DFARS 252.204-7021 — Cybersecurity Maturity Model Certification Requirements
Implements the CMMC program — requires contractors handling FCI or CDI to achieve and maintain a CMMC certification at the level specified in the solicitation.
When This Clause Applies
Phased rollout: the clause applies to DoD solicitations issued during the CMMC implementation period (currently rolling out 2025-2028). Each solicitation specifies the required level: Level 1 (FCI), Level 2 (CDI), or Level 3 (high-priority CDI).
What This Means for Contractors
Contractors must achieve CMMC certification at the required level before award. Level 1 requires an annual self-assessment. Level 2 requires a C3PAO third-party assessment every 3 years. Level 3 requires a DIBCAC-led government assessment. Subcontractors must be certified at the level appropriate for the CUI/FCI they handle.
Common Pitfalls
- Delaying preparation — Level 2 assessments take 6-12 months
- Treating CMMC as IT-only — it includes physical, personnel, and process controls
- Choosing the wrong CMMC level — under-certification means lost bids
- Not scoping CUI/FCI accurately, leading to an oversized assessment scope
Related Clauses
Safeguarding Covered Defense Information and Cyber Incident Reporting
Requires DoD contractors and subcontractors handling Covered Defense Information (CDI) to implement NIST SP 800-171 security controls and report cyber incidents within 72 hours.
Notice of NIST SP 800-171 DoD Assessment Requirements
Requires offerors on DoD solicitations involving CDI to have a current Basic, Medium, or High self-assessment score posted in the Supplier Performance Risk System (SPRS).
NIST SP 800-171 DoD Assessment Requirements
Contract clause version of the SPRS requirement — flows down to subcontractors and requires score updates during performance.