Questions about CUI? We've got a guide for you. Learn More
    Breaking News: DFARS 7021 is here! Get the latest information on when it will be in contracts.

    DFARS 252.204-7025: What it is, when it shows up, and what to expect 

    Learn about DFARS 252.204-7025 and its impact on CMMC requirements for defense contracts starting November 10, 2025.

    By
    4 Minutes Read

    CMMC becomes real for contracting officers on November 10, 2025.  

    Starting November 10th, a clause called DFARS 252.204-7021 will show up in contracts.  7021 requires defense contractors and their subcontractors to maintain a CMMC Certification at a level specified in their contract. 

    But the final CMMC rule also created a new provision you will start seeing in solicitations: DFARS 252.204-7025, titled “Notice of Cyber Security Maturity Model Certification Level Requirements.”  

    This provision does exactly what it says it does. DFARS 252.204-7025 simply puts you on notice about the CMMC requirement that will live in the 7021 clause of a contract. 

     

    Where 7025 fits in the DFARS “cyber series” 

    Federal acquisition regulations have followed a consistent pattern: 

    • A provision puts you on notice. 
    • A clause carries the obligation. 

    Another example of this in the DFARS series is 252.204.7008 making the reader aware of 7012 requirements. 

    Note: If you’re trying to make sense of how these are numbered, don’t. We’re pretty sure there was a dartboard or a bingo spinner involved.  

    For 252.204.2025, the text starts with standard DFARS instruction language for contracting officers. It references DFARS 204.7504, paragraph B, which tells them when and how to insert provisions and clauses. It says to use 252.204-7025 in solicitations that include 252.204-7021. 

    If you’ve seen 7021 pop up in a contract already, that was premature. Some contracting officers got ahead of themselves, so a memo and class deviation told folks hold off until the beginning of the phased rollout on November 10, 2025. From then on, when you see 7025 in a solicitation, you can recognize it as a heads-up that 7021 will be in your contract. DFARS_Graphic (2)

    The structure of DFARS 252.204.7025 

    7025 is short. There are three parts: Definitions in A, the core requirements in B, and POA&M and UIDs in C. 

    A. Definitions live in 7021

    This section simply points its key definitions back to the 7021 clause for terms like CUI, CMMC, CMMC UID, FCI, and POA&M. 

    It essentially says, “if you want the exact wording, refer to 7021. 7025 adopts those meanings.”

    B. What the solicitation will tell you up front

    1) The exact CMMC level 

    The solicitation will say, “The CMMC level required by this solicitation is ____.” The contracting officer fills in one of these options: 

    • CMMC Level 1 self-attestation 
    • CMMC Level 2 self-attestation 
    • CMMC Level 2 C3PAO 
    • CMMC Level 3 assessed by the government 

    It also specifies that level or higher is required for each contractor information system that will process or transmit federal contract information or CUI. This ties back to 32 CFR part 170. 

    2) Eligibility hinges on current status and annual affirmation 

    In addition to current CMMC status at the required level or higher for each relevant system, contractors will need a current annual affirmation in SPRS to qualify for these contracts. 

    There are three CMMC levels in the model. Assessments produce a status at one of those levels. 

    There are 7 statuses the system can reflect in SPRS: 

    • Final Level 1 self 
    • Conditional Level 2 self 
    • Final Level 2 self 
    • Conditional Level 2 C3PAO 
    • Final Level 2 C3PAO 
    • You will also have your certificate uploaded by your C3PAO to eMASS so the DoD KO can verify you have your certification.  
    • Conditional Level 3 (government assessment) 
    • Final Level 3 (government assessment) 

    A few things to know: 

    • Final statuses are valid for three years. Conditional statuses are valid for 180 days. 
    • There is no conditional status at Level 1. 
    • You must also complete an annual affirmation of continuous compliance in SPRS by a senior company official.  
    • Your three-year status can still be valid while your annual affirmation is not. You have to manage them individually. 

    For example:  

    If you were certified at Level 2 by a C3PAO in September 2025, you would need to log the annual affirmation in SPRS within 365 days. If you hit day 366 with no affirmation, the status remains, but the affirmation is not current.

    C. Conditional status and POA&Ms

    7025 says that if you have a conditional status, you must successfully close out a valid POA&M to reach a final status.  

    It also tells you to find details of how conditional status and POA&Ms work at 32 CFR 170.21. 

    Here are a few guardrails that matter during bidding and award: 

    • Only a subset of 1-point controls can live on a POA&M and only up to a limit, found in 32 CFR. 
    • Some requirements cannot be pushed to a POA&M 
      • Certain access controls and the development and maintenance of an SSP cannot be pushed.  
      • You will not be able to take award while punting those and the others listed in 32 CFR 170.21. 
    • There's a scoring constraint in play when conditional status is used: the organization’s assessment score divided by 110 Level 2 requirements cannot exceed 88/110. The point here is that a cap exists, and you should not assume you can park big gaps on a POA&M. 

    CMMC UIDs you must provide 

    7025 requires offerors to list the CMMC unique identifiers for each contractor information system that will process, store, or transmit FCI or CUI during performance. 

    A CMMC UID is a 10-digit alphanumeric identifier created per assessment and recorded in SPRS for each system scope. 

    You will include those UIDs in your proposal so the government knows exactly which scoped systems will hold its data. You must update the list when new UIDs are generated in SPRS. New assessments and new scope can trigger new UIDs. 

    SPRS provides UIDs after you enter results for self-assessments too. 

    The government is moving from little visibility to precise awareness of where its data lives. If there’s an incident, the paper trail points to the exact system scope you identified. 

    What 7025 does not try to do 

    7025 does not rewrite CMMC policy. It references 32 CFR part 170 for the program rules and 32 CFR for the government-wide CUI program.  

    It does not carry the phased rollout, waivers, or applicability logic. Those decisions live with inserting 7021 and will be covered separately. 

    Tl;dr here’s what 7025 does: 

    Essentially, DFARS 252.204-7025 will come up in solicitations to indicate what level of CMMC you would need to be awarded a contract. 7025 puts you on notice that you’ll have 7021 obligations in your contract while making a couple other clarifications. 

    • You must have a current status at or above that level and a current annual affirmation in SPRS. 
    • Conditional status is allowed within strict limits and must be closed out. 
    • You must provide and maintain the CMMC UIDs for the specific system scopes that will handle FCI or CUI. 

    For help navigating CMMC compliance and the myriad of rules that go with it, reach out to us with the form below. 

    Summit 7 Leadership

    Author

    Recommended For You