CMMC Connect Podcast & FAQs

Looking for detailed insights on the latest CMMC updates and best practices?  

Listen to our CMMC Connect podcast replays to hear our experts dive deep into the most pressing questions from each session. 

Prefer a quick read? You can find concise summaries of key questions and answers below the podcast link.

December 2024

Who needs to get certified at each level? What are the best practice approaches and rough timelines for achieving each level?
  • Level 1: A self-assessment for organizations that handle only Federal Contract Information (FCI), i.e. contracts without DFARS 252.204-7012.
  • Level 2: Required wherever Controlled Unclassified Information (CUI) is handled; most contracts carrying DFARS 252.204-7012 will call for a Level 2 certification.
  • Level 3: Still unknown. It is a DIBCAC-led assessment and will most likely arrive as a flow-down requirement from your prime or through direct DoD involvement.
How can companies balance compliance needs with programs that go beyond cert requirements?
  • Use cloud services whose security controls you can inherit.
  • Minimize the CUI scope to simplify management and keep costs down.
  • Consider having internal staff trained as CCPs to maintain compliance over the long term.
I want to take CCP/CCA courses...

Awesome! 

  • Courses must be taken through Licensed Training Providers (LTPs) listed on the Cyber AB website.
  • CCP is a prerequisite for CCA certification.
  • Organizations should consider training at least one or two staff members as CCPs for foundational CMMC knowledge.
I'm having issues wrapping my head around the purpose of scoring...

…If a 1-point control isn’t met, you POA&M it, correct it, and re-assess. If a 3 or 5-point control isn’t met, the audit is over (FAIL). I could see scoring the 1-pointers…in other words, if you have too many 1-pointers not met, then they should probably fail you. But why the 3 and 5-points…why score them at all?

 

  • 3-point and 5-point requirements are pass/fail: unlike 1-point requirements they cannot be deferred to a POA&M (the rule names only a few specific exceptions).
  • The score counts down from a 110-point maximum, with each requirement worth 1, 3 or 5 points, but a missed 3- or 5-point requirement fails the assessment regardless of the total.
  • These rules ensure readiness but can increase costs and delays.
What percentage of control compliance is enough to POA&M and keep operations going?
  • Conditional Level 2 certification requires a minimum score of 88 out of 110 (80%); the open items go on a POA&M that must be closed out within 180 days.
  • A few specific requirements are exceptions to the "1-point only" POA&M rule; listen to the podcast episode for more detail!
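The arithmetic behind the two answers above, as an added example that is not from the podcast or from Redspin: a small Python scorer that applies the DoD Assessment Methodology's 1/3/5-point deductions, the two partial-credit cases (MFA, IA.L2-3.5.3, and FIPS-validated encryption, SC.L2-3.13.11), and the 88-point / no-3-or-5-point-POA&M test. The point-value table is a constructed subset of the 110 requirements, and the POA&M exception set is left empty because this page does not enumerate it; fill both from the DoD Assessment Methodology and the CMMC rule before relying on the output.

```python
from typing import Dict, List, Set

TOTAL_REQUIREMENTS = 110
MIN_CONDITIONAL_SCORE = 88  # 80% of 110, the bar the FAQ cites
POAM_WINDOW_DAYS = 180      # time allowed to close a conditional certification's POA&M

# Constructed subset of the 110 point values (the real table is in the
# DoD NIST SP 800-171 Assessment Methodology); extend it to all 110 in use.
POINT_VALUES: Dict[str, int] = {
    "3.1.1": 5, "3.1.2": 5, "3.1.20": 1, "3.1.22": 1, "3.3.1": 5,
    "3.5.3": 5, "3.5.7": 1, "3.13.11": 5, "3.14.1": 5,
}

# The only two requirements with a reduced deduction in the methodology:
# MFA in place for remote/privileged but not general users, and encryption
# in place but not FIPS-validated, each cost 3 points instead of 5.
PARTIAL_CREDIT_DEDUCTION: Dict[str, int] = {"3.5.3": 3, "3.13.11": 3}

# Requirements the rule allows on a POA&M despite a value above 1.
# Left empty as an assumption: the FAQ only says "a few specific controls";
# fill this from the CMMC rule text before relying on it.
POAM_EXCEPTIONS: Set[str] = set()

VALID_STATUS = {"met", "not_met", "partial"}


def deduction_for(req: str, status: str) -> int:
    """Points subtracted for one requirement given its assessed status."""
    if status not in VALID_STATUS:
        raise ValueError(f"{req}: unknown status {status!r}")
    if req not in POINT_VALUES:
        raise KeyError(f"{req}: not in the point-value table")
    if status == "met":
        return 0
    if status == "partial":
        if req not in PARTIAL_CREDIT_DEDUCTION:
            raise ValueError(f"{req}: partial credit is only defined for "
                             f"{sorted(PARTIAL_CREDIT_DEDUCTION)}")
        return PARTIAL_CREDIT_DEDUCTION[req]
    return POINT_VALUES[req]


def evaluate(findings: Dict[str, str]) -> dict:
    """Score an assessment and decide final / conditional / fail.

    `findings` maps requirement id -> status; any requirement absent from the
    mapping is treated as met. Returns the SPRS-style score, the items that
    may sit on a POA&M, and the items that block certification outright.
    """
    score = TOTAL_REQUIREMENTS
    poam: List[str] = []
    blockers: List[str] = []
    for req, status in sorted(findings.items()):
        lost = deduction_for(req, status)
        if lost == 0:
            continue
        score -= lost
        # Only 1-point deductions (or listed exceptions) may be deferred.
        if lost > 1 and req not in POAM_EXCEPTIONS:
            blockers.append(f"{req} ({lost} points) cannot be on a POA&M")
        else:
            poam.append(req)
    if score < MIN_CONDITIONAL_SCORE:
        blockers.append(f"score {score} is below {MIN_CONDITIONAL_SCORE}")
    if blockers:
        outcome = "fail"
    elif poam:
        outcome = "conditional"  # POA&M items due within POAM_WINDOW_DAYS
    else:
        outcome = "final"
    return {"score": score, "status": outcome, "poam": poam, "blockers": blockers}


if __name__ == "__main__":
    # Constructed sample: MFA only for remote/privileged users, one 1-pointer open.
    print(evaluate({"3.5.3": "partial", "3.1.20": "not_met"}))
```

The sample run shows the point of the original question: the open 1-point item is deferrable, but the partial MFA implementation still costs 3 points and by itself turns the result into a fail, even though the score (106) is well above 88.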
Phone system compliance, does it have to be FIPS or NIST compliant? Is Kaseya EDR/RMM compliant?
  • A phone system is in scope, and must protect CUI with FIPS-validated cryptography, only if it processes, stores, or transmits CUI; a system that never handles CUI falls outside the CUI boundary.
  • For tools like Kaseya EDR/RMM, compliance depends on vendor-provided evidence (e.g., FedRAMP Moderate equivalency or documentation of the controls the vendor implements on your behalf).
What makes a good artifact?
  • Artifacts should be:
    1. Clearly labeled, including control numbers and relevant details.
    2. Clean and easy to review without unnecessary information.
    3. Relevant and consistent with organizational policies.
  • Avoid submitting unrelated or outdated evidence.
What is the process for JSVAP participants receiving CMMC certification?
  • Certificates are issued via eMASS starting January 2, 2025, depending on whether DoD or C3PAOs upload the assessment data.
CMMC and FedRAMP: how do they relate?
  • FedRAMP: Validates external service providers for secure DoD data handling.
  • CMMC: Focuses on internal organizational security for handling DoD information.
  • Both emphasize compliance but address different parts of the supply chain.

November 2024

What are the CMMC boundary considerations when you have separate systems/environments for Level 1 and Level 2, i.e., MS GCC High for Level 2 and MS Commercial for Level 1? Talk about cloud-based ERP vendor compliance.

For separate environments like MS GCC High (Level 2) and MS Commercial (Level 1), boundaries depend on what the system stores, processes, or transmits (CUI or FCI). Start with identifying assets related to CUI and define the boundary, often at a firewall or demarcation point. Consider external service providers (CSPs, MSPs) as part of your scoping efforts.

Talk about defining assets and scoping guidance. Mainly, how would I determine the difference between a security protection asset and a specialized asset?

Security Protection Assets provide security functions or capabilities to the CUI environment (a SIEM, a vulnerability scanner, an MFA service) and are assessed against the requirements relevant to the capability they provide. Specialized Assets (government-furnished equipment, IoT, operational technology such as isolated machinery, restricted information systems, test equipment) may not be able to meet every requirement; they must be listed in the asset inventory and SSP with their usage and access limitations and managed under risk-based policies. Document them clearly and isolate them where you can.

How do I get hold of the latest CAP version? It's not on CyberAB today (Nov. 14th, I might have it by the time this call starts).

The latest CAP (version 5.6.1) was only available through CCA training. A new version compliant with 32 CFR is in the final stages of review and should be available before December 16, 2024.

As an MSP with no DoD clients, how can we best prepare for Level 2 compliance? Yes, we know we don't have to, but we would like to be. Is building an enclave the best route for a small MSP and allow that to be the scope for the 3rd party assessment?

Building an enclave can simplify scope, but tools like ticketing systems might expand the scope. Engage with a C3PAO to align your scope with compliance needs and consider whether a full or partial enclave is best.

Talk about the basic mechanics of how we can make the life of an auditor easy, i.e., organization of the SSP, pictures, graphs, artifacts...

Organize your SSP around the 14 domains and 110 controls, linking evidence clearly to objectives. Include clear diagrams (network and data flow) and avoid unnecessary navigation between documents. Naming conventions and access to linked evidence help assessors.

Talk about approaches to handling endpoints that are on unsupported operating systems running proprietary software or specific software versions that are not supported in newer operating systems.

Isolate such systems on their own VLAN with firewall rules that allow only the flows they need, restrict who can reach them, and apply zero-trust principles (no implicit trust from being on the internal network). Document them as specialized assets, address the residual risk in the risk assessment, and record compensating controls such as segmentation, hardened configurations, and enhanced monitoring.

Is MFA required for WiFi access as part of CMMC compliance?

MFA is not required for Wi-Fi access itself; the MFA requirement (IA.L2-3.5.3) applies to network access to user accounts and is enforced at logon whatever the medium. Wireless access does have its own requirements: authorize wireless connections before allowing them (AC.L2-3.1.16) and protect them with authentication and encryption (AC.L2-3.1.17). In practice that means WPA2 or WPA3 with AES-CCMP (never WEP or TKIP), preferably WPA2/WPA3-Enterprise with 802.1X rather than a shared passphrase, and, where CUI crosses the wireless link, encryption from a FIPS-validated module (SC.L2-3.13.11). Keep guest Wi-Fi isolated from internal networks.

What is the best way to prepare evidence and documents for a CMMC compliance audit to ensure a smoother process?

Use a structured folder system: organize by domain, then by control, and include evidence directly tied to objectives. Reference cross-domain evidence where applicable.
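As an added example (not from the podcast or from Redspin), a Python script that checks a repository laid out that way against all 110 NIST SP 800-171 Rev 2 requirements and reports what an assessor notices first: requirements with no artifact, files whose names carry no requirement ID, files filed under the wrong requirement, and artifacts older than a freshness threshold. The directory layout (family/requirement/file), the naming convention (the 3.x.y ID somewhere in the file name), the 365-day freshness threshold and the sample tree are all assumptions of the example.

```python
import os
import re
import tempfile
import time
from pathlib import Path
from typing import Dict, Optional

# NIST SP 800-171 Rev 2 families as (abbreviation, 3.x number, requirement count).
# Requirement ids run 3.x.1 .. 3.x.N without gaps; the counts sum to 110.
FAMILIES = [
    ("AC", 1, 22), ("AT", 2, 3), ("AU", 3, 9), ("CM", 4, 9), ("IA", 5, 11),
    ("IR", 6, 3), ("MA", 7, 6), ("MP", 8, 9), ("PS", 9, 2), ("PE", 10, 6),
    ("RA", 11, 3), ("CA", 12, 4), ("SC", 13, 16), ("SI", 14, 7),
]
REQ_ID = re.compile(r"\b3\.\d{1,2}\.\d{1,2}\b")  # matches ids like 3.1.1 or 3.13.11
DAY = 86400


def all_requirements() -> Dict[str, str]:
    """Requirement id -> family abbreviation for all 110 Level 2 requirements."""
    return {f"3.{num}.{i}": fam
            for fam, num, count in FAMILIES for i in range(1, count + 1)}


def check_evidence(root: str, max_age_days: int = 365,
                   now: Optional[float] = None) -> dict:
    """Walk <root>/<family>/<requirement>/ and report gaps an assessor would spot.

    missing   - requirements with no artifact folder, or an empty one
    unlabeled - files whose name carries no 3.x.y requirement id
    misfiled  - files labeled with a different requirement than their folder
    stale     - files not modified within max_age_days
    """
    base = Path(root)
    now = time.time() if now is None else now
    report = {"covered": 0, "missing": [], "unlabeled": [], "misfiled": [], "stale": []}
    for req, fam in all_requirements().items():
        folder = base / fam / req
        files = [p for p in folder.iterdir() if p.is_file()] if folder.is_dir() else []
        if not files:
            report["missing"].append(req)
            continue
        report["covered"] += 1
        for path in files:
            rel = path.relative_to(base).as_posix()
            ids = REQ_ID.findall(path.name)
            if not ids:
                report["unlabeled"].append(rel)
            elif req not in ids:
                report["misfiled"].append(rel)
            if (now - path.stat().st_mtime) / DAY > max_age_days:
                report["stale"].append(rel)
    return report


def build_sample_repo(root: str) -> None:
    """Constructed sample tree (not real evidence) exercising each finding type."""
    base = Path(root)
    fresh = time.time()
    stale = fresh - 500 * DAY
    samples = [
        ("AC/3.1.1/AC-3.1.1-access-control-policy.txt", fresh),  # labeled, current
        ("AC/3.1.1/screenshot.png", fresh),                       # no requirement id
        ("AC/3.1.2/AC-3.1.1-ad-group-export.csv", fresh),         # wrong folder
        ("IA/3.5.3/IA-3.5.3-mfa-config.txt", stale),              # outdated artifact
    ]
    for rel, mtime in samples:
        path = base / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("sample artifact\n")
        os.utime(path, (mtime, mtime))


def demo() -> dict:
    """Build the sample repository in a temp dir and return its report."""
    root = tempfile.mkdtemp(prefix="cmmc-evidence-")
    build_sample_repo(root)
    return check_evidence(root)


if __name__ == "__main__":
    result = demo()
    print(f"{result['covered']}/110 requirements have at least one artifact")
    for kind in ("unlabeled", "misfiled", "stale"):
        for rel in result[kind]:
            print(f"{kind:9} {rel}")
```

Point `check_evidence()` at your real repository instead of `demo()`; the stale threshold is the knob to tune to your own artifact-refresh cadence, and the missing list doubles as a readiness checklist.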

Mapping to CMMC Level 3: looking for a matrixed table that shows all controls and their linked relationships.

No official matrix exists yet. Start with NIST 800-172 requirements (Level 3). Use a workbook to map controls and objectives.

October 2024

What is your best guess on when the effective date for 48 CFR will be?

Based on updates, the 48 CFR rule is anticipated to become effective in late Q1 or early Q2 of 2025. The rule has cleared necessary review stages, indicating a probable start in spring 2025. This aligns with a typical phased rollout approach.

Can we wait until mid-2026 to get certified without risking a C3PAO assessment not happening and preventing a prime contract win?

It’s risky to wait until mid-2026, especially if you’re both a prime and a subcontractor.

Prime contractors are likely to start pushing down certification requirements by 2025 to ensure they meet the phase two rollout. For companies operating exclusively as primes, it might be feasible to delay until late 2025, but it’s not without risk, especially with provisions allowing for early certification based on contract sensitivity.

 

Should we aim for Level 2 or Level 3? What is the "real" bar-raiser for Level 3?

Level 3 certification is generally expected for only the top 1% of contracts, often for high-stakes sectors like nuclear or classified operations.

If your company deals with highly sensitive DoD information or critical systems, preparing for Level 3 might be wise. Otherwise, Level 2 may suffice, but decisions should be contract-specific and guided by the contracting officer.

Do we need to label every document every user creates, including documents that don’t contain CUI? Is there certain language in the 7012 and 7021 clauses that help determine Basic vs. higher levels?

Defining CUI often depends on the contracting officer’s designation in each contract. Typically, only information directly tied to the contract’s sensitive parts needs to be marked. For practical purposes, when unsure, treat data as CUI and label it accordingly until further clarification is available. Specific terms in clauses 7012 and 7021 can clarify CUI expectations, with additional guidance available on the NARA website.

Definition and safeguarding of FCI data: What level of safeguarding is necessary for FCI information?

FCI (Federal Contract Information) generally includes contract and related documents, requiring Level 1 safeguarding. This scope is broader than CUI but only requires basic protections, not the full extent of CUI-level security measures. Treat FCI with essential safeguarding but without the rigorous controls required for CUI.

How do we handle building access for emergency responders (police, fire) if they are not authorized to view CUI?

Emergency responders are typically out of scope for CMMC requirements since they are not federal contractors. Therefore, no additional background checks are necessary. Treat emergency personnel as out-of-scope for CMMC assessments.

Suggestions on formatting an SSP and including helpful diagrams?

An SSP should clearly outline operational workflows, boundary controls, and CUI data flow. Including as much detail and as many diagrams as necessary will streamline the assessment process. Consider converting the final document into a PDF with diagrams to illustrate these elements clearly. Referencing assessment guides can provide specific content expectations.

Is CNC G-code considered CUI, especially in contexts where OT uses G-code?

The G-code itself isn't necessarily CUI. However, the specifications, drawings, or design inputs that inform the G-code may be CUI. Focus on securing the information used to generate the G-code rather than the G-code as such, and confirm the designation with your contracting officer when in doubt.

Can you discuss the quality of C3PAOs?

The quality of C3PAOs varies, so choose one that aligns with your company culture and has experience. Look for C3PAOs that have a strong background in CMMC, extensive knowledge of DIB requirements, and a collaborative approach to assessments.

 

Recommended solutions for DLP and O365 GCC High, and coversheets for CUI printing?

Options like YubiKey for multi-factor authentication, and DLP solutions that are available and supported in GCC High, can help secure O365. For printed CUI coversheets, follow the standard templates required by your contract or the DoD templates.

FedRAMP Equivalency: Why require CMMC equivalency with a federal authorization framework?

FedRAMP equivalency offers smaller cloud providers access to DoD contracts without full FedRAMP certification, which is resource-intensive. This approach maintains security while allowing more providers to support the defense industrial base without monopolizing the market.

Is CCP certification worth the investment?

Yes, the CCP certification can be highly beneficial, especially for at least one individual in every contractor organization pursuing a CMMC Level 2 certification. Not only does it assist with preparation for the certification, but it also equips that person to develop an ongoing compliance maintenance program. After achieving Level 2 certification, organizations enter a three-year recertification window where they must continuously archive evidence to demonstrate compliance. Having a CCP-certified individual on the team helps ensure readiness for this, as they can effectively manage the necessary compliance documentation and processes.

Are CMMC 2.0 flow downs relevant for COTS subcontractors?

Commercial off-the-shelf (COTS) items are generally not in scope unless specifically modified or configured for a federal contract.

As a small company with limited resources, how can we leverage available tools and resources efficiently?

Focus on scope reduction—store, process, and transfer CUI in a minimized infrastructure where feasible. Many requirements can be met through manual processes, especially for smaller organizations. Use free resources like DIBNet, assessment guides, and contract requirements to prioritize cost-effective solutions.

September 2024

Can you share an update on where CMMC is at, and where to start for organizations just beginning to look into becoming CMMC compliant?

The CMMC rule (32 CFR) has finished its review and is now in the prep stage for Congress to review. The public comment period for the related 48 CFR rule is still ongoing and closes on October 15th. Organizations new to CMMC compliance should immediately contact a C3PAO because many are already backlogged, and certification could be delayed until 2025. It’s important to reach out now to get on the schedule, even if you’re not ready for certification yet.

How many days to expect editing after close of Public Comments (48 CFR)? Last (32 CFR) was done in less than 60 days, [Christmas-Valentines] so could this rule be edited/published by Thanksgiving?

The editing period depends on the volume of public comments received, but past experiences show that highly technical rules can be edited in less than 60 days. It’s possible that this rule could be edited and published by Thanksgiving, depending on the comment volume.

Is MSFT 365 in Government Cloud enough to meet the security of CUI communications? Or, is there a unique configuration needed?

Microsoft 365 Government Cloud (GCC) has the foundation to meet or exceed CMMC requirements, but it must be properly configured and managed. Unique configurations may be needed depending on the client’s specific environment, technology usage, and how the tools are implemented.

Is there any way to make my Microsoft commercial cloud instance work to meet CMMC requirements? If not, how hard is it to lift and shift to Gov Cloud?

Technically, for CMMC Level 1, you may use Microsoft Commercial Cloud, but Microsoft strongly advises against using it for any government-related data. For CMMC Level 2 (involving CUI), you must move to Government Cloud. The complexity of lifting and shifting depends on the environment, data, and integrations involved, but it is generally doable.

What's the most common licensing tier needed in Gov Cloud for Microsoft and what are the services to get the mainstream security required by CMMC?

The most common licensing tiers are G5 or G3 with G5 security add-ons. The services needed vary by the client’s specific requirements and could include things like Azure virtual desktops or virtual servers, depending on how the company operates and manages CUI.

I have DFARS 252.204-7012 in a contract, but no CUI as part of that project or anywhere else. I do have FCI in the system. Does the 7012 requirement mean I should comply with Level 1?

If you have DFARS 252.204-7012 in your contract but no Controlled Unclassified Information (CUI), you may only need to comply with CMMC Level 1, which applies to the protection of Federal Contract Information (FCI). However, the presence of CUI in the future could change this requirement, so it’s crucial to assess your environment regularly and know the type of data you handle.

In performing CMMC assessment scoping, do you consider encrypted data as CUI data?

Encrypted data is still CUI unless it is specifically excluded or marked otherwise. Encryption is one of the protections assessors check (and it must come from FIPS-validated modules, SC.L2-3.13.11), but it does not change the data's designation: assessors will verify that the CUI is properly marked and handled and how the encryption is applied.

Controlling printed CUI material - especially for a construction company/Identifying CUI data flows

For a construction company, printed CUI material must be physically controlled. This includes limiting access, secure storage when not in use, and preventing unauthorized access.

For data flow, the organization must identify where CUI enters, is processed, and exits the system. Understanding these flows is critical for setting the scope of the assessment and ensuring proper protections.

Does an IT consultant fall into scope as a Security Protection Asset at Level 2 if they have admin privileges to a CUI network?

An IT consultant with admin privileges on the CUI network is in scope. The CMMC Level 2 Scoping Guide's examples of Security Protection Assets include people as well as technology (consultants who provide cybersecurity services, MSP personnel who perform system maintenance), so document the consultant and their access in the SSP and asset inventory. As a privileged user the consultant is also governed by the access control, identification and authentication, and audit requirements, so that only authorized, authenticated, and logged personnel administer systems that handle CUI.

Who bears the ultimate responsibility when, in a contract with a prime, it is not required that the supplier be CMMC Level 2 compliant, but the prime still shares CUI with the supplier by mistake, and that CUI is later compromised from the supplier's infrastructure?

If a prime contractor shares CUI with a supplier by mistake, which is then compromised from the supplier’s infrastructure, the incident must follow established incident response processes. This includes notifying the DoD within 72 hours and preserving relevant data for investigation. Responsibility ultimately lies with the party handling the data, but legal counsel should be consulted to clarify obligations.

Sub Processors and ensuring CMMC compliance across cloud services (Salesforce, O365, etc...)

For ensuring CMMC compliance with cloud services like Salesforce or O365, it’s essential to configure these services properly and confirm they meet FedRAMP Moderate or equivalent standards. A shared responsibility matrix should define which controls are handled by the cloud provider and which are the client’s responsibility. The correct configuration of the cloud services is vital to meeting CMMC requirements.

How is the Government reacting to the high cost to small businesses to prepare for and get assessed for CMMC compliance?

The government has taken steps to help small businesses by offering resources like Manufacturing Extension Partnership (MEP) centers, which provide training and support. Additionally, some compliance-related costs can be submitted as allowable costs under certain contracts. Small businesses are encouraged to use these free resources and work with reputable providers to minimize the burden of compliance.

August 2024

When are we able to get certified and when are we required to get certified (earliest possible contract requirement)?

When will subcontractors need to be fully (no POA&M) self-certified to receive awards of certain government contracts?

Certification can start once the rule is finalized, which is expected around September 2024. Joint surveillance assessments are anticipated to end at that time, allowing formal CMMC certifications to begin. Contractual requirements, enforced through 48 CFR, may start as early as March or April 2025, depending on the sensitivity of the contract.

Subcontractors may be required to be fully certified (with no Plans of Action & Milestones, or POA&Ms) by prime contractors as soon as CMMC goes live. Prime contractors can impose certification requirements on their subcontractors at any time once CMMC becomes mandatory, and it’s likely that primes will push to get their subcontractors certified before the DoD formally includes CMMC requirements in its contract. 

A common point of confusion is the difference between fiscal year and calendar year in government timelines. When the DoD refers to Q1 of 2025, they mean the fiscal year, which begins on October 1, 2024. This is often misinterpreted as the calendar year, but in reality, CMMC requirements could begin to appear in contracts as early as October 2024​. 

What is the current landscape for JSVAP?

Since everyone is expecting 32 CFR to be out in Oct. Will we be able to schedule a JSVAP in the time between 32 CFR being published and into effect?

As of August 2024, Joint Surveillance Assessments (JSVAPs) are still being scheduled through October 2024, with a major ecosystem stress test planned during the week of October 21-25, 2024. During this test, 30 assessments will take place. However, there is uncertainty about whether JSVAPs will continue after the CMMC rule (32 CFR) is finalized, which is expected to happen around September or October 2024​. 

Scheduling JSVAPs After 32 CFR is Published: Once the rule is published, it’s expected that CMMC certifications will begin, and JSVAs may no longer be conducted. Therefore, the opportunity to schedule a JSVAP between the publication of 32 CFR and when it goes into effect may be very limited. It’s recommended to schedule assessments as early as possible before the final rule is published, as the transition from JSVAPs to formal certifications is anticipated to happen quickly.

Costs to small businesses to become CMMC 2.0 certified?

How small businesses can get CMMC certification without breaking the bank.

The costs for CMMC certification will vary depending on the scope and complexity of the business’s environment. Factors like the number of locations and the scope of CUI data involved will influence the assessment cost. Small businesses can reduce costs by minimizing their CUI footprint.​

Can CMMC compliance be achieved in commercial cloud?

CMMC compliance in commercial cloud environments (e.g., Microsoft Commercial Cloud) may not meet certain requirements, particularly for more sensitive types of CUI data. It is recommended to use GCC or GCC High for environments dealing with CUI data with dissemination limitations.

Does Redspin have a solution to host small business for CUI and if so, how does that work?

Redspin offers cloud solutions and Managed Service Provider (MSP) services for CUI hosting. They do not host clients in their own enclave, but they can assist with consulting and help small businesses prepare for CMMC certification.

BYOD: Allowed as an in-scope asset as a view only (i.e., view-only to a secure cloud CUI enclave)?

If so, what would the specific control requirements be (e.g., administrative: AUP/owner security responsibility, technical via organization mdm, etc.)?

BYOD (Bring Your Own Device) can be allowed, but it requires strict controls, especially when accessing a secure cloud enclave. This includes controlling the flow of CUI data to devices and implementing encryption, audit logs, and strict security policies. VDI (Virtual Desktop Infrastructure) may also be a solution to restrict device capabilities. 

 

  • Administrative Controls:
    • Acceptable Use Policy (AUP): Establish and enforce an Acceptable Use Policy that clearly defines the security responsibilities of the device owner and what actions are permitted when accessing the CUI enclave.
    • Owner Security Responsibility: Device owners must be informed and held accountable for adhering to security protocols, including reporting any potential security incidents or device loss.
  • Technical Controls:
    • Mobile Device Management (MDM): Implement an organization-wide MDM solution to manage and secure BYOD devices. This ensures that security settings, such as encryption, password policies, and remote wipe capabilities, are enforced on all devices accessing CUI.
    • Virtual Desktop Infrastructure (VDI): Use VDI to limit the interaction between the device and the CUI. VDI allows for a virtual environment where the device acts only as an interface (keyboard and display) while keeping CUI securely within the cloud.
    • Encryption: Ensure all data transmitted to and from the device is encrypted, both at rest and in transit, to maintain the confidentiality of CUI.
    • Access Control: Implement role-based access controls (RBAC) to restrict access to CUI based on job function and ensure that only authorized personnel can view CUI.
    • Audit Logs: Continuously monitor and audit device usage logs to ensure no unauthorized actions are being taken and to maintain compliance with security requirements.
When does equipment need to be in FIPS mode and when does it not?

FIPS mode must be enabled wherever cryptography is used to protect the confidentiality of CUI (SC.L2-3.13.11), which means the module doing the encryption has to be FIPS 140-validated, not merely "FIPS-compliant" or "in process" on the CMVP list. Both FIPS 140-2 and FIPS 140-3 validated modules satisfy the requirement; equipment that never processes, stores, or transmits CUI does not need FIPS mode.

When is NIST going to make mobile application security part of the audit since so many of the DIB do business via mobile devices and hold data there?

While this is a growing concern, NIST writes SP 800-171, so mobile-specific requirements would enter the assessment only through a future revision of that standard and its adoption by the DoD. The issue has been raised, and organizations are encouraged to contact NIST directly for guidance via email to: cyber4R&D@NIST.gov. Note that mobile devices which store or access CUI are already in scope today under AC.L2-3.1.18 (control connection of mobile devices) and AC.L2-3.1.19 (encrypt CUI on mobile devices and platforms).

Difference between CMMC 2.0 and FedRAMP Moderate Equivalency Memo

CMMC 2.0 looks inward, focusing on how organizations protect their own environments and CUI data, while FedRAMP focuses outward on the authorization of cloud services to operate securely in external environments. FedRAMP uses NIST 800-53, while CMMC uses NIST 800-171.

What training and training certificates are mandatory for Level 1 and for Level 2?

For Level 1, general user training based on industry best practices is sufficient. For Level 2, organizations need more targeted training, including security and CUI-specific training for all employees, and role-based training for administrators and executives​.

How can we identify CUI or what is our obligation if they are not marked CUI?

If CUI is not marked, organizations should reach out to their contracting officers for clarification. In the meantime, it’s better to err on the side of caution and treat the data as CUI until confirmation is received​.

In Performing CMMC Assessment Scoping, do you consider encrypted data as CUI data?

Yes, encrypted data is still considered CUI, as encryption only protects the confidentiality of the data, not its classification​.

How much of the CMMC program is geared towards different types of data centers?

The CMMC program applies to all types of data centers, whether owned by the organization or a colocation. The primary concerns are physical protection and technical controls, such as cameras, badging systems, and access control.

How will this affect organizations that are in Partnership Intermediary Agreement with the government rather than a government contract?

Organizations under Partnership Intermediary Agreements should review their contracts to determine whether cybersecurity requirements like DFARS 7012 or NIST 800-171 apply. If these clauses are included, CMMC will likely be required.

What are appropriate tools for our CMMC program - the collecting of artifacts, creation of SSP, basically a file repository? Smartsheet, Teams, Apptega, SmarterD? What controls should be considered when making a decision for what to use?

There is no specific requirement for using particular tools to manage CMMC compliance. Organizations can use whatever tool works best for them as long as they meet control objectives and can document evidence of compliance. This can include tools like Smartsheet, Teams, or Apptega.

July 2024

Will FCI now be considered CUI and have to be treated as such, when a company in the DIB graduates from just being NIST 800-171 compliant, in order to achieve CMMC Level 2?

Thomas: FCI and CUI are two separate designations of data. When you’re going through CMMC Level 2, it doesn’t eliminate your Level 1 responsibilities because CMMC builds on the levels. For example, to achieve Level 3, you must first schedule and pass Level 2.

Level 1 focuses on FCI, and once all updates are made into SPRS, you will need to update those requirements annually. Is this documented? Absolutely. However, I can’t provide the document numbers off the top of my head, and Tara might be disappointed in me for that, but there are distinct regulations governing this.

In short, FCI will not become CUI, as they are different designations of data.

I had a C3PAO tell me that they will charge extra if we have any POA&Ms that they have to come back and re-evaluate. So, having POA&Ms is not really an option for us small companies with very limited funds and resources...

…Is that C3PAO operating normally by charging extra?

Tara: This situation highlights the importance of thoroughly reading your contracts with any prospective vendors providing CMMC assessment services. Here are some key questions you should be asking your C3PAO:

  • What happens if there is an item that needs to be placed on a POA&M, and someone has to come back in 180 days?
  • Is that covered by the outlined costs in the fee breakdown?

As an OSC, it’s not just your right but also your responsibility to clarify these things. At Redspin, we strive to be as transparent as possible with our fees, but it’s essential to understand these details with any C3PAO you work with. If a C3PAO demands a high fee to validate or close out a POA&M, you do have options. Under the CMMC assessment process, you can choose another C3PAO if you find their fees unreasonable. Often, other C3PAOs may offer more competitive pricing for such tasks.

How do we flow down CMMC requirements to subs who are not willing or able to invest as necessary to become compliant?

Jeremy: The simple answer is, you don’t. You either find new subcontractors or apply enough pressure for them to implement the necessary changes and become certified. If you’re flowing down DFARS 7012 requirements, your supply chain must comply with CMMC requirements, just like your team. They will need to get certified as well. If they refuse, you may need to find a new vendor to fill that role within your supply chain. I’ve encountered this issue frequently with clients, especially when dealing with MSPs. Some MSPs may say, “You’re our only DIB client, so we’re not going through CMMC just for you.” In such cases, clients have had to find new vendors to perform those services. Ultimately, CMMC compliance is a series of business decisions, and you might need to part ways with long-time partners if they’re not willing to participate in CMMC.

What are the best ways to vet suppliers to determine their capabilities of protecting CUI?

Jeremy: This question ties into the previous discussion on flow downs and supply chain management. Once the CMMC rule is live and assessments are in place, the easiest way to vet your suppliers will be to check if they are CMMC compliant. Until then, the tried-and-true method is using security questionnaires. While they may not be the highlight of our day, they serve a very valid purpose. If you have a supply chain of subcontractors to whom you’re flowing down DFARS 7012 requirements, it’s essential to have a vendor management program in place. Don’t just send out the questionnaires—ensure they get completed and returned. Review the answers thoroughly, and don’t hesitate to follow up with additional questions. For instance, if a supplier provides an answer that needs more detail, ask for clarification or their plans to improve on areas that don’t meet your standards. Until CMMC certifications are fully operational and easily trackable, these security questionnaires remain your best bet for vetting suppliers.

Is the CMMC rule going to incorporate portion marking?

Tara: So, I think portion marking is often misunderstood. Whenever you have a question about how to mark our documentation or any media, the best place to start is nara.gov. NARA, the National Archives and Records Administration, is the executive agent over the CUI program. They make all the rules and decisions regarding how to mark things. Now, about portion marking: it’s a way to further delineate types of CUI or other classified data within a document. It’s not required, though. You can choose to mark your entire document as CUI or whatever classification applies without using portion markings. However, if you decide to use portion markings, you need to do it consistently. This means marking each table, figure, drawing, and paragraph separately to show how each part should be handled. So, while portion marking isn’t mandatory, if you use it, you must apply it consistently throughout the document.

Will NIST provide an updated SSP template and SPRS calculation sheet for Rev. 3 of NIST SP 800-171?

Robert: Not at this time. NIST SP 800-171 Rev 3 will not be incorporated into the CMMC program for at least a year, likely until the end of next calendar year. This delay is due to the extensive updates needed. The rule and associated documents must first be realigned with NIST SP 800-171 Revision 2. As part of this transition, all the assessor training and documentation will need to be updated. There’s a lot to be done, so it won’t be happening soon. However, I believe Vicki and Ron from NIST are already working on a new document that can be used once the updated version becomes active within the CMMC program. But as of now, there’s nothing available for anyone to use.

What are the consequences of not doing CMMC?

Jeremy: If you have a CMMC requirement and choose not to pursue CMMC, the consequence is that you will no longer be eligible for DoD contracts. It’s a straightforward decision, but it involves more than it seems at first glance. CMMC compliance is a business decision. I’ve spoken to companies where DoD contracts make up a minimal part of their business, and they chose to let those contracts go instead of pursuing CMMC. On the other hand, for companies where DoD contracts are a significant portion of their business, it makes complete sense to pursue CMMC. Be aware that CMMC is not going away. It will become a contractual requirement for newly issued contracts, particularly Level 2 contracts involving CUI. These requirements will be part of Phase Two of the rollout. In Phase Three, CMMC requirements will be retroactively incorporated into multi-year contracts already in place. So, if you want to do business in the defense industrial base, CMMC compliance will be necessary. Opting out of CMMC means opting out of the DIB space entirely.

At what point could CUI not be considered CUI?

Thomas: The short answer is that it’s considered CUI until the executive agent says otherwise. The executive agent is the only one who can change the designation of CUI information. Now, will a single line still be considered CUI? The line itself, no, but in the context of the contract, if it was provided to you as CUI, it remains CUI until the executive agent changes it. If you encounter such a situation, you need to have a conversation with your contracting officer. However, keep in mind that the contracting officer or even the DoD may not be the executive agent. They might be working with other departments, like the Department of State or other branches within the DoD, and will need to seek clarification from the executive agent. CUI is a federal designation created to facilitate communication and information sharing between different federal agencies. This sometimes requires going not just up the chain within the DoD, but also laterally to other organizations.

References & Resources:
  • Jeremy referenced a hot take in July of folks asking for a quick, easy CMMC Implementation Strategy checklist. Well, we created one!
  • Tara referenced good practices to vet a C3PAO. Check out our “5 Time-Saving Tips for Evaluating an MSP, ESP, or C3PAO” white paper
  • Written by Tara, this collection of CMMC Assessment Interview Guides is packed with questions you/your team could be asked during an assessment (there are 14 individual guides, 1 for each of the 14 domains)
  • Tara shared an image in the chat: CMMC Asset Categories Overview
  • We’d love your feedback! Please fill out our CMMC Connect Follow-Up Survey

June 2024

What is your estimate of the 800-171 Revision 3 class deviation timeline...

How long will it last? Are we required to be compliant with NIST 800-171 Revision 3 for CMMC Level 2, once the CMMC rule is effective?

Currently, we will continue to follow Revision 2. The exact timeframe is uncertain at this moment. However, we are aware that there are changes between Revision 2 and Revision 3. For more details, please refer to the white paper linked here. We are not required to comply with NIST 800-171 Revision 3 for CMMC Level 2 at this time.

In performing CMMC assessment scoping, do you consider encrypted data as CUI data?

Yes. The data doesn’t change whether it is encrypted or not. CUI data remains CUI data regardless of its encryption state.

When will CMMC be finalized? Will it be required for non-DoD work, if so, what are targeted agencies and timeline?

The DoD has been aiming for the end of the fiscal year 2024 (September 30th, 2024) for CMMC finalization. As of today (July 1st), the DoD is adhering to this timeline, with the latest update indicating that all 32 CFR public comments have been adjudicated. The rule has now progressed back to OIRA/OMB. Will it be required for non-DoD work? We don’t know yet, but there are rumors that other agencies might adopt CMMC once it is finalized. We are closely monitoring the Department of Education and other agencies for any mention of “NIST 800-171,” as this could indicate a shift towards CMMC. Recently, the General Services Agency (GSA) issued a solicitation specifically referencing “CMMC,” which is a significant indication. Given that CUI is a designation, it wouldn’t be surprising if CMMC appears in requirements from other agencies for reciprocity.

Can second or third-tier subcontractors qualify for a JSVA?

Yes, we have assessed subcontractors under JSVA. Subcontractors do have DFARS 7012 requirements. If you are wondering if you qualify, reach out to us!

May 2024

Our users are using Remote Desktop to connect to GCC High (CUI) AVD machines using un/pw/mfa. Do the machines the users connect from fall in scope?

Maybe. When considering scoping, you are looking at the boundaries of your assessment. You can use solutions like remote desktop, VDI, etc., for CMMC implementation. If you do not want your endpoints to be in scope, you must lock down those virtual instances to ensure that nothing can be copied or saved from that virtual interface. If you can achieve this, prove it, and demonstrate it, then your endpoints would not be in scope. However, if capabilities such as copy and paste, download, print, or screenshotting are still enabled, then your endpoints are likely still in play. It all depends on how tightly you lock down that remote or virtual interface.
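The answer above hinges on being able to "prove it, and demonstrate it". The script below is an added example, not code from the podcast or from Redspin, that audits a Windows session host (for instance an AVD host) for the egress paths the answer lists: clipboard, drive mapping (save/download), printer redirection, USB devices, and screen capture. The registry value names are the standard Terminal Services policy values that the corresponding Group Policy settings write; the function name `Test-SessionHostLockdown`, the resource group and host pool names in the commented `Update-AzWvdHostPool` call, and the decision to treat a missing value as "allowed" (the Windows default) are assumptions made for this example.

```powershell
# Added example (not from the podcast or Redspin): audit a session host's RDP
# redirection policy so the "nothing leaves the session" claim can be evidenced.
# Registry values are the standard Terminal Services policy values; the function
# name is an assumption made for this example.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Each entry: value name, the value(s) that mean "blocked", and what it governs.
# fEnableScreenCaptureProtect: 1 = block capture on the client, 2 = client and server.
$Checks = @(
    @{ Name = 'fDisableClip';                Blocked = @(1);    Controls = 'clipboard (copy/paste)' },
    @{ Name = 'fDisableCdm';                 Blocked = @(1);    Controls = 'client drive mapping (save/download)' },
    @{ Name = 'fDisableCpm';                 Blocked = @(1);    Controls = 'client printer redirection' },
    @{ Name = 'fDisablePNPRedir';            Blocked = @(1);    Controls = 'plug-and-play device redirection (USB storage)' },
    @{ Name = 'fEnableScreenCaptureProtect'; Blocked = @(1, 2); Controls = 'screen capture / screenshots' }
)

function Test-SessionHostLockdown {
    [CmdletBinding()]
    param([string]$Path = $PolicyKey)

    foreach ($check in $Checks) {
        $actual = $null
        if (Test-Path -Path $Path) {
            $actual = (Get-ItemProperty -Path $Path -Name $check.Name -ErrorAction SilentlyContinue).($check.Name)
        }
        # A value that is not set means the Windows default applies, and the
        # default permits redirection, so it counts as a failed check.
        [pscustomobject]@{
            Setting  = $check.Name
            Controls = $check.Controls
            Actual   = if ($null -eq $actual) { 'not set (default: allowed)' } else { $actual }
            Pass     = [bool]($actual -in $check.Blocked)
        }
    }
}

$report = Test-SessionHostLockdown
$report | Format-Table -AutoSize

if ($report.Pass -contains $false) {
    Write-Warning 'At least one egress path is still open; endpoints connecting to this host are likely in scope.'
} else {
    Write-Output 'All checked egress paths are blocked on this host; keep this output as assessment evidence.'
}

# The same redirections can also be refused at the AVD host pool (connection) layer
# with custom RDP properties, so the client is never offered them. Resource group
# and host pool names below are placeholders. Requires the Az.DesktopVirtualization module.
# Update-AzWvdHostPool -ResourceGroupName 'rg-cui-enclave' -Name 'hp-cui' `
#     -CustomRdpProperty 'redirectclipboard:i:0;drivestoredirect:s:;redirectprinters:i:0;usbdevicestoredirect:s:;'
```

Run it on each session host as an administrator and keep the table output with your scoping documentation; an assessor asking whether the endpoint can pull CUI out of the session can then be shown the effective policy rather than a statement of intent. The host-pool property string belongs alongside it, since a policy on the host and a refusal at the connection layer are two independent controls and a change to either one re-opens the question of endpoint scope.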

What is the best solution for subcontractor information sharing and compliance?

There are many good solutions for this, but one that stands out is a GRC (Governance, Risk, and Compliance) tool like Cyturus. The Cyturus CRT tool allows you to map data back to one another and offers many other useful features. Another example of a GRC tool is FutureFeed. Tools like these let you store your documentation (such as your SSP) and other documents, then grant your subcontractors access. Any time they make a change, the tool provides a warning so you can review it. This approach ensures secure information sharing and compliance management.

Are there prerequisites for CCP training?

There are no prerequisites for CMMC Certified Professional (CCP) training itself, but there are requirements if you plan to sit for the CCP certification.

One prerequisite is having a college degree or 2 years of equivalent experience. It is also suggested that you have a certification such as CompTIA Security+.

You must complete the CCP class before taking the CCP exam. If you want to go further and become a CMMC Certified Assessor (CCA), there is another set of requirements. For more details please visit:
  • CCP training
  • CCA training
  • The Cyber AB’s CCP Blueprint

How can I get upper management to understand we shouldn't be waiting for CMMC to finalize?

This is always a challenge, right? The bottom line is that CMMC is merely a validation of requirements that are already in place. Upper management should be aware of this. By getting certified now, you are giving yourself a competitive advantage for bidding on contracts. The advantages of being proactive are significant compared to waiting, especially with potential logjams that may occur after rulemaking becomes final. If you wait to get certified until CMMC becomes final, you might end up in a queue for certification that could potentially last a year or two, depending on how things go. Another option is to get on a call with us! We are happy to learn about your unique business and explain the CMMC process to your leadership. At the end of the day, if you want to participate in the DIB space and secure DoD contracts, CMMC will provide you with a competitive advantage, particularly if you are a subcontractor. Subcontractors will see CMMC requirements in contracts from their primes long before the DoD mandates them. We have already heard from subcontractor clients that their primes are telling them the first to get CMMC certified will get all the primes’ business for 2025, and they will reassess in 2026 once things settle down. So there you go.

April 2024

Download Slides

This month, we answer audience questions such as flowdown requirements for subcontractors, timeline enforcement, and more… Tune in to learn.

March 2024

Download Slides

The group covers answers to audience questions including email requirements, sharing data when it comes to parent/child companies, and much (MUCH) more…


February 2024

Download Slides

We discuss the reality of the CMMC timeline, 48 CFR vs. 32 CFR, enclaves for small businesses, then open the floor to Q&A.


January 2024

Download Slides

A special 1 hour kickoff event covering the CMMC proposed rule, updates, timelines, and essential information. Then, our team hosts an interactive ‘Ask Me Anything’ (AMA) session addressing inquiries on MSP/ESP certification, training, CUI scoping, DIBCAC High certification, and more.


Get started with Redspin Today

Helping you navigate CMMC.