0704-CMMC_SSA_7.26.23.docx

Cybersecurity Maturity Model Certification (CMMC) Program Reporting and Recordkeeping Requirements Information Collection

OMB: 0704-0677



PAPERWORK REDUCTION ACT REQUEST for 32 CFR

SUPPORTING STATEMENT - PART A

Cybersecurity Maturity Model Certification Assessment Information – 0704-XXXX

1. Need for the Information Collection

The Cybersecurity Maturity Model Certification (CMMC) Program provides for the assessment of contractor implementation of cybersecurity requirements to enhance confidence in contractor protection of unclassified information within the DoD supply chain. The CMMC Program is implemented under 48 CFR, with associated rulemaking for CMMC to align CMMC Program requirements (e.g., CMMC Scoring Methodology, certificate issuance, information accessibility) under 32 CFR Subpart D.

This information collection is necessary to support the implementation of the CMMC assessment process for Level 1 and Level 2 self-assessment, as defined in 32 CFR § 170.15 and 32 CFR § 170.16 respectively, and Level 2 and Level 3 certification assessment, as defined in 32 CFR § 170.17 and 32 CFR § 170.18 respectively.

The CMMC Level 2 certification assessment process is conducted by Certified Assessors employed by CMMC Third-Party Assessment Organizations (C3PAOs). Organizations Seeking Certification¹ (OSCs) hire C3PAOs to conduct the third-party assessment required for certification. The Certified Assessors upload select assessment data and results into the CMMC Enterprise Mission Assurance Support Service (CMMC eMASS), which provides the Department of Defense (DoD) visibility into the results.

Public comments on the CMMC data collection activities may be received from 30 to 60 days after the date of this notice (60 days after posting to the Federal Register).

2. Use of the Information

Level 1 and Level 2 CMMC Self-Assessments

  1. Organizations Seeking Assessment² (OSAs) follow procedures as defined in 32 CFR § 170.15(a)(1) and 32 CFR § 170.16(a)(1) to conduct CMMC Level 1 and Level 2 Self-Assessments on their information systems to determine conformance with the information safeguarding requirements associated with a CMMC level.

  2. To maintain compliance with CMMC Level 1 and Level 2 Self-Assessment requirements, the contractor must perform a CMMC Level 1 self-assessment annually or a CMMC Level 2 self-assessment triennially and submit the results in the Supplier Performance Risk System (SPRS). This information must include, but is not limited to: the CMMC Level; the standard assessed; the assessment date; the CMMC Assessment Scope; all industry CAGE code(s) associated with the information system(s) addressed by the CMMC Assessment Scope; the overall self-assessment score (e.g., 105 out of 110); and POA&M usage and compliance (Level 2, if applicable).

  3. The OSA Senior Official or Principal who is responsible for CMMC compliance shall submit affirmations into SPRS for each assessment in the form of a signature, attesting that they have met the CMMC security requirements and will maintain the applicable information systems at the required CMMC Level.

CMMC Level 2 Certification Assessment

  1. Certified Assessors assigned by C3PAOs follow requirements and procedures as defined in 32 CFR § 170.17 to conduct CMMC assessments on DIB contractor information systems to determine conformance with the information safeguarding requirements associated with CMMC Level 2.

  2. Prospective C3PAOs must complete and submit the Standard Form (SF) 328 Certificate Pertaining to Foreign Interests upon request from DCSA.

  3. C3PAOs must submit pre-assessment and planning material (contact information for the OSC, information about the C3PAO and assessors conducting the assessment, the level of assessment planned, the CMMC Model and Assessment Guide versions, and assessment approach), artifact information (list of artifacts, hash of artifacts, and hashing algorithm used), final assessment reports, appropriate CMMC certificates of assessment, and assessment appeal information. C3PAOs submit the data they collect to CMMC eMASS in a format compliant with the CMMC assessment data standard as set forth in eMASS_CMMC_Assessment_Import_Templates on the CMMC eMASS website (https://cmmc.emass.apps.mil) and in 32 CFR § 170.9(b)(19). C3PAO assessment teams generate assessment data compliant with the CMMC assessment data standard, which comprises two JavaScript Object Notation (JSON) schemas: one for "pre-assessment" or planning data, and one for the assessment results. C3PAOs may develop or purchase any tool that is compliant with the data standard and DoD security requirements and that generates pre-assessment data and assessment results in the required JSON file format. C3PAOs may also use spreadsheets that are compliant with the assessment data standard to submit the data. The C3PAO process to conduct a POA&M Close-out Assessment, where applicable, is the same as the initial assessment, with the same information collection requirements.

  4. The CMMC PMO will use CMMC eMASS for reporting and tracking metrics of the CMMC Program, including but not limited to, the number of OSCs, the number of certifications, the number of assessments conducted, and the number of POA&M successfully closed within the 180-day timeframe. CMMC eMASS will transfer assessment information to SPRS through an automated secure process, allowing DoD Contracting Officers to verify that offerors and contractors meet the required CMMC certification level at the time of contract award or option renewal.

  5. The OSC is responsible for compiling relevant artifacts as evidence and having knowledgeable personnel available during the assessment. The organizational artifacts are proprietary to the OSC and will not be retained by the assessment team unless expressly permitted by the OSC. To preserve the integrity of the artifacts reviewed, the OSC creates a hash of assessment evidence (to include a list of the artifact names, the return values of the hashing algorithm, and the hashing algorithm used) and retains the artifact information for the period of the CMMC certification. The artifact information is an information collection and is provided to the C3PAO for upload into CMMC eMASS; the artifacts themselves are not an information collection. The OSC process to support a POA&M Close-out Assessment, where applicable, is the same as the initial assessment with the same information collection requirements.

  6. The OSA Senior Official or Principal who is responsible for CMMC compliance shall submit affirmations into SPRS for each assessment in the form of a signature, attesting that they have met the CMMC security requirements and will maintain the applicable information systems at the required CMMC Level.

  7. If an OSC does not agree with the assessment results, it may formally dispute the assessment and initiate an Assessment Appeal process with the C3PAO that conducted the assessment. Appeals are tracked in CMMC eMASS and any resulting changes to the assessment results are uploaded into CMMC eMASS. This is not a separate information collection.

  8. The Accreditation Body, the CMMC Assessor and Instructor Certification Organization (CAICO), and C3PAOs incur information collection costs that are represented in the burden estimates as pass-through costs to the OSC. The pass-through costs considered include: (1) the Accreditation Body establishing, maintaining, and managing a listing of authorized and accredited C3PAOs; (2) the Accreditation Body providing the CMMC PMO with current data on C3PAOs; (3) the Accreditation Body ensuring that prospective C3PAOs complete and submit all required standard forms; (4) the Accreditation Body providing assessment appeal investigation records and decision results upon request; (5) the Accreditation Body providing necessary information regarding authorization and accreditation status as required; and (6) the CAICO maintaining, and providing the Accreditation Body with access to, its records related to procedures, processes, and actions related to fulfillment of the requirements for the period mandated by the rule.

CMMC Level 3 Certification Assessment

  1. DCMA DIBCAC Assessors follow requirements and procedures as defined in 32 CFR § 170.18 to conduct CMMC assessments on DIB contractor information systems to determine conformance with the information safeguarding requirements associated with CMMC Level 3. Because DCMA DIBCAC is a government entity, there are no information collection requirements.

  2. The OSC is responsible for compiling relevant artifacts as evidence and having knowledgeable personnel available during the assessment. Assessors will not permanently retain assessment artifacts. To preserve the integrity of the artifacts reviewed during the assessment, the OSC creates a hash of assessment evidence (to include a list of the artifact names, the return values of the hashing algorithm, and the hashing algorithm used) and retains the artifact information for the period of the CMMC certification. The artifact information is provided to DCMA DIBCAC for upload into CMMC eMASS. The OSC process to support a POA&M Close-out Assessment, where applicable, is the same as the initial assessment with the same information collection requirements.

  3. The OSA Senior Official or Principal who is responsible for CMMC compliance shall submit affirmations into SPRS for each assessment in the form of a signature, attesting that they have met the CMMC security requirements and will maintain the applicable information systems at the required CMMC Level.

  4. The CMMC PMO will use CMMC eMASS for reporting and tracking metrics of the CMMC Program, including but not limited to, the number of OSCs, the number of certifications, the number of assessments conducted, and the number of POA&M successfully closed within the 180-day timeframe. CMMC eMASS will transfer assessment information to SPRS through an automated secure process, allowing DoD Contracting Officers to verify that offerors and contractors meet the required CMMC certification level at the time of contract award or option renewal.

  5. If an OSC does not agree with the assessment results, it may formally dispute the assessment and initiate an Assessment Appeal process with DCMA DIBCAC. Appeals are tracked in CMMC eMASS and any resulting changes to the assessment results are uploaded into CMMC eMASS. This is not a separate information collection.
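The artifact-hash record described above for Level 2 (item 5 of that list) and Level 3 (item 2 of that list) has three elements: the artifact names, the hash value of each artifact, and the hashing algorithm used. The following Python script is an added example and is not code from this document, the CMMC PMO, any C3PAO, or the CMMC eMASS import templates. It builds such a record for a directory of evidence, serializes it as JSON (the form the OSC would hand to the assessment team), and later re-verifies the retained evidence against it, reporting artifacts that were modified, removed, or added after the record was made. The JSON field names, the directory layout, the sample files, and the choice of SHA-256 (the statement names no particular algorithm) are this example's own assumptions.

```python
"""Build and verify an artifact-hash record for CMMC assessment evidence.

Added example, not DoD, C3PAO or CMMC eMASS code. The record carries the
three elements the supporting statement names (artifact names, hash
values, algorithm); the JSON field names are an assumption of this
example, not the eMASS_CMMC_Assessment_Import_Templates schema.
"""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

# Assumption: the statement does not fix an algorithm; SHA-256 (FIPS 180-4)
# is the default here. The record stores the name so a verifier need not guess.
ALGORITHM = "sha256"
CHUNK = 1 << 20  # read files in 1 MiB pieces so large artifacts do not load into memory


def digest_file(path: Path, algorithm: str = ALGORITHM) -> str:
    """Hex digest of one artifact, streamed from disk."""
    h = hashlib.new(algorithm)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def _artifacts_under(root: Path) -> list:
    """Regular files below root, as sorted POSIX-style relative names."""
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file())


def build_record(evidence_dir: Path, algorithm: str = ALGORITHM) -> dict:
    """Artifact-hash record: algorithm plus (name, digest) for every artifact."""
    entries = [{"artifact": name, "hash": digest_file(evidence_dir / name, algorithm)}
               for name in _artifacts_under(evidence_dir)]
    return {"hashing_algorithm": algorithm, "artifacts": entries}


def record_digest(record: dict) -> str:
    """Single value an OSC can keep on file: hash of the canonical JSON of the record."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.new(record["hashing_algorithm"], canonical).hexdigest()


def verify_record(evidence_dir: Path, record: dict) -> dict:
    """Re-hash retained evidence and classify each artifact."""
    algorithm = record["hashing_algorithm"]
    listed = {e["artifact"]: e["hash"] for e in record["artifacts"]}
    present = set(_artifacts_under(evidence_dir))
    result = {"ok": [], "modified": [], "missing": [],
              "unlisted": sorted(present - listed.keys())}  # files added after the record
    for name, expected in listed.items():
        path = evidence_dir / name
        if not path.is_file():
            result["missing"].append(name)
        elif hmac.compare_digest(digest_file(path, algorithm), expected):
            result["ok"].append(name)
        else:
            result["modified"].append(name)
    return result


def demo() -> tuple:
    """Constructed evidence set: build the record, alter the evidence, verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "policies").mkdir()
        # Constructed sample artifacts; contents are placeholders, not real documents.
        (root / "policies" / "AC-policy.pdf").write_bytes(b"%PDF-1.4 constructed access control policy\n")
        (root / "ssp.docx").write_bytes(b"constructed system security plan\n")

        record = build_record(root)
        record_json = json.dumps(record, indent=2)  # what the OSC provides to the assessors

        # Later in the retention period: one artifact edited, one dropped in unannounced.
        (root / "ssp.docx").write_bytes(b"constructed system security plan, edited afterwards\n")
        (root / "scan-results.csv").write_bytes(b"host,finding\n")

        return record, verify_record(root, json.loads(record_json))


if __name__ == "__main__":
    record, result = demo()
    print("record digest:", record_digest(record))
    print(json.dumps(result, indent=2))
```

The verifier distinguishes an artifact that changed from one that is absent and from one that was added, because each of these means something different to an assessment team checking that the artifacts retained are the artifacts reviewed. SHA-256 is used rather than MD5 or SHA-1 because both of those have practical collision attacks, which would allow an artifact to be replaced by a colliding file without the record changing. The record, or at least its single digest, should be kept where the assessed system cannot silently overwrite it, since it is the only evidence that the retained artifacts match what was assessed.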

3. Use of Information Technology

CMMC submissions are collected using information technology. C3PAOs and DCMA DIBCAC electronically upload assessment data into CMMC eMASS. CMMC eMASS electronically transfers certification results to SPRS. For Level 1 and 2 Self-Assessments, OSAs upload their assessment data directly into SPRS.

Use of CMMC eMASS provides DoD visibility into the cybersecurity posture of the DIB supply chain and is the mechanism to generate reports on the health of the CMMC Ecosystem. SPRS is DoD's authoritative source for supplier and product performance information. Use of this electronic system eliminates the need for contractors to respond directly to multiple DoD requiring activities. SPRS serves as a single repository for Government access to CMMC assessment results.

4. Non-duplication

The information obtained through this collection is unique and is not already available for use or adaptation from another cleared source.

5. Burden on Small Businesses

For Level 1 and 2 Self-Assessments, OSAs must report annually and triennially, respectively. Level 2 and Level 3 certification assessments must be conducted every three years by a C3PAO or DCMA DIBCAC, respectively. At all levels, an annual affirmation is required. In all cases, the burden applied to small business is the minimum consistent with applicable laws, Executive orders, regulations, and prudent business practices.

C3PAOs may also be small businesses. Efforts to minimize the burden on C3PAOs include collecting all data electronically and providing Microsoft Excel spreadsheet templates.

6. Less Frequent Collection

Each CMMC assessment requires the data collection defined above. CMMC certifications last up to three years. The assessment frequency for each level was determined by the DoD based on the sensitivity of information processed, stored, or transmitted by the OSA at each level.

DoD Program Managers use SPRS to confirm an OSA’s CMMC self-assessment or certification assessment status prior to contract award. Rather than taking a contract-by-contract approach to securing FCI and CUI, the OSA may obtain multiple contracts with a single CMMC self-assessment or certification assessment, thereby reducing the cost to both DoD and industry.

7. Paperwork Reduction Act Guidelines

This collection of information does not require collection to be conducted in a manner inconsistent with the guidelines delineated in 5 CFR 1320.5(d)(2).

8. Consultation and Public Comments

The Department consulted with members of the DIB Sector Coordinating Council (SCC), and government organizations including Defense Contract Management Agency (DCMA)/ Defense Industrial Base Cybersecurity Assessment Center (DIBCAC), and Missile Defense Agency (MDA) in determining the collection of CMMC eMASS information.

The 60-Day FRN citation is (volume number) FRN (Page number). [Public Comments received eventually go here]

9. Gifts or Payment

No payments or gifts are being offered to respondents as an incentive to participate in the collection.

10. Confidentiality

The CMMC Program Office coordinated with Defense Information Systems Agency (DISA) to validate compliance with all Privacy requirements, including the potential for there to be a Privacy Act Statement, System of Records Notice (SORN), and/or Privacy Impact Assessment (PIA) associated with this collection. The PIA is listed here: https://disa.mil/About/Legal-and-Regulatory/Privacy-Impact-Assessment. The SORN can be found here: https://dpcld.defense.gov/Privacy/SORNsIndex/DOD-Component-Notices/DISA-Article-List.

The CMMC Program Office is also working with a Records POC to ensure records produced from this information collection are retained and disposed of according to a NARA approved Records Retention and Disposition Schedule. Records will be treated as permanent until the appropriate schedule is identified or approved.

11. Sensitive Questions

No questions considered sensitive are being asked in this collection.

12. Respondent Burden and its Labor Costs

Part A: ESTIMATION OF RESPONDENT BURDEN

  1. Collection Instrument(s) 

CMMC Level 1 Self-Assessments (Small Entities)  

  1. Number of Respondents: 14,716 

  2. Number of Responses Per Respondent: 1 

  3. Number of Total Annual Responses: 14,716 

  4. Response Time: 24.08 hours 

  5. Respondent Burden Hours: 354,361 

 

CMMC Level 1 Self-Assessments (Other Than Small Entities) 

  1. Number of Respondents: 5,170 

  2. Number of Responses Per Respondent: 1 

  3. Number of Total Annual Responses: 5,170 

  4. Response Time: 24.08 hours 

  5. Respondent Burden Hours: 124,494 

 

CMMC Level 2 Self-Assessments (Small Entities)  

  1. Number of Respondents: 423

  2. Number of Responses Per Respondent: 1

  3. Number of Total Annual Responses: 423

  4. Response Time: 140.08 hours

  5. Respondent Burden Hours: 59,254

 

CMMC Level 2 Self-Assessments (Other Than Small Entities) 

  1. Number of Respondents: 148 

  2. Number of Responses Per Respondent: 1 

  3. Number of Total Annual Responses: 148 

  4. Response Time: 416.08 hours 

  5. Respondent Burden Hours: 61,580 

 

CMMC Level 2 Certification Assessments (Small Entities)

  1. Number of Respondents: 8,098

  2. Number of Responses Per Respondent: 1

  3. Number of Total Annual Responses: 8,098

  4. Response Time: 418.08 hours

  5. Respondent Burden Hours: 3,385,612



CMMC Level 2 Certification Assessments (Other Than Small Entities)

  1. Number of Respondents: 2,844

  2. Number of Responses Per Respondent: 1

  3. Number of Total Annual Responses: 2,844

  4. Response Time: 834.08 hours

  5. Respondent Burden Hours: 2,372,124


CMMC Level 3 Certification Assessments (Small Entities)  

  1. Number of Respondents: 190

  2. Number of Responses Per Respondent:  1

  3. Number of Total Annual Responses:  190

  4. Response Time: 42.08 hours 

  5. Respondent Burden Hours: 7,995

 

CMMC Level 3 Certification Assessments (Other Than Small Entities) 

  1. Number of Respondents:  23

  2. Number of Responses Per Respondent: 1

  3. Number of Total Annual Responses:  23

  4. Response Time: 384.08 hours 

  5. Respondent Burden Hours: 8,834


  2. Total Submission Burden

  1. Total Number of Respondents: 31,612 

  2. Total Number of Annual Responses: 31,612

  3. Total Respondent Burden Hours: 6,374,254 hours 

 

Part B: LABOR COST OF RESPONDENT BURDEN 

 

  1. Collection Instrument(s) 

CMMC Level 1 Self-Assessments (Small Entities)  

  1. Number of Total Annual Responses: 14,716 

  2. Response Time: 24.08 hours 

  3. Respondent Hourly Wage: $224.92 

  4. Labor Burden per Response: $5,416 

  5. Total Labor Burden: $79,701,856 

 

CMMC Level 1 Self-Assessments (Other Than Small Entities)  

  1. Number of Total Annual Responses: 5,170 

  2. Response Time: 24.08 hours 

  3. Respondent Hourly Wage: $143.60 

  4. Labor Burden per Response: $3,458 

  5. Total Labor Burden: $17,877,860 

 

CMMC Level 2 Self-Assessments (Small Entities)  

  1. Number of Total Annual Responses: 423 

  2. Response Time: 140.08 hours 

  3. Respondent Hourly Wage: $234.28 

  4. Labor Burden per Response: $32,818 

  5. Total Labor Burden: $13,882,014 

 

CMMC Level 2 Self-Assessments (Other Than Small Entities)  

  1. Number of Total Annual Responses: 148 

  2. Response Time: 416.08 hours 

  3. Respondent Hourly Wage: $97.80 

  4. Labor Burden per Response: $40,691 

  5. Total Labor Burden: $6,022,268 

 

CMMC Level 2 Certification Assessments (Small Entities)  

  1. Number of Total Annual Responses: 8,098 

  2. Response Time: 418.08 hours 

  3. Respondent Hourly Wage: $239.89 

  4. Labor Burden per Response: $100,293 

  5. Total Labor Burden: $812,172,714 

 

CMMC Level 2 Certification Assessments (Other Than Small Entities)  

  1. Number of Total Annual Responses: 2,844 

  2. Response Time: 834.08 hours 

  3. Respondent Hourly Wage: $131.44 

  4. Labor Burden per Response: $109,633 

  5. Total Labor Burden: $311,796,252 


CMMC Level 3 Certification Assessments (Small Entities)  

  1. Number of Total Annual Responses: 190

  2. Response Time: 42.08 hours 

  3. Respondent Hourly Wage: $170.48

  4. Labor Burden per Response: $7,174

  5. Total Labor Burden: $1,363,060


CMMC Level 3 Certification Assessments (Other Than Small Entities)  

  1. Number of Total Annual Responses: 23

  2. Response Time: 384.08 hours 

  3. Respondent Hourly Wage: $94.53

  4. Labor Burden per Response: $36,309

  5. Total Labor Burden: $835,107


  2. Overall Labor Burden

    1. Total Number of Responses: 31,612

    2. Total Labor Burden: $1,243,651,131

 

13. Respondent Costs Other Than Burden Hour Costs

Non-Recurring and Recurring Engineering estimated costs are included for Level 3 Certification Assessments. Non-recurring Engineering reflects a one-time cost consisting of hardware, software, and the associated labor to implement the same. Recurring Engineering reflects annually recurring fees and associated labor for technology refresh. The estimated amounts below are average annual amounts for all entities as indicated.


Part A: Non-Recurring Engineering and Recurring Engineering Cost (Small Entities)


1) Non-Recurring Engineering Cost: $513,000,000

2) Recurring Engineering Cost: $93,100,000

3) Total Non-Recurring Engineering and Recurring Engineering: $606,100,000


Part B: Non-Recurring Engineering and Recurring Engineering Cost (Other Than Small Entities)


1) Non-Recurring Engineering Cost: $485,300,000

2) Recurring Engineering Cost: $94,760,000

3) Total Non-Recurring Engineering and Recurring Engineering: $580,060,000


Part C: Total Non-Recurring Engineering and Recurring Engineering Cost (All Entities)


1) Non-Recurring Engineering Cost: $998,300,000

2) Recurring Engineering Cost: $187,860,000

3) Total Non-Recurring Engineering and Recurring Engineering: $1,186,160,000



Travel costs for C3PAO assessors may represent an additional cost for respondents.


14. Cost to the Federal Government


Part A: LABOR COST TO THE FEDERAL GOVERNMENT


  1. Collection Instrument(s)


CMMC Level 3 Assessments (Small Entities)

a) Number of Total Annual Responses: 190

b) Processing Time per Response: 118.0 hours

c) Total Processing Time: 22,420 hours

d) Hourly Wage of Worker(s) Processing Responses: $108.48

e) Cost to Process Each Response: $12,800

f) Total Cost to Process Responses: $2,432,000


CMMC Level 3 Assessments (Other Than Small Entities)

a) Number of Total Annual Responses: 23

b) Processing Time per Response: 436.0 hours

c) Total Processing Time: 10,028 hours

d) Hourly Wage of Worker(s) Processing Responses: $81.01

e) Cost to Process Each Response: $35,322

f) Total Cost to Process Responses: $812,406


Part B: OPERATIONAL AND MAINTENANCE COSTS


Government operational and maintenance costs include the estimate to develop the operational CMMC eMASS. The estimated average annual amount is provided below.


  1. Cost Categories

    1. Equipment: $0

    2. Printing: $0

    3. Postage: $0

    4. Software Purchases: $0

    5. Licensing Costs: $0

    6. Other: $2,731,861


  2. Total Operational and Maintenance Cost: $2,731,861


Part C: TOTAL COST TO THE FEDERAL GOVERNMENT


  1. Total Labor Cost to the Federal Government: $3,244,406

  2. Total Operational and Maintenance Costs: $2,731,861

  3. Total Cost to the Federal Government: $5,976,267


The following is a summary of the estimated cost to the Public and Government to comply with the CMMC Level 1 and Level 2 Self-Assessments, and Level 2 and Level 3 Certification Assessments.

Level 1 and Level 2 Self-Assessment, Level 2 and Level 3 Certification Assessment Requirements

Estimation of Total Public and Government Burden: CMMC Level 1 and Level 2 Self-Assessments, Level 2 and Level 3 Certification Assessments

  Total Number of Respondents*                                     31,612**
  Total Number of Annual Responses*                                  31,612
  Total Estimated Hours***                                        6,406,702
  Total Annual Labor Burden (Average Over Phase-In Period)   $1,246,895,537
  Government Operational and Maintenance (Average Annual)        $2,731,861
  Respondent Non-Recurring and Recurring (Average Annual)    $1,186,160,000
  Total Annual Burden                                        $2,435,787,398

* Respondent is equivalent to an entity; an entity provides one response annually.

** Represents the number of entities that will complete all levels, on average, based on the phase-in period shown in the tables below.

*** Includes hours for public and government, detailed above.


Historical metrics and subject matter expertise supported the estimated number of small and other than small entities that will complete the CMMC Level 1, 2, and 3 assessments over a 7-year phase-in period. The average annual number of small and other than small entities completing Level 1 and Level 2 Self-Assessments and Level 2 and Level 3 Certification Assessments over the phase-in period is shown below. These entity numbers are used in the cost impact calculations summarized above.

Level 1 Self-Assessment Number of Entities Over Phased-In Period

  Year     Small   Other Than Small      Total
  1          699                246        945
  2        3,493              1,227      4,720
  3       11,654              4,094     15,748
  4       22,336              7,848     30,184
  5       22,333              7,846     30,179
  6       22,333              7,846     30,179
  7       20,162              7,084     27,246
  Total  103,010             36,191    139,201
  Avg     14,716              5,170



Level 2 Self-Assessment Number of Entities Over Phased-In Period

  Year     Small   Other Than Small      Total
  1           20                  7         27
  2          101                 35        136
  3          335                118        453
  4          642                225        867
  5          642                225        867
  6          642                225        867
  7          579                204        783
  Total    2,961              1,039      4,000
  Avg        423                148



Level 2 Certification Assessment Number of Entities Over Phased-In Period

  Year     Small   Other Than Small      Total
  1          382                135        517
  2        1,926                673      2,599
  3        6,414              2,252      8,666
  4       12,293              4,317     16,610
  5       12,289              4,317     16,606
  6       12,289              4,317     16,606
  7       11,096              3,898     14,994
  Total   56,689             19,909     76,598
  Avg      8,098              2,844



Level 3 Certification Assessment Number of Entities Over Phased-In Period

  Year     Small   Other Than Small      Total
  1            3                  1          4
  2           45                  5         50
  3          151                 18        169
  4          289                 34        323
  5          289                 34        323
  6          289                 34        323
  7          261                 34        295
  Total    1,327                160      1,487
  Avg        190                 23



15. Reasons for Change in Burden

This is a new collection with a new associated burden.

16. Publication of Results.

The results of this information collection will not be published.

17. Non-Display of OMB Expiration Date

DoD does not seek approval to omit the display of the expiration dates for OMB approval of the information collection.

18. Exceptions to “Certification for Paperwork Reduction Submissions”

DoD is not requesting any exemptions to the provisions stated in 5 CFR 1320.9.

¹ An Organization Seeking Certification (OSC) is an entity seeking to contract, obtain, or maintain CMMC certification for a given information system at a particular CMMC Level. An OSC is also an OSA.

² An Organization Seeking Assessment (OSA) is an entity seeking to conduct, obtain, or maintain a CMMC assessment for a given information system at a particular CMMC Level. The term OSA includes all OSCs.


File Created: 2023-07-29
