Regulations last checked for updates: Nov 25, 2024

Title 48 - Federal Acquisition Regulations System last revised: Nov 15, 2024
204.7500 - 204.7500 Scope of subpart.

(a) This subpart prescribes policies and procedures for including the Cybersecurity Maturity Model Certification (CMMC) level requirements in DoD contracts. CMMC is a framework that measures a contractor's cybersecurity maturity to include the implementation of cybersecurity practices and institutionalization of processes (see https://www.acq.osd.mil/cmmc/index.html).

(b) This subpart does not abrogate any other requirements regarding contractor physical, personnel, information, technical, or general administrative security operations governing the protection of unclassified information, nor does it affect requirements of the National Industrial Security Program.

204.7501 - 204.7501 Policy.

(a) The contracting officer shall include in the solicitation the required CMMC level, if provided by the requiring activity. Contracting officers shall not award a contract, task order, or delivery order to an offeror that does not have a current (i.e., not more than 3 years old) CMMC certificate at the level required by the solicitation.

(b) Contractors are required to achieve, at time of award, a CMMC certificate at the level specified in the solicitation. Contractors are required to maintain a current (i.e., not more than 3 years old) CMMC certificate at the specified level, if required by the statement of work or requirement document, throughout the life of the contract, task order, or delivery order. Contracting officers shall not exercise an option period or extend the period of performance on a contract, task order, or delivery order, unless the contract has a current (i.e., not more than 3 years old) CMMC certificate at the level required by the contract, task order, or delivery order.

(c) The CMMC Assessments shall not duplicate efforts from any other comparable DoD assessment, except for rare circumstances when a re-assessment may be necessary such as, but not limited to when there are indications of issues with cybersecurity and/or compliance with CMMC requirements.

204.7502 - 204.7502 Procedures.

(a) When a requiring activity identifies a requirement for a contract, task order, or delivery order to include a specific CMMC level, the contracting officer shall not—

(1) Award to an offeror that does not have a CMMC certificate at the level required by the solicitation; or

(2) Exercise an option or extend any period of performance on a contract, task order, or delivery order unless the contractor has a CMMC certificate at the level required by the contract.

(b) Contracting officers shall use Supplier Performance Risk System (SPRS) (https://www.sprs.csd.disa.mil/) to verify an offeror or contractor's CMMC level.

204.7503 - 204.7503 Contract clause.

Use the clause at 252.204-7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirement, as follows:

(a) Until September 30, 2025, in solicitations and contracts or task orders or delivery orders, including those using FAR part 12 procedures for the acquisition of commercial products and commercial services, except for solicitations and contracts or orders solely for the acquisition of commercially available off-the-shelf (COTS) items, if the requirement document or statement of work requires a contractor to have a specific CMMC level. In order to implement a phased rollout of CMMC, inclusion of a CMMC requirement in a solicitation during this time period must be approved by OUSD(A&S).

(b) On or after October 1, 2025, in all solicitations and contracts or task orders or delivery orders, including those using FAR part 12 procedures for the acquisition of commercial products and commercial services, except for solicitations and contracts or orders solely for the acquisition of COTS items.

[85 FR 61519, Sept. 29, 2020, as amended at 88 FR 6581, Jan. 31, 2023]
authority: 41 U.S.C. 1303 and 48 CFR chapter 1
source: 56 FR 36289, July 31, 1991, unless otherwise noted.
cite as: 48 CFR 204.7503