Navigating regulatory compliance within the Defense Industrial Base (DIB) can be complex. With numerous frameworks, models, and cybersecurity requirements in place, understanding your obligations is critical, especially if your organization wants to do business with the U.S. Department of Defense (DoD). Two of the most essential components are DFARS and CMMC. This blog explains what each is, how they differ, and why both are important.
What is DFARS?
The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of procurement regulations that supplements the Federal Acquisition Regulation (FAR). DFARS was formally established in 1987 to provide additional requirements specific to the DoD. Over time, cybersecurity provisions have become a major component—especially as contractors began handling sensitive digital information.
DFARS and Cybersecurity
Cybersecurity requirements within DFARS were first introduced in 2013 with clause 252.204-7012, which at that time required contractors to safeguard unclassified controlled technical information and report cyber incidents; later revisions broadened the scope to Covered Defense Information (CDI). These requirements were significantly expanded by the December 2015 interim rule (80 FR 81701) and formally adopted in the 2016 final rule. That amendment tied the clause to NIST SP 800-171, a formalized set of 110 security requirements for protecting Controlled Unclassified Information (CUI). The version DFARS currently points to is NIST SP 800-171 Rev. 2, incorporated in 2020. NIST published Rev. 3 in 2024, but a DoD class deviation keeps Rev. 2 as the required baseline for clause 7012, so contractors should not assess against Rev. 3 unless their contract says otherwise.
Key Regulations
DFARS 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting
This clause applies to DoD contractors that store, process, or transmit CDI (which includes CUI) and requires them to implement specific cybersecurity controls. More specifically, organizations must comply with NIST SP 800-171, a set of 110 security requirements designed to protect CUI. The clause also carries obligations beyond those 110 requirements: cyber incidents must be reported to DoD within 72 hours of discovery, images of affected systems and relevant logs must be preserved for at least 90 days, and any cloud service used for CDI must meet the FedRAMP Moderate baseline or an equivalent.
DFARS 252.204-7019: Notice of NIST SP 800-171 DoD Assessment Requirements
Introduced in November 2020, this clause requires contractors to complete a Basic (self-assessed) NIST SP 800-171 Assessment that is no more than three years old and to post the resulting score in the Supplier Performance Risk System (SPRS) before award.
DFARS 252.204-7020: NIST SP 800-171 DoD Assessment Requirements
Also introduced in 2020 under interim rule 85 FR 61505, this clause gives DoD the right to conduct Medium and High assessments of a contractor's NIST SP 800-171 implementation, requires the contractor to give government assessors access to its facilities, systems, and personnel, and must be flowed down to subcontractors that handle CUI.
DFARS 252.204-7021: Cybersecurity Maturity Model Certification Requirements
Added in late 2020 under the same interim rule, this clause requires contractors to hold the CMMC level specified in the contract and to maintain it for the life of the contract. The CMMC program itself is now codified under 32 CFR Part 170. Once the clause appears in a solicitation, a contractor must have the required level at the time of award.
What is CMMC?
The Cybersecurity Maturity Model Certification (CMMC) is a program developed by the DoD to verify that contractors are implementing the necessary controls to protect FCI and CUI. In its current form, CMMC consists of three levels: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert).
- Foundational (Level 1): The first level of CMMC requires that contractors implement basic cyber hygiene practices: the 15 basic safeguarding requirements of FAR 52.204-21, verified by an annual self-assessment and an annual affirmation in SPRS. This level applies only to organizations that handle Federal Contract Information (FCI) but no CUI.
- Advanced (Level 2): Most organizations will fall into this category. Level 2 requires that all 110 requirements of NIST SP 800-171 be implemented and, for most contracts, verified by a third-party assessment conducted by a CMMC Third-Party Assessment Organization (C3PAO) every three years, with an annual affirmation in between; some contracts will instead accept a Level 2 self-assessment. Level 2 applies to contractors that store, process, or transmit CUI.
- Expert (Level 3): The final maturity level of CMMC requires contractors to meet all Level 2 requirements plus 24 enhanced requirements drawn from NIST SP 800-172, verified by a government-led assessment conducted by the DIBCAC every three years. A contractor must already hold a current Level 2 certification from a C3PAO before a Level 3 assessment can be performed.
How do DFARS and CMMC Differ?
DFARS and CMMC are both crucial aspects of our nation's cyber defense posture, working in tandem to ensure that sensitive data is protected. However, there are differences in how each of them serves the larger DIB. CMMC is a model that lays out a set of cybersecurity requirements and divides them into maturity levels, while DFARS states which contractors those requirements apply to and how they must implement and attest to them.
The primary difference, however, is how compliance is verified: DFARS relies on contractors self-assessing and submitting their SPRS score to the DoD (which the DoD may then audit), while CMMC at Level 2 and above generally requires that organizations pass an independent assessment. You could think of DFARS as the "rulebook" whereas CMMC is the "exam". None of the controls required by CMMC are new. The framework exists for contractors to prove they're doing what they've promised in securing CUI.
If I'm Compliant with CMMC, am I Compliant With DFARS?
If you have implemented the necessary controls to be considered CMMC compliant, it is possible you are also compliant with DFARS. For example, DFARS 7012 and CMMC Level 2 align in their approach to securing CUI: each is based on NIST SP 800-171 and the 110 requirements contained therein. However, with CMMC, a self-attestation will not suffice for certification, as contractors will need to go a step further and pass a third-party assessment. The overlap is not complete in the other direction either: DFARS 7012 includes obligations that a CMMC assessment does not check, such as 72-hour cyber incident reporting to DoD, 90-day preservation of forensic images, and FedRAMP Moderate (or equivalent) requirements for cloud services that hold CDI. While there is significant overlap between the two, it is wise to pursue both of them together rather than assume that, because you're compliant with one, you're compliant with the other.
What's on the Horizon
As contractors look toward the future of CMMC and DFARS compliance, there are several significant developments on the horizon. The 48 CFR rule, which starts the DoD's phased rollout of CMMC into contracts, is expected to be finalized within the next six months. Once this rule is finalized, contractors will begin to see CMMC Level 2 requirements appear in many of their contracts, if they haven't already. Contractors should also be on the lookout for the FAR CUI rule, which would require implementation of NIST SP 800-171 for any federal contractor in possession of CUI, not only DoD contractors.
CorpInfoTech, a Trusted CMMC & DFARS Partner
CorpInfoTech is a managed service provider (MSP) that offers IT, cybersecurity, and CMMC compliance solutions to SMBs. We have undergone and passed our CMMC L2 third-party audit, making us C3PAO-certified. This allows us to serve contractors in a way that many MSPs cannot, as we understand the complexities of what it takes to comply with CMMC regulations. We've worked in the regulated space for years and understand the unique cyber threats that target the manufacturing industry. That's why we have tailored our services to adapt to your unique business needs.
Through TAS for CMMC Compliance, contractors will inherit 200+ of the 320 objectives required by CMMC, ensuring that achieving compliance is cost effective and efficient. Our solution isn't one-size-fits-all. We understand that every organization handles their data differently. Whether CUI is stored on-prem or in an enclave, CorpInfoTech has the resources and expertise to secure it!
Contact CorpInfoTech today to learn how TAS for CMMC Compliance can help you reach your compliance goals!