A
All right, folks, it is almost the end of October of 2025. And if you remember way back in the day, the 48th CFR CMMC Final Rule was published in the Federal Register on September 10th of 2025. The regulation officially goes into effect on November 10th of 2025, at which point all new DoD solicitations and contracts will include at least CMMC Level 1 status requirements. While the government shutdown might affect the pace of new contracts, it doesn't change anything about the effective date of the CMMC program and contract specifically. So even though SAM.gov is very quiet at the moment thanks to the shutdown, we have seen seven notices coming out that let people know that CMMC is very real and will absolutely be required, including some level two requirements. And that's what we're going to talk about today.
B
Okay, first and foremost, let's get it out of the way. The elephant in the room. Seven notices, we had no influence over that whatsoever. And then the only other thing that I have going into this episode, Jacob, is my question is, is this a case where people were falling 7,304 too far and they didn't remove it when maybe the class deviation came out or things of that nature? Right. The requirements within the contracts. I'm also interested to see if we're seeing it in seven contracts. What kind of contracts are they? Are they really high speed contracts? Are they, what, what's it going to be? So I'm really excited for this.
A
Yeah, no, and these are all either new or upped. These are all either new notices or requests or they're updates to things that were published just prior to the rule being published itself. And we'll see that as we sort of walk through them. But yeah, these are not mistakes. These are actually, you know, what it's going to look like in the, in the brave new world that we're going to be in after November 10th. So first up, the Navy has a notice on SAM.gov under Naval Sea Systems Command. They have a request for information on semiconductors and related device manufacturing. The Navy is looking for information related to establishing a US onshore 300 millimeter wafer production fabrication capability for magnetoresistive random access memory devices utilizing magnetic tunnel junction technology with a focus on production foundry capabilities. That's what they're looking for. There's all kinds of cool stuff that you see on SAM.gov, however, if you scroll through this, this notice, this RFI on SAM.gov, they say at a minimum, the envisioned US onshore fabrication capability shall meet the following requirements and they give you a big list and inside of that list it says shall be able to support an ITAR compliant manufacturing flow including at a minimum CMMC level 2 for the protection of customers controlled unclassified information categorized as export controlled. They say that the requirement for this ITAR CUI compliance is driven by the need for this random access memory manufacturing capability in radiation hardened memory microcircuits custom designed to meet specific natural space and man-made radiation environments. If you're doing microelectronics manufacturing, if you're doing reshoring of high speed manufacturing of microelectronics next gen things like that, high speed fabrication, they're straight up saying it's going to be CMMC level 2, not CMMC self-assessment, CMMC level 2.
So this is a Navy Sea Systems Command RFI and they say it right there, they say it right in the, right in the RFI on there.
B
So right out of the gates we see a contradiction to what everybody seems to think. Right Jacob. The phased rollout begins. Oh, we're going to have level one requirements inside of our contracts. But here the very first solicitation that we see says not only is it level two but it's specified CUI level two on this magnet. I'm not even going to try the who's a Majigger.
A
They're making microchips, they're going to radiation in, you know, radiation hardened microchips for some crazy space based application that is super export control.
B
Yeah, it doesn't sound like something that you would want Level one controls making sure that that security is in place or you want to take somebody's word on it. We want to make sure this stuff's locked down so it doesn't get out there. It sounds like a lot of money spent on it. But with that being said, like I mentioned at the beginning of the comment is that this is already a contradiction to what people's belief is right now. The belief is I'm only going to have to self assess, I'm only going to have to do level one. The very first solicitation that we talk about. Bam.
A
Yeah, Level two, which you know, it's an RFI so reach out to NAVSEA and tell them you can't do it and you need an exception or tell them you kind of crazy that.
B
It came from Navy too, right? I, I, I would in our experience, Navy I think has been the one where there's more explaining that's needed. Right. And then all of a sudden they're just out the gates. Bam bam, bam.
A
Yeah, so, and this is only one thing, right? I mean obviously there's going to be a million different RFIs, RFPs, notices on SAM.gov especially once things open back up. But you know, we've been, we've been shouting from the rooftops for a long time now telling people that during phase one, that first 12 months, there is no prohibition on CMMC level two status being a requirement and it's totally up to DoD's discretion when it comes to making radiation hardened microelectronics for 300 millimeter wafer production fabrication capabilities. Level two it is. So we'll include the link to that RFI and you guys can check it out for yourself. Next up, there's one from Special Operations Command, US SOCOM. They have notice on there for global services delivery sources sought. This is for administrative management general management consulting services. Very, very different from making precision radiation hardened microelectronics. They're actually updating a notice that they put on SAM.gov prior to the 48 CFR CMMC rule being published. They say this update is provided to place offerors on notice that the final CMMC rule was released on 10 September 2025 based on the implementation date of 10 November 2025 and an anticipated request for proposal release date that falls after that implementation date. The government will include a CMMC pass fail requirement in the final RFP as qualifying criteria, they say it's currently anticipated that CMMC Level 1 will be required at the time of proposal submission. Potential offerors are encouraged to begin working to meet this requirement if you have not already done so. They go on to say prime offerors are encouraged to ensure that team members, so their subcontractors, team members have also completed this requirement as a prime offeror will be disqualified if it is determined that an identified team member does not also meet CMMC level one qualification.
So they want administrative support consulting support general management consulting services. So not super high speed not doing consulting in space. Right. This is not ITAR rated whatever, just sort of general support services. But it's a contract after the effective date so it's going to have at least CMMC level 1. So some people think that's easy, that's no big deal. A lot of people think that that's a bridge too far. Here you go. If you're trying to do administrative management and general management consulting services for U.S. Special Operations Command next year then you're going to have to be able to prove that you have at least CMMC level 1 and your subs have at least CMMC level 1.
B
Yeah, that was the thing that stood out to me the most. This wasn't one where the level exceeded what was supposed to be supposed to take place. Right. We didn't go past level one self assessment and what we expected, what people's expectations were. But, but what we did say is that your entire supply chain has to be in order. And if it's not in order you're not going to get awarded this contract. You'll just be disqualified.
A
Absolutely. So we had the Navy, we had US SOCOM, now we have US Army Corps of Engineers. And there's a ton of stuff from the Army Corps of Engineers that has mentions of CMMC requirements in it. They're probably the ones that have, you know, they're the most in front of this requirement for the current set of things that are on SAM.gov so under the Corps of Engineers for commercial and institutional building construction, they want people to solicit offers for the construction of ground based strategic deterrent Sentinel Operations Group facilities at Few Air Force Base in Wyoming. So GBSD, this is America's intercontinental ballistic missile system. So they're building buildings around intercontinental ballistic missiles which is kind of a big deal. So they say in this notice the project is anticipated to be subject to cybersecurity maturity model certification level 2. Pursuant to DFARS clause 7021. Firms will need to ensure they are properly certified. Failure to meet the CMMC Level 2 requirement will make an offeror ineligible for award. They'd anticipate that the award will happen in FY27. So you have a ton of time before they're going to award this contract. You are going to be making buildings that go around intercontinental ballistic missiles at a strategic Air Force base in Wyoming. You know like in Terminator when like the, the, the prairie opens up and the giant missiles fly out of the ground, that's what you're making buildings around. So you're going to probably need CMMC level two at a minimum. Although that even seems a little loose to me. It ain't going to be level one and it probably won't be a self assessment for obvious reasons. But we're talking about construction companies here, right? We're not talking about you know, some high speed space based laser, microelectronic whatever. Right.
But you're in and around these facilities, you're dealing with whatever the data is that they're talking about here in this notice on SAM.gov they say, please include the following information in your response narrative. Briefly describe your firm's current status regarding CMMC progress. Remember, this isn't until FY27. We're talking about basically a year from Now, October of 2026. Briefly describe your firm's current status regarding the CMMC process. This includes, but is not limited to whether you are actively working towards certification at a specific level or have already achieved CMMC certification. If you are certified, please indicate the achieved level. So a year before they plan to award it, they're like, where are you on your progress? Are you progressing or do you already have your cert? And I would imagine that if you put down we already got our cert, that that's going to be a huge help. I don't know, a year is a long time. So maybe other people are going to get their certs and they'll be able to say, yeah, we're working on it, we'll let you know. But they're telling you right now a year from now, level two.
B
Well, yeah. So let's talk about what stands out here. Everybody always applies CMMC requirements automatically to I make a part for a missile, I make this special chip that goes into this, I make this, that goes into this particular name your defense capability here. Right. And then we're like, well what about some of those like not directly impacted contracts? Are we going to see this pop into this construction? One is one people don't realize the importance of protecting maybe the blueprints for the buildings that surround those silos, protecting some of the capabilities of those buildings. And that's why these requirements go into it. Do you think, and this is just a strict question to you, do you think because it's a construction based one and they're going to have to submit like design drawings, architecture drawings and all that to be bid on and approved on. Right. They're going to have to accept not only the contractor's proposal, but what the contractor's design is. Right. So maybe because the narratives there, they have to have all that in place because it's such a longer process.
A
Yeah, I don't know. I mean the, you know, reading through the sam.gov you know, notice on there, there's tons of stuff in there that are specific to the construction industry and the types of buildings and the types of like reinforced concrete footings that they have to make. There's a lot of situational stuff that I'm sure can drive those requirements. But that's what I did a terrible.
B
Job of trying to ask the question for is like, are there situational things as to why we're seeing this pop out because the anticipated award is 27, or is this just these. The Army Corps of Engineers being way ahead of it is kind of what.
A
It's hard to know. I mean, I'm sure that a lot, for a lot of these big expensive construction projects, some of these construction projects are like, you know, they're basically saying like, don't even, don't even talk to us if you can't support like $175 million project or larger. And they think that it's going to be in the neighborhood of like 175 mil to $250 million project over the course of like 1100 days. Right. So they're pretty certain like the scale of these things. But yeah, that's the part that jumped out to me was they're not saying that you don't need a level 2 cert until FY27 because of the phased rollout. They're saying you need a Level 2 cert in FY27 because that's when we're going to award the contract. Right. So if they were going to say we're going to award this in Q4 of 2026, phase rollout is not what's driving this requirement. Just happens to be that's when the award period is going to be. They aren't saying in the interim you can do a self assessment. There's no work until they award the contract. So the phase rollout is not what's driving, hey, you don't need this for a year. It's the contract award. Anticipated contract award date.
B
Yep.
A
Yep. Alrighty. So we talked about the Navy. We talked about SOCOM, we talked about Army Corps of Engineers. Army Corps of Engineers has several other notices on SAM.gov currently including housing revitalization projects in Yakuza Japan. So base housing, anybody who's lived in base housing knows they're constantly in need of renovation. They have a multiple award task order contract in Honshu, Japan. They have bulk fuel storage tanks. Phase two opportunity at Yokota Air Base in Japan. So you're talking roofers, you're talking just a multiple award contract. You're talking bulk fuel storage, specialty construction, everything from microelectronics to roofing to building concrete footings for missiles. Like there's all kinds of stuff that is on SAM.gov all the time. But the overall thing that the Army Corps of Engineers put into each of these is they've said the Army Corps of Engineers Japan District anticipates that all solicitations issued on or after November 10th will require CMMC Level 1 certification or higher, period. Right. Say if your company is not certified at level one or higher, you will not be eligible to receive a contract award. They have related questions in all of these notices on SAM.gov, one of them on there says, does your company have CMMC certification? If yes, what level and when does it expire? They said the government is seeking to minimize proposed variations or substitutions during the solicitation bidder inquiry period. Bad news for everybody that says, we're just going to ask for special treatment. We're just going to ask for a waiver. We're just going to ask for this to not be a problem. They say we're seeking to minimize all of the nonsense during the bidder inquiry period. Due to strict timelines, our ability to fully analyze these requests during the solicitation phase is often limited. We've said this multiple times, right. The, the, the cardinal sin of running a business is being difficult to do business with.
And so the government is saying, you're going to need this certification if you want an award, period. Please tell us if you have the cert and when it expires. We don't want to spend time going back and forth with people over this requirement. There's many other things that they list as well, but this is relevant to the podcast. So if you got the cert, you can say, yep, we got it. Doesn't expire for two years, doesn't expire for three years, doesn't expire for whatever. And they don't have to sit there and give you special treatment for it. They don't have to carve out time for it. It's just one more thing that isn't going to be a discriminator against being able to do work with them. And that's for all Army Corps of Engineer offerings for the entire Japan district.
B
Now, if level one is the requirement, obviously you shouldn't be trying to get variations or substitutions or waivers or anything like that. Right. Because of the simplicity of it. But if Level 2 is your requirement and you're trying to get that, there's just not time to do that. And if you're depending on that, trying to compensate for the fact that you didn't get the waiver and make up for it to get done in time, it's just not enough time. Especially if they're trying to move faster.
A
Yeah, yeah. So some other Army Corps of Engineers notices that we've seen on SAM.gov and this is all since September 10th. Right. So this is all stuff that's happened in the last handful of weeks when there really hasn't been a lot of activity on SAM.gov because of the shutdown. So other things that we've seen, semiconductor test labs at White Sands Missile Range in New Mexico probably going to be at least level 2 based off of just the title of what they're talking about. The John Day Dam Turbine runner replacement and generator project in Rufus, Oregon. So we're talking about hydroelectric, we're talking about microelectronics, roofing, bulk fuel storage, general admin support. Everything that the DoD is doing. You're going to have a CMMC level one requirement in it, at least starting on November 10th. And for some of these, you're going to have CMMC level two status requirements. The phased rollout doesn't matter. Right. It is not a prohibition on including it. The problem that I see is that these are all the things that have sort of snuck through for whatever reason they're allowable or their priority. But you know, we're into the next fiscal year now and we haven't seen the long range acquisition forecasts get posted by the various DoD components. So I think what's going to happen is once the government opens back up, there's going to be a huge rush to try to get these, you know, RFPs, RFIs, solicitations out there onto SAM.gov and it's going to be even more constrained, like the Army Corps of Engineers said, where they're like, we're way behind schedule. Do you have it or do you not have it? And so you'll have even less time to anticipate what's going to be in those contract solicitations because instead of them coming out in the last couple weeks, they might not come out for another month or two, depending on how long things take, but they'll still have the.
B
Same deadline to get.
A
Still going to have the same deadline.
B
I, I didn't even think about that. That's such a great point. Like the shutdown, because they can't work and the contracts don't get out. They still have to get fulfilled and there's still projects that have to get done.
A
Yeah, they were planning on, you know, publishing something in October or November to award it in January or fe and you don't see it until December. Right. Then you have way less time in order to do the same thing that they were going to require all the time anyways. So for everybody out there that says we're going to wait until we see it in a solicitation to believe that it's real. Here's a couple of examples from different components, different industries, different levels, different stuff. You're going to see the requirement in this solicitation like don't, don't be fooled. We're what, 20 days? A little less than 20 days. We're getting into the, you know, we're getting close to single digits here from the start of the phase rollout.
B
Crazy.
A
So you know the phase rollout's going to go live and the government might not be open. So everybody's going to be like looking around, waiting for things to happen and then as soon as these solicitations come out then it's going to be in there. So I thought it was interesting to walk through and see that we're, you know, already seeing very clear cut examples of CMMC requirements. We'll include all the links to the ones that we mentioned in SAM.gov and we'll go from there.
B
See you next week folks.
A
See you next week everybody.
Episode: CMMC Requirements Are Starting To Show Up
Host: Summit 7
Date: October 23, 2025
This episode explores the early and decisive appearance of CMMC (Cybersecurity Maturity Model Certification) requirements in new Department of Defense (DoD) contracts and solicitations, ahead of the November 10, 2025 effective date. Hosts break down real-life examples from recent notices on SAM.gov, dispelling myths about the gradual rollout and clarifying how different levels of CMMC (Levels 1 and 2) are already being demanded across various contract types, including some unexpected areas. The goal is to showcase what defense contractors and their supply chains need to be ready for—now.