The DFARS Clauses Behind CMMC, and How They Changed in 2026

A plain-English map of the DFARS cybersecurity clauses behind CMMC - 7012, 7019, 7020, 7021 - and how the 2026 FAR overhaul retired, renumbered, and consolidated them.
Reference

Four DFARS clauses carry the cybersecurity weight in a defense contract - and in early 2026 the FAR overhaul reshuffled the middle of them. This is the plain-English map: what each clause requires, which ones moved, and where the SPRS score lives now. Tracks the DoD class deviations effective February 1, 2026, the CMMC 48 CFR final rule, and the July 13, 2026 Phase 2 suspension (memo 26-P-1023); verified July 14, 2026.

The chain: safeguard, assess, certify

The clauses stack in a sequence. 7012 makes you safeguard the data. The assessment clauses make you score and post how well you did. 7021 makes CMMC certification a condition of award. For years the assessment step lived in 7019 and 7020; the 2026 FAR overhaul retired 7019 and moved 7020’s mechanics into a new number, folding the self-assessment into the CMMC program itself. The obligations did not shrink - the labels changed.

252.204-7012: Safeguarding CDI & Cyber Incident Reporting

Status: unchanged. The foundational clause. If your contract involves Covered Defense Information / CUI, 7012 requires you to implement NIST SP 800-171 (Revision 2), keep a System Security Plan, and report cyber incidents to DoD within 72 hours - and to flow the same obligations down to subcontractors. Its companion solicitation provision, 252.204-7008, is where you represent that you will comply. Nothing about 7012 moved in 2026.

Mac angle: 7012 is where FileVault, FIPS-validated encryption, and your MDM-enforced baseline earn their place in the SSP - see CMMC for macOS.

252.204-7019: Notice of NIST SP 800-171 DoD Assessment (retired 2026)

Status: eliminated as a standalone provision, effective February 1, 2026. 7019 was the “notice” provision - it told offerors they needed a current NIST SP 800-171 self-assessment score in SPRS to be eligible for award. The 2026 class deviations removed it as a separate provision; the self-assessment it pointed to now lives inside the CMMC framework (below). If you are reading an older contract you may still see 7019 cited - it governs that contract as written, but new solicitations issued under the deviation do not carry it.

252.204-7020 → 252.240-7997: NIST SP 800-171 DoD Assessment Requirements (renumbered 2026)

Status: renumbered and restructured. 7020 governed the higher-confidence DoD-performed assessments - Medium and High, conducted by DIBCAC - plus subcontractor flow-down and assessor access. Effective February 1, 2026 its mechanics were carried into a new number, 252.240-7997, under the overhauled DFARS Part 240. The Basic self-assessment piece was stripped out (that job moved to CMMC); the Medium/High DIBCAC assessment role continues under the new number.

252.204-7021: Contractor Compliance with the CMMC Level Requirement

Status: unchanged; now operational. 7021 is the CMMC clause: it makes holding the required CMMC level a condition of award and maintenance, with flow-down to subcontractors. It became operational with the CMMC 48 CFR final rule on November 10, 2025 and phases into solicitations across four annual waves (Phase 1 in 2025 through Phase 4 in 2028). Its companion provision is 252.204-7025. This is the clause to expect when a prime or a solicitation asks about “CMMC Level 2.”

Update - July 13, 2026 Phase 2 suspension: the Department suspended the November 10, 2026 Phase 2 transition and pending CMMC milestones pending a 60-day program review (memo 26-P-1023). During the suspension, solicitations may designate only Level 1 (Self) or Level 2 (Self) - C3PAO and DIBCAC requirements are barred and are being amended out of active solicitations. 7021 itself remains on the books, and 7012 and the SPRS self-assessment are unchanged. Full analysis: CMMC Phase 2 is suspended.

Where the SPRS score lives now

The self-assessment did not disappear - it changed address. Instead of a standalone NIST SP 800-171 score posted under 7019/7020, the score now travels inside CMMC: a Level 1 self-assessment covers the 15 basic safeguarding requirements (for FCI), and a Level 2 (self) assessment covers all 110 NIST SP 800-171 requirements (for CUI). Either way you still compute a score, post it in SPRS, and have an affirming official affirm it. So “an SPRS score to post” is as true as ever - the authority behind it is now 7021 and the CMMC rule rather than the retired assessment clauses.

Legacy numbers vs. new solicitation numbers

The 2026 overhaul renumbered on the FAR side too: FAR 52.204-21, the Basic Safeguarding clause for Federal Contract Information, became FAR 52.240-93. Rule of thumb: a contract awarded before the deviation carries the old numbers and its own terms; a new solicitation issued under the deviation carries the new ones. The underlying obligations are the same in both - so read your specific clause list, and do not assume a number is “wrong” just because it is old.

Tracks the DoD class deviations effective February 1, 2026 (FAR-overhaul Phase 1) and the CMMC 48 CFR final rule effective November 10, 2025. Numbers and dates verified July 14, 2026 (including the Phase 2 suspension); the controlling text is always the class-deviation and rule documents themselves. Educational only, not legal advice.

The Suite’s SSP, policies, and assessment-readiness tools are built around these clauses - 7012 safeguarding, the 110/320 assessment structure, and the CMMC Level 2 affirmation. See the CMMC Operator Suite, or start with the free Mac-First Readiness Pack.
Companion references: the acronym glossary, the controls list, the key dates timeline, and the ecosystem map - or browse the full reference shelf.