View Rule
| View EO 12866 Meetings | Printer-Friendly Version Download RIN Data in XML |
| DOW/OS | RIN: 0790-AM01 | Publication ID: 2026 |
| Title: ●Cybersecurity Maturity Model Certification (CMMC) Program | |
|
Abstract:
This amendment defines a deadline and period for transition from the requirement to comply with NIST SP 800-171 Revision 2, to a requirement to comply with NIST SP 800-171 Revision 3. Significant changes between these two documents include added specificity in the security requirements and introduction of organization-defined parameters (ODP) in select security requirements. In addition to revising the NIST documents that are incorporated by reference in 32 CFR part 170, this amendment adds administrative edits and clarifying content in multiple areas as necessary to effect the transition. |
|
| Agency: Department of War(DOW) | Priority: Other Significant |
| RIN Status: First time published in the Unified Agenda | Agenda Stage of Rulemaking: Final Rule Stage |
| Major: Undetermined | Unfunded Mandates: No |
| EO 14192 Designation: Fully or Partially Exempt | |
| CFR Citation: 32 CFR 170 | |
| Legal Authority: 5 U.S.C. 301 Pub. L 116-92, sec. 1648 133 Stat. 1198 | |
|
Legal Deadline:
None |
||||||
|
Statement of Need: With this amendment, DoD amends the Cybersecurity Maturity Model Certification (CMMC) Program to define a period for transition from the requirement to comply with NIST SP 800-171 Revision 2, to a requirement to comply with NIST SP 800-171 Revision 3. As described by NIST, the significant changes between these two documents include added specificity in the security requirements and introduction of organization-defined parameters (ODPs) in select security requirements. In addition to revising documents incorporated by reference in this rule, this amendment adds administrative edits and clarifying content in multiple areas. |
||||||
|
Summary of the Legal Basis: 5 U.S.C. 301; Sec. 1648, Pub. L. 116-92, 133 Stat. 1198. |
||||||
|
Alternatives: None |
||||||
|
Anticipated Costs and Benefits: In addition to the change from NIST SP 800-171 revision 2 to revision 3, which impacted CMMC Level 2 and LEvel 3 assessment objectives, this rule amendment is based on a more current estimate of the size of the Defense Industrial Base. Overall, we estimate approximately 20% fewer total companies will be impacted by 32 CFR Part 170. |
||||||
|
Risks: None |
||||||
Timetable:
|
| Regulatory Flexibility Analysis Required: No | Government Levels Affected: Undetermined |
| Small Entities Affected: Businesses, Governmental Jurisdictions, Organizations | Federalism: No |
| Included in the Regulatory Plan: Yes | |
| RIN Data Printed in the FR: No | |
|
Agency Contact: Carrie Cardwell Acquisition Analyst, Office of the DoD CIO Department of War Office of the Secretary 4800 Mark Center Drive , Suite 11G14, Alexandria, VA 22350 Phone:571 372-4410 Email: carrie.m.cardwell.civ@mail.mil |
|
An official website of the United States government




