
A Guide to the DFARS Clauses Behind CMMC & How They’ve Changed in 2026

April 02, 2026
Author

Anna Fitzgerald

Senior Content Marketing Manager

Reviewer

Rob Gutierrez

Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP

With Phase 1 of the CMMC rollout underway and Phase 2 fast approaching, continuing to delay CMMC readiness doesn't just leave you behind the curve. It suggests a fundamental misunderstanding of the CMMC program and its relationship to existing regulations.

CMMC is designed to verify compliance with the security requirements of FAR clause 52.204-21 (now 52.240-93) and DFARS clause 252.204-7012, which have been in effect since 2016 and 2017 respectively. It does not alter or replace them with new security requirements.

So if you haven’t yet implemented the appropriate measures to protect sensitive defense information entrusted to you by the Department of Defense or prime contractors, then you’re not just months behind the first CMMC deadline. You’re years behind. 

To close the readiness gap, let's cover what DFARS is, how it relates to the CMMC program, and how it has changed under the Revolutionary FAR Overhaul as of February 1, 2026.

What is the Defense Federal Acquisition Regulation Supplement (DFARS)?

The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of rules issued by the Department of Defense (DoD) that implements and supplements the Federal Acquisition Regulation (FAR). While the FAR provides the primary set of rules governing all federal procurement, DFARS defines the additional requirements for contractors working with the DoD specifically and covers everything from procurement and logistics to safeguarding sensitive data.

The DFARS provides requirements and guidelines specifically tailored to the DoD and its contractors that are not comprehensively covered by the FAR. For example, DFARS focuses on national security, classified information, intellectual property rights in the defense sector, and cybersecurity requirements, among other areas.

DFARS’s cybersecurity requirements have focused particularly on contractors that process Controlled Unclassified Information (CUI). These requirements, along with FAR 52.204-21 (now 52.240-93), have formed the foundation of the CMMC program. 

FAR, DFARS, and CMMC: How are these rules related?

To understand how FAR, DFARS, and CMMC are intertwined, we have to go back in time. In 2016, the DoD partnered with the General Services Administration (GSA) and National Aeronautics and Space Administration (NASA) to release the FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems, in response to increases in cyber threats aimed at the Defense Industrial Base (DIB). 

The same year, DFARS clause 252.204-7012 was revised to require defense contractors and subcontractors to provide adequate security for all covered defense information. The clause defines "adequate security" as, at a minimum, implementing all 110 NIST SP 800-171 requirements, and it set a deadline of December 31, 2017 for doing so.

However, neither FAR clause 52.204-21 nor DFARS clause 252.204-7012 required the DoD to verify a contractor's implementation of those security requirements prior to contract award. So by signing a defense contract, vendors were essentially self-attesting that they met those security requirements. 

This turned out to be an issue. In 2020, the DoD reviewed the DIB and found widespread noncompliance with the FAR and DFARS requirements. In fact, many contractors had Plans of Action and Milestones that wouldn’t have brought them into full compliance with NIST 800-171 until 2099.

To replace this self-attestation model of security, the DoD introduced the DFARS Interim Rule in 2020 to verify contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain. The DFARS Interim Rule, formally known as the Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements, introduced three new DFARS clauses (7019, 7020 and 7021) to increase compliance with DFARS 7012.

Together, these became known as the DFARS 70 series. 

This series, along with FAR 52.204-21, underwent notable changes as part of a massive regulation effort known as the Revolutionary FAR Overhaul. Let’s cover these changes below. 

DFARS in 2026: Updates under the Revolutionary FAR Overhaul

On February 1, 2026, significant regulatory changes took effect as part of the Revolutionary FAR Overhaul (RFO), a massive deregulation effort launched by the Office of Federal Procurement Policy in August 2025. The RFO became the first comprehensive rewrite of federal acquisition regulations in over 40 years. 

These changes were implemented through class deviations issued by the Department of Defense. Most notably, the DoW Class Deviation 2026-O0025, Revolutionary FAR Overhaul Part 40 and DFARS Part 240 consolidated and moved cybersecurity, supply chain, and information security requirements into a new Part 240. This affected how the FAR and DFARS requirements related to CMMC are organized and referenced. 

Here’s what defense contractors need to know.

Key changes effective February 1, 2026:

  • FAR 52.204-21 has been renumbered to FAR 52.240-93 under the new FAR Part 40 (Information Security and Supply Chain Security). The requirements themselves remain unchanged. Contractors handling Federal Contract Information (FCI) must still implement the 15 basic safeguarding controls.
  • DFARS 252.204-7019 has been eliminated. The standalone requirement to perform a "Basic" NIST SP 800-171 self-assessment, previously mandated by this clause, no longer exists as a separate DFARS provision. However, most contractors handling CUI must still complete a self- or third-party assessment against NIST 800-171 and have the score submitted to SPRS as part of the CMMC program under DFARS 252.204-7021.
  • DFARS 252.204-7020 has been renumbered to DFARS 252.240-7997 under the new DFARS Part 240. This revised clause removes all references to "Basic" assessments and now defines only Medium and High assessments, both of which are government-performed.
  • DFARS 252.204-7012 and DFARS 252.204-7021 remain unchanged. The foundational safeguarding, incident reporting, and CMMC certification requirements remain in full effect.

What these DFARS changes mean for contractors

The RFO consolidates cybersecurity assessment requirements around the CMMC framework. While DFARS 7019 and 7020 no longer exist in their previous form, contractors are not relieved of assessment obligations. Instead, assessment requirements are now primarily fulfilled through CMMC certification under DFARS 252.204-7021.

The underlying cybersecurity obligations have not changed. So if you handle CUI, that means:

  • You must still implement all 110 NIST 800-171 R2 requirements.
  • You must still maintain a System Security Plan. 
  • You must still report cyber incidents within 72 hours. 
  • You must still perform a NIST 800-171 self-assessment if CMMC Level 2 (Self) is specified in the contract (or complete a third-party assessment if Level 2 (C3PAO) is specified).
  • You must still have assessment scores submitted in the Supplier Performance Risk System (SPRS) (either by yourself or your C3PAO via eMASS).

During the transition period, you may see both old and new clause numbers referenced in contracts. Solicitations issued after February 1, 2026 will use the new numbering (FAR 52.240-93 and DFARS 252.240-7997), while older contracts will still reference the legacy clause numbers (FAR 52.204-21 and DFARS 252.204-7020). Contractors should update internal compliance documentation, proposal templates, and training materials to reflect both numbering systems during this transition.

Let's take a closer look at the four DFARS clauses that historically formed the DFARS 70 series and how they relate to current CMMC requirements.

DFARS 7012

Note: This clause remains unchanged by the February 2026 regulatory updates.

First introduced in 2016 and in effect by December 2017, DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, remains the foundational cybersecurity clause for defense contractors that handle CUI and lays the groundwork for CMMC.

If you are currently working on behalf of the DoD as a prime or subcontractor, then your contract includes DFARS 7012 requirements. 

These requirements are to:

1. Safeguard covered defense information: Contractors must implement all 110 NIST SP 800-171 Revision 2 requirements to safeguard CUI and develop and maintain a System Security Plan (SSP) that outlines how they meet each requirement.

2. Report cyber incidents: Contractors must report cyber incidents that affect covered defense information, or that affect the contractor's ability to provide operationally critical support to the DoD, within 72 hours of discovery. Reports are submitted through the DIBNet portal and require a DoD-approved medium assurance certificate, so obtain one before you need it. Contractors must also preserve and protect images of all known affected information systems and all relevant monitoring and packet-capture data for at least 90 days from the date the incident report is submitted.

There are two other requirements related to cyber incident reporting:

  • Submit malicious software: If the reported cyber incident involves malicious software, contractors must submit the software to the DoD Cyber Crime Center (DC3).
  • Facilitate damage assessment: If the DoD reviews the cyber incident report and decides to conduct a damage assessment, the contractor must provide any requested media and damage assessment information.

3. Flow down requirements to subcontractors: These DFARS 7012 requirements must be passed to subcontractors that handle CUI.

While these requirements have been in effect for years, many defense contractors did not implement them, even though DFARS 7012 carries real enforcement mechanisms. The clause never required the DoD to verify implementation before contract award, but if noncompliance came to light, for example through a reported cyber incident or a whistleblower, the contractor could face False Claims Act liability for having represented itself as compliant. The DoD could also withhold progress payments, decline to exercise remaining contract options, or terminate the contract in whole or in part.

Despite the significant business and legal risk of not complying, many companies within the DIB failed to comply with DFARS 7012 and implement NIST 800-171 R2 requirements. DFARS 7019, 7020, and 7021 were introduced in 2020 to improve compliance with DFARS 7012 and NIST 800-171 across the DIB. 

How this affects contractors as of February 1, 2026:

DFARS 252.204-7012 remains unchanged by the Revolutionary FAR Overhaul. The clause continues to require contractors to:

  • implement NIST SP 800-171 requirements,
  • maintain an SSP documenting implementation,
  • report cyber incidents within 72 hours, 
  • and flow down requirements to subcontractors handling CUI.

However, contractors should be aware of an important alignment issue addressed by an earlier class deviation in 2024.

As codified at 48 CFR 252.204-7012, the clause references contractors having to implement "the most current version" of NIST SP 800-171 at the time of solicitation. Currently, that would be Revision 3, which was released in May 2024. Yet CMMC Level 2 assessments are pinned to NIST SP 800-171 Revision 2.

To resolve this mismatch, the DoD issued Class Deviation 2024-O0013 in May 2024. It directs contractors to implement NIST SP 800-171 Revision 2 (not Revision 3) when DFARS 252.204-7012 appears in contracts, keeping DFARS 7012 obligations aligned with CMMC assessment criteria.

DFARS 7019

Note: As of February 1, 2026, DFARS clause 252.204-7019 has been eliminated under the Revolutionary FAR Overhaul. This section is retained for historical context and to help contractors understand the evolution of DFARS cybersecurity requirements.

DFARS clause 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements, supplemented DFARS 7012 with a new requirement: contractors had to perform a Basic self-assessment using the NIST SP 800-171 DoD Assessment Methodology and submit the resulting score to the Supplier Performance Risk System (SPRS) before contract award.

How is the SPRS score calculated? The DoD Assessment Methodology assigns each NIST 800-171 requirement a point value of one (1), three (3), or five (5), weighted by the impact of leaving it unimplemented. Scoring starts at the maximum of 110 and subtracts the point value of every requirement that is not implemented, so the lowest possible score is -203. Two requirements carry partial credit: 3.5.3 (multifactor authentication) and 3.13.11 (CUI encryption) lose 3 points instead of 5 when they are partially implemented (MFA only for remote and privileged users, or encryption that is not FIPS-validated). An organization that scores below 110 must record each gap in a Plan of Action and Milestones (POA&M) that explains how it will be closed.

During a CMMC Level 2 assessment, an Organization Seeking Certification (OSC) can still receive Conditional CMMC Status with open items on a POA&M, as long as its score is no lower than 88 (80% of 110) and the open items are POA&M-eligible. The POA&M must be closed out within 180 days, bringing the score to 110, to achieve Final CMMC Status.
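The arithmetic above is easy to get wrong by hand, so here is a worked example, written for this article and not taken from the DoD methodology or any Secureframe tooling, that scores a constructed set of requirement results and then checks whether the open gaps could go on a POA&M. It goes beyond the text in two places: it applies the Annex A partial-credit rule for 3.5.3 and 3.13.11, and, on top of the 88-point floor, it applies the POA&M limits from the CMMC rule (32 CFR 170.21: no open item worth more than 1 point except 3.13.11 at 3 points, and never 3.1.20, 3.1.22, 3.10.3, 3.10.4 or 3.10.5). The point values for the sample requirement IDs are assumed here and should be verified against Annex A of the DoD Assessment Methodology before use; requirements not listed in an assessment are treated as met, which is a simplification for the sample.

```python
"""SPRS-style scoring under the NIST SP 800-171 DoD Assessment Methodology,
plus a CMMC Level 2 POA&M eligibility check.

Added example, not from the original article. Assumptions: the point values
attached to the sample requirement IDs are transcribed from Annex A to the
best of the author's knowledge and must be verified; requirements absent
from an assessment count as met; POA&M rules beyond the 88-point floor are
taken from 32 CFR 170.21.
"""
from dataclasses import dataclass

MAX_SCORE = 110       # every one of the 110 requirements implemented
MIN_SCORE = -203      # 110 minus the 313 deductible points in Annex A
POAM_MIN_SCORE = 88   # 80% of 110, the floor for Conditional Level 2 status

# Annex A partial credit: deduct 3 instead of the full 5 points when
#   3.5.3  MFA covers remote and privileged users but not general users, or
#   3.13.11 CUI is encrypted but the cryptography is not FIPS-validated.
PARTIAL_DEDUCTION = {"3.5.3": 3, "3.13.11": 3}

# Requirements that may never be left open on a POA&M (32 CFR 170.21).
NEVER_POAM = {"3.1.20", "3.1.22", "3.10.3", "3.10.4", "3.10.5"}


@dataclass(frozen=True)
class Requirement:
    rid: str      # NIST SP 800-171 Rev 2 identifier, e.g. "3.5.3"
    weight: int   # Annex A point value: 1, 3 or 5 (assumed for the sample)
    status: str   # "met", "partial" (only where Annex A allows) or "not_met"

    def __post_init__(self):
        if self.weight not in (1, 3, 5):
            raise ValueError(f"{self.rid}: weight must be 1, 3 or 5")
        if self.status not in ("met", "partial", "not_met"):
            raise ValueError(f"{self.rid}: unknown status {self.status!r}")
        if self.status == "partial" and self.rid not in PARTIAL_DEDUCTION:
            raise ValueError(f"{self.rid}: Annex A gives no partial credit")


def deduction(req: Requirement) -> int:
    """Points subtracted from 110 for a single requirement."""
    if req.status == "met":
        return 0
    if req.status == "partial":
        return PARTIAL_DEDUCTION[req.rid]
    return req.weight


def sprs_score(reqs) -> int:
    """Score as SPRS records it: start at 110 and subtract every deduction.
    With the real 110-item table the minimum is exactly -203, so the floor
    only guards against malformed input (e.g. duplicated requirements)."""
    return max(MAX_SCORE - sum(deduction(r) for r in reqs), MIN_SCORE)


def poam_eligible(reqs):
    """Could the open items be carried on a POA&M for Conditional Level 2
    status? Returns (eligible, reasons), where reasons explains each block."""
    reasons = []
    score = sprs_score(reqs)
    if score < POAM_MIN_SCORE:
        reasons.append(f"score {score} is below {POAM_MIN_SCORE}")
    for r in reqs:
        d = deduction(r)
        if d == 0:
            continue
        if r.rid in NEVER_POAM:
            reasons.append(f"{r.rid} may never be on a POA&M")
        elif d > 1 and not (r.rid == "3.13.11" and d == 3):
            reasons.append(f"{r.rid}: {d}-point gap is not POA&M-eligible")
    return (not reasons, reasons)


def sample_assessment():
    """Constructed sample for a partially implemented environment."""
    return [
        Requirement("3.1.1", 5, "met"),        # limit system access
        Requirement("3.1.2", 5, "met"),        # limit to permitted functions
        Requirement("3.1.20", 1, "not_met"),   # external system connections
        Requirement("3.3.1", 5, "not_met"),    # audit logging
        Requirement("3.5.3", 5, "partial"),    # MFA for privileged/remote only
        Requirement("3.10.3", 1, "met"),       # escort visitors
        Requirement("3.11.2", 5, "met"),       # vulnerability scanning
        Requirement("3.13.11", 5, "partial"),  # encryption not FIPS-validated
    ]


if __name__ == "__main__":
    reqs = sample_assessment()
    ok, why = poam_eligible(reqs)
    print("SPRS score:", sprs_score(reqs))   # 98
    print("POA&M eligible:", ok)            # False
    for line in why:
        print("  -", line)
```

The sample lands at 98, comfortably above 88, yet it is not POA&M-eligible: 3.1.20 can never be left open, and the 5-point audit-logging gap and 3-point MFA gap exceed the 1-point limit. Only the non-FIPS encryption item could legitimately sit on the POA&M. That is the practical lesson: the 88 threshold is necessary but not sufficient, and which controls are open matters as much as the total.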

Note that both the DoD and prime contractors will likely consider companies with lower scores a higher security risk and opt to work with companies with the highest scores and least risk. 

These requirements strengthened DFARS 7012 in two key ways: 

  • By providing a metric (the SPRS score) for the DoD to assess that contractors actually implemented NIST 800-171 requirements.
  • By requiring assessments and SPRS scores to be updated at least every three years to remain eligible for new contract awards.

How this affects contractors as of February 1, 2026:

With the elimination of DFARS 7019, there is no longer a standalone requirement to conduct Basic self-assessments outside of the CMMC framework. However, contractors pursuing CMMC Level 2 (Self) status must still complete self-assessments against NIST 800-171 and post their scores to SPRS as part of the CMMC program under DFARS 252.204-7021.

The SPRS remains an active system of record, and CMMC Level 2 assessments (both self and third-party) use the same scoring methodology described above.

In short, contractors should not interpret the elimination of DFARS 7019 as eliminating assessment and reporting obligations. These obligations have simply been consolidated under the CMMC framework.

DFARS 7020 (now 7997)

Note: As of February 1, 2026, DFARS clause 252.204-7020 has been renumbered to DFARS 252.240-7997 and substantively modified as part of the Revolutionary FAR Overhaul.

DFARS clause 252.204-7020, NIST SP 800-171 DoD Assessment Requirements, built on DFARS 7019. While DFARS 7019 was the "notice" of NIST SP 800-171 DoD Assessment Requirements, DFARS 7020 contained the requirements themselves.

In addition to the requirements detailed above, DFARS 7020 formalizes the contractor’s responsibility to flow down requirements to subcontractors by requiring them to confirm subs have valid SPRS scores before awarding them subcontracts.

It also gives the DoD the right to conduct or renew a Medium or High NIST 800-171 DoD Assessment in order to validate the results of a contractor’s “Basic” self-assessment and ensure the contractor has properly implemented NIST 800-171 requirements. The DoD can exercise this right based on the criticality of the program or the sensitivity of information being handled by the contractor. In that case, the contractor must provide the DoD with access to its facilities, systems, and personnel for the assessment. 

These requirements strengthen DFARS 7012 in key ways:

  • By providing the DoD with an additional verification mechanism to ensure contractors are actually implementing NIST 800-171.
  • By providing a metric (the SPRS score) for the contractors to assess that subcontractors actually implemented NIST 800-171 requirements.
  • By requiring a current assessment score (no more than three years old) in SPRS to remain eligible for new contract awards.

How this affects contractors as of February 1, 2026:

As of February 1, 2026, this clause has been renumbered to DFARS 252.240-7997 (DFARS 7997 for short), and the requirement for "Basic" self-assessments has been removed because it has been consolidated under CMMC Level 2.

The new clause text still defines Medium and High assessments, both of which are government-performed using NIST SP 800-171A assessment procedures.

  • Medium Assessment: A government-led review using NIST SP 800-171A that includes examination of evidence and results in a confidence-based score.
  • High Assessment: A more comprehensive government-led assessment using NIST SP 800-171A, including detailed review of the System Security Plan, validation of implemented controls, and direct engagement with contractor personnel.

This matters because even if a contractor has achieved CMMC status through a self-assessment, the DoD retains the authority under 252.240-7997 to conduct a Medium or High assessment to validate those cybersecurity claims.

If you work on behalf of the DoD as a prime or subcontractor with contracts issued under the new Part 240 framework, your contract may include DFARS 252.240-7997 requirements.

DFARS 7021

Note: This clause remains unchanged by the February 2026 regulatory updates.

DFARS clause 252.204-7021, Cybersecurity Maturity Model Certification Requirements, formally requires CMMC certification as a condition of contract award. When this clause is included in a contract, contractors must:

  • Obtain the CMMC level specified in the contract.
  • Maintain that certification throughout the contract period.
  • Flow down the applicable CMMC level to any subcontractors handling FCI, CUI, Security Protection Data (SPD), and/or Covered Defense Information (CDI).
  • Ensure subcontractors have the appropriate CMMC level prior to awarding a contract.

By enforcing independent validation of the implementation of cybersecurity requirements, the DFARS 7021 clause officially shifts DIB cybersecurity from a self-attestation model under previous FAR and DFARS regulations to a verification-based model of security. This is the vision for the CMMC program. 

How this affects contractors as of February 1, 2026:

With the elimination of DFARS 7019 and the restructuring of 7020, CMMC under DFARS 7021 has become the primary framework for cybersecurity compliance in the DIB. 

DFARS 7021, and with it the CMMC requirements, is now actively being enforced in contracts. The phased rollout began on November 10, 2025, with the implementation of the 48 CFR CMMC acquisition rule.

For contractors, this means the following CMMC level and assessment requirements may be in their solicitations and contracts now (or very soon):

  • CMMC Level 1: Contractors handling FCI must implement and self-assess the 15 basic safeguarding controls from FAR 52.240-93 (formerly 52.204-21), with results and an affirmation submitted to SPRS annually.
  • CMMC Level 2 (Self-Assessment): A small share of contractors handling CUI (approximately 5% of the DIB) must implement and self-assess the 110 NIST 800-171 R2 requirements, with results submitted to SPRS every three years and an affirmation submitted annually.
  • CMMC Level 2 (C3PAO): Most contractors handling CUI (approximately 93% of the DIB) must implement NIST 800-171 and complete a third-party assessment by an authorized C3PAO. This becomes the default for CUI contracts starting November 10, 2026, but DoD contracting officers already have the discretion to include the requirement now, and many primes have been requesting proof of Level 2 (C3PAO) readiness or certification for months.

DFARS compliance checklist for 2026

In order to maintain eligibility for DoD contracts, contractors must meet the requirements of DFARS 7012 and 7021, while understanding the historical context of 7019 and 7020 (now 252.240-7997). We've created a high-level checklist organized by urgency to help you prioritize compliance efforts based on the current CMMC enforcement timeline.

How Secureframe can help you achieve and maintain DFARS and CMMC compliance

Achieving CMMC compliance is complex and resource-intensive for defense contractors, particularly those facing Level 2 (C3PAO) requirements on tight timelines. The challenge isn't just understanding the requirements. It's building a defensible scope, standing up a compliant infrastructure, and keeping evidence and documentation current as your environment evolves.

Secureframe Defense addresses these challenges with automation purpose-built for the Defense Industrial Base. The platform combines automated cloud provisioning, guided implementation workflows, and assessment-ready documentation that stays synchronized with your actual environment.

With CMMC enforcement now active and Phase 2 approaching in November 2026, defense contractors can't afford to waste time on manual compliance processes or stitching together outsourced services and point solutions.

Learn how Secureframe Defense is helping organizations get ready in as little as 4-8 weeks by visiting secureframe.com/cmmc or requesting a demo.

This post was originally published in June 2025 and has been updated for accuracy and comprehensiveness.

FAQs

What does DFARS stand for?

DFARS stands for Defense Federal Acquisition Regulation Supplement. It adds DoD-specific requirements to the government-wide Federal Acquisition Regulation.

What are FAR and DFARS?

FAR (Federal Acquisition Regulation) is the primary set of rules governing all federal procurement, while DFARS is a DoD-specific supplement that includes requirements related to national security and defense-specific priorities—like cybersecurity. In short:

  • FAR = Government-wide rules.
  • DFARS = DoD-specific rules, including cybersecurity and CMMC-related clauses.

What is DFARS compliance?

DFARS compliance means adhering to the security and reporting requirements defined in DFARS, particularly those related to protecting Controlled Unclassified Information (CUI), such as NIST SP 800-171 implementation and cyber incident reporting.

Who needs to be DFARS compliant?

Any contractor or subcontractor that processes, stores, or transmits CUI on behalf of the DoD must comply with applicable DFARS clauses.

What is DFARS 252.204-7012​?

DFARS clause 252.204-7012 requires DoD contractors to implement NIST SP 800-171 security controls, report cyber incidents, and ensure subcontractors do the same. It is a foundational clause for CMMC.

What happened to DFARS 7019 and 7020?

As of February 1, 2026, DFARS 252.204-7019 was eliminated and DFARS 252.204-7020 was renumbered to 252.240-7997 as part of the Revolutionary FAR Overhaul. The standalone "Basic Self-Assessment" requirement previously mandated by these clauses has been removed. Assessment obligations are now primarily fulfilled through the CMMC framework under DFARS 252.204-7021.

Has the Revolutionary FAR Overhaul changed my cybersecurity obligations?

No. The February 2026 regulatory changes reorganized and renumbered FAR and DFARS clauses but did not change the underlying cybersecurity requirements. If you handle CUI, you must still implement all 110 NIST 800-171 requirements, maintain a System Security Plan, report cyber incidents within 72 hours, and obtain appropriate CMMC certification when required. The changes consolidate assessment requirements around the CMMC framework rather than maintaining parallel compliance pathways.

Do I still need to submit scores to SPRS?

Yes, but the context has changed. With the elimination of the standalone DFARS 7019 Basic self-assessment requirement, SPRS submissions are now primarily tied to CMMC Level 2 self-assessments under DFARS 252.204-7021. The SPRS remains the system of record for cybersecurity assessment scores.

How do I know which clause numbers apply to my contract?

Contracts and solicitations issued before February 1, 2026 will reference the old clause numbers (FAR 52.204-21, DFARS 252.204-7019, DFARS 252.204-7020). Contracts issued after February 1, 2026 under the class deviations will reference the new numbers (FAR 52.240-93, DFARS 252.240-7997). During this transition period, contractors should be familiar with both numbering systems. The underlying requirements remain the same regardless of which numbering system is used.

Anna Fitzgerald

Senior Content Marketing Manager

Anna Fitzgerald is a digital and product marketing professional with nearly a decade of experience delivering high-quality content across highly regulated and technical industries, including healthcare, web development, and cybersecurity compliance. At Secureframe, she specializes in translating complex regulatory frameworks—such as CMMC, FedRAMP, NIST, and SOC 2—into practical resources that help organizations of all sizes and maturity levels meet evolving compliance requirements and improve their overall risk management strategy.

Rob Gutierrez

Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP

Rob Gutierrez is an information security leader with nearly a decade of experience in GRC, IT audit, cybersecurity, FedRAMP, cloud, and supply chain assessments. As a former auditor and security consultant, Rob performed and managed CMMC, FedRAMP, FISMA, and other security and regulatory audits. At Secureframe, he’s helped hundreds of customers achieve compliance with federal and commercial frameworks, including NIST 800-171, NIST 800-53, FedRAMP, CMMC, SOC 2, and ISO 27001.