DFARS 252.204-7021: Cybersecurity Maturity Model Certification Requirements is one of the three released clauses in the DFARS 70 series (7012, 7019, 7020). The Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) requirements are introduced into the federal regulatory framework with the addition of DFARS 7021.
Effective as of November 30, 2020, the DFARS Interim Rule is set to require CMMC certification at the time of contract award or option-year award if it is included in the acquisition/solicitation, and the certification must have been acquired within the previous three years (similar to the DFARS 7019 and 7020 reporting requirements). Therefore, DFARS 7021 will be included as a guiding requirement for use in solicitations and contracts until September 30, 2025.
Similar to DFARS 7020, which requires contractors AND their subcontractors to enter a current assessment into the Supplier Performance Risk System (SPRS), the DFARS 7021 clause requires DoD contractors to maintain the appropriate CMMC level with respect to each contract, while also ensuring that any subcontractors are compliant with the same CMMC level; this is required for the duration of the contract. According to the Federal Register, the decision to require certification at the time of contract award is subject to reevaluation via public comments. Lastly, suppliers must insert the DFARS 7021 language into their subcontract agreements and documentation.
CMMC assessments will be conducted by Certified Third Party Organizations (C3PAO), which are accredited by the Cyber AB. The Cyber AB will have the ability to issue CMMC certificates upon completion of the assessment. The CMMC certificate awarded will be given to the contractor and the requisite information will be posted in SPRS.
DIB organizations that process, store, or transmit Controlled Unclassified Information (CUI) must achieve CMMC 2.0 Level 2 or higher; the required level depends on the sensitivity of the information associated with the program or technology being developed. CMMC 2.0 Level 2 consists of all 110 security requirements from NIST 800-171.
The Federal Register explains CMMC compliance: "In order to achieve a specific CMMC level, a DIB company must demonstrate both process institutionalization or maturity and the implementation of practices commensurate with that level."
Note: Solicitations for the acquisition of Commercial Off The Shelf (COTS) items are exempt from DFARS 7021 and CMMC requirements.
If they are not already, your organization's information systems and organizational processes need to be configured or aligned to the 110 NIST 800-171 controls to prepare for DFARS 7021/CMMC. If your organization handles Controlled Unclassified Information (CUI), then you will need to become CMMC 2.0 Level 2 (or higher) compliant.
Summit 7 has developed a CMMC 2.0 Level 2 solution set within Microsoft GCC High and Azure Government to help companies in the Defense Industrial Base prepare for CMMC compliance.
Ensuring that your organization, as well as your subcontractors, is CMMC compliant to the level that your contract requires at the time of contract award is critical. If you have not already, begin communicating with your current suppliers and vendors to make them aware of the upcoming requirements, and track the status of each subcontractor.
Public comments can be submitted to the Department of Defense for DFARS 7021 and the Interim Rule by:
Click here to access the Supplier Performance Risk System (SPRS). If you do not have an account with SPRS, you will need to request access through the Procurement Integrated Enterprise Environment (PIEE). Click here to access the PIEE. You will need a certificate to register and authenticate with PIEE and SPRS.
For assistance in meeting DFARS 7021 and other requirements for Department of Defense suppliers within Microsoft 365 and Azure, contact the Summit 7 team here.
If you still have questions about the DFARS 70 Series, or you would like to discuss something else, please do not hesitate to reach out to us.
Here are some ways you can stay connected to the Summit 7 team and hear the latest on all things security and compliance: