This site displays a prototype of a “Web 2.0” version of the daily Federal Register. It is not an official legal edition of the Federal Register, and does not replace the official print version or the official electronic version on GPO’s govinfo.gov.
The documents posted on this site are XML renditions of published Federal Register documents. Each document posted on the site includes a link to the corresponding official PDF file on govinfo.gov. This prototype edition of the daily Federal Register on FederalRegister.gov will remain an unofficial informational resource until the Administrative Committee of the Federal Register (ACFR) issues a regulation granting it official legal status. For complete information about, and access to, our official publications and services, go to About the Federal Register on NARA's archives.gov.
The OFR/GPO partnership is committed to presenting accurate and reliable regulatory information on FederalRegister.gov with the objective of establishing the XML-based Federal Register as an ACFR-sanctioned publication in the future. While every effort has been made to ensure that the material on FederalRegister.gov is accurately displayed, consistent with the official SGML-based PDF version on govinfo.gov, those relying on it for legal research should verify their results against an official edition of the Federal Register. Until the ACFR grants it official status, the XML rendition of the daily Federal Register on FederalRegister.gov does not provide legal notice to the public or judicial notice to the courts.
FederalRegister.gov retrieves relevant information about this document from Regulations.gov to provide users with additional context. This information is not part of the official Federal Register document.
Office of the Department of Defense Chief Information Officer (CIO), Department of Defense (DoD).
30-Day information collection notice.
The DoD has submitted to the Office of Management and Budget (OMB) for clearance the following proposal for collection of information under the provisions of the Paperwork Reduction Act.
Consideration will be given to all comments received by July 22, 2024.
Written comments and recommendations for the proposed information collection should be sent within 30 days of publication of this notice to www.reginfo.gov/public/do/PRAMain. Find this particular information collection by selecting “Currently under 30-day Review—Open for Public Comments” or by using the search function.
Reginald Lucas, (571) 372-7574, whs.mc-alex.esd.mbx.dd-dod-information-collections@mail.mil.
Title; Associated Form; and OMB Number: Cybersecurity Maturity Model Certification (CMMC) Enterprise Mission Assurance Support-Service (eMASS) Instantiation Information Collection; OMB Control Number 0704-0676.
Type of Request: New.
Number of Respondents: 1.
Responses per Respondent: 240.
Annual Responses: 240.
Average Burden per Response: 5 minutes.
Annual Burden Hours: 20.
Number of Respondents: 10,942.
Responses per Respondent: 1.
Annual Responses: 10,942.
Average Burden per Response: 15 minutes.
Annual Burden Hours: 2,735.5.
Number of Respondents: 10,943.
Annual Responses: 11,182.
Annual Burden Hours: 2,756.
Needs and Uses: The CMMC Program provides for the assessment of contractor implementation of cybersecurity requirements to enhance confidence in contractor protection of unclassified information within the DoD supply chain. CMMC contractual requirements are implemented under a Title 48 acquisition rule, with associated rulemaking for the CMMC Program requirements ( e.g., CMMC Scoring Methodology, certificate issuance, information accessibility) under a Title 32 program rule (32 Code of Federal Regulations (CFR) Part 170). The CMMC Title 32 program rule includes two separate information collection requests (ICR), one for the CMMC Program and this one for CMMC eMASS.
The CMMC instantiation of eMASS is the electronic collection mechanism for collecting CMMC program data, which provides the Department of Defense (DoD) visibility of the CMMC Levels 2 and 3 certification assessment results.
This information collection is necessary to support the implementation of the CMMC assessment process for CMMC Level 2 and Level 3 certification assessments, as ( printed page 52033) defined in 32 CFR 170.17 and 170.18 respectively.
The CMMC Level 2 certification assessment process is conducted by Certified Assessors, employed by CMMC Third-Party Assessment Organizations (C3PAOs). During the assessment process, Organizations Seeking Certification's hire C3PAOs to conduct the third-party assessment required for certification. The CMMC Certified Assessors upload assessment data: pre-assessment and planning material (date and level of the assessment; C3PAO name and unique identifier; name and business contact information for each Assessor; all industry CAGE codes associated with the information systems addressed by the CMMC Assessment Scope; name, date, and version of the system security plan (SSP); the Title 32 program rule (32 CFR part 170)), final assessment reports (assessment result for each requirement objective; POA&M usage and compliance, as applicable; and list of artifact names, the return values of the hashing algorithm, and the hashing algorithm used), and appropriate CMMC certificates of assessment (certification date, as applicable) into the CMMC instantiation of eMASS.
The CMMC Level 3 certification assessment process is conducted by the Defense Contract Management Agency (DCMA) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). DCMA DIBCAC assessors upload assessment data: pre-assessment and planning material (date and level of the assessment; name and business contact information for each Assessor; all industry CAGE codes associated with the information systems addressed by the CMMC Assessment Scope; name, date, and version of the system security plan (SSP); the Title 32 program rule (32 CFR part 170)), final assessment reports (assessment result for each requirement objective; POA&M usage and compliance, as applicable; and list of artifact names, the return values of the hashing algorithm, and the hashing algorithm used), and appropriate CMMC certificates of assessment (certification date, as applicable) into the CMMC instantiation of eMASS.
The Accreditation Body provides the CMMC Program Management Office with current data on C3PAOs and Assessors, including authorization and accreditation records and status using the CMMC instantiation of eMASS.
Affected Public: Business or other for-profit.
Frequency: On occasion.
Respondent's Obligation: Voluntary.
OMB Desk Officer: Ms. Jasmeet Seehra.
You may also submit comments and recommendations, identified by Docket ID number and title, by the following method:
Instructions: All submissions received must include the agency name, Docket ID number, and title for this Federal Register document. The general policy for comments and other submissions from members of the public is to make these submissions available for public viewing on the internet at http://www.regulations.gov as they are received without change, including any personal identifiers or contact information.
DoD Clearance Officer: Mr. Reginald Lucas.
Requests for copies of the information collection proposal should be sent to Mr. Lucas at whs.mc-alex.esd.mbx.dd-dod-information-collections@mail.mil.
Dated: June 14, 2024.
Aaron T. Siegel,
Alternate OSD Federal Register Liaison Officer, Department of Defense.
[FR Doc. 2024-13468 Filed 6-20-24; 8:45 am]
BILLING CODE 6001-FR-P
1 comment has been received at Regulations.gov.
Agencies review all submissions and may choose to redact, or withhold, certain submissions (or portions thereof). Submitted comments may not be available to be read until the agency has approved them.