B (4:26)

Even posts with news about the rule going into effect and even with the line at the bottom of the class deviation putting a a expiration date on it based on when the rule goes into effect. Even on the post announcing that with the effective date there, people are like.

A (4:42)

Well what about the class deviation?

B (4:44)

Yeah, like, you know what I mean?

A (4:45)

Like, you know, to be fair, we don't get dfars class deviations related to cyber security requirements all that often. The last one that we had was in May of 2024. We did a whole episode on about it with the great and powerful Lauren Ayers. That was a class deviation. That said, I know DFAR 7012 says do the most recent version of NIST SP800 171 requirements. That should be Rev3, but CMMC is going to assess Rev2. So we're telling you with this deviation, just do Rev2. If that's news to you, go check out that episode. But anyways, I don't want to interrupt.

B (5:21)

I really don't want to interrupt you, but what were two words that really. It's the same word being used in both of those class deviations that we're referencing. What word sticks out to you the most there?

A (5:31)

I don't know.

B (5:32)

Indefinitely. Right, Indefinitely. And how you interpret indefinitely.

A (5:35)

Right.

B (5:36)

Because some people, I think, are automatically programmed to think indefinite means this endless time lapse continuum definitely is permanently.

A (5:44)

Yeah.

B (5:45)

But realistically what the word means is that there's something brewing. We just don't know when it's going to finish brewing. And we don't want to assign a date to it and have to be kind of. Or, yeah, anything like that. And so I think that you could read any bit of the writing on the wall and know that this was coming relatively fast. I know if you listen to this show, you should have known that this was coming relatively fast based on all the factors. And I think that that class deviation was just something to subside from. Good Lord. The amount of people that came out.

A (6:16)

And were like, October 1st. October 1st. Yeah. Well, let's talk about, you know, why did this happen? What are. What is the class deviation? What the heck are we talking about? Okay, so anyways, at the end Of August, the DoD issued Class Deviation 20, 25O Triple 06. This is the only organization in the world that I know of that uses capital O's and zeros next to each other. Great job, dod. Anyways, what the heck is a class deviation? A class deviation is an authorized exception to the far, the dfars, the hsar, all of the acquisition supplements that the government agencies use. Use to buy stuff. Right. It's an authorized exception to the acquisition regulations that they use. A class deviation applies to multiple contracts, otherwise known as a whole class, hence the name class deviation. So this is a class wide change to the regulations that are on the books.

B (7:13)

So what would technically be the class in this case?

A (7:16)

Anything that's going to have anything that's going to have the CMMC clause in it.

B (7:20)

Okay.

A (7:21)

Yeah. So it's just going to be basically all DoD contracts because it's going to be prescribed to go in everything with the relevant data types.

B (7:27)

Okay.

A (7:28)

So these deviations are issued to address what they call urgent needs. This could be things like policy gaps that they've identified, such as the DFAR7012 issue. There's a gap between two competing policies. It could be legislative demands or anything like that. They issue these deviations to bridge the gap until there can be a change to the FAR or an agency supplement via rulemaking. Because as we know, rulemaking takes a while. You got to address this issue because we're still buying stuff. And so they have this authorized deviation as a temporary band aid until they can do that. So at the end of August, the DoD issued a class deviation. And it was the subject line said class deviation, use of the clause on contractor compliance with the cybersecurity maturity model certification level requirement. And it was only two paragraphs long. It's very quick. And it says, effective immediately, contracting officers shall not use the contract clause at DFARS 252-204-7021. That is the CMMC contract clause effective immediately. Do not use the clause 7021. Okay, then it says this class deviation remains in effect until the effective date of the final rule. For DFARS case 2019 D041. That's the 48 CFR CMMC rule that was published yesterday. And as we know, the effective date of that rule is November 10th of 2025. So long story short, this class deviation does not suspend CMMC. It does not affect the November 10th effective date. It does not change the figure phased rollout. It does not override the final rule whatsoever at all. Period. So if your leadership is hemming and hawing and hesitating on getting started on implementation to meet their CMMC obligations, then, and they're waiving this class deviation in front of you, make sure they read the second paragraph that says this will expire on the effective date of the rule. The effective date of the rule is November 10th of 2025.

B (9:36)

Doesn't the the rule being published and the effective date being put in place effectively void that class deviation? Maybe not immediately with it being published, but with that effective date that's voided and it's non existent.

A (9:50)

Well, it's still on the books, Right? So right now, right now, the class deviation says don't use the clause 7021. And this guidance expires on the effective date of the rule. At which point you go read the rule and you do what the rule says essentially to use the clause as at 7021.

B (10:05)

Now how much of that do you think is played into the fact that we know by history DOD uses two clauses to accompany each other? You know, we have 19, 20, etc.

A (10:14)

Yeah.

B (10:15)

And that they knew that there was a clause that we didn't have a number for until yesterday coming out. So it was inappropriately using the clauses now because there's no notice and no notice of intent, right?

A (10:25)

Yeah. So it could be that. Right. So as we'll talk about in the webinar and things like that. So now, rather than just having The DFARS clause 7021, go get a seam level, we now also have a DFARS provision that makes you aware of the requirements in the clause that is 252-204-7025. Coming up in the future, we're going to finish our back to basics episodes where we went through DFARS 7008 and 7012, 7019 and 7020. And now we can complete the series 7025 and 7021. That's not the reason why they issued this class deviation overall, but it's adjacent. So here's a riddle for you, everybody. Here's something to ponder.

B (11:08)

I like riddles.

A (11:09)

DFARS clause 252-204-70 21 has never been authorized for inclusion in any solicitation and contract. It was put on hold indefinitely in March of 2021 when the DoD went into their programmatic review of the CMMC program. And it was still put on hold indefinitely in November of 2021 when they announced CMMC 2.0 rulemaking, which we will finish on November 10th of 2025. So at no point in time has the clause 7021 been allowed to go in any solicitation and contract. If it has, it has been a mistake. It was not authorized. So if it's never been authorized for use, why did we get a class deviation telling people not to use it? Any ideas? Any ideas? In chat, Jason, got any ideas as to why this occurred?

B (12:01)

No, because I was today years old when I didn't realize that it wasn't technically allowed because we were seeing those requirements pop up and people being like, hey, I know that you're saying that it can't go there, but I have this.

A (12:10)

So like, yeah, so it showed up in contracts and solicitations. Not authorized to be there. Right. It was suspended indefinitely. But mistakes get made. Contracting officers shotgun stuff into contracts all the time. We know that this is true for all kinds of clauses, not just for cybersecurity stuff and for cmmc. So remember back to the fact that if you were to Google right now, before November 10, DFARS clause 252, 204, 7021, there is a DFARS clause at that address, right? There is a text of a CMMC clause at 7021 right now, because the rule in 2020 that established CMMC 1.0 wrote a rule at 252-204-7021 with the CMMC clause, the original 2020 text of the CMMC clause. So that has stayed online as it was created in 2020 until this upcoming 48 CFR rule that goes into effect on November of 2025 revises the language from 2020 and then that's the new clause, right? The problem is, is that these rules don't just change the language of the clause, they also update the guidance to the Contracting officers about when and how to use these clauses. So they update part 202 and part 204 and part 212, not just part 2, 5 2, where the clauses and solicitations live. And if you go look at a part of the DFARS called Let me share, let me make sure I get it right, it's 2047503, 2047503. This is guidance to the Contracting Officers about when to use the clause 7021 that was written back in 2020. So back in 2020, the DoD had a five year phased rollout plan for putting CMMC clauses into contracts and phases. Right. At that time, the original plan was, we're going to insert this clause into contracts on a case by case basis. The Undersecretary for Acquisition and Sustainment is going to hand select the contracts that will include cmmc and then five years later, it's going to go in all solicitations and contracts. Well, ironically, coincidentally, the end of that phase rollout is October 1st of 2025. The end of the CMMC 1.0 phase rollout is October 1st. So when everybody wakes up and they hear CMMC is here, the rule is right around the corner. It's getting ready to come out. They fire up the Google Machine or they fire up ChatGPT or whatever and they say, when does CMMC go into effect? And it pulls the current language that was established in 2020 and it says October 1st must go in all solicitations and contracts. But that's not what the rule is going to say when it goes into effect in November. So in order to get around that issue, the DoD saw a policy gap and they issued a class deviation that said, just a reminder, everybody, it's still not authorized for you to use the clause 7021 that we wrote in 2020 until the new version comes out at the effective date of the 48 CFR. CMMC final rule. Everybody got this wrong. Industry got this wrong. The CMMC ecosystem got this wrong. The US Army Corps of Engineers put an official notice on SAM.gov that said October 1st is the go live date. I've been very disappointed in some of the DoD components understanding of the relationship between old clause language and upcoming new clause language. But that's besides the point. The real day is November 10th of 2025. This October 1st thing people have been hearing about is an artifact of old 2020 rulemaking. Can't be updated until that new rule goes into effect. Class deviation fixes that policy gap and says when the new rule goes into effect, go use the clause. Do not use the old clause because the new rule is about to go into effect. That's basically where it came from.

B (16:25)

And so we. I don't know if I. Given that explanation that you. You just provided, I don't know if I can be completely not mad at the KO for including it because now it just sounds like they thoroughly went down the checklist that's provided to make sure that the right clauses are inserted into the contract.

A (16:41)

Right.

B (16:41)

7503 is that checklist. They scroll down, they're like, oh, I guess there's control technical information on this contract. We got to check that this clause goes in there because preemptively. Because rulemaking is a process. Right. And because changing huge documents like that is a process. It's not. There's no immediacy to it. You have to have those things in place to make sure the clause goes in when the program was supposed to be live.

A (17:05)

Yeah. So, you know, technically it's a little. It's a little bit of egg on everybody's face. Right. Because DOD issued a memo back in 2021 that said don't use the clause suspended indefinitely. But they didn't issue a class deviation. They probably should have, but I. They were not expecting CMMC 2.0 rulemaking to take longer than 24 months. So October 1st of 2025 was never going to be an issue. Here we are in September of 2025 and the rule isn't going to go into effect until after October 1st. So they weren't anticipating that this was going to be a problem, but they could have issued a class deviation just to seal it forever. The other, you know, sort of embarrassing thing that people have done to expose themselves is October 1st of 2025 has been at DFARS 2,04,7503 since 2020. Right. But people only started worrying about October 1st of 2025, like two or three weeks ago, which tells you people weren't paying attention to what was going on. The relationship between the 48 CFR proposed rule and the final rule, what was already on the books. Because if you were worried about October 1st of 2025 in August of 2025, why weren't you worried about it in December of 2024 when the CMMC program officially went into effect and the clause says it goes into all contracts in October of 2025? It's because people weren't reading it because they didn't think that it was real.

B (18:32)

They thought it was still going away. And then there were exactly small things. You find the glimmers, I will say the demonstrated growth by the DoD not putting a hard deadline on this class deviation and showing and definitely is one of those. You're not getting me again on this one. So yeah, I.

A (18:47)

So there you go.

B (18:48)

It doesn't matter anymore. November 10th, bro.

A (18:49)

November class deviation. If anybody brings it up, you can just have them watch this episode or just direct them to the last paragraph of the two paragraphs that says it expires on the effective date. Effective date is November 10th. It won't be a thing anymore. It was created because of artifacts of old rulemaking and the fact that the new CMC 2.0 rulemaking took an extra 21 months and they just didn't think that the language October 1, 2025 was going to be an issue and not enough people were paying attention and it kind of got crazy. And that's how rumors get started. But won't matter. It'll just be a fun thing that we all look back and laugh on, as many of the things that we've talked about over the years will be. Anyways, like we were saying, T minus 59 days, everybody. From the time we're having this conversation. Then phase one, day one begins and we're off into a brave new world. Make sure you check out our webinar. We're going to talk about everything you need to know about the rule, make it into nice pretty slides you can show your leadership so that they hopefully make a decision. And we'll go from there. And we'll see you next week.

B (19:49)

See you next week.