CMMCDocs.comHome / Glossary / DFARS 252.204-7021
DFARS 252.204-7021
Also known as: 7021 · CMMC Clause
The DFARS clause that actually requires CMMC certification on a contract. Being phased into DoD contracts beginning in 2025.
DFARS 252.204-7021, 'Cybersecurity Maturity Model Certification Requirements,' is the contract clause that operationalizes CMMC 2.0. When this clause appears in a contract, it requires the contractor (and applicable subcontractors) to hold a CMMC certification at the level specified in the contract — typically Level 1 or Level 2.
The clause was finalized as part of the CMMC 2.0 acquisition rule and is being phased into DoD contracts beginning in 2025, with full implementation across applicable contracts by 2028. As of 2025, contracting officers can include the clause selectively; over time it becomes mandatory across all CUI-handling contracts.
If you see DFARS 252.204-7021 in a contract, you cannot be awarded that contract without a current CMMC certification at the specified level.
Stop Googling. Start working.
CMMCDocs has all 110 NIST SP 800-171 Rev 2 requirements built in — with the language, the templates, and the evidence vault you need. Spin up a free demo workspace and click around the way an assessor would.
Get my demo account