DFARS 7021 is one of three new clauses, alongside 7019 and 7020, that extend the original DFARS 252.204-7012 clause requiring every organization in the DIB to be compliant with NIST 800-171 prior to award. DFARS 7021 states that, within the last three years, the contractor must have been certified at the appropriate Cybersecurity Maturity Model Certification level required for each contract.
This clause requires organizations to become Cybersecurity Maturity Model Certification (CMMC) certified; for more information about CMMC, check out our webpage here. Under this clause, every organization in the DIB must hold its CMMC certification before the contract is awarded.
This clause is similar to DFARS 7012, which requires all companies to become NIST 800-171 compliant. CMMC bases most of its controls on NIST 800-171: the majority of companies will be required to comply with those controls, while the small portion of companies that handle critical CUI must also comply with additional controls from NIST 800-53.
This means that there is a lot of overlap between DFARS 7012 and 7021. This is good news for contractors: the resources you spend becoming compliant with 7012 will carry over to 7021 and the CMMC. Another similarity between these two clauses is that the requirement is flowed down to subcontractors.
The reason the DoD is putting a heavy emphasis on securing the entire supply chain is the increase in supply chain attacks. In a supply chain attack, a threat actor targets a smaller company, which presumably has less robust security than a larger company, in order to gain easier access to its main target.