where the `DD' is the two-letter domain abbreviation, the
`L#' is the CMMC Level, and the `REQ' is based directly on the
numbering in the source. Assessment criteria for these security
requirements, as described in Sec. 170.14(d), are based on the
security requirement assessment guidance provided in NIST SP 800-171A
Jun2018 and NIST SP 800-172A Mar2022.
Section 170.15 CMMC Level 1 Self-Assessment and Affirmation
Requirements
Section 170.15 addresses how an OSA will achieve and maintain
compliance with the CMMC Status of Level 1 (Self). The OSA must
successfully implement the security requirements listed in Sec.
170.14(c)(2) within their Level 1 CMMC Assessment Scope as described in
Sec. 170.19(b). Successful implementation requires meeting all
objectives defined in NIST SP 800-171A Jun2018 for the corresponding
CMMC Level 1 security requirements as outlined in the mapping table 1
to Sec. 170.15(c)(1)(i).
After implementation, the OSA must perform a Level 1 self-
assessment to verify the implementation and score themselves using the
scoring methodology provided in Sec. 170.24. All objectives must be
met in order for a security requirement to be considered fully
implemented; no security requirements may be placed on a POA&M for
Level 1. The OSA must then input their results into SPRS as described
in Sec. 170.15(a)(1)(i) and submit an affirmation as described in
Sec. 170.22.
In order to be eligible for a contract with a requirement for the
CMMC Status of Level 1 (Self), the OSA must have achieved a CMMC Status
of Final Level 1 (Self) and have submitted an affirmation. These
activities must be completed annually.
Section 170.16 CMMC Level 2 Self-Assessment and Affirmation
Requirements
Section 170.16 addresses how an OSA will achieve and maintain
compliance with the CMMC Status of Level 2 (Self). The OSA must
successfully implement the security requirements listed in Sec.
170.14(c)(3) within its Level 2 CMMC Assessment Scope as described in
Sec. 170.19(c). Successful implementation requires meeting all
objectives defined in NIST SP 800-171A Jun2018 for the corresponding
CMMC Level 2 security requirements. Requirements for ESPs and CSPs that
process, store, or transmit CUI are provided in Sec. 170.16(c)(2) and
(3).
After implementation, the OSA must perform a Level 2 self-
assessment to verify the implementation and score themselves using the
scoring methodology provided in Sec. 170.24. All objectives must be
met in order for a security requirement to be considered fully
implemented; in some cases, if not all objectives are met, some
security requirements may be placed on a POA&M as provided for in Sec.
170.21. If the minimum score has been achieved and some security
requirements are in a POA&M, the OSA has achieved the CMMC Status of
Conditional Level 2 (Self); if all requirements are MET as defined in
Sec. 170.24(b), the OSA has achieved a CMMC Status of Final Level 2
(Self). For Conditional Level 2 (Self), a POA&M closeout must be
conducted within 180 days as described in Sec. 170.21(b) or the
Conditional Level 2 (Self) CMMC Status will expire.
After a Level 2 self-assessment, as well as after a POA&M closeout,
the OSA must input their results into SPRS as described in Sec.
170.16(a)(1)(i) and submit an affirmation as described in Sec. 170.22.
In order to be eligible for a contract with a requirement for the
CMMC Status of Level 2 (Self), the OSA must have achieved the CMMC
Status of either Conditional Level 2 (Self) or Final Level 2 (Self) and
have submitted an affirmation. The Level 2 self-assessment must be
completed every three years and the affirmation must be completed
annually following the Final CMMC Status Date.
Section 170.17 CMMC Level 2 Certification Assessment and Affirmation
Requirements
Section 170.17 addresses how an OSC will achieve and maintain
compliance with the CMMC Status of Level 2 (C3PAO). The OSC must
successfully implement the security requirements listed in Sec.
170.14(c)(3) within its Level 2 CMMC Assessment Scope as described in
Sec. 170.19(c). Successful implementation requires meeting all
objectives defined in NIST SP 800-171A Jun2018 for the corresponding
CMMC Level 2 security requirements. Requirements for ESPs and CSPs that
process, store, or transmit CUI are provided in Sec. 170.17(c)(5) and
(6).
After implementation, the OSC must hire a C3PAO to perform an
assessment to verify the implementation. The C3PAO will score the OSC
using the scoring methodology provided in Sec. 170.24. All objectives
must be met in order for a security requirement to be considered fully
implemented; in some cases, if not all objectives are met, some
security requirements may be placed on a POA&M as defined in Sec.
170.21. If the minimum score has been achieved and some security
requirements are in a POA&M, the OSC has achieved the CMMC Status of
Conditional Level 2 (C3PAO); if all requirements are MET as defined in
Sec. 170.24(b), the OSC has achieved the CMMC Status of Final Level 2
(C3PAO). For Conditional Level 2 (C3PAO), a POA&M closeout must be
conducted within 180 days as described
[[Page 83102]]
in Sec. 170.21(b) or the Conditional Level 2 (C3PAO) CMMC Status will
expire.
After a Level 2 certification assessment, as well as after a POA&M
closeout, the C3PAO will input the OSC's results into the CMMC
instantiation of eMASS as described in Sec. 170.17(a)(1)(i). After a
Level 2 certification assessment, as well as after a POA&M closeout,
the OSC must submit an affirmation as described in Sec. 170.22.
In order to be eligible for a contract with a requirement for the
CMMC Status of Level 2 (C3PAO), the OSC must have achieved the CMMC
Status of either Conditional Level 2 (C3PAO) or Final Level 2 (C3PAO)
and have submitted an affirmation. The Level 2 certification assessment
must be completed every three years and the affirmation must be
completed annually following the Final CMMC Status Date.
Section 170.18 CMMC Level 3 Certification Assessment and Affirmation
Requirements
Section 170.18 addresses how an OSC will achieve and maintain
compliance with the CMMC Status of Level 3 (DIBCAC). The OSC must have
achieved the CMMC Status of Final Level 2 (C3PAO) for information
systems within the Level 3 CMMC Assessment Scope as a prerequisite to
undergo a Level 3 certification assessment. The OSC must successfully
implement the security requirements listed in Sec. 170.14(c)(4)
and table 1 to Sec. 170.14(c)(4) within its Level 3 CMMC Assessment
Scope as described in Sec. 170.19(d). Successful implementation
requires meeting all objectives defined in NIST SP 800-172A Mar2022 for
the corresponding CMMC Level 3 security requirements. Requirements for
ESPs and CSPs that process, store, or transmit CUI are provided in
Sec. 170.18(c)(5) and (6).
After implementation, the OSC must contact DCMA DIBCAC to perform
an assessment to verify the implementation. DCMA DIBCAC will score the
OSC using the scoring methodology provided in Sec. 170.24. All
objectives must be met in order for a security requirement to be
considered fully implemented; in some cases, if not all objectives are
met, some security requirements may be placed on a POA&M as defined in
Sec. 170.21. If the minimum score has been achieved and some security
requirements are in a POA&M, the OSC has achieved the CMMC Status of
Conditional Level 3 (DIBCAC); if all requirements are MET as defined in
Sec. 170.24(b), the OSC has achieved the CMMC Status of Final Level 3
(DIBCAC). For Conditional Level 3 (DIBCAC), a POA&M closeout must be
conducted within 180 days as described in Sec. 170.21(b) or the
Conditional Level 3 (DIBCAC) CMMC Status will expire.
After a Level 3 certification assessment, as well as after a POA&M
closeout, DCMA DIBCAC will input the OSC's results into the CMMC
instantiation of eMASS as described in Sec. 170.18(a)(1)(i). After a
Level 3 certification assessment, as well as after a POA&M closeout,
the OSC must submit an affirmation as described in Sec. 170.22.
In order to be eligible for a contract with a requirement for the
CMMC Status of Level 3 (DIBCAC), the OSC must have achieved the CMMC
Status of either Conditional Level 3 (DIBCAC) or Final Level 3 (DIBCAC)
and have submitted an affirmation. The Level 3 certification assessment
must be completed every three years and the affirmation must be
completed annually following the Final CMMC Status Date.
Section 170.19 CMMC Scoping
Section 170.19 addresses the requirements for the scoping of each
CMMC Level and determines which assets are included in a given
assessment and the degree to which each is assessed. The CMMC
Assessment Scope is specified prior to any CMMC assessment, based on
the CMMC Level being assessed. The Level 2 CMMC Assessment Scope may
also be affected by any intent to achieve a CMMC Level 3 Certification
Assessment, as detailed in Sec. 170.19(e).
Scoping for CMMC Level 1, as detailed in Sec. 170.19(b), consists
of all assets that process, store, or transmit FCI. These assets are
fully assessed against the applicable CMMC security requirements
identified in Sec. 170.14(c)(2) and following the procedures in Sec.
170.15(c). All other assets are out-of-scope and are not considered in
the assessment.
Scoping for CMMC Level 2, as detailed in Sec. 170.19(c), consists
of all assets that process, store, or transmit CUI, and all assets that
provide security protections for these assets. These assets are fully
assessed against the applicable CMMC security requirements identified
in Sec. 170.14(c)(3) and following the Level 2 self-assessment
procedures in Sec. 170.16(c) or the Level 2 certification assessment
procedures in Sec. 170.17(c). In addition, Contractor Risk Managed
Assets, which are assets that can, but are not intended to, process,
store, or transmit CUI because of security policy, procedures, and
practices in place, are documented and are subject to a limited check
that may result in the identification of a deficiency, as addressed in
table 3 to Sec. 170.19(c)(1). Finally, Specialized Assets, which are
assets that can process, store, or transmit CUI but are unable to be
fully secured, including Internet of Things (IoT) devices, Industrial
Internet of Things (IIoT) devices, Operational Technology (OT),
Government Furnished Equipment (GFE), Restricted Information Systems,
and Test Equipment, are documented but are not assessed against other
CMMC security requirements, as addressed in table 3 to Sec.
170.19(c)(1). All other assets are out-of-scope and are not considered
in the assessment.
Scoping for CMMC Level 3, as detailed in Sec. 170.19(d), consists
of all assets that can (whether intended to or not) or do process,
store, or transmit CUI, and all assets that provide security
protections for these assets. The CMMC Level 3 Assessment Scope also
includes all Specialized Assets but allows an intermediary device to
provide the capability for the Specialized Asset to meet one or more
CMMC security requirements, as needed. These assets (or the applicable
intermediary device, in the case of Specialized Assets) are fully
assessed against the applicable CMMC security requirements identified
in Sec. 170.14(c)(4) and following the procedures in Sec. 170.18(c).
All other assets are out-of-scope and are not considered in the
assessment.
If an OSA utilizes an ESP, including a Cloud Service Provider
(CSP), that does not process, store, or transmit CUI, the ESP does not
require its own CMMC assessment. The services provided by the ESP are
assessed as part of the OSC's assessment as Security Protection Assets.
Section 170.20 Standards Acceptance
Section 170.20 addresses how OSCs that, prior to the effective date
of this rule, have achieved a perfect score on a DCMA DIBCAC High
Assessment with the same scope as a Level 2 CMMC Assessment Scope, will
be given a CMMC Status of Level 2 (C3PAO).
Section 170.21 Plan of Action and Milestones Requirements
Section 170.21 addresses rules for having a POA&M for the purposes
of a CMMC assessment and satisfying contract eligibility requirements
for CMMC. All POA&Ms must be closed within 180 days of the Conditional
CMMC Status Date. To satisfy CMMC Level 1 requirements, a POA&M is not
allowed. To satisfy CMMC Level 2 requirements, a POA&M is allowed.
Section 170.21 details the overall minimum score that must be achieved
[[Page 83103]]
and identifies the Level 2 security requirements that cannot have a
POA&M and must be fully met at the time of the assessment. To satisfy
CMMC Level 3 requirements, a POA&M is allowed. Section 170.21 details
the overall minimum score that must be achieved and identifies the
Level 3 security requirements that cannot have a POA&M and must be
fully met at the time of the assessment. Section 170.21 also
establishes rules for closing POA&Ms.
Section 170.22 Affirmation
Section 170.22 addresses that the OSA's Affirming Official must
affirm, in SPRS, compliance with the CMMC Status: upon completion of
any self-assessment, certification assessment, or POA&M closeout
assessment (as applicable), and annually following a Final CMMC Status
Date.
Section 170.23 Application to Subcontractors
Section 170.23 addresses flow down of CMMC requirements from the
prime contractor to the subcontractors in the supply chain. Prime
contractors shall comply and shall require subcontractor compliance
throughout the supply chain at all tiers with the applicable CMMC Level
for each subcontract as addressed in Sec. 170.23(a).
Section 170.24 CMMC Scoring Methodology
Section 170.24 addresses the assessment finding types MET, NOT MET,
and NOT APPLICABLE (N/A) in the context of CMMC assessments, and the
CMMC Scoring Methodology used to measure the implementation status of
security requirements for CMMC Level 2 and CMMC Level 3. Scoring is not
calculated for CMMC Level 1 since all requirements must be MET at the
time of assessment.
For CMMC Level 2, the maximum score is the total number of Level 2
security requirements and is the starting value for assessment scoring.
Any security requirement that has one or more NOT MET objectives
reduces the current score by the value of the specific security
requirement. Values for each CMMC Level 2 requirement are enumerated in
Sec. 170.24(c)(2)(i)(B).
For CMMC Level 3, the maximum score is the total number of Level 3
security requirements and is the starting value for assessment scoring.
Any security requirement that has one or more NOT MET objectives
reduces the current score by the value of the specific security
requirement. CMMC Level 3 does not use varying values; the value for
each requirement is one (1), as described in Sec. 170.24(c)(3).
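As an added illustration, not part of the rule text, the scoring and status logic summarised for Sec. 170.14, 170.16 through 170.18, 170.21 and 170.24 above is modelled here in Python. The per-requirement point values, the minimum score and the set of requirements barred from a POA&M are set out in parts of the rule not reproduced on this page, so they are inputs, and the sample values are constructed placeholders.

```python
"""Model of the CMMC scoring and status rules summarised in Sec. 170.24 and
Sec. 170.16-170.18 (added example, not text of the rule).  Point values, the
minimum score and the POA&M-barred list are inputs; all samples are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
import re

# Sec. 170.14(c)(1): identifiers are DD.L#-REQ, where DD is the two-letter
# domain, L# the CMMC Level and REQ follows the source's own numbering
# (3.1.1 from SP 800-171, 3.1.2e from SP 800-172, b.1.i from FAR 52.204-21).
REQ_ID = re.compile(r"^(?P<domain>[A-Z]{2})\.L(?P<level>[123])-(?P<req>[0-9A-Za-z.]+)$")

POAM_CLOSEOUT_DAYS = 180  # Sec. 170.21(b): close out within 180 days or the status expires


def parse_req_id(req_id: str) -> tuple[str, int, str]:
    """Split 'AC.L2-3.1.1' into ('AC', 2, '3.1.1'); reject anything off-format."""
    m = REQ_ID.match(req_id)
    if m is None:
        raise ValueError(f"not a DD.L#-REQ identifier: {req_id!r}")
    return m.group("domain"), int(m.group("level")), m.group("req")


@dataclass(frozen=True)
class Finding:
    """One requirement's result: a finding per NIST SP 800-171A / 800-172A objective."""
    req_id: str
    objectives: tuple[str, ...]  # each "MET", "NOT MET" or "N/A"

    def is_met(self) -> bool:
        # A requirement counts as implemented only when no objective is NOT MET.
        # N/A objectives are not deducted (assumption: the summary names the
        # N/A finding type but does not state how it is scored).
        return "NOT MET" not in self.objectives


def compute_score(level: int, findings: list[Finding], values: dict[str, int]) -> int:
    """Sec. 170.24: start at the number of requirements and subtract each NOT MET
    requirement's value.  Every Level 3 value is 1; Level 1 is not scored."""
    if level == 1:
        raise ValueError("Level 1 is not scored; every requirement must be MET")
    if {f.req_id for f in findings} != set(values):
        raise ValueError("findings must cover exactly the requirements being scored")
    for f in findings:
        if parse_req_id(f.req_id)[1] != level:
            raise ValueError(f"{f.req_id} is not a Level {level} requirement")
    score = len(values)
    for f in findings:
        if not f.is_met():
            score -= 1 if level == 3 else values[f.req_id]
    return score


def determine_status(level: int, findings: list[Finding], values: dict[str, int],
                     min_score: int, no_poam: set[str], assessed_on: date) -> dict:
    """Final if every requirement is MET; Conditional if the minimum score is
    reached and no open requirement is barred from a POA&M (Sec. 170.21);
    Level 1 permits no POA&M at all (Sec. 170.15)."""
    open_reqs = sorted(f.req_id for f in findings if not f.is_met())
    score = None if level == 1 else compute_score(level, findings, values)
    result = {"status": "Not achieved", "score": score, "poam": open_reqs,
              "poam_closeout_by": None}
    if not open_reqs:
        result["status"] = f"Final Level {level}"
    elif level != 1 and score >= min_score and not (set(open_reqs) & no_poam):
        result["status"] = f"Conditional Level {level}"
        result["poam_closeout_by"] = assessed_on + timedelta(days=POAM_CLOSEOUT_DAYS)
    return result


# Constructed five-requirement slice of a Level 2 assessment.  The point values,
# the minimum score and the barred set are placeholders, not the figures given
# in Sec. 170.21 and Sec. 170.24(c)(2)(i)(B).
SAMPLE_VALUES = {"AC.L2-3.1.1": 5, "AC.L2-3.1.2": 5, "AT.L2-3.2.1": 1,
                 "CM.L2-3.4.1": 1, "IA.L2-3.5.1": 1}
SAMPLE_MIN_SCORE = 4
SAMPLE_NO_POAM = {"AC.L2-3.1.1", "AC.L2-3.1.2"}
SAMPLE_ASSESSED_ON = date(2025, 1, 15)  # constructed Conditional CMMC Status Date
SAMPLE_FINDINGS = [
    Finding("AC.L2-3.1.1", ("MET", "MET", "MET")),
    Finding("AC.L2-3.1.2", ("MET", "MET")),
    Finding("AT.L2-3.2.1", ("MET", "NOT MET")),  # one open objective sinks the requirement
    Finding("CM.L2-3.4.1", ("MET", "N/A")),
    Finding("IA.L2-3.5.1", ("MET", "MET", "MET")),
]

if __name__ == "__main__":
    print(determine_status(2, SAMPLE_FINDINGS, SAMPLE_VALUES, SAMPLE_MIN_SCORE,
                           SAMPLE_NO_POAM, SAMPLE_ASSESSED_ON))
```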
Appendix A to Part 170: Guidance
Appendix A lists the guidance documents that are available to
support defense contractors and the CMMC Ecosystem in the
implementation and assessment of CMMC requirements.
Discussion of Public Comments and Resulting Changes
The Department of Defense published the proposed rule on December
26, 2023 (88 FR 89058). Approximately 361 public submissions were
received in response to the publication. Some comments were beyond the
scope of the CMMC Program and are described but not addressed in this
final rule. The majority of comments received were relevant and are
summarized in the discussion and analysis section here. Additional
comments were received in response to the CMMC supplemental documents
published concurrently with the rule; the discussion and analysis of
those comments is located at www.regulations.gov. Some comments
received lacked relevance to the rule's content, which is limited to
specific CMMC program requirements codified in the 32 CFR part 170 CMMC
Program rule; responses for those comments are not provided.
Any contractual requirements related to the CMMC Program rule will
be implemented in the DFARS, as needed, which may result in revisions
to the DFARS clause 252.204-7021, CMMC Requirements. DoD will address
comments regarding the DFARS clause 252.204-7021 in a separate 48 CFR
part 204 CMMC Acquisition rulemaking.
1. Extension of the Public Comment Period
Comment: DoD received requests from industry associations for an
extension of the 60-day public comment period on the CMMC Proposed Rule
that the Office of the Federal Register published on 26 December 2023.
The length of extensions requested ranged from 30-60 days. Commenters
argued that the proposed rule was initially published following a
holiday, and that more time was needed for associations to fully review
member comments about the CMMC Proposed Rule prior to submitting. In
addition, they argued that other rules pertaining to cyber incident
reporting obligations and security of Federal Information Systems had
also been published for public comment, which created a need for
additional review time.
Response: The DoD CIO denied requests for an extension of the 60-
day public comment period. The DoD provided regular communication to
the public through the DoD CMMC website and updates in the semiannual
Unified Agenda in preparation for publication of the CMMC Proposed Rule
to initiate the 60-day public comment period. The Department has an
urgent need to improve DIB cybersecurity by further enforcing
compliance with security requirements that were to be implemented by
the DIB ``as soon as possible but not later than December 2017.''
2. The CUI Program
a. CUI Program Guidance
Comment: Many comments were submitted related to the NARA CUI
policies or the DoD CUI Program, and while relevant for understanding
CMMC requirements, those are separate policies or programs beyond the
scope of the CMMC program or this rule. However, several comments
recommended that the CMMC rule be revised to address them.
Twenty-two comments requested the government provide more guidance,
preferably within RFPs or contracts, to better identify what will be
considered CUI for that contract, and how it should be appropriately
marked. One comment specifically noted a need for contractual
instructions on whether data created in performance of a contract rises
to the level of CUI. Another person asked when information created or
possessed by a contractor becomes CUI. One comment asked
whether digital or physical items derived from CUI are treated as CUI
while another asked what specific information qualifies as CUI for OT
and IoT assets. Another comment asked whether FCI and/or CUI created or
provided under a non-DoD agency contract, but which is also used in
support of a DoD contract, would be subject to the applicable CMMC
level requirement. Another comment noted that DoD focuses too narrowly
on data security aspects of major system acquisition and largely fails
to address securing data generated by operational and/or maintenance
operations, such as invoices and bills of lading for operational
support purchases.
One comment stated there was a need for CUI policy guidance for the
entire Federal Government. Another comment inferred, incorrectly, that
the CMMC Accreditation Body makes determinations about what is and what
is not CUI and stated that the Government should make those
determinations. Another comment stated that to better address the needs
of contractors tasked with safeguarding
[[Page 83104]]
CUI, NARA should initiate a public comment period to reevaluate its CUI
Registry. The comment also noted that NARA should identify when a CUI
designation automatically applies to contractor-created information and
revise the CUI Registry to stipulate that a specific basis in statute
(or a contract) is required for information to be considered CUI.
Another comment recommended that a study be conducted on protections
for systems and data at Confidential and higher classification levels,
and that it should assess whether NARA's CUI protection requirements
(32 CFR part 2002) have yielded any real benefits in protecting
critical data.
Another comment stated that the CUI program is a costly proposition
whose security value is questionable given data can still be
compromised, even over systems with a CMMC assessment. The comment
stated that if data is to be controlled for Critical Items, then the
existing system used for CONFIDENTIAL information should suffice.
Finally, another comment suggested that CUI information should be under
the control of the Federal Government and access granted only to
appropriately trained, and qualified contractors through a portal.
Response: Neither the CUI program (established in E.O. 13556) nor
the safeguarding requirements codified in its implementing directives
are changed by virtue of the compliance assessment framework
established by this rule.
CMMC requirements apply to prime contractors and subcontractors
throughout the supply chain at all tiers that will process, store, or
transmit any FCI or CUI on contractor information systems in the
performance of the DoD contract or subcontract, irrespective of the
origin of the information.
The executive branch's CUI Program is codified in 32 CFR part 2002
and establishes policy for designating, handling, and decontrolling
information that qualifies as CUI. The definition of CUI and general
requirements for its safeguarding are included in 32 CFR 2002.4 and
2002.14, respectively. 32 CFR 2002.14(h)(2) specifically requires
agencies to use NIST SP 800-171 when establishing security requirements
to protect CUI's confidentiality on non-Federal information systems. At
the time of award, the DoD may have no visibility into whether the
awardee will choose to further disseminate DoD's CUI, but DFARS clause
252.204-7012 and DFARS clause 252.204-7021 require the prime contractor
to flow down the information security requirement to any subcontractor
with which the CUI will be shared. Decisions regarding which DoD
information must be shared to support completion of subcontractor tasks
are between the prime contractor and the subcontractors. The DoD
encourages prime contractors to work with subcontractors to lessen the
burden of flowing down CUI. The DoD declines to adopt alternatives such
as policy-based solutions that lack a rigorous assessment component or
require sharing CUI only through DoD-hosted secure platforms. Suggested
alternatives to implementing NIST SP 800-171 and identifying what data
is CUI are beyond the scope of the CMMC Program and this rule.
b. FCI and CUI Definitions
Comment: Five comments stated that what DoD considers CUI is not
well defined. Another comment stated that companies should be provided
a reference list of what the DoD considers CUI. Another recommended DoD
use existing mechanisms like the DD Form 254 architecture to clearly
define the scope of CUI on a contract-by-contract basis. Seven comments
recommended the CMMC rule mandate a Security Classification Guide (SCG)
or similar document.
Nine comments stated there was too much confusion and ambiguity
regarding FCI and CUI and that the government needed to provide clear
and standardized FCI and CUI definitions that are tailored to the
specific requirements of the CMMC rule. One comment recommended rule
edits to address this perceived ambiguity. One comment requested
clarification and examples of differences between CUI Basic and
Specialized CUI.
Response: Federal Contract Information is defined in FAR clause
52.204-21, which also provides the security requirements applicable for
basic safeguarding of such information. The DoD has no authority to
modify definitions established in the FAR for application to all
executive branch agencies. This rule makes no change to the definition
or handling of CUI.
c. Marking Requirements
Comment: Twenty-three comments expressed concern with or requested
clarification regarding CUI marking. Twelve comments specifically noted
concern with CUI markings being applied to too many documents, in part
because CUI was an ambiguous concept. They requested the DoD encourage
personnel to mark documents as CUI only when appropriate and provide
better guidance for managing flow-down clauses. Another comment noted
that many small businesses are currently subject to NIST SP 800-171
requirements through DFARS contract clause flow-down and cannot say
with certainty that they have CUI in their possession. The comment
further noted that small businesses regularly receive mismarked data.
One comment stated there is an increased use of automatic CUI marking
on DoD communications, seemingly without regard to content. One comment
stated that the rule fails to outline a mechanism for reporting
government mishandling, and that contractors should use a reporting
system to minimize their own risk and liability. One comment requested
the rule be edited to prevent Program Managers or requesting activities
from assigning a CMMC Level 3 requirement unless they have high
confidence that 80+ percent of CUI and/or FCI under the relevant
contract has complete CUI markings. Another comment stated that the
Federal government should develop a marking schema to communicate
information safeguarding requirements, while yet another stated that
DoD must publish a training module for contracting officers so that
they are properly classifying documents prior to finalization of this
rule.
One comment stated CUI across the DoD is diverse and what may be
CUI for one system may not be for another. The comment then questioned
how this proposed rule and SPRS would accommodate these facts without
assuming and mandating that all defense contractor information systems
meet the same architecture, security, and cybersecurity standards.
Response: The CMMC Program will not provide CUI guidance materials
to industry as it is outside the scope of this CMMC rule. Relevant
information regarding what to do when there are questions regarding
appropriate marking of CUI may be found at 32 CFR 2002.50--Challenges
to designation of information as CUI. The DoD declined to incorporate
suggested edits to the CMMC Level 3 requirements regarding confidence
in proper CUI and/or FCI markings.
The DoD's role as data owner is documented in the CUI Program
implementing policies and the requirements of 32 CFR part 2002. DoDI
5200.48 states: The authorized holder of a document or material is
responsible for determining, at the time of creation, whether
information in a document or material falls into a CUI category. If so,
the authorized holder is responsible for applying CUI markings and
dissemination instructions accordingly. DoD Manual 5200.01 outlines
DoD's Information Security Program and includes Volume 2, Marking of
Information. The DoD declines to incorporate by reference those
[[Page 83105]]
documents describing the Department's data governance role because the
content is beyond the scope of CMMC requirements. The DoD issued policy
guidance to its program managers regarding programmatic indicators to
consider when selecting CMMC requirements. Program managers have a
vested interest in knowing whether a contractor can comply with these
existing requirements to adequately safeguard CUI.
The DoD elected not to make any recommended edits to the CMMC
Program related to FCI or CUI marking requirements or provide
clarifying examples of the differences between Basic CUI and Specified
CUI, as these are beyond the scope of this rule. Mishandling of
information by the government is beyond the scope of this rule. DCMA
DIBCAC processes, stores, and transmits all data on DoD-approved
networks. DoD's adherence to NARA's CUI Program policies is beyond the
scope of this rule.
d. Applicability and Governance of CUI Requirements
Comment: In addition, one utilities sector representative submitted
a lengthy analysis of data types often generated by electric or other
utilities, with regulatory references and rationale for why such data
would not likely be subject to DoD's CUI safeguarding requirements or
CMMC compliance assessments. Such rationale included the fact that some
Government-Private CUI categories, such as DoD Critical Infrastructure
Information, require explicit designation in that category which
(according to the commenter) has not occurred in the electricity
subsector. One contractor requested that CMMC clarify requirements
around U.S. persons and foreign dissemination of CUI for contractors,
subcontractors' employees, and contingent workers. Two
comments suggested it would be appropriate to reference data governance
in Sec. 170.1 and the DoD's role as the data owner of FCI and CUI
across the ecosystem. Another comment stated the classification efforts
must themselves be audited.
Response: The quantity of FCI and CUI a defense contractor
possesses, including copies of the same material, is irrelevant to the
CMMC assessment required. All copies of FCI or CUI related to the DoD
contract must be safeguarded. The CMMC Program is not intended to
validate compliance with cybersecurity requirements of non-DoD
agencies' contracts. The requirements for sharing of CUI with non-US
persons are beyond the scope of this rule.
The CMMC program provides a mechanism to assess contractor
compliance with applicable security requirements for the safeguarding
of FCI or CUI. CMMC program requirements make no change to existing
policies for information security requirements implemented by DoD.
Policies for CUI and creation of program documentation, to include
Security Classification Guides, are separate from this rule. Discussion
in this rule regarding DoD programs providing CUI training and the
implementation of E.O. 13556 are beyond the scope of this rule.
CMMC program requirements are applicable when DoD requires
processing, storing, or transmitting of either FCI or CUI on a non-
Federal contractor owned information system in the performance of a
contract between DoD and the contractor. The DoD does not manage nor is
it involved in data exchanges between contractors and subcontractors.
3. Other DoD Policies and Programs
Many comments dealt with DoD policies and programs that, while
relevant for understanding CMMC requirements, are still entirely
separate programs or policies that are not within the scope of the CMMC
program. However, several commenters recommended that the rule be
revised to address them. Key topics among such comments include:
a. Adaptive Acquisition Framework
Comment: One commenter misunderstood CMMC program purpose and
thought the requirements applied to systems and capabilities acquired
or developed for DoD's use, using formal policies of the Defense
Acquisition System. Based on this misinterpretation, this commenter
made dozens of recommendations related to integration of CMMC
assessment and program requirements with other existing DoD acquisition
frameworks and suggested relying on the assessors that complete TRAs,
in place of implementing the CMMC program. One of their comments also
proposed establishing a single responsible office for CUI and SCRM,
hosting CUI material within a single, separate secure and existing
cloud-based data warehouse and including hardware and software
approving authorities as part of the proposed rule for GFE. The
commenter also stated the role of the Office of Small Business Programs
(OSBP) needs to flow down to the Small Business Administration military
service offices. The commenter also asked how to reconcile CMMC against
the DoDI 8582.01 requirement stating a DoD Component should not specify
the content and format of plans of action that address deficiencies or
specifying the parameters of security controls.
This commenter also recommended creation of a MIL-Standard in lieu
of aligning cybersecurity requirements to existing NIST standards, and
linkage of CMMC requirements to procedures related to Approval to
Operate (which applies to DoD systems). This commenter suggested that
the CMMC PMO be made responsible to provide system scans to check for
Software Bills of Material as part of DoD's response to Executive Order
14028 regarding Supply Chain Risk Management. The commenter further
requested a DoD-level working group outline how DoD program offices
might identify which components are mission or safety critical or which
associated production processes should be identified as CTI. That
commenter recommended this rule be held in abeyance until AT&L [sic]
has reviewed and provided their insight into the impacts of CMMC on
existing DoD acquisition documentation and deliverables. Yet another
comment recommended that ``this proposed DFARS ruling'' be vetted
through ``AT&L, ASD and OUSD'' [sic] as a minimum to determine if
changes would be required in the Program Protection Improvement Plan
and System Security Plan. Lastly, this commenter recommended the DoD
engage with NDIA and ISO/IEC to develop alternate standards for
securing data and supply chains.
Response: CMMC Program requirements apply to contractor-owned
information systems that process, store, or transmit FCI and CUI and do
not apply to systems developed or acquired for DoD through the formal
Defense Acquisition System (DAS). Therefore, integrating the CMMC
assessment process and internal DAS processes (including technical
reviews prior to RFP development) is not appropriate and is beyond the
scope of this rule. Note that CMMC applicability is broader than just
the Major Defense Acquisition Programs.
DoD's organizational alignment of responsibilities (between OSBP
and SBA military offices) for assisting small businesses or
establishing new offices within OSD is beyond the scope of this rule.
Due to national security concerns, DoD declines the recommendation to
further delay implementation of the CMMC Program. Each passing day in
delay of implementing the security requirements for safeguarding DoD
FCI and CUI increases the risk for exfiltration of non-public
information on unsecured nonfederal systems that
may result in the loss of DoD's technological advantages in its
warfighting capabilities and programs.
Discussions regarding acquisition strategies and frameworks are
beyond the scope of this CMMC rule. The CMMC Program does not alleviate
or supersede any existing requirements of the Adaptive Acquisition
Framework, nor does it alter any statutory or regulatory requirement
for acquisition program documentation or deliverables. Note that CMMC
Program requirements do not apply to systems delivered to DoD. DoD
Instructions for required acquisition program documentation are beyond
the scope of this rule. CMMC assessment certifications are not
integrated into System Security Plans (SSPs).
The role of System Engineering and associated processes within the
DoD acquisition process is beyond the scope of this rule. ITRA
assessments provide a view of program technical risk and are not well-
suited to the assessment of contractor owned information systems
against standards for safeguarding CUI. CMMC Program requirements do
not clash with Program Office responsibilities, but instead provide
Program Managers with a mechanism for validating that contractors are
compliant with the rules for protecting DoD CUI.
b. FedRAMP Program and FedRAMP Equivalency
Comment: Many commenters took issue with the requirements for
FedRAMP Moderate Equivalency, as referenced in DFARS clause 252.204-
7012 and defined in a separate DoD policy memo. Some merely highlighted
discrepancies or raised concerns about their ability to meet the
FedRAMP Moderate Equivalency requirements. Others recommended revisions
to that policy, or to DFARS clause 252.204-7012, or both.
Some recommended the FedRAMP Moderate Equivalency policy memo be
incorporated into DFARS clause 252.204-7012. Other
suggestions ranged from eliminating equivalency to meet requirements,
allowing 3PAO attestation to equivalency, requiring all FedRAMP
Moderate Equivalency candidates to be assessed by the same C3PAO or
allowing equivalency to be established through other industry
certifications or third-party security assessments, e.g., SOC or ISO/IEC
27001. One commenter requested that applications hosted on a FedRAMP
Moderate environment only need to meet the CMMC level of the data the
application will process. Another suggested that all Cloud Service
Providers be required to meet the same CMMC requirement as the OSCs
they support. One commenter recommended expanding the scope of CMMC
Program to include assessing other security requirements in DFARS
clause 252.204-7012, to include the use of FedRAMP Moderate cloud
environment. Comments also expressed that it is unreasonable to expect
any cloud provider to share security documentation with a customer or
C3PAO since they limit dissemination of this information due to
operational security needs. Another commenter noted that the proposed
rule does not cover all types of information that contractors may
handle, such as classified information, export-controlled information,
or proprietary information and they recommended the DoD clarify
applicability of the CMMC program for these types of information.
Response: Although some commercially based Cloud Service Offerings
(CSOs) may experience limitations in trying to support the Defense
Industrial Base with the FedRAMP Moderate equivalent requirement, the
DoD is not willing to assume all the risk of non-FedRAMP Moderate
Equivalent CSOs when the CSO is used to process, store, or transmit
CUI. If the offering does not process, store, or transmit CUI, then
FedRAMP certification is not required. Although the DoD considered
acceptance of the ISO/IEC 27001 certification, it chose the NIST
cybersecurity requirement to meet FedRAMP Moderate baseline equivalency
standard to stay aligned with the FedRAMP Moderate baseline which is
based on NIST standards versus ISO/IEC standards.
The rule was updated to require FedRAMP moderate or FedRAMP
moderate equivalency in accordance with DoD Policy. CMMC Program
Requirements make no change to existing policies for information
security requirements implemented by DoD. Comments related to
applications hosted on a FedRAMP Moderate environment are outside the
scope of this rule.
The requirements for CSPs that process, store, or transmit CUI are
set by DFARS clause 252.204-7012 and the DoD CIO policy memo on FedRAMP
Moderate equivalency. These requirements are beyond the scope of this
rule. ESPs that are not CSPs will be required to meet the CMMC
requirements and be assessed as part of the scope of an acquiring OSA.
ESPs that are not a CSP may voluntarily request a C3PAO assessment if
they decide it would be to their advantage.
c. Other DoD Programs and Policies
Comment: One commenter expressed dissatisfaction with results
obtained from previously submitted FOIA requests related to development
of the CMMC program.
Two commenters asked if there was a mechanism to update FAR clause
52.204-21 to address evolving threats and recommended the Department
specifically identify the frequency and identify accountable parties to
review and update FAR security requirements. Another commenter cited
responses visible on the DoD CIO's Frequently Asked Questions (FAQ)
website and criticized both the utility of the information (given that
it does not constitute formal policy) and the frequency with which the
information is updated. Similarly, one commenter asked for more
frequent updates to FAQs on the DoD Procurement Toolbox URL.
One commenter asserted that the Federal Government sometimes
contracts for support to perform sensitive tasks and permits access to
``highly classified'' information that should only be accessed by
Federal employees.
One commenter requested NIST develop a simplified inspection
standard for organizations with fewer than 20 employees.
One commenter asked about the transfer of CMMC Program oversight
from OUSD(A&S) to DoD CIO.
A comment cited the utility of free cybersecurity related services
that DoD agencies offer, such as security alerts and vulnerability
scanning, and encouraged expansion of those programs.
One person suggested that DoD's Zero-Trust approach would provide a
higher level of security for CUI data than the CMMC program.
One commenter stated the Department should develop clear, flexible
guidelines and alternative pathways for global companies to achieve
CMMC compliance without relying on enclave architectures and
recommended that this approach rely on Zero Trust principles.
One comment noted that under FAR clause 52.204-21, FCI does not
include simple transactional information (STI) and asked if certain
data would be considered STI and therefore not subject to CMMC.
One comment stated that conflicting regulatory guidance exists
between the content of E.O. 15028, NIST SP 800-218, NIST SP 800-171 R2,
and NIST SP 800-171 Revision 3.
Response: One comment lacked clarity and failed to clearly
articulate
any relevance to the content of this rule, so no response can be
provided.
SPRS will be used for reporting CMMC Status of all contractors,
regardless of which service issued the contract. Publication of this
rule follows completion of OMB's formal rulemaking process, which
includes both DoD internal coordination (including the USD(A&S) and
USD(R&E)) and Interagency coordination.
CMMC is consistent with Section 3.4 of DoDI 8582.01, Validation and
Compliance. CMMC does not specify the content and format of plans of
action beyond what is specified in NIST SP 800-171 R2, which is
required under DoDI 8582.01.
Clinger Cohen Act requirements, which apply to DoD's IT
investments, are not relevant to CMMC Program requirements, which apply
to contractor-owned information systems. The classification marking of
existing DoD documentation is beyond the scope of this rule, as is
engagement with INCOSE and ISO/IEC certification organizations.
Executive Orders state mandatory requirements for the Executive
Branch and have the effect of law. E.O. 14028--``Improving the Nation's
Cybersecurity'' (issued May 12, 2021) requires agencies to enhance
cybersecurity and software supply chain integrity. NIST SP 800-171 R2
and NIST SP 800-218 are guidelines, not regulations. NIST SP 800-171
Revision 3 is not currently applicable to this rule.
Recommendations to add or modify requirements specified in NIST
documentation should be submitted in response to NIST requests for
public comment on the applicable guidelines. Federal and DoD
requirements for delivery of software bills of material or secure
software development are beyond the scope of this rule, which is
limited to the assessment of compliance with requirements for adequate
protection of FCI and CUI. Federal Contract Information is defined in
FAR clause 52.204-21, which also provides the security requirements
applicable for basic safeguarding of such information. The Department
has no authority to modify definitions established in the FAR for
application to all executive branch agencies. Any data that meets the
definition of FCI is subject to CMMC Level 1. It is beyond the scope
of the CMMC rule to render decisions on specific elements of data.
The OUSD(A&S) was not replaced by the DoD CIO, rather, CMMC Program
management oversight has been realigned from the OUSD(A&S) to the
Office of the DoD CIO for better integration with the Department's
other DIB cybersecurity related initiatives. Comments pertaining to
DoD's organizational structure are not relevant to the content of this
rule. DoD's processing of FOIA requests is also not within the scope of
this rule. The DoD declines to respond to speculative or editorial
comments about private citizens or outside entities, all of which are
beyond the scope of this rule. Likewise, the DoD will not comment here
on other DoD cybersecurity related programs, such as Zero Trust.
Some comments expressed appreciation for cybersecurity related
services that DoD provides free of charge, including protected DNS,
vulnerability scanning, and security alerts, but these programs are
outside the CMMC program. The government cannot comment on specific
implementation or documentation choices of an OSA. Comments on
alternate risk mitigation strategies such as product monitoring or
software testing are not within the scope of this rule text.
d. DoD Policies Supporting CMMC Implementation
Comment: Some comments addressed the DoD's internal policies and
training efforts to prepare the Government workforce for CMMC program
implementation. For example, some commenters opined that the rule's
focus on contractor responsibilities misses the true risk that lies
further up obscure supply chains. Another commenter recommended DoD
work with contractors in each sector to provide clear guidance on the
types of data that the Department would consider CTI. One commenter
requested DoD acknowledge that human factors influence DIB
cybersecurity while another stated DoD should provide uniform web-based
training at no cost to ensure applicable training requirements are
satisfactorily met. Another asked whether DoD PMs would receive CMMC
related training prior to implementation. Another comment asked whether
specific risk mitigating approaches, such as product monitoring or
software testing might suffice to manage supply chain risk considering
lack of visibility into the origins of 3rd and 4th tier components.
One commenter perceived the CMMC requirement for Program Managers
to identify the level of assessment requirement appropriate for a
solicitation as removing the contract award decision from the USD(A&S).
One commenter stated more information about procedures for implementing
CMMC into government-wide contracts is needed. Another commenter
expressed a need to use a basic contract that is unclassified, and any
CUI would be contained in a separate appendix to allow sub-contractors
to plan with their Prime to access the information on the Prime's
network and avoid requirements for their own CMMC certification.
Another comment recommended revisions to describe that medium
assurance certificates for incident reporting are a DFARS clause
252.204-7012 requirement, independent of CMMC program requirements.
Two commenters criticized the DFARS clause 252.204-7020 requirement
to allow ``full access'' to contractor facilities, systems, and
personnel for the purposes of DIBCAC assessment, or for damage
assessment following an incident, and recommended that the CMMC program
not include or rely on this authority.
Another commenter recommended that, prior to issuing a final rule
on CMMC, DoD work with other relevant agencies to integrate and
harmonize the numerous regulatory changes that impact contractors'
capacity to safeguard data and systems. One commenter suggested rule
publication be delayed until DoD articulates the benefit expected from
contractor compliance with the rule.
Response: All recommendations to revise other Government-wide or
DoD policies and programs are beyond the scope of the CMMC rule.
CMMC Program Requirements make no change to existing policies for
information security requirements implemented by DoD. Policies for CUI
and creation of program documentation, to include Security
Classification Guides and FedRAMP equivalency are separate from this
rule. Relevant policies include DoDI 5200.48 ``Controlled Unclassified
Information'' and DoD Manual 5200.45 ``Instructions for Developing
Security Classification Guides'' for example.\23\ Some comments
received lacked relevance to the rule's content, which is limited to
specific CMMC program requirements. Changes to FAR and DFARS
requirements are beyond the scope of this rule, as are the contents and
updating of DoD's FAQ and Procurement Toolbox web pages.
---------------------------------------------------------------------------
\23\ DoD Issuances (www.esd.whs.mil/DD/DoD-Issuances).
---------------------------------------------------------------------------
CMMC program requirements do not result in any change to which DoD
organization makes the contract award. Recommendations to adopt
standard DoD contracting procedures (i.e., to exclude CUI information
in the basic award) are not within the scope of this rule, which
outlines program requirements. The DoD limits the
burden of CMMC compliance by requiring annual affirmations rather than
annual assessments. Affirmations required for the CMMC program indicate
that a DoD contractor has achieved and intends to maintain compliance
with the applicable DoD information security requirements.
The CMMC program is designed only to validate implementation of the
information security standards in FAR clause 52.204-21, NIST SP 800-171
R2, and a selected subset of NIST SP 800-172 Feb2021. This rule does
not address the other DFARS clause 252.204-7012 requirements for cyber
incident reporting. The CMMC assessment framework will not alter,
alleviate, or replace the cyber incident reporting aspects of DFARS
clause 252.204-7012, which will remain effective where applicable.
Classified information is managed differently from CUI, and different
safeguarding regulations apply to these different categories of
information (each of which is defined in 32 CFR part 2002). CMMC
Program requirements are aligned to the requirements for safeguarding
of CUI and are unrelated to the requirements for safeguarding
classified information. ``Export Controlled'' is a category of CUI. To
the extent that a company generates information it considers
proprietary, but which is explicitly excluded from the definition of
CUI (see 32 CFR part 2002), no CMMC requirements would apply.
As the CMMC program requirements make no change to existing
policies for information security requirements implemented by DoD,
dialogues with industry to identify CUI are outside the scope of this 32
CFR part 170 CMMC Program rule. Several existing requirements directly
address the human factors of cybersecurity, particularly those in the
Awareness and Training, Personnel Security, and Physical Protection
domains. Additional training and education on the topics of CUI
safeguarding requirements, cybersecurity hygiene, and other useful
topics may be found at:
www.archives.gov/cui/training.html
https://securityawareness.usalearning.gov/
https://business.defense.gov/Resources/Be-Cyber-Smart/
OSAs may develop their own policies to validate completion of
training. Developing and providing cyber security awareness training is
not within the scope of the CMMC Program. DoD program managers will
receive training.
In support of 32 CFR part 170 CMMC Program final rule, DoD issued
guidance to reiterate the most appropriate information safeguarding
requirements for DoD information and the associated CMMC assessment
requirement for any given solicitation. Irrespective of CMMC Program
assessment requirements, when CUI is processed, stored, or transmitted
on contractor owned information systems, those systems are subject to
the security requirements of NIST SP 800-171, due to the applicability
of DFARS clause 252.204-7012. Program Managers have a vested interest
in knowing whether a contractor can comply with these existing
requirements to adequately safeguard DoD CUI.
Applicability of and compliance with DFARS clause 252.204-7020 is
beyond the scope of the CMMC Program. Implementation of the CMMC
Program does not require or rely upon DFARS clause 252.204-7020. The
existing assessments described in DFARS clause 252.204-7020 are
entirely different from those described in this rule. This rule
contains no cyber incident reporting requirements. Concerns related to
a CISA rule pertaining to cyber incident reporting are beyond the scope
of this rule and should have been submitted instead to the relevant
docket for that rule. The DoD has declined the recommendation to
address certificate requirements for the cyber incident reporting
requirements of DFARS clause 252.204-7012 in this rule. The DoD is
unable to comment on, balance with, or modify contractual or regulatory
requirements to comply with any other agency's future requirements.
The preamble of this rule articulates how contractor compliance
with CMMC will contribute to counteracting the cyber security threat.
Implementation of the CMMC Program will help protect DoD's FCI and CUI
that is processed, stored, and transmitted on non-Federal information
systems of defense contractors and subcontractors. Adequately securing
that information as required, down to the smallest, most vulnerable
innovative companies, helps mitigate the security risks that result
from the significant loss of FCI and CUI, including intellectual
property and proprietary data. Hence the implementation of the DoD CMMC
Program is vital, practical, and in the public interest. Working with
NIST and other regulatory authorities to align standards is beyond the
scope of this rule.
4. DFARS Requirements
Comment: Two commenters recommended the DoD fully implement CMMC
requirements to standardize contract requirements to avoid
proliferation of unique contract clauses across the Department. One
comment suggested the rule should state explicitly that CMMC
requirements do not apply to other agencies and advise DoD contractors
to seek legal guidance before complying with CMMC requirements if other
agency requirements also apply.
In addition, several commenters thought the 32 CFR part 170 CMMC
Program rule requirements lacked sufficient information about the
associated 48 CFR part 204 CMMC Acquisition rule requirements to
implement them. One person erroneously identified the DFARS clause
252.204-7021 as part of the 32 CFR part 170 CMMC Program rule, and one
person asked what additional rulemaking is needed to implement CMMC
requirements. Another person recommended close coordination and
synchronization between the two rules. One comment recommended the
contract clauses be simplified to be ``stand alone'', rather than
requiring cognizance of the 32 CFR part 170 CMMC Program rule content.
One commenter asked whether contractors must meet CMMC requirements
during the solicitation phase, or to view RFPs that contain CUI.
Another asked how DoD plans to integrate CMMC requirements into DoD's
Adaptive Acquisition Framework. One contractor disagreed with CMMC's
pre-award approach, and worried it could create a need to become
compliant in anticipation of future solicitations. This commenter
posited that any information designated as CUI after contract award
will create a ``chicken and egg'' dilemma for CMMC compliance. Other
comments asked whether conditional certifications would be weighted
differently than final certifications in the proposal evaluation and
award process and suggested that DoD provide 6 months advance notice
for all solicitations containing a CMMC requirement.
Some comments urged the DoD to describe how DoD will identify CUI
in solicitations and when CUI markings should apply in CSP or ESP
scenarios. They also requested modification of DoD contracting
procedures to provide criteria for identifying CUI information in each
contract award along with the corresponding CMMC assessment level. One
commenter inquired about the difference between implementing security
requirements and assessing compliance. Some comments pertained to other
DFARS contractual requirements, rather than CMMC requirements. For
example, some recommended changing DFARS clause 252.204-7012 to remove
the definition
of Covered Defense Information and to deviate from a requirement to
comply with the NIST SP 800-171 version current at the time of
solicitation. In addition, they asked about cost allowability for time
and materials or cost type contracts. Some comments posited that costs
for reassessment or recertification should be explicitly identified as
reimbursable in the 48 CFR part 204 CMMC Acquisition rule, while one
similar comment suggested that CMMC level 3 certification costs should
be allowable when CMMC level 3 requirements are initially implemented.
One comment addressed cyber incident reporting timelines for cloud
service providers and recommended that the DoD's FedRAMP moderate
equivalency policy be revised to align with DFARS clause 252.204-7012
timelines. Another asked whether the rule inadvertently omitted
requirements to assess compliance with DFARS clause 252.204-7012 cyber
incident requirements.
Other commenters asked for the CMMC contract clause verbiage, as
was subsequently published in the related 48 CFR part 204 CMMC
Acquisition rule. For example, some people asked whether CMMC
requirements would be levied in ID/IQ contract awards versus task order
awards, and GSA schedules. They asserted that adding CMMC clauses in
GSA schedules might inadvertently allow contracting officers to include
them in non-DoD issued task orders. Another opined that ID/IQ
contracting procedures might necessitate changing the CMMC level needed
for the base contract after its initial award, based on the needs of a
task order. One commenter incorrectly inferred that a single Program
Manager would make the CMMC level and type determination for every task
order issued against an ID/IQ. In addition, two comments suggested that
the DoD communicate with every current DoD contractor to identify which
CMMC level would apply to their existing contracts.
One company identified their specific DoD contract and asked
whether it would be cancelled absent CMMC compliance. Another asked
whether a current DFARS clause 252.204-7020 self-assessment score could
be submitted to meet a CMMC level 2 self-assessment requirement. They
also recommended elimination of the DFARS clause 252.204-7020
requirements when CMMC is implemented.
One commenter speculated about whether DoD's CMMC contract clauses
can be applied to DoD contractors that also make and sell the same
product to other US Government agencies. They noted that export
licenses do not restrict companies from providing product data to other
parties and posited that this might conflict with CMMC requirements.
One person asked about the potential for conflicts between CMMC clauses
and the Berry amendment and suggested that Berry amendment compliance
take precedence over CMMC clauses.
Response: Some comments received lacked relevance to the rule's
content, which is limited to specific CMMC program requirements.
Changes to FAR and DFARS requirements are out of scope of the 32 CFR
part 170 CMMC Program rule, as contractual changes would occur under
the 48 CFR part 204 CMMC Acquisition rule. This rule does not discuss
the Berry Amendment. The rule does not address recovery of assessment
costs because it does not make any change to 48 CFR 31.201-2.
This 32 CFR part 170 CMMC Program rule is not an acquisition
regulation, however, a CMMC Conditional Certification meets the CMMC
program certification requirements. Any comments related to contract
requirements should be directed to the related 48 CFR part 204 CMMC
Acquisition rule.
CMMC requirements apply to contracts that include FAR clause
52.204-21 or DFARS clause 252.204-7012 and result in processing,
storing, or transmitting of FCI or CUI on a contractor owned
information system. The CMMC program is not a verification program for
compliance with all requirements of DFARS clause 252.204-7012, rather,
its purpose is to ensure compliance with FAR clause 52.204-21, NIST SP
800-171 R2, and NIST 800-172 Feb2021 when applicable. The DoD does not
provide detailed instruction on how to implement specific solutions to
meet security requirements identified in the FAR clause or applicable
NIST requirements, which is determined by the OSA. Any deviation from
or change to DFARS clause 252.204-7012 is beyond the scope
of this rule.
Each of the teams responsible for developing these two CMMC rules
has reviewed both documents.
There are no CMMC requirements for reviewing FCI or CUI
solicitation material. Recommendations to adopt standard contracting
procedures for award of DoD contracts (i.e., to exclude CUI information
in the basic award) are outside the scope of this 32 CFR part 170 CMMC
Program rule. In support of the 32 CFR part 170 CMMC Program final
rule, DoD issued policy guidance to its program managers and
acquisition workforce to identify the appropriate CMMC requirement in
solicitations and contracts. The CMMC assessment level required does
not change based on acquisition lifecycle phase and is based on whether
FCI and CUI are processed, stored, or transmitted on contractor owned
information systems used in the performance of a contract.
Discussion of DoD's willingness to provide advance notice of CMMC
requirements or to remove the PM's discretion to include the CMMC level
that best suits program requirements is a 48 CFR part 204 CMMC
Acquisition rule matter and outside the scope of this rule. The CMMC
Level will be identified in the solicitation. Once attained, a CMMC
self-assessment or certification can be used in support of any number
of proposals and solicitations.
5. Litigation and False Claims
Comment: Some commenters expressed concern that CMMC implementation
would result in increased litigation by DIB companies or pursuit of
False Claims Act penalties by DoD against DIB companies. One commenter
erroneously believed that Mexico would participate in oversight of the
CMMC ecosystem, and that ``a flood of litigation'' may result from DIB
companies losing contracts due to non-compliance with CMMC
requirements. One commenter suggested that DoD should absolve
contractors from False Claims Act prosecution when differences are
found between C3PAO assessment results and a previously submitted
contractor self-assessment, due to potentially valid reasons for the
differing outcomes. Another suggested that DoD establish protections
from regulatory and legal liability related to cyber incidents when the
affected contractor has complied with relevant CMMC Program
requirements.
Response: The DoD lacks the authority to change the False Claims
Act, which is a Federal law that imposes liability on persons and
companies who defraud or knowingly submit false claims to the
government. Comments related to Safe Harbor provisions are outside the
scope of this rule.
Comments about potential industry litigation are also beyond the
scope of the final rule and the recommendations provided were not
appropriate for inclusion in this rule. Nothing in the rule prevents
frivolous private lawsuits, but the rule does provide that the CMMC AB
maintain an appeals process. The DoD has faithfully followed the formal
rulemaking process, to include completion of the public comment period.
Implementation of the CMMC program will be carried out objectively and
in accordance with the tenets of the
final rule. No foreign actors have any role in DoD's administration of
the program.
6. DoD Metrics
Comment: Several commenters inquired about the types of metrics the
DoD plans to use to monitor progress toward the DIB cybersecurity
objectives that the CMMC program was designed to meet. One asked
whether DoD's metrics would include testing, and another recommended
they capture changes in the population of DoD contractors caused by
cost impacts of CMMC implementation. Others referenced a December 2021
GAO Report that critiqued DoD's earlier attempts to implement the CMMC
program. Specifically, they cited the GAO's finding that, at that time,
DoD had not defined how it would analyze data to measure performance.
A comment recommended the DoD identify responses to other GAO
findings, which dealt with improvements to communications with industry
and metrics for program management. Another comment asked whether
management alignment within OSD, budget, and staffing of the CMMC
program office are adequate.
Two comments asked how many current contract awardees had received
notification or identification of CUI to be provided in performance of
their contracts, and asked which CMMC level would theoretically apply
to those contracts. Another asked the DoD to provide DIBCAC assessment
results data as a more relevant justification for the CMMC program than
the 2019 DoDIG report on DIB Cybersecurity.
Response: DoD's responses to the referenced GAO and DoD IG reports
are beyond the scope of this rule. Likewise, the DoD does not comment
on analysis methods supporting the DoD IG's conclusions. Publishing
DIBCAC assessment results is also beyond the scope of this rule, as
are CMMC Program effectiveness metrics and return on investment
calculations. The DoD is establishing CMMC assessment requirements as
part of a comprehensive effort to verify that underlying information
security requirements are met, as required, for all contractor owned
information systems that process, store, or transmit CUI or FCI in the
performance of a DoD Contract. DoD's calculation of ROI for the
security controls that CMMC will assess, and cost elasticity of the DIB
are also beyond the scope of this rule.
7. Phased Implementation of the Program
Comment: Many comments asked for additional explanation of DoD's
expected start and progression through phases of the CMMC
implementation plan. Several asked that the phase-in plan be extended.
One commenter asked whether contracts that would otherwise be
associated with CMMC Level 3 would include a CMMC Level 2 requirement
if issued prior to Phase 4 of the plan. Another misread the phase-in
plan to mean that self-assessments would no longer be permitted at Full
Implementation. One comment asked if the USG would be revisiting
acquisition timelines to add more time for due diligence to ensure all
entities meet CMMC requirements or have a POA&M in place.
Some commenters observed that DoD's intended dates for CMMC
implementation, as published in an earlier 48 CFR CMMC interim final
rule, are unachievable and must be changed via another CMMC DFARS rule.
Some commenters were confused by the differences between the dates of
implementation phases in the rule, and the seven years described in
cost estimates as necessary to complete implementation. Another
commenter asked why the rule only applies to DoD.
Some commenters suggested changes to prioritize different kinds of
contracts, programs, or companies earlier or later in the
implementation plan, rather than basing the phase-in on assessment
type. For example, one suggested capping the number of contracts with
CMMC requirements each year. Another suggested phasing in by increasing
the numerical assessment score required for compliance, with additional
time permitted for POA&M close-out beyond the current limit of 180
days. Another suggested reversing the phase-in to begin with CMMC Level
3. Several commenters requested extension of the phase-in plan to allow
more time. One speculated that ``tens of thousands'' of contractors
would require certification in less than 18 months. One commenter
suggested the DoD modify the timing of implementation for CMMC levels 2
and 3, and that DoD consider allowing sufficient time to develop a
robust CMMC ecosystem and demonstrate the CMMC model before full
implementation.
Flexibility in the implementation plan that allows Program Managers
and requiring activities to include CMMC requirements earlier in the
plan than will be mandated by policy also generated questions and
comments. Some commenters asked whether this could result in the DoD
applying CMMC requirements to previously awarded contracts or asked
that the rule specify they will apply only to new contracts. Another
asked about opportunities to renegotiate the contract ceiling price if
CMMC assessments are required for option period exercise. One commenter
asked that the rule be revised to exclude these flexibilities to result
in an ``on/off'' approach to implementation.
Another commenter asked what mechanisms the DoD would have to
change the pace of implementation or monitor the contracts that include
CMMC requirements.
Response: The DoD lacks the authority to implement CMMC as a
Federal-wide program. The 48 CFR part 204 CMMC Acquisition rule for
CMMC will be updated to align with this 32 CFR part 170 CMMC Program
rule and will modify DFARS clause 252.204-7021. CMMC Phase 1
implementation will commence when both the 32 CFR part 170 CMMC Program
rule and the 48 CFR part 204 CMMC Acquisition rule are in effect. Some
commenters may have overlooked that Sec. 170.3(e) states Phase 1
begins on the effective date of this 32 CFR part 170 CMMC Program rule
or the complementary 48 CFR part 204 CMMC Acquisition rule, whichever
occurs later. The implementation plan describes when CMMC level
requirements will appear in solicitations; it does not define a
timeframe by which all contractors must be certified. During the first
phases of the plan, a majority of CMMC requirements will be for self-
assessment.
In response to public comments, the DoD has updated the rule to
extend Phase 1 by 6 months, with appropriate adjustments to later
phases. DoD is not conducting Pilots in the updated CMMC implementation
plan. The phased implementation plan described in Sec. 170.3(e) is
intended to address ramp-up issues, provide time to train the necessary
number of assessors, and allow companies the time needed to understand
and implement CMMC requirements. DoD has updated the rule to add an
additional six months to the Phase 1 timeline. Phase 2 will start one
calendar year after the start of Phase 1.
The DoD's objective timeline to begin implementing the CMMC
requirements has been, and remains, FY2025. The implementation period
will consist of four (4) phases, 1 through 4, and is intended to
address any CMMC assessment ramp-up issues, provide the time needed to
train the necessary number of assessors, and to allow companies time to
understand and implement CMMC requirements. It is estimated that full
implementation of
CMMC by all defense contractors will occur over seven years, given the
number of DoD solicitations contractors respond to and are awarded each
year.
The four phases add CMMC level requirements incrementally, starting
in Phase 1 with Level 1 and Level 2 Self-assessments, and ending with
Phase 4 for Full Implementation, as addressed in Sec. 170.3(e)(4). By
Phase 3, all CMMC Levels 1, 2, and 3 will be included in some DoD
solicitations and contracts, but Level 3 requirements may be identified
for implementation as option period requirements rather than for
initial contract award. In Phase 4, DoD will include CMMC requirements
in all applicable DoD contracts and option periods on contracts awarded
after the beginning of Phase 4. As addressed in Sec. 170.18(a),
receipt of a CMMC Level 2 Final CMMC Status for information systems
within the Level 3 CMMC Assessment Scope is a prerequisite for a CMMC
Level 3 certification assessment.
CMMC self-assessment requirements build on the existing DFARS
clause 252.204-7020 requirement for basic safeguarding of CUI. CMMC
Level 3 requires advanced implementation, and the phase-in period
provides additional time for OSCs to achieve the higher standard. In
phase 4, which is full implementation, CMMC requirements must apply to
new contracts and option year awards. The DoD may choose to negotiate
modifications adding CMMC requirements to contracts awarded prior to
CMMC implementation, as needed. No changes to this rule are needed to
reflect existing contract administration processes. Questions on
specific contracting matters, including contract costs and funding, are
outside of the scope of this rule.
With the implementation of the final 32 CFR part 170 CMMC Program
rule and 48 CFR part 204 CMMC Acquisition rule, prospective DoD
contractors and subcontractors should be actively preparing for DoD
contract opportunities that will include CMMC Program requirements when
performance will require the contractor or subcontractor to process,
store, or transmit FCI or CUI. The respective phases of the
implementation plan provide adequate time to complete CMMC requirements
and DoD program requirements and timelines will dictate the programs
that may warrant CMMC Level 3 requirements during the phased
implementation of CMMC.
DoD considered many alternatives before deciding upon the current
CMMC implementation plan. The phased implementation plan is based on
CMMC assessment level and type, which DoD believes to be a fair
approach for all prospective offerors. Defining the phase-in based on
contract type, company size standard, or other potential bases could
lead to unfair advantage. Program Managers will have discretion to
include CMMC Status requirements or rely upon existing DFARS clause
252.204-7012 requirements, in accordance with DoD policy. The DoD will
monitor the Program Managers' exercise of this discretion to ensure a
smooth phase-in period. The decision to rely upon CMMC self-assessment
in lieu of certification assessment is a Government risk-based decision
based upon the nature of the effort to be performed and CUI to be
shared. Note that Sec. 170.20, Standards acceptance, states OSCs
that completed a DCMA DIBCAC High Assessment with a score of 110 and
aligned with CMMC Level 2 Scoping, will receive Final CMMC Status for a
Level 2 certification assessment.
As noted by one commenter, self-assessments against NIST SP 800-171
are already required, and verifying compliance with applicable security
requirements is necessary for the protection of DoD CUI. For all CMMC
independent assessments (i.e., Level 2 or 3), DoD policy guides Program
Managers in appropriately including these requirements in DoD
solicitations. DoD systems that support the procurement process can
identify the number of contracts issued that include any specific
clause. Such metrics for the CMMC Program are not within the scope of
this rule.
The seven-year timespan reflects the DoD's estimate for all defense
contractors to achieve CMMC compliance. The implementation plan ramps
up CMMC assessment requirements over 4 phases, such that the ecosystem
will reach maximum capacity by year four. One commenter referenced the
response to a specific comment to the 2020 CMMC rule. Those earlier
questions about the 2020 rule publication are no longer relevant due to
changes made in the more recent 2023 rule publication. DoD estimates
acknowledge that contractors with existing contracts may not receive
another contract award or even submit another proposal immediately.
The DoD has developed CMMC to increase consistency of
implementation of NIST SP 800-171 R2 and NIST SP 800-172 Feb2021.
Specifically, this rule provides extensive information on scoring
methodology, in an effort to improve self-assessments. The use of
independent C3PAOs further enforces consistency for those companies
that need to meet a CMMC Level 2 certification requirement. The DoD has
considered the suggestions and declines to modify the phase-in periods
based on total score required, or other criteria, which would not
provide the desired improvements in DIB cybersecurity.
The DoD notes the commenter's concern that self-assessments go away
after Phase 4. Requirements from earlier phases continue as each
additional phase is implemented. When applicable, self-assessments will
still be allowed, as appropriate, in Phase 4. This rule describes flow
down requirements to subcontractors. This rule makes no change to 48
CFR 252.204-7008.
8. Commercially Available Off-the-Shelf (COTS) Procurements
Comment: One comment suggested the definition of COTS should be
more explicitly defined or the model outlined in Sec. 170.2 should
encompass COTS products. Two comments questioned the exemption of CMMC
requirements for contracts or subcontracts exclusively for commercial
off-the-shelf (COTS) items. Others questioned applicability of CMMC
requirements to COTS procurements and/or purchases at or below the
micro-purchase threshold. Finally, one commenter questioned the
validity of a COTS exclusion, stating that no COTS components are
exempt from DoD's certification requirements from DISA or NSA.
Response: The term Commercially available off-the-shelf (COTS) is
defined in FAR part 2.101. Some comments pertained to content of the 48
CFR part 204 CMMC Acquisition rule, including applicability of CMMC
clauses to COTS procurements and/or those below the micro-purchase
threshold. Such comments are not within the scope of this CMMC 32 CFR
part 170 CMMC Program rule, which outlines program requirements and not
acquisition procedures. CMMC requirements do not apply to contracts and
subcontracts that are exclusively for the delivery of COTS products to
a DoD buyer. The exemption does not apply to a contractor's use of COTS
products within its information systems that process, store, or
transmit CUI. CMMC assessments are conducted on contractor owned
information systems to ascertain compliance with the designated FAR,
DFARS, and NIST requirements.
9. Specific Product Recommendations
Comment: One managed service provider expressed concern that the
specific tools they use to provide services might be considered
Security Protection Assets or generate Security Protection Data in the
context of CMMC assessment requirements, which might
result in clients electing to use their own tools and products in lieu
of the managed service provider. This commenter attached a list of more
than a dozen commercial products and tools they use as examples
associated with this concern. One commenter used their public comment
submission to submit materials marketing services their company can
provide, while another commenter suggested the rule direct readers to a
website listing all software, tools, and applications deemed ``safe and
cost effective'' by virtue of CMMC assessment.
Another commenter asserted that all companies need access to
cybersecurity solutions from DHS/CISA and grants to assist them in
buying Zero Trust technologies to protect CUI. Similarly, some
commenters recommended various other cybersecurity tools, programs, or
technologies that could be used to meet CMMC security requirements and
provide threat intelligence to DIB companies. Such recommendations
included portals used in conjunction with perimeter and privileged
access management systems. One commenter proposed delaying
implementation of the CMMC rule until all DoD contractors' system
architectures could be analyzed for possible implementation of Virtual
Machines, or Blockchain for secure data transmission, or hosting of all
CUI on DoD hosted platforms.
Response: The government cannot comment on specific products or
vendors, including marketing materials submitted via public comment.
However, companies that act as ESPs should note this rule does not
require CMMC assessment or certification of ESPs that do not process,
store, or transmit CUI. Services provided by an ESP are in the OSA's
assessment scope.
Comments pertaining to solutions available from other Federal
agencies or expressing a desire for grants to obtain Zero Trust
solutions or other cybersecurity solutions are also beyond the scope of
the CMMC rule. A wide range of technologies may be used to implement
CMMC requirements. DoD will not comment on specific OSA technology
choices. The Department declines the recommendation to review the
system architectures of all DoD contractors. The DoD did not modify the
rule to identify a repository of ``safe and cost effective'' software,
applications, and tools because a CMMC assessment does not evaluate
commercial products or services for those characteristics and the
government does not provide product endorsements.
10. Applicability
a. Systems Operated on Behalf of DoD and National Security Systems
Comment: The DoD received questions about whether CMMC requirements
apply to information systems that are designated as National Security
Systems, Defense Business Systems, or systems operated on the DoD's
behalf. In concert with those questions, one person recommended adding
NIST SP 800-53 R5 requirements to the rule for such systems. The
commenter further recommended expanding applicability of the rule to
include contractor-owned systems that directly affect DoD NSS. Two
commenters recommended edits to clarify that CMMC requirements do not
apply to NSS or to government systems operated by contractors on the
DoD's behalf.
One commenter asked if a Cloud Service Provider that stores CUI
would have to be at Impact Level 4 in accordance with the DISA Cloud
Computing Security Requirements Guide.
Response: The CMMC assessment requirements apply in conjunction
with FAR clause 52.204-21 and DFARS clause 252.204-7012 requirements
and provide a mechanism for verifying compliance with the security
requirements for safeguarding FCI or CUI (e.g., NIST SP 800-171) levied
by those clauses.
The CMMC Program does not alter any additional security
requirements that may be applicable to contractor-owned information
systems that may also meet the criteria for designation as NSS.
There is no conflict between the CMMC rule and the DISA Cloud SRG,
which applies to contractor information systems that are part of
Information Technology (IT) services or systems operated on behalf of
the Government. The CMMC rule does not apply to those systems (Sec.
170.3(b)). The DoD declines to modify the rule because the
applicability section already states this rule applies to contractor-
owned information systems.
b. Infrastructure Entities
Comment: Many commenters had concerns about CMMC's potential impact
to the energy and electric industries, Internet Service Providers
(ISPs) and small, disadvantaged businesses looking to contract with the
DoD, especially given dependencies on appropriate marking of Controlled
Unclassified Information (CUI).
Another commenter referenced Executive Order 13175, ``Consultation
and Coordination with Indian Tribal Governments'' and requested
information on CMMC impact to and potential exemptions for Native
American and small disadvantaged contractors. Another commenter stated
that some small businesses may stop providing cost estimating services
to Federal agencies due to ``threatened penalties'' under CMMC
requirements.
One commenter recommended adding the definition of the defense
industrial base (DIB), and referenced the Cybersecurity and
Infrastructure Security Agency definition, which explicitly excludes
commercial infrastructure providers from their definition of the
Defense Industrial Base Sector. One commenter stated the lack of
clarity around requirements for electric cooperatives under the CMMC
framework is causing concern about unanticipated cost impacts for these
smaller entities. The commenter requested that DoD provide contractors
the ability to recover unanticipated costs incurred to achieve CMMC
certification.
Another commenter asked about potential CMMC exemptions for
telecommunications providers, specifically for end user encryption. The
commenter stated the DoD needs to impose CUI encryption requirements on
the relevant contractors and not telecommunications network providers,
who have no control over whether a user encrypts the information sent
over those networks. The commenter also noted that definitions of
``common carrier'' vary across Federal Government and suggested the DoD
should create a blanket exemption for contracts involving commercial
communications networks that are not ``purpose-built'' to transmit
sensitive government data. Another commenter suggested the CMMC Rule
should further clarify that encryption must be configured such that the
common carrier does not have access to the decryption key(s).
Several commenters requested clarity around CUI, citing general
confusion among industry about which CUI is subject to the CMMC
Program. Some commenters interpreted the rule as proposing to apply to
all CUI information, rather than just information handled by the
contractor ``in support of a defense contract'' and asserted that this
would be an expansion beyond the current DFARS clause 252.204-7012
requirements. They further suggested this broad definition could result
in companies applying costly controls to all apparent CUI, regardless
of its association with DoD, to avoid penalties under the False Claims
Act. They recommended clearly
stating that CUI provided to contractors by non-DoD agencies should be
subject to the requirements of those agencies and not the CMMC Program.
A commenter said the electric industry will experience increased
costs as electric utilities comb through vast amounts of data across
the electric grid to determine all potential CUI, even if that CUI is
not specifically subject to a DoD contract. One commenter stated that
guidance DoD has provided for electric utilities to identify CUI in the
past is insufficient and suggested that use of Security Classifications
Guides could help by minimizing the need for CMMC compliance. In
addition, they speculated that inclusion of CMMC requirements could
create requirements after award which might require adjustments to
contract price. Another commenter stated energy companies servicing
military customers must develop governance programs around data
protection years in advance, with significant investments. The
commenter is concerned that CMMC requires these companies to make these
large investments prior to knowing if a proposed contract may contain
CUI and without adequate guidance about what data is considered CUI.
Response: This rule has no disproportionate impact on Native
American-owned businesses. Once identified as a requirement, the CMMC
Level will apply uniformly to all prospective competitors. DoD must
enforce safeguarding requirements uniformly across the Defense
Industrial Base for all contractors and subcontractors who process,
store, or transmit CUI. The value of information (and impact of its
loss) does not diminish when the information moves to DoD contractors
and DoD subcontractors, regardless of their status as Native American
or small disadvantaged businesses.
The CMMC Program rule does not include ``threatened penalties.'' If
a requirement of a DoD contract is not met, then standard contractual
and other remedies applicable to that contract may apply.
CMMC Program requirements make no change to existing policies for
information security requirements implemented by DoD. Policies for CUI
and creation of program documentation, to include Security
Classification Guides, are separate from this rule.
Section 170.4(b) of the rule states Defense Industrial Base (DIB)
is defined in 32 CFR part 236, which addresses DoD and DIB Cyber
Security Activities. Section 236.2 includes the DoD approved definition
for DIB.
The CMMC Program applies only to DoD contracts that include the
DFARS clause 252.204-7021 and under which FCI or CUI is processed,
stored, or transmitted on contractor information systems.
This includes CUI outside the category of the Defense
Organizational Index Group. Contracts for the provision of electricity
or other utilities which do not contain FAR clause 52.204-21 or DFARS
clause 252.204-7012 and which do not require the processing, storing,
or transmitting of FCI or CUI on contractor owned information systems
will not require CMMC assessment. The CMMC rule makes no change to FAR
cost allowability or cost accounting standards. The 32 CFR part 170
CMMC Program rule has been updated to add ``in performance of the DoD
contract'' to Sec. 170.3, and the 48 CFR part 204 CMMC Acquisition
rule will provide the contractual direction.
A common carrier's information system is not within the
contractor's CMMC Assessment Scope if CUI is properly encrypted during
transport across the common carrier's information system. A common
carrier who is a DoD contractor or subcontractor is responsible for
complying with the CMMC requirements in their contracts. CUI encryption
requirements already apply to the OSA, not the telecommunications
network provider. The lack of adequate encryption on the part of the
OSA would not trigger application of CMMC requirements to the common
carrier's network. The term ``common carrier'' appears in the comment
section to a previous rulemaking process. Its definition and use are
taken from CNSSI 4009. Efforts to define it or related terms by other
agencies are outside the scope of the CMMC Program. Commenter scenarios
where a common carrier would be privy to an OSA's encryption keys are
unrealistic. DoD declines to provide additional guidance.
CMMC Program requirements make no change to existing policies for
information security requirements implemented by DoD. Policies for CUI
and creation of program documentation, to include Security
Classification Guides, are separate from this rule. Relevant policies
include DoDI 5200.48 ``Controlled Unclassified Information'' and DoD
Manual 5200.45 ``Instructions for Developing Security Classification
Guides''. CMMC Program requirements will be identified as solicitation
requirements. Contractors will be required to meet the stated CMMC
requirements, when applicable, at or above the level identified. For
this reason, it is up to each DIB organization to determine which CMMC
level they should attain.
Questions regarding specific contractual matters are outside of the
scope of this rule and may be addressed by the 48 CFR part 204 CMMC
Acquisition rule. The CMMC program will be implemented as a pre-award
requirement.
c. Joint Ventures
Comment: Two commenters requested clarification as to whether CMMC
requirements will apply to companies engaged in Joint Ventures.
Response: CMMC program requirements are applicable when DoD
requires processing, storing, or transmitting of either FCI or CUI in
the performance of a contract between DoD and the respective
contractor. CMMC Program requirements will apply to information systems
associated with contract efforts that process, store, or transmit FCI
or CUI, and to any information system that provides security
protections for such systems, or information systems not logically or
physically isolated from all such systems. The identity of an offeror
or contractor as a joint venture does not in and of itself define the
scope of the network to be assessed.
d. Fundamental Research Efforts
Comment: One commenter recommended that both the sharing of CUI and
the decision to apply a CMMC compliance assessment should only be
considered for contracts of sufficient contract value and performance
period to make the expense of safeguarding CUI worthwhile. This
commenter asserted that small businesses are selected for SBIR contract
award not based on ability to protect information, but instead on the
unique product or service they offer.
Some commenters expressed concern that CMMC could result in state-
funded universities incurring costs to comply with CMMC level 2, while
even the costs for implementing required FCI safeguarding requirements
are a significant financial burden. These commenters speculated that
applying FCI or CUI markings to fundamental research information would
negatively impact academic institutions by requiring them to remove
such data from the public domain. This commenter cited DFARS clause
252.204-7000 as rationale to modify the CMMC rule to exclude
fundamental research.
One commenter requested that when contracting for fundamental
research, the Government include a CMMC requirement based only on
whether information shared is currently FCI or
CUI, and not whether the effort might lead to development of FCI or
CUI. Another commenter requested that DoD issue policies clearly
describing how to recognize or identify circumstances that could result
in fundamental research becoming FCI or CUI such that it would require
being processed, stored, or transmitted on CMMC compliant information
systems. The commenter expressed concern that absent such policies,
research institutions may house all DoD-related project activities in
CUI enclaves ``out of an abundance of caution'', thereby unnecessarily
expanding CUI applicability at significant cost. They asked that DoD
Instruction 5200.48, ``Controlled Unclassified Information,'' and a
related DoD policy memorandum ``Clarifying Guidance for Marking and
Handling Controlled Technical Information in accordance with Department
of Defense Instruction 5200.48, `Controlled Unclassified Information''
be incorporated into the rule by reference.
One commenter questioned whether and how CMMC requirements may
apply to non-contract efforts, including grants, or efforts conducted
under Other Transactional Authorities.
Response: One of the main purposes of the CMMC Program is to ensure
that DoD contracts that require contractors to safeguard CUI will be
awarded to contractors with the ability to protect that information.
All contractor-owned information systems that process, store, or
transmit CUI are subject to the requirements of NIST SP 800-171 when
DFARS clause 252.204-7012 is included in the contract. This is the case
whether or not the contractor is engaged in fundamental research.
To the extent that universities are solely engaged in fundamental
research that only includes information intended for public release and
does not include FCI or CUI, no CMMC requirement is likely to apply.
When a research institution does process, store, or transmit FCI, the
information should be adequately safeguarded in accordance with the FAR
clause 52.204-21, if applied. When a research institution does process,
store, or transmit CUI, the information should be adequately
safeguarded in accordance with the DFARS clause 252.204-7012, if
applied. That clause makes the contractor-owned information system
subject to NIST SP 800-171, which includes requirements for Awareness
and Training (AT) and Physical Protection (PE). The CMMC Program
provides a means to verify compliance.
DoD's CUI program policies already address responsibilities for
identifying and marking information, including procedures for changing
markings. The DoD declined to incorporate all the references associated
with marking and handling CUI. The DoD instructions and policy guidance
are authoritative and incorporating them into the CMMC regulation is
beyond the scope of this rule. DoD declines to update the preamble to
exclude the possibility that information may be designated CUI over the
course of time. According to A&S memo dated 31 March 2021, titled
Clarifying Guidance for Marking and Handling Controlled Technical
Information in accordance with Department of Defense Instruction
5200.48, ``Controlled Unclassified Information,'' ``Information related
to RDT&E-funded research efforts, other than fundamental research, do
not always qualify as CUI.'' This implies that some DoD fundamental
research may qualify as CUI. When the DoD does determine that research
meets the definition of CUI, safeguarding requirements of DFARS clause
252.204-7012 will apply regardless of whether the contractor's work is
fundamental research. In such instances, CMMC assessment requirements
may also be applied. Contractors should work closely with Government
Program Managers to ensure a proper understanding of the data being
developed and the appropriate markings and safeguarding.
Questions regarding the application of CMMC requirements to
specific transactions, including grants and OTAs, are outside of the
scope of this 32 CFR part 170 CMMC Program rule.
e. DoD Waiver of CMMC Applicability
Comment: Several questions were submitted about waiver procedures
for CMMC requirements. For example, someone asked which DoD person or
office has authority to approve waiver requests. Others also requested
insight into the specific criteria for waiver approval. One commenter
submitted preferred rewording of the rule section that describes
waivers while another suggested self-assessment should be required even
when certification is waived.
Response: DoD internal policies, procedures, and approval
requirements will govern the process for DoD to waive inclusion of the
CMMC requirement in the solicitation. Once applicable to a
solicitation, there is no process for OSAs to seek waivers of CMMC
requirements from the DoD CIO. In accordance with Sec. 170.5(d), a
limited waiver authority is provided to the Acquisition Executive with
acquisition oversight for the program in question. These officials may
issue supplemental guidance dictating specific coordination
requirements for waiver requests. Recommended administrative changes
have been incorporated into Sec. 170.5(d) to add clarity.
11. Determination of Applicable Assessment Type
a. Process for Level Determination
Comment: Multiple comments asked how DoD will determine the CMMC
level to include in solicitations. Multiple comments inquired about the
criteria DoD will use to determine when to require a CMMC Level 2 self-
assessment, CMMC Level 2 certification, or CMMC Level 3 certification
assessment. Multiple comments asked specifically about when CMMC Level
2 self-assessment will be required versus CMMC Level 2 Certification.
One comment requested more information on which companies may ``self-
attest''.
One comment requested Sec. 170.5(a) be modified to prevent CMMC
level 2 or 3 being assigned for contracts where only FCI is exchanged.
One comment emphasized that requirement(s) for Contractor certification
levels must be the same as stated throughout this proposed ruling. Two
comments recommended providing contracting officers with interim
guidance to ensure consistency in applying CMMC requirements. One
comment requested the detailed guidance ensure CMMC requirements are
selected based on risk, and that certification is not required by
default.
Some commenters objected to the wording of one criterion for level
selection as ``potential for and impacts from exploitation of
information security deficiencies''. One asserted this equates to a
sub-CONFIDENTIAL security classification. One comment expressed that
all information systems that process CUI should have the same level of
``program criticality, information sensitivity, and the severity of
cyber threat'' since CUI is Unclassified Information which is a
``handling caveat''.
Multiple comments requested a clearer description of what contracts
require CMMC Level 3 Certification, one of which requested a definition
of what constitutes a ``priority program'' that might require CMMC
Level 3. One comment requested that acquisition processes first analyze
the CUI for a proposed effort using published factors for aligning CUI
to high value assets before setting CMMC levels. They asserted use of
such published factors would improve accuracy of CUI marking.
Response: Pre-award contracting procedures and processes for CMMC
assessment requirements will be addressed in the 48 CFR part 204 CMMC
Acquisition rule. CMMC is a pre-award requirement. As stated in the
Applicability section summary of the CMMC rule (Sec. 170.3), once CMMC
is implemented in the 48 CFR part 204 CMMC Acquisition rule, DoD will
specify the required CMMC Level in the solicitation and the resulting
contract.
DoD's policies and procedures for the length of time allowed for
proposal submission in response to any solicitation are beyond the
scope of this rule. PMs typically consider the totality of the
requirement when deciding how much time to allow for proposal
submission or whether to seek industry input through Request for
Information to inform solicitation details. Note that once attained,
companies may reference a CMMC Status as part of any number of
proposals to various solicitations with that level of CMMC requirement
if the same assessment scope is used.
The type and sensitivity of information to be utilized during the
contract, FCI or CUI, determines the requirements in the solicitation,
which then informs the CMMC level required. CMMC level 1 requirements
are designed to be applied when FAR clause 52.204-21 security
requirements apply to the contract, whereas CMMC level 2 and 3
requirements are designed for the protection of CUI information, and to
be applied when DFARS clause 252.204-7012 also applies.
When CMMC Program requirements are effective, the DoD will begin
including CMMC assessment requirements in solicitations as described in
Sec. 170.3 Applicability. DoD solicitations will specify which
requirements will apply to the contract award. Prior to issuance of a
solicitation, DoD will determine the appropriate CMMC level and type of
assessment needed to ensure adequate safeguarding of the DoD program
information to be shared in performance of the contract. Identification
of the CMMC level and assessment type will be part of the DoD's
requirement definition process. As addressed in Sec. 170.18(a) of this
rule, a CMMC Level 2 Final CMMC Status is a prerequisite for CMMC Level
3 assessment and must be achieved for information systems within the
Level 3 Assessment Scope.
Identification of priority programs is a function of the
requirements definition process for any DoD effort. The DoD will issue
policy guidance to Program Managers to clarify which programmatic
indicators should be considered for selecting the most appropriate
information safeguarding requirement and associated CMMC assessment
requirement for any given solicitation. Once identified as a
requirement, the CMMC Status required will apply uniformly to all
prospective competitors.
b. Who Determines the CMMC Level
Comment: Two comments asked who, within the Department, determines
the CMMC level required for a contract. One comment suggested that DoD
should require senior-level approval to include CMMC Level 3
Certification requirements in solicitations to limit unnecessary
application. One comment inquired about when and how CMMC levels change
during the program office's Agile Acquisition Framework lifecycle.
Response: Based on DoD decision criteria that include the type and
sensitivity of program information to be shared, Program Managers will
identify and coordinate as appropriate the CMMC requirement in the
solicitation. Internal policies for implementation of CMMC requirements
by DoD's acquisition community have been developed, and work will
continue as needed to integrate CMMC policies into relevant acquisition
policies, guidebooks, and training materials. The DoD intends that
requiring activities will determine when compliance should be assessed
through CMMC Level 3 as part of the ordinary acquisition planning and
requirements generation process.
The CMMC assessment level required does not change based on
acquisition lifecycle phase, but based on whether FCI and CUI are
processed, stored, or transmitted on contractor-owned information
systems. All contractor-owned information systems that process, store,
or transmit CUI are subject to the requirements of NIST SP 800-171 when
DFARS clause 252.204-7012 is included in the contract.
c. CMMC Level 3 Determination
Comment: Multiple comments requested further clarification about
which types or categories of CUI require enhanced protection against
Advanced Persistent Threats (APTs) at CMMC Level 3 and whether the CMMC
level would be based on the Program or the data. Two comments expressed
concern or asked how DoD Components will avoid assigning CMMC Level 3
requirements to too many contracts. One comment recommended that DoD
modify its criteria for CMMC Level 3 to consider factors such as
Acquisition Program Category.
Response: CMMC levels do not correspond to CUI levels as the CMMC
Program requirements make changes to neither the CUI Program,
categories of CUI, nor existing DoD policies for information security
requirements. The CMMC flow-down requirement is defined in Sec.
170.23.
The Requiring Activity knows the type and sensitivity of
information that will be shared with or developed by the awarded
contractor and selects the CMMC Level required to protect the
information according to DoD guidance.
The DoD declines to modify CMMC Level 3 selection criteria as
described in the commenters' recommended alternatives, which have no
bearing on DoD's need for increased confidence in a contractor's
ability to safeguard certain CUI against Advanced Persistent Threats.
The value of information, and impact of its loss, does not diminish
based on the total number or dollar value of contracts held by the
awardee, or acquisition program category. The DoD reserves the right to
decide when compliance should be assessed by the Government through
CMMC Level 3 certification. The DoD defines the work requirements to be
solicited for any given program contract.
d. Environments Processing Both FCI and CUI
Comment: Two commenters recommended the elimination of separate
assessments when the FCI and CUI environments are the same. One of
these comments requested clarification regarding the scenario of an OSC
having one assessment scope environment for both FCI and CUI that meets
Level 2 requirements.
Response: CMMC Level 2 is required when CUI will be processed,
stored, or transmitted on contractor information systems. Successful
completion of a CMMC Level 2 self-assessment or CMMC Level 2
certification assessment will suffice to meet the CMMC Level 1
requirement for FCI if/when the scope is identical. The CMMC Level 2
Scoping Guide reflects this language.
e. Recommendations and Scenarios
Comment: One comment recommended removing CMMC Level 2 self-
assessment, changing the CUI Program, or creating a new type of CUI to
distinguish between CMMC Level 2 self-assessment and CMMC Level 2
Certification. Another comment noted that the requirements for CMMC
Level 2 certification assessment are almost identical to requirements
for CMMC Level 2 self-assessment. One comment expressed concern that
DoD's designation of CMMC Level 2 self-
assessment and certification assessment runs contrary to FCI (FAR
requirements) and the CUI Program. One comment asked if the designation
of information as FCI or CUI changes the scope of CMMC.
One comment asked for clarification on which contracts will have
sensitive unclassified DoD information but will not require CMMC
assessment. One comment recommended removing the option for CMMC Level
2 self-assessments to reduce complexity. One comment posed multiple
questions about what DoD will do if contracting officers assign CMMC
Level 2 or CMMC Level 3 Certification requirements at a rate
substantially higher than projected.
Response: The DoD CIO looked at CUI from a risk-based perspective
and determined that different approaches to assessments could be
implemented to address risk and help lower the burden for the DIB. The
security requirements for a CMMC Level 2 self-assessment and a CMMC
Level 2 certification assessment are the same; the only difference in
these assessments is whether it is performed by the OSA or by an
independent C3PAO.
The decision to rely upon self-assessment in lieu of certification
assessment is a Government risk-based decision based upon the nature of
the effort to be performed and CUI to be shared. The size of the
company with access to the CUI is not a basis for this determination.
The value of information (and impact of its loss) does not diminish
when the information moves to contractors of smaller size. The DoD
declines to modify the rule to include its internal decision process.
To select a CMMC Level for a procurement, Program Managers and
requiring activities will identify the applicable CMMC Level using the
factors included in Sec. 170.5(b)(1) through (5). The DoD did agree
with one comment to rephrase Sec. 170.5(b)(4) to delete a reference to
the ``potential for'' impact from exploitation of information security
deficiencies, which likely cannot be effectively determined. The DoD
does not agree that the wording equates to a sub-CONFIDENTIAL
classification and declines to delete that criterion. Sec. 170.5(b)(3)
is appropriately worded in that it states Program Managers will
consider the listed criteria in selecting a CMMC requirement level. It
does not have the effect of ``transforming FCI into CUI''. The DoD
reserves the right to define the criteria for selection of the CMMC
assessment requirement, just as it defines all other requirements for
inclusion in a solicitation.
The Department remains committed to implementing the CMMC program
to require compliance assessment against applicable security
requirements in all DoD contracts involving FCI or CUI. Some such
contracts will require only a CMMC self-assessment, while others will
require a certification assessment. The commenter misinterprets the rule:
no contract that requires processing of FCI or CUI will be exempt from
CMMC assessment of either kind unless a waiver has been approved.
The DoD declines to remove self-assessments from the rule. Self-
assessments allow the acquiring organization to balance the cost and
complexity of assessment with the risk to the information being shared
with the OSA.
Supporting guidance for CMMC implementation will be updated, as
necessary. DoD has options to mitigate implementation issues such as
waivers and other contractual remedies. DoD's estimate for the number
of contractors requiring CMMC Level 1 and cost estimates represent
derived estimates based on internal expertise and public feedback in
accordance with OMB Circular A-4.
12. Flow-Down/Applicability to Subcontractors
a. Applicability and Compliance
Comment: Several comments requested clarification about the
applicability of CMMC requirements to subcontractors and how to
correctly flow down requirements. Some asked whether prime contractors
would have flexibility to flow down a lower CMMC level than required
for the prime contract. Three comments expressed confusion about the
type of Level 2 assessment required for subcontractors when supporting
a prime that is required to meet CMMC Level 3 requirements. Two asked
about the impact to flow-down when contractors hold multiple contracts.
A couple of comments requested clarity on how to determine the correct
CMMC level to flow down.
Some comments asked what factors would result in flow-down of a
particular CMMC requirement level, or whether affirmations submitted by
primes would require knowledge of subcontractor compliance status.
Other comments asked what tools would be available to assist
contractors in checking subcontractor compliance with CMMC requirements
or suggested that SPRS should be made available for this purpose. One
suggested that without this transparency, CMMC compliance would become
a meaningless effort to ``check the box'' without actual steps to
secure their systems. Another simply asked if they would have their own
SPRS and eMASS access, or access through their prime. Some asked what
action meets the rule's requirement to ``require subcontractor
compliance'', i.e., does simply including the CMMC clause in
subcontracts meet that requirement.
One comment objected to the definition of subcontractor used in the
rule, which they stated was overly broad and would result in
application of CMMC requirements to too many businesses. Some comments
suggested the flow-down requirement apply only to one sub-tier, while
another requested advance notice of solicitations that plan to include
CMMC requirements. One comment suggested that CUI be treated more like
classified information, meaning to limit sharing of CUI with
subcontractors. Some comments asked whether prime contractors are
responsible for verifying subcontractor compliance with DFARS clause
252.204-7012, as C3PAOs do during an assessment. Two comments
recommended rephrasing the flow-down section, with one specifically
asking to clarify it is required only when FCI or CUI will be
processed, stored, or transmitted in the performance of any particular
prime contract. Another suggested edits for clarity or for consistency
with DFARS clause 252.204-7012.
Response: It is up to each OSA to protect FCI and CUI and to
determine the assessment boundary, policies, and procedures necessary
to do that. Section 170.23 specifically addresses the CMMC requirements
that apply to subcontractors that will process, store, or transmit FCI
or CUI. Section 170.23 addresses flow down of CMMC requirements from
the prime contractor to the subcontractors in the supply chain. Prime
contractors are responsible for complying with contract terms and
conditions, including the requirement to flow down applicable CMMC
requirements to subcontractors. The DoD modified Sec. 170.23(a)(3) to
clarify that when a subcontractor will process, store, or transmit CUI
in performance of the subcontract and the Prime contractor has, for the
associated prime contract, a requirement of Level 2 certification
assessment, then CMMC Level 2 certification assessment is the minimum
requirement for the subcontractor. Requirements for External Service
Providers are defined in Sec. 170.4; not all companies that provide
services to an OSA are considered ESPs.
As in other contexts, the Government may specify additional
guidance in the solicitation. CMMC assessments will be identified as
pre-award requirements. Subcontractors at each tier are responsible for
submitting their own assessment and affirmation information in SPRS.
CMMC self-assessments and certifications will be reflected in SPRS,
including an indicator of the currency of the credentials. Contracting
Officers and Program Managers need not review any assessment artifacts,
only the resulting scores and certificate validity period.
Work arrangements between the prime and subcontractor are beyond
the scope of this rule, however, if CUI is flowed down and will be
processed, stored, or transmitted on subcontractor information systems
in the performance of a DoD contract then CMMC requirements also flow
down as described in Sec. 170.23. The DoD will not track progress
toward certification but will implement CMMC as a pre-award
requirement. An OSA's pursuit of a C3PAO assessment is a business
decision to be made by each contractor considering the contract
opportunities it wishes to pursue.
The DoD disagrees with one commenter's assertion that CMMC
requirement will flow down ``regardless of what work they do'', because
it does not acknowledge the point that flow-down requirements are for
subcontractors who process, store, or transmit CUI. The text of Sec.
170.23, clearly conditions the flow-down to those cases when a
subcontractor will process, store, or transmit FCI or CUI. The prime
contractor's responsibility is to flow down CMMC assessment
requirements as described in Sec. 170.23 and to ensure that FCI and
CUI are not further disseminated to subcontractors that do not meet the
CMMC requirement indicated in Sec. 170.23. Likewise, subcontractors
must also flow down CMMC requirements and ensure that FCI and CUI are
not further disseminated to subcontractors that do not meet the CMMC
requirement indicated in Sec. 170.23. Section 170.23 has been revised
to make this clearer. DoD declines to accept the recommendation to
treat CUI like classified data. Classified information is managed
differently from CUI, and different safeguarding regulations apply to
these different categories of information (each of which are defined in
32 CFR part 2002).
This rule makes no change to CUI policies for marking of data, and
CMMC levels are not CUI categories in the DoD CUI registry. Primes and
their subcontractors must understand flow-down requirements based on
Sec. 170.23, which clearly identifies requirements that apply when
subcontractors will process, store, or transmit CUI in performance of
the subcontract and the Prime contractor has a requirement of Level 3
certification assessment (i.e., CMMC Level 2 certification assessment
is the minimum requirement for the subcontractor). In addition, the
rule has been revised to make clear that the requirement applies in the
performance of a subcontract when the relevant prime contract has a
CMMC requirement. The rationale for the minimum level 2 certification
flow-down requirement is that the DoD made a risk-based decision not to
mandate flow down of the level 3 requirement unless explicit guidance
is provided to do so. As stated in Sec. 170.23(a)(3), when a Prime
contractor has a requirement of Level 2 certification, any CUI that is
flowed down for a subcontractor to process, store, or transmit in
performance of the subcontract will also carry a minimum requirement of
Level 2 certification assessment.
CMMC Program requirements will be identified as solicitation and
contract requirements, and contractors will be required to meet the
stated CMMC requirements, when applicable, at or above the level
identified. One commenter misinterpreted a response to a prior public
comment. The quoted content says that contractors and subcontractors
each must verify (through CMMC assessment) that all applicable security
requirements of NIST SP 800-171 required via DFARS clause 252.204-7012
have been implemented. Contractors are not required to assess
subcontractor implementation of the requirements of NIST SP 800-171.
The prime contractor's responsibility is to flow down CMMC assessment
requirements as described in Sec. 170.23 and also to refrain from
disseminating FCI or CUI to subcontractors that have not indicated
meeting the CMMC level described in that section for the type of
information to be shared. Likewise, subcontractors must also flow down
CMMC requirements or refrain from disseminating FCI or CUI. The DoD
does not provide SPRS access or other tools for contractors to identify
the CMMC status of other companies. The DoD expects that defense
contractors will share information about CMMC status with other DIB
members to facilitate effective teaming arrangements when bidding for
DoD contracts.
Prime contractors will not be granted access to subcontractors'
information in SPRS. However, prime contractors should communicate
early and often with prospective subcontractors to confirm current CMMC
status, including whether the level matches that required. This
interaction does not involve the government and is beyond the scope of
this rule.
This rule follows the format and includes all sections required in
OMB guidelines for formal rulemaking. The DoD lacks authority to modify
the template or omit required sections, which results in some
repetition.
DIB contractors are responsible for submitting their Level 1 and
Level 2 self-assessments and will access SPRS to enter the results. DIB
contractors do not have access to CMMC eMASS, as that system is used to
support certification assessments only.
CMMC Program requirements are designed to require completion of an
assessment and an annual affirmation. The purpose of the annual
affirmation addressed in Sec. 170.22 is to validate to the DoD that
the contractor is actively maintaining its CMMC level status, which is
more than a checkbox exercise.
One commenter misinterpreted the quoted definition of
subcontractor, which makes clear that term includes only those entities
providing supplies, materials, equipment, or services under a
subcontract in connection with the prime contract. DFARS clause
252.204-7012 and FAR clause 52.204-21 also flow down the requirement to
safeguard information. CMMC program requirements will be flowed down
similarly, therefore there is no anticipated expansion of scope. The
cost estimates included in the published rule include costs for both
existing DIB members and new entrants (or newly covered entities).
The DoD modified the Overview summary of CMMC 2.0 to read ``The
DFARS clause 252.204-7012 also requires defense contractors to include
this clause in all subcontracts that will require the subcontractor to
process, store, or transmit CUI.'' The DoD declined additional edits in
this location that requested reframing the criteria Program Managers
will use to select CMMC requirements to address Levels 2 and 3 only. The
DoD may apply CMMC Level 2 or 3 requirements when there is anticipation
of the need for the contractor or subcontractors to process, store, or
transmit CUI during the performance of a contract.
b. Prime and Subcontractor Relationships
Comment: Many requested specific examples of when a prime
contractor should flow down its CMMC requirements to a subcontractor or
ESP, and how to determine the appropriate CMMC level to flow down. For
example,
one comment asked whether the subcontract document would require
safeguarding, necessitating flow-down of the CMMC requirement. Some
comments expressed concern that flow-down requirements are not
sufficiently clear to prevent prime contractors from unnecessarily
sharing CUI and applying CMMC requirements to lower tier suppliers.
Another thought that the flow-down requirements will drastically expand
the scope of the program and drive cost increases for the DIB.
Several comments suggested strategies for minimizing the burden of
security implementation on lower tier subcontractors, such as requiring
prime contractors to provide access to CUI on prime contractor systems,
or prohibiting prime contractors from unnecessarily sharing CUI
information that would necessitate a CMMC requirement. One asked
whether the prime contractor has a responsibility to check which CMMC
level the subcontractor has flowed down to the next tier. One comment
referenced industry activities aimed at gauging subcontractor
preparedness for CMMC and expressed concern with anecdotal evidence
that primes will not issue orders until the subcontractor has submitted
CMMC scores into SPRS.
Response: One commenter correctly interpreted Sec. 170.23(a)(3) as
meaning that CMMC level 2 Certification requirements (not self-
assessments) flow down for subcontractors that will handle CUI when the
Prime contract specifies a CMMC Level 2 Certification requirement.
At the time of award, the DoD may have no visibility into whether
the awardee will choose to further disseminate DoD's CUI, but DFARS
clause 252.204-7012 and DFARS clause 252.204-7021 require that the
prime contractor flow down the information security requirement to any
subcontractor with which the CUI will be shared. Decisions regarding
the DoD information that must be shared to support completion of
subcontractor tasks will take place between the prime contractor and
the subcontractors chosen to complete the specific tasks. The DoD
encourages prime contractors to work with their subcontractors to flow
down CUI with the required security and the least burden. The DoD
declines to revise the rule to address responsibilities for derivative
marking of CUI because this rule makes no change to DFARS clause
252.204-7012 or DoD's CUI policies regarding marking of CUI, including
creation of information.
The specific contractual language is part of the 48 CFR part 204
CMMC Acquisition rule and beyond the scope of this 32 CFR part 170 CMMC
Program rule. This rule describes DoD's intent for CMMC Program
requirements, which include that all prime and subcontractors at all
tiers that process, store, or transmit CUI in the performance of a DoD
contract (or subcontract) are required to demonstrate compliance with
the contract requirements (i.e., FAR clause 52.204-21 or DFARS clause
252.204-7012) for adequately safeguarding FCI or CUI.
CMMC flow-down requirements are designed to apply consistent
assessment requirements to all subcontractors, regardless of company
size, who are required to adequately safeguard CUI. The DoD cannot
dictate DIB business practices and encourages prime contractors to
carefully consider the necessity of sharing CUI information and work
with subcontractors to flow down CUI only when deemed appropriate.
Likewise, the criteria by which contractors select CSPs for support
or the availability of GFE for any particular contract are beyond the
scope of this rule. The DoD declines to limit CMMC program requirements
to the first-tier subcontractor, as suggested by the commenter. When a
contractor or subcontractor responds to multiple solicitations, that
contractor should complete the highest assessment level among them for
the assessment scope defined for use in performance of the contracts.
The contractor may also elect to structure its environment to meet
differing CMMC requirements based on the contract(s) in question.
Contractual remedies for non-compliance are a 48 CFR part 204 CMMC
Acquisition rule matter and beyond the scope of this rule.
c. Requirements
Comment: Some comments objected to CMMC Level 2 certification
assessment being identified as the minimum flow-down from prime
contractors with a CMMC Level 3 requirement. They asked how the more
sensitive data associated with a Level 3 requirement would be tracked.
Three asked whether CMMC Level 2 certification assessment must be
flowed down as the CMMC requirement when the prime contract requires a
higher level, and the subcontract is for limited scope. One comment
complained that the rule does not actively encourage primes to flow
down Level 2 self-assessment requirements instead of certification
requirements.
One comment suggested the Department is impermissibly attempting to
make sensitivity determinations of other agencies' CUI and FCI through
the implementation of this rule.
Another comment requested affirmation that contractors remain
responsible for determining whether information that they create
(derived from CUI) retains its CUI identity when sharing that
information with lower tier suppliers, and for determining any
associated CMMC flow-down requirement.
Response: DoD will issue guidance to Program Managers to reiterate
the most appropriate information safeguarding requirements for DoD
information and the associated CMMC assessment requirement for any
given solicitation. CMMC program requirements will be identified in the
solicitation, and contractors will be required to meet the stated CMMC
requirements, when applicable, at or above the level identified by the
time of contract award. CMMC requirements flow down from primes to
subcontractors, as described in Sec. 170.23.
The DoD declined to provide forecasts of upcoming DoD solicitations
with CMMC assessment requirements. Given that FAR clause 52.204-21 was
effective in 2016 and DFARS clause 252.204-7012 was effective in 2017,
OSAs have had over seven years to implement NIST SP 800-171 R2
requirements and close out POA&Ms. DoD contracts that require OSAs to
process, store, or transmit CUI and include DFARS clause 252.204-7020,
also require a minimum of a self-assessment against NIST SP 800-171
requirements. That self-assessment includes the same requirements as
the CMMC Level 1 and CMMC Level 2 self-assessments.
DoD must enforce CMMC requirements uniformly for all defense
contractors and subcontractors, regardless of size, who process, store,
or transmit FCI and CUI. The value of DoD
information (and impact of its loss) does not diminish when the
information moves to contractors and subcontractors. The DoD cannot
dictate business practices but encourages prime contractors to work
with their subcontractors to limit the flow down of FCI and CUI. The DoD
declines to base CUI safeguarding requirements on contract ceiling
value.
This DoD 32 CFR part 170 CMMC Program rule does not impact or
supersede 32 CFR part 2002 (the CUI Program) or make exceptions for the
categories of CUI or the Designating Agency for the CUI. CMMC
requirements apply to DoD contracts that will involve processing,
storing, or transmitting of FCI or CUI on any non-Federal information
system.
13. The CMMC Ecosystem Roles, Responsibilities and Requirements
a. Government
Comment: Some comments asked how the Department plans to address
complaints and concerns from ecosystem stakeholders and the process by
which disputes between OSCs and C3PAOs or the CMMC AB are resolved. Two
comments wanted the CMMC PMO to document a process for ecosystem
stakeholders to register complaints or use of Service Level Agreements
to hold the Department accountable to respond.
Some asked whether the DoD could be subject to litigation
challenging DoD's reliance on the CMMC AB's appeals process to resolve
disputes between OSCs and C3PAOs. The commenters asserted resolving
such disputes may be an inherently governmental function. One commenter
noted that transactions between OSCs and C3PAOs for initiating an
assessment are beyond the DoD's authority to regulate, since the DoD is
not a party to the transaction. They perceived DoD's indirect oversight
of C3PAOs through the CMMC AB as creating conflicts of interest and
potential legal liabilities. One commenter requested the DoD modify the
rule to state the CMMC PMO is responsible for the assessment and
monitoring of the CMMC AB, as well as the CMMC AB's performance of its
roles.
One commenter noted the ISO/IEC 17011:2017(E) requirements that the
CMMC AB must meet and asked why the rule identifies a timeline for
compliance instead of requiring immediate accreditation.
One commenter referenced a CMMC-related Request for Information
issued prior to CMMC program development to gauge industry's capability
to provide the necessary ecosystem accreditation and management
functions. They asserted no response was provided to their RFI
response.
One comment suggested the CMMC PMO should develop a process to act
as the authoritative source for assessment interpretations to ensure
consistency. One person asked which DoD office authored the rule.
Another noted the realignment of the CMMC PMO from OUSD(A&S) to DoD CIO
and asked whether this indicated a lack of OUSD(A&S) involvement in the
program. One commenter noted that DoD Program Managers and requiring
activities have a role in the CMMC Program and suggested that their
responsibilities for marking and managing CUI be added to the rule.
One commenter wanted to require DIBCAC assessors to complete CCP
and CCA training and certification exams through a CAICO approved
licensed training provider.
Response: DoD agreed with the commenter that the government does
not have authority over transactions between the OSC and C3PAO. The
roles and responsibilities of the government are set forth in Sec.
170.6. The interaction between the CMMC Accreditation Body and C3PAOs
is governed by the requirements of this rule in Sec. Sec. 170.8 and
170.9, including Conflict of Interest, Code of Professional Conduct,
and Ethics policies, as well as ISO/IEC standards.
All DCMA DIBCAC assessors comply with DoD regulations regarding the
cybersecurity workforce, to include DoD Directives 8140 and 8570 and
other internal training standards. DCMA DIBCAC assessors' credentials
for CMMC Levels 2 and 3 exceed the training that CCPs and CCAs complete
through Approved Training Providers and include industry certification
and a security clearance. Additionally, DCMA DIBCAC assessors must take
the CMMC certification examinations.
DoD's contract with the CMMC AB places responsibility for
Level 2 assessment interpretation to the CMMC Accreditation Body. The
CMMC Accreditation Body publishes assessment procedures and guidance
for C3PAOs conducting CMMC Level 2 Certification Assessments. The CMMC
AB is required to provide the CMMC PMO with all plans or changes
related to its own activities and activities within the CMMC Ecosystem
for review prior to implementation and publication. The DCMA DIBCAC is
responsible for CMMC Level 3 assessment interpretation and will use the
same process that is used for DIBCAC High Assessments.
Management oversight of the CMMC Program was realigned from the
OUSD(A&S) to the Office of the DoD CIO for better integration with the
Department's other DIB cybersecurity related initiatives. Comments
pertaining to DoD's organizational structure are not relevant to the
content of this rule. The DoD CIO is responsible for all matters
relating to the DoD information enterprise, including network policy
and standards and cybersecurity. In this capacity, the DoD CIO
prescribes IT standards, including network and cybersecurity standards.
The DoD CIO oversees programs to enhance and supplement DIB company
capabilities to safeguard DoD information that resides on or transits
DIB unclassified information systems.
The DoD reviewed and assessed whitepapers that were submitted by
RFI respondents and determined that no single respondent could meet all
the broad facets required to serve as the CMMC Accreditation Body.
Sec. Sec. 170.8, 170.9, and 170.10 document the roles of the CMMC
AB and the CAICO in managing a complaints/appeals process for CCAs,
CCPs, and C3PAOs. OSCs concerned about the results of a Level 2 or
Level 3 Certification assessment have a route of appeal documented in
Sec. 170.9. DoD, as the contracting entity, is not subject to service
level agreements. Vendors and prospective vendors can voice concerns
with the relevant contracting officer. External organizations may
utilize existing DoD procedures to file complaints or concerns against
any DoD organization.
This rule establishes requirements for the conduct of assessments,
as well as the requirements for handling of disputes, to include an
appeals process. In the roles established by this rule, C3PAOs and the
CMMC AB execute program requirements as codified in the 32 CFR part 170
CMMC Program rule, with appropriate DoD oversight. For ISO/IEC
17020:2012(E) and ISO/IEC 17011:2017(E) compliance, an appeals process
is required. Appeals are addressed in Sec. Sec. 170.8(b)(16) and
170.9(b)(9), (14), (20), and (21).
The DoD declines to update the rule content of Sec. 170.6 to
include a new subsection on DoD PMs and requesting activities and their
responsibilities regarding marking CUI as that subject matter is
already addressed for the DoD. DoD Instruction 5200.48 on CUI
establishes policy, assigns responsibilities, and prescribes procedures
for CUI throughout the DoD in accordance with 32 CFR part 2002 (the CFR
for CUI), including 32 CFR 2002.20, Marking CUI; and 48 CFR 252.204-7008 and
DFARS clause 252.204-7012. The CMMC Program requirements make no change
to existing policies for information security implemented by the DoD.
The DoD declined to modify the rule to further define the existing
CMMC PMO oversight responsibilities, identified in Sec. 170.6, which
includes the CMMC AB and all other aspects of the program.
b. CMMC-AB
Comment: There were multiple comments regarding the CMMC
Accreditation Body (AB). Ten comments were not relevant to the rule
text. Multiple commenters asked about mechanisms to monitor the CMMC AB
and how the DoD provides oversight. Seven comments provided valuable
editorial recommendations that
enhanced the existing rule text. Seven comments also raised concerns
and asked for clarification about certification of the CMMC AB, its
standing with international accreditation bodies and the effects of
that standing on the C3PAOs. Two comments sought clarity on the CMMC
AB's responsibilities and what resources they will provide to the CMMC
ecosystem. One comment suggested incorporation by reference of specific
CMMC AB generated artifacts. One comment requested clarity on terms and
definitions regarding the CMMC AB.
Response: Some comments received lacked relevance to the rule's
content, including the establishment of outside entities. The DoD
declines to respond to speculative or editorial comments about private
citizens or entities, which are outside the scope of this rule. The DoD
declines to respond to requests for documents related to the CMMC AB
and the CAICO that lack relevance to the CMMC rule.
The term CMMC Accreditation Body is a generic term for whichever
accreditation body is supporting the DoD at a given time. The rule has
been updated to remove reference to any specific accreditation body.
There is only one Accreditation Body for the DoD CMMC Program at any
given time, and its primary mission is to authorize and accredit the
C3PAOs. The Accreditation Body does not issue certifications. The
current CMMC AB is under a no-cost contract that has followed normal
DoD contracting procedures. The DoD declines to delete the section
outlining requirements for the CMMC AB, which are enduring and apply
irrespective of which entity the DoD has currently approved to serve in
that capacity.
This rule identifies the requirements for the Accreditation Body's
role in the CMMC Ecosystem. The DoD has a variety of options available
to address the commenter's concern should the current CMMC AB not be
able to fulfill this role. These include, but are not limited to,
contracting with a new/replacement Accreditation Body; authorized
and accredited C3PAOs would be able to continue conducting CMMC
assessments.
Sec. 170.8(b)(6) requires the CMMC AB to complete a CMMC Level 2
assessment conducted by DCMA DIBCAC that must meet all CMMC Final Level
2 certification assessment requirements and will not result in a CMMC
Level 2 certification. This requirement for an assessment is based on
the potential compilation of sensitive information on the CMMC AB's
information systems. After the CMMC AB's successful completion of this
Level 2 assessment, the DoD reserves the right to send CUI to the CMMC
AB, as appropriate.
Requirements for the CMMC AB, detailed in Sec. 170.8(b) of this
rule, include DoD requirements to comply with Conflict of Interest,
Code of Professional Conduct and Ethics policies as set forth in the
DoD contract with the AB. Sec. 170.8(b)(3) details the ISO/IEC
requirements the CMMC AB must meet and the timeline for meeting them.
Sec. 170.8(b)(3)(i) and (ii) further detail the requirements for the
CMMC AB to authorize and accredit C3PAOs. The CMMC AB is under contract
with the DoD and must fully comply with the contract requirements.
The CMMC rule was updated to clarify that the CMMC AB must be a
U.S.-based signatory to the International Laboratory Accreditation
Cooperation Mutual Recognition Arrangement within 24 months of DoD
approval and must operate in accordance with ISO/IEC 17011:2017(E). The
rule was also updated to clarify that a disqualifying eligibility
determination may result in the CMMC AB losing its authorization or
accreditation under the CMMC Program.
All CMMC ecosystem members are required to abide by the appropriate
ethics and conflicts of interest policies established by the CMMC AB
and CAICO. Rule content pertaining to ethics, quality assurance
functions, record keeping, data encryption, security, etc., across the
ecosystem is tailored to reflect the role each entity fills
in the ecosystem. The CMMC AB is not an agency of the Federal
government; it is a private sector organization operating under
contract with the DoD. As described in Sec. 170.6(a), the Office of
the Department of Defense Chief Information Officer (DoD CIO) provides
oversight of the CMMC Program and is responsible for establishing CMMC
assessment, accreditation, and training requirements as well as
developing and updating CMMC Program implementing guidance. The
Accreditation Body must be under contract with the DoD. The rule has
been modified to include additional CMMC AB oversight responsibilities
for the CMMC PMO. The Department declines to incorporate CMMC AB
generated artifacts into the rule by reference. The responsibilities of
the DoD CIO and CMMC PMO are outlined in Sec. 170.6 and the
responsibilities of the Accreditation Body are outlined in Sec. 170.8.
The DoD acknowledges that the CMMC AB may not offer both
accreditation services and certification services. DoD declines to make
edits to these sections as they are in alignment with the roles and
responsibilities of the CMMC AB. The DoD has revised Sec.
170.8(b)(17)(i)(C) in the rule to clarify that the ``CMMC activities''
which former Accreditation Body members are prohibited from include any
or all responsibilities described in Subpart C of this rule.
The rule was updated to indicate that C3PAOs must also meet
administrative requirements as determined by the CMMC AB. It was also
updated to clarify that the term ``independent assessor staff'' in
Sec. 170.8(b)(4) refers to independent CMMC Certified Assessor staff,
and to clarify the meaning of the term ``members'' at Sec.
170.8(b)(17)(i)(B). DoD declines to modify Sec. 170.8(b)(15) to
include the phrase ``technical accuracy and alignment with all
applicable legal, regulatory, and policy requirements'', as this does
not result in a substantive change to the requirements as currently
specified.
c. C3PAOs
Comment: Clarification was requested regarding C3PAOs' timelines
for accreditation and their dependencies on the CMMC AB accreditation
process. Some commenters requested additional time. Clarification was
also requested on the current disposition of authorized C3PAOs. A few
comments asked for simplification and clarification of the difference
between the terms ``authorized'' and ``accredited'' with the
establishment of C3PAOs. One comment requested that the rule be edited
to require full compliance before C3PAOs can conduct certifications,
and that duplicative language relating to ethics, record keeping, etc.,
be moved to a central location in the rule. One commenter questioned
whether Sec. 170.9(b)(16), which states ``Ensure that all CMMC
assessment activities are performed on the information system within
the CMMC Assessment Scope'', applies to all C3PAO personnel or just
those involved in the Quality Assurance process.
Other comments objected to the requirement that C3PAOs obtain a
CMMC Level 2 certification assessment because the assessment does not
result in a Level 2 certification. They asked whether this would
require two separate assessments every three years for C3PAOs that also
conduct contractor work for DoD. Two comments requested clarification
on determining the scope for a CMMC Level 2 assessment of a C3PAO to be
used by DIBCAC, and if or when they would be required to obtain a
FedRAMP Moderate certification. Also, clarification was requested on
whether a C3PAO is permitted to
possess OSC CUI and other artifacts during the assessment so long as
they are destroyed upon completion of the assessment. One comment
suggested that all information collected by the C3PAO be encrypted.
Three comments asked for clarification on what constitutes a C3PAO
assessment team and whether it can consist of solely a Lead CCA. One
commenter asked whether entities accredited under ISO 17020:2012(E) by
another accreditation body, rather than the CMMC AB, meet CMMC C3PAO
requirements. A couple of comments asked for clarification on whether a
C3PAO could be foreign owned and participate in the current CMMC AB
Marketplace.
Response: One commenter misinterpreted several sections of the CMMC
rule. By defining the requirements in this rule to become a C3PAO, and
defining a scoring methodology, the DoD is providing the authority and
guidance necessary for C3PAOs to conduct assessments.
DoD considered many alternatives before deciding upon the current
CMMC structure. The DoD has established requirements for a CMMC
Accreditation Body, and this accreditation body will administer the
CMMC Ecosystem. The appeals process is defined in Sec. Sec.
170.8(b)(16) and 170.9(b)(9), (14), (20), and (21). The DoD will not
assume the workload of directly managing the CMMC ecosystem or the
other alternatives suggested. DoD must treat all potential defense
contractors and subcontractors fairly. DoD cannot inadvertently create
a pathway to a free assessment for an organization by virtue of its
dual-purpose as a C3PAO and separately as a defense contractor.
Therefore, DoD assesses C3PAOs free of charge, but the assessment does
not result in a Certificate of CMMC Status. The C3PAOs determine the
people, processes, and technologies that are in-scope for their DIBCAC
assessment to become a C3PAO. The need to protect the assessment
information is independent of its status as FCI or CUI. Assessment
information, such as which requirements are MET or not, as well as the
evidence and analysis leading to that result, would provide valuable
insights to an adversary if not protected. A C3PAO is not a CSP and
therefore would not require a FedRAMP Moderate assessment to be a
C3PAO. However, if they use a CSP to process, store, or transmit
assessment information, then the CSP would require a FedRAMP Moderate,
or equivalent, assessment. The CSP assessment results and CRM would be
in scope for the C3PAO assessment.
The requirements in Sec. 170.9 apply to both authorized and
accredited C3PAOs. The only difference between authorization and
accreditation is the status of the CMMC Accreditation Body. Prior to
the CMMC AB achieving its full ISO/IEC 17011:2017(E) compliance, the
interim term ``authorized'' is used for C3PAOs. As stated in Sec. Sec.
170.8(b)(3)(i) and 170.9(b)(1) and (2), currently authorized C3PAOs
must achieve and maintain compliance with ISO/IEC 17020:2012(E) within
27 months of authorization. As stated in Sec. 170.9(b)(6), C3PAOs must
obtain a Level 2 certification assessment, but this does not result in
a CMMC Level 2 certificate. The DoD declines to modify the rule text
related to C3PAO requirements as it does not make a substantive change.
Requirements are specified in the rule for each entity within the CMMC
ecosystem.
A C3PAO may start preparing for compliance with ISO/IEC
17020:2012(E) before the Accreditation Body achieves compliance with
ISO/IEC 17011:2017(E). The 27-month timeline for a C3PAO to achieve and
maintain compliance with ISO/IEC 17020:2012(E) begins on the date that
the C3PAO is authorized by the Accreditation Body, as addressed in
Sec. 170.9(b)(2). C3PAOs authorized by the CMMC AB prior to becoming
compliant with ISO/IEC 17020:2012(E) must be accredited by the CMMC AB
within 27 months of the C3PAO's initial authorization to meet CMMC
program requirements. The accreditation process is not tied to, nor is
it impacted by, the DoD's appropriations period.
The rule has been updated to add ``authorized'' to the definition
of a C3PAO. Authorized is defined in Sec. 170.4.
DoD disagrees with the suggestion that certain C3PAO requirements
are not needed or redundant. C3PAOs must follow specific requirements
for CMMC assessment record retention and disposition, audits, personal
information, and CMMC Assessment Scope. Each paragraph number is
independent; dependent sub-paragraphs are numbered with lower case
Roman numerals. The requirement in Sec. 170.9(b)(16) applies to all
C3PAO company personnel participating in the CMMC assessment process.
The size of a C3PAO assessment team is variable based on factors
including the scope of the assessment and the arrangements between the
OSC and C3PAO. The rule has been updated in Sec. 170.9(b)(12) to
clarify that, at a minimum, the assessment team must have a Lead CCA,
as defined in Sec. 170.11(b)(10), and one other CCA. A C3PAO is
permitted to possess OSC CUI and artifacts during an assessment. CMMC
Certified Assessors must use the C3PAO's information technology which
has received a CMMC Level 2 certification assessment as stated in Sec.
170.11(b)(7) and any copies of the OSC's original artifacts must be
destroyed when the assessment is complete as defined in Sec. 170.9(1).
The DoD has considered the recommendation to require encryption of
all information and declines to revise the rule text, since the C3PAO
is required in Sec. 170.9(b)(6) to obtain a Level 2 certification
assessment conducted by DCMA DIBCAC.
Several foreign or international companies submitted comments
expressing interest in the rule section pertaining to C3PAO
requirements (Sec. 170.9(b)) and correctly noted that this section
does not preclude otherwise qualified foreign companies from achieving
C3PAO accreditation. Also, the DoD does permit C3PAO personnel who are
not eligible to obtain a Tier 3 background investigation to meet the
equivalent of a favorably adjudicated Tier 3 background investigation.
DoD will determine the Tier 3 background investigation equivalence for
use with the CMMC Program only.
d. CAICO
Comment: Numerous comments requested correction of perceived
misstatements, oversights, or erroneous paragraph references in the
CAICO responsibilities section. One commenter suggested the level of
detail in Sec. 170.10(b) is more appropriate for a statement of work
and some paragraphs could be deleted from the rule. They offered
preferred rewording to clarify that the CAICO must also comply with AB
and ISO/IEC requirements, and further recommended deleting the
requirement to provide all documentation in English. In addition, they
recommended deleting separation of duties as a requirement, because it
is already required under ISO/IEC certification. One commenter
conflated CAICO subcontractors with DIB subcontractors and suggested
deletion of the rule's restrictions on releasing CMMC-related
information. One comment asked whether the Cyber AB and CAICO have
documented processes for regular review and updates to their compliance
documentation. Lastly, one comment requested duplicative language
relating to ethics, record keeping, etc. be moved to a central location
in the rule.
A few commenters suggested preferred edits to improve the role of
the CAICO. One comment noted that the
accreditor for certifying the CAICO should be a U.S.-based signatory to
ILAC or relevant International Accreditation Forum (IAF) in addition to
complying with ISO/IEC 17011:2017(E). Two comments noted concerns that
having only one CAICO would create an untenable bottleneck should
something happen to the single CAICO. One commenter asserted that the
CMMC Certified Instructor (CCI) certification requirement is redundant
and not cost-effective since instructors will need to be certified as
CCPs or CCAs to teach those courses. One comment suggested a grace
period of 18-24 months from final rule publication, to allow update of
training and examinations, before implementing the CCP and CCA
certification requirements. Three comments recommended that Approved
Publishing Partner (APP) and Approved Training Providers (ATP) sections
be added to Subpart C of the rule. One commenter asked for
clarification on what constitutes a CAICO subcontractor and if this
includes LTPs and LPPs, and asked why an authorization process for LTPs
and LPPs is not included in the rule.
One commenter appreciated that CAICO responsibilities include
compliance with relevant ISO/IEC standards, as those are
internationally recognized standards.
One commenter provided an attachment containing an image of an
article published in the February 2024 issue of National Defense
Magazine. The commenter did not provide specific questions or comments
regarding the article; they simply submitted the article. DoD declines
to comment on the reposting of information being reported in the media.
Response: The DoD declines to comment on the reposting of
information being reported in the media. This rule identifies
requirements for the CAICO role in the ecosystem. The DoD has a variety
of options available to address issues with reliance on a single CAICO.
These include but are not limited to working with the CMMC AB to
identify a new/replacement CAICO.
The final rule includes a requirement for the Accreditation Body,
CAICO, and C3PAOs to adhere to appropriate ISO/IEC standards, which
include the current version of the standard for conformity assessment
(ISO/IEC 17024:2012(E) located at ISO website: www.iso.org/standard/52993.html).
All CMMC ecosystem members are required inter alia to abide by the
appropriate ethics and conflicts of interest policies established by
the CMMC AB and CAICO. Rule content pertaining to ethics, quality
assurance functions, record keeping, data encryption, security, etc.,
across the ecosystem is tailored to reflect the role each
entity fills in the ecosystem. Repeating this content in the section of
each ecosystem role serves to emphasize the importance of adherence to
these requirements.
DoD disagrees with the commenter's suggestion that certain CAICO
requirements are not needed or are redundant. The DoD requirement for
documentation in English refers to official information provided to the
Accreditation Body or the DoD. The commenter's preferred rewording of
Sec. 170.10(b)(3) is unnecessary because there is a separate
requirement for the CAICO to meet ISO/IEC standards, and this rule does
not codify non-DoD requirements. The DoD declines to remove the
requirement in Sec. 170.10(b)(10) to provide status information to the
CMMC AB because it is necessary for program management. The rule
retains the separation of duties requirement at Sec. 170.10(b)(11),
which is more specific than the management of impartiality required
under ISO/IEC 17024:2012(E).
The DoD declines to delete certification requirements for CCI.
Having the technical background as a CCP or CCA does not ensure all the
instructor-unique qualifications necessary to be a CCI are met. The DoD
also declines to remove the reference to Sec. 170.10 from Sec.
170.12(b)(1) since it is accurate that the CAICO certifies CCIs.
Sec. 170.10(b)(13) ensures that personal information is
encrypted and protected in all CAICO information systems and databases
and those of any CAICO training support service providers. DoD
disagrees with the commenter's statement that training support service
providers of the CAICO should be allowed to disclose information about CCAs
and/or CCPs. Sec. 170.10 references the CAICO requirements. Entities
providing training support services to the CAICO are not a part of the
assessment process in the ecosystem. It is not up to them to release
data on certified persons in the ecosystem. Any metrics regarding
certifications will come from the CAICO.
DoD declines to add Approved Publishing Partner (APP) or Approved
Training Provider (ATP) sections to the rule. The CMMC Program
defines the requirements for the ecosystem. Specific requirements for
publishing and training guidelines are determined by the CAICO and do
not require the oversight of the DoD. The CMMC Rule does not use the
term Licensed Training Provider (LTP), as the LTPs are not required to
be licensed. The acronym ATP means Approved Training Provider which
encompasses the same role in the CMMC Ecosystem. The DoD does not
intend to further delay implementation of CMMC to provide an 18 to 24-
month grace period from the official release of the rule to build
curriculum.
The DoD has reviewed commenter recommendations and revised the rule
as follows:
The CMMC rule has been updated to state that the CAICO must be
accredited by a U.S.-based signatory to ILAC or other relevant IAF
mutual recognition arrangements and operate in accordance with ISO/IEC
17011:2017(E). The DoD has removed the term ``practitioner'' from Sec.
170.10(b)(8) for clarity and changed the term subcontractor to training
service support provider.
e. CCPs and CCAs
Comment: Some comments requested DoD's response to speculations
about market forces, competitiveness of the CMMC Certified Professional
(CCP) and CMMC Certified Assessor (CCA) roles and career
opportunities, assessor burnout, complexity of CMMC ecosystem, and a
limited assessor pool.
Several comments identified administrative changes or preferred
rewording or reordering of the CCP and CCA sections of the ecosystem
requirements. For example, two commenters objected to repeating the
requirement to meet CoPC and COI requirements for each Ecosystem member
in Sec. 170.8. Another comment requested deletion of the requirement
for all documentation and records to be provided in English.
One commenter recommended revising proficiency and experience
requirements for CCPs, CCAs, and Lead CCAs. Another requested
clarification on what requirements govern the certification of a CCA
and requested the rule allow the CAICO to establish the certification
validity period. One comment recommended all additional assessor
certification requirements in Sec. 170.11(b)(6)(ii) be removed from
the rule, so that only those prerequisite training requirements
identified by the CAICO would apply.
Another comment suggested that a requirement prohibiting assessors
from use of personally owned IT that is contained in the CCA section at
Sec. 170.11 also be added to the C3PAO requirements section at Sec.
170.9. Two commenters objected to the restrictions on CCAs sharing
information with people outside the assessment team.
One comment questioned the requirement for a Tier 3 background
investigation for CCPs and another suggested the validity period of CCP
certification should be determined by the CAICO. Yet another comment
suggested changing certification periods from 3 to 4 years for those
certified prior to the rule becoming effective. One comment suggested
there is insufficient clarity regarding the role CCPs may play in an
assessment and another asked whether a CCP is allowed to review more
than just Level 1 requirements. Two other comments recommended updating
CCP training to include Level 2 practices. Another comment noted that
assessors cannot be robotic and that they must be allowed to evaluate
the situation as it pertains to the company being evaluated.
One comment asked for clarification on Lead CCA requirements and
requested a reduction in the management experience to 2 years. Two
other comments recommended adding IT and cybersecurity experience as
relevant skills. One comment also recommended that Lead CCAs have
industry-specific knowledge of the industry in which the OSC being
assessed participates. Another comment requested clarification whether
years of experience are cumulative for the Lead CCA. One comment
recommended changing the name of Lead CCA and adding roles and
responsibilities requirements. One stated that the rule's CCA
prerequisites set too low a bar for skills and recommended increasing
the requirements for both CCAs and Lead CCAs. Another comment noted
that the rule referenced both DoD Manual 8570 and DoD Manual 8140.03
and that one or the other should be used.
One commenter suggested that should sufficient assessors not be
available to meet demand, the DoD should provide a delay or ``grace
period'' to meet certification requirements.
Response: The CMMC rule provides detail on anticipated impacts on
the DIB in the Impact and Cost Analysis summary of the preamble.
Speculation on market forces on roles in the CMMC ecosystem such as
CCPs and CCAs is outside of the scope of the CMMC program rulemaking.
Likewise, limitations on career opportunities and associated issues
such as burn-out or job satisfaction are beyond the scope of the
program.
The DoD updated the rule to clarify that CCAs must meet all the
requirements set forth in Sec. 170.11(b) and modified the rule in
Sec. 170.10(b)(10) to include CMMC Certified Professionals (CCPs).
Sec. 170.13(b)(6) was changed to conform to rule text in Sec.
170.11(b)(9) and to clarify with whom information may be shared.
The DoD determined the certification requirements specified in
Sec. 170.11(b)(6) meet the needs of ensuring certified assessors have
the required depth of cybersecurity knowledge and experience that is
beyond what the CMMC-specific training provides.
The DoD disagreed with the comment that the CAICO should determine
the length of time a CCP certification is valid. DoD has a significant
interest in ensuring the quality of assessors in the CMMC ecosystem and
the currency of their training. The DoD does not agree with the
assertion that managerial and personnel-related skills are most
relevant for success as a Lead Assessor. As written, Sec. 170.11 of
the rule requires Lead Assessors to have a balance of technical and
managerial expertise. A Lead Assessor also requires assessment or audit
experience. The DoD views these skills as the minimum required to
adequately provide the technical guidance and managerial oversight of
the assessment team. The DoD declined to revise the rule to specify IT
and/or Cybersecurity for the required audit experience.
The DoD also disagreed with a recommendation to require Lead CCAs
to have industry-specific knowledge of the industry in which the OSC
being assessed participates. The DoD found that this requirement would
unreasonably restrict C3PAOs from participating in a broad range of
assessments and could have a negative effect on the ability of the DIB
to schedule CMMC Level 2 certification assessments. The OSC can select
a C3PAO with the experience it considers valuable.
The DoD declined a commenter's request to modify the rule to allow
the CAICO to determine the requirement for the frequency of CCA/CCP
certification. The DoD considers the 3-year certification period a key
CMMC program requirement that will be enacted and managed by the CAICO.
The DoD also declined to change the rule to extend the certification
timeline to 4 years for those earning a certification prior to
completion of rulemaking. Additionally, the DoD did not accept the
recommendation to remove the requirement for providing documentation in
the English language, which applies to all official information that
would be provided to the CAICO, CMMC AB, or the DoD.
The DoD disagreed with a commenter's recommendation to remove the
second sentence in Sec. 170.11(b)(7) that prohibits individual
assessors from using any IT other than that provided to them by the
C3PAO that has been contracted to perform that OSA's assessment. This
sentence is required to eliminate ambiguity, particularly for C3PAOs
that may have implemented a BYOD program or that allow some work roles
to use personal devices. The DoD updated the rule to provide additional
clarity.
The DoD does not concur with the comment calling for a DoD Manual
8140.03 requirement on CCAs. Assessment teams are required to have a
Lead Assessor who must meet the higher level of the DoDM 8140.03
requirements. The rule has been updated to remove reference to DoD
Manual 8570.
The experience requirements referenced for the Lead CCA are
cumulative. The rule has been updated to move Lead CCA requirements to
the end of Sec. 170.11, but not to create a new section.
The DoD disagreed with the commenter's assertion that Assessors are
robotic. Assessors will go through CMMC training and will assess each
unique CMMC Assessment Scope, as defined by the OSA, against the
security requirements. As specified in Sec. 170.13(a) CCPs can
participate on CMMC Level 2 certification assessments with CCA
oversight where the CCA makes all final decisions. Updates to training
are beyond the scope of this rule. Statements made in training
materials produced prior to final adoption of the CMMC rule are beyond
the scope of CMMC rulemaking. DoD disagrees with the comment that Sec.
170.13 does not provide sufficient detail regarding the role CCPs may
play in an assessment. The requirement in the rule that ``with CCA
oversight where the CCA makes all final determinations'' provides
sufficient flexibility to adapt to a wide variety of assessments while
ensuring the responsibility for assessment findings rests with the CCA
and Lead CCA.
The rule restates COI and CoPC requirements in each ecosystem
section because all CMMC ecosystem members are required to abide by the
appropriate ethics and conflicts of interest policies established by
the CMMC AB and the CAICO. Rule content pertaining to ethics, quality
assurance functions, record keeping, data encryption, security, and
other functions across the ecosystem is tailored to reflect the role
each entity fills in the ecosystem.
DoD CIO, in coordination with OUSD/I&S, evaluated the requirements
for the CMMC Ecosystem. Based on the access to sensitive unclassified
information, a Tier 3 background investigation that results in
determination of national
security eligibility is required. Sec. 170.13(a) states that a CCP is
eligible to participate in Level 2 certification assessment with CCA
oversight and is eligible to become a CCA and will receive additional
training and testing per the requirements in Sec. 170.11.
The phased implementation plan described in Sec. 170.3(e) is
intended to address ramp-up issues and provide time to train the
necessary number of assessors. DoD has updated the rule to add an
additional six months to the Phase 1 timeline.
e. CCI
1. Training and Training Materials
Comment: One comment mistook the requirement to ``provide all
documentation and records in English'' as applying to training
materials. Four comments expressed concerns about the requirements for
confidentiality surrounding training records. These concerns arose
primarily from a misinterpretation of the requirement to ``keep
confidential all information obtained during the performance of CMMC
training activities'' to mean a requirement to keep the training
materials themselves confidential, rather than keeping student records
confidential.
Response: The requirement to ``provide all documentation and
records in English'' refers to official information that would be
provided to the CMMC Assessor and Instructor Certification Organization
(CAICO) or the DoD. The terms do not pertain to all materials used in
the delivery of a course. The DoD disagreed with the recommendation to
delete the Sec. 170.12(b)(7) requirement for keeping CMMC training
records and information confidential. ``Training activities'' do not
include course material. The example in Sec. 170.12(b)(7) (student
records) makes clear the type of data covered by the rule.
2. Time Limits and Other Constraints
Comment: One comment recommended that the CAICO, instead of the
DoD, determine the frequency of CMMC Certified Instructor (CCI)
certification. Another requested clarification on the length of time
that a CCI may not provide consulting services. One comment recommended
changing the rule to require CCIs to provide updates to the CAICO and
the CMMC AB no less than annually, in lieu of ``most up to date''.
Two comments expressed concern that CCIs are not allowed to provide
consulting services to OSCs; one of the comments asserted this would
result in reduced quality of training for CMMC Certified Professionals
(CCP) and CMMC Certified Assessors (CCA). One comment expressed
disagreement with the requirement prohibiting CCIs from exam
development and exam proctoring. Another comment recommended a rule
update indicating CCIs can teach both CCA and CMMC Certified
Professional (CCP) candidates.
Response: The DoD declined a commenter's request to modify the rule
to allow the CAICO to determine the requirement for validity period of
a CCI certification. The DoD considers the 3-year certification period
for CCIs as a key CMMC program requirement that is to be enforced by
the CAICO.
The DoD modified Sec. 170.12(b)(4) to read ``annually'' instead of
``most up to date'' to clarify the reporting requirement.
All CMMC ecosystem members are required to abide by the appropriate
ethics and conflicts of interest (COI) policies established by the CMMC
AB and CAICO. Rule content pertaining to ethics, quality assurance
functions, record keeping, data encryption, security, and other
functions across the ecosystem is tailored to reflect the role each
entity fills in the ecosystem. The DoD defined COI requirements to
reduce the possibility that a CMMC Ecosystem member acting in one
capacity may bias, or be biased by, clients that are paying them to
perform another CMMC related service. CCIs are not permitted to develop
or proctor exams to avoid participating in any activity, practice, or
transaction that could result in an actual or perceived conflict of
interest.
3. Relationship to CAICO and Other Ecosystem Members
Comment: One comment asked why the rule does not include
requirements for LTPs, and another requested additional rule text to
clarify the relationship between an ATP and the CAICO in administrative
matters of students. One comment recommended not requiring CCIs to
provide qualification and training information to the CAICO.
One comment recommended a method for reducing a perceived
redundancy in the rule text between ecosystem-related sections. Two
comments asserted that a CCI certification is redundant because
individuals attempting to become CCIs are already certified as CCPs or
CCAs.
One comment asked that a new requirement be added to the rule under
Sec. 170.12 to address the transition of Provisional Instructors to
CCIs.
Response: The CMMC rule does not use the term Licensed Training
Provider (LTP), as training providers are not required to be licensed.
The correct term for CMMC training providers is Approved Training
Provider (ATP). The CMMC rule contains the requirements to create the
training for the CMMC Program. Sec. 170.10 contains the requirements
for the CAICO to ensure compliance with ISO/IEC 17024:2012(E) and to
ensure all training products, instruction, and testing materials are of
high quality.
DoD disagreed with a comment to delete a requirement in the rule
for CCIs to update the CAICO regarding qualification, training
experience, and other information relating to their competency to teach
within the CMMC ecosystem. Viewing and verifying CCI qualifications is
an important element of quality assurance in the CAICO's role of
training, testing, authorizing, certifying, and recertifying CMMC
assessors, instructors, and related individuals.
Sec. 170.12(b) in the rule was updated to add the requirement for
a CCI to be certified at or above the level of training they are
delivering. The DoD also modified Sec. 170.12(a)(11) to add CMMC
Certified Professional (CCP) candidates.
The DoD declined to remove the certification requirement for CCIs.
Although CMMC Certified Assessors have the technical background, that
does not imply that they meet all the instructor-unique qualifications
necessary to be a CCI.
The DoD modified Sec. 170.12 to include requirements for
Provisional Instructors prior to their transition to a CMMC Certified
Instructor. Any Provisional Instructor (PI) will be required to achieve
certification under the CMMC Certified Instructor (CCI) program within
18 months of the final rule publication. The PI designation ends 18
months after the effective date of the rule.
f. Conflicts of Interest and Code of Professional Conduct
Comment: Many commenters had questions about existing CMMC conflict
of interest (CoI) requirements and had suggestions for further
protecting the impartiality of the CMMC Program. One commenter
requested the Department develop a mechanism to prevent third-party
assessment organizations from delaying re-evaluation of NOT MET
requirements to create a pipeline of future assessment work. The
commenter recommended removing the 10-day re-evaluation deadline
requirement currently in the CMMC Rule to prevent any conflicts of
interest. Another commenter stated that allowing a
commercial entity to manage the CMMC ``ecosystem'' creates a ``fox
watching the henhouse'' condition and that fraud and abuse will be
rampant.
Some commenters questioned the legality of the current CMMC AB's
establishment and alleged unethical behavior by its Board of Directors.
They cited the number of resignations among its Board of Directors as
evidence of internal politics, conflicts of interests, or ethics
concerns. One commenter suggested the 6-month ``cooling off period''
between an employee leaving the CMMC AB and supporting other CMMC roles
be extended to one year to ensure impartiality within the CMMC Program.
Another commenter claimed an informational newsletter offered by the
CMMC AB to ecosystem members violates the conflicts of interest
requirements. In addition, commenters alleged that the CMMC AB's
progress (prior to final rule publication) toward ISO/IEC compliance
violates the terms of its contract with DoD, which the DoD should
terminate.
Commenters also stated that DoD's no-cost contract with the current
CMMC AB has forced them to focus on generating revenue instead of
building a CMMC Assessor cadre. One commenter cited publicly available
tax filings of the current CMMC AB to substantiate that view. Another
commenter noted concerns that the rule permits a timeline for meeting
the ISO/IEC requirements, rather than requiring immediate compliance,
and suggested that it would be more advantageous to cite different ISO/
IEC requirements (for conformity assessment) than those identified in
the rule.
One commenter wrote that significant delays in CMMC implementation
this far beyond the Department's earlier objectives of 2020 constitute
fraud and claimed that DoD representatives directed companies to comply
with requirements that have become irrelevant due to changes in program
requirements that occurred during rulemaking.
Many commenters stated the Department needs to further clarify
existing CoI requirements for CCIs, CCAs, and CCPs in the CMMC Rule
text. Specifically, commenters suggested the DoD:
--Revise Sec. 170.12(b)(5) to state that CCIs may serve on an
assessment team for a student's company, provided the CCI does not
provide consulting to an OSC during delivery of the CMMC Instruction or
breach other conflict of interest rules, and add that the CCI must
``[b]e a currently certified CCA and conduct at least one certified or
mock assessment under the direction of a C3PAO annually.''
--Revise Sec. 170.12(b)(6) to allow CCIs to craft exam objectives and
content, as CCIs are the ``most in tune with issues faced by candidate
CCPs and CCAs.''
--Strike Sec. 170.12 altogether, because potential CoIs will be rare
and can be ``managed by existing conflicts of interest mechanisms'';
clarify that ``while serving as a CMMC instructor'' means ``limited
only to while actively teaching or any time while the person holds the
CCI certification''; and that CoI concerns could be addressed by the
addition of an Instructor Code of Conduct. One commenter also suggested
this section would significantly decrease the available pool of CMMC
instructors, as they would be forced to choose between instructing and
consulting, which may be a more lucrative option. They also claimed it
prevented CCIs who teach CCP/CCA courses at night from providing
consulting services during the day.
--Impose a three- or four-year prohibition on ecosystem members from
participating in the CMMC assessment process for an assessment in which
they previously served as a consultant or ``since the OSC last obtained
CMMC certification, whichever is most recent.''
--Add language to Sec. Sec. 170.11 and 170.13 to clarify if an
individual consults with a defense industrial base company, they are
prohibited from participating as a CMMC assessor for that same company.
--Update Sec. 170.8(b)(ii)(17)(ii)(G) and add a time limit to this
requirement to ensure a consultant can perform assessments, given an
appropriate amount of time has passed.
--Revise Sec. 170.8(b)(17)(ii)(G) to say, ``Prohibit CMMC Ecosystem
members from participating in the CMMC assessment process for a CMMC
assessment in which they previously served as an employee or consultant
to prepare the organization for any CMMC assessment,'' as both an OSC
employee and a CCA/CCP serving as a consultant would face identical
CoI.
--Provide more detail on the scope of CCA and CCP conflict of interest
disclosure required, particularly around the definition of ``process,
store, or transmit'' in Sec. 170.4(b).
--More narrowly tailor the CoI requirement in Sec. 170.8(b)(17)(i)(D)
and more expressly identify the ``perceived conflicts of interest''
scenarios to help ecosystem members avoid legal risk.
--Rewrite Sec. 170.8(b)(17)(iii)(C) to clarify what constitutes a
``satisfactory record of integrity and business ethics.''
--Provide more detail in Sec. 170.10(b)(11) on the term ``separation
of duties,'' so CCAs know whether they can volunteer to develop test
questions or provide training.
Response Summary: Some comments received lacked relevance to the
rule's content, which is limited to specific CMMC Program requirements.
The DoD declines to respond to speculative or editorial comments about
private citizens or entities, all of which are not within the scope of
this rule. Personnel actions taken by the CMMC AB and comments
regarding filing of IRS forms are not within the scope of this rule.
Sec. 170.8(b) of this final rule provides requirements of the CMMC
AB. CMMC Program requirements as described in this rule require the
CMMC Accreditation Body and the CAICO to have and abide by ethics and
conflicts of interest rules and to have and maintain a Code of
Professional Conduct (CoPC). Sec. 170.8(b)(3) describes the ISO/IEC
requirements and the timeline in which the CMMC AB needs to meet those
requirements. The DoD declines to comment on business decisions made by
the current CMMC AB in the performance of its CMMC related roles,
responsibilities, and requirements. Based on information currently
known to DoD, the CMMC AB is currently performing as defined in this
final rule and the terms of the contract. The ANSI National
Accreditation Body is performing the function of accrediting the CAICO,
which is appropriate given its status as a subsidiary of the CMMC AB.
The DoD defined CMMC Conflict of Interest requirements to reduce
the possibility that a member of the CMMC Ecosystem acting in one
capacity may bias, or be biased by, clients that are paying them to
perform another CMMC related service. The rule text includes ethics
requirements for members of the CMMC ecosystem, to include the CMMC AB
(Sec. 170.8). The DoD concurred with some comments and has increased
the cooling off period from six months to one year in Sec.
170.8(b)(17)(i)(C).
DoD considered many alternatives before deciding upon the current
CMMC structure. The DoD has established requirements for a CMMC
Accreditation Body, and this accreditation body will administer the
CMMC Ecosystem. The phased CMMC implementation plan provides time to
train the necessary number of assessors, and the rule has been updated
to add an additional six months to the Phase 1 timeline.
The DoD requires that the Accreditation Body must achieve and
maintain compliance with the ISO/IEC 17011:2017(E) standard (the
international benchmark used in demonstrating an accreditation body's
impartiality, technical competency, and resources) and the requirements
set forth in Sec. 170.8. The CMMC Proposed rule also requires
compliance with ISO/IEC 17020:2012(E) for conformity assessments. Sec.
170.12(b)(5) was revised to indicate that a CMMC instructor, subject to
the Code of Professional Ethics and Conflict of Interest policies, may
serve on an assessment team but cannot consult. CCIs are not permitted
to develop or proctor exams to avoid participating in any activity,
practice, or transaction that could result in an actual or perceived
conflict of interest.
The CAICO is responsible to ensure the separation of duties for
individuals volunteering to assist with testing, training, and
certification activities. An example of separation of duties is shown
in Sec. 170.12(b)(6), which specifies that a CCI cannot be involved in
examination activities.
DoD modified Sec. 170.8(b)(17)(ii)(G) to add that a consultant is
only limited from participation in the assessment process for 36
months. CMMC Ecosystem members do not participate in an assessor
capacity on DIBCAC assessments. The DoD declined to add explicit
requirements prohibiting ecosystem members from participating in an
assessment of an OSC by whom they were previously employed (directly or
as a consultant), because the scenario is already covered under Sec.
170.8(b)(17)(ii)(G).
DoD disagreed with the comments that a CMMC Ecosystem member is
unable to avoid perceived conflicts of interest. The Accreditation Body
is required to provide a CoI policy in Sec. 170.8(b)(17) for CMMC
Ecosystem members. The Department expects that a reasonable person
subject to the CoI policy should understand how to avoid the appearance
of conflicts of interest and, if unsure, seek clarity from the
Accreditation Body. Details of the disclosure requirements are in the
Accreditation Body conflict of interest policy.
A satisfactory record of integrity and business ethics is a record
that does not indicate derogatory behavior in relation to professional
conduct or conflict of interest.
The DoD declined to remove the 10-day re-evaluation deadline in
Sec. Sec. 170.17(c)(2) and 170.18(c)(2) to ensure consistency in the
assessment process. The OSC may utilize the appeals process, as
necessary. The DoD is required to codify CMMC program requirements
through a prescribed and formal rulemaking process. The timeline for
CMMC implementation changed due in part to DoD's decision to pause and
assess the program, seek opportunities to streamline and ease the
burden of its implementation, and respond to public comments. The DoD
declines to respond to speculative or editorial comments regarding the
actions of private citizens, which are not within the scope of this
rule.
g. Ecosystem Eligibility
1. Foreign Ownership
Comment: Two comments noted the rule does not include Foreign
Ownership, Control, or Influence (FOCI) requirements for the CAICO. One
comment recommended the rule incorporate the definition of the
``national technology and industrial base'' and exclude those companies
from FOCI requirements. The NTIB includes organizations from the United
States, the United Kingdom of Great Britain and Northern Ireland,
Australia, New Zealand, and Canada that are engaged in research,
development, production, integration, services, or information
technology activities.
Response: The CAICO has no FOCI requirement because they do not
have knowledge of the OSC's network or potential vulnerabilities
identified in the assessment process. Per Sec. 170.9(b)(5), the CMMC
Program implements the FOCI program that is managed by DCSA. Potential
FOCI exemptions are outside the scope of this 32 CFR part 170 CMMC
Program rule and must be addressed through international arrangements
or agreements.
2. Personnel Security
Comment: There were numerous comments regarding the Tier 3
Personnel Security requirements. Several comments recommended editorial
clarification. Multiple comments requested clarification on what ``not
eligible'' meant and what is the ``equivalent process''. One comment
recommended the Tier 3 background investigation be required for all
authorized personnel while two comments recommended eliminating the
Tier 3 background investigation requirement. Two other comments
requested clarification on why a Tier 3 investigation is required when
no secret information is handled and there is no clearance granted.
Another comment requested clarification on the Tier 3 process. Three
comments requested clarity on the citizenship requirements and how the
Tier 3 requirement will be enforced for international C3PAOs.
Another comment recommended adding a requirement for CMMC
Instructors and Assessors to report to the CAICO within 30 days of
conviction, or guilty pleas to certain crimes.
Response: In coordination with the OUSD/I&S, the DoD CIO evaluated
requirements for the CMMC Ecosystem. Based on the access to sensitive
unclassified information, a Tier 3 background investigation that
results in determination of national security eligibility is required
as specified in this rule. The concept of ``not eligible'' in Sec.
170.9(b)(4) is intended to cover those applicants who do not meet the
entrance requirements for a DCSA Tier 3 background investigation; it is
not an alternative for applicants who do not pass the Tier 3 background
investigation. The DCSA maintains a record of all background
investigation information in the Personnel Vetting Records system of
records, DUSDI 02-DoD, as published in the Federal Register. The
details of the Tier 3 background investigation are included in this
rule to inform the public of the CMMC requirement and that the
investigation will not result in a clearance. The DoD declines to
remove reference to the Standard Form 86 from the rule. All
documentation and records for the background investigation process must
be provided in English; rulemaking as a Federal regulation requires
this level of detail to ensure clarity of understanding and
interpretation. Details about background investigation equivalency are
available from DCSA at www.dcsa.mil/Industrial-Security/International-Programs/Security-Assurances-for-Personnel-Facilities/. As stated in
the 32 CFR part 170 CMMC Program rule, C3PAOs must meet the criteria
defined in Sec. 170.9. If a non-U.S. organization, and its
employees, meet all the requirements in Sec. 170.9 and Sec. 170.11,
it would not be prohibited from operating as a C3PAO within the U.S. or
abroad. The DoD declined to make recommended administrative changes to
Sec. 170.9(b)(3), because they did not result in a substantive change.
While a C3PAO may use its own employees to staff an assessment, it
also may leverage CCAs and CCPs who are independent contractors, rather
than employees of a specific C3PAO. Because these independent CCAs and
CCPs may not be covered by the C3PAO's background check requirement,
CMMC requires CCAs and CCPs to have their own Tier 3 background checks
or equivalent.
Section 170.10 has been updated to specify the CAICO must require
CMMC
Ecosystem members to report to the CAICO, within 30 days, if they are
convicted, plead guilty, or plead no contest for certain specified
legal matters or criminal activities.
h. ISO/IEC Standards
Comment: Several comments addressed ISO/IEC standards referenced in
the proposed rule. Most of these were related to ISO/IEC 17020:2012(E).
One commenter wanted to know what the proposed rule meant by ``out-of-
cycle from ISO/IEC 17020:2012(E).'' Another felt the section outlining
CMMC AB responsibilities should clarify that the CMMC PMO must approve
all C3PAO accreditation requirements established by the Accreditation
Body under ISO/IEC 17020:2012(E). One person felt the rule should give
C3PAOs more time to achieve compliance with ISO/IEC 17020:2012(E) and
one commenter asserted that including a revocation process in the CMMC
PMO roles and responsibilities section was inconsistent with ISO/IEC
17020:2012(E) standards because the C3PAO was the certification body.
One comment asserted the requirement in the rule for the CMMC AB to
complete the ILAC Peer Review prior to accrediting C3PAOs is too
onerous and not consistent with the ISO/IEC process for gaining
international recognition as an accreditation body in accordance with
ISO/IEC 17011:2017(E).
Response: The rule was updated in Sec. 170.8(a) to clarify
responsibilities of the Accreditation Body. DoD agreed with the comment
that the requirement to complete the Peer Review prior to accrediting
C3PAOs was too onerous and inconsistent with the ISO/IEC process under
ISO/IEC 17011:2017(E). The rule has been updated for clarity.
Using the terms of the ISO/IEC 17020:2012(E), the activity of the
C3PAO is an ``inspection'', rather than a ``certification''. The C3PAO
is an inspection body, not a certification body, and is responsible for
conducting the Level 2 certification assessment [Inspection]. The rule
was revised to delete terms related to granting or revoking
certification assessment status. The DoD reserves the right to conduct
a DCMA DIBCAC assessment of the OSA, as provided for under the DFARS
clause 252.204-7012 and DFARS clause 252.204-7020. DoD declines to
extend the period for C3PAOs to achieve compliance with ISO/IEC
17020:2012(E). The Department has determined that 27 months is
reasonable and sufficient for a C3PAO to achieve compliance. The rule
was also updated in Sec. 170.9(b)(11) to clarify that audit
information must be provided upon request.
14. Ecosystem Capacity
Comment: Commenters expressed concern that the demand for third-
party assessments amongst the defense industrial base will exceed the
capacity of available Certified CMMC Assessors and Certified CMMC
Professionals and government assessors which may prevent timely and
affordable audits or cause businesses to lose out on DoD contracts. To
mitigate the concerns, one commenter suggested delaying phase-in of
certification assessment by two years, by relying on self-assessment.
One commenter warned of solicitation protests if companies are kept out
of a competitive procurement due to a slow CMMC assessment process.
Another suggested that insufficient assessors may shrink the market for
DoD contractors and compromise assessment quality. Commenters were
apprehensive that DoD projections for certification demand did not
factor in all subcontractors and that the CMMC Accreditation Body lacks
a strategy for scaling to meet increased C3PAO demand.
Additionally, one commenter pointed out that the rule indicates
companies can pursue a certification assessment at any time after the
rule is published, which could tie up already limited C3PAO resources
and impede assessment opportunities for other companies bidding on an
upcoming contract. Another expressed concern that often-extensive
travel times required for assessors to reach rural-based companies like
electric cooperatives will disincentivize assessors from prioritizing
these companies and prevent their timely assessment.
Commenters suggested several actions the Department could take to
mitigate capacity-related risks, including: extending the phase-in of
Level 2 certification requirements; prioritizing companies for Level 2
phase-in; allowing C3PAOs to issue interim or conditional
certifications when unable to timely complete contractor assessments;
and waiving requirements for OSCs that are in the assessment process
but not yet certified. Some asked that DoD forecast the volume and
timing of Level 3 certification requirements and clearly communicate
those assessment requirements with contractors. Another requested
forecasts of both Level 2 and Level 3 assessment capacity against
various demand scenarios for each certification level.
Several commenters suggested that CMMC assessment requirements for
External Service Providers (ESPs) will also impede CMMC implementation,
as ESPs (1) must be CMMC certified before an OSC can include them in
their CMMC certification assessment scope and (2) will be competing
with DIB companies for scarce C3PAO assessors. Commenters suggested
ways to reduce burden on ESPs, which included: allowing use of non-
compliant ESPs until Phase 3 and prioritizing certification assessments
for ESPs ahead of other assessments.
Several commenters expressed concern about CCA and CCP roles, based
on perceived scarcity of candidates in the job market compared with
demand for similar services. Concerns included the potential for CCA
and CCP burnout from overwork, dissatisfaction with repetitive
assessment tasks, limited career paths in the roles, and the complexity
of operating within the CMMC ecosystem. One commenter compared CCA and
CCP roles with those of Certified Public Accountants and Certified
Information System Auditors, who have access to more varied
opportunities and industries.
Response: DoD received numerous comments about the use of ESPs
which do not process, store, or transmit CUI. In response, the DoD
revised the rule to reduce the assessment burden for ESPs. ESP
assessment, certification, and authorization requirements in 32
CFR 170.19(c)(2) and (d)(2) have been updated. ESPs that are not
CSPs and do NOT process, store, or transmit CUI, do not require CMMC
assessment or certification. Services provided by an ESP are in the
OSA's assessment scope. The phased implementation plan described in
Sec. 170.3(e) is intended to address ramp-up issues, provide time to
train the necessary number of assessors, and allow companies time to
understand and implement CMMC requirements. The DoD has updated the
rule to add an additional six months to the Phase 1 timeline. Phase 2
will start one calendar year after the start of Phase 1. It is beyond
the scope of this rule for DoD to determine the order in which
organizations are assessed.
The DoD declined to delete text stating that OSAs may elect to
complete a self-assessment or pursue CMMC certification assessment to
distinguish themselves as competitive because the recommendation did
not result in a substantive change. The CMMC rule describes anticipated
impacts on the DIB in the Impact and Cost Analysis section. Speculation
on market forces affecting the DIB is outside of the scope of the CMMC
program. Speculation on market forces affecting CMMC
[[Page 83128]]
ecosystem CCP and CCA roles is also outside of the scope of the CMMC
program. Likewise, limitations on career opportunities and associated
issues such as burn-out or job satisfaction are beyond the scope of the
program.
The DoD declines to comment on external market factors impacting
CMMC compliance. The seven-year timespan reflects the DoD's estimate
for all DIB members to achieve CMMC compliance. The implementation plan
ramps up CMMC assessment requirements over 4 phases, such that the
ecosystem will reach maximum capacity by year four. The DoD does not
agree with commenter assertions that 70,000 or more entities will
require CMMC Level 2 assessment by October 1, 2026. Table 6 of the
Impact and Cost Analysis of CMMC 2.0 section provides the DoD's
estimate of CMMC assessment numbers by year and level.
DoD considered many alternatives before deciding upon the current
CMMC structure. By design, the CMMC program depends on the supply and
demand dynamics of the free market, enabling it to naturally scale and
adapt to capacity requirements. Planned changes to DCMA staffing levels
have been considered with regard to implementation of CMMC Level 3 and
C3PAO assessments as described in this rule. The DIBCAC will
communicate extensively with contractors about the conduct of a Level 3
assessment during the pre-assessment planning phase.
15. Assessments
a. Level 1 and Mapping of 15 Level 1 to 17 Level 2 Requirements
Comment: A few questions were submitted about CMMC level 1
requirements, on topics such as whether DoD intended affirmations for
CMMC level 1 be required annually versus triennially, and whether
specific policies and procedures documentation is required for Level 1
self-assessments. One commenter asked about limits on deficiency
remediation and re-accomplishing an assessment in the event a company
fails a CMMC Level 1 self-assessment. Another commenter asked for the
specific wording to reflect a CMMC Level 1 assessment score in SPRS.
One commenter objected to CMMC level 1 annual affirmation, which
they considered an unwarranted expansion of CUI safeguarding
requirements to information systems that process only FCI. One
commenter recommended revisions to explicitly indicate that OSAs may
choose to engage the services of a C3PAO to inform the OSA's Level 1
self-assessment submission. Another commenter recommended editorial
revisions to avoid use of the term ``CMMC security requirements'' based
on the observation that CMMC requirements are aligned directly to those
identified in FAR clause 52.204-21 or NIST publications.
One commenter asked for explanation of perceived differences
between tables in the published rule that map CMMC Level 1 Security
Requirements to NIST SP 800-171A Jun2018, as compared with prior
versions of the document.
One commenter asked for the rationale associated with mapping 15
requirements for CMMC level 1 to 17 requirements in CMMC level 2. Two
commenters asked if systems that process FCI (and require CMMC level 1)
are considered within scope for CMMC level 2 or 3 assessments, and if
so, how they should be documented.
Response: When applicable, the DoD does require an annual CMMC
Level 1 self-assessment against the 15 safeguarding requirements
aligned with FAR clause 52.204-21. Annual affirmations are required at
every CMMC level. There are no explicit documentation requirements for
a CMMC Level 1 Self-Assessment. The DoD modified the Level 1 Scoping
Guide to provide clarity.
An OSA may complete as many self-assessments as desired, and there
is no required timeframe between Level 1 self-assessments and updating
CMMC Status in SPRS. The entry in SPRS for CMMC Level 1 is a binary
selection between Yes and No based on meeting all Level 1 security
requirements.
The CMMC Program verifies implementation of security requirements
for FCI in accordance with FAR clause 52.204-21. The DoD has elected to
use the CMMC Status postings and attestations in SPRS as the mechanism
to verify compliance with applicable CMMC requirements.
An OSA engaging an authorized C3PAO to perform the Level 1 self-
assessment and then using the resulting CMMC Status when ``self-
assessing'' is permissible. The OSA however retains all the
responsibilities and liabilities of the affirmation. No revisions to
the rule were necessary.
Writing style recommendations were not incorporated, and no responses
were provided to comments based on comparisons of pre-publication draft
versions with the version officially published for public comment. DoD
aligned the security requirements for Level 1 exactly with
those in FAR clause 52.204-21 and aligned the security requirements in
Level 2 exactly with those in NIST SP 800-171 R2. The 15 security
requirements in FAR clause 52.204-21, which make up CMMC Level 1, were
mapped by NIST into 17 security requirements in NIST SP 800-171 R2.
This was accomplished by splitting 1 requirement into 3 parts, while
the other 14 align. Table 2 to Sec. 170.15(c)(1)(ii) provides a
mapping.
Meeting the CMMC Level 2 self-assessment (Sec. 170.16) or CMMC
Level 2 certification assessment (Sec. 170.17) requirements also
satisfies the CMMC Level 1 self-assessment requirements detailed in
Sec. 170.15 for the same CMMC Assessment Scope.
b. Level 2
Comment: Commenters provided a number of very specific Level 2
assessment scenarios and asked for rule interpretation for each
scenario. Scenarios included differing scores for self-assessment and
third-party assessment; assessment timing; conditional assessment
expiration; and CUI enclaves.
One commenter stated the language describing certificates of
assessment lacked clarity and seems to allow an OSC to be issued a
certificate of assessment but not be certified. Two comments stated
that wording describing the expiration of a Conditional Level 2 self-
assessment or certification could be interpreted to mean that the OSA/
OSC would be permanently barred from seeking further contracts using
information systems within that CMMC Assessment Scope. One comment said
it was not clearly stated that a Level 2 third party assessment would
satisfy contractual requirements for a Level 2 self-assessment. One
comment stated that the rule does not clearly indicate whether a Level
2 assessment checks for more than just proper implementation of the 110
requirements in NIST SP 800-171 R2 and includes paragraphs (c) through
(g) of DFARS clause 252.204-7012. This commenter advocated that those
requirements be assessed only during DIBCAC assessments.
Response: The rule has been updated to clarify that meeting the
requirements for a CMMC Level 2 certification assessment satisfies a
CMMC Level 2 self-assessment requirement for the same CMMC Assessment
Scope.
The term ``certificate of assessment'' has been replaced with the
term ``Certificate of CMMC Status'' in the final rule. When an OSC has
met all the requirements for a Level 2 certification assessment, a
Certificate of CMMC Status is obtained from the C3PAO conducting the
assessment. See Sec. 170.9. Under CMMC, OSCs are not certified;
rather, the assessed network receives a
[[Page 83129]]
Certificate of CMMC Status for the CMMC Assessment Scope if the network
meets all applicable certification requirements. No rule edit is
necessary because Sec. 170.19 is clear on this point.
The phrase ``until such time as a valid CMMC Level 2 self-
assessment is achieved'' is added to the rule in the event a
Conditional Level 2 self-assessment or Conditional Level 3 expires [see
Sec. Sec. 170.16(a)(1)(ii)(B) and 170.17(a)(1)(ii)(B)].
The CMMC program does not assess paragraphs (c) through (g) of DFARS
clause 252.204-7012. The CMMC Program assesses the security
requirements set forth in the FAR clause 52.204-21; National Institute
of Standards and Technology (NIST) Special Publication (SP) 800-171 R2;
and selected requirements from the NIST SP 800-172 Feb2021, as
applicable (see table 1 to Sec. 170.14(c)(4) CMMC Level 3
Requirements).
If the contract requires a Level 2 self-assessment (i.e., a CMMC
Status of ``Conditional/Final Level 2 (Self)''), then the Level 2 self-
assessment score with a current affirmation is valid for that contract
but not for a contract with a Level 2 certification assessment
requirement. The DoD does not consider it realistic or likely that
C3PAOs will purposefully ``slow roll'' completion of assessments for
which they have been engaged by an OSC. However, the OSA's CMMC Status
is based on final results of an assessment and a valid affirmation. A
POA&M Close-out assessment need only re-assess those requirements that
were assessed as NOT MET in the original assessment as addressed in
Sec. 170.21(b). The OSA status is based on the results of this POA&M
Close-out assessment with a valid affirmation. If the subcontractor
will process, store, or transmit CUI, then the flow down requirement
for a Prime contract that specifies CMMC Level 3 certification
assessment is, at a minimum, CMMC Level 2 certification assessment
(i.e., a CMMC Status of ``Conditional/Final Level 2 (C3PAO)'').
A POA&M closeout applies to all NOT-MET requirements so if one
practice is not remediated within the 180-day time limit, the
conditional certification will expire. Scope cannot be changed in the
middle of an assessment, so the conditional certification will expire.
If the scope is changed, a new assessment is required.
The assessment is performed based on the defined CMMC Assessment
Scope. The OSA is only approved to process, store, or transmit FCI and
CUI within the CMMC Assessment Scope defined.
If the conditional assessment certification expires due to
exceeding the 180-day limit, a new full certification assessment is
required. Contracting officers can utilize standard contract remedies
during any period under which the OSA is not in compliance with CMMC
requirements. If an OSC closed out their POA&M 32 months ago, that
Level 2 Conditional certification assessment would have closed and the
OSC would have received a Level 2 Final certification assessment for
the remainder of the 3-year validity period. If after completing the
Level 2 Final certification assessment, the OSC is reassessed and does
not achieve a score of 110, then the OSC will either get a new
Conditional Level 2 (C3PAO) CMMC Status certificate (if they meet the
associated POA&M requirements), or the OSC will not receive a new
certificate.
c. Level 3
Comment: Several comments addressed CMMC Level 3 assessment
requirements and the relationship of Level 3 assessments to Level 2
assessments. One comment noted that a final version of the Level 3
assessment guidance was not available at the same time as other CMMC
assessment guides. Another recommended the DoD first pilot
implementation of CMMC Level 3 security requirements and clearly
identify (in advance) the data or programs that will be subject to
them. One commenter asked how DoD will maintain Level 3 requirements to
align with NIST's guidance since Level 3 includes only a subset of
NIST's SP 800-172 Feb2021 requirements.
Another asked about validating compliance for assets that changed
asset categories when transitioning from Level 2 certification to Level
3 certification. One comment said that Level 2 certification is
not clearly identified as a prerequisite for Level 3 certification, and
that organizations might try to bypass Level 2. One comment asked
whether those entities that would need a CMMC level 3 assessment could
seek a combined Level 2 and Level 3 certification from the DIBCAC to
reduce cost to the OSC.
One comment sought clarification of how long an OSC would be
prohibited from seeking additional contract awards if a Level 3
certification expired. Two comments were concerned about the DIBCAC's
ability to terminate a Level 3 assessment if the review identifies a
Level 2 requirement that is not met.
Response: For CMMC Level 3, the DoD selected a subset of NIST SP
800-172 Feb2021 requirements for enhanced safeguarding. The CMMC Level
3 supplemental documents were not finalized prior to publication of the
Proposed Rule. DoD's final determination of the specific subset of NIST
SP 800-172 Feb2021 requirements is included in this final rule, which
defines the ODPs for Level 3 in table 1 to Sec. 170.14(c)(4). DoD will
update the rule when required to change the security requirements, to
include CMMC Level 3.
DoD has reviewed and declined the recommendation to conduct a pilot
prior to phasing in CMMC Level 3 requirements. Given the evolving
cybersecurity threat, DoD's best interests are served by ensuring that
the selected CMMC Level 3 NIST SP 800-172 Feb2021 security requirements
are in place to provide enhanced protections for sensitive DoD CUI.
In those cases when DCMA DIBCAC identifies that a Level 2 security
requirement is NOT MET, DCMA DIBCAC may allow for remediation, place
the assessment process on hold, or may immediately terminate the Level
3 assessment, depending on significance of the NOT MET security
requirement(s) and the nature of the required remediation. The
determination of whether a NOT MET requirement is significant is
reserved for the judgment of the DCMA DIBCAC.
The rule has been updated to clarify that DCMA DIBCAC has the
responsibility to validate compliance of all assets that changed asset
category (i.e., CRMA to CUI Asset) or assessment requirements (i.e.,
Specialized Assets) between the Level 2 and Level 3 assessments. As
addressed in Sec. 170.18, a condition to request a Level 3
certification assessment from DCMA DIBCAC is the receipt of a Final
Level 2 (C3PAO) CMMC Status. The DoD considered, but declined, the
recommendation to allow OSAs to simultaneously pursue Level 2 and Level
3 in one assessment. DoD must enforce CMMC requirements uniformly
across the Defense Industrial Base for all contractors and
subcontractors who process, store, or transmit CUI, regardless of an
OSA's intended CMMC level. Permitting OSCs to seek combined CMMC Level
2 and 3 assessments would unfairly benefit only a subset of OSCs that
were identified to meet CMMC Level 3 requirements.
The rule has been updated to clarify that the OSC will be
ineligible for additional contract awards that require a CMMC Level 3
certification assessment until such time as a valid (Conditional or
Final) CMMC Level 3 (DIBCAC) CMMC Status is achieved for the
information systems within the CMMC Assessment Scope.
[[Page 83130]]
d. Scoring Methodology
1. CMMC Point Value System
Comment: Multiple comments were received concerning the point
values assigned to CMMC security requirements, their association to
other frameworks, consistency between CMMC levels, and their use in
POA&M eligibility determination. Numerous comments recommended that the
CMMC Level 2 weighted point system where security requirements are
valued as 1, 3, or 5 be modeled after the one point per requirement
used in CMMC Level 3 scoring. Some also questioned why the CMMC Level 2
scoring structure was the same as the NIST SP 800-171 DoD Assessment
Methodology (DODAM). Four comments recommended changes to the criteria
for adding unimplemented security requirements to an Assessment POA&M.
One comment noted that temporary deficiencies which are appropriately
addressed in plans of action should be assessed as implemented. Some of
the comments recommended not assigning point values to determine POA&M
eligibility. Two other comments recommended dropping the NIST Basic and
Derived security requirement designations and disassociating them from
CMMC point values.
Response: Recommendations to assign a point value of 1 to all CMMC
Level 2 security requirements were not accepted. CMMC adopted the
scoring as included in the NIST SP 800-171 DoD Assessment Methodology
(DoDAM) used by the DCMA DIBCAC and referenced in DFARS clause 252.204-
7020. As addressed in Sec. 170.20(a) in this rule, there is qualified
standards acceptance between a DCMA DIBCAC High Assessment and CMMC
Level 2 certification assessment. Revisions to the CMMC Scoring
Methodology will be made concurrently with changes to the DoDAM. The
variable point values of 1, 3, and 5 are linked to the NIST
determination of Basic Security Requirements and Derived Security
Requirements as described in Sec. 170.24. The DoD has updated
the rule text at Sec. 170.24 to clarify which requirements may
be included on a POA&M. CMMC Level 2 security requirement SC.L2-3.13.11
can be partially effective and may be included on a POA&M if encryption
is employed and is not FIPS-validated.
The DoD added a definition for enduring exceptions and temporary
deficiencies to the rule. Sec. 170.21 addresses POA&Ms for
assessments. Security requirement CA.L2-3.12.2 allows for the
development and implementation of operational plans of action
designed to correct deficiencies and reduce or eliminate
vulnerabilities in organizational systems. These operational plans of
action are different from POA&Ms permitted under Conditional
assessment. The rule has been updated to make this distinction clear.
The CMMC rule does not prohibit the use of an operational plan of
action to address necessary information system updates, patches, or
reconfiguration as threats evolve.
2. NIST SP 800-171A Jun2018 Assessment Objectives
Comment: Multiple comments questioned the role of NIST SP 800-171A
Jun2018 Assessment Objectives within the CMMC assessment process. Three
comments asked whether all assessment objectives needed to be met to
score a security requirement as MET. Two comments questioned the need
to report assessment results at the assessment objective level within
the CMMC instantiation of eMASS for CMMC Level 2 and CMMC Level 3
certification assessments. Some comments suggested that the DoD allow
for contractors to take a more risk-based approach to include
compensating controls instead of a strict security requirement-based
model.
Response: DoD must enforce CMMC requirements uniformly for all
defense contractors and subcontractors who process, store, or transmit
CUI. Each assessment objective in NIST SP 800-171A Jun2018 must yield a
finding of MET or NOT APPLICABLE for the overall security requirement
to be scored as MET. Assessors exercise judgment, within CMMC
guidelines, in determining when sufficient and adequate evidence has
been presented to make an assessment finding. A security requirement
can be applicable, even with assessment objectives that are N/A. The
security requirement is NOT MET when one or more applicable assessment
objectives is NOT MET. CMMC assessments are conducted, and their results
captured, at the assessment objective level. Assessment results are entered
into the CMMC instantiation of eMASS at the NIST SP 800-171A Jun2018
assessment objective level of detail to provide metrics on which
assessment objectives are proving difficult to implement and to
indicate where additional assessor training and guidance may be
warranted.
The DoD declines to change requirements to allow additional
organization-specific risk-based approaches. National Institute of
Standards and Technology (NIST) determined the appropriate
characteristics and considered the appropriate attack vectors when NIST
SP 800-171 R2 was created, and tailored the security requirements to
protect the confidentiality of CUI. Questions and comments related to
NIST SP 800-171 R2 background, development and scenarios are outside
the scope of the CMMC rule.
3. Other Scoring Comments
Comment: Three comments were received concerning the use of
operational plans of action to document security requirements which are
not fully implemented due to limitations beyond the ability of an OSA
to address. The use of temporary deficiencies and enduring exceptions
was suggested along with the recommendation that these items be scored
as MET.
The scoring of FIPS-validated modules was questioned in four
comments. An error in the point value for encryption (1 and 3 points vs
the correct 3 and 5 points) was identified. Clarification on full
credit for incomplete implementation of FIPS encryption was also
requested.
Two comments were received about the relationship between CMMC
Level 2 and CMMC Level 3 scoring asking if the point values in each
assessment were cumulative and how the 80% eligibility for an
assessment POA&M and Conditional certification would be calculated.
Three comments requested clarification around the use of N/A in
security requirements, assessment objectives, and in matters pertaining
to previously granted DoD CIO variances. One comment questioned what
types of artifacts are required to substantiate a determination of N/A
for a security requirement or assessment objective. Three comments
addressed the need for a System Security Plan, its point value, if any,
and the need for an SSP as a prerequisite for assessment as it exists
in the DIBCAC DODAM.
Response: The government cannot comment on the suitability of
specific implementations or products to meet CMMC security requirements
and is aware that FIPS module validation can exceed the 180-day CMMC
assessment POA&M threshold. Guidance regarding FIPS implementation on
Windows 11 is not appropriate for inclusion in the rule text and DoD
declines to make an update. Limitations of the FIPS-validated module
process do not impact the implementation status of FIPS cryptography.
The rule has been updated to include enduring exceptions and temporary
deficiencies. Vendor
[[Page 83131]]
limitations with respect to FIPS validation could be considered
enduring exceptions or temporary deficiencies and should be addressed
in an OSA's operational plan of action.
Several requirements within NIST SP 800-171 R2 specify the use of
encryption without consideration of the processing, storage, or
transmission of CUI. Requirement 3.13.11 requires that the encryption
used be a FIPS-validated module if the encryption is used to protect
the confidentiality of CUI. The scoring in Sec.
170.24(c)(2)(i)(B)(4)(ii) is based on the use of encryption and whether
the encryption uses a FIPS-validated module. There is no consideration
for multiple layers of encryption so specific guidance to assessors
regarding layers of encryption is not needed and DoD declines to make
the suggested addition. OSAs may choose how they implement security
requirements and C3PAOs will assess based on the stated
implementations. CCAs are trained in the correct process to assess
security requirements. The DoD has updated the rule text at Sec.
170.24(c) to clarify which requirements may be included on a
POA&M, which addresses the error in the point value for encryption.
The scoring for CMMC Level 3 is separate from the scoring for CMMC
Level 2. As stated in Sec. 170.24(c)(3), the CMMC Level 3 assessment
score is equal to the number of CMMC Level 3 security requirements that
are assessed as MET. There are twenty-four CMMC Level 3 security
requirements, identified in table 1 to Sec. 170.14(c)(4). CMMC Level 3
POA&M eligibility is based on the number of CMMC Level 3 security
requirements and does NOT include the 110 CMMC Level 2 requirements.
``Not applicable'' was removed from Sec. 170.24(c)(9) for the case
where the DoD CIO previously approved a variance. The rule has been
updated to reflect the language of DFARS clause 252.204-7012 and the
DoDAM, including nonapplicable or to have an alternative, but equally
effective, security measure. Regarding the comment on N/A objectives,
Sec. 170.23 is clear that MET means all applicable objectives for the
requirement and that if an objective does not apply, then it is
equivalent to being MET. A security requirement can be applicable, even
with one or more objectives that are N/A. The overall requirement is
only NOT MET when one or more applicable objectives is not satisfied.
The determination of assessment findings is made by an Assessor
following the assessment methodology. In the case of a self-assessment,
the Assessor is from the OSA. In the case of a certification
assessment, the Assessor is from the C3PAO or DIBCAC. An assessment
finding of NOT APPLICABLE (N/A) means a security requirement (or
assessment objective) does not apply at the time of the CMMC
assessment. For each assessment objective or security requirement
marked N/A, the Certified Assessor includes a statement that explains
why it does not apply to the contractor. The OSC should document in its
SSP why the security requirement does not apply and provide
justification. There is no standard set of artifacts required to
justify a finding of N/A.
A System Security Plan as described in security requirement CA.L2-
3.12.4 is required to conduct an assessment. The rule has been updated
at Sec. 170.24(c)(2)(i)(B)(6) for clarity. Security requirement CA.L2-
3.12.4 does not have an associated point value. The OSA will not
receive a -1 for a missing or incomplete SSP. The absence of an up-to-
date system security plan at the time of the assessment would result in
a finding that `an assessment could not be completed due to incomplete
information and noncompliance with DFARS clause 252.204-7012.' The rule
has been updated in Sec. 170.24(c)(6) to clarify this.
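The objective-to-requirement roll-up described in the response under "2. NIST SP 800-171A Jun2018 Assessment Objectives", the 1/3/5 point values and POA&M eligibility discussed under "1. CMMC Point Value System", and the separate Level 3 count-based score and 3-versus-5 point encryption case discussed under "3. Other Scoring Comments" can be expressed as one small scoring routine. The following is an added example written for this page; it is not rule text and not a DoD or Cyber AB tool. The point weights on the sample requirements are constructed for the illustration (the authoritative 1, 3 and 5 values are in the DoD Assessment Methodology); the 3-or-5 split for SC.L2-3.13.11 and the 80 percent threshold are as stated in the responses above. The rule that only 1-point NOT MET requirements (plus the SC.L2-3.13.11 partial case) may be placed on an assessment POA&M is the author's reading of Sec. 170.21 and is an assumption of this example.

```python
"""Roll NIST SP 800-171A assessment-objective findings up into CMMC Level 2
requirement findings, a Level 2 score and Conditional (POA&M) eligibility,
plus the separate count-based Level 3 score.

Added example, not rule text and not a DoD or Cyber AB tool. Sample weights
are constructed; the POA&M rule in poam_eligible() is an assumption (the
author's reading of Sec. 170.21).
"""
from dataclasses import dataclass

MET, NOT_MET, NA = "MET", "NOT MET", "N/A"
LEVEL2_TOTAL = 110          # NIST SP 800-171 R2 requirements
LEVEL3_TOTAL = 24           # table 1 to Sec. 170.14(c)(4)
FIPS_REQ = "SC.L2-3.13.11"  # the one partial-credit requirement


def min_score(total: int) -> int:
    """ceil(0.8 * total) in integer arithmetic: 88 of 110, 20 of 24."""
    return -(-total * 4 // 5)


@dataclass
class Requirement:
    ident: str
    weight: int                         # 1, 3 or 5 points lost when NOT MET
    objectives: dict                    # assessment objective id -> finding
    encryption_not_fips_validated: bool = False   # SC.L2-3.13.11 only


def requirement_finding(req: Requirement) -> str:
    """Every applicable objective must be MET; N/A objectives count as
    satisfied; a single NOT MET objective makes the requirement NOT MET."""
    findings = list(req.objectives.values())
    if NOT_MET in findings:
        return NOT_MET
    if all(f == NA for f in findings):
        return NA                       # nothing applicable: requirement is N/A
    return MET


def deduction(req: Requirement) -> int:
    """Points lost for this requirement. SC.L2-3.13.11: 5 if no encryption,
    3 if encryption is used but the module is not FIPS-validated."""
    if requirement_finding(req) != NOT_MET:
        return 0
    if req.ident == FIPS_REQ and req.encryption_not_fips_validated:
        return 3
    return req.weight


def level2_score(reqs: list) -> int:
    """Requirements not listed are taken as MET (they cost nothing)."""
    return LEVEL2_TOTAL - sum(deduction(r) for r in reqs)


def poam_eligible(reqs: list):
    """(eligible, reasons). Assumed rule: score >= 88 and no NOT MET item
    worth more than 1 point, except the SC.L2-3.13.11 partial case."""
    reasons = []
    score = level2_score(reqs)
    if score < min_score(LEVEL2_TOTAL):
        reasons.append(f"score {score} is below {min_score(LEVEL2_TOTAL)}")
    for r in reqs:
        lost = deduction(r)
        partial_fips = r.ident == FIPS_REQ and r.encryption_not_fips_validated
        if lost > 1 and not partial_fips:
            reasons.append(f"{r.ident}: {lost}-point requirement NOT MET")
    return (not reasons, reasons)


def level3_score(findings: dict) -> int:
    """Level 3 is scored on its own: the number of the 24 requirements MET.
    Only the 80 percent threshold (min_score(24) == 20) is modelled here."""
    return sum(1 for f in findings.values() if f == MET)


def sample_assessment() -> list:
    """Constructed findings for four requirements; the other 106 are MET."""
    return [
        Requirement("AC.L2-3.1.1", 5, {"a": MET, "b": MET, "c": MET}),
        Requirement(FIPS_REQ, 5, {"a": NOT_MET}, encryption_not_fips_validated=True),
        Requirement("AT.L2-3.2.3", 1, {"a": MET, "b": NOT_MET}),
        Requirement("PE.L2-3.10.6", 1, {"a": NA, "b": NA}),
    ]


if __name__ == "__main__":
    reqs = sample_assessment()
    for r in reqs:
        print(f"{r.ident:14} {requirement_finding(r):8} -{deduction(r)}")
    print("Level 2 score:", level2_score(reqs), "POA&M:", poam_eligible(reqs))
```

Two things the routine makes visible that the prose leaves implicit: a requirement whose objectives are all N/A costs nothing and is not a deduction, and a single 5-point requirement NOT MET keeps an OSC out of Conditional status even when the numeric score is comfortably above 88.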
e. Artifacts
Comment: Several comments and requests for clarification dealt with
artifacts that are reviewed or created during a CMMC assessment, or as
part of compliance with other contractual requirements, including DFARS
clause 252.204-7012. Some commenters asked whether standardized SSP and
POA&M templates would be provided to assist with compliance. Other
templates requested included pre-assessment planning materials, final
assessment reports, and the resulting Certificate of CMMC Status.
Others expressed concern that sharing certain artifacts during the
assessment process or permitting assessors to retain them would create
a vulnerability. In addition, commenters asked whether security
protections are required for documents held due to the artifact
retention requirements. One commenter asked how CMMC assessment scores,
or affirmation information will be protected, and whether the CMMC
program office will share this information outside of DoD. Another
suggested that C3PAOs should not be required to retain any OSC provided
materials.
One commenter misinterpreted the supplemental hashing guide as
requiring use of the MS PowerShell script with the SHA256 algorithm.
The commenter also stated it would be more efficient to specify a
single hash be provided for combined artifacts rather than requiring
separate hash values for each artifact. They recommended deletion of
the hashing requirement. Another commenter suggested requiring OSCs to
generate hashes for artifacts as part of a Level 2 self-assessment. One
comment also asked whether hashing is required for Level 3 artifacts.
One comment asked how long OSAs must retain artifacts following an
assessment.
Some comments expressed concern that C3PAOs that receive or retain
OSA artifacts identified as CUI would be required to undergo assessment
by both the DIBCAC and another C3PAO. Four commenters objected to the
6-year artifact retention requirement for C3PAOs and requested
reduction to 1 year. Three commenters asked whether self-assessors at
level 1 or level 2 must also retain supporting artifacts for 6 years.
Two commenters recommended revised wording of CMMC Level 3 requirements
to provide greater clarity about artifact retention and integrity.
One commenter requested edits to the description of SSP content,
advocating for deletion of references to organizational policies and
procedures in place to comply with NIST SP 800-171 R2. The recommended
edits also changed attribution of the requirement to create an SSP to
reflect DFARS clause 252.204-7020 rather than DFARS clause 252.204-
7012. This commenter also suggested additional wording to specify that
the OSA need not define roles and responsibilities of security
personnel in the SSP but may do so in ancillary documents.
Response: This rule retains the reference to DFARS clause 252.204-
7012 that implements NIST SP 800-171 as the basis for the requirement
to create and update an SSP. The DoD has considered the recommended
changes to the rule regarding the SSP content and declines to make the
revision. The NIST SP 800-171 R2 requirement for an SSP is foundational
to performing a NIST SP 800-171 R2 self-assessment and its purpose is
to provide critical information for performing the assessment. The SSP
should detail the policies and procedures that support ``. . . how
security requirements are implemented . . .'' for all NIST SP 800-171
R2 controls. DoD declines to establish a specific SSP format, as OSAs
should define the best format for their organizations. The Overview
section of the rule has been updated to remove the statement indicating
SSPs will outline the roles and responsibilities of security personnel.
DoD does not plan to provide document templates for SSPs and POA&Ms, as
they are already available
[[Page 83132]]
in existing NIST guidance. Templates and schemas for the pre-assessment
and assessment results documents are available to authorized CMMC eMASS
users at https://cmmc.emass.apps.mil.
Commenter concerns about artifact retention reflect
misunderstanding of the assessment process. Assessors and C3PAOs do not
retain OSC artifacts; they retain only the hash values captured during
the assessment process. Assessors will retain documents created during
the assessment such as their notes and the Assessment Findings Reports.
To facilitate the protection of these documents, authorized C3PAOs are
required to go through a DIBCAC conducted CMMC Level 2 assessment and
CMMC Assessors are only authorized to use C3PAO issued equipment that
was within the scope of the DIBCAC assessment. Separately, the DIBCAC
processes, stores, and transmits its assessment related data on DoD
networks. Assessment Reports are submitted to DoD via eMASS, which is a
government-owned, secured database. Sharing of this information is
subject to DoD policies.
The OSC is responsible for maintaining and hashing all artifacts
that supported the assessment. The rule has been modified to clarify
C3PAOs do not maintain artifacts from the OSC. The OSC's artifacts must
be hashed, and the value provided to the assessor for submission into
CMMC eMASS. That hash value contains no sensitive information. An OSC's
System Security Plan (SSP) will be reviewed as part of a CMMC
certification assessment, but not shared outside of the OSC. Assessors
will not retain copies of the SSP or any other proprietary OSC
information. Assessors will retain the name, date, and version of the
SSP for uploading in SPRS or eMASS, as appropriate for the level of
assessment. Assessors will upload assessment information (e.g., list of
artifacts, hash of artifacts, and hashing algorithm used) into CMMC
eMASS as addressed in Sec. 170.9(b)(17), and the OSC will retain its
assessment documentation as addressed in Sec. 170.17(c)(4) and Sec.
170.18(c)(4).
CMMC Level 2 self-assessment procedures as described in Sec.
170.16(c)(1) require assessment in accordance with NIST SP 800-171A
Jun2018, which, if conducted properly, will generate evidence. The rule
has been modified to incorporate data retention requirements for self-
assessments into Sec. Sec. 170.15 and 170.16. OSAs are not required to
generate hashes for self-assessment artifacts. Hashing is only required
for Level 2 or Level 3 assessments by C3PAOs and DCMA DIBCAC. The rule
and Hashing Guide have been updated to add clarity that only a single
hash is required, and that artifact retention is for six years. The use
of the SHA256 algorithm is not mandatory; therefore, the name of the
hash algorithm needs to be stored in eMASS.
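As an added example (not from the rule or the CMMC Hashing Guide), the following Python script shows one way an OSC could produce the artifact list, the per-artifact hashes, and the single reported hash value together with the algorithm name, and later re-verify the retained artifacts during the six-year retention period. The manifest layout, the function names, and the sample artifacts are assumptions constructed for this example.

```python
"""
Artifact hashing for CMMC assessment evidence (added example).

Assumed approach: hash every artifact file, write the digests into a
deterministic manifest, then hash the manifest so a single value, plus
the algorithm name, can be handed to the assessor for entry into eMASS.
The OSC keeps the artifacts and the manifest for the retention period.
"""
import hashlib
import tempfile
from pathlib import Path

# Stream files in 1 MiB chunks so large artifacts (captures, images) fit in memory
CHUNK = 1 << 20


def hash_file(path: Path, algorithm: str = "sha256") -> str:
    """Hex digest of one artifact; algorithm is any name hashlib accepts."""
    h = hashlib.new(algorithm)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(artifact_dir: Path, algorithm: str = "sha256") -> str:
    """One header line naming the algorithm, then 'digest  relative/path'
    per artifact, sorted by path so the manifest is reproducible."""
    lines = [f"algorithm: {algorithm}"]
    for path in sorted(p for p in artifact_dir.rglob("*") if p.is_file()):
        rel = path.relative_to(artifact_dir).as_posix()
        lines.append(f"{hash_file(path, algorithm)}  {rel}")
    return "\n".join(lines) + "\n"


def manifest_hash(manifest: str, algorithm: str = "sha256") -> str:
    """The single hash value the OSC provides to the assessor."""
    return hashlib.new(algorithm, manifest.encode("utf-8")).hexdigest()


def verify_artifacts(artifact_dir: Path, manifest: str, expected: str) -> list:
    """Recompute everything from the retained files and return a list of
    discrepancies; an empty list means the evidence set is intact."""
    problems = []
    header, *entries = manifest.splitlines()
    algorithm = header.split(": ", 1)[1]
    # Check the single value first; it covers the manifest as a whole.
    if manifest_hash(manifest, algorithm) != expected:
        problems.append("manifest hash does not match value recorded in eMASS")
    # Then check each artifact so the report names what changed or went missing.
    for entry in entries:
        digest, rel = entry.split("  ", 1)
        path = artifact_dir / rel
        if not path.is_file():
            problems.append(f"missing artifact: {rel}")
        elif hash_file(path, algorithm) != digest:
            problems.append(f"modified artifact: {rel}")
    return problems


def sample_artifacts() -> Path:
    """Create a temporary directory of constructed sample artifacts
    (stand-ins for an SSP excerpt, a policy, and a config export)."""
    base = Path(tempfile.mkdtemp(prefix="cmmc-artifacts-"))
    (base / "policies").mkdir()
    (base / "ssp-excerpt.txt").write_text("SSP v3.1 - AC.L2-3.1.1 implemented\n")
    (base / "policies" / "access-control-policy.txt").write_text("Policy 2024-01\n")
    (base / "firewall-export.cfg").write_text("deny any any log\n")
    return base


if __name__ == "__main__":
    artifacts = sample_artifacts()
    manifest = build_manifest(artifacts)
    single_value = manifest_hash(manifest)
    print(manifest)
    print("report to assessor: sha256", single_value)
    print("verification:", verify_artifacts(artifacts, manifest, single_value) or "intact")
```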
There are no additional requirements for artifact storage and
retention beyond those identified in the rule. It is up to the OSA to
determine the best way to ensure artifact availability during the six-
year retention period. The rule has been updated in Sec. Sec. 170.15
through 170.18 to clarify artifact retention requirements.
DoD declines to reduce the artifact retention period from six years
to one year. The rule has been updated to clarify that all OSAs and
Assessors are required to retain their respective assessment data for
six years. The requirement for an artifact retention period of six
years is a result of the Department of Justice's input to the proposed
rule.
f. POA&Ms
Comment: Over forty comments were received about POA&Ms seeking
clarification or revision to the rule content on that topic.
Several commenters misinterpreted the requirement to remediate or
close POA&M items within 180 days as eliminating acceptability of
operational plans of action for normal corrective actions such as
patching or other routine maintenance activities, thus making the
achievement of 100% compliance impossible. Some commenters requested
rule revisions to describe operational plans of action in more detail.
One commenter asked that the concept of Enduring Exceptions be added to
the rule to address special circumstances when remediation and full
compliance with CMMC security requirements is not feasible as described
in the NIST SP 800-171A Jun2018 assessment methodology.
Several commenters expressed concern with the 180-day timeline to
close out POA&Ms or limits on which practices can be placed on them.
Recommendations for changing the POA&M timeline ranged from completely
deleting the time limit to extending it by 1 to 3 years. One variation
was to permit more than 180 days for closeout only during an initial
one-year ``ramp-up'' period. One commenter encouraged DoD to reduce
POA&M restrictions to facilitate contractors' genuine attempts to meet
requirements and mitigate information security risks. Three commenters
also thought the rule should allow contractors to request approval to
delay POA&M close-out when meeting the original timeline is
impracticable, while another commenter suggested defining the close-out
timeline in the contract, allowing negotiation of extension or renewal
of POA&Ms through the contracting officer. Two commenters asked when
the 180-day timeline begins and one asked what actions occur if the
POA&M is not closed out within that period.
Four commenters noted that the number of security requirements
explicitly precluded from POA&Ms makes CMMC challenging and requested
greater flexibility in how many, and which practices may be included.
Three commenters recommended that companies be allowed to have any
number of failed practices reassessed for up to six-months after an
assessment without having to complete and pay for a new full
assessment. Three other commenters recommended that the DoD allow for
risk informed POA&Ms, while one stated that the rule should not specify
which requirements must be met. One commenter requested clarification
on how many items of each point value may be included on a POA&M for
CMMC Level 2 conditional certification. One commenter also asked DoD to
consider abandoning controls with high failure rates, lowering score
requirements based on evidence of sufficient mitigation.
Several comments expressed concern that CMMC conditional
certification does not allow higher weighted practices on a POA&M and
recommended the rule reduce those restrictions to allow more security
practices. One commenter also recommended eliminating weighting
altogether, permitting any requirement to be part of the POA&M. As
rationale, one commenter referenced DFARS clause 252.204-7012 verbiage
that permits contractors to request DoD CIO approval to vary from NIST
SP 800-171 requirements, saying that since all approved variances are
considered as ``Not Applicable'', all requirements should be POA&M
eligible.
Two commenters asked where POA&Ms are maintained, who is
responsible for validating close-out, and whether affirmation is
required after each assessment (including POA&M close-out). One
commenter asked about applicability of the 180-day POA&M close-out
requirement to Critical, High, Medium, or Low findings against Service
Level Agreements.
One commenter recommended that a description of appropriate POA&M
entries to be added to the rule and
provided other recommended edits to the POA&M section, including
addition of terms of art such as ``assessment-related'' and ``non-
assessment-related'', and deletion of the words ``as applicable.''
Response: The CMMC Program allows the use of POA&Ms. Section 170.21
delineates the requirements that may be addressed as part of an
assessment with a POA&M, that must be closed out by a POA&M closeout
assessment within 180 days of the initial assessment to achieve the
assessment requirement for Final certification. At Level 1, the OSA
must affirm annually that it has reassessed its environment. Security
requirement CA.L2-3.12.2 allows for the development and implementation
of operational plans of action designed to correct deficiencies and
reduce or eliminate vulnerabilities in organizational systems. The CMMC
rule does not prohibit an OSA from using an operational plan of action
at any CMMC level to address necessary information system updates,
patches, or reconfiguration as threats evolve. These are different from
POA&Ms permitted under a Conditional certification assessment. The DoD
has updated the rule to make this distinction clear. The Department
also updated the rule to include a definition and clarity for enduring
exceptions. The DoD CIO option for variances in DFARS clause 252.204-
7012 is beyond the scope of this rule.
Operational plans of action are the appropriate mechanism to handle
CSPs, ESPs (that are not CSPs), and third-party vendors that are no
longer compliant with a CMMC requirement. Operational plans of action may be
necessary when the relevant security requirement or control was fully
implemented, but a vulnerability or deficiency is discovered after
gaining a CMMC final compliance status, such as, but not limited to,
routine updates, patches, or updates to CMMC compliance status. For
purposes of CMMC compliance, operational plans of action are acceptable
and are not subject to the 180-day timetable established for initial
assessment. In addition, the rule has been modified to include a
definition for Enduring Exceptions.
The DoD does not accept the recommendation to change the criteria
for POA&Ms or the timeline allowed to remediate open POA&M items. The
180-day period allowed for POA&Ms and the determination of which
weighted practices can be placed on a POA&M was a risk-based decision.
The determination considers the relative risk DoD is willing to accept
when a particular practice is not met and the amount of risk the DoD is
willing to accept for those security practices that go ``NOT MET'' for
an extended period. The DoD declined to edit the rule regarding the
closeout of security requirements that are not allowed on the POA&M as
stated in Sec. 170.21. The decision in this scenario is a business
decision between the applicable C3PAO and the OSC.
Given the evolving cybersecurity threat, DoD's best interests are
served by ensuring that POA&Ms remain open for no longer than 180 days,
regardless of which controls are included or the plan for remediation.
The 180-day period starts when the CMMC assessment results are
finalized and submitted to SPRS or eMASS, as appropriate. As addressed
in Sec. Sec. 170.17(a)(1)(ii)(B) and 170.18(a)(1)(ii)(B), if the POA&M
is not closed out within the 180-day timeframe, the Conditional
Certification will expire. If the Conditional Certification expires
within the period of performance of a contract, standard contractual
remedies will apply, and the OSC will be ineligible for additional
awards with CMMC Level 2 or 3 requirements for the information systems
within the same CMMC Assessment Scope. The scoring methodology created
by the DoD reflects the relative risk to DoD information when a
security requirement is NOT MET. As defined in Sec. 170.17(c)(2), a
security requirement that is NOT MET may be re-evaluated during the
Level 2 certification assessment and for 10 business days following the
active assessment period under certain conditions. Likewise, when an
OSC executes a contract with a C3PAO it may account for the timeliness
of any re-assessments. The language in DFARS clause 252.204-7012
describing the DoD CIO's authority to approve variances is beyond the
scope of this rule.
A POA&M for CMMC Level 2 can include up to 22 security requirements
that have a value of 1, excluding those in Sec. 170.21(a)(2)(iii), or
may include non-FIPS-validated encryption and up to 19 security
requirements that have a value of 1.
The OSA is responsible for maintaining the POA&M that resulted from
a CMMC assessment; however, those security requirements that were NOT
MET and placed on a POA&M are recorded in eMASS. The OSA is responsible
for validating the close-out of the security requirements on the POA&M
within 180 days of a self-assessment. The C3PAO or DCMA (as applicable)
must perform the POA&M Close-out Assessment for a Final certification
assessment. An affirmation of compliance is required upon the
completion of any assessment--Conditional, Close-out, or Final--and
annually after the completion of a Final assessment. The requirement
outlined in Sec. 170.21 for POA&M close out does not apply to Service
Level Agreement (SLA) severity levels.
The Department declines to include recommended POA&M examples in
the rule, as they are already available in existing NIST guidance, or
make other word changes to Sec. 170.21. This section of the CMMC rule
has been updated to add clarity when discussing the POA&M regarding
security requirements that were assessed as NOT MET during a CMMC
assessment. These POA&Ms are distinct from an operational plan of
action.
g. Assessment Activities and Reporting
1. Data Entry
Comment: One comment requested the rule state that records in SPRS
must be updated within six months of the rule's effective date or when
the functionality is in place, whichever is longer. Two comments asked
for mitigations for assessment delays that could impact the timeliness
of certification. One comment asked for more information about
assessment frequency guidelines, and one asked which date would be used
to determine timing of CMMC Level 2 triennial assessments, where this
date is maintained, and who is responsible for ensuring contractors
meet all applicable security requirements.
Response: To be eligible for a contract with a CMMC Level 1 self-
assessment requirement, the OSA must perform a Level 1 self-assessment,
input the result into SPRS, and submit an affirmation. The timeline for
initiating and reporting a self-assessment is a business decision to
be made by each contractor considering contract opportunities it wishes
to pursue. Because the OSA can fully control timelines for completion
of self-assessments and plan for changes within the assessment scope,
and because CMMC certification assessments occur on a standard 3-year
cycle, the DoD expects that companies will plan assessments well in
advance of need. The required assessment frequency is every year for
CMMC Level 1, and every 3 years for CMMC Levels 2 and 3, or when
changes within the CMMC Assessment Scope invalidate the assessment.
Certification dates for CMMC levels 2 and 3 are set to the date the
certification assessment results are entered into SPRS for self-
assessments or the date the Certificate of CMMC Status is
entered into eMASS for third-party assessments. The triennial
requirement renews on that date; there is no grace period. Each OSA's
annual affirmation attests that they have implemented, and are
maintaining their implementation of, the security requirements.
2. Supplier Risk Performance System and eMASS
Comment: Three commenters viewed CMMC's intent to store CMMC
related data in an existing DoD system, SPRS, as an indication that
SPRS would replace other DoD risk tracking systems or the risk
monitoring responsibilities of other agencies. One commenter asked
whether other Services would have their own systems, as the SPRS
Program Office is within the Navy. Another comment stated CMMC and SPRS
should not be tasked with the responsibility of addressing Supply Chain
Risk Management (SCRM). One comment asked if the DoD intended to make
CMMC Level 2 and 3 certification information available to other
agencies, which could reduce the cost burden of compliance with
assessment/certification programs adopted by other agencies. One
comment asked how PII would be protected in SPRS. Another comment asked
for SPRS to be redesigned to list assessment results for each security
requirement instead of the aggregate level. One comment asked for a
CMMC-specific process for entering data into SPRS to make it easier for
small businesses and another comment asked for vendor visibility into a
potential sub-contractor's SPRS score.
Several comments asked about the CAGE code requirement and noted a
perception that businesses outside the U.S. are unable to obtain a CAGE
or become a member of PIEE and therefore unable to access SPRS. One
comment asked whether each contract would require a new SPRS entry.
One comment asked if OSCs that already have an eMASS account would
be able to access the CMMC instantiation of eMASS and one comment
questioned the cost/benefit of entering pre-assessment data into eMASS.
Another comment asked for clarification on the roles and
responsibilities of DoD Program Managers regarding the data uploaded
into eMASS. One commenter suggested that eMASS be modified to permit
tracking of self-assessment, in addition to certification assessments.
Response: SPRS is used to provide CMMC Status, score results, and
affirmation status to contracting officers and program managers as part
of the contract award process. It does not supersede other DoD program
office risk register systems. SPRS will be used for reporting CMMC
Status of all contractors, regardless of which service issued the
contract. Although the SPRS program is managed by the Department of the
Navy, its use spans across the Department. There is no role for other
agencies associated with this CMMC rule, which applies only to DoD
contractors that process, store, or transmit FCI or CUI. The CMMC PMO
has no current agreements with other Federal agencies to share CMMC
assessment results. There is nothing that prevents an OSA from sharing
their CMMC Status with other entities.
SPRS is an existing DoD database that is compliant with DoD
regulations, which includes meeting Privacy requirements. DoD suppliers
are already required to use SPRS to record NIST SP 800-171 self-
assessment scores, as referenced in DFARS clause 252.204-7020. The CMMC
rule expands the use of SPRS to include CMMC Status, certification
assessment scores, and affirmations.
SPRS is the tool that the DoD acquisition workforce will use to
verify companies meet CMMC requirements to be eligible for contract
award. SPRS data entry does not make available to Contracting Officers
scoring of individual security requirements.
The DoD does not concur with granting prime contractors access to
view the CMMC scores or Certificates of CMMC Status for potential
subcontractors in SPRS. Subcontractors may voluntarily share their CMMC
Status, assessment scores, or certificates to facilitate business
teaming arrangements. Changing access to PIEE and SPRS is outside the
scope of this rule.
CMMC eMASS is a tailored, stand-alone instantiation of eMASS for
use by authorized representatives from C3PAOs, the DCMA DIBCAC, and the
CMMC PMO. Individuals from each C3PAO will have access to CMMC eMASS to
upload Level 2 assessment data. DCMA DIBCAC personnel will have access
to CMMC eMASS to upload Level 3 assessment data. OSAs will not have
access to CMMC eMASS. Authorized personnel from OSAs may access SPRS,
which will host assessment certification and self-assessment data, and
will be able to upload and view scores only for their OSA.
The DoD declines to add requirements for submitting self-
assessments in eMASS. The requirement is for the OSA to enter scores
into SPRS. There is value to the DoD in having the pre-assessment
information in CMMC eMASS for overall program management and oversight.
The information indicates that an assessment is either scheduled or in-
process. The CMMC PMO seeks to track CMMC program adoption, and pre-
assessment information allows reporting on upcoming assessments. Based
on the DoD cost analysis, the effort to upload pre-assessment material
is minimal.
DoD Program Managers are not responsible for uploading data into
eMASS, nor do they have any responsibility regarding the data uploaded
to eMASS by DCMA. An ESP, OSA, or OSC seeking CMMC assessment will need
a CAGE code and an account in SPRS to complete the annual attestation
required of all CMMC certified or CMMC compliant organizations.
An OSA/OSC must obtain a CAGE code via https://sam.gov before
registering in PIEE. Step-by-step instructions for how to obtain an
account can be found on the PIEE Vendor Account website: https://piee.eb.mil/xhtml/unauth/web/homepage/vendorGettingStartedHelp.xhtml.
CAGE codes (or NCAGE codes for non-US-based companies) are also
required. US-based contractors obtain a Commercial and Government
Entity (CAGE) code from https://cage.dla.mil/Home/UsageAgree.
Businesses outside of the US must obtain a NATO Commercial and
Government Entity (NCAGE) code from https://eportal.nspa.nato.int/Codification/CageTool/home.
As specified in Sec. Sec. 170.15 and 170.16, SPRS inputs include
the industry CAGE code(s) associated with the information system(s)
addressed by the CMMC Assessment Scope. For each new information system
used to support a DoD contract with FCI or CUI, a new SPRS entry is
required. If the contractor or subcontractor will use an information
system associated with a CAGE code already recorded in SPRS then a new
entry is not required.
3. Assessors and Certificates
Comment: One commenter asked if an assessor is prohibited from
interacting with OSA IT tools such as MS Office 365 or cloud based GRC
tools. One commenter requested the CMMC rule require C3PAOs to clearly
indicate the CMMC Assessment Scope on the CMMC Certificate of CMMC
Status, to include CAGE codes, that could be shared with trusted
partners.
Response: The rule text in Sec. 170.11(b)(7) does not prohibit
collecting assessment evidence within the OSC environment using the
OSC's IT. This section applies only to IT used
by the assessors to process, store, or transmit assessment-related
information once it leaves the OSC environment. The rule has been
modified to list the minimum required information to be included on the
Certificate of CMMC Status, including CAGE code.
h. Reassessment
Comment: Some commenters interpreted the end of a CMMC assessment
validity period (and need for new assessment) as having the same
significance or meaning as a ``reassessment'', which the rule describes
as potentially necessary only in rare circumstances when cybersecurity
risks, threats, or awareness have changed.
Another commenter asked for examples of circumstances that might
prompt a re-assessment and description of the process for completing
one. Four commenters expressed concern that re-assessments might be
frequent, costly, and time-consuming. These commenters sought
confirmation that relatively common system maintenance activities would
not require a new assessment or prevent annual affirmation.
One commenter questioned the rationale for differences between
validity periods for CMMC Level 1 versus Levels 2 and 3 assessment and
recommended standardization on either a 1-year or 3-year frequency for
all levels. Other commenters asserted that annual affirmations would
drive a need for annual assessments at levels 2 or 3 and requested
deletion of the affirmation requirement.
One commenter asked whether system changes within an assessment
scope would require notification to the contracting agency. Another
asked for guidance on remediation of POA&M items and asked whether
systems that fall out of compliance must be identified to the
contracting agency.
Response: The DoD considered duration of assessment validity
periods and has chosen to require self-assessment of the basic Level 1
requirements every year, rather than every three years. Levels 2 and 3
require implementation of a significantly larger number of more complex
security requirements, which require more time and attention to assess.
The DoD also declines to delete the annual affirmation requirement
and does not agree that it equates to an annual assessment. The rule
was modified to clarify that reassessments may be required based on
post-assessment indicators of cybersecurity issues or non-compliance
and are different from new assessments that occur when an assessment
validity period expires. Reassessment is expected to be infrequent,
conducted by the DoD, and necessary when cybersecurity risks, threats,
or awareness have changed, or indicators of cybersecurity deficiencies
and/or non-compliance are present. When required, DCMA DIBCAC will
initiate the re-assessment process using established procedures. The
rule has been further updated to add this DCMA DIBCAC responsibility in
Sec. 170.7. OSCs seeking confirmation upon CMMC Level 2 POA&M close-
out may undergo POA&M close-out assessment by a C3PAO, which is
different from reassessment.
Self-assessments and certification assessments are valid for a
defined CMMC Assessment Scope as outlined in Sec. 170.19 CMMC Scoping.
A new assessment is required if there are significant architectural or
boundary changes to the previous CMMC Assessment Scope. Examples
include, but are not limited to, expansions of networks or mergers and
acquisitions. Operational changes within a CMMC Assessment Scope, such
as adding or subtracting resources within the existing assessment
boundary that follow the existing SSP, do not require a new assessment,
but rather are covered by the annual affirmations of continuing
compliance with requirements. The CMMC rule does not prohibit an OSA
from using an operational plan of action at any CMMC Level to address
necessary information system updates, patches, or reconfiguration as
threats evolve.
If the CMMC Assessment Scope changes, then the current assessment
is no longer valid and a new assessment is required. Requirements to
notify the contracting agency of compliance changes are described in
the 48 CFR part 204 CMMC Acquisition rule. An annual affirmation is
required at each CMMC level.
16. CMMC Assessment Scoping Policy
Comment: One comment asked whether the requirements of DFARS clause
252.204-7012 apply to the entire contractor-owned information system,
or only those components of the system that process, store, or transmit
the CUI. Another questioned whether assets that process both FCI and
CUI require CMMC Level 1 assessment.
One comment asserted that assessments described in DFARS provision
252.204-7019 and 7020 are scoped differently than CMMC assessments, and
requested the rule be revised to avoid duplication with those
assessments, where applicable. Another recommended that DoD determine
scoping, boundaries, standards, and assessments based on CUI data
rather than by systems.
One comment suggested that the rule be modified to address CMMC
applicability to service providers that only provide temporary
services, such as penetration testing, cyber incident response, or
forensic analysis.
Response: OSAs determine the CMMC Assessment Scope based on how and
where they will process, store, and transmit FCI and CUI. DoD has
reviewed the suggested changes and declines to make any updates.
Additional information for CMMC Scoping (Sec. 170.19) can be found in
the relevant scoping guides. The applicability of DFARS clause 252.204-
7012 requirements is not within the scope of this rule.
Meeting CMMC Level 2 self-assessment or certification assessment
requirements also satisfies CMMC Level 1 self-assessment requirements
for the same CMMC Assessment Scope. One commenter incorrectly assumes
that CMMC asset categories drive a change to the assessment scope from
what exists in DFARS clause 252.204-7012, which implements NIST SP 800-
171 R2. No conflicts exist between the DFARS clause 252.204-7012
requirements and the CMMC requirements in this rule.
The DoD declines to change the rule to base scoping, boundaries,
standards, or assessments solely on CUI data rather than on systems.
The purpose of the CMMC Program is for contractors and subcontractors
to demonstrate that FCI and CUI are adequately safeguarded through the
methodology provided in the rule. The decision on what CMMC level is
required for a contract is made by the Government after considering the
nature of the planned effort, associated risks, and CUI to be shared.
OSAs determine the CMMC Assessment Scope based on how and where they
will process, store, and transmit FCI and CUI.
Service providers who only need temporary access to perform
services such as penetration testing, cyber incident response, or
forensic analysis do not meet the definition of an ESP in Sec. 170.4
and do not process, store, or transmit CUI. Therefore, they are not
within scope and the DoD declines to modify the rule to include them.
17. CMMC Assessment Scope for ESPs
a. CMMC Applicability to ESPs
Comment: DoD received numerous comments about the implications of
using an ESP while seeking to comply with CMMC requirements. Many
comments were concerns that the ESP
assessment requirements expanded the scope and cost of the CMMC
program. Additionally, some comments described overarching concerns
about applicability of CMMC requirements to an ESP when it only
provided a Security Protection Asset or processed Security Protection
Data. In general, commenters requested to narrow the rule while
providing more clarity and definition related to CMMC requirements for
ESPs and CSPs. Many comments gave either hypothetical or actual
scenarios and asked whether the ESP in that scenario would be required
to complete a CMMC assessment at the level required for the OSA being
supported.
One comment suggested that ESPs should be treated the same as Risk
Managed Assets. Another comment suggested that they be treated as
Specialized Assets. Two comments proposed that DoD restrict DoD
contractors to the use of an ESP/MSP/MSSP that is ISO/IEC 27001:2022(E)
certified. Two comments suggest that OSAs be allowed to use non-
certified or some form of conditionally certified ESPs if they retain
the appropriate artifacts for review.
Response: The DoD has revised the rule to reduce the assessment
burden on External Service Providers (ESP). ESP assessment,
certification, and authorization requirements in Sec. Sec.
170.19(c)(2) and (d)(2) have been updated. The use of an ESP,
its relationship to the OSA, and the services provided need to be
documented in the OSA's SSP and described in the ESP's service
description and customer responsibility matrix (CRM), which describes
the responsibilities of the OSA and ESP with respect to the services
provided.
ESPs that are CSPs, and process, store, or transmit CUI, must meet
the FedRAMP requirements in DFARS clause 252.204-7012. ESPs that are
CSPs and do NOT process, store, or transmit CUI, are not required to
meet FedRAMP requirements in DFARS clause 252.204-7012. Services
provided by the CSP are in the OSA's scope.
When ESPs that are not CSPs process, store, or transmit CUI, a
CMMC assessment is required to verify compliance with requirements for
safeguarding CUI. Any ESP services used to meet OSA requirements are
within the scope of the OSA's CMMC assessment.
When ESPs that are not CSPs do NOT process, store, or transmit CUI,
they do not require CMMC assessment or certification; however, services
they provide are in the OSA's assessment scope. There is nothing in the
rule that precludes an ESP that is not a CSP from voluntarily
requesting a C3PAO assessment. A C3PAO may perform such an assessment
if the ESP makes that business decision.
ESPs can be part of the same corporate/organizational structure but
still be external to the OSA, such as a centralized Security Operations
Center (SOC) or Network Operations Center (NOC) that supports multiple
business units. The same requirements apply and are based on whether
the ESP provides cloud services and whether the ESP processes, stores,
or transmits CUI on their systems.
An ESP that is used as on-site staff augmentation only, i.e., the
OSA provides all processes, technology, and facilities, does not need
CMMC assessment. When ESPs are assessed as part of an OSA's assessment,
the assessment type is dictated by the OSA's DoD contract CMMC
requirement. The DoD declines to make any other suggested changes to
the assessment of ESPs.
b. Definitions
Comment: Multiple comments state that the definition of CSP in the
rule is overly broad and overlaps with the definition of ESP. One
comment questioned whether a C3PAO is also a Security Protection Asset
and by extension an ESP. Two comments requested change to the
definition of Out-of-Scope Assets to stipulate that SPD is Out-of-
Scope.
Response: Several comments requested clarification on when an ESP
would be considered a CSP. CSPs, MSPs, and MSSPs are always considered
ESPs. The DoD has updated the rule to narrow the definition of Cloud
Service Provider based on the definition for cloud computing from NIST
SP 800-145 Sept2011. An ESP would be considered a CSP when it provides
its own cloud services based on a model for enabling ubiquitous,
convenient, on-demand network access to a shared pool of configurable
computing resources that can be rapidly provisioned and released with
minimal management effort or service provider interaction on the part of
the OSA.
An ESP (not a CSP) that provides technical support services to its
clients would be considered an MSP. It does not host its own cloud
platform offering. An ESP may utilize cloud offerings to deliver
services to clients without being a CSP. An ESP that manages a third-
party cloud service on behalf of an OSA would not be considered a CSP.
C3PAOs need not ``receive'' security protection data as part of an
assessment; they view the security protection data while on premises at
the OSC for the assessment. A C3PAO is not an ESP or security
protection asset and is therefore not within the OSA assessment
boundary. DoD declines to delete the phrase ``except for assets that
provide security protection for a CUI asset'' from the definition of
Out-of-Scope Assets. Assets that provide security protection for CUI
are not Out-of-Scope Assets. A CMMC definition for Security Protection
Data has been added to the rule.
c. OSA Relationship to ESP
Comment: Several comments request clarification related to use of
an ESP that is internal to the OSA. One comment requested that DoD
require CSPs grant the US Government, as part of the contract between
the OSA and the CSP, access to any CUI that is subject to CMMC
requirements in the event of contractual failures, criminal actions or
other legal situations that warrant seizure of CUI data. Some comments
also asked whether the DoD has standing or authority to require C3PAO
assessment or conduct CMMC level 3 assessments of ESPs, given that the
ESP's direct contractual relationship is not with the Government but
with the OSA. Two comments suggest that ESPs will be covered by the
subcontractor flow down requirements from an OSA.
Response: DoD agrees with the need for added clarity around
internal ESPs and the rule was modified to remove the term internal
ESP. An ESP that provides staff augmentation, where the OSA provides
all processes, technology, and facilities, does not need CMMC
assessment. Alternatively, an ESP can be part of the same
organizational structure but still be external to the OSA, such as a
centralized SOC or NOC which supports multiple business units. The CMMC
requirements apply and are based on whether the ESP provides cloud
services and whether the ESP processes, stores, or transmits CUI on
their systems.
The OSA's contractual rights with its CSP are beyond the scope of
this rule.
The rule states requirements for the OSA, not the ESP. The rule
requires OSAs that process, store, or transmit FCI and CUI to protect
that data. If those OSAs elect to use an ESP, and that ESP processes,
stores, or transmits FCI or CUI from the OSA, then the OSA must require
that the ESP protect the FCI and CUI and the ESP will be assessed as
part of the OSA's assessment or require FedRAMP Moderate or equivalent.
Specifically for Level 3, if an OSC is seeking Level 3
certification and uses an ESP that is not a CSP and that DOES process,
store, or transmit CUI, then the ESP will need to be assessed by DIBCAC
against the same Level 3 requirements as the OSC as part of the OSC's
assessment unless the ESP voluntarily seeks a DIBCAC Assessment. If an
OSC is seeking Level 3 certification and uses an ESP that DOES NOT
process, store, or transmit CUI, then the ESP will NOT need to be
assessed by DIBCAC against the same Level 3 requirements as the OSC.
ESPs provide a service that meets the requirements specified by the
OSA, and therefore ESPs are not subcontractors on a DoD contract and
are not bound by subcontractor flow down requirements.
d. Assessment of ESPs
Comment: There were multiple comments regarding the assessment of
an ESP. One comment recommends the rule be revised to identify the
specific assessment requirements that would be considered NOT MET by
the OSA when using a non-compliant ESP, and to further require C3PAOs
to validate the OSCs use of compliant ESPs during a CMMC Level 2
assessment. One comment asks whether an ESP, when assessed, will require
a CAGE code and must enter scores into SPRS. Another comment asked whether
CMMC certification would be required when offering full IT management
and online storage, including CUI, if the MSP policies prevent
employees from accessing customer data.
One comment asks for clarification on the contents of the System
Security Plan when documenting the use of an ESP. Two comments ask how
to assess an OSA that is using a CSP to store CUI that does not meet
the FedRAMP requirements. One comment asks how C3PAOs can check on the
assessment status of an ESP. Three comments ask how to avoid redundant
assessments of ESPs. One comment asks to clarify how to handle ESPs at
Level 3 with respect to requirement AC.L3-3.1.2e that restricts access
to systems that are owned, provisioned, or issued by the organization.
One comment recommends DoD exempt CSPs that provide service with end-
to-end encryption from CMMC requirements, similar to a common carrier.
Several comments inquired about guidelines and practices for
obtaining Customer Responsibility Matrices (CRM) from CSPs and suggest
the rule be modified to also require them from ESPs. One comment asks
about how to obtain a CSP's System Security Plan.
Response: Implications for OSAs and C3PAOs for using non-compliant
ESPs are adequately addressed in the rule. The CMMC compliance of an
ESP, including a CSP, falls under the OSA's assessment. If an ESP is
used to meet any of the CMMC requirements for the OSA, then the ESP is
part of the scope of the OSA's assessment, and the compliance of the
ESP will be verified.
An ESP that is seeking CMMC assessment will need to obtain a CAGE
code and an account in SPRS to enable the reporting of its assessment
results via CMMC eMASS. A SPRS account is required to complete the CMMC
annual affirmation requirement included in DoD contracts that include a
CMMC certification requirement.
An ESP that processes, stores, or transmits CUI is an extension of
the OSA's environment. As part of that environment, the ESP will be
assessed against all requirements and accountable for all users who
have access to CUI as part of the ESP's service, not just OSA
employees. The government cannot comment on specific implementation or
documentation choices of an OSA, including the use of an ESP.
The C3PAO can only give credit to a FedRAMP Moderate Authorized or
equivalent CSP. Any requirements dependent on contributions from a CSP
in any other stage of compliance are considered NOT MET. The
requirements in the rule for FedRAMP Moderate equivalency have been
updated to reflect DoD policy. OSAs can consider CSPs in the FedRAMP
process for equivalency if they meet the requirements in DoD policy.
An ESP that is a CSP will be listed on the FedRAMP Marketplace. An
ESP that is not a CSP and processes, stores, or transmits CUI will be
within the OSA's assessment scope. An ESP can also volunteer to have a
C3PAO assessment and could make that information available to the OSA.
ESPs that are not CSPs may request voluntary CMMC assessments of
their environment and use that as a business discriminator. The
marketplace for ESP services will adjust to find the efficient manner
for ESPs to support OSA assessments that may include their services.
With respect to requirement AC.L3-3.1.2e, when an OSA adds an ESP's
services to its network, the ESP is considered to be provisioned by the
OSA. It is subject to the requirements for the use of an ESP.
A common carrier's information system is not within the
contractor's CMMC Assessment Scope if CUI is properly encrypted during
transport across the common carrier's information system.
In a cloud model, the end-to-end encryption would apply when
transmitting between OSA CUI assets and a cloud service. Once within
the security boundary of the CSP, the common carrier's system no longer
contributes to the handling of the CUI and the CSP's security practices
apply. If an OSA chooses to use a CSP to process, store, or transmit
CUI, FedRAMP Moderate or equivalency requirements apply.
The rule has been updated to include the use of a Customer
Responsibility Matrix by all ESPs, not just CSPs. Obtaining a copy of a
CSP's SSP is not required for a CSP that is FedRAMP Authorized.
Documentation on the services provided by the CSP and a CRM will be
required.
e. Capacity for Assessment of ESPs
Comment: Some comments questioned whether the CMMC ecosystem would
be adequate to provide the number of CMMC assessments necessary for
ESPs. In response, some comments recommend ESPs be given priority for
completing assessments. Others recommend different phasing or forms of
assessment and certification during ramp up.
Response: DoD declines to make suggested changes to the ramp up and
phasing of assessments for ESPs. DoD considered many alternatives
before deciding upon the current CMMC assessment structure. By design,
the CMMC program depends on the supply and demand dynamics of the free
market, enabling it to naturally scale and adapt to capacity
requirements. DoD declines to set priorities for the assessment
marketplace. The DoD has utilized a phased implementation approach to
reduce implementation risk. DoD expects that the public has utilized
the lead-time prior to the publication of this rule to prepare for CMMC
implementation and buy-down risk. CMMC Program requirements make no
changes to existing policies for information security requirements
implemented by the DoD. It is beyond the scope of this rule for DoD to
determine the order in which organizations are assessed.
f. Remote Access by ESPs
Comment: Two comments ask for clarification on requirements for
remote access by an ESP to an OSA, whether with OSA provided equipment
or a VPN.
Response: The assessment of remote access may fall into several
categories and is dependent on the specific architecture used and how
the OSA creates its assessment environment. When an ESP is providing
staff augmentation to the OSA and the OSA is providing all the systems
used for remote access, then the OSA's policies and procedures apply
and the ESP is not
considered to be processing, storing, or transmitting CUI. When the ESP
is using a Virtual Desktop solution, then the endpoint client device
will be considered out of scope when it is configured to prevent
storage, processing, or transmission of CUI on the end client beyond
the Keyboard, Video, Mouse input that is part of the Virtual Desktop
Infrastructure (VDI) solution.
Establishing a VPN connection with MSP equipment brings that
equipment into the OSA's assessment scope. The equipment must meet the
OSA's requirements for external access and connection to the network.
Depending on the processing performed by the ESP with the VPN
connection, other requirements may apply.
18. CMMC Assessment Scope for Security Protection Assets and Data
a. Scope and Authority
Comment: Multiple comments asserted that the use of Security
Protection Data and Security Protection Assets increases the scope and
cost of CMMC assessments and recommend changes to the costs or removing
SPD and SPA from the rule. One comment presented the increased scope as
an inconsistency between NARA and NIST SP 800-171A Jun2018. A few
comments asked what authority DoD uses to include SPD as part of CMMC
assessment.
Response: The commenter misread the rule's application to ESPs and
SPA/SPD. Security Protection Assets are specified in NIST SP 800-171 R2
Sec 1.1 which states: ``The requirements apply only to components of
nonfederal systems that process, store, or transmit CUI, or that
provide security protection for such components.'' The rule has been
updated in table 3 to Sec. 170.19(c)(1) and table 5 to Sec.
170.19(d)(1) to change the definition and requirements of Security
Protection Assets. The phrase ``irrespective of whether or not these
assets process, store, or transmit CUI'' has been removed from the SPA
description and the CMMC assessment requirements have been changed to
read ``Assess against CMMC security requirements that are relevant to
the capabilities provided.'' Similar changes were made to the guidance
documents. In order to clarify and address concerns about the perceived
``expansion'' of requirements, the rule was revised to reflect that
ESPs that only store SPD or provide an SPA and do not process, store,
or transmit CUI do not require CMMC assessment or certification.
b. Definition and Requirements
Comment: Numerous comments requested that the DoD provide a
definition for Security Protection Data (SPD) and configuration data,
as well as requirements for SPD to help understand the scope of SPD and
how that impacts the scope of Security Protection Assets and the
assessment requirements of ESPs. One comment recommended the removal of
the definition and use of SPD.
Multiple comments requested more information on the definition and
scoping of Security Protection Assets, their relationship to CUI, and
their requirements. Some comments suggested that the definition narrow
the scope of Security Protection Assets and/or their security and
assessment requirements. Other comments recommended eliminating the
concept of SPA. Additional comments recommended changing the assessment
requirements for SPAs to be the same as CRMAs, Specialized Assets, or
applicable NIST SP 800-171 R2 requirements commensurate with the level
of involvement with the security of CUI, or to only assess the
requirements provided by the SPA. Two comments recommended that the
phrase ``irrespective of whether these assets process, store, or
transmit CUI'' be removed from the definition of SPA.
Two comments asked for clarification on the requirements for CSPs
that only handle SPD.
Two comments recommended different security and assessment
requirements for ESPs that host SPD but do not process, store, or
transmit CUI.
Response: DoD added a CMMC definition for Security Protection Data
to the rule. The DoD considered the NIST definitions for System
Information and Security Relevant Information in the development of the
CMMC definition for SPD.
This rule does not regulate OSA Security Protection Data, but
instead implements existing regulatory requirements for the
safeguarding of CUI, as defined in 32 CFR 2002.14(h)(2) and implemented
by DFARS clause 252.204-7012. This clause requires protection of
security protection assets and security protection data through its
specification of NIST SP 800-171.
DoD does not agree with the commenter's statement that the
definition of Security Protection Assets ``is an exceedingly dangerous
adjustment to the NIST SP 800-171 Revision 2 Paragraph 1.1 Scope of
Applicability.'' Security Protection Assets provide security to the
entirety of an OSA's assessment scope which includes CUI Assets and
other in-scope assets.
The SPD definition also defines configuration data as data required
to operate a security protection asset. This limits the possible
interpretations of configuration data. Further, the rule has been
updated to reflect that ESPs that do NOT process, store, or transmit
CUI do not require CMMC assessment or certification.
All assets within an OSA defined CMMC Level 2 or 3 assessment
boundary have access to CUI and can process, store, or transmit CUI.
They are therefore subject to DFARS clause 252.204-7012 and required to
meet NIST SP 800-171 requirements. This is the authority for including
Contractor Risk Managed Assets (CRMAs) within CMMC assessments. For
Level 2, DoD has decided to assume some risk and lessen the assurance
burden for a class of these assets called Contractor Risk Managed
Assets, as specified in table 3 to Sec. 170.19(c)(1). DoD does not
assume this risk at Level 3. CRMAs are subject to assessment against
all CMMC requirements as specified in table 5 to Sec. 170.19(d)(1).
19. CMMC Assessment Scope and FedRAMP Moderate Equivalency Requirements
Comment: Several commenters identified inconsistencies between rule
content and a separate DoD policy memo that defines requirements Cloud
Service Providers (CSPs) must meet to be considered FedRAMP moderate
``equivalent'' in the context of DFARS clause 252.204-7012. One
commenter requested administrative changes to the rule for consistency,
while others requested more substantive changes to deconflict the rule
with DoD's policies. Differences between the two documents left some
commenters unclear about when a CSP would be considered within a CMMC
assessment scope or required to meet CMMC requirements. They also noted
that some CSPs refuse to provide clients with Customer Responsibility
Matrices (CRMs), which could impede an OSA's ability to meet CMMC
requirements. One commenter asked for specific instances when a
FedRAMP-moderate-authorized CSP would not be accepted as meeting CMMC
requirements or which requirements such a CSP could not meet.
Another commenter stated the FedRAMP moderate equivalency
requirements for CSPs in this rule will create confusion because they
address only the NIST SP 800-171 requirements and do not include the
additional cyber incident reporting requirements
identified in DFARS clause 252.204-7012. One comment suggested that any
expectation for CSPs to meet the DFARS clause 252.204-7012 requirements
for cyber incident reporting or completion of a System Security Plan
should be referenced in this CMMC rule. Another commenter suggested
that all DoD contracts with CUI should include clauses and provisions
for CSPs to meet Federal requirements, including a self-assessment and
certification of their systems.
One commenter asked whether it is sufficient for MSP/MSSPs to have
FedRAMP certification instead of CMMC certification. Another
interpreted the rule's wording related to security protection assets
and data as expanding requirements levied on CSPs.
One commenter interpreted CMMC Level 3 assessment requirements as
meaning all parts of an OSC's infrastructure are within scope for CMMC
assessment if the OSC uses a CSP, and recommended the rule specify that
security requirements from the CRM must be documented in the SSP.
Another asked whether OSCs must track all FedRAMP controls in their SSP
or only those relevant to NIST SP 800-171 R2.
Response: Requirements associated with the use of cloud service
providers (CSPs) are covered under section (b)(2)(ii)(D) of DFARS
clause 252.204-7012. When a CSP is used, it must meet the requirements
of the FedRAMP moderate baseline or the equivalent. The rule was
updated for consistency with those requirements, and now requires
FedRAMP moderate or FedRAMP moderate equivalency as defined in DoD
Policy.
Sec. Sec. 170.16(c)(2), 170.17(c)(5), 170.18(c)(5) address CMMC
requirements for CSPs. The CMMC rule does not add new requirements on
the use of CSPs, which are found in DFARS clause 252.204-7012. A CSP
must be assessed against the FedRAMP moderate baseline when the CSP
processes, stores, or transmits CUI. The CMMC rule does not oppose or
contradict the requirements of DFARS clause 252.204-7012, nor does this
rule relieve a CSP from any requirement defined in DFARS clause
252.204-7012.
Sec. 170.17(c)(5)(iii) and the corresponding requirement in Sec.
170.18(c)(5)(iii) only apply to CSPs used to process, store, or
transmit CUI in the execution of the contract or subcontract requiring
CMMC assessment. It does not expand to any cloud provider outside the
scope of the assessment. Interactions between DoD contractors and their
service providers are beyond the scope of the rule.
CMMC Level 2 self-assessment and affirmation requirements described
in Sec. 170.16 make clear that an OSA using a FedRAMP Authorized CSP
(at the FedRAMP Moderate or higher baseline) is not responsible for the
CSP's compliance. The OSA needs to document in its SSP how the OSA
meets its requirements assigned in the CSP's CRM. When using a CSP that
is not FedRAMP Authorized, the OSA is responsible for determining if
the CSP meets the requirements for FedRAMP Moderate equivalency as
specified in DoD policy. In this case, the OSA also needs to document
in its SSP how the OSA meets the requirements assigned to it in the
CSP's CRM.
The rule has been updated to include verbiage from the DFARS clause
252.204-7012 ``in the performance of a contract'' for consistency. Use
of the term CUI in this rule is deliberate because DoD intends to
assess compliance with NIST SP 800-171 R2 for all CUI. The DoD declines
to replace the word CUI with the word CDI, as the term CUI more clearly
conveys that NIST SP 800-171 is the requirement for all CUI
information, as described in 32 CFR 2002.14.
DoD received numerous comments about the use of ESPs which do not
process, store, or transmit CUI. In response to comments, the DoD has
reduced the assessment burden on ESPs. ESP assessment, certification,
and authorization requirements in Sec. Sec. 170.19(c)(2) and
(d)(2) have been updated.
20. CMMC Assessment Scope for Devices and Asset Categorization
a. Asset Categorization
Comment: There were many comments regarding the scoping and
treatment of assets when using table 3 to Sec. 170.19(c)(1) and table
5 to Sec. 170.19(d)(1). Several comments asked about when asset
categorization occurs, who approves it and how to document it. Two
comments questioned the applicability of using NIST SP 800-171 R2 for
Specialized Assets. Two comments suggested modifying the definition of
Out-of-Scope assets by removing the last bullet or discussing the use
of encryption. One commenter suggested adding more detailed definitions
of the asset categories to the rule. One comment recommended removing
asset categories from the rule.
Many comments requested scoping and categorization of specific
scenarios, such as ERP systems, MRP systems, quantum computing systems,
data diodes, asset isolation, and encrypted CUI. Numerous additional
comments requested clarification on scoping and categorization of
various security product classes.
Response: The OSA performs asset categorization and documents it in
their SSP. The OSA may choose the format and content of its SSP. Table
3 to Sec. 170.19(c)(1) requires that all asset categories, including
Specialized Assets, be included in the asset inventory. There is no
requirement to embed every asset in the SSP. In the SSP for Level 2,
the OSA must show how Specialized Assets are managed using the
contractor's risk-based security policies, procedures, and practices.
Prior to the conduct of an assessment, the OSC engages with the C3PAO
assessor. It is during this time that the classification of assets
should be agreed upon, and the results of these discussions are
documented in pre-planning materials. This is an example of the pre-
assessment and planning material submitted by the C3PAO as required in
Sec. 170.9(b)(8) and the CMMC Assessment Scope submitted to eMASS as
required in Sec. 170.17(a)(i)(D). It is beyond the scope of this rule
to address DoD review of specific Specialized Assets for individual
contractors.
DoD does not agree with a commenter's statement that Specialized
Assets are not actually assessed against CMMC security requirements. As
documented in Sec. 170.19, Specialized Assets are identified by the
OSC. Assessment requirements of Specialized Assets differ between CMMC
Level 2 and CMMC Level 3. If Specialized Assets are part of a CMMC
Level 2 assessment, the OSA must document them in the asset inventory,
document them in the SSP, and show how these assets are managed using
the contractor's risk-based security policies, procedures, and
practices. If Specialized Assets are part of a CMMC Level 3 assessment,
they must be assessed against all CMMC Level 2 security requirements
and CMMC Level 3 security requirements, identified in Sec.
170.14(c)(4).
DoD agrees with one comment that even if NIST SP 800-171 R2 cannot
be implemented, that does not mean the Specialized Assets cannot be
secured. CMMC requirements are defined to align directly to NIST SP
800-171 R2 and NIST SP 800-172 Feb2021 requirements. For additional
ease of burden, at Level 1 IoT and OT are not in scope; at Level 2
there are reduced requirements; they become in scope at Level 3
unless they are physically or logically isolated.
DoD has reviewed the text and declines to change the definition of
Out-of-scope assets because CUI should not
be transmitted via clear-text per NIST SP 800-171 R2. The DoD has
reviewed the suggested changes to asset categories and scoping tables
and declines to make an update. The asset categories in the rule help
the OSA understand the requirements of various asset types that might
be found within the assessment boundary.
OSAs determine the asset categories and assessment scope based on
how and where they will process, store, and transmit FCI and CUI. DoD
cannot comment on the suitability of any specific approach or
technology to successfully implement CMMC security requirements.
b. Virtual Desktop Infrastructure
Comment: Several comments requested clarification on the use of
Virtual Desktop Infrastructures and how to scope its components.
Response: The rule has been updated in table 3 to Sec.
170.19(c)(1) and table 5 to Sec. 170.19(d)(1) to state that an
endpoint hosting a VDI client configured to not allow any processing,
storage, or transmission of FCI and CUI beyond the Keyboard/Video/Mouse
sent to the VDI client is considered out of scope.
c. Contractor Risk Managed Assets
Comment: There were numerous comments regarding Contractor Risk
Managed Assets. Several comments perceived conflicts in the changes
between the current rule and previous intermediate documents regarding
CRMA requirements. Multiple comments recommended additional details
explaining risk-based management of assets. Two comments requested
additional details on the limited checks that are permitted during
assessment of CRMAs. Multiple comments requested clarification on CRMA
requirements at Level 3 for the OSA and ESP. One comment requested
clarification about the documentation requirements for CRMAs.
One comment asserted that the rule co-mingled CRMAs with assets of
an ESP. One comment questioned why CRMAs were being included as in-
scope assets subject to CMMC security requirements. One comment asked
for clarification between the security requirements and assessment
requirements for CRMAs.
Response: Commenters expressed confusion and concern over perceived
conflicts among responses to comments on a previous version of the
rule, other documentation, and the current rule. The DoD did not find
any conflicting language around CRMAs. There is no conflict between
CRMAs and the requirements for logical or physical boundaries. CRMAs
are only applicable within the CMMC Assessment Scope. DoD does not
agree with the statement that the wording change around Contractor Risk
Managed Asset (CRMA) effectively makes the asset category moot.
The CRMA category was created to ease the assessment burden, based
on the Department's risk tolerance. It is not intended to reduce the
level of protection and the CMMC security requirements which apply to
the assets. Despite the wording changes identified by the commenter,
the CMMC security requirements and the assessor's ability to conduct a
limited check to identify deficiencies as addressed in table 3 to Sec.
170.19(c)(1) are unchanged.
Contractor Risk Managed Assets (CRMA) should be prepared to be
assessed against CMMC security requirements at Level 2, and included in
the SSP, asset inventory, and network diagrams.
Table 3 to Sec. 170.19(c)(1) clearly addresses the assessment
requirements for Contractor Risk Managed Assets. All CMMC security
requirements must be MET when the OSA chooses to designate certain
assets as Contractor Risk Managed Assets.
Eight guidance documents for the CMMC Program are listed in
Appendix A to Part 170--Guidance. These documents provide additional
guidance for the CMMC model, assessments, scoping, and hashing. Use of
the guidance documents is optional.
The OSA is responsible for determining its CMMC Assessment Scope
and its relationship to security domains. Assets are out-of-scope when
they are physically or logically separated from the assessment scope.
Contractor Risk Managed Assets are only applicable within the OSA's
assessment scope. Table 3 to Sec. 170.19(c)(1) is used to identify the
asset categories within the assessment scope and the associated
requirements for each asset category. Contractor's risk-based security
policies, procedures, and practices are not used to define the scope of
the assessment; they are descriptive of the types of documents an
assessor will use to meet the CMMC assessment requirements.
It is beyond the scope of the CMMC rule to provide a detailed
explanation of the usage of ``risk-based'' terminology when
implementing or assessing CMMC requirements. DoD declines to speculate
and clarify the relationship between any NIST SP 800-171 R2 definitions
and any pending NIST SP 800-171 Revision 3 definitions.
The DoD has defined the effort allowed during a limited check in
table 1 to Sec. 170.19(c)(1). A limited check may require submission of
evidence.
The DoD cannot anticipate how an OSC will scope its CMMC Level 3
assessment with respect to its CMMC Level 2 environment. As specified
in table 5 to Sec. 170.19(d)(1), Level 2 Contractor Risk Managed
Assets are categorized as CUI Assets at Level 3.
The rule has been updated to clarify that ESPs do not require a
Level 3 certification unless they process, store, or transmit CUI in
the performance of a contract with a CMMC Level 3 requirement.
As stated in table 1 to Sec. 170.19(c)(1), CRMA assets must be
prepared to be assessed against CMMC requirements. The SSP must provide
sufficient documentation describing how security requirements are met
to allow the assessor to follow the instruction in table 1 to not
assess against other requirements. The assessor will then decide if a
limited spot check is warranted. The results of the limited spot check
can result in a requirement being scored as NOT MET.
The rule does not create two classes of Contractor Risk Managed
Assets as one commenter asserts. Contractor Risk Managed Assets are
only those assets that are owned by the OSC and within the assessment
scope. ESP assets are subject to the ESP requirements of the rule.
All assets within the OSA defined assessment boundary have access
to CUI and can process, store, or transmit CUI, and are therefore
subject to DFARS clause 252.204-7012 and required to meet NIST SP 800-
171 requirements. This is the authority for including CRMAs within CMMC
assessments. For Level 2, DoD has decided to assume some risk and
lessen the assurance burden for a class of these assets called
Contractor Risk Managed Assets, as specified in table 3 to Sec.
170.19(c)(1). DoD does not assume this risk at Level 3. Contractor Risk
Managed Assets are subject to assessment against all CMMC requirements
as specified in table 5 to Sec. 170.19(d)(1).
At CMMC Level 2, Contractor Risk Managed Assets and Specialized
Assets are assessed differently. Both types of assets must be
documented in the SSPs; Specialized Assets will not, however, be
assessed by the C3PAO while limited checks may be performed on
Contractor Risk Managed Assets. OSCs should be prepared for assessment
of Contractor Risk Managed Assets because a deeper assessment will be
done if the assessor's evaluation of the OSC's policies and procedures
raise questions. However, at
Level 3, Contractor Risk Managed Assets and Specialized Assets are
assessed, like CUI assets, against all CMMC security requirements, so
no additional explanation is required.
d. Specialized Assets
Comment: There were numerous comments regarding Specialized Assets.
Several comments discuss the use of enduring exceptions for Specialized
Assets and the use of the term in NIST SP 800-171 R2. Two comments
confuse the current rule with responses to a previous version of the
rule. A comment requests clarification why specialized assets are not
CUI assets. Another comment asks about the difference in assessment
requirements between CRMAs and Specialized assets. One comment
requested processes and best practices for evaluation of specialized
assets.
Two comments recommend that the Specialized asset requirements for
Level 3 remain the same as Level 2 due to the difficulty of meeting the
Level 3 requirements in a manufacturing environment. Two comments
request additional clarification on the Level 2 assessment of
Specialized assets when the assessment is a precursor to a Level 3
assessment.
Response: Definitions for enduring exceptions and temporary
deficiencies have been added to the rule. Specialized Assets are a type
of enduring exception and cover a broad range of circumstances and
system types that may not be able to be fully secured as described in
NIST SP 800-171 R2. It does not give an OSA the flexibility to broadly
categorize assets as Specialized Assets.
The OSA would be expected to address asset categorization with a
C3PAO during the initial scoping discussion to avoid disagreements
during the assessment process.
In one example provided, a single asset which is unable to meet a
single security requirement would be a temporary deficiency and be
addressed using an operational plan of action, describing the cause
with appropriate mitigation and remediation identified.
The sentence ``NIST SP 800-171 Rev 2 uses the term ``enduring
exceptions'' to describe how to handle exceptions for Specialized
Assets'' appears in answers to public comments on a previous version of
the rule, which responded to the initial CMMC Program requirements,
therefore the inclusion of the sentence is not relevant to the rule.
One commenter has misinterpreted the answer to a public comment on
a previous version of the rule, which responded to the initial CMMC
Program requirements. Specialized Assets are not evaluated at Level 1.
Specialized Assets at Level 2 need to be documented in the SSP and
included in the asset inventory and network diagrams. They also are to
be managed using the contractor's risk-based security policies,
procedures, and practices.
At Level 2, Specialized Assets do not need to be assessed against
other CMMC security requirements. At Level 3, Specialized Assets should
be prepared to be assessed against CMMC security requirements. CMMC
also provides for the use of intermediary devices to safeguard OT and
IOT devices that otherwise would be difficult or expensive to protect.
The phrase ``or information systems not logically or physically
isolated from all such systems'' only appears in answers to public
comments on the original 48 CFR CMMC interim final rule publication,
therefore the inclusion of the phrase is not relevant to the rule.
Specialized Assets span a broad spectrum of components and have
different limitations on the application of security controls.
Processes and practices to implement and assess security requirements
on these devices are outside the scope of the CMMC rule.
The Level 3 assessment is designed to provide additional safeguards
to protect the most sensitive CUI against advanced persistent threats
(APTs). DoD estimates that only one percent of defense contractors will
require a CMMC Level 3 assessment. DoD has judged that the risks
associated with the exposure of this CUI are sufficient to justify the
increased cost of a Level 3 assessment on the small percentage of the
DIB that is processing, storing, or transmitting this type of data.
CMMC also provides for the use of intermediary devices to safeguard
OT and IOT devices that otherwise would be difficult or expensive to
protect. This difference between how a Specialized Asset is assessed at
Level 2 and Level 3 is risk-based and affords a reduction in cost for a
Level 2 certification. The CMMC Assessment Scope for a CMMC Level 2
certification assessment is discussed between the OSC and the C3PAO. If
the OSC has a goal to undergo a CMMC Level 3 certification assessment
for the same assessment scope, it may be good business practice for the
OSC to disclose this information to the C3PAO and be assessed based on
the Level 3 scoping, however this is not required.
e. Intermediary Devices
Comment: One comment asks for additional information on
intermediary devices as referenced in table 5 to Sec. 170.19(d)(1).
Another comment asks for direction in situations where the comment
asserts intermediary devices are not practical.
Response: An intermediary device is used in conjunction with a
specialized asset to provide the capability to meet one or more of the
CMMC security requirements. For example, such a device could be a
boundary device or a proxy, depending on which requirements are being
met. The rule is agnostic as to how many requirements are met and what
technology is used to meet them. Implementation guidance for OT/IOT/
IIOT is outside the scope of the CMMC rule.
21. CMMC Assessment Scope for Enterprise Versus Segmented Environments
Comment: Two commenters sought guidance for segmented networks that
inherit some controls from an enterprise network that has a valid CMMC
certification, and asked whether certification assessments may be
shared between the networks.
Response: Sec. 170.19 states that prior to a CMMC assessment, the
OSA must define the CMMC Assessment Scope for the assessment,
representing the boundary with which the CMMC assessment will be
associated. Any CMMC certification granted applies only to the assessed
CMMC Assessment Scope. An enclave may be able to leverage some elements
of the enterprise assessment by inheriting some requirements from the
enterprise network, but it cannot inherit the enterprise certification.
Enclaves beyond the certified CMMC Assessment Scope must be assessed
separately based on their own CMMC Assessment Scope.
There is no established metric for inherited implementations from
an enterprise to any defined enclaves. The OSA determines the
architecture that best meets its business needs and complies with CMMC
requirements. Within the enclave, the OSA determines which requirements
are implemented and which requirements are inherited; all requirements
must be MET. If a process, policy, tool, or technology within the
enclave would invalidate an implementation at the Enterprise level,
that requirement cannot be inherited and the OSA must demonstrate that
it is MET by implementation in some other way. Additional guidance
related to assessments and enclaves has been added to the CMMC Scoping
Guide Level 2 and Level 3.
22. Revocations and Appeals Process
Comment: One comment asked for more clarification regarding the
granting
[[Page 83142]]
and revoking of interim validity status for a CMMC assessment. Several
comments requested an appeal and remediation process if a CMMC
assessment status is revoked by the DoD. One comment requested that the
revocation process not be arbitrary or capricious and provide for due
process. And one comment recommended removing the word ``maintained''
from the criteria for revocation of the validity status because
maintenance is part of ongoing operations as specified in the security
requirement for Risk Assessments and Continuous Monitoring (CA.L2-
3.12.2). One commenter asked whether SPRS reporting is the only
mechanism in place to ensure that OSAs maintain the SSP and conduct
self-assessments correctly.
Three comments recommended that the DoD or CMMC PMO have a role in
the assessment appeals process. Of these, one cited the DFARS clause
252.204-7012 clause as precedent for DoD CIO to render final decisions.
Some commenters suggested the CMMC AB relationship to C3PAOs would bias
any decisions they may make, and that final appeal authority is an
inherently governmental risk acceptance decision. One comment suggested
that the DIBCAC or other DoD entity render final appeals decisions or
take responsibility for certifying OSCs. They also asked for the C3PAOs
to be released from liability for reasonable assessment judgments. Two
comments asked whether the only means to appeal a CMMC AB final
decision is through litigation. Another comment asked who could
escalate an appeal to the CMMC AB. One comment requested the rule
include more requirements for the C3PAO appeals process, including that
the process be time bound and address disputes related to perceived
assessor errors, malfeasance, and unethical conduct, while another
comment requested a simpler appeals process. One comment requested
clarification as to how the OSC interfaces with the C3PAO for appeals
purposes. One comment asked if there was a process to challenge C3PAOs'
findings of non-compliance if additional requirements are applied from
an assessment guide that are not included in the source standard. One
comment asked how to dispute the specific CMMC level included in a
solicitation.
Response: Requirements for CMMC Conditional certification
assessments for each level are defined in Sec. Sec. 170.16 through
170.18. Section 170.6(e) describes indications that may trigger
investigative evaluations of an OSA's CMMC Status. The DoD has revised
the rule throughout to delete the term ``revocation'' and to clarify
that the DoD reserves its right to conduct a DCMA DIBCAC assessment of
the OSA, as permitted under DFARS clause 252.204-7012 and DFARS clause
252.204-7020. If the results of a subsequent DIBCAC assessment show
that adherence to provisions of this rule have not been achieved or
maintained, the DIBCAC results take precedence over any pre-existing
CMMC self-assessment(s) or Final certification assessment(s) and will
result in SPRS reflecting that the OSA is not in compliance (i.e.,
lacks a current Certificate of CMMC Status). There are no additional
requirements or checks on self-assessments to ensure that OSAs maintain
the SSP and conduct self-assessments correctly, beyond those identified
in the rule.
One commenter misunderstood the meaning of 'maintained' with
respect to the Level 1, 2, and 3 provisions. An operational plan of
action can be created without risk to the certification validity
period. If a security event generates risk for the protection of FCI or
CUI, the associated security requirements should be readdressed
expeditiously. If one or more of the requirements can't be remediated,
the OSA should create an operational plan of action and resolve it in a
time frame that continues to provide protection to FCI or CUI.
The Accreditation Body must have its own appeals process, as
required under ISO/IEC 17011:2017(E). Each C3PAO is required to have an
appeals process which involves elevation to the CMMC Accreditation Body
for resolution. The appeals process is derived from and consistent with
ISO/IEC 17020:2012(E) and ISO/IEC 17011:2017(E). The appeals process is
addressed in Sec. Sec. 170.7(b), 170.8(b)(16), and 170.9(b)(13), (19),
and (20). An OSC, the CMMC AB, or a C3PAO may appeal the outcome of its
DCMA DIBCAC conducted assessment within 21 days of the assessment by
submitting a written basis for appeal that includes the requirements in
question for DCMA DIBCAC consideration. An OSC, the CMMC AB, or a C3PAO
should visit www.dcma.mil/DIBCAC to obtain the latest contact
information for submitting appeals. A DCMA DIBCAC Quality Assurance
Review Team will respond to acknowledge receipt of the appeal and may
request additional supporting documentation.
By defining the requirements in this rule to become a C3PAO, and
defining a scoring methodology, the DoD is providing the authority and
guidance necessary for C3PAOs to conduct assessments. The CMMC
Accreditation Body will administer the CMMC Ecosystem. The DoD will not
assume the workload of directly managing the CMMC ecosystem or the
other alternatives suggested. DoD declines to give the PMO
responsibility to render the final decision on all CMMC Level 2
assessment appeals as this role is properly aligned to the CMMC
Accreditation Body. The CMMC AB is under contract with the Department
of Defense to execute defined roles and responsibilities for the DoD
CMMC Program as outlined in Sec. 170.8. The specified CMMC AB
requirements were selected and approved by the DoD. They include
Conflict of Interest, Code of Professional Conduct, and Ethics policies
as set forth in the DoD contract.
For ISO/IEC 17020:2012(E) and ISO/IEC 17011:2017(E) compliance, an
appeals process is required. CMMC-specific requirements for appeals are
addressed in Sec. Sec. 170.8(b)(16) and 170.9(b)(13), (19), and (20).
The DoD expects the process to be managed efficiently; however, setting
a specific timeline is not appropriate because the time may vary based
on the complexity of the issue.
Responsibility for final appeals determination rests with the CMMC
AB. The DoD declines to mandate that the CMMC AB consult with the CMMC
PMO or DIBCAC prior to rendering a decision. The CMMC PMO will serve in
the oversight role for the entire CMMC program.
OSCs may submit any appeal arising from CMMC Level 2 assessment
activities to C3PAOs as addressed in Sec. 170.9(b)(19). OSCs may
request a copy of the process from their C3PAO. The rule has been
revised to reflect that any dispute over assessment findings which
cannot be resolved by the C3PAO may be escalated to the CMMC AB by
either the C3PAO or the OSC. The decision rendered by the CMMC AB will
be final as stated in Sec. 170.8(b)(16). Appeals pertaining to an
assessor's professional conduct that are not resolved with the C3PAO
will also be escalated to and resolved by the CMMC AB.
As addressed in Sec. 170.9(b)(13), the C3PAO will have a quality
assurance individual responsible for managing the appeals process in
accordance with ISO/IEC 17020:2012(E) and ISO/IEC 17011:2017(E).
Identification of the C3PAO staff that an OSC should interface with is
beyond the scope of this rule. It is a business decision that may vary
by C3PAO and should be addressed between the OSC and C3PAO prior to
conduct of an assessment.
The supplemental documents listed in Appendix A provide additional
guidance to aid in CMMC
[[Page 83143]]
implementation and are not authoritative. In the event of conflicts
with the security requirements incorporated by reference, this rule and
NIST SP 800-171A Jun2018 or NIST SP 800-172A Mar2022 guidance will
always take precedence. Disputes regarding the CMMC level specified in
a contract solicitation should be addressed with the contracting
officer using normal pre-award or post-award communications processes.
No revision to the rule is required. Selection of the CMMC level is a
DoD risk-based decision made by the Program Manager or Requiring
Activity.
23. CMMC Cybersecurity Requirements
a. NIST SP 800-171 R2 Requirements
Comment: Several comments were received regarding FIPS-validated
cryptography. Some recommended mitigating delays with FIPS validation
testing and reducing the risk of CMMC assessment failures by allowing
FIPS POA&Ms or POA&M extensions, waivers, or making encryption an
organizationally defined parameter (ODP). Similarly, some recommended
the DoD accept alternate FIPS solutions such as commercially viable
modules with FIPS-approved protocols or FIPS-compliant--as opposed to
FIPS-validated--protocols. One comment recommended that DoD collaborate
with NIST to either improve the processing of FIPS validation testing
and/or to define the encryption ODP for NIST SP 800-171 Revision 3. One
comment recommended DoD work with NIST to align NIST ODPs in NIST SP
800-171 Revision 3 to DoD ODPs defined in the CMMC Rule for CMMC Level
3 to ensure consistency. Another commenter asked if FIPS 140-3 was an
acceptable FIPS implementation.
Multiple comments addressed NIST requirements. One comment stated
the NIST cybersecurity standards and guidelines are not legal
requirements. The commenter recommended edits to the CMMC rule to
require contractors implement requirements ``derived'' from NIST SP
800-171 R2 with measurable specifications to protect CUI. Two
commenters felt the body of the proposed rule should have included a
list of the NIST requirements to be assessed at each CMMC level. One
comment suggested clarifying when a Systems Security Plan is required
for each level. And, one asked if the CMMC Assessment Scope and
attestation requirements included Non-Federal Organization (NFO)
controls or the flow-down and reporting requirements from DFARS clause
252.204-7012.
Some comments were speculative in nature and outside the scope of
the rule. One commenter was concerned that a CMMC assessment would not
address the risk of insider threats and national security problems
driven by political divisions within Congress.
Response: DoD is aware of industry concerns regarding FIPS
validation required in NIST SP 800-171 R2 requirement 3.13.11. Because
this is a NIST requirement, changing it is beyond the scope of the CMMC
rule. As stated in Sec. 170.5(3), the CMMC Program does not alter any
separately applicable requirements to protect FCI or CUI, including the
requirement to use FIPS-validated cryptography which comes from NIST SP
800-171 as required by DFARS clause 252.204-7012. Limitations of the
FIPS-validated module process do not impact the implementation status
of FIPS cryptography. However, the rule has been updated to allow for
Enduring Exceptions and temporary deficiencies, which may apply to the
implementation of FIPS.
DoD declined to update the rule to include ``FIPS-compliant''
encryption as opposed to ``FIPS-validated'' encryption. NIST SP 800-171
R2 requires the use of validated modules in specific conditions.
Comments on the specific security requirements contained in NIST
documentation are beyond the scope of this rule and should be directed
to NIST. Collaboration between DoD and NIST about the NIST
cryptographic module validation program, or to define cryptography
related ODPs in NIST SP 800-171 Revision 3, is also beyond the scope of
the rule. Recommendations for desired changes in NIST documentation
should be directed to NIST.
The NIST Cryptographic Module Validation Program website provides a
list of approved solutions and their timelines: https://csrc.nist.gov/projects/cryptographic-module-validation-program.
NIST SP 800-171 information security requirements were codified in
32 CFR part 2002 in response to guidance (in E.O. 13556) to standardize
Federal agency policies for safeguarding CUI. The DoD has elected to
use FAR clause 52.204-21, NIST SP 800-171 R2, and a subset of NIST SP
800-172 Feb2021 as the basis for the security requirements in this
rule.
As stated in Sec. 170.14(c), CMMC Level 1 requirements are found
in FAR clause 52.204-21, CMMC Level 2 requirements are found in NIST SP
800-171 R2, and CMMC Level 3 requirements are a selected subset of NIST
SP 800-172 Feb2021 requirements as specified in the 32 CFR part 170
CMMC Program rule in table 1 of Sec. 170.14.
NIST SP 800-171A Jun2018 provides authoritative procedures for
assessing NIST SP 800-171 R2 security requirements and the CMMC Level 2
Assessment Guide provides additional guidance for assessing CMMC Level
2 security requirements. Both documents are referenced in the 32 CFR
part 170 CMMC Program rule, at Sec. Sec. 170.16(c) and 170.17(c).
It is recommended that an OSA develop a SSP as a best practice at
Level 1, however, it is not required for a CMMC Level 1 self-
assessment. A CMMC assessment does not include Non-Federal Organization
(NFO) controls from table E in NIST SP 800-171 R2 nor the DFARS clause
252.204-7021 flow down and reporting requirements.
DoD concurs that CMMC provides no mechanism for addressing insider
threats posed by political divisions in Congress. However, insider
threat in general is addressed in the following CMMC security
requirements: AT.L2-3.2.3--Insider Threat Awareness; AC.L2-3.1.7--
Privileged Functions; PS.L3-3.9.2e--Adverse Information.
b. Transition to Future NIST Requirements
Comment: Many commenters raised concerns about the CMMC Proposed
Rule's citation of a specific version of a relevant baseline document,
i.e., NIST SP 800-171 R2. The expressed concerns focused mainly on a
perceived potential for a timing conflict between the NIST revision
requirements based on DFARS clause 252.204-7012 (revision in effect at
time of solicitation) and this CMMC Program rule which specifies NIST
SP 800-171 R2. Commenters provided a variety of differing suggestions
to address these concerns. Some commenters recommended that no revision
number be included, while others recommended citing Revision 3 rather
than Revision 2. Others recommended delaying the CMMC Program. Some
recommended changing DFARS clause 252.204-7012 or issuing a class
deviation to address differences between the NIST revisions cited.
Those that recommended citing to Revision 3 noted that to do otherwise
could delay compliance with Revision 3 beyond NIST's anticipated
finalization of that publication. Commenters noted that the criteria
defined in guidance explaining how to assess against NIST requirements
(i.e., NIST SP 800-171A Jun2018) does not identify a revision number
for the NIST SP 800-171 requirements to which they apply. In addition
to the comments about NIST
[[Page 83144]]
SP 800-171 R2 and NIST SP 800-171 Revision 3, some commenters
questioned how DoD would implement or how long the DoD would allow for
transitioning to each future version of NIST standards once approved.
One commenter recommended defining a waiver process to manage the
transition for each new NIST revision. Another commenter asked whether
contract work stoppages are expected during such transitions and if
industry would be afforded time to understand the impacts of new
requirements to existing systems. One commenter suggested that CMMC
affirmations should indicate continued compliance to the NIST SP 800-
171 version that applied to the corresponding self-assessment or
certification assessment.
Two commenters recommended that the incorporation by reference
version of NIST SP 800-53 cited in this rule be changed from Revision 5
to Revision 4, to better align with the incorporation of
NIST SP 800-171 R2. Another commenter noted that both NIST SP 800-171
R2 and NIST SP 800-172 Feb2021 include Organizationally Defined
Parameters (ODP), the latter of which are defined in this rule. The
commenter advised against defining ODP for either reference, and
recommended deletion of specific rule text that does so.
Response: DoD is aware of the differences between the language of
DFARS clause 252.204-7012 and the proposed rule. 1 CFR part 51, which
governs drafting of this rule, requires the specification of a revision
to a standard. Specifying a revision benefits the CMMC Ecosystem by
ensuring it moves forward from one NIST standard to the next in an
organized manner. The DoD cites NIST SP 800-171 R2 in this final rule
for a variety of reasons, including the time needed for industry
preparation to implement the requirements and the time needed to
prepare the CMMC Ecosystem to perform assessments against subsequent
revisions. DoD is unable to incorporate suggestions that CMMC
assessments be aligned to whichever NIST revision is current at the
time of solicitation and declines to respond to speculation about the
release timing of other publications. In May 2024, NIST published SP
800-171 Revision 3, Protecting Controlled Unclassified Information in
Nonfederal Systems and Organizations, after these comments were
received. DoD will issue future amendments to this rule to incorporate
the current version at that time. Comments on the content of the NIST
SP 800-171 Revision 3 publication or future NIST SP 800-171 revisions
should be directed to NIST.
The final rule has been updated to specify the use of NIST SP 800-
171A Jun2018, Assessing Security Requirements for Controlled
Unclassified Information, and NIST SP 800-172A Mar2022, Assessing
Enhanced Security Requirements for Controlled Unclassified Information.
The DoD has included the numbering scheme in the rule because the
numbering scheme is a key element of the model. The CMMC numbering
scheme for security requirements must pull together the independent
numbering schemes of FAR clause 52.204-21 (for Level 1), NIST SP 800-
171 R2 (for Level 2), and NIST SP 800-172 Feb2021 (for Level 3); it
must also identify the domain and CMMC level of the security
requirement. DoD developed the least complicated scheme that met all
these criteria.
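The identifier scheme just described is mechanical enough to be checked by a program. The following parser is an added example and is not part of the rule or of any DoD or CMMC AB tooling. It takes identifiers of the form domain.L<level>-<source number> that appear throughout this rule (for example AC.L3-3.1.2e, CA.L2-3.12.2), splits them into domain, CMMC level and source requirement number, maps the level to the source document the rule names for it, and rejects identifiers whose source number does not fit the level (a Level 2 identifier carrying the NIST SP 800-172 "e" suffix, or a domain abbreviation that is not one of the NIST SP 800-171 families). Two details are assumptions rather than text from this page: the Level 1 source-number form (FAR clause paragraph references such as b.1.i), and the tolerance for a ":" in place of "." between domain and level, which is a spelling that appears in some of the comments above (IA:L3-3.5.3e) and is normalized to the rule's own form.

```python
"""Parse and validate CMMC security-requirement identifiers (added example).

Scheme, as the rule describes it: <domain>.L<level>-<source requirement
number>, where the source number comes from FAR clause 52.204-21 (Level 1),
NIST SP 800-171 R2 (Level 2) or NIST SP 800-172 Feb2021 (Level 3).
"""
import re
from dataclasses import dataclass

# The 14 NIST SP 800-171 requirement families and their two-letter codes.
DOMAINS = {
    "AC": "Access Control", "AT": "Awareness and Training",
    "AU": "Audit and Accountability", "CM": "Configuration Management",
    "IA": "Identification and Authentication", "IR": "Incident Response",
    "MA": "Maintenance", "MP": "Media Protection",
    "PS": "Personnel Security", "PE": "Physical Protection",
    "RA": "Risk Assessment", "CA": "Security Assessment",
    "SC": "System and Communications Protection",
    "SI": "System and Information Integrity",
}

# Source document for each CMMC level, as stated in the rule.
SOURCE_BY_LEVEL = {
    1: "FAR clause 52.204-21",
    2: "NIST SP 800-171 R2",
    3: "NIST SP 800-172 Feb2021",
}

# Overall shape. "[.:]" accepts the ':' variant seen in some comments
# (assumed tolerance; the rule itself uses '.').
_ID_RE = re.compile(
    r"^(?P<domain>[A-Z]{2})[.:]L(?P<level>[123])-(?P<req>[0-9A-Za-z.]+)$"
)

# Per-level shape of the source requirement number.
_REQ_SHAPE = {
    1: re.compile(r"^[a-z]\.\d+(?:\.[ivx]+)?$"),  # e.g. b.1.i (assumed Level 1 form)
    2: re.compile(r"^3\.\d{1,2}\.\d{1,2}$"),      # e.g. 3.12.2
    3: re.compile(r"^3\.\d{1,2}\.\d{1,2}e$"),     # e.g. 3.9.2e, enhanced requirement
}


@dataclass(frozen=True)
class CmmcRequirementId:
    domain: str
    level: int
    source_number: str

    @property
    def domain_name(self) -> str:
        return DOMAINS[self.domain]

    @property
    def source_document(self) -> str:
        return SOURCE_BY_LEVEL[self.level]

    def canonical(self) -> str:
        """Return the identifier in the rule's own spelling (dot separator)."""
        return f"{self.domain}.L{self.level}-{self.source_number}"


def parse_requirement_id(text: str) -> CmmcRequirementId:
    """Parse one identifier; raise ValueError when it violates the scheme."""
    m = _ID_RE.match(text.strip())
    if not m:
        raise ValueError(f"{text!r}: not of the form DD.Ln-<source number>")
    domain, level, req = m["domain"], int(m["level"]), m["req"]
    if domain not in DOMAINS:
        raise ValueError(f"{text!r}: unknown domain {domain}")
    if not _REQ_SHAPE[level].match(req):
        raise ValueError(
            f"{text!r}: Level {level} identifiers must carry a "
            f"{SOURCE_BY_LEVEL[level]} requirement number, got {req!r}"
        )
    return CmmcRequirementId(domain, level, req)


def validate_ids(ids):
    """Map each input string to its canonical form, or to the error text."""
    result = {}
    for raw in ids:
        try:
            result[raw] = parse_requirement_id(raw).canonical()
        except ValueError as exc:
            result[raw] = f"ERROR: {exc}"
    return result


if __name__ == "__main__":
    # Constructed sample: identifiers quoted in this rule plus two bad ones.
    sample = ["AC.L3-3.1.2e", "CA.L2-3.12.2", "IA:L3-3.5.3e",
              "CM.L2-3.4.2e", "XX.L2-3.1.1"]
    for raw, outcome in validate_ids(sample).items():
        print(f"{raw:16} -> {outcome}")
```

The check that matters for an assessor or tool author is the per-level shape: it is what ties the "e" suffix to Level 3 and NIST SP 800-172, and a plain 3.x.y number to Level 2 and NIST SP 800-171 R2, so a mislabelled identifier is caught before it is used to select the wrong assessment procedure.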
The CMMC Program Office is unable to respond to comments proposing
changes to the DFARS, which is subject to separate rulemaking
procedures. One commenter described a hypothetical scenario wherein a
solicitation is issued such that DFARS clause 252.204-7012 would
require compliance with NIST SP 800-171 Revision 3, but the CMMC
requirement identified is for assessment against NIST SP 800-171 R2. In
this hypothetical scenario, it is possible that the bidder may meet the
CMMC requirement by citing a valid CMMC assessment against NIST SP 800-
171 R2, while also availing themselves of the flexibilities provided in
DFARS clause 252.204-7012 (2)(ii)(B) to submit a written request to the
Contracting Officer to vary from the current version of NIST SP 800-
171.
Recommendations for modification to or deviation from DFARS clause
252.204-7012 are beyond the scope of this rule. The DoD has evaluated
the potential interaction between the CMMC program requirements and the
existing requirements in DFARS clause 252.204-7012 and believes that
potential conflicts have been resolved.
NIST SP 800-53 R5 is incorporated by reference only for applicable
definitions because DoD chose to use the latest definitions available.
While it is also true that NIST SP 800-171 R2 was based on NIST SP 800-
53 Revision 4, the origination of NIST SP 800-171 R2 is beyond the
scope of this rule.
Contractors and subcontractors will not be expected to stop work
while they implement changing standards. Implementation of this rule
will be introduced as a pre-award requirement in new DoD solicitations,
as described in the timeline at Sec. 170.3(e).
Any substantive change to CMMC security requirements must go
through rulemaking, and its associated timeline, which may include
public comment. The new rule may include a transition period for
implementation of the new security requirements.
The commenter correctly identifies that the programmatic intent of
this rule is for affirmations to signify systems in question remain
compliant as indicated by the assessment that was conducted.
Assessments are conducted against the specified NIST publication
versions or the requirements in FAR clause 52.204-21. The 48 CFR part
204 CMMC Acquisition rule also reinforces this thought by providing
specific wording of the affirmation.
c. NIST SP 800-172 Feb2021 Requirements
Comment: Multiple comments recommended adding all the omitted
requirements from NIST SP 800-172 Feb2021 or a subset including Network
Intrusion Detection System, Deception and Unpredictability, arguing
that they are necessary for protecting CUI and to defend against
advanced persistent threats.
Two comments inferred that the requirement to restrict access to
systems owned, provisioned or issued by the OSC means that the OSC must
provide all equipment used to access the system, which they asserted is
impossible because outside entities using GFE, to include DoD, may need
access. One commenter also asked if DIB Furnished Equipment would be
required, and one commenter argued for an exception for GFE, even
though it is not owned, provisioned, or issued by the OSC.
Three comments stated that Organizationally Defined Parameters
(ODP) values need to be set by OSAs, not DoD. One commenter argued this
will be necessary because of the emerging ODPs at Level 2 associated
with NIST SP 800-171 Revision 3. One commenter argued this is critical
for uniformity across the Federal enterprise as many contractors
support multiple Federal agencies. The commenter further offered that
allowing ODP values to be set by OSAs could be limited to contractor
systems not operated on behalf of the DoD. One commenter suggested that
ODP values set by OSAs may require approval by the contracting officer.
One comment stated that the ODPs are too detailed for the 32 CFR part
170 CMMC Program rule, and table 1 to Sec. 170.14 should be moved to
the Level 3 Assessment Guide.
One comment argued that removal or quarantine of components to
facilitate patching or re-configuration, as specified in table 1 to
Sec. 170.14(c)(4) CM.L3-3.4.2e, is a disruptive and
[[Page 83145]]
possibly a destructive operational constraint affecting business
operations. They asserted that patching and reconfiguration are
standard day-to-day IT administrative activity, and components do not
need to be removed or quarantined.
One comment asserted that CMMC should be based on NIST SP 800-53 R5
requirements (linked to the associated NIST SP 800-172 Feb2021
requirements) due to additional labor required to create NIST SP 800-53
R5 solutions and benefits to be gained from NIST SP 800-53 R5 overlays.
Two comments argued that IA:L3-3.5.3e regarding 'the prohibition of
system components from connecting to organizational systems unless
certain conditions are met' is essentially the same requirement as
CM:L2-3.4.7 'restricting, disabling, or preventing the use of
nonessential programs, functions, ports, protocols, and services'.
Response: DoD considered many alternatives before deciding which
NIST SP 800-172 Feb2021 requirements to include as part of CMMC Level
3. NIST SP 800-172 Feb2021 notes that ``There is no expectation that
all of the enhanced security requirements will be selected by Federal
agencies implementing this guidance.'' For a variety of reasons,
including DoD's estimation of cybersecurity maturity and complexity
across the DIB, and potential cost of certain Level 3 requirements
compared with the benefit, the DoD has included a limited set of NIST
SP 800-172 Feb2021 requirements. On a contract-by-contract basis,
additional requirements may be added. OSAs are at liberty to implement
additional requirements.
The intent of AC.L3-3.1.2e, which requires restricted access to
systems and system components, is not that DIB companies issue laptops
to external users wishing to access Level 3 enclaves. While laptop
issuance is one solution, other options are available. The important
concept in this requirement is ``comply to connect'', and it applies to
all users, both within the OSA and externally, equally. In complying
with this requirement, GFE may be considered provisioned by the OSC and
therefore is not restricted under that requirement.
DoD defines the ODPs for NIST SP 800-172 Feb2021 included in CMMC
Level 3. This eliminates the risk of different parameters being set for
different DoD programs. Rulemaking requirements dictate that table 1 to
170.14(c)(4) be codified in the rule. The Assessment Guide is an
optional document.
DoD declines to accept the risk of removing security requirement
CM.L3-3.4.2e. The Assessment Guide has been updated to include
additional discussion on this security requirement. Feedback on
individual security requirements should be directed to NIST.
Any relationship to the NIST SP 800-53 R5 controls is for
information only. The requirements that must be implemented for CMMC
Level 3 are defined in the rule table 1 to Sec. 170.14(c)(4).
IA:L3-3.5.3e and CM:L2-3.4.7 are different requirements. The L2
requirement is about functionality, and the L3 requirement is about
trust. Feedback on individual security requirements should be directed
to NIST.
24. CMMC Annual Affirmation Requirements
Comment: One commenter recommended the affirmation statement
include a statement confirming the scope has not changed and requested
the rule be modified to identify types of changes that would constitute
a change of system scope. Another commenter recommended removing any
requirement for affirmation after assessment certificate issuance or
else revising the rule to identify any benefits the affirmation
provides that conducting an independent assessment does not already
provide. Another commenter recommended the DoD clarify that out-of-
cycle affirmations are not needed.
Three comments said the affirmation language needs revision because
maintaining perfect scores is not possible and asking individuals to
affirm continuous compliance is unreasonable. One commenter voiced
apprehension that signing the affirmation statement would make a person
criminally liable under the False Claims Act, due to the need for
system maintenance to fix things that break. One commenter expressed
concern that continuous monitoring by contractors increases cost and
burden to stay in compliance and opens companies up to False Claims Act
liabilities. One of these commenters recommended DoD rely on
representation and self-assessment in lieu of affirmations to indicate
that the offeror meets the requirements of the CMMC level required by
the solicitation. Two commenters requested clarification on what
affirmation entails. Another commenter requested modification to
clarify that the Affirming Official will attest only that the
requirements are implemented as of the certification date, or proposal
submission date, and requested removal of affirmation references to
continuous compliance.
Two commenters urged the Department to align the annual affirmation
timeline with the 3-year assessment timeline to ensure consistency and
reduce potential False Claims Act liability. One commenter also
incorrectly believed a prime contractor affirmation would be made on
behalf of its entire supply chain.
Another commenter asked DoD to clarify that an organization may
obtain from C3PAOs a limited review of changes made since the last
assessment in support of required affirmations and noted that the DoD
or CMMC AB may wish to clarify what supporting evidence is required for
annual affirmations. Additionally, the commenter recommended that DoD
reconsider the requirements for CMMC Level 1 since these are covered by
System for Award Management (SAM).
One commenter asked, in reference to POA&M closeout affirmations,
if there was no longer an expectation that a C3PAO will confirm the
close out of a POA&M. One commenter provided a recommendation to
include an executive summary in the affirmation that includes POA&M
related metrics as an indicator of an OSA's effective O&M, security,
and continuous monitoring activities.
Response: As described in Sec. 170.22(a)(2)(ii), the CMMC
affirmation shall include a statement to the effect that the OSA has
implemented and will maintain implementation ``within the relevant
assessment scope'', which adequately addresses the commenter's
suggestion. No change to the rule text was therefore required. Annual
affirmations ensure OSAs conduct periodic checks and verify to the
Department that changes to their networks have not taken them out of
compliance during the certification period. The annual affirmation
requirement enables DoD to permit 3 years between CMMC Level 2 or 3
assessments, rather than requiring annual assessments. The DoD does not
agree with the comment that following the procedures in Sec. 170.22
creates an additional burden. The DoD does not concur with removing the
terms ``continuing'' or ``continuous'' as it relates to an OSA's
affirmation. Continuing compliance means that the contractor system in
question remains in compliance and that the OSA intends to maintain
compliance over time, not that the OSA cannot have an operational plan
of action. Any changes to the information system beyond use of
operational plans of action require a new assessment and a new
affirmation. Operational plans of action as described in CA.L2-3.12.2
are part of normal maintenance of a system and do not require a separate
out-of-cycle affirmation.
[[Page 83146]]
The DoD declines to address specific cases when
affirmations are not required. DoD's use of the term OSA within the
affirmations section is deliberate and conveys that each organization
is responsible for affirmations pertaining to their own assessments. An
Affirming Official definition was added to the rule and provides that
clarification.
The rule delineates which requirements may be addressed with a
POA&M for up to 180 days to achieve Final CMMC Status. As stated in
Sec. 170.22, an Affirming Official attests the organization is
satisfying and will maintain its specified cybersecurity requirements.
An OSA may complete a self-assessment and submit a new affirmation at
any time. POA&Ms associated with conditional assessments are closed out
by C3PAOs for Level 2 final certification assessments and by DCMA
DIBCAC for Level 3 final certification assessments. OSAs must affirm
results in SPRS for all assessments.
If an OSA makes significant changes within the CMMC Assessment
Scope, a new assessment and affirmation are required. The rule does not
preclude OSAs from contacting a C3PAO for a review prior to an annual
affirmation; however, this is not required. No supporting evidence is
required for an annual affirmation. Annual representations and
certifications submitted in the System for Award Management (SAM) serve
a different purpose from the CMMC affirmation requirement completed in
SPRS. Furthermore, given the sensitivity of an OSA's cybersecurity
status, the DoD has elected not to use SAM, a public website.
Details for completion of the annual affirmation, including wording
of the affirmation statement, are addressed in the 48 CFR part 204 CMMC
Acquisition rule. The affirmation signifies the requirements were
implemented as of the date of the self-assessment or certification, and
that the OSA has and intends to maintain the system as assessed. The
DoD declines to require the use of an executive summary or the
publication of metrics in the affirmation statement as part of the
affirmation because that is not consistent with the purpose of the
affirmation requirement.
Regarding the alignment of assessments and affirmation timelines,
the DoD declines to adopt recommended changes which would allow up to 3
years to elapse before DIB companies would be required to assess the
status of their cybersecurity compliance.
25. CMMC Acceptance of Alternate Standards
a. CMMC and Other Agency Standards or Acceptance of CMMC Assessments
Comment: Several commenters asked for additional detail about Sec.
170.20 Standards Acceptance. One commenter described discussions from
various DoD industry engagements and suggested the rule is inconsistent
with information provided at those information exchange events.
Some commenters observed the rule does not describe DoD efforts to
coordinate with other agencies regarding any additional cybersecurity
requirements they choose to implement, which could conflict or add
burden for companies that must also comply with CMMC requirements. One
comment suggested implementing the CMMC program government-wide. An
industry association submitted several comments regarding perceived
duplication between this rule and cybersecurity requirements of other
Federal agencies and foreign governments. They also recommended the DoD
modify the rule to reflect other agency standards, such as TSA and CISA
security directives requiring cyber incident reporting for natural gas
utilities.
Several commenters thought the rule did not adequately explain
potential portability of CMMC assessments, referring to whether other
agencies might recognize CMMC compliance as meeting or partially
meeting their requirements. One specifically suggested CMMC
affirmations could be accepted as evidence of compliance with any
similar cybersecurity requirements other agencies may implement. One
comment suggested that by assessing compliance of all applicable
security requirements, the CMMC program will impede efforts to
establish DoD information sharing agreements with other non-DoD
organizations, including other agencies and foreign governments.
Response: Some comments received lacked relevance to the rule's
content, which is limited to specific CMMC Program requirements. The
DoD declines to respond to speculative or editorial comments about
private citizens or entities, which are not within the scope of
this rule.
Similar data security requirements are already applied to
contractors across all Federal agencies, due to the applicability of
FAR clause 52.204-21, and 32 CFR part 2002. All executive agencies are
required to comply with the same standards for protection of FCI and
CUI in those regulations. Once attained, a current CMMC certification
may be presented for consideration by any entity (including other
government agencies) as an indicator that the security requirements
associated with the certificate level (e.g., CMMC Level 2) have in fact
been implemented.
CMMC Program requirements are designed to ensure compliance with
existing standards for protection of FCI and CUI and align directly to
NIST guidelines (e.g., NIST SP 800-171 R2) and the basic safeguarding
requirements of FAR clause 52.204-21 that apply to all executive
agencies. Regulations issued by any executive agency must be aligned to
these overarching requirements, therefore CMMC Program requirements
will not conflict with any FCI or CUI safeguarding regulations that may
be issued by other agencies as cited by the commenter. All executive
agencies are permitted to submit and review comments as part of the
formal rulemaking process, and additional coordination is not required.
This rule provides a consistent way of verifying contractors'
compliance with the referenced FAR and NIST requirements, in addition
to those from NIST SP 800-172 Feb2021 where applicable.
b. Requests To Recognize Alternate Standards
Comment: Several commenters requested the rule be modified to
accept or recognize alternate standards for the purpose of meeting CMMC
assessment requirements. Some small to medium businesses recommended
acceptance of healthcare relevant standards or other recognized
certification frameworks as a substitute for CMMC and FedRAMP
Equivalency.
Another comment cited verbiage in DFARS clause 252.204-7012
that references DoD CIO approval to ``vary'' from NIST SP 800-171
requirements as rationale for revising the CMMC rule to permit
acceptance of other standards such as the NERC Critical Infrastructure
Protection standards which apply to North America's Bulk Electric
System (BES).
Some comments expressed concern that absent greater acceptance of
the standards required by other agencies, companies complying with CMMC
would be at a competitive disadvantage due to the perceived costs of
complying with CMMC standards. Another comment expressed a similar
concern but cited the need for acceptance of foreign C3PAOs to
effectively scale CMMC to include assessment of foreign OSCs.
[[Page 83147]]
Response: CMMC Program requirements apply to those contractors that
seek to bid for DoD work which requires processing, storing, or
transmitting FCI or CUI in a contractor owned information system.
Section 170.20 addresses Standards Acceptance and delineates the only
existing bases for accepting alternate standards in this rule. The DoD
does not currently have standards acceptance with other Federal
entities in lieu of the CMMC requirement.
DoD's harmonization of requirements with other agencies is achieved
through compliance with NIST standards. DoD's recognition of the
standards of other nations occurs through negotiation of international
arrangements and agreements, which is beyond the scope of this rule.
The CMMC Program has aligned requirements with NIST standards, and many
foreign nations are adopting NIST standards as well. In developing this
rule, the DoD worked with standards bodies, removed unique
requirements, and aligned new requirements directly with NIST SP 800-
171 R2 and select NIST SP 800-172 Feb2021 requirements to reduce and
streamline cybersecurity burden across the industry. CMMC Program
requirements make no change to existing policies for limits on
dissemination of CUI. Comments on information sharing between other
agencies or foreign entities are beyond the scope of this rule. The
requirement to comply with NIST SP 800-171 was mandated in DFARS clause
252.204-7012. Granting alternatives to that standard is beyond the
scope of this rule.
Several foreign or international companies submitted comments
expressing interest in the rule section pertaining to C3PAO
requirements (Sec. 170.9(b)) and correctly noted that this section
does not preclude otherwise qualified foreign companies from achieving
C3PAO accreditation. Note that the DoD does permit C3PAO personnel who
are not eligible to obtain a Tier 3 background investigation to meet
the equivalent of a favorably adjudicated Tier 3 background
investigation. DoD will determine the Tier 3 background investigation
equivalence for use with the CMMC Program only.
c. CMMC Acceptance of Other DIBCAC Assessments
Comment: Some commenters either did not understand or objected to
the fact that standards acceptance requirements for DIBCAC High
Assessments require a score of 110 without POA&Ms. Other comments
requested clarity regarding standards acceptance of DIBCAC High
Assessments at CMMC Levels 2 and 3. One comment inquired about the
programmatic details of DCMA's Joint Surveillance Program.
Another comment expressed concerns over disparities between how
CMMC C3PAOs and DIBCAC assess, given the fact that DIBCAC assessors are
empowered to make risk acceptance decisions on behalf of the
Government, whereas C3PAO assessors are not. One commenter questioned
the use of the NIST SP 800-171 R2 Cybersecurity FAQs as published in
the DoD Procurement Toolbox. Another commenter asked whether C3PAOs
assess for compliance with DFARS clause 252.204-7012, paragraphs (c)
through (g), as DCMA DIBCAC does in their assessments of OSAs. One commenter
suggested that the DIBCAC is not certified to conduct Level 3
assessments and that training requirements for CMMC Level 2 C3PAO
assessors should also apply to DIBCAC assessors, or else Level 3
assessments should be conducted by C3PAOs.
Response: There is qualified standards acceptance between DCMA
DIBCAC High Assessment and CMMC Level 2 Certification Assessment as
described in Sec. 170.20(a). There is no standards acceptance between
DCMA DIBCAC High Assessment and CMMC Level 3. To be eligible for
standards acceptance resulting in a CMMC certification, an OSC must
achieve a perfect 110 score on the Joint Surveillance assessment
without any open POA&Ms at the time of assessment. If the Joint
Surveillance assessment results in POA&M actions, any POA&M must be
closed prior to standards acceptance.
Completion of a prior DCMA DIBCAC High Assessment does not
necessarily indicate the likelihood of a future CMMC Level 3
requirement. DIBCAC High assessments are currently conducted against
the NIST SP 800-171 R2 requirements, whereas the DoD will identify the
need for a CMMC Level 3 assessment when its internal policies indicate
the added protections of NIST SP 800-172 Feb2021 are necessary to
adequately safeguard DoD information.
Acceptance of a small number of DIBCAC High or Joint Surveillance
Program assessments to meet future CMMC Level 2 assessment requirements
will reduce the initial demand for C3PAO assessment. Only those DIBCAC
High Assessments completed prior to the effective date of the rule are
eligible for standards acceptance to meet CMMC Level 2 Certification
requirements. The DoD will enter CMMC Level 2 Certifications into eMASS
for suitable DIBCAC High Assessments, with a validity period of 3 years
from the date of the original High Assessment. A CMMC Final Level 2
certification assessment is entered into eMASS by the C3PAO following a
successful (i.e., perfect score with no POA&Ms) joint surveillance
assessment against NIST SP 800-171 R2. It is not the result of a CMMC
Level 3 assessment but can be provided as evidence that an OSC is ready
to initiate a CMMC Level 3 assessment.
Although Joint Surveillance is listed as standards acceptance in
Sec. 170.20(a)(1), the details of this DCMA program and any changes to it
are beyond the scope of this rule. A Joint Surveillance assessment is a DCMA
DIBCAC assessment and falls under its purview. The CMMC office
understands that there is disparity between what is assessed by a C3PAO
and the DIBCAC and that the guidance information in the DoD Procurement
Toolbox is the driving factor. Since the Procurement Toolbox is outside
of the scope of the 32 CFR part 170 CMMC Program rule, it cannot be
properly addressed here or in the rule. With CMMC the DoD utilizes a
risk-based approach in its allowance for POA&Ms, gradient scoring for
certain controls (e.g., FIPS and MFA), temporary deficiencies, and
enduring exceptions.
DCMA DIBCAC assessors are trained and qualified to conduct
assessment against NIST SP 800-171 R2 for the DoD. DoD determined that
C3PAOs conducting assessments on other C3PAOs introduced a significant
conflict of interest. Given the sensitivity of the programs requiring
Level 3 assessments, the DoD determined that those assessments must be
completed by a DoD entity. The DoD declines to respond to speculative
or editorial comments regarding DCMA DIBCAC assessments.
The CMMC model (Sec. 170.14) only incorporates requirements from
FAR clause 52.204-21, NIST SP 800-171 R2, and NIST SP 800-172 Feb2021.
C3PAOs are only responsible for assessing the requirements of Sec.
170.17. DCMA DIBCAC operates under different authorities and can
address all the requirements of DFARS clause 252.204-7012.
d. Validity Period for Standards Acceptance
Comment: Two comments asked how SPRS would be updated to reflect
CMMC Level 2 certification when based on standards acceptance. One
asked whether that update would be automatic. One comment asked whether
CMMC standards acceptance for DIBCAC joint surveillance assessments
would result in certifications being issued to the OSA by the C3PAO or
by DIBCAC.
[[Page 83148]]
Some comments, including those from three industry associations,
objected to the start date for the 3-year validity of CMMC
certification based on standards acceptance of prior DIBCAC
assessments. Those comments requested the validity period begin with
the effective date of the 32 CFR part 170 CMMC Program rule. Along
these lines, another commenter asked whether C3PAOs may certify an OSA
based on evidence of a perfect 110-scored DIBCAC High Assessment. One
comment requested a 1-year extension of the validity period to 4 years.
Response: The DoD has considered the recommendation to modify the
validity period for certifications resulting from standards acceptance
and declines to revise the rule text. It is important that contractors
maintain security compliance for systems that process, store, or
transmit DoD CUI. Given the evolving cybersecurity threat, DoD's best
interests are served by ensuring that CMMC Level 2 assessments remain
valid for no longer than a 3-year period, regardless of who performs
the assessment.
A C3PAO may not simply read the DIBCAC assessment score in SPRS and
grant a completed CMMC Level 2 certification assessment. C3PAOs may
only submit certification assessment results based on having conducted
a certification assessment. An OSA is free to seek a C3PAO
certification assessment, but this would be unnecessary, because a
valid DIBCAC High assessment with a 110 score will automatically be
converted in SPRS to reflect a CMMC Final Level 2 certification
assessment provided all requirements of Sec. 170.20(a)(1) are met. A
DIBCAC High assessment conducted after the rule is effective is not
eligible for standards acceptance.
26. CMMC Requirements and International Entities
a. Applicability to International Entities
Comment: Several public commenters asked whether and how the CMMC
rule content would apply to foreign-based or international companies,
either as companies seeking to comply with assessment requirements or
as companies seeking to participate in the CMMC Ecosystem.
Some questions asked for interpretation of requirements for
specific scenarios, such as how CMMC requirements might affect Status
of Forces Agreements for DoD installations overseas. Others asked about
application of flow-down requirements to foreign subcontractors,
including in circumstances when DFARS clauses do not apply or when
international agreements supersede application of DFARS clause 252.204-
7012. A few comments asked how foreign or multinational corporations
with facilities abroad can attain CAGE codes, access SPRS, or meet
other aspects of CMMC requirements. Some asserted that specific systems
contractors need to access, such as SPRS and PIEE, are not designed to
accommodate foreign address formats and requested modifications or
alternative options to facilitate submission of CMMC affirmations. One
commenter suggested that assessment of foreign contractor information
systems should only be conducted by the host country, and asked whether
foreign contractors should be partially exempted from CMMC
requirements.
Response: CMMC Program requirements are applicable when DoD
requires processing, storing, or transmitting of either FCI or CUI
during performance of a DoD contract. CMMC Program requirements would
not apply to a DoD Installation's communication with a Host Nation
government on matters related to the Installation. CMMC program
requirements apply to all DoD contractors alike when contract
performance will require processing, storing, or transmitting of FCI or
CUI on contractor-owned information systems. This 32 CFR part 170 CMMC
Program rule does not permit partial exemption of assessment
requirements for foreign contractors. Any discussion of exemptions or
deviations for foreign businesses is outside the scope of the 32 CFR
part 170 CMMC Program rule and must be addressed through government-to-
government international arrangements or agreements. Pathways and
timelines for achieving these agreements are outside the scope of this
rule.
CMMC requirements apply to both domestic and international primes
and flow down to subcontractors throughout the supply chain if their
information systems process, store, or transmit FCI or CUI. CMMC
requirements are based upon the type of information processed and
shared, regardless of where the company is headquartered or operates.
Certification requirements for subcontractors are addressed in Sec.
170.23(a)(1) through (4). For additional information about flow-down of
contractual requirements, see the 48 CFR part 204 CMMC Acquisition
rule. The CMMC process is the same for international and domestic
contractors and subcontractors. International subcontractors must
undergo a CMMC assessment at the appropriate level to demonstrate
compliance with NIST SP 800-171 R2 requirements. All OSAs must register
in https://sam.gov, which has instructions for obtaining applicable
CAGE or NATO CAGE codes (NCAGE codes).
Address data is not a required SPRS data input for CMMC purposes.
Contractor address information is required to obtain a CAGE code that,
along with a Unique Entity ID, is required to register in SAM. SPRS
currently receives assessment information from domestic and
international entities. International organizations get CAGE codes in
the same manner that U.S. organizations do, including in some instances
NCAGE codes. CAGE codes are required for a contractor to register for a
user account in Procurement Integrated Enterprise Environment (PIEE)
that provides contractors access to SPRS and other applications as
necessary for DoD contracts.
b. International Agreements
Comment: Several commenters asked about procedures for establishing
recognition of other nations' cybersecurity standards or assessment
programs as acceptable alternatives to CMMC program requirements.
Another commenter noted the rule provides no explicit recognition of
existing agreements between the DoD and other nations related to
information sharing and defense procurement. They and other commenters
asked that the rule identify a specific process for reaching agreements
related to CMMC program requirements. Some of these commenters
identified specific foreign cybersecurity programs and requested that
the DoD work toward reciprocal recognition of their underlying
standards. One of these commenters requested that DoD identify
timelines for establishing bilateral agreements.
In particular, the Canadian counterpart for the CMMC program
expressed concern that Canadian companies could be disadvantaged in
seeking CMMC certification and requested the DoD consider establishing
a unified accreditation body for Canadian and US C3PAOs.
Response: While the rule does address application to foreign
contractors and ecosystem participants throughout, these requirements
may be superseded by the terms and conditions of applicable
international arrangements or agreements.
[[Page 83149]]
CMMC validates cybersecurity requirements, as defined in FAR clause
52.204-21, NIST SP 800-171 R2, and a selected subset of NIST SP 800-172
Feb2021, where applicable. These cybersecurity requirements apply to
international and domestic companies when included in a DoD contract.
The Department cannot speculate about the arrangements of any
international agreement and how it may or may not impact international
partners, as these arrangements are beyond the scope of this 32 CFR
part 170 CMMC Program rule.
The DoD has designed CMMC Program requirements to apply to those
contractors that bid for DoD work which will require access to process,
store, or transmit FCI or CUI in a contractor owned information system.
A CMMC certification assessment is portable in the sense that it
provides confidence that the holder has been assessed by an authorized
third party for compliance with the applicable security standards
(e.g., NIST SP 800-171 R2 or NIST SP 800-172 Feb2021). Once attained,
CMMC certification assessment status may be presented for consideration
by any entity as an indicator that they have implemented security
requirements associated with the certificate level (e.g., NIST SP
800-171 R2 or NIST SP 800-172 Feb2021). Section 170.20 delineates the only
existing bases for accepting alternate standards in this rule. It is
beyond the scope of this rule to provide a specific set of directions
or guidance on recognition for alternate cybersecurity standards.
Deviations from DFARS clauses are also beyond the scope of this rule.
Section 170.20 has been modified to state that an OSC with a
perfect score from a prior DCMA DIBCAC High Assessment aligned with the
same CMMC Level 2 Scoping may meet CMMC Final Level 2 certification
assessment requirements via acceptance of the prior DIBCAC assessment
in lieu of a C3PAO assessment. Standards Acceptance does not refer to
international standards acceptance, which is not described within the
rule.
c. C3PAO, CCP, and CCA Requirements
Comment: In addition to the interest in international agreements,
some commenters expressed concern about CMMC ecosystem capacity to meet
demand for Level 2 certification. They advocated support for
accreditation of non-U.S.-based C3PAOs. One commenter suggested that
FOCI requirements be deleted from the rule and managed via DoD's
oversight of the CMMC AB. One commenter speculated the phased CMMC
implementation plan would require all non-U.S. firms to comply
simultaneously and recommended that foreign contractors be allowed
additional time to comply. Another recommended that foreign companies
be permitted to simply self-assess in lieu of obtaining a CMMC Level 2
certification assessment.
Several commenters asked about foreign nationals participating in
the CMMC ecosystem and noted discrepancies between qualifications
identified in the rule and content on the CMMC AB's website at the time
of rule publication. These commenters expressed interest in the ability
for foreign citizens to become CCAs, CCPs, and LTPs (a term no longer
used in the rule).
One commenter presumed that only U.S.-based Cloud Service Providers
(CSPs) may become FedRAMP authorized, and asserted a need to authorize
or accredit foreign-based CSPs that foreign DIB contractors might use
while still achieving CMMC compliance. Another asked how foreign small
businesses can comply with CMMC without access to U.S. approved CSPs.
One commenter asked for guidance on how to get foreign products and
services, such as encryption and decryption mechanisms, approved for
use in information systems that require CMMC assessment. One commenter
suggested that the CMMC program permit assessment by C3PAOs and
assessors accredited in accordance with other ISO/IEC standards than
those identified in this rule. They cited ISO/IEC 27001 or 9901 as
suitable alternate ISO/IEC standards.
Response: The DoD declines to delay CMMC Program implementation for
non-U.S. organizations. International businesses will not receive
special accommodations because the CMMC Program's phased implementation
will impact both U.S. and non-U.S. defense contractors equally. The
implementation plan described in the rule does not promote or
prioritize certification assessments of any contractor over any other
contractor. All companies, regardless of location or nationality, will
have access to any authorized C3PAO. The rule does not preclude non-
U.S. citizens or foreign-owned C3PAOs from operating in the U.S.
Additionally, U.S. owned C3PAOs may operate in a foreign nation.
As stated in the rule, C3PAOs must meet the criteria in Sec.
170.9. Non-U.S. organizations and employees that meet all the
requirements in Sec. Sec. 170.9 and 170.11 will not be prohibited from
operating as a C3PAO within the U.S. or abroad. A list of authorized
C3PAOs is available on the current CMMC AB marketplace. DoD does not
concur with the recommendation to delete Sec. 170.9(b)(5) content
identifying FOCI requirements. Those details for complying with FOCI
are necessary for understanding the requirement.
Some commenters noted differences between the rule content and
information on the CMMC AB website. The CMMC AB is part of the public
and had no access to advance information prior to publication of the
proposed rule. The rule takes precedence in the event of any
discrepancy with CMMC AB materials.
The document `Career Pathway Certified Assessor 612', dated 2020,
has been replaced by a regularly updated DoD Cyberspace Workforce
Framework which may be found at https://public.cyber.mil/dcwf-work-role/security-control-assessor/.
Intermediate and Advanced Foundational Qualification Options in the DoD
Cyberspace Workforce Framework's Security Control Assessor (612) Work
Role are available to foreign nationals. The rule has been updated to
reflect this reference update.
A domestic or international business seeking a contract that
contains DFARS clause 252.204-7012, and using a cloud service provider
to process, store, or transmit covered defense information in
performance of that DoD contract, must ensure that the CSP meets
FedRAMP authorization or equivalency requirements. As the FedRAMP
program and FedRAMP equivalency are available to international
organizations, foreign entities do not need to develop their own
FedRAMP program. FedRAMP authorization or equivalency is also available
to small businesses. The DoD leverages the FedRAMP program to implement
requirements for the adoption of secure cloud services across the
Federal Government and provide a standardized approach to security and
risk assessment for cloud technologies. Export controlled goods and
ITAR are outside the scope of the 32 CFR part 170 CMMC Program rule.
The process for identifying specific products or services that may
meet NIST security requirements is beyond the scope of this rule. CMMC
program requirements are unrelated to evaluation or approval of
encryption or decryption products manufactured by foreign information
security companies.
DoD considered many alternatives before deciding upon the current
CMMC structure. Alternative methods of assessment have proven
inadequate and necessitated the establishment of CMMC. DoD declines to
accept the recommendation of an alternate path to C3PAO accreditation.
[[Page 83150]]
27. Impact to Small Businesses
a. Funding the CMMC Program
Comment: One comment asserted that the rule does not address CMMC
program funding, affordability, and sustainability. They recommended
the DoD conduct and publish a comprehensive cost assessment for each
level of CMMC certification and explore ways to reduce the financial
burden on contractors.
Response: DoD included an analysis of costs to meet CMMC
requirements in the regulatory impact analysis for this rule.
As described in the estimate included with the rule, the major cost
categories for compliance with CMMC requirements are anticipated to
include costs for completing a self-assessment (e.g., Level 1 or 2);
costs to prepare for and undergo C3PAO assessment (Level 2); costs
required to implement the Level 3 security requirements and for
preparing to undergo DCMA DIBCAC assessment (Level 3). All of these
except the market costs of a C3PAO are controlled by the organization
seeking assessment. Market forces of supply and demand will determine
C3PAO pricing for CMMC Level 2 certification assessments.
Analysis of costs to meet CMMC requirements is provided in the
regulatory impact analysis for this rule. The CMMC rule does not make
any change to cost allowability as defined in the FAR 31.201-2
Determining Allowability. Verifying compliance with applicable security
requirements may increase cost and is necessary for the protection of
DoD CUI. With the revised CMMC, the DoD has streamlined requirements to
align directly to NIST guidelines and has eliminated unique security
practices to ease the burden on smaller companies. DoD must enforce
CMMC requirements uniformly across the Defense Industrial Base for all
contractors and subcontractors who process, store, or transmit CUI. The
value of information (and impact of its loss) does not diminish when
the information moves to contractors and subcontractors. The DoD
declines to speculate about how OSCs and C3PAOs negotiate mutually
acceptable terms and conditions for assessment agreements. The DoD
declined to modify the estimates, which are intended to be
representative and to inform rulemaking.
b. Disproportionate Cost Burden
Comment: Many comments emphasized the importance of small business
to the DoD contracting environment and expressed the concern that
increased cost burden on small companies will result in an anti-
competitive barrier to entry. Specifically, commenters state the lack
of in-house security resources, inability to amortize costs, upfront
costs to comply with CMMC Level 1 and 2 without guaranteed contracts,
keeping pace with requirements changes, paying market rates for C3PAO
assessments, and obtaining ``perfect'' compliance with requirement or
assessment objectives may not be affordable or may cause unacceptable
enterprise disruption. One comment asserted that the DoD is not
considering additional costs to small- and medium-sized businesses
(SMBs) for ongoing compliance. One comment stated the cost of entry for
a new SMB may be insurmountable even with cost recovery. One comment
suggested ``right-sizing'' CMMC by tailoring security requirements
based on business size and number of employees. Additionally, one
comment asserted that small businesses would be unfairly punished while
large, legacy primes would lobby and get waivers.
Two comments noted that CMMC will increase costs, perhaps doubling
annual IT and security spending, ultimately passing the cost to
customers, the government, and the taxpayer, and asked how the DoD plans
to deal with price increases from subcontractors and primes. One
comment suggested the DoD pay contractor employees to learn cyber
defense rather than pay auditor assessment costs.
Response: The DoD concurs with commenters' assessment of the
importance of small businesses to the DoD. The DoD has streamlined CMMC
requirements to align directly to NIST guidelines and has eliminated
unique security practices to ease the burden on smaller companies. In
recognition of the cyber threat both to DoD and to the DIB, CMMC
Program requirements are designed to ensure compliance with existing
standards for protection of FCI and CUI. These cybersecurity
requirements align directly to NIST guidelines (i.e., NIST SP 800-171
R2 and NIST SP 800-172 Feb2021) and the basic safeguarding requirements
(FAR clause 52.204-21) that apply to all executive agencies.
The analysis of costs to meet CMMC Level 1 and 2 requirements is
provided in the Regulatory Impact Analysis published with this rule.
Note that certification is never required for CMMC Level 1, which is a
self-assessment requirement. CMMC Level 2 may either be met via self-
assessment, or via certification following a C3PAO assessment,
depending on the specific requirement cited in the solicitation. Some
comments appeared to reference costs to meet the requirements of
existing DFARS clause 252.204-7012. Please refer to 81 FR 72990,
October 21, 2016, for DoD's final rule implementing the DoD's
requirement that ``contractors shall implement NIST SP 800-171 as soon
as practical, but not later than December 31, 2017.''
The cost estimates for SMBs represent average derived estimates
based on internal expertise and public feedback in accordance with OMB
Circular A-4. The size and complexity of the network within scope of
the assessment impacts the estimates as well.
The DoD has streamlined CMMC requirements to align directly to NIST
guidelines and has eliminated unique security practices to ease the
burden on smaller companies. In addition, CMMC Level 1 and select CMMC
Level 2 requirements are now met via self-assessment, which reduces
burden to small businesses.
The CMMC program incorporates flexibility with the use of self-
assessment, POA&Ms, and waivers. Since December 2017, DFARS clause
252.204-7012 has required contractors to implement the NIST SP 800-171
security requirements to provide adequate security applicable for
processing, storing, or transmitting CUI in support of the performance
of a DoD contract. OSAs that are currently attesting that they meet
DFARS clause 252.204-7012 should not have difficulty successfully
achieving a Level 2 self-assessment.
Some comments received lacked relevance to the rule's content,
which is limited to specific CMMC Program requirements. The DoD
declines to address speculation about lobbying activities. Verifying
compliance with applicable security requirements may increase financial
cost to the DoD due to increased contract costs but it is necessary for
the protection of DoD CUI. The cost of lost technological advantage
over potential adversaries is greater than the costs of such
enforcement. The value of information (and impact of its loss) does not
diminish when the information moves to contractors.
The trade-off is between protecting sensitive information from our
nation's adversaries and accepting the fact that security costs
increase for numerous reasons. Many of those cost-drivers are
completely independent of CMMC. While CMMC compliance adds to an
organization's cost, no member of the DIB can assume the status-quo in
today's ever-changing cyber security environment. Increasing costs to
protect the nation's data and industries from
[[Page 83151]]
emerging threats is simply a component of doing business anywhere in
the world. Processing, storing, or transmitting sensitive Government
information comes with a handling cost that needs to be built into each
organization's business model.
Some comments included suggestions about how workflow should occur
between prime and subcontractors to decrease or eliminate the transfer
of CUI to subcontractors. The DoD cannot dictate these business
practices but encourages prime contractors to work with their
subcontractors to flow down CUI with the required security and the
least burden. Questions regarding what to mark as CUI are out of scope
of this rule. At the time of award, the DoD may have no visibility into
whether the awardee will choose to further disseminate DoD's CUI, but
DFARS clause 252.204-7012 and DFARS clause 252.204-7021 require the
prime contractor to flow down the information security requirement
to any subcontractor with which the CUI will be shared. Decisions
regarding which DoD information must be shared to support completion of
which subcontractor tasks take place between the prime contractor and
the subcontractors chosen to complete the specific tasks.
c. Phasing the Cost To Comply
Comment: Two comments suggested a phased compliance would help
offset financial burden while working toward full compliance. One
comment expressed concern that Managed Service Providers (MSPs), many
of which are small businesses, will not have time to achieve Level 2
certification before their OSA and OSC customers need them to be
certified and recommended extending the phased timeline.
Several comments stated that recouping compliance costs could take
years, forcing SMBs into financial debt, contract termination, and
exclusion from the market for DoD contracts. One commenter expressed
concern about implementation of CMMC as a condition of contract award
and the implication that compliance costs are incurred prior to
receiving a DoD contract.
Response: DoD declined to implement a small entity specific
``phased compliance''. Since December 2017, DFARS clause 252.204-7012
has required contractors to implement the NIST SP 800-171 security
requirements to provide adequate security applicable for processing,
storing, or transmitting CUI in support of the performance of a DoD
contract.
DoD received numerous comments about the use of ESPs, including
MSPs, which do not process, store, or transmit CUI. In response to
comments, the DoD has reduced the assessment burden on External Service
Providers (ESPs). ESP assessment, certification, and authorization
requirements in Sec. Sec. 170.19(c)(2) and (d)(2) have been
updated. ESPs that are not CSPs and do NOT process, store, or transmit
CUI, do not require CMMC assessment or certification. Services provided
by an ESP are in the OSA's assessment scope.
CMMC has taken several steps to keep the cost of compliance with
the rule commensurate with the risk to the DoD's information. Level 1
only requires self-assessment, and many contracts with CUI will only
require a Level 2 self-assessment. Companies that currently attest that
they meet DFARS clause 252.204-7012 should not have difficulty
completing a Level 2 self-assessment. In accordance with the rulemaking
process, this rule was reviewed by both DoD cost analysts and OMB
economists for realism and completeness.
This is a 32 CFR part 170 CMMC Program rule, not an acquisition
rule. The 48 CFR part 204 CMMC Acquisition rule will address
implementation of CMMC as it pertains to DoD contracts.
d. Detailed Cost Analysis
Comment: A few comments suggested a detailed cost analysis should
consider SMBs of various sizes, types, and challenges to ensure
compliance is sustainable. One comment asked whether a profit margin
analysis was performed, while another asserted that other third-party
assessments are less expensive than the estimates for CMMC assessment.
Another stated CMMC Level 3 cost estimates are too low and suggested
using costs associated with SECRET-level networks for calculation.
Response: The DoD provided an analysis of costs to meet CMMC Level
1 and 2 requirements in the regulatory impact analysis for this rule.
The cost estimates provided for this rule represent average costs for
companies to comply with CMMC requirements, including the need for
self-assessment or independent assessment against the specified
standards. Comparing costs with other third-party security audits
presumes that the security and assessment requirements are identical,
and DoD disagrees with that assumption.
The DoD declined to produce another cost estimate for CMMC
assessment and certification. As required by the Rulemaking Guidance,
the DoD provided cost estimates and impact analyses in the proposed
rule. The analysis included estimated costs for each level and type of
assessment or certification for different sized contractor businesses.
The cost estimates did not include an analysis of profit margins, which
is not required. This rule also does not provide the cost analysis for
all actions, personnel, and security measures required to protect CUI
information, data, systems, and technical products through the life
cycle of the work and data generated. The cost estimates represent
derived estimates based on internal expertise and public feedback in
accordance with OMB Circular A-4.
Market forces of supply and demand will determine C3PAO pricing for
CMMC Level 2 certification assessments. The size and complexity of the
network within scope of the assessment impacts the costs as well. CMMC
Level 3 assessments against the NIST SP 800-172 Feb2021 baseline are
performed free of cost by DoD assessors, which reduces the cost of CMMC
Level 3.
The costs associated with a government-owned SECRET-level network
are not relevant to the CMMC Program, which ensures protection of FCI
and CUI.
e. Assistance Programs or Other Relief
Comment: Several commenters proposed that financial assistance,
contract incentives, direct reimbursement of assessment costs (in whole
or in part), and market rate price caps be considered to lessen
financial burden and decrease the entry barrier for SMBs. Several
comments also inquired about DoD SMB grant programs to help SMBs cover
the cost of CMMC Level 2 certification assessments.
Multiple comments suggested DoD provide actionable guidance through
outreach support and assistance along with free or reduced cost
cybersecurity services to SMBs, with two referencing the DoD Office of
Small Business Programs and one the DoD Procurement Toolbox. One
comment, from a large business with SMB suppliers, requested clearer
guidance and support for flow down to sub-tier suppliers and SMB supply
chains.
One comment stated firms who receive a low number of CUI documents
(30 documents in 3 years on 10 computers) do not justify the cost of
becoming CMMC compliant, and added the cost is nearly as much as
protection for classified documents. One commenter suggested NIST SP
800-171 R2 security requirements would not apply to their specific
characteristics, i.e., a very small
[[Page 83152]]
business with minimal internet connectivity, no remote access, no
public access, no mobile devices, no remote work, and no known
cybersecurity issues. The comment asserted that the company posed
minimal risk to CUI and should be excused from adhering to CMMC program
requirements based on cost burden.
One comment proposed eliminating third party assessment costs and
relying only on self-certification to address the cost burdens. One
comment noted that free market pricing and a short supply of C3PAOs
combined with excessive waiting times may result in SMB attrition.
Response: It is not within the scope of this rule to address how
companies recover assessment costs. The CMMC rule makes no change to
the cost allowability parameters described in FAR 31.201-2 Determining
Allowability.
Contractors are required to comply with all terms and conditions of
DoD contracts, to include terms and conditions relating to
cybersecurity protections and assessment requirements, as implemented
by this rule. This holds true when a contract clause is flowed down to
subcontractors.
Several of the commenters' recommendations have potential benefit
for the contractor and sub-contractor communities; however, they are
beyond the scope of the rule. These recommendations included creation
or expansion of:
grants and assistance programs, financial support for small
business, the DoD [Procurement] Toolbox, the DoD Office of Small
Business Programs, contract incentives and free or reduced cost DoD
cybersecurity services.
DoD understands the burden on small business. Nonetheless, DoD must
enforce CMMC requirements uniformly across the Defense Industrial Base
for all contractors who process, store, or transmit CUI. The
requirements necessary to protect a single document are the same as
those to protect many documents; therefore, scaling requirements by the
expected amount of CUI is not a viable approach.
Solicitations for DoD contracts that will involve the processing,
storing, or transmitting of FCI or CUI on any nonfederal system,
regardless of the size or configuration of the nonfederal system, will
specify the required CMMC Level (1, 2 or 3) and assessment type (self-
assessment or independent third-party assessment). That requirement
applies, regardless of the number of computers or components in a
nonfederal information system.
DoD's original implementation of security requirements for adequate
safeguarding of CUI relied upon self-attestation by contractors. Since
that time, the DoD Inspector General and DCMA found that contractors
did not consistently implement mandated system security requirements
for safeguarding CUI and recommended that DoD take steps to assess a
contractor's ability to protect this information.
All contractors or sub-contractors with access to CUI need to be
capable of protecting that information to the standard specified in 32
CFR part 2002. If a small business cannot comply with DFARS clause
252.204-7012 and NIST SP 800-171 R2, then that business should not be
processing, storing, or transmitting CUI. DoD's programs, technological
superiority, and best interests are not served if CUI is not
consistently safeguarded by all who process, store, or transmit it.
28. Perceived Cost of CMMC Program
Comment: Several comments expressed disagreement with assumptions
supporting the cost estimate, namely that implementation costs to
comply with the requirements of FAR clause 52.204-21 and DFARS clause
252.204-7012 predate and are not included as CMMC costs. These comments
assert that the cost of CMMC compliance should include those costs, and
therefore dwarfs the cost of CMMC certification. They further assert
that DoD's position does not account for those contractors who have
only recently joined the DIB marketplace or those that aspire to do so.
The concern expressed in the comments is that the cost of standing up
an infrastructure to achieve and maintain DoD cybersecurity
requirements regarding the protection of FCI and CUI, combined with
CMMC assessment costs, is prohibitive and will create a lack of diverse
suppliers.
Two commenters asserted the CMMC Program expanded application of
DFARS clause 252.204-7012 requirements due to a perceived extension of
those requirements to additional organizations, such as External
Service Providers (ESPs). One of the commenters further speculated that
CMMC requirements may decrease the availability of ESPs that are
available and suitable to support DIB members as needed to comply with
CMMC requirements. Another commenter stated that this scope expansion
increases direct implementation and compliance costs above and beyond
the CMMC Program's estimated assessment costs. The comment cites the
introduction of the terms ``Security Protection Assets'' and ``Security
Protection Data'' as extending applicability of those requirements and
incurring the additional direct implementation and compliance costs.
Lastly, the comment notes these changes will drive costs to ``rip and
replace'' existing tools and likely purchase more expensive FedRAMP or
CMMC-certified tools.
One comment indicated that, while compliance with NIST SP 800-171
was required by December 31, 2017, compliance with NIST SP 800-171A
Jun2018 increases requirements and cost because NIST SP 800-171A
Jun2018 emphasizes process and documentation in addition to the intent
of the security requirement.
Two comments pointed out that some contractors may need to
accelerate remediation efforts and close out POA&Ms under existing DoD
contracts that are subject to DFARS clause 252.204-7012 to meet CMMC
requirements. These comments requested that since these contractors
will now be faced with accelerating close-out of their POA&Ms, which
will incur additional costs, that DoD account for those costs in the
estimate and potentially allow for recovery of those costs.
One comment asserts that CMMC assessment failures, remediation
implementation, and subsequent reassessments will be very costly in
both time and money.
Response: 81 FR 72990, October 21, 2016 implemented the DoD's
requirement that ``contractors shall implement NIST SP 800-171 as soon
as practical, but not later than December 31, 2017.'' Public comments
related to costs for implementation were published with that final
rule, along with DoD's responses. CMMC cost estimates are derived
estimates based on internal expertise and public feedback in accordance
with OMB Circular A-4 and are representative of average assessment
efforts, not actual prices of C3PAO services available in the
marketplace. Market forces of supply and demand will determine C3PAO
pricing for CMMC Level 2 certification assessments and how C3PAOs
choose to distinguish their service offerings from other C3PAOs,
including the timely availability of an assessment team, or re-
assessments after an assessment failure. The size and complexity of the
network within the scope of the assessment impacts the costs as well.
The DoD declines to speculate about how OSCs and C3PAOs negotiate
mutually
[[Page 83153]]
acceptable terms and conditions for assessment agreements.
OSA implementation of the requirements of FAR clause 52.204-21 and
DFARS clause 252.204-7012 long predates CMMC and is not included in
CMMC cost estimates, since those requirements are not driven by or
attributable to CMMC, even for new or aspiring defense contractors, and
have been in force since 2017 on DoD contracts that include the
processing, storing, or transmitting of FCI or CUI in the performance
of a DoD contract. The DoD has taken measures to make a self-assessment
as straightforward as possible and provided guidance to mitigate any
variance in assessment scores. Additionally, the DoD has streamlined
CMMC requirements to align directly to NIST guidelines and has
eliminated unique security practices to ease the burden on smaller
companies. DoD must enforce CMMC requirements uniformly across the
Defense Industrial Base for all contractors and subcontractors who
process, store, or transmit CUI. Creation of grants and assistance
programs is beyond the scope of this rule. DFARS clause 252.204-7012
requires protection of security protection assets and security
protection data. Section 1.1 of NIST SP 800-171 R2 states: ``The
requirements apply only to components of nonfederal systems that
process, store, or transmit CUI, or that provide security protection
for such components.'' There is therefore no increase in the scope as
described in the rule.
Security protection data requires protection commensurate with the
CUI it protects and is based on how and where the security protection
data is stored. The FedRAMP requirements for handling security
protection data are therefore the same as those for handling CUI. Any
impact to the cost of serving Government customers across the DoD is
beyond the scope of this rule.
As NIST states in NIST SP 800-171A Jun2018, ``The assessment
procedures are flexible and can be customized to the needs of the
organizations and the assessors conducting the assessments. Security
assessments can be conducted as self-assessments; independent, third-
party assessments; or government-sponsored assessments and can be
applied with various degrees of rigor, based on customer-defined depth
and coverage attributes.'' CMMC Program requirements are designed to
ensure compliance with existing standards for protection of FCI and CUI
and align directly to NIST guidelines (i.e., NIST SP 800-171 R2 and
NIST SP 800-172 Feb2021) and the basic safeguarding requirements (of
FAR clause 52.204-21) that apply to all executive agencies. The rule
accounts for costs associated with assessment via NIST SP 800-171A
Jun2018.
Within the limitations of section Sec. 170.21 Plan of Action and
Milestones Requirements, offerors may bid on a contract while
continuing to work towards full CMMC compliance. DoD rejects the notion
that organizations must ``accelerate'' to meet a requirement in place
since 2017. DoD did not intend nor expect that POA&Ms would remain
open-ended and unimplemented for years.
The DoD provided an analysis of costs to meet CMMC Level 1 and 2
requirements in the regulatory impact analysis for this rule.
Certification is never required for CMMC Level 1, which is a self-
assessment requirement. CMMC Level 2 may either be met via self-
assessment, or via a C3PAO assessment, depending on the specific
requirement cited in the solicitation. It is not within the scope of
this rule to address the way companies recover assessment costs.
Verifying compliance with applicable security requirements may
increase cost and is necessary for the protection of DoD FCI and CUI.
The cost of lost technological advantage over potential adversaries is
greater than the costs of such enforcement.
29. CMMC Benefits and Cost Estimates
a. Cost Estimate Assumptions
Comment: Some comments proposed the DoD directly assume the costs
for industrial base compliance, increase contract award prices, offer
grants and loans, or provide tax credits to offset the costs associated
with compliance. One asked for clarification regarding allowable versus
unallowable costs. One comment stated the cost estimate was a good
guesstimate of the total cost to the USG, but the flow down costs and
the price of doing business will be at the Program Office level. The
commenter requested the DoD provide a table of Program Office funding
requirements to aid Program Managers in reflecting CMMC costs in an
Acquisition Strategy and Cost Analysis Requirements Document (CARD).
A few comments asked about the assumptions used to estimate numbers
of assessments by category and stated the labor rates for ESPs and
C3PAOs were too low, and costs associated with small entities were
incorrect. Two comments also suggested the number of hours estimated
for self-assessment are too low, and three questioned the accuracy of
small and medium sized business labor rates and asserted that the
assessment costs for small businesses were not sustainable. One comment
suggested that cost data in existing/past contracts should be used as a
part of CMMC cost analysis and Section H costs should apply to the
current CMMC cost estimate.
One comment claimed it is cost prohibitive for individuals to
obtain a CCP or CCA certification, which will hamper the CMMC Program's
scalability.
One comment requested the government elaborate on how the estimated
417.83 hours per response was derived for table 39, C3PAOs Level 1
Certification and Assessment, in section Sec. 170.17(a). Another
comment asserted that assessments conducted by Defense Technical Risk
Assessment Methodology (DTRAM) assessment teams require more manhours
than are anticipated for CMMC certification assessments.
One comment stated that while DoD included an estimate for annual
senior official affirmations in the Regulatory Impact Analysis, it
assumed a minimal number of hours will be required to complete this
task which may not be adequate to complete a full compliance review.
One comment stated the DoD self-assessment resource allocations for
an ESP for both CMMC Level 1 and Level 2 are estimated 125% to 175% too
low based on the belief that a self-assessment should have more rigor
than a gap analysis. Specifically, the commenter posed questions on
what inputs from potential OSAs were used and identifying the rigor a
Certifying Official would require for attestation. Recommendations
include that the DoD clearly state its assumptions regarding self-
assessment rigor, have OSA legal counsel review assumptions and cost
factors, and identify a representative cross-section of stakeholders to
determine appropriate rigor assumptions for companies' ESPs and
new-to-CMMC self-assessments.
One comment stated that the DoD's assumptions for the level of
effort expressed as Director and staff IT specialist hours are too low.
Although there are continuous monitoring requirements in NIST SP 800-171
R2, those requirements do not invoke the level of effort necessary for
an executive to make an attestation corresponding to the level of
personal risk and corporate liability incurred under the False Claims
Act. The comment asserted that DoD's assumptions failed to account for
the effort needed for an SMB to acquire and manage technical tools,
manage the reaffirmation, or run an enterprise change management effort.
[[Page 83154]]
The comment included several questions regarding the inputs used to
determine lack of ongoing management resource requirements for
reaffirmation, a risk management application, and inputs across the DIB
regarding the level of assurance needed for affirmations to address
liability concerns with the False Claims Act. Another recommendation
suggested the DoD clearly state the degree of rigor an OSA should
assume and revisit the cost assumptions involved to provide the Entity
official with assurance for reaffirmation.
One commenter reviewed the CMMC AB's draft CMMC Assessment Process
(CAP) document and agreed that 120 hours for a C3PAO's three-person
team inclusive of Phases 1, 2 and 3 is appropriate for smaller
companies and should be considered a lower bound for C3PAOs' deployed
resources but suggested the 156 ESP assessment hours should be
decreased.
One comment highlighted the following rule text, ``The total
estimated Public (large and small entities) and Government costs
associated with this rule, calculated in over a 20-year horizon in 2023
dollars at a 7 percent discount rate and a 3 percent discount rate are
provided as follows,'' and asked how an organization could become
eligible for the 7% discount.
One comment proposed DoD remove CMMC Level 1, or defer CMMC Level 1
implementation for several years, since it does not involve CUI. The
comment stated CMMC Level 1 cost estimations and burden of compliance
in the rule were greatly understated, that few companies subject to
this CMMC level have any idea what is expected of them, and most will
struggle with financial, technical, and human resources. Though FAR
clause 52.204-21 is widely used in Federal contracts, it has not been
successfully communicated that NIST SP 800-171A Jun2018 will be used.
The comment concludes stating CMMC Level 1 does not include CUI,
therefore making cost and compliance an excessive demand.
Response: Subsidizing costs for the defense industrial base
compliance is not within the scope of this rule. The rule has taken
several steps to keep the cost of compliance with the rule commensurate
with the risk to the DoD's information. In addition, Level 1 only
requires self-assessment, and many contracts with CUI will only require
a Level 2 self-assessment. Companies that are currently and validly
attesting that they meet DFARS clause 252.204-7012 should not have
difficulty passing a Level 2 self-assessment.
Cost estimates provided in this rule were based on internal
expertise, compliant with OMB Circular A-4, and informed by public
feedback. Certain elements of the estimated costs will be influenced by
market forces of supply and demand, which will determine C3PAO pricing
for CMMC Level 2 certification assessments.
The number of assessments over the phase-in period was estimated
using data from the Electronic Data Access system for the contracts
containing DFARS clause 252.204-7012 in fiscal years 2019, 2020, and
2021, as well as data calculated for the initial CMMC Program. This
data was used in combination with an expected growth factor to estimate
DoD contracts and orders in the future. Data also showed the number of
awards that were made to small entities and other than small entities.
The resulting estimate was phased in over 7 years to allow the
ecosystem to grow and accommodate an increasing number of assessments.
The assumptions and analysis of costs are provided in the
regulatory impact analysis for this rule and are explained in depth.
One of the assumptions is that Non-Small Entities have a team of full-
time cybersecurity professionals on staff while Small Entities do not.
The assumptions reflect that Small Entities will likely obtain support
from External Service Providers and have a staff member submit
affirmations and SPRS scores for self-assessments (when applicable).
DoD included an analysis of costs to meet CMMC requirements in the
regulatory impact analysis for this rule. As described in the estimate
included with the rule, the major cost categories for compliance with
CMMC requirements are anticipated to include costs for completing a
self-assessment (e.g., Level 1 or 2); costs to prepare for and undergo
C3PAO assessment (Level 2); costs required to implement the Level 3
security requirements and for preparing to undergo DCMA DIBCAC
assessment (Level 3). Market forces of supply and demand will determine
C3PAO pricing for CMMC Level 2 certification assessments. The CMMC rule
does not make any change to cost allowability as defined in the FAR
31.201-2, Determining Allowability.
As addressed in the Assumptions section of the Regulatory Impact
Analysis (RIA), the cost estimates for CMMC Levels 1 and 2 are based
only on the assessment, certification, and affirmation activities that
a defense contractor, subcontractor, or ecosystem member must take to
allow DoD to verify implementation of the relevant underlying security
requirements. For CMMC Level 3, cost estimates to implement applicable
security requirements are included as they are a new addition to
current security protection requirements. Section H costs of existing/
past contracts do not apply.
CCP and CCA certification costs are set by the CAICO and are market
driven. The hours used in the cost estimations are based on estimates
by subject matter experts. The 417.83 hours per response questioned by
the commenter ties to C3PAO reporting and recordkeeping requirements
for Level 2 certification assessment on small entities as identified in
table 36, not Level 1 or table 39 as stated in the comment.
In response to public comments received in the initial 48 CFR CMMC
interim final rule public comment period, DoD streamlined the CMMC
model to ease the assessment burden. At the same time, estimates were
increased for the time and cost of self-assessment based on industry
and DIBCAC input. DoD estimates are based on defendable assumptions and
documented labor rates. Therefore, DoD declines to modify the self-
assessment estimates.
The DoD has streamlined CMMC requirements to align directly to NIST
guidelines, eliminated unique security practices to ease the burden
on smaller companies, and included an analysis of costs to meet CMMC
requirements in the regulatory impact analysis for this rule. The DoD
declined to modify the estimates, which are intended to be
representative and to inform rulemaking.
Verifying compliance with applicable security requirements may
increase cost and is necessary for the protection of DoD CUI. The cost
of lost technological advantage over potential adversaries is greater
than the costs of such enforcement. The value of information (and
impact of its loss) does not diminish when the information moves to
contractors.
DoD rejected the recommendation to adjust the annual requirement
for senior affirmations to a triennial requirement to decrease senior
affirmation costs. The requirement for annual affirmations is to ensure
the Affirming Official responsible for CMMC requirements is monitoring
compliance with the requirements. If compliance is being maintained as
required, this should not require more time or cost than provided in
the estimates. Further, DFARS clause 252.204-7012 already requires NIST
SP 800-171 continuous monitoring via requirement 3.12.3. DoD also
declined to make the recommended edits to further delineate a company's
internal review of self-assessments and reaffirmations in the cost
assumptions.
The cost estimates provided for this rule represent average costs
for
[[Page 83155]]
companies to comply with the CMMC requirement, including the need for
self-assessment or independent assessment against the specified
standards. Whether the OSA elects to satisfy those requirements
themselves, or by using one ESP for many requirements, or by using
several ESPs for individual requirements, is a decision to be made by
the OSA. That decision does not change DoD's estimate of average costs
to meet CMMC requirements. The DoD declined to recalculate cost
estimates using lower costs for ESP assessments.
The 7% discount rate is not a discount for organizations. The
discount rate is a part of a formula used in a business impact analysis
calculation. When calculating 20 years in the future, a discount rate
is used to determine the net present value of money. Discount rates are
explained in step seven of OMB Circular A-4: Regulatory Impact
Analysis: A Primer. The DoD does not agree with the commenter's
assertion that the cost estimates greatly understate the costs and
burden to Level 1 compliance. The 15 FAR security requirements that
comprise CMMC Level 1 should already have the requirements implemented
if an OSA network processes, stores, or transmits FCI. In addition to
NIST SP 800-171A Jun2018, the CMMC Level 1 Assessment Guide provides
supplemental information to help facilitate implementation and
assessment of the Level 1 security requirements.
b. Economic Impact
Comment: One comment suggested the government evaluate the economic
impact of implementing the rule's reporting requirements at scale.
Another comment expressed the notion that the cost impact analysis does
not account for the free market response, referring to the associated
cost increases and schedule delays that directly impact the warfighter
and taxpayer. The commenter suggested the cost could dwarf both the
cost of implementing compliance and achieving certification.
One comment stated the CMMC Level 2 and Level 3 cost burdens for
companies that were historically never subjected to such requirements
may be disproportionate to the risk their operations pose to the
inadvertent disclosure of CUI or FCI. It suggested ensuring
requirements be proportional to the subcontractor's activity and risk
levels. The comment further mentioned that costs may be passed on to
the prime contractor, and DoD should consider providing recovery costs
in the price of implementation.
One comment stated the 100% compliance to CMMC Level 2
certification may be financially unachievable and suggested that if a
risk assessment shows the likelihood of harm is comparatively low, the DoD
should direct CMMC Program assessors to use their professional
judgments and not require seeking maximum evidence of compliance where
there is evidence of sufficiency.
Response: The DoD has already evaluated the reporting requirements
and the analysis of the costs is provided in the Regulatory Impact
Analysis published with this rule. The DoD declined to respond to
speculative or editorial comments about downstream impacts of the
market's reaction to CMMC, all of which are beyond the scope of this
rule.
The DoD declined the recommendation to restructure CMMC to be
proportional to the subcontractor's activity and risk levels. DoD must
enforce CMMC requirements uniformly across the Defense Industrial Base
for all contractors and subcontractors who process, store, or transmit
CUI. The value of information (and impact of its loss) does not
diminish when the information moves to contractors and subcontractors.
Assessors exercise judgment in determining when sufficient and
adequate evidence has been presented to make an assessment finding.
This is consistent with current DIBCAC High Assessments and assessments
conducted under the Joint Surveillance Voluntary Assessment (JSVA)
program. Furthermore, to reduce burden to small businesses, the CMMC
program has implemented flexibility with self-assessment, POA&Ms, and
waivers.
c. Cross-Functional Requirements and Artifacts
Comment: Multiple comments maintained that DoD underestimated the
cross-functional (Human Resources, Physical Security, Training, etc.)
manhours and associated cost to collect artifacts and evidence in
preparation for a C3PAO assessment. One comment stated the DoD's
overestimation of CMMC Level 1 requirements would correspond to an
underestimation of compliance costs. The comment referred to current
NIST requirements and asserted that potential revisions would force
changes to POA&Ms causing additional costs beyond those included in the
estimates. The comment suggested the DoD should determine the range of
potential compliance timelines, the use and value of existing and
planned POA&Ms, and true certification costs, both for initial
compliance as well as ongoing maintenance and oversight.
One commenter claimed too much funding was expended over the past 5
years for the CMMC database system.
Response: OSCs prepare for C3PAO assessments based upon NIST
guidelines as addressed in Sec. 170.17. The cost and time estimates
represent the time to gather the evidence to address all assessment
objectives and are derived averages based on internal expertise and
public feedback in accordance with OMB Circular A-4 Regulatory Impact
Analysis: A Primer. The size and complexity of the network within scope
of the assessment impacts the costs as well.
The time estimates represent average derived estimates based on
internal expertise and public feedback in accordance with OMB Circular
A-4. The size and complexity of the network within scope of the
assessment impacts the time estimates as well. The DoD does not concur
with the commenter's claim that too much funding has been spent to
develop the DoD's database for the CMMC Program.
d. Duplication or Overlap
Comment: One comment asserted CMMC requirements may be duplicative
or conflict with existing utility industry compliance requirements that
address CUI, since utility companies will not require CMMC Level 3
certification. They proposed the utilities and the DoD collaborate to
harmonize requirements to limit the financial burden.
One comment highlighted a concern about cost for companies that have
multiple contracts, each carrying different CMMC Program requirements.
Concerns were specifically based on the increased costs from CMMC Level
2 to CMMC Level 3 compliance and assumed costs would be borne by
contractors. They expressed similar concerns about costs for FedRAMP
certification, given a purported backlog in FedRAMP authorizations.
Response: Addressing the harmonization between the DoD,
contractors, and subcontractors is beyond the scope of this rule. These
are functions of the DIB Sector Coordinating Council and the DIB
Government Coordinating Council. Additionally, non-DoD programs are
outside the control and scope of the 32 CFR part 170 CMMC Program rule.
The DoD encourages prime contractors to work with their subcontractors
to flow down CUI with the required security and the least burden.
DoD is aware organizations may receive multiple contracts that may
require different CMMC levels based upon programmatic data security
needs. It is beyond the scope of this rule to
[[Page 83156]]
dictate how OSAs manage varying contract requirements. Contractors that
have achieved a CMMC Level 2 or Level 3 certification automatically
meet a stated requirement of a lower CMMC level if the same system/
assessment scope will be used in performance of the contract.
30. Alternatives
a. Alternate Programs
Comment: Many comment submissions included lengthy proposals for
alternatives to the CMMC program purported to alleviate specific
concerns with aspects of CMMC program requirements. In some cases, the
concerns were based on a misreading of the rule's content. The DoD has
addressed some valid concerns through rule revisions that differ from
the recommendations.
One commenter suggested eliminating compliance assessments in favor
of establishing a DoD office to conduct penetration testing of each DIB
company's network every two years. Other commenters also recommended
the DoD establish a secure portal and share CUI with contractors only
through that portal, as a way for the DIB to avoid the cost of securing
their information systems. One commenter suggested the DoD monitor use
of waivers and utilize this secure portal approach when CMMC waivers
apply. Similar recommendations included sharing CUI only through
password encrypted files or requiring contractors to store CUI in
restricted access folders. In similar suggestions, several commenters
thought the DoD should provide its contractors with training, GFE and
other tools necessary to secure the contractor owned information
systems being used to process or store CUI. One such commenter stated
that the Government should appropriate funding for secure solutions
rather than phasing in compliance assessments. One commenter suggested
the DoD consider industry's application of alternate security
mechanisms in lieu of CMMC Levels 2 and 3. Another recommended the DoD
stand up a voluntary DIB Cyber Protection Program to improve real-time
monitoring of the DIB, improve cybersecurity for firms that cannot
afford the needed professional staff, and offer data and legal
protections to DIB firms. Another such commenter suggested that DoD
fund securing the DIB through contract incentives.
One commenter recommended mandating DIB use of the DoD CIO's DIB CS
Program or other DoD cybersecurity related services as alternatives to
the CMMC program. That comment suggested reassigning Government
personnel to provide training for all assessors, to reduce training
cost and ensure enough assessors to meet demand. Another commenter made
similar recommendations about CISA cybersecurity service offerings.
Response: Many comments included lengthy proposals for alternate
approaches to the CMMC program which would alleviate specific concerns
with aspects of CMMC program requirements. In some cases, the
suggestions were based on a misreading of the rule's content. The DoD
has addressed some valid concerns via rule revisions that differ from
commenter recommendations.
The DoD notes with interest one commenter's reference to
initiatives described in a report to Congress about the breadth of
cybersecurity related initiatives within the Department. While the CMMC
is an important initiative, it is by no means the Department's only
effort to improve DIB cybersecurity. The CMMC Program addresses
adequate safeguarding of contractor owned information systems which
process, store, or transmit FCI or CUI. Other DoD initiatives related
to secure cloud or software development environments are beyond the
scope of the CMMC Program.
The DoD did not adopt suggested alternatives, such as policy-based
solutions that lack a rigorous assessment component. The DoD determined
that sharing CUI only through DoD-hosted secure platforms, in lieu of
implementing the CMMC Program, was not a scalable or cost-effective
solution. Although the DoD expanded the availability of resources
through the DIB Collaborative Information Sharing Environment (DCISE)
program, the DoD also declines to rely only on training in lieu of
assessment.
The purpose of CMMC is to require defense contractors and
subcontractors to undergo an assessment to verify the implementation of
prescribed cybersecurity standards. The security requirements are
already specified in existing regulations (32 CFR part 2002, DFARS
clause 252.204-7012, and FAR clause 52.204-21).
Comments which suggest that enrollment in the DoD's DIB CS Program
can be an alternative means of meeting the objectives of CMMC
misinterpret the services that the DIB CS Program provides. The DIB CS
Program does not provide any mechanism for verifying whether those
participants have secured their contractor owned information systems to
the standards required by DFARS clause 252.204-7012. Likewise, the
recommended NSA cybersecurity offerings also do not provide the same
verification mechanism that CMMC will provide. CMMC Program
requirements apply to contractor-owned information systems that
process, store, or transmit FCI and CUI. Hardware and software
approving authorities for GFE are not relevant to this CMMC rule. The
DoD declined to adopt the recommendation to provide GFE to DIB
contractors to maintain security, ownership of data and support
Clinger-Cohen Act compliance.
Some comments received reflect a misinterpretation of the cost
estimates that accompany this rule, which are intended to inform the
rulemaking process. The cost estimates are not indicative of a funded
budget line which could be reprogrammed to fund a new agency to meet
the objectives of the CMMC Program. Comments recommending that funding
be appropriated (by Congress) to provide the DIB with security
solutions are beyond the scope of this rule.
b. Alternate Standards
Comment: One commenter recommended aligning requirements to DoD
policies rather than to NIST standards and relying on FISMA compliance
assessments in lieu of the CMMC model. Another commenter recommended
the DoD and NIST work with other international standards organizations
to incorporate CMMC requirements (really NIST standards) into existing
ISO/IEC and CMMI standards. In general, these commenters recommended
DoD accept alternate assessments conducted against alternate standards
by assessors with alternate training and qualifications. They further
recommended that DoD issue an RFI seeking recommendation of alternate
third-party assessment schemes. One commenter recommended the rule be
modified to require that contracts with a CMMC level 3 requirement also
require use of a FedRAMP moderate or higher CSP, and that contracts
with a CMMC level 2 requirement permit use of CSPs with either FedRAMP
Moderate authorization (or higher) or CMMC level 2 or 3 certification
assessment.
Response: CMMC is based on the executive branch's CUI Program as
the authoritative source, as codified in 32 CFR part 2002. The
definition of CUI and general requirements for its safeguarding are
included in 32 CFR 2002.4 and 2002.14, respectively. 32 CFR
2002.14(h)(2) specifically requires that ``Agencies must use NIST SP
800-171 when establishing security requirements to protect CUI's
confidentiality on non-Federal information systems . . .'' The CMMC
[[Page 83157]]
Program makes no change to the CUI program or its implementing
policies. Contractually, DFARS clause 252.204-7012, effective since
December 2017, requires contractors to implement the NIST SP 800-171
security requirements to provide adequate security applicable for
processing, storing, or transmitting CUI in support of the performance
of a DoD contract. That requirement applies, regardless of the number
of computers or components in a non-Federal information system.
The CMMC Program provides an assessment mechanism to verify that
prospective offerors comply with the applicable information security
requirements. All executive agencies are required to follow the
policies described in 32 CFR 2002.14. DoD aligned CMMC requirements
with NIST SP 800-171 R2 because it is enterprise focused and is already
required in DoD contracts when DFARS clause 252.204-7012 is applicable.
DFARS clause 252.204-7012 and NIST SP 800-171 R2 provide the
cybersecurity requirements, whereas CMMC validates implementation of
those requirements. CMMC does not duplicate these documents.
The DoD publishes Security Technical Implementation Guides (STIGs)
for specific products, primarily to guide secure implementation in DoD
systems. The OSA is responsible for creating the implementation
guidance they will use to meet the CMMC security requirements. OSAs are
free to use the DoD STIGS if they feel they are appropriate. The DoD
does not want to limit the choices available to the OSA for
implementation guidance. In addition, the DoD declines to create STIGs
for all products that might be used in the OSA's environment. Some
comments lacked relevance to the rule's content, which is limited to
specific CMMC program requirements.
Changes to DFARS clause 252.204-7012 are outside the scope of this
rule. DoD declines to modify CMMC Level 2 or Level 3 requirements
related to use of Cloud Service Providers (CSP). A CSP is assessed
against the FedRAMP Moderate baseline. This is required when a CSP,
regardless of the component or type of CSP, processes, stores, or
transmits CUI.
The DoD declines to align CMMC requirements to alternate standards
or accept compliance with alternate standards in lieu of the NIST SP
800-171 standard mandated by 32 CFR part 2002 for the protection of
CUI. CMMI is focused on improving the software development process,
while CMMC is focused on verifying the proper implementation of DIB
cybersecurity requirements. Incorporating requirements into new or
other existing standards would unacceptably delay action to improve DIB
cybersecurity. The DoD must take action to improve DIB cybersecurity,
regardless of the global state of cybersecurity. DoD's publication of
this rule follows completion of OMB's formal rulemaking process, which
includes both DoD internal coordination and Interagency coordination.
The recommendation for the DoD to establish a voluntary DIB Cyber
Protection Program is beyond the scope of this rule.
One commenter recommended administrative edits to identify CMMC
levels at a particular place in the preamble description of the
program. The preamble is not part of the official regulation. In
addition to background and overview information about the proposed or
final rule, the preamble includes responses to all comments received
during the public comment period on the proposed rule. The
certification requirements are in subpart D, Sec. Sec. 170.15 through
170.18.
c. Alternate Implementation Timelines
Comment: Several commenters suggested that DoD abandon CMMC
requirements in favor of simply continuing to rely upon self-
assessments, or else allowing contractors to comply with DFARS clause
252.204-7012 requirements absent any assessment (self-conducted or
third-party). Of those recommending self-assessment, two commenters
limited the suggestion only to companies that self-certified as small
businesses and one further recommended that DoD pay for certification
assessment of all small businesses. One such commenter based their
opinion on an interpretation that text in NIST SP 800-171 R2 identifies
the requirements as a model for self-assessment. Another commenter made
no suggestion to change assessment requirements, other than to
implement them post-award, rather than pre-award.
One comment expressed doubt in the ability of the ecosystem to
scale sufficiently to meet the demand for C3PAO assessments and
assessor training.
One commenter suggested the rule be revised to eliminate POA&Ms but
expand the period during which deficiencies can be reassessed from
within 10 days of initial assessment to 60 days for those prospective
contractors. Another commenter suggested varying timelines for POA&Ms
based on a variety of criteria, including how many DoD contracts are
held.
Response: The DoD declined to accept the risk associated with
implementing CMMC solely as a post-award requirement. When contracts
require contractors to process, store, or transmit CUI, DoD requires
that they be compliant with DFARS clause 252.204-7012 and competent to
adequately safeguard CUI from the beginning of the period of
performance. DoD declines the recommendation to require primes to
assume the cost of CMMC for their subcontractors. Arrangements between
contractors and subcontractors are negotiated directly between those
parties. The DoD does not accept the recommendation to eliminate or
change the criteria for POA&Ms or the timeline allowed to remediate
open POA&M items. The 180-day period allowed for POA&Ms and the
determination of which weighted practices can be placed on a POA&M was
a risk-based decision. The determination considers the relative risk
DoD is willing to accept when a particular practice is not met and the
amount of risk the DoD is willing to accept for those security
practices that go ``NOT MET'' for an extended period.
The Department declines to adopt the recommendation to allow DIB
members to assist in designing the DoD's mechanism for assessing DIB
compliance with DoD's contractual requirements. In developing the CMMC
program, the DoD sought and considered DIB input. DoD disagrees with
the comment that there is a lack of scalability in the CMMC program.
The phased implementation plan described in Sec. 170.3(e) is intended
to address any CMMC Ecosystem ramp-up issues, provide time to train the
necessary number of assessors, and allow companies the time needed to
understand and implement CMMC requirements. The rule has been updated
to add an additional six months to the Phase 1 timeline. As with all
its programs, the Department intends to effectively oversee the CMMC
Program and act as needed to manage its effective implementation.
Although the full extent of DoD's oversight process is beyond the scope
of this rule, the rule text addresses DoD's authority to waive the
application of CMMC requirements when warranted in accordance with all
applicable policies, procedures, and approval requirements.
DoD has utilized a phased approach to the rollout to reduce
implementation risk. CMMC Program requirements make no changes to
existing policies for information security requirements implemented by
the DoD. It is beyond the scope of this rule for DoD to determine the
order in which organizations are assessed.
[[Page 83158]]
d. Alternate Assessors or Assessments (Including Self-Assessment Only)
Comment: One commenter submitted numerous recommendations based on
an opinion that skills required for conducting CMMC compliance
assessments are like those required for conducting Independent
Technical Risk Assessments (ITRAs) on Major Defense Acquisition
Programs (MDAPs). Such assessments are conducted by the Office of the
Undersecretary of Defense for Research & Engineering (OUSD(R&E)) in
accordance with Defense Technical Risk Assessment Methodology (DTRAM)
criteria. These criteria extend beyond compliance with cybersecurity
requirements and include characteristics such as modular open systems
architecture, software, manufacturing, reliability, availability,
maintainability, and others. This commenter noted the DoD's Adaptive
Acquisition Framework applies to both Information Systems and National
Security Systems and suggested that existing acquisition requirements
pertaining to ITRA and DTRAM should suffice in lieu of CMMC
assessments. The commenter recommended that DoD use existing ITRA teams
to perform compliance assessments of contractor-owned information
systems. In addition, they recommended aligning requirements to DoD
policies rather than to NIST standards. Other comments made similar
suggestions to synchronize cybersecurity requirements with DoD policies
rather than NIST standards but cited FISMA compliance assessments as
the appropriate model rather than the DTRAM.
One comment suggested that C3PAOs be permitted to conduct partial
assessments of ESPs, MSPs, and MSSPs. Multiple comments expressed
concern with CMMC assessment requirements for OSAs that use ESPs,
stating that OSAs would be unlikely to know which components of the
services they purchased were covered by a required CMMC Level 2
assessment. This commenter recommended the creation of a separate type
of CMMC assessment specifically for ESPs, which they further
recommended should be highlighted on the CMMC AB marketplace to assist
OSAs in selecting an appropriately vetted ESP. These comments provided
an extended description of the specific scoping guidance that should be
added to existing CMMC supplemental documentation, as well as several
sample scenarios explaining how requirements for this new type of
assessment should be applied. Two comments highlighted that the rule's
preamble does not include details of assessment and implementation
requirements.
Several commenters recommended the DoD abandon the CMMC ecosystem
model and conduct all cybersecurity compliance assessments using DIBCAC
assessors, which would reduce cost to the DIB. One such commenter
suggested that DIBCAC assessment of C3PAOs, as part of the
accreditation process, detracts from DIBCAC's capacity to perform CMMC
level 2 assessments for the DIB. Another noted that as Government
employees, DIBCAC assessors could exercise judgment to make
risk-tolerance decisions that non-Government C3PAOs cannot, including
possible acceptance of partial non-compliance.
Response: DoD must enforce CMMC requirements uniformly across the
Defense Industrial Base for all contractors and subcontractors who
process, store, or transmit CUI. The value of information and impact of
its loss does not diminish when the information moves to contractors
and subcontractors. The DoD has considered the recommendation and
declines to revise the rule text to rely solely on self-assessment or
eliminate the 3-year validity period to rely on a one-time
certification. It is important that contractors maintain security
compliance for systems that process, store, or transmit DoD CUI. Given
the evolving cybersecurity threat, DoD's best interests are served by
ensuring that CMMC Level 2 assessments remain valid for no longer than
a 3-year period, regardless of who performs the assessment.
CMMC Program requirements in this rule are designed to improve
compliance with requirements for safeguarding of FCI and CUI. DoD has
privity of contract to enforce these requirements and CISA does not.
OSAs are free to choose CISA services as part of their implementation
of DoD requirements. FISMA is for Federal systems that are used by
Government personnel or the public and is therefore an unsuitable
surrogate for CMMC requirements. If a contractor provides outsourced IT
services to a Federal agency, the system is considered a Federal system
and FISMA applies. In contrast, CMMC requirements apply to nonfederal
systems that are used internally by contractor personnel.
The DoD disagreed with the commenter's assertions about NIST SP
800-171 R2 and the available assessment methods. DoD's DIBCAC currently
performs assessments using the procedures in NIST SP 800-171A Jun2018,
and these documents explicitly identify the target audience to include
individuals with security assessment responsibilities, such as
auditors, assessors, and ``independent verifiers''. The aggregated SPRS
reporting and scoring is CUI. The DoD does not wish to make this
information public, which might aid adversaries in coordinating their
attacks.
The CMMC Program does not alleviate or supersede any existing
requirements of the Adaptive Acquisition Framework, nor does CMMC alter
any statutory or regulatory requirement for acquisition program
documentation or deliverables.
One commenter referenced assessments required during the
acquisition process for DoD systems. DoD's policies governing
acquisition programs require that Independent Technical Risk
Assessments be conducted on Major Defense Acquisition Programs. These
assessments provide a view of program technical risk and are not well-
suited to the assessment of contractor owned information systems
against standards for safeguarding CUI. CMMC assessments are conducted
on contractor owned information systems to gauge compliance with FAR
and DFARS requirements for safeguarding FCI and CUI that is processed,
stored, or transmitted within those contractor-owned information
systems. One commenter incorrectly asserts that the CMMC Scoring
Methodology does not parallel existing scoring methods; however, the
CMMC methodology is based on the DoDAM.
The DoD declined to accept the recommended alternative of self-
assessment with the potential to require DIBCAC assessment for a
sampling of DoD contractors, which is essentially the status quo. Both
GAO reporting and other DoD analysis have shown that the DIB has not
consistently implemented the NIST SP 800-171 requirements needed to
comply with DFARS clause 252.204-7012, even though DoD's objective was
for the contractor to implement NIST SP 800-171 as soon as practical,
but not later than December 31, 2017.
The DoD reserves the right to decide when reliance on self-
assessment will suffice, and when compliance should be assessed through
CMMC certification. Based on DoD decision criteria that includes a risk
assessment of the type and sensitivity of program information to be
shared, Program Managers will identify the appropriate CMMC requirement
(e.g., CMMC Level 2 self-assessment or Level 2 certification) in the
solicitation.
The government does not have the capacity in house to adequately
assess
[[Page 83159]]
the 220,000+ companies in the DIB. The DoD cannot assume the workload of
directly assessing every DIB contractor. With this final rule, DoD
established a scalable way to verify, through assessment, that
contractors have implemented required security measures necessary to
safeguard DoD information. The DIBCAC's mission is derived from DoD
priorities and the Department is actively working to ensure that the
DIBCAC is adequately resourced to effectively execute its mission
areas. Planned changes to DCMA staffing levels have been considered and
are necessary to implement the elements of the CMMC program described
in this rule (i.e., Level 3 and C3PAO assessments).
By design, the CMMC Program depends on the supply and demand
dynamics of the free market, enabling it to naturally scale and adapt
to capacity requirements. The DoD established requirements for each
part of the CMMC ecosystem to support a robust compliance assessment
mechanism for DoD's contractual requirements to safeguard CUI that is
processed, stored, or transmitted in contractor owned information
systems. The DoD cannot assume the workload of directly assessing every
DIB contractor.
One commenter provided numerous comments expressing concern that
OSAs that use ESPs will be unlikely to know which ESP services require
CMMC assessment within the OSAs boundary or scope. This commenter
recommended an alternate type of CMMC assessment specifically for ESPs.
In lieu of adopting that recommendation, the DoD has updated the rule
in Sec. Sec. 170.19(c)(2) and (d)(2) to reduce the assessment
burden on ESPs. DoD declined to allow partial CMMC Assessments. ESPs
may request voluntary CMMC assessments of their environment and use
that as a business discriminator. The marketplace for ESP services will
adjust to find the efficient manner for ESPs to support OSA
assessments.
e. Alternate Governance
Comment: Rather than abandon the CMMC ecosystem model entirely,
some commenters recommended only that DoD revise the CMMC Accreditation
Body's roles and responsibilities. Three recommended the DoD eliminate
the CMMC AB and take on its responsibilities; of these, one further
suggested the DoD publish detailed Security Technical Implementation
Guides describing how to implement the applicable NIST requirements.
One commenter questioned the reasons for creating a CMMC AB rather than
accepting another existing accreditation body or multiple accreditation
bodies. One comment expressed doubt in the ability of the ecosystem to
scale sufficiently to meet the demand for C3PAO assessments and
assessor training.
Multiple comments called for organizations other than the current
CMMC AB to run the CMMC ecosystem such as a CMMC Advisory Council or a
Civilian Cybersecurity Corps comprised of government and private sector
staff. One such comment requested that, unlike the current CMMC AB, the
proposed body would be funded and managed by the government. Two
commenters recommended the DoD consider accepting other types of
conformance assessment such as ISO/IEC 27001:2022(E) and Health
Information Trust Alliance (HITRUST) certification. One noted this
would require guidance to describe how to address the gaps between
standards those assessments are aligned to and those that CMMC are
aligned to (e.g., NIST SP 800-171 R2 for CMMC Level 2). This commenter
further suggested that DoD accept alternate industry certifications in
lieu of the training requirements identified for CMMC Assessors. One
commenter suggested the DoD accept FedRAMP authorization to meet CMMC
assessment requirements.
Response: DoD considered many alternatives before deciding upon the
current CMMC structure. The DoD established requirements for a CMMC
Accreditation Body, and this accreditation body will administer the
CMMC Ecosystem. The DoD reviewed and assessed the whitepapers that were
submitted by RFI respondents and determined that no single respondent
could meet all the broad facets required to serve as the CMMC
Accreditation Body. Based on this assessment, the DoD published notice
of a planned meeting in November 2019 to allow the respondents and
other members of the public to hear the senior DoD leadership address
DoD perspectives regarding the notional CMMC implementation flow; the
notional program structure; the notional CMMC Accreditation Body
activities, structure, and relationship with the DoD; and the notional
CMMC implementation schedule. The DoD also provided information
regarding the Department's planned way forward. The result of the
November 2019 meeting was the establishment of the current CMMC
Accreditation Body. The relationship between the current CMMC
Accreditation Body and the DoD was formalized through a Memorandum of
Understanding and then a No-Cost Contract. The DoD cannot assume the
risk or the workload of directly managing the CMMC Ecosystem or the
other alternatives suggested. The current CMMC Accreditation Body is
aligned to the DoD through contractual arrangements.
31. Rulemaking Process
Comment: Some comments were submitted to identify problems with
using the Federal eRulemaking Portal (at www.regulations.gov) or the
Federal Register website and did not address content of the proposed
rule. One commenter was confused by the identification of the rule as
``Proposed'' rather than final. Another asked whether the rule could be
republished with page numbers.
Many comments critiqued the format, heading and section numbering,
use of incorporation by reference, or sections contained within the
rule, rather than the substance of the content. For example, some
comments described the CMMC rule as overly repetitive or containing
duplicative sections. Some comments recommended deleting specific
sections to shorten or simplify the rule, including ``History of the
Program''. Some commenters perceived the preamble to the rule as
unnecessary and recommended deleting or shortening that section. In
addition, one commenter noted that responses to public comments
received against an earlier CMMC rule publication ought to be published
with the 48 CFR part 204 CMMC Acquisition rule rather than this 32 CFR
part 170 CMMC Program rule. Several commenters simply thought the rule
text too verbose and recommended rewriting the content with fewer words
and simpler language or using tables to shorten the content. One
comment criticized the organization of the documents.
Several comments addressed references to documents outside the
rule, or those that are incorporated by reference. One commenter asked
how the DoD will recognize when revisions to documents incorporated by
reference cause them to be misaligned with the requirements identified in this
rule. Other comments requested that additional documents be
incorporated by reference, such as DoD Instructions on CUI and the DISA
Cloud Security Technical Reference Architecture. Some commenters
complained that the page count of the rule and documents incorporated
by reference was too high and asked whether contractors are expected to
read them all. Two commenters objected to certain terms in the
definitions section pointing to other documents as the source of the
[[Page 83160]]
definition. One further suggested that such definitions be revised to
simply point to the URL of the source definition.
Some comments recommended moving content from the new 32 CFR part
170 CMMC Program rule to the CMMC supplemental documents or changing
citations to reference them rather than the NIST documents that are
incorporated by reference. Another asked why the scoring methodology
was incorporated into the rule, rather than incorporated by reference.
One comment questioned whether the supplemental documents are truly
optional, rather than required for compliance with CMMC program
requirements. One comment stated a public comment period should be
required for all supplemental guidance prior to final publication.
One commenter asked what precipitated implementation of the CFR,
which the DoD interpreted as a question about codification of the CMMC
program in the CFR. One commenter asked whether the rulemaking process
had afforded a certain group the opportunity to coordinate or comment
on the rule. Another referenced the separate 48 CFR part 204 CMMC
Acquisition rulemaking effort needed to implement the content of this
rule and urged the DoD to consider public comments of both rules prior
to their publication as final.
One comment specifically suggested the CMMC program be implemented
Government-wide. One commenter simply submitted a copy of a CMMC-
related article from the February 2024 issue of National Defense
Magazine and quoted or extracted from it rather than providing any
specific comment or question.
Response: The process for creating Federal regulations generally
has three main phases: initiating rulemaking actions, developing
proposed rules, and developing final rules. A proposed rule is
published for public comment prior to developing the final rule. A
final rule must identify its effective date and be published 60 days
prior to that date. The structure and formatting requirements for
proposed and final rules and the process for submitting public comments
are prescribed by the Office of the Federal Register and OMB,
respectively, and are outside of DoD's control.
OMB approved publishing the CMMC rule as a Proposed Rule. It has
undergone a required notice-and-comment process to give the public an
opportunity to submit comments. The Proposed Rule and the comments
received informed the final rule. Issues with the Federal Register or
www.regulations.gov functionality for submitting comments via
attachment of pdf or other file type were raised with the appropriate
help desk and resolved before conclusion of the public comment period.
The public comment period for this rule permitted review and feedback
from any member of the public.
This rule follows the format and includes all sections required in
OMB guidelines for formal rulemaking. The length of this rule is
necessary to ensure all affected parties have sufficient information to
understand and comply with the rule. Federal Register page numbers are
visible when viewing the PDF version of the rule published Tuesday,
December 26, 2023 (88 FR 89058; www.govinfo.gov/content/pkg/FR-2023-12-26/pdf/2023-27280.pdf).
Material published in the Federal Register contains numerous
sections, including portions that do not amend the CFR. Specifically,
the preamble for this rule is written in a summary format and is not
intended to provide the detailed information that is in the regulatory
text.
DoD declines to delete reserved sections because the editorial
standard for orderly codification is that for every (a) there must be
at least a (b), and for every (1) there must be at least a (2), etc.
``Reserved'' meets this standard when there is no additional text
required. The DoD declined to make other administrative changes,
because the recommendations did not result in a substantive change.
One commenter correctly identified that the initial 32 CFR part 170
CMMC Program proposed rule included discussion and analysis of comments
made against prior publication of a 48 CFR CMMC interim final rule. The
decision to include that material was made for the public's convenience
and to facilitate greater understanding of the 32 CFR part 170 CMMC
Program proposed rule and the CMMC Program. Codification of the CMMC
Program requires publication of both the 32 CFR part 170 CMMC Program
final rule and the 48 CFR part 204 CMMC Acquisition final rule. Each of
those final rules will include a discussion and analysis of public
comments received during their respective comment periods. The DoD CIO
worked in conjunction with OUSD(A&S) to ensure that the 32 CFR part 170
CMMC Program rule and the 48 CFR part 204 CMMC Acquisition rule are in
sync.
The preamble is not regulatory text. The preamble includes a
response to the significant, relevant issues raised in previous public
comments on the original CMMC program. DoD declines to adopt
recommendations to move content from the 32 CFR part 170 CMMC Program
rule to the supplemental documents, which are not codified. As such,
the supplemental documents are provided for optional use, and the
regulatory text takes precedence. The CMMC Assessment Process (CAP)
guidance is a product of the Accreditation Body and is not codified in
the CFR as part of the CMMC rule, and the regulatory text in part 170
takes precedence.
Comments on the CMMC Supplemental Guidance were received as part of
the public comment period review. Final versions of these documents
were published with this rule. Other supplemental materials published
by the Accreditation Body do not convey government direction and
therefore do not require rulemaking. Supplemental documents (e.g., CMMC
assessment and scoping guides) are not codified in the CFR as part of
the regulatory text. To codify CMMC program requirements, content must
be included in the 32 CFR part 170 CMMC Program rule text. DoD
developed the CMMC Assessment Guides to provide supplemental
information to the public offering added clarity on the intent of the
NIST SP 800-171A Jun2018 and NIST SP 800-172A Mar2022 guides. The CMMC
Assessment Guides are particularly important for security requirements
with organization-defined parameters (ODPs) (e.g., CMMC Level 3). There
is no requirement to use the supplemental guidance documents.
Office of the Federal Register (OFR) regulations, at 1 CFR part 51,
govern the IBR process. IBR is only available if the applicable
regulations are published in the Federal Register and codified in the
CFR. When incorporated by reference, this material has the force and
effect of law, as do all regulations published in the Federal Register
and codified in the CFR. 1 CFR part 51 requires the specification of a
revision to a standard, for example NIST SP 800-171, Protecting
Controlled Unclassified Information in Nonfederal Systems and
Organizations, Revision 2, February 2020 (includes updates as of
January 28, 2021), which is incorporated by reference in this rule. The
DoD will determine when to update this rule after documents
incorporated by reference have been revised. Per OFR guidance, Sec.
170.4 points to other sections of part 170 where applicable and repeats
definitions for terms incorporated by reference.
Contractors complying with CMMC requirements need to be familiar
with those documents that are incorporated
[[Page 83161]]
by reference. The definition of subcontractor is not incorporated by
reference, but rather points to a definition codified in 48 CFR 3.502-
1, as recommended in OMB guidelines for formal rulemaking. DoD has
determined that the Defense Information Systems Agency's Cloud Security
Technical Reference Architecture does not meet the criteria for
approved IBR material. However, the rule has been updated to use a
different definition for Cloud Service Provider. The requirements of
NARA's CUI program (32 CFR part 2002) and DoD's implementing policies
for identifying and managing CUI are beyond the scope of the CMMC rule.
The CFR is the codification of the Federal Government's rules and
regulations published in the Federal Register. The CFR was created with
the passage of the Federal Register Act and amended in 1937 to provide
a ``codification'' of all regulations at least once a year. The CFR
reflects the tenet that the Federal Government must follow an open
public process when rulemaking.
Due to the broad application of CMMC requirements for DoD
acquisition support by the defense industrial base, the Department
determined that codifying the CMMC Program and its associated
requirements in 32 CFR part 170 CMMC Program rule (for national defense
and security) was needed in conjunction with the corresponding DFARS
contractual requirements codified in 48 CFR part 204 CMMC Acquisition
rule.
The DoD has no authority to make CMMC a Federal-wide program. The
notice of the required CMMC level is provided at time of solicitation.
This does not prohibit contractors from pursuing CMMC assessments prior
to receipt of a solicitation.
DoD declines to comment on the reposting of information being
reported in the media.
32. Administrative Changes to Terms, References and Notations
Comment: Over 160 comments asked for clarification of terminology
or the addition, removal, or modification of a definition. Most
requests focused on Security Protection Data and Assets, Senior
Officials, Information System, External Service Providers, Cloud
Service Providers, Managed Support Providers, Internet of Things, CMMC
Security Requirements, Organization Seeking Assessment, and
Organization Seeking Certification. Numerous comments recommended the
following terms could be clarified, expanded, or defined: ``Defense
Industrial Base'', ``personal information'', ``contractor'', ``sub-
contractor'', ``Prime Contractor'', ``equipment'', ``contractor
information system'', ``Information System'', ``system'' ``Information
Resource'', ``CMMC Approved Training Materials (CATM)'', ``CMMC
Certified Instructor (CCI)'', ``Provisional Instructor (PI)'', ``cyber
incident'', ``Accreditation Body'', ``Assessment Findings Report'',
``Organizationally-Defined'', ``Organizationally-Defined Parameter
(ODP)'', ``Periodically'', ``Risk Assessment'', ``Risk Analysis'',
``Supervisory Control'', ``Data Acquisition'', ``Operationally Critical
Support'', ``System Security Plan (SSP)'', ``TTP'', ``CMMC'', ``COTS'',
``NARA'', ``C3PAO'', ``IS'', ``NSS'', ``Technology Asset'', ``Personnel
Assets'', ``Asset Categories'', ``DIBCAC High'', and ``Enterprise''.
Response: All requests for changes to terminology definitions,
references, and usage have been reviewed. In response, many terms were
updated in Sec. 170.4 Acronyms and definitions. The DoD determined
those terms that were not changed to be sufficiently defined and
appropriately referenced, and the requested administrative changes
would not have resulted in a substantive change.
a. SPA/SPD/Asset
Comment: Numerous comments asked the DoD to expand on the
definition, explanation, and guidance for Security Protection Data
(SPD) and Security Protection Assets (SPA). Several other comments
requested that the rule and supplemental documents add or expand
definitions for ``Asset'', including various specific types of assets
like ``Technology Assets'', ``Personnel Assets'', ``Organizational
Assets'', and ``Specialized Assets''. Some comments asked to modify the
definition for ``Security Protection Asset'', ``CUI Asset'', ``FCI
Asset'', and ``Out-of-Scope Assets''.
Response: The DoD modified the rule to add a definition for
``Security Protection Data (SPD).'' The DoD considered the NIST
definitions for ``System Information'' and ``Security Relevant
Information'' in the development of the new SPD definition. CMMC does
not regulate the OSA's SPD, but instead implements existing regulatory
requirements for the safeguarding of CUI. The DoD does not agree with
the statement that the ESP definition conflates SPA with CUI assets.
The definition of Security Protection Assets is consistent with its
application in the NIST SP 800-171 R2 abstract. The phrase ``FCI Assets
are part of the Level 1 CMMC Assessment Scope and are assessed against
all CMMC Level 1 requirements'' was removed from the rule. The DoD
declined to rephrase the term ``CUI Assets.'' The DoD reviewed the
recommended edit and declined to make an update to ``Out-of-Scope
Assets.'' The definition, as written, provides a clear distinction with
Security Protection Assets (SPAs).
b. Senior Official
Comment: Several comments asked for additional definition or
guidance about the Senior Official role.
Response: The DoD modified the rule to replace all references to
the ``Senior Official'' with ``Affirming Official'' and provided
additional clarity on this term. It is beyond the purview of the DoD to
define technical qualifications for an OSA Affirming Official.
c. ESP/CSP/MSP
Comment: Some comments asked for additional clarification of the
terms related to External Service Providers (ESPs) and Cloud Service
Providers (CSPs). Two comments requested the rule add a definition and
acronym for ``Managed Service Provider''.
Response: The DoD received numerous comments about the use of ESPs
which do not process, store, or transmit CUI. In response to these
comments, the DoD modified the rule to reduce the assessment burden on
ESPs. An ESP that utilizes staff augmentation, where the OSA provides
all processes, technology, and facilities, does not require a CMMC
assessment. The rule was also updated to add a definition of ``CSP''
that is based on the NIST SP 800-145 Sept2011 definition of cloud
computing. The term ``Managed Service Provider'' is not used in the
rule; therefore, the acronym was removed from Sec. 170.4.
d. IoT/OT/ICS
Comment: Several comments recommended DoD clarify the definition of
IoT, OT, and ICS. Regarding IoT, one comment requested the rule specify
that the exchange of data and information between devices occurs over
the internet.
Response: As specified in the rule, IoT, IIoT, and OT, are
Specialized Assets, and all requirements associated with Specialized
Assets apply to any equipment that processes, stores, or transmits CUI
but is unable to be fully secured. The description of Internet of
Things (IoT) in the level 2 and level 3 Scoping Guides is consistent
with the definition of IoT in Sec. 170.4 and is defined in NIST SP
800-172A Mar2022. Scoping Guide text also provides examples to help
clarify what types of devices may be IoT. The definition of
[[Page 83162]]
OT is from NIST SP 800-60 V2R1 and the definition of ICS is from NIST
SP 800-82r3. Requests for revisions to these definitions should be
addressed to NIST. OSAs determine the asset categories and assessment
scope based on how and where they will process, store, and transmit FCI
and CUI. The DoD declined to comment on individual use cases included
in the comments.
e. Program and Security Requirements
Comment: Two comments asked for a definition of ``Security
Requirements'' while another asked for the DoD to define the term
``CMMC Program requirements'' in the rule. Three comments addressed
concerns with the CMMC security practices numbering scheme in
Sec. Sec. 170.14(c)(i). One comment requested clarification on what
constitutes a ``priority'' program. Another commenter stated the term
``all applicable CMMC security requirements'' is ambiguous and many
OSAs will only attest to fulfilling the FAR 52.204-21 or NIST SP 800-
171 R2 security requirements. The commenter felt this could lead to a
significant disconnect at CMMC Level 2 since Level 2 includes security
requirements associated with the use of ESPs, as defined in DFARS
clause 252.204-7012 paragraphs (e.g., para (b)(2)(ii)(D)) and the DoD
CIO FedRAMP Equivalency memorandum.
Response: CMMC Program requirements are all the requirements
codified in the 32 CFR part 170 CMMC Program rule. The term ``CMMC
Security Requirements'' is defined in Sec. 170.14(c). The CMMC
supplemental guidance documents add clarity; however, they are not
authoritative and the rule itself takes precedence. The CMMC numbering
scheme in the rule is a key element of the model that must pull
together the independent numbering schemes of FAR clause 52.204-21 (for
Level 1), NIST SP 800-171 R2 (for Level 2), and NIST SP 800-172 Feb2021
(for Level 3). For the CMMC Program, the numbering scheme must also
identify the domain and CMMC Level of each security requirement. The
term ``priority program'' is not used in the rule; therefore, no
definition of this term is needed. A commenter incorrectly equated
CMMC Program requirements with CMMC security requirements. To address
potential confusion, the rule was updated to define ``CMMC security
requirements'' as the 15 Level 1 FAR requirements, the 110 NIST SP 800-
171 R2 requirements, and the 24 selected NIST SP 800-172 Feb2021
requirements.
f. OSA and OSC
Comment: Several comments requested clarification of the terms OSA
and OSC. One recommended combining them into a single term.
Response: The definitions of Organization Seeking Assessment (OSA)
and Organization Seeking Certification (OSC) are provided in Sec.
170.4. It is important to note that OSC is a sub-set of OSA.
g. Process, Store, or Transmit
Comment: Several comments asked about use of the term, ``Process,
store or transmit''. One asked about its application to a turnkey cloud
based CMMC solution and whether the intent was to consider ``access'' a
subset of ``process''. Another recommended using the term ``Handle'' in
lieu of this term and noted that this would also require amendments to
DFARS clause 252.204-7012. Another comment recommended rephrasing the
definition to provide clarity while another asked that the definition
of ``Process, store, or transmit'' (Sec. 170.4(b)) explicitly include
residence of data in memory, which has not previously been identified
in this context and could raise interpretation issues.
Response: The phrase ``process, store, or transmit'' is more
specific than the term ``handle'' and is consistent with DoD contract
requirements for Non-Federal Information systems as specified in DFARS
clause 252.204-7012. The DoD intended ``access'' to be included in the
``process, store, or transmit'' definition as written in Sec. 170.4(b).
An organization offering a turnkey cloud based CMMC solution would be
considered an ESP by this rule, and the rule was updated to address
assessment and certification requirements of ESPs. The rule definitions
are provided for additional clarity of the terms included in the rule
and do not, and cannot, include every potential instance of a term's
application to a contractor's information systems.
h. Clarification of Definitions for FCI and CUI
Comment: Three comments requested clarification of and noted
inconsistency between the terms ``FCI'' and ``CUI''. One perceived
``[FCI]'' and ``[CUI]'' as new acronyms and asked why this rule
includes them. One comment noted the inconsistent use of the terms
``CUI and FCI'' and ``sensitive unclassified information'' and
recommended selecting one term for use throughout the rule. Another
comment requested definitions for CMMC be distinguished with formatting
or another notation.
Response: FCI is defined in FAR clause 52.204-21. The definition of
CUI and general requirements for its safeguarding are included in 32
CFR 2002.4 and 2002.14, respectively. CUI is not a new acronym. The
notation ``[FCI]'' is identified in table 2 to Sec. 170.15(c)(1)(ii)
to reflect its alignment to the requirements of FAR clause 52.204-21
for basic safeguarding of information. Similarly, ``[CUI]'' has been
added to reflect the use of those requirements for CMMC Level 2, which
is designed to protect CUI, not FCI. The DoD amended the rule such that
``sensitive unclassified information'' will consistently be replaced
with ``FCI and/or CUI'' as appropriate.
i. Use of Terms Information and Data
Comment: One comment noted the terms ``data'', ``technical data'',
and ``information'' are used synonymously throughout the rule and
supplemental documents. They also noted that neither NARA's CUI
Registry nor the NIST SP 800-171 R2 define the word ``information'' and
asserted this was a major oversight by NARA ISOO, the CUI Program
Executive Agent. The commenter requested this rule adopt the term
``Information'' throughout the rule and only use ``data'' when
specifically intended based on its definition. Another commenter
requested the term ``Technical Data'' be replaced with the term
``Information''.
Response: As a commenter stated, both the CUI program and NIST use
the term ``information''. Suggestions that the DoD work with NARA or
NIST to define this term are outside the scope of this rule. Within
this rule, data generally refers to individual facts, such as those
submitted to eMASS or SPRS; however, data and information may be used
interchangeably. DoD declined to make requested administrative edits
because they would not result in a substantive change.
j. Source Materials Incorporated by Reference
Comment: Four comments asked for clarification of those documents
incorporated by reference, or the specific versions of documents
referenced in the rule.
Response: The DoD declined to incorporate by reference the
Department's role as data owner. NIST SP 800-53 R5 was incorporated by
reference only for use with applicable definitions because it provided
the latest definitions available.
The OSA is responsible for determining its CMMC Assessment Scope
and its relationship to security domains. Assets are out-of-scope when
[[Page 83163]]
they are physically or logically separated from the assessment scope.
Contractor Risk Managed Assets are only applicable within the OSA's
assessment scope. Table 3 to Sec. 170.19(c)(1) is used to identify the
asset categories within the assessment scope and the associated
requirements for each asset category. Contractor's risk-based security
policies, procedures, and practices are not used to define the scope of
the assessment, they are descriptive of the types of documents an
assessor will use to meet the CMMC assessment requirements.
To ensure the source of every definition is accounted for, the
terms in Sec. 170.4 either cite a reference or are designated as CMMC-
custom using the notation ``(CMMC-custom term).'' The rule has been
updated to eliminate the CNSS Glossary definitions and replace them
with appropriate NIST definitions.
k. Miscellaneous Other Terms, References and Notations
Comment: Three comments asked about references to the DoD Manual
8570, ``Information Assurance Workforce Improvement Program,'' and one
asked if the references should be replaced by the newer DoD Manual
8140.
One commenter suggested DoD add an enhanced definition of
``Security Domain'' to the glossary.
One questioned use of the CNSSI-4009 Glossary instead of the NIST
Glossary of Terms. One comment requested a change to text quoted from
another source. One commenter asserted that the rule includes no
reference to ``existing FAR, DFARS, or DoD authoritative sources'' and
recommended that they be added instead of referencing NIST publications
only.
One comment asked if it is necessary to read and understand all
FIPS, NIST SP 800, CNSSI, and ISO/IEC documents incorporated by
reference in Sec. 170.2. One comment requested the references for
CMMC Assessment Guides in Appendix A be changed to NIST SP 800-171A
Jun2018 and NIST SP 800-172A Mar2022. Two comments noted version
numbers are not always provided for two specific document sources.
Another comment requested references for supporting information,
resources, and training for the DIB.
A commenter asked if the term ``Government Information Systems''
was equivalent to the term ``Federal Information Systems'' while
another expressed that the term ``CMMC Level 2 Final Certification
Assessment'' was confusing given that ``Assessment'' and
``Certification'' are two separate and distinct terms. Another comment
noted that the Summary Information section states there is a difference
between a POA and a POA&M but recommended both terms be defined for
clarity.
One comment stated the ``CMMC Certified Assessor (CCA)'' definition
and acronym are not used consistently in the rule and the current CMMC
AB's website. Another comment noted that the term, ``related
practitioners'' under the definition of CAICO in Sec. 170.4 could be
confused with the term ``Registered Practitioners (RP)'' used by the
CMMC AB as their designation for consultants.
One comment stated that the DoD must be deliberate in its use of
certain terms, especially the words ``must'' and ``shall'', which
connote legal requirements, versus words like ``will'', ``expected'',
``can'', ``may'', ``should'', etc., which are permissive (i.e.,
optional).
One commenter noted the word ``practice'' was replaced multiple
times based on a comparison of pre-publication drafts with the formal
drafts that were published for public comment.
Another comment asserted that the DoD is falsely describing the
CMMC program as addressing ``basic'' cybersecurity requirements when
this is the most demanding cybersecurity standard ever produced.
One commenter objected to the CMMC Level 1, 2, and 3 Assessment
definitions in Sec. 170.4 referring to the content of corresponding
rule sections and suggested that the definitions be deleted from Sec.
170.4 unless they can be succinctly defined without doing so.
Response: The rule has been updated to reference DoD Manual 8140,
``Cyberspace Workforce Qualification and Management Program,'' which
replaced DoD Manual 8570, ``Information Assurance Workforce Improvement
Program.'' DoD Manual 8140.03 is available at: https://dodcio.defense.gov/Portals/0/Documents/Library/DoDM-8140-03.pdf.
No changes were made to quotations from sources outside the rule. A
definition cited from a source must exactly match the source; it cannot
be altered. To address a commenter's misperception that the rule does
not reference ``existing FAR/DFARS, or other DoD authoritative
sources,'' it should be noted that the CMMC proposed rule includes 54
mentions each of FAR clause 52.204-21 and DFARS clause 252.204-7012.
The DFARS clause 252.204-7012 is added to DoD contracts to implement
the requirements of NIST SP 800-171, which is the authoritative
reference for adequate safeguarding of CUI.
Contractors complying with CMMC need to be familiar with those
documents that are incorporated by reference, which address
requirement-related topics. NIST SP 800-53 R5 is incorporated by
reference only for applicable definitions because DoD chose to use the
latest definitions available. The purpose of a reference listed in
Sec. 170.2 should be interpreted based on the context in which it is
used. For example, the references provided in Sec. 170.4 specify the
source of the definition. The references for the CMMC Assessment
Guides listed in Appendix A have been updated. These guides are largely
derived from NIST SP 800-171 R2, NIST SP 800-171A Jun2018, NIST SP 800-
172 Feb2021, and NIST SP 800-172A Mar2022.
The DoD has updated Sec. 170.3 to align with the FAR terminology
and now reflects ``Federal Information System'' instead of ``Government
Information System''.
The DoD updated the rule to reference the latest version of ``Cloud
Security Technical Reference Architecture'' and, where appropriate, to
identify a revision number for NIST SP 800-171. Specific details of
cybersecurity-related resources and training developed to support the
DIB are outside the scope of this rule. As it becomes available,
supporting resources and training information will be disseminated.
Currently, multiple public resources are available to help educate
companies on NIST and CMMC requirements.
The DoD declined to respond to comments based on comparison of pre-
publication draft versions of the supplemental guidance documents.
A commenter's claim that DoD views the CMMC program as only
addressing ``basic cybersecurity'' is incorrect. Throughout the rule,
references to ``basic safeguarding'' mean the requirements of CMMC
Level 1, which align directly to the requirements of FAR clause 52.204-
21. That FAR clause is titled ``Basic Safeguarding of Covered
Contractor Information Systems''. Similarly, the CMMC program
establishes a CMMC Level 3 requirement to comply with a subset of
requirements from NIST SP 800-172 Feb2021, titled, ``Enhanced Security
Requirements for Protecting Controlled Unclassified Information.''
Section 170.4 includes acronyms and definitions used in the rule
text. Terms from other authoritative sources are listed in Sec. 170.4
and are properly sourced. 1 CFR part 51 governs drafting of this rule.
The DoD updated the rule throughout to reflect new terminology
better differentiating between the activity of
[[Page 83164]]
undergoing an assessment and the CMMC Status that may result from that
activity. An OSA undergoes one of the following: Level 1 self-
assessment; Level 2 self-assessment; Level 2 certification assessment;
or Level 3 certification assessment. The result of that assessment
activity is either failure to meet minimum requirements or one of the
following CMMC Statuses: Final Level 1 (Self); Conditional Level 2
(Self); Final Level 2 (Self); Conditional Level 2 (C3PAO); Final Level
2 (C3PAO); Conditional Level 3 (DIBCAC); or Final Level 3 (DIBCAC).
The official DoD acronym for CCA is ``CMMC Certified Assessor,'' as
addressed in Sec. 170.4. All CMMC terms and definitions provided in
this 32 CFR part 170 CMMC Program rule are codified and therefore take
precedence over definitions and acronym usage from the CMMC website or
other sources.
To avoid confusion in the ecosystem with the term ``practitioner'',
the DoD modified the definition in Sec. 170.4 to replace the word
``practitioners'' with ``professionals.''
While ``must'' is a more commonly used term than ``shall'', both
terms impose a requirement as defined in FAR 2.101 Definitions.
33. Rule Text Modifications
a. Changes to the Preamble
Comment: One commenter recommended that the supplemental Assessment
Guides be consolidated with and cross referenced to requirements for
the CMMC Levels in the same document. Eighty-three comments requested
changes to the preamble section of the rule text. Of those, 17 were
incorporated and are summarized below.
Writing Style: Multiple commenters wanted shorter, simpler, and
more focused wording starting with changes to the first sentence in the
Summary section.
Word Choices: In the ``CMMC 2.0 Overview as Proposed by this Rule''
section several comments objected to the description of FAR clause
52.204-21 requirements as ``elementary'' or ``basic''. One comment
asserted that ``may'' is not the correct verb for ``Defense contracts .
. . may include applicable requirements . . . ,''. One comment
suggested the preamble sentence ``Once CMMC is implemented, the
required CMMC level for contractors will be specified in the
solicitation,'' be revised to use wording that is more consistent with
other parts of the preamble and rule text. One commenter proposed edits
to remove passive voice from a sentence in the preamble description of
Key Changes Incorporated in the Revised CMMC Program. One commenter
requested a change to reference the relevant DFARS clause 252.204-7012,
rather than the DFARS subpart 204.73.
Clarifications: Two comments asserted that the description of the
affirmations requirement could be misinterpreted as suggesting that
primes and subcontractors all submit a single affirmation or that one
contractor must affirm another's continuing compliance. One comment
requested clarification about FedRAMP requirements for Cloud Service
Providers. Some comments asked whether POA&Ms must be documented in the
System Security Plan. One comment recommended punctuation and
grammatical edits and asked for clarification of rule text that
discusses the impact of not logically or physically separating
contractor-owned information systems that process, store, or transmit
FCI (or CUI) from those that do not.
Response: This rule follows the format and includes all sections
required in OMB guidelines for formal rulemaking. The DoD lacks
authority to modify the template or omit required sections, as
requested by some commenters. In addition, one commenter recommended
that the supplemental Assessment Guides be consolidated with and cross
referenced to requirements for the CMMC Levels in the same document.
The DoD interpreted this recommendation as a request to integrate all
information in the supplemental guidance into the rule text, which does
not align with rulemaking guidelines (1 CFR part 51). No changes were
made to consolidate or integrate the supplemental guidance documents,
which are not codified and are provided as optional resources to assist
OSAs. The regulatory content in the 32 CFR part 170 CMMC Program rule
takes precedence.
Some commenters criticized the preamble summary paragraph, and one
submitted a preferred rewrite that oversimplified the content so far as
to alter the intended meaning. For that reason, the specific revisions
were not incorporated. However, the DoD has revised the final rule to
begin with a simplified statement of its purpose, as follows: ``With
this final rule, DoD establishes a scalable way to verify, through
assessment, that contractors have implemented required security
measures necessary to safeguard DoD's Federal Contract Information
(FCI) and Controlled Unclassified Information (CUI)''.
The DoD strove to streamline the writing style. Note that the
preamble is not part of the regulatory text, however, it is a required
part of the rulemaking template. The DoD made the following changes to
the preamble based on requests for text modifications.
The preamble is updated to change the verb ``will'' to ``should'',
where appropriate. The preamble and regulatory text have been updated
to clarify that a Plan of Action need not be part of the System
Security Plan. The sentence in the preamble overview about FAR clause
52.204-21 requirements has been rewritten to describe them as ``the
minimum necessary'' to receive FCI, rather than describing them as
``elementary'' for ``basic'' cybersecurity. Note that the title of the
FAR clause 52.204-21 clause is Basic Safeguarding Requirements.
A preamble overview paragraph about Affirming Officials is revised
to clarify that CMMC affirmations shall be submitted by the OSA and
apply only to the information systems of that organization. DoD's use
of the term OSA within the affirmations section is deliberate and
conveys that each organization is responsible for affirmations
pertaining to their own assessments. A preamble overview paragraph
about Cloud Service Providers has been aligned to DFARS clause 252.204-
7012 language and specifies that defense contractors must confirm that
any CSPs they use to handle CUI must meet FedRAMP Moderate Baseline
standards. Wording in the preamble overview of the rule has been edited
from ``may include'' to ``require'', to clarify a statement about when
DFARS clause 252.204-7012 applies. One sentence in the preamble about
the regulatory impact of CMMC Requirements has been edited into two
sentences to make clear that solicitations identify CMMC contract
requirements, rather than ``for contractors'', and that only
contractors handling FCI or CUI must meet the specified CMMC
requirements.
The DoD has incorporated a suggested re-wording to simplify the
description of CMMC Level 2 assessments in the preamble paragraph
describing Key Changes Incorporated in the Revised CMMC Program.
b. Changes to the Regulatory Text
Comment: Of the 52 comments that requested changes to the
regulatory text (Sec. Sec. 170.1 through 170.24), the nine which DoD
incorporated are summarized below.
Word choices: In Sec. 170.1(b), two comments posited that the word
``enhance'' is inaccurate in the phrase
[[Page 83165]]
``The CMMC Program is designed to enhance protection of FCI and CUI . .
.''. In Sec. 170.9(a) one comment noted that C3PAOs do not ``grant''
assessments, they ``conduct'' them. Another asked why, in table 3 to
Sec. 170.19(c)(1), the CUI Asset category needs to be assessed against
``CMMC security requirements'' but in table 5 to Sec. 170.19(d)(1),
the same category is assessed against ``all CMMC security
requirements.'' For Sec. 170.4(b), one comment requested appending
``and to the DoD'' to the definition of Assessment Findings Report.
Paragraph Organization: For Applicability, a comment recommended
changing the order of paragraphs in Sec. 170.3 and other text changes
to improve clarity.
Reference: One comment noted that the Sec. 170.6(b) phrase ``as
provided for under DFARS clauses 252.204-7012 and 7020 . . .'' is in
error because the section describes CMMC PMO responsibilities and only
DFARS clause 252.204-7020 references DIBCAC assessments of OSAs.
Redundancy: One comment asserted that Sec. 170.9(b)(9) and Sec.
170.9(b)(20) are redundant as both describe that assessment appeals and
results are entered into eMASS.
Consistency: One comment pointed out an inconsistency between the
text in Sec. 170.18(c)(1)(i) and the Scoping Guide related to whether
a CMMC Level 3 Assessment Scope must be the same as, or may be a subset
of, the Assessment Scope of the prerequisite CMMC Level 2
certification.
Clarifications: One comment asked whether the stipulation that CCIs
must not disclose CMMC data or metrics applies to all data or only
``non-public'' data.
Consistency: One commenter asked for clarification regarding
templates and formats required for information uploaded into the CMMC
instantiation of eMASS.
Response: The DoD has incorporated a request to delete the word
``enhance'' from Sec. 170.1(b), and the purpose of the CMMC Program
now reads that the CMMC Program is designed as a compliance assessment
to assist in DoD's enforcement of information safeguarding
requirements. Lower level paragraphs in Sec. 170.3 have been reordered
for added clarity.
The words ``and to the DoD via CMMC eMASS'' have been added to the
end of the Assessment Findings Report definition in Sec. 170.4(b). In
addition, Sec. 170.9(b)(17) has been rephrased to stipulate that all
assessment data and information uploaded into the CMMC instantiation of
eMASS must be compliant with the data standard provided in the eMASS
CMMC Assessment Import Templates available on the CMMC eMASS website.
The DoD replaced the word ``granting'' with the word ``conducting''
in the description of C3PAO assessments in Sec. 170.9(a). Sections
170.9(b)(9) and (b)(20) have been modified to eliminate redundancy
between the two paragraphs; however, the DoD did not concur that
Sec. Sec. 170.9(b)(17) and (18) are redundant and made no change.
Section 170.18(c)(1)(i) was revised to clarify that the CMMC
Assessment Scope for Level 3 must be equal to or a subset of the CMMC
Assessment Scope for the Level 2 certification assessment of the system
in question. Section 170.19 was revised to clarify that, for CMMC Level
2, OSAs will be assessed against all Level 2 requirements. For CMMC
Level 3, OSAs will be assessed against all Level 2 and Level 3
requirements.
Section 170.1 has been revised to correct punctuation and improve
grammar. The section now conveys more clearly that the CMMC Program is
designed as a compliance assessment to assist in DoD's enforcement of
information safeguarding requirements. No changes were made regarding
use of ``not logically or physically isolated from all such CUI
systems''. Specifying a CMMC Assessment Scope is a necessary
preparatory step for a CMMC assessment. Assessment requirements are
specified in Sec. 170.19. At Levels 2 and 3, logical or physical
isolation is the primary mechanism used to separate in-scope from out-
of-scope assets. CRMA and Specialized Asset categories only apply to
assets that are within the Assessment Scope or boundary.
Sec. 170.6(b) has been revised to reference DFARS clause 252.204-
7020 rather than DFARS clause 252.204-7012. In addition, Sec. 170.05
was revised to reference DFARS clause 252.204-7012, rather than DFARS
204.73, for consistency and clarity.
The title of Sec. 170.16(c)(1) has been updated to specify self-
assessment of the OSA. DoD declined to make other administrative
changes because they would not result in a substantive change.
Sec. 170.12(b)(8) has been revised to clarify that CCIs must not
disclose CMMC data or metrics that are PPI, FCI, or CUI without prior
coordination with and approval from DoD.
c. Changes Recommended but Not Incorporated
Comment: Many comments addressed non-substantive administrative
changes or writing style and were not incorporated. Many comments
requested substantive changes that were not incorporated, and which are
described more fully in the response below.
Response: Thirty-eight other recommendations were not
incorporated because they did not result in substantive changes. The
DoD declines to delete references or convert narrative text
explanations into tables, bullets, or other truncated formats because
the intent is to facilitate reader understanding of complex
requirements. Other recommended administrative changes which did not
result in a substantive change were also not incorporated.
Other changes were not incorporated because the revisions would
result in unintended or inaccurate meaning of the text. The following
explanation is provided for those unincorporated but substantive
recommendations.
The DoD did not change content in the Discussion of Public Comments
section that addressed responses to the original 48 CFR CMMC interim
final rule, because intervening rule changes made in response to public
comments received about the more recent proposed rule(s) supersede text
of the earlier rule.
Section 170.3(a)(1) applies to contract awardees. While the rule
may impact External Service Providers and Cloud Service providers, the
rule is not directly applicable to them. CMMC requirements apply at the
time of contract award and thereafter.
DoD declined to change the program name as it is well known in the
community, and the tiered approach to the model still embodies a
concept of cybersecurity maturity. OSA responsibilities for complying
with CMMC are provided throughout the rule and do not need to be
repeated.
CMMC is a program that validates implementation via assessment; the
rule does not prescribe how to implement.
In the first sentence of the Summary, this rule describes that the
CMMC assessment mechanism will cover both existing security
requirements for CUI, and new security requirements for certain
programs. No additional reference is necessary in the introductory
summary because the specific NIST reference documents are mentioned
shortly after the summary and throughout the rule text.
DoD declined to revise Sec. 170.2 to use the word ``competent''
because ``competence'' is the word included in the referenced ISO/IEC
17011:2017(E) Abstract.
[[Page 83166]]
The rule retains requirements to provide all documentation and
records in English because it is necessary for adequate program
management and specifying this requirement is required to ensure
clarity of interpretation.
The DoD has reviewed Sec. 170.17(c)(2)(ii) and does not agree that
a noun is missing. The lead-in paragraph provides the noun, and it is
not necessary to repeat the phrase. The DoD disagrees that portions of
Sec. 170.18(c)(1) are redundant and therefore did not delete the lower
level paragraphs; however, revisions were made to clarify that a Level 2
certification assessment is needed prior to a Level 3 certification
assessment.
Recommended edits to Sec. 170.24(9) that would change the meaning
were not accepted. During the assessment process, the Lead Assessor/
Assessor must view any prior DoD CIO adjudication of proposed variances
to security requirements in the system security plan to ensure correct
implementation and render a determination of MET if there have been no
changes in the environment.
The DoD did not modify Sec. 170.10 to permit CCAs, CCPs, and CCIs
to retrain ``or'' recertify, instead of both, upon significant change
to DoD's CMMC Program requirements under this rule. The DoD disagreed
with one commenter's assertion that the summary within the preamble to
the rule implies CMMC assessments address all DFARS clause 252.204-7012
requirements, therefore no edits were necessary. The rule indicates
that the applicable CMMC Level 2 security requirements are those in
NIST SP 800-171 R2 as implemented in DFARS clause 252.204-7012.
Revisions suggesting that all objectives identified in NIST SP 800-
171A Jun2018 need not be met are not accurate and not incorporated.
Each assessment objective in NIST SP 800-171A Jun2018 must yield a
finding of MET or NOT APPLICABLE for the overall security requirement
to be scored as MET. Assessors exercise judgment in determining when
sufficient and adequate evidence has been presented to make an
assessment finding. This is consistent with current DIBCAC High
Assessments and assessments conducted under the Joint Surveillance
Voluntary Assessment Program (JSVAP). A security requirement can be
applicable, even with assessment objectives that are N/A. The security
requirement is NOT MET when one or more applicable assessment
objectives is NOT MET.
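The scoring rule in the paragraph above (a requirement is NOT MET when any applicable objective is NOT MET, and MET only when every objective is MET or NOT APPLICABLE) is easy to get wrong in a self-assessment tracker, so here is an added example that encodes it, written for this page and not taken from the rule or any DoD tool. The requirement identifiers and the per-objective findings below are constructed sample data; the handling of a requirement whose objectives are all NOT APPLICABLE is an assumption made here, since the page does not define that case.

```python
from enum import Enum
from typing import Dict, Iterable, List


class Finding(str, Enum):
    """Assessment-objective and requirement-level findings used in the rule text."""
    MET = "MET"
    NOT_MET = "NOT MET"
    NOT_APPLICABLE = "NOT APPLICABLE"


def score_requirement(objective_findings: Iterable[str]) -> Finding:
    """Roll per-objective findings up to a single security-requirement finding.

    - Any applicable objective that is NOT MET makes the requirement NOT MET.
    - Otherwise every objective is MET or NOT APPLICABLE, so the requirement is MET.
    - Assumption (not stated on the page): if every objective is NOT APPLICABLE,
      the requirement itself is reported as NOT APPLICABLE rather than MET.
    """
    findings: List[Finding] = [Finding(f) for f in objective_findings]
    if not findings:
        raise ValueError("a security requirement has at least one assessment objective")
    if any(f is Finding.NOT_MET for f in findings):
        return Finding.NOT_MET
    if all(f is Finding.NOT_APPLICABLE for f in findings):
        return Finding.NOT_APPLICABLE  # assumption, see docstring
    return Finding.MET


def score_assessment(results: Dict[str, List[str]]) -> Dict[str, Finding]:
    """Score every requirement in a {requirement_id: [objective findings]} map."""
    return {req_id: score_requirement(objs) for req_id, objs in results.items()}


def requirements_needing_remediation(results: Dict[str, List[str]]) -> List[str]:
    """Requirement ids that are NOT MET and therefore need a plan of action."""
    scored = score_assessment(results)
    return sorted(req_id for req_id, finding in scored.items() if finding is Finding.NOT_MET)


# Constructed sample input: requirement ids in NIST SP 800-171 style with
# made-up objective findings (hypothetical, not a real assessment record).
SAMPLE_RESULTS: Dict[str, List[str]] = {
    "3.1.1": ["MET", "MET", "NOT APPLICABLE"],     # one N/A objective, still MET
    "3.1.2": ["MET", "NOT MET"],                   # one NOT MET objective sinks it
    "3.5.3": ["NOT APPLICABLE", "NOT APPLICABLE"], # all N/A (assumed NOT APPLICABLE)
    "3.13.1": ["MET", "MET", "MET"],
}


if __name__ == "__main__":
    for req_id, finding in score_assessment(SAMPLE_RESULTS).items():
        print(f"{req_id}: {finding.value}")
    print("needs remediation:", requirements_needing_remediation(SAMPLE_RESULTS))
```

The point of rolling findings up this way is that a requirement is never "mostly met": a single NOT MET objective puts the whole requirement on the remediation list, which matches how the page describes the assessor's determination.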
Recommendations to address specific contractual matters were not
addressed, because this is a 32 CFR part 170 CMMC Program rule and not
an acquisition regulation. Any comments related to contract
requirements should be provided in response to the 48 CFR part 204 CMMC
Acquisition rule.
The CMMC rule does not specify the number of POA&Ms that may be
used to address one or more CMMC security requirement that were NOT MET
during a CMMC assessment. The OSA may choose to use a single POA&M or
multiple POA&Ms.
No edits were made to reference CCAs in Sec. 170.7, which covers
responsibilities for only the DIBCAC, and not CCAs. Sec. 170.11 covers
responsibilities for CCAs. DoD declined to add verbiage to address the
potential revision or cancellation of an ISO/IEC standard because Sec.
170.8 adequately reflects that the Accreditation Body shall achieve
full compliance with revised ISO/IEC 17011:2017(E) standards. Standards
are not effective until published as final.
The DoD declined to adopt one commenter's suggestion to submit all
appeals investigation materials with the final decision into eMASS;
however, an updated assessment result, if any, will be input into
eMASS. In addition, C3PAOs are required to retain assessment artifacts
for 6 years.
DoD did not agree with one commenter's assertion that the preamble
description of the CMMC Program is incomplete or inaccurate, or that
the rule makes implicit changes to DFARS clause 252.204-7010 reporting
requirements for activities subject to the U.S.-International Atomic
Energy Agency Additional Protocol. The referenced paragraph, which
appears both in the preamble background section and in an overview
paragraph of the supplemental documents, accurately portrays the CMMC
Program as a compliance assessment model to assist in DoD's enforcement
of FCI and CUI safeguarding requirements. No change has been made in
either location.
The DoD also declines to specify in the rule the DoD offices that
review Tier 3 background investigations or equivalency determinations.
No language related to Cloud Service Offerings (CSO) was added in Sec.
170.19 column two. Assets that process, store, or transmit CUI are
handled the same way regardless of whether they are from a CSO or
otherwise. Therefore, there is no need to call out CSOs in the table.
The DoD minimized use of the passive voice to an extent in this
final rule; however, in some places the passive voice is used to
emphasize the action occurring rather than the individual or entity
performing the action.
There is no version number in the title of the CMMC Program. Terms
such as versions 1.0 or 2.0 have previously been used in DoD's public
engagements as a colloquial way to communicate differences in content
as the program has evolved. This final rule codifies the program and
does include changes from the proposed rule. Only those public comments
received during the 60-day comment period following the December 26,
2023 publication (88 FR 89058) are addressed in this final rule.
34. Error Corrections
Comment: Numerous administrative comments were received that
addressed formatting, grammar, punctuation, and typographical errors as
well as word usage and acronym errors. Wording discrepancies,
redundancies, and inaccuracies were also reported by multiple comments.
Several comments identified inconsistencies between FedRAMP
equivalency as stated in Sec. 170.16(c)(2)(ii) and as described in the
DoD CIO's December 21, 2023, Federal Risk and Authorization Management
Program Moderate Equivalency for Cloud Service Provider's Cloud Service
Offerings memorandum. One comment requested moving the phrase ``in
accordance with all applicable policies, procedures, and requirements''
in Sec. 170.5(d) to an earlier part of the sentence to be
grammatically correct.
One comment noted that DFARS provision 252.204-7019 does not
stipulate assessments must be a ``self-assessment'' as stated in the
CMMC 2.0 Overview as Proposed by this Rule section. Also in the same
section, one comment indicated the SSP description should not direct
the user to explain how each requirement is implemented, monitored, and
enforced.
One comment asked if the reference to NIST SP 900-171A refers to
the current version or if a version number should be specified. Three
comments indicated issues using embedded links to websites. One comment
noted that ``inspection activities'' should be changed to ``assessment
activities'' in 170.9(b)(10). One comment asserted that in 170.17(a)(1)
the word ``obtaining'' should be deleted in the phrase ``. . . the OSC
must achieve either CMMC Level 2 Conditional Certification or Final
Certification through obtaining a CMMC Level 2 Certification Assessment
. . .''
Response:
Typographical, Grammatical, and Punctuation Errors, and Formatting
The DoD reviewed all reported grammatical, punctuation,
[[Page 83167]]
typographical, and acronym-related errors, and the preamble, RIA, and
rule have been updated to address all confirmed errors. Additionally,
the formatting errors in the CMMC Level 2 Asset Categories and
Associated Requirements row of table 1 of Sec. 170.19(c)(1) have been
corrected. The final rule has been revised to correct document titles
as needed.
A commenter provided feedback on the PRA and identified incorrect
markings in information collection samples. DoD will work with DISA to
ensure the final versions of the eMASS templates contain the proper
markings. An OSA's CMMC certification assessment results will be
ingested into DoD's CMMC instance using the eMASS CMMC Assessment
Import Templates published at https://cmmc.emass.apps.mil. The
requirements for C3PAOs and DCMA DIBCAC and what is submitted into CMMC
eMASS are described in Sec. Sec. 170.7, 170.9, 170.17(a)(1)(i),
170.18(a)(1)(i), and 170.19. The documents accompanying the PRA were
intended to serve as samples. The comment also contained an incorrect
assumption that commercial privileged information ``is not CUI because
it is incidental to the performance of the contract.'' The commenter
has confused CDI with CUI and is incorrect in the assumption that
commercial privileged information is not CUI because of it being
incidental to the performance of the contract.
Word Usage
Incorrect uses of ``tri-annually'' have been corrected. Where
appropriate the wording has been changed to ``every three years'' for
clarity. In the preamble to the rule, the statement ``. . . and
triennial affirmation . . .'' has been corrected to indicate the
affirmations are an ``annual'' requirement. DoD has updated the
preamble to the rule to use the correct certification assessment
terminology.
The link on the Federal Register website has been corrected and now
resolves to the website indicated.
Incorrect or Incomplete References
Several incorrect or incomplete references have also been
corrected. Sec. 170.9(b)(1) has been corrected to refer to the
authorization in Sec. 170.8(a). One comment asserted that there is no
section (c) associated with the reference ``Sec. 170.17(a)(1) and
(c)'' which is in Sec. 170.9(b)(6). The section ``Sec. 170.17(c)
Procedures'' does exist and addresses the procedures associated with a
CMMC Level 2 Certification Assessment. Section 170.17(a)(1) addresses
the Level 2 Certification Assessment requirements for an OSC. The rule
has been updated in Sec. 170.9(b)(6) for clarity.
Commenters accurately noted that Sec. 170.17(a)(1) should refer to
the Level 2 requirements in Sec. 170.14(c)(3), and this has been
corrected. The reference in Sec. 170.18(c)(5)(ii) has been updated to
say, ``that maps to the NIST SP 800-171 R2 and a subset of the NIST SP
800-172 Feb2021 requirements''. The rule is updated to replace the
instruction ``(insert references L1-3)'' with ``Sec. 170.19 CMMC
scoping.''
Wording Discrepancies, Redundancies, and Inaccuracies
To address a discrepancy between the rule and scoping guidance, the
Level 2 Scoping Guide has been updated for clarity and alignment with
Sec. 170.16(a) which states that meeting the CMMC Level 2 Self-
Assessment requirements also satisfies the CMMC Level 1 Self-Assessment
requirements for the same CMMC Assessment Scope. Additionally, the
preamble to this rule has been updated to clarify that not all
affirmations will occur prior to contract award because POA&M closeout
affirmations may occur after contract award.
To address a discrepancy about Level 1 scoring, in Sec. 170.24 the
phrase ``; therefore, no score is calculated, and no scoring
methodology is needed,'' has been deleted.
The regulatory text was updated to require FedRAMP moderate or
FedRAMP moderate equivalency in accordance with DoD Policy. CMMC
Program Requirements make no change to existing policies for
information security requirements implemented by DoD. The preamble was
modified to indicate DFARS provision 252.204-7019 requires an
assessment (basic, medium, or high) and not just a self-assessment
(basic).
The data input at Sec. 170.17(a)(1)(i)(F) for CMMC eMASS is
redundant so it has been removed. In the preamble, the DoD has also
removed the inaccurate phrase, ``certified by DoD'', from the statement
``Under CMMC, compliance will be checked by independent third-party
assessors certified by DoD.''
DoD has updated language in Sec. 170.18(a)(1)(i)(B) to reflect for
each DCMA DIBCAC Assessor conducting the assessment, ``name and
government organization information'' will be required for the CMMC
instantiation of eMASS.
The DoD has considered the recommendation to change the description
of what an SSP should contain and declines to revise the rule text. The
NIST SP 800-171 R2 requirement states that an SSP must describe ``. . .
how security requirements are implemented . . .'' which is equivalent
to going ``. . . through each NIST SP 800-171 security requirement and
explain how the requirement is implemented, monitored, and enforced.''
Perceived Errors
DoD declines to make the edit to change ``shall'' to ``will'' in
Sec. 170.9(b). The existing language is consistent with standard
rulemaking usage. The title for NIST SP 800-171A Jun2018 is the current
title used by NIST and does not have a version number, so no change was
needed. While not used in the rule text, the term enterprise is used in
the description of the CMMC Program in the preamble's Statement of Need
for This Rule section: Defense contractors can achieve a specific CMMC
Level for their entire enterprise network or an enclave(s), depending
upon where the information to be protected is processed, stored, or
transmitted; therefore enterprise remains in the definitions list.
DoD verified links by clicking on them in the PDF and by copying
and pasting the links into a web browser. In both cases links resolved
correctly.
The DoD has changed ``all personnel involved in inspection
activities'' to ``all personnel involved in assessment activities'' in
Sec. 170.9(b)(9).
A comment asserted that there was a rulemaking formatting error in
Sec. 170.4(b). DoD is following the Office of the Federal Register
standards for this section. In sections or paragraphs containing only
definitions, paragraph designations are not used, and the terms are
listed in alphabetical order. The definition paragraph begins with the
term being defined. If a definition contains subordinate paragraphs,
these paragraphs are numbered with paragraph designations beginning
with the next appropriate level based on the dedicated definitions
section.
The 2nd sentence of Sec. 170.17(a)(1) includes the word
``obtaining'' for clarity.
35. Comments in Favor of the CMMC Program
Comment: Some commenters expressed favorable opinions about the
CMMC program as a viable long-term solution to ensure cybersecurity
controls are in place. Others commented about specific content of the
32 CFR part 170 CMMC Program proposed rule and the supplemental
documents. For example, two commenters specifically complimented the
inclusion of an Affirmation requirement and another supported CMMC
implementation as a
[[Page 83168]]
pre-award requirement. Another commenter appreciated the regulatory
text which ``encourages'' contractors to consult with the Government
for additional guidance if or when unsure of appropriate CMMC Level to
assign a subcontract solicitation. Two commenters applauded the use of
already established workforce qualifications while another concurred
with the regulatory text permitting CMMC Certified Professionals (CCPs)
to participate in assessments with oversight of a CMMC Certified
Assessor (CCA). A commenter also expressed appreciation for the
regulatory text's alignment to a specific version of the guidelines
(i.e., NIST SP 800-171 R2). One commenter appreciated the video that
DoD published to accompany and explain the proposed rule. Several
comments cited the longstanding requirements of DFARS clause 252.204-
7012 and cybersecurity risks of not implementing NIST SP 800-171 R2 as
reasons that the 32 CFR part 170 CMMC Program final rule should be
implemented as soon as possible.
Response: The Department appreciates that several commenters
expressed agreement to and encouragement for the CMMC Program
requirement and its associated specific rule text. The DoD recognizes
that not all entities impacted by these regulations hold the same view
of its requirements and appreciates those that took the time to express
both positive and constructive feedback.
Applicability
Once CMMC is implemented in the 48 CFR part 204 CMMC Acquisition
rule, the CMMC Program will require DoD to identify the CMMC Level and
assessment type as a solicitation requirement and in the resulting
contract for any effort that will cause a contractor or subcontractor
to process, store, or transmit FCI or CUI on its unclassified
information system(s). Once CMMC is implemented in the 48 CFR part 204
CMMC Acquisition rule, contractors handling FCI or CUI will be required
to meet the CMMC Level and assessment type specified in the
solicitation and resulting contract.
Summary of Program Changes: DFARS Case 2019-D041 implemented DoD's
original model for assessing contractor information security
protections. The initial CMMC Program was comprised of five
progressively advanced levels of cybersecurity standards and required
defense contractors and subcontractors to undergo a certification
process to demonstrate compliance with the cybersecurity standards
associated with a given CMMC Level.
In March 2021, the Department initiated an internal review of
CMMC's implementation that engaged DoD's cybersecurity and acquisition
leaders to refine policy and program implementation, focusing on the
need to reduce costs for small businesses and align cybersecurity
requirements to other Federal standards and guidelines. This review
resulted in the revised CMMC Program, which streamlines assessment and
certification requirements and improves implementation of the CMMC
Program. These changes include:
Eliminating Levels 2 and 4, and renaming the remaining
three CMMC Levels as follows:
Level 1 will remain the same as the initial CMMC Program
Level 1;
Level 2 will be similar to the initial CMMC Program Level
3;
Level 3 will be similar to the initial CMMC Program Level
5.
Removing CMMC-unique requirements and maturity processes
from all levels;
For CMMC Level 1, allowing annual self-assessments with an
annual affirmation by company leadership;
Allowing a subset of companies at Level 2 to demonstrate
compliance through self-assessment rather than C3PAO assessment.
For CMMC Level 3, requiring Department-conducted
assessments; and
Developing a time-bound and enforceable POA&M process.
In December 2023, the Department published a proposed rule to amend
32 CFR part 170 in the Federal Register (Docket ID DOD-2023-OS-0063, 88
FR 89058), which implemented the DoD's vision for the revised CMMC
Program outlined in November 2021. The comment period for the proposed
rule concluded on February 26, 2024. Changes have been made to the CMMC
Program based on public comment. Significant changes include:
The Implementation Phase 1 has been extended by an
additional six months.
A new taxonomy was created differentiating the level and
type of assessment conducted from the CMMC Status achieved as a result.
Clarification was added regarding the DoD's role in
achievement or loss of CMMC Statuses.
CMMC Status will be automatically updated in SPRS for OSAs
who have met standards acceptance.
Requirements regarding conflict of interest were updated
to expand the cooling-off period for the CMMC Accreditation Body to one
year and bounded the timeframe between consulting and assessing for the
CMMC Ecosystem to three years.
A requirement was added for the CMMC Ecosystem members to
report adverse information to the CAICO.
A Provisional Instructor role was added to cover the
transitional period that ends 18 months after the effective date of
this rule.
A CCI requirement was added to clarify that a CCI must be
certified at the same or higher level than the classes they are
instructing.
A requirement for artifact retention was added to Level 1
self-assessments and Level 2 self-assessments.
The assessment requirements for ESPs have been reduced.
The definition of CSP has been narrowed and is now based
on NIST SP 800-145 Sept2011.
The assessment requirements for Security Protection Assets
and Security Protection Data have been reduced.
References to FedRAMP equivalency have been tied to DoD
policy.
Clarified the requirements for CSPs for an OSC seeking a
CMMC Status of Level 3 (DIBCAC).
Clarified that DCMA DIBCAC has the authority to perform
limited checks of compliance of assets that changed asset category or
changed assessment requirements between the Level 2 and Level 3
certification assessment.
Clarification was added around the use of VDI clients.
Provided clarification to distinguish between Plan of
Action & Milestones (POA&Ms) and operational plan of action.
Definitions have been added for: Affirming Official,
Assessment objective, Asset, CMMC security requirement, CMMC Status,
DoD Assessment Methodology, Enduring Exception, Operational plan of
action, Personally Identifiable Information, Security Protection Data
(SPD), and Temporary deficiency. Some definitions were also changed to
source from NIST documentation instead of Committee on National
Security Systems (CNSS) Instruction No. 4009.
Background
A. Statement of Need for This Rule
The Department of Defense (DoD) requires defense contractors to
protect FCI and CUI. To verify contractor and subcontractor
implementation of DoD's cybersecurity information protection
requirements, the Department developed the Cybersecurity Maturity Model
Certification (CMMC) Program as a means of assessing and verifying
[[Page 83169]]
adequate protection of contractor information systems that process,
store, or transmit either FCI or CUI.
The CMMC Program is intended to: (1) align cybersecurity
requirements to the sensitivity of unclassified information to be
protected, (2) add a self-assessment element to affirm implementation
of applicable cybersecurity requirements, (3) add a certification
element to verify implementation of cybersecurity requirements, and (4)
add an affirmation to attest to continued compliance with assessed
requirements. As part of the program, DoD also intends to provide
supporting resources and training to the DIB, to help support companies
who are working to achieve the required CMMC Status. The CMMC Program
provides for assessment at three levels, starting with basic
safeguarding of FCI at CMMC Level 1, moving to the broad protection of
CUI at CMMC Level 2, and culminating with higher-level protection of
CUI against risk from Advanced Persistent Threats (APTs) at CMMC Level
3.
The CMMC Program addresses DoD's need to protect FCI and CUI during
the acquisition and sustainment of products and services from the DIB.
This effort is instrumental in establishing cybersecurity as a
foundation for DoD acquisitions.
Although DoD contract requirements to provide adequate security for
covered defense information (reflected in DFARS clause 252.204-7012)
predate CMMC by many years, a verification requirement for the handling
of CUI to assess a contractor or subcontractor's implementation of
those required information security controls is new with the CMMC
Program.
The theft of intellectual property and sensitive information from
all U.S. industrial sectors from malicious cyber activity threatens
economic security and national security. The Council of Economic
Advisers estimates that malicious cyber activity cost the U.S. economy
between $57 billion and $109 billion in 2016.\24\ The Center for
Strategic and International Studies estimates that the total global
cost of cybercrime was as high as $600 billion in 2017.\25\
---------------------------------------------------------------------------
\24\ Based on information from the Council of Economic Advisors
report: The Cost of Malicious Cyber Activity to the U.S. Economy,
2018.
\25\ Based on information from the Center for Strategic and
International Studies report on the Economic Impact of Cybercrime;
www.csis.org/analysis/economic-impact-cybercrime.
---------------------------------------------------------------------------
Malicious cyber actors have targeted and continue to target defense
contractors and the DoD supply chain. These attacks not only focus on
the large prime contractors, but also target subcontractors that make
up the lower tiers of the DoD supply chain. Many of these
subcontractors are small entities that provide critical support and
innovation. Overall, the DIB sector consists of over 220,000 companies
\26\ that process, store, or transmit CUI or FCI in support of the
warfighter and contribute towards the research, engineering,
development, acquisition, production, delivery, sustainment, and
operations of DoD systems, networks, installations, capabilities, and
services. The aggregate loss of intellectual property and controlled
unclassified information from the DoD supply chain can undercut U.S.
technical advantages and innovation, as well as significantly increase
the risk to national security. As part of multiple lines of effort
focused on the security and resiliency of the DIB, the Department is
working with industry to enhance the protection of FCI and CUI within
the DoD supply chain. Toward this end, DoD has developed the CMMC
Program.
---------------------------------------------------------------------------
\26\ Based on information from the Federal Procurement Data
System, the average number of unique prime contractors is
approximately 212,650 and the number of known unique subcontractors
is approximately 8,300. (FPDS from FY18-FY21).
---------------------------------------------------------------------------
Cybersecurity Maturity Model Certification Program
The CMMC Program provides a comprehensive and scalable
certification approach to verify the implementation of requirements
associated with the achievement of a cybersecurity level. CMMC is
designed to provide increased assurance to the Department that defense
contractors can adequately protect FCI and CUI at a level commensurate
with the risk, accounting for information flow down to its
subcontractors in a multi-tier supply chain. Defense contractors can
achieve a specific CMMC Status for their entire enterprise network or
an enclave(s), depending upon where the information to be protected is
processed, stored, or transmitted.
The CMMC Program assesses implementation of cybersecurity
requirements. The CMMC requirements for safeguarding and security are
the same as those required by FAR Subpart 4.19 and DFARS clause
252.204-7012, as well as selected NIST SP 800-172 Feb2021 requirements.
CMMC Level 1 requires implementation of the safeguarding requirements
set forth in FAR clause 52.204-21. CMMC Level 2 requires implementation
of the security requirements in NIST SP 800-171 R2. CMMC Level 3
requires implementation of the security requirements in NIST SP 800-171
R2 as well as selected NIST SP 800-172 Feb2021 requirements, with DoD
specified parameters. The CMMC security requirements for all three
Levels are provided in Sec. 170.14. In general, CMMC assessments do
not duplicate efforts from existing DoD assessments. In rare
circumstances a re-assessment may be necessary when cybersecurity
risks, threats, or awareness have changed.
Under the CMMC Program, CMMC contract requirements include self-
assessments and third-party assessments for CMMC Level 2, predicated on
program criticality, information sensitivity, and the severity of cyber
threat. Based on the type and sensitivity of the information to be
protected, a defense contractor must achieve the appropriate CMMC
Status and demonstrate implementation of the associated set of
information protection requirements.
If the CMMC Status of Level 1 (Self) or Level 2 (Self) is a
contract requirement, the defense contractor will be required to self-
assess its compliance with the CMMC Level 1 or Level 2 security
requirements and submit both the self-assessment results and an
affirmation of conformance in SPRS. Level 1 self-assessment and
associated affirmation is required annually. Level 2 self-assessment is
required every three years with an affirmation following the self-
assessment and annually after the Final CMMC Status Date.
If the CMMC Status of Level 2 (C3PAO) is a contract requirement,
the Level 2 certification assessment must be performed by an authorized
or accredited CMMC Third Party Assessment Organization (C3PAO). When
the CMMC Status of Level 3 (DIBCAC) is a contract requirement, the
Level 3 certification assessment by DCMA DIBCAC is required following
the achievement of the CMMC Status of Final Level 2 (C3PAO). Upon
achievement of the CMMC Status of Level 2 (C3PAO) or Level 3 (DIBCAC),
the offeror will be issued a Certificate of CMMC Status. The assessment
results are documented in SPRS to enable contracting officers to verify
the CMMC Status and CMMC Status Date (i.e., not more than three years
old) of an offeror prior to contract award. The offeror must also
submit an affirmation of conformance in SPRS following the assessment
and annually after the Final CMMC Status Date.
CMMC allows the use of a Plan of Action and Milestones (POA&Ms) for
specified CMMC Level 2 and Level 3 security requirements. Each POA&M
must be closed (i.e., all requirements completed), within 180 days of
the initial assessment.
[[Page 83170]]
The details of the requirements for self-assessment, certification
assessment, and affirmation for each CMMC Level, are provided in
Sec. Sec. 170.15 through 170.18. POA&M requirements and affirmation
requirements are provided in Sec. Sec. 170.21 and 170.22.
DoD's phased implementation of the CMMC Status requirements is
described in Sec. 170.3(e). Once CMMC requirements have been
implemented in the DFARS, the solicitation and resulting contract will
identify the specific CMMC Status required for that procurement.
Selection of a CMMC Status will be based upon careful consideration of
market research and the likelihood of a robust competitive market of
prospective offerors capable of meeting the requirement. In some
scenarios, DoD may elect to waive application of CMMC Status
requirements to a particular procurement. In such cases, the
solicitation will not include a CMMC Status requirement. Such waivers
may be requested and approved by the Department in accordance with
DoD's internal policies and procedures. For a DoD solicitation or
contract that does include CMMC requirements, including those for the
acquisition of commercial items (except those exclusively COTS items)
valued at greater than the micro-purchase threshold, contracting
officers will not make award, or exercise an option on a contract, if
the offeror or contractor does not meet the requirements for the
required CMMC Status. Furthermore, CMMC requirements are required to
flow down to subcontractors as prescribed in the solicitation and
resulting contract at all tiers, commensurate with the sensitivity of
the unclassified information flowed down to each subcontractor.
B. Legal Authority
5 U.S.C. 301 authorizes the head of an Executive department or
military department to prescribe regulations for the government of his
or her department, the conduct of its employees, the distribution and
performance of its business, and the custody, use, and preservation of
its records, papers, and property (www.govinfo.gov/content/pkg/USCODE-2009-title5/pdf/USCODE-2009-title5-partI-chap3-sec301.pdf).
Section 1648 of the National Defense Authorization Act for Fiscal
Year 2020 (Pub. L. 116-92) \27\ directs the Secretary of Defense to
develop a consistent, comprehensive framework to enhance cybersecurity
for the U.S. Defense Industrial Base (DIB). The CMMC Program is an
important part of this framework.
---------------------------------------------------------------------------
\27\ www.govinfo.gov/content/pkg/PLAW-116publ92/pdf/PLAW-116publ92.pdf.
---------------------------------------------------------------------------
C. Community Impact
This final rule impacts all prospective and actual DoD contractors
and subcontractors that are handling or will handle DoD information
that meets the standards for FCI or CUI on a contractor information
system during performance of the DoD contract or subcontract. This
final rule also impacts all companies who are performing or will
perform accreditation, training, certification, or assessment functions
in connection with implementation of the CMMC Program.
D. Regulatory History
The CMMC Program verifies defense contractor compliance with DoD's
cybersecurity information protection requirements. It is designed to
protect FCI and CUI that is shared by the Department with, or generated
by, its contractors and subcontractors. The cybersecurity standards
required by the program are the same as those set forth in FAR clause
52.204-21 (CMMC Level 1), the NIST SP 800-171 R2 guidelines, which are
presently required by DFARS clause 252.204-7012 (CMMC Level 2), and
additional selected requirements from the NIST SP 800-172 Feb2021
guidelines (CMMC Level 3). The program adds a robust assessment element
and provides the Department increased assurance that contractors and
subcontractors are meeting these requirements.
In September 2020, the DoD published the 48 CFR CMMC interim final
rule to the DFARS in the Federal Register (DFARS Case 2019-D041, 85 FR
48513, September 9, 2020), which implemented the DoD's vision for the
initial CMMC Program and outlined the basic features of the program
(tiered model, required assessments, and implementation through
contracts). The 48 CFR CMMC interim final rule became effective on
November 30, 2020, establishing a five-year phase-in period.
In March 2021, the Department initiated an internal review of
CMMC's implementation, informed by more than 750 CMMC-related public
comments in response to the 48 CFR CMMC interim final rule. This
comprehensive, programmatic assessment engaged cybersecurity and
acquisition leaders within DoD to refine policy and program
implementation.
In November 2021, the Department announced plans for a revised CMMC
Program, which incorporates an updated program structure and
requirements designed to achieve the primary goals of an internal DoD
review of the CMMC Program. With the implementation of the CMMC
Program, the Department introduced several key changes that build on
and refine the original program requirements. These include:
Streamlining the model from five to three certification
levels;
Allowing all companies at Level 1 and a subset of
companies at Level 2 to demonstrate compliance through self-
assessments;
Increased oversight of professional and ethical standards
of third-party assessors; and
Allowing companies, under certain limited circumstances,
to make POA&Ms to achieve certification.
In December 2023, the Department published a proposed rule to amend
32 CFR part 170 in the Federal Register (Docket ID 2023-OS-0063, 88 FR
89058, December 26, 2023), which implemented the DoD's vision for the
revised CMMC Program outlined in November 2021. The comment period for
the proposed rule concluded on February 26, 2024.
The CMMC requirements established pursuant to DFARS Case 2019-D041
have not been revised as of the date of publication of this final rule.
However, the CMMC Program requirements in this final rule will be
implemented in the DFARS, as needed, which may result in changes to the
current DFARS text, solicitation provisions, and contract clauses
relating to DoD's cybersecurity protection requirements, including
DFARS subpart 204.75 and DFARS clause 252.204-7021, Cybersecurity
Maturity Model Certification (CMMC) Requirements.
Context of the CMMC Program in Light of Other DoD-Related Work
At present, and prior to the DFARS CMMC Acquisition rule becoming
effective, the Department is using the DCMA DIBCAC to conduct CMMC
Level 2-like assessments. To date, the DCMA DIBCAC has assessed 357
entities including DoD's major prime contractors. The CMMC Program's
assessment phase-in plan, as described in Sec. 170.3 Applicability,
does not preclude entities from immediately and voluntarily seeking a
CMMC certification assessment prior to the DFARS CMMC Acquisition rule
being finalized and the clause being added to new or existing DoD
contracts.
The Department estimates 8,350 medium and large entities will
require CMMC Level 2 certification assessments. Once the CMMC DFARS
coverage is effective, the Department will contractually mandate CMMC
Level
[[Page 83171]]
2 certification assessments on these entities. It is estimated that 135
CMMC Third-Party Assessment Organization (C3PAO)-led assessments will
be completed in the first year. The Department estimates 673 C3PAO-led
assessments in year 2 followed by 2,252 C3PAO-led assessments in year
3. During the fourth year, the Department estimates 4,452 C3PAO-led
assessments will be completed. The DCMA DIBCAC will perform assessments
upon DoD's request.
Additionally, the Department may include CMMC Level 2 certification
requirements on contracts awarded prior to the CMMC DFARS coverage
becoming effective, but doing so will require bilateral contract
modification after negotiations.
The CMMC Program has been incorporated in the Department's 2024
Defense Industrial Base Cybersecurity Strategy.\28\ The strategy
requires the Department to coordinate and collaborate across components
to identify and close gaps in protecting DoD networks, supply chains,
and other critical resources. Other prongs of the Department's
cybersecurity strategy are described in the Department's National
Industrial Security Program Operating Manual (NISPOM) which address
implementation of the Security Executive Agent Directive (SEAD) 3,\29\
including clarifications on procedures for the protection and
reproduction of classified information; controlled unclassified
information (CUI); National Interest Determination (NID) requirements
for cleared contractors operating under a Special Security Agreement
for Foreign Ownership, Control, or Influence; and eligibility
determinations for personnel security clearance processes and
requirements.\30\
---------------------------------------------------------------------------
\28\ https://media.defense.gov/2024/Mar/28/2003424523/-1/-1/1/DOD_DOB_CS_STRATEGY_DSD_SIGNED_20240325.PDF.
\29\ www.govinfo.gov/content/pkg/FR-2020-12-21/pdf/2020-27698.pdf.
\30\ www.dcsa.mil/Industrial-Security/National-Industrial-Security-Program-Oversight/32-CFR-Part-117-NISPOM-Rule/.
---------------------------------------------------------------------------
In addition, DCMA DIBCAC is responsible for leading the
Department's contractor cybersecurity risk mitigation efforts. As part
of this work, the DIBCAC assesses the defense industrial base companies
to ensure they are meeting contractually required cybersecurity
standards. The DIBCAC team ensures contractors have the ability to
protect controlled unclassified information for government contracts
they are awarded. DIBCAC conducts NIST SP 800-171 assessments in
support of DFARS clause 252.204-7012, Safeguarding Covered Defense
Information and Cyber Incident Reporting, and DFARS clause 204.204-
7020, NIST SP 800-171 DoD Assessment Requirements. The DFARS 204.204-
7020 DIBCAC prioritization process is designed to adjust as DoD's cyber
priorities evolve based on ongoing threats. DIBCAC analysts collect and
analyze data on DoD contractors to include:
Mission critical programs, technologies, and
infrastructure and the contractors (prime or lower tier) that support
DoD capabilities.
Cyber threats, vulnerabilities, or incidents.
DoD Leadership requests.
Regulatory Impact Analysis
FAR Subpart 4.19 and DFARS clause 252.204-7012 address safeguarding
of FCI and CUI in contractor information systems and prescribe contract
clauses requiring protection of FCI and CUI within the supply chain.
The FAR and DFARS requirements for safeguarding FCI and CUI predate the
CMMC Program by many years, and baseline costs for their implementation
are assumed to vary widely based on factors including, but not limited
to, company size and complexity of the information systems to be
secured. FAR clause 52.204-21 is prescribed at FAR section 4.1903 for
use in solicitations and contracts when the contractor or subcontractor
at any tier may have FCI residing in or transiting through its
information system. This clause requires contractors and subcontractors
to apply basic safeguarding requirements and procedures to protect
applicable contractor information systems that process, store, or
transmit FCI. In addition, DFARS clause 252.204-7012, Safeguarding
Covered Defense Information and Cyber Incident Reporting, is prescribed
at DFARS section 204.7304(c) for use by DoD in all solicitations and
contracts, including solicitations and contracts using FAR part 12
procedures for the acquisition of commercial items, except for
solicitations and contracts solely for the acquisition of commercially
available off-the-shelf items. This clause applies when a contractor
information system processes, stores, or transmits covered defense
information and requires contractors and subcontractors to provide
``adequate security'' to safeguard that information when it resides on
or transits through a contractor information system, and to report
cyber incidents that affect that system or network. The clause states
that to provide adequate security, the contractor shall implement, at a
minimum, the security requirements in National Institute of Standards
and Technology (NIST) Special Publication (SP) 800-171 R2, Protecting
CUI in Nonfederal Systems and Organizations. Contractors are also
required to flow down DFARS clause 252.204-7012 to all subcontracts for
operationally critical support or for which subcontractor performance
will involve covered defense information.
However, neither FAR clause 52.204-21 nor DFARS clause 252.204-7012
provides for DoD assessment of a contractor's implementation of the
information protection requirements required by those clauses. The
Department developed the CMMC Program to verify implementation of
cybersecurity requirements in DoD contracts and subcontracts, by
assessing adequacy of contractor information system security compliance
prior to award and during performance of the contract. With limited
exceptions, the Department intends to require compliance with CMMC as a
condition of contract award. Once CMMC is implemented, the required
CMMC Status will be specified in the solicitation and resulting
contract. Contractors handling FCI or CUI will be required to meet the
CMMC Status specified in the contract.
There are three different levels of CMMC assessment, starting with
basic safeguarding of FCI at Level 1, moving to the broad protection of
CUI at Level 2, and culminating with higher level protection of CUI
against risk from Advanced Persistent Threats (APTs) at Level 3. The
benefits and costs associated with implementing this final rule, as
well as alternative approaches considered, are as follows:
Costs
A Regulatory Impact Analysis (RIA) that includes a detailed
discussion and explanation about the assumptions and methodology used
to estimate the cost of this regulatory action follows and is available
at www.regulations.gov (search for ``DoD-2023-OS-0063,'' click ``Open
Docket,'' and view ``Supporting Documents'').
Background
The Department of Defense (DoD or Department) requires a secure and
resilient supply chain to ensure the development, production, and
sustainment of capabilities critical to national security. The DoD
supply chain is targeted by adversaries with increasing frequency and
sophistication, and to devastating effect. Therefore, implementation of
cybersecurity standards and enforcement mechanisms is critically
important. Executive Order (E.O.) 14028, ``Improving the Nation's
[[Page 83172]]
Cybersecurity,'' emphasizes the need to strengthen cybersecurity
protections for both the Federal Government and the private sector.
Nation-state adversaries attack the U.S. supply chain for a myriad
of reasons, including exfiltration of valuable technical data (a form
of industrial espionage); disruption to control systems used for
critical infrastructure, manufacturing, and weapons systems; corruption
of quality and assurance across a broad range of product types and
categories; and manipulation of software to achieve unauthorized access
to connected systems and to degrade the integrity of system operations.
For example, since September 2020, major cyber-attacks such as the
SolarWinds,\31\ Colonial Pipeline, Hafnium,\32\ and Kaseya \33\
attacks, have been spearheaded or influenced by nation-state actors
\34\ and resulted in significant failures and disruption. In context of
this threat, the size and complexity of defense procurement activities
provide numerous pathways for adversaries to access DoD's sensitive
systems and information. Moreover, adversaries continue to evolve their
tactics, techniques, and procedures. For example, on April 28, 2022,
CISA and the FBI issued an advisory on destructive ``wiperware,'' a
form of malware which can destroy valuable information.\35\ Protection
of FCI and CUI is critically important, and the DoD needs assurance
that contractor information systems are adequately secured to protect
such information when it resides on or transits those systems.
---------------------------------------------------------------------------
\31\ www.gao.gov/assets/gao-22-104746.pdf.
\32\ www.ic3.gov/Media/News/2021/210310.pdf.
\33\ www.cisa.gov/uscert/ncas/current-activity/2021/07/04/cisa-fbi-guidance-msps-and-their-customers-affected-kaseya-vsa.
\34\ www.mitre.org/sites/default/files/publications/pr-18-2417-deliver-uncompromised-MITRE-study-26AUG2019.pdf.
\35\ www.cisa.gov/uscert/ncas/alerts/aa22-057a.
---------------------------------------------------------------------------
The Department is committed to working with defense contractors to
protect FCI and CUI.
Federal Contract Information (FCI): As defined in section
4.1901 of the FAR, FCI means information, not intended for public
release, that is provided by or generated for the Government under a
contract to develop or deliver a product or service to the Government,
but not including information provided by the Government to the public,
such as that on public websites, or simple transactional information,
such as that necessary to process payments.
Controlled Unclassified Information (CUI): 32 CFR
2002.4(h) defines CUI, in part, as information the Government creates
or possesses, or that an entity creates or possesses for or on behalf
of the Government, that a law, regulation, or Government-wide policy
requires or permits an agency to handle using safeguarding or
dissemination controls, including FCI.
In September 2020, the DoD published the 48 CFR CMMC interim final rule
(DFARS Case 2019-D041, 85 FR 48513, September 9, 2020), which
implemented DoD's vision for the initial Cybersecurity Maturity Model
Certification (CMMC) Program and outlined basic program features, to
include: 5-level tiered model, CMMC Certified Third Party Assessment
Organization (C3PAO) assessments in support of contractor and
subcontractor certification, with no allowance for a Plan of Action and
Milestones (POA&Ms), and implementation of all security requirements by
the time of a contract award. A total of 750 comments were received on
the 48 CFR CMMC interim final rule during the public comment period
that ended on November 30, 2020. These comments highlighted a variety
of industry concerns including concerns relating to the costs for a
C3PAO certification, and the costs and burden associated with
implementing, prior to award, the required process maturity and 20
additional cybersecurity practices that were included in the initial
CMMC Program. The Small Business Administration Office of Advocacy also
raised similar concerns on the impact the rule would have on small
businesses in the DIB.
Pursuant to DFARS clause 252.204-7012, DoD has required certain
defense contractors and subcontractors to implement the security
protections set forth in the National Institute of Standards and
Technology (NIST) Special Publication (SP) 800-171 R2 to provide
adequate security for CUI that is processed, stored, or transmitted on
contractor information systems. The CMMC Program provides the
Department the mechanism needed to verify that a defense contractor or
subcontractor has implemented the security requirements at each CMMC
Level and is maintaining that status across the contract period of
performance, as required.
In calendar year (CY) 2021, DoD paused the planned CMMC rollout to
conduct an internal review of the CMMC Program. The internal review
resulted in a refined and streamlined set of requirements that
addressed many of the concerns identified in the public comments
received relating to the initial CMMC Program. These changes have been
incorporated into the revised CMMC Program structure and policies. In
July 2022, the CMMC Program Management Office (PMO) met with the Office
of Advocacy for the United States Small Business Administration (SBA)
to address the planned revisions to the CMMC Program that are responsive
to prior SBA concerns.
The CMMC Program will enhance the ability of the DoD to safely
share FCI and CUI with defense contractors and know the information
will be suitably safeguarded. Once fully implemented, CMMC will
incorporate a set of cybersecurity requirements into acquisition
contracts to provide verification that applicable cyber protections
have been implemented. Under the CMMC Program, defense contractors and
subcontractors will be required to implement certain cybersecurity
protection requirements tied to a designated CMMC level and either
perform a self-assessment or obtain an independent assessment from
either a C3PAO or DCMA DIBCAC as a condition of a DoD contract award.
CMMC is designed to validate the protection of FCI and CUI that is
shared with and generated by the Department's contractors and
subcontractors. Through protection of information by adherence to the
requirements verified in the revised CMMC Program, the Department and
its contractors will prevent disruption in service and the loss of
intellectual property and assets, and thwart access to FCI and CUI by
the nation's adversaries.
The CMMC Program is intended to: (1) align cybersecurity
requirements to the sensitivity of unclassified information to be
protected, and (2) add a certification element, where appropriate, to
verify implementation of cybersecurity requirements. As part of the
program, DoD also intends to provide supporting resources and training
to defense contractors to help support companies who are working to
achieve the required CMMC Status. The CMMC Program provides for
assessment at three levels: basic safeguarding of FCI at CMMC Level 1,
broad protection of CUI at CMMC Level 2, and enhanced protection of CUI
against risk from Advanced Persistent Threats (APTs) at CMMC Level 3.
The CMMC Program is designed to provide increased assurance to the
Department that a defense contractor can adequately protect FCI and CUI
in accordance with prescribed security requirements, accounting for
information flow down to its subcontractors in a multi-tier supply
chain.
The CMMC Program addresses DoD's need to protect FCI and CUI during
the acquisition and sustainment of products
and services from the DIB. This effort is instrumental in establishing
cybersecurity as a foundation for future DoD acquisition.
Although DoD contract requirements to provide adequate security for
covered defense information (reflected in DFARS clause 252.204-7012)
predate CMMC by many years, a certification requirement for the
handling of CUI to assess a contractor or subcontractor's compliance
with those required information security controls is new with the CMMC
Program. Findings from a DoD Inspector General report \36\ indicate that
DoD contractors did not consistently implement mandated system security
requirements for safeguarding CUI and recommended that DoD take steps
to assess a contractor's ability to protect this information. The
report emphasizes that malicious actors can exploit the vulnerabilities
of contractors' networks and systems and exfiltrate information related
to some of the Nation's most valuable advanced defense technologies.
---------------------------------------------------------------------------
\36\ DODIG-2019-105 ``Audit of Protection of DoD CUI on
Contractor-Owned Networks and Systems.''
---------------------------------------------------------------------------
Currently, the FAR and DFARS prescribe contract clauses intended to
protect FCI and CUI. Specifically, the clause at FAR 52.204-21, Basic
Safeguarding of Covered Contractor Information Systems, is prescribed
at FAR 4.1903 for use in Government solicitations and contracts when
the contractor or a subcontractor at any tier may have FCI residing in
or transiting through its information system(s). This clause requires
contractors and subcontractors to implement basic safeguarding
requirements and procedures to protect FCI being processed, stored, or
transmitted on contractor information systems. In addition, DFARS
clause 252.204-7012, Safeguarding Covered Defense Information and Cyber
Incident Reporting, is prescribed at DFARS 204.7304(c) for use in all
solicitations and contracts except for solicitations and contracts
solely for the acquisition of commercially available off-the-shelf
(COTS) items. This clause requires contractors and subcontractors to
provide ``adequate security'' to process, store or transmit covered
defense information when it resides on or transits a contractor
information system, and to report cyber incidents that affect that
system or network. The clause states that to provide adequate security,
the contractor shall implement, at a minimum, the security requirements
in NIST Special Publication (SP) 800-171 R2, Protecting CUI in
Nonfederal Systems and Organizations. Contractors are also required to
flow down DFARS clause 252.204-7012 to all subcontracts that require
processing, storing, or transmitting of covered defense information.
However, neither FAR clause 52.204-21 nor DFARS clause 252.204-7012
provides for DoD verification, prior to contract award, of a
contractor's implementation of the basic safeguarding requirements
specified in FAR clause 52.204-21 or of the security requirements
specified in NIST SP 800-171 R2, implementation of which is required by
DFARS clause 252.204-7012. As part of multiple lines of effort focused on the
security and resilience of the DIB, the Department is working with
industry to enhance the protection of FCI and CUI within the DoD supply
chain. Toward this end, DoD has developed the CMMC Program.
Revised CMMC Program Requirements
The CMMC Program requirements will be implemented through the DoD
acquisition and contracting process. With limited exceptions, the
Department intends to require compliance with CMMC as a condition of
contract award. Once CMMC is implemented, the required CMMC Status will
be specified in the solicitation and resulting contract. Contractors
handling FCI or CUI will be required to meet the CMMC Status specified
in the contract. In accordance with the implementation plan described
in Sec. 170.3(e), CMMC Status requirements will apply to new DoD
solicitations and contracts, and shall flow down to subcontractors,
based on the sensitivity of the FCI and CUI to be processed, stored or
transmitted to or by the subcontractor. Before contract award, the
offeror must achieve the specified CMMC Status for the contractor
information system (e.g., enterprise network, network enclave) that
will process, store, or transmit the information to be protected. The
contractor or subcontractor will also submit affirmations in the
Supplier Performance Risk System (SPRS). An overview of requirements at
each level is shown:
Level 1 Self-Assessment
Level 1 self-assessment requires compliance with the basic
safeguarding requirements to protect FCI set forth in FAR clause
52.204-21. CMMC Level 1 does not add any additional security
requirements to those identified in FAR clause 52.204-21.
OSAs will submit the following information in SPRS:
1. the results of a self-assessment of the OSA's implementation of
the basic safeguarding requirements set forth in Sec. 170.15
associated with the contractor information system(s) used in
performance of the contract; and
2. an initial affirmation of compliance, and then annually
thereafter, an affirmation of continued compliance as set forth in
Sec. 170.22.
The Level 1 self-assessment cost burden will be addressed as part of
the 48 CFR part 204 CMMC Acquisition final rule.
Level 2 Self-Assessment
Level 2 self-assessment requires compliance with the
security requirements set forth in NIST SP 800-171 R2 to protect CUI.
CMMC Level 2 does not add any additional security requirements to those
identified in NIST SP 800-171 R2.
OSAs will submit the following information in SPRS:
1. the results of a self-assessment of the OSA's implementation of
the NIST SP 800-171 R2 requirements set forth in Sec. 170.16
associated with the covered contractor information system(s) used in
performance of the applicable contract; and
2. an initial affirmation of compliance, and, if applicable, a
POA&M closeout affirmation, and then annually thereafter, an
affirmation of continued compliance as set forth in Sec. 170.22.
The Level 2 self-assessment cost burden will be addressed as part of
the 48 CFR part 204 CMMC Acquisition final rule.
Level 2 Certification Assessment
Level 2 certification assessment requires compliance with
the security requirements set forth in Sec. 170.17 to protect CUI.
CMMC Level 2 does not add any additional security requirements to those
identified in NIST SP 800-171 R2.
A Level 2 certification assessment of the applicable
contractor information system(s) provided by an authorized or
accredited C3PAO is required to validate implementation of the NIST SP
800-171 R2 security requirements prior to award of any prime contract
or subcontract and exercise of option.
The C3PAO will upload the Level 2 certification assessment
results in the CMMC instantiation of eMASS which will feed the
information into SPRS.
OSCs will submit in SPRS an initial affirmation of
compliance, and, if necessary, a POA&M closeout affirmation, and then
annually following the Final CMMC Status Date, an affirmation of
continued compliance as set forth in Sec. 170.22.
The Level 2 certification assessment cost burdens are included in
this part
with the exception of the requirement for the OSC to upload the
affirmation in SPRS that is included in the 48 CFR part 204 CMMC
Acquisition final rule and an update to DFARS collection approved under
OMB Control Number 0750-0004, Assessing Contractor Implementation of
Cybersecurity Requirements. Additionally, the information collection
reporting requirements for the CMMC instantiation of eMASS are included
in a separate ICR for this part and cover only those requirements
pertaining to the CMMC process.
Level 3 Certification Assessment
Level 3 certification assessment requires the CMMC Status
of Final Level 2 (C3PAO) and compliance with the security requirements
set forth in Sec. 170.18 to protect CUI. CMMC Level 3 adds additional
security requirements to those required by existing acquisition
regulations as specified in this rule.
A Level 3 certification assessment of the applicable
contractor information system(s) provided by the DCMA Defense
Industrial Base Cybersecurity Assessment Center (DIBCAC) is required to
validate implementation of the DoD-defined selected security
requirements set forth in NIST SP 800-172 Feb2021. A CMMC Status of
Final Level 2 (C3PAO) is a prerequisite to schedule a DCMA DIBCAC Level
3 certification assessment.
DCMA DIBCAC will upload the Level 3 certification
assessment results into the CMMC instantiation of eMASS, which will
feed the information into SPRS.
OSCs will submit in SPRS an initial affirmation of
compliance, and, if necessary, a POA&M closeout affirmation, and then
annually following the Final CMMC Status Date, an affirmation of
continued compliance as set forth in Sec. 170.22.
The Level 3 certification assessment cost burdens are included in
this part with the exception of the requirement for the OSC to upload
the affirmation in SPRS that is included in the 48 CFR part 204 CMMC
Acquisition rule and an update to DFARS collection approved under OMB
Control Number 0750-0004, Assessing Contractor Implementation of
Cybersecurity Requirements. Additionally, the information collection
reporting requirements for the CMMC instantiation of eMASS are included
in a separate ICR for this part and cover only those requirements
pertaining to the CMMC process. As described, the CMMC Program couples
an affirmation of compliance with certification assessment requirements
to verify OSA implementation of cybersecurity requirements, as
applicable.
The CMMC Program addresses DoD's need to protect FCI and CUI during
the acquisition and sustainment of products and services from the DIB.
This effort is instrumental in ensuring cybersecurity is the foundation
of future DoD acquisitions.
Policy Problems Addressed by the Revised CMMC Program
Implementation of the CMMC Program is intended to solve the
following policy problems:
Lack of Verification of Contractor Compliance With Cybersecurity
Requirements
Neither FAR clause 52.204-21 nor DFARS clause 252.204-7012 provide
for DoD assessment of a defense contractor or subcontractor's
implementation of the information protection requirements within those
clauses. Defense contractors represent that they will implement the
requirements in NIST SP 800-171 R2 upon submission of their offer.
Findings from DoD Inspector General report (DODIG-2019-105 ``Audit of
Protection of DoD Controlled Unclassified Information on Contractor-
Owned Networks and Systems'') indicate that DoD contractors did not
consistently implement mandated system security requirements for
safeguarding CUI and recommended that DoD take steps to assess a
contractor's ability to protect this information. CMMC adds new
assessment requirements for contractor implementation of underlying
information security requirements, to allow DoD to assess a defense
contractor's cybersecurity posture using authorized or accredited
C3PAOs. The contractor and subcontractor must achieve the required CMMC
Level as a condition of contract award.
Inadequate Implementation of Cybersecurity Requirements
Under DFARS clause 252.204-7012 and DFARS clause 252.204-7020,
defense contractors and subcontractors must document implementation of
the security requirements in NIST SP 800-171 R2 in a system security
plan and may use a plan of action to describe how and when any
unimplemented security requirements will be met. For the CMMC Program,
the solicitation and resulting contract, will specify the required CMMC
Status, which will be determined considering program criticality,
information sensitivity, and severity of cyber threat. Although the
security requirements in NIST SP 800-171 R2 address a range of threats,
additional requirements are needed to significantly reduce the risk
posed by APTs. An APT is an adversary that possesses sophisticated
levels of expertise and significant resources that allow it to create
opportunities to achieve its objectives by using multiple attack
vectors (e.g., cyber, physical, and deception). CMMC Level 3 requires
implementation of selected security requirements from NIST SP 800-172
Feb2021 to reduce the risk of APT threats.
The CMMC Program will require prime contractors to flow the
appropriate CMMC Status requirement down throughout the entire supply
chain relevant to a particular contract. Defense contractors or
subcontractors that handle FCI, must meet the requirements for CMMC
Level 1. Defense contractors that handle CUI must meet the requirements
for CMMC Level 2 or higher, depending on the sensitivity of the
information associated with a program or technology being developed.
Insufficient Scale and Depth of Resources To Verify Compliance
Today, DoD prime contractors must include DFARS clause 252.204-7012
in subcontracts for which performance will involve covered defense
information, but this does not provide the Department with sufficient
insights with respect to the cybersecurity posture of all members of a
multi-tier supply chain for any given program or technology development
effort. The revised CMMC Program requires prime contractors to flow
down appropriate CMMC Status requirements, as applicable, to
subcontractors throughout their supply chain(s).
Given the size and scale of the DIB, the Department cannot scale
its existing cybersecurity assessment capability to conduct on-site
assessments of approximately 220,000 DoD contractors and subcontractors
every three years. The Department's existing assessment capability is
best suited for conducting targeted assessments for the relatively
small subset of DoD contractors and subcontractors that support
designated high-priority programs involving CUI.
CMMC addresses the Department's scaling challenges by utilizing a
private-sector accreditation structure. A DoD-authorized Accreditation
Body will authorize, accredit, and provide oversight of C3PAOs which in
turn will conduct Level 2 certification assessments of actual and
prospective DoD contractors and subcontractors. Defense contractors
will directly contract with an authorized or accredited C3PAO to obtain
a Level 2
certification assessment. The cost of Level 2 certification assessment
activities is driven by multiple factors, including market forces that
govern availability of C3PAOs and the size and complexity of the
enterprise or enclave under assessment. The Government will perform
Level 3 certification assessments. Government resource limitations may
affect schedule availability.
Reduces Duplicate or Repetitive Assessments of Our Industry Partners
CMMC assessment results will be posted in SPRS, DoD's authoritative
source for supplier and product performance information. Posting CMMC
assessment results in SPRS precludes the need to validate CMMC
implementation on a contract-by-contract basis. This enables DoD to
identify whether the CMMC requirements have been met for relevant
contractor information systems, avoids duplicative assessments, and
eliminates the need for program level assessments, all of which
decreases costs to both DoD and industry.
Revised CMMC Program Implementation
The DoD is implementing the revised CMMC Program in phases and
intends to introduce CMMC Status requirements in solicitations over a
three-year period to provide appropriate ramp-up time. This phased
implementation is intended to minimize the financial impacts to defense
contractors, especially small businesses, and disruption to the existing
DoD supply chain. After CMMC is implemented in acquisition regulation,
DoD will include CMMC self-assessment requirements in solicitations and
resulting contracts when warranted by the type of information that will
be handled by the contractor or subcontractor(s). CMMC Status
requirements for Levels 1, 2, and 3 will
be included in solicitations and resulting contracts issued after the
phase-in period when warranted by any FCI and/or CUI information
protection requirements for the contract effort. In the intervening
period, Government Program Managers will have discretion to include
CMMC Status requirements or exclude them and rely upon existing DFARS
clause 252.204-7012 requirements, in accordance with DoD policy. As
stated in Sec. 170.20(a), there is qualified standards acceptance
between a DCMA DIBCAC High Assessment and the CMMC Status of Level 2
(C3PAO), which will result in staggering of the dates for new Level 2
certification assessments. The implementation period will consist of
four (4) phases as set forth in Sec. 170.3(e), during which time the
Government will include CMMC requirements in certain solicitations and
contracts. During the CMMC phase-in period, program managers and
requiring activities will be required to include CMMC Status
requirements in certain solicitations and contracts and will have
discretion to include in others.
A purpose of the phased implementation is to ensure adequate
availability of authorized or accredited C3PAOs and assessors to meet
the demand.
Revised CMMC Program Flow Down
CMMC Level requirements will be flowed down to subcontractors at
all tiers as set forth in Sec. 170.23; however, the specific CMMC
Status required for a subcontractor will be based on the type of
unclassified information and the priority of the acquisition program
and/or technology being developed.
Key Changes Incorporated in the Revised CMMC Program
In November 2021, the Department announced the revised CMMC
Program, which is an updated program structure with revised
requirements. In the revised CMMC Program, the Department has
introduced several key changes that build on and refine the original
program requirements. These include:
Streamlining the model from five levels to three levels.
Exclusively implementing National Institute of Standards
and Technology (NIST) cybersecurity standards and guidelines.
Allowing all companies subject to Level 1, and a subset of
companies subject to Level 2, to demonstrate compliance through self-
assessments.
Increasing oversight of professional and ethical standards
of CMMC third-party assessors.
Allowing Plans of Action & Milestones (POA&M) under
limited circumstances to achieve conditional certification.
As a result of the alignment of the revised CMMC Program to NIST
guidelines, the Department's requirements will continue to evolve as
changes are made to the underlying NIST SP 800-171 R2, NIST SP 800-171A
Jun2018, NIST SP 800-172 Feb2021, and NIST SP 800-172A Mar2022
requirements.
CMMC Assessment
Assessment Criteria
CMMC requires that defense contractors and subcontractors entrusted
with FCI and CUI implement cybersecurity standards at progressively
more secure levels, depending on the type and sensitivity of the
information.
Level 1 Self-Assessment
An annual Level 1 self-assessment and annual affirmation assert
that an OSA has implemented all the basic safeguarding requirements to
protect FCI as set forth in Sec. 170.14(c)(2).
An OSA can choose to perform the annual self-assessment internally
or engage a third-party to assist with evaluating its Level 1
compliance. Use of a third party to assist with the assessment process
is still considered a self-assessment and results in a CMMC Status of
Final Level 1 (Self). An OSA can achieve the CMMC Status of Level 1
(Self) for an entire enterprise network or for a particular enclave(s),
depending upon where the FCI is or will be processed, stored, or
transmitted.
Level 2 Self-Assessment
A Level 2 self-assessment and annual affirmation attests that an
OSA has implemented all the security requirements to protect CUI as
specified in Sec. 170.14(c)(3).
Level 2 Certification Assessment
A Level 2 certification assessment, conducted by a C3PAO, verifies
that an OSC is conforming to the security requirements to protect CUI
as specified in Sec. 170.14(c)(3). Each OSC information system that
will process, store, or transmit CUI in the execution of the contract
is subject to the corresponding CMMC Status requirements set forth in
the contract.
Level 3 Certification Assessment
Achievement of the CMMC Status of Final Level 2 (C3PAO) for
information systems within the Level 3 CMMC Assessment Scope is a
prerequisite for initiating a Level 3 certification assessment. A Level
3 certification assessment, conducted by DCMA Defense Industrial Base
Cybersecurity Assessment Center (DIBCAC), verifies that an OSC has
implemented the CMMC Level 3 security requirements to protect CUI as
specified in Sec. 170.14(c)(4). A Level 3 certification assessment
must be conducted for each OSC information system that will be used in
the execution of the contract that will process, store, or transmit
CUI.
Impact and Cost Analysis of the Revised CMMC Program
Summary of Impact
Public comment feedback on the initial CMMC Program indicated that
cost estimates were too low. The revised
CMMC Program cost estimates account for that feedback with the
following improvements:
Allowance for outsourced IT services
Increased total time for the contractor to prepare for the
assessment, including limited time for learning the reporting and
affirmation processes
Allowance for use of consulting firms to assist with the
assessment process
Time for a senior level manager to review the assessment
and affirmation before submitting the results in SPRS
Updated government and contractor labor rates that include
applicable burden costs
As a result, some costs of the revised CMMC Program may be higher
than those included in the initial CMMC Program.
The revised CMMC Program impact analysis includes estimated costs
for implementation of the revised CMMC Program requirements across
Level 1, Level 2, and Level 3 for the Public (small and other than
small entities, including the CMMC Ecosystem as set forth in 32 CFR
subpart C) and the Government. In summary, the total estimated Public
and Government costs associated with this rule, calculated for a 20-
year horizon in 2023 dollars at a 7 percent discount rate and a 3
percent discount rate are provided as follows:
[GRAPHIC] [TIFF OMITTED] TR15OC24.002
[GRAPHIC] [TIFF OMITTED] TR15OC24.001
Estimating the number of CMMC assessments for unique entities per
level per year is complicated by the fact that companies may serve as a
prime contractor on one effort but a subcontractor on others, and may
also enter into subcontract agreements with more than one prime
contractor for various opportunities.
In addition, the CMMC Program relies upon free market influences of
supply and demand to propel implementation. Specifically, the
Department does not control which defense contractors aspire to compete
for which business opportunities, nor does it control access to the
assessment services offered by C3PAOs. OSAs may elect to complete a
self-assessment or pursue a certification assessment at any time after
issuance of the rule, in an effort to distinguish themselves as
competitive for efforts that require an ability to adequately protect
CUI. For that reason, the number of CMMC assessments for unique
entities per level per year may vary significantly from the assumptions
used in generating the cost estimate. The estimates represent the best
estimates at this time based on internal expertise and public feedback.
DoD utilized historical metrics gathered for the initial CMMC
Program and subject matter expertise from Defense Pricing and
Contracting (DPC) and DCMA DIBCAC to estimate the number of entities by
type and by assessment level for this analysis. The following table
summarizes the estimated profile used in this analysis.
[GRAPHIC] [TIFF OMITTED] TR15OC24.003
DoD is planning for a phased roll-out of each assessment level
across 7 years, with the number of new entities entering each year
reaching a maximum by Year 4 as shown in the tables. The target of Year
4 was selected based on the projected capacity of the CMMC Ecosystem to
grow to efficiently support the entities in the pipeline. For modeling
efficiency, a similar roll-out is assumed regardless of entity size or
assessment level. It is assumed that by Year 7 the maximum cumulative
number of entities is reached. Beyond Year 7, the number of entities
entering and exiting is expected to net to zero. The following tables
reflect the number of new entities in each year and for each level.
[GRAPHIC] [TIFF OMITTED] TR15OC24.004
[GRAPHIC] [TIFF OMITTED] TR15OC24.005
[GRAPHIC] [TIFF OMITTED] TR15OC24.006
Public Costs
Summary of Impacted Awardee Entities
According to data available in the Electronic Data Access system
for fiscal years (FYs) 2019, 2020, and 2021, DoD awards an average of
1,366,262 contracts and orders per year that contain DFARS clause
252.204-7012, to 31,338 unique awardees, of which 683,718 awards (50%)
are made to 23,475 small entities (75%).\37\
---------------------------------------------------------------------------
\37\ The number of unique awardees impacted each year is \1/3\
of the average number of annual awardees according to the Electronic
Data Access system (31,338/3 = 10,446). This estimate does not
address new entrants or awardees who discontinue doing business with
DoD.
---------------------------------------------------------------------------
Public Cost Analysis
The following is a summary of the estimated Public costs of the
revised CMMC Program for other than small \38\ entities, per assessment
of a contractor information system, at the required periodicity for
each CMMC level.
---------------------------------------------------------------------------
\38\ Includes all businesses with the exception of those defined
under the small business criteria and size standards provided in 13
CFR 121.201 (See FAR Part 19.102)
\39\ The Level 1 self-assessment and Level 2 self-assessment
information collection reporting and recordkeeping requirements will
be included in a modification of an existing DFARS collection
approved under OMB Control Number 0750-0004, Assessing Contractor
Implementation of Cybersecurity Requirements. Modifications to this
DFARS collection will be addressed as part of the 48 CFR part 204
CMMC Acquisition rule.
\40\ The Level 1 self-assessment and Level 2 self-assessment
information collection reporting and recordkeeping requirements will
be included in a modification of an existing DFARS collection
approved under OMB Control Number 0750-0004, Assessing Contractor
Implementation of Cybersecurity Requirements. Modifications to this
DFARS collection will be addressed as part of the 48 CFR part 204
CMMC Acquisition rule.
[GRAPHIC] [TIFF OMITTED] TR15OC24.007
The following is a summary of the estimated Public costs of the
revised CMMC Program for Small Entities, per assessment of each
contractor information system, estimated at one per entity, at the
required periodicity for each CMMC level.
[GRAPHIC] [TIFF OMITTED] TR15OC24.008
The total estimated Public (large and small entities) costs
associated with this rule, calculated for a 20-year horizon in 2023
dollars at a 7 percent and 3 percent discount rate, per OMB guidance,
is provided as follows:
[GRAPHIC] [TIFF OMITTED] TR15OC24.009
Assumptions
In estimating the Public costs, DoD considered applicable
nonrecurring engineering costs, recurring engineering costs,\41\
assessment costs, and affirmation costs for each CMMC Level. For CMMC
Levels 1 and 2, the cost estimates are based only upon the self-
assessment, certification assessment, and affirmation activities that a
defense contractor, subcontractor, or ecosystem member must take to
allow DoD to verify implementation of the relevant underlying security
requirements, i.e., for CMMC Level 1, the security requirements set
forth in FAR clause 52.204-21, and for CMMC Level 2, the security
requirements set forth in NIST SP 800-171 R2. DoD did not consider the
cost of implementing the security requirements themselves because
implementation is already required by FAR clause 52.204-21, effective
June 15, 2016, and by DFARS clause 252.204-7012, requiring
implementation by Dec. 31, 2017, respectively; therefore, the costs of
implementing the security requirements for CMMC Levels 1 and 2 should
already have been incurred and are not attributed to this rule. As
such, the nonrecurring engineering and recurring engineering costs to
implement the security requirements defined for CMMC Level 1 and Level
2 are not included in this economic analysis. However, cost estimates
to implement CMMC Level 3 are included, as that CMMC level will
require defense contractors and subcontractors, as applicable, to
implement a DoD-defined subset of the security requirements set forth
in NIST SP 800-172 Feb2021, a new addition to current security
protection requirements.
---------------------------------------------------------------------------
\41\ The terms nonrecurring engineering costs and recurring
engineering costs are terms of art and do not only encompass actual
engineering costs.
---------------------------------------------------------------------------
In estimating the public cost for a defense contractor small entity
to comply with CMMC Program requirements for each CMMC level, DoD
considered non-recurring engineering costs, recurring engineering
costs, assessment costs, and affirmation costs for each CMMC Level.
These costs include labor and consulting.
Estimates include size and complexity assumptions to account for
typical organizational differences between small entities and other
than small entities with respect to the handling of Information
Technology (IT) and cybersecurity:
- small entities are likely to have a less complex, less
expansive operating environment and IT/Cybersecurity infrastructure
compared to larger defense contractors;
- small entities are likely to outsource IT and
cybersecurity to an External Service Provider (ESP);
- entities (small and other than small) pursuing Level 2
self-assessment are likely to seek consulting or implementation
assistance from an ESP to either help them prepare for the assessment
technically or participate in the assessment with the C3PAOs.
Estimates do not include the cost to implement (Non-recurring
Engineering Costs (NRE)) or maintenance costs (Recurring Engineering
(RE)) associated with the security requirements prescribed in current
regulations.
For CMMC Levels 1 and 2, cost estimates are based upon assessment,
reporting, and affirmation activities that a contractor or
subcontractor will need to take to verify implementation of existing
security requirements set forth in FAR clause 52.204-21, effective June
15, 2016, to protect FCI, and DFARS clause 252.204-7012 which required
implementation of NIST SP 800-171 requirements not later than December
31, 2017, to protect CUI. As such, cost estimates are not included for
an entity to implement the CMMC Level 1 or 2 security requirements,
maintain implementation of these existing security requirements, or
remediate a plan of action for unimplemented requirements.
For CMMC Level 3, the cost estimates factor in the assessment,
reporting, and affirmation activities in addition to estimates for NRE
and RE to implement and maintain CMMC Level 3 security requirements. In
addition to implementing the CMMC Level 2 security requirements, CMMC
Level 3 requires implementing selected security requirements set forth
in NIST SP 800-172 Feb2021 as described in Sec. 170.14(c)(4) which are
not currently required through other regulations. CMMC Level 3 is
expected to apply only to a small subset of defense contractors and
subcontractors.
The Cost Categories used for each CMMC Level are described:
1. Nonrecurring Engineering Costs: Estimates consist of hardware,
software, and the associated labor to implement the same. Costs
associated with implementing the requirements set forth in FAR clause
52.204-21 and NIST SP 800-171 R2 are assumed to have been already
implemented and, therefore, are not accounted for in this cost
estimate. As such, these costs only appear in CMMC Level 3. If
nonrecurring engineering costs are referenced, they are only accounted
for as a one-time occurrence and are reflected in the year of the
initial assessment.
2. Recurring Engineering Costs: Estimates consist of annually
recurring fees and associated labor for technology refresh. Costs
associated with implementing the requirements set forth in FAR clause
52.204-21 and NIST SP 800-171 R2 are assumed to have been already
implemented and, therefore, are not accounted for in this cost
estimate. As such, these costs only appear in CMMC Level 3.
3. Assessment Costs: Estimates consist of activities for pre-
assessment preparations (which includes gathering and/or developing
evidence that the assessment objectives for each requirement have been
satisfied), conducting and/or participating in the actual assessment,
and completion of any post-assessment work. Assessment costs are
represented by notional phases. Assessment costs assume the OSA passes
the assessment on the first attempt (conditional--with an allowable
POA&M or final). Each phase includes an estimate of hours to conduct
the assessment activities including:
(a) Labor hour estimates for a company (and any ESP support) to prepare
for and participate in the assessment.
(b) C3PAO cost estimates for companies pursuing a certification:
labor hour estimates for authorized or certified assessors to
work with the business to conduct the actual assessment.
Assessment Costs broken down into phases:
- Phase 1: Planning and preparing for the assessment
- Phase 2: Conducting the assessment (self or C3PAO)
- Phase 3: Reporting of Assessment Results
- Phase 4: POA&M Closeout (for CMMC Level 3 only, if
applicable and allowed)
CMMC allows a limited open Plan of Action and Milestones
(POA&M) for a period of 180 days to remediate the POA&M, see Sec.
170.21.
4. Affirmations: Estimates consist of costs for an OSA to submit to
SPRS an initial and, as applicable, any subsequent affirmations of
compliance that the contractor information system is compliant with and
will maintain compliance with the security requirements of the
applicable CMMC Level. If POA&Ms are allowed, an affirmation must be
submitted with the POA&M closeout. With the exception of Small Entities
for Level 1 and Level 2, it is assumed the task requires the same labor
categories and estimated hours as the final reporting phase of the
assessment.
---------------------------------------------------------------------------
\42\ IT = Information Technology, MGMT = Management.
\43\ IT and MGMT rates represent an estimate for in-house labor
and include the labor rate plus fringe and employee-related
expenses.
\44\ Background assumes a Bachelor's degree as the minimum
education level; additional requirements are noted, including
required years of experience. A Master's degree may reduce the
required years of experience as noted.
\45\ The ESP/C3PAO rate represents an estimate for outsourced
labor and includes the labor rate, overhead expense, G&A expense,
and profit.
---------------------------------------------------------------------------
The categories and rates used for estimating purposes were compiled
by subject matter experts based on current data available from within
the DoD contractor database for comparable labor categories. A factor
estimate of 30 percent was added to the labor rate per hour to include,
but not limited to, company-sponsored benefits (fringe) and limited
employee-related expenses such as training and certifications. This
estimate is based on labor performed by indirect personnel (i.e.,
personnel who are part of overhead expense); therefore, the 30 percent
factor represents an estimate for fringe expense and G&A expenses
versus full overhead expense. The categories and rates inclusive of the
labor cost plus the additional factor are defined in the table.
[GRAPHIC] [TIFF OMITTED] TR15OC24.010
[GRAPHIC] [TIFF OMITTED] TR15OC24.011
CMMC Level 1 Self-Assessment and Affirmation Costs
Other Than Small Entities
Nonrecurring and recurring engineering costs: There are no
nonrecurring or recurring engineering costs associated with CMMC Level
1, since it is assumed that the contractor or subcontractor has already
implemented the applicable security requirements.\46\
---------------------------------------------------------------------------
\46\ CMMC Level 1 consists of the same 15 basic safeguarding
requirements specified in FAR clause 52.204-21. This cost analysis
assumes that defense contractors and subcontractors already have
contracts with FAR clause 52.204-21 and, therefore, have already
implemented the 15 basic safeguarding requirements.
---------------------------------------------------------------------------
Assessment Costs: It is estimated that the cost to
support a CMMC Level 1 self-assessment and affirmation is *$4,042 (as
summarized in 4.1.2, table 9). A Level 1 self-assessment is conducted
annually, and is based on the assumptions detailed below:
Phase 1: Planning and preparing for the self-assessment:
$1,146
A director (MGMT5) for 4 hours ($190.52/hr x 4hrs = $762)
A manager (MGMT2) for 4 hours ($95.96/hr x 4hrs = $384)
Phase 2: Conducting the self-assessment: $1,728
A director (MGMT5) for 6 hours ($190.52/hr x 6hrs =
$1,143)
A staff IT specialist (IT4) for 6 hours ($97.49/hr x 6hrs
= $585)
Phase 3: Reporting of self-assessment results into SPRS: $584
A director (MGMT5) for 2 hours ($190.52/hr x 2hrs = $381)
A staff IT specialist (IT4) for 2.08 hours ($97.49/hr x
2.08hrs = $203)
Affirmations: It is estimated that the cost to perform an
initial and annual affirmation of compliance with CMMC Level 1 for an
``other than small'' entity is $584:
A director (MGMT5) for 2 hours ($190.52/hr x 2hrs = $381)
A staff IT specialist (IT4) for 2.08 hours ($97.49/hr x
2.08hrs = $203)
The Level 1 self-assessment and affirmations cost burden
will be addressed as part of the 48 CFR part 204 CMMC Acquisition rule.
Summary: The following is the annual other than small
entities total cost summary for Level 1 self-assessments and
affirmations over a ten-year period: (Example calculation, Year 1:
*$4,042 per entity x 246 entities (cumulative) = $994,233)
[GRAPHIC] [TIFF OMITTED] TR15OC24.012
Small Entities
Nonrecurring and recurring engineering costs: There are no
nonrecurring or recurring engineering costs associated with CMMC Level
1 since it is assumed the contractor or subcontractor has implemented
the applicable security requirements.\47\
---------------------------------------------------------------------------
\47\ Again, it is assumed that defense contractors and
subcontractors have already implemented the 15 basic safeguarding
requirements in FAR clause 52.204-21.
---------------------------------------------------------------------------
Assessment Costs and Initial Affirmation Costs: It is
estimated that the cost to support a CMMC Level 1 self-assessment and
affirmation is *$5,977 (as summarized in 4.1.2, table 10). A Level 1
self-assessment is conducted annually, and is based on the assumptions
detailed below:
Phase 1: Planning and preparing for the self-assessment:
$1,803
A director (MGMT5) for 4 hours ($190.52/hr x 4hrs = $762)
An external service provider (ESP) for 4 hours ($260.28/hr x
4hrs = $1,041)
Phase 2: Conducting the self-assessment: $2,705
A director (MGMT5) for 6 hours ($190.52/hr x 6hrs =
$1,143)
An external service provider (ESP) for 6 hours ($260.28/hr x
6hrs = $1,562)
Phase 3: Reporting of assessment results into SPRS: $909
A director (MGMT5) for 2 hours ($190.52/hr x 2hrs = $381)
An external service provider (ESP) for 2 hours ($260.28/hr
x 2hrs = $521)
A staff IT specialist (IT4-SB) for 0.08 hours \48\
($86.24/hr x 0.08hrs = $7)
Affirmation: initial affirmation post assessment: $560
Reaffirmations: It is estimated that the cost to reaffirm a
CMMC Level 1 annually for a small entity is $560:
A director (MGMT5) for 2 hours ($190.52/hr x 2hrs = $381)
A staff IT specialist (IT4-SB) for 2.08 hours ($86.24/hr x
2.08hrs = $179)
The Level 1 self-assessment and affirmations cost burden
will be addressed as part of the 48 CFR part 204 CMMC Acquisition rule.
---------------------------------------------------------------------------
\48\ A person needs to enter the information into SPRS, which
should only take five minutes.
---------------------------------------------------------------------------
Summary: The following is the annual small entities total
cost summary
for Level 1 self-assessments and affirmations over a ten-year period:
(Example calculation, Year 1: *$5,977 per entity x 699 entities
(cumulative) = $4,177,845)
[GRAPHIC] [TIFF OMITTED] TR15OC24.013
All Entities Summary
The following is a summary of the combined costs for both small and
other than small entities for Level 1 self-assessments and affirmations
over a ten-year period:
[GRAPHIC] [TIFF OMITTED] TR15OC24.014
CMMC Level 2 Self-Assessment and Affirmation Costs
Other Than Small Entities
Nonrecurring and Recurring Engineering Costs: There are no
nonrecurring or recurring engineering costs associated with Level 2
self-assessment since it is assumed the contractor or subcontractor has
implemented the NIST SP 800-171 R2 security requirements.
Self-Assessment Costs and Initial Affirmation Costs: It is
estimated that the cost to support a Level 2 self-assessment and
affirmation is *$43,403. The three-year cost is $48,827 (as summarized
in 4.1.2, table 9), which includes the triennial assessment +
affirmation, and two additional annual affirmations ($43,403 + $2,712 +
$2,712).
Phase 1: Planning and preparing for the self-assessment:
$18,015
A director (MGMT5) for 30 hours
($190.52/hr x 30hrs = $5,716)
A manager (MGMT2) for 40 hours ($95.96/hr x 40hrs =
$3,838)
A staff IT specialist (IT4) for 46 hours ($97.49/hr x
46hrs = $4,485)
A senior IT specialist (IT3) for 26 hours ($81.96/hr x
26hrs = $2,131)
An IT specialist (IT2) for 34 hours ($54.27/hr x 34hrs =
$1,845)
Phase 2: Conducting the self-assessment: $19,964
A director (MGMT5) for 24 hours ($190.52/hr x 24hrs =
$4,572)
A manager (MGMT2) for 24 hours ($95.96/hr x 24hrs =
$2,303)
A staff IT specialist (IT4) for 56 hours ($97.49/hr x
56hrs = $5,460)
A senior IT specialist (IT3) for 56 hours ($81.96/hr x
56hrs = $4,590)
An IT specialist (IT2) for 56 hours ($54.27/hr x 56hrs =
$3,039)
Phase 3: Reporting of self-assessment results into SPRS:
$2,712
A director (MGMT5) for 4 hours ($190.52/hr x 4hrs = $762)
A manager (MGMT2) for 4 hours ($95.96/hr x 4hrs = $384)
A staff IT specialist (IT4) for 16 hours ($97.49/hr x
16hrs = $1,560)
A senior IT specialist (IT3) for 0.08 hours ($81.96/hr x
0.08hrs = $7)
Affirmation: initial affirmation post assessment: $2,712
Reaffirmations: It is estimated that the cost to perform an
annual affirmation for CMMC Level 2 self-assessment is $2,712 (three-
year cost is $8,136, or $2,712 x 3):
A director (MGMT5) for 4 hours ($190.52/hr x 4hrs = $762)
A manager (MGMT2) for 4 hours ($95.96/hr x 4hrs = $384)
A staff IT specialist (IT4) for 16 hours ($97.49/hr x
16hrs = $1,560)
A senior IT specialist (IT3) for 0.08 hours ($81.96/hr x
0.08hrs = $7)
The Level 2 self-assessment and affirmations cost burden
will be addressed as part of the 48 CFR part 204 CMMC Acquisition rule.
Summary: The following is the annual other than small
entities total cost summary for CMMC Level 2 self-assessments and
affirmations over a ten-year period: (Example calculation, Year 2:
(*$43,403 assessment per entity x 35 entities) + ($2,712 annual
affirmation per entity x 7 entities) = $1,538,092)
[GRAPHIC] [TIFF OMITTED] TR15OC24.015
Small Entities
Nonrecurring and recurring engineering costs: There are no
nonrecurring or recurring engineering costs associated with Level 2
self-assessment since it is assumed the contractor or subcontractor has
implemented the NIST SP 800-171 R2 security requirements.
Self-Assessment Costs and Initial Affirmation Costs: It is
estimated that the cost to support a Level 2 self-assessment and
affirmation for a small entity is *$34,277. The three-year cost is
$37,196 (as summarized in 4.1.2, table 10), which includes the
triennial assessment + affirmation, plus two additional annual
affirmations ($34,277 + $1,459 + $1,459).
Phase 1: Planning and preparing for the self-assessment:
$14,426
A director (MGMT5) for 32 hours ($190.52/hr x 32hrs =
$6,097)
An external service provider (ESP) for 32 hours ($260.28/
hr x 32hrs = $8,329)
Phase 2: Conducting the self-assessment: $15,542
A director (MGMT5) for 16 hours ($190.52/hr x 16hrs =
$3,048)
An external service provider (ESP) for 48 hours ($260.28/
hr x 48hrs = $12,493)
Phase 3: Reporting of self-assessment results into SPRS:
$2,851
A director (MGMT5) for 4 hours ($190.52/hr x 4hrs = $762)
An external service provider (ESP) for 8 hours ($260.28/hr
x 8hrs = $2,082)
A staff IT specialist (IT4-SB) for 0.08 hours ($86.24/hr x
0.08hrs = $7)
Affirmation: initial affirmation post assessment: $1,459
Reaffirmations: It is estimated that the costs to reaffirm a
Level 2 self-assessment annually is $1,459 (three-year costs to
reaffirm a Level 2 self-assessment annually is $4,377, or $1,459 x 3):
A director (MGMT5) for 4 hours ($190.52/hr x 4hrs = $762)
A staff IT specialist (IT4-SB) for 8.08 hours ($86.24/hr x
8.08hrs =
$697)
The Level 2 self-assessment and affirmations cost burden
will be addressed as part of the 48 CFR part 204 CMMC Acquisition rule.
Summary: The following is the annual small entities total
cost summary for Level 2 self-assessments and affirmations over a ten-
year period: (Example calculation, Year 2: (*$34,277 self-assessment
per entity x 101 entities) + ($1,459 annual affirmation per entity x 20
entities) = $3,491,193)
[GRAPHIC] [TIFF OMITTED] TR15OC24.016
All Entities Summary
The following is a summary of the cost to all entities regardless
of size for Level 2 self-assessments and affirmations over a ten-year
period:
[GRAPHIC] [TIFF OMITTED] TR15OC24.017
CMMC Level 2 Certification Assessment and Affirmation Costs
Other Than Small Entities
Nonrecurring and recurring engineering costs: There are no
nonrecurring or recurring engineering costs associated with Level 2
certification assessment since it is assumed the contractor or
subcontractor has implemented the NIST SP 800-171 R2 security
requirements.
Assessment and Initial Affirmation Costs: It is estimated
that the cost to support a Level 2 certification assessment and annual
affirmation for an ``other than small'' entity is *$112,345. The three-
year cost is $117,768 (as summarized in 4.1.2, table 9), and includes a
triennial assessment + affirmation, plus two additional annual
affirmations ($112,345 + $2,712 + $2,712, with a minor rounding
difference.)
Phase 1: Planning and preparing for the certification
assessment: $26,264
A director (MGMT5) for 32 hours ($190.52/hr x 32hrs =
$6,097)
A manager (MGMT2) for 64 hours ($95.96/hr x 64hrs =
$6,141)
A staff IT specialist (IT4) for 72 hours ($97.49/hr x
72hrs = $7,019)