Bottom Line Up Front

The long-awaited update that incorporates the Cybersecurity Maturity Model Certification (CMMC) into the Defense Federal Acquisition Regulation Supplement, or DFARS, was published in the Federal Register on September 29, 2020. CMMC will be embodied in its own DFARS clause, DFARS 252.204-7021. The rule was published as an Interim Rule, meaning it will go into effect November 30, 2020.

Clause Language

That clause is surprisingly straightforward:

(a) Scope. The Cybersecurity Maturity Model Certification (CMMC) CMMC is a framework that measures a contractor’s cybersecurity maturity to include the implementation of cybersecurity practices and institutionalization of processes (see https://www.acq.osd.mil/​cmmc/​index.html).

(b) Requirements. The Contractor shall have a current (i.e. not older than 3 years) CMMC certificate at the CMMC level required by this contract and maintain the CMMC certificate at the required level for the duration of the contract.

(c) Subcontracts. The Contractor Shall— (1) Insert the substance of this clause, including this paragraph (c), in all subcontracts and other contractual instruments, including subcontracts for the acquisition of commercial items, excluding commercially available off-the-shelf items; and(2) Prior to awarding to a subcontractor, ensure that the subcontractor has a current (i.e., not older than 3 years) CMMC certificate at the CMMC level that is appropriate for the information that is being flowed down to the subcontractor.

DFARS 252.204-7021

Analysis

Effective Date