DFARS 252.204-7025 Explained: The CMMC Notice That Decides If You Can Win
The Defense Compliance Report is the independent trade publication and decision resource for CMMC and Defense Industrial Base compliance — explaining the CMMC Final Rule with primary-source citation on every claim and mapping a contractor’s level, CUI scope, assessment type, and timeline to the right provider category, so DIB contractors choose the right CMMC path before they spend six figures.
DFARS 252.204-7025 is the solicitation provision that tells you which CMMC status must be current in SPRS — for every in-scope contractor information system — before a DoD contract can be awarded to you. It doesn’t add new security controls. It doesn’t change what you have to build. What it does is turn your CMMC status, your current affirmation of continuous compliance, and your CMMC unique identifiers (UIDs) into a pass/fail award gate. It took effect November 10, 2025, and it is the front door of every CMMC Phase 1 and Phase 2 solicitation. (DFARS 252.204-7025, eCFR; Acquisition.gov.)
DFARS is the Defense Federal Acquisition Regulation Supplement — the rulebook of clauses the Department of Defense (DoD) bolts onto its contracts. CMMC is the Cybersecurity Maturity Model Certification program. Keep those two straight and 7025 stops being scary.
Start here: what your solicitation is actually telling you
Before you read another word, find yourself in this table. It’s the fastest way to know whether you have a problem or just a question.
| What your solicitation (or contract) shows | What it most likely means | Your next move |
|---|---|---|
| 7025 with a filled-in CMMC level | CMMC status is now a condition of award for this opportunity. | Confirm your SPRS status, affirmation, and UID(s) for every in-scope system before you invest in the proposal. |
| 7021 and 7025 together | The normal CMMC pairing — provision in the solicitation, clause in the contract. | Read the level in the 7025 fill-in and make sure 7021 names the same level. |
| 7021 but no 7025 | A possible drafting gap. The rule says 7025 goes in solicitations that include 7021. | Ask the contracting officer a clarification question (we give you the exact wording below). Don’t assume CMMC doesn’t apply. |
| 7012, 7019, and/or 7020 — but no 7021 or 7025 | Likely an older contract or pre-CMMC-rule solicitation. NIST SP 800-171 and SPRS obligations may still apply; a CMMC award gate may not. | Verify your FCI/CUI scope and SPRS posture. Note: as of Feb 1, 2026, 7019 was retired and 7020 was renumbered. |
| A prime’s flow-down email says “be CMMC certified” but cites no DFARS clause | The prime may be flowing down its own read of the requirement. | Ask what FCI or CUI is being flowed down, which CMMC level is required, and whether self-assessment or third-party assessment is needed. See: CMMC for subcontractors. |
One honest warning before we go further. 7025 is short — barely a page. That’s exactly what makes it dangerous. You can have the strongest technical proposal, the best past performance, and the sharpest price on the street, and still be ruled ineligible for award because a CMMC status, an affirmation, or a UID wasn’t current in SPRS on the day it mattered. The good news: every one of those is fixable, and most of them are fixable faster than you think.
The right CMMC provider isn’t the same for every contractor — the category you need (a C3PAO, an RPO, an MSSP, a GRC platform, or a CUI enclave) depends on your required CMMC level, whether you handle FCI or CUI, your assessment type, your cloud and IT environment, and your contract timeline. The contract clause sets your level, not a checklist. Use The Defense Compliance Report’s Find My CMMC Path tool to map your situation to the right provider category before you request quotes.
What is DFARS 252.204-7025?
DFARS 252.204-7025, titled “Notice of Cybersecurity Maturity Model Certification Level Requirements,” is a solicitation provision that tells offerors the CMMC level required to win an award and makes a current CMMC status and affirmation in SPRS a condition of eligibility. It became effective November 10, 2025. It does not impose any new security controls — it announces the CMMC level the contract will require and screens who is eligible to be awarded.
Think of 7025 as the doorman, not the dress code. It doesn’t write the rules for how you secure your systems — that work lives in NIST SP 800-171 and the CMMC program rule. 7025 simply stands at the door of the solicitation and says: here is the CMMC level required, and here is the proof you must have on file to come in.
The single most important line in the whole provision is the fill-in. Your contracting officer picks one of exactly four options:
- CMMC Level 1 (Self)
- CMMC Level 2 (Self)
- CMMC Level 2 (C3PAO)
- CMMC Level 3 (DIBCAC)
C3PAO is a Certified Third-Party Assessment Organization — an outside assessor authorized or accredited by the CMMC Accreditation Body to perform Level 2 certification assessments (32 CFR Part 170). DIBCAC is the Defense Industrial Base Cybersecurity Assessment Center, the government team that runs Level 3 assessments.
The four moving parts of 7025, annotated
- 1→ The fill-in (one of the four options above). Read it first.
- 2→ The gate is at award, and it attaches to each in-scope system.
- 3→ SPRS status + affirmation are the eligibility test. Both must be current.
- 4→ Your UIDs go in the proposal. Not after award — in the proposal.
Why you’re seeing 7025 now. Phase 1 of CMMC runs from November 10, 2025 through November 9, 2026. During Phase 1, DoD is primarily putting Level 1 and Level 2 self-assessment requirements into solicitations, though it can require Level 2 (C3PAO) at its discretion. Phase 2 begins November 10, 2026 and adds the Level 2 (C3PAO) requirement as a condition of award for applicable contracts. If 7025 just showed up in your paperwork, it’s not random — it’s the rollout reaching your acquisition.
Is DFARS 252.204-7025 a provision or a clause — and how does it work with 7021?
DFARS 252.204-7025 is a solicitation provision; DFARS 252.204-7021 is the contract clause it points to. In federal contracting, a provision governs the solicitation and award stage, while a clause creates obligations inside the awarded contract. So 7025 puts you on notice before award, and 7021 carries the ongoing CMMC obligations after you win.
This is the distinction that trips up smart people, so let’s make it concrete.
| | DFARS 252.204-7025 | DFARS 252.204-7021 |
|---|---|---|
| Type | Solicitation provision | Contract clause |
| Lives in | The solicitation (before award) | The resulting contract (during performance) |
| Its job | Names the required CMMC level; screens eligibility | Requires you to maintain that level, affirm annually, flow it down to subs, and report UID changes |
| Borrows definitions from | DFARS 252.204-7021 | Itself (and 32 CFR Part 170) |
The pairing isn’t optional or accidental. The DFARS prescription at 204.7504(b) directs contracting officers to use 7025 in solicitations that include 7021 (Acquisition.gov, DFARS 204.7504). That single sentence is why a solicitation that carries 7021 but omits 7025 is worth a question — more on that shortly. It’s also the federal contracting pattern repeating itself: a provision gives notice, a clause carries the obligation, the way a solicitation provision pairs with a safeguarding clause.
How DFARS 252.204-7025 fits with 7012, 7019, 7020 & 7021 — and what changed February 1, 2026
The DFARS cyber clause family changed on February 1, 2026. Under the Department of Defense’s Revolutionary FAR Overhaul (RFO), implemented through Class Deviation 2026-O0025, DFARS 252.204-7019 was retired, DFARS 252.204-7020 was renumbered to DFARS 252.240-7997, and FAR 52.204-21 was renumbered to FAR 52.240-93 — while 252.204-7012, 252.204-7021, and 252.204-7025 were left unchanged. If you memorized the old four-clause stack, it no longer matches what appears in new solicitations.
This is the section every other “7025 explained” page is missing, because most of them were written before February 2026. We read the deviation listing on the Defense Acquisition Regulations System site and cross-checked it against the still-codified text in the eCFR. Here’s the cyber clause family you’ll encounter in new DoD solicitations as of mid-2026:
| What you’ll see now | Legacy number (pre-Feb 2026) | Type | What it does | Status as of June 2026 |
|---|---|---|---|---|
| DFARS 252.204-7012 | (unchanged) | Clause | Safeguard covered defense information; report cyber incidents to DoD within 72 hours; cloud and flow-down conditions | Unchanged by the RFO; still in force |
| (retired) | DFARS 252.204-7019 | Provision | Was the notice to post your NIST SP 800-171 self-assessment score in SPRS | Retired from the deviation-path clause package effective February 1, 2026 (Class Deviation 2026-O0025) |
| DFARS 252.240-7997 | DFARS 252.204-7020 | Clause | NIST SP 800-171 DoD Assessment requirements; revised to define only Medium and High government assessments (the “Basic” self-assessment concept was removed) | Renumbered + revised effective February 1, 2026 |
| DFARS 252.204-7021 | (same number; revised Nov 2025) | Clause | The CMMC requirement: maintain the required CMMC status per covered system, flow down to subs, affirm annually, report UIDs | Unchanged by the RFO; revised version effective November 10, 2025 |
| DFARS 252.204-7025 | (new) | Provision | Notice of the required CMMC level; the award-eligibility gate | New and unchanged by the RFO; effective November 10, 2025 |
| FAR 52.240-93 | FAR 52.204-21 | Clause | Basic Safeguarding of Covered Contractor Information Systems (15 basic safeguards for FCI) | Renumbered effective February 1, 2026; same title and text |
Verification snapshot — we checked this one ourselves. DARS Class Deviation 2026-O0025 (effective February 1, 2026) stands up DFARS Part 240, renumbers 252.204-7020 → 252.240-7997, retires 252.204-7019, and renumbers FAR 52.204-21 → 52.240-93; 7012, 7021, and 7025 are not changed. Source: DARS Revolutionary FAR Overhaul class-deviation listing. Verified .
What the overhaul did not do is just as important: it didn’t remove a single CMMC obligation. 7012’s 72-hour incident reporting is still live. 7021 and 7025 are untouched. The deviation stripped the standalone “Basic” self-assessment language out of the renumbered NIST SP 800-171 DoD Assessment clause — but CMMC self-assessment itself is still governed by 32 CFR Part 170 and still posted in SPRS. Nothing got easier to ignore.
“I have 7012, 7019, 7020, and 7021 — but not 7025. What does that mean?”
If you’re looking at clauses 7012, 7019, 7020, and 7021 but no 7025, you’re almost certainly looking at a document from before the CMMC acquisition rule — 7025 is a solicitation-only provision that didn’t exist until November 10, 2025. It is never written into the contract itself. If instead you’re reading a new solicitation that has 7021 but no 7025, treat that as a possible drafting gap and ask the contracting officer, because the rule pairs the two.
This is the exact scenario that sends people searching at 11 p.m. before a proposal is due, so let’s resolve it cleanly. There are three flavors.
Flavor 1 — An existing contract shows 7012/7019/7020/7021 and no 7025
That’s expected. 7025 only ever appears in solicitations, and only since November 10, 2025. A contract awarded before the CMMC rule — or a solicitation that simply predates it — won’t carry 7025. You’re not missing a step; the provision didn’t apply to that action. (And remember: for new actions, 7019 is now retired and 7020 is now 252.240-7997.)
Flavor 2 — A new solicitation shows 7021 but no 7025
This one earns a question. The prescription at DFARS 204.7504(b) says 7025 is used in solicitations that include 7021, so an omission is unusual enough to clarify in writing rather than guess. Here’s language you can adapt and submit as a formal question:
“Section [X] includes DFARS 252.204-7021 but does not appear to include DFARS 252.204-7025. Please confirm whether DFARS 252.204-7025 was intentionally omitted and, if CMMC applies, which CMMC level — Level 1 (Self), Level 2 (Self), Level 2 (C3PAO), or Level 3 (DIBCAC) — is required for offeror eligibility, and whether that requirement flows down to subcontractors that will process, store, or transmit FCI or CUI.”
Flavor 3 — You see 7012/7019/7020 and no 7021 or 7025 at all
Then a CMMC award gate may not be active on that opportunity, but your underlying NIST SP 800-171 and SPRS obligations can still be very much alive. Confirm whether the work involves CUI, whether NIST SP 800-171 applies, and whether a prime is separately requiring CMMC by flow-down. The absence of 7025 proves only that CMMC isn’t the visible award gate on that document — not that you have no cyber obligations. See also: is CMMC required to bid on a contract?
12-step award-gate self-check
Before you invest another hour in a proposal, run through these twelve checks. They take about two minutes and they tell you whether you’re looking at a problem or just a question. If any answer is “unknown” or “no,” that’s your action item — not a reason to panic.
| # | Check | Where to look | Action if No / Unknown |
|---|---|---|---|
| 1 | Is DFARS 252.204-7025 present in the solicitation? | Section I or clause list | If 7021 is present, ask CO whether 7025 was intentionally omitted (use Flavor 2 language above) |
| 2 | Is the fill-in blank completed with a CMMC level? | The 7025 fill-in line | Ask CO for the required level in writing; check Section H, L, M, SOW |
| 3 | Does the level match what 7021 specifies? | 7025 fill-in vs 7021 fill-in | Ask CO to reconcile; conflicting fill-ins are a drafting error worth flagging |
| 4 | Do you know which contractor information systems are in scope? | SOW, PWS, DD Form 254, CUI markings | Map FCI/CUI data flows before assuming a scope; see scope reduction |
| 5 | Is your current CMMC status at the required level (or higher) in SPRS? | SPRS.csd.disa.mil | Check status type, level, scope, and expiration; see how to verify SPRS status |
| 6 | Is your CMMC affirmation of continuous compliance current? | SPRS affirmation record | File the affirmation; see CMMC annual affirmation guide |
| 7 | Do you have a CMMC UID for each in-scope contractor information system? | SPRS CMMC record | Complete your assessment for each in-scope system; UIDs go in the proposal |
| 8 | If you have a Conditional status, is the 180-day window still open? | Conditional status expiration date in SPRS | Close the POA&M to reach Final status before the window closes |
| 9 | Does your CMMC UID cover the scope of the system that will perform this specific contract? | Assessment boundary vs SOW requirements | A UID for a different scope does not satisfy 7025; you may need an additional assessment |
| 10 | Are subcontractors involved, and do they need CMMC? | SOW sub-tiers, CUI flow-down | Map FCI/CUI handling per sub; see flow-down requirements |
| 11 | Is any work solely COTS? | Product/service classification, SOW | Confirm no FCI handling changes the COTS analysis before relying on the exclusion |
| 12 | What is the actual award gate — at award, option, task order, or sub-award? | 7025/7021 fill-in, Section L/M, CO | Get the deadline in writing; see do I need CMMC to win my contract? |
What we actually verified
- DFARS 252.204-7025 and DFARS 252.204-7021 (NOV 2025) on the eCFR — the current provision and clause text, the fill-in structure, the SPRS eligibility language, and the UID requirement. Title 48 last amended ; 7025 and 7021 effective .
- DFARS 204.7504(b) — the prescription requiring 7025 in solicitations that include 7021.
- DARS Class Deviation 2026-O0025 (effective February 1, 2026) — DFARS Part 240 standing up, 252.204-7019 retired, 252.204-7020 → 252.240-7997, FAR 52.204-21 → 52.240-93; 7012/7021/7025 unchanged. Source: DARS class-deviation listing, acq.osd.mil. Not yet codified; eCFR still shows legacy numbers. Re-checking quarterly.
- 32 CFR Part 170 — the CMMC Program Rule (effective ): Phase 1 dates (November 10, 2025 – November 9, 2026), Phase 2 begins November 10, 2026, Conditional/Final status definitions, 180-day POA&M closeout and expiry consequences, Level 2 = 110 requirements / 14 control families (NIST SP 800-171 Rev. 2), Level 1 = 15 requirements, flow-down rules, CMMC scope categories (Security Protection Assets, CRMAs, Specialized Assets).
- DoD CIO CMMC page — Phase 1 and Phase 2 dates, affirmation reminder, and Level 2 Scoping Guide.
- DFARS 252.204-7012 text on Acquisition.gov — confirmed 7012’s NIST SP 800-171 version language and the effect of the May 2024 class deviation keeping 7012 on Rev. 2.
- Federal Register CMMC Program Rule (32 CFR Part 170) — DoD cost estimates: Level 1 ~$6,000; Level 2 Self ~$37,000/3 yrs; Level 2 C3PAO $101,752 assessment + $104,670/3 yrs ongoing (implementation cost excluded for L1/L2).
- DOJ Civil Cyber-Fraud Initiative — affirming-official False Claims Act context.
DFARS 252.204-7025 FAQ
Is DFARS 252.204-7025 the same as DFARS 252.204-7021?
No. 7025 is the solicitation provision that gives notice of the required CMMC level and screens award eligibility. 7021 is the contract clause that carries the ongoing CMMC obligations during performance. They’re a matched pair: 7025 in the solicitation, 7021 in the contract.
Is DFARS 252.204-7025 a clause or a provision?
It’s a solicitation provision, prescribed at DFARS 204.7504(b) and used in any solicitation that includes the 7021 clause.
When did DFARS 252.204-7025 take effect?
November 10, 2025, under the CMMC acquisition rule (DFARS Case 2019-D041).
Does DFARS 252.204-7025 impose NIST SP 800-171 controls?
No. 7025 announces the required CMMC level and makes your SPRS status, affirmation, and UIDs an eligibility gate. The actual security requirements live in NIST SP 800-171 Revision 2 for Level 2 and flow through clauses like DFARS 252.204-7012.
Does DFARS 252.204-7025 apply to task orders and delivery orders?
Yes. When a solicitation includes 7025, the required CMMC status applies before award of the contract, task order, or delivery order identified in the provision, and the offeror must provide the applicable CMMC UID(s) in the proposal. The provision expressly refers to the “contract, task order, or delivery order.”
What if my solicitation has 7021 but not 7025?
Ask the contracting officer. The rule pairs them (7025 is used in solicitations that include 7021), so an omission is worth a written clarification question rather than an assumption that CMMC doesn’t apply. Use the Flavor 2 language above as a starting point.
What if I have 7012, 7019, and 7020 but no 7021 or 7025?
You may still have NIST SP 800-171 and SPRS obligations, but a CMMC award gate may not be active on that action. Also note that as of February 1, 2026, 7019 was retired and 7020 was renumbered to 252.240-7997 for new actions.
Do I need to be certified before I submit a proposal, or before award?
The provision states the required CMMC status is needed prior to award, but it also requires your UID(s) in the proposal — so treat it as a proposal-readiness issue. Follow any stricter submission instructions in the solicitation’s Section L or M.
What is a CMMC UID?
A 10-character alphanumeric identifier SPRS assigns to each CMMC assessment, tied to a specific contractor information system. You list your applicable UIDs in the proposal and keep the list current.
Can a Conditional Level 2 status satisfy DFARS 252.204-7025?
Yes, if it’s at the required level or higher and still within its 180-day window — but you must close out your POA&M to reach Final status, or the Conditional status expires. Level 1 has no POA&M and requires a Final status.
Does Level 2 (Self) satisfy a Level 2 (C3PAO) requirement?
No. They use the same Level 2 security requirements, but the assessment type differs. If the 7025 fill-in says Level 2 (C3PAO), a self-assessment won’t make you eligible. See: CMMC self-assessment vs C3PAO.
Does a higher CMMC status satisfy a lower requirement?
Yes. 7025 requires the named level “or higher,” and 32 CFR Part 170 confirms a Level 2 (C3PAO) status also satisfies a Level 1 (Self) or Level 2 (Self) requirement for the same scope.
Does NIST SP 800-171 Revision 3 apply to CMMC Level 2 today?
No. The CMMC program rule references Revision 2 for Level 2, and a May 2024 class deviation keeps DFARS 7012 on Revision 2 as well. Build and assess to Rev. 2 for CMMC unless DoD amends the rule.
Can the same firm get me ready and then certify me?
Generally no. The CMMC ecosystem’s independence rules separate consulting/remediation from certification assessment, so the firm that helps you remediate usually cannot be the C3PAO that certifies you. See: RPO vs C3PAO.
Primary sources
- 48 CFR 252.204-7025 (NOV 2025) — eCFR
- DFARS 252.204-7025 — Acquisition.gov
- 48 CFR 252.204-7021, Contractor Compliance With the CMMC Level Requirements (NOV 2025) — eCFR
- DFARS 204.7504(b), Solicitation Provision and Contract Clause — Acquisition.gov
- DARS Class Deviation 2026-O0025 (RFO) — acq.osd.mil
- 32 CFR Part 170, CMMC Program Rule — eCFR
- DoD CIO, About CMMC — dodcio.defense.gov
- CMMC Program Rule, Federal Register (Oct. 15, 2024) — federalregister.gov
- NIST SP 800-171 Revision 2 — NIST CSRC
- DOJ Civil Cyber-Fraud Initiative — justice.gov
