Compliance

DFARS 7021: CMMC Is Now In Contracts

09/2025

5 min read

On September 10th the Federal Government published DFARS 7021. This clause introduces the Cybersecurity Maturity Model Certification (CMMC) requirements into the federal acquisition framework, making cybersecurity a core part of doing business with the Department of War.

Under DFARS 7021, both prime contractors and their subcontractors must maintain the appropriate CMMC level for the entire duration of each contract. It is not enough for a prime contractor to be compliant itself; primes must also insert DFARS 7021 language into their subcontractor agreements so that the compliance requirement flows down through the entire supply chain.

Key Timelines and Dates

The rollout of DFARS 7021 and CMMC 2.0 follows a defined schedule. According to the DoW’s rulemaking process, the rule was published on September 10, 2025, with an effective date of November 10, 2025, 60 days after publication.

  • September 10, 2025: Rule published for public inspection.
  • November 10, 2025: Effective date (60 days after publication).

Immediate Impact

The final rule requires every new contract awarded on or after November 10th to specify a CMMC level based on the type of data expected under that contract. Each contract will now spell out exactly which CMMC level applies, aligning cybersecurity requirements with the sensitivity of the information handled. These levels establish clear expectations for both prime contractors and subcontractors.

  • Level 1: Requires 17 security controls and an annual self-assessment to demonstrate compliance. This is the minimum requirement for all contractors who do not deal with CUI.
  • Level 2 (Self-Assessment): Contractors must implement all 110 NIST SP 800-171 controls and may complete an internal self-assessment and attest to compliance. This is the minimum requirement for companies handling CUI. Fewer than 6% of companies that handle CUI will fall into this category.
  • Level 2 (Third-Party Assessment): Contractors must implement all 110 NIST 800-171 controls and undergo a third-party assessment from a Certified Third-Party Assessment Organization (C3PAO) every three years. 94% of companies dealing with CUI will fall into this category.
  • Level 3: Builds on a subset of NIST SP 800-172 plus additional controls, with government-led assessments for the most sensitive defense categories of CUI. Less than 1% of companies dealing with CUI fall under this category.

If your contract currently includes DFARS 7012, the government assumes that contract involves CUI and will likely insert CMMC Level 2 automatically if you win the contract again or exercise an option.

Once the rule takes effect on November 10th, 2025, all new DoW contracts will include CMMC clauses, specifically DFARS 252.204-7025. Contractors will need to meet different levels of compliance based on the sensitivity of the information they handle, and these requirements apply not only to new contracts but also to option exercises and task orders. Importantly, certifications must be current at the time of contract award; the government will no longer allow compliance to be achieved after the contract is executed.
