by cuuupid 84 days ago
I am. CMMC 2.0 requires, and is essentially satisfied by, FedRAMP Moderate, and NIST 800-171 is a subset of FedRAMP. Notably, both CMMC and FedRAMP were met with immense criticism from industry, which was mostly ignored.

It would be better to compare this to commercial, like SOC 2, which is achievable even for small startups without much effort and on much more affordable budgets.

Notably, SOC 2 full service is $20k including tooling (Vanta + Workstreet + audits), NIST is $20-30k (Vanta + partners), while FedRAMP is $500k-1M (Coalfire) just for implementation, before getting into tooling and audits.