View Rule

DOD is proposing to implement the Cybersecurity Maturity Model Certification (CMMC) Framework,  to help assess a Defense Industrial Base (DIB) contractor’s compliance with and implementation of cybersecurity requirements to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) transiting non-federal systems and mitigate the threats posed by Advanced Persistent Threats--adversaries with sophisticated levels of expertise and significant resources.

Statement of Need:

CMMC is designed to provide increased assurance to the DoD that a DIB contractor can adequately protect sensitive unclassified information (i.e., FCI and CUI) at a level commensurate with the risk, and accounting for information flow down to its subcontractors in a multi-tier supply chain.

Summary of the Legal Basis:

5 U.S.C. 301 authorizes the head of an Executive department or military department to prescribe regulations for the government of his or her department, the conduct of its employees, the distribution and performance of its business, and the custody, use, and preservation of its records, papers, and property.  

 41 U.S.C 1303; Pub. L. 116-92, sec. 1648 directs the Secretary of Defense to develop a consistent, comprehensive framework to enhance cybersecurity for the U.S. defense industrial base.  Developing the CMMC Program was as an important first step toward meeting these requirements. *

Alternatives:

DoD considered and adopted several alternatives during the development of this rule that reduce the burden on the DIB community and still meet the objectives of the rule.  These alternatives include: (1) maintaining status quo, leveraging only the current requirements implemented in DFARS provision 252.204-7019 and DFARS clause 252.204-7020 requiring DIB contractors and offerors to self-assess utilizing the DoD Assessment Methodology and entering a Basic Summary Score; (2) revising CMMC 1.0 to CMMC 2.0 in response to public comments, to reduce the burden for small businesses and contractors who do not process, store or transmit critical CUI by eliminating the requirement to hire a C3PAO and instead allow self-assessment with annual affirmations to maintain compliance at CMMC Level 1, and allowing triennial self-certification with an annual affirmation to maintain compliance for some CMMC Level 2 programs; (3) exempting contracts and orders exclusively for the acquisition of commercially available off-the-shelf items; and (4) implementing a phased implementation for CMMC.

In addition, the Department took into consideration the timing of the requirement to achieve a specified CMMC level: (1) at time of proposal or offer submission, (2) post contract award, or (3) at the time of contract award.

Anticipated Costs and Benefits:

The theft of intellectual property and sensitive information, including FCI and CUI, from all U.S. industrial sectors due to malicious cyber activity threatens U.S. economic and national security. The Council of Economic Advisors estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016. Over a ten-year period, that burden would equate to an estimated $570 billion to $1.09 trillion dollars in costs. 

Risks:

The aggregate loss of intellectual property and certain unclassified information from the DoD supply chain can undercut U.S. technical advantages and innovation, as well as significantly increase risk to national security.