DFARS 252.204-7021: Cybersecurity Maturity Model Certification Requirements
Overview
This clause implements the CMMC program, requiring contractors to achieve a specified CMMC level before contract award. CMMC Level 1 requires basic safeguarding, Level 2 requires NIST 800-171 compliance (assessed by a C3PAO), and Level 3 requires enhanced security controls. The CMMC program is being phased in across DoD contracts starting in 2025.
When Does This Apply?
DoD contracts that specify a required CMMC level. Currently being phased in, with full implementation expected by 2028.
Key Requirements
- Achieve the specified CMMC level before contract award
- Maintain certification throughout contract performance
- Undergo C3PAO assessment for Level 2 and above
- Self-assessment option for Level 1 only
- Flow down CMMC requirements to subcontractors handling CUI
Flowdown to Subcontractors
Yes — DFARS 252.204-7021 flows down to subcontractors. All subcontractors in the supply chain must comply with this clause when applicable.
Frequently Asked Questions
What is DFARS 252.204-7021?
DFARS 252.204-7021 (Cybersecurity Maturity Model Certification Requirements): This clause implements the CMMC program, requiring contractors to achieve a specified CMMC level before contract award. CMMC Level 1 requires basic safeguarding, Level 2 requires NIST 800-171 complian
Does DFARS 252.204-7021 flow down to subcontractors?
Yes, DFARS 252.204-7021 flows down to subcontractors. All applicable subcontractors must comply with this clause.
When does DFARS 252.204-7021 apply?
DoD contracts that specify a required CMMC level. Currently being phased in, with full implementation expected by 2028.