Pentagon details process to submit CMMC assessment results as part of information collection request

By Sara Friedman / January 10, 2024

The Defense Department is asking for input on the process to report assessment results under its Cybersecurity Maturity Model Certification program and proposed parameters to address potential gaps.

“The CMMC Program provides for the assessment of contractor implementation of cybersecurity requirements to enhance confidence in contractor protection of unclassified information within the DOD supply chain,” DOD says in a Dec. 26 information collection request posted on Regulations.gov.

The ICR says, “CMMC contractual requirements are implemented under a Title 48 acquisition rule, with associated rulemaking for the CMMC Program requirements (e.g., CMMC Scoring Methodology, certificate issuance, information accessibility) under a Title 32 program rule (32 CFR Part 170). The CMMC Title 32 program rule includes two separate information collection requests (ICR), this one for the CMMC Program and one for CMMC eMASS.”

It continues, “This information collection is necessary to support the implementation of the CMMC assessment process for Levels 2 and 3 certification assessment, as defined in 32 CFR 170.17 and 170.18 respectively.” Both ICRs have a Feb. 26 comment deadline.

DOD issued the 234-page CMMC proposed rule on Dec. 26 to amend Title 32 of the Code of Federal Regulations. The rulemaking contains details on the assessment ecosystem, key elements of the program and the use of a plan of action and milestones.

The first ICR is focused on reporting results and record-keeping on behalf of a certified third-party assessment organization and the organization seeking assessment. DOD includes five attachments as part of the ICR that walk through the pre-assessment template instructions and form as well as a template for assessment results.

DOD published attachments specific to Level 2 and Level 3 certifications with the required information for each maturity level. There is also a draft update to the CMMC "hashing" guide that includes information on collecting artifacts.

The ICR says, “C3PAOs must generate and collect pre-assessment and planning material (contact information for the OSC, information about the C3PAO and assessors conducting the assessment, the level of assessment planned, the CMMC Model and Assessment Guide versions, and assessment approach), artifact information (list of artifacts, hash of artifacts, and hashing algorithm used), final assessment reports, appropriate CMMC certificates of assessment, and assessment appeal information.”
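The three artifact items the ICR names (list of artifacts, hash of artifacts, hashing algorithm used) map naturally onto a manifest that an OSC can re-check across the retention period. The following is an added illustration, not code from the ICR or the CMMC hashing guide; the manifest layout and the choice of SHA-256 are assumptions, and the sample artifacts are constructed in a temporary directory.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Assumed algorithm; the ICR only requires that the algorithm used be recorded.
ALGORITHM = "sha256"

def hash_file(path: Path, algorithm: str = ALGORITHM) -> str:
    """Stream the file through the chosen hash so large artifacts are not read into memory."""
    h = hashlib.new(algorithm)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(artifact_dir: Path, algorithm: str = ALGORITHM) -> dict:
    """Hypothetical manifest: every regular file under artifact_dir, its digest, and the algorithm."""
    artifacts = {}
    for path in sorted(p for p in artifact_dir.rglob("*") if p.is_file()):
        artifacts[path.relative_to(artifact_dir).as_posix()] = hash_file(path, algorithm)
    return {"algorithm": algorithm, "artifacts": artifacts}

def verify_manifest(artifact_dir: Path, manifest: dict) -> dict:
    """Re-hash retained artifacts against the manifest; reports ok / modified / missing per file."""
    algorithm = manifest["algorithm"]
    status = {}
    for rel, expected in manifest["artifacts"].items():
        path = artifact_dir / rel
        if not path.is_file():
            status[rel] = "missing"
        elif hash_file(path, algorithm) != expected:
            status[rel] = "modified"
        else:
            status[rel] = "ok"
    return status

def demo() -> dict:
    """Constructed sample: two artifacts, one of which is altered after the manifest is written."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "policies").mkdir()
        (root / "policies" / "access-control.txt").write_text("AC policy v1\n")
        (root / "scan-report.txt").write_text("scan output\n")
        manifest = build_manifest(root)
        (root / "scan-report.txt").write_text("scan output (edited)\n")
        return verify_manifest(root, manifest)

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```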

“C3PAOs submit the data they generate and collect into the CMMC instantiation of eMASS,” the ICR adds. DOD is creating a CMMC Enterprise Mission Assurance Support Service to collect CMMC program data.

DOD provides details on the plan of action and milestones process in the ICR, explaining that the closeout assessment is performed by a C3PAO and that its information collection requirements are consistent with those of the initial assessment.

When it comes to assessment artifacts, the ICR says organizations seeking assessment must keep the artifacts for a minimum of six years from the date of the certification assessment.

The ICR says, “The OSC is responsible for compiling relevant artifacts as evidence and having knowledgeable personnel available during the assessment. The organizational artifacts are proprietary to the OSC and will not be retained by the assessment team unless expressly permitted by the OSC.”

OSCs are able to formally dispute assessment results and start an appeals process through eMASS, the ICR says.

The ICR directs C3PAOs to “maintain records for a period of six years of monitoring, education, training, technical knowledge, skills, experience, and authorization of each member of its personnel involved in inspection activities; contractual agreements with OSCs; any working papers generated from Level 2 Certification Assessments; and organizations for whom consulting services were provided” as addressed in the proposed rule.

Level 3 assessments will be conducted by the Defense Contract Management Agency’s Defense Industrial Base Cybersecurity Assessment Center. The ICR goes into detail on requirements for DIBCAC assessors, while explaining that there are no public information collection requirements because DCMA DIBCAC is a “government entity.”

The ICR says:

DCMA DIBCAC must generate and collect pre-assessment and planning material (contact information for the OSC, information about the assessors conducting the assessment, the level of assessment planned, the CMMC Model and Assessment Guide versions, and assessment approach), artifact information (list of artifacts, hash of artifacts, and hashing algorithm used), final assessment reports, appropriate CMMC certificates of assessment, and assessment appeal information. DCMA DIBCAC submits the data it generates and collects into the CMMC instantiation of eMASS (addressed in a separate CMMC eMASS ICR for the Title 32 program rule).

The six-year retention requirement for artifacts also applies at Level 3, and DOD is establishing a dispute process for Level 3 assessments as well.

The ICR provides estimates of the burden costs of the Level 2 reporting and record-keeping requirements for OSCs and C3PAOs. Another chart estimates burden and labor costs for Level 3 assessments.

eMASS requirements

In the second ICR published on Dec. 26, DOD explains how eMASS will be used including C3PAOs uploading data on assessments and the responsibilities of the CMMC Program Management Office.

The second ICR says, “The CMMC PMO will use the CMMC instantiation of eMASS for reporting and tracking metrics of the CMMC Program, including but not limited to, the number of OSCs, the number of certifications, the number of assessments conducted, and the number of POA&M successfully closed within the 180-day timeframe.”

“The CMMC instantiation of eMASS will transfer assessment information to SPRS through an automated secure process, allowing DOD Contracting Officers to verify that offerors and contractors meet the required CMMC certification level at the time of contract award or option renewal,” according to the ICR.

Public and government burden costs are broken down into estimates for the CMMC Accreditation Body and for the submission of assessment data and results into eMASS by C3PAOs and the DIBCAC.

The ICR includes a 12-page “Job Aid” document for C3PAO users to assist with the creation, progress and completion of assessment records.