The methods by which defense contractors have attempted to achieve cyber resiliency are completely different from what they may have to do to meet CMMC requirements — and for some businesses, the costs to continue participating in federal contracting opportunities can become so burdensome that they’re no longer worth it. The commercial space can be similarly profitable for these companies, and the barriers for entry are not nearly as high.

Source: Help Net Security