DFARS 252.204-7021
Also known as: Cybersecurity Maturity Model Certification Requirements, CMMC clause
DFARS 252.204-7021 is the contract clause that makes a CMMC certification or self-assessment a material condition of award and continued performance on covered DoD contracts. It took effect November 10, 2025 as part of the 48 CFR final rule, and triggers the annual senior-official affirmation requirement under 32 CFR 170.22.
Related terms
- Cybersecurity Maturity Model Certification
The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense program that verifies whether contractors meet the cybersecurity controls already required by FAR 52.204-21 and NIST SP 800-171. It defines three certification levels and the assessment mechanism for each, established by 32 CFR Part 170 and made contractually binding by DFARS 252.204-7021.
- Annual Affirmation
The annual affirmation is the electronic statement, posted in SPRS at least every 12 months by an Affirming Official under 32 CFR 170.22, that the contractor continues to meet the security requirements for its CMMC level. Knowingly false affirmations are the explicit enforcement target of the DOJ Civil Cyber-Fraud Initiative.
- 32 CFR Part 170
32 CFR Part 170 is the Department of Defense final rule that established the CMMC program — defining the three certification levels, the assessment regime, the senior-official affirmation requirement, and the role of C3PAOs and the CMMC Accreditation Body. It became effective December 16, 2024.
- 48 CFR CMMC Acquisition Rule
The 48 CFR CMMC Acquisition Rule is the September 2025 DFARS amendment that added the CMMC clause (DFARS 252.204-7021) to the FAR/DFARS contract framework. It took effect November 10, 2025 and is what makes CMMC contractually enforceable rather than merely a DoD policy.