Paul Netopski

FAR & DFARS: Procurement Power

GovernmentTechnology

Navigating DFARS Cybersecurity After the FAR Part 40 Overhaul

This episode of FAR & DFARS: Procurement Power breaks down the 2026 DoD class deviation 2026-O0025 that implements the Revolutionary FAR Overhaul for Part 40 and creates the new DFARS Part 240 for Information Security and Supply Chain Security. Hosts Paul Netopski and Eric Marquette explain how key cybersecurity requirements are being relocated, rewritten, and tightened—especially around safeguarding covered defense information, NIST SP 800-171 DoD Assessments, and Cybersecurity Maturity Model Certification (CMMC). We start with the big-picture context: why the FAR overhaul is stripping out extraneous language, what a class deviation is, and how DFARS Part 240 and its PGI now consolidate rules on information security, supply chain risk, and prohibited sources. Then we zoom in on the new and revised clauses, including DFARS 252.204-7012 and the new deviation clause 252.240-7997, NIST SP 800-171 DoD Assessment Requirements, that replaces the old “basic” self-assessment model with Medium and High government-led validations. Finally, Paul and Eric walk contracting officers and defense contractors through the messy overlap period while both the “old” and “new” rules coexist. They highlight what applies to new awards versus legacy contracts, how to read solicitations that still reference older DFARS numbering, and what practical steps primes and subs should take now to prepare for more rigorous government-led assessments. If you work in federal procurement, compliance, or cybersecurity within the Defense Industrial Base, this episode will help you translate the FAR Part 40 overhaul into concrete action items for your contracts and systems.

This show was created with Jellypod, the AI Podcast Studio. Create your own podcast with Jellypod today.

Chapter 1

What the FAR Part 40 Overhaul and DFARS 240 Class Deviation Actually Did

Eric Marquette

Welcome back to FAR & DFARS: Procurement Power. I’m Eric Marquette, here with my co‑host, Paul Netopski. Today we’re diving into what the Revolutionary FAR Overhaul did to Part 40, and how that cascades into the new DFARS Part 240 and the Class Deviation 2026‑O0025.

Paul Netopski

Yeah, this is where the cyber rubber really meets the contracting road. Starting February 1st, 2026, that class deviation tells DoD contracting officers, “Use the revised FAR Part 40 and the new DFARS Part 240 and PGI 240 instead of what’s sitting in the Code of Federal Regulations.” So, the law hasn’t changed overnight—but the instructions you follow have.

Eric Marquette

Let’s unpack that “class deviation” piece. Folks hear it a lot, but in practice, what does 2026‑O0025 actually do?

Paul Netopski

A class deviation is basically DoD saying, “We’re not going to follow parts of the existing FAR or DFARS text for a whole class of contracts. Instead, here’s alternate language you must use.” It’s authorized under the FAR and DFARS, and it lets DoD move faster than the full, multi‑year rulemaking process. 2026‑O0025 is the vehicle that implements the Revolutionary FAR Overhaul for Part 40 on the DoD side and stands up DFARS Part 240 and PGI 240.

Eric Marquette

So, even though the CFR still shows the old Part 39/Part 204 structure, COs are told: “Ignore that; use the Overhaul version of FAR 40 plus DFARS 240 and PGI 240.”

Paul Netopski

Exactly. The memo literally says “use the revised FAR Part 40… in lieu of the text codified at 48 CFR chapter 1,” and use the attached DFARS 240 and PGI 240. And the theme of that new structure is very explicit: “Information Security and Supply Chain Security.” All the stuff that used to be scattered—telecom prohibitions, supply‑chain risk, safeguarding covered defense information, NIST 800‑171 assessments, CMMC—is now consolidated under DFARS Part 240.

Eric Marquette

Let’s do an “old versus new” contrast. Before this, cyber requirements were mostly living in DFARS Part 204, some in Part 239, and then a bunch of clauses like 252.204‑7012 hanging off of that. What’s different now?

Paul Netopski

Right, legacy world: 252.204‑7012 was still your core safeguarding and incident‑reporting clause, but the policy scaffolding was up in 204.73 and related sections. Supply‑chain risk lived in Part 239 as 239.73, and telecom prohibitions were off in other corners. It all worked, but it was fragmented. Under the deviation, DFARS Part 240 becomes the single front door for all of that. Subpart 240.2 covers “Security Prohibitions and Exclusions”—things like telecommunications restrictions, supply‑chain risk authorities, prohibited sources. Subpart 240.3 is “Safeguarding Information”—that’s where you now see 240.370 for safeguarding covered defense information and cyber incident reporting, and 240.371 for CMMC.

Eric Marquette

So for listeners: a lot of the requirements you already know—protect covered defense information, report cyber incidents, avoid Huawei or ZTE gear, respect supply‑chain risk exclusions—those didn’t suddenly appear. They’ve mostly been reordered and rewritten for clarity and to align with the new FAR 40.

Paul Netopski

That’s right. For example, 252.204‑7012 is still the core safeguarding clause. It’s updated, but the concepts—NIST SP 800‑171, reporting to DIBNet within 72 hours, preserving media—are familiar. What’s new is how it’s framed in 240.370 as part of a coherent safeguarding policy. And then DoD layers on the new deviation clause 252.240‑7997 for NIST SP 800‑171 DoD Assessment Requirements, and the CMMC machinery in 240.371 with 252.204‑7021 and ‑7025. The big takeaway for this episode: don’t treat this as an entirely new cyber universe. Treat it as a re‑baselining. Same mission, tighter integration, and a new home address—DFARS Part 240.

Eric Marquette

And that re‑baselining is what we’re gonna walk through in the next segment: how 7012, NIST 800‑171 assessments, and CMMC now fit together inside this new DFARS 240 world.

Chapter 2

The Cyber Core – 7012, 800‑171 Assessments, and CMMC in DFARS 240

Eric Marquette

Alright, Paul, let’s dig into what you just called the “cyber core.” Start with 240.370 and 252.204‑7012. How is safeguarding and incident reporting organized now?

Paul Netopski

240.370 is the policy backbone for 252.204‑7012. It tells you the scope—this applies whenever contractors and subcontractors have to safeguard “covered defense information” on “covered contractor information systems,” and they must report cyber incidents. It defines the key terms and then lays out policy: Contractors must provide “adequate security” in line with 32 CFR 2002 and the 7012 clause. They must rapidly report cyber incidents—still within 72 hours—to DIBNet. Subcontractors report to DIBNet and pass the incident number up the chain to the prime.

Eric Marquette

And 7012 itself didn’t get flipped upside‑down, right? It still anchors on NIST SP 800‑171 as the minimum for protecting covered defense information.

Paul Netopski

Correct. The May 2024 version of 252.204‑7012, which the deviation points to, still says: if your system is not operated on behalf of the Government, you implement NIST SP 800‑171. It keeps the December 31, 2017 implementation milestone language and the path to request variances from NIST controls through the DoD CIO. It also preserves the key operational requirements:

• Implement NIST 800‑171 on covered systems.
• Report cyber incidents to DIBNet within 72 hours.
• Submit malicious code samples to DC3 when directed.
• Preserve images and logs for at least 90 days.
• Provide access for forensic analysis if DoD requests it.

What 240.370 does is clarify that a reported cyber incident, by itself, is not evidence of noncompliance. The contracting officer has to look at it in context and consult with the component CIO or cybersecurity office.

Eric Marquette

So that’s the safeguarding side. Now layer in the assessments. The deviation introduces 252.240‑7997, NIST SP 800‑171 DoD Assessment Requirements. How is that different from the older “basic self‑assessment” world people remember?

Paul Netopski

Under 252.240‑7997, the focus is on government‑led Medium and High NIST SP 800‑171 DoD Assessments. The clause says: if 7012 applies—so your systems must comply with NIST 800‑171—then you must provide access to facilities, systems, and personnel for DoD to conduct a Medium or High assessment using the methodology in 32 CFR 170.24. Medium assessments involve reviewing your prior assessment, a thorough document review, and discussions with you. High assessments add verification, examination, and demonstration activities—essentially walking down your system security plan. In both cases, the result is a scored assessment with either Medium or High confidence. Summary‑level scores go into SPRS: which standard was assessed, who did it—often DCMA, which CAGE codes it covers, the date and level, the overall score, and the date you expect to close your POA&Ms.

Eric Marquette

So the big shift is: no more relying solely on contractor “basic” scoring. Medium and High are driven by trained government assessors, and those scores live in SPRS where COs can see them.

Paul Netopski

Exactly. And the clause is clear that DCMA‑led Medium or High assessments take precedence over other assessments. Contractors do get due process: 252.240‑7997 gives you 14 business days after an assessment to rebut or provide additional evidence before the score is finalized in SPRS. Now, tie that to CMMC. 240.371 defines the CMMC framework in the DFARS: CMMC status, CMMC UIDs for each information system, and what “current” means for both conditional and final statuses. Policy at 240.371‑3 is blunt: contracting officers must not award a contract, task order, or delivery order if the offeror does not have a current CMMC status at or above the required level in SPRS. Same for exercising options or extending periods of performance.

Eric Marquette

And the tools COs and offerors see in the solicitation are 252.204‑7021 and 252.204‑7025, right?

Paul Netopski

Right. 252.204‑7021 is the contract clause—“Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirements.” It requires the contractor to:

• Have and maintain, for the life of the contract, a current CMMC status at the level the CO inserts in the clause.
• Only process FCI or CUI on systems that have that CMMC status.
• Enter self‑assessment results in SPRS where applicable, and complete annual affirmations of continuous compliance.
• Flow down the appropriate CMMC level to subs and ensure they have current CMMC status before subcontract award.

252.204‑7025 is the companion solicitation provision, “Notice of CMMC Level Requirements.” It tells offerors the required CMMC level and makes award eligibility explicit: if you don’t have the right CMMC status and current affirmation in SPRS for each system that will handle FCI or CUI, you are not eligible for award. So now we have a pretty tight loop: 7012 sets the technical baseline via NIST 800‑171; 252.240‑7997 enables Medium/High government assessments and scoring in SPRS; and 7021/7025 plus 240.371 convert that technical and assessment status into a go/no‑go condition for award and option exercise.

Eric Marquette

That’s the connective tissue a lot of people have been waiting to see spelled out. Next, we’ll talk about what to actually do during the overlap period—old rules still printed, new rules in the deviation, and a mix of clauses showing up in your solicitations.

Chapter 3

Managing the Overlap – Practical Steps for COs and Contractors

Eric Marquette

Let’s talk about the messy middle, because we’re in it now. Paul, during this deviation period, the CFR still shows the old text, but COs are instructed to use the Overhaul version of FAR 40 and DFARS 240. How does that play out in real contracts?

Paul Netopski

Think of it as two layers. Layer one is what’s printed in the CFR and in legacy guidance—old FAR Part 39 references, older DFARS Part 204 and 239 sections. Layer two is the controlling text in the class deviation package: the Overhaul FAR Part 40, new DFARS 240, PGI 240, and the deviation clauses like 252.240‑7997. For new solicitations issued on or after February 1, 2026, COs are supposed to use the deviation set. So you should see 240.370 cited for safeguarding, 240.371 for CMMC, and clauses like 252.204‑7012, 252.240‑7997, 252.204‑7021, and 252.204‑7025 in the solicitation. Existing contracts, awarded before that date, generally keep the clauses they were awarded with, unless the CO bilaterally modifies them to add the new language.

Eric Marquette

So if I’m a contractor, I might have older contracts that reference the pre‑overhaul structure, and brand‑new awards that pull from DFARS 240 and include 252.240‑7997 and the CMMC clauses. Both are valid, but different.

Paul Netopski

Exactly. And options are where people stumble. The deviation tells COs to use the new DFARS 240 and clauses going forward, but options are still part of the existing contract. So a CO has to decide: do I exercise the option under the old clause set, or do I negotiate a modification to bring the contract into alignment with the new framework before or concurrent with that option exercise? That’s a judgment call, but 240.371 makes clear: you can’t exercise an option if the contractor doesn’t have a current CMMC status at the required level in SPRS. So even legacy vehicles get pulled into the new CMMC reality once 7021 is on the contract.

Eric Marquette

Let’s split the guidance. First, for contracting officers: what are the practical steps they should take when reading and drafting solicitations in this transition?

Paul Netopski

For COs, I’d boil it down to four actions:

1) Always start from the deviation package, not the CFR. When you’re building a solicitation, treat the Overhaul memo and DFARS 240/PGI 240 as the source of truth. Use 240.370‑5 to prescribe 252.204‑7008, ‑7009, ‑7012, and 252.240‑7997; and 240.371‑5 for 252.204‑7021 and ‑7025.

2) Check for mixed references. If your template still mentions “Part 204 safeguarding” or older NIST assessment language, reconcile it with 240.370 and 252.240‑7997. If the solicitation includes the deviation clause, the deviation governs—even if older text is still cited somewhere else. Clean up those inconsistencies before release when you can.

3) Map “old to new” internally. Build a quick crosswalk: where 204.73 content moved into 240.370, where 239.73 became 240.271 and 252.239‑7018, and where CMMC policy now lives at 240.371 with 7021/7025. That makes it easier to answer questions from industry.

4) Use SPRS as a gate. For awards and options that include 7021, you must verify in SPRS that the offeror or contractor has a current CMMC status at the required level, and you should review NIST 800‑171 scores from 252.240‑7997 assessments when they exist. Document those checks in the file.

Eric Marquette

Alright, now for industry—both primes and subs. What should they be doing right now to survive this overlap without missing awards?

Paul Netopski

For contractors, here’s a concrete checklist:

1) Inventory your contracts and clauses. Identify which contracts have 252.204‑7012 only, which also have 252.240‑7997, and which now include 252.204‑7021 and ‑7025. That tells you where government‑led 800‑171 assessments and CMMC are already contractually in play.

2) Validate your NIST SP 800‑171 implementation. Make sure your system security plans and POA&Ms actually reflect reality. Medium or High assessments under 252.240‑7997 will test what’s in those documents. If DCMA shows up, you want your documentation and your environment to match.

3) Check SPRS. Confirm your existing NIST 800‑171 scores and, where applicable, your CMMC statuses and UIDs. Correct anything that’s out of date, and make sure your affirmations of continuous compliance are current, because 7021 and 7025 tie award eligibility directly to what’s in SPRS.

4) Prepare for government‑led Medium/High assessments. That means: identify who will host assessors, how you’ll provide evidence mapped to 800‑171, and how you’ll respond during that 14‑business‑day rebuttal window if you disagree with findings.

5) Clean up your flowdowns. Update your standard subcontract templates to flow down 7012, 252.240‑7997, and 7021 where appropriate, and explicitly require subs to maintain the right CMMC status and, if applicable, to cooperate with Medium/High assessments.

6) Update internal training and checklists. Your contracts, supply‑chain, and capture teams need to recognize the new DFARS 240 structure, the deviation clause numbers, and the fact that missing CMMC status or an out‑of‑date SPRS record is now a show‑stopper for award.

Eric Marquette

And just to underline it: this isn’t optional hygiene anymore. 240.371 makes CMMC status and SPRS a hard eligibility gate, and 240.370 plus 252.240‑7997 give DoD a much clearer lens into whether 800‑171 is actually implemented.

Paul Netopski

That’s right. If you treat this as “just more paperwork,” you’re going to lose on technical acceptability before you ever get to price. If you treat it as core to delivery—just like quality or safety—you’ll be aligned with where DoD is clearly heading.

Eric Marquette

We’ll stop there for today. In upcoming episodes, we’re gonna zoom in on individual clauses—like 252.204‑7012 and 252.240‑7997—and walk through what good compliance and good documentation actually look like.

Paul Netopski

Yeah, we’ll take these pieces one at a time so COs and contractors can translate the regulatory language into concrete actions. Eric, thanks as always.

Eric Marquette

Thank you, Paul. And thanks to everyone listening. We’ll see you next time on FAR & DFARS: Procurement Power.