The Self-Assessment Era Is Over! CMMC Is Now Mandatory
Christopher Souza | CEO
As of February 1, 2026, the DoD implemented significant updates to DFARS and FAR cybersecurity clauses as part of its FAR Overhaul initiative. While certain DFARS “Basic” self-assessment requirements have been removed at the federal clause level, this does not reduce your cybersecurity obligations. It marks a clear transition away from self-attestation and toward formal CMMC verification.
For years, the industry operated in a self-assessment era that is now officially closing. 2026 marks the year the DoD moves from contractor-asserted compliance to structured, enforceable CMMC verification. Organizations that continue operating under a self-attestation mindset will increasingly find themselves misaligned with contract eligibility requirements.
Long story short, the era of contract-level self-assessments is officially ending this year. CMMC is now the only way forward.
What’s Changed?
- DFARS 252.204-7019 — Deleted
  Contractors are no longer required to conduct and upload a Basic NIST SP 800-171 self-assessment score to SPRS under this clause.
- DFARS 252.204-7020 — Renumbered to 252.240-7997
  References to Basic self-assessments have been removed.
  DoD-led Medium and High assessments remain unchanged.
- FAR 52.204-21 — Renumbered to 52.240-93
  The 15 safeguarding requirements remain exactly the same.
- No changes were made to:
  - DFARS 252.204-7012, which requires full implementation of NIST SP 800-171.
  - DFARS 252.204-7021 and 7025, the CMMC clauses that validate full implementation of NIST SP 800-171.
What This Means for You
You are still contractually required to implement NIST SP 800-171. DFARS 252.204-7012 remains fully in effect, and contractors handling CUI are still required to implement all 110 security requirements.
Federal-level Basic self-assessments are being phased out, but compliance is not. The DoD is consolidating validation under CMMC. CMMC is becoming the primary verification mechanism. Instead of parallel SPRS uploads and Basic assessments, organizations will increasingly demonstrate compliance through:
- CMMC Level 2 self-assessments, when permitted
- CMMC Level 2 third-party certifications
Prime contractors may still require self-assessments. Although DFARS Basic assessments are being removed at the clause level, existing and future contracts, particularly through prime flow downs, may still require NIST self-assessment documentation as part of subcontractor risk management.
The bottom line is clear. Self-attestation is no longer sufficient as a long-term strategy. Validation has shifted toward CMMC.
How TSI Positions You Ahead of This Shift
Technical Support International (TSI) works with defense contractors to navigate these regulatory transitions and position them for a favorable certification outcome.
We help organizations:
- Implement IT and cybersecurity solutions that fully satisfy control requirements as an MSP and MSSP
- Assess and validate NIST SP 800-171 posture
- Develop and maintain SSPs, POA&Ms, and evidence packages
- Prepare for CMMC Level 2 self-assessments and C3PAO audits
- Align policies, technical controls, and documentation into a defensible compliance posture
We have helped multiple organizations successfully progress through CMMC readiness and certification. We closely monitor DoD and FAR developments, so our clients stay ahead of regulatory shifts, not surprised by them.
Fail to Prepare, Prepare to Fail
If you currently:
- Hold DoD contracts under DFARS 7012
- Anticipate bidding on future opportunities
- Are unsure how these clause updates affect your eligibility
- Or have relied primarily on self-assessments to date
Now is the time to act.
Contact TSI for Assistance
Let’s schedule a focused CMMC Impact Review where we will:
- Review your active contracts and flow-downs
- Confirm your NIST 800-171 implementation status
- Identify risk exposure areas
- Outline a clear path toward CMMC validation
It takes an average of 12 to 18 months to achieve CMMC readiness. Contractors who transition early will gain a competitive advantage in 2026 and beyond. Ensure you are positioned correctly to remain in good standing on your DoD contracts.
Contact TSI today to begin your CMMC Impact Review and move forward with confidence.
About Technical Support International
TSI is a 38-year-old cybersecurity (MSSP) and IT support (MSP) company specializing in helping DIB organizations address their NIST 800-171 and CMMC compliance obligations. As a CMMC-AB Registered Provider Organization (RPO), TSI offers a complete NIST 800-171 and CMMC support solution to help guide our clients toward a successful certification audit and provide the assurance that they’re adhering to these expansive compliance requirements.
