DFARS 7021
Cybersecurity Maturity Model Certification Requirements
Update: The U.S. Department of War has published the long-awaited 48 CFR Final Rule, officially making the Cybersecurity Maturity Model Certification (CMMC) a binding requirement in defense contracts. The rule was published in the Federal Register on September 10, 2025. A 60-day window follows before clauses begin appearing in contracts, meaning contractors will see DFARS 252.204-7021 requirements starting November 10, 2025.
What is DFARS 7021?
DFARS 252.204-7021: Cybersecurity Maturity Model Certification Requirements is one of the released clauses in the DFARS 70 series, alongside 7012, 7019, and 7020. The addition of DFARS 7021 introduces the Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) requirements into the federal regulatory framework.
Effective as of November 30, 2020, the DFARS Interim Rule requires CMMC certification at the time of contract award or option year award if it is included in the acquisition/solicitation, and the certification must have been acquired within the previous three years (similar to the DFARS 7019 and 7020 reporting requirements). DFARS 7021 will therefore be included as a guiding requirement in solicitations and contracts going forward.
Similar to DFARS 7020, which requires contractors AND their subcontractors to enter a current assessment into the Supplier Performance Risk System (SPRS), the DFARS 7021 clause requires DoD contractors to maintain the appropriate CMMC level with respect to each contract, while also ensuring that any subcontractors are compliant with the same CMMC level; this is required for the duration of the contract. Lastly, suppliers must insert DFARS 7021 language into their subcontract agreements and documentation.
DFARS 7021 & CMMC: What Does This Mean for Me?
CMMC Framework for DFARS 7021
CMMC assessments will be conducted by Certified Third Party Organizations (C3PAOs), which are accredited by the Cyber AB. The Cyber AB has the ability to issue CMMC certificates upon completion of the assessment. The CMMC certificate awarded is given to the contractor, and the requisite information is posted in SPRS/eMASS.
DIB organizations that process, store, or transmit Controlled Unclassified Information (CUI) must achieve CMMC 2.0 Level 2 or higher; the required level depends on the sensitivity of the information associated with the program or technology being developed. CMMC 2.0 Level 2 consists of all 110 security requirements from NIST 800-171 and FedRAMP Moderate clouds.
The Federal Register explains CMMC compliance: "In order to achieve a specific CMMC level, a DIB company must demonstrate both process institutionalization or maturity and the implementation of practices commensurate with that level."
Note: Solicitations for the acquisition of Commercial Off The Shelf (COTS) items are exempt from DFARS 7021 and CMMC requirements.
Next Steps
If your organization handles Controlled Unclassified Information (CUI), DFARS 7021 requires that you meet the appropriate CMMC 2.0 level. Preparing for this means aligning your systems and processes with the 110 NIST 800-171 controls.
The fastest and most effective path to compliance is through a CMMC Enclave. Enclaves create a secure, compliant environment within Microsoft GCC High and Azure Government designed specifically for protecting CUI while minimizing disruption to your broader IT operations.
Summit 7’s CMMC Enclave Solution helps:
- Isolate and protect CUI in a dedicated, compliant space.
- Reduce complexity and risk across your entire organization.
- Accelerate your path to a successful CMMC certification.
Ensuring that both your organization and your subcontractors are aligned to CMMC requirements at time of award is critical.
Learn more about Summit 7’s Enclave solutions.