DFARS 7021 and 7025 Compliance for CMMC Level 1 Contractors

If you’re a defense contractor in Hawaii—or anywhere in the Defense Industrial Base (DIB)—you’ve probably noticed a sharp increase in questions from Department of Defense (DoD) contracting officers about your cybersecurity posture. CMMC is no longer a future requirement or a compliance “nice to have.” It’s now a core eligibility factor.

As of November 10, 2025, two DFARS clauses—DFARS 252.204-7021 and DFARS 252.204-7025—officially changed how the DoD enforces cybersecurity requirements across the defense supply chain. These clauses shift the DoD away from trust-based self-attestation and toward verified compliance supported by formal assessments and ongoing accountability.

For the more than 220,000 organizations that make up the defense supply chain, this marks a major turning point. Cybersecurity compliance now directly determines whether your organization can compete for, bid on, or be awarded DoD contracts.

In this article, we break down what these DFARS clauses mean, how they work together to enforce CMMC, and what organizations pursuing CMMC Level 1 must do to remain contract-eligible in today’s compliance-driven environment.

Why the DoD Is Now Verifying CMMC Compliance Before Contract Award

With the CMMC Final Rule officially in effect, contracting officers have clear direction to integrate CMMC requirements into solicitations and contracts from the very beginning of the acquisition process. Cybersecurity is no longer treated as a post-award obligation—it is now a prerequisite for doing business with the DoD.

DFARS 252.204-7025, which applies at the solicitation stage, requires contracting officers to verify a contractor’s CMMC eligibility before making an award. In practical terms, this means your organization’s CMMC status must already be in place before your proposal can be considered responsive. There is no longer an opportunity to “fix it later” after a contract is awarded.

This shift is also driven by increased legal scrutiny. Under the Department of Justice’s Civil Cyber-Fraud Initiative, inaccurate or misleading cybersecurity representations can expose contractors to significant liability under the False Claims Act. As a result, contracting officers are under pressure to validate compliance upfront rather than uncover issues during contract performance.

Together, these changes explain why CMMC questions are appearing earlier, more frequently, and with greater urgency in the contracting process—and why defense contractors must treat CMMC readiness as a business-critical requirement, not an IT checkbox.

DFARS 252.204-7021: The Clause That Makes CMMC Mandatory

DFARS 252.204-7021, formally titled Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirements, is the contract clause that enforces CMMC compliance after award. Once included in a DoD contract, it creates binding cybersecurity obligations that apply for the full period of contract performance.

This clause is a critical enforcement mechanism. It ensures contractors not only achieve CMMC compliance but continuously maintain it while handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

Five CMMC Requirements You Must Maintain

When DFARS 252.204-7021 appears in your contract, it imposes the following ongoing requirements:

  1. Maintain the Required CMMC Level
    Each contract specifies a required CMMC level determined by the contracting officer:
  • CMMC Level 1 (Self)
  • CMMC Level 2 (Self)
  • CMMC Level 2 (Third-Party Assessed)
  • CMMC Level 3 (Government Assessed)

Contractors must maintain the specified level—or higher—for the entire duration of the contract across all systems that process, store, or transmit FCI or CUI.

  2. Submit Annual Compliance Affirmations
    Beyond initial certification, contractors must submit annual affirmations in the Supplier Performance Risk System (SPRS). These affirmations must be signed by a senior company official and attest that the organization continues to meet all applicable CMMC requirements.

Because these are legal attestations made under penalty of perjury, inaccurate affirmations can expose organizations to significant legal risk.

  3. Report CMMC Unique Identifiers
    Contractors are required to provide and maintain CMMC Unique Identifiers (UIDs) for every information system that handles FCI or CUI during contract performance.

These identifiers allow the DoD to track which contractor environments are responsible for safeguarding sensitive information, improving supply chain visibility and incident response.

  4. Keep CMMC Status Current
    CMMC certifications have defined validity periods—one year for Level 1 and three years for Levels 2 and 3. Contractors must ensure their certification remains active throughout the entire contract lifecycle, including any exercised option periods.

If certification lapses at any point, the contractor becomes ineligible to continue contract performance until recertification is completed.

  5. Close Out Conditional Status on Time
    Organizations that receive a Conditional CMMC status must complete all Plan of Action and Milestones (POA&M) items within 180 days.

Failure to achieve Final status within this timeframe results in loss of CMMC certification and contract ineligibility.

DFARS 252.204-7021 as a Supply Chain Requirement

DFARS 252.204-7021 is a mandatory flow-down clause. Prime contractors are required to include it in subcontracts at every tier when subcontractors will process, store, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI).

This requirement extends CMMC accountability across the entire defense supply chain—not just at the prime contractor level. Every organization that touches sensitive DoD information must meet the same baseline cybersecurity expectations.

Prime contractors are also responsible for verifying subcontractor compliance before awarding work. In practice, this typically means reviewing SPRS records, CMMC certificates, or other proof of current CMMC status, creating new due diligence obligations for supply chain and vendor management teams.

DFARS 252.204-7025: The Clause That Determines Eligibility

While DFARS 252.204-7021 governs contract performance, DFARS 252.204-7025 appears earlier in the acquisition process—within the solicitation itself. Titled Notice of Cybersecurity Maturity Model Certification Level Requirements, this provision establishes the CMMC requirements you must meet to be eligible for contract award. Understanding DFARS requirements early in the solicitation process allows contractors to assess eligibility, compliance risk, and proposal viability before investing significant resources.

In short, DFARS 252.204-7025 tells you whether you are qualified to compete before you invest time and resources into a proposal.

Why DFARS 252.204-7025 Exists

The purpose of DFARS 252.204-7025 is to eliminate uncertainty and prevent contractors from pursuing opportunities they cannot legally win.

By clearly stating CMMC eligibility requirements in the solicitation, contracting officers provide transparency early in the acquisition process. This allows contractors to quickly assess whether they meet the cybersecurity baseline needed to move forward.

What DFARS 252.204-7025 Requires

When DFARS 252.204-7025 appears in a solicitation, it provides four critical pieces of information:

  1. The Required CMMC Level
    The solicitation explicitly states the CMMC level required to compete, selecting from:
  • CMMC Level 1 (Self)
  • CMMC Level 2 (Self)
  • CMMC Level 2 (Third-Party Assessed)
  • CMMC Level 3 (Government Assessed)

This removes ambiguity and sets a clear cybersecurity threshold for eligibility.

  2. Pre-Award Eligibility Requirements
    To be eligible for award, offerors must have:
  • Current CMMC status in the Supplier Performance Risk System (SPRS) at the required level (or higher) for each system handling FCI or CUI
  • A current annual affirmation of continuous compliance in SPRS

These requirements must be met before award—contracting officers cannot make exceptions after the fact.

  3. Conditional Status—With Strict Limits
    DFARS 252.204-7025 allows contract award to organizations with a Conditional CMMC status, provided a valid Plan of Action and Milestones (POA&M) is in place.

However, all POA&M items must be closed within 180 days of award to achieve Final status. Failure to meet this deadline results in loss of contract eligibility.

  4. CMMC Unique Identifier Requirements
    The provision also notifies offerors that they must provide CMMC Unique Identifiers (UIDs) for all systems that process, store, or transmit FCI or CUI, establishing system-level visibility expectations from the outset.

How DFARS 252.204-7025 Saves You Time and Money

By appearing in solicitations before contract award, DFARS 252.204-7025 enables contractors to make informed go/no-go decisions based on their current CMMC posture.

If a solicitation requires CMMC Level 2 with third-party assessment and your organization only holds a Level 1 self-assessment, the message is clear: you are not eligible to compete. That clarity prevents you from investing time, labor, and proposal costs into an opportunity you cannot legally win.

This transparency benefits both sides of the acquisition process. Contractors avoid wasted proposal efforts, while the government receives proposals only from organizations that already meet baseline cybersecurity requirements.

How DFARS 252.204-7021 and 7025 Work Together

DFARS 252.204-7025 and DFARS 252.204-7021 function as two parts of a single enforcement model.

DFARS 252.204-7025 acts as the gatekeeper. It appears in the solicitation and sets the CMMC level you must already have posted in SPRS in order to compete.

DFARS 252.204-7021 serves as the enforcer. It appears in the awarded contract and requires you to maintain that CMMC status throughout contract performance, submit annual affirmations, and provide CMMC Unique Identifiers for applicable systems.

Together, these clauses create a continuous compliance framework. DFARS 252.204-7025 establishes eligibility before award, and DFARS 252.204-7021 ensures accountability after award—closing the gap between proposal promises and real-world cybersecurity performance.

Understanding CMMC Level 1 Requirements

For many defense contractors that handle Federal Contract Information (FCI)—but not Controlled Unclassified Information (CUI)—CMMC Level 1 is the applicable requirement. Understanding what Level 1 includes and how it aligns with DFARS 252.204-7021 and 252.204-7025 is critical to maintaining eligibility for DoD contracts. Many contractors find it helpful to reference structured CMMC compliance guidance when interpreting Level 1 requirements and mapping the 17 practices to their existing systems.

What Counts as Federal Contract Information (FCI)?

Federal Contract Information is information provided by, or generated for, the government under a contract that is not intended for public release. Common examples include:

  • Contract terms and conditions
  • Procurement-sensitive information
  • Source selection data
  • Contractor bids and proposals
  • Financial data submitted during contract performance

If your contracts involve FCI only—and do not include CUI such as technical data, export-controlled information, or sensitive operational details—CMMC Level 1 is typically sufficient.

What CMMC Level 1 Requires

CMMC Level 1 focuses on basic cyber hygiene. It requires implementation of 17 foundational cybersecurity practices derived from FAR 52.204-21. These practices are designed to protect FCI through fundamental safeguards, including:

  • Access control to ensure only authorized users can access systems
  • Identification and authentication to verify user identities
  • Media protection to secure and properly sanitize media containing FCI
  • Physical protection to limit access to systems and equipment
  • System and communications protection to monitor and control data flows
  • System and information integrity to identify vulnerabilities and defend against malicious code

Together, these controls establish a baseline level of security expected of all organizations handling FCI.

CMMC Level 1 Uses Self-Assessment

Unlike CMMC Level 2, which often requires third-party assessment, CMMC Level 1 is validated through annual self-assessment. This lowers the cost and complexity of compliance but still carries formal accountability requirements.

To meet Level 1 requirements, organizations must:

  1. Conduct an internal assessment using the CMMC Level 1 Self-Assessment Guide
  2. Evaluate all applicable systems against the 17 required practices
  3. Post assessment results to the Supplier Performance Risk System (SPRS), reflecting a “Final Level 1 (Self)” status
  4. Submit an annual affirmation of continuous compliance signed by a senior company official

While no third-party assessor is involved, these affirmations are legal attestations, making accuracy and ongoing compliance essential.

The Level 1 Annual Affirmation Requirement

CMMC Level 1 certifications are valid for one year from the assessment status date. To remain compliant—and eligible for DoD contracts—contractors must complete a renewal process before their certification expires.

Each year, organizations must:

  1. Conduct a new self-assessment reviewing all 17 required practices
  2. Update the assessment date in the Supplier Performance Risk System (SPRS)
  3. Submit a new annual affirmation signed by a senior company official attesting to continuous compliance

If these steps are not completed before expiration, your SPRS status automatically changes to “No CMMC Status (Expired).” At that point, you become ineligible for contract awards until a new assessment and affirmation are completed.

What Level 1 Means in Solicitations and Contracts

CMMC Level 1 requirements apply differently depending on whether they appear in a solicitation or an awarded contract.

When DFARS 252.204-7025 appears in a solicitation specifying CMMC Level 1 (Self), it means:

  • You must have Final Level 1 (Self) status posted in SPRS before contract award
  • Your Level 1 assessment must be current and less than one year old
  • You must have a current annual affirmation on file in SPRS
  • No changes to compliance have occurred since your assessment date

These are strict pre-award requirements. If any are missing, you are not eligible to compete.

When DFARS 252.204-7021 appears in an awarded contract specifying Level 1, it means:

  • You must maintain Level 1 compliance for the full period of performance
  • You must submit annual affirmations each year
  • You must provide CMMC Unique Identifiers (UIDs) for systems handling FCI
  • If your Level 1 status expires, you must recertify before continuing contract work

The CMMC Phased Rollout and What It Means for Level 1

The DoD is implementing DFARS 252.204-7021 and 252.204-7025 through a structured four-phase rollout, gradually expanding enforcement across the defense supply chain.

Phase 1: Initial Enforcement (November 10, 2025 – November 9, 2026)

CMMC Level 1 and Level 2 requirements appear in select solicitations and contracts. Contracting officers have discretion to include DFARS 7021 and 7025, and Level 1 self-assessments are the primary requirement for FCI-only contracts. For high-priority efforts, the DoD may still require Level 2 third-party assessments.

Phase 2: Expanded Level 2 Adoption (November 10, 2026 – November 9, 2027)

Level 2 third-party certifications become more common in applicable solicitations, while Level 1 remains the standard for FCI-only contracts. CMMC requirements expand across a broader range of contract types.

Phase 3: Mandatory Level 2 for Award (November 10, 2027 – November 9, 2028)

Level 2 third-party certification becomes a condition of award for all applicable contracts and is required to exercise options on existing contracts. Level 3 requirements are introduced for highly sensitive programs.

Phase 4: Full Implementation (November 10, 2028 and Beyond)

CMMC requirements apply to all applicable solicitations and contracts with no discretionary exceptions, aside from limited COTS-only scenarios. Levels 1, 2, and 3 are fully enforced based on information sensitivity.

What Level 1 Contractors Should Do Now

For CMMC Level 1 contractors, the key takeaway is simple: don’t wait. Even though Phase 1 gives contracting officers discretion, you should assume DFARS 252.204-7021 and 252.204-7025 will appear in new solicitations now.

Waiting until CMMC requirements show up in a specific opportunity can leave your organization scrambling to complete assessments, update SPRS, and submit affirmations on compressed timelines—putting contract eligibility at risk.

How to Comply with DFARS 7021 and 7025 at CMMC Level 1

If your contracts involve Federal Contract Information (FCI) and require CMMC Level 1, following a structured compliance process is essential. The steps below outline how to meet DFARS 252.204-7021 and 252.204-7025 requirements and maintain ongoing eligibility for DoD contracts.

Step 1: Identify Systems Handling FCI
Determine which information systems will process, store, or transmit FCI during contract performance. This scoping step is critical, as CMMC requirements apply at the system level—not the company level.

Step 2: Complete a Level 1 Self-Assessment
Using the official CMMC Level 1 Self-Assessment Guide, evaluate each scoped system against all 17 required practices. Document your results and confirm that every practice is fully implemented. CMMC Level 1 is pass/fail, and Plans of Action and Milestones (POA&Ms) are not permitted.

Step 3: Register in SPRS
Create and maintain an account in the Supplier Performance Risk System (SPRS). Registration requires your CAGE code and access to the DoD’s Procurement Integrated Enterprise Environment (PIEE).

Step 4: Upload Assessment Results
Submit your self-assessment results in SPRS, including:

  • Assessment completion date
  • CMMC Unique Identifiers (UIDs) for each assessed system
  • Assessment scope and system boundaries
  • Confirmation that all 17 practices are implemented

Your SPRS record should reflect “Final Level 1 (Self)” status upon completion.

Step 5: Submit the Annual Affirmation
A senior company official—such as a CEO, COO, or CFO—must submit an annual affirmation in SPRS attesting that:

  • All 17 CMMC Level 1 practices remain in place
  • No changes in compliance have occurred since the assessment
  • The organization continues to meet all Level 1 requirements

This affirmation is a legally binding statement and must be kept current.

Step 6: Provide CMMC UIDs When Requested
When responding to solicitations containing DFARS 252.204-7025, be prepared to provide CMMC Unique Identifiers for systems that will process FCI. Contracting officers may request this information to verify eligibility before award.

Common Questions About DFARS 7021, 7025, and CMMC Level 1

Can I still compete for DoD contracts without CMMC certification?
It depends on the solicitation. If DFARS 252.204-7025 is included and you do not have the required CMMC level posted in SPRS, you are not eligible for award. During the early rollout, some solicitations may not yet include this clause, but those opportunities are shrinking. Contractors should prioritize certification now to avoid being excluded from future bids.

Does DFARS 252.204-7012 still apply if my contract includes DFARS 7021?
Yes. DFARS 252.204-7012 remains fully in effect. It continues to require implementation of NIST SP 800-171 controls and 72-hour cyber incident reporting. DFARS 252.204-7021 does not replace 7012—it adds CMMC certification and annual affirmation requirements on top of existing obligations.

Can a CMMC Level 1 contractor bid on Level 2 contracts?
No. DFARS 252.204-7025 requires contractors to hold the specified CMMC level or higher at the time of award. A Level 1 self-assessment does not meet Level 2 requirements. Contractors must achieve Level 2 certification before becoming eligible to compete.

What happens if my annual affirmation is late?
If your annual affirmation is not submitted before expiration, your SPRS status changes to “No CMMC Status (Expired).” At that point, you become ineligible for new contract awards until a new assessment and affirmation are completed. Existing contracts may also be at risk if DFARS 252.204-7021 requires continuous compliance throughout performance.

Can I use consultants for a Level 1 self-assessment?
Yes. Although CMMC Level 1 is a self-assessment, organizations may work with CMMC Certified Professionals or Registered Practitioners to prepare, conduct gap analyses, and validate readiness before submitting results to SPRS. Working with teams that specialize in defense contractor compliance and CMMC readiness can reduce risk and help ensure affirmations are accurate and defensible.

Why Hawaii Defense Contractors Should Act Now

For defense contractors in Hawaii, DFARS 252.204-7021 and 252.204-7025 create both urgency and opportunity. Early investment in foundational security infrastructure and managed IT capabilities gives organizations a stronger baseline before they begin formal assessments and annual compliance cycles. Contracting officers are asking about CMMC status today—this is no longer a future requirement, but an active eligibility threshold.

Key reasons to prioritize CMMC Level 1 compliance now include:

  1. CMMC clauses are already appearing in solicitations
    DFARS 252.204-7025 has been included in solicitations since November 10, 2025.
  2. Even Level 1 takes time
    Most organizations need 30–90 days to complete scoping, gap analysis, remediation, documentation, and SPRS submission.
  3. Annual compliance starts immediately
    Achieving Level 1 is not a one-time effort. Starting now establishes the cadence needed to maintain compliance year over year.
  4. Supply chain pressure is increasing
    Prime contractors are actively verifying subcontractor CMMC status and excluding non-compliant partners from new work.
  5. Early compliance creates a competitive edge
    Contractors who certify early position themselves as low-risk, preferred suppliers while others scramble to catch up.

How Intech Hawaii Supports CMMC and DFARS Compliance

As Hawaii’s only CMMC Level 2 Certified Managed Service Provider with Certified CMMC Assessors and Professionals on staff, Intech Hawaii delivers end-to-end support for compliance with DFARS 252.204-7021 and DFARS 252.204-7025.

Our services are designed to meet today’s Level 1 requirements while positioning your organization for future CMMC maturity:

  • CMMC Level 1 Gap Assessments
    Comprehensive evaluations against all 17 required practices to identify gaps and readiness risks.
  • Implementation and Remediation Support
    Hands-on assistance with technology deployment, policy development, and control remediation.
  • SPRS Submission and Affirmation Guidance
    Support with SPRS registration, assessment submission, and ongoing annual affirmations.
  • Ongoing Compliance Management
    Continuous monitoring and support to help you maintain compliance year over year.
  • Scalable Level 2 Readiness
    Forward-looking solutions that prepare your organization for Level 2 requirements as contracts evolve.

Because Intech Hawaii has successfully achieved CMMC Level 2 certification internally, we bring practical, real-world experience—not just theory. We understand the assessments, documentation, and ongoing compliance obligations because we’ve been through the process ourselves.

From Readiness to Eligibility: CMMC Level 1 Under DFARS

DFARS 252.204-7021 and DFARS 252.204-7025 represent the DoD’s most significant cybersecurity enforcement shift in more than a decade. Together, they move CMMC from a future requirement to a present-day contract eligibility standard.

Contracting officers are verifying CMMC compliance before award—and they are taking these requirements seriously. For contractors handling Federal Contract Information, the path forward is clear: complete your Level 1 self-assessment, post results to SPRS, submit your annual affirmation, and maintain continuous compliance.

Waiting until CMMC clauses appear in a specific solicitation increases risk. Compressed timelines, delayed certifications, and lost eligibility can quickly derail otherwise qualified bids.

The window for proactive compliance is open, but it is narrowing as Phase 1 gives way to broader enforcement in Phase 2 beginning in November 2026.

Start your CMMC Level 1 journey today. Contact Intech Hawaii for a complimentary CMMC Level 1 readiness consultation and learn how we can help you navigate DFARS 252.204-7021 and 252.204-7025 efficiently and cost-effectively.