DFARS 252.204-7021: Cybersecurity Maturity Model Certification Requirements is one of the three newly released clauses in the DFARS 70 series (7012, 7019, 7020). The Cybersecurity Maturity Model Certification (CMMC) requirements are introduced into the federal regulatory framework with the addition of DFARS 7021; this clause will support the Department of Defense's (DoD) phased rollout of CMMC stating that all contracts, task orders, solicitations, etc. will have CMMC requirements included by October 1, 2025. Until this phased rollout has been completed, inclusion of a CMMC requirements in a solicitation must be approved by the Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD A&S).
OUSD A&S and the CMMC-Accreditation Body solidified their partnership, November 25, 2020, in signing a No-Cost contract to support this very important mission for our cybersecurity, information security, and thus national security.
Effective as of November 30, 2020, The DFARS Interim Rule is set to require CMMC certification at the time of contract award or option year award if included in the acquisition/solicitation, and the certification must be acquired in the previous three years (similar to DFARS 7019 and 7020 reporting requirements). Therefore, DFARS 7021 will be included as guiding requirements for use in solicitations and contracts until September 30, 2025.
Similar to DFARS 7020 requiring contractors AND their subcontractors to enter a current assessment into the Supplier Performance Risk System (SPRS), the DFARS 7021 clause requires DoD contractors to maintain the appropriate CMMC level with respect to each contract, while also ensuring any subcontractors are compliant to the same CMMC level; this will be required for the duration of the contract. According to the Federal Register, the decision to require certification at the time of contract award is subject to be reevaluated via public comments. Lastly, suppliers must insert DFARS 7021 language into their subcontract agreements and documentation.
CMMC assessments will be conducted by Certified Third Party Organizations (C3PAO), which are accredited by the CMMC Accreditation Body (CMMC-AB). The CMMC-AB will have the ability to issue CMMC certificates upon completion of the assessment. The CMMC certificate awarded will be given to the contractor and the requisite information will be posted in SPRS. Click here for more on CMMC, and the accreditation process.
The total number of organizations in the Defense Industrial Base (DIB) expected to be CMMC certified in years 1-7 are 163,391 with 49,000 of those expected to be CMMC Level 3 or higher. The following graphic is a high-level overview of the processes and practices that companies are evaluated on during a CMMC audit at each level.
DIB organizations that process, store, or transmit Controlled Unclassified Information (CUI) must achieve CMMC Level 3 or higher; this is dependent on the sensitivity of the information associated with the program or technology being developed. As represented in the graphic above, CMMC Level 3 consists of all 110 security requirements from NIST 800-171, 20 CMMC practices, and three CMMC processes. For a more detailed guide to CMMC Level 3 click here. DFARS 7021 also estimates the cost of a Level 3 assessment will exceed $28K.
The Federal Register explains CMMC compliance: "In order to achieve a specific CMMC level, a DIB company must demonstrate both process institutionalization or maturity and the implementation of practices commensurate with that level."
Note: Solicitations for the acquisition of Commercial Off The Shelf (COTS) items are exempt from DFARS 7021 and CMMC requirements.
If not already, your organization's information systems and organizational processes need to be configured or aligned to the 110 NIST 800-171 controls to prepare for CMMC requirements and meet preexisting DFARS 7012 requirements. If your organization is handling Controlled Unclassified Information (CUI) then you will need to become CMMC Level 3 (or higher) compliant.
Summit 7 has developed a CMMC Level 3 solution set within Microsoft GCC High and Azure Government to help companies in the supply chain achieve Level 3.
Ensuring that your organization, as well as your subcontractors, are CMMC compliant to the level that your contract requires at time of contract award is critical. If you have not already, begin communicating with your current suppliers and vendors to make them aware of future requirements and tracking the status of each subcontractor.
Public comments can be submitted to the Department of Defense for DFARS 7021 and the Interim Rule by:
Click here to access the Supplier Performance Risk System (SPRS). If you do not have an account with SPRS, you will need to request access through the Procurement Integrated Enterprise Environment (PIEE). Click here to access the PIEE. You will need a certificate to register / authenticate to PIEE / SPRS.
For assistance in meeting DFARS 7021 and other requirements for Department of Defense suppliers with/in Microsoft 365 and Azure contact the Summit 7 team here. Additionally, you can watch the overview of Microsoft's CMMC Acceleration Program below.
If you still have questions about the DFARS 70 Series, or you would like to discuss something else, please do not hesitate to reach out to us.
Here are some ways you can stay connected to the Summit 7 team and hear the latest on all things security and compliance: