DFARS Amendment Inserting the CMMC Clause into DoD Contracts
Effective: November 10, 2025
The 48 CFR CMMC Acquisition Rule is the September 10, 2025 final rule that amended the DFARS to add the CMMC clause (DFARS 252.204-7021) to DoD solicitations on a phased rollout that began November 10, 2025 and continues through November 10, 2028. It is the rule that converts CMMC from a program rule (32 CFR 170) into an enforceable contract obligation.
Who must comply
Every DoD contractor and subcontractor whose solicitation or contract incorporates the clause under the phased rollout.
What it requires
- 01Adds DFARS 252.204-7021 to DoD solicitations and contracts on a four-phase schedule beginning November 10, 2025. During the phase-in the clause is used when the program office or requiring activity determines a specific CMMC level is required (DFARS 204.7504(a)(1)), not at contracting officer discretion.
- 02Phase 1 (from November 10, 2025): DoD intends to require Level 1 (Self) or Level 2 (Self) as a condition of award for all applicable solicitations, and may at its discretion substitute Level 2 (C3PAO) for Level 2 (Self) (32 CFR 170.3(e)(1)).
- 03Phase 2 (from November 10, 2026): DoD additionally intends to require Level 2 (C3PAO) as a condition of award for applicable solicitations, and may at its discretion include Level 3 (DIBCAC) (32 CFR 170.3(e)(2)).
- 04Phase 3 (from November 10, 2027): DoD intends to require Level 2 (C3PAO) for all applicable awards and option exercises, and intends to require Level 3 (DIBCAC) as a condition of award (32 CFR 170.3(e)(3)).
- 05Phase 4 (from November 10, 2028): full implementation. CMMC requirements appear in all applicable DoD solicitations and contracts, including option periods on earlier awards (32 CFR 170.3(e)(4)).
Related clauses
- DFARS 252.204-7021Cybersecurity Maturity Model Certification Requirements
DFARS 252.204-7021 is the contract clause that makes a current CMMC certification or self-assessment at the level specified in the contract a material condition of award and continued performance. It triggers the annual senior-official affirmation obligation under 32 CFR 170.22 and is the contractual hook that turns CMMC from a DoD policy into an enforceable requirement.
- 32 CFR 170.15CMMC Level 1 Self-Assessment and Affirmation Requirements
32 CFR 170.15 sets the procedural requirements for CMMC Level 1: an annual self-assessment against the 15 safeguarding requirements of FAR 52.204-21, scored on a binary MET / NOT MET basis with no POA&Ms permitted, followed by an annual affirmation posted in SPRS by the company's Affirming Official.
- 32 CFR 170.22Affirmation by a Senior Official
32 CFR 170.22 requires a named Affirming Official, defined at 32 CFR 170.4 as the senior level representative responsible for ensuring the contractor's compliance with the CMMC Program requirements who has the authority to affirm its continuing compliance, to electronically affirm in SPRS at least every 12 months that the contractor continues to meet the CMMC security requirements for its level. A knowingly false affirmation is the explicit target of the Department of Justice Civil Cyber-Fraud Initiative under the False Claims Act.