What is DFARS 7021?

Understanding DFARS 7021:
Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements, is part of the DFARS 70 series with the three declared clauses (7012, 7019, and 7020). DFARS 7021 introduces the Cybersecurity Maturity Model Certification 2.0 (CMMC 2.0) provisions into the federal regulatory structure.

The DFARS Interim Rule, which came into force in November 2020, mandates CMMC certification at contract award or option-year award when the requirement is contained in the acquisition or solicitation. The certification must also have been obtained within the prior three years (as with the DFARS 7019 and 7020 reporting conditions). Thus, DFARS 7021 shall be retained as a guiding provision for solicitations and contracts until September 30, 2025.

Just as DFARS 7020 requires contractors and their subcontractors to enter an existing assessment into the Supplier Performance Risk System (SPRS), the DFARS 7021 clause requires DoD contractors to maintain the appropriate CMMC level for every contract. DoD contractors must also ensure that subcontractors adhere to the same CMMC level for the required contract duration. According to the Federal Register, the decision to require certification at contract award must be reviewed via public comments. Suppliers must incorporate DFARS 7021 language into their subcontracts and documentation.

CMMC Framework concerning DFARS 7021:
CMMC assessments are to be conducted by authorized third-party organizations recognized by the Cyber AB. The Cyber AB holds the power to administer CMMC certificates upon completion of the assessment. The CMMC certificate granted will be provided to the contractor, and the required information will be published in SPRS.

Defense Industrial Base (DIB) organizations that process, store, or disseminate Controlled Unclassified Information (CUI) must obtain CMMC 2.0 Level 2 or higher. The required level depends on the criticality of the data related to the program or technology being developed.

The Federal Register also says that to achieve a particular CMMC level, a DIB company must demonstrate process structuring or maturity and implement practices proportionate to that level.

If it has not been done already, your organization's information systems and processes need to be restructured or adapted to the 110 NIST 800-171 controls to qualify for DFARS 7021 or CMMC. If your organization holds Controlled Unclassified Information (CUI), you must comply with CMMC 2.0 Level 2 or higher. Get in touch with VLC Solutions today to better understand how you can prepare for this new compliance transition.