A
All right folks, here we are. It is September of 2025 and we are at the end of our Back to Basics series on the DFARS clauses and provisions that make up defense contractor cyber security obligations. And here we are, the crown jewel, the boogeyman that everybody has been waiting on: DFARS clause 252.204-7021. And honestly, man, outside of Summit 7 live in Denver, I don't think we've ever actually done a podcast together in the same spot in this studio at the same time.
B
Yeah, I don't think that it was going to ever happen. Yeah, Predator high five. We're here. We're actually in the flesh together. But yeah, it's, it's weird to think, Jacob, that like we've been doing this for three years and aside from one when we first started in Colorado, that it's taken us this long to get here. But it's kind of fitting too. It's like a culmination. We're talking about the last there you go clause in the series that brought it all together.
A
There you go. Absolutely. Yeah. We had 90 of the videos on the YouTube channel or the podcast and we've never actually been in the same spot at the same time. But anyways, today we're talking about the big one, the CMMC clause itself. We just did the episode on the provision that makes you aware of the CMMC clause, the provision being 252.204-7025, and today we're going to get into 7021. So at a very high level you can think of this clause in two parts: the instructions for the contracting officers, the KOs as they're called, and the requirements for contractors themselves, the clause and the provision. And so today we are going to talk about the KO side of the clause and we'll do a separate episode on the actual contractor requirements. It's important to know both because they're going to dictate what your requirements are. But if you only ever see the solicitation provision and the contract clause, you won't actually see the instructions that the contracting officers have to abide by. So we're going to do a two-part episode on clause 7021 and that's what we're going to talk about today.
B
Yeah, there's a lot of situations where I think that there is animosity towards the clauses because there's not this understanding of why it appears there. It's just why are you doing this to me? Or why is this happening to my organization? We don't have CY or whatever it may be, but there's a prescribed checklist and there's things that the contracting officers must follow before they include it in the contracts.
A
Yep, absolutely. We've talked about this throughout the series. The DFARS and the FAR. The vast majority of the language in those acquisition regulations is not for you, the contractor, only. The language in the solicitation provisions and the contract clauses that you read in your paperwork is the part that you actually see. The rest of the acquisition regulations are guidance, instructions, policies, things like that that the Contracting Officers have to abide by. So let's get into it and you'll understand what I'm saying.
B
Are there definitions?
A
There are. Just like everything, there are going to be definitions. You can't go anywhere without your definitions in this world. But yeah, so we'll get into it. We'll get into the KO side, the contracting officer side of DFARS clause 252.204-7021. Okay, so this starts off with sections in the DFARS. So it isn't a clause, 252.204 blah blah blah. They're going to be numbered 204.75-something. So at the very top we've got 204.7500, DFARS 204.7500. This explains the scope of this subpart of the DFARS. And this tells contracting officers that this subpart of the DFARS prescribes policies and procedures for including the CMMC level requirements in DoD contracts, and that CMMC is a framework for assessing a contractor's information security protections. And if you want to know more, this is actually what it tells the Contracting Officers: you should see 32 CFR Part 170, which is the overall CMMC program policy that got codified and went into effect in December of 2024. The important thing to know here, as they're explaining to the Contracting Officer, is that the relationship between everything in 204.7500 and everything else in the 48 CFR final rule is implementing Title 32 CMMC policy. It's not creating anything, it's not changing anything. It's not revising anything. It's just distilling that policy down into guidance for the contracting officers and requirements for the contractors.
B
Yeah, it's crazy to think how many times throughout the 48 CFR rule, throughout the provisions and the clauses, they're just like "see 32 CFR," because we're just carrying out the mission that is established by the Programmatic Rule.
A
Yeah, absolutely. So we did a whole webinar on the 32 CFR rule back in January of 2025. If you want to go into more details about what it says and you don't want to read it for yourself, then you can check that out. We got it available, and you can register for it for free. The thing to know here is that if you read through this part of the rule, it will link to what we could consider the most important, the most relevant parts of the overall 32 CFR CMMC policy. And so they append the different sections, like for flow down and for POA&Ms and for this and that, as we walk through the language in the clause. So next you've got DFARS 204.7501. So under this subpart, we've got definitions. So we always have definitions at the top. Anytime we're talking about clauses or DFARS acquisition guidance, the definitions are always important to know. So make sure that you understand them and study them. But like always, we'll just talk about them as they pop up when we're reading through the clause. That way we're not just reading definitions at you.
B
Yeah, I mean, that makes sense. It's the best way to do it because they're explaining it throughout the clause anyway.
A
Yeah, absolutely. So they put them up at the top. Like, for instance, when we did the episode on DFARS provision 7025, they say there are definitions in this provision, but you got to go find them over in the clause. We've seen this happen with DFARS 7008 and 7012. Sometimes a definition will be in a provision or a clause, and they'll point back to each other. So just make sure that you're keeping up with the definitions. They are very, very important. Okay, so outside of the scope of the subpart and the definitions, there are three sections. Literally, they are called DFARS sections, sections under this subpart that have explicit requirements for the Contracting Officer to follow. So we've got a policy section, a procedure section, and then guidance on when to use the 7021 clause and the 7025 provision. So first we'll talk about 204.7502, the policy around this CMMC program and clause for the Contracting Officer. So the first part is paragraph (a), award eligibility, and it says the Contracting Officer shall. So anytime you see the word "shall" in a contract, especially a government contract, a defense contract, it means it's a requirement, like, you will do this.
B
It's just like a polite way of saying, you have to do that.
A
You must do this. You must do this. You will do this if you know.
B
What's good for you.
A
Exactly. Yeah. Like you shall do this. So "shall" is a requirement. So this says, under award eligibility, the Contracting Officer shall include in the solicitation the required CMMC level if provided by the Program Office or requiring activity. So the Contracting Officer is the one that inserts this language into your contract clause, but the Contracting Officer is not the one that decides that it's supposed to be there. The program manager, the program office, the requiring activity, the DoD component, whatever that is on the other side of the Contracting Officer, they tell the Contracting Officer, this will include this level of data, this type of data, and that will require this level of CMMC status for the contractors who are handling the data. And then they take that information and they fill in the blank on the CMMC clause itself. So they say that if the Program Office tells you that there is a required CMMC level, you will put that level into the solicitation off the bat. Yep. Pretty clear.
B
It's not saying they're giving them justification for putting that level in there. They're saying, this is what the people that are in charge of this program are saying. The protections that we want on this contract are.
A
Yeah. Now, if the Program Office doesn't tell you that, then you don't include it in the solicitation and the clause. Now, that's a big question mark because the contractor that's downstream from all this isn't privy to those conversations.
B
And so the Contracting officer, how many scenarios do you think you would run into where the Contracting Officer pushes back to the Program Office and is like, yeah, I don't think we should include that.
A
Oh, I have no... Probably a non-zero amount, probably not a lot. And it's certainly not something I would bank a strategy on.
B
No, not at all. That's. I think that's kind of what I was getting at is that like, it's not like your KO is going to be defending you saying, hold up, slim. I don't know if we want to defend it this much.
A
Right, right. Okay. So they're very clear off the top that you're going to insert the requirement into the solicitation if you are told that there is a requirement for a CMMC level. So moving on. They say contracting officers shall not. They will do the first thing. They will not award a contract, task order or delivery order to an offeror that does not have a current CMMC status at the CMMC level required by the solicitation. So I, the contracting officer, get told by the program manager, this work will require this CMMC level. I will put that level into the solicitation and I will not award the contract to somebody who doesn't meet that level. Pretty black and white. Pretty black and white. So what is a CMMC status? Right. What is a CMMC status? So first definition here. The CMMC status is the result of meeting or exceeding the minimum required score for the corresponding assessment. So there are three levels in the CMMC model. But your status could be a level one self assessment, which would be a final status. There are no open findings allowed at level one. There are no POA&Ms allowed at level one. So you have final level one self status. You can have a conditional level two self status or a final level two self status. The difference being conditional means you have open items on your POA&M that need to be remediated. Final means all of your requirements have been fully implemented. You can have a conditional or a final status via C3PAO. So if you had the requirement that you had to hire a C3PAO for a third party CMMC assessment, you can have final or conditional status. You can also have final or conditional status at level three. Those are always going to be third party assessments. Those are going to be conducted by DoD's auditing team known as DIBCAC. So you got three levels, but you got seven different statuses that could result.
The solicitation provision could say you need a final level 2 self assessment status, or you need a final level 1 status, or you need a final level 3 DIBCAC status. And here it's saying that the contracting officers will not award this contract or delivery order if you don't meet what is prescribed in the solicitation above.
B
Yeah. And then for those conditional statuses, Jacob, it's important to note that there are predefined controls in which you're allowed to enter that conditional status with. Those are listed in the assessment guide, those are listed in the rule, etc.
A
Yeah, absolutely. And they'll talk about it at the bottom where they're saying, hey, you are allowed to receive, you know, win the contract award if you have a conditional status. But there's policy around when you got to close that out. So we'll get to that down at the bottom there. So the last part here, under award eligibility, contractors are required to achieve at time of award a CMMC status at the CMMC level specified in the solicitation or higher for all information systems used in performance of the contract, task order or delivery order that will store, process or transmit FCI or CUI. That's pretty standard, pretty standard concept. They say that contractors are required to maintain a current CMMC status at the specified CMMC level or higher if required by the contract, task order or delivery order throughout the life of the contract or the order. So a current status is one that's less than three years old. Right. Because your status will expire after three years. The definition actually goes into quite a bit of detail for all of the seven different possible statuses. But the rule of thumb is your status is valid for three years, so you have to maintain a current status for the life of your contract. So if you got your status two years ago and you got a year left and your period of performance is like three or four years, then you got to make sure you keep that status valid the entire time so it won't expire while you are doing this work under the contract.
B
All right, just so that we're covering paragraph A, right. Program Office says that this is the level in which we want to protect it. Contracting Officer inserts it into the contract that says this is the level that you must have to get this award. And then your responsibility is to make sure you achieve that certification status and maintain that certification status throughout the entirety of the contract.
A
Yep, that's right.
B
Okay.
A
Yeah, absolutely. So they even go into more detail here in paragraph (b) under CMMC status. So remember, at the top they said contracting officers shall. Contracting officers shall not. The contractor must. Here they're saying contracting officers may award a contract, task order or delivery order or modification to exercise an option or extend a period of performance if the offeror's or the contractor's CMMC status is one of the things listed in the definition of a status, it's conditional or it's final, and if it's equal or higher to the status level that is required. Here they specifically tell the contracting officers that levels 2 and 3 can be in a conditional status. So you can have open POA&M items as long as they fall under the allowable items that can be open, which is defined at 32 CFR section 170. So they say that CMMC level 2 and 3 can be in a conditional status for a period not to exceed 180 days from the CMMC status date. And they specifically say see 32 CFR 170.21, which is the policy that outlines what items are allowable, how long you have to close those items out, so on and so forth. But the award of the contract or work can occur with a conditional CMMC status. There is no conditional status at level one. They're just reiterating that policy from 32 CFR to the contracting officers here.
B
Let me double check this real quick because it kind of. I got thrown off for a second there. It says listed in the definition of the CMMC status list in the definition means, like, I have a level 2 CMMC conditional C3PAO status. I could bid for a final status if I'm within that 180 day window.
A
Yep.
B
And is that 180 days from time of award or 180 days from the time of my conditional C3PAO status?
A
It's from the time of your status date.
B
Okay.
A
Yeah. So if you, if you finished your CMMC assessment and you are awarded a conditional status and then six months later, or let's say four months later, you bid on a solicitation. You only have two months left in order to get your final status.
B
If you don't achieve it, then... Right, they can.
A
Right. You can't have like a conditional status and then bid on something seven months later and say, now I have an extra six months to close it. That would just sort of be extending POA&Ms forever. And so that's the guidance, the policy around award eligibility and CMMC status to contracting officers. It's really pretty straightforward.
B
That's what I was about to say. You're gonna cut and dry.
A
You're gonna put the status in there. You're not gonna award the contract to anybody that doesn't get it. There's a bunch of different statuses. And as long as people meet that status, they have a higher level status, or they meet the requirements of a conditional status, then they're good.
B
And then I kind of feel like there's a little level of compromise in there too, where they're like, you know, we understand that you might not be able to get to the dead, you know, get to the point that you want to get to. You can't get your C3PAO status by the time this is going to be awarded, but if you're in the conditional, we'll work with you a little bit here. We're not trying to be.
A
I mean, that was the big change from 1.0 to 2.0, because under CMMC 1.0, they said no POA&Ms whatsoever. We won't award contracts or order-based work to anybody with any open items. And then they said, we'll allow POA&Ms. And this is what the end of that original concept looks like. They say you will insert the status requirement and you won't award the work to anybody without it. If they have a conditional status, that's totally fine. Make sure you're familiar with the policy of closing out that conditional status so that it's final within the 180 days that they're allowed.
B
And it just so happens that the timeline is the industry best practice for closure.
A
There you go. Yeah, there you go. Alrighty. So the second of the three parts for the guidance to contracting officers is 204.7503. So we went from policies, now we're going to procedures. So under procedures they've got paragraph (a) describing the CMMC level. They say the Contracting Officer shall, so explicit requirement here. The Contracting Officer shall include the CMMC level required by the Program Office or requiring activity in the solicitation provision and contract clause prescribed at 204.7504, which is the next section we haven't gotten to yet. If you look at it, they say here see 32 CFR 170.19; that part of the CMMC policy explains how this works. The Program Office tells the Contracting Officer what the corresponding CMMC status level needs to be in the contract language, just like we talked about in the policy up top.
B
And why do you do this? Because 32 CFR says that we do this.
A
That's right. They're not inventing a new procedure. They're not inventing a new policy. They're just copying that policy down into guidance to the contracting officers. Paragraph (b) is the actual procedure around award. Okay, so they say when you're going to award this work, the Contracting Officer shall check SPRS and not award a contract, task order or delivery order to an offeror that does not have a current CMMC status posted in SPRS at the CMMC level required by the solicitation or higher for each CMMC UID provided by the offeror. So new definition here. CMMC unique identifier. This is a 10-digit alphanumeric, you know, string of characters that is assigned to each CMMC assessment and reflected in the Supplier Performance Risk System for each contractor information system. So when you finish your assessment, self assessment, third party assessment, doesn't matter, then SPRS is going to append this 10-digit code to that assessment. And so you have to have your status tied to that CMMC unique ID. Essentially what DoD is saying here is you're going to be generating data for us or we're going to be giving you data that is considered controlled unclassified information. And we want to know literally the license plate on the scope of your assessment where that data is going to exist. So we're agreeing to give you this data and you're going to tell us exactly what the identifier is for the scope of whatever your assessment was, right? Yeah.
B
So you're getting assessed on an assessment scope, a level two assessment scope that you've bounded out according to the scoping guidance. Right. That's been provided. One thing that stuck out to me is "for each CMMC UID provided" for the contract. If I'm getting an environment scoped out for myself, for my organization to get awarded this contract, why would I enter more than one CMMC UID?
A
Maybe you have more than one system. Okay, yeah, maybe you have more than one system. You've got more than one assessment for some reason. But yeah, they're going to get a CMMC UID for each assessment, essentially. So if you had two different scoped systems, for whatever reason, as they're going to talk about later, if you have a significant change, which is a whole other can of worms that triggers a new assessment, you're going to have a new UID. You know, if you're going to have a change in scope, then that means the previous assessment scope is no longer valid, which means you have to have a new assessment, which means you're going to get another CMMC UID. So you can't reuse this one ID saying, you know, Bob's machine shop has a CMMC assessment. No, no, no, no, no. Which information system owned by Bob's machine shop corresponds to the scope of devices that will be handling the data? You might have multiple.
B
Because this is the environment that's been evaluated that says that it has adequate protections in place.
A
Yeah. So we're telling you you need CMMC level 2 final status as assessed by a C3PAO for this scope of assets. That's where the data is going to live. And as you can imagine, this is going to cause problems for people if there's an incident or something in the future. There's some reason why the government comes and starts asking you questions and they say, where is the system that corresponds to this 10 digit code? And you're like, it's these devices over here. And they're like, well then why is our data over there?
B
Sure.
A
Right. So that's going to be, that's what they're looking for here. They want a high level of traceability through the supply chain.
B
There's going to be a lot of explaining to do if that happens.
A
Yeah. So, okay, so paragraph (c). You know, in paragraph (b) we talked about the award of contracts. Here they're talking about option exercise or period of performance extension. So people who are already on contracts or task orders or delivery orders, they're exercising an option year or they're extending the period of performance. They're modifying existing agreements. Same guidance. The Contracting Officer shall check SPRS and not exercise an option or extend the period of performance on the contract or the order unless the contractor has a current CMMC status posted in SPRS at the level required by the contract or order or higher for each CMMC UID provided by the contractor.
B
I wonder why they're doing that. Jacob?
A
Yeah.
B
What should we look at to find out why they're doing this?
A
Yeah. So very conveniently, they say if you have questions about where this policy is coming from, then see 32 CFR 170.15 through 18. That is where the policy around this procedure is codified. And that's where the Contracting Officer would go look to see this. Now, the reason we're doing this episode in two parts is that this isn't written in the clause 7021. It's not in the provision 7025. This is the instruction for the Contracting Officer when they go to insert that language into your contract. So this is extra context that you wouldn't see if you're just reading through the contract language itself. So they've got procedures around awarding new work, they've got procedures around option exercise, period of performance. It's the same for both. So then they go down here, they've got some more information on CMMC UIDs specifically to wrap up this section. They say if the contractor provides new CMMC unique identifiers during the period of performance, the Contracting Officer shall check in SPRS, using the CMMC UIDs assigned by SPRS, that the contractor has current status at the required level or higher for each of the information systems identified that are going to process, store or transmit the data. So if you're going to award new work, you got to look in SPRS and make sure that the CMMC UID has the status you specified in the contract. If you're going to modify existing orders or exercise an option period, you got to check that the CMMC UID has a current status specified in the solicitation in the clause. And then if you're going to update for whatever reason, change in scope, change in environment, acquisition, you know, whatever significant change, whatever it happens to be, and you give them a new CMMC UID while you're exercising this period of performance, they got to go in SPRS and check to make sure that the CMMC UID has a valid status in accordance with the requirement that they specified in the previous procedures.
B
So what you're telling me is that as an organization, I need to make sure that the active status that's associated with my CMMC UID is always up to date, right?
A
Yep. You want to make sure it's always up to date and you want to make sure that it's current during your period of performance. So don't let it expire during your...
B
Period. And it is assigned to the system that I'm bidding on work with.
A
Definitely do that. Definitely do that. If you, you know, give the contracting officer a CMMC UID and it's got a valid status, and then you end up putting their data in a different system that has a different UID or doesn't have a UID at all and something goes wrong, then you're gonna have to go watch the podcast on the False Claims Act. And that's going to be, you know, that's a whole other topic. But that's not going to happen to the listeners of this show because we all know it's all very clear as to how this is going to work. So now we're at the last section of the KO side of the 48 CFR final rule, DFARS clause 7021. This is all the guidance around how to use the clause, literally. 204.7504 says solicitation provision and contract clause. And it says unless the requirements at 32 CFR 170.5 paragraph (d) are met, use the clause 252.204-7021. For those of you unfamiliar, 170.5 paragraph (d) is the part of the CMMC policy that explains the waiver process, the waiver process for CMMC requirements. So unless there is a waiver established for the contracting officers, telling them do not insert this clause, and they've gone through all the other policy and procedures up top, they will insert the clause as follows. There's two considerations here. Until November 9th of 2028, you will use the clause in solicitations and contracts, task orders or delivery orders, including those for FAR Part 12, procedures for the acquisition of commercial products and services, not COTS products and services, if the program office or requiring activity determines that the contractor is required to have a specific CMMC level. So this is saying that up until the end of the phased rollout, if the program office or requiring activity determines that the contractor needs to have a specific level, you will insert this clause into their contract with that specific level.
Unless there's been a waiver. As we've talked about in previous podcasts, there aren't going to be very many waivers because waivers are for entire contracts. That's why we say this. It's for the entire contract, not for individual contractors. And so your question here is, if the program office or requiring activity determines that a contractor is required to have a specific level, how do they determine?
B
Right.
A
It doesn't explain in 32 CFR how they determine. What steps do you use, what rubric do you use, what guidance do you use to determine? So during the phased rollout and after, as we've seen, we did a whole podcast on this. We'll link it below. There is DoD policy that has been put out to the contracting workforce that says if they handle this type of data, this is the minimum requirement. And there's guidance in there that says if you handle the DoD categories of CUI, the minimum requirement is CMMC level 2 C3PAO status. And so they have discretion during phase one to include CMMC level 2 C3PAO status. The guidance says if you handle this data, you need CMMC level 2 C3PAO status. And so depending on when you're listening to this, phase one of the phased rollout might be over. But in case it hasn't started yet or we're in the middle of it, just be aware there's nothing in here that says you can't include that status. It says you include the status that the program office determined needed to be in here. And if there's no waiver, you do what they say.
B
Yeah, there's. And it's cut and dry. Even in 48 CFR, they even went as far as to add the fill in provisions. Right. The fill ins to make sure that there was no confusion. Absolute clarity when it comes there. There's no negotiation here, like you know what I'm saying. It's once you get the contract, the contract says that you need level two. It's not saying, I don't know if this fits me or not. That's not it. If you want to be on this program.
A
Right.
B
That's how this has to.
A
Now, if you're in a position where you're very large or you've got a lot of sway over the agreement, then maybe you can negotiate. But that's not most people. People. Right. Most people are not Lockheed Martin. Most people are not in a position where you can negotiate.
B
So if you're about 11 companies in a position, maybe. Right. They're the big. I'm in a position to sway things.
A
Maybe, maybe, yeah. But you know, it's a contract. They're, they're, you know, you can negotiate contracts all day long, but most people are not in that position.
B
Congratulations to that 2.1% or whatever it is. Right.
A
And so as you can see, you know, as we've gone through these sections, this is pretty on rails here. This is, there's not a lot of open ended questions here. It's pretty clear cut. If they tell you this, you put it into the clause and you can't award the contract if they don't meet the requirements. There are conditional statuses that you can meet and it's totally fine and then we'll go from there.
B
But I mean it should be cut and dry and straightforward. And the reason why it should be cut, dry and straightforward is because it's the instructions. Right. You wouldn't want there to be like lack of clarity in what the Contracting Officer is supposed to do when assigned.
A
Well, and so just so you know, like this is the contracting officer guidance to this clause and provision, 7021 and 7025. Every DoD DFARS clause and provision has Contracting Officer instructions like this. Which is why it's unrealistic to think that this one clause for one company in one situation is going to get flagged in a Contracting Officer's mind. They have to do this for every clause that goes into every contract. So it's very straightforward, very cut and dry. But this looks and sounds exactly like every other clause and contract policy and procedure guidance that they have to read for. You know, if this, then include this clause; if this, then you include this clause. If those clauses are included, you can award it under these conditions or not. Next. And then they just keep going.
B
And like we said, or like I said at the beginning of the show, having the understanding of this makes this a little bit easier to digest. Right. Makes the reason I'm getting these requirements quite a bit easier for me to understand. Yeah, there's a process behind it. And again, it's not you being singled out as a program or anything like that, right?
A
Yeah, absolutely. If it shows up in your contract language it's because a program office determined that it needs to be there and the government determined that it was not necessary to waive the requirements. Absolutely. Okay, so there's a second part here where they talk about after November 9th of 2028. So this would be after the phased rollout ends, but honestly, the language is not really that much different. They say, on or after November 10th of 2028, after the phased rollout ends, use the clause in solicitations and contracts, task orders or delivery orders, including for commercial work, but not for COTS, if the program office or requiring activity determines that the contractor is required to use contractor information systems in performance of the contract and it will transmit FCI or CUI. So at the beginning they said, during the phased rollout, use this clause if the program office determines that the contractor is required to have a specific CMMC level. After the phased rollout, they say use this clause if the program office determines that the information systems owned by the contractor will handle FCI or CUI. Isn't that how you would determine it in the beginning? So I don't see a lot of room between these two things. It is not clear to me reading this guidance that there is a huge difference in how the program offices are going to determine things during the phased rollout. Like I said, if you're watching this after the phased rollout, then you don't have to worry about this anymore. But until that process is done, there's just not a lot of wiggle room here. If you have the data, they're probably going to say you need that CMMC status. And that's kind of it.
B
And by November 10, 2028, I think you're going to be actively in contracts where everybody's in a contract where it exists, and they're not going to be like, oh, yeah, you don't have that now.
A
Right, Exactly.
B
Take these protections away, the program's not going to need them anymore. I don't think that happens.
A
Yeah, and then just at the bottom, in the last paragraph, they say, use the provision 252-204-7025, which we did a whole episode on, in solicitations that include clause 252-204-7021. So if you go through this policy, you go through the steps of the procedure and then you determine, yeah, this needs to be in the contract at this CMMC status level, then you also have to include the contract provision 7025 to double check that people are aware. Hey, this contract includes the requirement that you have to achieve this CMMC status. So when you accept the terms of this contract, you're agreeing that you will achieve this CMMC status that's specified by this clause. If you've got questions or you want to know more about how 7025 works, you can check out the episode below. At this point, we have covered clause 7012 and its provision 7008. We have covered clause 7020 and its provision 7019. We have covered clause 7021 and its provision 7025. And we've even included a couple of them in there that are a little lesser known about the obligations that the government has whenever they deal with your data, so on and so forth. And until we get the FAR CUI rule or maybe some revisions in the future, which are probably still a ways away, that's kind of the entire universe of the DFARS cyber clauses and provisions that impose cyber security requirements on defense contractors.
B
Yeah, it's the entire suite. I think that the DIB right now, especially the audience of our show, should be concerned about within their contracts.
A
Yeah, absolutely. So there you go everybody. That is the KO, contracting officer, side of your DFARS 7021 clause. Next time we will talk about what the clause actually says, but at this point you can probably predict what it's going to say based off what the contracting officers are instructed to do. The only real new part when we talk about the clause itself is all the flow down obligations for the contractors. But yeah, that's a conversation for next time and we'll see you next week.
B
See you next week.
Host: Summit 7
Date: September 25, 2025
In this episode, Summit 7 continues its "Back to Basics" series by exploring the foundational elements of cyber requirements for defense contractors, focusing on the much-anticipated DFARS clause 252.204-7021. This is known as the CMMC (Cybersecurity Maturity Model Certification) clause—the linchpin for contractor cybersecurity obligations in DoD supply chains. The hosts break down the contracting officer (KO) side of the clause: the rules, definitions, instructions, and precise steps that KOs must follow before a CMMC requirement appears in a contract. The episode clarifies why and how the clause comes into play, demystifying the otherwise opaque process for contractors.
Note: The contractor side of DFARS 252.204-7021 will be covered in Part 2.
On KO Strictness and the Role of 'Shall':
"‘Shall’ means you must do this. You will do this [...] especially a government contract."
(A, 07:22)
On the Determination of CMMC Levels:
"The Contracting Officer is not the one that decides that it’s supposed to be there. The program manager, the program office, the requiring activity [...] tells the Contracting Officer."
(A, 07:28)
How Conditional Status Works:
"CMMC level 2 and 3 can be in a conditional status [...] for a period not to exceed 180 days from the CMMC status date."
(A, 14:10)
Why CMMC UID Traceability Matters:
"They want a high level of traceability through the supply chain."
(A, 21:40)
On Negotiation and Power:
“Most people are not Lockheed Martin. Most people are not in a position where you can negotiate.”
(A, 29:11)
On the Episode’s Overall Message:
"If it shows up in your contract language it’s because a program office determined that it needs to be there and the government determined that it was not necessary to waive the requirements."
(A, 30:59)
| Timestamp | Content/Discussion Point |
|-----------|------------------------------------------------------------------|
| 01:05 | "Today we're talking about the big one, the CMMC clause itself." |
| 05:04 | How the DFARS subpart implements (not creates) CMMC policy |
| 07:22 | Explanation of "shall" as a government contract requirement |
| 10:22 | CMMC status types and what they mean |
| 13:16 | Recap of KO and contractor stepwise responsibilities |
| 14:10 | Allowing conditional CMMC status for 180 days |
| 21:40 | Explanation of CMMC unique identifier (UID) & traceability |
| 27:22 | Waiver process for the clause; rarity and breadth |
| 29:11 | Who (if anyone) can negotiate the clause's inclusion |
| 30:59 | "If it shows up in your contract... it needs to be there." |
| 34:24 | Summary: this is the KO side of DFARS 7021; contractor side next |
This episode provides a thorough breakdown of the KO rules for DFARS 252.204-7021, highlighting how CMMC requirements end up in contracts and the inflexible, policy-driven nature of their enforcement. The process is systematic, traceable, and offers little room for negotiation or error for most contractors. For defense contractors, understanding how and why the clause arrives in their contracts demystifies compliance and helps set expectations.
Next episode: The team will break down the contractor requirements side of the 7021 clause, focusing on what contractors must do once the KO has included CMMC in a contract.
For references to discussed webinars and prior episodes, see the show’s web archive.