WEBVTT 00:02.279 --> 00:04.690 I'm Gurpreet Bhatia DoD principal 00:04.699 --> 00:07.570 director for cybersecurity . Although 00:07.579 --> 00:09.801 we intend to speak accurately about the 00:09.801 --> 00:12.239 content of the proposed rule , the 00:12.250 --> 00:14.510 nature of oral communication means 00:14.520 --> 00:16.760 there may be a perceived gap . The 00:16.770 --> 00:18.492 written text of the rule takes 00:18.492 --> 00:21.559 precedence over all else . The CMMC 00:21.569 --> 00:24.110 program falls within my portfolio and 00:24.120 --> 00:26.064 it's my pleasure to see the team's 00:26.064 --> 00:28.064 progress towards completion of rule 00:28.064 --> 00:30.239 making exfiltration from defense 00:30.250 --> 00:32.740 contractors is a problem that threatens 00:32.750 --> 00:34.759 our economic and national security 00:35.380 --> 00:37.389 malicious cyber actors continue to 00:37.400 --> 00:40.450 target defense contractors , attacks 00:40.459 --> 00:42.900 focus both on large prime contractors 00:42.930 --> 00:45.819 and small subcontractors in lower tiers . 00:46.500 --> 00:48.560 Although DoD has had contract 00:48.569 --> 00:50.680 requirements that intended to address 00:50.680 --> 00:52.791 this for several years . The DIB has 00:52.791 --> 00:56.400 been slow to implement in 2019 . DoD 00:56.409 --> 00:58.200 initiated a move away from self 00:58.209 --> 01:01.639 attestation security model . CMMC was 01:01.650 --> 01:03.500 created to provide DoD with a 01:03.509 --> 01:06.440 verification mechanism . We need to 01:06.449 --> 01:08.669 verify that defense companies have 01:08.680 --> 01:11.199 implemented DoD security requirements . 01:11.760 --> 01:14.330 We need to do this prior to award and 01:14.339 --> 01:16.283 ensure continued compliance during 01:16.283 --> 01:20.080 performance . 
In 2020 we , we looked 01:20.089 --> 01:23.089 at the CMMC model and modified it to 01:23.099 --> 01:25.709 increase flexibility and reduce cost 01:25.720 --> 01:28.120 burdens especially for small businesses 01:28.800 --> 01:31.699 CMMC is designed to validate and 01:31.709 --> 01:34.309 verify compliance with DFARS 01:34.319 --> 01:38.080 252.204 dash 7012 requirements 01:38.260 --> 01:41.790 established in December 2017 . The 01:41.849 --> 01:45.330 NIST SP 800-171 requirements 01:45.580 --> 01:47.849 which were implemented in the 7012 01:47.860 --> 01:50.650 clause , provide a baseline for the CMMC 01:50.660 --> 01:53.669 program and therefore not addressed 01:53.680 --> 01:56.389 in this rule including the cost impacts . 01:57.190 --> 01:59.470 We're committed to implementing the CMMC 01:59.480 --> 02:02.800 program . The added emphasis it will 02:02.809 --> 02:05.220 bring to protecting DoD's information 02:05.230 --> 02:08.119 is important . We hope this overview 02:08.130 --> 02:10.100 will improve understanding of the 02:10.110 --> 02:12.289 proposed CMMC requirements and 02:12.300 --> 02:14.740 increase impact of the public comment 02:14.750 --> 02:17.600 period . It is important that we 02:17.610 --> 02:20.240 receive comments that clearly 02:20.250 --> 02:23.080 articulate your perspective so that the 02:23.089 --> 02:24.922 department can address those key 02:24.922 --> 02:27.860 concerns . In the final rule . We must 02:27.869 --> 02:30.429 work together to enhance cybersecurity 02:30.710 --> 02:33.059 and protect DoD information from 02:33.070 --> 02:35.660 exfiltration . With that , I'd like to 02:35.669 --> 02:37.725 direct your attention to my chief of 02:37.725 --> 02:39.891 DIB cybersecurity , Ms Stacy Bostjanick 02:39.940 --> 02:41.869 for more information on the CMMC 02:41.880 --> 02:42.880 program . 02:47.860 --> 02:50.860 Hey , it's me , Stacy . 
The program is 02:50.869 --> 02:53.050 initially rooted in an executive order 02:53.059 --> 02:55.281 that established a program for managing 02:55.281 --> 02:56.948 and safeguarding unclassified 02:56.948 --> 02:59.080 information . That was the executive 02:59.089 --> 03:02.600 order 13556 on controlled unclassified 03:02.610 --> 03:05.639 information or CUI signed in November 03:05.649 --> 03:09.240 of 2010 . The CUI program was 03:09.250 --> 03:11.850 then codified in title 32 code of 03:11.860 --> 03:15.029 federal regulations , section 2002 . In 03:15.039 --> 03:18.729 2013 , the DoD began implementation of 03:18.740 --> 03:21.039 the requirements in support of the CUI 03:21.050 --> 03:25.020 executive order and 32 CFR 2002 through 03:25.029 --> 03:26.807 the defense federal acquisition 03:26.807 --> 03:29.149 regulation supplement or the DFARS 03:29.160 --> 03:33.149 Clause 252.204-7012 . 03:33.350 --> 03:35.009 This clause required defense 03:35.020 --> 03:37.320 contractors to implement NIST special 03:37.330 --> 03:40.970 publication 800-171 as soon as possible , 03:40.979 --> 03:44.369 but not later than December of 2017 . 03:45.139 --> 03:48.490 In 2019 , the DoD inspector general 03:48.500 --> 03:50.529 issued its report on the audit of 03:50.539 --> 03:53.339 protection of DoD CUI on contractor 03:53.369 --> 03:55.529 owned networks and systems . And the 03:55.539 --> 03:58.089 Navy also issued its cyber readiness 03:58.100 --> 04:00.322 review which revealed that little or no 04:00.322 --> 04:02.433 progress had been made by the defense 04:02.433 --> 04:04.524 industrial Base in the CUI 04:04.535 --> 04:07.264 safeguarding requirements specified in 04:07.274 --> 04:10.804 the DFARS 7012 clause . Subsequent to this 04:10.815 --> 04:14.574 finding , DoD Secretary Shanahan 04:14.585 --> 04:17.464 directed the DoD to develop a process 04:17.475 --> 04:19.595 for validating that companies were in 04:19.605 --> 04:23.019 fact protecting DoD CUI .
As a result , 04:23.028 --> 04:25.569 the defense contract management agency 04:25.579 --> 04:28.449 DCMA founded its Defense Industrial 04:28.459 --> 04:31.098 based Cyber Assessment Center or DIBCAC 04:31.209 --> 04:32.987 and began to perform compliance 04:32.987 --> 04:35.539 assessments on DIB contractors against 04:35.549 --> 04:39.069 the NIST special publication 800-171 . The 04:39.079 --> 04:40.801 department recognized that the 04:40.801 --> 04:42.746 government could not realistically 04:42.746 --> 04:44.801 perform assessments on the more than 04:44.801 --> 04:48.109 220,000 DIB companies that handle CUI . 04:48.410 --> 04:50.510 The department also recognized the 04:50.519 --> 04:52.390 inconsistencies in the level of 04:52.399 --> 04:54.920 compliance across the DIB meant that DoD 04:54.929 --> 04:56.929 information was still vulnerable to 04:56.929 --> 04:59.929 exfiltration , to fix that DoD 04:59.940 --> 05:02.049 developed the CMMC program , a 05:02.059 --> 05:04.839 mechanism to verify that defense 05:04.850 --> 05:07.140 contractors and subcontractors are 05:07.149 --> 05:10.149 implementing the NIST 800-171 security 05:10.160 --> 05:12.929 requirements in accordance with DFARS 05:12.940 --> 05:16.279 252.204-7012 and are adequately 05:16.290 --> 05:18.339 protecting sensitive unclassified 05:18.350 --> 05:21.440 information as required by 32 CFR 05:21.450 --> 05:24.920 2002 . I will now turn it over to the 05:24.929 --> 05:27.429 CMMC program . Management director , 05:27.540 --> 05:30.320 Buddy Dees for an overview of the 05:30.329 --> 05:31.850 proposed CMMC program . 05:35.829 --> 05:38.649 Hello , I'm Mr Buddy Dees , as Ms 05:38.660 --> 05:41.049 Bostjanick stated, given the defense 05:41.059 --> 05:42.892 industrial base consists of over 05:42.892 --> 05:45.540 220,000 companies . 
The department 05:45.549 --> 05:47.559 needed to create an ecosystem that 05:47.570 --> 05:49.579 could scale to support compliance 05:49.589 --> 05:52.399 verification . As noted at the top of 05:52.410 --> 05:55.130 the slide , the department and the DoD 05:55.140 --> 05:57.959 CIO in particular provides oversight of 05:57.970 --> 06:00.200 the CMMC program to include the 06:00.209 --> 06:03.940 designated accreditation body . The CMMC 06:03.950 --> 06:06.299 ecosystem is based on compliance with 06:06.309 --> 06:09.640 applicable ISO standards . Specifically , 06:09.649 --> 06:11.538 the accreditation body must fully 06:11.538 --> 06:14.959 comply with ISO 17011 standards , 06:15.600 --> 06:17.269 CMMC third Party Assessment 06:17.279 --> 06:20.269 Organizations or C three PAOs must 06:20.279 --> 06:24.109 comply with ISO 17020 standards and 06:24.119 --> 06:25.952 the CMMC assessor and instructor 06:25.952 --> 06:29.149 certification organization or CAICO must 06:29.160 --> 06:32.269 fully comply with ISO 17024 standards . 06:33.119 --> 06:35.175 I would now like to walk through the 06:35.175 --> 06:37.339 key components of the ecosystem as 06:37.350 --> 06:39.517 depicted on the chart displayed on the 06:39.517 --> 06:41.406 screen beginning with the two key 06:41.406 --> 06:44.380 government entities . First , the DoD 06:44.390 --> 06:47.500 CIO CMMC Program Management office or 06:47.510 --> 06:50.179 PMO out of section 06:50.190 --> 06:53.970 170.6 is responsible for 06:54.209 --> 06:56.339 establishing CMMC assessment 06:56.549 --> 06:59.299 accreditation and training requirements 06:59.880 --> 07:01.824 and developing and maintaining the 07:01.829 --> 07:04.140 model in a supplemental document such 07:04.149 --> 07:06.600 as assessment guides , scoping guides , 07:06.760 --> 07:09.320 the hashing guide and associated CMMC 07:09.329 --> 07:13.329 policies .
The CMMC PMO will set all 07:13.339 --> 07:15.250 the applicable DoD requirements 07:15.260 --> 07:17.570 associated with the CMMC ecosystem 07:18.420 --> 07:21.980 section 170.6 of the proposed rule 07:21.989 --> 07:24.500 addresses these specific CMMC program 07:24.510 --> 07:26.566 management office responsibilities . 07:27.609 --> 07:31.140 Second is the DCMA Defense Industrial 07:31.149 --> 07:33.739 Base , Cyber Security Assessment Center 07:33.750 --> 07:36.920 or DIBCAC uh organization in section 07:36.929 --> 07:40.779 170.7 of the proposed rule in 07:40.790 --> 07:43.179 support of the CMMC program , the DIBCAC 07:43.429 --> 07:45.589 will conduct CMMC level two 07:45.600 --> 07:47.839 assessments of the accreditation body 07:48.049 --> 07:50.769 and candidate C three PAOs whose 07:50.779 --> 07:54.160 information systems process store and 07:54.170 --> 07:58.119 or transmit CUI to conduct all CMMC 07:58.130 --> 08:00.241 level three certification assessments 08:00.380 --> 08:02.779 and upload assessment results into the 08:02.790 --> 08:05.950 CMMC instantiation of the enterprise 08:05.959 --> 08:08.529 mission assurance support service or 08:08.540 --> 08:12.239 eMASS database. CMMC eMASS 08:12.250 --> 08:14.549 is a government owned database that 08:14.559 --> 08:17.459 will store CMMC assessment results and 08:17.470 --> 08:19.420 transmit scores into the supplier 08:19.429 --> 08:23.079 performance risk system or SPRS which 08:23.089 --> 08:24.756 can be assessed by government 08:24.756 --> 08:28.089 contracting officers . Finally , the DIBCAC 08:28.160 --> 08:31.540 advises the DoD CIO CMMC program 08:31.549 --> 08:33.960 office on matters related to DIB cyber 08:33.969 --> 08:37.008 security and assessments . Additional 08:37.018 --> 08:39.185 detailed information regarding the DIBCAC 08:39.185 --> 08:41.689 roles and responsibilities can be 08:41.698 --> 08:44.289 found in section 170.7 .
08:45.429 --> 08:47.262 Now moving to the non-government 08:47.262 --> 08:49.207 portion of the ecosystem . We will 08:49.210 --> 08:51.520 start with the CMMC Accreditation Body 08:51.530 --> 08:55.119 or A B out of section 170.8 . 08:56.330 --> 08:58.729 The day to day operations of the CMMC 08:58.739 --> 09:00.350 ecosystem are managed by the 09:00.350 --> 09:03.780 accreditation body or the A B . At any 09:03.789 --> 09:05.909 given point in time . The DoD will 09:05.919 --> 09:08.969 designate one entity to serve as the CMMC 09:08.979 --> 09:12.960 A B . The CMMC PMO will 09:12.969 --> 09:15.260 directly interface with that designated 09:15.270 --> 09:18.809 A B . The A B will be required to 09:18.820 --> 09:20.789 complete a peer assessment in 09:20.799 --> 09:23.559 accordance with ISO standards to verify 09:23.570 --> 09:25.403 their competence and accrediting 09:25.403 --> 09:27.760 assessment bodies . In addition to 09:27.770 --> 09:29.714 ensuring ISO compliance across the 09:29.714 --> 09:32.520 ecosystem , the accreditations body's 09:32.530 --> 09:35.950 primary roles include authorizing and 09:35.960 --> 09:38.182 ensuring the accreditation of C three PAOs 09:38.182 --> 09:41.659 overseeing the CAICO to ensure all 09:41.669 --> 09:44.080 training products , instruction and 09:44.090 --> 09:46.312 testing materials are of high quality . 
09:47.159 --> 09:49.500 You can review the rule at section 09:49.510 --> 09:52.460 170.8 for more information on roles , 09:52.469 --> 09:54.940 responsibilities and requirements of 09:54.950 --> 09:58.849 the A B CMMC third Party assessment 09:58.859 --> 10:01.349 organizations or C three PAOs are 10:01.359 --> 10:04.750 contained in section 170.9 of the 10:04.760 --> 10:07.630 rule C three PAOs are responsible for 10:07.640 --> 10:10.070 granting CMMC level two certification 10:10.080 --> 10:12.669 assessments and issuing certificates of 10:12.679 --> 10:15.270 assessment for organizations seeking 10:15.280 --> 10:17.830 certification or OSCs 10:19.010 --> 10:21.070 C three PAOs must meet the DoD 10:21.080 --> 10:23.349 requirements set forth in section 10:23.359 --> 10:26.890 170.9 must achieve compliance with 10:26.900 --> 10:29.890 applicable ISO standards and must 10:29.900 --> 10:31.844 comply with the accreditation body 10:31.844 --> 10:34.919 policies for conflict of interest code 10:34.929 --> 10:36.985 of professional conduct and ethics . 10:38.039 --> 10:40.460 Like the DIBCAC C three PAOs will enter 10:40.469 --> 10:43.309 the assessment data into the CMMC eMASS 10:43.320 --> 10:45.669 database which will transmit the scores 10:45.679 --> 10:49.010 to the SPRS database . All C three PAO 10:49.020 --> 10:51.380 personnel participating in the CMMC 10:51.390 --> 10:54.169 assessment process must complete a tier 10:54.179 --> 10:56.090 three background investigation 10:56.349 --> 10:58.169 resulting in a determination of 10:58.179 --> 11:01.190 national security eligibility . This 11:01.200 --> 11:03.144 investigation will not result in a 11:03.144 --> 11:05.144 security clearance and is not being 11:05.144 --> 11:07.311 executed for the purpose of government 11:07.311 --> 11:10.469 employment candidate .
C three PAOs are 11:10.479 --> 11:12.646 assessed by the government for foreign 11:12.646 --> 11:15.159 ownership control or influence or FOCI 11:15.169 --> 11:17.450 risk . Those that are not 11:17.460 --> 11:19.770 disqualified based on FOCI risk 11:19.820 --> 11:23.130 will then undergo a DIBCAC CMMC level 11:23.140 --> 11:25.909 two assessment before being authorized 11:25.919 --> 11:29.590 and accredited . As a C three PAO , the 11:29.599 --> 11:31.210 C three PAO must meet all the 11:31.210 --> 11:33.210 requirements for a level two final 11:33.219 --> 11:35.750 certification assessment but will not 11:35.760 --> 11:37.750 be issued a CMMC level two 11:37.760 --> 11:40.780 certificate , C three PAOs are 11:40.789 --> 11:42.511 responsible for addressing all 11:42.511 --> 11:44.960 applicable assessment appeals arising 11:44.969 --> 11:46.840 from a CMMC level two assessment 11:46.950 --> 11:50.390 conducted by their staff . Any appeal 11:50.400 --> 11:52.780 not resolved by the C three PAO will be 11:52.789 --> 11:54.956 elevated to the accreditation body for 11:54.956 --> 11:58.940 final determination . CMMC assessor and 11:58.950 --> 12:01.061 instructor certification organization 12:01.061 --> 12:03.700 or CAICO is in section 170.10 . 12:04.650 --> 12:07.280 Similar to the A B , there is only one 12:07.650 --> 12:10.070 CAICO for the CMMC program at any given 12:10.080 --> 12:13.070 time . The CAICO is responsible for 12:13.080 --> 12:15.520 training , testing , authorizing , 12:15.530 --> 12:18.330 certifying and recertifying CMMC 12:18.340 --> 12:20.679 assessors , instructors and related 12:20.690 --> 12:23.130 professionals . They also oversee 12:23.140 --> 12:25.320 development , administration and 12:25.330 --> 12:27.552 management pertaining to the quality of 12:27.552 --> 12:29.909 training and examination materials for 12:29.919 --> 12:31.880 CMMC assessor and instructor 12:31.890 --> 12:34.369 certification and recertification . 
12:35.700 --> 12:37.559 The CAICO must also meet the DoD 12:37.570 --> 12:39.799 requirements specified in section 12:39.809 --> 12:42.539 170.10 . Achieve compliance with 12:42.549 --> 12:45.599 applicable ISO standards and comply with 12:45.609 --> 12:47.720 the accreditation body's policies for 12:47.720 --> 12:49.442 conflict of interest , code of 12:49.442 --> 12:52.330 professional conduct and ethics . And 12:52.340 --> 12:54.030 finally detailed roles and 12:54.039 --> 12:56.020 responsibilities for assessors , 12:56.049 --> 12:59.159 instructors and CMMC professionals are 12:59.169 --> 13:01.989 covered in sections 170.11 13:02.000 --> 13:04.909 170.12 and 170.13 13:05.080 --> 13:08.609 respectively . Now that I have reviewed 13:08.619 --> 13:11.030 the key aspects of the CMMC ecosystem . 13:11.239 --> 13:13.072 I'd like to turn our focus to an 13:13.072 --> 13:16.349 overview of the CMMC levels . In 13:16.390 --> 13:19.710 November 2021 the department announced 13:19.719 --> 13:21.700 an updated program structure that 13:21.710 --> 13:23.599 includes changes driven by public 13:23.599 --> 13:26.030 comments on the initial CMMC program . 13:26.750 --> 13:29.030 Key aspects of the model include 13:29.400 --> 13:31.950 elimination of two transitional levels 13:31.960 --> 13:34.016 which streamline the model from five 13:34.016 --> 13:37.010 tiers to three , elimination of all CMMC 13:37.020 --> 13:39.960 unique security requirements . The 13:39.969 --> 13:42.200 restructure model now directly aligns 13:42.210 --> 13:44.510 to existing FAR requirements and the 13:44.520 --> 13:47.510 NIST requirements , streamlining the 13:47.520 --> 13:49.631 process by eliminating assessments of 13:49.631 --> 13:51.464 the company's process maturity , 13:52.539 --> 13:55.090 transitioning assessments against NIST 13:55.099 --> 13:58.969 800-172 from C three PAOs to DCMA 13:58.979 --> 14:02.880 and DIBCAC assessors .
The current CMMC 14:02.890 --> 14:05.049 model incorporates contractor self 14:05.059 --> 14:07.710 assessment . In some cases , the use of 14:07.719 --> 14:09.859 plans of actions and milestones or 14:10.000 --> 14:12.359 POAMS and flexibility for government 14:12.369 --> 14:14.859 program offices to pursue waivers for 14:14.869 --> 14:18.840 CMMC requirements . In addition , CMMC 14:18.849 --> 14:20.989 adds a requirement for senior 14:21.000 --> 14:23.539 official affirmations at each level . 14:24.239 --> 14:26.500 The senior official who is responsible 14:26.510 --> 14:28.232 for ensuring the DIB company's 14:28.232 --> 14:31.049 compliance with CMMC must submit an 14:31.059 --> 14:34.719 annual affirmation into SPRS these 14:34.729 --> 14:36.340 affirmations convey that the 14:36.340 --> 14:39.489 organization seeking assessment or OSA 14:39.619 --> 14:42.070 has implemented and will maintain all 14:42.080 --> 14:44.590 applicable CMMC security requirements 14:44.770 --> 14:47.510 for the information systems within the 14:47.520 --> 14:49.710 relevant assessment scope at the 14:49.719 --> 14:52.950 applicable CMMC level . Please review 14:52.960 --> 14:56.190 section 170.22 of the proposed rule 14:56.200 --> 14:57.909 for additional details on the 14:57.919 --> 15:01.479 affirmation requirement CMMC 15:01.489 --> 15:03.520 requires companies entrusted with 15:03.530 --> 15:05.609 national security information to 15:05.619 --> 15:07.900 implement cyber security standards at 15:07.909 --> 15:10.330 progressively advanced levels depending 15:10.340 --> 15:12.284 on the type and sensitivity of the 15:12.284 --> 15:14.719 information . The program also 15:14.729 --> 15:17.140 describes a process for requiring 15:17.150 --> 15:19.479 protection of information flow down to 15:19.489 --> 15:22.270 subcontractors .
I will now talk to each 15:22.289 --> 15:24.609 specific tier of the model as shown on 15:24.619 --> 15:27.719 the graphic on the screen for CMMC 15:27.729 --> 15:30.830 level one contractors and applicable 15:30.840 --> 15:33.200 subcontractors are already required to 15:33.210 --> 15:35.390 implement the 15 basic security 15:35.400 --> 15:37.567 requirements that are specified in the 15:37.570 --> 15:40.200 federal acquisition regulation FAR 15:40.210 --> 15:43.960 clause 52.204 dash 21 . 15:44.609 --> 15:46.720 This is for the protection of federal 15:46.720 --> 15:50.599 contract information or FCI . In CMMC 15:50.609 --> 15:52.890 level one , the contractor or 15:52.900 --> 15:55.479 applicable subcontractor is required to 15:55.489 --> 15:58.030 annually conduct a self assessment 15:58.159 --> 16:01.330 against these 15 FAR requirements . The 16:01.340 --> 16:03.330 contractor or subcontractor must 16:03.340 --> 16:06.400 achieve a met result for all 15 of the 16:06.409 --> 16:08.465 security requirements and submit the 16:08.465 --> 16:11.750 results into SPRS POAMS are not 16:11.760 --> 16:14.849 permitted with level one . See section 16:14.859 --> 16:18.200 170.15 for details on CMMC level one 16:18.210 --> 16:21.630 self assessment requirements , CMMC 16:21.640 --> 16:25.270 level two to protect CUI contractors 16:25.280 --> 16:27.690 and subcontractors are already required 16:27.700 --> 16:30.059 to implement the 110 security 16:30.070 --> 16:33.299 requirements as specified by the DFARS 16:33.309 --> 16:36.200 7012 clause which are aligned with the 16:36.210 --> 16:40.109 NIST SP 800-171 requirements . The 16:40.119 --> 16:42.219 CMMC program as a new assessment 16:42.229 --> 16:43.900 requirement that supports the 16:43.909 --> 16:47.010 verification of that all applicable 16:47.020 --> 16:48.798 security requirements have been 16:48.798 --> 16:51.979 implemented.
As determined by DoD 16:52.150 --> 16:54.460 applicable solicitations will require 16:54.469 --> 16:56.799 either a CMMC level two self 16:56.809 --> 16:59.500 assessment or a CMMC level two 16:59.510 --> 17:02.789 certification assessment . The CMMC 17:02.799 --> 17:05.150 level two self assessment is performed 17:05.160 --> 17:07.150 by the OSA and is valid for up to 17:07.160 --> 17:09.839 three years . The resulting assessment 17:09.849 --> 17:11.920 score and compliance status must be 17:11.930 --> 17:15.050 entered electronically into SPRS. See 17:15.060 --> 17:18.780 section 170.16 for details on CMMC's 17:18.790 --> 17:20.957 level two self assessment requirements 17:20.957 --> 17:24.540 and procedures . The CMMC level two 17:24.550 --> 17:26.479 certification assessment must be 17:26.489 --> 17:29.109 conducted by an approved or authorized 17:29.119 --> 17:31.640 C three PAO and is valid for up to 17:31.650 --> 17:34.150 three years . The details of the 17:34.160 --> 17:36.449 assessment will be entered by the 17:36.459 --> 17:39.819 C three PAO into the CMMC eMASS which 17:39.829 --> 17:42.270 then transmits the scores into SPRS 17:43.479 --> 17:46.750 CMMC level three for CMMC . Level three , 17:46.760 --> 17:48.589 contractors will be required to 17:48.599 --> 17:50.579 implement 24 additional security 17:50.589 --> 17:54.189 requirements selected from NIST SP 800-172 17:54.199 --> 17:58.000 details and descriptions of these 24 17:58.010 --> 18:00.010 select requirements can be found in 18:00.010 --> 18:03.680 table one to section 170.14 of the 18:03.689 --> 18:07.180 proposed rule , the DIBCAC will perform 18:07.189 --> 18:09.411 the CMMC level three assessment against 18:09.411 --> 18:13.349 the NIST SP 800-172 requirements .
However , 18:13.359 --> 18:15.415 prior to receiving a CMMC level three 18:15.415 --> 18:17.859 assessment from the DIBCAC , the OSE 18:17.869 --> 18:20.630 must have a valid level two final 18:20.640 --> 18:23.150 certification assessment from a C three 18:23.160 --> 18:27.099 PAO that indicates all 110 security 18:27.109 --> 18:30.829 requirements from NIST SP 800-171 18:30.989 --> 18:34.689 have been met . The scope of the level 18:34.699 --> 18:37.219 two assessment must be the same as the 18:37.229 --> 18:39.670 requested CMMC level three assessment . 18:40.760 --> 18:42.819 During execution of the CMMC level 18:42.829 --> 18:45.199 three certification assessment , the DIBCAC 18:45.260 --> 18:48.060 may check CMMC level two security 18:48.069 --> 18:50.239 requirements in accordance with the CMMC 18:50.250 --> 18:53.599 level three scoping . If the DIBCAC 18:53.619 --> 18:55.675 identifies that a level two security 18:55.675 --> 18:57.910 requirement is not met . The level 18:57.920 --> 19:00.087 three assessment process may be placed 19:00.087 --> 19:03.060 on hold or terminated . The DIBCAC will 19:03.069 --> 19:05.420 submit assessment results into CMMC 19:05.430 --> 19:07.652 eMASS which will then post the scores to 19:07.652 --> 19:10.489 SPRS. Now that we've reviewed the CMMC 19:10.500 --> 19:12.770 model and its associated levels . 19:12.780 --> 19:14.947 I'd like to turn the presentation over 19:14.947 --> 19:17.058 to Ms Diane Knight who will provide 19:17.058 --> 19:19.002 you with information regarding the 19:19.002 --> 19:21.113 implementation of the CMMC program . 19:22.979 --> 19:26.079 Hello , I'm Diane Knight . The DoD 19:26.089 --> 19:28.250 recognized that this program was at a 19:28.260 --> 19:30.839 level that required its codification in 19:30.849 --> 19:32.819 the title 32 code of federal 19:32.829 --> 19:35.569 regulations to establish the CMMC 19:35.579 --> 19:38.599 program requirements .
Title 32 of the 19:38.609 --> 19:41.010 CFR covers national defense and 19:41.020 --> 19:44.640 security . The DoD CIO through the 19:44.650 --> 19:48.329 CMMC PMO is developing the CMMC 19:48.339 --> 19:51.290 program rule . Concurrently , the DoD 19:51.300 --> 19:53.729 acquisition community is developing the 19:53.739 --> 19:56.699 corresponding 48 CFR rule to implement 19:56.709 --> 20:00.569 CMMC . Title 48 CFR is the federal 20:00.579 --> 20:03.079 acquisition regulation system and 20:03.089 --> 20:04.969 includes the defense , federal 20:04.979 --> 20:07.979 acquisition regulation supplement or DFARS 20:08.150 --> 20:11.680 The CMMC 48 CFR rule will 20:11.689 --> 20:14.560 incorporate CMMC program requirements 20:14.569 --> 20:18.060 in accordance with the 32 CFR rule. Rule 20:18.069 --> 20:21.479 making under 48 CFR is led by the DoD's 20:21.489 --> 20:23.550 Office of the Under Secretary of 20:23.560 --> 20:26.199 Defense for acquisition and sustainment 20:26.209 --> 20:29.040 and is supported by the PMO . We 20:29.050 --> 20:31.650 anticipate the proposed DFARS rule will 20:31.660 --> 20:33.827 be published for a public comment this 20:33.827 --> 20:37.319 year . The CMMC program proposed rule 20:37.329 --> 20:39.551 and supporting documents were published 20:39.551 --> 20:43.390 on December 26th , 2023 for review and 20:43.400 --> 20:45.660 to initiate the 60 day public comment 20:45.670 --> 20:48.160 period on this proposed rule . To 20:48.170 --> 20:50.219 submit comments on the rule or the 20:50.229 --> 20:52.339 supporting documents , please go to 20:52.349 --> 20:55.439 Federal register.gov or regulations.gov 20:55.540 --> 20:58.650 and search on CMMC to locate the 20:58.660 --> 21:01.869 documents . Comments must be posted by 21:01.880 --> 21:05.280 February 26 2024 . 
When the public 21:05.290 --> 21:08.219 comment period will end all comments 21:08.229 --> 21:10.173 received during the public comment 21:10.173 --> 21:11.951 period will be reviewed and the 21:11.951 --> 21:14.173 comments and responses will be included 21:14.173 --> 21:17.170 in the CMMC program . Final rule , 21:17.520 --> 21:21.420 both the 32 CFR CMMC program rule 21:21.430 --> 21:25.010 and the 48 CFR CMMC DFARS rule are 21:25.020 --> 21:27.619 required to implement the CMMC program 21:27.630 --> 21:30.540 requirements in DoD solicitations and 21:30.550 --> 21:33.630 resulting contracts . These final rules 21:33.640 --> 21:35.473 will be published on the federal 21:35.473 --> 21:37.473 register and include the associated 21:37.473 --> 21:39.819 effective dates of the rules which we 21:39.829 --> 21:42.459 expect to be concurrent . Next , I'll 21:42.469 --> 21:44.636 address the clauses that are important 21:44.636 --> 21:47.109 for CMMC implementation , which are 21:47.119 --> 21:50.310 the DFARS clauses 252.204-7012 21:50.319 --> 21:54.089 and 252.204-7021 21:54.199 --> 21:57.939 The respective CMMC levels 21:57.949 --> 22:01.359 1, 2 and three , utilize the information 22:01.369 --> 22:03.536 safeguarding and security requirements 22:03.536 --> 22:06.449 previously addressed by Mr Dees . That is 22:06.459 --> 22:10.449 FAR clause 52.204 dash 21 for level 22:10.459 --> 22:14.079 one , NIST SP 800-171 22:14.089 --> 22:17.300 rev two for CMMC level two , which is 22:17.310 --> 22:19.599 also required for level three . In 22:19.609 --> 22:21.720 addition to the security requirements 22:21.720 --> 22:25.239 selected from NIST SP 800-172 22:25.250 --> 22:29.109 for level three . 
DFARS clause 22:29.119 --> 22:32.050 7012 effective since December 22:32.060 --> 22:35.280 2017 states that unclassified 22:35.290 --> 22:37.949 nonfederal information systems that 22:37.959 --> 22:41.829 process store or transmit CUI shall 22:41.839 --> 22:44.380 be subject to the security requirements 22:44.390 --> 22:48.280 in NIST SP 800-171. Those 22:48.290 --> 22:51.709 NIST SP 800-171 requirements are the baseline 22:51.719 --> 22:54.780 for CMMC level two . When CUI is 22:54.790 --> 22:58.150 managed under contract , the CMMC 22:58.160 --> 23:00.390 DFARS Clause will require CMMC 23:00.400 --> 23:02.910 assessment to verify that the 23:02.920 --> 23:05.680 respective CMMC level requirements are 23:05.689 --> 23:08.550 implemented . Please note , even if 23:08.560 --> 23:10.959 your contract does not contain the CMMC 23:10.969 --> 23:14.425 DFARS clause , you're still required 23:14.435 --> 23:18.194 to implement all of the NIST SP 800-171 23:18.204 --> 23:20.785 requirements . When the DFARS 23:20.795 --> 23:24.474 252.204 dash 7012 , clause 23:24.484 --> 23:27.515 is in your contract and you process 23:27.525 --> 23:31.479 store or transmit CUI the CMMC 23:31.489 --> 23:33.589 program will require an assessment 23:33.599 --> 23:37.410 prior to contract award when CMMC is 23:37.420 --> 23:40.599 implemented DFARS Clause 252.204 23:40.609 --> 23:44.469 dash 7021 will require contractors to 23:44.479 --> 23:47.560 achieve the CMMC level specified in a 23:47.569 --> 23:51.069 DoD solicitation by the time of award 23:51.079 --> 23:53.530 and maintain their CMMC assessment 23:53.540 --> 23:55.550 status throughout the contract 23:55.560 --> 23:58.439 performance period . Let me address 23:58.449 --> 24:01.619 flow down to subcontracts .
CMMC 24:01.630 --> 24:03.800 program requirements will apply to 24:03.810 --> 24:07.119 prime contractors and to subcontractors 24:07.130 --> 24:10.089 at all tiers of the supply chain that 24:10.099 --> 24:13.229 will process store or transmit FCI or 24:13.239 --> 24:16.609 CUI . Please review section 24:16.619 --> 24:19.989 170.23 in the proposed rule for 24:20.000 --> 24:22.089 details on application to 24:22.099 --> 24:25.780 subcontractors , the CMMC clauses will 24:25.790 --> 24:29.369 flow down just as the DFARS 7012 and 24:29.380 --> 24:32.760 FAR 52.204 dash 21 clauses are 24:32.770 --> 24:35.160 required to be flowed down to all 24:35.170 --> 24:38.640 subcontracts at all tiers CMMC 24:38.650 --> 24:41.280 requirements will be phased in and that 24:41.290 --> 24:44.119 is addressed in section 170.3 of the 24:44.130 --> 24:47.739 proposed rule when the 32 CFR CMMC 24:47.750 --> 24:51.270 program rule and the 48 CFR DFARS rules 24:51.280 --> 24:54.020 are both final and effective DoD will 24:54.030 --> 24:56.319 begin implementing CMMC program 24:56.329 --> 24:59.060 requirements as outlined in its phase 24:59.099 --> 25:02.760 in plan . The implementation period 25:02.770 --> 25:05.219 will consist of four phases which are 25:05.229 --> 25:07.285 depicted on the graphic displayed on 25:07.285 --> 25:10.109 the screen during each CMMC phase in 25:10.119 --> 25:12.420 period . Government program managers 25:12.430 --> 25:14.719 and requiring activities will include 25:14.729 --> 25:17.155 applicable CMMC requirements and 25:17.165 --> 25:19.694 designated solicitations and resulting 25:19.704 --> 25:22.635 contracts . CMMC self assessment 25:22.645 --> 25:24.805 scores will be submitted in SPRS 25:24.814 --> 25:26.925 similar to the way they are currently 25:26.925 --> 25:28.647 submitted in response to DFARS 25:28.647 --> 25:31.344 provision 252.204 dash 25:31.354 --> 25:34.704 7019 .
One reason for the phased 25:34.714 --> 25:37.425 implementation of the CMMC program is 25:37.435 --> 25:39.805 to ensure adequate availability of 25:39.814 --> 25:42.775 authorized or accredited C3PAOs 25:43.104 --> 25:46.064 and assessors to meet DoD's demand . 25:46.719 --> 25:49.170 Phase one of the plan implementation 25:49.180 --> 25:51.402 will begin on the effective date of the 25:51.402 --> 25:55.209 48 CFR CMMC rule. In phase one DoD 25:55.219 --> 25:57.780 will include CMMC level one or level 25:57.790 --> 26:00.589 two self assessment requirements in all 26:00.599 --> 26:03.180 applicable solicitations as a condition 26:03.189 --> 26:06.260 of contract award. At their discretion , 26:06.270 --> 26:08.140 program managers and requiring 26:08.150 --> 26:11.020 activities also may choose to identify 26:11.189 --> 26:13.479 CMMC level two assessment 26:13.489 --> 26:15.829 certification requirements in some 26:15.839 --> 26:18.660 solicitations . Phase one is focused 26:18.670 --> 26:21.260 primarily on self assessment to provide 26:21.270 --> 26:23.939 contractors with the earliest ability 26:23.949 --> 26:27.530 to satisfy CMMC requirements . Phase 26:27.540 --> 26:29.599 two is planned to begin six months 26:29.609 --> 26:32.589 after the start date of phase one. In 26:32.599 --> 26:35.660 phase two DoD will require CMMC level 26:35.670 --> 26:37.709 two certification assessments by an 26:37.719 --> 26:40.770 authorized C3PAO at the program 26:40.780 --> 26:43.589 manager's discretion the solicitation 26:43.599 --> 26:45.910 may include the CMMC requirement but 26:45.920 --> 26:48.780 specify that it applies as a condition 26:48.790 --> 26:51.630 of awarding an option period rather 26:51.640 --> 26:54.770 than at the initial contract award . 
In 26:54.780 --> 26:56.979 addition , program managers may choose 26:56.989 --> 26:59.619 to include CMMC level three assessment 26:59.630 --> 27:02.619 certification and select solicitations 27:02.630 --> 27:06.400 where appropriate. In phase two DoD 27:06.410 --> 27:08.959 expands the focus to CMMC level two 27:08.969 --> 27:11.640 certification requirements to drive 27:11.650 --> 27:14.089 improvements in DIB cyber security . 27:14.250 --> 27:16.430 Phase three is planned to begin one 27:16.439 --> 27:18.939 calendar year after the start date of 27:18.949 --> 27:22.569 phase two in phase three DoD will begin 27:22.579 --> 27:24.400 to include CMMC level three 27:24.410 --> 27:26.030 requirements and applicable 27:26.040 --> 27:28.920 solicitations. At this point , DoD 27:28.930 --> 27:31.099 solicitations will include a CMMC 27:31.109 --> 27:33.300 requirement when applicable as a 27:33.310 --> 27:36.050 condition of contract award , as well 27:36.060 --> 27:39.300 as option periods. For level three only 27:39.310 --> 27:41.869 program managers can delay the CMMC 27:41.880 --> 27:43.939 level three certification assessment 27:43.949 --> 27:46.709 requirement to the exercise of an 27:46.719 --> 27:50.369 option period . Phase four or full DoD 27:50.380 --> 27:52.780 implementation is planned to begin 27:52.790 --> 27:55.140 one calendar year after the start date 27:55.150 --> 27:57.609 of phase three. In phase four , 27:57.619 --> 27:59.430 government program managers and 27:59.439 --> 28:02.150 requiring activities will identify the 28:02.160 --> 28:04.550 respective CMMC requirements for 28:04.560 --> 28:07.959 inclusion in all DoD solicitations as a 28:07.969 --> 28:10.310 condition for contract award and as a 28:10.319 --> 28:13.089 condition for exercise of any contract 28:13.099 --> 28:15.949 option period . 
More information about 28:15.959 --> 28:18.410 each phase of the CMMC implementation 28:18.420 --> 28:21.420 plan can be found in the proposed rule 28:21.430 --> 28:25.420 at 170.3 . A quick mention of a CMMC 28:25.430 --> 28:28.329 waiver : government program managers 28:28.339 --> 28:30.910 and requiring activities may seek DoD 28:30.920 --> 28:33.719 approval to waive inclusion of a CMMC 28:33.729 --> 28:35.729 requirement in an acquisition 28:35.739 --> 28:39.030 solicitation . There is no avenue for 28:39.040 --> 28:42.010 offerors to seek waivers of CMMC 28:42.020 --> 28:44.869 requirements . Now over to Ms Jen 28:44.880 --> 28:47.060 Henderson to address the next slide . 28:49.060 --> 28:52.719 Hello , I'm Jen Henderson . The CMMC 28:52.729 --> 28:55.660 scoring methodology is designed to 28:55.670 --> 28:57.781 provide an objective measurement of a 28:57.781 --> 28:59.890 contractor's or subcontractor's 28:59.900 --> 29:01.890 implementation of the security 29:01.900 --> 29:04.569 requirements . While it is generally 29:04.579 --> 29:06.520 not designed to credit partial 29:06.530 --> 29:09.030 implementation , the methodology allows 29:09.040 --> 29:11.096 for a limited number of requirements 29:11.096 --> 29:12.929 for which partial implementation 29:12.929 --> 29:15.060 scoring is built in such as the 29:15.069 --> 29:16.709 requirement for multi factor 29:16.719 --> 29:19.239 authentication and FIPS validated 29:19.250 --> 29:22.329 cryptography . Under the methodology , 29:22.339 --> 29:25.439 each requirement assessed results in a 29:25.449 --> 29:28.790 finding of met , not met or not 29:28.800 --> 29:31.709 applicable . A security requirement is 29:31.719 --> 29:34.939 considered to be met if all objectives 29:34.949 --> 29:38.160 are satisfied . Whereas a not met 29:38.170 --> 29:40.439 finding means that all requirement 29:40.449 --> 29:43.510 objectives were not satisfied. 
A 29:43.520 --> 29:46.280 requirement or objective that does not 29:46.290 --> 29:49.079 apply at the time of a CMMC assessment 29:49.260 --> 29:51.709 is considered not applicable 29:53.420 --> 29:57.420 For CMMC level one , all requirements 29:57.459 --> 29:59.729 must be fully implemented to be 29:59.739 --> 30:03.420 considered met . No plan of action nor 30:03.430 --> 30:06.770 milestones or POAM is permitted for CMMC 30:06.780 --> 30:10.709 level one . Therefore no score is 30:10.719 --> 30:14.349 calculated for level one. CMMC level 30:14.359 --> 30:18.050 two , the maximum score achievable is 30:18.060 --> 30:20.989 equal to the total number of CMMC 30:21.000 --> 30:24.609 level two requirements . Since CMMC 30:24.619 --> 30:27.739 level two aligns with NIST SP 30:27.750 --> 30:31.099 800-171 revision two which has 30:31.109 --> 30:33.939 110 requirements . Therefore , the 30:33.949 --> 30:36.780 maximum score is 110 . 30:38.010 --> 30:40.750 If all CMMC level two security 30:40.760 --> 30:43.189 requirements are implemented, the 30:43.199 --> 30:45.550 contractor or subcontractor is awarded 30:45.560 --> 30:49.089 the maximum score. For each requirement 30:49.099 --> 30:51.949 not met, the associated value , either 30:51.959 --> 30:55.770 1, 3 or five points is subtracted 30:55.780 --> 30:59.000 from the maximum score . The maximum 30:59.010 --> 31:01.479 score is reduced by the value of each 31:01.489 --> 31:04.119 requirement not implemented which may 31:04.130 --> 31:07.660 result in a negative score . The point 31:07.670 --> 31:09.930 value of each requirement is reflective 31:09.939 --> 31:12.770 of the potential risk to DoD CUI. 
31:14.949 --> 31:18.650 Unlike level two, CMMC level three 31:18.660 --> 31:22.449 scoring does not reflect varying values 31:22.459 --> 31:25.449 for security requirements as all of the 31:25.459 --> 31:27.930 requirements are considered imperative 31:28.069 --> 31:30.979 to improve the protection of DoD CUI 31:31.219 --> 31:33.920 against advanced persistent threats or 31:33.930 --> 31:37.680 APTs. Each requirement uses a 31:37.689 --> 31:41.530 value of one point . The maximum score 31:41.540 --> 31:44.479 achievable for CMMC level three is 31:44.489 --> 31:46.329 equal to the total number of 31:46.339 --> 31:50.150 requirements. As mentioned previously, 31:50.160 --> 31:53.199 CMMC level three aligns with 24 select 31:53.209 --> 31:56.489 requirements from NIST SP 800-172. 31:56.500 --> 31:59.930 Therefore , the maximum score is 31:59.939 --> 32:03.449 24. For each requirement not 32:03.459 --> 32:06.449 met the maximum score is reduced by 32:06.459 --> 32:09.819 one point . The CMMC level three 32:09.829 --> 32:11.940 scoring methodology reflects the 32:11.940 --> 32:14.770 fact that all CMMC level two 32:14.780 --> 32:18.349 requirements must already be met and 32:18.359 --> 32:21.089 a final certification obtained for the 32:21.099 --> 32:24.030 CMMC level three assessment boundary. 32:25.079 --> 32:27.959 Assessment results for all CMMC levels 32:27.969 --> 32:29.719 will be posted in the supplier 32:29.729 --> 32:32.780 performance risk system or SPRS and 32:32.790 --> 32:35.012 reviewed by the contracting officer and 32:35.012 --> 32:37.280 requiring activities. For more 32:37.290 --> 32:39.130 information on the CMMC scoring 32:39.140 --> 32:41.699 methodology, please refer to section 170.24 32:41.709 --> 32:45.339 of the 32 CFR 32:45.349 --> 32:48.930 proposed rule . Now that we've reviewed 32:48.939 --> 32:51.161 how the assessments are scored for each 32:51.161 --> 32:54.219 CMMC level . 
Let's discuss the use of 32:54.229 --> 32:56.739 a plan of action and milestones or POAM 32:57.160 --> 32:58.770 within the CMMC program . 33:00.869 --> 33:03.900 CMMC allows for limited use of a plan 33:03.910 --> 33:06.109 of action and milestones or POAM for 33:06.119 --> 33:09.619 levels two and three . It is important 33:09.630 --> 33:12.329 to note that not all security 33:12.339 --> 33:14.859 requirements are eligible to be 33:14.869 --> 33:18.709 included on a POAM. CMMC level 33:18.719 --> 33:22.660 one does not allow for a POAM as all 33:22.670 --> 33:25.689 security requirements must be met . 33:26.579 --> 33:30.180 CMMC level two allows a POAM for 33:30.189 --> 33:32.939 select requirements , requirements 33:32.949 --> 33:35.729 valued at three or five points as 33:35.739 --> 33:39.729 identified in section 170.24 are not 33:39.739 --> 33:42.030 eligible to be included on a POAM. 33:42.180 --> 33:44.291 With the exception of the requirement 33:44.291 --> 33:48.130 for CUI encryption. CMMC 33:48.140 --> 33:51.109 level three also allows a POAM for 33:51.119 --> 33:53.550 select requirements as identified in 33:53.560 --> 33:56.930 section 170.21 of the 32 33:56.939 --> 33:58.969 CFR CMMC rule . 34:00.579 --> 34:04.040 Additionally , a minimum score of 80% 34:04.050 --> 34:05.828 of the total number of security 34:05.828 --> 34:09.179 requirements is required to achieve CMMC 34:09.189 --> 34:11.580 level two or three , conditional 34:11.590 --> 34:15.540 certification compliance . 
Finally , a 34:15.560 --> 34:19.320 POAM must be closed and verified by a 34:19.330 --> 34:21.580 POAM close out assessment of the 34:21.590 --> 34:24.469 remaining not met requirements within 34:24.479 --> 34:28.350 180 days of the initial assessment 34:29.530 --> 34:32.260 If the POAM is not closed out within the 34:32.270 --> 34:35.590 180 day time frame, the conditional 34:35.600 --> 34:38.629 certification will expire and normal 34:38.639 --> 34:42.290 contractual remedies will apply . 34:42.409 --> 34:46.270 POAMs are addressed in section 170.21 of 34:46.280 --> 34:48.479 the 32 CFR proposed rule . 34:50.489 --> 34:52.719 Another major component of the CMMC 34:52.729 --> 34:55.250 program is the standards acceptance 34:55.260 --> 34:58.429 allowance. To avoid duplication of 34:58.439 --> 35:00.870 efforts , thereby reducing the 35:00.879 --> 35:03.010 aggregate cost to both industry and 35:03.020 --> 35:05.030 government, contractors and 35:05.040 --> 35:07.909 subcontractors who have completed a DCMA 35:07.919 --> 35:11.219 DIBCAC High NIST SP 35:11.229 --> 35:15.040 800-171 DoD assessment aligned with 35:15.050 --> 35:17.840 CMMC level two scoping will be 35:17.850 --> 35:20.100 eligible for CMMC level two 35:20.110 --> 35:22.459 certification assessment credit under 35:22.469 --> 35:25.300 the following conditions . Contractors 35:25.310 --> 35:27.250 or subcontractors who achieved a 35:27.260 --> 35:30.239 perfect score which means no open POAM 35:30.629 --> 35:33.330 from an eligible DIBCAC high assessment 35:33.340 --> 35:35.929 conducted prior to the effective date 35:35.939 --> 35:39.610 of the rule, are eligible for a CMMC 35:39.669 --> 35:42.219 level two certification assessment with 35:42.229 --> 35:44.770 a validity period of three years from 35:44.780 --> 35:46.891 the start date of the original DIBCAC 35:46.891 --> 35:50.419 assessment. 
Eligible DIBCAC high 35:50.429 --> 35:52.709 assessments include those conducted 35:52.719 --> 35:54.830 under DCMA's joint Surveillance 35:54.840 --> 35:56.951 Authority and meet the aforementioned 35:56.951 --> 36:00.459 criteria . It is important to recognize 36:00.469 --> 36:02.770 that the scope of the CMMC level two 36:02.780 --> 36:06.770 certification must be equal to the 36:06.780 --> 36:10.100 scope of the DIBCAC assessment . I will 36:10.110 --> 36:12.550 now turn it over to Ms Diane Knight to 36:12.560 --> 36:14.504 discuss submitting comments on the 36:14.504 --> 36:17.909 federal register . The 32 36:17.919 --> 36:20.899 CFR CMMC proposed rule and supporting 36:20.909 --> 36:23.250 documents were published on December 36:23.260 --> 36:26.169 26th , 2023 to start the 60 day 36:26.179 --> 36:28.739 public comment period that will close 36:28.750 --> 36:32.580 on February 26th , 2024 . The DoD wants 36:32.590 --> 36:34.423 to receive your comments on this 36:34.423 --> 36:36.701 proposed rule and supporting documents . 36:36.701 --> 36:39.604 Please visit federalregister.gov and 36:39.614 --> 36:43.034 regulations.gov and search for CMMC to 36:43.044 --> 36:45.504 locate the documents and please submit 36:45.514 --> 36:49.185 your comments by February 26 2024, the 36:49.195 --> 36:51.445 close of the public comment period , 36:51.584 --> 36:53.645 you may post comments from either of 36:53.655 --> 36:56.514 those sites. Momentarily, you will see 36:56.524 --> 36:59.225 a QR code that when scanned will take 36:59.235 --> 37:01.346 you to the federal register website . 37:11.800 --> 37:13.790 I will now quickly review the next 37:13.800 --> 37:17.110 steps for the 32 CFR final rule process . 
37:17.419 --> 37:19.641 The objective timeline for implementing 37:19.641 --> 37:21.800 contractor compliance with CMMC 37:21.810 --> 37:24.709 requirements has been and remains 37:24.719 --> 37:28.010 fiscal year 2025 to keep us on that 37:28.020 --> 37:30.520 timeline for completing the 32 CFR 37:30.530 --> 37:33.399 final CMMC program rule, at the 37:33.409 --> 37:35.742 conclusion of the public comment period , 37:35.742 --> 37:37.520 we will focus on completing the 37:37.520 --> 37:40.399 following actions . We will draft the 37:40.409 --> 37:42.899 final rule, update the regulatory 37:42.909 --> 37:45.399 impact analysis , the paperwork 37:45.409 --> 37:47.959 reduction act statements regarding the 37:47.969 --> 37:50.219 required information collections and 37:50.229 --> 37:52.239 prepare the final regulatory 37:52.250 --> 37:56.149 flexibility analysis or FRFA . We 37:56.159 --> 37:58.379 will complete internal DoD 37:58.389 --> 38:01.300 coordination , small business 38:01.310 --> 38:04.699 administration review and submit the 38:04.709 --> 38:07.500 final draft rule to OMB/OIRA for 38:07.510 --> 38:10.020 review that may include interagency 38:10.030 --> 38:13.570 reviews. Following that, the DoD CIO 38:13.580 --> 38:16.050 Honorable Sherman will approve posting 38:16.060 --> 38:17.893 of the CMMC rule to the federal 38:17.893 --> 38:21.330 register . And then finally , we have 38:21.340 --> 38:23.396 to complete the Congressional Review 38:23.396 --> 38:26.379 Act requirements for a mandatory 60 38:26.389 --> 38:28.167 days before the rule can become 38:28.169 --> 38:31.350 effective. Now back to Ms Bostjanick for 38:31.360 --> 38:33.899 her closing remarks regarding the CMMC 38:33.909 --> 38:37.689 program. The restructured CMMC 38:37.699 --> 38:40.040 program refines the original model as 38:40.050 --> 38:42.699 Mr Dees discussed earlier . 
It maintains 38:42.709 --> 38:44.598 the original goal of safeguarding 38:44.598 --> 38:47.050 sensitive information but does so in a 38:47.060 --> 38:49.060 manner that reduces costs for small 38:49.060 --> 38:51.282 businesses and aligns with the existing 38:51.282 --> 38:53.116 cybersecurity requirements . The 38:53.120 --> 38:55.574 department took concerns from industry 38:55.584 --> 38:57.864 and developed the proposed CMMC program 38:57.875 --> 39:00.334 which reduces complexity from five 39:00.344 --> 39:02.794 levels to three, adds flexibility 39:02.804 --> 39:05.304 through the introduction of POAMs and DoD 39:05.314 --> 39:08.145 requirements waivers, limits costs by 39:08.155 --> 39:10.377 only requiring self assessments for the 39:10.377 --> 39:12.599 15 requirements mandated by the federal 39:12.599 --> 39:14.879 acquisition regulation . Mitigates 39:14.889 --> 39:16.860 level two costs by allowing self 39:16.889 --> 39:19.389 assessment in some solicitations and 39:19.399 --> 39:22.199 limits requirements to the NIST 800-171 39:22.209 --> 39:24.040 standard , which was already 39:24.050 --> 39:27.810 implemented in the DFARS 252.204-7012 39:27.820 --> 39:31.030 clause. Applies level three to a small 39:31.040 --> 39:33.669 subset of DoD programs that require 39:33.679 --> 39:35.790 protection against our most capable 39:35.800 --> 39:38.290 adversaries and eliminates duplication 39:38.300 --> 39:40.550 through explicit acceptance of other 39:40.560 --> 39:43.270 standards . Cybersecurity is essential 39:43.280 --> 39:45.750 to the basic functioning of our economy . 
39:45.770 --> 39:47.437 The operation of our critical 39:47.437 --> 39:49.492 infrastructure , the strength of our 39:49.492 --> 39:51.389 democracy and democratic 39:51.399 --> 39:54.070 institutions , the privacy of our data 39:54.080 --> 39:56.024 and communications of our national 39:56.024 --> 39:59.479 defense a CMMC program is a key 39:59.489 --> 40:01.433 component to ensuring our national 40:01.433 --> 40:03.729 security . Improving your cybersecurity 40:03.739 --> 40:05.461 against evolving threats will 40:05.461 --> 40:07.183 safeguard the information that 40:07.183 --> 40:09.350 preserves our technological advantages 40:09.350 --> 40:11.260 over adversaries . Your cooperation 40:11.270 --> 40:13.437 is critical . We thank you 40:13.437 --> 40:15.381 for your time and attention . Once 40:15.385 --> 40:17.774 again , we encourage you to submit 40:17.784 --> 40:19.895 comments on the proposed rule and 40:19.905 --> 40:22.885 supplemental documents by February 26th . 40:23.165 --> 40:24.943 Only through submission of your 40:24.943 --> 40:26.887 comments , will the DoD be able to 40:26.887 --> 40:29.655 recognize and consider your concerns as 40:29.665 --> 40:31.495 we develop the final rule.