I don’t foresee the biggest challenge for CMMC being defining the rules, guidance and certification. The biggest challenge as with all cyber security programmes, will be implementation and finding cyber experts. There are simply not enough experienced resources in the market place. DFARS has been specific in its requirements for NIST 800 – 171 r2 for some time. Cyber incidents have shown that not all DIBs have adopted cyber security practices as one would expect. Which in my experience does not make them stand out from many other industry sectors. The only difference will be that if CMMC makes it into DFARS there will be a requirement for accreditation and assurance of the standards. Irrespective of CMMC companies should be preparing for cyber security. Implementing basic cyber hygiene and developing cyber maturity is something all boards should adopt as a matter of course. Protecting the organisation from serious long term damage.