DFARS Assessment Changes Explained: Practical Impacts for Contractors
On February 1, 2026 the Department of War (FKA DoD) implemented DARS Tracking Number 2026-O0025, a class deviation that stood up a new DFARS Part 240 construct and introduced DFARS clause 252.240-7997 for use in covered solicitations and contracts. This did not add new cybersecurity obligations. Instead, it reorganized and reaffirmed how DoW administers and relies on NIST SP 800-171 assessment activity while the Department transitions toward full CMMC implementation. This is the clause that will appear in solicitations from this date forward (that is, until rulemaking).
What changed is that when a solicitation uses the deviation, contracting officers are instructed to use the revised FAR Part 40 framework and the new DFARS Part 240 text, including 252.240-7997, in lieu of the otherwise codified text. The deviation itself remains in effect until rescinded or incorporated into the FAR, DFARS, and DFARS PGI. This is a procedural and structural re-issuance. It does not, by itself, rescind existing DFARS cybersecurity clauses.
DFARS 252.204-7012
DFARS 252.204-7012 remains the foundational safeguarding and incident reporting clause. Contractors must still implement NIST SP 800-171 (as referenced in the clause) for covered contractor information systems and continue to meet the 72-hour cyber incident reporting requirement. The deviation’s NIST SP 800-171 assessment clause, 252.240-7997, is scoped to systems that are required to comply with NIST SP 800-171 in accordance with 252.204-7012. In practical terms, if your contract includes 7012, you should be prepared for the Part 240 assessment and scoring mechanics to be applied where the deviation is invoked. The associated provision 252.204-7008 is also carried forward without substantive change for its role in representations and safeguarding expectations.
For contractors, the most important effect is that the deviation centralizes NIST SP 800-171 DoW assessment handling under Part 240 and makes 252.240-7997 the operative clause for Medium and High assessment access, score posting, and precedence. The clause requires the contractor to provide access necessary for the Government to conduct a Medium or High NIST SP 800-171 DoW Assessment using the methodology described at 32 CFR 170.24, if necessary. It also states that when DCMA conducts a Medium or High assessment, those results take precedence over any other assessment, and it defines a rebuttal window before posting summary scores to SPRS.
DFARS 252.204-7019 and 252.204-7020
This is the point where contractors often conclude that 7019 and 7020 have been eliminated. A more accurate way to view it operationally is that, for solicitations using DFARS Part 240, 7019 is effectively removed from the package and the assessment mechanics associated with 7020 are carried forward through 252.240-7997. In other words, you should not expect 7019 to be the vehicle that drives SPRS scoring requirements when the Part 240 deviation is used, and you should treat 252.240-7997 as the controlling contract clause for Medium and High assessment precedence and posting in that context.
The deviation does not amend, suspend, or replace the CMMC Program rule at 32 CFR part 170, nor does it displace DFARS 252.204-7021 or its associated solicitation provision 252.204-7025 as the contracting instruments used to implement CMMC status requirements. DFARS Part 240 is addressing NIST SP 800-171 DoW assessment administration. CMMC status, eligibility, and affirmation mechanics remain governed by 32 CFR part 170 and the DFARS clauses that implement it.
Most importantly for a contractor trying to plan compliance work, 252.240-7997 does not eliminate CMMC Level 2 self-assessments. If a solicitation specifies CMMC Level 2 (Self) as the required approach, you still must perform the Level 2 self-assessment, meet the posting requirements in SPRS, and complete the required affirmations of continuous compliance as required by the CMMC framework and the clauses implementing it. The Part 240 deviation changes how DoW manages NIST SP 800-171 DoW assessments and how those results take precedence when performed, but it does not remove CMMC Level 2 self-assessment obligations when that is the required CMMC compliance path.
From a contractor’s perspective, nothing you were already required to do under DFARS 252.204-7012 suddenly disappears. What changes is that DoW has made the NIST SP 800-171 assessment regime more centralized under DFARS Part 240 for solicitations that invoke the deviation, and it has made clear that if DoW performs a Medium or High assessment, that DoW result controls for NIST SP 800-171 scoring and SPRS posting. You should continue to run internal assessments, maintain your SSP and POA&M discipline, and be prepared for Government access for Medium or High assessments when applicable. At the same time, you should continue to treat CMMC requirements as separate and fully in force, including CMMC Level 2 self-assessment obligations when that is what the solicitation requires.
Summary of these (significant) changes with DFARS:
- If your procurement is using the Part 240 deviation construct, expect the safeguarding-of-FCI clause numbering and placement to follow the revised FAR Part 40 structure, including the renumbering from FAR 52.204-21 to FAR 52.240-93 in those deviation-based packages.
- When DFARS Part 240 is invoked, DFARS 252.204-7019 is treated as removed from that deviation package for practical use. Do not expect 7019 to be the clause driving SPRS scoring requirements in those solicitations.
- The operational assessment mechanics associated with DFARS 252.204-7020 are carried forward into DFARS 252.240-7997 for those solicitations. Treat 252.240-7997 as the controlling clause for Medium and High assessment access, rebuttal timing, and SPRS posting under the deviation.
- Do not interpret 252.240-7997 as eliminating contractor self-assessments broadly. It establishes that, for NIST SP 800-171 scoring, a DoW Medium or High assessment takes precedence when DoW conducts one.
- DFARS 252.204-7012 and provision 252.204-7008 remain the underlying safeguards and triggers for the assessment regime, and they continue to apply as written.
- Nothing in DFARS Part 240 removes CMMC Level 2 self-assessment requirements when CMMC Level 2 (Self) is specified. CMMC requirements continue to be implemented through DFARS 252.204-7021 and its solicitation provision 252.204-7025 and through the governing rule at 32 CFR part 170.
