CMMC builds upon DFARS and outlines multiple maturity levels, ranging from "Basic Cybersecurity Hygiene" to "Advanced." Unlike DFARS/NIST 800-171, all contractors working with the DoD will need to undergo a thirty-party audit prior to any contract award (pre-award certification). The intent is to identify a contractor's CMMC level in their Request for Proposal (RFP) as a decision factor when evaluating vendors.