Cybersecurity (CMMC/NIST 800-171)

Cybersecurity Requirements. The Contractor shall implement and maintain cybersecurity controls sufficient to safeguard Controlled Unclassified Information (CUI) in accordance with the security requirements specified in NIST Special Publication 800-171 Revision 2, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations," and DFARS 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting." The Contractor shall: (a) provide adequate security on all covered contractor information systems that process, store, or transmit CUI; (b) report cyber incidents that affect a covered contractor information system or the CUI residing therein to the DoD Cyber Crime Center (DC3) within seventy-two (72) hours of discovery; (c) submit malicious software discovered and isolated in connection with a reported cyber incident to DC3; (d) preserve and protect images of all known affected information systems and all relevant monitoring and packet capture data for at least ninety (90) days to allow for forensic analysis; (e) achieve and maintain the appropriate Cybersecurity Maturity Model Certification (CMMC) level as specified in the contract requirements; and (f) flow down these requirements to all subcontractors that will process, store, or transmit CUI.