Understanding the Differences Between DFARS and CMMC

This guest post originally appeared on Carahsoft.com https://www.carahsoft.com/community/carahsoft-understanding-dfars-cmmc-2-0-blog-2022 and is re-published with their permission.

Cybersecurity challenges continue to grow in impact and complexity, especially as they relate to government and Defence information. In response to increasing hacking and cyber attacks, the Department of Defense (DoD) has released the DFARS and CMMC information management and cybersecurity standards to reduce the risk of system compromises within government agencies and the defense industrial base (DIB) that supports them. By complying with these guidelines, government contractors partnered with the DoD can better mitigate security breaches and protect the sensitive government and military data in their care.

WHAT ARE THE DFARS AND CMMC FRAMEWORKS?

The Defense Federal Acquisition Regulation Supplement (DFARS) expands on the standards companies must follow to begin or renew a contract with the DoD. These regulations in Clause 252.204-7012 (7012), “Safeguarding Covered Defense Information and Cyber Incident Reporting,” revolve around protecting Controlled Unclassified Information (CUI) from falling into the wrong hands through unauthorized access or disclosure.^[1] DFARS was initiated in 2016 as a requirement for contractors within the Defense Industrial Base (DIB)^[ 2] to increase their data education, physical security, cybersecurity measures, cyber-attack reports and alerts to the DoD. The requirements in Clause 7012 allow patterns to be assessed and more adequately countered through refined regulations.^[3]

Through enhancing security in these areas, the DoD strives to protect the national economy and sensitive data by reducing vulnerabilities and monitoring threats.

To achieve DFARS Clause 252.204-7012 compliance, companies must develop security standards in 14 areas by conducting a gap analysis to identify the company’s current standing and protocols, establishing a remediation plan to align with DFARS standards, continuously tracking suspicious activity and reporting security breaches. Finally, contractors must complete a National Institute of Standards and Technology (NIST) SP 800-171 DoD Basic Assessment and document their compliance with the Supplier Performance Risk System (SPRS).^[3]

In 2020, the DoD launched the Cybersecurity Maturity Model Certification (CMMC), initially announcing it as a DFARS replacement. The DoD later clarified that CMMC was an additional but complementary framework.^[4] Any prime or subcontractor handling national security information and seeking to work with the DoD must follow both DFARS Clause 7012 cybersecurity standards and the appropriate level of CMMC to match the degree of their information sensitivity.

PENDING CMMC 2.0 UPDATES

Because of the initial confusion surrounding CMMC, in November 2021, the DoD released CMMC 2.0 to clarify the original specifications. This update reduced the original five maturity levels to three and made compliance more feasible for small businesses by not requiring third-party assessments for the first tier. CMMC 2.0 also provides additional flexibility in the compliance timeline.^[5]

In the new version, the tiers build on each other and include:

• Level 1 – Foundational: requires the fulfillment of 17 best practices verified through annual self-assessment
• Level 2 – Advanced: incorporates NIST SP 800-171 standards plus an additional 110 best practices. Some are verified through annual self-assessment, and others are verified through triennial third-party assessment (determined per contract)
• Level 3 – Expert: aligns with NIST SP 800-172 standards as well as over 110 best practices verified through triennial third-party assessment

The distinction between these levels allows companies to comply with the tier that matches their involvement with CUI. This level also dictates what contracts companies are permitted to bid on. Companies that already comply with DFARS have a head start in achieving CMMC 2.0 compliance.^[2]

The NIST SP 800-172 document describes three goals for these frameworks to prevent malicious activity from compromising CUI:

• Develop infiltration-resistant systems
• Install damage-limiting procedures
• Promote cyber resiliency and attack survivability^[6]

With this new release, the DoD aims to streamline the process and lower the barrier of entry to save contractors’ resources. Allowing companies to create Plans of Action & Milestones (POA&Ms) as a placeholder enables them to work toward compliance while still receiving contract awards.^[5]

CMMC 2.0 was expected to be officially published in March 2023 and start appearing in contracts in May 2023.  However, the timeline has been delayed due to personnel changes and COVID-19. While the DoD has released no information on the new timeline, industry experts speculate it will come into play in late 2023 or early 2024.

While the CMMC 2.0 program has been delayed, companies should start initiating their journey toward compliance starting from now. Once in place, all DoD contracts under competitive acquisition will include an assigned CMMC level as a prerequisite that bidders must demonstrate compliance with to be eligible for the contract.[1] The Cyber Accreditation Body (Cyber AB) estimates 8-12 weeks for the average maturity level assessment to process.^[2] Companies’ compliance costs depend on the gap in their existing organization’s cybersecurity posture and the desired CMMC level. In some cases, the DoD notes that cybersecurity contracts can cover contractor upgrades under “allowable costs.”^[7]

DIFFERENCES BETWEEN DFARS AND CMMC

Both the DFARS and CMMC frameworks center around data protection through security controls; however, they differ in their compliance assessment.

With DFARS Clause 252.204-7012, organizations monitor their own systems without external inspection or verification of proper data generation, storage and transmission. CMMC 2.0 combines self-assessment and assessments by Third Party Assessment Organizations (3PAOs) who determine an organization’s eligibility for a specific maturity level.^[8]

Another difference between DFARS and CMMC is the levels included in CMMC. DFARS Clause 7012 contains only one tier that lays out ground rules for handling CUI and increasing security in the DIB. CMMC differs from DFARS in that it institutes maturity levels to classify the extent of cybersecurity protective measures. The first CMMC 2.0 maturity level contains fewer requirements than the NIST SP 800-171, which is the basis for DFARS Clause 7012. Level 2 is identical to NIST SP 800-171 and nearly the same as DFARS Clause 7012, with the exception of additional assessments, while the final CMMC level requires more guardrails.^[2] 

In addition, NIST is in the process of making changes to the security requirements and supporting information for the protection of CUI in SP-800-171, which are anticipated to go into effect in Q2 of FY24. Contractors must also be aware of these changes to remain in compliance.

Although similar in some respects, DFARS Clause 252.204-7012 and CMMC are not interchangeable standards. Qualifying for one does not instantly precipitate qualification and compliance with the other.

IMPORTANCE OF DFARS AND CMMC COMPLIANCE

Implementing DFARS Clause 252.204-7012 and CMMC guidelines has larger ramifications than just meeting the DoD requirements for contracting. The guidelines also strive to protect national security and the economy, as well as develop a solid foundation for data and cyber health for participating organizations which establishes their credibility and furthers their reputation in the field.

These standards have a large impact on the DoD contracting industry with the integration of DFARS Clause 7012 and CMMC affecting an estimated 100,000 companies.^[9] In FY2020, the DoD spent over $665 billion on contracts.^[10] According to the US Council of Economic Advisors, the national economy could lose over $1 trillion by 2026 because of cyber-attacks. By following regulations such as DFARS Clause 7012 and CMMC, contractors can do their part to fortify their data security and strengthen national security.^[3]

Instituting adequate cyber hygiene, such as server health checks, multi-factor authentication, and zero trust user profiles, not only enables companies to meet DoD mandates, they also safeguard organizations from increased hacking.

While CMMC 2.0 is expected to have a five-year phase-in process and is not an immediate requirement across the board, it is imperative that contractors begin investigating their compliance status and initiate the precursory work to meet the requirements of their desired maturity level. By planning in advance and starting the process now, organizations can adequately budget for compliance and have a proactive advantage by being ready before all contracts officially shift to requiring CMMC compliance.

Failure to comply can result in major consequences for companies, including fines, a halt on current contracts and a future ban on working with the DoD. An organization’s disqualification from contracts would also cause revenue loss and harm its reputation in the field.^[3] A lack of cybersecurity information management standards could also expose companies to serious data breaches and repair costs.

DFARS AND CMMC: UNIVERSAL PROTECTIVE MEASURES

Executing a strong, proactive cybersecurity approach is crucial. DFARS and CMMC standards offer guidance in implementing a flexible operational strategy and threat response sufficient to withstand attacks. Together these programs provide safeguards for sensitive information, increase DIB cybersecurity to address advancing threats, institute accountability measures while maintaining a streamlined process, and encourage public trust through good ethics. While DFARS and CMMC are different, they complement each other in protecting national interests and ultimately promoting contractors’ best interests.

Learn more about how archTIS can help you meet CMMC and NIST 800-171 CUI and FCI handling guidelines in your Microsoft 365, SharePoint On-premises and File Share environments.

[1] “Implementation of DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting,” Office of the Under Secretary of Defense, https://www.acq.osd.mil/dpap/policy/policyvault/USA002829-17-DPAP.pdf

[2] “Understanding the Relationship Between DFARS and CMMC,” SCA Security, https://scasecurity.com/blog/the-role-of-dfars-in-cmmc/

[3] “What Is DFARS? (+ Your Compliance Checklist),” SCA Security, https://scasecurity.com/blog/what-is-dfars/

[4] “Fundamentals of Cybersecurity Maturity Model Certification (CMMC) 2.0,” Apptega, https://www.apptega.com/frameworks/cmmc-certification/

[5] “CMMC 2.0: What You Need to Know About the Latest Version,” SCA Security, https://scasecurity.com/blog/cmmc-2-0/

[6] “Your Guide to the New CMMC 2.0 Levels,” SCA Security, https://scasecurity.com/blog/your-guide-to-the-new-cmmc-2-0-levels/

[7] “What Is CMMC?” CISCO, https://www.cisco.com/c/en/us/products/security/what-is-cmmc.html#~the-basics-of-cmmc

[8] “What is the Difference Between CMMC and DFARS?” FTP Today, https://www.ftptoday.com/blog/difference-between-cmmc-dfars#:~:text=The%20biggest%20difference%20between%20the,government%20agencies%20they%20partner%20with

[9] “DFARS Interim Rule Compliance 101: What You Need to Know,” SCA Security, https://scasecurity.com/blog/defense-federal-acquisition-regulation/

[10] “The Importance of CMMC And Its Impact,” SeaGlass Technology, https://www.seaglasstechnology.com/the-importance-of-cmmc-and-its-impact/

Posted in Cybersecurity, Department of Defense, Government Data | Tagged CMMC, Cybersecurity, Department of Defense, DFARS, DoD, NIST