DoD Reorganizes Cybersecurity Clauses in Follow up to FAR ‘Overhaul’

Miles & Stockbridge P.C.

On Dec. 18, 2025, the Department of Defense (DoD) issued deviations to over half of the Defense Federal Acquisition Regulation Supplement (DFARS) Parts, all of which became effective Feb. 1, 2026. Two days later, DoD issued a deviation for DFARS Part 204, which became effective Feb. 17. These deviations reorganize and streamline some of the DFARS regulations and contract clauses that define contractors’ cybersecurity requirements.

Technically, they are “temporary” exceptions to the DFARS that were issued on an emergency basis in response to the much broader Revolutionary FAR Overhaul (RFO). As such, they are not yet incorporated into the DFARS text but are posted online in memorandum format by the Principal Director of Defense Pricing, Contracting, and Acquisition Policy (DPCAP). This quirk makes it difficult for contractors to keep up with them.

The overall impact of DoD’s streamlining efforts on defense contractors’ burgeoning cybersecurity obligations is minimal — at least for now. Meanwhile, given the ongoing rollout of CMMC, all contractors in the Defense Industrial Base (DIB) should familiarize themselves with these deviations and keep track of any future developments that may affect their DFARS cybersecurity compliance obligations.

DFARS Cybersecurity Obligations

The current version of DFARS addresses cybersecurity mostly in DFARS Subpart 204.73, Safeguarding Covered Defense Information and Cyber Incident Reporting, and Subpart 204.75, Cybersecurity Maturity Model Certification.

DFARS 204.7304, which is located within DFARS Subpart 204.73, requires contracting officers to include the following contract clauses in all DoD solicitations except those solely for the acquisition of commercially available off-the-shelf (COTS) items:

  • DFARS 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls
  • DFARS 252.204-7009, Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information
  • DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting
  • DFARS 252.204-7019, Notice of NIST SP 800-171 DoD Assessment Requirements

Similarly, DFARS 204.7504, which is located within Subpart 204.75, generally requires contracting officers to include the following contract clauses in all DoD solicitations except those solely for the acquisition of COTS items:

  • DFARS 252.204-7021, Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirements
  • DFARS 252.204-7025, Notice of Cybersecurity Maturity Model Certification Level Requirements

DoD’s Class Deviation made several changes to these cybersecurity regulations, but the good news for DIB contractors is that they are, for the most part, nominal. That said, there are several substantive changes.

What Changed?

  • DFARS Subpart 204.73 no longer exists; its content has been moved to DFARS Subpart 240.370 with only minor changes. All the contract clauses formerly prescribed in DFARS 204.7304 retain their original numbering, except for DFARS 252.204-7020, which has been renumbered as DFARS 252.240-7997.
  • DFARS Subpart 204.75 has been rewritten and expanded and is now codified as DFARS Subpart 240.371. The new version includes a new definitions section and more detailed instructions for contracting officers on how to apply the requirements. All contract clauses formerly prescribed in DFARS 204.7504 retain the same numbering.
  • DFARS 252.204-7019 has been deleted although many of its requirements remain in effect under other contract clauses. Previously, this clause required contractors subject to the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 to have a current assessment for each of their covered contractor information systems that were relevant to the offer, which included a process for posting Basic self-assessments to the Supplier Performance Risk System (SPRS). Now, these requirements are solely addressed under the CMMC framework.
  • DFARS 252.204-7020 was renumbered to DFARS 252.240-7997. This clause previously covered entry by the contractor of Basic Assessment scores into SPRS, and entry by DoD of scores for Medium and High Assessments conducted by DoD. The updated version eliminates all references to Basic Assessments, which is consistent with the reality that CMMC grades Level 1 scores on a pass/fail basis. That said, DFARS 252.204-7021 still requires contractors at CMMC Level 1 to “have . . . a current CMMC status” in SPRS and to upload into SPRS an affirmation of compliance on an annual basis.
  • Finally, although not part of the DFARS overhaul, it is worth noting that FAR 52.204-21 has been renumbered to FAR 52.240-93. This change was made last October under the FAR overhaul. This contract clause is still titled, “Basic Safeguarding of Covered Contractor Information Systems,” and contractors should still anticipate the same 15 safeguarding requirements and procedures for protecting covered contractor information systems. This new clause number was incorporated into new solicitations as of Feb. 1.

What Stayed the Same?

  • DFARS 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting.” Contractors are still expected to provide adequate security using the designated security protections on all covered contractor information systems, including systems subject to the security requirements in NIST SP 800-171. Further, contractors must still meet the cyber incident reporting requirements. The associated provision, DFARS 252.204-7008, also remains in effect and should be incorporated in all solicitations, including those using FAR Part 12 procedures to acquire commercial products and services other than those for commercially available off-the-shelf items.
  • DFARS 252.204-7021, “Contractor Compliance With the Cybersecurity Maturity Model Certification Level Requirements.” Companies must still comply with CMMC requirements for applicable information security protections. This includes maintaining a current CMMC status and uploading annual affirmations of compliance in SPRS, as well as ensuring compliance by subcontractors prior to awarding a subcontract or other contractual instrument. Further, companies should still anticipate the notice provision in DFARS 252.204-7025 to appear in solicitations.

Navigating Class Deviations

In many ways, the changes caused by these deviations are structural and will not, by themselves, result in seismic shifts to a contractor’s cybersecurity practices. They do, however, open up the possibility of further confusion, particularly as the new clauses are rolled out and the outdated clauses are removed at varying speeds.

The cybersecurity requirements demanded of companies will now be nested in new Parts and Subparts of the FAR and DFARS. Thus, companies should remain informed of these evolving changes to the regulatory framework to ensure up-to-date legal compliance. Notably, many of the cybersecurity requirements are no longer codified in DFARS Part 204 but are nested within DFARS Part 240.

This Class Deviation went into effect on Feb. 1, so contractors should expect to see these provisions and associated clauses incorporated into solicitations and contracts sooner rather than later. That said, class deviations are treated as interim rules, so DoD will have to engage in formal, notice-and-comment rulemaking to finalize these changes. This process is much more involved and will likely take a few years to come into fruition. As a result, contractors should still be prepared to see a mix of new and old provisions and clauses present in their solicitations and contracts.

While such a mix may cause confusion, contractors should be mindful of the overarching goal of the RFO, which is to streamline the complexities of federal procurement. In the context of FAR and DFARS cybersecurity requirements, this means centering contractor obligations around the CMMC framework. Using the principles of CMMC as a guidepost while staying aware of the different versions of provisions and clauses at play will lead contractors through this evolving legal landscape.

Conclusion

Ultimately, DoD’s class deviations for DFARS Part 204’s and Part 240’s cybersecurity requirements were structural, aimed at increasing efficiency in federal procurements under the RFO and highlighting the CMMC framework. However, contractors must be receptive to these changes as they alter the provisions that govern forthcoming procurements and may eventually affect existing contracts.

Opinions and conclusions in this post are solely those of the author unless otherwise indicated. The information contained in this blog is general in nature and is not offered and cannot be considered as legal advice for any particular situation. The author has provided the links referenced above for information purposes only and by doing so, does not adopt or incorporate the contents. Any federal tax advice provided in this communication is not intended or written by the author to be used, and cannot be used by the recipient, for the purpose of avoiding penalties which may be imposed on the recipient by the IRS. Please contact the author if you would like to receive written advice in a format which complies with IRS rules and may be relied upon to avoid penalties.


© Miles & Stockbridge P.C.
