The FAR, DFARS, and Agency Supplements do not specifically address or state that CORs must have the same clearance level as the contract. However, the new Department of Defense Instruction for CORs will, most likely, have a statement requiring this. The Instruction is still in draft form and not yet published.
The real guidance resides in DoD Security Instructions and Regulations (DoDI 5200.01 and 5200.1-R). Which, depending on your scenario, may require the COR to have at least the same clearance level as information being shared or generated under the contract. The questions that need to be considered is whether the COR will require or have a need to know or access any classified information developed, shared, or delivered under the contract? Will the COR be able to effectively accomplish COR duties if they do not have that access?