Sum IT Up: CMMC News Roundup
Episode Title: The End of SPRS Scores (sort of)
Host: Summit 7
Date: February 5, 2026
Episode Overview
This episode centers on dramatic, largely unpublicized changes to the Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity clauses and the Department of Defense’s (DoD’s) use of SPRS (Supplier Performance Risk System) scores. Hosts Jason and Jacob break down the immediate impact of these changes, their regulatory backdrop, and what contractors need to look for—and not panic about—in upcoming solicitations and contracts.
The show also situates these updates within the broader context of the sweeping "Revolutionary FAR Overhaul," a plain language and deregulatory rewrite of federal procurement rules intended to streamline and modernize decades of accumulated red tape. As the hosts highlight, these are among the most significant cyber-related DFARS changes since CMMC’s introduction in 2020.
Key Discussion Points & Insights
The Headlines: What Changed?
([03:02]–[04:46])
- Major Clause Renumbering:
  - FAR Clause 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems) is now 52.240-93. The title, requirements, and flow down remain unchanged; only the number is new.
  - DFARS Provision 252.204-7019 is deleted entirely.
  - DFARS Clause 252.204-7020 is now 252.240-7997, titled "NIST SP 800-171 DoD Assessment Requirements".
    - Crucial change: The basic self-assessment requirement is eliminated—contractors no longer have to upload self-assessment scores to SPRS.
    - Medium and high DoD assessments remain, as does the flowdown to subcontractors.
  - No changes to DFARS 252.204-7012, 252.204-7008, 252.204-7021, or 252.204-7025.
“But everything related to basic self-assessments and uploading your score to SPRS has now gone away.” – Jacob, [04:22]
Why Did This Happen?
([05:58]–[10:53])
- The Revolutionary FAR Overhaul (RFO):
  - In August 2025, the Office of Federal Procurement Policy launched the largest update to the Federal Acquisition Regulation (FAR) in 40 years.
  - Goals: Simplify language, remove unnecessary regulations, and generally streamline federal procurement.
  - Guided by:
    - Executive Order 14275: “Restoring Common Sense to Federal Procurement”
    - Executive Order 14265: “Modernizing Defense Acquisitions and Spurring Innovation in the Defense Industrial Base”
    - OMB Memo M2526.
  - The overhaul could eliminate up to a third of the FAR.
“This is a massive, massive undertaking... Their goal is to rewrite the FAR in quote, unquote, plain language and remove most text…” – Jacob, [07:05]
“Executive Order 14275, Restoring Common Sense to federal procurement, has now easily ascended to the top of my list as best named executive orders of all time.” – Jason, [10:07]
How Can These Changes Take Place Without Rulemaking?
([10:53]–[19:11])
- Class Deviations:
  - Temporary, formal authorizations allowing federal agencies to bypass, alter, or ignore regulatory text before full rulemaking.
  - Allow agencies to start using streamlined language or new procedures immediately.
  - These deviations are effective until officially codified through the usual, slow rulemaking process.
  - Examples relevant to defense contractors:
    - Deviation preventing outdated CMMC clause use prior to final rule (2025-O0006)
    - Deviation telling agencies to use NIST SP 800-171 Rev 2 in contracts (2024-O0013)
  - Confusion alert: Because these are not codified, you can’t Google the new numbers or see them on official regulations yet.
  - Key takeaway: Expect "ghost clauses"—clauses in training and reference material that no longer match reality.
“If you google any part of the FAR, any part of the DFARS right now, you’re going to see the part that last went through rulemaking, but there is now an entire library…of class deviations that change the text...” – Jacob, [16:56]
“You just can’t Google this and find it.” – Jason, [18:15]
Getting Specific: Breaking Down The Clause Changes
([20:17]–[26:43])
- FAR 52.204-21 → 52.240-93: Only the number changes; requirements and flow-down remain the same. CMMC Level 1 assessments map to these requirements.
- DFARS 252.204-7019: Deleted—no longer requires contractors to submit SPRS assessment scores.
- DFARS 252.204-7020 → 252.240-7997: Still covers NIST SP 800-171 assessments, but no basic self-assessment/upload required. Medium/high assessments are still performed by DIBCAC; results uploaded by DIBCAC.
- No changes to:
  - DFARS 252.204-7012 (CUI requirements)
  - DFARS 252.204-7008 (Solicitation Provisions)
  - DFARS 252.204-7021 and 252.204-7025 (CMMC clauses and provisions).
“You no longer have a basic self assessment requirement. All references to basic self assessments have been removed.” – Jacob, [24:08]
Eliminating Redundancy with CMMC
([25:21]–[27:55])
- No more dual assessment uploads: Contractors no longer need to upload both a basic SPRS self-assessment and a CMMC Level 2 self-assessment. Only CMMC score uploads are required if applicable.
- Confusion resolved: This addresses longstanding contractor uncertainty about what, where, and when to submit assessment scores.
- The result is less redundancy and streamlined compliance.
“Instead of having a basic self assessment score upload and a CMMC Level 2 Self Assessment score upload, you now only have CMMC score uploads when that applies to you.” – Jacob, [26:28]
Impacts, Future Directions, and Takeaways
([27:55]–[32:50])
- Expect a period of confusion: References in guides, training, or contracts may not align with current class deviations until full rulemaking occurs (possibly years away).
- FAR CUI Rule is imminent: The long-awaited FAR Controlled Unclassified Information (CUI) rule is expected to emerge when the FAR overhaul is finalized—likely as part of a massive "omnibus" rulemaking.
- Ultimate assessment: The hosts see this as a net win: less administrative burden, fewer duplicative requirements, and more clarity—at least long term.
- Cybersecurity requirements are here to stay: Despite the overhaul and eliminated redundancy, statutory and executive order-based security requirements remain in force.
“Cybersecurity requirements are essential to procurement... If there was ever an opportunity where they were going to kind of cut some things that people really didn’t want, this was going to be it. And that is not what happened.” – Jacob, [31:54]
Notable Quotes & Memorable Moments
- On confusing numbering: “I have no idea why they picked that number. I, they have no idea.” – Jacob, [04:52]
- On the scale of the overhaul: “It’s like... oh, let’s go through and proofread all of Tolkien’s books. It is a humongous project and they’re actually doing it.” – Jacob, [29:44]
- On changing regulations: “Just when the defense industrial base thinks that they’re just scratching the surface on the answers, surprise, the questions are changed.” – Jason, [01:46]
- On the training headaches: “I have to teach by the approved training materials, which now include three dead clauses.” – Jason, [22:05]
- On streamlining compliance: “You have one clause to deal with instead of 7019 and 7020. You no longer have two basic assessments to deal with. You only have the one under CMMC. I think that’s the right move. I think it removes redundancy.” – Jacob, [30:38]
Key Timestamps for Reference
- [00:00–03:02] — Breaking news: SPRS scores requirement ends, clauses renumbered/deleted.
- [05:58–10:53] — The Revolutionary FAR Overhaul explained.
- [10:53–19:11] — Class deviations and how rules are changing rapidly without formal rulemaking.
- [20:17–26:43] — Detailed review of clause changes; what’s new, what’s gone, what hasn’t changed.
- [26:43–27:55] — Impact on CMMC, elimination of duplicative requirements.
- [27:55–32:50] — Prognosis, predictions, and upbeat takeaways on a successful deregulatory move.
Summary Takeaways
- Immediate streamlining for defense contractors: No more SPRS self-assessment uploads.
- Contractors should look for new/renumbered clauses in solicitations and contracts; old numbers may linger.
- This is part of a much larger regulatory overhaul—expect more weirdness until the process completes.
- Cybersecurity requirements are not being weakened; if anything, requirements are more directly tied to CMMC.
- Practical advice: Stay alert for class deviations, expect some confusion, and focus on substantive requirements over clause numbers.
