Skip to main content
govconCyber
Rule Updates

Where Did DFARS 7019 and 7020 Go? The FAR Overhaul's Quiet Cybersecurity Reshuffle

Two DFARS clauses that defense contractors have cited for years vanished on February 1, 2026. If you went looking for 252.204-7019 and couldn't find it, you're not imagining things — and the good news is that almost nothing about your actual obligations changed.

Brandon Hancock, J.D., CMMC-RPPublished June 17, 2026Updated June 17, 20265 min read

# Where Did DFARS 7019 and 7020 Go? The FAR Overhaul's Quiet Cybersecurity Reshuffle

*Two DFARS clauses that defense contractors have cited for years vanished on February 1, 2026. If you went looking for 252.204-7019 and couldn't find it, you're not imagining things — and the good news is that almost nothing about your actual obligations changed.*

If you pulled up your standard DFARS cybersecurity references this year and found DFARS 252.204-7019 gone and 7020 renumbered, that's not an error. Effective February 1, 2026, as part of the Revolutionary FAR Overhaul, DoD restructured its cybersecurity clauses. The change generated a lot of confusion and very little substantive impact — but because these clauses appear in solicitations, flow-down packages, and compliance checklists across the Defense Industrial Base, it's worth understanding exactly what moved.

What the Clauses Used to Do

For years, three DFARS clauses divided the cybersecurity labor:

  • 252.204-7012 — the substance: safeguard covered defense information using NIST SP 800-171, and report cyber incidents within 72 hours.
  • 252.204-7019 — the gate for offerors: to be eligible for award on a covered contract, have a current NIST 800-171 assessment score (generally within three years) posted in SPRS.
  • 252.204-7020 — the assessment requirements behind that score, including government access for higher-level assessments and flow-down to subcontractors.

In short, 7012 told you *what* to do, and 7019/7020 told you to *prove it with a posted score.*

What Actually Happened on February 1, 2026

As part of the FAR Overhaul — a sweeping, principle-based rewrite of federal acquisition regulation — DoD issued a large batch of class deviations to remove redundancy. Among them:

  • DFARS 252.204-7019 was deleted outright.
  • DFARS 252.204-7020 was renumbered to 252.240-7997, and trimmed in the process: it no longer references "Basic" (contractor self) assessments and now covers only the government-performed Medium and High assessments.

The driver was redundancy, not relaxation. The standalone "self-assess and upload to SPRS" pathway that 7019/7020 created was increasingly duplicative of CMMC, which verifies the very same NIST 800-171 controls. So DoD folded the contractor-facing obligation into CMMC under DFARS 252.204-7021 and let the old self-assessment clauses go.

What Did *Not* Change

This is the part to internalize before you rewrite any internal documentation:

  • DFARS 252.204-7012 is untouched. The safeguarding requirement and the 72-hour incident-reporting clock are exactly as they were.
  • The standard is still NIST SP 800-171 Revision 2 — 110 controls, via the standing class deviation. Rev 3 has not been adopted for contracts.
  • SPRS is still the system of record. Scores still live there; the methodology (110 down to -203, weighted deductions, POA&M items counting against you) is unchanged.
  • Your security posture requirement is identical. If you were compliant on January 31, you were compliant on February 1.

What changed is the *plumbing* — which clause number creates the obligation and routes it — not the water flowing through it.

What Contractors Should Actually Do

1. Update your clause references. Replace citations to 252.204-7019 and 7020 in templates, checklists, and subcontract flow-down language with the current structure (CMMC/252.204-7021, and 252.240-7997 where you're referencing government Medium/High assessments). Confirm the exact citations against your current solicitation and acquisition.gov. 2. Keep your SPRS score current and honest. The obligation now reaches you through CMMC, but the score still matters and the False Claims Act exposure for an inflated number is unchanged. 3. Don't mistake renumbering for relief. The FAR Overhaul's final tranches continue rolling out through mid-2026. Expect more structural/numbering churn — and re-check your cyber clause citations after each wave — but don't expect the underlying security bar to drop.

Key Takeaways

  • DFARS 252.204-7019 was deleted and 7020 renumbered to 252.240-7997 (government Medium/High assessments only), effective February 1, 2026, under the Revolutionary FAR Overhaul.
  • The contractor self-assessment obligation now flows through CMMC (DFARS 252.204-7021), with SPRS still the system of record.
  • Nothing substantive changed: DFARS 7012, the 72-hour reporting clock, and the 110-control NIST 800-171 Rev 2 baseline all remain in force. Update your clause references, not your controls.

For the bigger picture, see how SPRS scoring works in Your SPRS Score, how the standards fit together on Frameworks, and what governs your contracts via Find My Requirements.

---

*Sources: Summit7 — Why the RFO Ended DFARS 7019 and 7020; Secureframe — A Guide to the DFARS Clauses Behind CMMC & How They've Changed in 2026; CuickTrac — DFARS 7019 is Gone; DFARS 252.204-7021, acquisition.gov. Informational only, not legal advice; verify clause citations against your solicitation.*

Tags
Share
BH

Brandon Hancock

J.D. · CMMC Registered Practitioner (RP)

Brandon is the editor of GovConCyber. He translates federal cybersecurity rules into plain language for the contractor community, with a focus on CMMC, DFARS, and False Claims Act enforcement trends.

About GovConCyber →Subscribe to the newsletter →
Was this post helpful?

Keep reading

Rule UpdatesNIST Just Finalized 800-172 Rev 3 — Here's Why CMMC Level 3 Contractors Shouldn't Panic YetOn May 13, 2026, NIST finalized a much bigger version of the enhanced-security publication behind CMMC Level 3. The headline number nearly tripled — but if you're chasing Level 3 today, the rules you're measured against did not change.June 17, 2026 · 6 min readRule UpdatesCISA's New Patching Directive (BOD 26-04) Rewrites the Vulnerability Clock — and Contractors Should Read It TooCISA's BOD 26-04 replaces BOD 19-02 and 22-01 with a risk-based patching model: fix the highest-risk, actively exploited, edge-facing flaws in three days. It binds agencies, but it reaches their contractors.June 14, 2026 · 6 min readRule UpdatesFedRAMP's 2026 Consolidated Rules Are Coming This Month: What Cloud Contractors Should Do NowFedRAMP will publish its 2026 Consolidated Rules (CR26) by the end of June: one stable rulebook through 2028, plus a shift from change requests to change notifications for cloud providers.June 9, 2026 · 6 min read