## SEC. 1742. DEPARTMENT OF DEFENSE CYBER HYGIENE AND CYBERSECURITY MATURITY MODEL CERTIFICATION FRAMEWORK
### (a) Cyber Security Practices and Capabilities in the Department of Defense

#### (1) In general

Not later than March 1, 2021, the Secretary of Defense, acting through the Chief Information Officer of the Department of Defense and the Commander, Joint Forces Headquarters-Department of Defense Information Network, shall assess each Department component against the Cybersecurity Maturity Model Certification (CMMC) framework and submit to the congressional defense committees a report that identifies each such component’s CMMC level and implementation of the cybersecurity practices and capabilities required in each of the levels of the CMMC framework. The report shall include, for each component that does not achieve at least level 3 status (referred to as “good cyber hygiene” in CMMC Model ver. 1.02), a determination as to whether and details as to how—

(A) such component will implement relevant security measures to achieve a desired CMMC or other appropriate capability and performance threshold prior to March 1, 2022; and

(B) such component will mitigate potential risks until such measures are implemented.

#### (2) Comptroller General report required

Not later than 180 days after the submission of the report required under paragraph (1), the Comptroller General of the United States shall conduct an independent review of the report and provide a briefing to the congressional defense committees on the findings of the review.

### (b) Briefing on Implementation of Certain Cybersecurity Recommendations

Not later than 180 days after the date of the enactment of this Act, the Secretary of Defense shall provide to the congressional defense committees a briefing regarding the plans of the Secretary to implement certain cybersecurity recommendations to ensure—

(1) the Chief Information Officer of the Department of Defense takes appropriate steps to ensure implementation of Department of Defense Cybersecurity Culture and Compliance Initiative (DC3I) tasks;

(2) Department components develop plans with scheduled completion dates to implement any remaining Cybersecurity Discipline Implementation Plan (CDIP) tasks overseen by the Chief Information Officer;

(3) the Deputy Secretary of Defense identifies a Department component to oversee the implementation of any CDIP tasks not overseen by the Chief Information Officer and reports on progress relating to such implementation;

(4) Department components accurately monitor and report information on the extent that users have completed Cyber Awareness Challenge training, as well as the number of users whose access to the Department network was revoked because such users have not completed such training;

(5) the Chief Information Officer ensures all Department components, including Defense Advanced Research Projects Agency (DARPA), require their users to take Cyber Awareness Challenge training; and

(6) the Chief Information Officer assesses the extent to which senior leaders of the Department have more complete information to make risk-based decisions, and revise the recurring reports (or develop a new report) accordingly, including information relating to the Department’s progress on implementing—

(A) cybersecurity practices identified in cyber hygiene initiatives; and

(B) cyber hygiene practices to protect Department networks from key cyberattack techniques.

### (c) Cybersecurity Maturity Model Certification Funding Limitation

Of the funds authorized to be appropriated by this Act for fiscal year 2021 for implementation of the CMMC, not more than 60 percent of such funds may be obligated or expended until the Under Secretary of Defense for Acquisition and Sustainment delivers to the congressional defense committees a plan for implementation of the CMMC via requirements in procurement contracts, developed in coordination with the Principal Cyber Advisor and the Chief Information Officer of the Department of Defense. The plan shall include a timeline for pilot activities, a description of the planned relationship between Department of Defense and the auditing or accrediting bodies, a funding and activity profile for the Defense Industrial Base Cybersecurity Assessment Center, and a description of efforts to ensure that the service acquisition executives and service program managers are equipped to implement the CMMC requirements and facilitate contractors’ meeting relevant requirements.