2024-18110. Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)  

Public comments are solicited on this analysis of the estimated burden of the proposed rule.

V. Executive Orders 12866 and 13563

Executive Orders (E.O.s) 12866 and 13563 direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). E.O. 13563 emphasizes the importance of quantifying both costs and benefits, of reducing costs, of harmonizing rules, and of promoting flexibility. This is a significant regulatory action and, therefore, was subject to review under section 6(b) of E.O. 12866, Regulatory Planning and Review, as amended.

VI. Regulatory Flexibility Act

DoD does not expect this proposed rule, when finalized, to have a significant economic impact on a substantial number of small entities within the meaning of the Regulatory Flexibility Act, 5 U.S.C. 601, et seq. However, an initial regulatory flexibility analysis has been performed and is summarized as follows:

This proposed rule is necessary to respond to the threat to the U.S. economy and national security posed by ( print page 66335) ongoing malicious cyber activities designed to steal hundreds of billions of dollars of U.S. intellectual property. This proposed rule includes the following requirements for apparently successful offerors responding to a solicitation, and contractors awarded contracts, containing a requirement for CMMC: (1) post in SPRS the results of a current CMMC certificate or current CMMC self-assessment at the level required by the solicitation, or higher, for each DoD UID applicable to each of the contractor information systems that will process, store, or transmit FCI or CUI and that will be used in performance of the contract and maintain the CMMC level for the life of the contract; (2) provide the DoD UID(s) applicable to each of those contractor information systems to the contracting officer and provide updates, if applicable; and (3) have a current affirmation of continuous compliance with the security requirements identified at 32 CFR part 170 in SPRS for each DoD UID applicable to each of those contractor information systems. These requirements apply to apparently successful offerors with a CMMC requirement in solicitations prior to award and to contractors with a CMMC requirement in contracts prior to exercising an option.

The proposed rule has two objectives. One objective is to provide DoD with assurances that a defense industrial base contractor can adequately protect sensitive unclassified information at a level commensurate with the risk, accounting for information shared with its subcontractors in a multi-tier supply chain. Another objective is to partially implement section 1648 of the NDAA for FY 2020. The legal basis for the rule is 41 U.S.C. 1303 and section 1648 of the NDAA for FY 2020.

Given the enterprise-wide implementation of CMMC, DoD developed a three-year phased rollout strategy. The rollout is intended to minimize both the financial impacts to the industrial base, especially small entities, and disruption to the existing DoD supply chain. Upon completion of the phased implementation, this rule will impact all small entities awarded contracts with DoD, except those providing only COTS items and those that do not handle FCI or CUI. The estimated number of small entities to which the rule will apply in year one is 1,104.

By the fourth year, all entities receiving DoD contracts and orders that have contractor information systems that will process, store, or transmit FCI or CUI and that will be used in performance of the contract or order, other than contracts or orders exclusively for COTS items, will be required to have, at minimum, a CMMC Level 1 self-assessment or the CMMC Level identified in the solicitation and resulting contract, as appropriate for the type of information being handled under the contract. As described previously, it should be noted that this requirement does not apply to awards that do not involve the handling or transmission of FCI or CUI. By year four, the total estimated number of small entities to which the rule will apply will be 60,783.

During the first three years of the phased rollout, the CMMC requirement will be included only in certain contracts for which the CMMC Program Office directs DoD component program offices to include a CMMC requirement. After three years, DoD component program offices will be required to include a requirement for CMMC in solicitations and contracts that will require the contractor to process, store, or transmit FCI or CUI on contractor information systems during contract performance. Not every contractor will be awarded a contract in Year 4, so it will take several years for every contractor in the defense industrial base to be awarded a contract containing a requirement for CMMC. DoD does not track how many years it takes for every contractor to be awarded a DoD contract, so DoD assumes this will occur over a period of several years.

Based on data from the Electronic Data Access system for FY 2021 through FY 2023, the number of unique entities with contracts containing the clause at DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is 29,543, of which 20,395 (69 percent) are small entities. Therefore, DoD estimates that in Year 4 and beyond, approximately 20,395 small entities will be impacted per year. DoD anticipates that the following mix of self-assessments and certificates will occur starting in Year 4; however, it is likely to change based on component program office discretion regarding whether a CMMC self-assessment or certificate is required and, if so, at what level: