A
All right, folks, it is September of 2025, and the regulation that finalizes CMMC guidance for DoD contracting officers and program managers officially goes into effect on November 10th of 2025. And the highlight of the regulation for most people is the final text of DFARS clause 252.204-7021, the CMMC clause that we've been waiting on for years, which tells contractors which CMMC level they need to achieve specifically to take award of the contract. But the regulation also created DFARS provision 252.204-7025. 7025. What the heck is that? I thought 7021 was what we had to worry about. But now that the final rule is done, we can wrap up our Back to Basics series on the DFARS Cyber series of cybersecurity provisions and clauses with this new wacky provision, 7025. And that's what we're going to talk about today.
B
Yeah, we saw the trend, or we saw how the pattern was. There was always one clause that tells you what's happening and the other clause that tells you what needs to happen, for the most part. Right. And so for the CMMC program, for the longest time, we only had 7021, and it was the one that told us kind of what's happening, but we need to know what needs to happen here. And so that's what 7025 was. All of our guesses as to what number they were going to use were completely off. The numbers have no. There's absolutely no method to the madness when it comes to these numbers, but we have the numbers and it's the ones we have to stick to. And you're going to see them in your contract soon.
A
Yep, absolutely. All righty. So we should have a playlist available with the Back to Basics series that you guys can check out. It's been a minute since we've updated it, but we're covering all of the DFARS Cyber series, as we like to call them, the set of solicitation provisions and clauses that govern cybersecurity requirements for defense contractors handling controlled information. So we talked about DFARS provisions 7008, 7009, 7012, 7019, 7020. We've gone through all of these, and today we're looking at the new provision 252.204-7025, titled Notice of Cybersecurity Maturity Model Certification Level Requirements. And just like we talked about with DFARS 252.204-7008 and 7019, the 7025 provision, just like it says in the title, is putting you on notice. It's making you aware of the requirements in a corresponding contract clause. So if you remember from the other episodes that we've done, 7008 makes you aware of 7012, 7019 makes you aware of 7020, 7025 makes you aware of 7021. And like you said, the numbers are completely arbitrary. They get assigned when the rules are, when the final text of the rules are put together, and the numbering scheme does not indicate what they correspond to. So 7008, 7012, 7019, 7020, 7025, 7021: solicitation provisions and their corresponding contract clauses.
B
Yeah, so I'm almost certain that the dartboard was used in the selection of the number and which we chose here. But yeah, like we said. And Jacob, if you could break it down just a little bit more, you know, we say that, you know, 7025 is the provision that makes you aware of the requirements and the contract clause makes you aware of the requirements out. Does it tell me I need CMMC Level 3, I need CMMC Level 2, or that there's CMMC requirements in this contract?
A
Yeah. So like the other provisions, it's not very long and it's very straightforward. And the main part of it says this contract clause is going to require this CMMC level. So let's talk about the text of the provision and it'll basically explain itself at that point. So like I said, not very long, just like the other provisions. And it starts out with the same line that all the provisions and clauses say. And it says as prescribed in DFARS 204.7504, paragraph (b), use the following provision, because remember, most of the DFARS is not written for you, the contractor. It's written as guidance to the contracting officers in order to know when and why and how to insert certain clauses and provisions based off the things that they're trying to buy. So the guidance at DFARS 204.7504 tells them when and how to use provisions and clauses. In this case it says use the provision at 252.204-7025, Notice of CMMC requirements, in solicitations that include the clause 252.204-7021. So obviously you'll have to tune into the upcoming episode on 7021 and we're going to talk about what it says at this part of the DFARS that says when you insert the 7021 clause. Now, real quick, inserting the 7021 clause, as people are probably familiar, has phased rollout guidance. There's waiver issues. There's applicability considerations. There's other topics that we're going to talk about in that upcoming episode. But for. We're just going to assume that the clause is going to be there. And so therefore, the 7025 provision needs to be included in the solicitation question from the.
B
From the class.
A
Yes.
B
Yes, Professor Horn. Yes. So just a quick question here. We know that because of what's prescribed in 7504, that 7021 was appearing in some contracts and they had to issue a little memo and class deviation that says, hey, take that out. You can't use that yet, even though the conditions apply. So would you be willing to go out on the limb and assume. I know it's terrible to assume, but would you be willing to go out on that limb and assume that some of those contracts that preemptively had 7021 in them, if I were a betting man, I would bet that they have 7025 in them.
A
The ones.
B
So probably the ones that. Yeah. Remember, they put the 7021, like, hey, stop doing that.
A
Yeah.
B
If I was one of those contracts where I saw that pop up on my contract, would it be safe to assume that 7025 would be a part of it?
A
Well, yeah. So moving forward, if they determine that 7021 needs to be in the contract, 7025 will be in the solicitation. Absolutely. Up until now, when you know people, because you'll talk to some people and they're like, well, I've seen the 7021 clause, even though the phased rollout hasn't begun, so what the heck is going on? All that stuff was unauthorized. It was a mistake. It was contracting officers, program managers jumping the gun for various reasons. They're humans. It's what happens. But in the future, you know, after the phased rollout begins, if the determination is made that you need the 7021 clause, which is a whole process that we'll talk about in that episode, then you have to include the solicitation provision to make people aware that they're going to have requirements in the corresponding clause. But like I said, this solicitation provision that makes you aware is pretty short. There's only a couple paragraphs. And like all of them, it starts out with our favorite thing, definitions. So it says, as used in this provision, the definitions for controlled unclassified information, current CMMC status, Cybersecurity Maturity Model Certification Unique Identifier (CMMC UID), Federal Contract Information, and Plan of Action and Milestones have the meaning given in the 7021 clause. So you actually have to go look at the clause to go find those definitions. We're just going to structure those and cover them as we see them pop up in the text of the provision. That way we're not just reading definitions at you. But lawyers can't go anywhere without their definitions. Contracting officers can't go anywhere without their definitions. They always put them up there at the top. Anyways, that's the first paragraph down. Let's talk about paragraph B. There's only A, B and C. So paragraph B1, Cybersecurity Maturity Model Certification Level. The CMMC level starts off very, very, very apparent, very upfront.
The CMMC level required by the solicitation is blank. And then it has guidance that says contracting officer, insert one of the following: CMMC Level 1 (Self), CMMC Level 2 (Self), CMMC Level 2 (C3PAO), CMMC Level 3 (DIBCAC). That's it. The solicitation provision is going to say the CMMC level required for this contract is CMMC Level 2 C3PAO certification, CMMC Level 1, whatever. It's going to say it right there at the top of the solicitation provision. It's also going to say this in the 7021 clause. It's going to say it twice. What is the CMMC level required to take award of this contract?
B
That was one of the comments and responses from the final rule which I was very happy to see that the DoD took action on. A lot of people asking for fill-in levels and things like that to make sure that there was plenty of clarity, not just for their understanding, but to make sure there was absolutely no confusion between the Contracting Officer and the contractor.
A
Yeah, yeah. Now, so it's important to remember, right, CMMC is one program that's implemented by two different regulations. So the 32 CFR section 170 rule establishes all the program policy around how CMMC works. This 48 CFR rule takes all of that policy and implements it in contract language and guidance to the DoD contract workforce. So, you know, when people were looking at the 32 CFR rule as it was going through rulemaking, one of the main questions was how do I know? How do I know what level I need? Well, it tells you in the corresponding solicitation provision and clause: you need this level. And that part of the paragraph goes on to say this CMMC level or higher is required prior to award for each contractor information system that will process or transmit federal contract information or controlled unclassified information during performance of the contract (see 32 CFR part 170). So there are many times in the provision and in the clause that they call back, they actually just provide you a hyperlink to the corresponding guidance from the 32 CFR policy. The 48 CFR rule, especially the contract clause, the provision, they're not changing anything that's written at 32. They're referencing what is said at 32 and then putting it in the terms of your contract.
B
Just, I think it's just an assurance that they're covering the things that they need to cover from the programmatic side for the contractual side to make sure everything's aligned.
A
Yeah, the policy at 32 CFR 170 says you need a level in order to take award or a higher level in order to take award. And so this says you need this level or higher to take award of the contract. And as people are probably familiar at this point, Federal Contract Information, everybody's favorite definition, information not intended for public release that's provided or generated for the government under a contract to develop or deliver a product or service to the government. This does not include information provided to the government by the government to the public, such as information on public websites, simple transactional information such as information necessary to process payments. By virtue of being a federal contractor at all, you're going to be interacting with FCI, which means you're always going to see a CMMC Level 1 requirement in these solicitation provisions and contract clauses. Unless you're, you know, below micro-purchase thresholds and some of the exceptions, if you're strictly a COTS acquisition, you know, type of transaction or something like that, there's some carve-outs for where it won't apply. But anybody doing any type of significant work is going to at least see the CMMC Level 1 requirement. And as people probably know, controlled unclassified information is information that the government creates or possesses or information an entity creates or possesses for or on behalf of the government that a law, regulation or government-wide policy requires an agency to handle using safeguarding or dissemination controls. There is a law, a regulation or a government-wide policy, an authority as they're called, that says this unclassified information needs to be protected. It is controlled, right, because an authority says control it. It's not classified. So it's unclassified, controlled unclassified information. So if you're handling either of those two forms of data, it's going to trigger this requirement.
Then this first paragraph of the solicitation provision is going to say you need the following CMMC level in order to take award of this contract that involves one or more of these types of data.
B
Yep. Simply put, programmatically, 32 CFR says that if you have this data or this data, you have to protect it. And this clause is telling you that based on the definitions in 32 CFR or based on the definitions of that type of data and what we have to do to carry it out. This is why this contract clause exists.
A
Right.
B
This is the justification behind putting this in your contract.
A
You add this and little note here. The CMMC program is not the CUI program. Those are separate programs. There is a federal-wide CUI program that is itself a regulation that was the result of rulemaking. And they provide the link to you in the definition of CUI at 32 CFR 2002. So the CMMC program is 32 CFR 170. If you need to brush up, check out 32 CFR 2002, which is the policy outlining CUI for the entire federal government. But anyways, the other part of paragraph B, paragraph B2: the offeror will not be eligible for award of a contract, task order or delivery order resulting from this solicitation if the offeror does not have, for each contractor information system that will process, store or transmit FCI or CUI, and that will be used in the performance of a contract resulting from this solicitation. So this solicitation is letting you know that this contract requires this specific level because of the data that you will be generating or receiving as a result of doing the work. And you will not be eligible for the award if you don't have that correct level that we are outlining for you. Pretty straightforward.
B
Yeah. If you don't have it at time of award or if it is not good through the contract. Right?
A
Yeah. So you have to have the correct status in order to take award of the contract. Now they actually go in here in this subparagraph and they say, well, you have to have a current CMMC status. So what the heck does that mean? CMMC as a model has three levels, Level 1, Level 2 and Level 3, that correspond to the type of data that you are going to be handling and that triggers a certain set of requirements. So you've got a set of requirements for FCI, a set of requirements for CUI, and then another set of requirements for extra super duper CUI, if you will, at CMMC Level 3. You go through an assessment and that generates a status for one of those levels. There's seven different statuses that you could have and as the provision goes on to say, the current CMMC status entered in the Supplier Performance Risk System, the SPRS database, at the CMMC level required in the previous paragraph of this provision can be Final Level 1 (Self), Conditional Level 2 (Self), Final Level 2 (Self), Conditional Level 2 (C3PAO), Final Level 2 (C3PAO), Conditional Level 3 (DIBCAC), Final Level 3 (DIBCAC). So your status can be final if you've implemented all the requirements, or conditional if you've met the requirements that let you have some open findings on your plan of action and milestones. That's a conditional status at whatever level you're at. There is no conditional status at Level 1. You can only have final. But let's say you go through a self-assessment at Level 2 and you're missing a couple of the one-point controls. You put them onto your plan of action and milestones, you have a conditional Level 2 status. Or you have to go through Level 3 and DIBCAC comes in to run your assessment, they find that you've implemented all of your requirements, you have a final Level 3 status from DIBCAC. So you have CMMC status, which is a term that has meaning, and it also has to be current, a current CMMC status.
In the definitions at 7021 they give you a definition of current for all seven of those statuses. Basically means it's not older than three years because your status is valid for a three-year period. So when you take award, your status still has to be valid. If it expires, then you got to handle it appropriately. If you have conditional statuses and you've got open POAM items, those POAM periods, that conditional status is only valid for 180 days. So you have to make sure that you close those things out. Otherwise, as they say at CMMC policy, standard contractual remedies will apply, which is going to be a bad day for everybody.
B
And then there's a list of controls within the CMMC Level 2, Level 3 assessment guides, right, which dictate these are acceptable. These are the ones that you can be granted a conditional status with. Obviously you can't have a self-assessment, don't have an SSP and be like, yeah, we're conditional. We'll get to it when we get to it. There are specific ones where this is acceptable. And so like if you say I have a conditional and really you're just completely fubar, it's going to be problems down the road.
A
Yeah, you can totally take award with conditional status. You just got to make sure you manage and close out that conditional status appropriately and not let it expire. So this paragraph says this is the level. You got to have this level in order to take award. You got to have a current CMMC status that matches that level or higher. And then finally it says you also have to have a current affirmation of continuous compliance with the security requirements identified at 32 CFR part 170 in the SPRS database. Because part of CMMC, you got to have your assessment every three years at whatever level you need. And then annually there has to be an affirmation of continuous compliance from a senior company official. This is a real thing that you absolutely need to make sure that you do. Those are terms with meaning. We're doing a webinar that's coming up. If you're watching this and it's before the webinar, you'll be able to find the webinar after it's done. Registration link is below in the comments and we're going to talk all about the details of what's been going on. But that's 32 CFR CMMC policy and this is just implementing it in the contract provision and clause.
B
And can I interrupt you to ask you a question? Of course. Teach me. Right. All right, so check this out. If today, September. In September, right? September of 2020. Yeah. Today, September of 2025.
A
Right.
B
This month I get certified at Level 2 by a C3PAO. That means within 365 days, if I'm the affirming official, I must go into SPRS and self-attest or self-affirm. This is our score. We've maintained the score. XYZ.
A
Right.
B
Let's say on day 366. I haven't done that.
A
That.
B
Am I technically out of. Does that make sense? Right.
A
Yeah, let's just. Yeah, your. If your annual affirmation expires, then it's expired. Don't let.
B
And that means you don't no longer have that, that current CMMC certificate. Technically. Right.
A
Well, your CMMC certificate from your assessment, your status is still valid, but your affirmation of compliance would not be. So you've got multiple things to juggle. Right. Because your status is valid for a 3-year period. You have to annually affirm what's going on in SPRS. So you got to make sure that you balance both of those correct.
B
So I have paragraph one or. Yeah, paragraph one or subpart one of paragraph B. Right. The current CMMC status XYZ, have that covered. Got my certificate from the C3PAO.
A
Yep.
B
But then subpart two, a current affirmation of continuous compliance. So at 366, right, that no longer becomes a current affirmation. There is no affirmation. Am I, this is really me like asking.
A
You got two different. You get two different things to juggle. Right. You got to make sure that you have a valid status. If it's conditional, you close it out. That's in there for three years. You got to plan accordingly so that before your status expires you get it re-upped so that that status is reflected in SPRS. Every year you also have a requirement to update your affirmation that hey, yeah, we are good for a period of three years on our status, but every year we are telling the government officially, in an official statement and representation to them, we are continuing to stay compliant even in these annual periods between the three-year period that our status represents. Okay, yeah, okay, that's paragraph B. Moving on to paragraph C, Plan of Action and Milestones. This has been the big highlight when we went from CMMC 1.0 to 2.0. You can have conditional status and still win a contract, still take award of a contract. Here the provision tells us if the offeror has a CMMC Status of Conditional, the offeror shall successfully close out a valid Plan of Action and Milestones to achieve a CMMC Status of Final. This guidance is contained at 32 CFR 170.21. So if you want to find out what the CMMC Program policy is regarding conditional status and plans of action and milestones, check out 32 CFR 170.21, referenced right there in the provision. From the definitions that we talked about earlier, a Plan of Action and Milestones is a document that identifies tasks to be accomplished. It details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones as defined in NIST Special Publication 800-115, as policy dictates specifically for CMMC at 32 CFR 170.21.
Like we talked about earlier, CMMC has a scoring system for all the requirements that it's verifying, and only the one-point controls, a subsection of the one-point controls and a certain amount of them, are allowed to be represented on a POAM which would have you in a conditional status. This is letting you know that if you have that conditional status and you've won the contract award, you have to successfully close out those open items in order to go to a final status. That's what it's telling you here.
B
Yeah. So just a few tidbits on the conditional status. There are a lot of parameters that go into it. Like we mentioned, there are certain controls that can't go into it. In addition to that, the assessment score of the organization divided by the total number of CMMC controls, 110 CMMC Level 2 controls and requirements. It can't be greater than 0.8. How that math works out, why it can't just be one to one. We got to go 0.8. I'm terrible at math. I'm not going to do it on the show.
A
I was promised there would be no math today.
B
Yeah, literally there is a bunch of lists. So if we're thinking that we can just go through this with a conditional certification and we don't want to do some things, there are certain things again based on the rule that this, this carries out.
A
Yeah. If you think that you're going to go through a CMMC assessment without multifactor authentication implemented because you can put it on a POAM, or like basic access controls because you can just put it on a POAM and have a conditional status, that's not true. You got to read the guidance for how POAMs work at 170.21. Although if you're bidding on a solicitation that's going to be awarded in like 30, 60, 90 days later, hopefully by that point you're very aware of what's been going on because you're either scheduled for an immediate assessment or you're already done with your assessment. So you won't be learning about the POAM requirements for the first time on a solicitation you're hoping to win like 45 days later, but you know, you do you. Anyways, last paragraph of the solicitation provision, CMMC unique identifiers. And so here they're talking about CMMC unique identifiers from the definitions in the clause. A CMMC UID is a 10-digit alphanumeric identifier assigned to each CMMC assessment and reflected in the SPRS database for each contractor information system. So when you snap a final scope for your CMMC assessment and you go through your CMMC assessment and those results get uploaded into SPRS, either via you, from self-assessment, or from a third party, a C3PAO Level 2, or from a DIBCAC assessment, whatever, it's going to be a CMMC unique identifier for that assessment scope. And the solicitation provision tells us the offeror shall provide in the proposal the CMMC unique identifiers issued by SPRS for each contractor information system that will process, store or transmit FCI or CUI during performance of the contract, task order, or delivery order resulting from this solicitation. So you have to, when you're bidding on this contract, tell them these are the exact system scopes where your data will be handled during the course of executing this contract.
Like they're going, the DoD is going from having no idea where their data is and no idea who's handling it to having a 10-digit alphanumeric identifier that says this specific set of assets in this specific scope is where your data is located and it's valid for the next three years, which as you can imagine is going to get real spicy if there's an incident or the DOJ starts sniffing around after things get mishandled. And they say, you told us that the data was supposed to be here and it turns out that the data was all over there, so what the heck is going on? So the CMMC unique identifier is a thing that's generated as a result of your assessment being, you know, represented in SPRS. And they want to know, they want to know the license plates on all the cars that you're driving around their data inside of. It wraps up here. It says the offeror shall also update the list of these IDs when new CMMC UIDs are generated in SPRS. New assessments, new assessments triggered by new scope, things like that. The CMMC UIDs are provided in SPRS after the offeror enters the results of self-assessments for each such information system. And that's it, that's what the solicitation provision says. You need this CMMC level. Your CMMC level has to be current. You can have open POAM items for a conditional status, but you're going to have to close it out. And then we also want to know the specific CMMC unique identifiers for the system scopes in which you plan to place and handle the data that we will be providing for you or that you will be generating for us. Pretty straightforward.
B
And it's your responsibility to let us know when that ID changes.
A
Yeah, absolutely. Which is a whole other can of worms. What is a significant change? What would change your system scope, does that trigger a new assessment and therefore trigger a new ID? And then we got to update the contracting officer to let them know that the system scopes have changed. Blah, blah, blah. That's a topic for another day. But coming up soon, we're going to talk about the big one that everybody's been waiting on. The DFARS clause 252.204-7021. The seventh and final iteration of this DFARS cyber series of kind of the basics of how you end up with cybersecurity obligations as a defense contractor. But there you go, everybody. That's what we waited on for four years was three paragraphs of information that says, you need a level. You can have a POAM. If you do, you got to close it out. And we want to know the IDs for the systems that the data is on.
B
Absolutely no controversy at all in those days.
A
How hard can it be? That's all we got to do. That's all we got to do.
B
After four years, they had mercy on us. No deliberating what we're saying.
A
All right, there you go. So coming up, we're going to wrap up with the 7021 clause, and then. And then we'll go onward and upward from there. And we'll see you next week.
B
See you next week.
Host: Summit 7
Date: September 18, 2025
This episode demystifies the new DFARS provision 252.204-7025, which was introduced alongside the long-awaited final DFARS 252.204-7021 “CMMC Clause.” The hosts break down what 7025 means for defense contractors, how it fits into the DFARS Cyber series, and why it matters for CMMC compliance. The discussion focuses on the structure, function, and direct implications of the 7025 provision, especially concerning contractors’ eligibility for contract award and ongoing obligations.