What is the Difference Between DFARS and CMMC?
Security and compliance are paramount in the defense industry–even for unclassified information, like Controlled Unclassified Information (CUI). The operations of these particular industries call for the utmost discretion, and all stakeholders must be on the same page.
As modern digital infrastructure makes its way into the defense supply chain, it’s equally crucial for contractors and business operators to meet these exact requirements. That’s why the Department of Defense (DoD) has created two different cybersecurity frameworks over the past few decades–the Defense Acquisition Federal Regulation Supplement (DFARS) and the Cybersecurity Maturity Model Certification (CMMC) framework.
What is DFARS?
In 2015, the DoD released a supplement to its Federal Acquisition Regulations (FAR) known as DFAR. In this case, “acquisition” refers to the implementation, contracting, production or deployment of logistical support like weapons, services, supplies or systems. In the case of the digital supply chain and DFARS, it specifically refers to how defense agencies contract with digital service providers for services like cloud computing or application usage.
DFARS is, in many ways, deceptively simple. It calls for DoD contractors to adhere to 2 specific requirements:
- Provide adequate security for IT systems containing, transmitting or processing CUI to prevent unauthorized disclosures.
- Report cyber incidents immediately to the DoD for the purposes of mitigation, remediation and governmental scrutiny.
As a method of monitoring CUI systems security, DFARS relies on NIST Special Publication 800-171, “Protecting Unclassified Information in Nonfederal Information Systems and Organizations.”
Much like other NIST guidelines like NIST 800-53, NIST 800-171 contains a catalog of security measures, practices and procedures that organizations must implement as part of their regulatory obligations. This document covers 14 categories of requirements covering the following security challenges:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Contractors are expected to implement these controls following regulations, perform self-assessment to attest to compliance and report to the DoD. Many contractors will go with a managed security services provider (MSSP) with expertise in defense security and compliance to streamline audits and costs, as these firms can support contractors through a fairly predictable process:
- Gap Analysis: Simply put, conducting an analysis of existing security controls and practices against NIST 800-171 requirements and using the difference as a guide for compliance.
- Remediation: How your organization can mobilize the information gathered from the gap analysis to remediate system issues and align your organization with NIST 800-171 for compliance.
- Continuous Monitoring: Compliance requires ongoing compliance monitoring to support reporting of cyber breaches and significant changes in IT infrastructure.
- Documentation: Collecting reports and documents to provide to the DoD to demonstrate compliance annually.
What is CMMC?
Like DFARS, CMMC is built to support defense contractors in protecting CUI. Also, like DFARS, CMMC relies primarily on NIST 800-171 for its controls and requirements.
Unlike DFARS, however, CMMC has a few additional features:
- Maturity Levels: To streamline compliance, CMMC organizes compliance into “Maturity Levels” based on how many controls they have implemented from NIST 800-171.
- Level 1 maturity calls for organizations to implement 17 total controls from NIST 800-171.
- Level 2 maturity calls for compliance with all 110 controls in NIST 800-171. This is the minimum level required to handle CUI.
- Level 3 maturity calls for all Level 2 alongside supplemental controls from the secondary document NIST 800-172, which adds several advanced controls to the CUI list. This level is primarily for systems that must account for optimized, proactive security against advanced persistent threats (APTs).
- Third-Party Assessment Organizations (C3PAOs): Organizations must, by and large, undergo auditing and assessment from a certified 3PAO that the DoD has recognized for such purposes. These C3PAOs are listed in the official CMMC C3PAO marketplace.
The initial CMMC initiative (colloquially known as CMMC 1.0) was released in 2019 with five maturity levels and more stringent requirements for audits, reporting and maturity. CMMC 2.0, a revision released in November 2020, reduced the maturity levels to three and streamlined assessment around contractor and agency feedback.
What Are the Differences Between DFARS and CMMC?
For the most part, DFARS and CMMC share the same goal: to enforce sufficient security on contractor systems handling CUI. In fact, the DoD intended to phase out DFARS in favor of CMMC for a few specific reasons:
- Clearer Expectations: Since CMMC divides compliance into maturity levels, it provides a clearer shared understanding of requirements for agencies requesting services and contractors undergoing audits.
- Third-Party Assessments: DFARS relied on self-assessment on contractors, which, while sometimes convenient for large enterprises and experienced SMBs, wasn’t always efficient or accurate. The requirement of third-party assessment under CMMC introduces an additional level of assurance and rigor to the process.
In many ways, DFARS is an assessment of a specific point in time-based on a checklist of controls. CMMC is a continuous process of maturity assessment that details the total package of capabilities and practices a contractor displays.
While CMMC seems to replace DFARS, they still coexist. Most contractors working in the defense supply chain will reach Maturity Level 2 to handle CUI, almost certainly making them DFARS compliant. However, there isn’t a 1-to-1 overlap between the two, and DFARS compliance will get you close to CMMC compliance, but not entirely there. However, the plan is that, by the time CMMC is fully implemented, it will become the primary form of assessment for contractors handling CUI.
Work with CMMC and DFARS Compliance with Lazarus Alliance
Alongside being one of the few multi-framework consulting firms equipped for FedRAMP and CMMC assessments, Lazarus Alliance is experienced in NIST 800-171 audits, including those for DFARS. In our experience, the best way to continue to meet DOD requirements for CUI is with precise, regular and automated auditing from security partners who have done it before.
Are You Ready for DFARS 800-171 or CMMC Compliance?
Call Lazarus Alliance at 1-888-896-7580 or fill in this form.