The good news for the vast majority of defense contractors and subcontractors is that they will not have to exceed Level 3 compliance for CMMC. Level 3 compliance is closely comparable to already-required NIST 800-171.
For those that do need to meet Levels 4 or 5 (all levels of CMMC build upon one another), there will be a significant upgrade in security posture. Levels 4 and 5 are designed with mitigating “Advanced Persistent Threats’ in mind. The goal is to be able to defend against more capable and determined attackers.
Requirements for Levels 4 & 5 are substantial and include such items as increased employee training, having a 24/7 security center and penetration testing.