Code of Federal Regulations (Last Updated: May 6, 2024) |
Title 48 - Federal Acquisition Regulations System |
Chapter 2 - Defense Acquisition Regulations System, Department of Defense |
SubChapter H - Clauses and Forms |
Part 252 - Solicitation Provisions and Contract Clauses |
Subpart 252.2 - Text of Provisions And Clauses |
§ 252.204-7021 - xxx
-
252.204-7021 Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement.
As prescribed in 204.7503(a) and (b), insert the following clause:
CONTRACTOR COMPLIANCE WITH THE CYBERSECURITY MATURITY MODEL CERTIFICATION LEVEL REQUIREMENT (NOV 2020Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirement (JAN 2023)
(a) Scope. The Cybersecurity Maturity Model Certification (CMMC) CMMC is a framework that measures a contractor's cybersecurity maturity to include the implementation of cybersecurity practices and institutionalization of processes (see https://www.acq.osd.mil/cmmc/index.html).
(b) Requirements. The Contractor shall have a current (i.e. not older than 3 years) CMMC certificate at the CMMC level required by this contract and maintain the CMMC certificate at the required level for the duration of the contract.
(c) Subcontracts. The Contractor shall -
(1) Insert the substance of this clause, including this paragraph (c), in all subcontracts and other contractual instruments, including subcontracts for the acquisition of commercial itemsproducts or commercial services, excluding commercially available off-the-shelf items; and
(2) Prior to awarding to a subcontractor, ensure that the subcontractor has a current (i.e., not older than 3 years) CMMC certificate at the CMMC level that is appropriate for the information that is being flowed down to the subcontractor.
(End of clause)
[85 FR 61520, Sept. 29, 2020, as amended at 88 FR 6589, Jan. 31, 2023]