Even RMF packages, e.g. the DoD's own things, never get 100% POA&M-less finales. The memo is an industry-killer. If it stands, I hope DFARS 7012 re-ruling comes back with a softer solution to the problem. But you asked, "When's the last time regulation changes have gone softer?" I can think of only one occasion in modern times - the new FedRAMP "plan forward" memo appears to be offering some nice concessions. So there's that to look forward to.
I still don't get the DoD's logic about allowing other Agencies to accept risk on behalf of the DoD when it comes to CMMC, when typically it seems like they are unwilling to allow it for the sake of FedRAMP, such as the IL4 requirements. Plus, the typical FedRAMP Moderate ATO CSP has probably hundreds of items on it's POA&M when you include vulnerability scan results. At this point I am honestly more surprised the DoD hasn't decided FedRAMP Mod IL4 is the requirement for CMMC Level 2. But otherwise I don't get how a DiB company needs a 100% clean POAM and a CSP with a FedRAMP ATO can run with POAM items for long periods of time and they never have 100% clean POAMs.
I'm with you on the IL-4 bit. This is a weird disconnect when you consider it's an additional 40+ controls/enhancements. Of course, the CC SRG is under revision, so stay tuned. :)
