48 CFR ยง 252.204-7021 - Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement.

252.204-7021 Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement.

As prescribed in 204.7503(a) and (b), insert the following clause:

CONTRACTOR COMPLIANCE WITH THE CYBERSECURITY MATURITY MODEL CERTIFICATION LEVEL REQUIREMENT (NOV 2020)

(a) Scope. The Cybersecurity Maturity Model Certification (CMMC) CMMC is a framework that measures a contractor's cybersecurity maturity to include the implementation of cybersecurity practices and institutionalization of processes (see https://www.acq.osd.mil/cmmc/index.html).

(b) Requirements. The Contractor shall have a current (i.e. not older than 3 years) CMMC certificate at the CMMC level required by this contract and maintain the CMMC certificate at the required level for the duration of the contract.

(c) Subcontracts. The Contractor shall -

(1) Insert the substance of this clause, including this paragraph (c), in all subcontracts and other contractual instruments, including subcontracts for the acquisition of commercial items, excluding commercially available off-the-shelf items; and

(2) Prior to awarding to a subcontractor, ensure that the subcontractor has a current (i.e., not older than 3 years) CMMC certificate at the CMMC level that is appropriate for the information that is being flowed down to the subcontractor.

(End of clause)
[85 FR 61520, Sept. 29, 2020]

The following state regulations pages link to this page.