This article analyzes the DoW Class Deviation 2026-O0025, Revolutionary FAR Overhaul Part 40 and DFARS Part 240, issued by the Office of the Under Secretary of Defense for Acquisition and Sustainment and effective February 1, 2026.
The official government document is published by the Defense Acquisition Regulations System (DARS) and is available here:
https://www.acq.osd.mil/dpap/dars/dfars_far_overhaul_class_deviations.html
Why This Class Deviation Exists
The Revolutionary FAR Overhaul is a government-wide effort to reorganize and modernize acquisition regulations. The stated goal is simplification, but simplification does not mean reduced enforcement.
For the DoW, this meant creating new FAR Part 40 and new DFARS Part 240 to consolidate cybersecurity, supply chain, and information security requirements that were previously scattered across Part 204 and other sections.
Understanding which changes are structural and which are substantive is critical. This article focuses on the changes that directly affect cybersecurity assessments tied to NIST SP 800-171 and CUI handling.

The Key DFARS Clause Change Contractors Must Understand
Under this class deviation, DFARS 252.204-7020, NIST SP 800-171 DoW Assessment Requirements, no longer exists in its prior form. It has been replaced by:
DFARS 252.240-7997, NIST SP 800-171 DoW Assessment Requirements (Deviation 2026-O0025) (FEB 2026)
The prescription directing when this clause is used is located at DFARS 240.370-5.
This is not cosmetic renumbering. The clause text itself matters.
What Was Removed: “Basic” Assessments
Under the previous framework, contractors were accustomed to three assessment concepts: basic, medium, and high. The “basic” assessment was commonly treated as a self-attestation exercise tied to SPRS score submission.
In the new clause text of DFARS 252.240-7997, there is no definition of a basic assessment.
The clause defines only Medium and High assessments, both of which are government-performed and based on NIST SP 800-171A assessment procedures. This omission is deliberate and consistent throughout the clause.
In parallel, the deviation explicitly removes DFARS 252.204-7019, Notice of NIST SP 800-171 DoW Assessment Requirements, which was the provision that previously required contractors to submit a basic self-assessment score to SPRS.
Together, these two changes eliminate the concept of a contractor-only “basic” assessment under DFARS assessment language.
What the New Clause Actually Authorizes
Under DFARS 252.240-7997, a Medium Assessment is a government-led review using NIST SP 800-171A that includes examination of evidence and results in a confidence-based score.
A High Assessment is a more comprehensive government-led assessment using NIST SP 800-171A. It includes detailed review of the System Security Plan, validation of implemented controls, and direct engagement with contractor personnel for clarification.
The clause language is built around validation, not attestation.
Once this clause is in a contract, the DoW has clear authority to assess compliance beyond paper claims.
How This Interacts with CMMC (and Why Contractors Get Confused)
This deviation does not remove or replace CMMC requirements. DFARS 252.204-7021 (CMMC Requirements) and DFARS 252.204-7025 are explicitly unchanged by the deviation.
This distinction matters.
CMMC defines certification requirements. DFARS clauses define contract enforcement authority. Even if a contractor is permitted to self-assess under CMMC, the presence of DFARS 252.240-7997 in a contract gives the government the right to validate cybersecurity claims through a Medium or High assessment.
CMMC level does not override contract clause authority.
What Did Not Change Under the Deviation
The class deviation makes clear that DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, remains unchanged. The obligation to implement NIST SP 800-171 controls when handling CUI is not new.
What changed is not the requirement, but the enforcement posture tied to assessments.

Why the DoW Made This Change
The removal of basic assessment language aligns with broader enforcement trends across the federal government. The DoW has seen repeated gaps between self-reported compliance and actual implementation.
By structuring assessment authority around Medium and High assessments, the DoW reduces reliance on contractor declarations and increases confidence in verification outcomes.
This change also aligns with increasing DOJ scrutiny of cybersecurity representations tied to federal contracts.
What Defense Contractors Should Do Now
Contractors should assume that cybersecurity claims may be validated if DFARS 252.240-7997 is present in a contract or flow-down.
System Security Plans should reflect actual implementation. Evidence should be organized and current. Controls marked as implemented should be demonstrable, not aspirational.
Waiting until an assessment is initiated increases risk.
www.acq.osd.mil/dpap/dars/classdev/DFARS_RFO/Part-240/2026-O0025_TAB_A_Deviation_Memo_DFARS_240.pdf
Final Takeaway
This class deviation does more than renumber clauses. It removes the concept of “basic” cybersecurity assessments and replaces it with a framework centered on government validation.
If DFARS 252.240-7997 is in your contract, assessment authority exists. CMMC level does not shield contractors from review. Proof matters more than promises.
Contractors that understand this shift early are better positioned to protect eligibility and avoid costly surprises as enforcement continues to tighten.





