diff --git a/PreFlightDiscussion-02.md b/PreFlightDiscussion-02.md
new file mode 100644
index 0000000..f34211e
--- /dev/null
+++ b/PreFlightDiscussion-02.md
@@ -0,0 +1,77 @@
+# Pre-Flight Discussion - Round 2
+
+## Follow-up Questions Based on Your Feedback:
+
+### 1. Compliance Framework Clarification
+- **Your Feedback**: Entry point to tier0 infrastructure supporting ITAR/SECRET systems, CMMC Level 2/3 downstream, LI-SaaS for RackRental.net
+- **Questions**:
+  - Should we target CMMC Level 3 for this system since it supports Level 2/3 downstream?
+  - For STIG vs CIS: DISA STIGs are military requirements, CIS Benchmarks are industry best practices. Given your use case (tier0, ITAR/SECRET), I recommend DISA STIGs. Do you agree?
+  - Should we implement the "Debian 13 STIG" or the more comprehensive "General Operating System STIG"?
+
+### 2. QR Code Import Implementation
+- **Your Feedback**: Want QR code import capability using webcam
+- **Questions**:
+  - Which QR code library should we use? (qrencode for generation, zbar for scanning)
+  - Should we create a desktop shortcut for QR scanning, or integrate it into the WireGuard config management?
+  - What QR code format should we support? (Standard WireGuard QR format?)
+
+### 3. Testing Strategy Clarification
+- **Your Feedback**: Test suite runs on installed system, not in build environment
+- **Questions**:
+  - Should we include the test suite in the ISO itself for post-install validation?
+  - Or keep tests separate for QA/validation before deployment?
+  - How should the tests be triggered on the installed system? (Desktop shortcut, command line?)
+
+### 4. Package Management Strategy
+- **Your Feedback**: Very minimal packages, re-image quarterly rather than update
+- **Questions**:
+  - Should we remove apt/apt-get entirely to prevent accidental updates?
+  - Or keep it but disable network access?
+  - What's your preference for package management tools on the final system?
+
+### 5. Preseed Configuration Details
+- **Your Feedback**: Only install target, root password, non-root user/password are manual
+- **Questions**:
+  - What timezone should we default to?
+  - What keyboard layout should we default to?
+  - Should we enforce password complexity in the preseed itself, or handle that post-install?
+
+### 6. Secure Boot Implementation
+- **Your Feedback**: Must use secure boot, refuse to boot if altered
+- **Questions**:
+  - Should we include Secure Boot keys in the ISO or use standard Microsoft keys?
+  - Do you want UEFI-only boot, or support Legacy BIOS as well?
+  - Should we implement measured boot or just standard Secure Boot?
+
+### 7. Documentation Approach
+- **Your Feedback**: No user guides in ISO
+- **Questions**:
+  - Should we create minimal inline help for the desktop shortcuts?
+  - Or assume users are trained and don't need any documentation?
+  - Where should we store technical documentation? (Project repo only?)
+
+## Clarifications Received:
+
+### ✅ Test Environment: Keep tests separate from build environment, use shellcheck/shellfmt only in build
+### ✅ ISO Size: Not a concern, add to .gitignore
+### ✅ Updates: Re-image quarterly, no internet updates
+### ✅ Hardware: Standard Debian 13 kernel works on target hardware
+### ✅ User Experience: No user guides needed
+### ✅ Minimal Packages: Start minimal and iterate
+
+## Remaining High Priority Items to Resolve:
+
+1. **Compliance Framework**: CMMC level + STIG vs CIS decision
+2. **QR Code Implementation**: Library choice and integration approach
+3. **Testing Strategy**: In-ISO tests vs separate validation
+4. **Package Management**: Remove or disable apt?
+5. **Preseed Details**: Timezone, keyboard, password enforcement
+6. **Secure Boot**: Key management and boot mode
+7. **Documentation**: Minimal help vs none
+
+---
+
+**Status**: Awaiting your responses to the above questions
+**Next Action**: Update specification based on your decisions
+**Ready for Implementation**: Getting closer - need to resolve these remaining items
\ No newline at end of file