The CMMC model is built on the requirements outlined in NIST SP 800-171, in addition to other commercial system security best practices. CMMC Level 3, with 130 practice requirements, incorporates the 110 system security requirements in NIST SP 800-171. The exception is NIST SP 800-171 section 3.12.2, which calls for a Plan of Action and Milestones (POAM). Within the CMMC model, a POAM used to demonstrate progress towards compliance is considered non-compliant. The point is that, at the time of certification, the organization should be compliant with all appropriate CMMC Level practice requirements.

Currently, the DoD requirement for system security is conformance to the NIST SP 800-171 standard. There is an initiative to change the DFAR and replace the NIST requirement with the CMMC model.