Cybersecurity & Supply Chain (Parts 4 / 39 / DFARS 204)

DFARS 252.204-7021

Cybersecurity Maturity Model Certification Requirements

The CMMC 2.0 clause. Requires contractors to have the specified CMMC level certification (Level 1 / Level 2 / Level 3) prior to award and to maintain it through performance. Level 1 is self-assessment (Federal Contract Information); Level 2 typically requires C3PAO third-party assessment (CUI); Level 3 requires DIBCAC assessment (most sensitive CUI). Phased rollout in 2025-2028; check the specific solicitation for required level and assessment type.

FAR / DFARS Part
DFARS Part 204 — Administrative and Information Matters
Prescribed By
DFARS 204.7503 — Required in DoD solicitations and contracts requiring CMMC certification.
Flow-down to Subcontracts

Yes — flow down required for subs handling FCI / CUI (252.204-7021(c)).

What this clause requires

  • Achieve and maintain CMMC certification at the level specified in the solicitation/contract.
  • Level 1 (FCI): annual self-assessment of 15 NIST 800-171 controls + senior official affirmation.
  • Level 2 (CUI): C3PAO third-party assessment of 110 NIST 800-171 controls (or self-assessment for limited scenarios) + 3-year recertification.
  • Level 3 (high-priority CUI): DoD DIBCAC assessment of NIST 800-171 + selected NIST 800-172 controls + 3-year recertification.
  • Flow-down to subs handling FCI / CUI at the appropriate level.
  • Maintain certification through performance; loss of certification can trigger contract issues.

When this clause applies

DoD contracts where FCI or CUI is processed, stored, or transmitted. Phased rollout from 2025; verify which level applies for each opportunity.

Common pitfalls

  • Underestimating Level 2 C3PAO timelines: booking + audit + remediation often takes 6-12 months.
  • C3PAO supply shortage in the early CMMC rollout: schedule far in advance.
  • Sub flow-down: primes are responsible for sub CMMC status; missing certifications at the sub tier put the award at risk.
  • Loss of certification mid-contract: you must notify the CO; it can trigger a stop-work order or termination.

Proposal-team checklist

  • Verify required CMMC level for each opportunity; check the DoD solicitation language.
  • Book C3PAO well in advance for Level 2 assessments.
  • Audit subs — require sub CMMC status before sub award; budget for sub remediation if needed.
  • Maintain a CMMC compliance calendar — annual self-affirmation, 3-year recertification, scope changes.


FAQ

When is CMMC required?

Phased rollout starting late 2025 through 2028, with the level required varying by contract sensitivity. Check the solicitation; the CMMC clause (7021) is included only when CMMC certification is required at award.

Can I self-assess at Level 2?

Only in limited circumstances — most Level 2 contracts require C3PAO assessment. The solicitation will specify.

What happens if I lose certification mid-contract?

Notify the CO. Depending on level and reason, the agency may allow remediation, suspend performance, or terminate. Loss of certification is a serious compliance event.


Reference content based on the Federal Acquisition Regulation and DFARS as of June 2026. Always verify the current clause text at acquisition.gov before relying on it for an actual submission. Educational reference; not legal advice.