The CMMC model is one in a series of Federal initiatives focused on information security. The first was FAR Clause 52.204-21 (June 2016), which required all federal contractors to meet a set of 15 basic cybersecurity controls for contractor information systems on which “Federal contract information is stored, processed or transmitted.” The second was DFARS Clause 252.204-7012, with a compliance deadline of December 31, 2017, which made NIST SP 800-171 the security requirement for defense contractors that handle covered defense information. NIST SP 800-171, with its 110 requirements, also incorporates the 15 basic cybersecurity requirements from FAR 52.204-21. The CMMC model came into place in January 2020 with the publication of version 1.0.
The CMMC model is built on the requirements outlined in NIST SP 800-171, together with other commercial system security best practices. CMMC Level 3, with 130 practice requirements, incorporates all 110 system security requirements of NIST SP 800-171. The one exception is NIST SP 800-171 section 3.12.2, which calls for a Plan of Action and Milestones (POAM) to track and correct deficiencies: under NIST SP 800-171 an organization may track unmet requirements on a POAM, but within the CMMC model a practice that is covered only by a POAM is considered not implemented, and a POAM cannot be used to demonstrate progress toward compliance. The point is that, at the time of certification, the organization must have fully implemented every practice required for the CMMC Level being assessed.