DFARS Amendment Inserting the CMMC Clause into DoD Contracts
Effective: November 10, 2025
The 48 CFR CMMC Acquisition Rule is the September 10, 2025 final rule that amended the DFARS to add the CMMC clause (DFARS 252.204-7021) to DoD solicitations on a phased rollout that began November 10, 2025 and continues through November 10, 2028. It is the rule that converts CMMC from a program rule (32 CFR 170) into an enforceable contract obligation.
Who must comply
Every DoD contractor and subcontractor whose solicitation or contract incorporates the clause under the phased rollout.
What it requires
- Adds DFARS 252.204-7021 to DoD solicitations and contracts on a four-phase schedule beginning November 10, 2025.
- Phase 1 (Year 1): self-assessment Levels 1 and 2 at contracting officer discretion.
- Phase 2 (Year 2): C3PAO Level 2 certification at contracting officer discretion.
- Phase 3 (Year 3): Level 3 (DIBCAC) at contracting officer discretion.
- Phase 4 (Year 4 onward): CMMC requirements appear in all applicable DoD solicitations and contracts.
Related clauses
- DFARS 252.204-7021: Cybersecurity Maturity Model Certification Requirements
DFARS 252.204-7021 is the contract clause that makes a current CMMC certification or self-assessment at the level specified in the contract a material condition of award and continued performance. It triggers the annual senior-official affirmation obligation under 32 CFR 170.22 and is the contractual hook that turns CMMC from a DoD policy into an enforceable requirement.
- 32 CFR 170.15: CMMC Level 1 Self-Assessment and Affirmation Requirements
32 CFR 170.15 sets the procedural requirements for CMMC Level 1: an annual self-assessment against the 15 safeguarding requirements of FAR 52.204-21, scored on a binary MET / NOT MET basis with no POA&Ms permitted, followed by an annual affirmation posted in SPRS by a senior official with authority to bind the organization.
- 32 CFR 170.22: Affirmation by a Senior Official
32 CFR 170.22 requires a named Affirming Official — a senior representative of the contractor with authority to bind the organization — to electronically affirm in SPRS at least every 12 months that the contractor continues to meet the CMMC security requirements for its level. A knowingly false affirmation is the explicit target of the Department of Justice Civil Cyber-Fraud Initiative under the False Claims Act.