The Feb 2026 FAR overhaul renumbered the CMMC clauses — here's the quick map
Ran into this doing paperwork for a re-compete and it tripped me up, so posting in case it saves someone else the confusion. As of Feb 1, 2026 (the "Revolutionary FAR Overhaul," implemented via Class Deviation 2026-O0025, which stood up a new DFARS Part 240 and moved the FCI clause into a new FAR Part 40), several of the clause numbers we're all used to changed:
- DFARS 252.204-7019 — deleted.
- DFARS 252.204-7020 — renumbered to 252.240-7997, and rewritten. The new text only defines Medium and High assessments (both government-performed, per NIST SP 800-171A). The old "Basic" self-assessment definition is gone from the clause itself.
- FAR 52.204-21 (the Level 1 / FCI "basic safeguarding" clause) — renumbered to 52.240-93.
- DFARS 252.204-7012 — unchanged.
- DFARS 252.204-7021 (the CMMC requirement clause) — unchanged.
The part that actually bit me: both the old and new numbers are "live" right now. Solicitations issued on/after Feb 1, 2026 use the new numbers (252.240-7997, 52.240-93); existing/older contracts still cite the legacy numbers (252.204-7020, 52.204-21). So it's not a clean find-and-replace in your own docs — you match the number to the contract's vintage.
What did not change, and this is the important part: your actual obligations. If you handle CUI and a solicitation calls for CMMC Level 2 (Self), you still self-assess against the same 110 controls, post to SPRS, and affirm — that all lives under 252.204-7021, which kept its number. And SPRS/CMMC scoring is still on NIST SP 800-171 Rev 2, not Rev 3.
TL;DR: the FAR overhaul was basically a filing-cabinet reorg for the cyber clauses. The numbers moved; the work didn't.
If I've got any of this wrong I'd genuinely like the correction — primary source is the DoD Class Deviation 2026-O0025 memo under the DFARS RFO Part 240 materials.