Recent DFARS class deviations associated with the FAR and DFARS overhaul reorganized several cybersecurity clauses, leading to confusion about government contractor self-assessment requirements. Although certain DFARS provisions were removed or renumbered, government contractors handling Federal Contract Information (FCI) must still conduct CMMC Level 1 self-assessments and post the results in the Supplier Performance Risk System (SPRS).
Highlights
- DFARS Clause Reorganization. In January 2026, DoD began issuing class deviations on 31 FAR parts and related DFARS as part of the DFARS Revolutionary FAR overhaul. While there are many revisions, a significant change was the relocation of some of the cybersecurity procedures to FAR 40 and DFARS 240 Information Security and Supply Chain Security Requirements and renumbering of the cybersecurity provisions and clauses in the related sections.
- Provision/Clause Renumbering. Some of the cybersecurity provisions and clauses were relocated and renumbered under the DFARS Revolutionary FAR overhaul. For example, the clause at FAR 52.204-21 was changed to FAR 52.240-93, and the clause at DFARS 252.204-7020 was changed to DFARS 252.240-7997, with the requirement for the basic self-assessment removed.
- Self-Assessment Requirement. Although the NIST SP 800-171 Basic Self-Assessment requirement was removed from DFARS 252.204-7020 when the clause was relocated to DFARS 252.240-7997, contractor self-assessments were not eliminated. A self-assessment is still required for contractors required to comply with CMMC Level 1.
- CMMC Level 1 Requirements. Contractors handling Federal Contract Information on DoD contracts are required to comply with CMMC Level 1. This requires contractors to prepare a self-assessment against a minimum of the 15 safeguarding controls in FAR 52.240-93 and post the score in the Supplier Performance Risk System.
- Operational Impact. Contractors need to review the DFARS Revolutionary FAR Overhaul class deviations and effective dates to gain an understanding of the changes and the impact on policies, subcontract flowdowns, templates, and flowdown clauses.
As part of the DFARS Revolutionary FAR Overhaul Class Deviations, the Department of Defense (DoD) adopted the FAR Council’s changes. It began issuing class deviations to DFARS text with effective dates as early as January 23, 2026. While there are many changes, we are focusing on the class deviation for the revision and renumbering of the cybersecurity-related clauses, which became effective February 1, 2026.
A major change in the FAR and DFARS overhaul is the creation of FAR Part 40 and DFARS Part 240 Information Security and Supply Chain Security. These new parts consolidate some of the cybersecurity, prohibition, and supply chain risk management requirements previously located in FAR Part 4 and DFARS 204 into FAR Part 40 and DFARS Part 240, respectively.
What Changes are Related to Cybersecurity?
FAR Clause Changes
- FAR Clause 52.204-21 Basic Safeguarding of Covered Contractor Information Systems moved to FAR 52.240-93 with no changes to the clause.
  - Solicitation Provision moved from FAR 4.1903 to FAR 40.303-2
  - Implement, at a minimum, the 15 security controls if the contractor is handling Federal Contract Information (FCI)
  - Flow down clause to subcontractors if handling FCI
DFARS Clause Changes
- DFARS 252.204‑7019 Notice of NIST SP 800-171 DoD Assessment Requirements has been eliminated.
- DFARS 252.204-7020 has been renumbered to DFARS 252.240-7997 but maintains the same title, “NIST SP 800-171 DoD Assessment Requirements.”
  - Solicitation Provision moved from DFARS 204.7304 to DFARS 240.370-5
  - Requirement to conduct a basic self-assessment of NIST SP 800-171 security controls and post the score in the Supplier Performance Risk System (SPRS) has been removed
  - Medium and High assessments conducted by the Government in accordance with NIST SP 800-171A did not change
- DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting
  - No change to the requirements
  - Solicitation Provision moved from DFARS 204.7304 to DFARS 240.370-5
- DFARS 252.204-7021 Contractor Compliance with the Cybersecurity Maturity Model Certification Level Requirements
  - No change to the requirements for CMMC Level 1, 2 and 3
  - Provision moved from DFARS 204.7504 to DFARS 240.371-5
As a result of the DFARS changes, some companies have circulated article titles claiming, “government contractors are no longer required to conduct basic self‑assessments or upload their scores into SPRS.” These article titles unintentionally suggest that the removal or restructuring of prior DFARS clauses (such as 252.204‑7019/7020) has eliminated the Basic Self-Assessment requirement. Government contractors handling covered defense information were required to implement all 110 security controls per NIST SP 800-171, complete a Basic Self-Assessment and post the score in SPRS. While DFARS 252.240-7997 removes the NIST SP 800-171 Basic Self-Assessment requirement, it does not eliminate the self-assessment requirement altogether.
Where Does the Self-Assessment Still Reside?
DFARS 252.204-7021 Contractor Compliance with the Cybersecurity Maturity Model Certification (CMMC) Level Requirements establishes a self-assessment requirement for government contractors. Under this clause, contractors and subcontractors with Department of Defense (DoD) contracts that handle Federal Contract Information (FCI) are required to comply with CMMC Level 1.
CMMC Level 1 requires contractors to conduct a self-assessment against the 15 basic safeguarding security controls in FAR 52.240-93 and post the resulting score to SPRS. This streamlined self-assessment is advantageous for contractors whose information systems only process FCI. In contrast to the former NIST SP 800‑171 Basic Self‑Assessment, which required evaluating and scoring 110 security controls, CMMC Level 1 imposes a significantly reduced compliance burden. Contractors that handle CUI on DoD contracts will continue to be subject to NIST SP 800-171 assessment requirements under CMMC Level 2.
Takeaways
Government contractor self-assessments of security controls have not been removed in their entirety. The requirement for a Basic Self‑Assessment using the 110 security controls in NIST SP 800-171 has been eliminated. But if you have a DoD contract/subcontract and handle FCI, you will need to meet CMMC Level 1, prepare a self-assessment of the 15 security controls in FAR 52.240-93, and post the score in SPRS.
Government contractors should:
- Update internal references from 52.204‑21 to 52.240‑93
- Remove DFARS 252.204-7019 and update references from 252.204-7020 to DFARS 252.240-7997
- Review templates, subcontracts, and flowdowns to ensure the new clause numbers are flowed down if applicable
- Verify that the 15 safeguarding controls are implemented and documented
- Ensure subcontractors handling FCI are also flowing down the updated clause
Understanding Cybersecurity Compliance Responsibilities
Redstone Government Consulting assists government contractors in understanding how cybersecurity requirements affect their contracts, policies, and operational processes. Our team helps government contractors evaluate contract clauses, review policy documentation, and confirm that purchasing practices and subcontract flowdowns align with applicable cybersecurity requirements. When technical support is needed, Redstone GCI works with established industry partners who provide services such as penetration testing, incident response support, security assessments, and assistance with POA&M development and remediation. Through this coordinated approach, government contractors can address both regulatory obligations and technical cybersecurity requirements while maintaining alignment with their contract compliance responsibilities.
Frequently Asked Questions (FAQs)
- Did the DFARS Revolutionary FAR Overhaul eliminate cybersecurity self-assessments for contractors? No. The DFARS overhaul removed the basic self-assessment to comply with the 110 controls in NIST SP 800-171, but it did not eliminate self-assessments entirely. Contractors with DoD contracts handling Federal Contract Information must comply with CMMC Level 1, which requires a self-assessment.
- Who must complete a CMMC Level 1 self-assessment? Contractors and subcontractors that handle Federal Contract Information on DoD contracts must comply with CMMC Level 1, which requires a self-assessment of the 15 basic safeguarding controls in FAR 52.240-93. The score is posted in the Supplier Performance Risk System (SPRS).
- How is the current self-assessment different from the previous NIST SP 800-171 assessment? Contractors performing DoD contracts must complete a self-assessment demonstrating compliance with 15 basic safeguarding controls when processing Federal Contract Information. Prior to this change, contractors that handled FCI had to complete a self-assessment and comply with the 110 security controls in NIST SP 800-171, and this requirement was removed from DFARS 252.240-7997.
- Why should government contractors review their policies and contracts after these changes? DoD has issued class deviations accepting 31 sections of the DFARS Revolutionary FAR overhaul beginning in January 2026. These class deviations include effective dates of the FAR and related DFARS changes. It is important to review and understand the changes, effective dates and impact on your contracts. While there are many changes, this blog identifies significant changes related to cybersecurity clauses.


Lynne is a Director with Redstone Government Consulting, Inc. providing government contract consulting services to our clients primarily related to Commercial Item Determinations and support, Cost Accounting Standards, DFARS Business System Audits, Proposals, and Incurred Cost. Prior to joining Redstone Government Consulting, Lynne served in several capacities with DCAA and DCMA for over 35 years.
Professional Experience
Lynne began her career working with DCAA in the Honeywell Resident Office, Clearwater, FL in 1984. Lynne’s experience included various positions which involved conducting or reviewing forward proposals or rate audits, financial capability audits, progress payments, accounting and estimating systems, cost accounting standards, claims and disclosure statement reviews. She is an expert in FAR, DFARS, CAS and testified as an expert witness. Lynne assisted in drafting the commercial item guidance for DCAA Headquarters. Lynne was assigned as a Regional Technical Specialist where she provided guidance to 20 field offices on highly complex or technical issues relative to forward pricing, financial capability or progress payment issues. As an Assistant for Quality, she was involved in reviewing and ensuring audit reports were in compliance with policy and GAGAS as well as made NASBA certified presentations to the staff including but not limited to billing reviews, CAS, unallowable cost and progress payments.
To enhance her experience in government contracting, Lynne accepted a position with DCMA in 2015 as part of the newly organized DCMA Cadre of Experts in the Commercial Item Group. This included performing reviews of prime contractor’s assertions and/or commercial item determinations as well as performing price analyses. Lynne was a project lead and later became a lead analyst where she engaged with the buying commands on requests and reviewed price analysis reviews performed by a team of 5 analysts. She also assisted the DCMA CPSR team relative to commercial items and co-instructed the Commercial Item Training presented to DCMA.
Education
Lynne earned a Bachelor of Science Degree in Accounting from the University of Central Florida.
Certifications
- State of Florida Certified Public Accountant
- State of Alabama Certified Public Accountant
- Defense Acquisition Workforce Improvement Act (DAWIA) Level III – Auditing
- DAWIA Level III – Contracting