DFARS 252.204-7021 (hereafter 7021) is one of three new clauses, alongside 7019 and 7020, that extend the original DFARS 252.204-7012 clause, which requires every organization in the Defense Industrial Base (DIB) that handles covered defense information to implement NIST SP 800-171. DFARS 7021 states, “The Contractor shall have a current (i.e. not older than 3 years) CMMC certificate at the CMMC level required by this contract and maintain the CMMC certificate at the required level for the duration of the contract”.
This clause requires organizations to become CMMC certified; for more information about CMMC, check out our webpage here. Under 7021, a DIB organization must hold its CMMC certification at the required level by the time the contract is awarded, and must keep it current (a certificate is valid for three years) for the life of the contract. This clause is similar to DFARS 7012, which requires contractors handling covered defense information to implement NIST SP 800-171. CMMC draws most of its controls from NIST SP 800-171, so the majority of companies will need to meet those requirements; a smaller set of companies that handle the most critical CUI must also implement the enhanced security requirements drawn from NIST SP 800-172, the supplement to 800-171.
This means there is a lot of overlap between DFARS 7012 and 7021. This is good news for contractors: the resources you spend becoming compliant with 7012 will carry over to 7021 and CMMC. Another similarity between the two clauses is the requirement to flow the clause down to subcontractors. The DoD is putting heavy emphasis on securing the entire supply chain because of the increase in supply chain attacks. In a supply chain attack, a threat actor compromises a smaller supplier, which presumably has less robust security than a larger prime, and then abuses that supplier’s trusted access (shared data, network connections, or delivered software) to reach the larger company that is the real target.