EPISODE · Mar 3, 2026 · 20 MIN
Navigating DFARS Cybersecurity After the FAR Part 40 Overhaul
from FAR & DFARS: Procurement Power · host Jellypod
This episode of FAR & DFARS: Procurement Power breaks down the 2026 DoD class deviation 2026-O0025 that implements the Revolutionary FAR Overhaul for Part 40 and creates the new DFARS Part 240 for Information Security and Supply Chain Security. Hosts Paul Netopski and Eric Marquette explain how key cybersecurity requirements are being relocated, rewritten, and tightened—especially around safeguarding covered defense information, NIST SP 800-171 DoD Assessments, and Cybersecurity Maturity Model Certification (CMMC). We start with the big-picture context: why the FAR overhaul is stripping out extraneous language, what a class deviation is, and how DFARS Part 240 and its PGI now consolidate rules on information security, supply chain risk, and prohibited sources. Then we zoom in on the new and revised clauses, including DFARS 252.204-7012 and the new deviation clause 252.240-7997, NIST SP 800-171 DoD Assessment Requirements, that replaces the old “basic” self-assessment model with Medium and High government-led validations. Finally, Paul and Eric walk contracting officers and defense contractors through the messy overlap period while both the “old” and “new” rules coexist. They highlight what applies to new awards versus legacy contracts, how to read solicitations that still reference older DFARS numbering, and what practical steps primes and subs should take now to prepare for more rigorous government-led assessments. If you work in federal procurement, compliance, or cybersecurity within the Defense Industrial Base, this episode will help you translate the FAR Part 40 overhaul into concrete action items for your contracts and systems.
What this episode covers
This episode of FAR & DFARS: Procurement Power breaks down the 2026 DoD class deviation 2026-O0025 that implements the Revolutionary FAR Overhaul for Part 40 and creates the new DFARS Part 240 for Information Security and Supply Chain Security. Hosts Paul Netopski and Eric Marquette explain how key cybersecurity requirements are being relocated, rewritten, and tightened—especially around safeguarding covered defense information, NIST SP 800-171 DoD Assessments, and Cybersecurity Maturity Model Certification (CMMC). We start with the big-picture context: why the FAR overhaul is stripping out extraneous language, what a class deviation is, and how DFARS Part 240 and its PGI now consolidate rules on information security, supply chain risk, and prohibited sources. Then we zoom in on the new and revised clauses, including DFARS 252.204-7012 and the new deviation clause 252.240-7997, NIST SP 800-171 DoD Assessment Requirements, that replaces the old “basic” self-assessment model with Medium and High government-led validations. Finally, Paul and Eric walk contracting officers and defense contractors through the messy overlap period while both the “old” and “new” rules coexist. They highlight what applies to new awards versus legacy contracts, how to read solicitations that still reference older DFARS numbering, and what practical steps primes and subs should take now to prepare for more rigorous government-led assessments. If you work in federal procurement, compliance, or cybersecurity within the Defense Industrial Base, this episode will help you translate the FAR Part 40 overhaul into concrete action items for your contracts and systems.
NOW PLAYING
Navigating DFARS Cybersecurity After the FAR Part 40 Overhaul
No transcript for this episode yet
Similar Episodes
Apr 21, 2026 ·73m
Apr 18, 2026 ·95m
Apr 15, 2026 ·55m
Apr 13, 2026 ·68m
Apr 11, 2026 ·59m
Apr 9, 2026 ·66m