Site icon

What is the Difference Between DFARS and CMMC?

DFARS featured

Security and compliance are paramount in the defense industry–even for unclassified information, like Controlled Unclassified Information (CUI). The operations of these particular industries call for the utmost discretion, and all stakeholders must be on the same page. 

As modern digital infrastructure makes its way into the defense supply chain, it’s equally crucial for contractors and business operators to meet these exact requirements. That’s why the Department of Defense (DoD) has created two different cybersecurity frameworks over the past few decades–the Defense Acquisition Federal Regulation Supplement (DFARS) and the Cybersecurity Maturity Model Certification (CMMC) framework.

 

What is DFARS?

In 2015, the DoD released a supplement to its Federal Acquisition Regulations (FAR) known as DFAR. In this case, “acquisition” refers to the implementation, contracting, production or deployment of logistical support like weapons, services, supplies or systems. In the case of the digital supply chain and DFARS, it specifically refers to how defense agencies contract with digital service providers for services like cloud computing or application usage. 

DFARS is, in many ways, deceptively simple. It calls for DoD contractors to adhere to 2 specific requirements:

As a method of monitoring CUI systems security, DFARS relies on NIST Special Publication 800-171, “Protecting Unclassified Information in Nonfederal Information Systems and Organizations.” 

Much like other NIST guidelines like NIST 800-53, NIST 800-171 contains a catalog of security measures, practices and procedures that organizations must implement as part of their regulatory obligations. This document covers 14 categories of requirements covering the following security challenges:

Contractors are expected to implement these controls following regulations, perform self-assessment to attest to compliance and report to the DoD. Many contractors will go with a managed security services provider (MSSP) with expertise in defense security and compliance to streamline audits and costs, as these firms can support contractors through a fairly predictable process:

What is CMMC?

Like DFARS, CMMC is built to support defense contractors in protecting CUI. Also, like DFARS, CMMC relies primarily on NIST 800-171 for its controls and requirements. 

Unlike DFARS, however, CMMC has a few additional features:

The initial CMMC initiative (colloquially known as CMMC 1.0) was released in 2019 with five maturity levels and more stringent requirements for audits, reporting and maturity. CMMC 2.0, a revision released in November 2020, reduced the maturity levels to three and streamlined assessment around contractor and agency feedback. 

 

What Are the Differences Between DFARS and CMMC?

For the most part, DFARS and CMMC share the same goal: to enforce sufficient security on contractor systems handling CUI. In fact, the DoD intended to phase out DFARS in favor of CMMC for a few specific reasons:

In many ways, DFARS is an assessment of a specific point in time-based on a checklist of controls. CMMC is a continuous process of maturity assessment that details the total package of capabilities and practices a contractor displays. 

While CMMC seems to replace DFARS, they still coexist. Most contractors working in the defense supply chain will reach Maturity Level 2 to handle CUI, almost certainly making them DFARS compliant. However, there isn’t a 1-to-1 overlap between the two, and DFARS compliance will get you close to CMMC compliance, but not entirely there. However, the plan is that, by the time CMMC is fully implemented, it will become the primary form of assessment for contractors handling CUI.

 

Work with CMMC and DFARS Compliance with Lazarus Alliance

Alongside being one of the few multi-framework consulting firms equipped for FedRAMP and CMMC assessments, Lazarus Alliance is experienced in NIST 800-171 audits, including those for DFARS. In our experience, the best way to continue to meet DOD requirements for CUI is with precise, regular and automated auditing from security partners who have done it before. 

 

Are You Ready for DFARS 800-171 or CMMC Compliance?

Call Lazarus Alliance at 1-888-896-7580 or fill in this form. 

[wpforms id=”137574″]

Exit mobile version