48 C.F.R. §§ 252.204-7021

Current through October 31, 2024
Section 252.204-7021 - Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement

As prescribed in 204.7503(a) and (b), insert the following clause:

Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirement (JAN 2023)

(a)Scope. The Cybersecurity Maturity Model Certification (CMMC) CMMC is a framework that measures a contractor's cybersecurity maturity to include the implementation of cybersecurity practices and institutionalization of processes (see https://www.acq.osd.mil/cmmc/index.html).
(b)Requirements. The Contractor shall have a current (i.e. not older than 3 years) CMMC certificate at the CMMC level required by this contract and maintain the CMMC certificate at the required level for the duration of the contract.
(c)Subcontracts. The Contractor shall-
(1) Insert the substance of this clause, including this paragraph (c), in all subcontracts and other contractual instruments, including subcontracts for the acquisition of commercial products or commercial services, excluding commercially available off-the-shelf items; and
(2) Prior to awarding to a subcontractor, ensure that the subcontractor has a current (i.e., not older than 3 years) CMMC certificate at the CMMC level that is appropriate for the information that is being flowed down to the subcontractor.

(End of clause)

48 C.F.R. §§252.204-7021

85 FR 61520 , Sept. 29, 2020, as amended at 88 FR 6589 , Jan. 31, 2023
85 FR 61520 , 11/30/2020; as amended at 88 FR 6589 , 1/31/2023