Cybersecurity Maturity Model Certification Requirements
Effective: November 10, 2025
DFARS 252.204-7021 is the contract clause that makes a current CMMC certification or self-assessment at the level specified in the contract a material condition of award and continued performance. It triggers the annual senior-official affirmation obligation under 32 CFR 170.22 and is the contractual hook that turns CMMC from a DoD policy into an enforceable requirement.
Who must comply
Any DoD contractor or subcontractor at any tier on a solicitation or contract that includes the clause, on the phased rollout that began November 10, 2025.
What it requires
1. Have, at the time of award, a current CMMC certification or self-assessment at the level required by the contract for any covered information system.
2. Maintain the required CMMC level throughout contract performance.
3. Complete and post the annual senior-official affirmation in SPRS as required by 32 CFR 170.22.
4. Notify the contracting officer of any lapse in the required CMMC level during performance.
5. Flow the clause down to subcontractors at all tiers that will process, store, or transmit FCI or CUI in performance of the contract, at the level required for the type of information the subcontractor will handle.
Key points
- The clause is being inserted into new solicitations on a phased schedule that runs through November 10, 2028.
- At Level 1, the required artifact is a self-assessment with an annual affirmation — no third-party assessment is involved.
- At Level 2, the artifact is either a self-assessment or a C3PAO certification, depending on what the contract specifies.
Related clauses
- DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
DFARS 252.204-7012 requires DoD contractors that handle Covered Defense Information (CDI) to implement the security requirements of NIST SP 800-171, report cyber incidents to DoD within 72 hours via the DIBNet portal, and use FedRAMP Moderate (or equivalent) cloud services for CDI. It has been the contractual basis for NIST 800-171 across the defense industrial base since 2017.
- 32 CFR 170.15: CMMC Level 1 Self-Assessment and Affirmation Requirements
32 CFR 170.15 sets the procedural requirements for CMMC Level 1: an annual self-assessment against the 15 safeguarding requirements of FAR 52.204-21, scored on a binary MET / NOT MET basis with no POA&Ms permitted, followed by an annual affirmation posted in SPRS by a senior official with authority to bind the organization.
- 32 CFR 170.22: Affirmation by a Senior Official
32 CFR 170.22 requires a named Affirming Official — a senior representative of the contractor with authority to bind the organization — to electronically affirm in SPRS at least every 12 months that the contractor continues to meet the CMMC security requirements for its level. A knowingly false affirmation is the explicit target of the Department of Justice Civil Cyber-Fraud Initiative under the False Claims Act.
Read more in the Library
- The 48 CFR CMMC Acquisition Rule: What Changes in Your DoD Contracts (2026)
32 CFR 170 created CMMC. 48 CFR is the rule that puts it into your contract. Here's what to look for in the next solicitation that lands in your inbox.
- The CMMC Annual Affirmation: The One Thing That Breaks DIY Compliance — 2026
Year-one DIY CMMC is easy. Year two is where most contractors quietly lose compliance. Here's how to not be one of them.
- CMMC Level 1: The Complete 2026 Guide for Small DoD Contractors
The single page to read first. What CMMC Level 1 is, who it applies to, what's actually required, what it costs, and the fastest honest path through it in 2026.