
DFARS Case 2019-D041 Assessing Contractor Implementation of Cybersecurity Requirements

Regulatory Impact Analysis

Table of Contents

A. Background (p. 3)
B. NIST SP 800-171 DoD Assessment Methodology (p. 5)
  1. Summary of Impact (p. 5)
  2. Cost Analysis (p. 7)
    a. Public Costs (p. 7)
      i. Basic Assessment (p. 8)
      ii. Medium Assessment (p. 8)
      iii. High Assessment (p. 9)
      iv. Total Public Costs (p. 9)
    b. Government Costs (p. 10)
      i. Review of Assessments (p. 10)
      ii. Medium Assessment (p. 10)
      iii. High Assessment (p. 10)
      iv. Total Government Costs (p. 11)
    c. Total Public and Government Costs (p. 11)
C. CMMC Framework (p. 12)
  1. Summary of Impact (p. 12)
    a. The Framework (p. 12)
    b. Policy Problems addressed by CMMC (p. 13)
      i. Verifies the contractor cybersecurity posture (p. 14)
      ii. Comprehensive implementation of cybersecurity requirements (p. 14)
      iii. Scale and Depth (p. 15)
      iv. Reduces Duplicate or Repetitive Assessments of our Industry Partners (p. 15)
    c. CMMC roll-out (p. 15)
    d. Alternatives (p. 19)
      i. CMMC Model and implementation (p. 20)
      ii. Timing of CMMC level certification requirement (p. 22)
  2. Cost Analysis (p. 22)
    a. Public Costs (p. 22)
      i. CMMC Level 1 Certification (p. 23)
      ii. CMMC Level 2 Certification (p. 25)
      iii. CMMC Level 3 Certification (p. 28)
      iv. CMMC Level 4 Certification (p. 30)
      v. CMMC Level 5 Certification (p. 33)
      vi. Total Public Costs (p. 35)
    b. Government Costs (p. 36)
      i. Review of CMMC Certification in SPRS (p. 37)
      ii. DoD/DIBCAC Assessment of CMMC Third Party Assessment Organizations (p. 37)
      iii. CMMC Database Infrastructure Costs (p. 38)
      iv. Total Government Costs (p. 38)
    c. Total Public and Government Costs (p. 38)
D. Elimination of Duplicate of Effort (p. 40)
  1. Public Savings (p. 40)
    a. Eliminate Duplicate Contractor Self-Assessments (p. 40)
    b. Eliminate Duplicate Medium Assessments (p. 40)
    c. Eliminate Duplicate High Assessments (p. 41)
    d. Total Public Savings (p. 41)
  2. Government Savings (p. 41)
    a. Eliminate Duplicate Medium Assessments (p. 42)
    b. Eliminate Duplicate High Assessments (p. 42)
    c. Total Government Savings (p. 42)
  3. Total Public and Government Savings (p. 42)
E. Benefits (p. 43)


A. Background

The theft of intellectual property and sensitive information from all U.S. industrial sectors due to malicious cyber activity threatens economic security and national security. The Council of Economic Advisors estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016.[1] The Center for Strategic and International Studies estimates that the total global cost of cybercrime was as high as $600 billion in 2017.[2]

    Malicious cyber actors have and continue to target the Defense Industrial Base (DIB) sector and the supply chain of the Department of Defense (DoD). These attacks not only focus on the large prime contractors, but also target subcontractors that make up the lower tiers of the DoD supply chain. Many of these subcontractors are small entities that provide critical support and innovation. Overall, the DIB sector consists of over 220,000 companies that support the warfighter and contribute towards the research, engineering, development, acquisition, production, delivery, sustainment, and operations of DoD systems, networks, installations, capabilities, and services. The aggregate loss of intellectual property and certain unclassified information from the DoD supply chain can undercut U.S. technical advantages and innovation, as well as significantly increase risk to national security.

    Currently, the Federal Acquisition Regulation (FAR) and Defense FAR Supplement (DFARS) prescribe contract clauses intended to protect the following types of unclassified information within the supply chain:

    Federal Contract Information (FCI). FCI is information not intended for public release, that is provided by or generated for the Government under contract to develop or deliver a product or service to the Government but not including information provided by the Government to the public (such as that on public Web sites) or simple transactional information, such as that necessary to process payments.

    Controlled Unclassified Information (CUI). CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

    Specifically, the clause at FAR 52.204–21, Basic Safeguarding of Covered Contractor Information Systems, is prescribed at FAR 4.1903 for use in Government solicitations and contracts when the contractor or a subcontractor at any tier may have FCI residing in or transiting through its information system. This clause requires contractors and subcontractors to apply basic safeguarding requirements and procedures to protect covered contractor information systems. The clause focuses on ensuring a basic level of safeguarding for any contractor system with FCI and is reflective of actions a prudent business person would employ.

[1] https://www.whitehouse.gov/articles/cea-report-cost-malicious-cyber-activity-u-s-economy/
[2] https://www.csis.org/events/economic-impact-cybercrime


In addition, the clause at DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, is prescribed at DFARS 204.7304(c) for use in all DoD solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, except for solicitations and contracts solely for the acquisition of commercially available off-the-shelf items. This clause requires contractors and subcontractors to provide “adequate security” to safeguard DoD CUI when it is residing on or transiting through a contractor’s/subcontractor’s internal information system or network, and to report cyber incidents that affect that system or network. The clause states that to provide adequate security, the Contractor shall implement, at a minimum, the security requirements in “National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171, Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations.” Contractors are also required to flow down DFARS Clause 252.204-7012 to all subcontracts that involve CUI.

However, neither the FAR clause nor the DFARS clause provides for DoD verification of a contractor’s implementation of basic safeguarding requirements or the security requirements specified in NIST SP 800-171 prior to contract award. As part of multiple lines of effort focused on the security and resiliency of the DIB sector, the Department is working with industry to enhance the protection of unclassified information within the supply chain. Towards this end, DoD has developed the following standards and framework to assess contractor implementation, both of which are being implemented by this rule:

    The NIST SP 800-171 DoD Assessment Methodology. This is a standard methodology to assess contractor implementation of the cybersecurity requirements in NIST SP 800-171, as required by DFARS clause 252.204-7012.

    Cybersecurity Maturity Model Certification (CMMC). This is a DoD cybersecurity framework that measures cybersecurity maturity with five levels and aligns a set of processes and practices with the type and sensitivity of information to be protected and the associated range of threats.

    CMMC builds upon DFARS 252.204-7012 by leveraging the cybersecurity requirements found in NIST SP 800-171. The NIST SP 800-171 DoD Assessment Methodology provides a means for the Department to assess contractor implementation of these requirements as the Department transitions to full implementation of CMMC, and a means for companies to self-assess their implementation of the NIST SP 800-171 requirements prior to either a DoD or CMMC assessment. In addition, it provides the means for DoD and the Defense Contract Management Agency’s (DCMA’s) Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) to maintain quality assurance for third party assessors, and for a DoD Component/Program Office to request, when warranted based on the criticality of a program/technology, a DoD assessment of a contractor’s covered information system.


B. NIST SP 800-171 DoD Assessment Methodology

1. Summary of Impact

The NIST SP 800-171 DoD Assessment Methodology provides for the assessment of a contractor’s implementation of NIST SP 800-171 security requirements, as required by DFARS clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.” The DoD/DIBCAC effort to strategically assess implementation of NIST SP 800-171 is the Department’s initial DoD/corporate-wide assessment of contractor implementation of the mandatory cybersecurity requirements established in contract regulations. Results of a NIST SP 800-171 DoD Assessment reflect the net effect of NIST SP 800-171 security requirements not yet implemented by a contractor, and may be conducted at one of three assessment levels. A “Basic Assessment” is a self-assessment completed by the contractor, while a “Medium Assessment” or “High Assessment” is completed by DoD.

    The DoD Assessment Methodology provides the following benefits:

    Enables Strategic Assessments at the Entity-level. The NIST SP 800-171 DoD Assessment Methodology enables DoD to strategically assess a contractor’s implementation of NIST SP 800-171 on existing contracts that include DFARS clause 252.204-7012, and to provide an objective assessment of a contractor’s NIST SP 800-171 implementation status.

    Reduces Duplicate or Repetitive Assessments of our Industry Partners. Assessment results will be posted in the Supplier Performance Risk System (SPRS), DoD's authoritative source for supplier and product performance information. This will provide DoD Components with visibility to summary level scores and an alternative to addressing implementation of NIST SP 800-171 on a contract-by-contract approach—significantly reducing the need to conduct assessments at the program level, thereby reducing the cost to both DoD and industry.

    Provides a Standard Methodology for Contractors to Self-assess Their Implementation of the NIST SP 800-171 Requirements. The Basic Assessment provides a consistent means for contractors to review their system security plans prior to and in preparation for either a DoD or CMMC assessment.

    To implement the DoD Assessment Methodology, this rule provides a new solicitation provision at DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements, which is prescribed for use in all solicitations, including solicitations using FAR part 12 procedures for the acquisition of commercial items, except for solicitations solely for the acquisition of COTS items. Per the new provision, if an Offeror is required to have implemented NIST SP 800-171 per DFARS clause 252.204-7012, then the Offeror shall have a current assessment for each covered contractor information system that is relevant to the offer, contract, task order, or delivery order in order to be considered for award.


This rule also adds a new contract clause at DFARS 252.204-7020, NIST SP 800-171 DoD Assessment Requirements, which is prescribed for use in all solicitations and contracts, including solicitations and contracts using FAR part 12 procedures for the acquisition of commercial items, except for solicitations and contracts solely for the acquisition of COTS items. The clause requires the contractor to provide the Government access to its facilities, systems, and personnel in order to conduct a Medium or High Assessment, if necessary. Medium Assessments are assumed to be conducted by DoD Components, primarily by Program Management Office cybersecurity personnel, in coordination with the DCMA’s DIBCAC, as part of a separately scheduled visit (e.g., for a Critical Design Review). High Assessments will be conducted by, or in conjunction with, DCMA’s DIBCAC. The Department may choose to conduct a Medium or High Assessment when warranted based on the criticality of the program(s)/technology(ies) associated with the contracted effort(s). For example, a Medium Assessment may be initiated by a Program Office that has determined that the risk associated with its programs warrants going beyond the Basic self-assessment. The results of that Medium Assessment may satisfy the Program Office, or may indicate the need for a High Assessment.

    The following illustrates the requirements of the Basic, Medium, and High Assessments, which are conducted in accordance with the NIST SP 800-171 DoD Assessment Methodology:

Assessment: Basic
Affected Entities: Required for all DoD awardees that have “covered contractor information systems,” as defined in DFARS clause 252.204-7012, that are not part of an IT service or system operated on behalf of the Government, excluding awardees with solely COTS items awards.
Requirement: A contractor conducts a self-assessment by reviewing its system security plan(s) for covered contractor information system(s), identifies NIST SP 800-171 requirements not yet implemented, and reports the results to DoD for posting to SPRS.

Assessment: Medium
Affected Entities: Required for certain DoD awardees that have “covered contractor information systems,” as defined in DFARS clause 252.204-7012, that are not part of an IT service or system operated on behalf of the Government, excluding awardees with solely COTS items awards.
Requirement: The contractor provides DoD access to its facilities and personnel, if necessary, and prepares for/participates in the Assessment conducted by DoD. The DoD assessor will review the system security plan description of how each requirement is met and will identify any descriptions that may not properly address the security requirements. DoD will post the results in SPRS.

Assessment: High
Affected Entities: Required for certain DoD awardees that have “covered contractor information systems,” as defined in DFARS clause 252.204-7012, that are not part of an IT service or system operated on behalf of the Government, excluding awardees with solely COTS items awards.
Requirement: The contractor provides DoD access to its facilities, systems, and personnel and prepares for/participates in the Assessment conducted by DoD. The DoD assessors will review the system security plan description of how each requirement is met, and the contractor will demonstrate the implementation to the DoD assessors. DoD will post the results in SPRS.


    According to data available in the Electronic Data Access system for fiscal years (FYs) 2016, 2017, and 2018, on an annual basis DoD awards on average 485,859 contracts and orders that contain DFARS clause 252.204-7012 to 39,204 unique awardees, of which 262,509 awards (54%) are made to 26,468 small entities (68%).

    The need for a Basic Assessment will begin to impact entities as they compete on solicitations that include the new solicitation provision and contract clause, and the clause at DFARS 252.204-7012, if the entity has covered contractor information systems that are required to be in compliance with NIST SP 800-171. This will occur gradually over time as DoD issues new solicitations. For the purposes of this cost analysis, it is assumed that 1/3 of the total unique awardees (13,068 entities) would be subject to the basic assessment requirements, 68% (8,823 entities) of which are estimated to be small entities.

    It is expected that the Medium and High Assessments, on the other hand, will be conducted on a finite number of awardees each year. In addition, DoD Assessments are valid for three years, so entities will need to renew, at minimum, their basic assessment every three years.

    The following is a summary of expected rollout of the Assessments over a three-year period:

Assessment   Impacted Entities   Year 1   Year 2   Year 3
Basic [3]    Small                8,823    8,823    8,823
             Other than Small     4,245    4,245    4,245
Medium [4]   Small                  148      148      148
             Other than Small        52       52       52
High         Small                   81       81       81
             Other than Small        29       29       29

    2. Cost Analysis

    a. Public Costs

    The following is a summary of the estimated public costs calculated in perpetuity in 2016 dollars at a 7 percent and 3 percent discount rate:

Public Costs            7% Discount     3% Discount
Annualized Costs        $6,727,153      $6,727,153
Present Value Costs     $96,102,186     $224,238,433

[3] The number of unique awardees impacted each year is 1/3 of the average number of annual awardees according to the Electronic Data Access system (39,204/3 = 13,068). This estimate does not address new entrants or awardees who discontinue doing business with DoD.
[4] The number of entities that would be impacted by Medium or High Assessments each year is based on estimates by DoD subject matter experts.


    i. Basic Assessment

a. Calculating the self-assessment. It is estimated that the burden to calculate the Basic Assessment score is thirty minutes per entity at a journeyman-level-2 rate of pay. This results in a total estimated annual public cost of $647,388 (13,068 entities * (0.50 hour * $99.08/hour[5] = $49.54/assessment)).[6]

b. Submission of assessment for posting in SPRS. It is estimated that the burden to submit a Basic Assessment for posting in SPRS is 15 minutes per entity at a journeyman-level-2 rate of pay. This results in a total estimated annual public cost of $323,695 (13,068 entities * (0.25 hour * $99.08/hour = $24.77/assessment)).

c. Total Annual Cost. The total estimated annual public cost for 13,068 entities to complete a Basic Assessment is $971,083 (13,068 * $74.31/assessment).

    ii. Medium Assessment

    a. Preparing for assessment. It is estimated that the burden to make the system security plan and supporting documentation available for review by the DoD assessor is one hour per entity at a journeyman-level-2 rate of pay. This results in a total estimated annual public cost of $19,816 (200 entities * (1 hour * $99.08/hour = $99.08/assessment)).

b. Participating in assessment. It is estimated that the burden to participate in the review and discussion of the system security plan and supporting documents with the DoD assessor is three hours per entity, with one journeyman-level-2 and one senior-level-2 contractor employee participating in the assessment. This results in a total estimated annual public cost of $142,080 (200 entities * [(3 hours * $99.08/hour = $297.24) + (3 hours * $137.72/hour[7] = $413.16) = $710.40/assessment]).

    c. Establishing response date. Assuming issues are identified, it is estimated that the burden to determine and provide to DoD the date by which the issues will be resolved is one hour per entity at a journeyman-level rate of pay. This results in a total estimated annual public cost of $19,816 (200 entities * (1 hour * $99.08/hour = $99.08/assessment)).

[5] The journeyman-level-2 rate of pay is equivalent to the Office of Personnel Management (OPM) General Schedule (GS) FY20 rate of pay for a GS-13/step 5 employee for the locality pay area of “rest of the U.S.” plus a fringe factor of 2.0 ($49.54 * 2 = $99.08).
[6] Note, the cost for contractors to assess their compliance with NIST SP 800-171 to ensure they are in compliance with the existing terms of their contracts (i.e., DFARS clause 252.204-7012) is not included in the summary of costs associated with this rule. The rule calculates the cost of completing the Strategic Assessment; in the case of the Basic Assessment, the contractor is calculating a score based on where it stands in implementation of NIST SP 800-171.
[7] The senior-level-2 rate of pay is equivalent to the OPM GS FY20 rate of pay for a GS-15/step 5 employee for the locality pay area of “rest of the U.S.” plus a fringe factor of 2.0 ($68.86 * 2 = $137.72).


    d. Total Annual Cost. The total estimated annual public cost for 200 entities to complete a Medium Assessment is $181,712 (200 entities * $908.56/assessment).

    iii. High Assessment

a. Participating in the assessment. It is estimated that the burden to participate in the review and discussion of the system security plan and supporting documents with the DoD assessors is 116 hours per entity. The cost estimate is based on 2 senior-level-2 employees dedicating 32 hours each, 8 senior-level-1 employees dedicating 4 hours each, and 10 journeyman-level employees dedicating 2 hours each. This results in a total estimated annual public cost of $1,599,645 (110 entities * [(2 * 32 hours * $137.72/hour = $8,814.08) + (8 * 4 hours * $117.08/hour[8] = $3,746.56) + (10 * 2 hours * $99.08/hour = $1,981.60) = $14,542.24/assessment]).

b. Preparation and post review activities. It is estimated that the burden to make the system security plan and supporting documentation available for review by the DoD assessors, prepare for demonstration of requirements implementation, and conduct post review activities is 304 hours per entity. The cost estimate is based on 2 senior-level-2 employees dedicating 48 hours each, 8 senior-level-1 employees dedicating 16 hours each, and 10 journeyman-level employees dedicating 8 hours each. This results in a total estimated annual public cost of $3,974,713 (110 entities * [(2 * 48 hours * $137.72/hour = $13,221.12) + (8 * 16 hours * $117.08/hour = $14,986.24) + (10 * 8 hours * $99.08/hour = $7,926.40) = $36,133.76/assessment]).

    c. Total Annual Cost. The total estimated annual public cost for 110 entities to complete a High Assessment is $5,574,358 (110 entities * $50,675.98/assessment).

    iv. Total Public Costs

    The total cost for the Public to conduct Basic Assessments and prepare for/participate in Medium and High Assessments each year is summarized as follows:

Assessment Type            Cost
Basic Assessment           $971,083
Medium Assessment          $181,712
High Assessment            $5,574,358
Total - All Assessments    $6,727,153

The following table provides a breakdown of the annual costs for small entities and other than small entities:

[8] The senior-level-1 rate of pay is equivalent to the OPM GS FY20 rate of pay for a GS-14/step 5 employee for the locality pay area of “rest of the U.S.” plus a fringe factor of 2.0 ($58.54 * 2 = $117.08).


New Assessments   Small Entities           Other than Small         Regardless of Size
                  Count    Cost            Count    Cost            Count    Cost
Basic             8,823    $655,637        4,245    $315,446        13,068   $971,083
Medium              148    $134,468           52    $47,244            200   $181,712
High                 81    $4,104,755         29    $1,469,603         110   $5,574,358
Total             9,052    $4,894,860      4,326    $1,832,293      13,378   $6,727,153

    b. Government Costs

    The following is a summary of the estimated Government costs calculated in perpetuity in 2016 dollars at a 3 percent and 7 percent discount rate:

    Government Costs       7% Discount     3% Discount
    Annualized Costs       $9,536,160      $9,536,160
    Present Value Costs    $136,230,857    $317,872,000

    i. Review of Assessments

    It is estimated that the burden for a Contracting Officer to validate that a potential awardee has a current Assessment (not older than 3 years) in SPRS is 5 minutes at a journeyman-level rate of pay. This results in a total estimated annual Government cost of $3,851,113 (485,859 awards * (0.08 hours * $99.08/hour = $7.93/award)).

    ii. Medium Assessment

    a. Conducting the assessment. It is estimated that the burden for the DoD assessor to review the system security plan and supporting documentation made available by an entity is 3 hours at a journeyman-level rate of pay. This results in a total estimated annual Government cost of $59,448 (200 entities * 1 assessment * (3 hours * $99.08/hour = $297.24/assessment)).

    b. Submission of assessment for posting in SPRS. It is estimated that the burden to submit a Medium Assessment for posting in SPRS is 15 minutes per entity. This results in a total estimated annual Government cost of $4,954 (200 entities * (0.25 hour * $99.08/hour = $24.77/assessment)).

    c. Total Annual Cost. The total estimated annual cost for the Government to complete 200 Medium Assessments is $64,402 (200 entities * $322.01/assessment).

    iii. High Assessment

    a. Conducting the assessment. It is estimated that the burden for the DoD assessors to review the system security plan and supporting documentation made available by an entity is 400 hours. The cost estimate is based on 1 senior-level-1 employee dedicating 80 hours and 4 journeyman-level employees dedicating 80 hours each. This results in a total estimated annual Government cost of $4,517,920 (110 entities * 1 assessment * [(1 * 80 hours * $117.08/hour = $9,366.40) + (4 * 80 hours * $99.08/hour = $31,705.60) = $41,072/assessment]).

    b. Travel. The estimated travel costs per assessment are $2,000 per person for 5 DoD assessors. This results in a total estimated annual Government cost of $1,100,000 (110 entities * (5 people * $2,000/person = $10,000/assessment)).

    c. Submission of assessment for posting in SPRS. It is estimated that the burden to submit a High Assessment for posting in SPRS is 15 minutes per entity. This results in a total estimated annual Government cost of $2,725 (110 entities * (0.25 hour * $99.08/hour = $24.77/assessment)).

    d. Total Annual Cost. The total estimated annual Government cost to complete 110 High Assessments is $5,620,645 (110 entities * $51,096.77/assessment).

    iv. Total Government Costs

    The total estimated cost for the Government to conduct Basic, Medium, and High Assessments each year is summarized as follows:

    New Assessments                                          Cost
    Basic Assessment (Contracting Officer review in SPRS)    $3,851,113
    Medium Assessment                                        $64,402
    High Assessment                                          $5,620,645
    Total - All Assessments                                  $9,536,160

    c. Total Public and Government Costs

    The following is a summary of the total estimated annual public and Government cost associated with NIST SP 800-171 Basic, Medium, and High Assessments:

    Assessment Type       Public        Government    Total
    Basic Assessment      $971,083      $3,851,113    $4,822,196
    Medium Assessment     $181,712      $64,402       $246,114
    High Assessment       $5,574,358    $5,620,645    $11,195,003
    Total Annual Costs    $6,727,153    $9,536,160    $16,263,313


    C. CMMC Framework

    1. Summary of Impact

    a. The Framework

    This rule adds DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements, which requires the contractor to have, prior to contract award, the CMMC level required by the contract solicitation and maintain the required CMMC level for the duration of the contract.

    The current DFARS clause 252.204-7012 does not address the institutionalization of processes. Building upon the NIST SP 800-171 DoD Assessment Methodology, the CMMC framework adds a comprehensive and scalable certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level. CMMC is designed to provide increased assurance to the Department that a DIB contractor can adequately protect sensitive unclassified information (i.e. FCI and CUI) at a level commensurate with the risk, accounting for information flow down to its subcontractors in a multi-tier supply chain. It is noted that a DIB contractor can achieve a specific CMMC level for its entire enterprise network or particular segment(s) or enclave(s), depending upon where the information to be protected is handled and stored.

    The CMMC model consists of maturity processes and cybersecurity best practices from multiple cybersecurity standards, frameworks, and other references, as well as inputs from the broader community. The CMMC levels and the associated sets of processes and practices are cumulative. The CMMC model encompasses the basic safeguarding requirements for FCI specified in FAR clause 52.204-21 and the security requirements for CUI specified in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 per DFARS clause 252.204-7012. Furthermore, the CMMC model includes an additional 5 processes and 61 practices across Levels 2-5 that demonstrate a progression of cybersecurity maturity.

    CMMC Level    Certification Description

    1             Required for certain DoD awardees, excluding awardees with solely COTS items awards, as determined by the requiring activity. Level 1 consists of the same basic safeguarding requirements specified in FAR clause 52.204-21. Therefore, CMMC Level 1 does not add any additional requirements.

    2             Required for certain DoD awardees, excluding awardees with solely COTS items awards, as determined by the requiring activity. Level 2 is intended as an intermediary step for contractors as part of their progression to Level 3. CMMC Level 2 is comprised of a subset of the key cybersecurity processes and practices needed to achieve a CMMC Level 3 certification.

    3             Required for certain DoD awardees, as determined by the requiring activity, excluding awardees with solely COTS items awards, only including awardees that have "covered contractor information systems," as defined in DFARS clause 252.204-7012, that are not part of an IT service or system operated on behalf of the Government. Level 3 includes all of the security requirements from DFARS clause 252.204-7012 and adds 20 practices and 3 processes.

    4             Required for certain DoD awardees, excluding awardees with solely COTS items awards, that require higher level cybersecurity requirements as determined by the requiring activity.

    5             Required for certain DoD awardees, excluding awardees with solely COTS items awards, that require much higher level cybersecurity requirements as determined by the requiring activity.

    In order to achieve a specific CMMC level, a DIB company must demonstrate both process institutionalization or maturity and the implementation of practices commensurate with that level. CMMC assessments will be conducted by CMMC Third Party Assessment Organizations (C3PAOs) which are accredited by the CMMC Accreditation Body (AB). C3PAOs will provide CMMC assessment reports to the CMMC AB who will then maintain and store these reports in a CMMC AB database. The CMMC AB will issue CMMC certificates upon the resolution of any disputes or anomalies during the conduct of the assessment. These CMMC certificates will be distributed to the DIB contractor and also hosted on a CMMC AB database. Assessment results will be posted in the Supplier Performance Risk System (SPRS), the DoD's authoritative source for supplier and product performance information.

    CMMC certificates apply to a DIB contractor’s unclassified network (i.e. defined by a specific network boundary) and/or a designated segment(s) or enclave(s). The CMMC certificates and the associated assessments are valid for 3 years unless there are major changes with respect to the Information Technology (IT) and/or cybersecurity implementations for a DIB contractor’s network(s) and/or segment(s) or there are indications/warnings of a cybersecurity incident.

    b. Policy Problems addressed by CMMC


    i. Verifies the contractor cybersecurity posture

    DFARS clause 252.204-7012 does not provide for DoD verification of a DIB contractor's implementation of the security requirements specified in NIST SP 800-171 prior to contract award. DIB companies represent that they will implement the requirements in NIST SP 800-171 upon submission of their offer. Findings from DoD Inspector General report (DODIG-2019-105, "Audit of Protection of DoD Controlled Unclassified Information on Contractor-Owned Networks and Systems") indicate that DoD contractors did not consistently implement mandated system security requirements for safeguarding CUI, and the report recommended that DoD take steps to assess a contractor's ability to protect this information. CMMC adds the element of verification of a DIB contractor's cybersecurity posture through the use of accredited C3PAOs. The company must achieve the CMMC level certification required as a condition of contract award.

    ii. Comprehensive implementation of cybersecurity requirements

    Under DFARS clause 252.204-7012, a contractor can document implementation of the security requirements in NIST SP 800-171 by having a system security plan in place to describe how the security requirements are implemented, in addition to associated plans of action to describe how and when any unimplemented security requirements will be met. The CMMC framework does not allow a DoD contractor or subcontractor to achieve compliance status through the use of plans of action. In general, CMMC takes a risk-based approach to addressing cyber threats. Based on the type and sensitivity of the information to be protected, a DIB company must achieve the appropriate CMMC level and demonstrate implementation of the requisite set of processes and practices.

    Although the security requirements in NIST SP 800-171 address a range of threats, additional requirements are needed to significantly reduce the risk from Advanced Persistent Threats (APTs). An APT is an adversary that possesses sophisticated levels of expertise and significant resources which allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g. cyber, physical, and deception). The CMMC model includes additional processes and practices in Levels 4 and 5 that are focused on reducing the risk from APTs.

    The CMMC implementation will provide the Department with an ability to illuminate the supply chain, for the first time, at scale across the entire DIB sector. The CMMC framework requires prime contractors to flow the appropriate CMMC certification requirement down throughout the entire supply chain. DIB contractors or subcontractors that do not handle CUI must obtain a CMMC Level 1 certification. DIB companies that handle CUI must achieve CMMC Level 3 or higher, depending on the sensitivity of the information associated with a program or technology being developed.


    iii. Scale and Depth

    DoD contractors must include DFARS clause 252.204-7012 in subcontracts for which subcontract performance will involve covered defense information (DoD CUI), but this does not provide the Department with sufficient insights with respect to the cybersecurity posture of DIB companies throughout the multi-tier supply chain for any given program or technology development effort.

    Given the size and scale of the DIB sector, the Department cannot scale its organic cybersecurity assessment capability to conduct on-site assessments of approximately 220,000 DoD contractors every three years. As a result, the Department’s organic assessment capability is best suited for conducting targeted assessments for a subset of DoD contractors that support prioritized programs and/or technology development efforts.

    CMMC addresses the challenges of the Department scaling its organic assessment capability by partnering with an independent, non-profit CMMC Accreditation Body that will accredit and oversee multiple C3PAOs which in turn, will conduct on-site assessments of DoD contractors throughout the multi-tier supply chain. DIB companies will be able to directly schedule assessments with a certified C3PAO for a specific CMMC level. The cost of these CMMC assessments will be driven by multiple factors including market forces, the size and complexity of the network or enclaves under assessment, and the CMMC level.

    iv. Reduces Duplicate or Repetitive Assessments of our Industry Partners. Assessment results will be posted in the Supplier Performance Risk System (SPRS), DoD's authoritative source for supplier and product performance information. This will provide DoD Components with visibility to CMMC certifications for DIB company networks and an alternative to addressing implementation of NIST SP 800-171 on a contract-by-contract approach—significantly reducing the need to conduct assessments at the program level, thereby reducing the cost to both DoD and industry.

    c. CMMC roll-out

    Given the enterprise-wide implementation of CMMC, the Department developed a five-year phased rollout strategy. The rollout is intended to minimize the financial impacts to the industrial base, especially small entities, and disruption to the existing DoD supply chain. As specified in DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements, the Office of the Secretary of Defense staff is coordinating with the Military Services and Department Agencies to identify candidate contracts during the first five years of implementation that will include the CMMC requirement in the statement of work.


    Prior to October 1, 2025, this rule impacts certain large and small entities identified by the requiring activity with a requirement for CMMC in the statement of work, including commercial businesses, excluding businesses with awards exclusively for commercially available off-the-shelf (COTS) items. These entities will be required to have the stated CMMC certification level at the time of contract award. DoD leadership will communicate to requiring activities which programs require a CMMC certification and the level of that certification for prime contractors. During this time period, it is estimated that 129,810[9] unique entities will be required to have a new CMMC certification (when excluding the 9,000 re-certifications from 2021 and 2022 that will have expired due to the three-year recertification requirement).

    After October 1, 2025, CMMC will be fully implemented and will apply to all business entities that are awarded a DoD contract. According to the System for Award Management[10], 212,657 entities are actively registered for Government awards and have completed the DFARS representations and certifications, thus indicating they are interested in doing business with DoD. Approximately 74%[11] of the 212,657 unique DoD contractors are small entities. The number of known unique subcontractors is 8,309[12]. After CMMC is fully implemented, this rule will impact any business, large or small, that is awarded contracts by DoD, including commercial businesses, excluding businesses with awards exclusively for COTS items. These large and small businesses will be required to have at least a Level 1 CMMC certification at the time of contract award. The ensuing cost analysis assumes that the maximum number of unique contract awardees annually is 47,905. The CMMC rollout plan achieves this maximum number for new certifications in Year 4.

    CMMC requirements are required to be flowed down to subcontractors at all tiers; however, the specific CMMC level required for subcontractors will be based on the sensitivity of the unclassified information flowed down to each of the subcontractors, as illustrated in the graphic below. Program Managers will ensure that the appropriate CMMC level is used, consistent with the guidance, which will be specified in DoD Instruction 5000.CSA, Cybersecurity Risk Management in the Adaptive Acquisition Framework.

    [9] This is based on the OUSD(A&S)/CISO(A) phased-in rollout plan values.

    [10] This information was retrieved from the System for Award Management (SAM) as of November 2019.

    [11] According to SAM, approximately 74% of entities that have completed the DoD representations and certifications, thus indicating they are interested in doing business with DoD, have registered as a small business for their primary NAICS. This is the factor used to estimate what proportion of entities would be small.

    [12] DoD does not track unique subcontract awardees below tier 1 of the multi-tier supply chain. Based on data from FPDS from FY18-FY20, the number of known unique 1st tier subcontractors is 8,309.


    The following is an illustration of the CMMC flow-down requirements:

    Based on information from the Federal Procurement Data System, the number of unique prime contractors is 212,657 and the number of known unique subcontractors is 8,309.[13] Therefore, the total number of known unique prime contractors and subcontractors is 220,966. According to FPDS, the average number of new contracts for unique contractors is 47,905 for any given year. The timeline required to implement CMMC across the 220,966 unique DoD contractor population will be approximately 7 years.

    The phased rollout plan is detailed below with the total number of unique DoD contractors and subcontractors specified for Years 1-7. The analysis assumes that for every unique prime contractor there are approximately 100 unique subcontractors. In Year 1, the Department will identify up to 15 prime contracts with the requirement for implementing CMMC at Level 3 or below. The CMMC requirement will then flow down from these prime contractors to all their subcontractors with CUI or FCI within the corresponding supply chains.

    CMMC Level    Total Number of Unique DoD Contractors and Subcontractors*
                  Year 1    Year 2    Year 3    Year 4    Year 5    Year 6    Year 7
    1             899       4,490     14,981    28,714    28,709    28,709    25,919
    2             149       749       2,497     4,786     4,785     4,785     4,320
    3             452       2,245     7,490     14,357    14,355    14,355    12,960
    4             0         8         16        24        28        28        26
    5             0         8         16        24        28        28        26
    Totals        1,500     7,500     25,000    47,905    47,905    47,905    43,251

    [13] DoD does not track unique subcontract awardees below tier 1 of the multi-tier supply chain. Based on data from FPDS from FY18-FY20, the number of known unique 1st tier subcontractors is 8,309.


    *These are unique entities, to include prime contractors and all of their subcontractors. The numbers do not account for CMMC re-certifications.

    As evidenced above, the total number of unique DoD contractors and subcontractors with a new CMMC certification requirement achieves a steady state of 47,905 by Year 4. It is noted that the total number of unique DoD contractors and subcontractors of 220,966 is reached in Year 7. As a result, the number of unique DoD contractors and subcontractors that require a new CMMC certification is only 43,251 for Year 7. The phased rollout assumes the following percentages of DoD contractors and subcontractors will require a CMMC certificate at each level:

    Level 1: approximately 60%
    Level 2: approximately 10%
    Level 3: approximately 30%
    Level 4: approximately 0.06%
    Level 5: approximately 0.06%

    The phased rollout assumes that 74% of the 220,966 unique DoD contractors and subcontractors are small entities. The following table illustrates the entities impacted in Years 1-7:

    Total Number of CMMC Initial Certifications Per Year (Years 1 – 7)

    Year    Size                Level 1    Level 2    Level 3    Level 4    Level 5    Total by Size    Total All
    1       Small               665        110        335        0          0          1,110            1,500
            Other than Small    234        39         117        0          0          390
    2       Small               3,323      555        1,661      2          2          5,543            7,500
            Other than Small    1,167      194        584        6          6          1,957
    3       Small               11,086     1,848      5,543      4          4          18,485           25,000
            Other than Small    3,895      649        1,947      12         12         6,515
    4       Small               21,248     3,542      10,624     6          6          35,426           47,905
            Other than Small    7,466      1,244      3,733      18         18         12,479
    5       Small               21,245     3,541      10,623     7          7          35,423           47,905
            Other than Small    7,464      1,244      3,732      21         21         12,482
    6       Small               21,245     3,541      10,623     7          7          35,423           47,905
            Other than Small    7,464      1,244      3,732      21         21         12,482
    7       Small               19,180     3,197      9,590      7          7          31,981           43,251
            Other than Small    6,739      1,123      3,370      19         19         11,270
    1-7     Small               97,992     16,334     48,999     33         33         163,391          220,966
            Other than Small    34,429     5,737      17,215     97         97         57,575
    1-7     All                 132,421    22,071     66,214     130        130        220,966          220,966

    (The "All" row is the sum of the Years 1-7 Small and Other than Small rows above it: 97,992 + 34,429 = 132,421 at Level 1, 16,334 + 5,737 = 22,071 at Level 2, and 48,999 + 17,215 = 66,214 at Level 3; these three sums, with the 130 + 130 at Levels 4 and 5, total 220,966.)

    As previously noted, a CMMC certification is valid for three years. After October 1, 2025, all DoD awardees (prime contractors), excluding awardees solely for COTS items awards, will be required to have at least a Level 1 CMMC certification. The total number of CMMC certifications and re-certifications per year is provided below. The number of CMMC certifications and re-certifications for Years 8-10 is provided to highlight the repeating pattern. The analysis assumes that all of the assessments will be re-certifications by Year 8.

    Total Number of CMMC Certifications and Re-Certifications Per Year (Years 1 – 10)

                                          Year 1    Year 2    Year 3    Year 4    Year 5    Year 6    Year 7    Year 8    Year 9    Year 10
    Total Number of New Certifications    1,500     7,500     25,000    47,905    47,905    47,905    43,251    0         0         0
    Total Number of Re-Certifications     0         0         0         1,500     7,500     25,000    49,405    55,405    72,905    92,656
    Totals Per Year                       1,500     7,500     25,000    49,405    55,405    72,905    92,656    55,405    72,905    92,656

    * The number of CMMC certifications and re-certifications follows a repeating pattern starting in Year 5. Because a certificate is valid for three years, the re-certifications in any given year equal the total number of certifications and re-certifications issued three years earlier (e.g. Year 7 re-certifications of 49,405 equal the Year 4 total).

    d. Alternatives

    DoD considered and adopted several alternatives during the development of this rule that reduce the burden on small entities and still meet the objectives of the rule. These alternatives include: (1) exempting contracts and orders exclusively for the acquisition of commercially available off-the-shelf items; and (2) implementing a phased rollout for the CMMC portion of the rule and stipulating that the inclusion of a CMMC requirement in new contracts until that time be approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment.


    Additional alternatives were considered; however, it was determined that these other alternatives did not achieve the intended policy outcome. Those alternatives are discussed below.

    i. CMMC Model and implementation

    The total estimated number of unique DoD contractors and subcontractors is 220,966, with approximately 163,391 or 74% being small entities. These estimates indicate that the vast majority of small entities (i.e. 163,325 of 163,391 or 99.96%) will be required to achieve CMMC Level 1-3 certificates during the initial rollout. The Department looked at Levels 1 through 5 to determine if there were alternatives and whether these alternatives met the intended policy outcome.

    For CMMC Level 1, the practices map directly to the basic safeguarding requirements specified in the clause at FAR 52.204-21. The phased rollout estimates that the majority of small entities (i.e. 97,992 of the 163,325 or 60%) will be required to achieve CMMC Level 1. The planned implementation of CMMC Level 1 adds a verification component to the existing FAR clause by including an on-site assessment by a credentialed assessor from an accredited C3PAO. The on-site assessment verifies the implementation of the required cybersecurity practices and further supports the physical identification of contractors and subcontractors in the DoD supply chain. In the aggregate, the estimated cost associated with supporting this on-site assessment and approximated C3PAO fees does not represent a cost driver with respect to CMMC costs to small entities across levels. An alternative to an on-site assessment is for contractors to provide documentation and supporting evidence of the proper implementation of the required cybersecurity practices through a secure online portal. These artifacts would then be reviewed and checked virtually by an accredited assessor prior to the CMMC-AB issuing a CMMC Level 1 certificate. The drawback of this alternative is the inability of the contractor to interact with the C3PAO assessor in person and provide evidence directly without transmitting proprietary information. Small entities would not receive as much meaningful and interactive feedback as would be part of a Level 1 on-site assessment.

    For CMMC Level 2, the practices encompass only 48 of the 110 security requirements of NIST SP 800-171, as specified in DFARS clause 252.204-7012, and 7 additional cybersecurity requirements. In addition, CMMC Level 2 includes two process maturity requirements. The phased rollout estimates that approximately 10% of small entities may choose to use Level 2 as a transition step from Level 1 to Level 3. Small entities that achieve Level 1 can seek to achieve Level 3 (without first achieving a Level 2 certification) if the necessary cybersecurity practices and processes have been implemented. The Department does not anticipate releasing new contracts that require contractors to achieve CMMC Level 2. As a result, the Department did not consider alternatives with respect to CMMC Level 2.

    For CMMC Level 3, the practices encompass all 110 security requirements of NIST SP 800-171, as specified in DFARS clause 252.204-7012, as well as 13 additional cybersecurity requirements above Level 2. In addition, CMMC Level 3 includes three process maturity requirements. These additional cybersecurity practices were incorporated based upon several considerations that included public comments from September to December 2019 on draft versions of the model, inputs from the DIB Sector Coordinating Council (SCC), cybersecurity threats, the progression of cybersecurity capabilities from Level 3 to Level 4, and other factors. The CMMC phased rollout estimates that 48,999 of the 163,325 small entities or 30% will be required to achieve CMMC Level 3. The alternatives considered include removing a subset or all of the 20 additional practices at Level 3 or moving a subset or all of the 20 additional practices from Level 3 to Level 4. The primary drawback of these alternatives is that the cybersecurity capability gaps associated with protecting CUI would not be addressed until Level 4, which will apply to a relatively small percentage of other than small and small entities. Furthermore, the progression of cybersecurity capabilities from Level 3 to Level 4 becomes more abrupt.

    For CMMC Level 4, the practices encompass the 110 security requirements of NIST SP 800-171 as specified in DFARS clause 252.204-7012 and 46 additional cybersecurity requirements. More specifically, CMMC Level 4 adds 26 enhanced security requirements above CMMC Level 3, of which 13 are derived from Draft NIST SP 800-171B. In addition, CMMC Level 4 includes four process maturity requirements. The DIB SCC and the public contributed to the specification of the other 13 enhanced security requirements. For CMMC Level 4, an alternative considered is to define a threshold for contractors to meet 15 out of the 26 enhanced security requirements. In addition, contractors would be required to meet 6 out of the 11 remaining non-threshold enhanced security requirements. This alternative implies that a contractor would have to implement 21 of the 26 enhanced security requirements as well as the associated maturity processes. A drawback of this alternative is that contractors would implement different subsets of the 11 non-threshold requirements, which in turn leads to a non-uniform set of cybersecurity capabilities across those certified at Level 4.

    For CMMC Level 5, the practices encompass the 110 security requirements of NIST SP 800-171 as specified in DFARS clause 252.204-7012 and 61 additional cybersecurity requirements. More specifically, CMMC Level 5 adds 15 enhanced security requirements above CMMC Level 4, of which 4 are derived from Draft NIST SP 800-171B. In addition, CMMC Level 5 includes five process maturity requirements. The DIB SCC and the public contributed to the specification of the other 11 enhanced security requirements. For CMMC Level 5, the alternative considered is to define a threshold for contractors to meet 6 out of the 15 enhanced security requirements. In addition, contractors would be required to meet 5 out of the 9 remaining non-threshold enhanced security requirements. This alternative implies that a contractor would have implemented 11 of the 15 enhanced security requirements as well as the associated maturity processes. A drawback of this alternative is that contractors would implement different subsets of the 9 non-threshold requirements, which in turn leads to a non-uniform set of cybersecurity capabilities across those certified at Level 5.

    ii. Timing of CMMC level certification requirement

    In addition to evaluating the make-up of the CMMC levels, the Department took into consideration the timing of the requirement to achieve a CMMC level certification in the development of this rule, weighing the benefits and risks associated with requiring CMMC level certification: (1) at time of proposal or offer submission; (2) at time of award; or (3) after contract award. The Department ultimately adopted alternative 2 to require certification at the time of award. The drawback of alternative 1 – at time of proposal or offer submission – is the increased risk for contractors since they may not have sufficient time to achieve the required CMMC certification after the release of the Request for Information (RFI). The drawback of alternative 3 – after contract award – is the increased risk to the Department with respect to the schedule and uncertainty with respect to the case where the contractor is unable to achieve the required CMMC level in a reasonable amount of time given their current cybersecurity posture. This potential delay would apply to the entire supply chain and prevent the appropriate flow of CUI and FCI.

    2. Cost Analysis

    In this cost analysis, each cost factor is illustrated over a ten-year period merely to illustrate the cost pattern after Year 7; however, the total annualized public and Government costs associated with implementation of the CMMC Framework are based on a perpetual time horizon.

    a. Public Costs

    The following is a summary of the estimated annual public costs calculated in perpetuity in 2016 dollars at a 7 percent and 3 percent discount rate:

    Public Costs           7% Discount        3% Discount
    Annualized Costs       $6,524,952,954     $7,362,709,531
    Present Value Costs    $93,213,613,624    $245,423,651,032

    For public costs, the analysis takes into account non-recurring engineering, recurring engineering, assessments, and re-certifications.[14] The costs for non-recurring engineering and recurring engineering are cumulative with respect to CMMC levels.

    • Nonrecurring Engineering Costs. Consists of hardware, software, and the associated labor. The costs are incurred only in the year of the initial assessment.

    • Recurring Engineering Costs. Consists of any recurring fees and associated labor for technology refresh. The recurring engineering costs associated with technology refresh have been spread uniformly over a 5-year period (i.e. 20% each year as recurring engineering costs).

    • Assessment Costs. Consists of contractor support for pre-assessment preparations, the actual assessment, and any post-assessment work. These costs also include an estimate of the potential C3PAO costs for conducting the CMMC assessment, which are comprised of labor for supporting pre-assessment preparations, the actual assessment, and post-assessment work, plus travel cost.

    • Re-certification Costs. These costs are the same as the initial certification cost.

    i. CMMC Level 1 Certification

    a. Other than small entities.

    i. Nonrecurring and recurring engineering costs. There are no nonrecurring or recurring engineering costs associated with CMMC Level 1, since it is assumed the contractor has already implemented basic safeguarding requirements.[15]

    ii. Assessments and recertifications. It is estimated that the cost to support a CMMC Level 1 assessment is $3,519.64.

    • Contractor Support. It is estimated that one journeyman-level-2[16] employee will dedicate 14 hours to support the assessment (8 hours for pre- and post-assessment support + 6 hours for the assessment). The estimated cost is $1,387.12:

    1 journeyman * $99.08/hour * 14 hours = $1,387.12

    [14] DoD estimates of the hours, recurring and non-recurring costs, and labor rates are based on subject matter expertise from the DoD Chief Information Office, CMMC Program Office, and DoD/DIBCAC.
    [15] CMMC Level 1 consists of the same 15 basic safeguarding requirements specified in FAR clause 52.204-21. This cost analysis assumes that DIB contractors and subcontractors already have contracts with FAR clause 52.204-21 and, therefore, have already implemented the 15 basic safeguarding requirements.
    [16] The journeyman-level-2 rate of pay is equivalent to the OPM GS FY20 rate of pay for a GS-13/step 5 employee for the locality pay area of “rest of the U.S.” plus a fringe factor of 2.0 ($49.54 * 2 = $99.08).

    • C3PAO Assessment. It is estimated that one journeyman-level-2 employee will dedicate 19 hours to conduct the assessment (8 hours for pre- and post-assessment support + 6 hours for the assessment + 5 hours for travel). Each employee is estimated to have one day of per diem for travel.[17] The estimated cost is $2,132.52:

    1 journeyman * $99.08/hour * 19 hours = $1,888.52
    1 employee * 1 day * $250/day = $250 travel costs

    iii. Summary. The following is a summary of the cost to other than small entities for CMMC Level 1 initial assessments and 3-year recertifications over a ten-year period:

    Level 1: Quantity of Unique Other than Small Entities

    Year   Initial   Recert   Recert   Recert    Total    Total Cost
      1        234        0        0        0      234      $823,596
      2      1,167        0        0        0    1,167    $4,107,420
      3      3,895        0        0        0    3,895   $13,708,997
      4      7,466      234        0        0    7,700   $27,101,228
      5      7,464    1,167        0        0    8,631   $30,378,013
      6      7,464    3,895        0        0   11,359   $39,979,590
      7      6,739    7,466      234        0   14,439   $50,820,082
      8          0    7,464    1,167        0    8,631   $30,378,013
      9          0    7,464    3,895        0   11,359   $39,979,590
     10          0    6,739    7,466      234   14,439   $50,820,082

    b. Small entities.

    i. Nonrecurring or recurring engineering costs. There are no nonrecurring or recurring engineering costs associated with CMMC Level 1, since it is assumed the contractor has implemented basic safeguarding requirements.[18]

    ii. Assessments and recertifications. It is estimated that the cost to support a CMMC Level 1 assessment is $2,999.56:

    • Contractor Support. It is estimated that one journeyman-level-1[19] employee will dedicate 14 hours to support the assessment (8 hours for pre- and post-assessment support + 6 hours for the assessment). The estimated cost is $1,166.48:

    1 journeyman * $83.32/hour * 14 hours = $1,166.48

    • C3PAO Assessment. It is estimated that one journeyman-level-1 employee will dedicate 19 hours to conduct the assessment (8 hours for pre- and post-assessment support + 6 hours for the assessment + 5 hours for travel). Each employee is estimated to have 1 day of per diem for travel. The estimated cost is $1,833.08:

    1 journeyman * $83.32/hour * 19 hours = $1,583.08
    1 employee * 1 day * $250/day = $250 travel costs

    [17] For CMMC Level 1, the travel is assumed to be local and travel costs are confined to lodging ($150), per diem ($50), and ground transportation ($50).
    [18] Again, it is assumed that DIB contractors and subcontractors have already implemented the 15 basic safeguarding requirements in FAR clause 52.204-21.
    [19] The journeyman-level-1 rate of pay is equivalent to the OPM GS FY20 rate of pay for a GS-12/step 5 employee for the locality pay area of “rest of the U.S.” plus a fringe factor of 2.0 ($41.66 * 2 = $83.32).

    iii. Summary. The following is a summary of the cost to small entities for CMMC Level 1 initial assessments and 3-year recertifications over a ten-year period:

    Level 1: Quantity of Unique Small Entities

    Year   Initial   Recert   Recert   Recert    Total     Total Cost
      1        665        0        0        0      665     $1,994,707
      2      3,323        0        0        0    3,323     $9,967,538
      3     11,086        0        0        0   11,086    $33,253,122
      4     21,248      665        0        0   21,913    $65,729,358
      5     21,245    3,323        0        0   24,568    $73,693,191
      6     21,245   11,086        0        0   32,331    $96,978,775
      7     19,180   21,248      665        0   41,093   $123,260,918
      8          0   21,245    3,323        0   24,568    $73,693,191
      9          0   21,245   11,086        0   32,331    $96,978,775
     10          0   19,180   21,248      665   41,093   $123,260,918

    c. All entities. The following is a summary of the cost to all entities regardless of size for CMMC Level 1 initial assessments and 3-year recertifications over a ten-year period:

    Estimated Cost – Level 1 Certifications

    Year   Other than Small Entities   Small Entities   All Entities
      1                   $823,596       $1,994,707     $2,818,303
      2                 $4,107,420       $9,967,538    $14,074,958
      3                $13,708,997      $33,253,122    $46,962,119
      4                $27,101,228      $65,729,358    $92,830,586
      5                $30,378,013      $73,693,191   $104,071,204
      6                $39,979,590      $96,978,775   $136,958,365
      7                $50,820,082     $123,260,918   $174,081,000
      8                $30,378,013      $73,693,191   $104,071,204
      9                $39,979,590      $96,978,775   $136,958,365
     10                $50,820,082     $123,260,918   $174,163,186

    ii. CMMC Level 2 Certification

    a. Other than small entities.

    i. Nonrecurring engineering costs. The estimated nonrecurring engineering cost per entity per assessment/recertification to implement the 9 new requirements (7 CMMC practices and 2 CMMC processes)[20] is $19,225.

    ii. Recurring engineering costs. The estimated recurring engineering cost per entity per year to implement the 9 new requirements (7 CMMC practices and 2 CMMC processes) is $48,700.

    [20] CMMC Level 2 consists of 65 security requirements from NIST SP 800-171, 7 CMMC practices, and 2 CMMC processes. This cost analysis assumes that DIB contractors and subcontractors already have contracts with the DFARS clause 252.204-7012 and, therefore, have already implemented the 65 requirements from NIST SP 800-171.

    iii. Assessment and recertification. It is estimated that the cost to support a CMMC Level 2 assessment or recertification is $33,295.32.

    • Contractor Support. It is estimated that three senior-level-1[21] employees will dedicate 48 hours each to support the assessment (24 hours for pre- and post-assessment support + 24 hours for the assessment). The estimated cost is $16,859.52:

    3 senior * $117.08/hour * 48 hours = $16,859.52

    • C3PAO Assessment. It is estimated that one senior-level-1 employee and two journeyman-level-2 employees will dedicate 45 hours each to conduct the assessment (16 hours for pre- and post-assessment support + 24 hours for the assessment + 5 hours for travel). Each employee is estimated to have 3 days of per diem for travel.[22] The estimated cost is $16,435.80:

    1 senior * $117.08/hour * 45 hours = $5,268.60
    2 journeyman * $99.08/hour * 45 hours = $8,917.20
    3 employees * 3 days * $250/day = $2,250 travel costs

    iv. Summary. The following is a summary of the cost to other than small entities for CMMC Level 2 initial assessments and 3-year recertifications over a ten-year period:

    Level 2: Quantity of Unique Other than Small Entities

    Year   Initial   Recert   Recert   Recert    Total     Total Cost
      1         39        0        0        0       39     $3,947,592
      2        194        0        0        0      194    $21,536,042
      3        649        0        0        0      649    $77,039,087
      4      1,244       39        0        0    1,283   $170,169,995
      5      1,244      194        0        0    1,438   $235,913,570
      6      1,244      649        0        0    1,893   $311,645,740
      7      1,123    1,244       39        0    2,406   $381,090,115
      8          0    1,244      194        0    1,438   $327,270,570
      9          0    1,244      649        0    1,893   $342,419,940
     10          0    1,123    1,244       39    2,406   $359,500,440

    [21] The senior-level-1 rate of pay is equivalent to the OPM GS FY20 rate of pay for a GS-14/step 5 employee for the locality pay area of “rest of the U.S.” plus a fringe factor of 2.0 ($58.54 * 2 = $117.08).
    [22] For CMMC Level 2, the travel is assumed to be local and travel costs are confined to lodging ($150), per diem ($50), and ground transportation ($50).

    b. Small entities.

    i. Nonrecurring engineering costs. The estimated nonrecurring engineering cost per entity per assessment/recertification to implement the 9 new requirements (7 CMMC practices and 2 CMMC processes)[23] is $8,135.

    ii. Recurring engineering costs. The estimated recurring engineering cost per entity per year to implement the 9 new requirements (7 CMMC practices and 2 CMMC processes) is $20,154.

    iii. Assessment and recertification. It is estimated that the cost to support a CMMC Level 2 assessment or recertification is $22,466.88.

    • Contractor Support. It is estimated that two senior-level-1 employees will dedicate 48 hours each to support the assessment (24 hours for pre- and post-assessment support + 24 hours for the assessment). The estimated cost is $11,239.68:

    2 senior * $117.08/hour * 48 hours = $11,239.68

    • C3PAO Assessment. It is estimated that one journeyman-level-2 employee and one senior-level-1 employee will dedicate 45 hours each to conduct the assessment (16 hours for pre- and post-assessment support + 24 hours for the assessment + 5 hours for travel). Each employee is estimated to have 3 days of per diem for travel. The estimated cost is $11,227.20:

    1 senior * $117.08/hour * 45 hours = $5,268.60
    1 journeyman * $99.08/hour * 45 hours = $4,458.60
    2 employees * 3 days * $250/day = $1,500 travel costs

    iv. Summary. The following is a summary of the cost to small entities for CMMC Level 2 initial assessments and 3-year recertifications over a ten-year period:

    Level 2: Quantity of Unique Small Entities

    Year   Initial   Recert   Recert   Recert    Total     Total Cost
      1        110        0        0        0      110     $5,583,147
      2        555        0        0        0      555    $30,386,453
      3      1,848        0        0        0    1,848   $107,199,277
      4      3,542      110        0        0    3,652   $232,895,686
      5      3,541      555        0        0    4,096   $314,228,160
      6      3,541    1,848        0        0    5,389   $414,643,151
      7      3,197    3,542      110        0    6,849   $509,078,692
      8          0    3,541      555        0    4,096   $421,219,777
      9          0    3,541    1,848        0    5,389   $450,269,454
     10          0    3,197    3,542      110    6,849   $483,071,097

    [23] Again, it is assumed that DIB contractors and subcontractors have already implemented the 65 requirements from NIST SP 800-171.

    c. All entities. The following is a summary of the cost to all entities regardless of size for CMMC Level 2 initial assessments and 3-year recertifications over a ten-year period:

    Estimated Cost – Level 2 Certifications

    Year   Other than Small Entities   Small Entities   All Entities
      1                 $3,947,592       $5,583,147     $9,530,739
      2                $21,536,042      $30,386,453    $51,922,495
      3                $77,039,087     $107,199,277   $184,238,364
      4               $170,169,995     $232,895,686   $404,710,306
      5               $235,913,570     $314,228,160   $558,386,305
      6               $311,645,740     $414,643,151   $753,799,396
      7               $381,090,115     $509,078,692   $944,543,502
      8               $327,270,570     $421,219,777   $809,456,857
      9               $342,419,940     $450,269,454   $872,921,834
     10               $359,500,440     $483,071,097   $944,543,502
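    Added example (not part of the RIA): a small Python model of the cohort schedule behind the Level 1 and Level 2 "other than small entities" tables above, built from the hours, labor rates, travel figures and engineering costs the page gives. Two modelling choices are inferred from the tables rather than stated in the text: a recertification incurs only the assessment cost, and recurring engineering is charged each year to every entity certified so far; with those choices the computed totals match the two published tables to within a dollar of rounding.

```python
"""Cohort cost model reconstructed from the RIA's CMMC Level 1 and 2 tables.
Inferred from the tables, not stated in the text: a recertification incurs the
assessment cost only, and recurring engineering is charged every year to every
entity certified in that year or earlier."""
from dataclasses import dataclass
from typing import List

RECERT_INTERVAL_YEARS = 3


@dataclass(frozen=True)
class LevelCosts:
    """Per-entity unit costs for one CMMC level and one entity size."""
    nonrecurring: float         # one-time engineering, initial certification only
    recurring: float            # technology refresh, every year once certified
    contractor_support: float   # contractor labor around and during the assessment
    c3pao: float                # assessor labor plus travel

    @property
    def assessment(self) -> float:
        return self.contractor_support + self.c3pao


def labor(people: int, rate_per_hour: float, hours: int) -> float:
    """Labor line as the RIA writes it: headcount * $/hour * hours."""
    return people * rate_per_hour * hours


def recert_counts(initials: List[int], interval: int = RECERT_INTERVAL_YEARS) -> List[int]:
    """Entities due for recertification each year: a cohort first certified in
    year y returns in years y+interval, y+2*interval, ... (the RIA's three
    'Recert' columns, summed)."""
    horizon = len(initials)
    due = [0] * horizon
    for year, cohort in enumerate(initials):
        for later in range(year + interval, horizon, interval):
            due[later] += cohort
    return due


def yearly_costs(initials: List[int], unit: LevelCosts) -> List[float]:
    """Total cost per year = initials * (nonrecurring + recurring + assessment)
    + recurring * (entities certified in earlier years) + recerts * assessment."""
    recerts = recert_counts(initials)
    certified_before = 0
    costs = []
    for n_initial, n_recert in zip(initials, recerts):
        year_cost = n_initial * (unit.nonrecurring + unit.recurring + unit.assessment)
        year_cost += certified_before * unit.recurring
        year_cost += n_recert * unit.assessment
        costs.append(year_cost)
        certified_before += n_initial
    return costs


# Level 1, other than small entities: no engineering cost; one journeyman-level-2
# at $99.08/hour for 14 contractor hours and 19 assessor hours plus $250 travel.
LEVEL1_OTSB = LevelCosts(
    nonrecurring=0.0,
    recurring=0.0,
    contractor_support=labor(1, 99.08, 14),
    c3pao=labor(1, 99.08, 19) + 1 * 1 * 250,
)
LEVEL1_OTSB_INITIALS = [234, 1_167, 3_895, 7_466, 7_464, 7_464, 6_739, 0, 0, 0]

# Level 2, other than small entities: $19,225 nonrecurring and $48,700 recurring
# engineering; three senior-level-1 at $117.08/hour for 48 hours; assessor team of
# one senior-level-1 and two journeyman-level-2 for 45 hours, 3 travel days each.
LEVEL2_OTSB = LevelCosts(
    nonrecurring=19_225.0,
    recurring=48_700.0,
    contractor_support=labor(3, 117.08, 48),
    c3pao=labor(1, 117.08, 45) + labor(2, 99.08, 45) + 3 * 3 * 250,
)
LEVEL2_OTSB_INITIALS = [39, 194, 649, 1_244, 1_244, 1_244, 1_123, 0, 0, 0]

if __name__ == "__main__":
    for name, unit, initials in (("Level 1", LEVEL1_OTSB, LEVEL1_OTSB_INITIALS),
                                 ("Level 2", LEVEL2_OTSB, LEVEL2_OTSB_INITIALS)):
        print(f"{name}: assessment unit cost ${unit.assessment:,.2f}")
        rows = zip(initials, recert_counts(initials), yearly_costs(initials, unit))
        for year, (n_init, n_recert, cost) in enumerate(rows, start=1):
            print(f"  year {year:2d}: initial {n_init:5d}  recert {n_recert:5d}  ${cost:,.0f}")
```

    Substituting the small-entity headcounts, rates and engineering figures from the corresponding subsections gives the schedule for those tables in the same way.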

    iii. CMMC Level 3 Certification

    a. Other than small entities.

    i. Nonrecurring engineering costs. The estimated nonrecurring engineering cost per entity per assessment/recertification to implement the 23 new requirements (20 CMMC practices and 3 CMMC processes)[24] is $160,774.

    ii. Recurring engineering costs. The estimated recurring engineering cost per entity per year to implement the 9 new requirements (7 CMMC practices and 2 CMMC processes) is $210,866.

    iii. Assessment and recertification. It is estimated that the cost to support a CMMC Level 3 assessment or recertification is $75,033.

    • Contractor Support. It is estimated that five senior-level-1 employees will dedicate 64 hours each to support the assessment (32 hours for pre- and post-assessment support + 32 hours for the assessment). The estimated cost is $37,465.60:

    5 seniors * $117.08/hour * 64 hours = $37,465.60

    • C3PAO Assessment. It is estimated that one senior-level-1 employee and four journeyman-level-2 employees will dedicate 61 hours each to conduct the assessment (24 hours for pre- and post-assessment support + 32 hours for the assessment + 5 hours for travel). Each employee is estimated to have 5 days of per diem for travel.[25] The estimated cost is $37,567.40:

    1 senior * $117.08/hour * 61 hours = $7,141.88
    4 journeyman * $99.08/hour * 61 hours = $24,175.52
    5 employees * 5 days * $250/day = $6,250 travel costs

    [24] CMMC Level 3 consists of 110 security requirements from NIST SP 800-171, 20 CMMC practices, and 3 CMMC processes. This cost analysis assumes that DIB contractors and subcontractors already have contracts with the DFARS clause 252.204-7012 and, therefore, have already implemented the 110 requirements from NIST SP 800-171.
    [25] For CMMC Level 3, the travel is assumed to be local and travel costs are confined to lodging ($150), per diem ($50), and ground transportation ($50).

    iv. Summary. The following is a summary of the cost to other than small entities for CMMC Level 3 initial assessments and 3-year recertifications over a ten-year period:

    Level 3: Quantity of Unique Other than Small Entities

    Year   Initial   Recert   Recert   Recert    Total       Total Cost
      1        117        0        0        0      117      $52,260,741
      2        584        0        0        0      584     $285,528,354
      3      1,947        0        0        0    1,947   $1,017,489,396
      4      3,733      117        0        0    3,850   $2,234,582,338
      5      3,732      584        0        0    4,316   $3,056,338,854
      6      3,732    1,947        0        0    5,679   $3,945,560,744
      7      3,730    3,733      117        0    7,580   $4,713,604,830
      8          0    3,732      584        0    4,316   $3,953,900,618
      9          0    3,732    1,947        0    5,679   $4,056,170,596
     10          0    3,730    3,733      117    7,580   $4,171,796,450

    b. Small entities.

    i. Nonrecurring engineering costs. The estimated nonrecurring engineering cost per entity per assessment/recertification to implement the 23 new requirements (20 CMMC practices and 3 CMMC processes)[26] is $26,214.

    ii. Recurring engineering costs. The estimated recurring engineering cost per entity per year to implement the 9 new requirements (7 CMMC practices and 2 CMMC processes) is $41,666.

    iii. Assessment and recertification. It is estimated that the cost to support a CMMC Level 3 assessment or recertification is $51,095.60.

    • Contractor Support. It is estimated that three senior-level-1 employees will dedicate 64 hours each to support the assessment (32 hours for pre- and post-assessment support + 32 hours for the assessment). The estimated cost is $22,479.36:

    3 seniors * $117.08/hour * 64 hours = $22,479.36

    • C3PAO Assessment. It is estimated that one senior-level-1 employee and three journeyman-level-2 employees will dedicate 57 hours each to conduct the assessment (24 hours for pre- and post-assessment support + 32 hours for the assessment + 5 hours for travel). Each employee is estimated to have 5 days of per diem for travel. The estimated cost is $28,616.24:

    1 senior * $117.08/hour * 57 hours = $6,673.56
    3 journeyman * $99.08/hour * 57 hours = $16,942.68
    4 employees * 5 days * $250/day = $5,000 travel costs

    [26] Again, it is assumed that DIB contractors and subcontractors have already implemented the 110 requirements from NIST SP 800-171.

    iv. Summary. The following is a summary of the cost to small entities for CMMC Level 3 initial assessments and 3-year recertifications over a ten-year period:

    Level 3: Quantity of Unique Small Entities

    Year   Initial   Recert   Recert   Recert    Total       Total Cost
      1        335        0        0        0      335      $39,856,827
      2      1,661        0        0        0    1,661     $211,576,581
      3      5,543        0        0        0    5,543     $742,647,086
      4     10,624      335        0        0   10,959   $1,595,233,775
      5     10,623    1,661        0        0   12,284   $2,105,527,148
      6     10,623    5,543        0        0   16,166   $2,746,498,185
      7      9,590   10,624      335        0   20,549   $3,342,948,078
      8          0   10,623    1,661        0   12,284   $2,669,250,684
      9          0   10,623    5,543        0   16,166   $2,867,603,803
     10          0    9,590   10,624      335   20,549   $3,091,555,818

    c. All entities. The following is a summary of the cost to all entities regardless of size for initial CMMC Level 3 assessments and recertifications over a ten-year period:

    Estimated Cost – Level 3 Certifications

    Year   Other than Small Entities   Small Entities       Total Cost
      1                $52,260,741      $39,856,827      $92,117,568
      2               $285,528,354     $211,576,581     $497,104,935
      3             $1,017,489,396     $742,647,086   $1,760,136,482
      4             $2,234,582,338   $1,595,233,775   $3,829,816,113
      5             $3,056,338,854   $2,105,527,148   $5,161,866,002
      6             $3,945,560,744   $2,746,498,185   $6,692,058,929
      7             $4,713,604,830   $3,342,948,078   $8,056,552,908
      8             $3,953,900,618   $2,669,250,684   $6,623,151,302
      9             $4,056,170,596   $2,867,603,803   $6,923,774,399
     10             $4,171,796,450   $3,091,555,818   $7,263,352,268

    iv. CMMC Level 4 Certification[27]

    a. Other than small entities.

    i. Nonrecurring engineering costs. The estimated nonrecurring engineering cost per entity per assessment/recertification to implement the 50 new requirements (46 CMMC practices and 4 CMMC processes) is $3,645,624.[28]

    ii. Recurring engineering costs. The estimated recurring engineering cost per entity per year to implement the 50 new requirements (46 CMMC practices and 4 CMMC processes) is $816,926.

    [27] The costs associated with implementing the additional practices and processes for CMMC Level 4 are based on previous cost analysis associated with the implementation of the draft NIST SP 800-171B enhanced security requirements.
    [28] CMMC Level 4 consists of 110 security requirements from NIST SP 800-171, 46 CMMC practices, and 4 CMMC processes. This cost analysis assumes that DIB contractors and subcontractors already have contracts with the DFARS clause 252.204-7012 and, therefore, have already implemented the 110 requirements from NIST SP 800-171.

    iii. Assessment and recertification. It is estimated that the cost to support a CMMC Level 4 assessment or recertification is $123,029.

    • Contractor Support. It is estimated that five senior-level-2[29] employees will dedicate 96 hours each to support the assessment (48 hours for pre- and post-assessment support + 48 hours for the assessment). The estimated cost is $66,105.60:

    5 seniors * $137.72/hour * 96 hours = $66,105.60

    • C3PAO Assessment. It is estimated that one senior-level-2 employee, one senior-level-1 employee, and three journeyman-level-2 employees will dedicate 85 hours each to conduct the assessment (32 hours for pre- and post-assessment support + 48 hours for the assessment + 5 hours for travel). Each employee is estimated to have 6 days of per diem for travel, plus airfare. The estimated cost is $56,923.40:

    1 senior * $137.72/hour * 85 hours = $11,706.20
    1 senior * $117.08/hour * 85 hours = $9,951.80
    3 journeyman * $99.08/hour * 85 hours = $25,265.40
    5 employees * 6 days * $250/day = $7,500 travel costs
    5 employees * $500 = $2,500 airfare[30]

    iv. Summary. The following is a summary of the cost to other than small entities for CMMC Level 4 initial assessments and 3-year recertifications over a ten-year period:

    Level 4: Quantity of Unique Other than Small Entities

    Year   Initial   Recert   Recert   Recert    Total     Total Cost
      1          0        0        0        0        0             $0
      2          6        0        0        0        6    $27,513,474
      3         12        0        0        0       12    $59,928,504
      4         18        0        0        0       18    $97,245,090
      5         21        6        0        0       27   $126,444,669
      6         21       12        0        0       33   $144,338,289
      7         19       18        0        0       37   $153,060,751
      8          0       21        6        0       27    $82,563,605
      9          0       21       12        0       33    $83,301,779
     10          0       19       18        0       37    $83,793,895

    [29] The senior-level-2 rate of pay is equivalent to the OPM GS FY20 rate of pay for a GS-15/step 5 employee for the locality pay area of “rest of the U.S.” plus a fringe factor of 2.0 ($68.86 * 2 = $137.72).
    [30] For CMMC Level 4, the travel is assumed to be regional and travel costs are confined to lodging ($150), per diem ($50), and ground transportation ($50), plus airfare ($500).

    b. Small entities.

    i. Nonrecurring engineering costs. The estimated nonrecurring engineering cost per entity per assessment/recertification to implement the 50 new requirements (46 CMMC practices and 4 CMMC processes) is $938,336.[31]

    ii. Recurring engineering costs. The estimated recurring engineering cost per entity per year to implement the 50 new requirements (46 CMMC practices and 4 CMMC processes) is $301,514.

    iii. Assessment and recertification. It is estimated that the cost to support a CMMC Level 4 assessment or recertification is $70,065.04.

    • Contractor Support. It is estimated that three senior-level-2 employees will dedicate 80 hours each to support the assessment (40 hours for pre- and post-assessment support + 40 hours for the assessment). The estimated cost is $33,052.80:

    3 seniors * $137.72/hour * 80 hours = $33,052.80

    • C3PAO Assessment. It is estimated that one senior-level-2 employee and three journeyman-level-2 employees will dedicate 69 hours each to conduct the assessment (32 hours for pre- and post-assessment support + 48 hours for the assessment + 5 hours for travel). Each employee is estimated to have 5 days of per diem for travel, plus airfare. The estimated cost is $37,012.24:

    1 senior * $137.72/hour * 69 hours = $9,502.68
    3 journeyman * $99.08/hour * 69 hours = $20,509.56
    4 employees * 5 days * $250/day = $5,000 travel costs
    4 employees * $500 = $2,000 airfare

    iv. Summary. The following is a summary of the cost to small entities for CMMC Level 4 initial assessments and 3-year recertifications over a ten-year period:

    Level 4: Quantity of Unique Small Entities

    Year   Initial   Recert   Recert   Recert    Total    Total Cost
      1          0        0        0        0        0            $0
      2          2        0        0        0        2    $2,619,830
      3          4        0        0        0        4    $5,842,688
      4          6        0        0        0        6    $9,668,574
      5          7        2        0        0        9   $12,927,704
      6          7        4        0        0       11   $15,178,432
      7          7        6        0        0       13   $17,429,160
      8          0        7        2        0        9   $10,580,548
      9          0        7        4        0       11   $10,720,678
     10          0        7        6        0       13   $10,860,808

    [31] Again, it is assumed that DIB contractors and subcontractors have already implemented the 110 requirements from NIST SP 800-171.

    c. All entities. The following is a summary of the cost to all entities regardless of size for initial CMMC Level 4 assessments and recertifications over a ten-year period:

    Estimated Cost – Level 4 Certifications

    Year   Other than Small Entities   Small Entities     Total Cost
      1                         $0               $0             $0
      2                $27,513,474       $2,619,830    $30,133,304
      3                $59,928,504       $5,842,688    $65,771,192
      4                $97,245,090       $9,668,574   $106,913,664
      5               $126,444,669      $12,927,704   $139,372,373
      6               $144,338,289      $15,178,432   $159,516,721
      7               $153,060,751      $17,429,160   $170,489,911
      8                $82,563,605      $10,580,548    $93,144,153
      9                $83,301,779      $10,720,678    $94,022,457
     10                $83,793,895      $10,860,808    $94,654,703

    v. CMMC Level 5 Certification[32]

    a. Other than small entities.

    i. Nonrecurring engineering costs. The estimated nonrecurring engineering cost per entity per assessment/recertification to implement the 66 new requirements (61 CMMC practices and 5 CMMC processes)[33] is $4,760,774.

    ii. Recurring engineering costs. The estimated recurring engineering cost per entity per year to implement the 66 new requirements (61 CMMC practices and 5 CMMC processes) is $1,010,866.

    iii. Assessment and recertification. It is estimated that the cost to support a CMMC Level 5 assessment or recertification is $145,947.24.

    • Contractor Support. It is estimated that five senior-level-2 employees will dedicate 112 hours each to support the assessment (56 hours for pre- and post-assessment support + 56 hours for the assessment). The estimated cost is $77,123.20:

    5 seniors * $137.72/hour * 112 hours = $77,123.20

    • C3PAO Assessment. It is estimated that one senior-level-2 employee, two senior-level-1 employees, and two journeyman-level-2 employees will dedicate 101 hours each to conduct the assessment (40 hours for pre- and post-assessment support + 56 hours for the assessment + 5 hours for travel). Each employee is estimated to have 7 days of per diem for travel, plus airfare. The estimated cost is $68,824.04:

    1 senior * $137.72/hour * 101 hours = $13,909.72
    2 senior * $117.08/hour * 101 hours = $23,650.16
    2 journeyman * $99.08/hour * 101 hours = $20,014.16
    5 employees * 7 days * $250/day = $8,750 travel costs
    5 employees * $500 = $2,500 airfare[34]

    [32] The costs associated with implementing the additional practices and processes for CMMC Level 5 are based on previous cost analysis associated with the implementation of the draft NIST SP 800-171B enhanced security requirements.
    [33] CMMC Level 4 consists of 110 security requirements from NIST SP 800-171, 61 CMMC practices, and 5 CMMC processes. This cost analysis assumes that DIB contractors and subcontractors already have contracts with the DFARS clause 252.204-7012 and, therefore, have already implemented the 110 requirements from NIST SP 800-171.

    iv. Summary. The following is a summary of the cost to other than small entities for CMMC Level 5 initial assessments and 3-year recertifications over a ten-year period:

    Level 5: Quantity of Unique Other than Small Entities

    Year   Initial   Recert   Recert   Recert    Total     Total Cost
      1          0        0        0        0        0             $0
      2          6        0        0        0        6    $35,505,523
      3         12        0        0        0       12    $77,076,243
      4         18        0        0        0       18   $124,712,159
      5         21        6        0        0       27   $161,536,190
      6         21       12        0        0       33   $183,640,060
      7         19       18        0        0       37   $193,908,757
      8          0       21        6        0       27   $101,994,576
      9          0       21       12        0       33   $102,870,260
     10          0       19       18        0       37   $103,454,051

    b. Small entities.

    i. Nonrecurring engineering costs. The estimated nonrecurring engineering cost per entity per assessment/recertification to implement the 66 new requirements (61 CMMC practices and 5 CMMC processes)[35] is $1,230,214.

    ii. Recurring engineering costs. The estimated recurring engineering cost per entity per year to implement the 66 new requirements (61 CMMC practices and 5 CMMC processes) is $384,666.

    iii. Assessment and recertification. It is estimated that the cost to support a CMMC Level 5 assessment or recertification is $110,090.80:

    • Contractor Support. It is estimated that four senior-level-2 employees will dedicate 104 hours each to support the assessment (48 hours for pre- and post-assessment support + 56 hours for the assessment). The estimated cost is $57,291.52:

    4 senior * $137.72/hour * 104 hours = $57,291.52

    • C3PAO Assessment. It is estimated that one senior-level-2 employee, two senior-level-1 employees, and one journeyman-level-2 employee will dedicate 93 hours each to conduct the assessment (32 hours for pre- and post-assessment support + 56 hours for the assessment + 5 hours for travel).

    [34] For CMMC Level 5, the travel is assumed to be regional and travel costs are confined to lodging ($150), per diem ($50), a