Regulations Flashcards
Regulations
32 CFR Part 170
Formalizes the CMMC program rules for protecting FCI and CUI.
48 CFR Part 204
Defines DFARS rules that incorporate cybersecurity standards into DoD contracts.
48 CFR Part 3.502-1
Clarifies how CMMC requirements flow down to subcontractors.
1 CFR Part 51
Governs the incorporation of external standards, like NIST SP 800-171, into federal law.
32 CFR Part 2002
Establishes rules for protecting Controlled Unclassified Information (CUI) in federal and nonfederal systems.
FAR Clause 52.204-21
Outlines 15 basic safeguarding controls for protecting Federal Contract Information (FCI).
DFARS Clause 252.204-7012
Requires contractors to safeguard CUI and report cyber incidents to the DoD; mandates NIST SP 800-171 compliance for Level 2.
5 U.S.C. 301
Gives authority to department heads to establish regulations such as the CMMC program.
Public Law 116-92, Section 1648 (NDAA for FY 2020)
Directs the DoD to create a cybersecurity framework for the Defense Industrial Base (DIB).
Congressional Review Act (5 U.S.C. 801 et seq.)
Requires economically significant rules like CMMC to be submitted to Congress before taking effect.
Executive Orders 12866 and 13563
Direct agencies to assess the costs and benefits of regulations like CMMC to ensure maximum net benefits.
NIST SP 800-171 R2
Provides 110 security controls for protecting CUI in nonfederal systems, forming the foundation for CMMC Level 2.
NIST SP 800-172
Provides additional security controls for protecting highly sensitive CUI, forming the foundation for CMMC Level 3.
NIST SP 800-171A
Provides guidelines for assessing the controls in NIST SP 800-171 for compliance with CMMC Levels 2 and 3.
ISO/IEC 17011:2017
Specifies requirements for bodies providing accreditation, like the CMMC Accreditation Body.