Regulations last checked for updates: May 18, 2024

Title 48 - Federal Acquisition Regulations System last revised: May 14, 2024
All TitlesTitle 48Chapter 2Part 252Subpart 252.2 - Subpart 252.2—Text of Provisions and Clauses
View all text of Subpart 252.2 [252.201-7000 - 252.251-7001]
252.204-7021 - 252.204-7021 Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement.

As prescribed in 204.7503(a) and (b), insert the following clause:

Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirement (JAN 2023)

(a) Scope. The Cybersecurity Maturity Model Certification (CMMC) CMMC is a framework that measures a contractor's cybersecurity maturity to include the implementation of cybersecurity practices and institutionalization of processes (see https://www.acq.osd.mil/cmmc/index.html).

(b) Requirements. The Contractor shall have a current (i.e. not older than 3 years) CMMC certificate at the CMMC level required by this contract and maintain the CMMC certificate at the required level for the duration of the contract.

(c) Subcontracts. The Contractor shall—

(1) Insert the substance of this clause, including this paragraph (c), in all subcontracts and other contractual instruments, including subcontracts for the acquisition of commercial products or commercial services, excluding commercially available off-the-shelf items; and

(2) Prior to awarding to a subcontractor, ensure that the subcontractor has a current (i.e., not older than 3 years) CMMC certificate at the CMMC level that is appropriate for the information that is being flowed down to the subcontractor.

 (End of clause) [85 FR 61520, Sept. 29, 2020, as amended at 88 FR 6589, Jan. 31, 2023]
authority: 41 U.S.C. 1303 and 48 CFR chapter 1
source: 56 FR 36479, July 31, 1991, unless otherwise noted.
cite as: 48 CFR 252.204-7021
© 2014 CustomsMobile | Disclaimer | Privacy | About