Certain changes to the CMMC model caused some controversy, but made sense in the larger picture of cybersecurity, such as the model scaled down from five levels to three.