Cybersecurity regulations can be confusing for many people, even for professionals who work in the field every day. For example, the Department of Defense (DoD) launched the Defense Federal Acquisition Regulation Supplement (DFARS) in 2016 as a government effort to protect national security interests from cybersecurity attacks. This publication subjected DoD contractors working with controlled information to greater regulation and scrutiny from government agencies. In addition, the Cybersecurity Maturity Model Certification (CMMC) framework was launched in 2020 to further increase defenses against cyber attacks through verifying compliance of defense contractors, although it has also created uncertainty about cybersecurity requirements in Federal Contract Information (FCI).
This post explains the differences and similarities between the CMMC cybersecurity framework and DFARS, especially DFARS clause 252.204-7012. While these two documents are related, their use in protecting information systems is distinct. Understanding this issue is crucial for DoD contractors to avoid problems with regulatory compliance regarding information security, especially as contractors progress through the process of obtaining their CMMC maturity level.
Beryllium InfoSec Collaborative continually works with its customers to navigate the complexity of these compliance regulations. We understand the challenges defense contractors face in staying current with these cybersecurity standards, which are subject to frequent change. Schedule a free consultation with our cybersecurity experts today if you need to be DFARS 252.204-7012 compliant. You are also required to implement all of the National Institute of Standards and Technology (NIST) Special Publication 800-171 controls to avoid fines or the loss of a contract. Call us at 763-546-8354 or contact us online.
DFARS addresses the need to protect data, especially Controlled Unclassified Information (CUI). The DoD implemented it to help its contractors protect sensitive information going into and out of their systems. Furthermore, the DoD requires all its contractors to align their processes with DFARS regulations, whether they’re prime contractors or subcontractors.
Compliance with DFARS is relatively straightforward. Contractors must implement the security controls needed to protect CUI and establish the processes that simplify the reporting of security events. Achieving both of these goals allows contractors to meet the goals of DFARS to protect CUI from threats and respond to breaches as promptly and efficiently as possible.
DFARS and CMMC are similar in many ways. CMMC shares many of the same goals as DFARS, chief among them ensuring that any type of government contractor uses security controls to protect CUI. In addition, CMMC draws heavily from DFARS. The main difference between the two sets of requirements is that CMMC adds a maturity model that DFARS lacks. Furthermore, the compliance structure of the two also differs significantly.
Unlike DFARS, CMMC uses multiple sets of security controls to create a hierarchy of five maturity levels, each with greater maturity than the one below it. These levels indicate the levels of data security that a contractor can provide, allowing the DoD and other government agencies to partner with the contractors that offer the protection appropriate for their procurement needs.
The following table shows the CMMC hierarchy:
The CMMC levels and their associated sets of processes and practices across domains are cumulative. An organization must therefore demonstrate a lower level of maturity before it can achieve the level above it. Furthermore, an organization must demonstrate both the requisite processes and practices for a specific CMMC level and the preceding lower levels to achieve that level. In cases where an organization demonstrates different maturity levels between processes and practices, the organization will be certified at the lower of the two levels.
The method of assessing compliance is another major difference between DFARS and the CMMC model. DFARS assists contractors in establishing the guidelines for a basic assessment, which generally involves monitoring security controls and assessing their effectiveness. They must also detect, contain and report breaches as soon as possible. Continuous self-assessment is a defining characteristic of DFARS.
In comparison, CMMC Third Party Assessment Organizations (C3PAOs) conduct assessments of contractors to determine their CMMC maturity level. The C3PAOs for CMMC assessments are usually Federal Risk and Authorization Management Program (FedRAMP) assessors, since they’re already experienced with the DoD assessment methodology. A CMMC assessment is typically performed after a contractor reports, based on its self-assessment, that it has achieved the next maturity level. As a result, DFARS and CMMC compliance overlap, but the assessment process is significantly different.
The CMMC model went into effect in 2020, so contractors often wonder why they still need to comply with DFARS requirements. The answer is that DFARS outlines the security controls and processes that CMMC requirements draw from. This relationship means that DoD contractors must comply with both DFARS and the requirements for their particular CMMC maturity level.
CMMC builds on DFARS 252.204-7012 and NIST SP 800-171, which together specify how CUI must be protected. The CMMC model cites DFARS/NIST SP 800-171 as the source for how CMMC defines the data that contractors must protect. The DFARS definition of this data covers two types. The first type is data that's “marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of, DoD in support of the performance of the contract.” The second type of data that contractors must protect is that which is “collected, developed, received, transmitted, used, or stored by, or on behalf of, the contractor in support of the performance of the contract.”
The use of DFARS to define the types of data that must be protected shows how essential it is to maintaining security. CMMC is simply the next step in validating the ongoing process of keeping data secure, since it reframes the way the DoD categorizes contractors based on their efforts to protect data. DFARS self-assessment still benefits contractors because it allows them to integrate their existing security policies into the CMMC certification requirements. Contractors are better able to protect CUI when they continually monitor their controls and maintain processes for containing a security breach as quickly as possible. This practice also makes them better able to protect their business from many of the consequences of such a breach.
The DoD will eventually require all members of the Defense Industrial Base (DIB) that store, process or transmit CUI or FCI to undergo CMMC assessments and audits by independent C3PAOs to verify their cybersecurity practices. Katie Arrington, undersecretary of defense for acquisition and sustainment, stated in 2021 that every contractor seeking to do business with the DoD would need at least CMMC Level 1 by 2026. However, many contractors will need at least CMMC Level 3, which naturally aligns with the DFARS / NIST SP 800-171 standard. DIB members who want to win DoD contracts should therefore obtain this level beginning in 2020, according to the Office of the Under Secretary of Defense.
Once an Organization Seeking Certification (OSC) passes a CMMC Level 3 audit by a C3PAO, the OSC would technically be compliant with both CMMC and DFARS 252.204-7012, because CMMC is a verification audit. The most likely scenario in which you can be compliant with DFARS but not CMMC is when your system security plan hasn't yet been assessed for its CMMC maturity level and you have gaps in your compliance program. It's also possible to hold a CMMC Level 1 certification but not be compliant with all aspects of DFARS, because CUI requirements begin at CMMC Level 3.
Contractors who store, process or transmit CUI need to begin working towards DFARS compliance as soon as possible, so they can earn the CMMC level needed for a contract award. This process is essential for DoD contractors to respond to Requests for Proposal (RFPs) and win future contracts. Contractors need to start implementing tools such as a secure file-sharing solution, encrypted email and storage, and security information and event management (SIEM), plus the supporting compliance documentation, to be DFARS compliant, which can be a time-consuming task. DFARS and CMMC compliance become much easier when the necessary security controls are already in place. All of these features (and more) are included with CUICK TRAC™.
CUICK TRAC™ is a cost-effective, practical and affordable solution that helps businesses receive, process and transmit CUI, which is essential for working with the federal government. The CMMC accreditation body requires continuous compliance with DFARS requirements, regardless of the specific level of CMMC certification. Prime contractors can use CUICK TRAC™ as their CUI risk management solution for their supply chain, while sub-contractors can also use it to comply with DFARS, to help succeed under CMMC more quickly and for a fraction of the cost of doing it themselves.
Speak with our security experts today, call us at 763-546-8354 or complete the online form to schedule your free consultation.