Senior Management and Program Analyst

0790-AL49 202110 The Regulatory Plan and the Unified Agenda of Federal Regulatory and Deregulatory Actions 0790 Office of the Secretary OS 0700 Department of Defense DOD Cybersecurity Maturity Model Certification (CMMC) Framework

This rule will establish cybersecurity requirements that must be met for Defense Industrial Base (DIB) contractors to obtain requisite Cybersecurity Maturity Model Certification status. DIB contractors may need CMMC certification to qualify for award of designated future DoD contracts. The impact of the CMMC requirements, in conjunction with DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements, will be a higher level of assurance that Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) will be protected at the level commensurate with the risk from cybersecurity threats, including Advanced Persistent Threats.

DoD implemented a two-pronged approach to assess and verify the DIB's ability to protect FCI and CUI. This rule implements:

The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 DoD Assessment Methodology employed to assess contractor implementation of the cybersecurity requirements in NIST SP 800-171, Protecting Controlled Unclassified Information (CUI) In Nonfederal Systems and Organizations, required by DFARS 252.204-7012. The verification of contractor implementation of NIST SP 800-171 security requirements is addressed under DFARS provision 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements, and DFARS clause 252.204-7020, NIST SP 800-171 DoD Assessment Requirements.
The Cybersecurity Maturity Model Certification (CMMC) Framework. CMMC is a new DoD certification process to measure a DIB contractor’s adherence to processes and implementation of cybersecurity practices to address and mitigate the threats posed by Advanced Persistent Threats--adversaries with sophisticated levels of expertise and significant resources.

This rule is related to DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements, which specifies the requirement for assessing that DIB contractors meet CMMC requirements. This rule will specify the CMMC requirements for which the DIB contractors will be assessed.

]]> Economically Significant First Time Published in The Unified Agenda Long-Term Actions Yes Private Sector 32 CFR 170 5 U.S.C. 301 Pub. L. 116-92, sec. 1648 No Interim Final Rule 12/00/2022 Yes Businesses Federal Undetermined No Yes Yes Diane Knight L. Senior Management and Program Analyst 0790 Office of the Secretary OS 202 770-9100 diane.l.knight10.civ@mail.mil 4800 Mark Center Drive, Suite 12E08, Alexandria VA 22350