§ 170.2 - Incorporation by reference.
Certain material is incorporated by reference into this part with the approval of the Director of the Federal Register under 5 U.S.C. 552(a) and 1 CFR part 51. Material approved for incorporation by reference (IBR) is available for inspection at the Department of Defense (DoD) and at the National Archives and Records Administration (NARA). Contact DoD online: https://DoDcio.defense.gov/CMMC/; email: [email protected]; or phone: (202) 770-9100. For information on the availability of this material at NARA, visit: www.archives.gov/federal-register/cfr/ibr-locations or email: [email protected]. The material may be obtained from the following sources:
(a) National Institute of Standards and Technology, U.S. Department of Commerce, 100 Bureau Drive, Gaithersburg, MD 20899; phone: (301) 975-8443; website: https://csrc.nist.gov/publications/.
(1) FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006 (FIPS PUB 200 Mar2006); IBR approved for § 170.4(b).
(2) FIPS PUB 201-3, Personal Identity Verification (PIV) of Federal Employees and Contractors, January 2022 (FIPS PUB 201-3 Jan2022); IBR approved for § 170.4(b).
(3) SP 800-37, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, Revision 2, December 2018 (NIST SP 800-37 R2); IBR approved for § 170.4(b).
(4) SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, March 2011 (NIST SP 800-39 Mar2011); IBR approved for § 170.4(b).
(5) SP 800-53, Security and Privacy Controls for Information Systems and Organizations, Revision 5, September 2020 (includes updates as of December 10, 2020) (NIST SP 800-53 R5); IBR approved for § 170.4(b).
(6) SP 800-82r3, Guide to Operational Technology (OT) Security, September 2023 (NIST SP 800-82r3); IBR approved for § 170.4(b).
(7) SP 800-115, Technical Guide to Information Security Testing and Assessment, September 2008 (NIST SP 800-115 Sept2008); IBR approved for § 170.4(b).
(8) SP 800-160, Volume 2, Developing Cyber-Resilient Systems: A Systems Security Engineering Approach, Revision 1, December 2021 (NIST SP 800-160 V2R1); IBR approved for § 170.4(b).
(9) SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, Revision 2, February 2020 (includes updates as of January 28, 2021), (NIST SP 800-171 R2); IBR approved for §§ 170.4(b) and 170.14(a) through (c).
(10) SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, June 2018 (NIST SP 800-171A Jun2018); IBR approved for §§ 170.11(a), 170.14(d), 170.15(c), 170.16(c), 170.17(c), and 170.18(c).
(11) SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171, February 2021 (NIST SP 800-172 Feb2021); IBR approved for §§ 170.4(b), 170.5(a), and 170.14(a) and (c).
(12) SP 800-172A, Assessing Enhanced Security Requirements for Controlled Unclassified Information, March 2022 (NIST SP 800-172A Mar2022); IBR approved for §§ 170.4(b), 170.14(d), and 170.18(c).
(b) International Organization for Standardization (ISO) Chemin de Blandonnet 8, CP 401—1214 Vernier, Geneva, Switzerland; phone: +41 22 749 01 11; website: www.iso.org/popular-standards.html.
(1) ISO/IEC 17011:2017(E), Conformity assessment—Requirements for accreditation bodies accrediting conformity assessment bodies, Second edition, November 2017 (ISO/IEC 17011:2017(E)); IBR approved for §§ 170.8(b)(3), 170.9(b)(13), and 170.10(b)(4).
(2) ISO/IEC 17020:2012(E), Conformity assessment—Requirement for the operation of various types of bodies performing inspection, Second edition, March 1, 2012 (ISO/IEC 17020:2012(E)); IBR approved for §§ 170.8(a), (b)(1), (b)(3) and 170.9(b)(2) and (b)(13).
(3) ISO/IEC 17024:2012(E), Conformity assessment—General requirements for bodies operating certification of persons, second edition, July 1, 2012 (ISO/IEC 17024:2012(E)); IBR approved for §§ 170.8(b)(2) and 170.10(a) and (b)(4), (7), and (8).
Note 1 to paragraph (b): The ISO/IEC standards incorporated by reference in this part may be viewed at no cost in “read only” format at https://ibr.ansi.org.