Cybersecurity Maturity Model Certification (CMMC) Program
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Issuing agencies
Abstract
With this final rule, DoD establishes the Cybersecurity Maturity Model Certification (CMMC) Program in order to verify contractors have implemented required security measures necessary to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). The mechanisms discussed in this rule will allow the Department to confirm a defense contractor or subcontractor has implemented the security requirements for a specified CMMC level and is maintaining that status (meaning level and assessment type) across the contract period of performance. This rule will be updated as needed, using the appropriate rulemaking process, to address evolving cybersecurity standards, requirements, threats, and other relevant changes.
Full Text
<html>
<head>
<title>Federal Register, Volume 89 Issue 199 (Tuesday, October 15, 2024)</title>
</head>
<body><pre>
[Federal Register Volume 89, Number 199 (Tuesday, October 15, 2024)]
[Rules and Regulations]
[Pages 83092-83237]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2024-22905]
[[Page 83091]]
Vol. 89
Tuesday,
No. 199
October 15, 2024
Part II
Department of Defense
-----------------------------------------------------------------------
32 CFR Part 170
Cybersecurity Maturity Model Certification (CMMC) Program; Final Rule
Federal Register / Vol. 89, No. 199 / Tuesday, October 15, 2024 /
Rules and Regulations
[[Page 83092]]
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
Office of the Secretary
32 CFR Part 170
[Docket ID: DoD-2023-OS-0063]
RIN 0790-AL49
Cybersecurity Maturity Model Certification (CMMC) Program
AGENCY: Office of the Department of Defense Chief Information Officer
(CIO), Department of Defense (DoD).
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: With this final rule, DoD establishes the Cybersecurity
Maturity Model Certification (CMMC) Program in order to verify
contractors have implemented required security measures necessary to
safeguard Federal Contract Information (FCI) and Controlled
Unclassified Information (CUI). The mechanisms discussed in this rule
will allow the Department to confirm a defense contractor or
subcontractor has implemented the security requirements for a specified
CMMC level and is maintaining that status (meaning level and assessment
type) across the contract period of performance. This rule will be
updated as needed, using the appropriate rulemaking process, to address
evolving cybersecurity standards, requirements, threats, and other
relevant changes.
DATES: This rule is effective December 16, 2024. The incorporation by
reference of certain material listed in this rule is approved by the
Director of the Federal Register as of December 16, 2024.
FOR FURTHER INFORMATION CONTACT: Ms. Diane Knight, Office of the DoD
CIO at osd.pentagon.dod-cio.mbx.cmmc-inquiries@mail.mil or 202-770-
9100.
SUPPLEMENTARY INFORMATION:
History of the Program
The beginnings of CMMC trace back to the November 2010 Executive
Order (E.O.) 13556,\1\ Controlled Unclassified Information. The intent
of this Order was to ``establish an open and uniform program for
managing [unclassified] information that requires safeguarding or
dissemination controls.'' Prior to this E.O., more than 100 different
markings for this information existed across the executive branch. This
ad hoc, agency-specific approach created inefficiency and confusion,
led to a patchwork system that failed to adequately safeguard
information requiring protection, and unnecessarily restricted
information-sharing.
---------------------------------------------------------------------------
\1\ <a href="http://www.federalregister.gov/citation/75-FR-68675">www.federalregister.gov/citation/75-FR-68675</a> (November 4,
2010).
---------------------------------------------------------------------------
As a result, the E.O. established the CUI Program to standardize
the way the executive branch handles information requiring safeguarding
or dissemination controls (excluding information that is classified
under E.O. 13526, Classified National Security Information \2\ or any
predecessor or successor order; or the Atomic Energy Act of 1954,\3\ as
amended).
---------------------------------------------------------------------------
\2\ <a href="http://www.federalregister.gov/citation/75-FR-707">www.federalregister.gov/citation/75-FR-707</a> (December 29,
2009).
\3\ <a href="http://www.govinfo.gov/link/uscode/42/2011">www.govinfo.gov/link/uscode/42/2011</a>, et seq.
---------------------------------------------------------------------------
In 2019, DoD announced the development of CMMC in order to move
away from a ``self-attestation'' model of security. It was first
conceived by the Office of the Under Secretary of Defense for
Acquisition and Sustainment (OUSD(A&S)) to secure the Defense
Industrial Base (DIB) sector against evolving cybersecurity threats. In
September 2020, DoD published the 48 CFR CMMC interim final rule,
Defense Federal Acquisition Regulation Supplement (DFARS): Assessing
Contractor Implementation of Cybersecurity Requirements (DFARS Case
2019-D041 85 FR 48513, September 9, 2020),\4\ which implemented the
DoD's vision for the initial CMMC Program and outlined the basic
features of the framework (tiered model of practices and processes,
required assessments, and implementation through contracts) to protect
FCI and CUI. The 48 CFR CMMC interim final rule became effective on 30
November 2020, establishing a five-year phase-in period. In response to
approximately 750 public comments on the 48 CFR CMMC interim final
rule, in March 2021, the Department initiated an internal review of
CMMC's implementation.
---------------------------------------------------------------------------
\4\ <a href="http://www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of">www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of</a>.
---------------------------------------------------------------------------
In November 2021, the Department announced the revised CMMC
Program, an updated program structure and requirements designed to
achieve the primary goals of the internal review:
<bullet> Safeguard sensitive information to enable and protect the
warfighter
<bullet> Enforce DIB cybersecurity standards to meet evolving threats
<bullet> Ensure accountability while minimizing barriers to compliance
with DoD requirements
<bullet> Perpetuate a collaborative culture of cybersecurity and cyber
resilience
<bullet> Maintain public trust through high professional and ethical
standards
The revised CMMC Program has three key features:
<bullet> Tiered Model: CMMC requires companies entrusted with
Federal contract information and controlled unclassified information to
implement cybersecurity standards at progressively advanced levels,
depending on the type and sensitivity of the information. The program
also describes the process for requiring protection of information
flowed down to subcontractors.
<bullet> Assessment Requirement: CMMC assessments allow the
Department to verify the implementation of clear cybersecurity
standards.
<bullet> Phased Implementation: Once CMMC rules become effective,
certain DoD contractors handling FCI and CUI will be required to
achieve a particular CMMC level as a condition of contract award. CMMC
requirements will be implemented using a 4-phase implementation plan
over a three-year period.
Current Status of the CMMC Program
Separate from this rulemaking, DoD has a proposed acquisition rule
(48 CFR part 204 CMMC Acquisition rule) to amend the Defense Federal
Acquisition Regulation Supplement (DFARS) to address procurement
related considerations and requirements related to this program rule
(32 CFR part 170 CMMC Program rule). The 48 CFR part 204 CMMC
Acquisition rule also partially implements a section of the National
Defense Authorization Act for Fiscal Year 2020 directing the Secretary
of Defense to develop a consistent, comprehensive framework to enhance
cybersecurity for the U.S. defense industrial base.\5\ The 48 CFR part
204 CMMC Acquisition rule, when finalized, will allow DoD to require a
specific CMMC level in a solicitation or contract. When CMMC
requirements are applied to a solicitation, contracting officers will
not make award, exercise an option, or extend the period of performance
on a contract if the offeror or contractor does not have the passing
results of a current certification assessment or self-assessment for
the required CMMC level, and an affirmation of continuous compliance
with the security requirements in the Supplier Performance Risk System
(SPRS) \6\ for all information systems that process, store, or transmit
FCI or CUI during contract performance. Furthermore, the appropriate
CMMC certification requirements will flow down to subcontractors at all
tiers when
the subcontractor processes, stores, or transmits FCI or CUI. It should
be noted the Department may include CMMC requirements on contracts
awarded prior to 48 CFR part 204 CMMC Acquisition rule becoming
effective, but doing so will require bilateral contract modification
after negotiations.
---------------------------------------------------------------------------
\5\ <a href="http://www.federalregister.gov/documents/2024/08/15/2024-18110/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of">www.federalregister.gov/documents/2024/08/15/2024-18110/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of</a>.
\6\ <a href="http://www.sprs.csd.disa.mil/">www.sprs.csd.disa.mil/</a> under OMB control number 0750-0004.
---------------------------------------------------------------------------
To date, the DoD has relied on offeror representation that the
security requirements of National Institute of Standards and Technology
(NIST) Special Publication (SP) 800-171, ``Protecting Controlled
Unclassified Information in Nonfederal Systems and Organizations'' have
been met, as described by 48 CFR 252.204-7008. In some instances, the
DoD has verified contractor implementation of NIST SP 800-171 through
assessment by the Defense Contract Management Agency (DCMA) Defense
Industrial Base Cybersecurity Assessment Center (DIBCAC). As part of
this responsibility, DCMA DIBCAC assesses DIB companies to ensure they
are meeting contractually required cybersecurity standards and to
ensure contractors have the ability to protect CUI for government
contracts they are awarded. DCMA DIBCAC conducts NIST SP 800-171
assessments in support of 48 CFR 252.204-7012 (DFARS clause 252.204-
7012), Safeguarding Covered Defense Information and Cyber Incident
Reporting,\7\ and 48 CFR 252.204-7020 (DFARS clause 252.204-7020), NIST
SP 800-171 DoD Assessment Requirements.\8\ The DCMA DIBCAC
prioritization process is designed to adjust as DoD's cyber priorities
evolve based on ongoing threats. DCMA DIBCAC collects and analyzes data
on DoD contractors to include:
---------------------------------------------------------------------------
\7\ <a href="http://www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting">www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting</a>.
\8\ <a href="http://www.acquisition.gov/dfars/252.204-7020-nist-sp-800-171dod-assessment-requirements">www.acquisition.gov/dfars/252.204-7020-nist-sp-800-171dod-assessment-requirements</a>.
---------------------------------------------------------------------------
<bullet> Mission critical programs, technologies, and
infrastructure and the contractors (prime or lower tier) that support
DoD capabilities.
<bullet> Cyber threats, vulnerabilities, or incidents.
<bullet> DoD Leadership requests.
To date, DCMA DIBCAC has assessed 357 entities including DoD's
major prime contractors. In accordance with NIST SP 800-171, titled
``Protecting Controlled Unclassified Information in Nonfederal Systems
and Organizations,'' Revision 2, February 2020 (includes updates as of
January 28, 2021) (NIST SP 800-171 R2), contractors must describe in a
System Security Plan (SSP) \9\ how the security requirements are met or
how the organizations plan to meet the requirements and address known
and anticipated threats. In the event companies cannot establish full
compliance, they must develop plans of action that describe how
unimplemented security requirements will be met and how any planned
mitigations will be implemented. Although an explicit time limit for
mitigation is not specified in NIST SP 800-171 R2, contractors that
fail to reasonably comply with applicable requirements may be subject
to standard contractual remedies. The CMMC Program's assessment phase-
in plan, as described in Sec. 170.3, does not preclude entities from
immediately seeking a CMMC certification assessment prior to the 48 CFR
part 204 CMMC Acquisition rule being finalized and the clause being
added to new or existing DoD contracts.
---------------------------------------------------------------------------
\9\ Required since November 2016, NIST SP 800-171 R2 security
requirement 3.12.4 states organizations must ``develop, document,
and periodically update system security plans that describe system
boundaries, system environments of operation, how security
requirements are implemented, and the relationships with or
connections to other systems.''
---------------------------------------------------------------------------
The Department estimates 8350 medium and large entities will be
required to meet CMMC Level 2 C3PAO assessment requirements as a
condition of contract award. CMMC Level 2 requirements will apply to
all contractors that process, store, or transmit CUI, and will provide
DoD with a means to assess that CUI safeguarding requirements
prescribed in 32 CFR part 2002 have been met. DoD estimates 135 CMMC
Third-Party Assessment Organization (C3PAO)-led certification
assessments will be completed in the first year, 673 C3PAO
certification assessments in year 2, 2,252 C3PAO certification
assessments in year 3, and 4,452 C3PAO certification assessments in
year four.
Any DoD component can request DCMA DIBCAC to initiate an assessment
and these requests will take priority in the assessment scheduling
process. Once identified for assessment, DCMA DIBCAC determines the
assessment date and notifies the company to begin the pre-assessment
process. Typically, planning and scheduling takes place 3 to 6 months
in advance of a DCMA DIBCAC assessment to allow DCMA DIBCAC and the DIB
company time to prepare; however, DoD's identified priorities may
expedite the execution of an assessment. As discussed in more detail in
the regulatory text, assessment results are reported to DoD, including
key stakeholders via SPRS and made available to the DIB company. Please
see the DCMA DIBCAC website at <a href="http://www.dcma.mil/DIBCAC/">www.dcma.mil/DIBCAC/</a> that includes links
to the pre-assessment documents; a publicly releasable version of the
assessment database; FAQs; an informational video; a link to
Procurement Integrated Enterprise Environment (PIEE), the primary
enterprise procure-to-pay application for the DoD; a link to SPRS where
assessment scores are posted; and links to other reference materials.
As discussed in more detail later in the regulatory text, all
requirements that are scored as NOT MET are identified in a Plan of
Action and Milestones (POA&M) to meet the CMMC requirement.
Organizations Seeking Assessment (OSAs) satisfy the CMMC requirements
needed for contract award either by meeting all 110 security
requirements of NIST SP 800-171 R2 or by receiving a Conditional CMMC
Status, which requires achieving the minimum passing score of 80 percent
and placing only the NOT MET requirements permitted under Sec. 170.21
on the POA&M. All requirements that were scored ``NOT MET'' and placed
on the POA&M must be remedied within 180 days of receiving the
Conditional CMMC Status. Proper implementation of these requirements
must be verified by a second assessment, called a POA&M closeout
assessment. If the POA&M closeout assessment finds that all
requirements have been met, then the OSA will achieve a CMMC Status of
Final Level 2 (Self) or Final Level 2 (C3PAO) as applicable. However,
if the POA&M closeout assessment does not validate all requirements
have been met by the end of the 180 days, then the CMMC Status of
Conditional Level 2 (Self) or Conditional Level 2 (C3PAO) will expire
and at this point, standard contractual remedies will apply for any
current contract.
DoD has created a series of guidance documents to assist
organizations in better understanding the CMMC Program and the
assessment process and scope for each CMMC level. These guidance
documents are available on the DoD CMMC website at <a href="https://dodcio.defense.gov/CMMC/Documentation/">https://dodcio.defense.gov/CMMC/Documentation/</a> and on the DoD Open Government
website at <a href="https://open.defense.gov/Regulatory-Program/Guidance-Documents/">https://open.defense.gov/Regulatory-Program/Guidance-Documents/</a>. The CMMC Program has also been incorporated in the
Department's 2024 Defense Industrial Base Cybersecurity Strategy.\10\
The strategy requires the Department to coordinate and collaborate
across components to identify and close gaps
in protecting DoD networks, supply chains, and other critical
resources. Other prongs of the Department's cybersecurity strategy are
described in the Department's National Industrial Security Program
Operating Manual (NISPOM), which addresses implementation of the Security
Executive Agent Directive (SEAD) 3 \11\ procedures for the protection
and reproduction of classified information; controlled unclassified
information (CUI); National Interest Determination (NID) requirements
for cleared contractors operating under a Special Security Agreement
for Foreign Ownership, Control, or Influence; and eligibility
determinations for personnel security clearance processes and
requirements.\12\
---------------------------------------------------------------------------
\10\ <a href="https://media.defense.gov/2024/Mar/28/2003424523/-1/-1/1/DOD_DOB_CS_STRATEGY_DSD_SIGNED_20240325.PDF">https://media.defense.gov/2024/Mar/28/2003424523/-1/-1/1/DOD_DOB_CS_STRATEGY_DSD_SIGNED_20240325.PDF</a>.
\11\ <a href="http://www.govinfo.gov/content/pkg/FR-2020-12-21/pdf/2020-27698.pdf">www.govinfo.gov/content/pkg/FR-2020-12-21/pdf/2020-27698.pdf</a>.
\12\ <a href="http://www.dcsa.mil/Industrial-Security/National-Industrial-Security-Program-Oversight/32-CFR-Part-117-NISPOM-Rule/">www.dcsa.mil/Industrial-Security/National-Industrial-Security-Program-Oversight/32-CFR-Part-117-NISPOM-Rule/</a>.
---------------------------------------------------------------------------
Overview of Revised CMMC Program
Current Requirements for Defense Contractors and Subcontractors
Currently, Federal contracts (including defense contracts)
involving the transfer of FCI to a non-Government organization follow
the requirements specified in 48 CFR 52.204-21 (Federal Acquisition
Regulation (FAR) clause 52.204-21), Basic Safeguarding of Covered
Contractor Information Systems.\13\ FAR clause 52.204-21 requires
compliance with the 15 security requirements listed in FAR clause
52.204-21(b)(1), items (i) through (xv). These requirements are the minimum necessary
for any entity wishing to receive FCI from the US Government (USG).
---------------------------------------------------------------------------
\13\ <a href="http://www.acquisition.gov/far/52.204-21">www.acquisition.gov/far/52.204-21</a>.
---------------------------------------------------------------------------
Defense contracts involving the development or transfer of CUI to a
non-Government organization are subject to the applicable requirements
of DFARS clause 252.204-7012.\14\ This clause requires defense contractors to
provide adequate security on all covered contractor information systems
by implementing the 110 security requirements specified in NIST SP 800-
171. This clause includes additional requirements; for example, defense
contractors must confirm that any Cloud Service Providers (CSPs) used
by the contractor to handle CUI meet Federal Risk and Authorization
Management Program (FedRAMP) Moderate Baseline or the equivalent
requirements. It also requires defense contractors to flow down all the
requirements to their subcontractors who process, store, or transmit
CUI. The CMMC Program currently does not include any requirements for
contractors operating systems on behalf of the DoD.
---------------------------------------------------------------------------
\14\ <a href="http://www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting">www.acquisition.gov/dfars/252.204-7012-safeguarding-covered-defense-information-and-cyber-incident-reporting</a>.
---------------------------------------------------------------------------
To comply with DFARS clause 252.204-7012, contractors are required
to develop an SSP \15\ detailing the policies and procedures their
organization has in place to comply with NIST SP 800-171. The SSP
serves as a foundational document for the required NIST SP 800-171
self-assessment. To comply with 48 CFR 252.204-7019 (DFARS provision
252.204-7019) and DFARS clause 252.204-7020, self-assessment scores
must be submitted.\16\ The highest score is 110, meaning all 110 NIST
SP 800-171 security requirements have been fully implemented. If a
contractor's Supplier Performance Risk System (SPRS) score is less than
110, indicating security gaps exist, then the contractor must create a
plan of action \17\ identifying security tasks that still need to be
accomplished. In essence, an SSP describes the cybersecurity plan the
contractor has in place to protect CUI. The SSP needs to address each
NIST SP 800-171 security requirement and explain how the requirement is
implemented. This can be through policy, technology, or a combination
of both.
---------------------------------------------------------------------------
\15\ Required since November 2016, NIST SP 800-171 R2 security
requirement 3.12.4 states organizations must ``develop, document,
and periodically update system security plans that describe system
boundaries, system environments of operation, how security
requirements are implemented, and the relationships with or
connections to other systems.''
\16\ <a href="http://www.sprs.csd.disa.mil/">www.sprs.csd.disa.mil/</a> under OMB control number 0750-0004.
\17\ The plan of action requirement described under DFARS clause
252.204-7020 is different from a Plan of Action and Milestones
(POA&M) requirement in CMMC as plans of action do not require
milestones.
---------------------------------------------------------------------------
In November 2020, the DoD released its 48 CFR CMMC interim final
rule, the Defense Federal Acquisition Regulation Supplement: Assessing
Contractor Implementation of Cybersecurity Requirements \18\ (DFARS
Case 2019-D041, 85 FR 61505, November 30, 2020). The goal of this rule
was to increase compliance with its cybersecurity regulations and
improve security throughout the DIB. This rule introduced one new
provision and two new clauses--DFARS provision 252.204-7019, DFARS
clause 252.204-7020, and 48 CFR 252.204-7021 (DFARS clause 252.204-
7021).
---------------------------------------------------------------------------
\18\ <a href="http://www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of">www.federalregister.gov/documents/2020/09/29/2020-21123/defense-federal-acquisition-regulation-supplement-assessing-contractor-implementation-of</a>.
---------------------------------------------------------------------------
<bullet> DFARS provision 252.204-7019 complements DFARS clause
252.204-7012 by requiring contractors to have a NIST SP 800-171
assessment (basic, medium, or high) according to NIST SP 800-171 DoD
Assessment Methodology.\19\ Assessment scores must be reported to the
Department via SPRS. SPRS scores must be submitted by the time of
contract award and not be more than three years old.
---------------------------------------------------------------------------
\19\ <a href="http://www.acq.osd.mil/asda/dpc/cp/cyber/docs/safeguarding/NIST-SP-800-171-Assessment-Methodology-Version-1.2.1-6.24.2020.pdf">www.acq.osd.mil/asda/dpc/cp/cyber/docs/safeguarding/NIST-SP-800-171-Assessment-Methodology-Version-1.2.1-6.24.2020.pdf</a>.
---------------------------------------------------------------------------
<bullet> DFARS clause 252.204-7020 notifies contractors that DoD
reserves the right to conduct a higher-level assessment of contractors'
cybersecurity compliance, and contractors must give DoD assessors full
access to their facilities, systems, and personnel. Further, DFARS
clause 252.204-7020 complements DFARS clause 252.204-7012's flow down
requirements by holding contractors responsible for confirming their
subcontractors have SPRS scores on file prior to awarding them
contracts.
<bullet> DFARS clause 252.204-7021 paves the way for rollout of the
CMMC Program. Once CMMC is implemented, the required CMMC Level and
assessment type will be specified in the solicitation and resulting
contract. Contractors handling FCI or CUI will be required to meet the
CMMC requirement specified in the contract. DFARS clause 252.204-7021
also stipulates contractors will be responsible for flowing down the
CMMC requirements to their subcontractors.
CFR Part 170 Additional Requirements for Defense Contractors and
Subcontractors Discussed in This Final Rule
When this 32 CFR part 170 CMMC Program rule and the complementary
48 CFR part 204 CMMC Acquisition rule are finalized and following a
phased implementation plan, solicitations and resulting defense
contracts involving the processing, storing, or transmitting of FCI or
CUI on a non-Federal system will, unless waived, have a CMMC level and
assessment type requirement that a contractor must meet to be eligible
for a contract award. The four phases of the implementation plan add
CMMC level requirements incrementally, starting in Phase 1 with self-
assessments, and ending in Phase 4, which represents full
implementation of program requirements. The DoD elected to base the
phase-in plan on the level and type of assessment to provide time to
train the necessary number of assessors, and to allow companies time to
understand and implement CMMC requirements. Details of each phase are
addressed in
Sec. 170.3(e). In Phases 2 and 3, DoD will implement CMMC Level 2 and
Level 3 certification requirements, respectively. At full
implementation (Phase 4), DoD will include CMMC requirements in all
applicable DoD contracts and option periods on contracts awarded after
the beginning of Phase 4.
Table 1 defines the requirements for each CMMC level and assessment
type.
Table 1--CMMC Level and Assessment Requirements
----------------------------------------------------------------------------------------------------------------
Level 1 (Self)
  Source & number of security reqts.:
    <bullet> 15 required by FAR clause 52.204-21.
  Assessment reqts.:
    <bullet> Conducted by Organization Seeking Assessment (OSA) annually.
    <bullet> Results entered into SPRS (or its successor capability).
  Plan of action & milestones (POA&M) reqts.:
    <bullet> Not permitted.
  Affirmation reqts.:
    <bullet> After each assessment.
    <bullet> Entered into SPRS.
----------------------------------------------------------------------------------------------------------------
Level 2 (Self)
  Source & number of security reqts.:
    <bullet> 110 NIST SP 800-171 R2 required by DFARS clause 252.204-7012.
  Assessment reqts.:
    <bullet> Conducted by OSA every 3 years.
    <bullet> Results entered into SPRS (or its successor capability).
    <bullet> CMMC Status will be valid for three years from the CMMC Status Date as defined in Sec. 170.4.
  Plan of action & milestones (POA&M) reqts.:
    <bullet> Permitted as defined in Sec. 170.21(a)(2) and must be closed out within 180 days.
    <bullet> Final CMMC Status will be valid for three years from the Conditional CMMC Status Date.
  Affirmation reqts.:
    <bullet> After each assessment and annually thereafter.
    <bullet> Assessment will lapse upon failure to annually affirm.
    <bullet> Entered into SPRS (or its successor capability).
----------------------------------------------------------------------------------------------------------------
Level 2 (C3PAO)
  Source & number of security reqts.:
    <bullet> 110 NIST SP 800-171 R2 required by DFARS clause 252.204-7012.
  Assessment reqts.:
    <bullet> Conducted by C3PAO every 3 years.
    <bullet> Results entered into CMMC Enterprise Mission Assurance Support Service (eMASS) (or its successor capability).
    <bullet> CMMC Status will be valid for three years from the CMMC Status Date as defined in Sec. 170.4.
  Plan of action & milestones (POA&M) reqts.:
    <bullet> Permitted as defined in Sec. 170.21(a)(2) and must be closed out within 180 days.
    <bullet> Final CMMC Status will be valid for three years from the Conditional CMMC Status Date.
  Affirmation reqts.:
    <bullet> After each assessment and annually thereafter.
    <bullet> Assessment will lapse upon failure to annually affirm.
    <bullet> Entered into SPRS (or its successor capability).
----------------------------------------------------------------------------------------------------------------
Level 3 (DIBCAC)
  Source & number of security reqts.:
    <bullet> 110 NIST SP 800-171 R2 required by DFARS clause 252.204-7012.
    <bullet> 24 selected from NIST SP 800-172 Feb2021, as detailed in table 1 to Sec. 170.14(c)(4).
  Assessment reqts.:
    <bullet> Pre-requisite CMMC Status of Level 2 (C3PAO) for the same CMMC Assessment Scope, for each Level 3 certification assessment.
    <bullet> Conducted by Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) every 3 years.
    <bullet> Results entered into CMMC eMASS (or its successor capability).
    <bullet> CMMC Status will be valid for three years from the CMMC Status Date as defined in Sec. 170.4.
  Plan of action & milestones (POA&M) reqts.:
    <bullet> Permitted as defined in Sec. 170.21(a)(3) and must be closed out within 180 days.
    <bullet> Final CMMC Status will be valid for three years from the Conditional CMMC Status Date.
  Affirmation reqts.:
    <bullet> After each assessment and annually thereafter.
    <bullet> Assessment will lapse upon failure to annually affirm.
    <bullet> Level 2 (C3PAO) affirmation must also continue to be completed annually.
    <bullet> Entered into SPRS (or its successor capability).
----------------------------------------------------------------------------------------------------------------
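The Level 2 status lifecycle described under "Current Status of the CMMC Program" (80 percent minimum score, permitted NOT MET items on a POA&M, 180-day closeout) and the validity and affirmation rules of Table 1, modeled as an added example that is not part of the rule text or any DoD, SPRS or eMASS software. It assumes each requirement counts one point (so the 80 percent threshold is 88 of 110 MET) and that the caller supplies the set of requirements Sec. 170.21(a)(2) permits on a POA&M, neither of which this page spells out; requirement identifiers and dates are constructed.

```python
"""Model of the CMMC Level 2 status lifecycle described in the rule text:
scoring against the 110 NIST SP 800-171 R2 requirements, Conditional versus
Final status, the 180-day POA&M closeout, and the three-year validity with
annual affirmation from Table 1.  Constructed sample data; not DoD, SPRS or
eMASS code.

Assumptions not stated on this page: every requirement counts one point, so
the 80 percent threshold is 88 of 110 MET; the set of requirements that may
be placed on a POA&M under Sec. 170.21(a)(2) is supplied by the caller.
"""
from __future__ import annotations

from datetime import date, timedelta
from enum import Enum

TOTAL_REQUIREMENTS = 110          # NIST SP 800-171 R2 security requirements
MIN_PASSING_FRACTION = 0.80       # minimum passing score for Conditional status
POAM_CLOSEOUT_DAYS = 180          # closeout deadline after Conditional Status Date
STATUS_VALIDITY_YEARS = 3         # Table 1: status valid for three years
AFFIRMATION_INTERVAL_DAYS = 365   # Table 1: affirm after assessment, then annually


class Status(Enum):
    FINAL = "Final Level 2"
    CONDITIONAL = "Conditional Level 2"
    NOT_ACHIEVED = "no CMMC Status (score or POA&M rules not met)"
    EXPIRED = "Conditional Level 2 expired (POA&M not closed within 180 days)"


def evaluate_level2(results: dict[str, bool],
                    permitted_poam: set[str]) -> tuple[Status, list[str]]:
    """results maps requirement id -> True (MET) / False (NOT MET).
    Returns the resulting status and the POA&M (the NOT MET items)."""
    if len(results) != TOTAL_REQUIREMENTS:
        raise ValueError(f"expected {TOTAL_REQUIREMENTS} results, got {len(results)}")
    not_met = sorted(rid for rid, met in results.items() if not met)
    if not not_met:
        return Status.FINAL, []                      # all 110 MET: Final outright
    score = (TOTAL_REQUIREMENTS - len(not_met)) / TOTAL_REQUIREMENTS
    if score >= MIN_PASSING_FRACTION and all(rid in permitted_poam for rid in not_met):
        return Status.CONDITIONAL, not_met           # 80 percent and only permitted gaps
    return Status.NOT_ACHIEVED, not_met


def poam_closeout(conditional_status_date: date, closeout_date: date,
                  closeout_results: dict[str, bool]) -> Status:
    """Second assessment of the POA&M items.  Final only if every item is MET
    and the closeout assessment happens within 180 days; otherwise the
    Conditional status expires and contractual remedies apply."""
    deadline = conditional_status_date + timedelta(days=POAM_CLOSEOUT_DAYS)
    if closeout_date > deadline or not all(closeout_results.values()):
        return Status.EXPIRED
    return Status.FINAL


def _add_years(d: date, years: int) -> date:
    try:
        return d.replace(year=d.year + years)
    except ValueError:                               # 29 Feb in a non-leap target year
        return d.replace(year=d.year + years, day=28)


def status_is_current(status_date: date, affirmations: list[date], on: date) -> bool:
    """Table 1 validity: three years from the CMMC Status Date, provided an
    affirmation follows the assessment and recurs at least annually; a gap of
    more than a year between affirmations lapses the status."""
    if on < status_date or on >= _add_years(status_date, STATUS_VALIDITY_YEARS):
        return False
    window = timedelta(days=AFFIRMATION_INTERVAL_DAYS)
    last = status_date                               # the assessment itself starts the clock
    for affirmed in sorted(a for a in affirmations if a <= on):
        if affirmed - last > window:
            return False                             # missed an annual affirmation
        last = affirmed
    return on - last <= window


if __name__ == "__main__":
    # Constructed data: REQ-000..REQ-099 MET, REQ-100..REQ-109 NOT MET.
    results = {f"REQ-{i:03d}": i < 100 for i in range(TOTAL_REQUIREMENTS)}
    permitted = {f"REQ-{i:03d}" for i in range(100, TOTAL_REQUIREMENTS)}
    status, poam = evaluate_level2(results, permitted)
    print(status.value, "with", len(poam), "items on the POA&M")
    conditional_date = date(2025, 1, 10)
    closeout = poam_closeout(conditional_date, date(2025, 7, 9), {r: True for r in poam})
    print("closeout on day 180:", closeout.value)
    print("current on 2026-06-01:", status_is_current(
        conditional_date, [date(2025, 1, 10), date(2026, 1, 5)], date(2026, 6, 1)))
```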
Program Walkthrough--Contractor Perspective
This section will provide a simplified walkthrough of the CMMC
Program from the perspective of an Organization Seeking Assessment
(OSA) seeking to comply with program requirements.
CMMC Level Selection
An OSA will select the CMMC level it desires to attain. Once the
CMMC Program is implemented, a DoD solicitation will specify the
minimum CMMC Status required to be eligible for award. One of four CMMC
Statuses will be specified:
<bullet> Level 1 (Self) is a self-assessment to secure FCI
processed, stored, or transmitted in the course of fulfilling the
contract. The OSA must comply with the 15 security requirements set by
FAR clause 52.204-21. All 15 requirements must be met in full--no
exceptions are allowed.
<bullet> Level 2 (Self) is a self-assessment to secure CUI
processed, stored, or transmitted in the course of fulfilling the
contract. The OSA must comply with the 110 Level 2 security
requirements derived from NIST SP 800-171 R2.
<bullet> Level 2 (C3PAO) differs from Level 2 (Self) in the method
of verifying compliance. OSAs must hire a C3PAO to conduct an
assessment of the OSA's compliance with the 110 security requirements
of NIST SP 800-171 R2. OSAs can shop for C3PAOs on the CMMC
Accreditation Body (AB) Marketplace.
<bullet> Level 3 (DIBCAC) is a government assessment of 24
additional requirements derived from NIST SP 800-172, titled ``Enhanced
Security Requirements for Protecting Controlled Unclassified
Information: A Supplement to NIST Special Publication 800-171,''
February 2021 (NIST SP 800-172 Feb2021). The OSA must ensure that it
has already achieved a CMMC Status of Final Level 2 (C3PAO) before
seeking CMMC Status of Final Level 3 (DIBCAC). Once this is done, an
OSA should then initiate a Level 3 certification assessment by emailing
a request to Defense Contract Management Agency (DCMA) Defense
Industrial Base Cybersecurity Assessment Center (DIBCAC) point of
contact found at <a href="http://www.dcma.mil/DIBCAC">www.dcma.mil/DIBCAC</a>, being sure to include the Level 2
(C3PAO) certification unique identifier in the email.
Scoping
In order to achieve a specified CMMC Status, OSAs must first
identify which information systems, including systems or services
provided by External Service Providers (ESPs), will process, store, or
transmit FCI, for Level 1 (Self), and CUI for all other CMMC Statuses.
These information systems constitute the scope of the assessment.
Within these information systems, for Level 2 and Level 3 the
assets should be further broken down into asset categories: Contractor
Risk Managed Assets (Level 2), Security Protection Assets (Level 2 and
3), and Specialized Assets (Level 2 and 3). For Level 1 all assets,
with the exclusion of Specialized Assets, are simply identified as
either in-scope or out-of-scope based on whether they process, store,
or transmit FCI. Definitions and treatment of these categories as they
relate to assessment scoping, treatment of ESPs, and treatment of
assets which cannot be secured due to their inherent design, can be
found at Sec. 170.19.
Assessment and Affirmation
a. OSAs that meet all 15 Level 1 requirements have achieved CMMC
Status of Final Level 1 (Self). The OSA
[[Page 83096]]
must submit an affirmation of compliance with FAR clause 52.204-21
requirements in SPRS. At this point, OSAs have satisfied the CMMC
requirements needed for award of contracts requiring a CMMC Status of
Final Level 1 (Self). To maintain a CMMC Status of Final Level 1
(Self), this entire process must be repeated in full on an annual
basis, including both self-assessment and affirmation.
b. For Level 2 assessments, if all 110 requirements are satisfied,
the assessment score will be 110 and the OSA will have achieved a CMMC
Status of Final Level 2 (Self) or Final Level 2 (C3PAO) as applicable
and is eligible for contract award as long as all other contractual
requirements are met.
Not all requirements must immediately be MET to be eligible for
contract award. If the minimum score is achieved on the assessment
(equal to 80% of the maximum score) and certain critical requirements
are met, OSAs will achieve a CMMC Status of Conditional Level 2 (Self)
or Conditional Level 2 (C3PAO) as applicable. All NOT MET requirements
must be noted in an assessment Plan of Action and Milestones (POA&M).
At this point the OSA will have satisfied the CMMC requirements needed
for contract award. OSAs must have met all 110 security requirements of
NIST SP 800-171 R2 within 180 days of receiving their Conditional CMMC
Status, which must be verified with a second assessment, called a POA&M
closeout assessment. If the POA&M closeout assessment finds that all
requirements have been met, then the OSA will achieve a CMMC Status of
Final Level 2 (Self) or Final Level 2 (C3PAO) as applicable. However,
if a POA&M closeout assessment does not find that all requirements have
been met by the end of 180 days, then the CMMC Status of Conditional
Level 2 (Self) or Conditional Level 2 (C3PAO) will expire. At this
point, standard contractual remedies will apply.
The OSA should submit an affirmation into SPRS after achieving a
CMMC Status of Conditional Level 2 (Self) or CMMC Status of Conditional
Level 2 (C3PAO) as applicable. OSAs should submit an affirmation once a
CMMC Status of Final Level 2 (Self) or Final Level 2 (C3PAO) as
applicable is achieved. Being eligible for contracts subject to CMMC
Level 2 (Self) also indicates eligibility for contracts subject to
Level 1 (Self), and being eligible for contracts subject to CMMC Level
2 (C3PAO) also indicates eligibility for contracts subject to Level 1
(Self) and Level 2 (Self), assuming all other contractual requirements
are met. OSAs must reaffirm in SPRS their compliance with CMMC Level 2
requirements annually but need only conduct a new assessment every
three years. These deadlines are based on the CMMC Status Date of the
Conditional Status if a POA&M was required or the Final Status if the
assessment resulted in a score of 110. CMMC Status Date is not based on
the date of a POA&M closeout assessment.
c. For Level 3 assessments, OSAs should note that asset categories
are assessed against security requirements differently than they are at
Level 2. In particular, Contractor Risk Managed Assets identified in a
Level 2 scope are treated as CUI Assets if they reside within a Level 3
scope. Definitions and treatment of these assets at Level 3 as they
relate to scoping of the assessment, in addition to treatment of ESPs,
are described in Sec. 170.19(d).
During the course of assessment, DCMA DIBCAC will focus on
assessing compliance with all 24 selected requirements derived from
NIST SP 800-172 Feb2021, but limited checks may be performed on the 110
requirements from NIST SP 800-171 R2. If DCMA DIBCAC identifies that
all 24 requirements from NIST SP 800-172 Feb2021 are satisfied, the OSA
will have achieved a CMMC Status of Final Level 3 (DIBCAC) and is
eligible for contract award as long as all other contractual
requirements are met. Not all requirements must immediately be MET to
be eligible for contract award. If the minimum score is achieved on the
assessment (equal to 80% of the maximum score of 24) and certain
critical requirements are met, OSAs will achieve a CMMC Status of
Conditional Level 3 (DIBCAC), and all NOT MET requirements must be
noted in a POA&M. At this point the OSA will have satisfied the CMMC
requirements needed for contract award.
OSAs must have met all 24 selected security requirements of NIST SP
800-172 Feb2021 within 180 days of receiving their Conditional CMMC
Status, which must be verified with a POA&M closeout assessment by DCMA
DIBCAC. If the POA&M closeout assessment finds that all requirements
have been met, then the OSA will achieve a CMMC Status of Final Level 3
(DIBCAC). However, if a POA&M closeout assessment does not find that
all requirements have been met by the end of 180 days, then the CMMC
Status of Conditional Level 3 (DIBCAC) will expire. At this point,
standard contractual remedies will apply.
The OSA should submit an affirmation into SPRS after achieving a
CMMC Status of Conditional Level 3 (DIBCAC) if applicable and once a
CMMC Status of Final Level 3 (DIBCAC) is achieved. Being eligible for
contracts subject to CMMC Level 3 (DIBCAC) also indicates eligibility
for contracts subject to Level 1 (Self), Level 2 (Self), and Level 2
(C3PAO), assuming all other contractual requirements are met. To
maintain CMMC Level 3 (DIBCAC) status, an OSA must undergo both a Level
2 certification assessment and a Level 3 certification assessment every
three years and separately affirm compliance with Level 2 and Level 3
requirements in SPRS annually. These deadlines are based on the CMMC
Status Date of the Conditional certification if applicable or the CMMC
Status Date of the Final determination. CMMC Status Date is not based
on the date of a POA&M closeout assessment.
Flow-Down
If the OSA employs subcontractors to fulfill the contract, those
subcontractors must also have a minimum CMMC Status as shown in table
2.
Table 2--Minimum Flow-Down Requirements
------------------------------------------------------------------------
                                 Minimum subcontractor requirement if the
                                 subcontractor will process, store, or
  Prime contractor requirement   transmit
                                 ---------------------------------------
                                       FCI                  CUI
------------------------------------------------------------------------
Level 1 (Self).............. Level 1 (Self)...... N/A.
Level 2 (Self).............. Level 1 (Self)...... Level 2 (Self).
Level 2 (C3PAO)............. Level 1 (Self)...... Level 2 (C3PAO).
Level 3 (DIBCAC)............ Level 1 (Self)...... Level 2 (C3PAO).
------------------------------------------------------------------------
[[Page 83097]]
Summary of Provisions Contained in This Rule
Section 170.1 Purpose
Section 170.1 addresses the purpose of this rule. It describes the
CMMC Program and establishes policy for requiring the protection of FCI
and CUI that is processed, stored, or transmitted on defense contractor
and subcontractor information systems. The security standards utilized
in the CMMC Program are from the FAR clause 52.204-21; DFARS clause
252.204-7012 that implements NIST SP 800-171 R2; and selected
requirements from the NIST SP 800-172 Feb2021, as applicable. The
purpose of the CMMC Program is for contractors and subcontractors to
demonstrate that FCI and CUI being processed, stored, or transmitted is
adequately safeguarded through the methodology provided in the rule.
Section 170.2 Incorporation by Reference
Section 170.2 addresses the standards and guidelines that are
incorporated by reference. The Director of the Federal Register under 5
U.S.C. 552(a) and 1 CFR part 51 approves any materials that are
incorporated by reference. Materials that are incorporated by reference
in this rule are reasonably available. Information on how to access the
documents is detailed in Sec. 170.2. Materials that are incorporated
by reference in this rule are from the NIST (see Sec. 170.2(a)), the
Committee on National Security Systems (see Sec. 170.2(b)), and the
International Organization for Standardization/International
Electrotechnical Commission (ISO/IEC) (see Sec. 170.2(c)) which may
require payment of a fee.
Note: While the ISO/IEC standards are issued jointly, they are
available from the ISO Secretariat (see Sec. 170.2(c)).
The American National Standards Institute (ANSI) IBR Portal
provides access to standards that have been incorporated by reference
in the U.S. Code of Federal Regulations at <a href="https://ibr.ansi.org">https://ibr.ansi.org</a>. These
standards incorporated by the U.S. government in rulemakings are
offered at no cost in ``read only'' format and are presented for online
reading. There are no print or download options. All users will be
required to install the FileOpen plug-in and accept an online end user
license agreement prior to accessing any standards.
The materials that are incorporated by reference are summarized
below.
(a) Federal Information Processing Standard (FIPS) Publication
(PUB) 200 (FIPS PUB 200), titled ``Minimum Security Requirements for
Federal Information and Information Systems,'' is the second of two
security standards mandated by the Federal Information Security
Management Act (FISMA). It specifies minimum security requirements for
information and information systems supporting the executive agencies
of the Federal government and a risk-based process for selecting the
security controls necessary to satisfy the minimum-security
requirements. This standard promotes the development, implementation,
and operation of more secure information systems within the Federal
Government by establishing minimum levels of due diligence for
information security and facilitating a more consistent, comparable,
and repeatable approach for selecting and specifying security controls
for information systems that meet minimum security requirements. This
document is incorporated by reference as a source for definitions.
(b) FIPS PUB 201-3, titled ``Personal Identity Verification (PIV)
of Federal Employees and Contractors,'' establishes a standard for a
PIV system that meets the control and security objectives of Homeland
Security Presidential Directive-12. It is based on secure and reliable
forms of identity credentials issued by the Federal Government to its
employees and contractors. These credentials are used by mechanisms
that authenticate individuals who require access to federally
controlled facilities, information systems, and applications. This
Standard addresses requirements for initial identity proofing,
infrastructure to support interoperability of identity credentials, and
accreditation of organizations and processes issuing PIV credentials.
This document is incorporated by reference as a source for definitions.
(c) NIST SP 800-37, titled ``Risk Management Framework for
Information Systems and Organizations: A System Life Cycle Approach for
Security and Privacy,'' Revision 2 (NIST SP 800-37 R2), describes the
Risk Management Framework (RMF) and provides guidelines for applying
the RMF to information systems and organizations. The RMF provides a
disciplined, structured, and flexible process for managing security and
privacy risk that includes information security categorization; control
selection, implementation, and assessment; system and common control
authorizations; and continuous monitoring. The RMF includes activities
to prepare organizations to execute the framework at appropriate risk
management levels. The RMF also promotes near real-time risk management
and ongoing information system and common control authorization through
the implementation of continuous monitoring processes; provides senior
leaders and executives with the necessary information to make
efficient, cost-effective, risk management decisions about the systems
supporting their missions and business functions; and incorporates
security and privacy into the system development life cycle. Executing
the RMF tasks links essential risk management processes at the system
level to risk management processes at the organization level. In
addition, it establishes responsibility and accountability for the
controls implemented within an organization's information systems and
inherited by those systems. This document is incorporated by reference
as a source for definitions.
(d) NIST SP 800-39, titled ``Managing Information Security Risk:
Organization, Mission, and Information System View,'' March 2011 (NIST
SP 800-39 Mar2011), provides guidance for an integrated, organization-
wide program for managing information security risk to organizational
operations (i.e., mission, functions, image, and reputation),
organizational assets, individuals, other organizations, and the Nation
resulting from the operation and use of Federal information systems.
NIST SP 800-39 Mar2011 provides a structured, yet flexible approach for
managing risk that is intentionally broad-based, with the specific
details of assessing, responding to, and monitoring risk on an ongoing
basis provided by other supporting NIST security standards and
guidelines. The guidance provided in this publication is not intended
to replace or subsume other risk-related activities, programs,
processes, or approaches that organizations have implemented or intend
to implement addressing areas of risk management covered by other
legislation, directives, policies, programmatic initiatives, or
mission/business requirements. Rather, the risk management guidance
described herein is complementary to and should be used as part of a
more comprehensive Enterprise Risk Management (ERM) program. This
document is incorporated by reference as a source for definitions.
(e) NIST SP 800-53, titled ``Security and Privacy Controls for
Information Systems and Organizations,'' Revision 5 (NIST SP 800-53
R5), provides a catalog of security and privacy controls for
information systems and organizations to protect organizational
operations and assets, individuals, other organizations,
[[Page 83098]]
and the Nation from a diverse set of threats and risks, including
hostile attacks, human errors, natural disasters, structural failures,
foreign intelligence entities, and privacy risks. The controls are
flexible and customizable and implemented as part of an organization-
wide process to manage risk. The controls address diverse requirements
derived from mission and business needs, laws, executive orders,
directives, regulations, policies, standards, and guidelines. Finally,
the consolidated control catalog addresses security and privacy from a
functionality perspective (i.e., the strength of functions and
mechanisms provided by the controls) and from an assurance perspective
(i.e., the measure of confidence in the security or privacy capability
provided by the controls). Addressing functionality and assurance helps
to ensure that information technology products and the systems that
rely on those products are sufficiently trustworthy. This document is
incorporated by reference as a source for definitions.
(f) NIST SP 800-82r3, titled ``Guide to Operational Technology (OT)
Security,'' September 2023 (NIST SP 800-82r3), provides guidance on how
to secure industrial control systems (ICS), including Supervisory Control and Data Acquisition
(SCADA) systems, Distributed Control Systems (DCS), and other control
system configurations such as Programmable Logic Controllers (PLC),
while addressing their unique performance, reliability, and safety
requirements. The document provides an overview of ICS and typical
system topologies, identifies typical threats and vulnerabilities to
these systems, and provides recommended security countermeasures to
mitigate the associated risks. This document is incorporated by
reference as a source for definitions.
(g) NIST SP 800-115, titled ``Technical Guide to Information
Security Testing and Assessment,'' September 2008 (NIST SP 800-115
Sept2008), assists organizations in planning and conducting technical
information security tests and examinations, analyzing findings, and
developing mitigation strategies. The guide provides practical
recommendations for designing, implementing, and maintaining technical
information security test and examination processes and procedures.
These can be used for several purposes, such as finding vulnerabilities
in a system or network and verifying compliance with a policy or other
requirements. The guide is not intended to present a comprehensive
information security testing and examination program but rather an
overview of key elements of technical security testing and examination,
with an emphasis on specific technical techniques, the benefits and
limitations of each, and recommendations for their use. This document
is incorporated by reference as a source for definitions.
(h) NIST SP 800-160, Volume 2, titled ``Developing Cyber-Resilient
Systems: A Systems Security Engineering Approach,'' Revision 1,
December 2021 (NIST SP 800-160 V2R1), focuses on cyber resiliency
engineering--an emerging specialty systems engineering discipline
applied in conjunction with systems security engineering and resilience
engineering to develop survivable, trustworthy secure systems. Cyber
resiliency engineering intends to architect, design, develop,
implement, maintain, and sustain the trustworthiness of systems with
the capability to anticipate, withstand, recover from, and adapt to
adverse conditions, stresses, attacks, or compromises that use or are
enabled by cyber resources. From a risk management perspective, cyber
resiliency is intended to help reduce the mission, business,
organizational, enterprise, or sector risk of depending on cyber
resources. This document is incorporated by reference as a source for
definitions.
(i) NIST SP 800-171, titled ``Protecting Controlled Unclassified
Information in Nonfederal Systems and Organizations,'' Revision 2,
February 2020 (includes updates as of January 28, 2021) (NIST SP 800-
171 R2), provides agencies with recommended security requirements for
protecting the confidentiality of CUI when the information is resident
in nonfederal systems and organizations; when the nonfederal
organization is not collecting or maintaining information on behalf of
a Federal agency or using or operating a system on behalf of an agency;
and where there are no specific safeguarding requirements for
protecting the confidentiality of CUI prescribed by the authorizing
law, regulation, or governmentwide policy for the CUI category listed
in the CUI Registry. The requirements apply to all components of
nonfederal systems and organizations that process, store, and/or
transmit CUI, or that provide protection for such components. The
security requirements are intended for use by Federal agencies in
contractual vehicles or other agreements established between those
agencies and nonfederal organizations. This document is incorporated by
reference as a foundational source for definitions and security
requirements.
(j) NIST SP 800-171A, titled ``Assessing Security Requirements for
Controlled Unclassified Information,'' June 2018 (NIST SP 800-171A
Jun2018), provides Federal and non-Federal organizations with
assessment procedures and a methodology that can be employed to conduct
assessments of the CUI security requirements in NIST SP 800-171 R2. The
assessment procedures are flexible and can be customized to the needs
of the organizations and the assessors conducting the assessments.
Security assessments can be conducted as self-assessments; independent,
third-party assessments; or government-sponsored assessments and can be
applied with various degrees of rigor, based on customer-defined depth
and coverage attributes. The findings and evidence produced during the
security assessments can facilitate risk-based decisions by
organizations related to the CUI requirements. This document is
incorporated by reference as a foundational source for definitions and
assessment.
(k) NIST SP 800-172, titled ``Enhanced Security Requirements for
Protecting Controlled Unclassified Information: A Supplement to NIST
Special Publication 800-171,'' February 2021 (NIST SP 800-172 Feb2021),
provides Federal agencies with recommended enhanced security
requirements for protecting the confidentiality of CUI: (1) when the
information is resident in nonfederal systems and organizations; (2)
when the nonfederal organization is not collecting or maintaining
information on behalf of a Federal agency or using or operating a
system on behalf of an agency; and (3) where there are no specific
safeguarding requirements for protecting the confidentiality of CUI
prescribed by the authorizing law, regulation, or government-wide
policy for the CUI category listed in the CUI Registry. The enhanced
requirements apply only to components of nonfederal systems that
process, store, or transmit CUI or that provide security protection for
such components when the designated CUI is associated with a critical
program or high value asset. The enhanced requirements supplement the
basic and derived security requirements in NIST SP 800-171 R2 and are
intended for use by Federal agencies in contractual vehicles or other
agreements established between those agencies and nonfederal
organizations. This document is incorporated by reference as a
foundational source for security requirements.
(l) NIST SP 800-172A, titled ``Assessing Enhanced Security
[[Page 83099]]
Requirements for Controlled Unclassified Information,'' March 2022
(NIST SP 800-172A Mar2022), provides Federal agencies and nonfederal
organizations with assessment procedures that can be used to carry out
assessments of the requirements in NIST SP 800-172 Feb2021. The
assessment procedures are flexible and can be tailored to the needs of
organizations and assessors. Assessments can be conducted as (1) self-
assessments; (2) independent, third-party assessments; or (3)
government-sponsored assessments. The assessments can be conducted with
varying degrees of rigor based on customer-defined depth and coverage
attributes. The findings and evidence produced during the assessments
can be used to facilitate risk-based decisions by organizations related
to the CUI enhanced security requirements. This document is
incorporated by reference as a foundational source for definitions and
assessment.
(m) ISO/IEC 17011:2017(E), titled ``Conformity assessment--
Requirements for accreditation bodies accrediting conformity assessment
bodies,'' Second edition, November 2017 (ISO/IEC 17011:2017(E)),
specifies requirements for the competence, consistent operation and
impartiality of accreditation bodies assessing and accrediting
conformity assessment bodies. This document is incorporated by
reference as a source for requirements on the CMMC Ecosystem.
(n) ISO/IEC 17020:2012(E), titled ``Conformity assessment--
Requirement for the operation of various types of bodies performing
inspection,'' Second edition, March 1, 2012 (ISO/IEC 17020:2012(E)),
specifies requirements for the competence of bodies performing
inspection and for the impartiality and consistency of their inspection
activities. It applies to inspection bodies of type A, B or C, as
defined in ISO/IEC 17020:2012(E), and it applies to any stage of
inspection. This document is incorporated by reference as a source
for requirements on the CMMC Ecosystem.
(o) ISO/IEC 17024:2012(E), titled ``Conformity assessment--General
requirements for bodies operating certification of persons,'' Second
edition, July 1, 2012 (ISO/IEC 17024:2012(E)), contains principles and
requirements for a body certifying persons against specific
requirements and includes the development and maintenance of a
certification scheme for persons. This document is incorporated by
reference as a source for requirements on the CMMC Ecosystem.
Section 170.3 Applicability
Section 170.3 identifies entities to which the rule applies and how
the Department intends to implement the rule. The rule applies to
defense contractors and subcontractors that will process, store, or
transmit FCI or CUI in performance of a DoD contract, and private-
sector businesses or other entities that are specified in Subpart C.
This rule does not apply to Federal information systems operated by
contractors and subcontractors in support of the Government. CMMC
Program requirements apply to DoD solicitations and contracts requiring
defense contractors and subcontractors to process, store, or transmit
FCI or CUI. Exceptions to the applicability of this rule are addressed
in Sec. 170.3(c)(1) and (2). Department Program Managers or requiring
activities will determine which CMMC Level and assessment type will
apply to a contract or procurement. Applicability of the required CMMC
Level and assessment type to subcontractors is addressed in Sec.
170.23.
Section 170.3 addresses the four-phased implementation plan of the
CMMC Program requirements in solicitations and contracts. Phase 1
begins on the effective date of this CMMC 32 CFR part 170 CMMC Program
rule or the complementary 48 CFR part 204 CMMC Acquisition rule,
whichever occurs later. More information regarding Phase 1 can be found
in Sec. 170.3(e)(1). Phase 2 begins one calendar year after the start
date of Phase 1. More information regarding Phase 2 can be found in
Sec. 170.3(e)(2). Phase 3 begins one calendar year after the start
date of Phase 2. More information regarding Phase 3 can be found in
Sec. 170.3(e)(3). Phase 4, or full implementation, begins one calendar
year after the start date of Phase 3. More information regarding Phase
4 can be found in Sec. 170.3(e)(4).
Section 170.4 Acronyms and Definitions
Section 170.4 includes acronyms and definitions used in the rule
text and can be used as a reference while reading the text and tables.
CMMC introduces new terms and associated definitions, and customizes
definitions for existing terms, as applied to the CMMC Program. CMMC-
custom terms and definitions are clearly marked to distinguish from
terms sourced externally. CMMC also utilizes terms created by other
authoritative sources, including NIST. Terms from other authoritative
sources are also listed in Sec. 170.4 and are properly sourced.
The Department developed the following CMMC-custom terms to enhance
understanding of the requirements and elements of the CMMC Program:
<bullet> Accreditation
<bullet> Accreditation Body
<bullet> Affirming Official
<bullet> Assessment
<bullet> Level 1 self-assessment
<bullet> Level 2 self-assessment
<bullet> Level 2 certification assessment
<bullet> Level 3 certification assessment
<bullet> POA&M closeout self-assessment
<bullet> POA&M closeout certification assessment
<bullet> Assessment Findings Report
<bullet> Assessment Team
<bullet> Asset Categories
<bullet> Authorized
<bullet> Cloud Service Provider
<bullet> CMMC Assessment and Certification Ecosystem
<bullet> CMMC Assessment Scope
<bullet> CMMC Assessor and Instructor Certification Organization
(CAICO)
<bullet> CMMC instantiation of eMASS
<bullet> CMMC Status
<bullet> Final Level 1 (Self)
<bullet> Conditional Level 2 (Self)
<bullet> Final Level 2 (Self)
<bullet> Conditional Level 2 (C3PAO)
<bullet> Final Level 2 (C3PAO)
<bullet> Conditional Level 3 (DIBCAC)
<bullet> Final Level 3 (DIBCAC)
<bullet> CMMC Status Date
<bullet> CMMC Third-Party Assessment Organization (C3PAO)
<bullet> Contractor Risk Managed Assets
<bullet> Controlled Unclassified Information (CUI) Assets
<bullet> Enduring Exception
<bullet> External Service Provider (ESP)
<bullet> Operational plan of action
<bullet> Organization-defined
<bullet> Organization Seeking Assessment (OSA)
<bullet> Organization Seeking Certification (OSC)
<bullet> Out-of-Scope Assets
<bullet> Periodically
<bullet> Process, store, or transmit
<bullet> Restricted Information Systems
<bullet> Security Protection Assets
<bullet> Security Protection Data
<bullet> Specialized Assets
<bullet> Temporary Deficiency
<bullet> Test Equipment.
Section 170.5 Policy
Section 170.5 addresses the policy underlying the rule. The
protection of FCI and CUI on defense contractor information systems is
crucial to the continuity of the missions and functions of the DoD. To
that end, this rule requires that contractors and subcontractors
implement the specified security requirements for the applicable
[[Page 83100]]
CMMC Level. For CMMC Level 3, the selected security requirements are
defined in NIST SP 800-172 Feb2021 with the applicable DoD
Organization-Defined Parameters (ODPs) defined in table 1 to Sec.
170.14(c)(4).
Program Managers and requiring activities identify the applicable
CMMC Level and assessment type. Factors used to determine which CMMC
Level and assessment type will be applied include, but are not limited
to, those listed in Sec. 170.5(b)(1) through (5). CMMC Program requirements
will flow down to subcontractors, as applicable (see Sec. 170.23). A
DoD Service Acquisition Executive or a Component Acquisition Executive
may elect to waive inclusion of CMMC Program requirements in a
solicitation or contract.
Section 170.5 addresses that the CMMC Program does not alter the
requirements imposed on contractors and subcontractors in FAR clause
52.204-21, DFARS clause 252.204-7012, or any other applicable
safeguarding of information requirement. The CMMC Program verifies
implementation of security requirements in FAR clause 52.204-21, NIST
SP 800-171 R2, and selected security requirements in NIST SP 800-172
Feb2021, as applicable.
Section 170.6 CMMC PMO
Section 170.6 addresses the CMMC Program Management Office (PMO)
functions that are performed within the Department of Defense Chief
Information Officer (DoD CIO).
Section 170.7 DCMA DIBCAC
Section 170.7 addresses how DCMA DIBCAC will support the CMMC
Program by conducting CMMC Level 2 certification assessments of the
Accreditation Body and C3PAOs; conducting CMMC Level 3 certification
assessments for OSCs; and recording results, issuing certificates,
tracking appeals, and retaining records as required.
Section 170.8 Accreditation Body
Section 170.8 addresses the roles and responsibilities of the
Accreditation Body, as well as requirements that the Accreditation Body
must meet. The Accreditation Body must be US-based; must be and remain a
member in good standing with the Inter-American Accreditation
Cooperation (IAAC); must become an International Laboratory Accreditation
Cooperation (ILAC) Mutual Recognition Arrangement (MRA) signatory, with
a signatory status scope of ISO/IEC 17020:2012(E); and must be compliant
with ISO/IEC 17011:2017(E) \20\. There is only one Accreditation Body for
the DoD CMMC Program at any given time, and its primary mission is to
authorize and accredit the C3PAOs. The Accreditation Body authorizes
and accredits C3PAOs in accordance with the requirements in section
170.8(b).
---------------------------------------------------------------------------
\20\ <a href="http://www.iso.org/standard/67198.html">www.iso.org/standard/67198.html</a>.
---------------------------------------------------------------------------
The Accreditation Body also oversees the CAICO to ensure compliance
with ISO/IEC 17024:2012(E) \21\ and to ensure all training products,
instruction, and testing materials are of high quality.
---------------------------------------------------------------------------
\21\ <a href="http://www.iso.org/standard/52993.html">www.iso.org/standard/52993.html</a>.
---------------------------------------------------------------------------
Section 170.8 addresses specific requirements for the Accreditation
Body with regards to national security background checks, foreign
ownership, reporting, information protection, and appeals. The
Accreditation Body will also develop policies for Conflict of Interest
(CoI), Code of Professional Conduct (CoPC), and Ethics that comply with
all ISO/IEC 17011:2017(E) and DoD requirements. These policies will
apply to the Accreditation Body as well as to all other individuals,
entities, and groups within the CMMC Ecosystem. The information systems
used by the Accreditation Body to process CMMC information have to meet
all of the security requirements for CMMC Level 2 and will be assessed
by DCMA's Defense Industrial Base Cybersecurity Assessment Center
(DIBCAC).
Section 170.9 CMMC Third-Party Assessment Organizations (C3PAOs)
Section 170.9 addresses the roles, responsibilities, and
requirements for C3PAOs, which are the organizations that perform CMMC
Level 2 certification assessments for OSCs. The C3PAOs will submit
assessment data into the CMMC instantiation of eMASS,\22\ a
government-owned and -operated system (the Enterprise Mission Assurance
Support Service). C3PAOs issue Certificates of CMMC
Status, in accordance with the requirements in Sec. 170.17 of this
part.
---------------------------------------------------------------------------
\22\ This system is accessible only to authorized users.
---------------------------------------------------------------------------
Section 170.9 addresses detailed requirements for C3PAOs with
regards to national security background checks, foreign ownership,
reporting, records management, information protection, quality
assurance, and appeals. The information systems used by C3PAOs to
process Level 2 certification assessment information have to meet all
of the security requirements for CMMC Level 2 and will be assessed by
DCMA DIBCAC. C3PAOs need to comply with ISO/IEC 17020:2012(E), as well
as with the Accreditation Body's policies for CoI, CoPC, and Ethics.
Prior to a C3PAO being compliant with ISO/IEC 17020:2012(E), the
C3PAO may be authorized but not accredited. After a C3PAO is compliant
with ISO/IEC 17020:2012(E), the C3PAO may be accredited.
Section 170.10 CMMC Assessor and Instructor Certification Organization
(CAICO)
Section 170.10 addresses the roles, responsibilities, and
requirements for the CAICO, the organization that trains, tests,
designates Provisional Instructors (PIs), and certifies CMMC Certified
Professionals (CCPs), CMMC Certified Assessors (CCAs), and CMMC Certified
Instructors (CCIs). There is only one CAICO for the DoD CMMC Program at
any given time. The CAICO must comply with ISO/IEC 17024:2012(E), as
well as with the Accreditation Body's policies for CoI, CoPC, and
Ethics. Section 170.10 addresses detailed requirements for the CAICO
with regards to certification examinations, quality assurance, appeals,
records management, reporting, separation of duties, and information
protection.
Section 170.11 CMMC Certified Assessor (CCA)
Section 170.11 addresses the roles and responsibilities of a CMMC
Certified Assessor (CCA) who conducts Level 2 certification assessments.
In order to be a CCA, a candidate must first be a CCP, must adhere to
the requirements set forth in Sec. 170.10 and Sec. 170.8(b)(17), and
must complete a Tier 3 background investigation or equivalent. The required
cybersecurity experience for different CCA roles is addressed in Sec.
170.11(b)(6) and (10). Section 170.11 addresses CCA requirements with
respect to security breaches; completion of a Tier 3 background
investigation or equivalent; reporting; sharing assessment information;
and permitted use of C3PAO equipment, devices, and services.
Section 170.12 CMMC Instructor
Section 170.12 addresses the roles and responsibilities of a CMMC
Provisional Instructor (PI) and CMMC Certified Instructor (CCI) to
teach CMMC assessor candidates. Candidate PIs and CCIs are trained and
tested per the requirements set forth in Sec. 170.12(c). Section
170.12(c) also provides candidate PIs and CCIs with the requirements to
obtain and maintain designation or certification (as applicable),
compliance with Accreditation Body policies, work activity exclusions,
confidentiality
[[Page 83101]]
expectations, non-disclosure clause, non-public training related
information, forbidden consulting services, and reporting requirements.
Section 170.13 CMMC Certified Professional (CCP)
Section 170.13 addresses the roles and responsibilities of a CMMC
Certified Professional (CCP) required to provide advice, consulting,
and recommendations to clients. The CAICO trains and tests candidate
CCPs per the requirements set forth in Sec. 170.13(b) with CCP
certification issued upon successful completion. A CCP can participate
on CMMC Level 2 certification assessments with CCA oversight; however,
CCAs are responsible for making final assessment determinations for a
CMMC Status of Conditional or Final Level 2 (C3PAO). A list of CCP
requirements is provided for obtaining and maintaining certification,
compliance with Accreditation Body policies, completion of a Tier 3
background investigation or equivalent, sharing assessment specific
information, and reporting requirements.
Section 170.14 CMMC Model
Section 170.14 addresses the structure, security requirement
contents, organization, sourcing, and numbering of the security
requirements that comprise the CMMC Model. It also provides an overview
of the assessment process. The CMMC Model consists of three (3) levels,
each containing security requirements taken directly from existing
regulations and guidelines. Firstly, Sec. 170.14(2) defines CMMC Level
1 as the 15 security requirements listed in the FAR clause 52.204-
21(b)(1). Secondly, Sec. 170.14(3) defines CMMC Level 2 as the 110
security requirements from the NIST SP 800-171 R2. Lastly, Sec.
170.14(4) defines CMMC Level 3 as 24 selected security requirements
from the NIST SP 800-172 Feb2021.
The CMMC security requirements are organized into domains following
the approach taken in NIST SP 800-171 R2. The numbering of the CMMC
security requirements, addressed in Sec. 170.14(c)(1), is of the form
DD.L#-REQ where the `DD' is the two-letter domain abbreviation, the
`L#' is the CMMC Level, and the `REQ' is based directly on the
numbering in the source. Assessment criteria for these security
requirements, as described in Sec. 170.14(d), are based on security
requirement assessment guidance provided in NIST SP 800-171A Jun2018
and NIST SP 800-172A Mar2022.
Section 170.15 CMMC Level 1 Self-Assessment and Affirmation
Requirements
Section 170.15 addresses how an OSA will achieve and maintain
compliance with the CMMC Status of Level 1 (Self). The OSA must
successfully implement the security requirements listed in Sec.
170.14(c)(2) within their Level 1 CMMC Assessment Scope as described in
Sec. 170.19(b). Successful implementation requires meeting all
objectives defined in NIST SP 800-171A Jun2018 for the corresponding
CMMC Level 1 security requirements as outlined in the mapping table 1
to Sec. 170.15(c)(1)(i).
After implementation, the OSA must perform a Level 1 self-
assessment to verify the implementation and score themselves using the
scoring methodology provided in Sec. 170.24. All objectives must be
met in order for a security requirement to be considered fully
implemented; no security requirements may be placed on a POA&M for
Level 1. The OSA must then input their results into SPRS as described
in Sec. 170.15(a)(1)(i) and submit an affirmation as described in
Sec. 170.22.
In order to be eligible for a contract with a requirement for the
CMMC Status of Level 1 (Self), the OSA must have achieved a CMMC Status
of Final Level 1 (Self) and have submitted an affirmation. These
activities must be completed annually.
Section 170.16 CMMC Level 2 Self-Assessment and Affirmation
Requirements
Section 170.16 addresses how an OSA will achieve and maintain
compliance with the CMMC Status of Level 2 (Self). The OSA must
successfully implement the security requirements listed in Sec.
170.14(c)(3) within its Level 2 CMMC Assessment Scope as described in
Sec. 170.19(c). Successful implementation requires meeting all
objectives defined in NIST SP 800-171A Jun2018 for the corresponding
CMMC Level 2 security requirements. Requirements for ESPs and CSPs that
process, store, or transmit CUI are provided in Sec. 170.16(c)(2) and
(3).
After implementation, the OSA must perform a Level 2 self-
assessment to verify the implementation and score themselves using the
scoring methodology provided in Sec. 170.24. All objectives must be
met in order for a security requirement to be considered fully
implemented; in some cases, if not all objectives are met, some
security requirements may be placed on a POA&M as provided for in Sec.
170.21. If the minimum score has been achieved and some security
requirements are in a POA&M, the OSA has achieved the CMMC Status of
Conditional Level 2 (Self); if all requirements are MET as defined in
Sec. 170.24(b), the OSA has achieved a CMMC Status of Final Level 2
(Self). For Conditional Level 2 (Self), a POA&M closeout must be
conducted within 180 days as described in Sec. 170.21(b) or the
Conditional Level 2 (Self) CMMC Status will expire.
After a Level 2 self-assessment, as well as after a POA&M closeout,
the OSA must input their results into SPRS as described in Sec.
170.16(a)(1)(i) and submit an affirmation as described in Sec. 170.22.
In order to be eligible for a contract with a requirement for the
CMMC Status of Level 2 (Self), the OSA must have achieved the CMMC
Status of either Conditional Level 2 (Self) or Final Level 2 (Self) and
have submitted an affirmation. The Level 2 self-assessment must be
completed every three years and the affirmation must be completed
annually following the Final CMMC Status Date.
Section 170.17 CMMC Level 2 Certification Assessment and Affirmation
Requirements
Section 170.17 addresses how an OSC will achieve and maintain
compliance with the CMMC Status of Level 2 (C3PAO). The OSC must
successfully implement the security requirements listed in Sec.
170.14(c)(3) within its Level 2 CMMC Assessment Scope as described in
Sec. 170.19(c). Successful implementation requires meeting all
objectives defined in NIST SP 800-171A Jun2018 for the corresponding
CMMC Level 2 security requirements. Requirements for ESPs and CSPs that
process, store, or transmit CUI are provided in Sec. 170.17(c)(5) and
(6).
After implementation, the OSC must hire a C3PAO to perform an
assessment to verify the implementation. The C3PAO will score the OSC
using the scoring methodology provided in Sec. 170.24. All objectives
must be met in order for a security requirement to be considered fully
implemented; in some cases, if not all objectives are met, some
security requirements may be placed on a POA&M as defined in Sec.
170.21. If the minimum score has been achieved and some security
requirements are in a POA&M, the OSC has achieved the CMMC Status of
Conditional Level 2 (C3PAO); if all requirements are MET as defined in
Sec. 170.24(b), the OSC has achieved the CMMC Status of Final Level 2
(C3PAO). For Conditional Level 2 (C3PAO), a POA&M closeout must be
conducted within 180 days as described
[[Page 83102]]
in Sec. 170.21(b) or the Conditional Level 2 (C3PAO) CMMC Status will
expire.
After a Level 2 certification assessment, as well as after a POA&M
closeout, the C3PAO will input the OSC's results into the CMMC
instantiation of eMASS as described in Sec. 170.17(a)(1)(i). After a
Level 2 certification assessment, as well as after a POA&M closeout,
the OSC must submit an affirmation as described in Sec. 170.22.
In order to be eligible for a contract with a requirement for the
CMMC Status of Level 2 (C3PAO), the OSC must have achieved the CMMC
Status of either Conditional Level 2 (C3PAO) or Final Level 2 (C3PAO)
and have submitted an affirmation. The Level 2 certification assessment
must be completed every three years and the affirmation must be
completed annually following the Final CMMC Status Date.
Section 170.18 CMMC Level 3 Certification Assessment and Affirmation
Requirements
Section 170.18 addresses how an OSC will achieve and maintain
compliance with the CMMC Status of Level 3 (DIBCAC). The OSC must have
achieved the CMMC Status of Final Level 2 (C3PAO) for information
systems within the Level 3 CMMC Assessment Scope as a prerequisite to
undergo a Level 3 certification assessment. The OSC must successfully
implement the security requirements listed in Sec. 170.14(c)(4)
and table 1 to Sec. 170.14(c)(4) within its Level 3 CMMC Assessment
Scope as described in Sec. 170.19(d). Successful implementation
requires meeting all objectives defined in NIST SP 800-172A Mar2022 for
the corresponding CMMC Level 3 security requirements. Requirements for
ESPs and CSPs that process, store, or transmit CUI are provided in Sec.
170.18(c)(5) and (6).
After implementation, the OSC must contact DCMA DIBCAC to perform
an assessment to verify the implementation. DCMA DIBCAC will score the
OSC using the scoring methodology provided in Sec. 170.24. All
objectives must be met in order for a security requirement to be
considered fully implemented; in some cases, if not all objectives are
met, some security requirements may be placed on a POA&M as defined in
Sec. 170.21. If the minimum score has been achieved and some security
requirements are in a POA&M, the OSC has achieved the CMMC Status of
Conditional Level 3 (DIBCAC); if all requirements are MET as defined in
Sec. 170.24(b), the OSC has achieved the CMMC Status of Final Level 3
(DIBCAC). For Conditional Level 3 (DIBCAC), a POA&M closeout must be
conducted within 180 days as described in Sec. 170.21(b) or the
Conditional Level 3 (DIBCAC) CMMC Status will expire.
After a Level 3 certification assessment, as well as after a POA&M
closeout, DCMA DIBCAC will input the OSC's results into the CMMC
instantiation of eMASS as described in Sec. 170.18(a)(1)(i). After a
Level 3 certification assessment, as well as after a POA&M closeout,
the OSC must submit an affirmation as described in Sec. 170.22.
In order to be eligible for a contract with a requirement for the
CMMC Status of Level 3 (DIBCAC), the OSC must have achieved the CMMC
Status of either Conditional Level 3 (DIBCAC) or Final Level 3 (DIBCAC)
and have submitted an affirmation. The Level 3 certification assessment
must be completed every three years and the affirmation must be
completed annually following the Final CMMC Status Date.
Section 170.19 CMMC Scoping
Section 170.19 addresses the requirements for the scoping of each
CMMC Level and determines which assets are included in a given
assessment and the degree to which each is assessed. The CMMC
Assessment Scope is specified prior to any CMMC assessment, based on
the CMMC Level being assessed. The Level 2 CMMC Assessment Scope may
also be affected by any intent to achieve a CMMC Level 3 Certification
Assessment, as detailed in Sec. 170.19(e).
Scoping for CMMC Level 1, as detailed in Sec. 170.19(b), consists
of all assets that process, store, or transmit FCI. These assets are
fully assessed against the applicable CMMC security requirements
identified in Sec. 170.14(c)(2) and following the procedures in Sec.
170.15(c). All other assets are out-of-scope and are not considered in
the assessment.
Scoping for CMMC Level 2, as detailed in Sec. 170.19(c), consists
of all assets that process, store, or transmit CUI, and all assets that
provide security protections for these assets. These assets are fully
assessed against the applicable CMMC security requirements identified
in Sec. 170.14(c)(3) and following the Level 2 self-assessment
procedures in Sec. 170.16(c) or the Level 2 certification assessment
procedures in Sec. 170.17(c). In addition, Contractor Risk Managed
Assets, which are assets that can, but are not intended to, process,
store, or transmit CUI because of security policy, procedures, and
practices in place, are documented and are subject to a limited check
that may result in the identification of a deficiency, as addressed in
table 3 to Sec. 170.19(c)(1). Finally, Specialized Assets, which are
assets that can process, store, or transmit CUI but are unable to be
fully secured, including: Internet of Things (IoT) devices, Industrial
Internet of Things (IIoT) devices, Operational Technology (OT),
Government Furnished Equipment (GFE), Restricted Information Systems,
and Test Equipment, are documented but are not assessed against other
CMMC security requirements, as addressed in table 3 to Sec.
170.19(c)(1). All other assets are out-of-scope and are not considered
in the assessment.
Scoping for CMMC Level 3, as detailed in Sec. 170.19(d), consists
of all assets that can (whether intended to or not) or do process,
store, or transmit CUI, and all assets that provide security
protections for these assets. The CMMC Level 3 Assessment Scope also
includes all Specialized Assets but allows an intermediary device to
provide the capability for the Specialized Asset to meet one or more
CMMC security requirements, as needed. These assets (or the applicable
intermediary device, in the case of Specialized Assets) are fully
assessed against the applicable CMMC security requirements identified
in Sec. 170.14(c)(4) and following the procedures in Sec. 170.18(c).
All other assets are out-of-scope and are not considered in the
assessment.
If an OSA utilizes an ESP, including a Cloud Service Provider
(CSP), that does not process, store, or transmit CUI, the ESP does not
require its own CMMC assessment. The services provided by the ESP are
assessed as part of the OSC's assessment as Security Protection Assets.
Section 170.20 Standards Acceptance
Section 170.20 addresses how OSCs that, prior to the effective date
of this rule, have achieved a perfect score on a DCMA DIBCAC High
Assessment with the same scope as a Level 2 CMMC Assessment Scope, will
be given a CMMC Status of Level 2 (C3PAO).
Section 170.21 Plan of Action and Milestones Requirements
Section 170.21 addresses rules for having a POA&M for the purposes
of a CMMC assessment and satisfying contract eligibility requirements
for CMMC. All POA&Ms must be closed within 180 days of the Conditional
CMMC Status Date. To satisfy CMMC Level 1 requirements, a POA&M is not
allowed. To satisfy CMMC Level 2 requirements, a POA&M is allowed.
Section 170.21 details the overall minimum score that must be achieved
[[Page 83103]]
and identifies the Level 2 security requirements that cannot have a
POA&M and must be fully met at the time of the assessment. To satisfy
CMMC Level 3 requirements, a POA&M is allowed. Section 170.21 details
the overall minimum score that must be achieved and identifies the
Level 3 security requirements that cannot have a POA&M and must be
fully met at the time of the assessment. Section 170.21 also
establishes rules for closing POA&Ms.
Section 170.22 Affirmation
Section 170.22 addresses that the OSA's Affirming Official must
affirm, in SPRS, compliance with the CMMC Status: upon completion of
any self-assessment, certification assessment, or POA&M closeout
assessment (as applicable), and annually following a Final CMMC Status
Date.
Section 170.23 Application to Subcontractors
Section 170.23 addresses flow down of CMMC requirements from the
prime contractor to the subcontractors in the supply chain. Prime
contractors shall comply and shall require subcontractor compliance
throughout the supply chain at all tiers with the applicable CMMC Level
for each subcontract as addressed in Sec. 170.23(a).
Section 170.24 CMMC Scoring Methodology
Section 170.24 addresses the assessment finding types MET, NOT MET,
and NOT APPLICABLE (N/A) in the context of CMMC assessments, and the
CMMC Scoring Methodology used to measure the implementation status of
security requirements for CMMC Level 2 and CMMC Level 3. Scoring is not
calculated for CMMC Level 1 since all requirements must be MET at the
time of assessment.
For CMMC Level 2, the maximum score is the total number of Level 2
security requirements and is the starting value for assessment scoring.
Any security requirement that has one or more NOT MET objectives
reduces the current score by the value of the specific security
requirement. Values for each CMMC Level 2 requirement are enumerated in
Sec. 170.24(c)(2)(i)(B).
For CMMC Level 3, the maximum score is the total number of Level 3
security requirements and is the starting value for assessment scoring.
Any security requirement that has one or more NOT MET objectives
reduces the current score by the value of the specific security
requirement. CMMC Level 3 does not use varying values; the value for
each requirement is one (1), as described in Sec. 170.24(c)(3).
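The scoring and Conditional/Final status rules summarized for Sec. 170.15 through 170.18, 170.21 and 170.24 reduce to a small calculation; the Python below is an added illustration, not code from the rule or from any DoD system, and its requirement identifiers, per-requirement point values, minimum score and dates are constructed assumptions (the rule's actual values are enumerated in Sec. 170.21 and Sec. 170.24(c)).

```python
"""Added illustration of CMMC scoring and status determination.
Not part of the rule or of any DoD tool. All identifiers, point values,
minimum scores and dates below are constructed sample inputs; the real
values live in Sec. 170.21 and Sec. 170.24(c) of the rule."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

POAM_CLOSEOUT_DAYS = 180  # Sec. 170.21: POA&M must be closed within 180 days


@dataclass
class Requirement:
    ident: str                  # form DD.L#-REQ, per Sec. 170.14(c)(1)
    value: int                  # point value (Sec. 170.24(c)); ignored at Level 3
    objectives: dict            # assessment objective id -> MET / NOT MET / N/A
    poam_eligible: bool = True  # False for requirements Sec. 170.21 bars from a POA&M

    def finding(self) -> str:
        """A requirement is MET only when every objective is MET.
        Assumption (not stated on this page): N/A objectives neither block
        the requirement nor reduce the score."""
        states = set(self.objectives.values())
        if "NOT MET" in states:
            return "NOT MET"
        return "N/A" if states == {"N/A"} else "MET"


@dataclass
class StatusResult:
    status: Optional[str]    # e.g. "Conditional Level 2 (C3PAO)"; None if not achieved
    score: int
    poam: list               # identifiers that would sit on the POA&M
    expires: Optional[date]  # Conditional status expiry if the POA&M is not closed


def score(reqs: list, level: int) -> int:
    """Sec. 170.24: start at the number of requirements and subtract the
    value of each NOT MET requirement (every Level 3 value is 1)."""
    total = len(reqs)
    for r in reqs:
        if r.finding() == "NOT MET":
            total -= 1 if level == 3 else r.value
    return total


def determine_status(reqs, level, assessment_type, min_score, assessed_on):
    """Apply the Conditional/Final rules summarized for Sec. 170.15-170.18."""
    not_met = [r for r in reqs if r.finding() == "NOT MET"]
    s = score(reqs, level)
    if not not_met:
        return StatusResult(f"Final Level {level} ({assessment_type})", s, [], None)
    if level == 1:  # Sec. 170.21: no POA&M is permitted at Level 1
        return StatusResult(None, s, [], None)
    # A POA&M only yields a Conditional status when the minimum score is
    # reached and none of the NOT MET requirements is POA&M-ineligible.
    if s < min_score or any(not r.poam_eligible for r in not_met):
        return StatusResult(None, s, [r.ident for r in not_met], None)
    expires = assessed_on + timedelta(days=POAM_CLOSEOUT_DAYS)
    return StatusResult(f"Conditional Level {level} ({assessment_type})", s,
                        [r.ident for r in not_met], expires)


def poam_closeout_on_time(conditional_date: date, closeout_date: date) -> bool:
    """Sec. 170.21(b): closeout within 180 days of the Conditional CMMC
    Status Date, otherwise the Conditional status expires."""
    return closeout_date <= conditional_date + timedelta(days=POAM_CLOSEOUT_DAYS)


# Constructed sample: a six-requirement slice of a Level 2 (C3PAO) assessment.
# Point values and the minimum score are illustrative, not the rule's.
SAMPLE_LEVEL2 = [
    Requirement("AC.L2-3.1.1", 5, {"a": "MET", "b": "MET"}, poam_eligible=False),
    Requirement("AC.L2-3.1.2", 5, {"a": "MET"}),
    Requirement("AU.L2-3.3.1", 5, {"a": "MET", "b": "MET"}),
    Requirement("CM.L2-3.4.9", 1, {"a": "MET", "b": "N/A"}),
    Requirement("PE.L2-3.10.1", 5, {"a": "MET"}),
    Requirement("SC.L2-3.13.2", 1, {"a": "NOT MET"}),
]
SAMPLE_ASSESSED_ON = date(2025, 1, 15)  # constructed assessment date
SAMPLE_MIN_SCORE = 5                    # constructed; the real minimum is in Sec. 170.21


def sample_result() -> StatusResult:
    """Run the constructed Level 2 sample through the rules above."""
    return determine_status(SAMPLE_LEVEL2, 2, "C3PAO",
                            SAMPLE_MIN_SCORE, SAMPLE_ASSESSED_ON)


if __name__ == "__main__":
    res = sample_result()
    print(f"score {res.score}/{len(SAMPLE_LEVEL2)} -> {res.status}")
    print(f"POA&M items: {res.poam}; closeout deadline: {res.expires}")
```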
Appendix A to Part 170: Guidance
Appendix A lists the guidance documents that are available to
support defense contractors and the CMMC Ecosystem in the
implementation and assessment of CMMC requirements.
Discussion of Public Comments and Resulting Changes
The Department of Defense published the proposed rule, on December
26, 2023 (88 FR 89058). Approximately 361 public submissions were
received in response to the publication. Some comments were beyond the
scope of the CMMC Program and are described but not addressed in this
final rule. The majority of comments received were relevant and are
summarized in the discussion and analysis section here. Additional
comments were received in response to the CMMC supplemental documents
published concurrently with the rule; the discussion and analysis of
those comments is located at <a href="http://www.regulations.gov">www.regulations.gov</a>. Some comments
received lacked relevance to the rule's content, which is limited to
specific CMMC program requirements codified in the 32 CFR part 170 CMMC
Program rule; responses to those comments are not provided.
Any contractual requirements related to the CMMC Program rule will
be implemented in the DFARS, as needed, which may result in revisions
to the DFARS clause 252.204-7021, CMMC Requirements. DoD will address
comments regarding the DFARS clause 252.204-7021 in a separate 48 CFR
part 204 CMMC Acquisition rulemaking.
1. Extension of the Public Comment Period
Comment: DoD received requests from industry associations for an
extension of the 60-day public comment period on the CMMC Proposed Rule
that the Office of the Federal Register published on 26 December 2023.
The length of extensions requested ranged from 30-60 days. Commenters
argued that the proposed rule was initially published following a
holiday, or more time was needed for associations to fully review
member comments about the CMMC Proposed Rule prior to submitting. In
addition, they argued that other rules pertaining to cyber incident
reporting obligations and security of Federal Information Systems had
also been published for public comment, which created a need for
additional review time.
Response: The DoD CIO denied requests for an extension of the 60-
day public comment period. The DoD provided regular communication to
the public through the DoD CMMC website and updates in the semiannual
Unified Agenda in preparation for publication of the CMMC Proposed Rule
to initiate the 60-day public comment period. The Department has an
urgent need to improve DIB cybersecurity by further enforcing
compliance with security requirements that were to be implemented by
the DIB ``as soon as possible but not later than December 2017.''
2. The CUI Program
a. CUI Program Guidance
Comment: Many comments were submitted related to the NARA CUI
policies or the DoD CUI Program, and while relevant for understanding
CMMC requirements, those are separate policies or programs beyond the
scope of the CMMC program or this rule. However, several comments
recommended that the CMMC rule be revised to address them.
Twenty-two comments requested the government provide more guidance,
preferably within RFPs or contracts, to better identify what will be
considered CUI for that contract, and how it should be appropriately
marked. One comment specifically noted a need for contractual
instructions on whether data created in performance of a contract rises
to the level of CUI. Another person asked when information
created or possessed by a contractor becomes CUI. One comment asked
whether digital or physical items derived from CUI are treated as CUI
while another asked what specific information qualifies as CUI for OT
and IoT assets. Another comment asked whether FCI and/or CUI created or
provided under a non-DoD agency contract, but which is also used in
support of a DoD contract, would be subject to the applicable CMMC
level requirement. Another comment noted that DoD focuses too narrowly
on data security aspects of major system acquisition and largely fails
to address securing data generated by operational and/or maintenance
operations, such as invoices and bills of lading for operational
support purchases.
One comment stated there was a need for CUI policy guidance for the
entire Federal Government. Another comment inferred, incorrectly, that
the CMMC Accreditation Body makes determinations about what is and what
is not CUI and stated that the Government should make those
determinations. Another comment stated that to better address the needs
of contractors tasked with safeguarding
[[Page 83104]]
CUI, NARA should initiate a public comment period to reevaluate its CUI
Registry. The comment also noted that NARA should identify when a CUI
designation automatically applies to contractor-created information and
revise the CUI Registry to stipulate that a specific basis in statute
(or a contract) is required for information to be considered CUI.
Another comment recommended that a study be conducted on protections for
systems and data at Confidential and higher classification levels, and
that it assess whether NARA's CUI protection requirements (32 CFR part
2002) have yielded any real benefits in protecting critical data.
Another comment stated that the CUI program is a costly proposition
whose security value is questionable given data can still be
compromised, even over systems with a CMMC assessment. The comment
stated that if data is to be controlled for Critical Items, then the
existing system used for CONFIDENTIAL information should suffice.
Finally, another comment suggested that CUI information should be under
the control of the Federal Government and access granted only to
appropriately trained, and qualified contractors through a portal.
Response: Neither the CUI program (established in E.O. 13556) nor
the safeguarding requirements codified in its implementing directives
are changed by virtue of the compliance assessment framework
established by this rule.
CMMC requirements apply to prime contractors and subcontractors
throughout the supply chain at all tiers that will process, store, or
transmit any FCI or CUI on contractor information systems in the
performance of the DoD contract or subcontract, irrespective of the
origin of the information.
The executive branch's CUI Program is codified in 32 CFR part 2002
and establishes policy for designating, handling, and decontrolling
information that qualifies as CUI. The definition of CUI and general
requirements for its safeguarding are included in 32 CFR 2002.4 and
2002.14, respectively. 32 CFR 2002.14(h)(2) specifically requires
agencies to use NIST SP 800-171 when establishing security requirements
to protect CUI's confidentiality on non-Federal information systems. At
the time of award, the DoD may have no visibility into whether the
awardee will choose to further disseminate DoD's CUI, but DFARS clause
252.204-7012 and DFARS clause 252.204-7021 require the prime contractor
to flow down the information security requirement to any subcontractor
with which the CUI will be shared. Decisions regarding which DoD
information must be shared to support completion of subcontractor tasks
are between the prime contractor and the subcontractors. The DoD
encourages prime contractors to work with subcontractors to lessen the
burden of flowing down CUI. The DoD declines to adopt alternatives such
as policy-based solutions that lack a rigorous assessment component or
require sharing CUI only through DoD-hosted secure platforms. Suggested
alternatives to implementing NIST SP 800-171 and identifying what data
is CUI are beyond the scope of the CMMC Program and this rule.
b. FCI and CUI Definitions
Comment: Five comments stated that what DoD considers CUI is not
well defined. Another comment stated that companies should be provided
a reference list of what the DoD considers CUI. Another recommended DoD
use existing mechanisms like the DD Form 254 architecture to clearly
define the scope of CUI on a contract-by-contract basis. Seven comments
recommended the CMMC rule mandate a Security Classification Guide (SCG)
or similar document.
Nine comments stated there was too much confusion and ambiguity
regarding FCI and CUI and that the government needed to provide clear
and standardized FCI and CUI definitions that are tailored to the
specific requirements of the CMMC rule. One comment recommended rule
edits to address this perceived ambiguity. One comment requested
clarification and examples of differences between CUI Basic and
Specialized CUI.
Response: Federal Contract Information is defined in FAR clause
52.204-21, which also provides the security requirements applicable for
basic safeguarding of such information. The DoD has no authority to
modify definitions established in the FAR for application to all
executive branch agencies. This rule makes no change to the definition
or handling of CUI.
c. Marking Requirements
Comment: Twenty-three comments expressed concern with or requested
clarification regarding CUI marking. Twelve comments specifically noted
concern with CUI markings being applied to too many documents, in part
because CUI was an ambiguous concept. They requested the DoD encourage
personnel to mark documents as CUI only when appropriate and provide
better guidance for managing flow-down clauses. Another comment noted
that many small businesses are currently subject to NIST SP 800-171
requirements through DFARS contract clause flow-down and cannot say
with certainty that they have CUI in their possession. The comment
further noted that small businesses regularly receive mismarked data.
One comment stated there is an increased use of automatic CUI marking
on DoD communications, seemingly without regard to content. One comment
stated that the rule fails to outline a mechanism for reporting
government mishandling, and that contractors should use a reporting
system to minimize their own risk and liability. One comment requested
the rule be edited to prevent Program Managers or requesting activities
from assigning a CMMC Level 3 requirement unless they have high
confidence that 80+ percent of CUI and/or FCI under the relevant
contract has complete CUI markings. Another comment stated that the
Federal government should develop a marking schema to communicate
information safeguarding requirements, while yet another stated that
DoD must publish a training module for contracting officers so that
they are properly classifying documents prior to finalization of this
rule.
One comment stated CUI across the DoD is diverse and what may be
CUI for one system may not be for another. The comment then questioned
how this proposed rule and SPRS would accommodate these facts without
assuming and mandating that all defense contractor information systems
meet the same architecture, security, and cybersecurity standards.
Response: The CMMC Program will not provide CUI guidance materials
to industry as it is outside the scope of this CMMC rule. Relevant
information regarding what to do when there are questions regarding
appropriate marking of CUI may be found at 32 CFR 2002.50--Challenges
to designation of information as CUI. The DoD declined to incorporate
suggested edits to the CMMC Level 3 requirements regarding confidence
in proper CUI and/or FCI markings.
The DoD's role as data owner is documented in the CUI Program
implementing policies and the requirements of 32 CFR part 2002. DoDI
5200.48 states: The authorized holder of a document or material is
responsible for determining, at the time of creation, whether
information in a document or material falls into a CUI category. If so,
the authorized holder is responsible for applying CUI markings and
dissemination instructions accordingly. DoD Manual 5200.01 outlines
DoD's Information Security Program and includes Volume 2, Marking of
Information. The DoD declines to incorporate by reference those
[[Page 83105]]
documents describing the Department's data governance role because the
content is beyond the scope of CMMC requirements. The DoD issued policy
guidance to its program managers regarding programmatic indicators to
consider when selecting CMMC requirements. Program managers have a
vested interest in knowing whether a contractor can comply with these
existing requirements to adequately safeguard CUI.
The DoD elected not to make any recommended edits to the CMMC
Program related to FCI or CUI marking requirements or provide
clarifying examples of the differences between Basic CUI and Specified
CUI, as these are beyond the scope of this rule. Mishandling of
information by the government is beyond the scope of this rule. DCMA
DIBCAC processes, stores, and transmits all data on DoD-approved
networks. DoD's adherence to NARA's CUI Program policies is beyond the
scope of this rule.
d. Applicability and Governance of CUI Requirements
Comment: In addition, one utilities sector representative submitted
a lengthy analysis of data types often generated by electric or other
utilities, with regulatory references and rationale for why such data
would not likely be subject to DoD's CUI safeguarding requirements or
CMMC compliance assessments. Such rationale included the fact that some
Government-Private CUI categories, such as DoD Critical Infrastructure
Information, require explicit designation in that category which
(according to the commenter) has not occurred in the electricity
subsector. One contractor requested that CMMC clarify requirements
around U.S. persons and foreign dissemination of CUI for contractors'
and subcontractors' employees and contingent workers. Two
comments suggested it would be appropriate to reference data governance
in Sec. 170.1 and the DoD's role as the data owner of FCI and CUI
across the ecosystem. Another comment stated the classification efforts
must themselves be audited.
Response: The quantity of FCI and CUI a defense contractor
possesses, including copies of the same material, is irrelevant to the
CMMC assessment required. All copies of FCI or CUI related to the DoD
contract must be safeguarded. The CMMC Program is not intended to
validate compliance with cybersecurity requirements of non-DoD
agencies' contracts. The requirements for sharing of CUI with non-US
persons are beyond the scope of this rule.
The CMMC program provides a mechanism to assess contractor
compliance with applicable security requirements for the safeguarding
of FCI or CUI. CMMC program requirements make no change to existing
policies for information security requirements implemented by DoD.
Policies for CUI and creation of program documentation, to include
Security Classification Guides, are separate from this rule. Discussion
in this rule regarding DoD programs providing CUI training and the
implementation of E.O. 13556 are beyond the scope of this rule.
CMMC program requirements are applicable when DoD requires
processing, storing, or transmitting of either FCI or CUI on a non-
Federal contractor owned information system in the performance of a
contract between DoD and the contractor. The DoD does not manage nor is
it involved in data exchanges between contractors and subcontractors.
3. Other DoD Policies and Programs
Many comments dealt with DoD policies and programs that, while
relevant for understanding CMMC requirements, are still entirely
separate programs or policies that are not within the scope of the CMMC
program. However, several commenters recommended that the rule be
revised to address them. Key topics among such comments include:
a. Adaptive Acquisition Framework
Comment: One commenter misunderstood CMMC program purpose and
thought the requirements applied to systems and capabilities acquired
or developed for DoD's use, using formal policies of the Defense
Acquisition System. Based on this misinterpretation, this commenter
made dozens of recommendations related to integration of CMMC
assessment and program requirements with other existing DoD acquisition
frameworks and suggested relying on the assessors that complete TRAs,
in place of implementing the CMMC program. One of their comments also
proposed establishing a single responsible office for CUI and SCRM,
hosting CUI material within a single, separate secure and existing
cloud-based data warehouse and including hardware and software
approving authorities as part of the proposed rule for GFE. The
commenter also stated the role of the Office of Small Business Programs
(OSBP) needs to flow down to the Small Business Administration military
service offices. The commenter also asked how to reconcile CMMC against
the DoDI 8582.01 requirement stating a DoD Component should not specify
the content and format of plans of action that address deficiencies or
specify the parameters of security controls.
This commenter also recommended creation of a MIL-Standard in lieu
of aligning cybersecurity requirements to existing NIST standards, and
linkage of CMMC requirements to procedures related to Approval to
Operate (which applies to DoD systems). This commenter suggested that
the CMMC PMO be made responsible to provide system scans to check for
Software Bills of Material as part of DoD's response to Executive Order
14028 regarding Supply Chain Risk Management. The commenter further
requested a DoD-level working group outline how DoD program offices
might identify which components are mission or safety critical or which
associated production processes should be identified as CTI. That
commenter recommended this rule be held in abeyance until AT&L [sic]
has reviewed and provided their insight into the impacts of CMMC on
existing DoD acquisition documentation and deliverables. Yet another
comment recommended that ``this proposed DFARS ruling'' be vetted
through ``AT&L, ASD and OUSD'' [sic] as a minimum to determine if
changes would be required in the Program Protection Improvement Plan
and System Security Plan. Lastly, this commenter recommended the DoD
engage with NDIA and ISO/IEC to develop alternate standards for
securing data and supply chains.
Response: CMMC Program requirements apply to contractor-owned
information systems that process, store, or transmit FCI and CUI and do
not apply to systems developed or acquired for DoD through the formal
Defense Acquisition System (DAS). Therefore, integrating the CMMC
assessment process and internal DAS processes (including technical
reviews prior to RFP development) is not appropriate and is beyond the
scope of this rule. Note that CMMC applicability is broader than just
the Major Defense Acquisition Programs.
DoD's organizational alignment of responsibilities (between OSBP
and SBA military offices) for assisting small businesses or
establishing new offices within OSD is beyond the scope of this rule.
Due to national security concerns, DoD declines the recommendation to
further delay implementation of the CMMC Program. Each passing day in
delay of implementing the security requirements for safeguarding DoD
FCI and CUI increases the risk for exfiltration of non-public
information on unsecured nonfederal systems that
[[Page 83106]]
may result in the loss of DoD's technological advantages in its
warfighting capabilities and programs.
Discussions regarding acquisition strategies and frameworks are
beyond the scope of this CMMC rule. The CMMC Program does not alleviate
or supersede any existing requirements of the Adaptive Acquisition
Framework, nor does it alter any statutory or regulatory requirement
for acquisition program documentation or deliverables. Note that CMMC
Program requirements do not apply to systems delivered to DoD. DoD
Instructions for required acquisition program documentation are beyond
the scope of this rule. CMMC assessment certifications are not
integrated into System Security Plans (SSPs).
The role of System Engineering and associated processes within the
DoD acquisition process is beyond the scope of this rule. ITRA
assessments provide a view of program technical risk and are not well-
suited to the assessment of contractor owned information systems
against standards for safeguarding CUI. CMMC Program requirements do
not clash with Program Office responsibilities, but instead provide
Program Managers with a mechanism for validating that contractors are
compliant with the rules for protecting DoD CUI.
b. FedRAMP Program and FedRAMP Equivalency
Comment: Many commenters took issue with the requirements for
FedRAMP Moderate Equivalency, as referenced in DFARS clause 252.204-
7012 and defined in a separate DoD policy memo. Some merely highlighted
discrepancies or highlighted concerns about their ability to meet the
FedRAMP Moderate Equivalency requirements. Others recommended revisions
to that policy, or to DFARS clause 252.204-7012, or both.
Some recommended the FedRAMP Moderate Equivalency policy memo be
incorporated into DFARS clause 252.204-7012. Other
suggestions ranged from eliminating equivalency to meet requirements,
allowing 3PAO attestation to equivalency, requiring all FedRAMP
Moderate Equivalency candidates to be assessed by the same C3PAO or
allowing equivalency to be established through other industry
certifications or third-party security assessments, e.g., SOC, ISO/IEC
27001. One commenter requested that applications hosted on a FedRAMP
Moderate environment only need to meet the CMMC level of the data the
application will process. Another suggested that all Cloud Service
Providers be required to meet the same CMMC requirement as the OSCs
they support. One commenter recommended expanding the scope of CMMC
Program to include assessing other security requirements in DFARS
clause 252.204-7012, to include the use of FedRAMP Moderate cloud
environment. Comments also expressed that it is unreasonable to expect
any cloud provider to share security documentation with a customer or
C3PAO since they limit dissemination of this information due to
operational security needs. Another commenter noted that the proposed
rule does not cover all types of information that contractors may
handle, such as classified information, export-controlled information,
or proprietary information and they recommended the DoD clarify
applicability of the CMMC program for these types of information.
Response: Although some commercially based Cloud Service Offerings
(CSOs) may experience limitations in trying to support the Defense
Industrial Base with the FedRAMP Moderate equivalent requirement, the
DoD is not willing to assume all the risk of non-FedRAMP Moderate
Equivalent CSOs when the CSO is used to process, store, or transmit
CUI. If the offering does not process, store, or transmit CUI, then
FedRAMP certification is not required. Although the DoD considered
acceptance of ISO/IEC 27001 certification, it chose the NIST-based
FedRAMP Moderate baseline as the equivalency standard in order to stay
aligned with FedRAMP Moderate, which is based on NIST standards rather
than ISO/IEC standards.
The rule was updated to require FedRAMP Moderate or FedRAMP
Moderate equivalency in accordance with DoD policy. CMMC Program
Requirements make no change to existing policies for information
security requirements implemented by DoD. Comments related to
applications hosted on a FedRAMP Moderate environment are outside the
scope of this rule.
The requirements for CSPs that process, store, or transmit CUI are
set by DFARS clause 252.204-7012 and the DoD CIO policy memo on FedRAMP
Moderate equivalency. These requirements are beyond the scope of this
rule. ESPs that are not CSPs will be required to meet the CMMC
requirements and be assessed as part of the scope of an acquiring OSA.
ESPs that are not a CSP may voluntarily request a C3PAO assessment if
they decide it would be to their advantage.
c. Other DoD Programs and Policies
Comment: One commenter expressed dissatisfaction with results
obtained from previously submitted FOIA requests related to development
of the CMMC program.
Two commenters asked if there was a mechanism to update FAR clause
52.204-21 to address evolving threats and recommended the Department
specifically identify the frequency and identify accountable parties to
review and update FAR security requirements. Another commenter cited
responses visible on the DoD CIO's Frequently Asked Questions (FAQ)
website and criticized both the utility of the information (given that
it does not constitute formal policy) and the frequency with which the
information is updated. Similarly, one commenter asked for more
frequent updates to FAQs on the DoD Procurement Toolbox URL.
One commenter asserted that the Federal Government sometimes
contracts for support to perform sensitive tasks and permits access to
``highly classified'' information that should only be accessed by
Federal employees.
One commenter requested NIST develop a simplified inspection
standard for organizations with fewer than 20 employees.
One commenter asked about the transfer of CMMC Program oversight
from OUSD(A&S) to DoD CIO.
A comment cited the utility of free cybersecurity related services
that DoD agencies offer, such as security alerts and vulnerability
scanning, and encouraged expansion of those programs.
One person suggested that DoD's Zero-Trust approach would provide a
higher level of security for CUI data than the CMMC program.
One commenter stated the Department should develop clear, flexible
guidelines and alternative pathways for global companies to achieve
CMMC compliance without relying on enclave architectures and
recommended that this approach rely on Zero Trust principles.
One comment noted that under FAR clause 52.204-21, FCI does not
include simple transactional information (STI) and asked if certain
data would be considered STI and therefore not subject to CMMC.
One comment stated that conflicting regulatory guidance exists
between the content of E.O. 14028, NIST SP 800-218, NIST SP 800-171 R2,
and NIST SP 800-171 Revision 3.
Response: One comment lacked clarity and failed to clearly
articulate
[[Page 83107]]
any relevance to the content of this rule, so no response can be
provided.
SPRS will be used for reporting CMMC Status of all contractors,
regardless of which service issued the contract. Publication of this
rule follows completion of OMB's formal rulemaking process, which
includes both DoD internal coordination (including the USD(A&S) and
USD(R&E)) and Interagency coordination.
CMMC is consistent with Section 3.4 of DoDI 8582.01, Validation and
Compliance. CMMC does not specify the content and format of plans of
action beyond what is specified in NIST SP 800-171 R2, which is
required under DoDI 8582.01.
Clinger Cohen Act requirements, which apply to DoD's IT
investments, are not relevant to CMMC Program requirements, which apply
to contractor-owned information systems. The classification marking of
existing DoD documentation is beyond the scope of this rule, as is
engagement with INCOSE and ISO/IEC certification organizations.
Executive Orders state mandatory requirements for the Executive
Branch and have the effect of law. E.O. 14028--``Improving the Nation's
Cybersecurity'' (issued May 12, 2021) requires agencies to enhance
cybersecurity and software supply chain integrity. NIST SP 800-171 R2
and NIST SP 800-218 are guidelines, not regulations. NIST SP 800-171
Revision 3 is not currently applicable to this rule.
Recommendations to add or modify requirements specified in NIST
documentation should be submitted in response to NIST requests for
public comment on the applicable guidelines. Federal and DoD
requirements for delivery of software bills of materials or secure
software development are beyond the scope of this rule, which is
limited to the assessment of compliance with requirements for adequate
protection of FCI and CUI. Federal Contract Information is defined in
FAR clause 52.204-21, which also provides the security requirements
applicable for basic safeguarding of such information. The Department
has no authority to modify definitions established in the FAR for
application to all executive branch agencies. Any data that meets the
definition of FCI is subject to CMMC Level 1. It is beyond the scope
of the CMMC rule to render decisions on specific elements of data.
The OUSD(A&S) was not replaced by the DoD CIO, rather, CMMC Program
management oversight has been realigned from the OUSD(A&S) to the
Office of the DoD CIO for better integration with the Department's
other DIB cybersecurity related initiatives. Comments pertaining to
DoD's organizational structure are not relevant to the content of this
rule. DoD's processing of FOIA requests is also not within the scope of
this rule. The DoD declines to respond to speculative or editorial
comments about private citizens or outside entities, all of which are
beyond the scope of this rule. Likewise, the DoD will not comment here
on other DoD cybersecurity related programs, such as Zero Trust.
Some comments expressed appreciation for cybersecurity related
services that DoD provides free of charge, including protected DNS,
vulnerability scanning, and security alerts, but these programs are
outside the CMMC program. The government cannot comment on specific
implementation or documentation choices of an OSA. Comments on
alternate risk mitigation strategies such as product monitoring or
software testing are not within the scope of this rule text.
d. DoD Policies Supporting CMMC Implementation
Comment: Some comments addressed the DoD's internal policies and
training efforts to prepare the Government workforce for CMMC program
implementation. For example, some commenters opined that the rule's
focus on contractor responsibilities misses the true risk that lies
further up obscure supply chains. Another commenter recommended DoD
work with contractors in each sector to provide clear guidance on the
types of data that the Department would consider CTI. One commenter
requested DoD acknowledge that human factors influence DIB
cybersecurity while another stated DoD should provide uniform web-based
training at no cost to ensure applicable training requirements are
satisfactorily met. Another asked whether DoD PMs would receive CMMC
related training prior to implementation. Another comment asked whether
specific risk mitigating approaches, such as product monitoring or
software testing might suffice to manage supply chain risk considering
lack of visibility into the origins of 3rd and 4th tier components.
One commenter perceived the CMMC requirement for Program Managers
to identify the level of assessment requirement appropriate for a
solicitation as removing the contract award decision from the USD(A&S).
One commenter stated more information about procedures for implementing
CMMC into government-wide contracts is needed. Another commenter
expressed a need to use a basic contract that is unclassified, with any
CUI contained in a separate appendix, to allow subcontractors
to plan with their Prime to access the information on the Prime's
network and avoid requirements for their own CMMC certification.
Another comment recommended revisions to describe that medium
assurance certificates for incident reporting are a DFARS clause
252.204-7012 requirement, independent of CMMC program requirements.
Two commenters criticized the DFARS clause 252.204-7020 requirement
to allow ``full access'' to contractor facilities, systems, and
personnel for the purposes of DIBCAC assessment, or for damage
assessment following incident, and recommended that the CMMC program
not include or rely on this authority.
Another commenter recommended that, prior to issuing a final rule
on CMMC, DoD work with other relevant agencies to integrate and
harmonize the numerous regulatory changes that impact contractors'
capacity to safeguard data and systems. One commenter suggested rule
publication be delayed until DoD articulates the benefit expected from
contractor compliance with the rule.
Response: All recommendations to revise other Government-wide or
DoD policies and programs are beyond the scope of the CMMC rule.
CMMC Program Requirements make no change to existing policies for
information security requirements implemented by DoD. Policies for CUI
and creation of program documentation, to include Security
Classification Guides and FedRAMP equivalency are separate from this
rule. Relevant policies include DoDI 5200.48 ``Controlled Unclassified
Information'' and DoD Manual 5200.45 ``Instructions for Developing
Security Classification Guides'' for example.\23\ Some comments
received lacked relevance to the rule's content, which is limited to
specific CMMC program requirements. Changes to FAR and DFARS
requirements are beyond the scope of this rule, as are the contents and
updating of DoD's FAQ and Procurement Toolbox web pages.
---------------------------------------------------------------------------
\23\ DoD Issuances (<a href="http://www.esd.whs.mil/DD/DoD-Issuances">www.esd.whs.mil/DD/DoD-Issuances</a>).
---------------------------------------------------------------------------
CMMC program requirements do not result in any change to which DoD
organization makes the contract award. Recommendations to adopt
standard DoD contracting procedures (i.e., to exclude CUI from
the basic award) are not within the scope of this rule, which
outlines program requirements. The DoD limits the
[[Page 83108]]
burden of CMMC compliance by requiring annual affirmations rather than
annual assessments. Affirmations required for the CMMC program indicate
that a DoD contractor has achieved and intends to maintain compliance
with the applicable DoD information security requirements.
The CMMC program is designed only to validate implementation of the
information security standards in FAR clause 52.204-21, NIST SP 800-171
R2, and a selected subset of NIST SP 800-172 Feb2021. This rule does
not address the other DFARS clause 252.204-7012 requirements for cyber
incident reporting. The CMMC assessment framework will not alter,
alleviate, or replace the cyber incident reporting aspects of DFARS
clause 252.204-7012, which will remain effective where applicable.
Classified information is managed differently from CUI, and different
safeguarding regulations apply to these different categories of
information (each of which is defined in 32 CFR part 2002). CMMC
Program requirements are aligned to the requirements for safeguarding
of CUI and are unrelated to the requirements for safeguarding
classified information. ``Export Controlled'' is a category of CUI. To
the extent that a company generates information it considers
proprietary, but which is explicitly excluded from the definition of
CUI (see 32 CFR part 2002), no CMMC requirements would apply.
As the CMMC program requirements make no change to existing
policies for information security requirements implemented by DoD,
dialogues with industry to identify CUI are outside the scope of this 32
CFR part 170 CMMC Program rule. Several existing requirements directly
address the human factors of cybersecurity, particularly those in the
Awareness and Training, Personnel Security, and Physical Protection
domains. Additional training and education on the topics of CUI
safeguarding requirements, cybersecurity hygiene, and other useful
topics may be found at:
<a href="http://www.archives.gov/cui/training.html">www.archives.gov/cui/training.html</a>
<a href="https://securityawareness.usalearning.gov/">https://securityawareness.usalearning.gov/</a>
<a href="https://business.defense.gov/Resources/Be-Cyber-Smart/">https://business.defense.gov/Resources/Be-Cyber-Smart/</a>
OSAs may develop their own policies to validate completion of
training. Developing and providing cyber security awareness training is
not within the scope of the CMMC Program. DoD program managers will
receive training.
In support of 32 CFR part 170 CMMC Program final rule, DoD issued
guidance to reiterate the most appropriate information safeguarding
requirements for DoD information and the associated CMMC assessment
requirement for any given solicitation. Irrespective of CMMC Program
assessment requirements, when CUI is processed, stored, or transmitted
on contractor owned information systems, those systems are subject to
the security requirements of NIST SP 800-171, due to the applicability
of DFARS clause 252.204-7012. Program Managers have a vested interest
in knowing whether a contractor can comply with these existing
requirements to adequately safeguard DoD CUI.
Applicability of and compliance with DFARS clause 252.204-7020 is
beyond the scope of the CMMC Program. Implementation of the CMMC
Program does not require or rely upon DFARS clause 252.204-7020. The
existing assessments described in DFARS clause 252.204-7020 are
entirely different from those described in this rule. This rule
contains no cyber incident reporting requirements. Concerns related to
a CISA rule pertaining to cyber incident reporting are beyond the scope
of this rule and should have been submitted instead to the relevant
docket for that rule. The DoD has declined the recommendation to
address certificate requirements for the cyber incident reporting
requirements of DFARS clause 252.204-7012 in this rule. The DoD is
unable to comment on, balance with, or modify contractual or regulatory
requirements to comply with any other agency's future requirements.
The preamble of this rule articulates how contractor compliance
with CMMC will contribute to counteracting the cyber security threat.
Implementation of the CMMC Program will help protect DoD's FCI and CUI
that is processed, stored, and transmitted on non-Federal information
systems of defense contractors and subcontractors. Adequately securing
that information as required, down to the smallest, most vulnerable
innovative companies, helps mitigate the security risks that result
from the significant loss of FCI and CUI, including intellectual
property and proprietary data. Hence the implementation of the DoD CMMC
Program is vital, practical, and in the public interest. Working with
NIST and other regulatory authorities to align standards is beyond the
scope of this rule.
4. DFARS Requirements
Comment: Two commenters recommended the DoD fully implement CMMC
requirements to standardize contract requirements to avoid
proliferation of unique contract clauses across the Department. One
comment suggested the rule should state explicitly that CMMC
requirements do not apply to other agencies and advise DoD contractors
to seek legal guidance before complying with CMMC requirements if other
agency requirements also apply.
In addition, several commenters thought the 32 CFR part 170 CMMC
Program rule requirements lacked sufficient information about the
associated 48 CFR part 204 CMMC Acquisition rule requirements to
implement them. One person erroneously identified the DFARS clause
252.204-7021 as part of the 32 CFR part 170 CMMC Program rule, and one
person asked what additional rulemaking is needed to implement CMMC
requirements. Another person recommended close coordination and
synchronization between the two rules. One comment recommended the
contract clauses be simplified to be ``stand alone'', rather than
requiring cognizance of the 32 CFR part 170 CMMC Program rule content.
One commenter asked whether contractors must meet CMMC requirements
during the solicitation phase, or to view RFPs that contain CUI.
Another asked how DoD plans to integrate CMMC requirements into DoD's
Adaptive Acquisition Framework. One contractor disagreed with CMMC's
pre-award approach, and worried it could create a need to become
compliant in anticipation of future solicitations. This commenter
posited that any information designated as CUI after contract award
will create a ``chicken and egg'' dilemma for CMMC compliance. Other
comments asked whether conditional certifications would be weighted
differently than final certifications in the proposal evaluation and
award process and suggested that DoD provide 6 months advance notice
for all solicitations containing a CMMC requirement.
Some comments urged the DoD to describe how DoD will identify CUI
in solicitations and when CUI markings should apply in CSP or ESP
scenarios. They also requested modification of DoD contracting
procedures to provide criteria for identifying CUI information in each
contract award along with the corresponding CMMC assessment level. One
commenter inquired about the difference between implementing security
requirements and assessing compliance. Some comments pertained to other
DFARS contractual requirements, rather than CMMC requirements. For
example, some recommended changing DFARS clause 252.204-7012 to remove
the definition
[[Page 83109]]
of Covered Defense Information and to deviate from a requirement to
comply with the NIST SP 800-171 version current at the time of
solicitation. In addition, they asked about cost allowability for time
and materials or cost type contracts. Some comments posited that costs
for reassessment or recertification should be explicitly identified as
reimbursable in the 48 CFR part 204 CMMC Acquisition rule, while one
similar comment suggested that CMMC level 3 certification costs should
be allowable when CMMC level 3 requirements are initially implemented.
One comment addressed cyber incident reporting timelines for cloud
service providers and recommended that the DoD's FedRAMP Moderate
equivalency policy be revised to align with DFARS clause 252.204-7012
timelines. Another asked whether the rule inadvertently omitted
requirements to assess compliance with DFARS clause 252.204-7012 cyber
incident requirements.
Other commenters asked for the CMMC contract clause verbiage, as
was subsequently published in the related 48 CFR part 204 CMMC
Acquisition rule. For example, some people asked whether CMMC
requirements would be levied in ID/IQ contract awards versus task order
awards, and GSA schedules. They asserted that adding CMMC clauses in
GSA schedules might inadvertently allow contracting officers to include
them in non-DoD issued task orders. Another opined that ID/IQ
contracting procedures might necessitate changing the CMMC level needed
for the base contract after its initial award, based on the needs of a
task order. One commenter incorrectly inferred that a single Program
Manager would make the CMMC level and type determination for every task
order issued against an ID/IQ. In addition, two comments suggested that
the DoD communicate with every current DoD contractor to identify which
CMMC level would apply to their existing contracts.
One company identified their specific DoD contract and asked
whether it would be cancelled absent CMMC compliance. Another asked
whether a current DFARS clause 252.204-7020 self-assessment score could
be submitted to meet a CMMC level 2 self-assessment requirement. They
also recommended elimination of the DFARS clause 252.204-7020
requirements when CMMC is implemented.
One commenter speculated about whether DoD's CMMC contract clauses
can be applied to DoD contractors that also make and sell the same
product to other US Government agencies. They noted that export
licenses do not restrict companies from providing product data to other
parties and posited that this might conflict with CMMC requirements.
One person asked about the potential for conflicts between CMMC clauses
and the Berry amendment and suggested that Berry amendment compliance
take precedence over CMMC clauses.
Response: Some comments received lacked relevance to the rule's
content, which is limited to specific CMMC program requirements.
Changes to FAR and DFARS requirements are out of scope of the 32 CFR
part 170 CMMC Program rule, as contractual changes would occur under
the 48 CFR part 204 CMMC Acquisition rule. This rule does not discuss
the Berry Amendment. The rule does not address recovery of assessment
costs because it does not make any change to 48 CFR 31.201-2.
This 32 CFR part 170 CMMC Program rule is not an acquisition
regulation; however, a CMMC Conditional Certification meets the CMMC
program certification requirements. Any comments related to contract
requirements should be directed to the related 48 CFR part 204 CMMC
Acquisition rule.
CMMC requirements apply to contracts that include FAR clause
52.204-21 or DFARS clause 252.204-7012 and result in processing,
storing, or transmitting of FCI or CUI on a contractor owned
information system. The CMMC program is not a verification program for
compliance with all requirements of DFARS clause 252.204-7012; rather,
its purpose is to ensure compliance with FAR clause 52.204-21, NIST SP
800-171 R2, and NIST 800-172 Feb2021 when applicable. The DoD does not
provide detailed instruction on how to implement specific solutions to
meet security requirements identified in the FAR clause or applicable
NIST requirements, which is determined by the OSA. Any deviation from
or change to the DFARS clause 252.204-7012 clause is beyond the scope
of this rule.
Each of the teams responsible for developing these two CMMC rules
has reviewed both documents.
There are no CMMC requirements for reviewing FCI or CUI
solicitation material. Recommendations to adopt standard contracting
procedures for award of DoD contracts (i.e., to exclude CUI information
in the basic award) are outside the scope of this 32 CFR part 170 CMMC
Program rule. In support of the 32 CFR part 170 CMMC Program final
rule, DoD issued policy guidance to its program managers and
acquisition workforce to identify the appropriate CMMC requirement in
solicitations and contracts. The CMMC assessment level required does
not change based on acquisition lifecycle phase and is based on whether
FCI and CUI are processed, stored, or transmitted on contractor owned
information systems used in the performance of a contract.
Discussion of DoD's willingness to provide advance notice of CMMC
requirements or to remove the PM's discretion to include the CMMC level
that best suits program requirements is a 48 CFR part 204 CMMC
Acquisition rule matter and outside the scope of this rule. The CMMC
Level will be identified in the solicitation. Once attained, a CMMC
self-assessment or certification can be used in support of any number
of proposals and solicitations.
5. Litigation and False Claims
Comment: Some commenters expressed concern that CMMC implementation
would result in increased litigation by DIB companies or pursuit of
False Claims Act penalties by DoD against DIB companies. One commenter
erroneously believed that Mexico would participate in oversight of the
CMMC ecosystem, and that ``a flood of litigation'' may result from DIB
companies losing contracts due to non-compliance with CMMC
requirements. One commenter suggested that DoD should absolve
contractors from False Claims Act prosecution when differences are
found between C3PAO assessment results and a previously submitted
contractor self-assessment, due to potentially valid reasons for the
differing outcomes. Another suggested that DoD establish protections
from regulatory and legal liability related to cyber incidents when the
affected contractor has complied with relevant CMMC Program
requirements.
Response: The DoD lacks the authority to change the False Claims
Act, which is a Federal law that imposes liability on persons and
companies who defraud or knowingly submit false claims to the
government. Comments related to Safe Harbor provisions are outside the
scope of this rule.
Comments about potential industry litigation are also beyond the
scope of the final rule and the recommendations provided were not
appropriate for inclusion in this rule. Nothing in the rule prevents
frivolous private lawsuits, but the rule does provide that the CMMC AB
maintain an appeals process. The DoD has faithfully followed the formal
rulemaking process, to include completion of the public comment period.
Implementation of the CMMC program will be carried out objectively and
in accordance with the tenets of the
[[Page 83110]]
final rule. No foreign actors have any role in DoD's administration of
the program.
6. DoD Metrics
Comment: Several commenters inquired about the types of metrics the
DoD plans to use to monitor progress toward the DIB cybersecurity
objectives that the CMMC program was designed to meet. One asked
whether DoD's metrics would include testing, and another recommended
they capture changes in the population of DoD contractors caused by
cost impacts of CMMC implementation. Others referenced a December 2021
GAO Report that critiqued DoD's earlier attempts to implement the CMMC
program. Specifically, they cited the GAO's finding that, at that time,
DoD had not defined how it would analyze data to measure performance.
A comment recommended the DoD identify responses to other GAO
findings, which dealt with improvements to communications with industry
and metrics for program management. Another comment asked whether
management alignment within OSD, budget, and staffing of the CMMC
program office are adequate.
Two comments asked how many current contract awardees had received
notification or identification of CUI to be provided in performance of
their contracts, and asked which CMMC level would theoretically apply
to those contracts. Another asked the DoD to provide DIBCAC assessment
results data as a more relevant justification for the CMMC program than
the 2019 DoDIG report on DIB Cybersecurity.
Response: DoD's response to the referenced GAO and DoD IG reports
is beyond the scope of this rule. Likewise, the DoD does not comment
on analysis methods supporting the DoD IG's conclusions. Publishing
DIBCAC assessment results is also beyond the scope of this rule, as
are CMMC Program effectiveness metrics and return on investment
calculations. The DoD is establishing CMMC assessment requirements as
part of a comprehensive effort to verify that underlying information
security requirements are met, as required, for all contractor owned
information systems that process, store, or transmit CUI or FCI in the
performance of a DoD Contract. DoD's calculation of ROI for the
security controls that CMMC will assess, and cost elasticity of the DIB
are also beyond the scope of this rule.
7. Phased Implementation of the Program
Comment: Many comments asked for additional explanation of DoD's
expected start and progression through phases of the CMMC
implementation plan. Several asked that the phase-in plan be extended.
One commenter asked whether contracts that would otherwise be
associated with CMMC Level 3 would include a CMMC Level 2 requirement
if issued prior to Phase 4 of the plan. Another misread the phase-in
plan to mean that self-assessments would no longer be permitted at Full
Implementation. One comment asked if the USG would be revisiting
acquisition timelines to add more time for due diligence to ensure all
entities meet CMMC requirements or have a POA&M in place.
Some commenters observed that DoD's intended dates for CMMC
implementation, as published in an earlier 48 CFR CMMC interim final
rule, are unachievable and must be changed via another CMMC DFARS rule.
Some commenters were confused by the differences between the dates of
implementation phases in the rule, and the seven years described in
cost estimates as necessary to complete implementation. Another
commenter asked why the rule only applies to DoD.
Some commenters suggested changes to prioritize different kinds of
contracts, programs, or companies earlier or later in the
implementation plan, rather than basing the phase-in on assessment
type. For example, one suggested capping the number of contracts with
CMMC requirements each year. Another suggested phasing in by increasing
the numerical assessment score required for compliance, with additional
time permitted for POA&M close-out beyond the current limit of 180
days. Another suggested reversing the phase-in to begin with CMMC Level
3. Several commenters requested extension of the phase-in plan to allow
more time. One speculated that ``tens of thousands'' of contractors
would require certification in less than 18 months. One commenter
suggested the DoD modify the timing of implementation for CMMC levels 2
and 3, and that DoD consider allowing sufficient time to develop a
robust CMMC ecosystem and demonstrate the CMMC model before full
implementation.
Flexibility in the implementation plan that allows Program Managers
and requiring activities to include CMMC requirements earlier in the
plan than will be mandated by policy also generated questions and
comments. Some commenters asked whether this could result in the DoD
applying CMMC requirements to previously awarded contracts or asked
that the rule specify they will apply only to new contracts. Another
asked about opportunities to renegotiate the contract ceiling price if
CMMC assessments are required for option period exercise. One commenter
asked that the rule be revised to exclude these flexibilities to result
in an ``on/off'' approach to implementation.
Another commenter asked what mechanisms the DoD would have to
change the pace of implementation or monitor the contracts that include
CMMC requirements.
Response: The DoD lacks the authority to implement CMMC as a
Federal-wide program. The 48 CFR part 204 CMMC Acquisition rule for
CMMC will be updated to align with this 32 CFR part 170 CMMC Program
rule and will modify DFARS clause 252.204-7021. CMMC Phase 1
implementation will commence when both the 32 CFR part 170 CMMC Program
rule and the 48 CFR part 204 CMMC Acquisition rule are in effect. Some
commenters may have overlooked that Sec. 170.3(e) states Phase 1
begins on the effective date of this 32 CFR part 170 CMMC Program rule
or the complementary 48 CFR part 204 CMMC Acquisition rule, whichever
occurs later. The implementation plan describes when CMMC level
requirements will appear in solicitations; it does not define a
timeframe by which all contractors must be certified. During the first
phases of the plan, a majority of CMMC requirements will be for self-
assessment.
In response to public comments, the DoD has updated the rule to
extend Phase 1 by 6 months, with appropriate adjustments to later
phases. DoD is not conducting Pilots in the updated CMMC implementation
plan. The phased implementation plan described in Sec. 170.3(e) is
intended to address ramp-up issues, provide time to train the necessary
number of assessors, and allow companies the time needed to understand
and implement CMMC requirements. DoD has updated the rule to add an
additional six months to the Phase 1 timeline. Phase 2 will start one
calendar year after the start of Phase 1.
The DoD's objective timeline to begin implementing the CMMC
requirements has been, and remains, FY2025. The implementation period
will consist of four (4) phases, 1 through 4, and is intended to
address any CMMC assessment ramp-up issues, provide the time needed to
train the necessary number of assessors, and to allow companies time to
understand and implement CMMC requirements. It is estimated that full
implementation of
[[Page 83111]]
CMMC by all defense contractors will occur over seven years, given the
number of DoD solicitations contractors respond to and are awarded each
year.
The four phases add CMMC level requirements incrementally, starting
in Phase 1 with Level 1 and Level 2 Self-assessments, and ending with
Phase 4 for Full Implementation, as addressed in Sec. 170.3(e)(4). By
Phase 3, all CMMC Levels 1, 2, and 3 will be included in some DoD
solicitations and contracts, but Level 3 requirements may be identified
for implementation as option period requirements rather than for
initial contract award. In Phase 4, DoD will include CMMC requirements
in all applicable DoD contracts and option periods on contracts awarded
after the beginning of Phase 4. As addressed in Sec. 170.18(a),
receipt of a CMMC Level 2 Final CMMC Status for information systems
within the Level 3 CMMC Assessment Scope is a prerequisite for a CMMC
Level 3 certification assessment.
CMMC self-assessment requirements build on the existing DFARS
clause 252.204-7020 requirement for basic safeguarding of CUI. CMMC
Level 3 requires advanced implementation, and the phase-in period
provides additional time for OSCs to achieve the higher standard. In
Phase 4, which is full implementation, CMMC requirements must apply to
new contracts and option year awards. The DoD may choose to negotiate
modifications adding CMMC requirements to contracts awarded prior to
CMMC implementation, as needed. No changes to this rule are needed to
reflect existing contract administration processes. Questions on
specific contracting matters, including contract costs and funding, are
outside of the scope of this rule.
With the implementation of the final 32 CFR part 170 CMMC Program
rule and 48 CFR part 204 CMMC Acquisition rule, prospective DoD
contractors and subcontractors should be actively preparing for DoD
contract opportunities that will include CMMC Program requirements when
performance will require the contractor or subcontractor to process,
store, or transmit FCI or CUI. The respective phases of the
implementation plan provide adequate time to complete CMMC requirements
and DoD program requirements and timelines will dictate the programs
that may warrant CMMC Level 3 requirements during the phased
implementation of CMMC.
DoD considered many alternatives before deciding upon the current
CMMC implementation plan. The phased implementation plan is based on
CMMC assessment level and type, which DoD believes to be a fair
approach for all prospective offerors. Defining the phase-in based on
contract type, company size standard, or other potential bases could
lead to unfair advantage. Program Managers will have discretion to
include CMMC Status requirements or rely upon existing DFARS clause
252.204-7012 requirements, in accordance with DoD policy. The DoD will
monitor the Program Managers' exercise of this discretion to ensure a
smooth phase-in period. The decision to rely upon CMMC self-assessment
in lieu of certification assessment is a Government risk-based decision
based upon the nature of the effort to be performed and CUI to be
shared. Note that Sec. 170.20, Standards acceptance, states that OSCs
that have completed a DCMA DIBCAC High Assessment with a score of 110,
aligned with CMMC Level 2 Scoping, will receive Final CMMC Status for a
Level 2 certification assessment.
As noted by one commenter, self-assessments against NIST SP 800-171
are already required, and verifying compliance with applicable security
requirements is necessary for the protection of DoD CUI. For all CMMC
independent assessments (i.e., Level 2 or 3), DoD policy guides Program
Managers in appropriately including these requirements in DoD
solicitations. DoD systems that support the procurement process can
identify the number of contracts issued that include any specific
clause. Such metrics for the CMMC Program are not within the scope of
this rule.
The seven-year timespan reflects the DoD's estimate for all defense
contractors to achieve CMMC compliance. The implementation plan ramps
up CMMC assessment requirements over 4 phases, such that the ecosystem
will reach maximum capacity by year four. One commenter referenced the
response to a specific comment to the 2020 CMMC rule. Those earlier
questions about the 2020 rule publication are no longer relevant due to
changes made in the more recent 2023 rule publication. DoD estimates
acknowledge that contractors with existing contracts may not receive
another contract award or even submit another proposal immediately.
The DoD has developed CMMC to increase consistency of
implementation of NIST SP 800-171 R2 and NIST SP 800-172 Feb2021.
Specifically, this rule provides extensive information on scoring
methodology, in an effort to improve self-assessments. The use of
independent C3PAOs further enforces consistency for those companies
that need to meet a CMMC Level 2 certification requirement. The DoD has
considered the suggestions and declines to modify the phase-in periods
based on total score required, or other criteria, which would not
provide the desired improvements in DIB cybersecurity.
The DoD notes the commenter's concern that self-assessments go away
after Phase 4. Requirements from earlier phases continue as each
additional phase is implemented. When applicable, self-assessments will
still be allowed, as appropriate, in Phase 4. This rule describes flow
down requirements to subcontractors. This rule makes no change to 48
CFR 252.204-7008.
8. Commercially Available Off-the-Shelf (COTS) Procurements
Comment: One comment suggested the definition of COTS should be
more explicitly defined or the model outlined in Sec. 170.2 should
encompass COTS products. Two comments questioned the exemption of CMMC
requirements for contracts or subcontracts exclusively for commercial
off-the-shelf (COTS) items. Others questioned applicability of CMMC
requirements to COTS procurements and/or purchases at or below the
micro-purchase threshold. Finally, one commenter questioned the
validity of a COTS exclusion, stating that no COTS components are
exempt from DoD's certification requirements from DISA or NSA.
Response: The term Commercially available off-the-shelf (COTS) is
defined in FAR part 2.101. Some comments pertained to content of the 48
CFR part 204 CMMC Acquisition rule, including applicability of CMMC
clauses to COTS procurements and/or those below the micro-purchase
threshold. Such comments are not within the scope of this CMMC 32 CFR
part 170 CMMC Program rule, which outlines program requirements and not
acquisition procedures. CMMC requirements do not apply to contracts and
subcontracts that are exclusively for the delivery of COTS products to
a DoD buyer. The exemption does not apply to a contractor's use of COTS
products within its information systems that process, store, or
transmit CUI. CMMC assessments are conducted on contractor owned
information systems to ascertain compliance with the designated FAR,
DFARS, and NIST requirements.
9. Specific Product Recommendations
Comment: One managed service provider expressed concern that the
specific tools they use to provide services might be considered
Security Protection Assets or generate Security Protection Data in the
context of CMMC assessment requirements, which might
[[Page 83112]]
result in clients electing to use their own tools and products in lieu
of the managed service provider. This commenter attached a list of more
than a dozen commercial products and tools they use as examples
associated with this concern. One commenter used their public comment
submission to submit materials marketing services their company can
provide, while another commenter suggested the rule direct readers to a
website listing all software, tools, and applications deemed ``safe and
cost effective'' by virtue of CMMC assessment.
Another commenter asserted that all companies need access to
cybersecurity solutions from DHS/CISA and grants to assist them in
buying Zero Trust technologies to protect CUI. Similarly, some
commenters recommended various other cybersecurity tools, programs, or
technologies that could be used to meet CMMC security requirements and
provide threat intelligence to DIB companies. Such recommendations
included portals used in conjunction with perimeter and privileged
access management systems. One commenter proposed delaying
implementation of the CMMC rule until all DoD contractors' system
architectures could be analyzed for possible implementation of Virtual
Machines, or Blockchain for secure data transmission, or hosting of all
CUI on DoD hosted platforms.
Response: The government cannot comment on specific products or
vendors, including marketing materials submitted via public comment.
However, companies that act as ESPs should note this rule does not
require CMMC assessment or certification of ESPs that do not process,
store, or transmit CUI. Services provided by an ESP are in the OSA's
assessment scope.
Comments pertaining to solutions available from other Federal
agencies or expressing a desire for grants to obtain Zero Trust
solutions or other cybersecurity solutions are also beyond the scope of
the CMMC rule. A wide range of technologies may be used to implement
CMMC requirements. DoD will not comment on specific OSA technology
choices. The Department declines the recommendation to review the
system architectures of all DoD contractors. The DoD did not modify the
rule to identify a repository of ``safe and cost effective'' software,
applications, and tools because a CMMC assessment does not evaluate
commercial products or services for those characteristics and the
government does not provide product endorsements.
10. Applicability
a. Systems Operated on Behalf of DoD and National Security Systems
Comment: The DoD received questions about whether CMMC requirements
apply to information systems that are designated as National Security
Systems, Defense Business Systems, or systems operated on the DoD's
behalf. In concert with those questions, one person recommended adding
NIST SP 800-53 R5 requirements to the rule for such systems. The
commenter further recommended expanding applicability of the rule to
include contractor-owned systems that directly affect DoD NSS. Two
commenters recommended edits to clarify that CMMC requirements do not
apply to NSS or to government systems operated by contractors on the
DoD's behalf.
One commenter asked if a Cloud Service Provider that stores CUI
would have to be at Impact Level 4 in accordance with the DISA Cloud
Computing Security Requirements Guide.
Response: The CMMC assessment requirements apply in conjunction
with FAR clause 52.204-21 and DFARS clause 252.204-7012 requirements
and provide a mechanism for verifying compliance with the security
requirements for safeguarding FCI or CUI (e.g., NIST SP 800-171) levied
by those clauses.
The CMMC Program does not alter any additional security
requirements that may be applicable to contractor-owned information
systems that may also meet the criteria for designation as NSS.
There is no conflict between the CMMC rule and the DISA Cloud SRG,
which applies to contractor information systems that are part of
Information Technology (IT) services or systems operated on behalf of
the Government. The CMMC rule does not apply to those systems (Sec.
170.3(b)). The DoD declines to modify the rule because the
applicability section already states this rule applies to contractor-
owned information systems.
b. Infrastructure Entities
Comment: Many commenters had concerns about CMMC's potential impact
to the energy and electric industries, Internet Service Providers
(ISPs) and small, disadvantaged businesses looking to contract with the
DoD, especially given dependencies on appropriate marking of Controlled
Unclassified Information (CUI).
Another commenter referenced Executive Order 13175, ``Consultation
and Coordination with Indian Tribal Governments'' and requested
information on CMMC impact to and potential exemptions for Native
American and small disadvantaged contractors. Another commenter stated
that some small businesses may stop providing cost estimating services
to Federal agencies due to ``threatened penalties'' under CMMC
requirements.
One commenter recommended adding the definition of the defense
industrial base (DIB), and referenced the Cybersecurity and
Infrastructure Security Agency definition, which explicitly excludes
commercial infrastructure providers from their definition of the
Defense Industrial Base Sector. One commenter stated the lack of
clarity around requirements for electric cooperatives under the CMMC
framework is causing concern about unanticipated cost impacts for these
smaller entities. The commenter requested that DoD provide contractors
the ability to recover unanticipated costs incurred to achieve CMMC
certification.
Another commenter asked about potential CMMC exemptions for
telecommunications providers, specifically for end user encryption. The
commenter stated the DoD needs to impose CUI encryption requirements on
the relevant contractors and not telecommunications network providers,
who have no control over whether a user encrypts the information they
send over those networks. The commenter also noted that definitions of
``common carrier'' vary across Federal Government and suggested the DoD
should create a blanket exemption for contracts involving commercial
communications networks that are not ``purpose-built'' to transmit
sensitive government data. Another commenter suggested the CMMC Rule
should further clarify that encryption must be configured such that the
common carrier does not have access to the decryption key(s).
Several commenters requested clarity around CUI, citing general
confusion among industry about which CUI is subject to the CMMC
Program. Some commenters interpreted the rule as proposing to apply to
all CUI information, rather than just information handled by the
contractor ``in support of a defense contract'' and asserted that this
would be an expansion beyond the current DFARS clause 252.204-7012
requirements. They further suggested this broad definition could result
in companies applying costly controls to all apparent CUI, regardless
of its association with DoD, to avoid penalties under the False Claims
Act. They recommended clearly
[[Page 83113]]
stating that CUI provided to contractors by non-DoD agencies should be
subject to the requirements of those agencies and not the CMMC Program.
A commenter said the electric industry will experience increased
costs as electric utilities comb through vast amounts of data across
the electric grid to determine all potential CUI, even if that CUI is
not specifically subject to a DoD contract. One commenter stated that
guidance DoD has provided for electric utilities to identify CUI in the
past is insufficient and suggested that use of Security Classifications
Guides could help by minimizing the need for CMMC compliance. In
addition, they speculated that inclusion of CMMC requirements could
create requirements after award which might require adjustments to
contract price. Another commenter stated energy companies servicing
military customers must develop governance programs around data
protection years in advance, with significant investments. The
commenter is concerned that CMMC requires these companies to make these
large investments prior to knowing if a proposed contract may contain
CUI and without adequate guidance about what data is considered CUI.
Response: This rule has no disproportionate impact on Native
American-owned businesses. Once identified as a requirement, the CMMC
Level will apply uniformly to all prospective competitors. DoD must
enforce safeguarding requirements uniformly across the Defense
Industrial Base for all contractors and subcontractors who process,
store, or transmit CUI. The value of information (and impact of its
loss) does not diminish when the information moves to DoD contractors
and DoD subcontractors, regardless of their status as Native American
or small disadvantaged businesses.
The CMMC Program rule does not include ``threatened penalties.'' If
a requirement of a DoD contract is not met, then standard contractual
and other remedies applicable to that contract may apply.
CMMC Program requirements make no change to existing policies for
information security requirements implemented by DoD. Policies for CUI
and creation of program documentation, to include Security
Classification Guides, are separate from this rule.
Section 170.4(b) of the rule states Defense Industrial Base (DIB)
is defined in 32 CFR part 236, which addresses DoD and DIB Cyber
Security Activities. Section 236.2 includes the DoD approved definition
for DIB.
The CMMC Program applies only to DoD contracts that include the
DFARS clause 252.204-7021 and under which FCI or CUI is processed,
stored, or transmitted on contractor information systems.
This includes CUI outside the category of the Defense
Organizational Index Group. Contracts for the provision of electricity
or other utilities which do not contain FAR clause 52.204-21 or DFARS
clause 252.204-7012 and which do not require the processing, storing,
or transmitting of FCI or CUI on contractor owned information systems
will not require CMMC assessment. The CMMC rule makes no change to FAR
cost allowability or cost accounting standards. The 32 CFR part 170
CMMC Program rule has been updated to add ``in performance of the DoD
contract'' to Sec. 170.3, and the 48 CFR part 204 CMMC Acquisition
rule will provide the contractual direction.
A common carrier's information system is not within the
contractor's CMMC Assessment Scope if CUI is properly encrypted during
transport across the common carrier's information system. A common
carrier who is a DoD contractor or subcontractor is responsible for
complying with the CMMC requirements in their contracts. CUI encryption
requirements already apply to the OSA, not the telecommunications
network provider. The lack of adequate encryption on the part of the
OSA would not trigger application of CMMC requirements to the common
carrier's network. The term ``common carrier'' appears in the comment
section to a previous rulemaking process. Its definition and use are
taken from CNSSI 4009. Efforts to define it or related terms by other
agencies are outside the scope of the CMMC Program. Commenter scenarios
where a common carrier would be privy to an OSA's encryption keys are
unrealistic. DoD declines to provide additional guidance.
CMMC Program requirements make no change to existing policies for
information security requirements implemented by DoD. Policies for CUI
and creation of program documentation, to include Security
Classification Guides, are separate from this rule. Relevant policies
include DoDI 5200.48 ``Controlled Unclassified Information'' and DoD
Manual 5200.45 ``Instructions for Developing Security Classification
Guides''. CMMC Program requirements will be identified as solicitation
requirements. Contractors will be required to meet the stated CMMC
requirements, when applicable, at or above the level identified. For
this reason, it is up to each DIB organization to determine which CMMC
level they should attain.
Questions regarding specific contractual matters are outside of the
scope of this rule and may be addressed by the 48 CFR part 204 CMMC
Acquisition rule. The CMMC program will be implemented as a pre-award
requirement.
c. Joint Ventures
Comment: Two commenters requested clarification as to whether CMMC
requirements will apply to companies engaged in Joint Ventures.
Response: CMMC program requirements are applicable when DoD
requires processing, storing, or transmitting of either FCI or CUI in
the performance of a contract between DoD and the respective
contractor. CMMC Program requirements will apply to information systems
associated with contract efforts that process, store, or transmit FCI
or CUI, and to any information system that provides security
protections for such systems, or information systems not logically or
physically isolated from all such systems. The identity of an offeror
or contractor as a joint venture does not in and of itself define the
scope of the network to be assessed.
d. Fundamental Research Efforts
Comment: One commenter recommended that both the sharing of CUI and
the decision to apply a CMMC compliance assessment should only be
considered for contracts of sufficient contract value and performance
period to make the expense of safeguarding CUI worthwhile. This
commenter asserted that small businesses are selected for SBIR contract
award not based on ability to protect information, but instead on the
unique product or service they offer.
Some commenters expressed concern that CMMC could result in state-
funded universities incurring costs to comply with CMMC level 2, while
even the costs for implementing required FCI safeguarding requirements
are a significant financial burden. These commenters speculated that
applying FCI or CUI markings to fundamental research information would
negatively impact academic institutions by requiring them to remove
such data from the public domain. This commenter cited DFARS clause
252.204-7000 as rationale to modify the CMMC rule to exclude
fundamental research.
One commenter requested that when contracting for fundamental
research, the Government include a CMMC requirement based only on
whether information shared is currently FCI or
[[Page 83114]]
CUI, and not whether the effort might lead to development of FCI or
CUI. Another commenter requested that DoD issue policies clearly
describing how to recognize or identify circumstances that could result
in fundamental research becoming FCI or CUI such that it would require
being processed, stored, or transmitted on CMMC compliant information
systems. The commenter expressed concern that absent such policies,
research institutions may house all DoD-related project activities in
CUI enclaves ``out of an abundance of caution'', thereby unnecessarily
expanding CUI applicability at significant cost. They asked that DoD
Instruction 5200.48, ``Controlled Unclassified Information,'' and a
related DoD policy memorandum ``Clarifying Guidance for Marking and
Handling Controlled Technical Information in accordance with Department
of Defense Instruction 5200.48, `Controlled Unclassified Information''
be incorporated into the rule by reference.
One commenter questioned whether and how CMMC requirements may
apply to non-contract efforts, including grants, or efforts conducted
under Other Transactional Authorities.
Response: One of the main purposes of the CMMC Program is to ensure
that DoD contracts that require contractors to safeguard CUI will be
awarded to contractors with the ability to protect that information.
All contractor-owned information systems that process, store, or
transmit CUI are subject to the requirements of NIST SP 800-171 when
DFARS clause 252.204-7012 is included in the contract. This is the case
whether or not the contractor is engaged in fundamental research.
To the extent that universities are solely engaged in fundamental
research that only includes information intended for public release and
does not include FCI or CUI, no CMMC requirement is likely to apply.
When a research institution does process, store, or transmit FCI, the
information should be adequately safeguarded in accordance with the FAR
clause 52.204-21, if applied. When a research institution does process,
store, or transmit CUI, the information should be adequately
safeguarded in accordance with the DFARS clause 252.204-7012, if
applied. That clause makes the contractor owned information system
subject to NIST SP 800-171, which includes requirements for Awareness
and Training (AT) and Physical Protection (PE). The CMMC Program
provides a means to verify compliance.
DoD's CUI program policies already address responsibilities for
identifying and marking information, including procedures for changing
markings. The DoD declined to incorporate all the references associated
with marking and handling CUI. The DoD instructions and policy guidance
are authoritative and incorporating them into the CMMC regulation is
beyond the scope of this rule. DoD declines to update the preamble to
exclude the possibility that information may be designated CUI over the
course of time. According to A&S memo dated 31 March 2021, titled
Clarifying Guidance for Marking and Handling Controlled Technical
Information in accordance with Department of Defense Instruction
5200.48, ``Controlled Unclassified Information,'' ``Information related
to RDT&E-funded research efforts, other than fundamental research, do
not always qualify as CUI.'' This implies that some DoD fundamental
research may qualify as CUI. When the DoD does determine that research
meets the definition of CUI, safeguarding requirements of DFARS clause
252.204-7012 will apply regardless of whether the contractor's work is
fundamental research. In such instances, CMMC assessment requirements
may also be applied. Contractors should work closely with Government
Program Managers to ensure a proper understanding of the data being
developed and the appropriate markings and safeguarding.
Questions regarding the application of CMMC requirements to
specific transactions, including grants and OTAs, are outside of the
scope of this 32 CFR part 170 CMMC Program rule.
e. DoD Waiver of CMMC Applicability
Comment: Several questions were submitted about waiver procedures
for CMMC requirements. For example, someone asked which DoD person or
office has authority to approve waiver requests. Others also requested
insight into the specific criteria for waiver approval. One commenter
submitted preferred rewording of the rule section that describes
waivers while another suggested self-assessment should be required even
when certification is waived.
Response: DoD internal policies, procedures, and approval
requirements will govern the process for DoD to waive inclusion of the
CMMC requirement in the solicitation. Once applicable to a
solicitation, there is no process for OSAs to seek waivers of CMMC
requirements from the DoD CIO. In accordance with Sec. 170.5(d), a
limited waiver authority is provided to the Acquisition Executive with
acquisition oversight for the program in question. These officials may
issue supplemental guidance dictating specific coordination
requirements for waiver requests. Recommended administrative changes
have been incorporated into Sec. 170.5(d) to add clarity.
11. Determination of Applicable Assessment Type
a. Process for Level Determination
Comment: Multiple comments asked how DoD will determine the CMMC
level to include in solicitations. Multiple comments inquired about the
criteria DoD will use to determine when to require a CMMC Level 2 self-
assessment, CMMC Level 2 certification, or CMMC Level 3 certification
assessment. Multiple comments asked specifically about when CMMC Level
2 self-assessment will be required versus CMMC Level 2 Certification.
One comment requested more information on which companies may ``self-
attest''.
One comment requested Sec. 170.5(a) be modified to prevent CMMC
level 2 or 3 being assigned for contracts where only FCI is exchanged.
One comment emphasized that requirement(s) for Contractor certification
levels must be the same as stated throughout this proposed ruling. Two
comments recommended providing contracting officers with interim
guidance to ensure consistency in applying CMMC requirements. One
comment requested the detailed guidance ensure CMMC requirements are
selected based on risk, and that certification is not required by
default.
Some commenters objected to the wording of one criterion for level
selection as ``potential for and impacts from exploitation of
information security deficiencies''. One asserted this equates to a
sub-CONFIDENTIAL security classification. One comment expressed that
all information systems that process CUI should have the same level of
``program criticality, information sensitivity, and the severity of
cyber threat'' since CUI is Unclassified Information which is a
``handling caveat''.
Multiple comments requested a clearer description of what contracts
require CMMC Level 3 Certification, one of which requested a definition
of what constitutes a ``priority program'' that might require CMMC
Level 3. One comment requested that acquisition processes first analyze
the CUI for a proposed effort using published factors for aligning CUI
to high value assets before setting CMMC levels. They asserted use of
such published factors would improve accuracy of CUI marking.
[[Page 83115]]
Response: Pre-award contracting procedures and processes for CMMC
assessment requirements will be addressed in the 48 CFR part 204 CMMC
Acquisition rule. CMMC is a pre-award requirement. As stated in the
Applicability section summary of the CMMC rule (Sec. 170.3), once CMMC
is implemented in the 48 CFR part 204 CMMC Acquisition rule, DoD will
specify the required CMMC Level in the solicitation and the resulting
contract.
DoD's policies and procedures for the length of time allowed for
proposal submission in response to any solicitation are beyond the
scope of this rule. PMs typically consider the totality of the
requirement when deciding how much time to allow for proposal
submission or whether to seek industry input through Request for
Information to inform solicitation details. Note that once attained,
companies may reference a CMMC Status as part of any number of
proposals to various solicitations with that level of CMMC requirement
if the same assessment scope is used.
The type and sensitivity of information to be utilized during the
contract, FCI or CUI, determines the requirements in the solicitation,
which then informs the CMMC level required. CMMC level 1 requirements
are designed to be applied when FAR clause 52.204-21 security
requirements apply to the contract, whereas CMMC level 2 and 3
requirements are designed for the protection of CUI information, and to
be applied when DFARS clause 252.204-7012 also applies.
When CMMC Program requirements are effective, the DoD will begin
including CMMC assessment requirements in solicitations as described in
Sec. 170.3 Applicability. DoD solicitations will specify which
requirements will apply to the contract award. Prior to issuance of a
solicitation, DoD will determine the appropriate CMMC level and type of
assessment needed to ensure adequate safeguarding of the DoD program
information to be shared in performance of the contract. Identification
of the CMMC level and assessment type will be part of the DoD's
requirement definition process. As addressed in Sec. 170.18(a) of this
rule, a CMMC Level 2 Final CMMC Status is a prerequisite for CMMC Level
3 assessment and must be achieved for information systems within the
Level 3 Assessment Scope.
Identification of priority programs is a function of the
requirements definition process for any DoD effort. The DoD will issue
policy guidance to Program Managers to clarify which programmatic
indicators should be considered for selecting the most appropriate
information safeguarding requirement and associated CMMC assessment
requirement for any given solicitation. Once identified as a
requirement, the CMMC Status required will apply uniformly to all
prospective competitors.
b. Who Determines the CMMC Level
Comment: Two comments asked who, within the Department, determines
the CMMC level required for a contract. One comment suggested that DoD
should require senior-level approval to include CMMC Level 3
Certification requirements in solicitations to limit unnecessary
application. One comment inquired about when and how CMMC levels change
during the program office's Agile Acquisition Framework lifecycle.
Response: Based on DoD decision criteria that include the type and
sensitivity of program information to be shared, Program Managers will
identify and coordinate as appropriate the CMMC requirement in the
solicitation. Internal policies for implementation of CMMC requirements
by DoD's acquisition community have been developed, and work will
continue as needed to integrate CMMC policies into relevant acquisition
policies, guidebooks, and training materials. The DoD intends that
requiring activities will determine when compliance should be assessed
through CMMC Level 3 as part of the ordinary acquisition planning and
requirements generation process.
The CMMC assessment level required does not change based on
acquisition lifecycle phase, but based on whether FCI and CUI are
processed, stored, or transmitted on contractor owned information
systems. All contractor-owned information systems that process, store,
or transmit CUI are subject to the requirements of NIST SP 800-171 when
DFARS clause 252.204-7012 is included in the contract.
c. CMMC Level 3 Determination
Comment: Multiple comments requested further clarification about
which types or categories of CUI require enhanced protection against
Advanced Persistent Threats (APTs) at CMMC Level 3 and whether the CMMC
level would be based on the Program or the data. Two comments expressed
concern or asked how DoD Components will avoid assigning CMMC Level 3
requirements to too many contracts. One comment recommended that DoD
modify its criteria for CMMC Level 3 to consider factors such as
Acquisition Program Category.
Response: CMMC levels do not correspond to CUI levels as the CMMC
Program requirements make changes to neither the CUI Program,
categories of CUI, nor existing DoD policies for information security
requirements. The CMMC Flow down requirement is defined in Sec.
170.23.
The Requiring Activity knows the type and sensitivity of
information that will be shared with or developed by the awarded
contractor and selects the CMMC Level required to protect the
information according to DoD guidance.
The DoD declines to modify CMMC Level 3 selection criteria as
described in the commenters' recommended alternatives, which have no
bearing on DoD's need for increased confidence in a contractor's
ability to safeguard certain CUI against Advanced Persistent Threats.
The value of information, and impact of its loss, does not diminish
based on the total number or dollar value of contracts held by the
awardee, or acquisition program category. The DoD reserves the right to
decide when compliance should be assessed by the Government through
CMMC Level 3 certification. The DoD defines the work requirements to be
solicited for any given program contract.
d. Environments Processing Both FCI and CUI
Comment: Two commenters recommended the elimination of separate
assessments when the FCI and CUI environments are the same. One of
these comments requested clarification regarding the scenario of an OSC
having one assessment scope environment for both FCI and CUI that meets
Level 2 requirements.
Response: CMMC Level 2 is required when CUI will be processed,
stored, or transmitted on contractor information systems. Successful
completion of a CMMC Level 2 self-assessment or CMMC Level 2
certification assessment will suffice to meet the CMMC Level 1
requirement for FCI if/when the scope is identical. The CMMC Level 2
Scoping Guide reflects this language.
e. Recommendations and Scenarios
Comment: One comment recommended removing CMMC Level 2 self-
assessment, changing the CUI Program, or creating a new type of CUI to
distinguish between CMMC Level 2 self-assessment and CMMC Level 2
Certification. Another comment noted that the requirements for CMMC
Level 2 certification assessment are almost identical to requirements
for CMMC Level 2 self-assessment. One comment expressed concern that
DoD's designation of CMMC Level 2 self-
[[Page 83116]]
assessment and certification assessment runs contrary to FCI (FAR
requirements) and the CUI Program. One comment asked if the designation
of information as FCI or CUI changes the scope of CMMC.
One comment asked for clarification on which contracts will have
sensitive unclassified DoD information but will not require CMMC
assessment. One comment recommended removing the option for CMMC Level
2 self-assessments to reduce complexity. One comment posed multiple
questions about what DoD will do if contracting officers assign CMMC
Level 2 or CMMC Level 3 Certification requirements at a rate
substantially higher than projected.
Response: The DoD CIO looked at CUI from a risk-based perspective
and determined that different approaches to assessments could be
implemented to address risk and help lower the burden for the DIB. The
security requirements for a CMMC Level 2 self-assessment and a CMMC
Level 2 certification assessment are the same; the only difference
between these assessments is whether the assessment is performed by the
OSA or by an independent C3PAO.
The decision to rely upon self-assessment in lieu of certification
assessment is a Government risk-based decision based upon the nature of
the effort to be performed and CUI to be shared. The size of the
company with access to the CUI is not a basis for this determination.
The value of information (and impact of its loss) does not diminish
when the information moves to contractors of smaller size. The DoD
declines to modify the rule to include its internal decision process.
To select a CMMC Level for a procurement, Program Managers and
requiring activities will identify the applicable CMMC Level using the
factors included in Sec. 170.5(b)(1) through (5). The DoD did agree
with one comment to rephrase Sec. 170.5(b)(4) to delete a reference to
the ``potential for'' impact from exploitation of information security
deficiencies, which likely cannot be effectively determined. The DoD
does not agree that the wording equates to a sub-CONFIDENTIAL
classification and declines to delete that criterion. Sec. 170.5(b)(3)
is appropriately worded in that it states Program Managers will
consider the listed criteria in selecting a CMMC requirement level. It
does not have the effect of ``transforming FCI into CUI''. The DoD
reserves the right to define the criteria for selection of the CMMC
assessment requirement, just as it defines all other requirements for
inclusion in a solicitation.
The Department remains committed to implementing the CMMC program
to require compliance assessment against applicable security
requirements in all DoD contracts involving FCI or CUI. Some such
contracts will require only a CMMC self-assessment, while others will
require a certification assessment. The commenter is mistaken in
assuming that some contracts that do require processing of FCI or CUI
will not require CMMC assessment of either kind absent an approved
waiver.
The DoD declines to remove self-assessments from the rule. Self-
assessments allow the acquiring organization to balance the cost and
complexity of assessment with the risk to the information being shared
with the OSA.
Supporting guidance for CMMC implementation will be updated, as
necessary. DoD has options to mitigate implementation issues such as
waivers and other contractual remedies. DoD's estimate for the number
of contractors requiring CMMC Level 1 and its cost estimates represent
derived estimates based on internal expertise and public feedback in
accordance with OMB Circular A-4.
12. Flow-Down/Applicability to Sub Contractors
a. Applicability and Compliance
Comment: Several comments requested clarification about the
applicability of CMMC requirements to subcontractors and how to
correctly flow down requirements. Some asked whether prime contractors
would have flexibility to flow down a lower CMMC level than required
for the prime contract. Three comments expressed confusion about the
type of Level 2 assessment required for subcontractors when supporting
a prime that is required to meet CMMC Level 3 requirements. Two asked
about the impact to flow-down when contractors hold multiple contracts.
A couple of comments requested clarity on how to determine the correct
CMMC level to flow down.
Some comments asked what factors would result in flow-down of a
particular CMMC requirement level, or whether affirmations submitted by
primes would require knowledge of subcontractor compliance status.
Other comments asked what tools would be available to assist
contractors in checking subcontractor compliance with CMMC requirements
or suggested that SPRS should be made available for this purpose. One
suggested that without this transparency, CMMC compliance would become
a meaningless effort to ``check the box'' without actual steps to
secure their systems. Another simply asked if they would have their own
SPRS and eMASS access, or access through their prime. Some asked what
action meets the rule's requirement to ``require subcontractor
compliance'', i.e., does simply including the CMMC clause in
subcontracts meet that requirement.
One comment objected to the definition of subcontractor used in the
rule, which they stated was overly broad and would result in
application of CMMC requirements to too many businesses. Some comments
suggested the flow-down requirement apply only to one sub-tier, while
another requested advance notice of solicitations that plan to include
CMMC requirements. One comment suggested that CUI be treated more like
classified information, meaning to limit sharing of CUI with
subcontractors. Some comments asked whether prime contractors are
responsible for verifying subcontractor compliance with DFARS clause
252.204-7012, as C3PAOs do during an assessment. Two comments
recommended rephrasing the flow-down section, with one specifically
asking to clarify it is required only when FCI or CUI will be
processed, stored, or transmitted in the performance of any particular
prime contract. Another suggested edits for clarity or for consistency
with DFARS clause 252.204-7012.
Response: It is up to each OSA to protect FCI and CUI and to
determine the assessment boundary, policies, and procedures necessary
to do that. Section 170.23 specifically addresses the CMMC requirements
that apply to subcontractors that will process, store, or transmit FCI
or CUI. Section 170.23 addresses flow down of CMMC requirements from
the prime contractor to the subcontractors in the supply chain. Prime
contractors are responsible for complying with contract terms and
conditions, including the requirement to flow down applicable CMMC
requirements to subcontractors. The DoD modified Sec. 170.23(a)(3) to
clarify that when a subcontractor will process, store, or transmit CUI
in performance of the subcontract and the Prime contractor has, for the
associated prime contract, a requirement of Level 2 certification
assessment, then CMMC Level 2 certification assessment is the minimum
requirement for the subcontractor. Requirements for External Service
Providers are defined in Sec. 170.4; not all companies that provide
services to an OSA are considered ESPs.
[[Page 83117]]
As in other contexts, the Government may specify additional
guidance in the solicitation. CMMC assessments will be identified as
pre-award requirements. Subcontractors at each tier are responsible for
submitting their own assessment and affirmation information in SPRS.
CMMC self-assessments and certifications will be reflected in SPRS,
including an indicator of the currency of the credentials. Contracting
Officers and Program Managers need not review any assessment artifacts,
only the resulting scores and certificate validity period.
Work arrangements between the prime and subcontractor are beyond
the scope of this rule; however, if CUI is flowed down and will be
processed, stored, or transmitted on subcontractor information systems
in the performance of a DoD contract then CMMC requirements also flow
down as described in Sec. 170.23. The DoD will not track progress
toward certification but will implement CMMC as a pre-award
requirement. An OSA's pursuit of a C3PAO assessment is a business
decision to be made by each contractor considering the contract
opportunities it wishes to pursue.
The DoD disagrees with one commenter's assertion that CMMC
requirement will flow down ``regardless of what work they do'', because
it does not acknowledge the point that flow-down requirements are for
subcontractors who process, store, or transmit CUI. The text of Sec.
170.23 clearly conditions the flow-down to those cases when a
subcontractor will process, store, or transmit FCI or CUI. The prime
contractor's responsibility is to flow down CMMC assessment
requirements as described in Sec. 170.23 and to ensure that FCI and
CUI are not further disseminated to subcontractors that do not meet the
CMMC requirement indicated in Sec. 170.23. Likewise, subcontractors
must also flow down CMMC requirements and ensure that FCI and CUI are
not further disseminated to subcontractors that do not meet the CMMC
requirement indicated in Sec. 170.23. Section 170.23 has been revised
to make this clearer. DoD declines to accept the recommendation to
treat CUI like classified data. Classified information is managed
differently from CUI, and different safeguarding regulations apply to
these different categories of information (each of which is defined in
32 CFR part 2002).
This rule makes no change to CUI policies for marking of data, and
CMMC levels are not CUI categories in the DoD CUI registry. Primes and
their subcontractors must understand flow-down requirements based on
Sec. 170.23, which clearly identifies requirements that apply when
subcontractors will process, store, or transmit CUI in performance of
the subcontract and the Prime contractor has a requirement of Level 3
certification assessment (i.e., CMMC Level 2 certification assessment
is the minimum requirement for the subcontractor). In addition, the
rule has been revised to make clear that the requirement applies in the
performance of a subcontract when the relevant prime contract has a
CMMC requirement. The rationale for the minimum level 2 certification
flow-down requirement is that the DoD made a risk-based decision not to
mandate flow down of the level 3 requirement unless explicit guidance
is provided to do so. As stated in Sec. 170.23(a)(3), when a Prime
contractor has a requirement of Level 2 certification, any CUI that is
flowed down for a subcontractor to process, store, or transmit in
performance of the subcontract will also carry a minimum requirement of
Level 2 certification assessment.
CMMC Program requirements will be identified as solicitation and
contract requirements, and contractors will be required to meet the
stated CMMC requirements, when applicable, at or above the level
identified. One commenter misinterpreted a response to a prior public
comment. The quoted content says that contractors and subcontractors
each must verify (through CMMC assessment) that all applicable security
requirements of NIST SP 800-171 required via DFARS clause 252.204-7012
have been implemented. Contractors are not required to assess
subcontractor implementation of the requirements of NIST SP 800-171.
The prime contractor's responsibility is to flow down CMMC assessment
requirements as described in Sec. 170.23 and also to refrain from
disseminating FCI or CUI to subcontractors that have not indicated
meeting the CMMC level described in that section for the type of
information to be shared. Likewise, subcontractors must also flow down
CMMC requirements or refrain from disseminating FCI or CUI. The DoD
does not provide SPRS access or other tools for contractors to identify
the CMMC status of other companies. The DoD expects that defense
contractors will share information about CMMC status with other DIB
members to facilitate effective teaming arrangements when bidding for
DoD contracts.
Prime contractors will not be granted access to subcontractors'
information in SPRS. However, prime contractors should communicate
early and often with prospective subcontractors to confirm current CMMC
status, including whether the level matches that required. This
interaction does not involve the government and is beyond the scope of
this rule.
This rule follows the format and includes all sections required in
OMB guidelines for formal rulemaking. The DoD lacks authority to modify
the template or omit required sections, which results in some
repetition.
DIB contractors are responsible for submitting their Level 1 and
Level 2 self-assessments and will access SPRS to enter the results. DIB
contractors do not have access to CMMC eMASS, as that system is used to
support certification assessments only.
CMMC Program requirements are designed to require completion of an
assessment and an annual affirmation. The purpose of the annual
affirmation addressed in Sec. 170.22 is to validate to the DoD that
the contractor is actively maintaining its CMMC level status, which is
more than a checkbox exercise.
One commenter misinterpreted the quoted definition of
subcontractor, which makes clear that term includes only those entities
providing supplies, materials, equipment, or services under a
subcontract in connection with the prime contract. DFARS clause
252.204-7012 and FAR clause 52.204-21 also flow down the requirement to
safeguard information. CMMC program requirements will be flowed down
similarly; therefore there is no anticipated expansion of scope. The
cost estimates included in the published rule include costs for both
existing DIB members and new entrants (or newly covered entities).
The DoD modified the Overview summary of CMMC 2.0 to read ``The
DFARS clause 252.204-7012 also requires defense contractors to include
this clause in all subcontracts that will require the subcontractor to
process, store, or transmit CUI.'' The DoD declined additional edits in
this location that requested reframing the criteria Program Managers
will use to select CMMC requirements to address Levels 2 and 3 only.
The DoD may apply CMMC Level 2 or 3 requirements when there is
anticipation of the need for the contractor or subcontractors to
process, store, or transmit CUI during the performance of a contract.
b. Prime and Subcontractor Relationships
Comment: Many requested specific examples of when a prime
contractor should flow down its CMMC requirements to a subcontractor or
ESP, and how to determine the appropriate CMMC level to flow down. For
example,
[[Page 83118]]
one comment asked whether the subcontract document would require
safeguarding, necessitating flow-down of the CMMC requirement. Some
comments expressed concern that flow-down requirements are not
sufficiently clear to prevent prime contractors from unnecessarily
sharing CUI and applying CMMC requirements to lower tier suppliers.
Another thought that the flow-down requirements will drastically expand
the scope of the program and drive cost increases for the DIB.
Several comments suggested strategies for minimizing the burden of
security implementation on lower tier subcontractors, such as requiring
prime contractors to provide access to CUI on prime contractor systems,
or prohibiting prime contractors from unnecessarily sharing CUI
information that would necessitate a CMMC requirement. One asked
whether the prime contractor has a responsibility to check which CMMC
level the subcontractor has flowed down to the next tier. One comment
referenced industry activities aimed at gauging subcontractor
preparedness for CMMC and expressed concern with anecdotal evidence
that primes will not issue orders until the subcontractor has submitted
CMMC scores into SPRS.
Response: One commenter correctly interpreted Sec. 170.23(a)(3) as
meaning that CMMC level 2 Certification requirements (not self-
assessments) flow down for subcontractors that will handle CUI when the
Prime contract specifies a CMMC Level 2 Certification requirement.
At the time of award, the DoD may have no visibility into whether
the awardee will cho
[…truncated; see source link]