CMMC is a vehicle the U.S. government is using to implement a tiered approach to audit contractor compliance with NIST SP 800-171, based on five different levels of maturity expectations. DOD contractors have been required to comply with NIST 800-171 since January 1, 2018. In the past two years, the DOD grappled with the low rate of NIST 800-171 compliance across the Defense Industrial Base (DIB), and CMMC was created to remedy that systemic issue of non-compliance by both primes and their subs. CMMC is intended to act as a procurement gate that a contractor must pass to be eligible to bid on, win or participate on a contract. Without a valid CMMC certification (Level 1 through 5), the prime and/or sub will be barred from applicable contracts.