Billing Code: 6001-FR
DEPARTMENT OF DEFENSE
Office of the Secretary
[Docket ID: DoD-2023-OS-0063]
Submission for OMB Review; Comment Request

AGENCY: Office of the Department of Defense Chief Information Officer (CIO), Department of Defense (DoD).

ACTION: 30-day information collection notice.

SUMMARY: The DoD has submitted to the Office of Management and Budget (OMB) for clearance the following proposal for collection of information under the provisions of the Paperwork Reduction Act.

DATES: Consideration will be given to all comments received by [INSERT 30 DAYS FROM DATE OF PUBLICATION IN THE FEDERAL REGISTER].

ADDRESSES: Written comments and recommendations for the proposed information collection should be sent within 30 days of publication of this notice to www.reginfo.gov/public/do/PRAMain. Find this particular information collection by selecting "Currently under 30-day Review - Open for Public Comments" or by using the search function.

FOR FURTHER INFORMATION CONTACT: Reginald Lucas, (571) 372-7574, whs.mc-alex.esd.mbx.dd-dod-information-collections@mail.mil.

SUPPLEMENTARY INFORMATION:

TITLE; ASSOCIATED FORM; AND OMB NUMBER: Cybersecurity Maturity Model Certification (CMMC) Program Reporting and Recordkeeping Requirements Information Collection; OMB Control Number 0704-0677.

TYPE OF REQUEST: New.

Level 2 Certification Assessments
NUMBER OF RESPONDENTS: 10,942.
RESPONSES PER RESPONDENT: 1.
ANNUAL RESPONSES: 10,942.
AVERAGE BURDEN PER RESPONSE: 525.955 hours.
ANNUAL BURDEN HOURS: 5,754,999.61.

Level 3 Certification Assessments
NUMBER OF RESPONDENTS: 213.
RESPONSES PER RESPONDENT: 1.
ANNUAL RESPONSES: 213.
AVERAGE BURDEN PER RESPONSE: 79.01 hours.
ANNUAL BURDEN HOURS: 16,829.13.

Total
NUMBER OF RESPONDENTS: 11,155.
ANNUAL RESPONSES: 11,155.
ANNUAL BURDEN HOURS: 5,771,829.
NEEDS AND USES: The CMMC Program provides for the assessment of contractor implementation of cybersecurity requirements to enhance confidence in contractor protection of unclassified information within the DoD supply chain. CMMC contractual requirements are implemented under a Title 48 acquisition rule, with associated rulemaking for the CMMC Program requirements (e.g., CMMC Scoring Methodology, certificate issuance, information accessibility) under a Title 32 program rule (32 Code of Federal Regulations (CFR) part 170). The Title 32 program rule includes two separate information collection requests (ICRs): this one for the CMMC Program and one for CMMC eMASS. This information collection is necessary to support the implementation of the CMMC assessment process for Level 2 and Level 3 certification assessments, as defined in 32 CFR 170.17 and 170.18 respectively.

Level 2 Certification Assessments

The Level 2 certification assessment process is conducted by CMMC Certified Assessors employed by CMMC Third-Party Assessment Organizations (C3PAOs). During the assessment process, Organizations Seeking Certification (OSCs) hire C3PAOs to conduct the third-party assessment required for certification. The Level 2 certification assessment information collection reporting and recordkeeping requirements are included in the Title 32 program rule, with the exception of the requirement for the OSC to upload the affirmation in SPRS, which is included in the Title 48 acquisition rule. Additionally, the information collection requirements for the CMMC instantiation of eMASS are addressed in a separate Title 32 program rule ICR. OSCs follow the procedures defined in 32 CFR 170.17 to prepare for Level 2 certification assessment.
Certified Assessors assigned by C3PAOs follow the requirements and procedures defined in 32 CFR 170.17 to conduct CMMC assessments on defense contractor information systems. These assessments determine conformance with the information safeguarding requirements associated with Level 2 certification by validating implementation of the 110 security requirements from NIST SP 800-171 Rev 2.

C3PAOs must generate and collect pre-assessment and planning material (contact information for the OSC, information about the C3PAO and assessors conducting the assessment, the level of assessment planned, the CMMC Model and Assessment Guide versions, and assessment approach), artifact information (list of artifacts, hash of artifacts, and hashing algorithm used), final assessment reports, appropriate CMMC certificates of assessment, and assessment appeal information. C3PAOs submit the data they generate and collect into the CMMC instantiation of eMASS. The information collection required for this submission is addressed in a separate CMMC eMASS ICR for the Title 32 program rule.

OSCs may have a POA&M at Level 2 certification assessment as addressed in 32 CFR 170.21. C3PAOs perform a POA&M closeout assessment. The C3PAO process to conduct a POA&M closeout assessment, when applicable, is the same as the initial assessment, with the same information collection requirements.

OSCs must retain artifacts used as evidence for the assessment for the duration of the validity period of the certificate of assessment and, at minimum, for six years from the date of certification assessment, as addressed in 32 CFR 170.17(c)(4). The OSC is responsible for compiling relevant artifacts as evidence and having knowledgeable personnel available during the assessment. The organizational artifacts are proprietary to the OSC and will not be retained by the assessment team unless expressly permitted by the OSC.
To preserve the integrity of the artifacts reviewed, the OSC creates a hash of assessment evidence (to include a list of the artifact names, the return values of the hashing algorithm, and the hashing algorithm used) and retains the artifact information for six years. The information obtained from the artifacts is an information collection and is provided to the C3PAO for uploading into the CMMC instantiation of eMASS.

If an OSC does not agree with the assessment results, it may formally dispute the assessment and initiate an Assessment Appeal process with the C3PAO who conducted the assessment. C3PAOs submit assessment appeals using eMASS. Appeals are tracked in the CMMC instantiation of eMASS, and any resulting changes to the assessment results are uploaded into the CMMC instantiation of eMASS.

C3PAOs maintain records for a period of six years of monitoring, education, training, technical knowledge, skills, experience, and authorization of each member of its personnel involved in inspection activities; contractual agreements with OSCs; any working papers generated from Level 2 certification assessments; and organizations for whom consulting services were provided, as addressed in 32 CFR 170.9(b)(10).

Level 3 Certification Assessments

The Level 3 certification assessment process is conducted by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). The Level 3 certification assessment information collection reporting and recordkeeping requirements are included in the Title 32 program rule, except for the requirement for the OSC to upload the affirmation in SPRS, which is included in the Title 48 acquisition rule. OSCs follow procedures as defined in 32 CFR 170.18 to prepare for Level 3 certification assessment.
DCMA DIBCAC assessors follow requirements and procedures as defined in 32 CFR 170.18 to conduct CMMC assessments on defense contractor information systems to determine conformance with the information safeguarding requirements associated with CMMC Level 3. This is an assessment to validate the implementation of the 24 selected security requirements from NIST SP 800-172. Because DCMA DIBCAC is a government entity, there are no public information collection requirements.

DCMA DIBCAC must generate and collect pre-assessment and planning material (contact information for the OSC, information about the assessors conducting the assessment, the level of assessment planned, the CMMC Model and Assessment Guide versions, and assessment approach), artifact information (list of artifacts, hash of artifacts, and hashing algorithm used), final assessment reports, appropriate CMMC certificates of assessment, and assessment appeal information. DCMA DIBCAC submits the data it generates and collects into the CMMC instantiation of eMASS.

OSCs may have a POA&M at CMMC Level 3 as addressed in 32 CFR 170.21. DCMA DIBCAC performs a POA&M closeout assessment. The DCMA DIBCAC process to conduct a POA&M closeout assessment, when applicable, is the same as the initial assessment, with the same information collection requirements.

OSCs must retain artifacts used as evidence for the assessment for the duration of the validity period of the certificate of assessment and, at minimum, for six years from the date of certification assessment, as addressed in 32 CFR 170.18(c)(4). The OSC is responsible for compiling relevant artifacts as evidence and having knowledgeable personnel available during the assessment. Assessors will not permanently retain assessment artifacts.
To preserve the integrity of the artifacts reviewed during the assessment, the OSC creates a hash of assessment evidence (to include a list of the artifact names, the return values of the hashing algorithm, and the hashing algorithm used) and retains the artifact information for six years. The information obtained from the artifacts is an information collection, and DCMA DIBCAC uploads the information into the CMMC instantiation of eMASS (addressed in a separate CMMC eMASS ICR for the Title 32 program rule); the artifacts themselves are not an information collection.

If an OSC does not agree with the assessment results, it may formally dispute the assessment and initiate an Assessment Appeal process with DCMA DIBCAC. DCMA DIBCAC submits assessment appeals using eMASS. Appeals are tracked in the CMMC instantiation of eMASS, and any resulting changes to the assessment results are uploaded into CMMC eMASS.

DCMA DIBCAC maintains records for a period of six years of monitoring, education, training, technical knowledge, skills, experience, and authorization of each member of its personnel involved in inspection activities, and of working papers generated from Level 3 certification assessments.

Accreditation Body and CMMC Assessor and Instructor Certification Organizations (CAICOs)

The Accreditation Body provides all plans related to potential sources of revenue, to include but not limited to fees, licensing, processes, membership, and/or partnerships, to the Government CMMC PMO as addressed in 32 CFR 170.8(b)(13). CAICOs maintain records for a period of six years of all procedures, processes, and actions related to fulfillment of the requirements set forth in 32 CFR 170.10(b)(9).

AFFECTED PUBLIC: Business or other for-profit.

FREQUENCY: On occasion.

RESPONDENT'S OBLIGATION: Voluntary.

OMB DESK OFFICER: Ms. Jasmeet Seehra.
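The artifact information the notice requires for both Level 2 and Level 3 (a list of artifact names, the hash value of each artifact, and the hashing algorithm used) can be produced and later re-checked with a small manifest routine. The following is an added illustration, not code from the notice, DoD, or eMASS; the artifact names and contents are constructed sample data, and SHA-256 is an assumed choice since the notice does not mandate an algorithm.

```python
import hashlib
import hmac
import json
from typing import Dict

# Constructed sample evidence. In practice these are the OSC's artifact files
# (policies, configuration exports, log settings) read from disk.
ARTIFACTS: Dict[str, bytes] = {
    "access-control-policy.pdf": b"Access Control Policy v3, approved 2024-01-15",
    "mfa-configuration-export.json": b'{"mfa_required": true, "methods": ["fido2"]}',
    "audit-log-retention-settings.txt": b"retention_days=365",
}


def build_manifest(artifacts: Dict[str, bytes], algorithm: str = "sha256") -> dict:
    """Return the three items the notice lists: artifact names, hash values, algorithm."""
    if algorithm not in hashlib.algorithms_available:
        raise ValueError(f"unsupported hashing algorithm: {algorithm}")
    entries = {name: hashlib.new(algorithm, artifacts[name]).hexdigest()
               for name in sorted(artifacts)}          # sorted: stable, diffable output
    return {"algorithm": algorithm, "artifacts": entries}


def verify_manifest(manifest: dict, artifacts: Dict[str, bytes]) -> Dict[str, str]:
    """Recompute each hash with the algorithm recorded in the manifest.

    Returns {artifact_name: status}: "ok", "modified" (hash differs), "missing"
    (listed but no longer present) or "unlisted" (present but never recorded).
    """
    algorithm = manifest["algorithm"]
    results: Dict[str, str] = {}
    for name, expected in manifest["artifacts"].items():
        data = artifacts.get(name)
        if data is None:
            results[name] = "missing"
            continue
        actual = hashlib.new(algorithm, data).hexdigest()
        results[name] = "ok" if hmac.compare_digest(actual, expected) else "modified"
    for name in artifacts:
        if name not in manifest["artifacts"]:
            results[name] = "unlisted"
    return results


if __name__ == "__main__":
    manifest = build_manifest(ARTIFACTS)
    print(json.dumps(manifest, indent=2))   # the record handed to the assessor
    altered = dict(ARTIFACTS, **{"audit-log-retention-settings.txt": b"retention_days=30"})
    print(verify_manifest(manifest, altered))
```

Retaining the manifest alongside the artifacts for the six-year period lets the OSC demonstrate later that the evidence the assessor reviewed is unchanged.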
You may also submit comments and recommendations, identified by Docket ID number and title, by the following method:

• Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.

Instructions: All submissions received must include the agency name, Docket ID number, and title for this Federal Register document. The general policy for comments and other submissions from members of the public is to make these submissions available for public viewing on the Internet at http://www.regulations.gov as they are received, without change, including any personal identifiers or contact information.

DOD CLEARANCE OFFICER: Mr. Reginald Lucas.

Requests for copies of the information collection proposal should be sent to Mr. Lucas at whs.mc-alex.esd.mbx.dd-dod-information-collections@mail.mil.

Dated: June 14, 2024.

Aaron T. Siegel, Alternate OSD Federal Register Liaison Officer, Department of Defense.

[FR Doc. 2024-13464 Filed: 6/20/2024 8:45 am; Publication Date: 6/21/2024]