A community resource for the acquisition workforce not a .gov website
part52.dev Federal Acquisition Clause Monitor

PGI 252.204-7025: Notice of Cybersecurity Maturity Model Certification Level Requirements.

PGIPart 252 › PGI 252.204-7025

This PGI section supplements: DFARS 252.204-7025 · FAR 52.204-7025
The corresponding FAR Part 52 and DFARS Part 252 have been overhauled under the RFO. PGI replacement text is provided in the RFO deviation attachment. View FAR Part 52

Current Content

As prescribed in 204.7504(b), use the following provision:

NOTICE OF CYBERSECURITY MATURITY MODEL CERTIFICATION LEVEL REQUIREMENTS (NOV 2025)

(a) Definitions. As used in this provision, “controlled unclassified information (CUI),” “current,” “Cybersecurity Maturity Model Certification (CMMC) status,” “Cybersecurity Maturity Model Certification unique identifier (CMMC UID),” “Federal contract information (FCI)”, and “plan of action and milestones” have the meaning given in the Defense Federal Acquisition Regulation Supplement 252.204-7021, Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirements, clause of this solicitation.

(b)(1) Cybersecurity Maturity Model Certification (CMMC) level. The CMMC level required by this solicitation is: ____________ Contracting Officer insert: CMMC Level 1 (Self); CMMC Level 2 (Self); CMMC Level 2 (C3PAO); or CMMC Level 3 (DIBCAC). This CMMC level, or higher (see 32 CFR part 170), is required prior to award for each contractor information system that will process, store, or transmit Federal contract information (FCI) or controlled unclassified information (CUI) during performance of the contract.

(2) The Offeror will not be eligible for award of a contract, task order, or delivery order resulting from this solicitation if the Offeror does not have, for each of the contractor information systems that will process, store, or transmit FCI or CUI and that will be used in performance of a contract resulting from this solicitation—

(i) The current CMMC status entered in the Supplier Performance Risk System (SPRS) (https://piee.eb.mil) at the CMMC level required by paragraph (b)(1) of this provision; and

(ii) A current affirmation of continuous compliance with the security requirements identified at 32 CFR part 170 in SPRS.

(c) Plan of action and milestones. If the Offeror has a CMMC Status of Conditional, the Offeror shall successfully close out a valid plan of action and milestones (32 CFR 170.21) to achieve a CMMC Status of Final.

(d) CMMC unique identifiers. The Offeror shall provide, in the proposal, the CMMC unique identifier(s) (CMMC UIDs) issued by SPRS for each contractor information system that will process, store, or transmit FCI or CUI during performance of a contract, task order, or delivery order resulting from this solicitation. The Offeror also shall update the list when new CMMC UIDs are generated in SPRS. The CMMC UIDs are provided in SPRS after the Offeror enters the results of self-assessment(s) for each such information system.

(End of provision)

Sources: Search on acquisition.gov · View on acq.osd.mil