
A Quiet but Major Shift in DFARS Cybersecurity Requirements Took Effect

February 1 marked one of the most significant structural changes to DFARS cybersecurity requirements since the introduction of the Cybersecurity Maturity Model Certification (CMMC).

For many organizations across the Defense Industrial Base (DIB), it happened quietly.

There was no new CMMC level announced and no immediate enforcement action tied to the update. Instead, the Department of Defense implemented a broad restructuring of how FAR and DFARS requirements are organized, referenced, and maintained.

These changes were implemented through the Department of Defense’s Revolutionary Federal Acquisition Regulation Overhaul (RFO) Phase 1 class deviations, formally announced in December 2025 and effective February 1, 2026.

The result is a more streamlined regulatory framework, with some short-term complexity that DoD contractors should understand as new solicitations begin to appear.


What Changed on February 1, 2026?

The February 1 updates are part of the Department of Defense’s initial release of 31 FAR and DFARS class deviations issued under the Revolutionary FAR Overhaul (RFO).

According to the Department, these deviations are intended to reduce regulatory and procedural burden by retaining only statutory and essential requirements, while relocating non-statutory policy and guidance to Procedures, Guidance, and Information (PGI). The Phase 1 deviations serve as interim regulatory text in advance of formal rulemaking.

Within this broader restructuring, several long-standing cybersecurity clauses were modified, renumbered, or retired.


What This Means for DoD Contractors, Plain and Simple

For DoD contractors, the February 1 changes do not introduce new cybersecurity controls, assessment criteria, or technical requirements. Instead, they change how existing requirements are organized, referenced, and applied. Legacy DFARS self-assessment pathways have been consolidated into the CMMC framework, clause numbers have been renumbered under the Revolutionary FAR Overhaul, and SPRS now serves as the system of record for CMMC assessments. During the transition period, contractors should expect to see both legacy and updated clause numbers in solicitations and contracts, but compliance expectations are increasingly centralized around CMMC. In practice, eligibility for award now depends less on standalone self-attestations and more on accurate documentation, defensible system boundaries, and alignment with applicable CMMC assessment requirements.


What This Does Not Mean

These changes do not eliminate NIST SP 800-171 requirements, do not remove the need for a System Security Plan, and do not delay or weaken CMMC enforcement. They also do not create a loophole for contractors to rely on historical self-assessment practices outside of CMMC. The Revolutionary FAR Overhaul is an administrative restructuring, not a rollback of cybersecurity expectations. Contractors who assume these updates reduce compliance obligations risk falling out of alignment as new solicitations increasingly reference CMMC-specific clause language and assessment pathways.


FAR 52.204-21 Was Renumbered

The safeguarding requirements historically referenced under FAR 52.204-21 now appear under a new clause number.

Specifically, FAR 52.204-21 has been renumbered to FAR 52.240-93 under the RFO class deviations.

The requirements themselves did not materially change. Contractors should expect to see updated clause references in solicitations and contracts, which can create confusion if internal compliance mappings or documentation rely on older clause numbers.

This is largely an administrative change, but one that still requires attention during contract review.


DFARS 252.204-7019 Was Retired

DFARS 252.204-7019, which required contractors to submit a Basic NIST SP 800-171 self-assessment score to the Supplier Performance Risk System (SPRS), no longer exists as a standalone provision.

This does not eliminate NIST SP 800-171 requirements or the use of SPRS. Instead, the concept of a standalone “Basic” assessment has been absorbed into the CMMC framework and reorganized under CMMC-specific assessment requirements.

The former Basic assessment structure was duplicative of the CMMC assessment model, which is why it is being phased out rather than replaced.


DFARS 252.204-7020 Was Renumbered

DFARS 252.204-7020, previously associated with Medium and High NIST SP 800-171 assessments, was also renumbered as part of the overhaul.

Under the RFO class deviations, DFARS 252.204-7020 has been renumbered to DFARS 252.240-7997.

As part of this change, there is no longer a separate concept of a “Basic” self-assessment outside of CMMC. Assessment requirements are now structured entirely within the CMMC framework.

As with FAR 52.204-21, the underlying intent and assessment expectations remain largely the same. Contractors should expect different clause references during the transition period as older contracts phase out and new solicitations are issued.


No Changes to Certain DFARS Cybersecurity Clauses

It is also important to note what did not change as part of the Revolutionary FAR Overhaul.

There are no changes to the following DFARS clauses or their associated provisions:

    • DFARS 252.204-7012 and its provision 252.204-7008
    • DFARS 252.204-7021 and its provision 252.204-7025

These requirements remain in effect as written.


Self-Assessments and SPRS Under the Updated Framework

While DFARS 252.204-7019 has been retired, SPRS remains an active system of record for cybersecurity assessments.

Under the updated structure, assessment data is now organized under the CMMC Assessments section in SPRS. Depending on contract requirements, this may include:

    • A CMMC Level 1 self-assessment
    • A CMMC Level 2 self-assessment, when permitted
    • A CMMC Level 2 certification assessment conducted by a C3PAO

Assessment results, including objective-level attestations and calculated scores where applicable, are recorded within SPRS to support contract eligibility decisions.

Basic NIST SP 800-171 self-assessments are no longer managed as a standalone DFARS compliance path separate from CMMC. Instead, assessment and eligibility requirements are now organized within the CMMC framework.


Why Multiple Clause Numbers Will Persist

All of these updates are being implemented via class deviation under the Revolutionary FAR Overhaul.

Until these changes are finalized through formal rulemaking, contractors will continue to see legacy clause numbers such as FAR 52.204-21, DFARS 252.204-7019, and DFARS 252.204-7020 referenced in the Code of Federal Regulations and in some contracts.

During this transition period, contractors should expect to juggle multiple clause numbers referring to the same underlying requirements. These changes are outside of the CMMC Program Management Office’s control.


What This Means for the Defense Industrial Base

For DIB organizations, including manufacturers, engineering firms, and professional services contractors, these changes reinforce a clear direction.

Cybersecurity compliance is no longer treated as a parallel DFARS requirement alongside CMMC. Instead, CMMC is now the organizing framework for cybersecurity expectations when CMMC requirements are present in a solicitation.

In practical terms, contractors should expect:

    • Reduced reliance on legacy self-assessment practices
    • Greater importance placed on System Security Plan accuracy and boundary definition
    • Transitional complexity as older contracts phase out and new ones are issued with updated clause references

While clause numbers may continue to evolve as the overhaul progresses, the compliance expectations themselves are becoming more consistent.


What DIB Contractors Should Be Doing Now

If your organization supports DoD contracts or processes Controlled Unclassified Information, now is the right time to:

    • Review new solicitations for updated FAR and DFARS clause references
    • Confirm how your NIST SP 800-171 implementation aligns with CMMC expectations
    • Validate that your System Security Plan accurately reflects your current environment
    • Avoid assuming historical self-assessment approaches will satisfy future requirements

These changes do not introduce new technical controls. They do raise the bar for documentation, traceability, and defensibility.


Looking Ahead

At Peerless, we focus on aligning our clients with what is enforceable today, while preparing them for what is coming next.

The February 1 DFARS updates reflect the Department of Defense’s stated goal of simplifying and modernizing acquisition regulations, while maintaining essential cybersecurity requirements. Although the transition introduces new clause references and short-term complexity, the long-term direction is clearer for contractors who take a structured and intentional approach to compliance.

If you have questions about how these changes affect your contracts or compliance roadmap, our team is here to help.


Reference:

Department of Defense, Revolutionary Federal Acquisition Regulation Overhaul (RFO) Phase 1 Class Deviations, Memorandum dated December 19, 2025.
https://www.acq.osd.mil/dpap/dars/classdev/DFARS_RFO/DoW_Rollout_of_RFO_Class_Deviations_19_Dec_2025.pdf

Official DoD posting for DFARS and FAR class deviations under the Revolutionary FAR Overhaul: https://www.acq.osd.mil/dpap/dars/dfars_far_overhaul_class_deviations.html
