April 18, 2025

Defense Federal Acquisition Regulation Supplement 252.204-7021 (DFARS 7021) is one of three related clauses that the DoD’s November 2020 Interim Rule adds to the DFARS. These newer regulations amend DFARS 252.204-7012, which the US Department of Defense (DoD) has used in contracts since 2018.


The DFARS 7021 clause requires contractors to have a Cybersecurity Maturity Model Certification (CMMC) certification at the level of their contract at the time of contract award, and to maintain the required CMMC level (1 through 3) across the duration of the contract.


This article gives you an executive overview of DFARS 7021 and how it fits with the Interim Rule and the CMMC 2.0 rollout.

What is DFARS 7021 and the Interim Rule?

The Interim Rule is part of the DoD’s continuing effort to “address threats to the US economy and national security from ongoing malicious cyber activities.” The problem has been that DFARS 7012, which has no provision for independent verification of contractor controls, has left the door open for “shortcomings and associated risks” concerning cyber compliance.

The Interim Rule has two main aims:

  1. The DFARS 7019 and DFARS 7020 clauses drive a more robust self-attestation methodology around the NIST SP 800-171 Rev. 2 standard.
  2. DFARS 7021 paves the way for the ongoing CMMC 2.0 rollout, which incorporates third-party assessment of contractors’ controls beginning at CMMC Level 2.


The purpose of DFARS 7021 is to strengthen US defense industrial base (DIB) cybersecurity through the CMMC 2.0 compliance verification regime. Like its NIST 800-171 control foundation, CMMC focuses on protecting controlled unclassified information (CUI).


When the DFARS 7021 clause is in force, contractors must not only achieve and maintain their own CMMC compliance but also “flow down” the DFARS 7021 requirements. They are required to verify that their subcontractors have successfully achieved an appropriate CMMC level before awarding or extending subcontracts, based on the sensitivity of the data exchanged with each subcontractor.


DoD contracts requiring CMMC Level 2 certification may not be in your company’s immediate future. But verifiable NIST 800-171 compliance per the DFARS 7012 clause has been mandated in DoD contracts involving CUI since 2016, and the control requirements of the two frameworks are identical.

What is specifically required for DFARS 7021 compliance?

To comply with DFARS 7021, DIB orgs need to:

  • Achieve a CMMC certification at the level their contract requires and maintain it for the life of the contract.
  • Renew their CMMC certification every three years.
  • Have a senior executive affirm their continuous CMMC compliance annually.
  • Flow down the appropriate CMMC requirements to all subcontractors that handle CUI or federal contract information (FCI)—and verify compliance before awarding a subcontract.
  • Notify the DoD within 72 hours following a cybersecurity incident or if their CMMC certification status changes.

Does my company need to comply with DFARS 7021?

Per the DoD’s three-year CMMC rollout plan, the DFARS 7021 clause will initially appear only in a few select contracts approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD A&S). But eventually, all DoD contracts will include the CMMC compliance requirement. The only exceptions will be “procurements exclusively for commercial off-the-shelf (COTS) items.”


In short, nearly every DIB company, regardless of size, that handles FCI or CUI on behalf of the DoD will soon need to comply with DFARS 7021. This includes not just prime contractors and subcontractors but also many vendors like IT service providers and cloud service providers whose offerings are in scope for CMMC.

Why should DIB orgs care about DFARS 7021 compliance?

DIB orgs ought to care about DFARS 7021 because compliance will soon be a prerequisite for participating in defense contracts. The DFARS 7021 regulation implements CMMC 2.0—a crucial safeguard for US national security and economic interests.


DFARS 7021 compliance sets a relatively high bar for cybersecurity, and getting there ahead of rival firms could confer competitive benefits. Noncompliance, conversely, could leave your business unable to participate in DoD contracts. False attestations of compliance can result in contract termination, withholding of progress payments, and possible legal action.

What’s next?

Compliance with DFARS 7021 and CMMC 2.0 will soon be a competitive prerequisite for DIB orgs.


To schedule time with a DFARS expert to discuss your company’s cybersecurity goals, including the optimal path to CMMC Level 2 compliance, contact CBIZ Pivot Point Security.