
DFARS Clauses Changed – The Burden of CMMC Proof Did Not

The latest clause updates may look administrative, but the message from industry experts is clear: the government still expects contractors to prove they are doing what they say they are doing.

The February 1 DFARS and FAR clause changes have prompted a familiar question across the defense industrial base: does renumbering signal reduced scrutiny for CMMC?

According to the discussion in our recent webinar, DFARS 7019 & 7020 Are Gone – How to Stay CMMC Compliant, the answer is no.

The webinar was moderated by Elizabeth (Lizi) Huy, EVP of Commercial Services at Alluvionic and a Cyber AB Registered Practitioner (RP). She was joined by Bobby Padilla, Information Security Director and CCP at Alluvionic, an RPO, and Eric Levitas, VP of Business Development at ControlCase, a C3PAO.

What changed were clause references and mechanics in a few key places. What did not change is the government’s expectation that contractors be able to demonstrate real cybersecurity implementation, not just claim it. As Elizabeth Huy put it, “Clause numbers changed, security expectations did not.”

That is the core message contractors should take from this transition.

The Policy Changed Shape, Not Direction

At a surface level, the updates can look administrative. DFARS 252.204-7019 is eliminated. DFARS 252.204-7020 is renumbered to 252.240-7997. The FAR safeguarding clause moved from 52.204-21 to 52.240-93. Meanwhile, the clauses most companies already associate with protecting covered defense information, CMMC requirements, and flowdown remain in place.

| Old Clause | New Clause / Status | What Changed | Practical Takeaway |
|---|---|---|---|
| 252.204-7020 | 252.240-7997 | Renumbered / language removed: clause renumbered; DoD assessment authority remains; basic self-assessment language removed; no basic SPRS upload requirement | Requirements were adjusted in structure/language, but DoD assessment authority still applies |
| 252.204-7019 | Eliminated | Eliminated: prior self-assessment framework retired | This clause is no longer used |
| 52.204-21 | 52.240-93 | FAR clause shift: safeguarding FCI requirements remain; primarily a numbering change | Same core FCI safeguarding expectations, new clause number |
| 252.204-7012 | Unchanged | Unchanged (still active): CDI safeguarding | Still active and applicable |
| 252.204-7021 | Unchanged | Unchanged (still active): CMMC requirements | Still active and applicable |
| 252.204-7025 | Unchanged | Unchanged (still active): CMMC flowdown | Still active and applicable |

That kind of change can easily be misread as easing pressure. The panel said the opposite is true.

As Elizabeth Huy explained, the government is “certainly not abandoning or stepping away” and is instead “doubling down.” In practical terms, that means the federal government is continuing to formalize cyber expectations and push contractors toward more provable, supportable compliance.

Why CMMC Exists in the First Place

One of the clearest moments in the webinar came when the panel cut through the policy language and restated the original rationale behind CMMC.

As Eric Levitas said, “We want to make sure you’re actually doing what you’re saying you’re doing.”

That line captures the entire shift. For years, many contractors operated in a world where stated compliance and actual implementation were not always the same thing. CMMC exists to close that gap. The issue is no longer whether an organization understands the requirements in theory. The issue is whether it can prove those requirements are operating in practice.

That is why these clause changes should not be treated as a paperwork exercise. They are part of a broader move away from informal confidence and toward defensible evidence.

The SPRS Era is Changing, and Accuracy Matters More Than Optimism

Another theme from the webinar was the need to stop treating scoring as a box-checking exercise.

Historically, many organizations thought in terms of getting a score into the system. The panel’s advice was to shift that mindset completely. What matters now is whether the score is real, supportable, and likely to hold up under independent review.

Eric Levitas made that point directly: “Put in your real score.”

He went further: “If you think that’s a 110, I really hope you got that validated by a third party.”

That advice speaks to one of the market’s most persistent problems. Inflated self-confidence may help an organization feel ready, but it does not help when a formal assessor reviews the environment and finds missing evidence, poor documentation, or misunderstood controls. A weak score is not the real risk. An inaccurate score is.

Self-Attestation is Not a Free Pass

There is still confusion in the market about what happens to self-attestation. The webinar addressed that nuance well.

The old model often let companies think of self-attestation as a statement of intent: we know where we are, we are getting ready, and we will continue improving. The panel’s message was that this mindset no longer fits the direction of CMMC. If a leader is going to sign an affirmation, the organization should be in a position to stand behind it.

That does not mean every company immediately jumps into formal certification. It does mean casual self-certification as a comfort blanket is disappearing.

In that sense, the panel’s blunt assessment was useful: self-certification as the market understood it “didn’t work anyway.” The future is not about softer claims. It is about stronger proof.

Mock Assessments are Becoming a Business Necessity

One of the most practical sections of the webinar focused on readiness before a real assessment starts.

As Eric Levitas explained, once an organization begins a formal audit, the possible outcomes become very real. The point of preparation is not to “see what happens.” The point is to remove uncertainty before the stakes are high.

That is why mock assessments matter more than ever. Companies should treat them as an opportunity to find weak evidence, incomplete documentation, scoping mistakes, and service-provider misunderstandings before a C3PAO does.

The standard should not be “good enough to try.” It should be readiness to pass.

Certification is Not the Finish Line

A common misunderstanding in the market is that certification ends the hard part. The webinar pushed back on that.

As Eric Levitas said, “Once you are C3PAO certified, the journey does not end.” He added another line that makes the point even more vividly: “You just started the race.”

That is an important message for executives as much as practitioners. Certification is not a one-time event to be won and forgotten. It creates an ongoing obligation to maintain controls, preserve evidence, update documentation, manage changes, and support annual affirmations. If the environment drifts after certification, the organization’s next review can become much harder.

For leaders signing affirmations, that means visibility matters. Teams need to be prepared not only to earn compliance, but to sustain it.

Rev. 2 Versus Rev. 3: Do Not Get Ahead of the Assessment

Another valuable clarification from the webinar involved the confusion around NIST SP 800-171 Rev. 2 and Rev. 3.

Rev. 3 is out, and many organizations are understandably looking at it. But the panel emphasized that current CMMC assessment expectations are still anchored to Rev. 2.

As Bobby Padilla put it, “When it comes for certification, your SSP and all your documentation needs to be aligned with Revision 2.”

That does not mean Rev. 3 should be ignored from a security maturity perspective. It does mean organizations should not build their certification readiness package around the wrong baseline. If the assessor is measuring against Rev. 2, then SSPs, procedures, and evidence need to line up to Rev. 2.

This is one of the clearest examples of why regulatory awareness and assessment readiness are not always the same thing.

Prime Contractors are Shaping the Compliance Reality

The webinar also touched on a question many subcontractors are asking: what if we do not handle CUI?

In some cases, that may mean Level 1 is the appropriate target. But the panel warned against assuming that current data handling alone settles the issue. Prime contractors are sometimes pushing suppliers toward Level 2 readiness, either because of current flowdown, anticipated future work, or a desire to reduce downstream risk.

That is why one of the most actionable pieces of advice from the session was simple. Eric Levitas said, “Communicate with your primes.”

That communication should not be casual. Contractors should understand exactly what is being flowed down, what data they are expected to handle, what future-state assumptions are being made, and whether Level 2 expectations are contractual, practical, or precautionary. Those answers can materially affect cost, scope, architecture, and timeline.

During the session, Bobby Padilla cautioned, “If you have a 7012 clause being flowed down to you, then you have the responsibility to safeguard CUI.”

Curious about CMMC for your supply chain? Read our guide to CMMC Compliance for Supply Chains to learn how vendor oversight, documentation, and supply chain risk management can affect assessment readiness and contract performance.

What Continues to Derail Readiness

When the webinar moved from policy to real-world assessment issues, two problem areas stood out.

The first is insufficient handling of service providers. Organizations often misunderstand how to scope cloud providers, managed services, or other external partners. They may assume those providers “cover” parts of compliance without properly documenting which responsibilities belong to whom. That is a recurring issue in assessment preparation.

The second is missing documentation, especially at the objective level. High-level policy language can sound solid while still failing to satisfy what an assessor needs to see in practice.

That is where Eric Levitas used one of the webinar’s most memorable illustrations: “If the control says to clean your room … if you forgot to make your bed, your room is not clean.”

It is a simple analogy, but it works. A company may believe it has addressed the spirit of a control. But if it cannot show each required piece of implementation, the control may still fail.

Why the Right Consultant Still Matters

CMMC has always been technical, but it is increasingly operational and strategic as well. Contractors are not just making cybersecurity decisions. They are making business decisions about timing, architecture, resource allocation, external partners, documentation discipline, and contract positioning.

That is why one of the most practical recommendations from the webinar was also one of the most direct. Eric Levitas advised companies to “wrap yourself around with a good consultant.”

That does not mean handing off responsibility. It means surrounding the organization with expertise that can challenge assumptions, validate interpretations, improve readiness, and keep pace with evolving expectations.

For many companies, that support is the difference between controlled progress and expensive confusion.

The Bottom Line

The renumbering of DFARS and FAR clauses should not be read as reduced pressure. It should be read as a reminder that the government is still moving toward a more disciplined, more enforceable compliance environment.

The real shift is not from one clause number to another. It is from saying you are compliant to proving you are.

That is the standard contractors should prepare for now.

Watch the Full Webinar Here

Want the full context behind these DFARS and CMMC changes? Watch the full webinar recording here: https://www.youtube.com/watch?v=mjvHcTj4x8U&t=22s
