Whilst the roll out will be over the next 5 years. In practical terms it places a formal cyber security requirement on companies. To put in place the necessary security practices, to secure Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). In my view it is a regulation with which has some similarities to GDPR and CCPA. In the case of CMMC, formally underpinned by NIST 800 – 171.