DFARS 7021 Clause 2.0: DoD Releases Proposed Rule Updating CMMC Clause

On August 15, 2024, the Department of Defense (“DoD”) released the long-awaited proposed rule (“August 2024 Proposed Rule”), updating Defense Federal Acquisition Regulation Supplement (“DFARS”) Clause 252.204-7021 (the “7021 Clause”), which, when final, will initiate the phased implementation of Cybersecurity Maturity Model Certification 2.0 (“CMMC”) requirements into DoD contracts.  The Clause will require every defense contractor that handles Federal Contract Information (“FCI”) or Controlled Unclassified Information (“CUI”) to assess and certify compliance with select CMMC security requirements.  The August 2024 Proposed Rule introduces several distinct changes to the 7021 Clause published by DoD in January 2023, including:

• Instructing Contracting Officers to fill in the required CMMC Level in each in-scope DoD contract.
• Requiring contractors to “maintain the CMMC level required by [the] contract for the duration of the contract for all information systems” that handle FCI or CUI.
• Requiring contractors to notify the Contracting Officer within 72 hours if there are any “lapses in information security” or changes to the status of the CMMC certification—including in self-assessment certification.
• Requiring contractors to affirm “continuous compliance” on an annual basis or when changes to the status of their CMMC certifications occur.
• Requiring that contractors “ensure” that subcontractors have current CMMC certificates or self-assessments at the required flowdown level.

Heightened cybersecurity requirements and greater scrutiny on compliance will increase risks and potential consequences for defense contractors, particularly in the context of the Department of Justice’s Civil Cyber Fraud Initiative and False Claims Act litigation.  Thus, contractors need to be prepared for the upcoming implementation of CMMC.  Comments on the proposed rule will be accepted for 60 days. 

The 7021 Clause has been dormant during the CMMC rulemaking process, but DoD has stated that it will become active and begin appearing in DoD contracts when the August 2024 Proposed Rule is finalized.  However, it is likely that not all contractors will be required to fully comply with all CMMC requirements immediately.  The August 2024 Proposed Rule affirms that, as outlined in DoD’s December 2023 CMMC Proposed Rule, CMMC requirements are slated to roll out to contractors in phases over a three year period.