
A
Alrighty folks, it is September of 2025 and we are currently on rulemaking watch pending the publication of the 48 CFR CMMC final rule. The reason that's important is that when that rule goes into effect, it will start the CMMC phased rollout. DoD is going to put CMMC certification and assessment requirements into contracts in phases of 12 months at a time until they're in all contracts and solicitations. And the big question is, will there be level two certification assessments or not in the first 12 months? Phase one of this phased rollout. A lot of people have heard or have convinced themselves that they will not be asked to do anything other than a level 2 self assessment for those first 12 months. We are going to go through the three pieces of policy that explain what the phased rollout will look like and you can decide for yourself because that's not how I read the policy and I would feel very guilty if I led someone to a conclusion and they ended up holding the bag, if you will, and needing to get a level two certification assessment. So we'll walk through it, we'll read it together, you can go read it on your own and then you can make up your mind about whether you think level two certification assessments will happen in phase one or not. Daniel, you hear this all the time. I mean, you hear this all the.
B
Time, all the time this morning. So just for reference, talking to a large defense manufacturer and I'm on the phone with them or talking about building out a solution with them and they're like, you know, but do we really need this? I mean we can kind of like self-attest for like the first year. And I just want to be very clear when people say self-attest. I think it's the same requirements as SPRS and just put a score in. It's like different rules of engagement here. Like either perfect score we've even talked about, I think there's even conditional capabilities even on your s, you know, your updated SPRS score. But like you can't just put like a 50 and still win contracts in a self CMMC world. So if you just put that on the shelf for a second, and we're going to talk about it a lot today, but there's a very strong case to be made to say that the word discretion that pops up a lot in these documents we're about to look over. We think the DoD has actually defined that internally and people's behavior is typically to lean more restrictive little CYA coverage here. And yeah, but I talk to people every day, Jacob. That. And you're on these calls like every day. They're saying, oh, I can just self-attest for the first year. I can just self-attest. Like, I don't actually have to really, like, be done with CMMC is kind of more of the vibe that I get. And it's just like, no, you kind of have to be done with CMMC and you actually might have to certify. So let's jump in it.
A
I'm.
B
I'm curious to see where this journey.
A
Takes us, my friend. Yeah, absolutely. Absolutely. Okay, so we're going to talk about the relevant portions from three pieces of policy. We're going to talk about 32 CFR 170, the program rule that went into effect at the end of 2024. We're going to talk about clarifying guidance in a DoD memo that was released in January of 2025. And then we're going to talk about yet another clarifying DoD memo that clarifies that guidance that came out in July of 2025. So December policy, January memo, July memo, and now we're here in September of 2025 and everybody has decided that there will only be self assessments in the first 12 months. So let's dive into it and, and then you can decide whether you want to take that bet or not. Okay, so rewind. December of 2024. December 16th of 2024, the CMMC program Rule officially went into effect. And the relevant portion of that rule is Title 32 or. Yeah, so Title 32 in the CMMC program rule. So we're talking Section 170.33, paragraph E. So that's the part of the rule that we're talking about. It's called applicability. And in 170.3, paragraph E, it says DoD is utilizing a phased approach for the inclusion of the CMMC program requirements in solicitations and contracts, otherwise known as the phased rollout. Implementation of the CMMC program requirements will occur over four phases. Here we're very focused on the first phase, the first 12 months. They say that phase one begins on the effective date of the complementary 48 CFR CMMC acquisition final Rule. That's what we're currently waiting on. Now In September of 2025, the final rule to get published and go into effect and trigger the start of phase one, just like we knew would happen back in December. They go on to say DoD intends to include the requirement for CMMC Statuses of Level 1 Self Assessment or Level 2 Self Assessment for all applicable DoD solicitations and contracts as a condition of contract award. Wonderful. 
For those contracts where that is the applicable requirement, level one, which are self assessments, Level two self assessments. There you go. But they go on to say DoD may, at its discretion, include the requirement for CMMC status of level 2 C3PAO, an external third party certification of your CMMC level 2 status, in place of level 2 self assessment for applicable DoD solicitations and contracts. This is the first big one. What does discretion mean and how much do they have and when will they use it and why? What does that mean? We keyed in on this on our 32 CFR Final Rule webinar in January. Before this memo came out, we were like, alert, alert, alert. What does that mean? They are giving them the opening to exercise their discretion for applicable DoD solicitations and contracts. What does applicable mean? How do we know what it's going to apply to or not? At the time when this rule came out, we didn't have clarifying guidance. So they were big question marks. They go on to describe phase two, one calendar year after the effective date, and they say that's going to begin phase two. And in addition to these phase one requirements, the DoD intends to include the requirements for level two certifications for applicable DoD solicitations and contracts as a condition of award. So 12 months after the 48 CFR final rule comes out, there will be level two certification assessments. That's not up for debate. But that first 12 months, will there or will there not be level 2 certification assessments based off just the text of 32 CFR 170.3, paragraph E? There is no policy guidance that says there will only be self assessments. It's very important to remember before we start talking about the memo. Does that make sense? Am I, am I taking crazy pills?
B
It makes sense because if it's one of those things where like, the DOD needs an out, I mean, think golden dome, right? It's like there are going to be very sensitive projects out there that are going to have to require more stringent requirements due to the nature of the work, and the DoD wants to be able to elevate it to a certification status early. Yeah, I get that. The biggest problem I have, I know we'll get into this later on, is number one, they don't actually define what discretion is in here. Again, even that they leave at discretion. Right? But they also don't even say who can make the call, right? Like they're not saying that, oh, you know, has to come from the Secretary of defense or the CIO's office, or they're not saying who actually gets to make the call. Discretion. How far down the ladder is it? Is it just a contracting officer gets to decide that? Is it a senior official? Is it, you know, I mean, who is it? Who gets to do this?
A
Now, here's the fun part. Here's the fun part about reading the whole rule. Is that buried in the public comment responses from the DoD, we get a little bit more information about their idea behind the phase rollout. So this is the part that doesn't really get talked about a whole lot. I've pulled a couple lines. I've taken the liberty of taking a couple lines from the preamble to the rule. My favorite. My favorite thing in the world. So people are looking at this as an. In an absolute way, they're saying there will be zero level two self assessments. But to your point, we don't know what discretion means. We don't know what applicability means. At some point in the preamble, the DoD responded to public comments and they said during the first phase of the plan, a majority of CMMC requirements will be for self assessment. A majority. Not all of them. Now, that's great, because the DoD has also said this. They said this at Seek west earlier this year. They've said this many times that they intend for there to be a lot of level two self assessments. They have not said that there will be no level two certification assessments. So just keep that in your back pocket. Right. They're saying the majority will be self assessment. But at this point, it's pretty obvious someone's getting a level two certification assessment. Which is why I'm really harping on this point, because if you're listening to this podcast and I tell you everyone's getting a self assessment, and then you get a solicitation that says you need a certification, then it's my fault for misleading you and I want to be able to sleep at night. So let's look at some more of their comment responses. They say program managers. Okay, so now we know the program managers will have discretion to include CMMC status requirements or rely on existing DFARS clause 7012 requirements in accordance with DoD policy. Okay, so the PMs get to decide. 
We still don't know how they're going to decide or why, but we know who is going to decide. And they go on to say the DoD will monitor the program manager's exercise of discretion to ensure a smooth phase-in period. This is where you should ask yourself why would they need to monitor their exercise of discretion if the policy clearly said that there will be no certification requirements? Right. Like why would you need to monitor something that can't happen? Clearly it can happen. Clearly there is discretion. Clearly there's going to be some reason why they would or wouldn't decide to include a level 2 self or certification assessment. But as of right now, this part of the 32 CFR 170 CMMC program policy does not explicitly prohibit Level 2 certification assessments in the first 12 months. That's going to be very important as we start to talk about the memos. So the question to ask yourself at this point, based off just what's in the rule, if you're going to be working under this mysterious applicable applicability, if you're going to be working on an applicable contract, will your DoD customer exercise its discretion or not? We don't, we don't know. We don't. We don't know.
B
Let's add just a little bit of color to this.
A
Sure.
B
Because we've talked about it a lot. What's written here also does not dictate what your prime can require from you as a sub.
A
Correct.
B
So we're talking about what the CMMC 32 CFR states as requirements issued to the prime, which will then end up flowing down to subs. That's what we're talking about here. So just I want people to in their mind, go ahead and divorce. Like if you're a sub working with a prime, they can require CMMC of you whenever. Now that certifications are allowed.
A
Right.
B
This is specifically highlighting the prime to DoD relationship, a contract award. And again that will end up flowing downstream. But to your point, Jacob, I'm looking at this text. I don't see anywhere where people can pull out. I can only. I only had to self for your.
A
You might, you might be able to self assess, but you also might not be able to self assess. It does not clearly say one way or the other. And so if you're going to make a bet that you're not going to get a certification requirement, you're taking a big risk because you could be wrong. There's no extra information. But let's see what the memo from January says. Maybe it'll help clarify because that's this whole point. So shortly after this rule goes into effect, January rolls along. Happy New Year. And we get a DoD memo. This is a memo to senior Pentagon leadership, the defense agencies and all DoD field activity directors broadcast out to all the decision makers. The subject of the memo: implementing the CMMC program, guidance for determining appropriate CMMC assessment levels and the process for waiving CMMC assessment requirements. We did a whole episode on this back in January. This memo is only like seven pages long. Most of that is fluff at the beginning and nothing at the end. And it's really a quick read. We're going to link to it. It's on DoD procurement toolbox. You should read it because there's not a lot of information in the 32 CFR. So maybe this will tell us. So this memo talks about the importance of cybersecurity and what DFARS 7012 does and the relationship to CMMC and yada, yada, yada. Then they go on and they say upon publication of the Title 48 CFR DFARS rule, the thing we're currently waiting on, program managers and requiring activities shall include the need for CMMC assessments in procurement request and requirement documents in accordance with the phase in timelines described in Title 32 of CFR Section 170.3. That's what we just read. Makes total sense. They're saying the guidance for the phase in period is what we just talked about. They say Attachment one to this memo provides program managers and requiring activities guidance to apply when determining the appropriate CMMC assessment level to include in each DoD solicitation and contract. 
This is great. This is going to tell us how to determine applicability as a pm. Perfect.
B
That's fantastic.
A
They go on to say that there can be waivers authorized by service and component acquisition executives. This is what we've talked about in the past. That guidance is contained in Attachment two. We're not talking about waivers today. We're talking about level determination and applicability. And this is the line that people are overreading in my opinion. They say at the conclusion of the phase in period, program managers and requiring activities will designate a CMMC level for each contract as appropriate according to the attributes of the information that will be processed, stored or transmitted on covered contractor information systems as described in Attachment one. Multiple, multiple, multiple. People have DMed me and I have talked to them in circles and they said that line says at the conclusion of the phase in period there will be self assessments and therefore there will be certification assessments and therefore there will not be certification assessments during phase one. I do not think that is correct. It is true that at the end of the phase in period there will be requirements for level one and level two and level three and certification and self assessment because it'll be fully implemented and will be in phase four, full implementation forever. That does not prohibit the inclusion of certification assessments in phase one anywhere in that line. And that's the thing that I've seen people really hinging on and I, I think that as we dig further into this memo we'll start to see where that falls apart. Any, any thoughts so far here?
B
I'm just like looking at this and I just keep thinking like okay, I get that language right. If you read it for what it is out of context of the 32 CFR at the conclusion of the phase in period and it's like okay, well there's a four phase period. But in that, in the four phases there are requirements of certification even at the level 3 level at DoD discretion and then onward after that. So it's like they're not going, the DoD is a little upset at the DIB, quite honestly. They didn't do the DFAR 7012 thing. The DoD found out in like, in like 2019 they Congress said go do this CMMC thing and make sure it doesn't happen again. And like so that's what, three years end of 2017 plus we're in 2025, eight years. And then they're going to wait another four years. We're wait 12 years since the requirement was basically like had to be done before the DoD is going to require third party certification that you've done it. I just, in my brain I just don't see that being the case.
A
Yeah, and again at this point we still don't have a line that says hey PMs do not put certification requirement for level 2 during the first 12 months. We still have not seen that line to override the open ended policy at 32 CFR 170. But let's look at what attachment one says because remember they said attachment one is going to tell program managers how to determine what's applicable. Which level is applicable to what. So what does attachment 1 say? Attachment 1 says DFARS clause 7012 and FAR clause 52.204-21 establish the requirements for FAR based contracts. Okay, we've got some basic episodes we'll link to if that's news to you. That's what imposes the requirements on you. They say Title 32 of the Code of Federal Regulations Section 170.3, the same section we've been talking about all along, describes a phased implementation plan for the assessment of compliance with these FAR and DFARS requirements under the CMMC program. So hey program managers read attachment one. They have these existing requirements. Section 170.3 talks to you about the phased rollout. We've all read 170.3 and we know it's open ended. They go on to say program managers and requiring activities shall follow the CMMC program implementation phases defined in 32 CFR 170.3, paragraph E. The one that says you can exercise discretion based off of applicable DoD solicitations and contracts. They say upon the publication of the Title 48 DFARS rule, all procurement requests that may result in a contract where the contractor or subcontractor at any tier may have federal contract information or FCI residing or transiting through its information system shall include CMMC Level one. Cool. That's a self assessment. Level one. Easy peasy. One year after publication of the DFARS rule, program managers and requiring activities shall also begin to require CMMC Level 2 certification assessments when appropriate. Two years later in Phase 3, they can start to require CMMC Level 3 certification requirements. 
DoD program managers and requiring activities will use the following CMMC Level Determination Guide to identify the appropriate CMMC level for a given contract. So here it says phase one, you have FCI, you're getting level one. Phase two, you have the appropriate data, you're getting Level two certification. Phase three, you're the applicable type of contractor, you're getting Level three. Still doesn't say anything about exercising discretion and applicability in Phase one, right? Still hasn't said don't do that. It just told us to follow the guidance at 32 CFR 170.3. So they say, here is the data for how to determine a given CMMC level. CMMC level 2 certification is the minimum assessment requirement when the planned contract will require the contractor or subcontractors to process, store or transmit CUI categorized under the National Archives CUI Registry Defense Organizational Index Grouping. This is a group of categories of CUI: Controlled Technical Information, DoD Critical Infrastructure Security Information, Naval Nuclear Propulsion Information, Privileged Safety Information, and Unclassified Controlled Nuclear Information related to defense. If you have those types of data, whether they're given to you or whether they are generated by you under the terms of a contract, the applicable requirement at a minimum for that contract is CMMC Level 2 certification as spelled out in attachment one as guidance to the program managers and according to the language at 32 CFR 170.3, they have the discretion during phase one to include a level two certification requirement. So now the question is: will you be handling this type of data during phase one? And how confident are you that they will not exercise their discretion to require a Level 2 certification for you during that first 12 months? Because we have not seen anywhere in this memo, do not require level two certification during Phase one. 
It's still open ended because all they do is point back to, to the 32 CFR rule that says discretion and applicability. And then you read the memo and they say applicability is determined by the nature of the data. So if you have the data in the first 12 months, how are you feeling? Lucky? Do you want to roll the dice? If you, if you don't know, you have to understand the nature of the risk that you're taking that you won't be required to have a level 2 cert or that you will be allowed to only self assess. And that's a very situational question because different program managers, different programs, different, you know, components, different requiring activities are by definition different.
B
Yep.
A
Anecdotally we have heard from some requiring activities and they said, no, no, no, no, no, you don't understand. Our suppliers put hypersensitive capabilities on satellites. We are going to require that they have a Level 2 certification assessment across the board, period. We're not jacking around with self assessments. We already tried that and it didn't work. And we have the discretion to do it now. We don't have a public source that we can provide you for that. You're just going to have to take our word for it at this point. But this is really, the point is you can read this policy for yourself. People have read it and said there will be no level two certification assessments in Phase one. That's not how I see it. But there's still another memo to talk about. So maybe there's some Easter egg in that memo that's going to clear this all up.
B
I'm just telling you, Jacob, like, listen, nobody actually knows all of the types of data that's flown down. But I just, my gut says probably somewhere around 50 to 60% of all the data generated or in receipt of defense contractors, probably falling into the CTI box, this controlled technical information box. And so when I'm looking at this and I'm thinking, okay, I'm a contracting officer or program manager, doesn't want to lose my job because sensitive data got leaked out because we didn't validate certified primes and then the primes didn't validate their subs, I might be more inclined to slap on a certification requirement at my discretion. Because the memo says this is the most sensitive data that we have.
A
Right.
B
So why not throw that certification requirement on top of it? And don't forget most contracting officers don't actually know what CUI or not. They're really just looking to CYA themselves. So I'm looking at this and I'm like, I don't see a world where, number one, to your point, Jacob, I can derive that I will never get certified as part of phase one, hard stop. And number two, if anything, I feel like it's, I'm becoming more inclined that I will get a certification because they're going to have a little cheat sheet on their desk of certified, not certified. And they're going to look and say, which type of data are we doing? Navy? Oh, we're doing this. Okay, perfect. Certify even during phase one.
A
Yeah. And that's the, that's the question is how confident are you based off what it says in the policy that you can read right now, that you will be gifted 12 months of discretion to only self assessment? And that's the question that only you can answer as the business owner. But just realize that there is no moratorium that we have seen described in policy so far. But let's look at this most recent memo. Maybe there's some information in there that will finally settle the case. Spoiler alert. There isn't. So, July of 2025, another DoD guidance memo that goes out to senior Pentagon leadership, the heads of the defense agencies and the field activity directors. The subject of this one is resources for implementing the CMMC program. And the relevant portion of this memo says 32 CFR 170.3, paragraph E. What do you know? The part of the policy rule from December that talks about the phased rollout, outlines a phased timeline for inclusion of CMMC assessment requirements in DoD procurements and explains that during the first 12 months of implementation, program managers and requiring activities should include CMMC self assessment requirements in applicable solicitations and contracts. There's that word again. The applicable solicitations and contracts. The policy from January says if you got contracts and solicitations with this data, the applicable requirement is Level 2 certification. If you got the other kinds of CUI other than the defense categories of CUI, why the applicable requirement is level 2 self assessment. So that's still not an answer. They go on to say it's important to follow the recommended implementation plan to ensure that industry has reasonable time to demonstrate compliance and become eligible for DoD contracts. Of course, we shouldn't require things that aren't required. I don't think anybody would disagree with that. 
Implementing higher level CMMC assessment requirements ahead of the phased implementation timeline may reduce the pool of qualified contractors able to propose on competitive acquisitions, leading to reduced competition and potentially higher contract prices. Yes, that is true. Right. And then it says attachment one to this memo provides an overview of the phased implementation timeline. And I am not kidding folks. You can find this same image at the bottom of this July memo which we'll link to or on the DoD CIO website about CMMC section right now in. It's literally smart art out of a PowerPoint and it says phased implementation of CMMC requirements phase one begins at the 48 CFR effective date where applicable. There's that word again. Yep. Where applicable solicitations will require level one or level two self assessment. And then there's a call out bar at the bottom of the slide that says in some procurements DoD may implement CMMC requirements in advance of the planned phase. So here we are, almost a year after 32 CFR comes out and they say during phase one, the first 12 months, program managers have discretion to include level two certification for applicable solicitations and contracts. And they even go on to say in that rule we're going to be monitoring the level to which they exercise that discretion so they don't screw this up and require too much too soon. In January they clarify and they say the only time that the minimum requirement is level 2 certification is when you handle these types of data. It doesn't say that you are prohibited from including level 2 certification requirements in phase 1. It says look at the type of data involved in the solicitation. And then you fast forward to July and we get another memo and it just restates the same thing. Read 32 CFR 170.3, paragraph E. And then it says Level 2 self assessment for applicable contracts. Level 2 certification assessment for applicable contracts. 
Read the memo from January to figure out what's applicable. So here we are again. The same situation that we were in in December is that there is no explicit policy anywhere that we can find publicly that says that there will only be level 2 self assessments during the first 12 months of the phase rollout. And despite that, we went to Gold coast, we're on the phone every day, we go to events all the time, we're talking to people everywhere all the time, as much as we can. And there is this common sentiment that the 48 CFR rule is going to come out, it's going to go into effect and trigger the start of phase one. And people will have 12 months to self assess before they're required to get a Level 2 certification. And that is not what I am reading in this guidance. And if I didn't stomp my foot about this, I would feel terrible. If someone who watched this podcast was led to conclude I get an extra 12 months and then they end up losing out on contracts and potentially their business because I wasn't being clear enough about the possibility that you could get the Level 2 certification. Now, does the DoD intend for most people to be able to self assess? Yes. That still means that some people are going to get a level two certification. And if those some people are you, you've got a problem on your hands that you need to prepare for. So we don't know, we don't know exactly what phase one is going to look like. It's going to depend on the customer, it's going to depend on the data. It's going to depend on a lot of variables that you would know based off your specific situation better than anybody else. And that's what should inform your understanding, your now new understanding of the policy. Do you want to take that risk or not? Because business is about taking risk. So if you want to gamble that you're going to be able to self assess and spend that money on implementation somewhere else for that first 12 months, feel free. 
But it isn't because I told you the wrong information. Does that make sense?
B
It does. I mean, again, I'm gonna zoom out for just a second. Going back to the. This is a prime DoD relationship, right? Okay, let's say it is. I'm gonna go crazy. Jacob, let's say it is self-attest for the first full 12 months.
A
Sure.
B
And I haven't started anything like. Okay, well let's see, my implementers, my consultants I was gonna use, they've got a four month backlog. Okay. All right. So then I go and get the environment built out and I'm getting compliant, I'm writing all my compliance documentation. That's another, you know, three or four months. Organizational adoption is the longest pole in the tent. Right. So let's just say I'm eight months from like signing something to like I've got a working environment and I'm, I'm almost through organizational adoption. Well, then I need to plan my C3PAO. Okay, well, there's only four months left before it's going to be a hard requirement for certification and contracts. Do you think their backlog might be a little bit busy at that point?
A
Right.
B
Okay, well then how many months can I miss out on of Defense Revenue at that point? So again, best case scenario, you can fully self attest. We cannot tell you that you should hang your hat on that. You need to make your own decision based on the data in front of you. But here's the thing. How quickly is Lockheed going to get a copy of 48 CFR, take a look at it and say, do you know how long it's going to take us to turn our supply chain to certifications? How many suppliers they got? 20, 30, 40, 50,000 suppliers. Yeah, I mean they're going to start day one shoving this down your throat for certification even. Regardless, in my opinion of what the DoD does, and I do believe the DoD is going to leverage because they hardcoded the language in 32 CFR. Because Jacob, what trumps a memo or 32 CFR?
A
32 CFR. Because the memos say follow the guidance at 32 CFR. Everyone has said follow the guidance at 32 CFR.
B
Discretion, discretion, discretion. And if I know people, people are going to want to put as much safety in the contracts that they are overseeing, period. I mean we see this all the time. So again, make a wise decision. Weigh both what you think the DoD is going to do, but also weigh what you think your prime is going to do.
A
Yeah.
B
And if you have questions about those, please for the love of God, ask them because this is going to impact net new solicitations as part of a requirement of contract award. And the thing that a lot of people are snoozing on contract option years post 48 CFR going into effect. Yeah. That's going to hit you way sooner than a new solicitation that you can somewhat control. Right. In the sense of choosing to bid on it or not. You've got warm bodies sitting on a base somewhere that's dependent on that work.
A
Right.
B
And you might not be able to win it because of the position you put the business in. So yeah, I, there, there is, it's like playing roulette, that, that's really what it comes down to. You got to play business roulette with this. Make an appropriate level decision of risks that you think you can handle. But don't come back to Jacob, don't come back to me and say Summit 7 said I can self attest forever.
A
Now listen, we'd love to help you. We don't sell assessments though. We're not assessors. So I'm not here to convince you that you need to schedule your assessment with us. We just help with the implementation. And you're going to have to implement them whether you get to self assess or you have to certify or not. So it's six of one and half a dozen or the other from our perspective. But I've just heard a lot of people say, I read this memo and it says only self assessment in Phase one. And I'm like, you know, I've read a lot of these things over the last five or six years. A lot of memos, reports, rules, comments, all that stuff. And it's not how I'm reading it. So maybe I'm losing a step, maybe I'm missing something. Let us know. Are we missing a memo? Are we missing a page out of our copy of the memo where it says somewhere there will be no Level 2 certification assessments? Because we will issue a correction and do another podcast episode being like, great news everybody. There aren't going to be any Level 2 certifications in Phase 1, but as of right now, that's not what the policy says. So you got to be careful, one, where you're getting your info from, because that's going to influence the decision that you make. And if you make the wrong decision during phase one, that could be the last decision that you make for that company. And we don't want to see that happen to anybody. So we'll link to all this guidance. You can read it for yourself. Our DMs are always open. We do this podcast all the time. Tune into the hotline on Fridays and ask us questions about it. This is really kind of the big thing that's out there right now is this, you know, will there be self assessments or not? And so we're going to be talking about it a bunch in the future. If there's another memo, like and subscribe, because we're certainly going to do an explanation and posting about it and chopping it up and doing all that stuff. We're still on rule watch.
I don't think there's going to be any information in that 48 CFR final rule that changes any of this guidance because it just implements the guidance from the 32 CFR rule. So I think that these memos are going to be all that we get and it's just going to be a big question mark and then it's a question of how much risk do you want to take? And then we'll go from there. So there you go.
B
Those are on SAM.gov, right? It's like we're just going to wait and see, right?
A
Yeah, exactly. So there you go. Those are the three pieces of guidance. The 32 CFR rule, the January memo, the July memo. Links are below. Give them a read. Let us know. Do you agree? Disagree? Did we read them right? Did we read them wrong? We're interested in all people's opinions and perspectives here. And then we'll see you next week.
B
See y'all.
A
Thanks, everybody.
Episode: Defense Contractors are Betting Their Companies on THIS Assumption About CMMC Phase 1
Host: Summit 7 Team (Jacob, Daniel)
Main Theme:
Examining widespread assumptions among defense contractors that only Level 2 self-assessments—NOT certification assessments—will be required during the first 12 months (“Phase 1”) of the CMMC phased rollout, challenging this belief by reviewing the primary policy sources and discussing what contractors should realistically expect.
The hosts analyze whether Department of Defense (DoD) policy guarantees that only Level 2 self-assessments will be enforced during CMMC Phase 1, or whether discretionary Level 2 certification assessments could be required from the onset. They systematically review the relevant rules, memos, and guidance documents, clarifying the risks contractors take if they bet their company on the wrong interpretation.
"People are looking at this in an absolute way, they're saying there will be zero Level 2 self assessments. But to your point, we don't know what discretion means. We don't know what applicability means."
— Jacob [08:13]
"The DoD is a little upset at the DIB, quite honestly. They didn't do the DFAR 7012 thing...Congress said go do this CMMC thing and make sure it doesn't happen again."
— Daniel [15:59]
"If you're going to make a bet that you're not going to get a certification requirement, you're taking a big risk because you could be wrong."
— Jacob [12:14]
"You gotta play business roulette with this. Make an appropriate level decision of risks that you think you can handle. But don't come back to Jacob, don't come back to me and say Summit 7 said I can self attest forever."
— Daniel [34:02]
"There is no explicit policy anywhere that…says…there will only be Level 2 self assessments during the first 12 months..."
— Jacob [29:45]
Read the rules and memos yourself, don't rely on industry consensus, and make proactive, risk-based business decisions.
All referenced memos and rules are linked in the episode description.
For further questions, the hosts encourage direct outreach or Friday “hotline” participation.