DFARS 252.204-7021 — the clause that makes CMMC a condition of award
DFARS clause 252.204-7021 is the contractual mechanism behind CMMC. It requires you to hold the CMMC level the solicitation specifies — a current certificate or self-assessment — as a condition of award and option exercise, maintain it for the life of the contract, and flow the requirement down to subcontractors at the level appropriate to the information they handle. Where 7012 imposes the security duties, 7021 is what turns CMMC into a gate you must clear to win — and keep — the work.
What the clause actually requires
| Duty | Clause | In plain English |
|---|---|---|
| Hold the required level | 252.204-7021(b) | Have a current CMMC certificate or self-assessment at the level the contract requires before award — and maintain it for the life of the contract. The level (and assessment type — self-assessment vs. C3PAO) is set by the solicitation, not by you. |
| Maintain it continuously | 252.204-7021(c) | The status is not a one-time checkbox. You must keep the required CMMC status current throughout performance, including before the government exercises any option. Let it lapse and you are no longer eligible to continue. |
| Flow it down to subs | 252.204-7021(d) | Include the clause in subcontracts and require each subcontractor to hold the CMMC level appropriate to the information it will handle — before that sub begins work on the part of the effort that touches CUI or FCI. |
Source: DFARS 252.204-7021 (Cybersecurity Maturity Model Certification Requirements). The CMMC level structure and the per-solicitation rollout are set by 32 CFR part 170. Subparagraph references reflect the clause as implemented; always read the clause as it appears in your solicitation.
7021 vs. 7012, 7019, and 7020 — who does what
These four clauses are easy to confuse because they travel together. The simplest way to keep them straight: 7012 is the substance, 7019 and 7020 are the assessment and verification, and 7021 is the mechanism that makes meeting the standard a condition of the contract.
| Clause | What it is | Its role |
|---|---|---|
| 252.204-7012 | Safeguarding & incident reporting | The substance: implement NIST SP 800-171 on systems that handle covered defense information, and report cyber incidents within 72 hours at dibnet.dod.mil. |
| 252.204-7019 | Assessment requirement / SPRS | Requires a current (within 3 years) NIST SP 800-171 self-assessment and the resulting score posted to SPRS before award. This is the number 7021 builds on. |
| 252.204-7020 | Government verification rights | Gives DoD the right to conduct or verify assessments, and obligates you to ensure subcontractors have a current assessment on record before they handle the data. |
| 252.204-7021 | CMMC requirement (this clause) | The mechanism: makes the applicable CMMC level a condition of award and option exercise, and flows the requirement down to subs at the level appropriate to what they handle. |
Sources: DFARS 252.204-7012/7019/7020/7021; 32 CFR part 170. For the full breakdown of the safeguarding clause and its 72-hour reporting rule, see the 7012 guide.
When a solicitation carries 7021
Read the required level off the solicitation
7021 itself does not tell you which level applies — the solicitation does. Find the stated CMMC level (Level 1 for FCI-only work, Level 2 for CUI) and the required assessment type: a self-assessment, or a C3PAO third-party certification. Don't assume; the requirement is per-solicitation and set by the contracting officer.
Confirm your current SPRS / certification status
Pull your current posture: is there a NIST SP 800-171 self-assessment score in SPRS, computed honestly with the DoD methodology, and within the 3-year window? For Level 2 contracts moving to third-party assessment, is a C3PAO certification in hand or scheduled? If the answer is "no" or "not sure," that is your gap.
Plan gap closure before award — not after
7021 is a condition of award, so the work has to be done before the contract starts, and a C3PAO assessment cannot be booked overnight. Map the delta between your current score and the required level, build the POA&M for what is eligible to defer, and sequence remediation so the certificate exists when the award decision is made.
Push the requirement to your subcontractors
Under the flow-down, each sub that will handle CUI or FCI needs the CMMC level appropriate to that information before it starts work. Map which subs touch the data, confirm the clause is in their subcontracts, and verify their status — your eligibility depends on theirs.
The rollout is per-solicitation: under CMMC Phase 2, which began November 10, 2025, C3PAO-assessed Level 2 becomes the default for new contracts involving CUI, applied at contracting-officer discretion through full implementation in 2028. See the Phase 2 rollout timeline and Level 1 vs Level 2 to confirm which level your work requires.
Straight answers
What does DFARS 252.204-7021 require?
It makes CMMC a condition of doing the work. When the clause is in your contract, you must have a current CMMC certificate or self-assessment at the level the solicitation requires before award, and maintain that status for the life of the contract — including before the government exercises any option. You must also flow the requirement down to subcontractors at the CMMC level appropriate to the information each one handles. The clause is the contractual mechanism; the level and assessment type are set per-solicitation.
How is 7021 different from 7012, 7019, and 7020?
7012 is the substance — implement NIST SP 800-171 and report cyber incidents within 72 hours. 7019 requires a current self-assessment with the score posted to SPRS. 7020 gives DoD the right to verify assessments and obligates you to confirm subs have a current assessment. 7021 is the mechanism that ties it together: it makes the applicable CMMC level a condition of award and option exercise. The first three define and check the standard; 7021 makes meeting it a gate to winning and keeping the work.
What should I do when a solicitation carries 7021?
Three things. First, read the required CMMC level and assessment type off the solicitation — 7021 does not state the level; the contracting officer does. Second, confirm your current status: a current, honestly computed SPRS self-assessment score within the 3-year window, or a C3PAO certification if third-party assessment is required. Third, plan gap closure before award, because 7021 is a condition of award and a C3PAO assessment cannot be arranged overnight.
Does 7021 mean I need a third-party (C3PAO) certification?
Not always — it depends on the level and assessment type the solicitation specifies. CMMC Level 1 (FCI only) and a subset of Level 2 work are self-assessed; most Level 2 contracts involving CUI require a C3PAO third-party certification under the Phase 2 rollout that began November 10, 2025. 7021 enforces whatever level and assessment type the solicitation names. Read the solicitation to know which applies to you.
Does 7021 flow down to subcontractors?
Yes. Under 252.204-7021(d), you include the clause in subcontracts and require each subcontractor to hold the CMMC level appropriate to the information it will handle before it begins work on that part of the effort. A sub that touches CUI generally needs Level 2; a sub that only handles FCI needs Level 1. Your own eligibility depends on the flow-down being in place, so map which subs touch the data and verify their status.
This is compliance information, not legal advice. The clause text as it appears in your solicitation governs; for contract-interpretation or eligibility questions, consult qualified counsel.