The End of SPRS Scores (sort of)

The largest change to DFARS cybersecurity requirements other than CMMC took place on February 1st, 2026, and nobody knew it happened. DFARS 7019 and 7020 have been replaced by DFARS clause 252.240-7997. Basic self-assessments have been eliminated. FAR 52.204-21 has a new number. And none of this went through rulemaking. This week we’re diving deep into the mysterious world of class deviations and what they mean for defense contractors moving forward.


Transcript

Alrighty, folks. It is February of 2026, and this one is a doozy. As of February 1st, 2026, defense contractors are no longer required to conduct basic self-assessments and upload their scores into SPRS pursuant to DFARS provision 252.204-7019 and clause 252.204-7020. In fact, 7019 and 7020 no longer exist at all. Thanks to a DFARS class deviation, contractors will now see DFARS clause 252.240-7997 titled “NIST SP 800-171 DoD Assessment Requirements.” Yes, that number is real. On top of that, FAR clause 52.204-21 has been renumbered to 52.240-93. All of this happened without formal rulemaking—at least not yet.

This is the biggest change to DFARS cybersecurity contract clauses outside of CMMC since 2020, and hardly anyone is talking about it. For those keeping score, five major things happened. First, FAR 52.204-21 has been renumbered to 52.240-93. The title, the 15 safeguarding requirements, applicability to federal contract information, and flowdown requirements remain exactly the same. Only the number changed. Second, DFARS provision 252.204-7019 has been deleted. Third, DFARS clause 252.204-7020 has been renumbered to 252.240-7997 and, more importantly, the basic self-assessment requirement has been completely removed from the clause. Medium and high DoD assessments remain unchanged, but the requirement to conduct and upload a basic self-assessment score to SPRS is gone. Fourth, there are no changes to DFARS 252.204-7012 or 252.204-7008. Fifth, there are no changes to the CMMC clause 252.204-7021 or its provision 252.204-7025.

To understand why this is happening, you have to zoom out. For the last 40 years, the Federal Acquisition Regulation, or FAR, has governed how the government buys goods and services. It is codified at Title 48 of the Code of Federal Regulations and jointly issued by GSA, NASA, and DoD—often referred to as the FAR Council. Each agency then publishes its own supplement, such as the DFARS for DoD. Over four decades, the FAR and its supplements have grown into thousands of pages of regulatory text.

In August 2025, the Office of Federal Procurement Policy launched what it called the Revolutionary FAR Overhaul, the largest rewrite effort in the FAR’s history. The goal is to rewrite the FAR in plain language and remove text that is not required by statute, executive order, or essential to sound procurement. The policy basis includes Executive Order 14275, “Restoring Common Sense to Federal Procurement,” Executive Order 14265 on modernizing defense acquisition, and OMB Memorandum M-25-26. The overhaul aims to eliminate up to one-third of the FAR.

So how are they changing regulations without rulemaking? The answer is class deviations. A class deviation is a formal, temporary authorization allowing agencies to bypass, alter, or replace portions of the FAR or its supplements across a class of solicitations and contracts. Class deviations remain in effect until rescinded or incorporated into the FAR through the traditional, and often slow, rulemaking process. We’ve seen this before with CMMC-related deviations, such as delaying the insertion of clause 7021 until the final rule became effective and directing contractors to use NIST SP 800-171 Revision 2 despite the text of DFARS 7012 referencing the “most current” version.

What’s different this time is scale. As of February 1st, 2026, 38 DFARS deviations went into effect to align with the broader FAR overhaul. In the cybersecurity corner of the DFARS, that means 7019 is gone, 7020 has been renumbered to 252.240-7997, and the basic self-assessment requirement has been removed. Contractors are still required to implement NIST SP 800-171 under DFARS 7012. Medium and high DoD assessments conducted by DIBCAC remain in place. Contractors still have 14 days for rebuttals. Flowdown requirements remain intact. What has changed is the removal of redundancy.

Since November 10, 2025, contracts containing CUI that trigger DFARS 7012 also include at least a CMMC Level 2 self-assessment requirement under 32 CFR Part 170. That made the old 7019/7020 basic self-assessment duplicative. Instead of maintaining both a basic SPRS score and a CMMC score, contractors now deal only with CMMC score reporting where applicable. In that sense, this is a win. It simplifies compliance and removes confusion around whether and when to upload SPRS scores separate from CMMC requirements.

There are still practical complications. If you Google these clause numbers, you’ll likely see outdated text because the deviations have not yet been incorporated into Title 48 through rulemaking. Contractors may see clause 252.240-7997 in their contracts but not find it easily in public search results. Training materials and references may lag behind. Until the omnibus FAR overhaul is finalized through rulemaking, we will live in a world where clause numbers in contracts do not always match what appears in the CFR online.

As for the long-awaited FAR CUI rule, this overhaul may explain the delay. Rather than update CUI language in the middle of a sweeping rewrite, it’s likely that the final FAR CUI rule will be incorporated as part of a broader omnibus revision when the overhaul is formally codified.

The bottom line is this: the cybersecurity requirements are not going anywhere. If anything, they’ve been streamlined and reinforced. The deletion of 7019 and the removal of the basic SPRS upload requirement reduce redundancy without weakening NIST SP 800-171 implementation or CMMC enforcement. The clause numbers changed. The paperwork got lighter. The core requirements remain firmly in place.

Contact

Speak With Our Team

Scroll to Top