The reality is, data breaches in the government sector are all too common, which is why safeguarding sensitive information and CUI data is a major priority and why standards such as NIST 800-171 were created in the first place. CMMC is taking the suggestion from NIST 800-171 and adding to them as well as requiring a third-party assessment.