View Rule

View EO 12866 Meetings Printer-Friendly Version     Download RIN Data in XML

DOD/DARC RIN: 0750-AK81 Publication ID: Fall 2022 
Title: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041) 
Abstract:

DoD is amending an interim rule to implement the CMMC framework 2.0 in order to protect against the theft of intellectual property and sensitive information from the Defense Industrial Base (DIB) sector. The CMMC framework is a DoD certification process that measures a company’s institutionalization of processes and implementation of cybersecurity practices. This rule provides the Department with assurances that a DIB contractor can adequately protect sensitive unclassified information at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.

 
Agency: Department of Defense(DOD)  Priority: Economically Significant 
RIN Status: Previously published in the Unified Agenda Agenda Stage of Rulemaking: Proposed Rule Stage 
Major: Yes  Unfunded Mandates: No 
CFR Citation: 48 CFR 204    48 CFR 212    48 CFR 217    48 CFR 252   
Legal Authority: 41 U.S.C. 1303    Pub. L. 116-92, sec. 1648   
Legal Deadline:  None

Statement of Need:

The purpose of this DFARS rule is to ensure that Defense Industrial Base (DIB) contractors will adequately protect sensitive unclassified information at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain.

Summary of the Legal Basis:

This rule is being implemented under the authority of 41 U.S.C. 1303 and section 1648 of the National Defense Authorization Act for Fiscal Year (FY) 2020 (Pub. L. 116-92).  The USD (A&S) has the authority and responsibility for promulgating DoD procurement rules under the OFPP statute, codified at title 41 of the U.S. Code. Section 1648 of the National Defense Authorization Act for Fiscal Year 2020 (Pub. L. 116-92) directs the Secretary of Defense to develop a risk-based cybersecurity framework for the DIB sector, such as CMMC, as the basis for a mandatory DoD standard. 

Alternatives:

DoD considered and adopted several alternatives during the development of the interim rule that reduced the burden on small entities and still meet the objectives of the rule. DoD will consider similar alternatives for the amendment rule. These alternatives include: (1) exempting contracts and orders exclusively for the acquisition of commercially available off-the-shelf items; and (2) implementing a phased rollout and stipulating that the inclusion a CMMC requirement in new contracts until that time be approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment.

Anticipated Costs and Benefits:

The annualized value of costs beginning in fiscal year 2021 (calculated in perpetuity in 2016 dollars at a 7 percent discount rate) associated with implementing the CMMC Framework in the interim is $4 billion. The primary benefit of this rule is improving the protection of the Department's sensitive information and reducing the threat to DIB sector intellectual property by:

  • Enabling assessments at the entity-level of contractor implementation of cyber security processes and practices that should already be in place;
  • Requiring comprehensive implementation of cybersecurity requirements rather than plans of action to accomplish implementation;
  • Verifying DIB sector contractor and subcontractor cybersecurity postures; and  
  • Reducing duplicative or repetitive assessments of our industry partners through standardization.

  

Risks:

The theft of intellectual property and sensitive information from all U.S. industrial sectors due to malicious cyber activity threatens economic security and national security.  Malicious cyber actors have and continue to target the DIB sector and the supply chain of the Department of Defense. These attacks not only focus on the large prime contractors, but also target subcontractors that make up the lower tiers of the DoD supply chain. Many of these subcontractors are small entities that provide critical support and innovation. The aggregate loss of intellectual property and certain unclassified information from the DoD supply chain can undercut U.S. technical advantages and innovation, as well as significantly increase risk to national security.

Timetable:
Action Date FR Cite
Interim Final Rule  09/29/2020  85 FR 48513   
Interim Final Rule Effective  11/30/2020 
NPRM  05/00/2023 
Regulatory Flexibility Analysis Required: Yes  Government Levels Affected: Federal 
Small Entities Affected: Businesses  Federalism: No 
Included in the Regulatory Plan: Yes 
Initial (Administrative Startup and /or Capital) Cost: $0  Yearly (Annual Operating) Cost: $0 
Base Year of the Dollar Estimates: 2021  RIN Data Printed in the FR: Yes 
Related RINs: Split from 0750-AL68, Related to 0790-AL49 
Agency Contact:
Jennifer D. Johnson
Office of the Under Secretary of Defense for Acquisition and Sustainment
Department of Defense
Defense Acquisition Regulations Council
Defense Pricing, Contracting, & Acquisition Policy, Defense Acquisition Regulations System, Room 3B938, 3060 Pentagon,
Washington, DC 20301-3060
Phone:703 717-8226
Email: jennifer.d.johnson1.civ@mail.mil