What is DFARS 7021?
DFARS 252.204-7021: Cybersecurity Maturity Model Certification Requirements is one of the three released clauses in the DFARS 70 series (7012, 7019, 7020). The Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) requirements are introduced into the federal regulatory framework with the addition of DFARS 7021.
Effective as of November 30, 2020, The DFARS Interim Rule is set to require CMMC certification at the time of contract award or option year award if included in the acquisition/solicitation, and the certification must be acquired in the previous three years (similar to DFARS 7019 and 7020 reporting requirements). Therefore, DFARS 7021 will be included as guiding requirements for use in solicitations and contracts going forward.
Similar to DFARS 7020 requiring contractors AND their subcontractors to enter a current assessment into the Supplier Performance Risk System (SPRS), the DFARS 7021 clause requires DoD contractors to maintain the appropriate CMMC level with respect to each contract, while also ensuring any subcontractors are compliant to the same CMMC level; this will be required for the duration of the contract. Lastly, suppliers must insert DFARS 7021 language into their subcontract agreements and documentation.
DFARS 7021 & CMMC
CMMC Framework for DFARS 7021
CMMC assessments will be conducted by Certified Third Party Organizations (C3PAO), which are accredited by the Cyber AB. The Cyber AB will have the ability to issue CMMC certificates upon completion of the assessment. The CMMC certificate awarded will be given to the contractor and the requisite information will be posted in SPRS.
DIB organizations that process, store, or transmit Controlled Unclassified Information (CUI) must achieve CMMC 2.0 Level 2 or higher; this is dependent on the sensitivity of the information associated with the program or technology being developed. below, CMMC 2.0 Level 2 consists of all 110 security requirements from NIST 800-171.
The Federal Register explains CMMC compliance: "In order to achieve a specific CMMC level, a DIB company must demonstrate both process institutionalization or maturity and the implementation of practices commensurate with that level."
Note: Solicitations for the acquisition of Commercial Off The Shelf (COTS) items are exempt from DFARS 7021 and CMMC requirements.
If not already, your organization's information systems and organizational processes need to be configured or aligned to the 110 NIST 800-171 controls to prepare for DFARS 7021/CMMC. If your organization is handling Controlled Unclassified Information (CUI) then you will need to become CMMC 2.0 Level 2 (or higher) compliant.
Summit 7 has developed a CMMC 2.0 Level 2 solution set within Microsoft GCC High and Azure Government to help companies in the Defense Industrial Base prepare for CMMC compliance.
Ensuring that your organization, as well as your subcontractors, are CMMC compliant to the level that your contract requires at time of contract award is critical. If you have not already, begin communicating with your current suppliers and vendors to make them aware of future requirements and track the status of each subcontractor.
Click here to access the Supplier Performance Risk System (SPRS). If you do not have an account with SPRS, you will need to request access through the Procurement Integrated Enterprise Environment (PIEE).
Click here to access the PIEE. You will need a certificate to register / authenticate to PIEE / SPRS.
For assistance in meeting DFARS 7021 and other requirements for Department of Defense suppliers with/in Microsoft 365 and Azure, contact the Summit 7 team below.