Authority
E.O. 14275, Restoring Common Sense to Federal Procurement; E.O. 14265, Modernizing Defense Acquisitions and Spurring Innovation in the Defense Industrial Base; OMB Memorandum M-25-26, Overhauling the Federal Acquisition Regulation
Summary
This deviation establishes revised Federal Acquisition Regulation (FAR) Part 40 and new Defense FAR Supplement (DFARS) Part 240, both covering information security and supply chain security. Effective 2026-02-01, contracting officers must use the revised FAR Part 40 from the Revolutionary FAR Overhaul (RFO) web page and the attached DFARS Part 240 and DFARS Procedures, Guidance and Information (PGI) 240. The deviation implements E.O. 14275 and E.O. 14265 and remains in effect until rescinded or incorporated into the FAR, DFARS and DFARS PGI.
Contracting Officer Actions
1
Effective 2026-02-01, use the revised FAR Part 40 from the RFO web page. It replaces the codified text at 48 CFR chapter 1.
2
Effective 2026-02-01, use the new DFARS Part 240 (Attachment A1) in lieu of any previously codified DFARS text on information security and supply chain security.
3
Effective 2026-02-01, use the new DFARS PGI 240 (Attachment A2) in lieu of any previously codified PGI text on information security and supply chain security.
4
Insert provision 252.204-7016, Covered Defense Telecommunications Equipment or Services--Representation, in all solicitations including commercial (Part 12) acquisitions and solicitations for task orders, delivery orders, basic ordering agreements (BOAs), orders against BOAs, blanket purchase agreements (BPAs) and calls against BPAs.
5
Insert provision 252.204-7017, Prohibition on the Acquisition of Covered Defense Telecommunications Equipment or Services--Representation, in all solicitations including commercial (Part 12) acquisitions and solicitations for task orders, delivery orders, BOAs, orders against BOAs, BPAs and calls against BPAs.
6
Insert clause 252.204-7018, Prohibition on the Acquisition of Covered Defense Telecommunications Equipment or Services. Use in all solicitations and resultant awards including commercial (Part 12) acquisitions and task orders, delivery orders, BOAs, orders against BOAs, BPAs and calls against BPAs.
7
Insert provision 252.239-7017, Notice of Supply Chain Risk, in solicitations including commercial (Part 12) acquisitions for information technology that is a covered system, part of a covered system or in support of a covered system.
8
Insert clause 252.239-7018, Supply Chain Risk. Use in solicitations and contracts including commercial (Part 12) acquisitions for information technology that is a covered system, part of a covered system or in support of a covered system.
9
Insert provision 252.204-7008, Compliance with Safeguarding Covered Defense Information Controls, in all solicitations including commercial (Part 12) acquisitions except those solely for commercially available off-the-shelf (COTS) items.
10
Insert clause 252.204-7009, Limitations on the Use or Disclosure of Third-Party Contractor Reported Cyber Incident Information. Use in all solicitations and contracts including commercial (Part 12) acquisitions for services supporting Government activities related to safeguarding covered defense information and cyber incident reporting.
11
Insert clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, in all solicitations and contracts including commercial (Part 12) acquisitions except those solely for COTS items.
12
Insert clause 252.240-7997, NIST SP 800-171 DoD Assessment Requirements, in all solicitations and contracts including commercial (Part 12) acquisitions except those solely for COTS items.
13
Insert clause 252.204-7021, Contractor Compliance with the Cybersecurity Maturity Model Certification (CMMC) Level Requirements, per the phase-in schedule at DFARS 240.371-5(a). Do not use for solicitations and contracts solely for COTS items.
14
Insert provision 252.204-7025, Notice of Cybersecurity Maturity Model Certification Level Requirements, in solicitations that include clause 252.204-7021.
15
Insert clause 252.225-7007, Prohibition on Acquisition of Certain Items from Communist Chinese Military Companies. Use in solicitations and contracts including commercial (Part 12) acquisitions involving delivery of items covered by the United States Munitions List (USML) or the 600 series of the Commerce Control List (CCL), unless an exception at DFARS 240.272-2(c) applies.
16
Insert provision 252.225-7049, Prohibition on Acquisition of Certain Foreign Commercial Satellite Services--Representations, in solicitations that include clause 252.225-7051. Do not separately list it if FAR 52.204-7 is already included.
17
Insert clause 252.225-7051, Prohibition on Acquisition of Certain Foreign Commercial Satellite Services. Use in solicitations and contracts for commercial satellite services including commercial (Part 12) acquisitions.
18
Insert provision 252.225-7050, Disclosure of Ownership or Control by the Government of a Country that is a State Sponsor of Terrorism, in solicitations including commercial (Part 12) acquisitions (other than commercial satellite services) expected to result in contracts of $200,000 or more. Do not separately list it if FAR 52.204-7 is already included.
19
Insert clause 252.204-7000, Disclosure of Information, when the contractor will have access to or generate unclassified information that may be sensitive and inappropriate for public release.
20
Insert clause 252.204-7003, Control of Government Personnel Work Product, in all solicitations and contracts.
21
Insert clause 252.239-7000, Protection Against Compromising Emanations. Use in solicitations and contracts involving information technology that requires protection against compromising emanations.
22
For covered defense telecommunications equipment or services representations, follow the procedures at DFARS 240.270-4. Forward disclosures and consult with the requiring activity and legal counsel as required.
23
For supply chain risk exclusions under DFARS 240.271-6, ensure the determination and notification requirements at DFARS 240.271-5 are satisfied before taking any exclusion action.
24
For CMMC award eligibility, check the Supplier Performance Risk System (SPRS) before award and before exercising options or extending performance periods per DFARS 240.371-4.
25
For acquisitions involving the USML or 600 series of the CCL, confirm with the requiring activity whether items are covered before issuing the solicitation per DFARS 240.272-2(d).
26
Forward disclosures under DFARS 240.272-3 and requests for exceptions under DFARS 240.272-4 to Defense Pricing, Contracting and Acquisition Policy (DPCAP) Contract Policy via the email address in PGI 240.272-3(d) and PGI 240.272-4(d).
27
When a cyber incident is reported, consult the DoD component Chief Information Officer/cyber security office before assessing contractor compliance per DFARS 240.370-3(d) and PGI 240.370-8.
Deviation duration
This deviation remains in effect until rescinded or incorporated into the FAR, DFARS and DFARS PGI. There is no fixed expiration date.
FAR Part 40 source
The revised FAR Part 40 is published on the RFO web page at acquisition.gov. It is not yet codified at 48 CFR chapter 1.
CMMC phase-in
Clause 252.204-7021 applies under different conditions before and after 2028-11-10. Review DFARS 240.371-5(a) for the correct threshold at each phase.
COTS exemption
Several clauses and provisions are excluded from solicitations and contracts solely for COTS items. Confirm COTS status before omitting a required clause.
State sponsor of terrorism threshold
The prohibition at DFARS 240.272-3 applies to contracts of $200,000 or more. The Secretary of Defense may waive it under 10 U.S.C. 4871(c).
Inquiries
Direct questions about this deviation to osd.pentagon.ousd-a-s.mbx.dfars@mail.mil.
Affected Provisions and Clauses
52.240-90
CLAUSE
Modify clause 52.240-90
MODIFIED
52.240-91
CLAUSE
Modify clause 52.240-91
MODIFIED
252.240-7997
CLAUSE
Add clause 252.240-7997
MODIFIED