A
All right, folks, it is July of 2025. We are in the back half of the year, and we are continuing with our Back to Basics series on the DFARS Cyber series of solicitation provisions and clauses that make up all of the cybersecurity stuff you've got to do as a defense contractor. And today we are picking up where we left off with DFARS clause 252.204-7020, NIST Special Publication 800-171 DoD Assessment Requirements. That's what we're going to talk about today.
B
Well, hold on. I think when we talked about 7019, we talked about assessment requirements, and I think one of the most common questions we get is: 7019, 7020, you know, sounds kind of like the same thing to me. And I know you and I know that they're two different things, but I think you're going to dig a little bit more into why exactly they're separate but related.
A
Yeah. So when you read through this collection of solicitations and clauses, the thing to remember is that the solicitation provision is making you aware of the requirements in the clauses. It doesn't always seem that straightforward. So when you sort of read through them, it can feel a little bit repetitive. But just like we talked about early on, the DFARS provision 252.204-7008 is making you aware of the requirements in DFARS clause 7012. Like we talked about previously, everything in DFARS provision 252.204-7019 is making you aware of the requirements in the corresponding clause, 7020. So that's the general way that these go together. But just to review very quickly, the DFARS Cyber series is a set of five solicitation provisions and contract clauses that govern cybersecurity requirements for defense contractors handling controlled unclassified information. So you've got the provision 7008, the clause 7012, the provision 7019, and the clause 7020. We also have DFARS 7009, which we have not gotten to yet, not often talked about, and eventually the CMMC program will add two more items to this list for a total of seven things. Our favorite number. It will be DFARS clause 252.204-7021 and a provision that we don't know the number of yet as of this conversation, but we should know towards the end of this year when the final CMMC clause rule, as we call it, is published.
B
And so would you say, kind of, if we wanted to sandwich them together, right, 7008 and 7012 are the ones that are telling you to implement things, and 7019 and 7020 are the ways that are going to validate that you have implemented those things, right?
A
Yeah, yeah, that's exactly right. That's probably the best way to kind of describe them at a high level. And we'll get into how the DoD describes that position from the rule that was published in 2020. But just very, very quickly, at the highest possible level here: the DFARS clause 252.204-7020 applies to contractor information systems that are subject to NIST SP 800-171 requirements pursuant to DFARS clause 252.204-7012, which is why we're sort of doing these in a sequence. The provision 7008 said, hey, you're going to bid on this work and then it's going to come with this clause 7012. So be aware that you have requirements. The clause 7012, as we talked about in that episode, says, hey, when you handle this specific type of data, you've got all these cybersecurity obligations that you have to meet. You know, implementing NIST SP 800-171, using FedRAMP Moderate equivalent or better, flowing it down to subcontractors, on and on and on. And then you've got 7019 saying, hey, you also have obligations for making sure that you conduct a basic self-assessment, calculate a score according to our methods, upload that score, and make yourself and your facilities available to us. Because that's what 7020 is going to tell you. 7020 tells you that. And then you've got the CMMC clause and provision that are going to say, hey, you need to go out and get an external auditor to actually validate that these scores are correct, and so on and so forth. Everything revolves around whether or not DFARS 7012 applies to you. 7019, 7020, 7021 and so on all orbit around proving that you have actually implemented and complied with DFARS 7012.
B
And it depends on if 7012 applies to you. But if you work in the DIB, 7012 applies to you, right? Like essentially, yeah, yeah.
A
Now if you can get 7012 to not apply to you, then all the rest of this stuff does not apply to you. But that's few and far between. Takes a lot of work. It's not guaranteed. And so here we're just going to go ahead and push the button and say 7012 is going to apply to you. And in that case, these are all the things that you need to know about the other provisions and clauses. Okay, so some quick background, big-picture context here for everybody. So DFARS 7008 and 7012 were revised in 2016, almost 10 years ago, via the rulemaking process. They have been unchanged ever since. That's where this idea of "you've had these requirements in your contracts all along" comes from. DFARS 7019, 7020 and the original version of 7021 were created in November of 2020, so four years after 7008 and 7012 were in place, when the DoD issued an interim final rule called Assessing Contractor Implementation of Cybersecurity Requirements. So: cybersecurity requirements in 2016, and four years later we got a rule about assessing contractor implementation of cyber requirements. So why did the DoD issue this rule in 2020? In their own words, DFARS clause 252.204-7012 does not provide for DoD verification of a contractor's implementation of basic safeguarding requirements specified in the clause 7012 prior to contract award. And as we know from the history, the DoD got screwed, right? There were massive compromises to the supply chain for various DoD weapon systems, F-35, Sea Dragon, submarine-launched hypersonic missile, blah blah blah. Bunch of bad stuff happened. So they go on to say the objective of this rule in 2020. The objective of this rule is to provide the department with two things. One, the ability to assess contractor implementation of NIST SP 800-171 security requirements as required by DFARS 7012.
And two, assurances that DIB contractors can adequately protect sensitive unclassified information at a level commensurate with the risk, accounting for the information flowed down to subcontractors in a multi-tier supply chain. They want proof that you are doing the thing that you're attesting to doing via 7008 and 7012. And they want assurance that you are flowing these requirements down the supply chain as you flow their data down the supply chain. That's why they created that rule and 7020.
B
Doesn't seem to be an unreasonable ask. Like, they want it protected, right? We don't know how hard... We as the DoD are doing our things and giving you requirements as our contractors, as part of our supply chain that supplies to us. We're managing our supply chain and requiring security. We're just asking you to do the same. If they were managing that, don't you think the comments then would be, oh, they're too invasive into my business?
A
I mean, they said, hey, starting in 2016, we updated cyber requirements. When you handle our data, you've got these requirements. Good. Everybody said we're good. A couple years go by and the DoD said clearly we're not good, because a lot of bad stuff is happening. So here's a rule that says, please prove to us that you're doing the thing that you said that you're doing, that we also technically paid you for. And then all hell broke loose. And now here we are five years later, still talking about proving that you're doing the thing that's in the contracts. But that's another story.
B
The crazy part is it was a four-year timeline before the rule came out that made them required to put their scores into the system. Right. Like there was this gap in between the two rules where they were like, you have to implement this. I think four years was an aggregate space of time for you to go and do what you need to do and then upload the score. This is disastrous.
A
And if anybody remembers circa 2018, back in the day. Gather round, kids. Back in 2018, the DoD was giving a presentation and they were asked from the audience, there's no mechanism here to prove that anyone's implementing. Are you sure about that? And the DoD said we will not require external verification unless it's absolutely necessary. Then two short years later we were in an interim final rule and CMMC was born. Anyways, back to what the rule says about summarizing this clause. The rule from 2020 says that DFARS clause 252.204-7020 notifies contractors of two things. One, that the DoD reserves the right to conduct a higher-level assessment of the contractor's cybersecurity compliance. And two, contractors must give DoD assessors full access to their facilities, systems and personnel. They go on to say that DFARS 7020, quote, complements DFARS clause 7012 flowdown requirements by holding contractors responsible for confirming that their subcontractors have SPRS scores on file prior to awarding them contracts. Prior to you awarding a contract to your subs, you need to verify that they have a score in SPRS. Do not send our data down to people who have not implemented these requirements.
B
Jacob, do you think that in the case where, you know, obviously there was an implementation of requirements required. Right. And terrible wording there. But then when there was a...
A
No.
B
When the DoD started noticing that there were issues happening.
A
Right.
B
There was obviously a lack of cybersecurity. Do you think that there was increased heat on the prime contractors at that point in time to flow it down or was it just like we gave you the ability to do this? Now there's this thing where we're going to have to have some accountability, some sort of system, some sort of validation.
A
I guess, you know, it depends, right. The major mega super primes, I mean, do they feel, did they ever really feel any kind of heat at all when they're that big? I don't know. In the FY20 NDAA Senate Armed Services Committee report that attaches to that piece of legislation, there's their specific rationale for section 1648, which created the CMMC framework. So this is the statutory basis that Congress created that said, go create a framework. In that report they said that the committee is concerned that prime contractors are not flowing these requirements down to their subs, and that the committee wants the prime contractors to be held accountable for the compliance or non-compliance of their supply chain. So these days I don't think a lot of people remember that the Senate Armed Services Committee said that. So did they ever feel the heat? I don't know. Was there heat? Is there heat? Yes, I guess it's a little bit relative at that point.
B
Yeah. I think it was just identified that the supply chain, the lower tiers of supply chain were the weakest links and something had to be done about it. And nothing was being done about it.
A
Yeah, yeah, absolutely. Okay, so let's just talk about the clause briefly. We don't have to go line by line through it because everybody gets the general concept. And because you watched the 7019 episode, you're already aware of what the clause requires of you. So just very briefly, all the clauses start with definitions. We talked about this in the 7019 episode. But the idea of a basic, medium and high assessment comes from this 7019/7020 provision-and-clause setup. So a basic assessment is you conducting a self-assessment via the methods in SP 800-171A, by the way. You calculate a score according to the weightings that are described in the DoD Assessment Methodology, the DoDAM, and you post those scores to the Supplier Performance Risk System, also known as SPRS, so that your government customers can see your summary-level score, and then you're qualified to be awarded a contract. There's no minimum requirement for what the score needs to be. Although we've heard anecdotal evidence over the years, especially recently, that different customers will say your score is too low and we need it to be higher. That's their own prerogative. There is no policy that says it has to be a certain score at all. And because this is basically just self-attestation with more steps, because you're doing a self-assessment and that essentially has very low assurance, these are known as low-confidence assessments. Then you've got the medium and high assessments. These are still assessments that are being done against the same system and the same requirements. These are being conducted by the government rather than by you. The medium assessment is a review of your basic assessment results and your documentation. It's probably going to have a lot to do with your SSP, your system security plan. The government posts the results of that assessment to SPRS, resulting in medium confidence.
These are pretty rare, mostly just because the PMO and the program offices don't have a lot of bandwidth for stuff like this. However, high assessments, while still rare, are much more impactful. So these are full-blown in-person assessments conducted by the DoD's DIBCAC auditing team, also in accordance with 800-171A. They calculate a score in accordance with the DoDAM weighting methodology. And the government, like the medium assessment, posts the results of these assessments in SPRS themselves. This results in a high-confidence assessment, otherwise known as a DIBCAC High assessment. As we talked about in the past, if you've had a DIBCAC High assessment, it's a pretty good indicator that you're on the short list for CMMC Level 3. So be prepared for that. That's kind of one of the indicators that we've heard, the only indicator that we've heard.
B
Speaking of indicators, what would be an indicator for a company to think that my basic self-assessment could turn into a medium or a high?
A
Well, apparently with the mediums you just get a phone call, and with the highs you basically get a phone call. From what I've heard, people get an email or a phone call that says, hey, we're going to be there in...
B
A week. But is there a way for me to know that I'm going to be one of those people that's going to get a phone call?
A
Not as far as I know. And just, you know, if you're working on super duper cool stuff that the department is especially interested in, you know, you may not have heard from them before and then you will in the future. It's not like it's going to be explained in your contract, "you will receive a high assessment." Remember, part of the 7020 clause, like they described earlier, is the DoD via the language in this clause is reserving the right to show up and assess you whenever they want to. And you have to provide them access to the relevant systems, personnel and so on and so forth under your covered contractor information system, which is a definition we talked about a couple episodes ago in this series. Okay, so something to note about all of these assessments, and this is the part that is hooking people right now, that they're getting caught up on, that they ignored: for all of these assessments, whether you're running them or the government is running them, part of the SPRS entry is the date that all requirements are expected to be implemented. You know, the date that you're expected to achieve a perfect 110 score, based on information gathered from plans of action developed in accordance with NIST SP 800-171. So we've heard two different versions of this story. One, we've heard versions of people who upload their self-assessment score and they say we're going to be done by the end of the year. This was back in 2022. They forget all about it. They're doing their thing. They come up for contract, you know, renewal or extension or whatever, and the customer goes, hey, your SPRS score was 50 a couple years ago. You said that you'd be 110 by the end of that year. Could you please update your score and provide us with the proof that you've done it? Oh my God. And then all hell breaks loose. You know, we've received panicked DMs about this sort of exact situation.
The other version of the story that we've heard is that people calculated their score and, for their POAM date, they put in the year 2100 or 2900 or 3600 or something like that, which the DoD can clearly see you doing. So don't do that, because that's a very good way to get DIBCAC to knock on your door and be like, hey, we'd like to look around, because you're clearly not taking this seriously. So be honest with the POAM closeout dates. There is no specific requirement as of right now for when those POAMs must be closed out or what the minimum score needs to be. But if you put in a date and you extend past that date and you don't update the score, it will eventually come back to bite you.
B
The new wrinkle to those scenarios which you mentioned is the incremental improvement of the SPRS score just to show that we're paying kind of attention here. But the POAMs never decrease. And you'll enter a 2025 score with POAMs that were supposed to be closed in 2023. Kind of similar to what you said. POAM closure date: score went up, that control satisfied, but you didn't close the POAM. Absolutely crazy. You're just winging it at some points. And realistically now, especially now, it never should have been a good idea. I think especially now, it's a terrible idea.
A
Yeah. Yep. Not good. Okay, so that's just the definitions paragraph. We've got a couple other ones in the clause to cover, very quickly. Paragraph B is applicability, just like we talked about before. The clause 7020 applies to the covered contractor information systems that are required to comply with NIST SP 800-171 requirements pursuant to DFARS clause 252.204-7012. So if you've watched the episode on 7008 and 7012, this sentence on applicability makes total sense to you. If you're reading this clause for the first time in the solicitation, you don't know what 7012 is. You don't know what 171 is. You don't know what any of this stuff is. You're like, they're speaking Greek, man. I don't know what they're talking about. Once you know what these things are and how they work, then this sentence is pretty straightforward. Okay, Paragraph C is called requirements. It says the contractor shall provide access to its facilities, systems and personnel necessary for the government to conduct a medium or high NIST SP 800-171 DoD assessment. Pretty straightforward. Below that, under procedures, is what they call paragraph D. They say that summary-level scores for all assessments will be posted in the Supplier Performance Risk System to provide DoD components visibility into the summary-level scores of these strategic assessments. You've got to conduct a basic assessment and upload that score. You've got to make yourself, your systems and your people available if the DoD decides they want to show up and conduct a medium or high assessment. All of these results will go into SPRS. All of them need to be in there prior to contract award, and then thereafter, you know, according to what the DoD decides to do. Those are the terms of 7020. Okay, so paragraph E, just wrapping up the end of the clause here, is called rebuttals.
This says that the DoD will provide medium and high summary scores to the contractor, as you know, for the contractor to rebut what their findings are, and that upon completion of the... It's a word. Rebut is a word. Look it up, everybody. I see your face. Rebut is a word. Upon completion of the assessment, the contractor has 14 business days to provide additional information to demonstrate that they meet any of the security requirements not observed by the assessment, or to rebut the findings that may be of question. Thank you very much, DFARS 7020, for pulling out the win there. So you have the ability to respond to their findings, depending on when they conduct the assessment. Paragraph F is the standard boilerplate that says when they're handling your data they're going to protect it. Imagine that, somebody handling somebody else's data, they're obligated to protect that data. You know what I'm saying? Anyways, that brings us to the end of the clause and one of the most important parts of all of these clauses and basically why we're all here in the first place. Paragraph G, subcontracts. Two parts here. One: the contractor shall insert the substance of this clause, including this paragraph, paragraph G, in all subcontracts and other contractual instruments, including subcontracts for the acquisition of commercial products and commercial services. Part two: the contractor shall not award a subcontract or other contractual instrument that is subject to the implementation of NIST SP 800-171 security requirements in accordance with DFARS 7012 unless the subcontractor has completed, within the last three years, at least a basic self-assessment on all covered contractor information systems relevant to this offer. This is the magic of flowdown, because the DoD doesn't know where you're sending their data. They don't even have privity of contract with the people on the other side of the primes.
And so as a result they have to use these mechanisms, these flowdown mechanisms, that say, here's all the stuff we obligate of you when you are handling our data. If you're going to send our data into the supply chain, we are obligating you to send these requirements with our data into the supply chain. And this is why you could be many tiers down in the supply chain and, if the data gets to you, theoretically 7008, 7012, 7019, 7020 and eventually CMMC will also be flowing down to you. They put these flowdown paragraphs at the very end, but they're some of the most important, so don't skip them.
B
And just make sure that you understand the fact that the DoD does not control how your prime flows it down to you, whether or not they are going to or not. They're just saying that they have the ability to and that they should in certain situations. And the situations that they should not, according to this, doesn't mean they will not.
A
Yeah, exactly. And they might do it preemptively before they even know if you're going to get the data, because they want to mitigate their own risk, which is also up to them and up to you. It's between you guys and your contract that you're negotiating. And if you're too small to negotiate, that's also still not the DoD's problem. Their problem is that their data is involved in this conversation, and that's the part that they care about the most. Okay, that's DFARS 7020. So at this point we've covered 7008 and 7012, the core that everything else orbits around. And we've covered the first half of the 2020 rule that everybody knows as creating the CMMC program, but really also created the DoD Assessment Methodology program, the provision 7019 and the clause 7020. So we're going to continue this series by talking about DFARS 7009, which most people don't know about. It's interesting, it's relevant. Doesn't really come up a lot. We're also going to talk about the DFARS clause 7021 and the corresponding provision, which are soon to be updated and revised under the banner of CMMC 2.0, depending on how long you've been around. We've been waiting on that 48 CFR final rule to give us the final versions of that clause and that provision that will show up in contracts sometime towards the end of 2025. Okay, so there you go. This is the 101 series. Let us know what you think. We've had a lot of great feedback so far on what's been going on. But if we missed anything, if you have questions, let us know in chat, let us know in the comments, and then we'll see you next week.
B
See you next week, Sam.
Episode Title: What is DFARS 7020?
Date: July 3, 2025
Host: Summit 7
Focus: An in-depth breakdown of DFARS 252.204-7020 and its role in the Department of Defense (DoD) cybersecurity compliance ecosystem for defense contractors.
This episode is part of the “Back to Basics” series, delving into the DFARS (Defense Federal Acquisition Regulation Supplement) Cyber series—specifically, DFARS 252.204-7020, which outlines DoD Assessment Requirements for defense contractors. The hosts clarify how 7020 fits alongside other DFARS clauses, explain how it’s enforced, highlight why it’s critical for contractors in the Defense Industrial Base (DIB), and provide actionable insight into assessment processes and flowdown requirements for subcontractors.
“The DFARS clause 252.204-7020 applies to contractor information systems that are subject to NIST SP 800-171 requirements pursuant to DFARS clause 252.204-7012…”
—A, [02:57]
“…7008 and 7012 are the ones that are telling you to implement things, and 7019 and 7020 are the ways that are going to validate that you have implemented those things, right?”
—B, [02:41]
“Yeah, that’s exactly right. That’s probably the best way to kind of describe them at a high level.”
—A, [02:57]
“DFARS clause 252.204-7012 does not provide for DoD verification of a contractor’s implementation...prior to contract award. And as we know from the history, the DoD got screwed, right? There were massive compromises…”
—A, [04:54]
Basic Assessment ("low confidence")
Medium Assessment ("medium confidence")
High Assessment ("high confidence"/DIBCAC High)
“A basic assessment is you conducting a self-assessment via the methods in SP 800-171A...and you post those scores to the Supplier Performance Risk System…”
—A, [12:06]
“Apparently with the mediums you just get a phone call and with the highs you basically get a phone call…”
—A, [15:00]
“…if you put in a date and you extend past that date and you don’t update the score, it will eventually come back to bite you.”
—A, [15:14]
“POAM closure date: score went up, that control satisfied, but you didn’t close the POAM. Absolutely crazy. You’re just winging it...”
—B, [17:55]
“This is the magic of flowdown ... as a result they have to use these mechanisms…if you’re going to send our data into the supply chain, we are obligating you to send these requirements with our data into the supply chain.”
—A, [21:24]
“They might do it preemptively before they even know if you’re going to get the data. Because they want to mitigate their own risk, which is also up to them and up to you.”
—A, [23:23]
Feedback and questions welcomed—contact the Summit 7 team via chat or comments.