View Rule

DoD is proposing to implement the Cybersecurity Maturity Model Certification (CMMC) Framework, to help assess a Defense Industrial Base (DIB) contractor’s compliance with implementation of cybersecurity requirements to safeguard Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) transiting non-federal systems to help mitigate the threats posed by Advanced Persistent Threats--adversaries with sophisticated levels of expertise and significant resources.

Office of the DoD CIO / CMMC Program Management Office plans to host a public meeting on the 32 CFR CMMC Program proposed rule after it is published in the Federal Register for  public review and comment.

Statement of Need:

CMMC is designed to provide increased assurance to the DoD that a DIB contractor can adequately protect sensitive unclassified information (i.e., FCI and CUI) at a level commensurate with the risk, and accounting for necessary information flow down to its subcontractors in a multi-tier supply chain.

Summary of the Legal Basis:

5 U.S.C. 301 authorizes the head of an Executive department or military department to prescribe regulations for the government of his or her department, the conduct of its employees, the distribution and performance of its business, and the custody, use, and preservation of its records, papers, and property.  

 41 U.S.C 1303; Pub. L. 116-92, sec. 1648 directs the Secretary of Defense to develop a consistent, comprehensive framework to enhance cybersecurity for the U.S. defense industrial base.  Developing the CMMC Program was as an important first step toward meeting these requirements. *

Alternatives:

DoD considered and adopted several alternatives during the development of this rule that reduce the burden on the DIB community and still meet the objectives of the rule. These alternatives include: (1) maintaining status quo, leveraging only the current requirements implemented in DFARS provision 252.204-7019 and DFARS clause 252.204- 7020 requiring DIB contractors and offerors to self-assess utilizing the DoD Assessment Methodology and entering a Basic Summary Score; (2) revising CMMC to reduce the burden for small businesses and contractors who do not process, store or transmit critical CUI by eliminating the requirement to hire a C3PAO and instead allow self-assessment with affirmation to maintain compliance at CMMC Level 1, and allowing triennial self-assessment with annual affirmation to maintain compliance for some CMMC Level 2 programs; (3) exempting contracts and orders exclusively for the acquisition of commercially available off-the-shelf items; and, (4) implementing a phased implementation for CMMC.

Inaddition, the Department took into consideration the timing of the requirement to achieve a specified CMMC level: (1) at time of proposal or offer submission, (2) after contract award, (3) at the time of contract award, or (4) permitting government program managers to seek approval to waive inclusion of a CMMC requirement in a solicitation, subject to  DoD internal policies, procedures, and waiver approval requirements.

Anticipated Costs and Benefits:

The theft of intellectual property and sensitive information, including FCI and CUI, from all U.S. industrial sectors due to malicious cyber activity threatens U.S. economic and national security. The Council of Economic Advisors estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016. By incorporating heightened cybersecurity standards into acquisition programs, the CMMC Program provides the Department assurance that contractors and subcontractors are meeting DoD’s cybersecurity requirements and provides a key mechanism to adapt to an evolving threat landscape.

Risks:

The aggregate loss of intellectual property and certain unclassified information from the DoD supply chain can undercut U.S. technical advantages and innovation, as well as significantly increase risk to national security.