A
All right, folks, it's November of 2025. The beginning of November of 2025. This is the last podcast before the start of the CMMC phased rollout. After all of this time, we are now less than a week away from the beginning of CMMC Phase 1, at which point all new DoD solicitations and contracts will have some level of CMMC requirements in them forever. It will be a new world that we all wake up in on November 10th. Just the other day I was in D.C. at an event with one of our partners, a line. It was an awesome event and I was running through a very brief timeline of the big events that have happened leading up to CMMC since 2013. And a lot of people in the audience were looking at me like I was speaking Greek and they hadn't heard these things before. And I was thinking about it when I was. We haven't really done a review of the timeline in quite a while. So this week we're going to talk about all the things that have happened since 2013 in a very abridged form. Get everybody on the same page before we all fly off the end of the bridge on the bus that can't go less than 50 miles per hour at the start of Phase 1 here. So if you don't get the movie reference, ask your parents, kids. That's what we're going to talk about this week.
B
Yeah, I mean, it makes sense that when you start talking about the deep history of how the program or why the program exists, and the things that have happened in the past, some of the people you may be talking to in audiences now aren't familiar with it, because now people are just starting to take it seriously. It comes in layers, right? The interest in the program has come in layers, based on the pre-adopters and then the people that are now being forced to adopt it because it's going to be applicable requirements, there are finalized rules. So you're just getting the fresh batch of the new audience of minds to educate. So we start this circle of life again, I guess.
A
Yeah, I mean, there are people in the audience who don't know who Katie Arrington is or who she was. They're making 6-7 jokes. And so I'm like, okay, whatever, we're just gonna start over from the beginning and we'll get everybody caught up here. So we'll do the very brief version. We'll link to the history of CMMC video that we did all the way back in 2021, which is crazy to think about, if you want more of the details. But we'll just jump right into it and we can go from there. Okay, so DFARS clause 252.204-7012, the center of gravity for cyber requirements for defense contractors that all of this other stuff orbits around. We did an entire podcast explaining DFARS 7012 and the other DFARS cyber clauses in what we call the DFARS cyber series. So check those out below if you want to get familiar with the nitty-gritty details of the clause. That clause was created for the first time in 2013. So a couple things here. First of all, before 2013, defense contractors didn't have any explicit cybersecurity requirements in their contracts at all, which is kind of insane to think about. Right. And so it wasn't until 2013 that there was an actual contract clause that said when you handle our data, you have to do cybersecurity requirements, and you have to do these cybersecurity requirements specifically. A lot of people think that DFARS 7012 was created in 2016. It's not true. It was created in 2013. An interesting note about the 2013 rule is that 800-171 didn't exist yet. At the time, NARA was still in the middle of trying to create the federal CUI program. One of the tenets of the federal CUI program was a standardized set, a standard baseline of cybersecurity requirements across the federal government and across the federal government's suppliers and contractors. So at the time, in 2013, the DoD pulled cybersecurity controls from NIST SP 800-53, because that's the standardized catalog where you would get security controls from.
So if you're watching the video, you can see the table that is in the 2013 rule where they lay out 59 controls from 800-53. You'll be happy to know that many of these controls are still in the baseline that contractors have to this day, because the requirements in NIST SP 800-171 are derived from controls in NIST SP 800-53. So many of the things that people are being asked to prove they have implemented today are literally the same requirements they've had since 2013, which is a fun little factoid that people are not always familiar with.
B
Yeah. So in 2013, let's just take a stab at trying to get this moving, trying to protect this data. Let's pull out these things, and like many things, it was not great at the original onset and it's improved over time. Right.
A
That's why there's some good stuff. There's some stuff in there that you don't need. There's not a lot of controls. 59 controls is not a lot. But like I said, there's some evergreen stuff in there. Right. Least privilege, you know, things like that have been the same concept for 30 years now. Right. So they're not really going to change a lot in terms of what they're asking for. But those requirements existed in 2013. DFARS 7012 was created in 2013. This goes back a lot farther than people think. It certainly goes back farther than 2020, when a lot of people heard about cyber requirements in contracts for the first time when CMMC 1.0 was announced. But the thing to know here is that there was no verification mechanism. They put this clause into people's contracts and they never asked for proof that any of these things were being done. Right. Which is a common theme over the years of the government being very naive about whether people would be doing these things. There is no audit mechanism, third-party verification, explicit requirement to prove that you're doing this before you get the controlled data, which is a fatal flaw that the DoD is going to be trying to deal with in subsequent revisions up until we get to November 10th of 2025, 12 years later. So anyways, we got this clause in 2013. It's in people's contracts. By virtue of accepting the contract clause and getting the work, you are telling the government that you are implementing these requirements. Government doesn't ask, people don't tell. Everybody goes about their business. Everybody lives happily ever after until 2015, a couple years later, when the Office of Personnel Management experienced one of the largest, well, at the time the largest, compromise of the federal government's information systems in history. Right. This would be rivaled only by, like, SolarWinds a couple years ago. Right. But at the time, this was it. This was the biggest one ever.
This was part of a larger campaign by the Chinese Ministry of State Security to compromise, I think it was the Star group of hotels, some health insurance companies for their data, and the OPM database of folks with clearances. With those three data sets, they were able to triangulate the identities of American spies in mainland China, which is pretty incredible. A lot of people listening to this, basically every audience I've ever told this story to, still have identity monitoring to this day because of the fact that OPM got whacked. That was a big problem, because the requirements that are in contracts for people running cloud systems and dealing with sensitive but unclassified information like clearance data weren't really covered very well with that 2013 contract clause. This was so effective that the Director of National Security at the time, James Clapper, basically gave the Chinese their props, being like, that was pretty legit. If we would have had the opportunity to do that, we would have 100% done the same thing. So, you know, game respects game. You know what I mean? So the OPM thing was 100% real, and it triggered a, you know, a panic response, essentially, with revising cyber requirements for defense contractors.
B
But isn't that the norm? Right. The way that the government works, especially when it comes to cyber, is it has to be a major event for them to react to, to show that we're doing something.
A
Even the 2013 rule was not something the DoD just woke up one day and thought, boy, that sure would be cool if we did that. It was triggered by a series of, you know, system compromises back in, like, 2010. So even slightly earlier, it's always in response to something bad happening.
B
Yeah, use the football analogy. The defensive coordinator goes out, the team gives up 500 yards and loses by 30. Like, yeah, we need to focus on coverage or press coverage or whatever it is. I mean, that's exactly what this is. But it was very impressive, and give credit where credit's due. But what improvements happened? Right?
A
Like, yeah, so we had the 2013 clause, massive compromise in 2015. And so people are basically like, what can we do here? Like, what tools do we have? What do we need to do to do something? Right? Somebody do something. So after the 2015 compromise, there's an interim final rule that revises DFARS clause 252.204-7012. And remember, if you've been listening to the podcast for a while, interim rules are a big deal because they don't go through the normal rulemaking process, where they propose changes to regulations, they get public comments, then they revise things based off those public comments, then they publish a final rule, and then the rule goes into effect. Right? They just issue a regulation without any public comment whatsoever, and it immediately goes into effect. So those are very rare. They're very difficult to get approved. But this was after a massive national security incident, and so they get approval for an interim final rule, and they revised DFARS clause 7012 to now include cloud security requirements, which is where we get FedRAMP Moderate equivalency and all these sorts of ideas. They also revise it to point to the requirements in NIST SP 800-171 rather than a selected set of controls from NIST SP 800-53, because by this time, NARA had started to get their hands around what the federal CUI program was going to be. And so they replaced that original table of requirements from the 2013 clause with the requirements in 800-171 in the 2015 clause. Interesting note here. This rule in 2015 doesn't say anything about December 31, 2017. The deadline to implement NIST SP 800-171 was December 31 of 2017. Right? I mean, that's what we all learn in school and we're going through CCP and CCA and all that other stuff. This rule in 2015 doesn't say that. Right.
The original deadline to comply with the version of DFARS 7012 that we know today was August 26th of 2015, when this interim rule came out. So where did we get. Obviously, you know, we just had this massive OPM hack. You just had this massive emergency. They're not going to give you two years to implement requirements that they need to stem the bleeding on right now. So how did this happen? How did we go from, oh my God, revise the rule right now, everybody implement things right now, to a deadline for implementation in December of 2017 later on?
B
It's got to be oversight. It just seems like oversight, right? Like, you don't realize that you have to think about something until a problem arises. You have to think about something. It seems like it's reactionary again. Yeah, it seems like the rule went into place and they're like, oh, this might have been a bad idea to start this all at once.
A
Well, so the thing was, the industry freaked out, right? They freaked out. They were like, oh my God, we have new requirements. We got this immediate deadline, we need more time. We need more time. And so they petitioned and sent in comments on this interim final rule to DoD that said we need more time to implement things. Interesting note. Even though you had 59 controls in 2013 and now you have 110 requirements in 2015, the actual amount of stuff to do under the hood is less in 800-171 than it was in 2013, because all the assessment objectives that you have to cover for those 59 controls in 2013 are way bigger than the 320 assessment objectives that you have in 800-171. So even though you have fewer things to do, two years after DFARS 7012 was created, industry went to DoD and said, we need more time. Sound familiar? And so they had a meeting. They had a public meeting in December of 2015. It's public record. I have never met anybody who was at that meeting. But they said they had almost 100 people or 100 companies represented at this meeting in 2015. And they decided that they were going to issue an update to the 2015 rule. It came out in October of 2016. And this rule said, you have until December 31st of 2017 to implement these requirements. So on the heels of a national security emergency, we get a rule in 2013 that says, here are your requirements. On the heels of another national security emergency two years later, they say, here's a smaller set of requirements, but do them immediately. And everybody said, no, we need more time. So then they say, okay, you get 14 months. After waiting a year to implement these requirements, now you have to have all the requirements implemented. And then that's the version of DFARS 7012 that we know and love today. It hasn't changed since this 2016 deadline to comply with that version of DFARS 7012.
So there was a huge extension of time granted to industry from the DoD to comply with the same version of the clause that we have as we're talking right now, with the same set of NIST requirements that they've had, as we're talking right now. Nothing has changed since that point. So after this clause came out. Oh, what's up?
B
Oh, no, I was just going to say the one thing to point out there is that the extension was granted because there was a justifiable reason, even though it was less to do. Right. Like, than the 53 controls, when they issued the 171 controls, even though it was less to do there, it still was a change in format from this framework to this framework.
A
Yeah.
B
I mean, so you can see that argument coming in.
A
Yeah.
B
Now, when you say, I have these new requirements, technically, you're saying, for 12 years.
A
Right.
B
These requirements.
A
Right. It's not right. The requirements haven't changed. Yeah. So even though requirements are smaller and a bunch of the requirements are derived from the things you were already doing, everybody came back and said, we need a lot more time. And the DoD was like, okay, so how about an extra, you know, by the time they were able to get the update to the rule out, it had been over a year. And then they gave people another 14 months.
B
How do you think that those 53 controls would have turned out if that's what they would have stuck with? Like, if here we are 12 years later with that set of 53 controls, and people are like, gotta implement this. And they're trying to depict 53 instead of 171, which is child's play in comparison.
A
I mean, yeah, so, you know, we've got these extensions and we've got a step down from the 2013 baseline. You know, either way, the takeaway for this one is there still isn't a mechanism for verification. There still isn't a third-party audit mechanism, which you would have thought that the DoD would have, you know, the light bulb would have gone off, because you had the requirements in 2013. Then you demand that everybody implements a smaller set of requirements. They all told you they weren't doing it. So maybe they would have been like, geez, we should probably, you know, have people prove it. But then in 2018, NIST, NARA, DoD all get together, they have this big industry day set of presentations on the revised DFARS 7012 and the federal CUI program. And this is sort of the height of NARA's power at the time, which we've done episodes on after people have left NARA and then retired from the government about how much they hated this process, which is all very interesting information. If you're interested, we'll link it below. But someone in the audience, and they didn't say their name in the recordings, I wish I knew who this person was. Someone in the audience in 2018 was like, this all sounds great, but there's no requirement to prove that anyone's doing this. Like, aren't you going to ask people to prove that they're doing this? And the DoD and NARA were very adamant that they did not want to have a verification mechanism whatsoever. Gus Guissanie, one of the authors of NIST SP 800-171, he's been there. He was the guy who started the rulemaking process in 2010 that gave us DFARS 7012 in 2013. He still works in the DoD to this day. And this is the OG Gandalf of this entire world. And he was very colorful in his language, which I had to censor on this quote, where he's like, the department does not want to have a cottage industry of non-value-added bleep. We had experience with third-party assessments before and it has not worked out well.
That was his response to the question. Then Devin Casey, friend of the show, said he was the guy who wrote the 2016 NARA CUI rule. So this was the guy at NARA. He said that we don't want to have third-party audits for 800-171 as a general, you know, policy across the government, not just for DoD, because the businesses have the cybersecurity knowledge and the ability to protect their proprietary information because they've already been doing so for years. Whoops, sorry Devin, you missed on that one. Holy airball, as the kids might say. They said we don't want to introduce a middleman certification between industry and the government about compliance where it's not absolutely necessary. So after 2013, and they know people weren't doing it, and after an emergency, and then people ask for more time, now five years later they go, we do not want to have third-party assessments unless it's absolutely necessary. So kids at home, do you know what happened after this?
B
Well, this is, hold on. This is three years after the biggest breach, like the OPM breach and all that. And they're still saying, we still feel as though they are adequately protecting this. We don't need third-party verification.
A
Right. And there's even another session, I don't have the quotes up here. There's another session where they're talking about FedRAMP equivalency, where they basically said this OPM hack was a direct result of people putting sensitive data in the cloud without any controls whatsoever. But we don't want to cut industry out of using cloud-based services. So if you're going to put our data in the cloud, this clause is telling you that it has to be at least equivalent to FedRAMP Moderate. So pinky promise that you're going to put it into something that has some controls around it. And as we all know, that definitely didn't happen. So they go through this whole rigmarole, rulemaking extensions, blah blah blah. We absolutely do not under any circumstances want third-party assessments on Windows unless it's absolutely necessary. And sure enough, a couple years later, another massive national security emergency directly stemming from the compromise of contractors' unclassified systems. This time it was primarily, in addition to F-35 and F-22, the Sea Dragon program. The Sea Dragon program is a submarine-launched hypersonic anti-ship missile, and the Chinese navy has the largest submarine fleet on the planet. Because when they try to take over Taiwan, the only way that the United States is going to be able to prevent that is with a carrier strike group. And if you have a bunch of submarines with anti-ship hypersonic submarine-launched missiles, you can't get the strike group close enough to Taiwan to keep them from taking over the chip factories. So we lose. Which means that the government was ultra pissed when they found out that this super important program got handed to the exact set of people that we do not want to have this capability. So the best summary of the tone and the attitude of the government towards this discovery came from a 2019 interview with Major General Murphy.
This was the guy appointed directly by, at the time, Secretary of Defense Mattis to be in charge of what was known as the Protecting Critical Technology Task Force. Sea Dragon gets whacked. SecDef says you're in charge of figuring out how to prevent this from ever happening again. He goes out and gives an exclusive interview with Breaking Defense. And this dude was not playing around. He was not mincing words. He was basically like, if you don't do these requirements, we don't want to do business with you. If you want to be a liability to the lethality of the joint force, get out. Right? We're going to take your house, we're going to take your kids, we're going to take your contracts. You're not working with us anymore, period. Because we have been set back massively from a strategic perspective directly as a result of this compromise. That could have been mitigated, maybe entirely, if you had just been doing the basic cybersecurity requirements that have been in the contracts for years that you said you were doing, right? So they were justifiably and understandably extremely angry. So if you're watching the video, you can see some of the quotes that I pulled out of the interview, but definitely check it out. I'll link it in the show notes below. You can read it for yourself. A lot of people at this time associated Katie Arrington with being a crazy person because she was going out and at events talking like this, right? She was getting in people's faces and getting super pissed and people really didn't like it. I tell people all the time she was mimicking what the Protecting Critical Technology Task Force and Secretary Mattis were saying on their own. It's just that they weren't the ones out in public saying it. So everybody associated it with this crazy lady. And it was not just her, right? It was not just a Katie thing. The entire DoD was up in arms over the fact that this happened.
She was just repeating the same things that guys like this were saying on the inside of the building.
B
Yeah. It's the loss of something very critical from the defense sector because people weren't doing what they said they were doing, but what we were paying them to do.
A
Yeah.
B
No wonder people had the perspective in which they had. It's weird to see, you know, people say that this is too difficult and this is going to limit the barrier of entry for organizations to come in, when six years ago, you see the person that was in charge of the task force kind of pushing this even harder, saying that if this isn't what you want to do, we don't want to do business with you.
A
Yeah, I mean, his line right here says, I would rather have this be a conversation than an explicit direction. But unfortunately, as we've seen over the years, if there's no repercussions to not having security, there's no incentive to have it. Which is exactly what I've been telling people for years, is that if there's no consequences, people don't do the requirements. It's been proven over and over and over again. The DoD knows it. Everybody else knows it. You talk to people all the time, no judgment. No judgment, but they're like, yeah, when it's in my contracts, then I'll worry about it. It's exactly what he's talking about in this interview in 2019. Right. Which goes back years and years and years. So there's an IG report that looks into contractors and whether or not they have implemented these requirements, directly as a result of the Sea Dragon compromise. The IG report is really bad. They find out that not only were contractors not implementing their requirements, the contracting officers never once asked contractors whether they were implementing the requirements, because there was no incentive or consequence for them to do it. There was no incentive or consequence for the contractors to do it. So no one's paying attention. And then the department and the program and the American taxpayer gets totally screwed. Right. So the Senate Armed Services Committee hears about what happened. Obviously, they read the IG report, obviously. And then in the FY20 NDAA, they put in an explicit provision that says, you are going to create a framework that is going to hold contractors accountable and make them prove that they are implementing the requirements that are in their contracts. They had a report that accompanied the FY20 NDAA where they just talked about this one issue. They said, we believe that the prime contractors need to be held responsible and accountable for securing Department of Defense technology and sensitive information.
And this is all an important first step. This is not the end goal. This is the first step towards cleaning up cybersecurity in the supply chain, which is helpful to remember in the grand scheme of things. We just talked about changes to the CPAR system on the podcast a little while ago. It's just the first step, right?
B
Is it the first step, though?
A
Well, we've had some other steps. At the time, this was intended to be the first step, but either way, so.
B
No, I mean, but before that, you got to think about it. They had the 53 controls and they had the 171 controls. They had that breakdown, this breach, that breach. I think that those were the first couple steps. Now this is the first step, right? Like, first step towards making a program.
A
Yeah. First step towards making people prove it. So in the FY20 NDAA, section 1648 is the explicit provision that says you will create a framework to make contractors prove that they are doing their cyber requirements. Which is why when you read the CMMC final rules at 32 CFR and 48 CFR, at the very top, under legal justification, it lists section 1648, FY20 NDAA. The government, the DoD, made the rules because Congress told them to. Right? And Congress told them to because the DoD and the taxpayer and American national security took a massive hit, you know, in 2017, 2018 with Sea Dragon. So every time over the years, people have said, well, certainly Congress is going to annihilate, they're going to nuke CMMC from space. You're like, please scroll back to chapter one and read the legal justification for where this came from. Congress is the one who asked for it. So, no, Congress is not going to turn around and say, we don't need that. Especially when most of the people on the Senate Armed Services Committee are still on the Armed Services Committee that were serving back when they wrote this legislation.
B
No chance. No chance of that.
A
Fun fact, right? So this is why I always have this quote that we've put out here for years where I'm saying CMMC is different from the requirements that it's verifying, because everybody heard about this in 2020 for the first time. And so they said, CMMC is making me do the requirements. You're like, no, no, no. It's making sure you did the requirements. Right. It stems from Congress asking for proof that companies are implementing the things already in their contracts. It's not making you do anything new. It's making sure that you did those things.
B
I don't know if you've technically done this right. If you put up a slide where you quote yourself, don't you just say it? And then you technically, like, I've never seen this happen before.
A
Yeah, I know. It's. Listen, it's.
B
That point aside. November 7, 2024. I can swear that I've heard you say that before then. We've known each other quite a long time.
A
Yeah.
B
This has been the line. This has been your go to line. And people are like, I still don't get what you mean. Six years ago.
A
Yeah, I mean, this is the thing. It is a program that verifies requirements. It's not the thing that imposes the requirements. Which is why people can often see me having a complete meltdown on LinkedIn every few weeks when people go, the CMMC requirements, CMMC is costing me $150,000. It's not correct. CMMC is the cost of your assessment.
B
You folks on LinkedIn have got this.
A
Man quoting himself. Quoting myself, my hair fell out. Thanks a lot. Thanks a lot, everybody. So that's where it all came from. Right? So then, sure enough, in 2020, we get the CMMC 1.0 rule. It's an interim final rule. So now we have had two interim final rules in a row because this is such a dire situation, right? So clearly people outside of the DoD, outside of the Senate Armed Services Committee, the people at OMB, who are very detached from these issues, have viewed this situation and been like, this is a national security problem, have another interim final rule. Which is crazy to say, that we've had two interim final rules to fix the same problem, which, you know, gives you an idea of the gravity of the situation at the time. It is not easy to get interim final rules. Unfortunately, this interim final rule came out right at the end of the first Trump administration. Right. This came out in 2020. And as we all know, what happens? What happens, everybody? We were just talking about this in January. This is what everybody was saying on LinkedIn. When there's a new administration, there's going to be what? There's going to be a freeze on rulemaking and there's going to be a review of programs and there's going to be a change in priorities and there's going to be a change in personnel and CMMC is going to be doomed. Right. Well, nobody was saying that in 2021. We all said it this year because we felt like CMMC was going to be a real thing. But it happens under every administration. So we go through all of 2021 and we don't hear anything. Katie Arrington gets run out of town, as many political appointees do when administrations change. They're doing a review of the program for nine months, as many controversial programs do. But remember, we've had two interim final rules in a row. We know contractors aren't doing the requirements. We know contracting officers aren't asking for proof of the requirements. Congress is pissed. DoD is pissed.
Like, it's a very clear-cut situation. We couldn't possibly decide to deviate from this issue, right? So at the end of 2021, the DoD comes out and they say, we got a great idea. We're going to do CMMC 2.0 and we're going to do more rulemaking. Couple things. One, this is the point in time where people turn their brains off. And they said, CMMC isn't happening because the DoD said it's going to take us up to two years to complete new rulemaking. And they were like, it got delayed. It's another two years, it's never going to happen. Right. The trick was that when they said we're going to do an additional rule, rather than just a 48 CFR rule we're going to do a 32 CFR rule, that's when I, reading this at the time like everybody else, was like, oh, it's over. Like, this is an inevitability at this point, because the government is not going to undertake the bureaucratic cost of modifying Title 32 of the Code of Federal Regulations unless they actually care about this situation. And this was a new administration, politically, this is not a political show, but politically, a diametrically opposed administration from the previous one. And they picked up this program, which was deeply unpopular, and doubled down on it and said, we're going to do a second rule. So at that point I was like, batten down the hatches, everybody, because it might be nine months, it might be 24 months, it might be 36 months, but it's going to happen. Because you don't commit to this arduous rulemaking process unless you're super serious about this being a real thing. But as we all know, when they heard that there was a delay, when they heard that there was going to be rulemaking, whatever the heck that is, it's going to be two years, people stopped worrying about it, right? And that was, you know, the DoD stopped talking about it. Katie Arrington went away, Major General Murphy retired. Secretary Mattis is no longer in the government.
And it just wasn't a thing they were getting in people's faces about anymore. And so it wasn't the big priority, wasn't the big boogeyman that it used to be.
B
Well, I mean, you said some of the, you said a majority of the people in those subcommittees that were pushing this back in the day still exist on the same subcommittee.
A
Sure.
B
So, like, I'm sure that those were the voices in the back end that were pushing it. It's just that there was no publicly facing voices pushing it because that's not where it was. We're not going to pop in circumstances during that administration, I guess.
A
Yeah. Now, at the time, at the time, a lot of people will remember there was another head fake that happened because they said, we're going to do this rulemaking and we think that it's going to go into contracts in the spring of 2023. Right. Stacy was out there saying it. Buddy D's was out there saying it. John Ellis was out there saying it. Everybody in the government was saying, we're going to get an interim final rule. It's going to be in contracts in the spring of 2023, which would make sense because we got an interim final rule in 2015. We got an interim final rule in 2020. The problem is still not fixed. And so we're going to get an interim final rule to finally get this thing up and running. Right. We wouldn't possibly. The, the national security situation hasn't been fixed. If anything, it's only gotten worse since those interim final rules. The DoD was expecting an interim final rule. And for reasons that I have still not been able to find out for sure, but at this point can only blame on actual politics, OMB decided that this 32 CFR rule did not merit interim final status. It was going to have to go through the standard rulemaking process of proposed, comments, final and then effective, at which point there was this long delay in 2023. And instead of going into effect as an interim final rule in the spring, we didn't get the proposed rule until December of 2023. And that's when people were like, it's definitely not happening. Right. Because you got told it's a big deal, it's a big deal, it's a big deal. You don't hear anything about it through 2021. Now all of a sudden, it's a big deal. Boom. We're getting ready to start. End of 2022, beginning of 2023. All of a sudden it's not a big deal anymore. Right? What, what person paying attention to this, to any degree, would take this super seriously when they heard that? Right. Clearly it's like, you wouldn't. I can't blame anybody for being like, this isn't gonna happen.
Like you keep saying this is gonna happen. It keeps getting pushed off.
B
Yeah. But then it's the creation of a new program. Like at some point, like the, the arguing back and forth, somebody makes some sense and they're like, you're right, we should change that. So wouldn't it be more appreciation for, as John Sherman said, what is it? Measuring twice, cutting once. Right. Like, it wasn't that the approach that was being.
A
Meanwhile. Yeah, meanwhile. Right. Meanwhile. This is just the program to prove that you're doing the requirements. The requirements are still in DFARS 7012.
B
This entire time, and nobody's implementing the requirements.
A
People are uploading SPRS scores this entire time. And DIBCAC is going around spot checking people. And as they've told us in their presentations, every time DIBCAC would show up to do an assessment of somebody with a perfect score, the score would be off by like 100 points. And then DoD can see people's POA&M dates in SPRS. And people would put in like meme dates. They would put in that they were going to finish their POA&M in like the year 2100. They were going to finish their POA&M in the year 2399. As if the DoD can't see what you're putting in in SPRS. So take all the anger that DoD had prior to this happening, and then people are just trolling them in SPRS. They've got results from DIBCAC audits. They clearly want the interim final rule. DoD, your customer, wants this interim final rule, and they get denied by OMB. Ultimately, as far as I can tell, that was just politics for whatever reason, but it set the program back. And we didn't get the proposed rule until the end of 2023.
B
It would have been interim. Like the first one. If there was an event close enough to where the, the wounds still were sore. Right.
A
It would have been, yeah, it would have been an interim final rule if anybody with a brain weren't playing politics. One day I will find out who it was in OMB who made that decision. But like a lot of the decisions that the bureaucracy makes, it might not have been one person. Right. It could have been a lot of reasons, but when you zoom out and you look at this timeline of events, it doesn't make any sense. It does not make any sense why we would have gotten a proposed rule. But that's what we got. So we got the proposed rule in December of 2023. We didn't get the final 32 CFR rule until October of 2024. It went into effect in December of 2024. And that was the start of what we called the market rollout, so people could go get their official CMMC assessments years after the Senate Armed Services Committee asked for this thing to happen. But DoD wasn't able to require it in contracts because you had to have the updated 48 CFR rule to update the clause language for DFARS clause 252.204-7021 to say, you need this CMMC status level. We got that final rule in September of 2025. And now on November 10th of 2025, we will finally see the first set of official CMMC status requirements in contracts. Years after the 2020 rule came out, years after the Sea Dragon compromise, years after the 2016 revision resulting from the OPM hack, and over 10 years after DFARS 7012 was originally created in 2013. That's why the CMMC program exists. That's why it hasn't gotten derailed. It has transcended multiple administrations. It has stemmed from Congress. It has transcended multiple Secretaries of Defense. It is the real deal. It is the thing that the DoD cares about. So if you've only been hearing about CMMC and you think it's a new thing in 2025 or 2026, it's not true. If you think that it just popped out of nowhere in 2020, it's not true.
And a lot of the things that you hear about, rumors about it potentially going away or getting modified or changed, are easily refuted if you just know a little bit about the backstory of how we got here. So there you go. That's the story up until now.
B
I still am slightly afraid that I'm going to go to sleep on November 9th and I'm going to wake up and it's going to be sunny and Cher's "I Got You Babe" is on the radio. And it's November 9th again. We're never going to get to November 10th, man.
A
Yeah, so. So there you go. Who knows? Because after November 10th, it's not like this timeline is gonna end. It's not like, you know, we're done, you know, forever. We still got 32 CFR revisions in the future under CMMC 3.0 and 4.0, we've got NIST SP 800-171 Rev 3 and Rev 4 and Rev 5. We've got 800-172 Rev 3 and Rev 4 and Rev 5 and who knows what other cybersecurity requirements are going to be included. DFARS 7012 revisions one day are on the docket to eventually happen as well. So all of these things will continue to expand, all these things will continue to change via rulemaking. But there will no longer be this long slog and purgatory of waiting for the DoD to be allowed to have it in contracts, because they've been more than justified in needing it in contracts for a long time now. So there you go. Tell your friends. That's the story. Maybe we'll recap it. It'll be like. It'll be like Christmas carols. Every year on November 10th. We all remember the history of how we got here, right?
B
Gather around, kids. Let me tell you about the story.
A
Gather around, everybody. All right, this is the last podcast, dude. The last podcast before the phase rollout. So after this it'll be post phased rollout podcast, which, you know, nothing's really going to be all that different. We're still going to be doing our thing, but, you know, it's kind of symbolic. We've been trying to raise awareness about this problem to anybody who would listen before CMMC was ever a contract requirement. So it's kind of crazy to think we've been doing this show for years now and, you know, nothing's really happened yet. And now here we are.
B
So let's see what happens, man.
A
Let's see what happens. Alrighty. We'll see you guys on the other side. We'll see you next week.
B
See you next week.
Sum IT Up: CMMC News Roundup
Host: Summit 7
Date: November 6, 2025
In this episode, Summit 7 hosts provide a comprehensive, fast-paced timeline recap of the events leading to the imminent phased rollout of the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) requirements. As CMMC Phase 1 becomes active on November 10, 2025, the hosts take listeners through over a decade of policy development, security breaches, compliance failures, and regulatory evolution. The episode’s core aim: to clarify the longstanding roots of CMMC and emphasize its inevitability, amidst recurring industry confusion and shifting regulatory winds.
Notable Quote:
"They put this clause into people's contracts and they never asked for proof that any of these things were being done... a fatal flaw that the DoD is going to be trying to deal with in subsequent revisions up until we get to November 10th of 2025, 12 years later." (A, 04:58)
Memorable Analogy:
"The way that the government works, especially when it comes to cyber, is it has to be a major event for them to react to, to show that we're doing something." (B, 08:23)
Audience Member at 2018 Industry Day:
"This all sounds great, but there's no requirement to prove that anyone's doing this. Aren't you going to ask people to prove that they're doing this?" (A, 15:36)
Notable Quote:
"We don't want to introduce a middleman certification between industry and the government about compliance where it's not absolutely necessary." (A, 16:49)
Host’s Clarification:
"CMMC is different from the requirements that it's verifying... it's making sure you did the requirements." (A, 26:56)
Notable Quote:
"It has transcended multiple administrations. It has stemmed from Congress. It has transcended multiple Secretaries of Defense. It is the real deal. It is the thing that the DoD cares about." (A, 37:03)
Final Reflection:
"Maybe we'll recap it—like Christmas carols—every year on November 10th, we all remember the history of how we got here, right?" (A, 39:15)
| Timestamp | Speaker | Quote |
|-----------|---------|-------|
| 02:58 | A | "Before 2013, defense contractors didn't have any explicit cybersecurity requirements in their contracts at all, which is kind of insane to think about." |
| 04:58 | A | "...they never asked for proof that any of these things were being done right. Which is a common theme over the years of the government being very naive..." |
| 08:23 | B | "The way that the government works... it has to be a major event for them to react to, to show that we're doing something." |
| 16:49 | A (Gus Guissanie paraphrase) | "...the department does not want to have a cottage industry of non value added [bleep]... experience with third party assessments before and it has not worked out well." |
| 21:00 | A (Maj. Gen. Murphy) | "If you don't do these requirements, we don't want to do business with you... We're going to take your house, we're going to take your kids, we're going to take your contracts." |
| 26:56 | A | "CMMC is different from the requirements that it's verifying... it's making sure you did the requirements." |
| 28:15 | A | "CMMC is the cost of your assessment." |
| 37:03 | A | "...It has transcended multiple administrations... It is the real deal. It is the thing that the DoD cares about." |
| 39:15 | A | "Maybe we'll recap it... every year on November 10th. We all remember the history of how we got here, right?" |
The episode is fast, simultaneously analytical and irreverent, using sarcasm and pop culture references (“ask your parents, kids”; “bus that can't go under 50 mph”; “quoting myself, my hair fell out”) to make a year-by-year regulatory slog feel engaging. The hosts’ underlying message: the CMMC has been a long time coming, is not going away, and is rooted in repeated failures of voluntary compliance. For government contractors, "read the timeline," accept reality, and get ready—there will be no further extensions or excuses.
“CMMC Timeline Refresher” is an essential, user-friendly historical primer for anyone confused by the CMMC’s roots or timeline. Both new and veteran members of the Defense Industrial Base will benefit from this chronicle of false starts, breaches, dead ends, and eventual resolve. It’s also a useful reality check: CMMC is not a fleeting regulatory fad, but a long-anticipated evolution in federal cybersecurity accountability.
For further details, check linked resources mentioned in the episode such as the full CMMC history video or the interview with Maj. Gen. Murphy.