In 2016, the Department of Defense (DoD) launched the Defense Federal Acquisition Regulation Supplement (DFARS). Its goal was simple: to protect the Defense Industrial Base (DIB) from cybersecurity threats. For DoD contractors, DFARS meant additional regulations for anyone working with controlled information.
But DFARS wasn’t secure enough.
Last year, the Cybersecurity Maturity Model Certification (CMMC) framework launched as the DoD’s next stage to secure the DIB.
So, what does that mean for DFARS?
Today, we’re going to break down the difference between DFARS and CMMC, and how to prepare yourself for the new CMMC regulations.
What’s the difference between DFARS and CMMC?
In basic terms, what is DFARS?
DFARS is a set of cybersecurity regulations and standards required by the DoD.
Under DFARS, a DoD contractor must have appropriate security controls in place to protect CUI (controlled unclassified information). Also, the contractor must have the processes established to report cybersecurity events.
Under DFARS, the DoD requires contractors to continuously self-assess to keep data protected.
What is CMMC?
CMMC shares the central goal of DFARS: securing the DIB. It also targets all government contractors and subcontractors.
In essence, it is a cybersecurity assessment model and certification program.
To put it simply, the CMMC framework relies on a maturity model.
That is, CMMC groups different security controls into a hierarchy of levels. There are currently five maturity levels, and each level builds upon the last. In other words, to achieve compliance at level 2, you must first be compliant with level 1.
So, what are the major differences between the two?
Unlike DFARS, CMMC is not based on self-assessment.
So, before a contractor receives a government contract, they must hold a CMMC certification.
All contractors can attain a CMMC certification by passing an audit by a CMMC Third-Party Assessment Organization (C3PAO).
The C3PAO auditor will assess the contractor’s technical controls, documentation, and security policies. Their assessment will also check compliance with certain mandatory practices, procedures, and capabilities.
After the evaluation, the contractor will receive a certification level from 1 to 5.
Why is DFARS not good enough anymore?
The DFARS mandate required contractors to ensure compliance with the NIST SP 800-171 framework. But there was no process to check whether a contractor actually met the requirements. As a result, the NIST SP 800-171 controls were essentially guidelines, not rules.
The government recognized that the DFARS self-assessment could not meet their needs in terms of security.
The CMMC is a response to the issues that arose with DFARS. The goal of the CMMC is to provide a clearer cybersecurity roadmap with defined levels.
Do I need to be DFARS compliant in 2021?
Yes, because CMMC draws from the security controls and processes outlined by DFARS. This means contractors need to work to comply with both the CMMC level requirements and DFARS to maintain data security.
Moreover, you are legally required to be DFARS compliant. Last year, the DoD issued an Interim Final Rule to amend DFARS, which went into effect on November 30, 2020.
The Interim Final Rule requires mandatory, scored self-assessments against NIST SP 800-171. The rule serves as a bridge connecting DFARS to CMMC.
To create a bridge, the interim rule added two clauses:
DFARS provision 252.204-7019: a solicitation clause that requires contractors to provide a current self-assessment. These self-assessments must be uploaded to the Supplier Performance Risk System (SPRS). The SPRS acts as the central database for NIST assessment scores and DFARS compliance.
DFARS clause 252.204-7020: defines the NIST SP 800-171 DoD Assessment Methodology that contractors must use when conducting self-assessments.
Can I use my self-assessment to receive a CMMC certification?
No, a company cannot use its SPRS self-assessment as a CMMC assessment. You can only receive a CMMC certification by passing a C3PAO audit.
How to prepare for CMMC & DFARS in 2021?
Unfortunately, if you haven’t begun any certification process, you are falling behind your competitors.
Compliance and security for a small business’s network is a full-time job, but many organizations don’t have personnel with the skills to handle the task.
That’s where MRW Systems’ cybersecurity team, NetGarde, comes in.
NetGarde will help you meet compliance requirements with confidence. Whether you need help with CMMC, DFARS, NIST, or something else, we can help you.
To learn more about our CMMC solutions, please visit: https://www.mrwsystems.com/cmmc-solutions/