DOD/OS | RIN: 0790-AL49 | Publication ID: Spring 2022
Title: Cybersecurity Maturity Model Certification (CMMC) Framework
Abstract:
The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 DoD Assessment Methodology is employed to assess contractor implementation of the cybersecurity requirements in NIST SP 800-171, Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations, required by DFARS 252.204-7012. The verification of contractor implementation of NIST SP 800-171 security requirements is addressed under DFARS provision 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements, and DFARS clause 252.204-7020, NIST SP 800-171 DoD Assessment Requirements. The Cybersecurity Maturity Model Certification (CMMC) Framework, version 2.0 (CMMC 2.0), is a newly approved DoD certification process to help assess a Defense Industrial Base (DIB) contractor’s compliance with and implementation of cybersecurity requirements to safeguard Federal Contract Information (FCI) and CUI transiting non-federal systems and mitigate the threats posed by Advanced Persistent Threats (adversaries with sophisticated levels of expertise and significant resources). This rule is related to DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements, which specifies the CMMC requirement at the level specified for a contract and for the duration of the contract with the DIB contractor. This rule will specify the CMMC requirements, at CMMC Level 1, 2, or 3, with which DIB contractors must comply in advance of a contract award, as well as the process for obtaining and maintaining CMMC certification, as required for a designated DoD contract.
Agency: Department of Defense (DOD) | Priority: Economically Significant
RIN Status: Previously published in the Unified Agenda | Agenda Stage of Rulemaking: Final Rule Stage
Major: Yes | Unfunded Mandates: Private Sector
CFR Citation: 32 CFR 170
Legal Authority: 5 U.S.C. 301; Pub. L. 116-92, sec. 1648
Legal Deadline: None
Timetable:
Regulatory Flexibility Analysis Required: Yes | Government Levels Affected: Federal
Small Entities Affected: Businesses | Federalism: Undetermined
Included in the Regulatory Plan: No
International Impacts: This regulatory action will be likely to have international trade and investment effects, or otherwise be of international interest.
RIN Data Printed in the FR: Yes
Agency Contact:
Diane L. Knight
Senior Management and Program Analyst
Department of Defense, Office of the Secretary
4800 Mark Center Drive, Suite 12E08, Alexandria, VA 22350
Phone: 202 770-9100
Email: diane.l.knight10.civ@mail.mil