Current through November 30, 2024
Section 170.6 - [Effective 12/16/2024] CMMC PMO

(a) The Office of the Department of Defense Chief Information Officer (DoD CIO) Office of the Deputy CIO for Cybersecurity (DoD CIO(CS)) provides oversight of the CMMC Program and is responsible for establishing CMMC assessment, accreditation, and training requirements as well as developing and updating CMMC Program policies and implementing guidance.

(b) The CMMC PMO is responsible for monitoring the CMMC AB's performance of roles assigned in this rule and acting as necessary to address problems pertaining to effective performance.

(c) The CMMC PMO retains, on behalf of the DoD CIO(CS), the prerogative to review decisions of the CMMC Accreditation Body as part of its oversight of the CMMC program and evaluate any alleged conflicts of interest purported to influence the CMMC Accreditation Body's objectivity.

(d) The CMMC PMO is responsible for sponsoring necessary DCSA activities including FOCI risk assessment and Tier 3 security background investigations for the CMMC Ecosystem members as specified in §§ 170.8(b)(4) and (5), 170.9(b)(3) through (5), 170.11(b)(3) and (4), and 170.13(b)(3) and (4).

(e) The CMMC PMO is responsible for investigating and acting upon indications that an active CMMC Status has been called into question. Indications that may trigger investigative evaluations include, but are not limited to, reports from the CMMC Accreditation Body, a C3PAO, or anyone knowledgeable of the security processes and activities of the OSA. Investigative evaluations include, but are not limited to, reviewing pertinent assessment information, and exercising the right to conduct a DCMA DIBCAC assessment of the OSA, as provided for under the 48 CFR 252.204-7020.

(f) If a subsequent DCMA DIBCAC assessment shows that adherence to the provisions of this rule and the required CMMC Status have not been achieved or maintained, the DIBCAC results will take precedence over any pre-existing CMMC Status recorded in SPRS, or its successor capability. The DoD will update SPRS to reflect that the OSA is out of compliance and does not meet DoD CMMC requirements. If the OSA is working on an active contract requiring CMMC compliance, then standard contractual remedies will apply.