What is the Difference Between DFARS and CMMC?

Security and compliance are paramount in the defense industry–even for unclassified information, like Controlled Unclassified Information (CUI). The operations of these particular industries call for the utmost discretion, and all stakeholders must be on the same page. 

As modern digital infrastructure makes its way into the defense supply chain, it’s equally crucial for contractors and business operators to meet these exact requirements. That’s why the Department of War (DoW) has created two different cybersecurity frameworks over the past few decades–the Defense Acquisition Federal Regulation Supplement (DFARS) and the Cybersecurity Maturity Model Certification (CMMC) framework.

What is DFARS?

In 2015, the DoD released a supplement to its Federal Acquisition Regulations (FAR) known as DFAR. In this case, “acquisition” refers to the implementation, contracting, production or deployment of logistical support like weapons, services, supplies or systems. In the case of the digital supply chain and DFARS, it specifically refers to how defense agencies contract with digital service providers for services like cloud computing or application usage. 

DFARS is, in many ways, deceptively simple. It calls for DoD contractors to adhere to 2 specific requirements:

• Provide adequate security for IT systems containing, transmitting or processing CUI to prevent unauthorized disclosures. 
• Report cyber incidents immediately to the DoD for the purposes of mitigation, remediation and governmental scrutiny. 

As a method of monitoring CUI systems security, DFARS relies on NIST Special Publication 800-171, “Protecting Unclassified Information in Nonfederal Information Systems and Organizations.” 

Much like other NIST guidelines like NIST 800-53, NIST 800-171 contains a catalog of security measures, practices and procedures that organizations must implement as part of their regulatory obligations. This document covers 14 categories of requirements covering the following security challenges:

• Access Control
• Awareness and Training
• Audit and Accountability
• Configuration Management
• Identification and Authentication
• Incident Response
• Maintenance
• Media Protection
• Personnel Security
• Physical Protection
• Risk Assessment
• Security Assessment
• System and Communications Protection
• System and Information Integrity

Contractors are expected to implement these controls following regulations, perform self-assessment to attest to compliance and report to the DoD. Many contractors will go with a managed security services provider (MSSP) with expertise in defense security and compliance to streamline audits and costs, as these firms can support contractors through a fairly predictable process:

• Gap Analysis: Simply put, conducting an analysis of existing security controls and practices against NIST 800-171 requirements and using the difference as a guide for compliance. 
• Remediation: How your organization can mobilize the information gathered from the gap analysis to remediate system issues and align your organization with NIST 800-171 for compliance. 
• Continuous Monitoring: Compliance requires ongoing compliance monitoring to support reporting of cyber breaches and significant changes in IT infrastructure. 
• Documentation: Collecting reports and documents to provide to the DoD to demonstrate compliance annually. 

What is CMMC?

Like DFARS, CMMC is built to support defense contractors in protecting CUI. Also, like DFARS, CMMC relies primarily on NIST 800-171 for its controls and requirements. 

Unlike DFARS, however, CMMC has a few additional features:

• Maturity Levels: To streamline compliance, CMMC organizes compliance into “Maturity Levels” based on how many controls they have implemented from NIST 800-171.
  • Level 1 maturity calls for organizations to implement 17 total controls from NIST 800-171.
  • Level 2 maturity calls for compliance with all 110 controls in NIST 800-171. This is the minimum level required to handle CUI. 
  • Level 3 maturity calls for all Level 2 alongside supplemental controls from the secondary document NIST 800-172, which adds several advanced controls to the CUI list. This level is primarily for systems that must account for optimized, proactive security against advanced persistent threats (APTs). 

• Third-Party Assessment Organizations (C3PAOs): Organizations must, by and large, undergo auditing and assessment from a certified 3PAO that the DoD has recognized for such purposes. These C3PAOs are listed in the official CMMC C3PAO marketplace. 

The initial CMMC initiative (colloquially known as CMMC 1.0) was released in 2019 with five maturity levels and more stringent requirements for audits, reporting and maturity. CMMC 2.0, a revision released in November 2020, reduced the maturity levels to three and streamlined assessment around contractor and agency feedback. 

What Are the Differences Between DFARS and CMMC?

For the most part, DFARS and CMMC share the same goal: to enforce sufficient security on contractor systems handling CUI. In fact, the DoD intended to phase out DFARS in favor of CMMC for a few specific reasons:

• Clearer Expectations: Since CMMC divides compliance into maturity levels, it provides a clearer shared understanding of requirements for agencies requesting services and contractors undergoing audits. 
• Third-Party Assessments: DFARS relied on self-assessment on contractors, which, while sometimes convenient for large enterprises and experienced SMBs, wasn’t always efficient or accurate. The requirement of third-party assessment under CMMC introduces an additional level of assurance and rigor to the process. 

In many ways, DFARS is an assessment of a specific point in time-based on a checklist of controls. CMMC is a continuous process of maturity assessment that details the total package of capabilities and practices a contractor displays. 

While CMMC seems to replace DFARS, they still coexist. Most contractors working in the defense supply chain will reach Maturity Level 2 to handle CUI, almost certainly making them DFARS compliant. However, there isn’t a 1-to-1 overlap between the two, and DFARS compliance will get you close to CMMC compliance, but not entirely there. However, the plan is that, by the time CMMC is fully implemented, it will become the primary form of assessment for contractors handling CUI.

Work with CMMC and DFARS Compliance with Lazarus Alliance

Alongside being one of the few multi-framework consulting firms equipped for FedRAMP and CMMC assessments, Lazarus Alliance is experienced in NIST 800-171 audits, including those for DFARS. In our experience, the best way to continue to meet DOD requirements for CUI is with precise, regular and automated auditing from security partners who have done it before. 

Are You Ready for DFARS 800-171 or CMMC Compliance?

Call Lazarus Alliance at 1-888-896-7580 or fill in this form. 

What Is Autonomous Malware?

We’re reaching the end of 2025, and looking ahead to 2026, most experts are discussing the latest threats that will shape the year ahead. This year, we’re seeing a new, but not unexpected, shift to autonomous threats driven by state-sponsored actors and AI.  With that in mind, a new generation of threats, broadly known as...Continue reading→

What CISA’s Emergency Directive 26-01 Means for Everyone

In mid-October 2025, the CISA issued one of its most urgent orders yet: Emergency Directive 26-01. The directive calls on all Federal Civilian Executive Branch (FCEB) agencies to immediately mitigate vulnerabilities in devices from F5 Networks following a state-sponsored breach of F5’s systems and access to portions of BIG-IP source code and vulnerability data. The event...Continue reading→

Cybersecurity and Vetting AI-Powered Tools

A recent exploit involving a new AI-focused browser shone a light on a critical problem–namely, that browser security is a constant issue, and AI is just making that threat more pronounced. Attackers discovered a way to use that browser’s memory features to implant hidden instructions inside an AI assistant. Once stored, those instructions triggered unwanted...Continue reading→

Shutdown Security And Cyber Vulnerability

When the federal government shuts down, the public sees closed monuments, unpaid workers, and halted programs. What they do not see is the silent surge of cyberattacks targeting agencies already operating on fumes. During the most recent shutdown, attacks against U.S. government systems spiked by nearly 85%.  Cybersecurity failures during government disruptions rarely start with...Continue reading→

Identity and the Shift from Malware

The world of cyber threats is rapidly evolving, and while we can see these changes more generally, it’s always crucial to understand them concretely. As the 2025 CrowdStrike Global Threat Report shows us, the landscape of our industry is changing.  We’re digging into this report to discuss a challenging trend: the move of hackers foregoing...Continue reading→

Maintaining Compliance Against Prompt Injection Attacks

The increasing adoption of AI by businesses introduces security risks that current cybersecurity frameworks are not prepared to address. A particularly complex emerging threat is prompt injection attacks. These attacks manipulate the integrity of large language models and other AI systems, potentially compromising security protocols and legal compliance. Organizations adopting AI must have a plan...Continue reading→

Are We Already Talking About CMMC 3.0?

The ink has barely dried on the CMMC final rule, and already the defense contracting community is buzzing with speculation about what comes next. Just when contractors thought they had a moment to catch their breath after years of regulatory limbo, whispers of CMMC 3.0 have begun circulating through the industry. But is this just...Continue reading→

Centralizing Identity-Based Risk

As the traditional network boundary dissolves and remote work becomes standard practice, identities are the major frontier for security. Whether we’re talking about human users, service accounts, or machine identities, these have emerged as both the primary access mechanism and the most targeted attack vector.  It has become imperative for providers to centralize identity management...Continue reading→

Deviation and Significant Change Requests in FedRAMP: A Comprehensive Guide

FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies. While the program’s rigorous baseline requirements ensure consistent security, the reality is that this consistency calls for a little flexibility.  This is where deviation requests and significant change requests come into play. These two...Continue reading→

The Costs of Compliance and Data Breaches

Data is possibly one of the most valuable assets any organization holds. Customer information, employee records, and proprietary business intelligence present challenges because the data flowing through modern enterprises represents both significant opportunities and serious risks.  Businesses face a challenging balance: investing in compliance measures to protect sensitive information while also preparing for the real...Continue reading→