View Rule

View EO 12866 Meetings Printer-Friendly Version     Download RIN Data in XML

DOD/OS RIN: 0790-AL49 Publication ID: Fall 2022 
Title: Cybersecurity Maturity Model Certification (CMMC) Program 

DOD is proposing to implement the Cybersecurity Maturity Model Certification (CMMC) Framework,  to help assess a Defense Industrial Base (DIB) contractor’s compliance with and implementation of cybersecurity requirements to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) transiting non-federal systems and mitigate the threats posed by Advanced Persistent Threats--adversaries with sophisticated levels of expertise and significant resources.

Agency: Department of Defense(DOD)  Priority: Economically Significant 
RIN Status: Previously published in the Unified Agenda Agenda Stage of Rulemaking: Proposed Rule Stage 
Major: Yes  Unfunded Mandates: Private Sector 
CFR Citation: 32 CFR 170   
Legal Authority: 5 U.S.C. 301    Pub. L. 116-92, sec. 1648   
Legal Deadline:  None

Statement of Need:

CMMC is designed to provide increased assurance to the DoD that a DIB contractor can adequately protect sensitive unclassified information (i.e., FCI and CUI) at a level commensurate with the risk, and accounting for information flow down to its subcontractors in a multi-tier supply chain.

Summary of the Legal Basis:

5 U.S.C. 301 authorizes the head of an Executive department or military department to prescribe regulations for the government of his or her department, the conduct of its employees, the distribution and performance of its business, and the custody, use, and preservation of its records, papers, and property.  

 41 U.S.C 1303; Pub. L. 116-92, sec. 1648 directs the Secretary of Defense to develop a consistent, comprehensive framework to enhance cybersecurity for the U.S. defense industrial base.  Developing the CMMC Program was as an important first step toward meeting these requirements. *


DoD considered and adopted several alternatives during the development of this rule that reduce the burden on the DIB community and still meet the objectives of the rule.  These alternatives include: (1) maintaining status quo, leveraging only the current requirements implemented in DFARS provision 252.204-7019 and DFARS clause 252.204-7020 requiring DIB contractors and offerors to self-assess utilizing the DoD Assessment Methodology and entering a Basic Summary Score; (2) revising CMMC 1.0 to CMMC 2.0 in response to public comments, to reduce the burden for small businesses and contractors who do not process, store or transmit critical CUI by eliminating the requirement to hire a C3PAO and instead allow self-assessment with annual affirmations to maintain compliance at CMMC Level 1, and allowing triennial self-certification with an annual affirmation to maintain compliance for some CMMC Level 2 programs; (3) exempting contracts and orders exclusively for the acquisition of commercially available off-the-shelf items; and (4) implementing a phased implementation for CMMC.

In addition, the Department took into consideration the timing of the requirement to achieve a specified CMMC level: (1) at time of proposal or offer submission, (2) post contract award, or (3) at the time of contract award.

Anticipated Costs and Benefits:

The theft of intellectual property and sensitive information, including FCI and CUI, from all U.S. industrial sectors due to malicious cyber activity threatens U.S. economic and national security. The Council of Economic Advisors estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016. Over a ten-year period, that burden would equate to an estimated $570 billion to $1.09 trillion dollars in costs. 


The aggregate loss of intellectual property and certain unclassified information from the DoD supply chain can undercut U.S. technical advantages and innovation, as well as significantly increase risk to national security.

Action Date FR Cite
NPRM  05/00/2023 
Regulatory Flexibility Analysis Required: Yes  Government Levels Affected: Federal 
Small Entities Affected: Businesses  Federalism: No 
Included in the Regulatory Plan: Yes 
International Impacts: This regulatory action will be likely to have international trade and investment effects, or otherwise be of international interest.
RIN Data Printed in the FR: Yes 
Agency Contact:
Diane L. Knight
Senior Management and Program Analyst
Department of Defense
Office of the Secretary
4800 Mark Center Drive, Suite 12E08,
Alexandria, VA 22350
Phone:202 770-9100