A
Alrighty folks. Merry Christmas. It's that time of year, it's the big special day and Santa has left a present for Defense Logistics Agency suppliers. A breakdown of estimated CMMC requirements by level for each DLA supply class. Depending on the type of work you do, your odds of needing CMMC Level 2 certification instead of self assessment might be very low. But they are never going to be zero, non zero, if you will. And that's what we're going to talk about this week.
B
I don't think that you were the bearded man and I was the elf that people were looking forward to seeing today, Jacob, but here we, here we are and we're talking about things that are super important. And what kind of gift is this? It's a great gift. It's a great gift. That's level setting expectations for an entire base, right? That's saying this is what's going to happen and this is what you can expect. No surprises here. Let's talk about it.
A
For the die-hards watching this on Christmas, amazing. We're happy that you're checking this out. Probably one of the more insightful episodes that we had all year. Honestly, I wish every DoD component and program would put out breakdowns and information the way that DLA has. It's super, super cool. They're setting the, you know, they're, they're the model for how I wish the other components would put out this information. Depending on what type of work you do for DLA, this might be a good gift. Might be coal in your stocking. We'll talk about it whenever we get to their breakdown. For those of you who don't know DLA, the Defense Logistics Agency, the nation's combat logistics support agency. This is directly from the What DLA Buys webpage. Very interesting if you're not familiar. They manage the global defense supply chain. Everything from raw materials to everything that end users actually need. For the Army, for the Navy, for the Air Force, for the Marine Corps, for the Coast Guard, for 11 different combatant commands, federal agencies, for partner and allied nations, everything in between. They manage all of those supply chains. They manage 86% of the military spare parts. They manage a hundred percent of fuel and troop supported consumables. They manage the reutilization of military equipment catalogs and logistics information for all the products that the military buys. They offer document automation and production services for a bunch of military and federal agencies and everything in between. It's a big deal. We're talking hundreds of billions of dollars, tons and tons of stuff all managed by DLA. So when DLA says things about CMMC, there's going to be a lot of people listening.
B
Yeah. It feels like that this is one of those things where they touch just about everything, like in some way, shape or form. The 7 degrees to bacon and the Defense industrial base could be 7 degrees to DLA, right?
A
Yeah. Between the Army Corps of Engineers and DLA, we're talking about an absolute ton of people that are going to be wrestling with CMMC based off of how they zig or how they zag.
B
Wait, Army Corps of Engineers. That's. That's the other one that you were talking about that was coming out and saying, pay attention to. What was it again?
A
Absolutely.
B
What was it? Oh, oh, CMMC.
A
Yeah. The majority of stuff on SAM.gov through the end of 2025 has been all from Corps of Engineers.
B
But would you look at that?
A
What do you know? All right, so let's talk about supply classes real quick. It's just a quick overview for those of you who don't know. Supply classes are the way that the US Military categorizes goods that they procure. So this is everything from food, water, condiments like ketchup and mayonnaise. They would be things in class one, there's stuff to clothing and cleaning supplies. In class two, as it were, jet fuel and jet engines, construction materials, ammunition, missiles, medical supplies, maintenance kits. Everything that you would buy for the military that you can imagine is going to fall into these supply classes. At a high level, this gets very detailed. Each class has many subclasses, of which each of those subclasses has their own distribution requirements, corresponding DoD policies. The DoD buys a lot of stuff. They've been buying a lot of stuff. There's all kinds of crazy things that they buy, as you can imagine. So there's tons and tons of detailed information, policy, so on and so forth about all of it. Needless to say, for our purposes here, the Defense Department buys a lot of stuff. And that means there's a lot of different kinds of contractors doing a lot of different kinds of work involving a lot of different kinds of data. And some of that data might be controlled. Some of that data might be controlled at a high level. Some of that data might not be controlled at all. So that means that different DLA suppliers will experience CMMC in many different ways, depending on the type of work that you do as a contractor.
B
Yeah, I think it's. It's pretty simply laid out. Right? Like, we break these things in the classes, and the classes are kind of lay out what the goods that are within there, what's being supplied there. And maybe in the class one, you won't see as many requirements being levied because there's no risk there. Right. But when you start getting into 2 and above or there's not as much risk, I don't want to say there is none right there. There's a non zero number.
A
Yeah, that's right. Yeah. It all depends if they're buying missiles or they're buying ketchup. There's going to be different data involved, which means there's going to be different requirements. So even though CMMC gets talked about as this monolithic thing for all of DoD, as we've been saying all along, even within individual agencies or individual programs, in a company's experience over here versus a company's experience over there could be wildly different in terms of requirements, timelines, self assessment versus certification or having requirements at all. Anyways, the DLA small business website is excellent. They do a very good job of putting everything together in one spot that you'd want to see. Props to DLA. This is the way that the information should be put out from everybody in the DoD. Under the DLA Small Business Resource center website there's a cybersecurity resource page full of a bunch of helpful information. There's sections in there that talk about the foundations of CMMC, how it's laid out, what it is, why it is, the three levels of the CMMC model, steps to achieving CMMC, how CMMC will be handled between automatic versus manual awards, which if you're a DLA supplier, that has a very specific meaning to you. There's an overview of the CMMC phased rollout. There are external links to cyber resources and extra training, DAU, Project Spectrum, all the classics that you know and love. And then most importantly at the bottom, an expected CMMC level requirements broken down by individual supply classes, all on one helpful page.
B
So this is how the program applies to us, DLA, we're going to put it all on one page, we're going to break it down so it's clear as say that you know, if you're in this class, this is what's going to apply to you. And if you need some help understanding, look at all these useful links that we've supplied for you right here at your convenience. I feel like that that's just setting up your supply chain for success, right? You can't say we didn't give you, we, we didn't give you the fishing rod and the, the hook and the bait, right.
A
You know, it would be really nice if other parts of the DoD would put their information out like this. It would be really nice if the mega primes out there weren't getting dunked on by DLA federal employees in terms of the information that they're putting out. They put out a bunch of supplier notices that basically was just like, ooga booga, get ready, right? DLA is over here, like boom, boom, boom. Details, training breakdown details. Here's what we think, here's our expectation, here's timelines, bang, bang, bang, bang, bang, all in one spot. And they didn't make a big deal out of it. So we're trying to amplify it for everybody. Props to you guys. Very good way of doing it. It's excellent. Let's talk about these supply class estimates. So definitely check out the chart we've been posting about it on LinkedIn. We'll add the link below. Study the supply class that applies to you or to your clients. The DLA anticipates that 25% of its total procurements will require CMMC. Couple of notes right off the bat. That's a lot of COTS, commercial off the shelf, procurements that are exempt from CMMC. Remember, DLA buys all kinds of stuff and a lot of that stuff is going to be COTS stuff. Which means CMMC requirements, DFARS 7012 requirements don't apply to COTS requirements. It's a reason the exemption exists. Not a surprise that you know a bunch of their stuff. This CMMC program and cyber requirements won't apply to it at all because they're buying stuff that you could just go buy off of the shelf. But 25% of 150 billion or more dollars in contracts and acquisitions every year is a lot of stuff left over that's going to require CMMC.
B
Don't you think like this is beneficial for them to put out there too? Because it leaves out that guessing of hey I might get this exemption or hey, I might get this. No, we know what it's going to be and we know exactly what it is you ain't that right? Like pretty much is the way it's.
A
Now they say 25% of their total procurements, then it doesn't mean that you have a 25% chance of needing CMMC at all depending on which you do work under. So among the supply classes, the majority of the requirements are for CMMC level two self assessments. But the certification requirements vary widely. So for example, class one food and water subsistence goods, the DLA estimates that 95% of this work will be for level two CMMC self assessment. 5% will be for level two C3PAO status. You got to pay somebody to give you the certification and run through the third party assessment process. Zero percent will be for level one. So if you're a class, class one vendor, supplier or whatever, DLA is saying everyone's going to need level two, you might be able to self assess, but ain't nobody getting level one, which I find very interesting.
B
What, what? 5% of the food and water supply chain is so valuable that we want to make sure that all the secrets are upheld. That's what I want to y.
A
It's kind of funny, right? It's kind of funny because it's like when you get into the supply subclasses, there's all kinds of stuff that's buried in there. So it isn't all just like oh, this is CUI ketchup or something like that. Although I like to imagine that the condiments are all going to be CUI. There's like a reason why buried in the subclasses, this stuff is categorized as.
B
Level 1 versus it's the steak and lobster plug. They don't want to let people know.
A
Yeah, the, the, the, the, the, the sandwich orders are all going to be CUI, which is a hilarious thing because.
B
Very good joke.
A
That's a good call over categoriz in the first place. But no, level one. At class one, 95% will be level two self. So if you think you don't have to deal with level two, you're probably wrong. If you think that you're not going to need a C3PAO assessment, you might be right. But you know, everything is going to depend because in contrast, for Class 2, clothing, tools, things like that, they anticipate that only 70% would need Level 2 self assessment, but 30% will need C3PAO certification. Again, 0% CMMC Level 1. Now if you're familiar with some of the high speed clothing that like special forces operators use sometimes like the type of Velcro that they have can be classified. Right?
B
Reflective tape.
A
Oh yeah. So like some of this stuff can be pretty spooky in terms of what gives them an advantage. So not a surprise to me that some of this stuff is going to be considered controlled advantage information.
B
And I think it's worth noting here that when we say 0% level one, that means that the end result or the final highest level requirement for those contracts is going to be. You have to get Level one and that's it. By default, when you go to level 2, self and level 2, C3PAO, you must submit the level 1 right.
A
Right. Now, in contrast to both of those Class 3, which is like fuels, chemical products, industrial lubricants, things like that, they say 95 are going to be CMMC level one because they're buying gasoline. Right. They're buying jet fuel. You know, it's going to be a lot of stuff that just needs level one. They say 4% would need CMMC level two, a combination of self assessment and certification. Interestingly, they say 1% they estimate will need CMMC level 3. So maybe if you're dealing certain chemical blends, fuels, things like that, you would need up to CMMC level three. So 95 of people are going to be at level one, but 1% are going to be level three. As you can imagine, DLA buys a lot of class three stuff. So your experience even within a specific class is going to be wildly different because the difference in the world of people at level one and the difference in the world of people at level three might as well be on different planets of cybersecurity and compliance obligations. So it is not at all a guarantee that one person is going to experience the same thing with CMMC as the next person. Within agencies, within products, within industries, even within supply classes.
B
Yeah. Do you think that it would. The fuel and chemical products have more to do with. Yeah, I don't even know. Like.
A
Yeah, I mean we'd have to get into the details of the.
B
Because like there's the obvious. There has to be some foreign interaction with you to receive some of those. Right. Like, so there has to be some sort of like.
A
Yeah, I mean, I have no idea. Yeah, I have no idea. For those of you who are in the high speed area of really super cool gasoline blends and stuff, I mean, I'm very interested. I might actually go look at some of the subclasses and try to figure out maybe what they're talking. Yeah, it's very interesting, but boy is it a rabbit hole to figure out all the different edge cases and things that they buy. But at the top they said 25 will need CMMC at all. And then within individual classes, some need level one, and some of them, they say no one's going to need level one, everyone's going to need at least level two. So in general, only two of the seven classes that are listed for DLA, there's other classes that they don't have listed on the chart. Only two of the seven even mention Level one is going to be your requirement. That's a lot of CMMC Level 2 compliance, regardless of whether it's going to be self assessment or a certification requirement. So a lot of people I think on LinkedIn are saying, wow, that's a lot of self assessment requirement. My takeaway was that's not a lot of level one requirement, which is what I thought a majority of DLA procurements were going to be.
B
And you said just because of the COTS inclusion in all of the contracts, that's why you thought a majority of them are going to be like that.
A
Yeah, yeah. I thought they would just say everybody's going to need level one and a couple people are going to need level two over here. But instead they just said, you know, we don't, we're not even going to say level one, we're just going to say level two and everybody else is going to be exempt. You know these are estimates. Right. And so it's like, yeah, do I have a strong level of confidence that DLA has a perfect grasp over what is CUI? What isn't CUI, where the CUI is flowing and that it's all going to be executed exactly according to these percentages? No, but it's better than nothing and it's better than the information that anybody else is putting out. So that's something.
B
Yeah, I, I, I could see there's nothing here that stands out to me as far as like the breakdown of where self attestation and where C3PAO or self certification and C3PAO certification come in. The 90, 95 of the level one within the fuel and chemical products again makes sense just because of the commercialized nature of what that business is. Right. When you get into the other stuff, I can see in each of these individual classes where there are things that would be sensitive enough and we talked about sensitive tape, maybe chemicals that go into water systems and things like that where you would have to have those added protections. But yeah, none of this is crazy.
A
Yep, chicken nuggets in the chow hall are definitely going to be controlled for sure. If you know, you know. Alrighty. Interestingly, at the bottom of the breakdown of the supply classes, service contracts. So this is medical services, transport services, logistics equipment, etc, stuff like that. They say 1% of service contracts will be level 1, 12 will be CMMC level 2 self assessment, 73% CMMC level 2, C3PAO, quick maths. That's not 100%. 10% of service contracts for DLA are expected to require CMMC level 3. That's a lot of CMMC level 3 because DLA does a lot of service contracts. Thoughts here, Jason? CMMC level three is kind of your bread and butter here. I was. This is the part that stuck out on this breakdown chart. To me, more than anything else, more than the lack of level one, was the amount of service contracts expected to require Level 3 CMMC status.
B
Well, we started talking about some of that and so like 10, 10% of the service contracts having level three makes sense because of all of the things that they touch. We talked about all of the things that they touch. We talked about parts, we talked about supplies. Well, obviously any of those Level 3 contracts, some of the things that are on them are going to need parts and supplies. Some of them probably need high speed tape and paint and things like that. So that's because we start talking about those more defense features that make it like, you know, whiz bang. Right? Like so in this case, 10%. Actually, depending on how big the number is of contracts total. Right. I think it would be more, but that's a good estimate.
A
Yeah, absolutely. This sort of bleeds into a sneak preview of our prediction episode that comes out on the 1st. We think that CMMC level 3 is going to show up a lot earlier than the phased rollout says that it might. So be sure to tune in for that. We're usually very accurate with our predictions every year. But the big takeaway, if you're a DLA supplier, check out this webpage full of great information. Depending on the type of work you do, you could be experiencing CMMC in a very different way than your colleagues who work in other types of supply classes. Some supply classes are going to be almost all self assessment, some are going to be almost all level one. Some of them, 10% of them are going to be level three, which is a massive change from class to class. And I think this just sort of, you know, sums up our overall takeaway that we've been talking about through the year. The rollout of CMMC is not monolithic. It is not the same across every agency, every program, every contractor. It is impossible to predict individual situations from overall CMMC policy. So you got to go to your customer, in this example DLA, try to get that specific information. Luckily, if you're a DLA supplier, this information is a lot easier to get than if you're working with some others out there.
B
Yeah, I think the best advice to give based off of all of the evidence that we're seeing thus far, is that preparation is the best prevention. Right? Like, you need to be prepared. There's no other excuse for it.
A
Yeah, absolutely. All right, everybody. Merry Christmas. I hope everybody got what you wanted. I hope this information is what you wanted. And next week, we'll see you for our prediction show in the new year.
B
See you next week, folks.
A
See you.
Podcast: Sum IT Up: CMMC News Roundup
Host: Summit 7
Episode Date: December 25, 2025
In this special holiday episode, the hosts break down the newly released estimated CMMC (Cybersecurity Maturity Model Certification) requirements for Defense Logistics Agency (DLA) suppliers. They discuss what these requirements mean by supply class, highlight the transparency and organization of DLA’s communications, and tease implications for suppliers as the CMMC landscape evolves in 2026.
Class 1 (Food & Water):
Class 2 (Clothing, Tools):
Class 3 (Fuels, Chemicals):
Service Contracts (Medical/Transport/Logistics):
Memorable Quote:
"Chicken nuggets in the chow hall are definitely going to be controlled for sure. If you know, you know."
– Speaker A, (16:43)
CMMC compliance is deeply context-dependent. Not every supplier is subject to the same risk or requirements.
Only 2 of 7 classes mention Level 1 is required—Level 2 (especially self-assessment) is much more commonly required, which surprised the hosts.
DLA’s transparency praised:
“DLA is over here, like boom, boom, boom. Details, training breakdown, details. Here's what we think, here's our expectation, here's timelines, bang, bang, bang, bang, bang, all in one spot.” (07:49, Speaker A)
On unexpected Level 2 dominance:
"If you think you don't have to deal with level two, you're probably wrong..." (11:22, Speaker A)
On context of “controlled” items:
“Chicken nuggets in the chow hall are definitely going to be controlled for sure.” (16:43, Speaker A)
On why CMMC policies are not one-size-fits-all:
"It is not the same across every agency, every program, every contractor. It is impossible to predict individual situations from overall CMMC policy." (19:01, Speaker A)