
DOD/OS
RIN: 0790-AL49
Publication ID: Spring 2022
Title: Cybersecurity Maturity Model Certification (CMMC) Framework

The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 DoD Assessment Methodology employed to assess contractor implementation of the cybersecurity requirements in NIST SP 800-171, Protecting Controlled Unclassified Information (CUI) In Nonfederal Systems and Organizations, required by DFARS 252.204-7012. The verification of contractor implementation of NIST SP 800-171 security requirements is addressed under DFARS provision 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements, and DFARS clause 252.204-7020, NIST SP 800-171 DoD Assessment Requirements.

The Cybersecurity Maturity Model Certification (CMMC) Framework, version 2.0. CMMC 2.0 is a newly approved DoD certification process to help assess a DIB contractor’s compliance with and implementation of cybersecurity requirements to safeguard FCI and CUI transiting non-federal systems and mitigate the threats posed by Advanced Persistent Threats--adversaries with sophisticated levels of expertise and significant resources.

This rule is related to DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements, which specifies the CMMC requirement at the level specified for a contract and for the duration of the contract with the DIB contractor. This rule will specify the CMMC requirements, at CMMC Level 1, 2, or 3, with which DIB contractors must comply in advance of a contract award, as well as the process for obtaining and maintaining CMMC certification, as required for a designated DoD contract.

Agency: Department of Defense (DOD)
Priority: Economically Significant
RIN Status: Previously published in the Unified Agenda
Agenda Stage of Rulemaking: Final Rule Stage
Major: Yes
Unfunded Mandates: Private Sector
CFR Citation: 32 CFR 170
Legal Authority: 5 U.S.C. 301; Pub. L. 116-92, sec. 1648
Legal Deadline: None
Action Date FR Cite
Interim Final Rule  03/00/2023 
Regulatory Flexibility Analysis Required: Yes
Government Levels Affected: Federal
Small Entities Affected: Businesses
Federalism: Undetermined
Included in the Regulatory Plan: No
International Impacts: This regulatory action will be likely to have international trade and investment effects, or otherwise be of international interest.
RIN Data Printed in the FR: Yes
Agency Contact:
Diane L. Knight
Senior Management and Program Analyst
Department of Defense
Office of the Secretary
4800 Mark Center Drive, Suite 12E08,
Alexandria, VA 22350
Phone: 202 770-9100