Department of Defense: Cybersecurity Maturity Model Certification (CMMC) Program

B-336776

October 30, 2024

The Honorable Jack Reed
Chairman
The Honorable Roger F. Wicker
Ranking Member
Committee on Armed Services
United States Senate

The Honorable Mike Rogers
Chairman
The Honorable Adam Smith
Ranking Member
Committee on Armed Services
House of Representatives

Subject: Department of Defense: Cybersecurity Maturity Model Certification (CMMC) Program

Pursuant to section 801(a)(2)(A) of title 5, United States Code, this is our report on a major rule promulgated by the Department of Defense (DoD) entitled “Cybersecurity Maturity Model Certification (CMMC) Program” (RIN: 0790-AL49). We received the rule on October 10, 2024. It was published in the Federal Register on October 15, 2024. 89 Fed. Reg. 83092. The effective date of the rule is December 16, 2024.

According to DoD, this rule establishes the Cybersecurity Maturity Model Certification (CMMC) Program in order to verify contractors have implemented required security measures necessary to safeguard Federal Contract Information and Controlled Unclassified Information. DoD stated that the mechanisms discussed in the rule will allow it to confirm a defense contractor or subcontractor has implemented the security requirements for a specified CMMC level and is maintaining that status across the contract period of performance. DoD further stated the rule will be updated as needed, using the appropriate rulemaking process, to address evolving cybersecurity standards, requirements, threats, and other relevant changes.

Enclosed is our assessment of DoD’s compliance with the procedural steps required by section 801(a)(1)(B)(i) through (iv) of title 5 with respect to the rule. If you have any questions about this report or wish to contact GAO officials responsible for the evaluation work relating to the subject matter of the rule, please contact Charlie McKiver, Assistant General Counsel, at (202) 512-5992.

Shirley A. Jones
Managing Associate General Counsel

Enclosure

cc: Patricia Toppings
OSD Federal Register Liaison Officer
Department of Defense

ENCLOSURE

REPORT UNDER 5 U.S.C. § 801(a)(2)(A) ON A MAJOR RULE
ISSUED BY THE
DEPARTMENT OF DEFENSE
ENTITLED
“CYBERSECURITY MATURITY MODEL CERTIFICATION (CMMC) PROGRAM”
(RIN: 0790-AL49)

(i) Cost-benefit analysis

The Department of Defense (DoD) prepared an analysis of the costs and benefits of this rule. See 89 Fed. Reg. 83171–83193. DoD estimated the annualized total costs of the rule to be $3,998,690,967 at a 7 percent discount rate, and $4,229,466,760 at a 3 percent discount rate. See 89 Fed. Reg. 83176.

(ii) Agency actions relevant to the Regulatory Flexibility Act (RFA), 5 U.S.C. §§ 603–605, 607, and 609

DoD determined that this rule would have a significant economic impact on a substantial number of small entities and prepared a Final Regulatory Flexibility Analysis. 89 Fed. Reg. 83193.

(iii) Agency actions relevant to sections 202–205 of the Unfunded Mandates Reform Act of 1995, 2 U.S.C. §§ 1532–1535

The rule does not discuss the Act. In its submission to us, DoD indicated that it did not prepare a written statement under section 202 of the Unfunded Mandates Reform Act of 1995, with respect to this rule.

(iv) Agency actions relevant to the Administrative Pay-As-You-Go-Act of 2023, Pub. L. No. 118-5, div. B, title III, 137 Stat 31 (June 3, 2023)

Section 270 of the Administrative Pay-As-You-Go-Act of 2023 amended 5 U.S.C. § 801(a)(2)(A) to require GAO to assess agency compliance with the Act, which establishes requirements for administrative actions that affect direct spending, in GAO’s major rule reports. In guidance to Executive Branch agencies, issued on September 1, 2023, the Office of Management and Budget (OMB) instructed that agencies should include a statement explaining that either: “the Act does not apply to this rule because it does not increase direct spending; the Act does not apply to this rule because it meets one of the Act’s exemptions (and specifying the relevant exemption); the OMB Director granted a waiver of the Act’s requirements pursuant to section 265(a)(1) or (2) of the Act; or the agency has submitted a notice or written opinion to the OMB Director as required by section 263(a) or (b) of the Act” in their submissions of rules to GAO under the Congressional Review Act. OMB, Memorandum for the Heads of Executive Departments and Agencies, Subject: Guidance for Implementation of the Administrative
Pay-As-You-Go Act of 2023, M-23-21 (Sept. 1, 2023), at 11–12. OMB also states that directives in the memorandum that supplement the requirements in the Act do not apply to proposed rules that have already been submitted to the Office of Information and Regulatory Affairs, however agencies must comply with any applicable requirements of the Act before finalizing such rules.

In its submission to us, DoD indicated the Act is not applicable to this rule.

(v) Other relevant information or requirements under acts and executive orders

Administrative Procedure Act, 5 U.S.C. §§ 551 et seq.

On December 26, 2023, DoD published a proposed rule. 88 Fed. Reg. 89058. DoD stated that it received approximately 361 public submissions in response. DoD summarized and responded to significant issues raised by the comments in the rule. See 89 Fed.
Reg. 83103–83171.

Paperwork Reduction Act (PRA), 44 U.S.C. §§ 3501–3520

DoD determined that this rule contains information collection requirements under the Act. 89 Fed. Reg. 83214.

Statutory authorization for the rule

DoD promulgated this rule pursuant to section 301 of title 5, United States Code.

Executive Order No. 12866 (Regulatory Planning and Review)

DoD stated that this rule is significant under the Order. See 89 Fed. Reg. 83193.

Executive Order No. 13132 (Federalism)

DoD determined that this rule does not have federalism implications. See 89 Fed. Reg. 83214.