DFARS 252.204-7021 in My Contract: What It Means and What to Do Next

By The Defense Compliance Report Editorial Team · Last reviewed: June 2026 · Last verified: June 18, 2026

The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.

“There’s a clause called DFARS 252.204-7021 in my contract — what does it actually mean, and what do I have to do?”

If you found DFARS 252.204-7021 in your contract, your contract now carries a binding Cybersecurity Maturity Model Certification (CMMC) obligation:you have to hold and keep a “current” CMMC status at the exact level your contracting officer specified, affirm it every year in SPRS, and flow it down to subcontractors who touch the same information. The level — and whether you can self-assess — is set by the contract, not by a checklist.

Here’s the part that trips up almost everyone, and the reason a lot of pages you’ll read are quietly out of date: this clause has been through two very different versions, and the one most websites still describe is the old one. We’ll show you how to tell which version is in your contract in about thirty seconds — and why it changes what you owe.

Last reviewed: June 2026. We verified every regulatory claim below against the eCFR, Acquisition.gov, the Federal Register, 32 CFR Part 170, and the DoD CIO’s CMMC page. Where a fact will change as the rollout proceeds, we say so and date it.

Quick reference: what your contract package tells you

A note before you spend a dollar:Don’t panic-buy a third-party assessment yet. A “Level 2 (Self)” requirement and a “Level 2 (C3PAO)” requirement are completely different buying decisions. First, read the clause. Then decide.

DFARS 252.204-7021 in my contract — what does it actually require?

DFARS 252.204-7021 is the contract clause that makes CMMC a binding term of performance. It requires you to have and keep a current CMMC status at the level your contracting officer inserts, keep federal contract information (FCI) and controlled unclassified information (CUI) only on systems that meet that status, file an annual affirmation of compliance in the Supplier Performance Risk System (SPRS), and flow the requirement down to applicable subcontractors. (48 CFR 252.204-7021, eCFR.)

DFARS — the Defense Federal Acquisition Regulation Supplement — is the rulebook the Department of Defense (DoD) uses to govern how contractors do business with it. The clause numbered 252.204-7021 is the piece that turns CMMC from a future plan into something you’re contractually on the hook for, for the life of the award.

Two distinctions matter from the start, because mixing them up is where money gets wasted:

• 7021 is the contract clause. It governs what you must do during performance. Under DFARS 204.7504, it can appear in solicitations and in resulting contracts, task orders, or delivery orders — so you may see it before award, not only after.
• 7025 is the solicitation provision. DFARS 252.204-7025 (Notice of CMMC Level Requirements) is where the contracting officer writes down the required CMMC level before award. If you’re looking at a solicitation, 7025 usually tells you the level; 7021 then enforces it. (DFARS 204.7504, eCFR.)

And the single most important sentence on this page: the contract clause sets your level — a checklist on someone’s website does not.The contracting officer fills in a blank inside the clause. That blank is the answer to “what do I actually need.” Everything else is verification.

The obligation attaches to your contractor information systems — the ones that process, store, or transmit FCI or CUI in performance of the contract. But here’s a trap worth flagging now: “no CUI is stored on this box” does not automatically mean “this box is out of scope.” CMMC scope also reaches the assets that protect or connect tothat environment. We map exactly what’s in and out further down — and getting that right is the biggest lever you have over cost.

Wait — is the version in your contract the current one? (Jan 2023 vs. Nov 2025)

You may run into two very different versions of this clause number, and the difference is not cosmetic. The current, controlling version is “Contractor Compliance With the CMMC Level Requirements (NOV 2025),” which became effective November 10, 2025. The older “Cybersecurity Maturity Model Certification Requirements (JAN 2023)” was a placeholder from the 2020 interim rule. (48 CFR 252.204-7021 revision timeline, eCFR.)

We flag this first because it reframes everything below it. When we read the clause text directly on the eCFR — the continuously updated electronic Code of Federal Regulations — the page showed the current codified version dated (NOV 2025), with an amendment history confirming the change took effect November 10, 2025, and Title 48 last amended May 7, 2026. The September 10, 2025 Federal Register notice (DFARS Case 2019-D041) is the rulemaking that put it there.

That last row is the thirty-second check we promised. Open your contract, find the 252.204-7021 heading, and look at the month-and-year in parentheses. It tells you which set of obligations you’re actually living under.

Why this matters in the real world:plenty of older contract templates, prime flow-down packages, and pre-final-rule explainers still show the JAN 2023 language. The current Acquisition.gov clause page and the eCFR both show the NOV 2025 version. If the parenthetical in your contract and the codified version don’t line up, that’s a question for your contracting officer — not a guess for a vendor to make on your behalf.

Where do I find the required CMMC level — in 7021 or 7025?

Look for DFARS 252.204-7025 first, because that’s the solicitation notice where the contracting officer inserts the required CMMC level and assessment type before award. DFARS 252.204-7021 then enforces that level during performance. If 7025 isn’t filled in, the level still has to be specified somewhere in the package — and if it isn’t clear, you ask. (DFARS 252.204-7025 and 204.7504.)

The level isn’t always where you’d expect. Check these places in the contract or solicitation package:

• The clauses themselves: 252.204-7025 (solicitation) and 252.204-7021 (solicitation or contract)
• Section H — special contract requirements
• Section L — instructions to offerors
• Section M — evaluation criteria
• The Statement of Work (SOW) or Performance Work Statement (PWS)
• CDRLs (Contract Data Requirements Lists)
• DD Form 254, if one is attached
• A prime flow-down letter or teaming agreement
• Purchase order terms and conditions
• Option-year or modification documents
• Any CUI marking guide or security classification guide provided

What if 252.204-7021 shows up in a solicitation before award?

That’s normal, not an error. DFARS 204.7504 directs contracting officers to use the clause in solicitations as well as in contracts, task orders, and delivery orders during the phase-in, so seeing 7021 in an RFP or RFQ means CMMC will be a condition of the resulting award. (DFARS 204.7504, eCFR.) Eligibility for award generally requires the proper CMMC status in SPRS at the required level or higher, plus a current affirmation. Confirm the timing and any phase-in treatment with the contracting officer. Also see: CMMC Level 2 required in solicitation and do I need CMMC to win my contract?

If 7025 is missing, blank, or ambiguous, do this: ask the contracting officer (or your prime) to identify the required CMMC level and assessment type in writing; ask whether the requirement applies at award, at option exercise, at extension, or before subcontract award; and ask what FCI or CUI you’ll be expected to process, store, or transmit. One safety rule, no exceptions: do not put CUI, drawings, or sensitive contract details into a public form or intake toolwhile you’re sorting this out.

What’s actually in scope under DFARS 252.204-7021?

Your CMMC scope is broader than “the computers that store CUI.” It includes the assets that process, store, or transmit FCI or CUI and the assets that provide security protection to that environment. Other categories — like specialized equipment and assets you manage by risk — still have to be documented even when they aren’t fully assessed. (32 CFR 170.19 and the DoD CMMC Level 2 Scoping Guide.)

This is where contractors lose money in both directions — over-scoping (assessing the whole company) or under-scoping (missing assets that count). Here’s the plain-English version of how the CMMC Level 2 scope categories work:

One more wrinkle that catches small shops: External Service Providers (ESPs) — managed service providers, cloud services, and the like — carry scoping implications if they handle CUI or provide your security protection. A cloud service that stores or processes CUI generally needs FedRAMP Moderate authorization (or equivalent). The single biggest cost lever here is scope reduction: isolating CUI into a defined boundary, often a CUI enclave, shrinks both the controls in play and the price of the whole effort.

What should I do in the first 48 hours after finding DFARS 252.204-7021?

The first 48 hours are about triage, not buying.Before you contact a single provider, pin down the required level, the assessment type, the systems and assets in scope, what FCI or CUI is involved, your current SPRS status, your CMMC UID, your affirmation date, your subcontractor exposure, and whether any of the work is solely commercial-off-the-shelf (COTS). Get those nailed and your buying decision becomes obvious — and far cheaper.

This is the checklist we’d hand a contracts lead who walked into our office holding a contract with this clause in it:

Notice that buying decisions don’t appear until step 10 — on purpose. The contractors who overspend on CMMC almost always reversed this order: they hired before they scoped. See also: what to do after a CMMC gap assessment.

Do not submit CUI, drawings, technical data, export-controlled files, or sensitive contract details. Provider-matching may generate referral or lead-routing compensation, disclosed at the point of recommendation.

What we actually verified

Last verified: June 18, 2026. We read and cross-checked:

• 48 CFR 252.204-7021 (NOV 2025) on the eCFR — the current clause text, the seven CMMC statuses, the “Current” definitions, the annual affirmation and CMMC UID requirements, and flow-down to 32 CFR 170.23. The eCFR showed Title 48 last amended May 7, 2026 and the clause amended effective November 10, 2025.
• DFARS 204.7504 and DFARS 252.204-7025— the clause prescription (used in solicitations and contracts) and the solicitation notice that sets the level.
• The Federal Register final rule (DFARS Case 2019-D041), published September 10, 2025, effective November 10, 2025.
• 32 CFR Part 170 on the eCFR — the CMMC Program Rule (effective December 16, 2024), including the level structure, the scope categories in 170.19, the Level 2 eligibility and conditional-status consequences in 170.16–170.17, and the cost estimates in the Regulatory Impact Analysis.
• The DoD CIO CMMC page — Phase 1 dates (November 10, 2025 – November 9, 2026) and the reminder to submit affirmations with assessments in SPRS.
• NIST SP 800-171 Revision 2 (110 requirements, 14 control families) and NIST SP 800-172 (Level 3 enhanced subset).
• SPRS documentation for the CMMC UID and affirmation-visibility rules, and the Cyber AB CMMC Assessment Process for the conflict-of-interest requirements.

What we could not verify for you: the exact CMMC level in your contract, your current SPRS status, and your scope. Those are specific to your award and require your contracting officer, your prime, or a qualified advisor. See our methodology and corrections policy. This is educational research, not legal, contractual, or compliance advice. The Defense Compliance Report is an independent trade publication, not affiliated with the Cyber AB, the Department of Defense, DCMA DIBCAC, NIST, or any U.S. government agency.

Frequently asked questions