View Rule

View EO 12866 Meetings Printer-Friendly Version     Download RIN Data in XML

DOD/OS RIN: 0790-AL49 Publication ID: Fall 2023 
Title: Cybersecurity Maturity Model Certification (CMMC) Program 

DoD is proposing to implement the Cybersecurity Maturity Model Certification (CMMC) Framework, to help assess a Defense Industrial Base (DIB) contractor’s compliance with implementation of cybersecurity requirements to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) transiting non-federal systems to help mitigate the threats posed by Advanced Persistent Threats--adversaries with sophisticated levels of expertise and significant resources.

Office of the DoD CIO / CMMC Program Management Office plans to host a public meeting on the 32 CFR CMMC Program proposed rule after it is published in the Federal Register for  public review and comment.

Agency: Department of Defense(DOD)  Priority: Section 3(f)(1) Significant 
RIN Status: Previously published in the Unified Agenda Agenda Stage of Rulemaking: Proposed Rule Stage 
Major: Yes  Unfunded Mandates: No 
CFR Citation: 32 CFR 170   
Legal Authority: 5 U.S.C. 301    Pub. L. 116-92, sec. 1648   
Legal Deadline:  None

Statement of Need:

CMMC is designed to provide increased assurance to the DoD that a DIB contractor can adequately protect sensitive unclassified information (i.e., FCI and CUI) at a level commensurate with the risk, and accounting for necessary information flow down to its subcontractors in a multi-tier supply chain.

Summary of the Legal Basis:

5 U.S.C. 301 authorizes the head of an Executive department or military department to prescribe regulations for the government of his or her department, the conduct of its employees, the distribution and performance of its business, and the custody, use, and preservation of its records, papers, and property.  

 41 U.S.C 1303; Pub. L. 116-92, sec. 1648 directs the Secretary of Defense to develop a consistent, comprehensive framework to enhance cybersecurity for the U.S. defense industrial base.  Developing the CMMC Program was as an important first step toward meeting these requirements. *


DoD considered and adopted several alternatives during the development of this rule that reduce the burden on the DIB community and still meet the objectives of the rule. These alternatives include: (1) maintaining status quo, leveraging only the current requirements implemented in DFARS provision 252.204-7019 and DFARS clause 252.204- 7020 requiring DIB contractors and offerors to self-assess utilizing the DoD Assessment Methodology and entering a Basic Summary Score; (2) revising CMMC to reduce the burden for small businesses and contractors who do not process, store or transmit critical CUI by eliminating the requirement to hire a C3PAO and instead allow self-assessment with affirmation to maintain compliance at CMMC Level 1, and allowing triennial self-assessment with annual affirmation to maintain compliance for some CMMC Level 2 programs; (3) exempting contracts and orders exclusively for the acquisition of commercially available off-the-shelf items; and, (4) implementing a phased implementation for CMMC.

Inaddition, the Department took into consideration the timing of the requirement to achieve a specified CMMC level: (1) at time of proposal or offer submission, (2) after contract award, (3) at the time of contract award, or (4) permitting government program managers to seek approval to waive inclusion of a CMMC requirement in a solicitation, subject to  DoD internal policies, procedures, and waiver approval requirements.

Anticipated Costs and Benefits:

The theft of intellectual property and sensitive information, including FCI and CUI, from all U.S. industrial sectors due to malicious cyber activity threatens U.S. economic and national security. The Council of Economic Advisors estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016. By incorporating heightened cybersecurity standards into acquisition programs, the CMMC Program provides the Department assurance that contractors and subcontractors are meeting DoD’s cybersecurity requirements and provides a key mechanism to adapt to an evolving threat landscape.


The aggregate loss of intellectual property and certain unclassified information from the DoD supply chain can undercut U.S. technical advantages and innovation, as well as significantly increase risk to national security.

Action Date FR Cite
NPRM  11/00/2023 
Regulatory Flexibility Analysis Required: Yes  Government Levels Affected: Federal 
Small Entities Affected: Businesses  Federalism: No 
Included in the Regulatory Plan: Yes 
RIN Data Printed in the FR: Yes 
Agency Contact:
Diane L. Knight
Senior Management and Program Analyst
Department of Defense
Office of the Secretary
4800 Mark Center Drive, Suite 12E08,
Alexandria, VA 22350
Phone:202 770-9100