<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<REGINFO_RIN_DATA xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" RUN_DATE="2026-07-07-04:00" xsi:noNamespaceSchemaLocation="https://www.reginfo.gov/public/xml/REGINFO_XML_Ver10262011.xsd">
    <RIN_INFO>
        <RIN>0790-AM01</RIN>
        <PUBLICATION>
            <PUBLICATION_ID>202510</PUBLICATION_ID>
            <PUBLICATION_TITLE>The Regulatory Plan and the Unified Agenda of Federal Regulatory and Deregulatory Actions</PUBLICATION_TITLE>
        </PUBLICATION>
        <AGENCY>
            <CODE>0790</CODE>
            <NAME>Office of the Secretary</NAME>
            <ACRONYM>OS</ACRONYM>
        </AGENCY>
        <PARENT_AGENCY>
            <CODE>0700</CODE>
            <NAME>Department of War</NAME>
            <ACRONYM>DOW</ACRONYM>
        </PARENT_AGENCY>
        <RULE_TITLE>Cybersecurity Maturity Model Certification (CMMC) Program</RULE_TITLE>
        <ABSTRACT><![CDATA[<!DOCTYPE html>
<html>
<head>
</head>
<body>
<p><span data-teams="true">This amendment defines a deadline and period for transition from the requirement to comply with NIST SP 800-171 Revision 2, to a requirement to comply with NIST SP 800-171 Revision 3. Significant changes between these two documents include added specificity in the security requirements and introduction of organization-defined parameters (ODP) in select security requirements.&nbsp; In addition to revising the NIST documents that are incorporated by reference in 32 CFR part 170, this amendment adds administrative edits and clarifying content in multiple areas as necessary to effect the transition.&nbsp;</span></p>
</body>
</html>]]></ABSTRACT>
        <PRIORITY_CATEGORY>Other Significant</PRIORITY_CATEGORY>
        <RIN_STATUS>First Time Published in The Unified Agenda</RIN_STATUS>
        <RULE_STAGE>Final Rule Stage</RULE_STAGE>
        <MAJOR>Undetermined</MAJOR>
        <UNFUNDED_MANDATE_LIST>
            <UNFUNDED_MANDATE>No</UNFUNDED_MANDATE>
        </UNFUNDED_MANDATE_LIST>
        <EO_13771_DESIGNATION>Fully or Partially Exempt</EO_13771_DESIGNATION>
        <CFR_LIST>
            <CFR>32 CFR 170</CFR>
        </CFR_LIST>
        <LEGAL_AUTHORITY_LIST>
            <LEGAL_AUTHORITY>5 U.S.C. 301</LEGAL_AUTHORITY>
            <LEGAL_AUTHORITY>Pub. L 116-92, sec. 1648</LEGAL_AUTHORITY>
            <LEGAL_AUTHORITY>133 Stat. 1198</LEGAL_AUTHORITY>
        </LEGAL_AUTHORITY_LIST>
        <LEGAL_DLINE_LIST/>
        <RPLAN_ENTRY>Yes</RPLAN_ENTRY>
        <RPLAN_INFO>
            <STMT_OF_NEED><![CDATA[<!DOCTYPE html>
<html>
<head>
</head>
<body>
<p>With this amendment, DoD amends the Cybersecurity Maturity Model Certification (CMMC) Program to define a period for transition from the requirement to comply with NIST SP 800-171 Revision 2, to a requirement to comply with NIST SP 800-171 Revision 3.&nbsp; As described by NIST, the significant changes between these two documents include added specificity in the security requirements and introduction of organization-defined parameters (ODPs) in select security requirements. In addition to revising documents incorporated by reference in this rule, this amendment adds administrative edits and clarifying content in multiple areas.&nbsp;</p>
</body>
</html>]]></STMT_OF_NEED>
            <LEGAL_BASIS><![CDATA[<!DOCTYPE html>
<html>
<head>
</head>
<body>
<p>5 U.S.C. 301; Sec. 1648, Pub. L. 116-92, 133 Stat. 1198.</p>
</body>
</html>]]></LEGAL_BASIS>
            <ALTERNATIVES><![CDATA[<!DOCTYPE html>
<html>
<head>
</head>
<body>
<p>None</p>
</body>
</html>]]></ALTERNATIVES>
            <COSTS_AND_BENEFITS><![CDATA[<!DOCTYPE html>
<html>
<head>
</head>
<body>
<p><span data-teams="true"><span data-teams="true">In addition to the change from NIST SP 800-171 revision 2 to revision 3, which impacted CMMC Level 2 and LEvel 3 assessment objectives, this rule amendment is based on a more current estimate of the size of the Defense Industrial Base.&nbsp; Overall, we estimate approximately 20% fewer total companies will be impacted by 32 CFR Part 170.&nbsp;&nbsp;</span></span></p>
</body>
</html>]]></COSTS_AND_BENEFITS>
            <RISKS><![CDATA[<!DOCTYPE html>
<html>
<head>
</head>
<body>
<p>None</p>
</body>
</html>]]></RISKS>
        </RPLAN_INFO>
        <TIMETABLE_LIST>
            <TIMETABLE>
                <TTBL_ACTION>Interim Final Rule</TTBL_ACTION>
                <TTBL_DATE>07/00/2026</TTBL_DATE>
            </TIMETABLE>
        </TIMETABLE_LIST>
        <RFA_REQUIRED>No</RFA_REQUIRED>
        <SMALL_ENTITY_LIST>
            <SMALL_ENTITY>Businesses</SMALL_ENTITY>
            <SMALL_ENTITY>Governmental Jurisdictions</SMALL_ENTITY>
            <SMALL_ENTITY>Organizations</SMALL_ENTITY>
        </SMALL_ENTITY_LIST>
        <GOVT_LEVEL_LIST>
            <GOVT_LEVEL>Undetermined</GOVT_LEVEL>
        </GOVT_LEVEL_LIST>
        <FEDERALISM>No</FEDERALISM>
        <ENERGY_AFFECTED>No</ENERGY_AFFECTED>
        <PRINT_PAPER>No</PRINT_PAPER>
        <INTERNATIONAL_INTEREST>No</INTERNATIONAL_INTEREST>
        <AGENCY_CONTACT_LIST>
            <CONTACT>
                <FIRST_NAME>Carrie</FIRST_NAME>
                <LAST_NAME>Cardwell</LAST_NAME>
                <TITLE>Acquisition Analyst, Office of the DoD CIO</TITLE>
                <AGENCY>
                    <CODE>0790</CODE>
                    <NAME>Office of the Secretary</NAME>
                    <ACRONYM>OS</ACRONYM>
                </AGENCY>
                <PHONE>571 372-4410</PHONE>
                <EMAIL>carrie.m.cardwell.civ@mail.mil</EMAIL>
                <MAILING_ADDRESS>
                    <STREET_ADDRESS>4800 Mark Center Drive , Suite 11G14,</STREET_ADDRESS>
                    <CITY>Alexandria</CITY>
                    <STATE>VA</STATE>
                    <ZIP>22350</ZIP>
                </MAILING_ADDRESS>
            </CONTACT>
        </AGENCY_CONTACT_LIST>
    </RIN_INFO>
</REGINFO_RIN_DATA>
