DFARS 252.204-7021 Explained: What the CMMC Contract Clause Requires
Last verified: June 17, 2026 · Clause version reviewed: NOV 2025
DFARS 252.204-7021 explained, in one breath: it's the contract clause that turns CMMC from a cybersecurity framework into a binding condition of your DoD contract. When it appears, you must have and maintain — for the life of the contract — the CMMC status your contract specifies, or higher (Level 1 Self, Level 2 Self, Level 2 C3PAO, or Level 3 DIBCAC) for every system that processes, stores, or transmits Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). You report a CMMC unique identifier (UID) for each covered system, keep your status and an annual affirmation current in the Supplier Performance Risk System (SPRS), and flow the right level down to subcontractors. It became effective November 10, 2025.
Here's the part that saves you money, and that most pages get wrong: 7021 does not automatically mean “hire a third-party assessor.” The level inserted in your solicitation decides that — and a companion provision, DFARS 252.204-7025, is where you actually find it.
Read that last line twice. We'll come back to it, because it's the difference between a five-figure mistake and a clean path to award.
Your 30-second triage: find the inserted status, then act
The fastest way to read your situation is to find the CMMC status the contracting officer inserted, then match it to the table below. (Where that status lives, and what to do when it's missing, is the very next section.)
| If the inserted CMMC status is… | What DFARS 252.204-7021 means for you | Your first move |
|---|---|---|
| Level 1 (Self) | FCI-only path: an annual self-assessment against the 15 basic safeguarding requirements, plus an annual affirmation. | Confirm your SPRS status and current affirmation. No C3PAO needed. |
| Level 2 (Self) | CUI path you can self-assess (in this phase, for some contracts): a self-assessment against all 110 NIST SP 800-171 Rev. 2 requirements every three years, plus annual affirmation. | Lock your scope, finish your System Security Plan (SSP), confirm your SPRS score, and affirm. |
| Level 2 (C3PAO) | CUI path requiring a third-party certification assessment by a CMMC Third-Party Assessment Organization (C3PAO). | Do readiness and an evidence check before you engage a C3PAO. |
| Level 3 (DIBCAC) | Highest-sensitivity CUI: a government assessment by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC). | Confirm you hold Final Level 2 (C3PAO) first — it's a prerequisite. |
The honest part nobody leads with. Reading the clause itself will not hand you a remediation plan, and 7021 will not, on its own, tell you to buy a C3PAO assessment. That's frustrating. It's also the good news. The clause adds no new security controls — it enforces the standard behind your CMMC level. For Level 2, that's the same 110 requirements in NIST SP 800-171 Revision 2 you've already owed under DFARS 252.204-7012, which set a NIST SP 800-171 implementation deadline of December 31, 2017. So if your house is already in order, you may be closer to “compliant” than the panic suggests. The wrong move is calling an assessor first. The right move is decoding the clause first.
Decode your clause in 60 seconds →
Tell us the inserted status, whether you're a prime or sub, and whether CUI flows to your suppliers. You'll get your level, your assessment type, and your next step — before you talk to anyone. (Two minutes. No CUI. No obligation.)
DFARS 252.204-7021 explained: what does the clause actually require?
Answer capsule: DFARS 252.204-7021 imposes a defined set of obligations: have and maintain the contract's required CMMC status — or higher — for the life of the contract; use only systems that hold that status to process, store, or transmit FCI or CUI; report a CMMC unique identifier (UID) for each covered system to the contracting officer; enter self-assessment results in SPRS for any system not covered by a C3PAO or DIBCAC assessment; complete and maintain an annual affirmation of continuous compliance through an authorized affirming official; flow the correct level down to subcontractors; and, if your status is Conditional, close out the plan of action and milestones (POA&M). It adds no new security requirements beyond the level's underlying standard.
The clause text organizing paragraphs (b)–(f): framework, duplication, requirements, reporting, and subcontracts. Effective November 10, 2025.
View at eCFR — DFARS 252.204-7021
We read the current clause text on the eCFR line by line. Here is what each operative piece actually means once it's sitting in your contract — the plain-English translation, what evidence it forces you to produce, when it bites, and the mistake we see contractors make at each step. The clause is organized into a framework paragraph (b), a duplication paragraph (c), a requirements paragraph (d), a reporting paragraph (e), and a subcontracts paragraph (f).
The DFARS 252.204-7021 clause-to-action matrix
| Clause trigger (plain English) | What it means for you | Evidence to collect | When it bites | Common mistake to avoid | Source paragraph |
|---|---|---|---|---|---|
| Have and maintain a current CMMC status at the inserted level, or higher | You must hold the status and keep it from lapsing through every option period. A higher status also satisfies a lower requirement. | Current status, CMMC UID, SPRS record, affirmation date. | Award through the full performance period. | Treating 7021 as a one-time, pre-award checkbox. | 252.204-7021(d)(1) |
| The status can be Level 2 (Self) or Level 2 (C3PAO) | Level 2 has two distinct paths; the contract picks one. | The exact inserted status; your FCI/CUI determination. | Bid/no-bid and proposal. | Buying a C3PAO assessment before confirming the inserted status. | 252.204-7021(a), (d)(1) |
| Use only covered systems that hold the required status | You can't run FCI/CUI through a system that isn't at the required level. | Asset inventory, system boundary, SSP. | Performance. | Letting CUI drift onto out-of-scope systems. | 252.204-7021(d)(2) |
| Report CMMC UID(s) to the contracting officer | Each assessed system gets a 10-character UID in SPRS; you hand the CO the UIDs for the systems used on the contract, plus any changes. | UID(s), system boundary, CAGE code linkage. | Before award; updated through the contract. | Assuming one company-wide UID covers every system regardless of scope. | 252.204-7021(e)(1) |
| Enter self-assessment results in SPRS for systems not covered by a C3PAO/DIBCAC assessment | If you self-assess, you enter the score and result yourself. If a C3PAO or DIBCAC assessed you, those results are handled through the CMMC assessment system, not entered by you as a self-assessment. | SPRS entry, SSP, assessment date. | Pre-award and ongoing. | Posting a score without understanding the scope it represents. | 252.204-7021(e)(2) |
| Annual affirmation of continuous compliance by the affirming official | A senior official must affirm, every year, that you still meet the level. This carries legal weight (see below). | Named affirming official, affirmation record, date, scope. | Annually, for the life of the contract. | Letting the affirmation lapse while assuming a 3-year assessment still carries eligibility. | 252.204-7021(d)(3), (e)(3) |
| Close out a POA&M if your status is Conditional | A Conditional status wins the award, but you have a hard 180-day clock to reach Final. | POA&M, closeout evidence, Conditional status date. | 180 days from the Conditional status date. | Believing a POA&M can carry a failed requirement indefinitely. | 252.204-7021(d)(5) |
| No duplicate assessments | CMMC assessments won't duplicate other comparable DoD assessments, absent a specific reason for reassessment. | Prior assessment records. | During performance. | Re-paying for an assessment you didn't need. | 252.204-7021(c) |
| Flow down the correct level to subcontractors | You must require the right CMMC level from subs that handle FCI/CUI — possibly a lower level than yours. | Subcontract clauses, data-flow decisions, sub status. | Before each subcontract award; annually. | Flowing the same level to every vendor, or skipping verification. | 252.204-7021(d)(1)(ii), (f) |
What DFARS 252.204-7021 does not do
Just as important as what the clause requires is what it doesn't. It does not write your technical remediation plan. It does not certify your company logo — it covers a defined assessment scope. It does not require a C3PAO for every Level 2 situation. And it does not remove your obligation to actually read the solicitation.
Here's a detail we verified that several competing pages get flat wrong: the proposed version of this rule would have forced you to notify your contracting officer of any “lapses in information security or changes in compliance.” The final rule deleted that requirement. Your separate DFARS 252.204-7012 obligation to report cyber incidents within 72 hours still stands — but that's a different clause doing a different job. Don't let anyone tell you 7021 makes you self-report compliance slips. It doesn't.
The DFARS acquisition rule effective November 10, 2025. Confirms removal of the proposed lapse-notification requirement from the final rule text.
View at Federal Register — DFARS Final Rule
Reciprocity, no strings. Want this matrix as a one-page worksheet your proposal team can mark up? Download the DFARS 252.204-7021 Obligations Checklist — every obligation, the SPRS action, and the deadline, on a single page.
Is DFARS 252.204-7021 the same thing as CMMC?
Answer capsule: No. The CMMC program — the levels, assessments, scoping rules, and affirmation policy — lives in 32 CFR Part 170, which became effective December 16, 2024. DFARS 252.204-7021 is the contract clause that requires you to hold and maintain the CMMC status inserted into your contract. A separate solicitation provision, DFARS 252.204-7025, is where the contracting officer identifies the required level before award. In short: 32 CFR Part 170 is the rulebook, 7025 is the notice, and 7021 is the obligation.
32 CFR Part 170 is the CMMC program rule, effective December 16, 2024. DFARS 252.204-7025 is the solicitation provision that names the required level before award.
View at eCFR — 32 CFR Part 170
This three-part split is the single most useful thing to understand, because confusing the three is exactly what makes contractors overspend. People see “CMMC,” jump straight to “we need a third-party assessment,” and start collecting C3PAO quotes — before anyone has confirmed whether the contract even requires one.
| | DFARS 252.204-7025 | DFARS 252.204-7021 |
|---|---|---|
| What it is | A solicitation provision (a notice) | A contract clause (an obligation) |
| Where it appears | In the solicitation | In the resulting contract |
| What it answers | “What CMMC status must we have before award?” | “What status must we maintain during performance?” |
| Lists the options | Level 1 (Self) / Level 2 (Self) / Level 2 (C3PAO) / Level 3 (DIBCAC) | Carries whichever status the contracting officer selected |
In federal acquisition, this pattern is normal: a provision puts you on notice, and a clause carries the obligation. So when you're holding a live solicitation and trying to figure out what you actually need, find 252.204-7025 first. It names your level, and it's the provision that makes your status a pre-award eligibility matter.
What to do when the solicitation is silent or ambiguous
If you can't find the required level — or the language is contradictory — do not infer it from your employee count, your NAICS code, a vendor's sales deck, or what a competitor did last year. Ask the contracting officer or your prime, in writing, and keep the answer. Your CMMC level is a contractual fact, not a guess.
Working through your own Level 2 path? See our deeper guide: CMMC Level 2 requirements and the self-assessment vs. C3PAO decision.
Does DFARS 252.204-7021 require a C3PAO assessment?
Answer capsule: Not always. The clause recognizes Level 2 (Self) and Level 2 (C3PAO) as two distinct CMMC statuses, and DFARS 252.204-7025 tells you which one your contract requires. A C3PAO — a CMMC Third-Party Assessment Organization authorized by the Cyber AB — is required when the inserted status is Level 2 (C3PAO), not merely because a 7021 clause appears somewhere in the contract.
Both Level 2 paths assess you against the same 110 requirements in NIST SP 800-171 Revision 2. The difference is who verifies it and what the contract demands.
| | Level 2 (Self) | Level 2 (C3PAO) |
|---|---|---|
| Standard | 110 requirements, NIST SP 800-171 Rev. 2, 14 control families | Same 110 requirements |
| Who assesses | You (the Organization Seeking Assessment) | An authorized C3PAO |
| How results reach SPRS | You enter the self-assessment results in SPRS | The C3PAO enters results in CMMC eMASS; your status and affirmation are reflected in SPRS |
| Current window (Final) | 3 years + annual affirmation | 3 years + annual affirmation |
| When required | When the contract inserts Level 2 (Self) | When the contract inserts Level 2 (C3PAO) — which DoD intends for most applicable CUI contracts from Phase 2 (Nov. 10, 2026) onward |
One caution: self-assessment is not dead. During the current rollout phase, Level 2 (Self) is a valid status for some contracts, and the clause itself lists it as a contracting-officer option. If a page tells you “self-assessment is no longer allowed once 7021 shows up,” it's overstating the rule. That said, plan for the Phase 2 shift — more on timing below.
The expensive mistake to avoid
Here's where money gets wasted. A C3PAO cannot remediate you during your certification assessment, and a readiness consultant should not be treated as your assessor. The Cyber AB's accreditation requirements bar a C3PAO from offering advice, implementation assistance, or recommendations during the assessment, and prohibit a C3PAO from conducting a Level 2 certification assessment within three years of providing consulting, implementation, or product sales or services to that organization. Translation: if your scope, SSP, evidence, and SPRS posture aren't ready, hiring a C3PAO first burns time and can create independence problems that force you to start over with a different assessor.
Readiness comes first. Assessment comes after. Keep them separate, and keep them in that order.
See our full guide to selecting a C3PAO for Level 2 and the gap assessment vs. C3PAO assessment distinction.
Resolve the path before you spend. Compare your Level 2 path → Check whether your clause points to Level 2 (Self), Level 2 (C3PAO), or a contract question you need answered in writing. Two minutes, and you'll know which lane you're in.
What does “current CMMC status” mean under DFARS 252.204-7021?
Answer capsule: “Current” depends on the status type. A Conditional Level 2 or Level 3 status is current only within a 180-day window. A Final Level 1 status is current for one year (Level 1 self-assesses annually). A Final Level 2 or Final Level 3 status is current for three years. In every case, your annual affirmation of continuous compliance must also be current — no older than one year.
This is where eligibility quietly slips. A lot of contractors assume that once they pass, they're set for three years. The status may last three years — but the affirmation is annual, and a stale affirmation can make you non-current even with a valid assessment on file.
| CMMC status | “Current” window | Annual affirmation required? | The trap |
|---|---|---|---|
| Final Level 1 (Self) | 1 year | Yes | Forgetting the annual reassessment and affirmation. |
| Conditional Level 2 (Self) | 180 days | Yes | The POA&M closeout clock expires. |
| Final Level 2 (Self) | 3 years | Yes | The affirmation lapses while you assume the 3-year clock protects you. |
| Conditional Level 2 (C3PAO) | 180 days | Yes | The closeout assessment isn't completed in time. |
| Final Level 2 (C3PAO) | 3 years | Yes | Status valid, affirmation stale — and you're non-current. |
| Conditional Level 3 (DIBCAC) | 180 days | Yes | Level 3 closeout not confirmed. |
| Final Level 3 (DIBCAC) | 3 years | Yes | Level 2 and Level 3 affirmation dates drift apart. |
What a CMMC UID is — and why one isn't always enough
A CMMC unique identifier (UID) is a 10-character, alphanumeric code that SPRS assigns to each CMMC assessment, tied to a specific contractor information system. The trap here is scope: if you run multiple environments, one company-level UID may not represent every system used in performance. You report the UID(s) for the systems that will actually process, store, or transmit FCI or CUI on the contract.
See: How to verify a company's CMMC status in SPRS and the full SPRS score guide.
Why the annual affirmation is the part to take seriously
The affirmation isn't a formality. It's a senior official — the “affirming official” defined in 32 CFR 170.22 — personally attesting, in SPRS, that your organization meets and will maintain the required level within the assessment scope. The U.S. Department of Justice's Civil Cyber-Fraud Initiative has been explicit about using the False Claims Act against contractors that knowingly misrepresent their cybersecurity practices. We're not raising that to scare you. We're raising it because a reasonable contractor needs to know it before signing: your affirmation should rest on real evidence and an honest scope, not on optimism. Done right, that discipline is also your best protection.
The DOJ initiative applies the False Claims Act to contractors who knowingly misrepresent cybersecurity compliance. 32 CFR 170.22 defines the affirming official and affirmation requirements.
View at U.S. DOJ — Civil Cyber-Fraud Initiative
See our full CMMC annual affirmation guide — who signs, when it's due in SPRS, and what to verify before you sign.
Build the proof before the deadline. Build your pre-award evidence checklist — the SPRS status, CMMC UID(s), affirmation, and system-boundary items your proposal team needs in hand before submission.
What systems does DFARS 252.204-7021 cover?
Answer capsule: DFARS 252.204-7021 applies to the information systems used in performance of the contract that process, store, or transmit FCI or CUI. Under 32 CFR 170.19, your CMMC assessment scope must be defined before assessment, and Level 2 scoping sorts assets into categories — CUI Assets, Security Protection Assets, Contractor Risk Managed Assets, Specialized Assets, and out-of-scope assets — based on function and separation.
The clause keys off two information types, and the distinction drives your level:
- FCI — Federal Contract Information: non-public information provided by or generated for the government under a contract to develop or deliver a product or service, not including public information or simple transactional data (32 CFR 170.4). FCI generally points to Level 1.
- CUI — Controlled Unclassified Information: information the government (or someone acting for it) must safeguard under law, regulation, or government-wide policy (32 CFR 2002.4(h)). CUI generally points to Level 2 or 3.
The level and assessment type are still set by the contract — but the data type tells you where you're likely to land. See our full guide: FCI vs. CUI — what each triggers.
Do you have to lock down the whole company?
No — not if you can defensibly isolate where FCI and CUI live. DFARS 252.204-7021 does not require certifying your entire enterprise when a documented scope confines covered data to a defined boundary or enclave. But “defensible” is the operative word: your scope has to be real, documented in your SSP and network diagram, and survive an assessor's scrutiny. Drawing a tight, honest CUI boundary is the single biggest lever on both your control workload and your cost.
A related point on cloud and external services: external service providers (ESPs) and cloud platforms — including Microsoft 365 GCC High and AWS GovCloud — can be part of your compliance story, but no platform's status automatically makes you compliant. Inheritance helps; it doesn't certify.
Scoping is where most Level 2 budgets are won or lost. See: How to scope your CUI boundary for CMMC and the scope reduction strategies guide.
How does DFARS 252.204-7021 flow down to subcontractors?
Answer capsule: Paragraph (f) requires the prime to flow the substance of the clause into subcontracts where the subcontractor will process, store, or transmit FCI or CUI, excluding contracts solely for commercially available off-the-shelf (COTS) items. Before subcontract award, the prime must ensure the subcontractor holds a current CMMC status at the level appropriate to the information being flowed down, determined under 32 CFR 170.23. That level can be lower than the prime's, and subs that receive no FCI or CUI need no CMMC flow-down at all.
The flow-down is driven by data, not by your own level. A sub that only touches FCI may only need Level 1, even if you hold Level 2. A sub that receives no covered information needs nothing. The prime decides the appropriate level based on what's actually being shared.
Paragraph (f) governs subcontract flow-down: what triggers it, COTS exclusion, and how to determine the correct level under 32 CFR 170.23.
View at eCFR — 32 CFR § 170.23
| Subcontractor situation | Likely minimum status | Prime's action |
|---|---|---|
| No FCI/CUI flows to the sub | Possibly none for that work | Document the no-covered-data determination. |
| FCI only | Level 1 (Self) | Verify the sub's status and current affirmation. |
| CUI, and your requirement is Level 2 (Self) | Level 2 (Self) minimum | Verify current status, affirmation, and scope before award. |
| CUI, and your requirement is Level 2 (C3PAO) | Level 2 (C3PAO) minimum | Verify the certified status before subcontract award. |
| You hold Level 3 | Sub usually needs Level 2 (C3PAO) minimum, absent specific guidance | Verify program-specific flow-down. |
Two things the rule clarifies that trip people up. First, flow-down is required only when the subcontract actually involves FCI or CUI — you're not papering every vendor unnecessarily. Second, subcontractors comply essentially the same way primes do, with one exception built into the clause: the requirement to report CMMC UID data to the contracting officer (paragraph (e)(1)) is not flowed down to them. And it cascades: if your sub passes CUI to their sub, the requirement flows to that tier too (32 CFR 170.23).
For the full prime-to-sub decision matrix, see: CMMC Flowdown Requirements — The Prime-to-Subcontractor Decision Guide and CMMC for DoD subcontractors.
Different readers, different next steps — pick yours.
- Managing a supply chain as a prime? Get matched with source-checked partners for subcontractor vetting and flow-down.
- A sub who now knows you need Level 1 or Level 2? See what a readiness program for subcontractors actually involves.
- Only touch FCI and just need a clean Level 1 self-assessment? You may not need outside help yet. Grab the free Level 1 self-assessment checklist and handle it in-house. (We'd rather send you to the right page than the expensive one.)
What happens if your CMMC status is Conditional or you have a POA&M?
Answer capsule: Level 1 permits no POA&Ms — all 15 requirements must be met in full. Level 2 and Level 3 allow a Conditional status only within the rule's limits, and the POA&M must be closed out within 180 days or the Conditional status expires and standard contractual remedies apply. To reach Conditional Level 2, the assessment score divided by the total number of Level 2 requirements must be at least 0.8 — effectively 88 out of 110 — with no failed requirement worth more than one point, except SC.L2-3.13.11 where encryption is used but not FIPS-validated, and none of the failed requirements on the mandatory list (32 CFR 170.21).
“Conditional” does not mean “good enough forever.” It means you cleared the bar to win the award with a documented gap-closure plan — and the clock is running. If the closeout assessment confirms everything is met within 180 days, you reach Final status. If it doesn't, the Conditional status expires.
A second nuance worth flagging: not every requirement can be parked on a POA&M. The rule designates certain requirements as non-POA&M-able, and missing one of those means you don't get a Conditional status at all. The exact list and point thresholds matter, so confirm them against the rule before you assume a gap is survivable.
Defines the score threshold for Conditional status (≥ 0.8 ratio), non-POA&M-able requirements, and the 180-day closeout clock.
View at eCFR — 32 CFR § 170.21
For the full breakdown — score thresholds, the non-POA&M-able requirements, and closeout mechanics — see: What to do after a CMMC gap assessment.
How does DFARS 252.204-7021 relate to 7012, 7019, 7020 and 7025 — and what changed in 2026?
Answer capsule: DFARS 252.204-7012 is the long-standing safeguarding and 72-hour cyber-incident-reporting clause; 252.204-7025 is the solicitation notice identifying the required CMMC level; and 252.204-7021 is the contract clause requiring you to maintain that level. In early 2026, the Revolutionary FAR Overhaul changed how the older assessment clauses appear in deviation-based acquisitions: under DoD Class Deviation 2026-O0025 (effective February 1, 2026), the standalone 252.204-7019 self-assessment requirement is removed and assessment requirements consolidate under a new DFARS Part 240, including 252.240-7997. DFARS 252.204-7021 and 252.204-7025 were left unchanged. Always confirm the exact clauses in your specific solicitation.
This is the section that confuses people most in 2026, so we read the change documents ourselves and laid it out plainly. If you've been told “the cyber DFARS clauses got deleted,” that's half-right and dangerously imprecise. These changes came through a class deviation, not finalized rulemaking — so the codified clauses still appear on Acquisition.gov and the eCFR, and which version applies depends on the deviation your contract is issued under.
What changed in 2026 — and what didn't (verified June 17, 2026)
| Clause / provision | 2026 status | What it means for you | Notes |
|---|---|---|---|
| DFARS 252.204-7012 | Unchanged | Still requires NIST SP 800-171 safeguarding and 72-hour incident reporting. | Codified clause in force. |
| DFARS 252.204-7019 | Removed in deviation-based acquisitions (Feb. 1, 2026) | The standalone “Basic” NIST SP 800-171 self-assessment-to-SPRS requirement is gone where the RFO deviation applies; assessment obligations consolidate under CMMC and the new Part 240. | Class Deviation 2026-O0025; codified text may still display pending rulemaking. |
| DFARS 252.204-7020 | Superseded by 252.240-7997 in deviation-based acquisitions | The government NIST SP 800-171 assessment function moves to the new Part 240 clause (Medium/High assessments). | Same deviation. |
| FAR 52.204-21 (Basic Safeguarding) | Reorganized under the RFO (new FAR Part 40) | The 15 basic safeguarding requirements still anchor CMMC Level 1; deviation-based solicitations may cite different numbering. | Confirm the exact clause cited in your solicitation. |
| DFARS 252.204-7021 | UNCHANGED | Your CMMC condition-of-award obligation is identical. | Codified clause, NOV 2025 version. |
| DFARS 252.204-7025 | Unchanged | The solicitation notice of your required level. | Codified provision. |
Two clarifications that will save you a wrong turn. First: because these are deviation changes, during the transition you may see either the old codified clause numbers or the new deviation numbers in different contracts. Don't assume a document is outdated just because it uses the old number — read it, and match the clause to the deviation cited in that specific solicitation. Second: you may see a “DFARS Change 5/7/2026” stamp on the Acquisition.gov pages. That's the Title 48 amendment date for other DFARS sections — the eCFR change history shows 252.204-7021's last regulatory amendment was November 10, 2025. The clause is still the NOV 2025 version.
Effective February 1, 2026. Removes 7019 and reassigns 7020's government-assessment function to 252.240-7997 in deviation-based acquisitions. DFARS 252.204-7021 and 7025 are left unchanged.
View at Acquisition.gov — DFARS 252.204-7021
The clause everyone confuses with 7021: DFARS 252.204-7012
| | DFARS 252.204-7012 | DFARS 252.204-7021 |
|---|---|---|
| Purpose | Safeguard covered defense information; report cyber incidents | Make a CMMC level a condition of award and performance |
| Control baseline | NIST SP 800-171 (implementation required by Dec. 31, 2017) | Enforces the standard behind the inserted CMMC level |
| In contracts since | The clause predates CMMC; NIST 800-171 implementation was due Dec. 31, 2017 | November 10, 2025 |
| Core duty | Implement NIST 800-171; report incidents within 72 hours | Maintain CMMC status; keep SPRS current; affirm annually; flow down |
| Assessment | Historically self-attested | Self / C3PAO / DIBCAC, per the inserted status |
| Relationship | The control baseline | The enforcement of that baseline via CMMC |
The clean mental model: 7012 told you to build the house. 7021 makes you prove, on the record, that it's built — and keep proving it.
When does DFARS 252.204-7021 phase in?
Answer capsule: The CMMC program rule (32 CFR Part 170) became effective December 16, 2024, and the acquisition rule that put CMMC into contracts became effective November 10, 2025, starting a four-phase, three-year rollout under 32 CFR 170.3(e). Phase 1 runs from November 10, 2025 through November 9, 2026; full implementation begins November 10, 2028.
| Date | Phase / event | What it means in practice |
|---|---|---|
| Dec. 16, 2024 | 32 CFR Part 170 effective | The CMMC program rule is live. |
| Nov. 10, 2025 – Nov. 9, 2026 | Acquisition rule effective / Phase 1 | Level 1 (Self) and Level 2 (Self) appear in applicable solicitations; DoD may require Level 2 (C3PAO) at its discretion. |
| Nov. 10, 2026 | Phase 2 | DoD intends Level 2 (C3PAO) certification for applicable contracts, with discretion to defer to an option period. |
| Nov. 10, 2027 | Phase 3 | Level 3 (DIBCAC) added; Level 2 (C3PAO) extends to option exercises. |
| Nov. 10, 2028 | Phase 4 | Full implementation across all applicable contracts, including option periods on earlier awards. |
Here's the scarcity that's real, not manufactured: the binding date for you isn't 2028 — it's the first solicitation, award, or option exercise that requires a current status, which is happening right now. Phase 2 (November 10, 2026) is the cliff most Level 2 contractors should plan around, because that's when DoD intends third-party certification to become the requirement for most CUI work.
The math makes it concrete. DoD estimates 8,350 medium and large entities will need a Level 2 (C3PAO) assessment, ramping from 135 assessments in year one to 4,452 by year four. Meanwhile, the authorized assessor pool is a fraction of that — verify the current count on the Cyber AB Marketplace before relying on a number. A Level 2 readiness effort commonly runs 6 to 18 months. Subcontractors often face the tightest deadline of all, because the prime's schedule — not the DoD phase date — sets it.
See the full CMMC deadlines and phase guide for the detailed timeline and what each phase date means for pending bids.
What does DFARS 252.204-7021 cost to deal with?
Answer capsule: DoD's official cost estimates in the CMMC final rule are useful but narrow: they cover assessment and affirmation activities only, not the cost of implementing controls. DoD estimates a Level 1 self-assessment at roughly $4,000 for an other-than-small entity and roughly $6,000 for a small entity; a Level 2 (Self) cycle at roughly $37,000–$49,000; and a small entity's Level 2 (C3PAO) cycle at about $104,670 over three years (including a $31,234 C3PAO engagement line). These figures assume NIST SP 800-171 Rev. 2 is already implemented (Federal Register, 89 FR 83092).
This is the cost section competitors quietly mislead on, so let's be precise. DoD's numbers are real and citable — but the agency explicitly built them to start at the assessment phase and exclude implementation, on the logic that contractors have owed NIST SP 800-171 since the December 31, 2017 deadline under DFARS 252.204-7012. In other words: if you're not already compliant, the DoD estimate is the floor, not the bill.
| Path | DoD estimate (assessment + affirmation only) | What it leaves out |
|---|---|---|
| Level 1 (Self), other-than-small | ~$4,000/year | Any remediation if the 15 requirements aren't met. |
| Level 1 (Self), small entity | ~$6,000/year | Same. |
| Level 2 (Self), other-than-small | ~$48,800 over three years | Implementation of the 110 controls. |
| Level 2 (Self), small entity | ~$37,200 over three years | Implementation of the 110 controls. |
| Level 2 (C3PAO), small entity | ~$104,670 over three years (incl. ~$31,234 C3PAO engagement) | Remediation, documentation, tooling, enclave. |
| Level 2 (C3PAO), other-than-small | ~$117,800 over three years | Same. |
A word on Level 3, because it's the level most often undersold: it is not “Level 2 plus a small fee.” Level 3 requires you to first hold Final Level 2 (C3PAO), then implement 24 selected requirements from NIST SP 800-172 on top of the 110, and then pass a government assessment by DIBCAC. Budget Level 3 in two buckets — the engineering and implementation burden for the enhanced requirements, and the assessment and affirmation burden.
So what's the real number for Level 2? It depends entirely on your starting point. Three honest bands:
- Already implemented, evidence needs cleanup. Your spend is mostly assessment, documentation polish, and affirmation discipline — closest to DoD's estimate. Readiness or GRC support is usually enough.
- Controls partly implemented, documentation weak. Add remediation and SSP/POA&M work; budgets commonly land in the low-to-mid six figures all-in. Readiness plus an MSP/MSSP or vCISO fits here.
- CUI everywhere, architecture unclear. Scoping and a possible enclave migration (GCC High, AWS GovCloud, or a managed CUI environment) come first; this is the most expensive path, and the one where tight scoping saves the most.
For detailed cost ranges by scope, path, and provider type, see: CMMC Level 2 Cost in 2026 — What Defense Contractors Should Actually Budget.
What should you do next if 7021 is in your solicitation or prime flow-down?
Answer capsule: Start by reading the inserted CMMC status — not by calling a vendor. Then map which systems and subcontractors will touch FCI or CUI, verify your SPRS status, CMMC UID(s), and annual affirmation, identify any Conditional or POA&M risk, and only then choose the provider category that matches your clause path.
The order matters as much as the steps. Here's the sequence:
- Find DFARS 252.204-7025 in the solicitation.
- Record the inserted CMMC status (Level 1 Self / Level 2 Self / Level 2 C3PAO / Level 3 DIBCAC).
- Confirm whether you're a prime, a sub, or both.
- Identify your FCI and CUI data flows.
- List the contractor information systems used in performance that touch them.
- Define or confirm the SSP boundary for those systems.
- Check SPRS for your current status and affirmation.
- Collect your CMMC UID(s).
- List subcontractors and suppliers that will touch FCI or CUI.
- Verify flow-down and each covered sub's status.
- Flag any Conditional status or POA&M timing risk.
- Choose a provider category — only after the clause path is clear.
You don't have to read the clause path alone. Get matched with source-checked provider options → Tell us your level, scope, and timeline, and we'll point you to the provider category that fits before you hire.
Which CMMC provider category fits each DFARS 252.204-7021 situation?
Answer capsule: The right provider depends on your clause path and your readiness gap, not on who markets hardest. If your scope and evidence are unclear, start with readiness — a Registered Provider Organization (RPO), vCISO, MSP/MSSP, or GRC support. If your problem is CUI architecture, look at an enclave or secure-collaboration provider. If your contract requires Level 2 (C3PAO) and your environment is assessment-ready, engage an authorized C3PAO while preserving independence. Readiness and formal assessment must stay separate.
We don't publish a paid “Top 10,” and we don't call anyone “verified” unless our verification criteria are visible on the page. What we can do is route you by category, matched to where you actually are.
| Your 7021 situation | Start with this category | Don't start with |
|---|---|---|
| You don't know the inserted status | Neutral contract/readiness triage | A C3PAO assessment quote |
| Level 1 (Self), FCI only | Small-business MSP, or a DIY checklist | Level 2 tooling, unless CUI is present |
| Level 2 (Self), scope clear | Readiness / GRC / evidence support | A formal C3PAO assessment |
| Level 2 (Self), scope unclear | Scoping advisor, RPO, MSP/MSSP, or enclave architect | Company-wide migration before a data-flow map |
| Level 2 (C3PAO), not assessment-ready | Readiness / RPO / MSP/MSSP / vCISO first | A C3PAO contract before your SSP and evidence are credible |
| Level 2 (C3PAO), assessment-ready | An authorized C3PAO | A readiness consultant pretending to certify |
| Level 3 (DIBCAC) path | Level 3 readiness + DIBCAC coordination | Treating Level 3 as “Level 2 plus paperwork” |
| Subcontractor verification problem | Supply-chain compliance support | Blindly flowing Level 2 (C3PAO) to every vendor |
See the full CMMC levels guide and our CMMC subject matter advisor directory for sourced provider-category profiles.
What we actually verified for this guide
Answer capsule: This guide is built on primary sources we read directly, with the date we checked them. Below is exactly what we verified, what each source establishes, and what falls outside this article's scope.
| Source | What it establishes | Checked |
|---|---|---|
| DFARS 252.204-7021 (eCFR / Acquisition.gov) | Clause obligations and paragraph structure (b)–(f), the “or higher” requirement, “current” status windows, SPRS reporting, flow-down. | Jun 17, 2026 |
| DFARS 252.204-7025 | The pre-award notice of the required CMMC level. | Jun 17, 2026 |
| 32 CFR Part 170 | CMMC levels and control counts, scoping (170.19), Conditional/POA&M (170.21), affirmation (170.22), flow-down (170.23), phase schedule (170.3(e)). | Jun 17, 2026 |
| Federal Register, 89 FR 83092 | CMMC program final rule, effective date, and the cost analysis behind the figures above. | Jun 17, 2026 |
| Federal Register, DFARS final rule | The DFARS acquisition rule (effective Nov. 10, 2025) and the removal of the proposed lapse-notification requirement. | Jun 17, 2026 |
| DoD CIO – CMMC | Phase dates and Level 3 structure. | Jun 17, 2026 |
| NIST CSRC – SP 800-171 Rev. 2 | The control set CMMC Level 2 currently maps to. | Jun 17, 2026 |
| Cyber AB – C3PAO Accreditation Requirements (R2002) | C3PAO independence and conflict-of-interest rules. | Jun 17, 2026 |
| U.S. DOJ – Civil Cyber-Fraud Initiative | False Claims Act enforcement for misrepresented cybersecurity compliance. | Jun 17, 2026 |
| DoD Class Deviation 2026-O0025 (Revolutionary FAR Overhaul) | The Feb. 1, 2026 treatment of 7019/7020 and Part 240 in deviation-based acquisitions. | Jun 17, 2026 |
What we could not verify, and you should confirm for your situation: the exact clauses and inserted level in your specific solicitation (read the document); current C3PAO and assessor capacity (check the Cyber AB Marketplace); and your final all-in cost (request scoped quotes). This article is independent journalism and analysis, not legal advice, and it does not replace a contracting officer's interpretation, guarantee award eligibility, or certify any provider.
Frequently asked questions about DFARS 252.204-7021
- What is DFARS 252.204-7021 in plain English?
- DFARS 252.204-7021 is the CMMC contract clause that requires a defense contractor to have and maintain the required CMMC status — at the level the contract specifies or higher — for covered systems throughout contract performance. It also requires SPRS reporting, an annual affirmation, CMMC UID reporting, subcontractor flow-down, and POA&M closeout if the status is Conditional.
- Does DFARS 252.204-7021 mean we need CMMC before award?
- The pre-award requirement is stated in DFARS 252.204-7025, which makes the inserted CMMC level an eligibility condition before award for covered systems. DFARS 252.204-7021 then carries the obligation into performance.
- Does DFARS 252.204-7021 always require a C3PAO?
- No. The clause recognizes Level 2 (Self) and Level 2 (C3PAO) as separate statuses. Whether you need a C3PAO depends on the status inserted in your solicitation and contract, not on the mere presence of the clause.
- What is DFARS 252.204-7025?
- It is the solicitation provision that identifies the required CMMC level before award: Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC). A provision gives notice; the 7021 clause carries the obligation.
- What is a CMMC UID?
- A CMMC unique identifier is a 10-character, alphanumeric code that SPRS assigns to each CMMC assessment, tied to a specific contractor information system. You report the UID(s) for the systems used in performance that process, store, or transmit FCI or CUI.
- Can a Conditional CMMC status win an award?
- Yes, if it is current and meets the rule's POA&M conditions, but it carries a 180-day closeout clock. If the POA&M is not successfully closed out in time, the Conditional status expires and standard contractual remedies apply.
- Does DFARS 252.204-7021 apply to subcontractors?
- Yes, when a subcontract will require the subcontractor to process, store, or transmit FCI or CUI, excluding COTS-only purchases. The appropriate level is determined under 32 CFR 170.23 and can be lower than the prime's level.
- Was DFARS 252.204-7021 changed or eliminated by the 2026 FAR overhaul?
- No. Under the Revolutionary FAR Overhaul and DoD Class Deviation 2026-O0025 (effective February 1, 2026), the standalone DFARS 252.204-7019 requirement was removed and the government-assessment function of 252.204-7020 moved to 252.240-7997 in deviation-based acquisitions — but DFARS 252.204-7021 and 252.204-7025 were left unchanged. Because these are deviation changes, codified clauses still appear on Acquisition.gov; always confirm the exact clauses in your specific solicitation.
- Does CMMC Level 2 use NIST SP 800-171 Rev. 2 or Rev. 3?
- Under current 32 CFR Part 170, CMMC Level 2 uses NIST SP 800-171 Revision 2. NIST lists Rev. 2 as superseded by Rev. 3 for publication purposes, but CMMC remains tied to Rev. 2 unless DoD amends the rule.
- Should we hire a C3PAO first?
- Only if your contract requires Level 2 (C3PAO) and your scope, System Security Plan, evidence, and SPRS posture are assessment-ready. If not, start with readiness before engaging an assessor, and keep readiness and assessment separate to preserve independence.
The Defense Compliance Report is an independent trade publication on CMMC 2.0 and DIB compliance — the independent CMMC decision layer for defense contractors. We map contract requirements, FCI/CUI scope, environments, provider categories, costs, and evidence into the next correct step before you hire.
Need help deciding what type of CMMC provider you need? Tell us your level, scope, and timeline, and we'll match you with source-checked CMMC provider options. Find your CMMC path →