DFARS 252.204-7021: The CMMC Flowdown Clause Explained
DFARS 252.204-7021 ties CMMC directly to DoD contracts and directs primes to flow the required level to subcontractors that handle FCI or CUI, with assessment specifics governed by 32 CFR part 170 and DoD guidance.

DFARS 252.204-7021 ties CMMC to the contract and pushes the right requirement to subcontractors that handle FCI or CUI. Contracting officers insert a CMMC level in the solicitation, and the clause requires the contractor to have and maintain that status for information systems used in performance that process, store, or transmit FCI or CUI.
Clause scope and core obligations
DFARS 252.204-7021 requires a current CMMC status at the level the contracting officer inserts into the solicitation. The obligation applies to information systems you use to perform the contract where those systems process, store, or transmit FCI or CUI. The clause text directs you to 32 CFR 170.23 for flowdown and for additional CMMC requirements that attach through the program rule.
DoD states that CMMC serves as a condition of contract award when a solicitation includes it, and that contractors and subcontractors entrusted with FCI or CUI must achieve the applicable level. DoD began a phased implementation on November 10, 2025. Solicitations add the requirement based on program phase and acquisition planning, so you need to read each one with care.
Flowdown mechanics and scope
The clause points you to the program rule for flowdown. You need to pass the correct CMMC requirement to each subcontract or other contractual instrument that covers performance where the sub processes, stores, or transmits FCI or CUI.
Two practical steps anchor this work:
- Identify which subs will process, store, or transmit FCI or CUI within your CUI boundary.
- State the required CMMC level in the subcontract, and require evidence of current status consistent with the solicitation.
Flowdown hinges on scope. You need a clear CUI boundary before you can assign the right requirement to a sub. Prime teams that map data flows and system touch points place fewer subs under CMMC obligations, and they reduce surprise later in source selection. See our overview on CUI boundary and scoping.
Linkage to 7012, 7019, and 7020
DFARS 252.204-7012 sets safeguarding and cyber incident reporting for CUI, and it still applies where the contract includes it. The 7012 clause drives core NIST SP 800-171 expectations and reporting timelines. Review our summary of DFARS 252.204-7012 obligations.
DFARS 252.204-7019 requires you to post a NIST SP 800-171 score in SPRS for covered contractor information systems. DFARS 252.204-7020 allows DoD to access your systems and facilities for a DoD assessment tied to that score.
DFARS 252.204-7021 adds the CMMC requirement on top of that foundation. The clause links your contract to the CMMC program in 32 CFR part 170, sets the required level for the work, and tells you to flow it down to the right subs.
Prime and sub tracking checkpoints
CMMC as a contract condition raises basic tracking needs for primes and for subs that carry their own sub-tier work. Focus on these checkpoints:
- Track the CMMC level inserted in each solicitation and award, and align it to the information systems in scope.
- Track which subs will process, store, or transmit FCI or CUI, and include the correct CMMC requirement in their agreements.
You also need to monitor status changes:
- Track the current CMMC status and affirmation dates for you and for in-scope subs.
- Monitor changes in status, and align your internal notification procedures and subcontract language to the paragraph structure of DFARS 252.204-7021, including paragraph (c)(3) on changes to certification status, which the DFARS rulemaking record addresses.
Program timing and method also matter:
- Track whether the solicitation calls for self-assessment or an independent assessment at Level 2.
- Track the phase of CMMC implementation noted by DoD, since phase gates influence which solicitations include the clause.
Assessment guidance sources
Two official sources set assessment mechanics and evidence expectations. The Cyber AB CAP v2.0 defines the assessment process that C3PAOs follow for independent assessments. The DoD CIO CMMC Level 2 Assessment Guide v2 explains objective evidence, assessor methods, and artifacts by requirement. For Level 2, DoD states that you will complete an annual affirmation, and either a self-assessment or an independent assessment based on the solicitation you face.
Contract text sits on a separate legal base from program rules. DoD published the CMMC program rule under 32 CFR part 170. DoD then completed a separate DFARS acquisition rule that added 252.204-7021 to the DFARS, and responded to public comments on its text. The DFARS rulemaking record shows respondents asked about paragraph (c)(3) for reporting changes, and DoD addressed those comments within the final clause.
For control coverage and mapping, your Level 2 scope aligns to NIST SP 800-171 requirements. We break down the mapping and common evidence in our guide to NIST SP 800-171 to CMMC Level 2.
Microsoft cloud considerations
Many contractors use Microsoft 365 and Azure for systems in scope. Availability differs across Commercial, Government, GCC High, and DoD offerings. Microsoft maintains public sector guidance that compares those environments. You should verify service availability and capabilities in the specific Microsoft documentation for your tenant type before you describe a control solution in a CMMC context. Treat Microsoft product mapping aids as informational, and confirm service details in official Microsoft sources for your target platform.
Practical contract execution tips
Teams that plan for 7021 during capture avoid rework during award. Two moves help:
- Ask in-scope subs to state their current CMMC status and planned assessment method during teaming.
- Mirror the prime clause in subcontracts, and reference 32 CFR 170.23 for flowdown.
Your CUI boundary defines the set of systems that must meet the inserted level. Keep your system security plan, diagrams, and asset inventory aligned, and stage evidence that matches assessor methods in the Level 2 guide. The DFARS 7019 score in SPRS, and the 7020 assessment access path, sit next to CMMC in many awards, so align your contract file and program records across those clauses.
Bottom line for buyers and executives
DFARS 252.204-7021 puts CMMC in black and white inside your contract, and it requires you to pass the right level to the right subs. Read the solicitation, scope the CUI boundary, and set up a simple register that tracks the inserted level, in-scope subs, and status dates. Pull assessment mechanics from the DoD and Cyber AB sources, not from hearsay, and follow the DFARS and program rule separation when you set policy and templates.
Sources
- DFARS 252.204-7021, Contractor Compliance with Cybersecurity Maturity Model Certification Level Requirements (Acquisition.gov)
- CMMC About (DoD CIO)
- Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (Federal Register)
- CMMC Assessment Process v2.0 (The Cyber AB)
- CMMC Level 2 Assessment Guide v2 (DoD CIO)
- Understanding compliance between Commercial, Government, DoD, and Secret offerings (Microsoft Public Sector Blog)