Podcast Summary: Sum IT Up: CMMC News Roundup
Episode: What is DFARS 252.204-7025?
Host: Summit 7
Date: September 18, 2025
Episode Overview
This episode demystifies the new DFARS provision 252.204-7025, which was introduced alongside the long-awaited final DFARS 252.204-7021 “CMMC Clause.” The hosts break down what 7025 means for defense contractors, how it fits into the DFARS Cyber series, and why it matters for CMMC compliance. The discussion focuses on the structure, function, and direct implications of the 7025 provision, especially concerning contractors’ eligibility for contract award and ongoing obligations.
Key Discussion Points & Insights
1. Context and Purpose of DFARS 7025
- 7025 as a “Notice” Provision:
- Like provisions 7008 (which alerts contractors to 7012) and 7019 (which points to 7020), 7025 serves as notice of requirements that will be enforced via clause 7021.
- "The 7025 provision, just like it says in the title, is putting you on notice. It’s making you aware of the requirements in a corresponding contract clause." – A [02:00]
- Numbering is Arbitrary:
- The hosts joke about the arbitrary numbering in DFARS provisions; there is “no method to the madness” [01:23]. Contractors need to follow the content, not just the numbers.
2. Structure and Content of 7025 [03:57–13:07]
- Short, Straightforward Provision:
- The text is concise – three paragraphs labeled A, B, and C.
- Paragraph A: Definitions
- References all key terms (e.g., CMMC status, FCI, CUI) back to the definitions given in 7021.
- “Lawyers can’t go anywhere without their definitions. Contracting officers can’t go anywhere without their definitions. They always put them up there at the top.” – A [06:26]
- Paragraph B: Certification Level Requirements
- 7025 Tells You Explicitly Which CMMC Level You Need:
- The required CMMC level for the solicitation is a direct fill-in by the contracting officer: CMMC Level 1, Level 2 (self or C3PAO), or Level 3 (DIBCAC).
- “The CMMC level required by the solicitation is blank... contracting officer, insert one of the following.” – A [08:10]
- Eligibility for Award:
- Contractors must have the specified CMMC status (final or conditional for Levels 2/3) in the Supplier Performance Risk System (SPRS) at the time of award.
- “You will not be eligible for the award if you don't have that correct level that we are outlining for you. Pretty straightforward.” – A [13:25]
- Annual Affirmation of Compliance:
- Annual official affirmation in SPRS is required, distinct from the three-year assessment window.
- "Your status is valid for a three-year period...[but] every year, we are telling the government...we are continuing to stay compliant even in these annual periods." – A [20:32]
3. Conditional Status & Plans of Action and Milestones (POAMs) [20:32–23:43]
- Conditional Status = Not Final, Still Eligible (with Rules):
- Contractors with a "conditional" status (i.e., valid open items on a POAM) can take award but must close those items to upgrade to "final."
- Only certain control deficiencies are eligible for conditional status, and only for a limited time:
- "Conditional status is only valid for 180 days." – A [16:50]
- “If you have conditional status and you’ve won the contract award, you have to successfully close out those open items.” – A [22:00]
- Limits on POAM Usage:
- Not all missing controls can be placed on a POAM; key security requirements (e.g., multi-factor authentication) cannot be delayed.
- “If you think that you’re going to go through a CMMC assessment without multifactor authentication...that’s not true. You got to read the guidance for how POAMs work at 170.21.” – A [23:43]
4. CMMC Unique Identifiers (UIDs) [24:44–27:40]
- UID Requirement:
- Contractors must provide the unique 10-digit CMMC assessment identifier for each system processing FCI or CUI.
- “You have to, when you’re bidding on this contract, tell [the government]: these are the exact system scopes where your data will be handled.” – A [26:10]
- Responsibility to Update UIDs:
- Contractors must update the UIDs if their system scope or assessment changes.
- “It’s your responsibility to let us know when that ID changes.” – B [27:37]
5. Relationship to Other Regulations [09:27–13:25]
- DFARS 32 CFR 170 vs National CUI Program:
- The hosts clarify that CMMC is not the same as the federal CUI program, though CUI rules inform which contracts require higher CMMC levels.
Notable Quotes & Memorable Moments
- On arbitrary numbering:
- "I'm almost certain that the dartboard was used in the selection of the number...the numbers have no...there's absolutely no method to the madness." – B [03:32]
- On clarity for contractors:
- “It’s going to say it right there at the top of the solicitation provision...What is the CMMC level required to take award of this contract?” – A [08:25]
- “A lot of people asking for fill-in levels...to make sure there was absolutely no confusion between the Contracting Officer and the contractor.” – B [09:07]
- On real-world eligibility:
- “If you don’t have it [compliance] at time of award or if it is not good through the contract...you have to have the correct status in order to take award.” – B [14:41]
- On assessment maintenance:
- “You got to make sure that you balance both of those: your status is valid for a three-year period. You have to annually affirm what’s going on in SPRS.” – A [20:32]
- On POAM misconceptions:
- “There are certain controls that can’t go into it. In addition...the assessment score...can’t be greater than 0.8...why it can’t just be one to one? I’m terrible at math...” – B [23:05]
- On the end result of 7025:
- “That’s what we waited on for four years was three paragraphs of information that says, you need a level. You can have a POAM. If you do, you got to close it out. And we want to know the IDs for the systems that the data is on.” – A [28:25]
Important Timestamps
- 00:02 – Introduction, final rule context, why 7025 is new and relevant now
- 03:57 – Structure and purpose of 7025: the “notice” model
- 09:07 – Importance of explicit CMMC level designation in contracts
- 13:07 – How definitions and data types drive CMMC requirements
- 16:50 – Explanation of the difference between final and conditional CMMC statuses
- 20:32 – Required annual affirmation, and what “current” means for CMMC status
- 22:00 – Obligations for closing POAMs after award
- 24:44 – Introduction and purpose of CMMC Unique Identifiers (UIDs)
- 27:37 – Responsibilities to keep contract officials updated on UID changes
- 28:25 – Final summary of the practical impact of 7025
Takeaways for Contractors
- DFARS 7025 will now appear alongside 7021 in new DoD solicitations, explicitly stating the CMMC certification level required.
- To be eligible for award, contractors must have a current (three years from assessment) and annually affirmed CMMC status in the SPRS, matching or exceeding the level required by the solicitation.
- Conditional awards are possible but require open POAMs to be closed within narrowly defined limits and timelines.
- Contractors must provide, and keep updated, unique CMMC identifiers for all systems processing FCI/CUI.
- The requirements are strict and intended to be procedurally clear, leaving no room for ambiguity or leniency in the compliance process.
- DFARS 7025 is critical, but its real teeth are in DFARS 7021—coming in the next episode.
