DoctorMac

Stacy Bostjanick, CMMC Director, at CMMC Day

DoctorMac

We have a full house. "We are continuing the mission. For my team it is Groundhog Day." "We are going into the rulemaking. Really can only say check the FRN."

DoctorMac

@DoctorMac Stacy begins with an overview of the rulemaking change and how we returned to 171 because everyone is already familiar with it and should be doing it anyway.

DoctorMac

Stacy talks about the annual affirmation for Level One. Says it is just 15 things. It is really 59 requirements.

Then discusses prioritized and non-prioritized CUI for Level 2.

Every company that does a Level Three has a Level Two from a third party.

DoctorMac

All Level 1 can be POAM'd. You can waive FIPS as part of a POAM if you have 3 out of 5 points. You get 180 days to close the POAM. If the POAM is still open when the contract starts after 180 days, a KO can penalize.

The waiver is for companies that do something so unique no other company is doing it or thinking about CMMC. The awardee will have 180 days to start CMMC.

(FYI I can't get a server in 180 days)

DoctorMac

We are currently looking at using C3PAOs for DIBCAC-High assessments. We will start with everyone doing the self-assessment and affirmation. Our intent is they get three years.

DoctorMac

'Bout time someone talked about disaggregation... using the bolts example... too bad they get the entire tactical guide.

Uses the welder story... the welder needs the whole package because of overlapping practices.

They tabletop showed a prime can be a two but I am a three.

DoctorMac

Stacy confirms that if you do an early assessment and 171 Rev 3 comes out, you can live under three years of 171 Rev 2.

DoctorMac

@DoctorMac Stacy says we could look at the False Claims Act for the self-attestation. Yet I believe rulemaking has to finish. There is no requirement for an SSP and POAM for FAR.

DoctorMac

Matt Titcombe asks about the scoping guide and CRMA, which aren't supposed to have CUI but could, and are in scope for 109 of 110 controls if you manage the risk of these assets.

DoctorMac

A person asks what we do with the subs who do not have a relationship with the government.

Stacy again brings up disaggregation. So glad to hear the conversation.

Closes with: zero trust is coming (for our boundary-based security requirements).
