
DOD/OS RIN: 0790-AL49
Publication ID: Fall 2021
Title: Cybersecurity Maturity Model Certification (CMMC) Framework
Abstract:

This rule will establish cybersecurity requirements that must be met for Defense Industrial Base (DIB) contractors to obtain requisite Cybersecurity Maturity Model Certification status. DIB contractors may need CMMC certification to qualify for award of designated future DoD contracts. The impact of the CMMC requirements, in conjunction with DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements, will be a higher level of assurance that Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) will be protected at the level commensurate with the risk from cybersecurity threats, including Advanced Persistent Threats.

DoD implemented a two-pronged approach to assess and verify the DIB's ability to protect FCI and CUI. This rule implements:

  • The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 DoD Assessment Methodology, employed to assess contractor implementation of the cybersecurity requirements in NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, required by DFARS 252.204-7012. The verification of contractor implementation of NIST SP 800-171 security requirements is addressed under DFARS provision 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements, and DFARS clause 252.204-7020, NIST SP 800-171 DoD Assessment Requirements.

  • The Cybersecurity Maturity Model Certification (CMMC) Framework. CMMC is a new DoD certification process to measure a DIB contractor's adherence to processes and implementation of cybersecurity practices to address and mitigate the threats posed by Advanced Persistent Threats, adversaries with sophisticated levels of expertise and significant resources.

This rule is related to DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements, which specifies the requirement for assessing that DIB contractors meet CMMC requirements. This rule will specify the CMMC requirements against which DIB contractors will be assessed.

Agency: Department of Defense (DOD)
Priority: Economically Significant
RIN Status: First time published in the Unified Agenda
Agenda Stage of Rulemaking: Long-Term Actions
Major: Yes
Unfunded Mandates: Private Sector
CFR Citation: 32 CFR 170
Legal Authority: 5 U.S.C. 301; Pub. L. 116-92, sec. 1648
Legal Deadline: None
Timetable:
Action: Interim Final Rule
Date: 12/00/2022
FR Cite:
Regulatory Flexibility Analysis Required: Yes
Government Levels Affected: Federal
Small Entities Affected: Businesses
Federalism: Undetermined
Included in the Regulatory Plan: No
International Impacts: This regulatory action will be likely to have international trade and investment effects, or otherwise be of international interest.
RIN Data Printed in the FR: Yes
Agency Contact:
Diane L. Knight
Senior Management and Program Analyst
Department of Defense
Office of the Secretary
4800 Mark Center Drive, Suite 12E08,
Alexandria, VA 22350
Phone: 202 770-9100
Email: diane.l.knight10.civ@mail.mil