Industry will finally get official, albeit interim, regulatory guidance from DOD in May on how to comply with Cybersecurity Maturity Model Certification (CMMC) requirements. Well over two years after CMMC was officially rolled out as a mandate, touching off a slew of expenses for defense contractors of all types, guidance on what businesses actually need to do will become officially known. While most larger defense contractors have already taken steps to comply with the underlying NIST 800-171 rules, on which CMMC requirements will be based, a substantial number of small and medium-sized businesses have held back, partly due to an ever-changing list of requirements for such companies. As of now, all but the smallest DOD contractors may need to undergo third-party certification to ensure that their cybersecurity systems meet CMMC requirements. Be prepared for that expense, along with the expense of a host of “coming soon” cyber rules that will impact both DOD and non-DOD contractors.