Over the last few days, there has been a lot of noise and more than a little panic about recent FAR and DFARS changes tied to the so-called “Revolutionary FAR Overhaul.” If you follow CMMC closely, your LinkedIn feed probably made this feel bigger, scarier and more disruptive than it really is.
Let’s slow this down and talk about what is actually happening and what is not.
The Short Version
CMMC is not going away.
CMMC requirements have not changed.
What has changed is how the government is cleaning up overlapping FAR and DFARS language now that CMMC is officially online.
This is an administrative consolidation, not a reset of the compliance model.
What Changed and Why It Happened
As of Feb. 1, 2026, the Department of Defense issued a class deviation that renumbers and reorganizes several FAR and DFARS clauses related to information security and supply chain security.
Most notably:
- FAR 52.204-21 was renumbered
- DFARS 7019 and 7020 were removed and replaced
- Legacy “basic self-assessment” language is no longer used
These changes are being implemented through a class deviation while the formal rulemaking process catches up. That means, for a period of time, you will see different clause numbers referring to the same expectations depending on where you are looking.
That confusion is real, but it is temporary.
Why DFARS 7019 and 7020 Went Away
This is the part that triggered most of the reaction, and it is actually the most logical piece of the change.
DFARS 7019 and 7020 existed to support self-attested security claims before CMMC was operational. Now that CMMC is live, those clauses are redundant.
The Department of Defense is not weakening enforcement here. It is doing the opposite.
They are removing parallel self-assessment mechanisms and elevating CMMC as the primary compliance path.
In plain English, if the Department of Defense wants assurance, they now expect it to come through CMMC.
What Did Not Change
This part matters more than anything else:
- CMMC levels remain the same
- Level 1 and Level 2 are still in effect
- Assessment requirements, including self versus third-party, are unchanged
- 32 CFR Part 170 is unchanged
- CUI handling expectations remain intact
Despite some commentary to the contrary, this is not a pivot to a different framework and it is not a collapse of the CMMC model.
If you have been preparing for CMMC, you are still on the right path.
A Legitimate Issue to Watch, But Not Panic About
One discussion point that is worth paying attention to involves how SPRS reflects certification status when contractors split environments. A common example is a Level 2 certified CUI enclave paired with a separate Level 1 environment for FCI.
This is a nuance in how status is recorded and interpreted, not a flaw in CMMC itself. These are the kinds of implementation details the Department of Defense typically tightens through guidance once real-world usage surfaces edge cases.
Important, yes.
Existential, no.
What FAR and DFARS Updates Mean for Contractors
If you are part of the Defense Industrial Base, here is the practical takeaway:
- Continue your CMMC preparation as planned
- Expect some short-term clause numbering confusion in contracts
- Do not chase rumors about CMMC being replaced or invalidated
- Understand that FAR and DFARS are being aligned around CMMC, not away from it
This is what maturation looks like in federal acquisition. It can be messy in execution, but the direction is consistent.
Final Thought
There is a temptation in our industry to treat every regulatory update as a seismic event. Most of the time, it is not.
This update signals that the Department of Defense is done experimenting with parallel compliance models and is consolidating around CMMC as the system of record.
That is not chaos.
That is clarity, even if the paperwork takes a while to catch up.