CMMC compliance is not designed as a one-size-fits-all system. CMMC offers five different levels of compliance, and the contract requirements dictate which level a project must meet.
The levels rise in complexity and requirements from Level 1 through Level 5. Level 1 represents the same requirements as FAR 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.
Level 2 adds a number of requirements, but is essentially a preparatory level for Level 3.
Level 3, the level most subcontractors across the DIB will need to meet, is roughly equivalent to NIST SP 800-171. CMMC Level 3 adds 20 requirements beyond 800-171’s 110 requirements.
Levels 4 and 5 will only need to be met by a relatively small number of contractors. These levels are the most rigorous and complex and require many more security practices to be met, with the stated goal of protecting against APTs (Advanced Persistent Threats). Levels 4 and 5 can be understood as designed to rebuff much more determined and capable attackers.