What is the DFARS 7021 Clause (Provision)?

Defense Federal Acquisition Regulation Supplement 252.204–7021 (DFARS 7021) is one of three related clauses that the DoD’s new interim rule adds to the DFARS. These new regulations amend DFARS 252.204–7012, which has been used in US Department of Defense (DoD) contracts since 2018.

The interim rule, in effect as of November 30, 2020 after a short comment period, reflects the DoD’s determination to “address threats to the US economy and national security from ongoing malicious cyber activities.” The problem has been that DFARS 7012, which has no provision for independent verification of contractor controls, has left the door open for “shortcomings and associated risks” concerning cyber compliance.

The interim rule has two main thrusts:

  1. The new provision DFARS 7019 and new clause DFARS 7020 drive a more robust self-attestation methodology around the current NIST SP 800–171 standard.
  2. The new DFARS 252.204–7021 Cybersecurity Maturity Model Certification Requirement (DFARS 7021) paves the way for the ongoing rollout of the DoD’s Cybersecurity Maturity Model Certification (CMMC) compliance framework, which incorporates third-party assessment of contractors’ controls.

The DFARS 7021 clause requires contractors to have a CMMC certification at the level their contract specifies at the time of contract award, and to maintain the required CMMC level across the duration of the contract.

Where the DFARS 7021 clause is specified, contractors must not only achieve and maintain their own CMMC compliance, but also “flow down” the clause by verifying that their subcontractors have successfully achieved an appropriate CMMC level before awarding or extending subcontracts, based on the sensitivity of the Controlled Unclassified Information (CUI) exchanged with each subcontractor.

In keeping with the DoD’s announced plans for a gradual CMMC rollout, the DFARS 7021 clause will initially appear only in a few select contracts approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD A&S). However, after September 30, 2025 all DoD contracts will include the CMMC compliance requirement. The only exceptions will be “procurements exclusively for commercial off-the-shelf (COTS) items.”

To achieve a particular CMMC Level (1 through 5), the interim rule states that a US defense industrial base (DIB) company “… must demonstrate both process institutionalization or maturity and the implementation of practices commensurate with that level. A DIB contractor can achieve a specific CMMC level for its entire enterprise network or particular segment(s) or enclave(s), depending upon where the information to be protected is processed, stored, or transmitted.”

While DoD contracts requiring CMMC may not be in your company’s immediate future, verifiable NIST 800–171 compliance certainly is — and the two frameworks differ by only a handful of controls.

You can learn more about CMMC and how it will impact your business here.

Next Steps

Compliance with the DFARS 7021 clause will soon be a competitive advantage for many DoD suppliers. And before too long it will be an absolute competitive necessity.

To talk with a DFARS expert about your company’s specific compliance goals and concerns, including how best to address the new interim rule, contact Pivot Point Security.

We are a trusted source of simple, practical, and actionable information security guidance.