If you only read the contract clause, you’re missing the playbook.
As of Nov. 10, the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7021, also known as the “Cybersecurity Maturity Model Certification [CMMC] clause,” is now in effect. With implementation officially underway, contractors are under pressure to understand not only what 7021 demands of them, but also what contracting officers (KOs) are required to do behind the scenes. Those instructions, which are buried in DFARS subpart 204.75, tell KOs when to include 7021, when they cannot award, and what they must verify before exercising options or extending a period of performance.
Contractors often treat 7021 as a black box dropped into their contracts. Now that the clause is active across new awards, KOs are following explicit procedures you never see. Understanding those procedures gives you visibility into how requirements are determined, enforced and sustained over the life of your award.
Where 7021 really comes from — and what KOs must do
The CMMC clause doesn’t appear in your contracts out of nowhere. It’s part of a stack. At the top is 32 CFR Part 170, the Defense Department’s CMMC program policy (effective Dec. 2024). DFARS 204.75 translates that policy into concrete guidance for contracting officers: policy, procedures and instructions on when to use the clause. You see it in practice as DFARS 252.204-7021, paired with 252.204-7025. DFARS 204.7500-7501 set the scope and definitions. The point is that DFARS isn’t inventing anything new; it’s carrying out CMMC program policy and telling KOs how to enforce it.
The KO instructions are unambiguous. Under DFARS 204.7502, a KO shall insert the required CMMC level when the program office or requiring activity tells them to. The KO doesn’t decide the level, as that comes from the program office based on the data and mission, but they are responsible for putting it into your contract language. Just as clearly, KOs shall not award a contract, task order or delivery order to an offeror without a current CMMC status at the required level.
Two qualifiers matter. First, “CMMC status” doesn’t mean “in progress.” It means you’ve achieved the minimum required score for the assessment, and your status is recognized (self or third-party; final or — at Levels 2 and 3 — conditional). Second, “current” matters. Status is generally valid for three years, and you must maintain it for the life of the award.
To make sense of this, it helps to decode what “status” really means at each level:
Level 1: Only a final self-assessment counts and no plans of actions and milestones (POA&Ms) are allowed.
Level 2: Can be self- or certified third-party assessor organization (C3PAO)-assessed, in either final or conditional status.
Level 3: Always a government assessment — Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) — which can be final or conditional.
KOs may award if your status is final or conditional at Level 2 or 3, provided it meets the required level in the solicitation and any open items are limited to those allowed by 32 CFR §170.21. But conditional status is time-bound: 180 days from the status date. If you achieved conditional status four months ago and bid today, you’ve only got about 60 days left to close those POA&Ms. There is no conditional path for Level 1.
The message is clear: While conditional paths exist, they are narrow and tightly limited.
The SPRS/UID reality check
Before a KO awards, extends or exercises an option, they verify your status in the Supplier Performance Risk System (SPRS) using your 10-character alphanumeric CMMC Unique Identifier (UID), which is tied to the specific system or enclave that was assessed. This binding matters. The government wants traceability from the contract to the exact enclave processing its data. If your UID points to System A, but CUI ends up in System B, you’ve created a mismatch with contractual — and potentially False Claims Act — implications. Keep your boundary, documentation and operational reality aligned to the UID you present.
This KO check isn’t one-and-done. KOs verify at initial award, again at option exercise or performance extensions, and again if you introduce a new UID mid-performance (for example, after a significant scope change requiring a new assessment). If your status isn’t current at any of those points, the instruction is simple: no award, or no option for extension.
When 7021 must be used — and when it isn’t
The rule is now active, placing us in the phased rollout period that runs through Nov. 9, 2028. During this stage, DFARS 204.7504 requires KOs to insert 7021 whenever the program office identifies a CMMC level and no waiver applies. Waivers remain rare and are issued only at the contract level, not as carve-outs for individual contractors.
When the rollout ends on Nov. 10, 2028, the requirement broadens: 7021 must appear in any contract involving the processing, storage or transmission of federal contract information (FCI) or CUI, unless formally waived. Wherever 7021 is used, 7025 follows to ensure all offerors see the requirement before bidding.
What this means for the contractor
Contractors should assume that KOs are already verifying CMMC status in SPRS today, not at some future point. Here’s how the KO’s world translates into your action list:
Don’t “strategy-bet” on KO discretion: The KO isn’t picking your level. The program office is. The KO’s job is execution and verification under “shall” language.
Know your status category and the timeline: If you’re planning to bid with conditional Level 2, track the 180-day closeout window from your status date. Build that into proposal schedules and risk plans.
Engineer your scope and keep it stable: Your CMMC UID binds the assessment to the specific system that will handle DoD data. Avoid unnecessary “significant change” events mid-performance that would force a new assessment/UID, unless you’ve planned for it.
Keep status current through the entire period of performance (PoP): Treat the three-year validity like a maintenance interval. If your status expires during performance, you’ve put option exercises and extensions at risk.
Map data flows to the assessed system: Ensure your CUI boundary and your assessed enclave are the same in reality, not just on paper. Align your system security plan (SSP), network diagrams, asset inventory and boundary controls to the UID’s scope.
Bid packages should include UID clarity: Make it easy for the KO to verify SPRS entries. Label the UID, level, status (final or conditional), status date and expiration in your cover letter or compliance matrix.
Have a POA&M closure plan you can execute: If conditional, your plan should show who/what/when, procurement lead times and validation steps. Assume the government will ask for evidence of progress.
Prepare for options early: Six months before option exercise, review your status currency, any scope drift, and whether new UIDs have appeared. Give your KO a smooth verification path.
The KO’s lens
Now that 7021 is in effect and being applied to new awards, KOs are already following the same mandatory procedures across solicitations, evaluations and option exercises. From the KO’s perspective, 7021 is not subjective. It’s a procedure backed by “shall” language: Include the required level, verify status in SPRS by UID, and do not award or extend if the status isn’t current at the required level. Conditional Level 2/3 can win you work, but only within the 180-day window and only with allowable POA&M items per policy.
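The KO checklist above (SPRS lookup by UID, required level, three-year currency, 180-day conditional window, no conditional path at Level 1) can be run as a pre-bid self-check. The following is an added example, not code from Federal News Network, Summit 7 or SPRS; the record shape, the `award_check` name and the assumption that the three-year validity is counted from the status date are the author's own.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import re

# CMMC UID is a 10-character alphanumeric identifier tied to the assessed enclave.
UID_RE = re.compile(r"^[A-Za-z0-9]{10}$")
# Which assessment types can produce a recognized status at each level.
ALLOWED_ASSESSMENT = {1: {"self"}, 2: {"self", "c3pao"}, 3: {"dibcac"}}
CONDITIONAL_WINDOW = timedelta(days=180)
STATUS_VALIDITY_YEARS = 3  # assumption: counted from the status date


@dataclass
class SprsRecord:
    """Constructed stand-in for what a KO would read out of SPRS."""
    uid: str
    level: int
    assessment: str   # "self", "c3pao" or "dibcac"
    status: str       # "final" or "conditional"
    status_date: date


def status_expiry(status_date: date) -> date:
    """Three years after the status date (Feb 29 rolls back to Feb 28)."""
    try:
        return status_date.replace(year=status_date.year + STATUS_VALIDITY_YEARS)
    except ValueError:
        return status_date.replace(year=status_date.year + STATUS_VALIDITY_YEARS, day=28)


def conditional_days_remaining(status_date: date, today: date) -> int:
    """Days left in the 180-day POA&M closeout window (negative once it has passed)."""
    return (status_date + CONDITIONAL_WINDOW - today).days


def award_check(rec: SprsRecord, required_level: int, today: date) -> tuple[bool, list[str]]:
    """Apply the KO's 'shall not award' rules; returns (awardable, reasons it is not)."""
    reasons = []
    if not UID_RE.match(rec.uid):
        reasons.append("UID is not a 10-character alphanumeric identifier")
    if rec.assessment not in ALLOWED_ASSESSMENT.get(rec.level, set()):
        reasons.append(f"{rec.assessment} assessment does not yield a Level {rec.level} status")
    if rec.level < required_level:
        reasons.append(f"Level {rec.level} status is below required Level {required_level}")
    if today >= status_expiry(rec.status_date):
        reasons.append("status is no longer current (three-year validity has passed)")
    if rec.status == "conditional":
        if rec.level == 1:
            reasons.append("no conditional path exists at Level 1")
        elif conditional_days_remaining(rec.status_date, today) <= 0:
            reasons.append("180-day conditional window has closed; POA&Ms not closed in time")
    elif rec.status != "final":
        reasons.append(f"unrecognized status {rec.status!r}; only final/conditional count")
    return (not reasons, reasons)
```

Run it six months before an option exercise as well as at bid time, since the same rules apply at both checkpoints.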
By understanding the KO’s checklist, contractors can predict how requirements will appear in your contracts, anticipate when status checks will occur, and avoid surprises that might otherwise cost you awards or option years.
Jacob Horne is the chief cybersecurity evangelist at Summit 7.
The post CMMC DFARS clause explained: The KO’s checklist contractors never see first appeared on Federal News Network.
