
A Department of Defense (DoD) class deviation has postponed the CMMC compliance requirement originally set for October 1, 2025. The deviation, effective as of September 3, 2025, notifies contracting officers that they are not to use the DFARS 252.204-7021 contract clause in new solicitations and contracts. This class deviation will remain in effect until the date of the final rule for DFARS Case 2019-D041 or until rescinded.
What is DFARS 252.204-7021?
DFARS 252.204-7021 is a regulation that outlines the Cybersecurity Maturity Model Certification (CMMC) requirements for Department of Defense contractors. It mandates that contractors maintain a specific CMMC level to ensure compliance with cybersecurity standards to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI).
Background on CMMC
CMMC establishes a tiered framework of cybersecurity standards based on NIST SP 800-171 controls. Final release of the program has repeatedly been delayed as new interim requirements and versions of the requirements have been released. Despite the fact that a final release is still pending, the DoD has repeatedly encouraged the Defense Industrial Base (DIB) and associated supply chain organizations to move ahead with their programs.
CMMC assessments are conducted by Certified Third-Party Assessment Organizations (C3PAOs) based on DoD contracting requirements. These requirements for CMMC programs fall under three levels:
- Level 1: Requires an annual self-assessment and affirmation of compliance with 15 basic security requirements.
- Level 2: Involves a more comprehensive assessment every three years, focusing on 110 security requirements from NIST SP 800-171.
- Level 3: Similar to Level 2 but includes additional requirements to protect against advanced persistent threats.
The CMMC program has faced numerous delays due to the complex rulemaking process and a phased implementation approach. Many have argued that it carries significant compliance costs that place unrealistic burdens on small businesses. Additionally, there are not enough assessors available for the organizations attempting to get CMMC certification.
CVG Strategy Information Security Management System Consultants
The DoD class deviation will delay the CMMC final rule but will, in all likelihood, not remove the requirement for DoD contractors and subcontractors. Many small businesses face challenges meeting CMMC requirements due to limited budgets and lack of qualified personnel. CVGS can provide guidance and help your organization understand and implement CMMC.
We are dedicated to helping small businesses navigate federal regulations and contract requirements for Quality Management, Cybersecurity, Export Compliance, and Test and Evaluation. We can help you meet your information security management system goals. CVG Strategy QMS experts can provide the training required to understand and engage in an ISMS and make it meet desired objectives.
Identify CUI Areas with CVG Strategy Signs
CVG Strategy provides signs to identify areas containing CUI and export-controlled items. These signs should be posted at all facility entrances where products are being produced or services are being performed that are under the control of the U.S. Department of State Directorate of Defense Trade Controls (DDTC) and are subject to the International Traffic in Arms Regulations per Title 22, Code of Federal Regulations (CFR), Parts 120-130.