View Rule
View EO 12866 Meetings | Printer-Friendly Version Download RIN Data in XML |
DOD/OS | RIN: 0790-AL49 | Publication ID: Fall 2023 |
Title: Cybersecurity Maturity Model Certification (CMMC) Program | |
Abstract:
DoD is proposing to implement the Cybersecurity Maturity Model Certification (CMMC) Framework Office of the DoD CIO / CMMC Program Management Office plans to host a public meeting on the 32 CFR CMMC Program proposed rule after it is published in the Federal Register for public review and comment. |
|
Agency: Department of Defense(DOD) | Priority: Section 3(f)(1) Significant |
RIN Status: Previously published in the Unified Agenda | Agenda Stage of Rulemaking: Proposed Rule Stage |
Major: Yes | Unfunded Mandates: No |
CFR Citation: 32 CFR 170 | |
Legal Authority: 5 U.S.C. 301 Pub. L. 116-92, sec. 1648 |
Legal Deadline:
None |
||||||
Statement of Need: CMMC is designed to provide increased assurance to the DoD that a DIB contractor can adequately protect sensitive unclassified information (i.e., FCI and CUI) at a level commensurate with the risk, and accounting for necessary information flow down to its subcontractors in a multi-tier supply chain. |
||||||
Summary of the Legal Basis: 5 U.S.C. 301 authorizes the head of an Executive department or military department to prescribe regulations for the government of his or her department, the conduct of its employees, the distribution and performance of its business, and the custody, use, and preservation of its records, papers, and property. 41 U.S.C 1303; Pub. L. 116-92, sec. 1648 directs the Secretary of Defense to develop a consistent, comprehensive framework to enhance cybersecurity for the U.S. defense industrial base. Developing the CMMC Program was as an important first step toward meeting these requirements. * |
||||||
Alternatives: DoD considered and adopted several alternatives during the development of this rule that reduce the burden on the DIB community and still meet the objectives of the rule. These alternatives include: (1) maintaining status quo, leveraging only the current requirements implemented in DFARS provision 252.204-7019 and DFARS clause 252.204- 7020 requiring DIB contractors and offerors to self-assess utilizing the DoD Assessment Methodology and entering a Basic Summary Score; (2) revising CMMC to reduce the burden for small businesses and contractors who do not process, store or transmit critical CUI by eliminating the requirement to hire a C3PAO and instead allow self-assessment with affirmation to maintain compliance at CMMC Level 1, and allowing triennial self-assessment with annual affirmation to maintain compliance for some CMMC Level 2 programs; (3) exempting contracts and orders exclusively for the acquisition of commercially available off-the-shelf items; and, (4) implementing a phased implementation for CMMC. Inaddition, the Department took into consideration the timing of the requirement to achieve a specified CMMC level: (1) at time of proposal or offer submission, (2) after contract award, (3) at the time of contract award, or (4) permitting government program managers to seek approval to waive inclusion of a CMMC requirement in a solicitation, subject to DoD internal policies, procedures, and waiver approval requirements. |
||||||
Anticipated Costs and Benefits: The theft of intellectual property and sensitive information, including FCI and CUI, from all U.S. industrial sectors due to malicious cyber activity threatens U.S. economic and national security. The Council of Economic Advisors estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016. By incorporating heightened cybersecurity standards into acquisition programs, the CMMC Program provides the Department assurance that contractors and subcontractors are meeting DoD’s cybersecurity requirements and provides a key mechanism to adapt to an evolving threat landscape. |
||||||
Risks: The aggregate loss of intellectual property and certain unclassified information from the DoD supply chain can undercut U.S. technical advantages and innovation, as well as significantly increase risk to national security. |
||||||
Timetable:
|
Regulatory Flexibility Analysis Required: Yes | Government Levels Affected: Federal |
Small Entities Affected: Businesses | Federalism: No |
Included in the Regulatory Plan: Yes | |
RIN Data Printed in the FR: Yes | |
Agency Contact: Diane L. Knight Senior Management and Program Analyst Department of Defense Office of the Secretary 4800 Mark Center Drive, Suite 12E08, Alexandria, VA 22350 Phone:202 770-9100 Email: diane.l.knight10.civ@mail.mil |