CohnReznick has published a very comprehensive article on the CMMC  and the impact to government contractors.

By: Bhavesh Vadhani, Kristen Soles, Ali Khraibani

If you’re a Defense Industrial Base (DIB) contractor, also known as a Department of Defense (DOD) contractor, you may need to address as many as 171 security practices to qualify for future government contracts, based on a new cybersecurity standard and maturity assessment established by the DOD. The Cybersecurity Maturity Model Certification (CMMC) will begin appearing in a limited set of Requests for Information (RFIs) and Requests for Proposals (RFPs) in late 2020. The time to ensure you have implemented all security practices will be here before you know it. You should take this time to get an understanding of the requirements needed for the type of contract your organization will pursue with the DOD.

Taking the first steps toward CMMC compliance