ARTICLE
21 August 2024

DFARS 7021 Clause 2.0: DoD Releases Proposed Rule Updating CMMC Clause

CM
Crowell & Moring LLP

Contributor

Crowell & Moring LLP logo
Our founders aspired to create a different kind of law firm when they launched Crowell & Moring in 1979. From those bold beginnings, our mission has been to provide our clients with the best services of any law firm in the world through a spirit of trust, respect, cooperation, collaboration, and a commitment to giving back to the communities around us.
Explore Firm Details
The Clause will require every defense contractor that handles Federal Contract Information or Controlled Unclassified Information to assess and certify compliance with select CMMC security requirements.
United States Technology
Photo of Michael G. Gruden, CIPP/G
Photo of Megan L. Wolf
Photo of Maida Oringher Lerner
Photo of Jacob Harrison
Photo of Alexis Ward
Authors
To print this article, all you need is to be registered or login on Mondaq.com.

On August 15, 2024, the Department of Defense ("DoD") released the long-awaited proposed rule ("August 2024 Proposed Rule"), updating Defense Federal Acquisition Regulation Supplement ("DFARS") Clause 252.204-7021 (the "7021 Clause"), which, when final, will initiate the phased implementation of Cybersecurity Maturity Model Certification 2.0 ("CMMC") requirements into DoD contracts. The Clause will require every defense contractor that handles Federal Contract Information ("FCI") or Controlled Unclassified Information ("CUI") to assess and certify compliance with select CMMC security requirements. The August 2024 Proposed Rule introduces several distinct changes to the 7021 Clause published by DoD in January 2023, including:

  • Instructing Contracting Officers to fill in the required CMMC Level in each in-scope DoD contract.
  • Requiring contractors to "maintain the CMMC level required by [the] contract for the duration of the contract for all information systems" that handle FCI or CUI.
  • Requiring contractors to notify the Contracting Officer within 72 hours if there are any "lapses in information security" or changes to the status of the CMMC certification—including in self-assessment certification.
  • Requiring contractors to affirm "continuous compliance" on an annual basis or when changes to the status of their CMMC certifications occur.
  • Requiring that contractors "ensure" that subcontractors have current CMMC certificates or self-assessments at the required flowdown level.

Heightened cybersecurity requirements and greater scrutiny on compliance will increase risks and potential consequences for defense contractors, particularly in the context of the Department of Justice's Civil Cyber Fraud Initiative and False Claims Act litigation. Thus, contractors need to be prepared for the upcoming implementation of CMMC. Comments on the proposed rule will be accepted for 60 days.

The 7021 Clause has been dormant during the CMMC rulemaking process, but DoD has stated that it will become active and begin appearing in DoD contracts when the August 2024 Proposed Rule is finalized. However, it is likely that not all contractors will be required to fully comply with all CMMC requirements immediately. The August 2024 Proposed Rule affirms that, as outlined in DoD's December 2023 CMMC Proposed Rule, CMMC requirements are slated to roll out to contractors in phases over a three year period.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Authors
Photo of Michael G. Gruden, CIPP/G
Michael G. Gruden, CIPP/G
Photo of Megan L. Wolf
Megan L. Wolf
Photo of Maida Oringher Lerner
Maida Oringher Lerner
Photo of Jacob Harrison
Jacob Harrison
Photo of Alexis Ward
Alexis Ward
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More