Understanding the Relationship Between DFARS and CMMC


The role of DFARS in CMMC for defense contractors.

In 2016, the (DOD) Department of Defense launched the Defense Federal Acquisition Regulation Supplement (DFARS), a set of cybersecurity requirements that contractors and subcontractors in the DIB (Defense Industrial Base) had to follow. It was designed to protect (CUI) Controlled Unclassified Information from potential attacks and strengthen the overall US national security. In late 2019, the DOD went on to roll out the Cybersecurity Maturity Model Certification (CMMC) to further enhance cybersecurity and regulate CUI.

With the DFARS requirements and CMMC frameworks having seemingly the same functions, you might be wondering how they differ and how this will affect the cybersecurity standards you need to comply with. Check out the information below to learn more about the role of DFARS in CMMC and other changes to expect.

Difference Between DFARS and CMMC

Initially, the DOD announced that the CMMC framework would be replacing DFARS. However, this caused much confusion on how organizations would have to modify their systems, so the DOD later clarified that DFARS compliance will still be integral to the new regulations. First things first, both frameworks are applicable to all DOD contractors and suppliers and specifically designed for handling of CUI.

In terms of differences, DFARS clause 252.204-7012 is  essentially a set of controls, from NIST SP 800-171, that you need to follow when transmitting any type of CUI. While its primary intention was to improve security in the DIB, the standards were not entirely clear to contractors and subcontractors. This vagueness led to slow adoption, which prompted the DOD to launch CMMC

CMMC, on the other hand, has similar goals to DFARS since it also has to do with security controls when working with CUI. However, CMMC requirements are classified into five different maturity levels to assess the extent to which a contractor adopts the proper cybersecurity measures. For example, the first two levels have less requirements than the NIST SP 800-171, while the third level includes all the requirements and a few additional ones. Having these tiers gives you the flexibility to attain a CMMC level suitable to your organization and the type of Federal data you handle.

Overall, the main difference between DFARS and CMMC is that the latter has maturity levels, which involve practices in operation over a period of time instead of a point in time. Where complying with DFARS entails following specific controls, complying with CMMC helps earn a specific maturity level through implementation of specific practices. It is important, however, to note that the release of CMMC is not meant to replace standards laid out in DFARS.

The Role of DFARS in CMMC

What exactly will be the role of DFARS in CMMC? Most likely, this will be one of the main questions you have in mind. You can think of it this way: From 2020 onwards, all organizations that transmit and process CUI will have to comply with DFARS and ultimately the CMMC framework for their cybersecurity practices.

Third-party assessment organizations (3PAOs) will be in charge of conducting certification assessments for  your appropriate maturity level. You will only be allowed to bid for contracts that match your maturity rating, so it is important to know what CMMC practices you must follow. Based on the CMMC’s current version, you will need to have your CMMC level certification before or at the time the contract is awarded.

Generally, most companies must aim for a CMMC level  3, which signifies good cyber hygiene and is a minimum requirement for contracts involving CUI. However, if you practice DFARS compliance, you are already accomplishing about 85% of the requirements needed to achieve CMMC Level 3. In that sense, the role of DFARS in CMMC is that it constitutes a big portion of the practices required in the new framework.

Another way to think about it is that CMMC “builds” on existing DFARS requirements, so it would be inaccurate to consider it a replacement to DFARS. The two are not mutually exclusive, so being compliant with CMMC does not necessarily mean you are compliant with DFARS and vice versa. As mentioned above, you can earn a maturity level, CMMC levels 1 and 2, even without abiding by all DFARS requirements. Likewise, it is possible that you are fully compliant with DFARS but have yet to get a maturity level.

CMMC Rollout

Based on the DOD timeline, the CMMC program will fully roll out by 2026, at which the framework will apply to all contracts. However, starting 2020, some contracts have already begun to follow CMMC specifications, requiring contractors to hold a certain maturity level before bidding.

Based on the estimates given by the Accreditation Body (AB), it will take about eight to 12 weeks to process a Level 3 certification. The first phase, which entails preparation to pass the CMMC assessment, will usually take the longest since you may have to update or upgrade your systems based on the requirements. Thus, preparing as early as possible will be important to help ensure that you complete a successful CMMC certification assessment and are eligible to bid for your desired DOD contracts.

Because it will take about five years before full implementation of CMMC, the DFARS Interim Rule exists to guide the DIB into implementing NIST 800-171 as a starting point. Like CMMC, satisfying the DFARS Interim Rule is required to bid on DOD contracts.

Ensure Your Compliance with DFARS and CMMC Today

Security Compliance Associates offers a range of services to assess your cybersecurity controls and determine areas of improvement. Now that you understand the role of DFARS in CMMC and the importance of earning your CMMC certification, you can begin preparing for the assessments.

Contact us today at 727-571-1141 to get started. We can evaluate your organization to assess if you are following DFARS and CMMC requirements and conduct gap analyses, as needed, to help you attain your desired maturity level. Take an active step in strengthening your security regulations to protect controlled unclassified information and avoid threats from cyber-attacks.