A
Alrighty, folks, it is September of 2025 and boy, oh boy, if you've been living under a rock, then you missed the news. The news we've all been waiting on for literally years and years. Yesterday, September 10, 2025, we got the second of two final rules that fully implement the CMMC program. For those of you that are new here, that's a program that uses third party assessments to verify the implementation of contractually obligated cybersecurity requirements for contractors working with the Department of Defense, slash, the Department of War, depending on who you ask these days. The regulation that final rule that we got on September 10th goes into effect officially goes into effect on November 10th of 2025, officially triggering the first phase of CMMC's phased rollout. After that point, November 10th, all new DoD solicitations and contracts will have some level of CMMC requirement in them depending on the nature of the data that you are handling under your contract. From that day forward, any work that doesn't involve CMMC will be the exception rather than the rule. Everything changes. On November 10, we are hosting a free webinar that's going to break down everything you need to know about the final rule and most importantly, how to strategize for CMMC success. On September 24th at noon Central, we will put the registration link below. It's free, so come check it out, hang it out. Lots of people have already signed up based off of the news, so everybody's welcome. But anyways, Jason, before we get started, you and I have been doing this show for a long time. You and I have been working in this space for a long time. We have been waiting on this final rule for years and years. And now we have the day, November 10th of 2025. What do you think how you, I.
B
I, it took me a while to process it. Like you sit and you reflect and you're like, man, this seems to be the day that even when we started this show that we were like trying to anticipate when it was going to come, what it was going to be like, what would happen, what the rule would say by that point in time because of the evolutions that it went through. And it's almost surreal to sit here and think that we now are conducting our first show where there are two rules that fully support the program that we've been talking about for over 125 episodes.
A
Yeah, yeah. Actually now that you say that, you know, surreal is the word that I've been using and I've heard a lot of other people, a lot of other OGs in the space use is. It feels very surreal. And now that you say that we only have a. We only have a finite number of podcast episodes where it is a pre CMMC phase rollout world. So we'll have to do a celebration for the the last podcast before CMMC is the norm rather than a thing that we are just continuously speculating about. But anyways, that's not what we're talking about today. We're going to have a whole webinar coming up in two weeks that everybody can check out. We're going to put out all the information. We're going to talk about details in the rule, things to know, things that are interesting, details that might not be brought up in a webinar on future episodes. That's not what we're talking about today because. Wait, wait, wait. Hold the presses. Everybody stop, stop, stop. I know that it's going into effect in 60 days, but my leadership just put this on my desk. I heard there's a class deviation thing, a memo thing that got issued a couple weeks ago and that memo said CMMC is suspended indefinitely. Something's going on about October 1st. Why are you talking about November 10th? What the heck is going on? That's what we're going to talk about today because we got to nip this in the bud. Literally yesterday when we found out with the when the final rule is going to go into effect, I had people messaging me saying my boss has heard that the rule is here and the phased rollout is starting. But they asked me about this class deviation and they think that it's not happening. That's what we're going to talk about today.
B
Even posts with news about the rule going into effect and even with the line at the bottom of the class deviation putting an expiration date on it based on when the rule goes into effect. Even on the post announcing that with the effective date there, people are like.
A
Well what about the class deviation?
B
Yeah, like, you know what I mean?
A
Like, you know, to be fair, we don't get DFARS class deviations related to cybersecurity requirements all that often. The last one that we had was in May of 2024. We did a whole episode about it with the great and powerful Lauren Ayers. That was a class deviation that said, I know DFARS 7012 says do the most recent version of NIST SP 800-171 requirements. That should be Rev3, but CMMC is going to assess Rev2. So we're telling you with this deviation, just do Rev2. If that's news to you, go check out that episode. But anyways, I don't want to interrupt.
B
I really don't want to interrupt you, but what were two words that really. It's the same word being used in both of those class deviations that we're referencing. What word sticks out to you the most there?
A
I don't know.
B
Indefinitely. Right, Indefinitely. And how you interpret indefinitely.
A
Right.
B
Because some people, I think, are automatically programmed to think indefinite means this endless time lapse continuum definitely is permanently.
A
Yeah.
B
But realistically what the word means is that there's something brewing. We just don't know when it's going to finish brewing. And we don't want to assign a date to it and have to be kind of. Or, yeah, anything like that. And so I think that you could read any bit of the writing on the wall and know that this was coming relatively fast. I know if you listen to this show, you should have known that this was coming relatively fast based on all the factors. And I think that that class deviation was just something to subside from. Good Lord. The amount of people that came out.
A
And were like, October 1st. October 1st. Yeah. Well, let's talk about, you know, why did this happen? What are. What is the class deviation? What the heck are we talking about? Okay, so anyways, at the end of August, the DoD issued Class Deviation 20, 25O Triple 06. This is the only organization in the world that I know of that uses capital O's and zeros next to each other. Great job, DoD. Anyways, what the heck is a class deviation? A class deviation is an authorized exception to the FAR, the DFARS, the HSAR, all of the acquisition supplements that the government agencies use to buy stuff. Right. It's an authorized exception to the acquisition regulations that they use. A class deviation applies to multiple contracts, otherwise known as a whole class, hence the name class deviation. So this is a class-wide change to the regulations that are on the books.
B
So what would technically be the class in this case?
A
Anything that's going to have anything that's going to have the CMMC clause in it.
B
Okay.
A
Yeah. So it's just going to be basically all DoD contracts because it's going to be prescribed to go in everything with the relevant data types.
B
Okay.
A
So these deviations are issued to address what they call urgent needs. This could be things like policy gaps that they've identified, such as the DFARS 7012 issue. There's a gap between two competing policies. It could be legislative demands or anything like that. They issue these deviations to bridge the gap until there can be a change to the FAR or an agency supplement via rulemaking. Because as we know, rulemaking takes a while. You got to address this issue because we're still buying stuff. And so they have this authorized deviation as a temporary band-aid until they can do that. So at the end of August, the DoD issued a class deviation. And it was the subject line said class deviation, use of the clause on contractor compliance with the cybersecurity maturity model certification level requirement. And it was only two paragraphs long. It's very quick. And it says, effective immediately, contracting officers shall not use the contract clause at DFARS 252-204-7021. That is the CMMC contract clause effective immediately. Do not use the clause 7021. Okay, then it says this class deviation remains in effect until the effective date of the final rule for DFARS case 2019-D041. That's the 48 CFR CMMC rule that was published yesterday. And as we know, the effective date of that rule is November 10th of 2025. So long story short, this class deviation does not suspend CMMC. It does not affect the November 10th effective date. It does not change the phased rollout. It does not override the final rule whatsoever at all. Period. So if your leadership is hemming and hawing and hesitating on getting started on implementation to meet their CMMC obligations, and they're waving this class deviation in front of you, make sure they read the second paragraph that says this will expire on the effective date of the rule. The effective date of the rule is November 10th of 2025.
B
Doesn't the rule being published and the effective date being put in place effectively void that class deviation? Maybe not immediately with it being published, but with that effective date that's voided and it's nonexistent.
A
Well, it's still on the books, Right? So right now, right now, the class deviation says don't use the clause 7021. And this guidance expires on the effective date of the rule. At which point you go read the rule and you do what the rule says essentially to use the clause as at 7021.
B
Now how much of that do you think is played into the fact that we know by history DOD uses two clauses to accompany each other? You know, we have 19, 20, etc.
A
Yeah.
B
And that they knew that there was a clause that we didn't have a number for until yesterday coming out. So it was inappropriately using the clauses now because there's no notice and no notice of intent, right?
A
Yeah. So it could be that. Right. So as we'll talk about in the webinar and things like that. So now, rather than just having the DFARS clause 7021, go get a CMMC level, we now also have a DFARS provision that makes you aware of the requirements in the clause that is 252-204-7025. Coming up in the future, we're going to finish our back to basics episodes where we went through DFARS 7008 and 7012, 7019 and 7020. And now we can complete the series 7025 and 7021. That's not the reason why they issued this class deviation overall, but it's adjacent. So here's a riddle for you, everybody. Here's something to ponder.
B
I like riddles.
A
DFARS clause 252-204-7021 has never been authorized for inclusion in any solicitation and contract. It was put on hold indefinitely in March of 2021 when the DoD went into their programmatic review of the CMMC program. And it was still put on hold indefinitely in November of 2021 when they announced CMMC 2.0 rulemaking, which we will finish on November 10th of 2025. So at no point in time has the clause 7021 been allowed to go in any solicitation and contract. If it has, it has been a mistake. It was not authorized. So if it's never been authorized for use, why did we get a class deviation telling people not to use it? Any ideas? Any ideas? In chat, Jason, got any ideas as to why this occurred?
B
No, because I was today years old when I didn't realize that it wasn't technically allowed because we were seeing those requirements pop up and people being like, hey, I know that you're saying that it can't go there, but I have this.
A
So like, yeah, so it showed up in contracts and solicitations. Not authorized to be there. Right. It was suspended indefinitely. But mistakes get made. Contracting officers shotgun stuff into contracts all the time. We know that this is true for all kinds of clauses, not just for cybersecurity stuff and for CMMC. So remember back to the fact that if you were to Google right now, before November 10, DFARS clause 252-204-7021, there is a DFARS clause at that address, right? There is a text of a CMMC clause at 7021 right now, because the rule in 2020 that established CMMC 1.0 wrote a rule at 252-204-7021 with the CMMC clause, the original 2020 text of the CMMC clause. So that has stayed online as it was created in 2020 until this upcoming 48 CFR rule that goes into effect on November of 2025 revises the language from 2020 and then that's the new clause, right? The problem is that these rules don't just change the language of the clause, they also update the guidance to the contracting officers about when and how to use these clauses. So they update part 202 and part 204 and part 212, not just part 252, where the clauses and solicitations live. And if you go look at a part of the DFARS called, let me share, let me make sure I get it right, it's 204.7503, 204.7503. This is guidance to the contracting officers about when to use the clause 7021 that was written back in 2020. So back in 2020, the DoD had a five year phased rollout plan for putting CMMC clauses into contracts and phases. Right. At that time, the original plan was, we're going to insert this clause into contracts on a case by case basis. The Undersecretary for Acquisition and Sustainment is going to hand select the contracts that will include CMMC and then five years later, it's going to go in all solicitations and contracts. Well, ironically, coincidentally, the end of that phase rollout is October 1st of 2025. The end of the CMMC 1.0 phase rollout is October 1st.
So when everybody wakes up and they hear CMMC is here, the rule is right around the corner. It's getting ready to come out. They fire up the Google Machine or they fire up ChatGPT or whatever and they say, when does CMMC go into effect? And it pulls the current language that was established in 2020 and it says October 1st must go in all solicitations and contracts. But that's not what the rule is going to say when it goes into effect in November. So in order to get around that issue, the DoD saw a policy gap and they issued a class deviation that said, just a reminder, everybody, it's still not authorized for you to use the clause 7021 that we wrote in 2020 until the new version comes out at the effective date of the 48 CFR CMMC final rule. Everybody got this wrong. Industry got this wrong. The CMMC ecosystem got this wrong. The US Army Corps of Engineers put an official notice on SAM.gov that said October 1st is the go live date. I've been very disappointed in some of the DoD components' understanding of the relationship between old clause language and upcoming new clause language. But that's besides the point. The real day is November 10th of 2025. This October 1st thing people have been hearing about is an artifact of old 2020 rulemaking. Can't be updated until that new rule goes into effect. Class deviation fixes that policy gap and says when the new rule goes into effect, go use the clause. Do not use the old clause because the new rule is about to go into effect. That's basically where it came from.
B
And so we. I don't know if I. Given that explanation that you. You just provided, I don't know if I can be completely not mad at the KO for including it because now it just sounds like they thoroughly went down the checklist that's provided to make sure that the right clauses are inserted into the contract.
A
Right.
B
7503 is that checklist. They scroll down, they're like, oh, I guess there's control technical information on this contract. We got to check that this clause goes in there because preemptively. Because rulemaking is a process. Right. And because changing huge documents like that is a process. It's not. There's no immediacy to it. You have to have those things in place to make sure the clause goes in when the program was supposed to be live.
A
Yeah. So, you know, technically it's a little. It's a little bit of egg on everybody's face. Right. Because DoD issued a memo back in 2021 that said don't use the clause, suspended indefinitely. But they didn't issue a class deviation. They probably should have, but they were not expecting CMMC 2.0 rulemaking to take longer than 24 months. So October 1st of 2025 was never going to be an issue. Here we are in September of 2025 and the rule isn't going to go into effect until after October 1st. So they weren't anticipating that this was going to be a problem, but they could have issued a class deviation just to seal it forever. The other, you know, sort of embarrassing thing that people have done to expose themselves is October 1st of 2025 has been at DFARS 204.7503 since 2020. Right. But people only started worrying about October 1st of 2025, like two or three weeks ago, which tells you people weren't paying attention to what was going on. The relationship between the 48 CFR proposed rule and the final rule, what was already on the books. Because if you were worried about October 1st of 2025 in August of 2025, why weren't you worried about it in December of 2024 when the CMMC program officially went into effect and the clause says it goes into all contracts in October of 2025? It's because people weren't reading it because they didn't think that it was real.
B
They thought it was still going away. And then there were exactly small things. You find the glimmers, I will say the demonstrated growth by the DoD not putting a hard deadline on this class deviation and showing and definitely is one of those. You're not getting me again on this one. So yeah, I.
A
So there you go.
B
It doesn't matter anymore. November 10th, bro.
A
November class deviation. If anybody brings it up, you can just have them watch this episode or just direct them to the last paragraph of the two paragraphs that says it expires on the effective date. Effective date is November 10th. It won't be a thing anymore. It was created because of artifacts of old rulemaking and the fact that the new CMMC 2.0 rulemaking took an extra 21 months and they just didn't think that the language October 1, 2025 was going to be an issue and not enough people were paying attention and it kind of got crazy. And that's how rumors get started. But won't matter. It'll just be a fun thing that we all look back and laugh on, as many of the things that we've talked about over the years will be. Anyways, like we were saying, T minus 59 days, everybody. From the time we're having this conversation. Then phase one, day one begins and we're off into a brave new world. Make sure you check out our webinar. We're going to talk about everything you need to know about the rule, make it into nice pretty slides you can show your leadership so that they hopefully make a decision. And we'll go from there. And we'll see you next week.
B
See you next week.
Episode: CMMC: Final Rule vs Class Deviation
Date: September 11, 2025
Host: Summit 7
Main Speakers: A (Summit 7 Host), B (Co-Host Jason)
This episode of Sum IT Up: CMMC News Roundup breaks down the recent and highly anticipated release of the Department of Defense (DoD)'s final rule for the Cybersecurity Maturity Model Certification (CMMC) program. The hosts address widespread confusion within the defense contracting community regarding the impact of a recently issued class deviation and clarify how it relates to the final rule, specifically focusing on what happens on November 10, 2025. They walk through how to interpret these regulatory developments and address common misconceptions propagated in the industry.
[00:02–02:51]
Notable Quote:
"After that point, November 10th, all new DoD solicitations and contracts will have some level of CMMC requirement in them depending on the nature of the data that you are handling under your contract. From that day forward, any work that doesn't involve CMMC will be the exception rather than the rule. Everything changes."
— A, [01:15]
[02:51–05:44]
Notable Quote:
"Because some people, I think, are automatically programmed to think indefinite means this endless time lapse continuum, definitely is permanently. But realistically what the word means is that there's something brewing. We just don't know when it's going to finish brewing."
— B, [05:36]
[06:16–09:36]
Notable Quote:
"This class deviation does not suspend CMMC. It does not affect the November 10th effective date. It does not change the phased rollout. It does not override the final rule whatsoever at all. Period."
— A, [08:39]
[09:36–15:00]
Notable Quote:
"At no point in time has the clause 7021 been allowed to go in any solicitation and contract. If it has, it has been a mistake… So if it's never been authorized for use, why did we get a class deviation telling people not to use it?"
— A, [11:09]
[15:00–18:48]
Notable Quote:
"I've been very disappointed in some of the DoD components' understanding of the relationship between old clause language and upcoming new clause language. But that's besides the point. The real day is November 10th of 2025."
— A, [13:35]
[18:48–19:49]
Notable Quote:
"If anybody brings [the class deviation] up, you can just have them watch this episode or just direct them to the last paragraph of the two paragraphs that says it expires on the effective date. Effective date is November 10th. It won't be a thing anymore."
— A, [18:49]
This episode decisively debunks confusion about the CMMC program's rollout, especially regarding class deviations versus the final rule. The industry’s focus should now shift exclusively to the final rule’s effective date—November 10, 2025—with prior confusion about class deviations and October 1 quickly fading into irrelevance. The episode advises listeners to prepare accordingly and directs them to upcoming webinars for more detailed CMMC guidance.