The ability for CMMC to address threats and manage risk is a function of the NIST controls it is designed to assess and verify. A closer look at the interface between CMMC and NIST SP 800-171 reveals good news and bad news.
Good: CMMC covers the same fundamentals as other approaches.
Bad: CMMC only covers the same fundamentals as other approaches.
This talk explores what CMMC does right and how it is likely to evolve and expand in the future.