One of the key difference between NIST/DFARS compliance and CMMC compliance is that DOD has implemented stratified levels of compliance for CMMC. CMMC has five levels of compliance.
CMMC compliance requirements will be stipulated in defense contracts.
For most situations, Level 3 compliance will suffice for subcontractors — the first level that allows for handling of CUI — controlled unclassified information. CMMC officially describes ‘Level 3 as Good Cyber Hygiene.’
The good news is that CMMC Level 3 corresponds closely with DFARS and NIST SP 800-171 requirements. Indeed, if you’re already DFARS – compliant, CMMC Level 3 only requires an additional 20 controls beyond the 110 you already have in place.