DEV
This clause is modified by 2 active class deviations
- 2026-O0043 — DFARS RFO Implementation (Part 4)
- 2026-O0025 — DFARS RFO Implementation (Part 40)
252.204-7025 Notice of Cybersecurity Maturity Model Certification Level Requirements. As prescribed in 204.7504(b), use the following provision: Notice of Cybersecurity Maturity Model Certification Level Requirements (NOV 2025) (a) Definitions. As used in this provision, controlled unclassified information (CUI), current, Cybersecurity Maturity Model Certification (CMMC) status, Cybersecurity Maturity Model Certification unique identifier (CMMC UID), Federal contract information (FCI), and Plan of action and milestones have the meaning given in the Defense Federal Acquisition Regulation Supplement 252.204-7021, Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirements, clause of this solicitation. (b)(1) Cybersecurity Maturity Model Certification (CMMC) level. The CMMC level required by this solicitation is: ___ [Contracting Officer insert: CMMC Level 1 (Self); CMMC Level 2 (Self); CMMC Level 2 (C3PAO); or CMMC Level 3 (DIBCAC)]. This CMMC level, or higher (see 32 CFR part 170), is required prior to award for each contractor information system that will process, store, or transmit Federal contract information (FCI) or controlled unclassified information (CUI) during performance of the contract. (2) The Offeror will not be eligible for award of a contract, task order, or delivery order resulting from this solicitation if the Offeror does not have, for each of the contractor information systems that will process, store, or transmit FCI or CUI and that will be used in performance of a contract resulting from this solicitation— (i) The current CMMC status entered in the Supplier Performance Risk System (SPRS) ( https://piee.eb.mil ) at the CMMC level required by paragraph (b)(1) of this provision; and (ii) A current affirmation of continuous compliance with the security requirements identified at 32 CFR part 170 in SPRS. (c) Plan of action and milestones. If the Offeror has a CMMC Status of Conditional, the Offeror shall successfully close out a valid plan of action and milestones (32 CFR 170.21) to achieve a CMMC Status of Final. (d) CMMC unique identifiers. The Offeror shall provide, in the proposal, the CMMC unique identifier(s) (CMMC UIDs) issued by SPRS for each contractor information system that will process, store, or transmit FCI or CUI during performance of a contract, task order, or delivery order resulting from this solicitation. The Offeror also shall update the list when new CMMC UIDs are generated in SPRS. The CMMC UIDs are provided in SPRS after the Offeror enters the results of self-assessment(s) for each such information system. (End of provision) [90 FR 43577, Sept. 10, 2025]
Change History
| Date | Authority | Type | Summary |
|---|---|---|---|
| detected 2026-03-19 | CLAUSE_MODIFIED | Modified: (2), (a), (b), (c), (d) and 2 more paragraphs updated | |
View diff--- 2025-10-24 00:00:00 +++ 2025-11-10 00:00:00 @@ -1,3 +1,43 @@ -252.204-7025 xxx +252.204-7025 Notice of Cybersecurity Maturity Model Certification Level Requirements. -Link to an amendment published at 90 FR 43577, Sept. 10, 2025.+As prescribed in 204.7504(b), use the following provision: + +Notice of Cybersecurity Maturity Model Certification Level Requirements (NOV 2025) + +(a) +Definitions. +As used in this provision, +controlled unclassified information (CUI), current, + +Cybersecurity Maturity Model Certification (CMMC) status, Cybersecurity Maturity Model Certification unique identifier (CMMC UID), + +Federal contract information (FCI), +and +Plan of action and milestones +have the meaning given in the Defense Federal Acquisition Regulation Supplement 252.204-7021, Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirements, clause of this solicitation. + +(b)(1) +Cybersecurity Maturity Model Certification (CMMC) level. +The CMMC level required by this solicitation is: ___ +[Contracting Officer insert: CMMC Level 1 (Self); CMMC Level 2 (Self); CMMC Level 2 (C3PAO); or CMMC Level 3 (DIBCAC)]. +This CMMC level, or higher (see 32 CFR part 170), is required prior to award for each contractor information system that will process, store, or transmit Federal contract information (FCI) or controlled unclassified information (CUI) during performance of the contract. + +(2) The Offeror will not be eligible for award of a contract, task order, or delivery order resulting from this solicitation if the Offeror does not have, for each of the contractor information systems that will process, store, or transmit FCI or CUI and that will be used in performance of a contract resulting from this solicitationâ + +(i) The current CMMC status entered in the Supplier Performance Risk System (SPRS) ( +https://piee.eb.mil +) at the CMMC level required by paragraph (b)(1) of this provision; and + +(ii) A current affirmation of continuous compliance with the security requirements identified at 32 CFR part 170 in SPRS. + +(c) +Plan of action and milestones. +If the Offeror has a CMMC Status of Conditional, the Offeror shall successfully close out a valid plan of action and milestones (32 CFR 170.21) to achieve a CMMC Status of Final. + +(d) +CMMC unique identifiers. +The Offeror shall provide, in the proposal, the CMMC unique identifier(s) (CMMC UIDs) issued by SPRS for each contractor information system that will process, store, or transmit FCI or CUI during performance of a contract, task order, or delivery order resulting from this solicitation. The Offeror also shall update the list when new CMMC UIDs are generated in SPRS. The CMMC UIDs are provided in SPRS after the Offeror enters the results of self-assessment(s) for each such information system. + +(End of provision) + +[90 FR 43577, Sept. 10, 2025] |
|||
RFO
Prescription superseded under the RFO
The prescription shown below is from the codified eCFR. The Revolutionary FAR Overhaul relocates this clause's prescription as follows:
-
204.7504→240.371-5(prescriptive text also revised)
See the deviation memorandum for the current prescription authority.
View deviation: 2026-O0043 → · View deviation: 2026-O0025 →R-DFARS Prescription Source
This clause is prescribed in the R-DFARS by the following deviation:
-
2026-O0025
— DFARS RFO Implementation (Part 40)
(DFARS Part 240)
Add clause 252.204-7025
204.7504(b)
(b) Use the provision at 252.204-7025, Notice of Cybersecurity Maturity Model Certification Level Requirements, in solicitations that include the clause at 252.204-7021.
Prescription data sourced from eCFR as of 2026-06-10 03:16 UTC.
Cross-references within the prescription are not resolved automatically.
Regulatory Stack
The layers of regulation that govern this clause, from the FAR prescription through agency-specific supplements and any active deviations.
R-DFARS
R-DFARS Prescription
Per Deviation 2026-O0025 (DFARS Part 240)
2026-O0025: DFARS RFO Implementation (Part 40) — DFARS Part 240
DFARS
DFARS Supplement (eCFR)
⚠ May be superseded by RFO
204.7504(b)
(b) Use the provision at 252.204-7025, Notice of Cybersecurity Maturity Model Certification Level Requirements, in solicitations that include the clause at 252.204-7021.
Version History
Version history is sourced from the codified eCFR. Changes published only as class deviations or by the Revolutionary FAR Overhaul do not appear here until they are incorporated into the eCFR. For RFO-driven changes see the RFO Version tab and any active deviations cited above.
No version history available from eCFR.
Active Class Deviations
Use with AI assistant
Copy a link and prompt for use with Gemini or another AI assistant.