Billing Code: 6001-FR
DEPARTMENT OF DEFENSE
Office of the Secretary
[Docket ID: DoD-2023-OS-0063]
Submission for OMB Review; Comment Request
AGENCY: Office of the Department of Defense Chief Information Officer (CIO), Department
of Defense (DoD).
ACTION: 30-day information collection notice.
SUMMARY: The DoD has submitted to the Office of Management and Budget (OMB) for
clearance the following proposal for collection of information under the provisions of the
Paperwork Reduction Act.
DATES: Consideration will be given to all comments received by [INSERT 30 DAYS FROM
DATE OF PUBLICATION IN THE FEDERAL REGISTER].
ADDRESSES: Written comments and recommendations for the proposed information collection
should be sent within 30 days of publication of this notice to
www.reginfo.gov/public/do/PRAMain. Find this particular information collection by selecting
"Currently under 30-day Review - Open for Public Comments" or by using the search function.
FOR FURTHER INFORMATION CONTACT: Reginald Lucas, (571) 372-7574, whs.mcalex.esd.mbx.dd-dod-information-collections@mail.mil.
SUPPLEMENTARY INFORMATION:
TITLE; ASSOCIATED FORM; AND OMB NUMBER: Cybersecurity Maturity Model
Certification (CMMC) Enterprise Mission Assurance Support-Service (eMASS) Instantiation
Information Collection; OMB Control Number 0704-0676.

TYPE OF REQUEST: New
Accreditation Body submission of C3PAO information in eMASS
NUMBER OF RESPONDENTS: 1.
RESPONSES PER RESPONDENT: 240.
ANNUAL RESPONSES: 240.
AVERAGE BURDEN PER RESPONSE: 5 minutes.
ANNUAL BURDEN HOURS: 20.
C3PAO submission of assessment data and results in eMASS
NUMBER OF RESPONDENTS: 10,942.
RESPONSES PER RESPONDENT: 1.
ANNUAL RESPONSES: 10,942.
AVERAGE BURDEN PER RESPONSE: 15 minutes.
ANNUAL BURDEN HOURS: 2,735.5.
Total
NUMBER OF RESPONDENTS: 10,943.
ANNUAL RESPONSES: 11,182.
ANNUAL BURDEN HOURS: 2,756.
NEEDS AND USES: The CMMC Program provides for the assessment of contractor
implementation of cybersecurity requirements to enhance confidence in contractor protection of
unclassified information within the DoD supply chain. CMMC contractual requirements are
implemented under a Title 48 acquisition rule, with associated rulemaking for the CMMC
Program requirements (e.g., CMMC Scoring Methodology, certificate issuance, information
accessibility) under a Title 32 program rule (32 Code of Federal Regulations (CFR) Part 170).
The CMMC Title 32 program rule includes two separate information collection requests (ICR),
one for the CMMC Program and this one for CMMC eMASS.
The CMMC instantiation of eMASS is the electronic collection mechanism for collecting
CMMC program data, which provides the Department of Defense (DoD) visibility of the CMMC
Levels 2 and 3 certification assessment results.
This information collection is necessary to support the implementation of the CMMC assessment
process for CMMC Level 2 and Level 3 certification assessments, as defined in 32 CFR 170.17
and 170.18 respectively.
The CMMC Level 2 certification assessment process is conducted by Certified Assessors,
employed by CMMC Third-Party Assessment Organizations (C3PAOs). During the assessment
process, Organizations Seeking Certification hire C3PAOs to conduct the third-party
assessment required for certification. The CMMC Certified Assessors upload assessment data:
pre-assessment and planning material (date and level of the assessment; C3PAO name and
unique identifier; name and business contact information for each Assessor; all industry CAGE
codes associated with the information systems addressed by the CMMC Assessment Scope;
name, date, and version of the system security plan (SSP); the Title 32 program rule (32 CFR
part 170)), final assessment reports (assessment result for each requirement objective; POA&M
usage and compliance, as applicable; and list of artifact names, the return values of the hashing
algorithm, and the hashing algorithm used), and appropriate CMMC certificates of assessment
(certification date, as applicable) into the CMMC instantiation of eMASS.
The CMMC Level 3 certification assessment process is conducted by the Defense Contract
Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center
(DIBCAC). DCMA DIBCAC assessors upload assessment data: pre-assessment and planning
material (date and level of the assessment; name and business contact information for each
Assessor; all industry CAGE codes associated with the information systems addressed by the
CMMC Assessment Scope; name, date, and version of the system security plan (SSP); the Title
32 program rule (32 CFR part 170)), final assessment reports (assessment result for each
requirement objective; POA&M usage and compliance, as applicable; and list of artifact names,
the return values of the hashing algorithm, and the hashing algorithm used), and appropriate
CMMC certificates of assessment (certification date, as applicable) into the CMMC instantiation
of eMASS.
The Accreditation Body provides the CMMC Program Management Office with current data on
C3PAOs and Assessors, including authorization and accreditation records and status using the
CMMC instantiation of eMASS.
AFFECTED PUBLIC: Business or other for-profit.
FREQUENCY: On occasion.
RESPONDENT'S OBLIGATION: Voluntary.
OMB DESK OFFICER: Ms. Jasmeet Seehra.
You may also submit comments and recommendations, identified by Docket ID number and
title, by the following method:
• Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for
submitting comments.
Instructions: All submissions received must include the agency name, Docket ID number, and
title for this Federal Register document. The general policy for comments and other submissions
from members of the public is to make these submissions available for public viewing on the
Internet at http://www.regulations.gov as they are received without change, including any
personal identifiers or contact information.

DOD CLEARANCE OFFICER: Mr. Reginald Lucas.
Requests for copies of the information collection proposal should be sent to Mr. Lucas at
whs.mc-alex.esd.mbx.dd-dod-information-collections@mail.mil.
Dated: June 14, 2024.

Aaron T. Siegel,
Alternate OSD Federal Register Liaison Officer,
Department of Defense.

[FR Doc. 2024-13468 Filed: 6/20/2024 8:45 am; Publication Date: 6/21/2024]