DFARS 7021: The Contractual Shift to CMMC 2.0 Compliance

The Department of Defense has officially moved forward with implementing the Cybersecurity Maturity Model Certification (CMMC) program. On October 15, 2024, the CMMC Program rule, codified at 32 CFR Part 170, was published in the Federal Register as a final rule, officially establishing the CMMC program for protecting Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) across the Defense Industrial Base.
That 32 CFR rule is now in the past; the second rule is the one that will really change the defense contract acquisition game.
Companies are already getting CMMC certified now that the program rule is officially in place, but certification has not yet been a requirement for being awarded a defense contract. That rule is coming.
The Title 48 CFR CMMC Acquisition Rule
As of August 2024 the rule is in a proposed state, with a final rule expected this year. The 48 CFR rule revises the Defense Federal Acquisition Regulation Supplement (DFARS) to implement the contractual requirements of CMMC 2.0. This is a fundamental change: contractors will have to show a successful CMMC assessment result at the required level before a contract can be awarded or extended.
The rule builds upon existing cybersecurity requirements, particularly DFARS 252.204-7012, which since 2017 has required defense contractors to implement the NIST SP 800-171 security requirements to protect Controlled Unclassified Information. Until now that implementation has been largely self-attested. The CMMC 2.0 framework goes further by establishing a structured assessment and certification process that validates actual implementation of those controls.
The 7021 DFARS Clause
DFARS 252.204-7021, formally titled "Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirements," is the contractual clause that implements CMMC 2.0 requirements in Department of Defense contracts. The clause is short, and its substance comes down to three broad points:
- Contractors must hold a current CMMC certificate or status (less than three years old) at the CMMC level the contract requires, and must maintain that level for the duration of the contract, including the annual affirmation of continued compliance.
- The proposed rule prescribes the clause for use in solicitations and contracts, task orders, and delivery orders that require the contractor to have a specific CMMC level. It will be the primary mechanism through which the DoD enforces CMMC certification requirements across its supply chain.
- Contractors must flow the CMMC requirement down to subcontractors that will handle FCI or CUI, and verify that each subcontractor holds the required CMMC level before awarding the subcontract. In practice this means every defense contractor that handles FCI or CUI will have to assess and certify its compliance with the CMMC security requirements that apply at its level.
With the August 2024 proposed rule, DFARS 7021 becomes the formal implementation pathway for CMMC 2.0 across the defense industrial base, making cybersecurity certification a contractual requirement rather than a voluntary standard.
Implementation Timeline: What to Expect

The rollout of CMMC 2.0 requirements will be phased over the next several years, following the four-phase schedule set out in 32 CFR Part 170:
- Q3 2025: initial contractual rollout is expected to begin with select contracts once the 48 CFR rule takes effect (Phase 1, which relies mainly on Level 1 and Level 2 self-assessments)
- 2025-2028: phased implementation across DoD contracts, with third-party (C3PAO) Level 2 certification required from Phase 2 and Level 3 government assessments from Phase 3
- Full Implementation: expected by 2028 (Phase 4), when CMMC requirements apply to all applicable solicitations and contracts, including option periods
The DoD plans to include CMMC requirements in solicitations starting in fiscal year 2025. Contractors that process, store, or transmit FCI or CUI will need to hold the appropriate CMMC level as a condition of contract award.
Prime contractors will manage their supply chains well before the CMMC certification requirement officially appears in contracts. Why? Because their ability to win and perform on DoD contracts will increasingly depend on the compliance posture of their entire supply base. Primes are under pressure to demonstrate that their subcontractors can safeguard Controlled Unclassified Information today, not a year from now.
If subcontractors assume they can wait until CMMC is explicitly required in a solicitation, they’re putting themselves and their partners at risk. By then, it will be too late. Primes will have already started evaluating and selecting partners who are actively progressing toward or have already achieved certification readiness. This means subcontractors’ timelines are effectively much shorter than the official rulemaking timeline might suggest.
The Bottom Line
The 48 CFR rule represents a fundamental shift in how the DoD will evaluate and manage cybersecurity risk in its supply chain.
Organizations that take proactive steps to achieve CMMC certification will be better positioned to compete in the evolving defense marketplace.
Success in this new environment will require viewing cybersecurity not as a compliance burden, but as a strategic business capability that enables continued participation in the defense industrial base. The contractors who embrace this shift and invest in real cybersecurity programs will be the ones that thrive in the post-CMMC world. The DoD will be waving the flag of opportunity, and only those who are CMMC certified will be eligible to grab it.