A
Alrighty folks, it is February of 2026 and this one is a doozy. As of February 1, 2026, defense contractors will no longer be required to conduct basic self assessments and upload their scores into SPRS pursuant to DFARS provision 252-204-7019 and DFARS clause 252-204-7020. In fact, 7019 and 7020 no longer exist at all thanks to a DFARS class deviation. You will now see DFARS clause 252-240-7997 called NIST SP 800-171 DoD Assessment Requirements. No, that is not a joke. That is real. Oh, and on top of that, you won't see FAR clause 52-204-21 anymore either because it has a new number, 52-240-93. Oh, and all of this happened without any rulemaking at all yet. So what the hell is going on? Well, strap in, grab your coffee, because that's what we're going to talk about this week.
Jason, this is the biggest change to DFARS cyber security contract clauses outside of CMMC since 2020. And as far as I can tell, nobody's talking about this yet. Initial thoughts before we journey into the center of the earth here?
B
Jacob, the late great professional wrestler Roddy, Roddy Piper used to always say, one of the best on the mic ever, right? Used to always say, just when they think they know the answers, I change it up and switch the questions, right? And so like this is what's, what's happening right here in front of our eyes. Just when the defense industrial base thinks that they're just scratching the surface on the answers, surprise, the questions are changed. When you were telling me the background and you said February 1st, I thought you were extremely confused because April 1st is April Fool's Day, not February 1st. And I thought this was all a joke. What is happening, dude?
A
Yeah, yeah, the. A lot of times the changes, the. The people who lament the changes around CMMC, they tend to overblow what those changes actually are. Not this time. These are actually legitimate changes that are going to cause.
B
This is a big deal, bro.
A
Yeah. Yeah. Okay, so real quick, against my instincts to explain everything and then get to the changes. We're going to summarize the changes first. That way you can listen to the context if you want to. So, five things to know here. First, FAR clause 52-204-21 has been renumbered to 52-240-93. It is still titled Basic Safeguarding of Covered Contractor Information Systems. The 15 requirements are still the same. They have not changed. The flow down is still the same, still applies to systems that handle federal contract information. All that stuff is the same. But it has a new number, 52-240-93, that is real. So if you see the new number that is not an error. Second, DFARS provision 252-204-7019 no longer exists. It has been deleted. Third, DFARS clause 252-204-7020 has two changes to it. It has been renumbered to 252-240-7997. It is still titled NIST SP 800-171 DoD Assessment Requirements. However, there is no longer a basic self assessment requirement; that has been completely deleted from the text of the clause. Medium and high assessments and everything associated with that process remain unchanged, but everything related to basic self assessments and uploading your score to SPRS has now gone away. Fourth, there are no changes to DFARS clause 252-204-7012 or provision 252-204-7008. And fifth, there are no changes to DFARS clause 252-204-7021, the CMMC clause, or its provision 252-204-7025. Initial thoughts here, Jason?
B
Yeah, so I guess everything between 7025 and 7997 was taken. So we just decided to throw something at the dartboard and this.
A
Honestly man, I love rulemaking. I love this whole process. I have no idea why they picked that number. I, I, they have no idea.
B
I feel like for continuity and understanding of applicability, right? Like I I can reference 21, I can reference 25, I used to until today RIP reference 19 and 20 and know kind of what they apply to. Obviously with familiarity and time people are going to relate 7997 to DoD assessment requirements. It's just that it's not the immediate, it doesn't trigger it, right?
A
Like it's not from, yeah, we went from two things to one thing, but we went from two similar numbers to a very different number from the rest. You know, maybe they fell asleep on the keyboard, but ultimately, yeah, it's 240-7997.
B
And then the second thing is that like I've been doing this show with you long enough and we speak enough that I've heard the words FAR overhaul 6 billion times, right? And what I see here potentially and you're going to probably let me know is maybe the, the beginning, rumblings of the overhaul and what we see the outset of it.
A
Yeah. So, okay, everybody, let's talk about why this is happening. So we talked about what happened. Let's talk about why it's happening. Here is the bigger context around those changes. So for the last 40 years, the Federal Acquisition Regulation, or the FAR, has been the rule book for how the government buys stuff and how they conduct business. It's the primary regulation used by all agencies in the actual acquisition of supplies and services with appropriated funds for those agencies. The FAR is codified at Chapter 1 of Title 48 of the Code of Federal Regulations. That's what we're referring to when we refer to the FAR. It's issued jointly by GSA, NASA and the DoD, who are often referred to as the FAR Council. It also includes standard solicitation provisions and contract clauses and various agency supplements such as the DFARS, the Defense FAR Supplement, or the Department of Homeland Security supplement, the HSAR, the Health and Human Services supplement, the HHR. I believe there's one for every agency. There's a supplement for every one of them. So you have the FAR and then all the supplements. The one that we're really referring to most of the time is the DFARS, the DoD supplement to the FAR. This is why the full title of a clause like DFARS 7012 is 48 CFR 252-204-7012, Title 48, Code of Federal Regulations. The DoD supplement to the FAR at 252 and then the address after that. Overall, the FAR and the agency supplements are thousands and thousands of pages long and they get longer every year. And that's kind of a big problem. And it's been a big problem for 40 years since the FAR was created. And that brings up the idea, like you mentioned, Jason, of what's known as the revolutionary FAR overhaul. So in August of 2025, the Office of Federal Procurement Policy launched a massive deregulation effort known as the Revolutionary FAR Overhaul. This is the first major overhaul and the largest single update to the FAR in its 40 year history.
This is a massive, massive undertaking. So their goal is to rewrite the FAR in quote, unquote, plain language and remove most text that isn't either required by statute, required by executive order, or, according to them, essential to sound procurement. In total, the RFO, the Revolutionary FAR Overhaul, hopes to eliminate up to a third of the FAR in its entirety. Just slash and burn all this stuff that's ended up in this massive regulation, if it doesn't absolutely need to be there. The policy basis for this effort goes all the way to the top. This is not some random thing that the FAR Council thought up. It's based on three things. One, Executive Order 14275, Restoring Common Sense to Federal Procurement. Two, Executive Order 14265, Modernizing Defense Acquisitions and Spurring Innovation in the Defense Industrial Base, and three, OMB memorandum M-25-26, Overhauling the Federal Acquisition Regulation. Since August, every single part of the FAR has gone under the microscope. And you can see the changes to, to every subpart, every section, every subsection, every line on the RFO website. Trust me, I have looked. We will link to it below if you're curious. It's part of this. These changes that we're talking about today that affect defense contractors are one small echo of a massive, massive policy change for the overall FAR in its entirety.
B
First and foremost, Executive Order 14275, Restoring Common Sense to federal procurement, has now easily ascended to the top of my list as best named executive orders of all time.
A
Right.
B
Like anything where you're throwing common sense in there, I like the way that it's looking, Jacob. Everything that you're saying, I 40 year, you know, far regulations, obviously, 40 years ago, 40 year ago, prices aren't the same as today's prices, as the kids would like to say today, right? So, like, there's changes that have to be made. It's just that again, I've been with you long enough. We've talked long enough. I think I've learned enough from you that I. Even if they are keeping track of every changes to every subpart of every section, some of those changes have to go through a process, Right. A rulemaking process. So why.
A
Yeah, so, yeah, so I think on a high level, everybody would agree this is a good policy, right? There's a lot of stuff. Just like when, if you ever tried to move after you've lived in one place for a long time, you just end up with a lot of stuff. You're like, where did all this stuff come from? We don't need all this stuff. Same thing with the FAR. We've been in one place for four, 40 years. There's definitely some stuff in there that doesn't need to be in there. Get rid of it. Right. Okay. Like you mentioned, our astute audience that has been listening for a while is probably asking themselves, okay, hold on. How are they changing regulations without going through the pain of rulemaking? The process of creating and changing regulations, like you're talking about changing all of the regulations and you're not doing any rulemaking whatsoever. The answer is class deviations. A class deviation is a formal, temporary authorization that allows federal agencies to bypass, alter, or ignore parts of the FAR or the agency supplements, like the DFARS. They're typically issued to implement new policies, to implement legislative changes, or to meet urgent requirements across multiple solicitations and contracts across an entire class, right? Multiple solicitations and contracts. There might be individual deviations in an individual negotiation. We're talking about policy for entire classes, right? Class deviations instruct the contracting officers to omit, replace, or insert specific clause language in place of what might already be codified in Title 48 of the FAR or the agency supplements, and they remain in effect until they are rescinded or until that text is officially incorporated via the very slow and painful process of rulemaking. If people have been listening to the podcast for a while, you might recall two examples of class deviations that are relevant to defense contractors.
First is class deviation 2025-O0006, rolls right off the tongue, the use of the clause on contractor compliance with CMMC level requirements. Remember, the original 2020 CMMC rule said to insert the 7021 clause in all solicitations and contracts starting on October 1st of 2025. The problem was that CMMC 2.0 rulemaking that was going to change that clause wouldn't go into effect until after October of 2025. So contracting officers were going to be inserting the wrong text of the wrong clause and that was going to be a big issue. So in August of 2025, the DoD issued a deviation that said contracting officers shall not use the 7021 clause until the effective date of the CMMC final rule, which ended up being November 10th of 2025. We did a whole episode about it. You can check it out in the link below. Another example, class deviation 2024-O0013. This was the one that addressed the DFARS 7012 issue. So the original text of DFARS 7012 from 2016 says to implement the most current version of NIST SP 800-171 at the time of solicitation. As of today, that would be 171 revision 3. But CMMC is pinned to a specific version of 171. As of today, that would be 171 revision 2. That's a big problem that they didn't foresee being an issue back in 2016 when they revised the text of DFARS 7012. So the DoD issued a class deviation in May of 2024 that said ignore the text of 7012 at Title 48 of the Code of Federal Regulations and use this text instead. And that's why everybody is being directed to implement 171 rev 2 in your, in your contracts and your solicitations. Even though if you Google 7012 that's not what it actually says at Title 48 because it hasn't gone through rulemaking. To update Title 48, we're using the class deviation in its place. This is why we called that podcast episode Crisis Averted. Check it out in the link below if you don't remember it.
B
Jacob, so what I'm seeing here, and maybe this isn't the right time to ask you this in the episode, right, but, but what I'm seeing here, especially with these two class deviations being issued, it's kind of like they were foreseeing potential hiccups in the program rollout or in potential compliance that needed to be alleviated. Right? In one case it was a new revision of NIST 800-171 was coming out. There could be some confusion with requirements for CMMC program and etc. In the other case it was the inclusion of a clause that was outdated with outdated language. The things that we've seen updated here, Jacob, Right. What are they? What is this a precursor for? What are we preparing for? What. What are we trying to avoid here?
A
Yeah, so it doesn't necessarily avoid a problem as much as it avoids the problem of how long rulemaking takes. Right. So they're issuing class deviations for every single part of the FAR and for all agency supplements so that the agencies can use that updated leaner language. Right now the agencies don't have to wait for the rulemaking for every chapter of the FAR to be finalized for them to be able to use the leaner, meaner, whatever, whatever pro wrestling reference we're going to use text that they want to use. Right? So, so imagine class deviations for every single part of the FAR. Before those go through rulemaking, agencies can take that class deviation language. They can implement it right now. So that's what people are going to see. That's very helpful for going fast. But remember, this is an important point. If you google DFARS 7012, you will see the text of the language that's at Title 48 that says to use the most current version of NIST SP 800-171. There is a class deviation that doesn't show up when you Google it that says you need to use this version of DFARS 7012 that says to implement NIST SP 800-171 Rev 2. So if you google any part of the FAR, any part of the DFARS right now, you're going to see the part that last went through rulemaking, but there is now an entire library, literally dozens and dozens, hundreds of class deviations that change the text of the FAR, the DFARS, the HR that will start showing up in solicitations and contracts. This is part of the reason why I think nobody's been talking about this yet. Because 7997 isn't something that you can google because it hasn't gone through rulemaking. It's just on a random PDF buried on a DoD acquisition website somewhere.
B
I thought you were tested. So we'll be fully transparent here. Googled it. When you were like, this is to talk about on the show this week, I googled it. I was like, hey, nothing's coming up. I think the guys officially lost it. I'm reaching, I'm reaching out to make sure we have the resources available to you in case we've gone. You know, officially. Rulemaking has pushed you. No, but. So what you're saying is that these changes, you have to know where to look for these changes. Right? Like, it's a spec, it's a specified. I'm not trying to hype you up, but like to the average person, me, raise his hand. You just can't Google this and find it.
A
You have to know where to work. Not yet. Not yet. So these changes are going to show up in people's solicitations and contracts, but you won't actually be able to Google them. Right. Which is why I expect after this podcast, people are going to be like, I don't know what the heck you're talking about. I can't find what you're talking about. You can still find FAR 52-204-21. You can still find DFARS 7019 and 7020 online, even though the deviation text has changed as of February 1st. And people will see 7997 in their contracts and solicitations instead. And I'm sure there's going to be issues where people still have 7019 show up, even though it should be 7997. Just be aware that it's not a typo. This is actually the way that things are going to be changed.
B
Could we possibly see a class deviation that says do not use 7019 or some sort of. You know what I mean?
A
Well, the class deviation right now, there is no 7019. Like, there is no text to use, right? Yeah. So there, there's no instruction to insert it because it doesn't exist. But anyways, just to wrap up this section, eventually, all of these changes, all of the changes to the FAR, all of the changes to the DFARS and so on will go through rulemaking. They're probably going to go through rulemaking all at once as a gigantic omnibus, shoving the entire FAR revision through Super Bowl.
B
It's gonna be the.
A
The Super Bowl. I can't.
B
You.
A
I am for you. I'm giddy with anticipation. But the mountain of changes are being published as class deviations first to enable agencies to, quote, begin using the streamlined FAR part until the FAR is revised through the formal rulemaking process.
B
We don't know what happened to them, but the entire FAR omnibus was such a rul.
A
We haven't seen him in weeks.
B
We never saw him again.
A
Okay, so let's get down to specifics. Let's talk FAR 52-204-21. So we're overhauling the FAR, and that includes the humble unassuming clause 52-204-21, Basic Safeguarding of Covered Contractor Information Systems. Since 2016, this clause has imposed 15 cybersecurity requirements on federal contractors when the contractor or their subcontractor at any tier handles federal contract information. Thanks to the overhaul of FAR Part 52, which is solicitations and contract clauses, the clause is renumbered to 52-240-93. Same title, same text, same requirements, different number. CMMC Level 1 assesses those requirements. So that's still the same. But we're gonna see CMMC referencing a clause number that no longer exists, everybody.
B
So not confusing at all.
A
So CMMC is going to reference 52-204-21, even though that clause is now numbered 52-240-93, even though when you Google it, it's still going to come up as 52-204-21. And the references won't be normalized until rulemaking is complete for the FAR overhaul and for CMMC 3.0, which I'm sure means we're going to have to juggle this issue for probably another two years.
B
So just thought about something. It just came to me I know. The entire first day of any CCP class, like this is. The entire first day's gone.
A
Right.
B
Well, you're, you're. Hi. I, I know, I don't want to sound crazy, right. I'm your instructor here. I'm going to tell you about these three ghost clauses that used to apply to the program, that no longer apply to the program, but still technically apply to the program. We're going to figure it all out together. And because I have a code of professional conduct to it here too, I have to operate and teach with. What is it? Proper use of methods. Right. So these changes are the things that I have to live by and I have to execute by. However, I have to teach by the approved training materials, which now include three dead clauses.
A
That's right. That's right. Yeah. So I. Hopefully at the beginning of.
B
This, no problems, no, we're not going to run into any issues here.
A
No big deal.
B
Okay.
A
That's just, that's just changing the number. They didn't actually change the text of anything. So let's talk about the DFARS.
B
Setting yourself up for success is just.
A
Yeah, absolutely. This is, this is, this is the definition of left hand, right handism. Right. So that brings us to the DFARS. So on February 1st of 2026, 38 different DFARS class deviations went into effect to match overall FAR deviations. 38 of them. The one little corner of the world that we're concerned about are the cyber security clauses. There's a. Remember, there's a big old thing that's happening in terms of FAR overhaul that affects all of the stuff out there in the FAR. But we're concerned with just this one little corner. So DFARS provision 252-204-7019 does not exist anymore. As of February 1, 2026, it has been deleted. DFARS clause 252-204-7020 has two big changes. First, it has been renumbered to 252-240-7997. It has still got the same title, NIST SP 800-171 DoD Assessment Requirements, but it has a new number, 240-7997. Second, there is no longer a basic self assessment requirement.
B
That's the victory here. That is the victory here. We're going to take the positives out of this situation.
A
You know, sometimes you got to take the good with the bad. Honestly, I think this overall is worth it. There is no longer a basic self assessment requirement. All references to basic self assessments have been removed. That means that the requirement to upload a basic self assessment into SPRS has also been removed. All other parts of the clause are the same. High and medium assessments are still conducted by DIBCAC using NIST SP 800-171A. Assessment scores will be uploaded to SPRS by DIBCAC. Those assessments apply to covered contractor information systems that are required to comply with DFARS clause 252-204-7012, which has not changed at all. Hallelujah. Thank God they didn't change that one. Contractors still have 14 days for assessment rebuttals. The clause still flows down to contractors, all the stuff that we covered in our DFARS cybersecurity Back to Basics series, which is now out of date and needs to be re-recorded thanks to the new numbering. Thanks a lot, FAR Council.
B
Oh no thank you, thank you.
A
All of that stuff is still the same. If you're curious, need to catch up, you can now check those out. We will add the link below. So what's going on here? People still have the requirement to implement NIST SP 800-171 pursuant to DFARS 7012 but they don't have to conduct a self assessment and upload the score to SPRS. No, because now a bunch of the text of 7997 says you're going to use the scoring methodology that's at the CMMC regulation 32 CFR 170. Because now as of November 10th of 2025 all DoD contracts and solicitations that include CUI that would trigger the requirements in DFARS 7012 have at least CMMC level 2 self assessment requirements. So we're removing a piece of redundancy. The 7019/7020 basic assessment versus the CMMC level two self assessment and third party assessment. That's a win. We changed the number and we deleted some stuff and we were going to have to juggle things for a while because rulemaking is lagging behind class deviations and blah blah blah. But ultimately instead of having a basic self assessment score upload and a CMMC Level 2 Self Assessment score upload, you now only have CMMC score uploads when that applies to you.
B
Yeah and I again we take this as a win because there was a lot of confusion around that. Do I submit the SPRS for this? Do I submit the SPRS so that do I split this level 2? Do I need to verify all of that thing? So this as crazy as it is, it obviously is a positive benefit to the entire program. Right. And so the timing, as much as we're like, hey, not talking to the right realistically, it's a roll down because this is FAR. It's going from far up above. Right. And then it trickles down to the individual agencies as they choose to enforce.
A
Exactly, exactly. So just to remind everybody, what about DFARS 7012? There are no changes to DFARS clause 252-204-7012 or provision 252-204-7008. If you'd like a review about what is involved with those, check out our Back to Basics series that we'll link down below. What about CMMC? There are no changes to DFARS clause 252-204-7021 or its provision 252-204-7025. Those are still the same as they have always been. You can check out the link to our webinar from the Final Rule as well as some of the other podcasts that we've done covering those clauses. Jason, what are your thoughts here?
B
Before we get to takeaways, two questions for you. Do you think this is any sort of smoke signal that indicates maybe some FAR CUI in the near future? Right. Because these are things or elements that are attached to it. I think that that's the first question that I obviously have to you. And then the second thing that I have to you is I think this was one of these changes. 7019 going away obviously wasn't one of those things we predicted in our, you know, year end.
A
No, that was not.
B
Definitely not. But I, I do think this kind of counts as our FAR overhaul.
A
All right.
B
Like we said that this was coming.
A
Yeah, yeah, it's close enough for me.
B
Yeah, I'll take it. I'll take it. Yeah.
A
Yeah. So. So the FAR CUI rule. FAR CUI rule has been the white whale of the CUI program for 10 years now. And we saw the proposed rule come out finally in January of 2025. We've been waiting on the final rule. I think that this is what has been holding up the final rule is that the FAR in its entirety is being overhauled all at once. So I think we're going to see the FAR CUI rule text come out when the entire FAR overhaul goes through rulemaking all at once. I think they're going to stick it in there and that's what we're going to be looking for when that semi truck of rulemaking bashes through the wall all at once. I hope so. I mean, if, if there was anything that was still holding it up, this seems like a good thing that would be doing that. And it wouldn't necessarily be holding it up. As much as they aren't going to be changing the text of the FAR in the middle of an overhaul. I think they're just going to push it all together at once. Cross your fingers. I really hope that all happens. Yeah.
B
Thanks for the answer. I, I, I, I figured like, as we were going through it, I figured that this is it. This is, these are indicators that we're getting close to that.
A
Yeah. You know, they announced this thing back in August of last year and then we started to see the draft of the deviations in December of last year. We didn't really talk about it or bring it up because honestly, in the back of my mind I was like, there's no way, there's no way that they're going to be able to overhaul the FAR all at once. And they're doing it like to their credit, they are actually overhauling, you know, I mean, you're talking about like, oh, let's go through and proofread all of Tolkien's books. It's like it is a humongous project and they're actually doing it. So I, I honestly didn't think that they were going to get this far. You know, there was a lot of big talk last year about all kinds of fun things that were going to happen that never really came to fruition. And this one actually seems to be the thing where they walked the walk.
B
I would say this is a fun thing happening. Yeah, I would safely classify this as a fun thing.
A
Absolutely. Couple takeaways. Ultimately, this is a win. It's going to be very annoying to juggle the different clause numbers and the deviations and the rulemaking and this and that, but ultimately it's a win. You have one clause to deal with instead of 7019 and 7020. You no longer have two basic assessments to deal with. You only have the one under CMMC. I think that's the right move. I think it removes redundancy. I don't really like how they numbered it, but I can live with that.
B
Yeah, it's not a 56 to nothing blowout victory as it would have been if it was timed before the rule went final. So there was extra confusion. But we'll, we'll do 31:27 in overtime to still a W. Is a W, right? It still goes in the same column. And at the end of the day, in the long Run the program will be better for it.
A
Yeah. And I guess my last takeaway, I'm a little disappointed in the CMMC haters. I think they're losing a step because they have not passed up an opportunity to misconstrue things about rulemaking that they clearly do not understand into things that they would tell people all day long were surely going to kill CMMC and DFARS cybersecurity requirements. They did it with the last two class deviations and they were completely wrong about that. Here they're talking about slashing, reforming, cutting the FAR by a third, getting rid of redundancies, spurring innovation in the defense industrial base. That's exactly the kind of material that the CMMC flat earthers out there would have jumped all over in the past and said, see, they're going to kill CMMC. Last takeaway here. Clearly the cybersecurity requirements are essential to procurement. Not only are they statutory requirements, not only are they executive order requirements, they are also essential to procurement. If there was ever an opportunity where they were going to kind of cut some things that people really didn't want, this was going to be it. And that is not what happened. They renumbered it, they made it more efficient. We still have the same requirements. It ain't going anywhere.
B
If they're trying to get rid of it and get and kill it off. Right. Why are they killing off the DoD counterparts to it that existed before it that accomplished the same things in lieu of that? Right.
A
Like I, if you wanted to kill it, this is how you would have done it. And they didn't know.
B
Thanks for the engagement. Just keep it.
A
Yeah. See you next time. Next. Next time there's a reform. Maybe then, but not this time. All right everybody. Did you have fun, kids? That was a long tour through a bunch of very obscure rulemaking class deviations. I hope it was clear. If you have questions, let us know. This won't be the last time that we talk about it. Make sure that you like and subscribe and we'll see you next week.
B
DFARS overhaul videos incoming. See you next week. Sam.
Episode Title: The End of SPRS Scores (sort of)
Host: Summit 7
Date: February 5, 2026
This episode centers on dramatic, largely unpublicized changes to the Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity clauses and the Department of Defense’s (DoD’s) use of SPRS (Supplier Performance Risk System) scores. Hosts Jason and Jacob break down the immediate impact of these changes, their regulatory backdrop, and what contractors need to look for—and not panic about—in upcoming solicitations and contracts.
The show also situates these updates within the broader context of the sweeping "Revolutionary FAR Overhaul," a plain language and deregulatory rewrite of federal procurement rules intended to streamline and modernize decades of accumulated red tape. As the hosts highlight, these are among the most significant cyber-related DFARS changes since CMMC’s introduction in 2020.
([03:02]–[04:46])
“But everything related to basic self-assessments and uploading your score to SPRS has now gone away.” – Jacob, [04:22]
([05:58]–[10:53])
“This is a massive, massive undertaking... Their goal is to rewrite the FAR in quote, unquote, plain language and remove most text…” – Jacob, [07:05]
“Executive Order 14275, Restoring Common Sense to federal procurement, has now easily ascended to the top of my list as best named executive orders of all time.” – Jason, [10:07]
([10:53]–[19:11])
“If you google any part of the FAR, any part of the DFARS right now, you’re going to see the part that last went through rulemaking, but there is now an entire library…of class deviations that change the text...” – Jacob, [16:56]
“You just can’t Google this and find it.” – Jason, [18:15]
([20:17]–[26:43])
“You no longer have a basic self assessment requirement. All references to basic self assessments have been removed.” – Jacob, [24:08]
([25:21]–[27:55])
“Instead of having a basic self assessment score upload and a CMMC Level 2 Self Assessment score upload, you now only have CMMC score uploads when that applies to you.” – Jacob, [26:28]
([27:55]–[32:50])
“Cybersecurity requirements are essential to procurement... If there was ever an opportunity where they were going to kind of cut some things that people really didn’t want, this was going to be it. And that is not what happened.” – Jacob, [31:54]
On confusing numbering:
“I have no idea why they picked that number. I, they have no idea.” – Jacob, [04:52]
On the scale of the overhaul:
“It’s like... oh, let’s go through and proofread all of Tolkien’s books. It is a humongous project and they’re actually doing it.” – Jacob, [29:44]
On changing regulations:
“Just when the defense industrial base thinks that they’re just scratching the surface on the answers, surprise, the questions are changed.” – Jason, [01:46]
On the training headaches:
“I have to teach by the approved training materials, which now include three dead clauses.” – Jason, [22:05]
On streamlining compliance:
“You have one clause to deal with instead of 7019 and 7020. You no longer have two basic assessments to deal with. You only have the one under CMMC. I think that’s the right move. I think it removes redundancy.” – Jacob, [30:38]