Starting in September 2020, companies going through the Department of Defense (DOD) procurement process are required to improve their cybersecurity hygiene. The DOD is requiring the Cybersecurity Maturity Model Certification (CMMC) for any company it conducts business with, including subcontractors. The required level varies by contract and will appear in Requests for Information (RFIs) and Requests for Proposals (RFPs). The higher the level a company is certified at, the more contracts it is eligible to bid on.
Companies that sell only commercial off-the-shelf (COTS) products will not need to comply with CMMC. For everything else, the DOD will specify the level of CMMC certification required in each contract.
The CMMC builds on existing cybersecurity standards and best practices and maps those practices to five maturity levels, from Level 1 ('Basic Cyber Hygiene') to Level 5 ('Advanced/Progressive'). The required level depends on the contract and on the sensitivity of the information the company handles. The DOD's goal is to raise the cyber hygiene of its contractors without disqualifying otherwise-capable suppliers. To that end, the cost of certification will be treated as an allowable, reimbursable cost.
According to the CMMC site:
CMMC Levels 1-3 encompass the 110 security requirements specified in NIST SP 800-171 rev1. CMMC incorporates additional practices and processes from other standards, references, and/or sources such as NIST SP 800-53, Aerospace Industries Association (AIA) National Aerospace Standard (NAS) 9933 “Critical Security Controls for Effective Capability in Cyber Defense”, and Computer Emergency Response Team (CERT) Resilience Management Model (RMM) v1.2.