Billing Code: 6001-FR DEPARTMENT OF DEFENSE Office of the Secretary [Docket ID: DoD-2023-OS-0063] Submission for OMB Review; Comment Request AGENCY: Office of the Department of Defense Chief Information Officer (CIO), Department of Defense (DoD). ACTION: 30-day information collection notice. SUMMARY: The DoD has submitted to the Office of Management and Budget (OMB) for clearance the following proposal for collection of information under the provisions of the Paperwork Reduction Act. DATES: Consideration will be given to all comments received by [INSERT 30 DAYS FROM DATE OF PUBLICATION IN THE FEDERAL REGISTER]. ADDRESSES: Written comments and recommendations for the proposed information collection should be sent within 30 days of publication of this notice to www.reginfo.gov/public/do/PRAMain. Find this particular information collection by selecting "Currently under 30-day Review - Open for Public Comments" or by using the search function. FOR FURTHER INFORMATION CONTACT: Reginald Lucas, (571) 372-7574, whs.mcalex.esd.mbx.dd-dod-information-collections@mail.mil. SUPPLEMENTARY INFORMATION: TITLE; ASSOCIATED FORM; AND OMB NUMBER: Cybersecurity Maturity Model Certification (CMMC) Enterprise Mission Assurance Support-Service (eMASS) Instantiation Information Collection; OMB Control Number 0704-0676. TYPE OF REQUEST: New Accreditation Body submission of C3PAO information in eMASS NUMBER OF RESPONDENTS: 1. RESPONSES PER RESPONDENT: 240. ANNUAL RESPONSES: 240. AVERAGE BURDEN PER RESPONSE: 5 minutes. ANNUAL BURDEN HOURS: 20. C3PAO submission of assessment data and results in eMASS NUMBER OF RESPONDENTS: 10,942. RESPONSES PER RESPONDENT: 1. ANNUAL RESPONSES: 10,942. AVERAGE BURDEN PER RESPONSE: 15 minutes. ANNUAL BURDEN HOURS: 2,735.5. Total NUMBER OF RESPONDENTS: 10,943. ANNUAL RESPONSES: 11,182. ANNUAL BURDEN HOURS: 2,756. NEEDS AND USES: The CMMC Program provides for the assessment of contractor implementation of cybersecurity requirements to enhance confidence in contractor protection of unclassified information within the DoD supply chain. CMMC contractual requirements are implemented under a Title 48 acquisition rule, with associated rulemaking for the CMMC Program requirements (e.g., CMMC Scoring Methodology, certificate issuance, information accessibility) under a Title 32 program rule (32 Code of Federal Regulations (CFR) Part 170). The CMMC Title 32 program rule includes two separate information collection requests (ICR), one for the CMMC Program and this one for CMMC eMASS. The CMMC instantiation of eMASS is the electronic collection mechanism for collecting CMMC program data, which provides the Department of Defense (DoD) visibility of the CMMC Levels 2 and 3 certification assessment results. This information collection is necessary to support the implementation of the CMMC assessment process for CMMC Level 2 and Level 3 certification assessments, as defined in 32 CFR 170.17 and 170.18 respectively. The CMMC Level 2 certification assessment process is conducted by Certified Assessors, employed by CMMC Third-Party Assessment Organizations (C3PAOs). During the assessment process, Organizations Seeking Certification’s hire C3PAOs to conduct the third-party assessment required for certification. The CMMC Certified Assessors upload assessment data: pre-assessment and planning material (date and level of the assessment; C3PAO name and unique identifier; name and business contact information for each Assessor; all industry CAGE codes associated with the information systems addressed by the CMMC Assessment Scope; name, date, and version of the system security plan (SSP); the Title 32 program rule (32 CFR part 170)), final assessment reports (assessment result for each requirement objective; POA&M usage and compliance, as applicable; and list of artifact names, the return values of the hashing algorithm, and the hashing algorithm used), and appropriate CMMC certificates of assessment (certification date, as applicable) into the CMMC instantiation of eMASS. The CMMC Level 3 certification assessment process is conducted by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). DCMA DIBCAC assessors upload assessment data: pre-assessment and planning material (date and level of the assessment; name and business contact information for each Assessor; all industry CAGE codes associated with the information systems addressed by the CMMC Assessment Scope; name, date, and version of the system security plan (SSP); the Title 32 program rule (32 CFR part 170)), final assessment reports (assessment result for each requirement objective; POA&M usage and compliance, as applicable; and list of artifact names, the return values of the hashing algorithm, and the hashing algorithm used), and appropriate CMMC certificates of assessment (certification date, as applicable) into the CMMC instantiation of eMASS. The Accreditation Body provides the CMMC Program Management Office with current data on C3PAOs and Assessors, including authorization and accreditation records and status using the CMMC instantiation of eMASS. AFFECTED PUBLIC: Business or other for-profit. FREQUENCY: On occasion. RESPONDENT'S OBLIGATION: Voluntary. OMB DESK OFFICER: Ms. Jasmeet Seehra. You may also submit comments and recommendations, identified by Docket ID number and title, by the following method: • Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments. Instructions: All submissions received must include the agency name, Docket ID number, and title for this Federal Register document. The general policy for comments and other submissions from members of the public is to make these submissions available for public viewing on the Internet at http://www.regulations.gov as they are received without change, including any personal identifiers or contact information. DOD CLEARANCE OFFICER: Mr. Reginald Lucas. Requests for copies of the information collection proposal should be sent to Mr. Lucas at whs.mc-alex.esd.mbx.dd-dod-information-collections@mail.mil. Dated: June 14, 2024. Aaron T. Siegel, Alternate OSD Federal Register Liaison Officer, Department of Defense. [FR Doc. 2024-13468 Filed: 6/20/2024 8:45 am; Publication Date: 6/21/2024]