A
All right, folks, it is December of 2025. It's almost the end of the year, which is so crazy because I remember back in January when things were. There were memos and FedRAMP equivalency and all this craziness. Anyways, it's the end of the year. Show goes on. Since the 48 CFR CMMC final rule was published in September of 2025, we have seen supplier notices, supplier letters, webinars from Lockheed, RTX, BAE, HII, ABCDEFG, you name it. All the Primes are putting out supplier notices telling people that CMMC is here and it is now officially a real problem. Most recently, Northrop Grumman published a supplier announcement titled CMMC 2.0 is final. Are you ready? The bottom line, ain't nobody getting a waiver for CMMC. And this week we're going to talk about why.
B
It's very heartening to see now that somebody needs to take leadership. The people that are kind of in charge of all the contracts are stepping up and saying, hey, are you aware of this thing taking some sort of leadership? What's going on with your CMMC progress? I just don't know if the people that they're taking leadership over are prepared for what's coming to them.
A
Yeah, yeah. Generally, anecdotally, it seems like most of the DIB is not ready, but I think that we have definitely seen a big uptick in inquiries around CMMC thanks to the Primes letters more than any of the rulemaking milestones. That's the way it works. That's totally fine. Let's get into the letter.
B
And, and as they say, when big Alphabet gets involved, everybody needs to pay attention. Right. Like same thing when it comes to contracting.
A
Absolutely. Final rule comes out, goes into effect. You know, crickets. Lockheed sends a letter, everybody, you know, scrambles. So anyways, first things first, if your prime needs CMMC, you need CMMC. So directly from the 32 CFR program rule, 32 CFR 170, if you Google it, that went into effect a year ago, December of 2024, as Northrop points out in their letter, specifically section 170.23, Application to Subcontractors. If a subcontractor will process, store or transmit CUI in performance of the subcontract and the associated prime contract has a requirement for a CMMC Status of Level 2 C3PAO, which means you had to go out and hire a third party to conduct your assessments, then the status of CMMC Level 2 C3PAO is the minimum requirement for the subcontractor. So the easiest way to answer the question of whether you will need CMMC Level 2 C3PAO status and whether you will have to go out and hire a third party to conduct your assessment is if your prime customer requires CMMC Level 2 C3PAO status. And if your prime customer is Lockheed, BAE, HII, Northrop, ABCDEFG, the answer is yes, they will need CMMC Level 2 C3PAO, because they are certainly going to handle at least once some level of CUI that requires that level of assurance. That's kind of the end of the story for that one.
B
Yeah. There's been absolutely no way to dodge it. It just seems that even if you are on one contract in which maybe you get this glimmer of hope where you're not going to need the C3PAO every other contract that you're on, the likelihood is that small, minuscule probability that's not going to happen.
A
Yeah, absolutely. So, moving on through the announcement, your prime can't waive your CMMC requirements. So if they require it, you require it. If you require it, they can't waive it. So from the Northrop letter, neither contracting officers nor prime contractors may waive or deviate from the CMMC Cybersecurity Control and Assessment requirements, directly from the 32 CFR program rule that's been in effect for a year now, section 170.5 Policy. In very limited circumstances and in accordance with all applicable policies, procedures and requirements, a service acquisition executive or component acquisition executive in the DoD may elect to waive inclusion of CMMC program requirements in a solicitation or contract. In such cases, contractors and subcontractors will remain obligated to comply with all applicable cybersecurity and information security requirements. They're talking about FAR clause 52.204-21 and DFARS clauses 252.204-7012 and 7020. We recently wrapped up our Back to Basics series where we walk through the text of all those clauses. If somehow there is a waiver for CMMC, you still have the obligations under those FAR and DFARS clauses to implement cybersecurity. So don't make the common mistake of conflating the CMMC Assessment program with the requirements that are still in your contract.
B
There's nothing to really be said about this, Jacob. It is just carrying out what has to be done as per the rules. And it's a prime contractor who we've said Multiple times the DoD doesn't have any necessarily grip on exactly how they're going to patrol their supply chain. And this is them telling you that we're carrying out the, the letter of the law to the exact letter, right?
A
Yeah, exactly. And so there are two CMMC rules, as we all know. There's one program implemented by two rules. So we had the 32 rule a year ago. It gets implemented in contracts with the 48 CFR rule. That's the actual text of the contract clauses, that takes that permanent program policy and converts it into contract clause language that just went into effect in November, November 10th of 2010. And so they describe the waiver process. They say, first of all, that's the 32 rule. And that was a year ago. But in the preamble to that 48 CFR rule, they say waivers are at the discretion of the program office or requiring activity. And they are determined prior to, which we're going to talk about later, prior to the Contracting Officer's involvement in the procurement. This is why Northrop's letter says we, the prime and the Contracting Officer don't control the waivers. It happens before they're involved.
B
I mean, so basically this is them telling their, their supply chain, hey, I know that you may think that this may not apply to you or you don't want this to apply to you, but we don't control whether it applies.
A
To you or not.
B
If it's being told to us from above that we have to carry this out, right?
A
If it applies to them, it applies to you. And if it applies to them and it applies to you, they can't waive it for you, so it applies to you.
B
So this is kind of more like, hey, don't come at us like we're just doing what we're told to do, right?
A
They're just, they're just following orders, if you will. So, so moving on, another reminder about waivers. They are for entire contracts, not for individual contractors. So I've been meming it up on LinkedIn this week, talking about this Northrop letter and somebody asked the question. They said, well, okay, it's, it's a pre-solicitation process and you got to request a waiver. How many organizations do you think are going to get waivers? And I'm like, no, no, no, you don't understand. Organizations don't get waivers. The entire contract is waived of the requirements. So from a memo that was released in January of 2025, which we've done previous episodes on, we'll link it below. This was after the 32 CFR program rule came out. A bunch of the undersecretaries of Defense took that guidance, wrote a memo to the acquisition workforce, and part of that memo is called Implementing the CMMC Program: Process for Waiving CMMC Assessment Requirements. And in that memo it says program managers or requiring activities may request service acquisition executive or component acquisition executive approval to waive CMMC assessment requirements. That's what the rule says. All CMMC waiver requests must be coordinated through the component's Chief Information Officer prior to the service or component acquisition executive approval. The waivers may be requested and approved for an individual procurement or an entire class of procurements. The waivers will only impact whether CMMC assessments will be included in solicitation documents, not the actual DFARS and FAR cybersecurity requirements that are in there. So there's a whole, like, maze of bureaucracy that has to happen before the solicitation ever goes out. So the program office has to coordinate with their service CIO, which reports to the DoD CIO. And as we know, the DoD CIO is what runs the CMMC program. So they're probably not super eager to waive the requirements. 
If you get past that hurdle, then it goes up to a service or component acquisition executive who makes a decision. Am I going to remove the CMMC assessment requirement for every contractor and subcontractor underneath this contract?
B
So you're telling me if the waiver were to be granted to the entirety of a contract, it would have to go through two layers of somebody deciding that this doesn't have to be there. At least.
A
At least. Yeah, at least. And remember, this is, you know, who's not included in that chain of events. Northrop. Which is why their letter says we don't grant the waivers. That's a process that happens before we ever touch this. So, and then from your.
B
From what? You know, like those two people that would have to say, hey, let's remove this. Those would be the same two people that would make the decision whether to include it, right? Like, yeah. So like, they may have already come to the decision that we want to include this. And then somebody says, hey, can you double check this? And they're like, no, we already reviewed it. Right?
A
Yeah. Like we talked about in our 48 CFR CMMC Rule webinar, the contracting officer just fills in the blank of the contract clause that says you require X, Y, Z CMMC level. They're told by the program office what that level is going to be. They don't decide the level. So the program office has to say it needs a waiver. They got to go to the component CIO that needs a waiver. They're almost certainly going to ask the DoD CIO. Then it has to go to a component or a service level acquisition executive. As we have talked to many former contracting officers on this podcast and at various conferences like CS2 in the past, it's not something that contracting officers or program managers are eager to do. They're not eager to go knock on the door of the big boss and say, I need an exception.
B
I don't think it sounds like something that regularly happens either.
A
No, you're not getting a waiver. Right. So in, in this, in this memo. In this memo, they go on to say CMMC Level 1, no waivers. CMMC Level 2 self-assessment, a lot of people are breathing a sigh of relief at the idea that they might get a self-assessment. First of all, those will be less and less common as time goes on. But there's also no waivers for CMMC Level 2 self-assessment, which is very interesting. You might be able to get a waiver for CMMC Level 2 C3PAO assessments. But as the memo says, these will, quote, be rare. They are not for cleared defense contractors. And approved waivers on a class basis, so for an entire class of procurements, must include a planned expiration date. So these are temporary. And guidance for requiring CMMC certification in subsequent solicitations. So it's only the first round of awards that goes out. In all such cases, as the memo says, the solicitation must include a requirement to submit alternate protection plans for securing FCI and CUI, and the alternate protection plans must be evaluated as part of the selection process. This is exactly like POA&Ms, right? This is exactly like plans of action and milestones. They do technically exist in CMMC, but not really. Waivers do technically exist, but you're not getting one.
B
Is there a case where a waiver would come, like post solicitation, like, like stringent circumstances?
A
Yeah. So, you know, we'd have to wait and see if this happens. So if they make the decision that there's a requirement and it goes out in the solicitation, and then it does turn out that there aren't enough companies who can meet that requirement, then they have to reissue the solicitation with that requirement waived. We haven't seen that happen yet. I'm sure it's going to happen at least once, but, yeah, that could happen afterwards.
B
But the inclusion of the requirements in the solicitation is an evaluation of risk.
A
On the DoD's part, correct?
B
What if the evaluation of the risk of that solicitation, which they say we need to retract those requirements from, is outside the appetite of the DoD, then.
A
They don't retract the requirement and it stays in the solicitation, it's condition of.
B
Contract award, and just there's just not enough people to meet it. It's just whoever gets to meet it or.
A
Well, this is the thing is the number of people who you need to qualify to bid on the contract is a pretty small number, right? They don't need 900 companies to submit bids. They need like nine companies to have a minimum number of bids to review to pick who to award to. So you don't need that many companies to compete for a solicitation for the DoD to say, we have enough companies to compete for the solicitation.
B
So for the sake of inclusion or for the sake of breaking down barriers or walls of inclusion into the contracting base, you're saying that the DoD is not going to adjust their risk appetite?
A
Well, this is the thing is, when we talk about DoD's risk appetite, what ends up happening is people talk about the DoD as if it's one giant entity, right? Risk appetites are going to be different from program manager to program manager, component to component, activity to activity. You know, service to service, program to program. It's going to, it's going to vary widely. We've heard, and for the subcontractors listening, this is going to vary from prime to prime, purchaser to purchaser. Right? So it's too difficult to predict broadly what the DoD is going to do versus what is going to happen with an individual circumstance. Which is why we tell everybody the best thing you can do is talk to your customer. Because unless your customer has reached out to you and say, hey, we got it, don't worry about it, we got resources, we got time, we got waivers, we got this, we're going to hook you up. You need to be really worried if you're hoping for those things and you haven't heard about them yet.
B
Yeah, my bad to derail, but that question was stuck here.
A
Yeah. So moving on here, a reminder, right? Waivers are a pre-solicitation process. So from the 32 CFR rule, section 170.3 Applicability, application of CMMC program requirements to a procurement or class of procurements may be waived in advance of the solicitation at the discretion of the DoD in accordance with all the relevant policies and procedures. From the 32 CFR Final Rule preamble, once applicable to a solicitation, there is no process for organizations to seek waivers of CMMC requirements from the DoD CIO. A lot of people are out there and they have been saying, we don't think that this is a real issue. We don't think that this is a real requirement. We're not going to start working on CMMC until we see it in a solicitation. Once you see it in a solicitation, it has been determined there will be enough companies to meet the requirement that there aren't going to be waivers for that contract. So if you are hoping that you'll see it in the solicitation and then get special exceptions, you are too late. So if you're waiting until you see CMMC in a solicitation to consider it a real requirement, you're just burning time.
B
And that's not just for the implementation part of it, right? Like the implementation part of it. It's completely impossible. But let's just say naively they are thinking that we aren't going to do anything towards the actual CMMC stuff, which is the C3PAO evaluation. Right? We aren't going to pursue that until we see it in a solicitation. Even then, it's not enough time.
A
Well, this is the thing, right? What people are really saying is we're not going to get started on complying with DFARS 7012 requirements until we know that there's going to be a third party assessment.
B
That's why I threw the naive in there, right? Like naive. I'd like to think like 25% of those people are like, look man, we're just not going to come.
A
That's what they're really saying. However, like the memo and the rules say, even if there is a waiver for a CMMC assessment requirement, DFARS 7012 still applies to you. Right? So waiting to see if the third party assessment requirement is going to be there to get started on the thing that they are verifying is honestly the reason why CMMC is a program in the first place.
B
And as we just talked about last week on the show, that 7012 requirement still exists and DIBCAC will come knocking for whenever, no matter what, DOJ.
A
Issues, you got all kinds of other issues to to worry about. Absolutely. All right, so just wrapping up here, all of this is a condition of contract awards. So from Northrop's letter, contracting officers may not award contracts to non compliant contractors and prime contractors may not award purchase orders to non compliant subcontractors. And then they nicely say, we encourage you to proactively prepare to comply with this future contractual requirement. Understatement of the decade, Northrop.
B
That's like nudge.
A
Encourage you to proactively prepare. Yeah, you should be proactively preparing.
B
That's like when your parents say, like, I suggest that you do this, or I see, you know, like, I would.
A
Strongly suggest you clean your room. Yeah.
B
You strongly advise against you doing that.
A
You're out. Yeah, you're. You're. Your suit would look a lot better with a tie. That means put a tie on. Right? Yeah. So. So last idea here. So why are they making this announcement now? Right, why is Northrop. Why are all these supplier announcements coming out? We knew this was coming. We know what the requirements are. Like, it's been the simplest thing to predict because we've been doing it for a couple years now. As Northrop says at the bottom of their letter, starting on November 10, 2025, contracting officers may add the DFARS clauses to solicitations and contracts with immediate compliance requirements. We are in the phased rollout. We are in phase one of CMMC as it is going into contracts since November 10th. It's free game. Which means as Northrop starts to see solicitations and opportunities that they work on, which they work on those opportunities for months and months, sometimes years, before those solicitations start to come together, they're going to know ahead of time, we need suppliers who need it, which is why they're sending out the letters now, encouraging you to proactively prepare to comply.
B
Which is a great defense against those people that are saying, I'll wait until I see CMMC in a solicitation. Because now you're seeing a prime contractor saying, we nudge, nudge, encourage you to get on top of this.
A
And the rules are done. The rules are in effect. Phased rollout is in effect. The primes have sent out the letters. We're seeing. SAM.gov immediate compliance requirement.
B
Sticks out in that whole statement, right?
A
Yeah.
B
Like, we're not.
A
We're not taking the slow rule at this point. What else do you need to know besides getting the knock on your door? And at that point, like, we're talking about, you've just wasted a bunch of time that you could have been using to get ready. So take Northrop's advice and proactively prepare to comply and then take our advice, like, and subscribe. And then we'll see you next week.
B
See you next week.
Sam.
Host: Summit 7
Date: December 4, 2025
This episode tackles the critical misconception in the defense contracting community that "Prime contractors can waive CMMC requirements for subcontractors." With the CMMC 2.0 final rule now firmly in effect, Summit 7's hosts break down the latest supplier notices—particularly Northrop Grumman's clear messaging—why nobody is getting a waiver, how the CMMC waiver process actually works, and what it means for contractors in the Defense Industrial Base (DIB). The hosts also emphasize the urgency for all suppliers to take proactive steps toward compliance, dispelling persistent myths and clarifying how CMMC is enforced contractually.
The hosts emphasize urgency laced with realism, directness, and a bit of humor: