February 26, 2024

They address: ● Our appreciation for the DoD’s recognition of the proper overall relationship between the CMMC Program and fundamental research, but also the work that remains to clarify the possible application of program requirements to edge cases; ● The importance of integrating prior DoD guidance on CUI designation and marking into the program regulations to improve the ability of DoD contract. [...] Appropriate Treatment of Fundamental Research In prior comments1 on the CMMC Program, our associations noted that the proposed treatment of “fundamental research”—the definition of which the DoD rightly identifies in the current rulemaking as deriving from National Security Decision Directive 189 (NSDD-189)2—in relation to the program ran counter to the nature of such research and the DoD’s histor. [...] If institutions have to consider utilizing different service providers specifically because the CMMC Program regulations inappropriately treat SPD as CUI, the overall security of the institution and of the CUI that the DoD seeks to protect will be negatively impacted given the difficulty that will create for developing a holistic view of the threat environment facing the institution. [...] With this in mind, we recommend that the DoD modify the requirement in the proposed rule for Certified Third-Party Assessment Organizations (C3PAOs) that concerns the composition of assessment teams (see the proposed 32 CFR 170.9(b)(13).20 This provision should require that the “Lead CCA” for an assessment team have industry-specific knowledge and experience in relation to the industry in which th. [...] The rulemaking notice does not discuss the rationale for this minimum requirement; given that the proposed rule generally indicates that CMMC certification levels will be set in relation to the FCI or CUI in question, it would help potential subcontractors if the DoD provided a clear explanation of the reasoning behind the minimum certification requirement for subcontractors in the Level 3 context.