
Code · BILL · 116th Congress · H.R. 6395 (Enrolled) — To authorize appropriations for fiscal year 2021 for military activities of the Department of Defense, for military c... · Sec. 1742

Sec. 1742. Department of Defense cyber hygiene and Cybersecurity Maturity Model Certification framework


(a)(1) Not later than March 1, 2021, the Secretary of Defense, acting through the Chief Information Officer of the Department of Defense and the Commander, Joint Forces Headquarters-Department of Defense Information Network, shall assess each Department component against the Cybersecurity Maturity Model Certification (CMMC) framework and submit to the congressional defense committees a report that identifies each such component’s CMMC level and implementation of the cybersecurity practices and capabilities required in each of the levels of the CMMC framework.

(2) The report shall include, for each component that does not achieve at least level 3 status (referred to as good cyber hygiene in CMMC Model ver. 1.02), a determination as to whether and details as to how—
(A) such component will implement relevant security measures to achieve a desired CMMC or other appropriate capability and performance threshold prior to March 1, 2022; and
(B) such component will mitigate potential risks until such measures are implemented.

(3) Not later than 180 days after the submission of the report required under paragraph (1), the Comptroller General of the United States shall conduct an independent review of the report and provide a briefing to the congressional defense committees on the findings of the review.

(b) Not later than 180 days after the date of the enactment of this Act, the Secretary of Defense shall provide to the congressional defense committees a briefing regarding the plans of the Secretary to implement certain cybersecurity recommendations to ensure—
(1) the Chief Information Officer of the Department of Defense takes appropriate steps to ensure implementation of Department of Defense Cybersecurity Culture and Compliance Initiative (DC3I) tasks;
(2) Department components develop plans with scheduled completion dates to implement any remaining Cybersecurity Discipline Implementation Plan (CDIP) tasks overseen by the Chief Information Officer;
(3) the Deputy Secretary of Defense identifies a Department component to oversee the implementation of any CDIP tasks not overseen by the Chief Information Officer and reports on progress relating to such implementation;
(4) Department components accurately monitor and report information on the extent that users have completed Cyber Awareness Challenge training, as well as the number of users whose access to the Department network was revoked because such users have not completed such training;
(5) the Chief Information Officer ensures all Department components, including Defense Advanced Research Projects Agency (DARPA), require their users to take Cyber Awareness Challenge training; and
(6) the Chief Information Officer assesses the extent to which senior leaders of the Department have more complete information to make risk-based decisions, and revise the recurring reports (or develop a new report) accordingly, including information relating to the Department’s progress on implementing—
(A) cybersecurity practices identified in cyber hygiene initiatives; and
(B) cyber hygiene practices to protect Department networks from key cyberattack techniques.

(c) Of the funds authorized to be appropriated by this Act for fiscal year 2021 for implementation of the CMMC, not more than 60 percent of such funds may be obligated or expended until the Under Secretary of Defense for Acquisition and Sustainment delivers to the congressional defense committees a plan for implementation of the CMMC via requirements in procurement contracts, developed in coordination with the Principal Cyber Advisor and the Chief Information Officer of the Department of Defense. The plan shall include a timeline for pilot activities, a description of the planned relationship between the Department of Defense and the auditing or accrediting bodies, a funding and activity profile for the Defense Industrial Base Cybersecurity Assessment Center, and a description of efforts to ensure that the service acquisition executives and service program managers are equipped to implement the CMMC requirements and facilitate contractors’ meeting relevant requirements.