A (3:25)

Yeah, absolutely. All right, so what is a class deviation? What are we talking about here? So, quick refresher, right? A class deviation from acquisition.gov directly here. A class deviation is a formal temporary authorization in federal procurement allowing agencies to bypass, alter or ignore specific federal acquisition regulation, the FAR or agency supplement rules, such as the DFARs for the DoD across multiple contracts, entire classes of contracts. This allows agencies to implement new policies or urgent changes such as cybersecurity requirements or procurement bans, without waiting for the slow formal regulatory rulemaking process to go through. Basically, class deviations, say, use this contract clause language instead of whatever is currently in the FAR or DFARS until further notice. So some quick examples. There are procurement prohibitions in the annual National Defense Authorization act every year, essentially, right? So there are fun things like prohibitions on the acquisition of dinnerware and stainless steel flatware. That's real, folks. You can look it up. Deviation 2026 D O0033. Got to get your silverware from America, everybody. There's also prohibitions on the procurement of foreign made unmanned aircraft systems so you can't buy Chinese drones for certain things in defense contracts. That's 2024 0014. You could also have class deviations as the result of court injunctions that overrule executive orders that resulted in rulemaking that led to contract clauses like increasing minimum wage for federal contractors. You can have class deviations that come from statutes, executive orders, court rulings, and rulemaking itself. So there's lots of things that could trigger different class deviations for all different kinds of stuff.

B (5:31)

Yeah, like when you were saying that, one of the things that I was thinking in my head is it's kind of like a temporary injunction for rulemaking purposes. Right? Like it's like, let's step in. Something needs to be done. A temporary fix here. I do have a question about class deviations when that, you know, emergency temporary injunction needs to be issued. Right. What's the process for that? Like, is it just it goes across the desk, this person signs it, and then it's in play, or is there like a voting that goes on it?

A (5:57)

Yeah, I mean, how the internal process works, I'm not exactly sure. It's a murky bureaucratic process that would change depending on which agency is doing the deviation. It's probably even more bureaucratic if it's happening at the level of the far. But there are lots of deviations for lots of things things. So whatever the process is, it seems to work okay. And in this specific situation, it actually avoided a total crisis. So I can't hate on the process too much because, you know, we've covered this in the past on previous episodes, but this specific class deviation for this specific cyber security contract clause for defense contractors was absolutely the right thing to do. Let's. Let's talk about it real quick. So what is class deviation 2024-O0013? Quick note. Come on, guys. Who. Who puts O's and zeros next to each other? Like, who numbers something with an O and a zero next to each other? Anyways, 2024 O0013 is called safeguarding Covered Defense Information and Cyber Incident Reporting. Hey, that's the title of DFARS clause 7012. So the DoD in this class deviation specifically says the deviation clause requires contractors who are subject to 252-204-7012 to comply with NIST SP 800 171, Revision 2 instead of the version of NIST SP 800171 in effect, the time the solicitation is issued or is authorized by the Contracting Officer, this class deviation tells contracting officers to use this text in lieu of the text that is codified in the DFARS at clause 252-204-7012 that's been on the books since 2016. The class deviation says use the following clause in lieu of clause 7012, and if you scroll down, it's all identical except for paragraph B2I. And it says the covered Contractor Information System shall be subject to the security requirements. And in NIST Special Publication 800 171, Revision 2, if you go to DFARS 7012, which is still at DFARS, it hasn't been deleted, it hasn't been edited, it's still in the DFARs because rulemaking hasn't changed it. The class deviations are stored somewhere else. The original text that's been there since 2016 says that the covered Contractor information system shall be subject to the security requirements in this special publication 800171 in effect at the time the solicitation is issued, or as authorized by the Contracting Officer. So if they had never issued a deviation, whatever the most current version of 800171 is at the time you get a contract solicitation, you have to implement whatever the most current version is. Rev 2, rev 3, rev 8, rev 11 and they don't have to go through and update the text of this contract clause. This is great. We have saved ourselves a bunch of bureaucratic work by just leaving that variable empty and you just comply with whatever the most current standard is. Quick note at the bottom of the class deviation says this class deviation remains in effect until it is rescinded. We're going to talk about more on that note here in a minute. But that's what the class deviation says. Existing pause from a year 10 years ago. Do whatever version is the most current one. They issued a deviation. They said you're just doing revision two until further notice.

B (9:32)

So I'm going to ask the question that probably the entire audience is asking right now is that, you know, one thing that you had mentioned previously is that this was absolutely the right thing to do and the right time to do it. And then they emphasize heavily the needs to use Rev 2 over Rev 3, the immediate future. Why was this class deviation issued? What is the. What is the point behind it? Why was it such a a pressing priority at the time? Like it was just in time, right?

A (10:00)

So 171Rev3 goes into effect as the most current version in May of 2024. This class deviation goes into effect in May of 2024. So without this class deviation, defense contractors would have needed to implement 800-171-REVISION 3 starting in May of 2024. We all would have been on Rev 3 for two years now. But back when the DoD was writing the 2016 rule to revise DFARS 7012, things were a lot looser in terms of the government's requirements for including specific cost and impact estimates. So they didn't bother specifying the revision. It made it a lot easier for them to just say do whatever the most current version is. However, when they were going through CMMC rulemaking, remember this is circa 2021 and onward, things were not so easy it was a lot more strict and the government was required to include specific cost and time and impact estimates. So they had to point to a specific revision of 171 in order to calculate how long will an assessment take. Which version of 171 are you assessing? You have to specify a version in order to estimate how long it will take to assess against it. Right. At the time they were doing that during rulemaking, 171 Rev 2 was the current version. 171 Rev 3 wasn't final and it wasn't into effect. So while the CMC rules being written, they were on Rev 2. So if the DoD had failed to issue this deviation, then contractors would have needed to implement 171 Rev 3 to comply with DFARS clause 7012 only to be assessed against 171 Rev 2 via CMMC to prove that they had complied with DFARS 7012. And so we had this big gap. So they needed to issue this deviation to say CMMC and 7012 are on the same revision because the language in 7012 doesn't specify a revision and there wasn't enough time to go through rulemaking to change DFAR7012. Thus it was an emergency. Therefore, the DoD issues a class deviation to cover the gap until it is rescinded. So do 171 Rev 2 until further notice.

B (12:28)

So basically because Rev 3 wasn't fully complete as rulemaking goes, because rulemaking is such a long arduous process, right?

A (12:35)

Correct.

B (12:35)

You can't write to something that doesn't exist for something that is going to go final. And so you have to do it with whatever you have at the time. That's what they had at the time. And now that's why we have this temporary injunction or this stop gap right in between getting it from the days of lore to days of future, which

A (12:52)

would be we, I mean, we did it, we did content for a year on the drafts of 171Rev3 and how they changed and how they were different and this and that. There was no way for the DoD to be able to accurately estimate anything against Rev3 until it was finished. And it wasn't finished until CMMC rulemaking was almost finished. So they didn't have the math to include. So all this is in effect until the class deviation is rescinded. So when will they rescind the class deviation? When it's rescinded, you have to do Rev 3. When will that be? Not until after the next round of CMMC rulemaking, right? So all the DoD has to do is either rescind the class deviation or replace it with another one that says now you implement 171Rev3 until further notice. But they won't do that until CMMC catches up. And CMMC, in order to do that requires the full rulemaking process, which they're currently going through. So the rumor is is that the CMMC 3.0 rule, the revision 232 CFR 170, is ready to go. They've been working on it for a while. They started it as soon as CMMC 2.0 rulemaking was done and it's sitting on the CIO's desk just waiting to go through the remainder of the process. But it as everybody who's ever watched this show knows, this is a very difficult to analyze process. There's just not a lot of public information. So that's basically the only thing we know at this point. However, DoD has already published the organizationally defined values known as ODVs that correspond to the variables known as Organizationally defined parameters ODPs in 171 Rev 3. Those will be included in upcoming CMMC rulemaking. You can find these on the DOD CAO's CMMC website. We'll link them below. So all the pieces are in place. We know what's going to be in the rule, we know what's in Rev3. We know what the ODVs are for Rev3. So that's what they're going to put through the rulemaking process. A lot of people are future proofing their current 171Rev2 implementations by using those values or doing bridge projects to meet 171Rev3. One thing to note, however, after the rulemaking is complete and they can rescind that class deviation or replace it, the assessment ecosystem has to catch up to 171 Rev3. Now, if you remember back to CMMC rulemaking in 2024, that didn't take very long, right? It didn't take very long for the ecosystem to catch up to the specifics of the rule. It only took a couple months. And isaca, which is now in charge of assessor training and all those sorts of things, has already said that soon they're going to begin training against 171Rev3. So there won't be a humongous gap after CMC rulemaking is done for them to catch up to 171 Rev3, especially if the training ecosystem is already ready to go. But it's something to keep in mind.

B (16:00)

Yeah. I think that timeline for that training rollout is like Q4 of 2026 with testing.

A (16:05)

Right.

B (16:05)

And if we remember when rulemaking went final and all the trained professionals in the ecosystem had to make up for it, it was just a delta training that took, you know, a couple hours, maybe a day at max, and then you were up the snuff. That delta training only covered things that were codified within the rule that changed the way that you effectively had to perform the program. So what you could see is full ecosystem trained up and then just a delta training to cover all the new things that are codified within the rule. I do have a question for you with regards to the resending of the class deviation, Jacob. Would it be a case where you could foresee, and I'm just asking your opinion here, the class deviation gets rescinded, Obviously there's something issued or there's a class deviation says that you have to implement NIST 871 revision 3. Would you envision that it would be like starting now or like starting this date, kind of like we had with 7019 implementation in the assessment results?

A (16:57)

Yeah, I think. Yeah. I mean, they could issue a class deviation that says, you know, you have to implement 171Rev3 by a certain date. But I don't think they're going to say that. I think they'll just say, hey, this class deviation is rescinded. Now new solicitations say comply with Rev 3. I don't know if there will be any kind of gap on the solicitation side for what's going on. So as rulemaking for CMC 3.0 gets to a lot of the major public milestones and we will make sure to tell everybody when that happens. Know that that's when the countdown starts to really start clicking away for being prepared for. For 171 rev3 because we won't know how the class deviation will be handled. Those are handled by a different team inside DoD than the CMMC Program office. And the team that handles the class deviation doesn't get out much. So we won't know. We won't know what their plan is, if there even is one. And because DFAR7012 is not CMMC and it belongs to a different team than the CMMC team, they're not going to answer questions about it during rulemaking because it's not relevant to the CMC program. Another fun way that rulemaking plays out. So we won't know exactly. We'll do Our best guess. But I would plan, worst case, that you wake up one day, they rescind the deviation, they put in a new one and they say, bob's your uncle now you got to do Rev3 whenever you get a new solicitation.

B (18:23)

Yeah. Wasn't it. I mean, so with the SPRs submission, where you had to go December 31, 2017, whatever it was.

A (18:28)

Right.

B (18:29)

That was like September. It was issued. It was issued at the end of the, the federal calendar year. Right. Or the government calendar year.

A (18:37)

Yeah. There's no real like date time for when these deviations happen. They can happen whenever.

B (18:42)

So.

A (18:43)

Yeah, but it'll be, it'll be.

B (18:45)

I was just saying with the, the, the, the time frame.

A (18:48)

Right.

B (18:48)

Like that, that lead time that you get from the notification that has to happen. The notification that does happen. I'm just trying to speculate there.

A (18:54)

Yeah. As of right now, you know, the soonest I could see it, based on what we currently know, end of 2026, you have to go through and have CMMC 3.0 rulemaking done in effect. At that point, they'll rescind the class deviation, which then points to Rev 3. There could be a little bit of a grace period. There may not be a little bit of a grace period. I don't think the training ecosystem will be much of an X factor from there. So just to wrap it up in terms of what's going on, defense contractors required to implement 171rev3 when the class deviation for DFARS 7012 is rescinded and or replaced. That happens after the DoD completes the next round of CMMC rulemaking, which we don't expect to happen until the end of 2026 based off what we currently know, like we said, may or may not be a grace period. We don't think the training ecosystem represents a massive X factor or delay in that process because of the way that ISAC is taking care of stuff and because DoD has published 171 rev3 values way, way, way ahead of time to enable that training. So there you go. That's when we expect that contractors will need to comply with 171Rev3. When that happens is hard to predict. At least you know what the major things are that need to happen on that timeline.

B (20:13)

Yeah. The things that need to happen for you to be like, oh, this needs to be on my radar again, like immediate.

A (20:18)

Yeah. Once we see movement of the CMMC 3.0 rule, then we'll be able to really kind of zero in. Cool. Closer on what that. What that weather forecast is, but as of right now, it's pretty. Pretty far out there on the horizon. Still something to be aware of, but that's what we know at this point. And there you go. You guys know we love talking about rulemaking, so the second we know something about rulemaking, we'll be all over it. So if you aren't liked, if you haven't liked, if you haven't subscribed, you haven't told your friends, and they want to know about rulemaking, this is the place to be. And we'll see you next week.

B (20:48)

See you next week, Sam.