Billing Code: 6001-FR
DEPARTMENT OF DEFENSE
Office of the Secretary
[Docket ID: DoD-2023-OS-0063]
Submission for OMB Review; Comment Request
AGENCY: Office of the Department of Defense Chief Information Officer (CIO), Department
of Defense (DoD).
ACTION: 30-day information collection notice.
SUMMARY: The DoD has submitted to the Office of Management and Budget (OMB) for
clearance the following proposal for collection of information under the provisions of the
Paperwork Reduction Act.
DATES: Consideration will be given to all comments received by [INSERT 30 DAYS FROM
DATE OF PUBLICATION IN THE FEDERAL REGISTER].
ADDRESSES: Written comments and recommendations for the proposed information collection
should be sent within 30 days of publication of this notice to
www.reginfo.gov/public/do/PRAMain. Find this particular information collection by selecting
"Currently under 30-day Review - Open for Public Comments" or by using the search function.
FOR FURTHER INFORMATION CONTACT: Reginald Lucas, (571) 372-7574, whs.mc-alex.esd.mbx.dd-dod-information-collections@mail.mil.
SUPPLEMENTARY INFORMATION:
TITLE; ASSOCIATED FORM; AND OMB NUMBER: Cybersecurity Maturity Model
Certification (CMMC) Program Reporting and Recordkeeping Requirements Information
Collection; OMB Control Number 0704-0677.

TYPE OF REQUEST: New.
Level 2 Certification Assessments
NUMBER OF RESPONDENTS: 10,942.
RESPONSES PER RESPONDENT: 1.
ANNUAL RESPONSES: 10,942.
AVERAGE BURDEN PER RESPONSE: 525.955 hours.
ANNUAL BURDEN HOURS: 5,754,999.61.
Level 3 Certification Assessments
NUMBER OF RESPONDENTS: 213.
RESPONSES PER RESPONDENT: 1.
ANNUAL RESPONSES: 213.
AVERAGE BURDEN PER RESPONSE: 79.01 hours.
ANNUAL BURDEN HOURS: 16,829.13.
Total
NUMBER OF RESPONDENTS: 11,155.
ANNUAL RESPONSES: 11,155.
ANNUAL BURDEN HOURS: 5,771,829.
NEEDS AND USES: The CMMC Program provides for the assessment of contractor
implementation of cybersecurity requirements to enhance confidence in contractor protection of
unclassified information within the DoD supply chain. CMMC contractual requirements are
implemented under a Title 48 acquisition rule, with associated rulemaking for the CMMC
Program requirements (e.g., CMMC Scoring Methodology, certificate issuance, information
accessibility) under a Title 32 program rule (32 Code of Federal Regulations (CFR) part 170).
The Title 32 program rule includes two separate information collection requests (ICR), this one
for the CMMC Program and one for CMMC eMASS.
This information collection is necessary to support the implementation of the CMMC assessment
process for Levels 2 and 3 certification assessment, as defined in 32 CFR 170.17 and 170.18
respectively.
Level 2 Certification Assessments
The Level 2 certification assessment process is conducted by CMMC Certified Assessors,
employed by CMMC Third-Party Assessment Organizations (C3PAOs). During the assessment
process, Organizations Seeking Certification (OSCs) hire C3PAOs to conduct the third-party
assessment required for certification. The Level 2 Certification Assessment information
collection reporting and recordkeeping requirements are included in the Title 32 program rule
with the exception of the requirement for the OSC to upload the affirmation in SPRS that is
included in the Title 48 acquisition rule. Additionally, the information collection requirements
for the CMMC instantiation of eMASS are addressed in a separate Title 32 program rule
information collection request (ICR). OSCs follow the procedures defined in 32 CFR 170.17 to
prepare for Level 2 certification assessment. Certified Assessors assigned by C3PAOs follow the
requirements and procedures defined in 32 CFR 170.17 to conduct CMMC assessments on
defense contractor information systems to determine conformance with the information
safeguarding requirements associated with Level 2 certification assessment to validate
implementation of the 110 security requirements from NIST SP 800-171 Rev 2. C3PAOs must
generate and collect pre-assessment and planning material (contact information for the OSC,
information about the C3PAO and assessors conducting the assessment, the level of assessment
planned, the CMMC Model and Assessment Guide versions, and assessment approach), artifact
information (list of artifacts, hash of artifacts, and hashing algorithm used), final assessment
reports, appropriate CMMC certificates of assessment, and assessment appeal information.
C3PAOs submit the data they generate and collect into the CMMC instantiation of eMASS. The
information collection required for this submission is addressed in a separate CMMC eMASS
ICR for the Title 32 program rule. OSCs may have a POA&M at Level 2 certification assessment
as addressed in 32 CFR 170.21. C3PAOs perform a POA&M closeout assessment. The C3PAO
process to conduct a POA&M closeout assessment, when applicable, is the same as the initial
assessment with the same information collection requirements. OSCs must retain artifacts used
as evidence for the assessment for the duration of the validity period of the certificate of
assessment, and at minimum, for six years from the date of certification assessment as addressed
in 32 CFR 170.17(c)(4). The OSC is responsible for compiling relevant artifacts as evidence and
having knowledgeable personnel available during the assessment. The organizational artifacts
are proprietary to the OSC and will not be retained by the assessment team unless expressly
permitted by the OSC. To preserve the integrity of the artifacts reviewed, the OSC creates a hash
of assessment evidence (to include a list of the artifact names, the return values of the hashing
algorithm, and the hashing algorithm used) and retains the artifact information for six years. The
information obtained from the artifacts is an information collection and is provided to the
C3PAO for uploading into the CMMC instantiation of eMASS. If an OSC does not agree with
the assessment results, it may formally dispute the assessment and initiate an Assessment Appeal
process with the C3PAO who conducted the assessment. C3PAOs submit assessment appeals
using eMASS. Appeals are tracked in the CMMC instantiation of eMASS and any resulting
changes to the assessment results are uploaded into the CMMC instantiation of eMASS.
C3PAOs maintain records for a period of six years of monitoring, education, training, technical
knowledge, skills, experience, and authorization of each member of its personnel involved in
inspection activities; contractual agreements with OSCs; any working papers generated from
Level 2 certification assessments; and organizations for whom consulting services were provided
as addressed in 32 CFR 170.9(b)(10).
Level 3 Certification Assessments
The Level 3 certification assessment process is conducted by the Defense Contract Management
Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). The
Level 3 certification assessment information collection reporting and recordkeeping
requirements are included in the Title 32 program rule except for the requirement for the OSC to
upload the affirmation in SPRS that is included in the Title 48 acquisition rule. OSCs follow
procedures as defined in 32 CFR 170.18 to prepare for Level 3 certification assessment. DCMA
DIBCAC assessors follow requirements and procedures as defined in 32 CFR 170.18 to conduct
CMMC assessments on defense contractor information systems to determine conformance with
the information safeguarding requirements associated with CMMC Level 3. This is an
assessment to validate the implementation of the 24 selected security requirements from NIST
SP 800-172. Because DCMA DIBCAC is a government entity, there are no public information
collection requirements. DCMA DIBCAC must generate and collect pre-assessment and
planning material (contact information for the OSC, information about the assessors conducting
the assessment, the level of assessment planned, the CMMC Model and Assessment Guide
versions, and assessment approach), artifact information (list of artifacts, hash of artifacts, and
hashing algorithm used), final assessment reports, appropriate CMMC certificates of assessment,
and assessment appeal information. DCMA DIBCAC submits the data it generates and collects
into the CMMC instantiation of eMASS. OSCs may have a POA&M at CMMC Level 3 as addressed in
32 CFR 170.21. DCMA DIBCAC performs a POA&M closeout assessment. The DCMA
DIBCAC process to conduct a POA&M closeout assessment, when applicable, is the same as the
initial assessment with the same information collection requirements. OSCs must retain artifacts
used as evidence for the assessment for the duration of the validity period of the certificate of
assessment, and at minimum, for six years from the date of certification assessment as addressed
in 32 CFR 170.18(c)(4). The OSC is responsible for compiling relevant artifacts as evidence and
having knowledgeable personnel available during the assessment. Assessors will not
permanently retain assessment artifacts. To preserve the integrity of the artifacts reviewed
during the assessment, the OSC creates a hash of assessment evidence (to include a list of the
artifact names, the return values of the hashing algorithm, and the hashing algorithm used) and
retains the artifact information for six years. The information obtained from the artifacts is an
information collection and DCMA DIBCAC uploads the information into the CMMC
instantiation of eMASS (addressed in a separate CMMC eMASS ICR for the Title 32 program
rule); the artifacts themselves are not an information collection. If an OSC does not agree with
the assessment results, it may formally dispute the assessment and initiate an Assessment Appeal
process with DCMA DIBCAC. DCMA DIBCAC submits assessment appeals using eMASS.
Appeals are tracked in the CMMC instantiation of eMASS and any resulting changes to the
assessment results are uploaded into CMMC eMASS. DCMA DIBCAC maintains records for a
period of six years of monitoring, education, training, technical knowledge, skills, experience,
and authorization of each member of its personnel involved in inspection activities and working
papers generated from Level 3 certification assessments.
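Both the Level 2 and Level 3 descriptions above require the OSC to preserve the integrity of assessment evidence by recording a list of artifact names, the hashing algorithm used, and the algorithm's return value for each artifact, and to retain that record for six years. The script below is an added example written for this page, not code from the CMMC Program, DoD, DCMA DIBCAC, or 32 CFR part 170. It builds such a record for an evidence directory and later re-checks the directory against it, so that an edited or missing artifact is reported rather than silently accepted. The JSON manifest layout, the file names, and the file contents are constructed assumptions; the rule prescribes what must be recorded, not a format.

```python
import hashlib
import json
import os
import tempfile

# Algorithm recorded alongside the digests so a later reviewer knows how to recompute them.
DEFAULT_ALGORITHM = "sha256"


def hash_file(path, algorithm=DEFAULT_ALGORITHM, chunk_size=1 << 20):
    """Return the hex digest of a file, streamed in chunks so large artifacts fit in memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_digest(entries):
    """Digest over the canonical JSON of the artifact list, so edits to the record itself are detectable."""
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(canonical).hexdigest()


def build_manifest(artifact_dir, algorithm=DEFAULT_ALGORITHM):
    """Walk the evidence directory and record (artifact name, digest) pairs plus the algorithm used."""
    entries = []
    for root, _dirs, files in os.walk(artifact_dir):
        for name in files:
            path = os.path.join(root, name)
            # Store paths relative to the evidence root with forward slashes so the record is portable.
            rel = os.path.relpath(path, artifact_dir).replace(os.sep, "/")
            entries.append({"artifact": rel, "digest": hash_file(path, algorithm)})
    entries.sort(key=lambda e: e["artifact"])
    return {
        "hashing_algorithm": algorithm,
        "artifacts": entries,
        "manifest_digest": manifest_digest(entries),
    }


def verify_manifest(artifact_dir, manifest):
    """Recompute every digest and classify each artifact as ok, mismatch, or missing."""
    algorithm = manifest["hashing_algorithm"]
    report = {"ok": [], "mismatch": [], "missing": []}
    # First confirm the artifact list itself has not been altered since the record was produced.
    report["manifest_intact"] = manifest_digest(manifest["artifacts"]) == manifest["manifest_digest"]
    for entry in manifest["artifacts"]:
        path = os.path.join(artifact_dir, *entry["artifact"].split("/"))
        if not os.path.isfile(path):
            report["missing"].append(entry["artifact"])
        elif hash_file(path, algorithm) != entry["digest"]:
            report["mismatch"].append(entry["artifact"])
        else:
            report["ok"].append(entry["artifact"])
    return report


def demo():
    """Constructed evidence set: hash it, then alter one file and remove another to show detection."""
    with tempfile.TemporaryDirectory() as evidence:
        os.makedirs(os.path.join(evidence, "scans"))
        files = {
            "access_control_policy.txt": b"abc",  # constructed content; well-known SHA-256 test vector
            "ssp.txt": b"System Security Plan, constructed sample\n",
            "scans/vuln_scan.csv": b"host,finding\nhostA,none\n",  # constructed sample scan output
        }
        for rel, data in files.items():
            with open(os.path.join(evidence, *rel.split("/")), "wb") as f:
                f.write(data)
        manifest = build_manifest(evidence)
        clean = verify_manifest(evidence, manifest)
        # Simulate evidence drift after the assessment: one artifact edited, one deleted.
        with open(os.path.join(evidence, "ssp.txt"), "ab") as f:
            f.write(b"later edit\n")
        os.remove(os.path.join(evidence, "scans", "vuln_scan.csv"))
        drifted = verify_manifest(evidence, manifest)
    return manifest, clean, drifted


if __name__ == "__main__":
    m, clean, drifted = demo()
    print(json.dumps(m, indent=2))
    print("clean verification:", clean)
    print("after drift:", drifted)
```

Running the module prints the record and two verification reports: the first shows every artifact as ok, the second flags `ssp.txt` as a mismatch and `scans/vuln_scan.csv` as missing. Recording the algorithm name in the record, rather than assuming SHA-256, is what lets the same check be repeated years later, and the digest over the artifact list gives the OSC a single value to protect alongside the retained evidence.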
Accreditation Body and CMMC Assessor and Instructor Certification Organizations
(CAICOs)
The Accreditation Body provides all plans related to potential sources of revenue, to include but
not limited to: fees, licensing, processes, membership, and/or partnerships to the Government
CMMC PMO as addressed in 32 CFR 170.8(b)(13).
CAICOs maintain records for a period of six years of all procedures, processes, and actions
related to fulfillment of the requirements set forth in 32 CFR 170.10(b)(9).
AFFECTED PUBLIC: Business or other for-profit.
FREQUENCY: On occasion.

RESPONDENT'S OBLIGATION: Voluntary.
OMB DESK OFFICER: Ms. Jasmeet Seehra.
You may also submit comments and recommendations, identified by Docket ID number and
title, by the following method:
• Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
Instructions: All submissions received must include the agency name, Docket ID number, and
title for this Federal Register document. The general policy for comments and other submissions
from members of the public is to make these submissions available for public viewing on the
Internet at http://www.regulations.gov as they are received without change, including any
personal identifiers or contact information.
DOD CLEARANCE OFFICER: Mr. Reginald Lucas.
Requests for copies of the information collection proposal should be sent to Mr. Lucas at
whs.mc-alex.esd.mbx.dd-dod-information-collections@mail.mil.
Dated: June 14, 2024.

Aaron T. Siegel,
Alternate OSD Federal Register Liaison Officer,
Department of Defense.

[FR Doc. 2024-13464 Filed: 6/20/2024 8:45 am; Publication Date: 6/21/2024]