Paul Netopski

FAR & DFARS: Procurement Power

GovernmentTechnology

DFARS Part 240: What the Cybersecurity Overhaul Means

This episode breaks down the February 1, 2026 class deviation that creates DFARS Part 240, consolidating legacy cybersecurity and supply chain rules into a new structure without rewriting most contractor obligations. The hosts walk through key clause transfers, including 252.204-7012, the new 252.240-7997 assessment clause, and 252.204-7021’s CMMC award and flowdown requirements.

They also cover practical transition risks for contractors, from outdated clause matrices to missed subcontract flowdowns, and explain why disciplined crosswalks and synchronized legal, procurement, and cybersecurity processes are now essential.

This show was created with Jellypod, the AI Podcast Studio.


Chapter 1

Carrying Forward the FAR Part 40 Overhaul

Eric Marquette

Welcome back. This is a direct follow-on to our earlier episode, “Navigating DFARS Cybersecurity After the FAR Part 40 Overhaul.” I’m Eric Marquette, here again with Paul Netopski, and today we’re tightening the lens on the February 1, 2026 class deviation that creates DFARS Part 240.

Paul Netopski

That continuity matters. In the last episode, we talked about the FAR side moving information security and supply chain security content into FAR Part 40. This deviation does the DFARS equivalent. It consolidates legacy text that used to live in DFARS Parts 204, 225, and 239 into new DFARS Part 240, with corresponding PGI 240. The practical point is simple: this is mostly a relocation and renumbering exercise, not a wholesale rewrite of contractor obligations.

Eric Marquette

Right, and that can almost be more dangerous operationally, because teams see a “new part” and assume new substance everywhere, or the opposite, they ignore it because the rules feel familiar. But if your clause matrix, your solicitations, your review checklists, even your ERP notes still point only to the old locations, you can miss things.

Paul Netopski

Exactly. The memorandum is concrete. Effective February 1, 2026, contracting officers shall use the revised FAR Part 40, the attached new DFARS Part 240, and the attached PGI 240. And the deviation remains in effect until rescinded or incorporated into the FAR, DFARS, and DFARS PGI. So this is not theoretical. For covered contracting actions from that date forward, the new structure is the governing framework.

Eric Marquette

And Part 240 itself is pretty broad. You’ve got Subpart 240.2 for security prohibitions and exclusions, and Subpart 240.3 for safeguarding information. So things that used to feel scattered across telecom prohibitions, supply chain risk, covered defense information, incident reporting, CMMC—they’re now living under one roof.

Paul Netopski

Which is good for policy coherence, but it creates a transition problem. During implementation, contractors should expect both legacy citations and new DFARS 240 citations to show up in templates, internal SOPs, contract files, and maybe even informal correspondence. Some clause numbers remain unchanged. Some prescriptions moved. At least one new clause was added under the new part structure, 252.240-7997. So a contractor cannot rely on citation familiarity alone.

Eric Marquette

Yeah, this is where procurement and cybersecurity teams have to stay synchronized. If legal updates a playbook but supply chain doesn’t update its flowdown checklist, or IT knows 7012 but not where it now sits in the DFARS structure, you get drift. Small drift turns into missed representations, bad clause prescriptions, or incomplete subcontract packages.

Paul Netopski

And one frequently asked question is already baked into the deviation materials: why do some provisions and clauses referenced in Part 240 still look numbered as if they belong in other DFARS parts? Answer: because the text was consolidated, but some clause numbering was intentionally left in place to reduce transition burden. That is a useful answer, but it also means contractors need disciplined crosswalks, not assumptions.

Chapter 2

The Clause Transfers Contractors Need to Track

Eric Marquette

So let’s get into the clauses people actually live with. Start with the one everybody knows: DFARS 252.204-7012.

Paul Netopski

Under new DFARS 240, 252.204-7012 is prescribed at 240.370-5(c). The clause itself remains the core safeguarding and cyber incident reporting requirement. It still applies to covered contractor information systems handling covered defense information, except for solicitations and contracts solely for COTS items. And it still requires adequate security and, for systems not operated on behalf of the Government, application of NIST SP 800-171 security requirements, subject to approved variances.

Eric Marquette

And the reporting piece still has teeth. If a cyber incident affects a covered contractor information system or covered defense information, the contractor has to review for evidence of compromise and rapidly report to DoD at DIBNet within 72 hours of discovery. That timeline did not go away just because the DFARS shelf got reorganized.

Paul Netopski

Correct. Also, 7012 still carries the downstream obligations people forget under pressure: malicious software submission if detected and isolated, preserving images and relevant monitoring or packet capture data for at least 90 days, and providing access to additional information or equipment necessary for forensic analysis upon request. And importantly, the policy text in 240.370-3 says a cyber incident report does not by itself prove noncompliance. The contracting officer is supposed to consult with the component CIO or cybersecurity office before assessing contractor compliance.

Eric Marquette

That’s a really important nuance for contractors. Report fast, preserve evidence, cooperate, but don’t assume the fact of reporting equals automatic breach of contract. Now, 7019 and 7020 aren’t reproduced in the deviation pages we reviewed, but they’re part of the assessment ecosystem tied to NIST SP 800-171 and SPRS, and the source materials make the assessment structure clearer under Part 240.

Paul Netopski

Yes. The new assessment clause introduced here is 252.240-7997, prescribed at 240.370-5(d), titled NIST SP 800-171 DoD Assessment Requirements. Operationally, that clause reinforces DoD assessment access rights for covered contractor information systems that must comply with 7012. It states the contractor shall provide access to facilities, systems, and personnel necessary for Medium or High DoD assessments, and that summary level scores will be posted in SPRS. That SPRS visibility is the same operating environment contractors already associate with assessment-related clauses such as 252.204-7019 and 252.204-7020.

Eric Marquette

So if I’m a contractor, the practical difference is this: 7012 is your baseline safeguarding and incident reporting obligation; 7019 and 7020 are about assessment posture, NIST 800-171 scoring, and DoD’s ability to evaluate what you’ve implemented; and now Part 240 plus 252.240-7997 makes that framework more explicit inside the reorganized DFARS.

Paul Netopski

That is a fair summary based on the materials. Then 252.204-7021 is the CMMC clause, and this one is about award eligibility and ongoing eligibility. Under 240.371-3 and 240.371-4, the contracting officer must not award, exercise an option, or extend performance unless the offeror or contractor has a current CMMC status in SPRS at the level required by the solicitation or contract, for each applicable contractor information system. That is a hard gate.

Eric Marquette

And 7021 also requires the contractor to process, store, or transmit FCI or CUI only on systems with the required CMMC status, to submit the relevant CMMC UIDs, and to complete annual affirmations of continuous compliance in SPRS. Plus flowdown.

Paul Netopski

Yes, flowdown is explicit. The contractor must consult 32 CFR 170.23 and flow down the correct CMMC level to subcontracts and other contractual instruments. And before awarding a subcontract, ensure the subcontractor has the current CMMC certificate or current CMMC status at the appropriate level. So for primes, this is not just internal readiness. It is supply chain governance.

Chapter 3

Effective Dates, Class Deviation, and What to Do Now

Eric Marquette

Let’s make the date piece unmistakable. This class deviation is effective February 1, 2026. Not “sometime in fiscal year 2026,” not “after systems catch up.” February 1.

Paul Netopski

That is correct. The memorandum states that effective February 1, 2026, contracting officers shall use the revised FAR Part 40, the attached new DFARS Part 240, and PGI 240. So contractors should act on the new structure as soon as it applies to their contracting actions. At the same time, they should expect a transition period. Legacy references may continue to appear in older templates, clause guides, compliance tools, and contract administration notes.

Eric Marquette

Which means, practically, if your team sees a reference to former 204, 225, or 239 locations, don’t panic, but don’t ignore it either. Crosswalk it. Confirm whether the same requirement is now sitting in 240. And if you’re managing active proposals, mods, option exercises, or subcontract packages, check both the old citation and the new structure.

Paul Netopski

Yes. Especially where award eligibility hinges on current status in SPRS, such as CMMC under 252.204-7021, or where safeguarding obligations under 252.204-7012 and assessment access requirements under the new 252.240-7997 are implicated. During a transition, the risk is not usually misunderstanding policy intent. The risk is administrative mismatch.

Eric Marquette

That’s a good phrase for it: administrative mismatch. The rules may be substantially familiar, but if the wrong prescription is sitting in your template, or your flowdown checklist hasn’t been updated, or your clause library isn’t mapped to Part 240, you can still miss a required provision or fail to brief a subcontractor correctly.

Paul Netopski

So the operational takeaway is immediate action. Update clause libraries. Update solicitation and subcontract templates. Update internal crosswalks from legacy DFARS citations to Part 240. Review flowdown checklists for 252.204-7012, assessment-related requirements tied to NIST SP 800-171 and SPRS, and 252.204-7021 for CMMC. And ensure procurement, legal, contracts administration, and cybersecurity teams are using the same reference set.

Eric Marquette

Yeah, do it now, before the mixed-citation period turns into rework. We’ll keep tracking how these deviations settle into day-to-day contracting practice. Paul, good to keep this one practical.

Paul Netopski

Likewise, Eric. Update the templates, the clause libraries, and the flowdowns first. Everything else gets easier after that.

Eric Marquette

And that’s where we’ll leave it. Thanks, Paul. Thanks, everyone. We’ll see you next time.

Paul Netopski

Goodbye, Eric. Goodbye, everyone.