The CMMC Clause and Why it Matters

DFARS 252.204-7021, Cybersecurity Maturity Model Certification Requirements (aka DFARS 7021) was published in January 2024. DFARS 7021 is the vehicle the Department of Defense will use to insert CMMC requirements into defense contracts. Once CMMC rulemaking is complete—which is expected in late 2024—the DFARS 7021 clause will start to appear in DoD contracts.
 

 
This blog explains DFARS 7021, what it means to your organization, and offers tips on how to save time and money meeting CMMC requirements.

What does DFARS 7021 require?

DFARS 7021 specifies just three broad requirements:

  • Defense contractors need to have a current CMMC certificate (i.e., less than three years old) at the CMMC level required by their contract, and they need to maintain that required CMMC level for the duration of their contract.
  • Defense contractors have to flow down CMMC requirements by inserting the DFARS 7021 CMMC clause into all their subcontracts (except for contracts for commercially available off-the-shelf items, or COTS).
  • Prior to award, contractors must ensure that their subcontractors have a current CMMC certificate at the CMMC level appropriate for the information that is being flowed down to the subcontractor.

Further details about the CMMC program itself will be codified later this year in the Code of Federal Regulations (CFR).

DFARS 7021: Culmination of DoD effort to enforce DFARS 7012

If your organization handles CUI (Controlled Unclassified Information), then you have a DFARS 7012 clause in your contract. DFARS 7012 requires contractors to secure CUI by implementing the 110 security controls in NIST SP 800-171. DFARS 7012 has been in effect since 2017 but requires only self-assessment of compliance, and enforcement has been weak.
 
To help close the gap on compliance, DoD released a trio of DFARS clauses: DFARS 7019, DFARS 7020 and 7021. DFARS 7019 and 7020 went into effect in 2020, and DFARS 7021 is expected to be added to defense contracts beginning late 2024, as shown below.
 

What does DFARS 7021 mean for my organization?

It’s expected that DFARS 7021 clauses will start to appear in DoD contracts by late 2024. To reduce your business risk and continue to be eligible for DoD work, now is the time to focus on meeting CMMC requirements.
 
Organizations that handle CUI will need to achieve at least CMMC Level 2. Experts who have done this work estimate that it takes typical small to midsize organizations anywhere from 12-18 months to meet Level 2 requirements. Note that this time frame exceeds estimates of how long it will be before CMMC requirements begin to appear in DoD contracts.
 
CMMC Level 2 security requirements will mirror NIST SP 800-171—which you are already expected to comply with per DFARS 7012. That means that your first steps toward CMMC Level 2 certification should focus on compliance with the 110 security controls in NIST SP 800-171 and conducting your self-assessment per DFARS 7019.
 
PreVeil’s goal is to help you achieve CMMC Level 2 certification faster and more affordably. Here’s a quick checklist to guide that journey:

  1. Reduce your compliance boundary. If only a portion of your organization handles CUI, then it makes sense to narrow the scope of the security requirements by creating a separate enclave. A smaller compliance scope means a simpler assessment process that saves you time and money.
     
    PreVeil can be deployed to a small enclave created just for users who handle CUI.
  2. Adopt a technical solution to protect CUI that’s easy to deploy and use—and helps you comply with NIST SP 800-171 and CMMC Level 2. PreVeil deploys in just hours and doesn’t require any rip-and-replace of your existing IT infrastructure because it works alongside it. It’s easy to use and, most important, supports compliance with more than 90% of the 110 NIST SP 800-171 security controls.
  3. Use prepared compliance documentation to save time and money. To pass your required C3PAO (CMMC Third-Party Assessment Organization) assessment for CMMC Level 2 certification, you’ll need detailed evidence-based documentation showing how each security control is addressed. This can be a daunting, time-consuming, and costly task.
     
    PreVeil’s compliance documentation package gives its customers a huge head start on this essential work. The package includes a System Security Plan (SSP) template with detailed language that explains how a customer will be able to meet each of the NIST SP 800-171 controls and objectives that PreVeil supports; policy documents; a Customer Responsibility Matrix (CRM); POA&M templates; and more.
  4. Identify consultants certified by the Cyber-AB who are familiar with your technology. It’s understandable that many organizations lack the internal security expertise to self-assess accurately and cost effectively. Outside partners can save time and money if you get stuck and need help.
     
    PreVeil has built a partner network of C3PAOs, Registered Practitioners, MSPs, and other consultants and organizations certified by the Cyber AB—all with expert knowledge of DFARS, NIST, CMMC and PreVeil. This coordinated access offers peace of mind and streamlines your engagement because no time is spent learning how PreVeil supports compliance.
  5. Create a reasonable timeline that matches your budget. Once you’ve protected your CUI, developed documentation to prove it, completed your NIST SP 800-171 self-assessment and uploaded your SPRS score, your next step is to schedule your C3PAO Level 2 assessment. Remember that you don’t need to be perfect at this point! If you’ve met 88 of the required 110 controls—and assuming POA&Ms are acceptable for the remaining 22 controls—then you’ll have up to 180 days to close those security gaps and complete your assessment. Consider spreading out your C3PAO and other costs over that time—and possibly into next year’s budget. Just know that the DoD has the authority to assess your organization at any time.

The PreVeil solution

PreVeil is the leading solution for NIST SP 800-171 compliance and CMMC Level 2 certification, and is trusted by more than 1,000 small and midsize defense contractors. Multiple PreVeil customers have achieved perfect 110 out of 110 NIST SP 800-171 scores in rigorous DIBCAC and JSVA assessments. Learn more about how PreVeil can help your organization achieve CMMC Level 2 compliance faster and more affordably:

  • Get a custom quote for your organization
  • Sign up here for a free 15-minute consultation with our compliance team
  • Check out our CMMC Guide, Achieving CMMC Compliance: A guide for small and midsize defense contractors, which has been downloaded by more than 4,000 defense contractors