Why the RFO Ended DFARS 7019 and 7020

As of February 1, 2026, defense contractors are no longer required to conduct basic self-assessments and upload their scores into SPRS pursuant to DFARS provision 252.204-7019 and DFARS clause 252.204-7020, largely because DFARS 7019 and 7020 no longer exist at all.  This is thanks to a DFARS class deviation, DFARS clause 252.240-7997 called NIST SP 800-171 DoD Assessment Requirements.

On top of that, you won’t see FAR clause 52.204-21 either because it has a new number: 52.240.93. If all that isn’t exciting enough, all of this happened without rulemaking.

So, what’s going on? Why are we on this rollercoaster, and how did it kill DFARS 7019 and 7020? Here’s what you need to know about the recent changes made under the Revolutionary FAR Overhaul (RFO).

Key Takeaways

1) FAR clause 52.204-21 is renumbered to 52.240-93

• It is still titled Basic Safeguarding of Covered Contractor Information Systems
• Federal contractors still have 15 cybersecurity requirements.
• The clause still flows down to subcontractors.

2) DFARS provision 252.204-7019 no longer exists.

3) DFARS clause 252.204-7020 has been renumbered, and self-assessment requirements have been removed.

• The clause has been renumbered to 252.240-7997
  • It is still titled “NIST SP 800-171 DoD Assessment Requirements”
• There is no longer a “basic self-assessment” requirement.
  • Medium and High assessments are unchanged - conducted by DCMA DIBCAC auditing teams in accordance with NIST SP 800-171A.

4) There are no changes to DFARS clause 252.204-7012 or provision 252.204-7008.

5) There are no changes to DFARS clause 252.204-7021 or provision 252.204-7025.

Context:

The Federal Acquisition Regulation (FAR) has been the framework for how the government makes purchases for the last 40 years, codified under Chapter 1 of Title 48 of the Code of Federal Regulations.

Issued jointly by the FAR Council, the GSA, NASA, and the DoW, the FAR is the primary regulation used by all executive agencies in their acquisition of supplies and services with appropriated funds.

It includes standard solicitation provisions and contract clauses and various agency “supplements” such as the DFARS – the Defense FAR Supplement.

Note: This is why the full title of a clause like DFARS 7012 is 48 CFR 252.204-7012.

Naturally, the FAR and the agency supplements are complex, but they have reached thousands of pages long and continue to grow year over year. In response to that problem and added policy, the Office of Federal Procurement Policy got to work on cutting through the noise.

The Revolutionary FAR Overhaul

In August of 2025, the Office of Federal Procurement Policy launched a massive deregulation effort known as the “Revolutionary FAR Overhaul” (RFO). This is the first major overhaul and the largest single update to the FAR in its 40-year history.

The overarching goal is to rewrite the FAR in “plain language” and remove most text that isn’t:

1. Required by statute
2. Required by Executive Order
3. Essential to sound procurement
4. Executive Order 14275, Restoring Common Sense to Federal Procurement
5. Executive Order 14265, Modernizing Defense Acquisitions and Spurring Innovation in the Defense Industrial Base
6. OMB Memorandum M-25-26, Overhauling the Federal Acquisition Regulation

Under the RFO, up to 1/3 of the FAR could be removed entirely.

The policy basis for this effort goes all the way to the top:

Since August, every part of the FAR has gone under the microscope. You can see the changes to every subpart, section, and subsection on the RFO website.

What About Rulemaking?

You’re probably wondering how we’ve gotten this far without addressing rulemaking. How are they changing regulations without the rulemaking process?

The answer: class deviations.

A class deviation is a formal, temporary authorization that allows federal agencies to bypass, alter, or ignore parts of the FAR or agency supplements.

• Typically issued to implement new policies, legislative changes, or urgent requirements across multiple solicitations and contracts
• Instruct contracting officers to omit, replace, or insert specific clause language
• Remain in effect until rescinded or officially incorporated via rulemaking.

Example 1, Class Deviation 2025-O0006:

The original 2020 CMMC rule said to insert clause 252.204-7021 in all solicitations and contracts starting October 1^st, 2025. The problem was the CMMC 2.0 rulemaking would go into effect after that so contracting officers would be inserting outdated clause language.

So, in August 2025, the DoW issued a deviation that said contracting officers shall not use the 7021 clause until the effective date of the CMMC final rule, which became November 10^th, 2025.

Example 2, Class Deviation 2024-O0013:

DFARS 7012 requires implementing the most current version of NIST SP 800-171 at the time of solicitation (currently 171, revision 3). However, CMMC is pinned to a specific version, currently 171 revision 2, meaning DFARS 7012, as codified, requires implementing a version of 171 that CMMC doesn’t assess.

The DoW didn’t foresee that issue when they revised 7012 in 2016, so they issued a class deviation in May 2024, saying to ignore the text of 7012 as written at 48 CFR 252.204-7012 and use this deviation text specifying revision 2 instead. (This is why we called that podcast episode “Crisis Averted.”

Note: If you google 7012 you see the original text from 2016 because it hasn’t been changed via rulemaking, even though deviation text is what appears in contracts.

Now, imagine class deviations in place for every single part of the FAR and all the agency supplements.

You can still find FAR 52.204-21 and DFARS 252.204-7019, for instance, even though the deviation text changed them on February 1^st.

Eventually, all of these changes will go through rulemaking, probably all at once. In the meantime, these changes are being published as class deviations first, enabling agencies to “begin using the streamlined FAR part until the FAR is revised through the formal rulemaking process,” according to the GSA.

Why FAR 52.204-21 changes to FAR 52.240-93

The FAR overhaul includes changes to FAR clause 52.204-21 Basic Safeguarding for Covered Contractor Information Systems. Thanks to the overhaul of FAR Part 52 Solicitations and Contract Clauses, the clause 52.204-21 is renumbered to 52.240-93.

Since 2016 this clause has imposed 15 cybersecurity requirements on federal contractors when the contractor or subcontractor at any tier handles Federal Contract Information. Despite the renumbering, 52.240-93 will maintain the same title, text, and requirements.

CMMC Level 1 assesses those requirements but will still reference 52.204-21 so be aware. Until rulemaking codifies the class deviations, we’ll all need to juggle both numbers for the same clause.

How the RFO Changes DFARS:

On February 1^st, 2026, 38 different DFARS class deviations went into effect to match overall FAR deviations.

DFARS 7019

Under these deviations, DFARS provision 252.204-7019 no longer exists.

DFARS 7020

DFARS clause 252.204-7020 has two changes.

• Renumbered 252.240-7997
  • It is still titled NIST SP 800-171 DoD Assessment Requirements
• There is no longer a “basic self-assessment” requirement.
  • All references to basic self-assessments have been removed.
  • That means the requirement to upload a basic self-assessment score to SPRS has also been removed.

All other parts of the clause are the same, including:

• “High” and “Medium” assessments are still conducted by DIBCAC using NIST SP 800-171A, and assessment scores will be uploaded to SPRS by DIBCAC.
  • They apply to covered contractor information systems that are required to comply with DFARS clause 252.204-7012
• Contractors still have 14 days for assessment rebuttals.
• The clauses still flow down to sub-contractors.

How does the RFO affect DFARS 7012? The CMMC clause?

• There are no changes to DFARS clause 252.204-7012 or provision 252.204-7008.
• There are no changes to DFARS clause 252.204-7021 or provision 252.204-7025.

What does all this mean?

Though the RFO kills DFARS 7019 (RIP), the changes it brings continue to reinforce practical, compliant DoW procurement within a more streamlined FAR.

With more changes underway, it’s more important than ever to stay informed.

Reach out to a Summit 7 expert to learn more about implementing CMMC compliance in your organization.