
Big Changes to DFARS Cybersecurity Requirements
As of February 1, 2026, significant changes have taken effect in the Defense Federal Acquisition Regulation Supplement (DFARS) that directly impact defense contractors handling Controlled Unclassified Information (CUI).
Most notably:
- DFARS 252.204-7019 has been deleted
- DFARS 252.204-7020 has been renumbered
- The requirement to conduct and upload a “Basic” NIST SP 800-171 self-assessment score into SPRS has been removed
If you are a defense contractor, this is important. But it does not mean cybersecurity requirements are going away.
Let’s break down what actually changed, and what did not.
What Was DFARS 7019?
DFARS 252.204-7019 required contractors to:
- Conduct a NIST SP 800-171 Basic self-assessment
- Calculate a score using the DoD scoring methodology
- Upload that score into the Supplier Performance Risk System (SPRS)
This applied to contractors handling CUI under DFARS 252.204-7012.
Its purpose was to give the DoD visibility into a contractor’s cybersecurity posture before contract award.
As of February 1, 2026, 7019 no longer exists.
What Happened to DFARS 7020?
DFARS 252.204-7020 previously governed DoD assessments and required:
- Contractors to allow DoD access for Medium or High assessments
- Submission of self-assessment scores to SPRS
- Verification that subcontractors had current SPRS scores
As part of a broader FAR overhaul effort, 7020 has been:
- Renumbered to DFARS 252.240-7997
- Revised to remove the “Basic” self-assessment requirement
Medium and High DoD assessments remain unchanged.
Does This Mean You No Longer Need a Self-Assessment?
No.
This is where confusion is already starting.
The deletion of DFARS 7019 does not eliminate cybersecurity assessment requirements. Instead, it removes redundancy.
Here is what changed:
- The separate NIST 800-171 Basic Assessment requirement tied to SPRS uploads has been removed.
Here is what did not change:
- DFARS 252.204-7012 remains in effect
- Contractors handling CUI must still implement NIST SP 800-171
- CMMC Level 2 self-assessments are still required when applicable
- CMMC Level 2 scores must still be entered into SPRS
In short, the government eliminated duplication between:
- The old NIST 800-171 Basic Assessment process, and
- The CMMC Level 2 self-assessment process
You now have one framework to follow instead of two parallel scoring requirements.
Why Did This Happen?
These changes are part of a broader initiative known as the “Revolutionary FAR Overhaul,” an effort to streamline federal acquisition regulations by removing outdated or redundant provisions.
The removal of DFARS 7019 appears to be part of that cleanup effort.
Rather than maintain overlapping assessment mechanisms, DoD has consolidated around the CMMC structure for CUI protection.
What Defense Contractors Should Do Now
- Do not assume cybersecurity requirements have been reduced.
- Continue implementing NIST SP 800-171 if you handle CUI.
- Prepare for or maintain compliance with CMMC Level 2 requirements.
- Ensure subcontractors remain compliant under current flow-down requirements.
- Monitor solicitations for updated clause numbering (including DFARS 252.240-7997).
Clause numbers are changing. Requirements are not disappearing.
The Bottom Line
The end of DFARS 7019 and the removal of SPRS Basic Assessment uploads ultimately amount to a simplification, not a rollback.
You now have:
- Fewer overlapping requirements
- One clear assessment path under CMMC
- Continued accountability for protecting CUI
If your organization is unsure how these changes affect your contracts, your SPRS record, or your CMMC readiness, now is the time to review your compliance posture.
SME, Inc. is closely tracking regulatory developments and helping defense contractors navigate this evolving landscape with clarity and confidence.



