Updated May 30, 2024
This guest post originally appeared on Carahsoft.com https://www.carahsoft.com/community/carahsoft-understanding-dfars-cmmc-2-0-blog-2022 and is re-published with their permission.
Cybersecurity challenges continue to grow in impact and complexity, especially as they relate to government and Defense information. In response to increasing hacking and cyber-attacks, the Department of Defense (DoD) has released the DFARS and CMMC information management and cybersecurity standards to reduce the risk of system compromises within government agencies and the defense industrial base (DIB) that supports them. By complying with these guidelines, government contractors partnered with the DoD can better mitigate security breaches and protect the sensitive government and military data in their care.
WHAT ARE THE DFARS AND CMMC FRAMEWORKS?
The Defense Federal Acquisition Regulation Supplement (DFARS) expands on the standards companies must follow to begin or renew a contract with the DoD. These regulations in Clause 252.204-7012 (7012), “Safeguarding Covered Defense Information and Cyber Incident Reporting,” revolve around protecting Controlled Unclassified Information (CUI) from falling into the wrong hands through unauthorized access or disclosure.[1] DFARS was initiated in 2016 as a requirement for contractors within the Defense Industrial Base (DIB)[2] to increase their data education, physical security, cybersecurity measures, cyber-attack reports and alerts to the DoD. The requirements in Clause 7012 allow patterns to be assessed and more adequately countered through refined regulations.[3]
Through enhancing security in these areas, the DoD strives to protect the national economy and sensitive data by reducing vulnerabilities and monitoring threats.
To achieve DFARS Clause 252.204-7012 compliance, companies must develop security standards in 14 areas by conducting a gap analysis to identify the company’s current standing and protocols, establishing a remediation plan to align with DFARS standards, continuously tracking suspicious activity, and reporting security breaches. Finally, contractors must complete a National Institute of Standards and Technology (NIST) SP 800-171 DoD Basic Assessment and document their compliance in the Supplier Performance Risk System (SPRS).[3]
In 2020, the DoD launched the Cybersecurity Maturity Model Certification (CMMC), initially announcing it as a DFARS replacement. The DoD later clarified that CMMC was an additional but complementary framework.[4] Any prime or subcontractor handling national security information and seeking to work with the DoD must follow both DFARS Clause 7012 cybersecurity standards and the appropriate level of CMMC to match the degree of their information sensitivity.
CMMC 2.0 UPDATES
Because of the initial confusion surrounding CMMC, in November 2021, the DoD released CMMC 2.0 to clarify the original specifications. This update reduced the original five maturity levels to three and made compliance more feasible for small businesses by not requiring third-party assessments for the first tier. CMMC 2.0 also provides additional flexibility in the compliance timeline.[5]
In the new version, the tiers build on each other and include:
- Level 1 – Foundational: requires the fulfillment of 17 best practices verified through annual self-assessment
- Level 2 – Advanced: incorporates NIST SP 800-171 standards plus an additional 110 best practices. Some are verified through annual self-assessment, and others are verified through triennial third-party assessment (determined per contract)
- Level 3 – Expert: aligns with NIST SP 800-172 standards as well as over 110 best practices verified through triennial third-party assessment
The distinction between these levels allows companies to comply with the tier that matches their involvement with CUI. This level also dictates what contracts companies are permitted to bid on. Companies that already comply with DFARS have a head start in achieving CMMC 2.0 compliance.[2]
The NIST SP 800-172 document describes three goals for these frameworks to prevent malicious activity from compromising CUI:
- Develop infiltration-resistant systems
- Install damage-limiting procedures
- Promote cyber resiliency and attack survivability[6]
With this new release, the DoD aims to streamline the process and lower the barrier of entry to save contractors’ resources. Allowing companies to create Plans of Action & Milestones (POA&Ms) as a placeholder enables them to work toward compliance while still receiving contract awards.[5]
CMMC 2.0 was expected to be officially published in March 2023 and start appearing in contracts in May 2023. However, the timeline has been delayed due to personnel changes and COVID-19. CMMC 2.0 is now expected to be phased in starting in Q1 2025 and be included in all DoD contractor and subcontractor contracts by 2028.
While the CMMC 2.0 program has been delayed, companies should start their journey toward compliance now. Once in place, all DoD contracts under competitive acquisition will include an assigned CMMC level as a prerequisite that bidders must demonstrate compliance with to be eligible for the contract.[1] The Cyber Accreditation Body (Cyber AB) estimates 8-12 weeks for the average maturity level assessment to process.[2] Companies’ compliance costs depend on the gap between their organization’s existing cybersecurity posture and the desired CMMC level. In some cases, the DoD notes that cybersecurity contracts can cover contractor upgrades under “allowable costs.”[7]
DIFFERENCES BETWEEN DFARS AND CMMC
Both the DFARS and CMMC frameworks center around data protection through security controls; however, they differ in their compliance assessment.
With DFARS Clause 252.204-7012, organizations monitor their own systems without external inspection or verification of proper data generation, storage and transmission. CMMC 2.0 combines self-assessment and assessments by Third Party Assessment Organizations (3PAOs) that determine an organization’s eligibility for a specific maturity level.[8]
Another difference between DFARS and CMMC is the three levels included in CMMC. DFARS Clause 7012 contains only one tier that lays out ground rules for handling CUI and increasing security in the DIB. CMMC differs from DFARS in that it institutes maturity levels to classify the extent of cybersecurity protective measures. The first CMMC 2.0 maturity level contains fewer requirements than the NIST SP 800-171, which is the basis for DFARS Clause 7012. Level 2 is identical to NIST SP 800-171 Rev 2 and nearly the same as DFARS Clause 7012, with the exception of additional assessments, while the final CMMC level requires more guardrails.[2]
Although similar in some respects, DFARS Clause 252.204-7012 and CMMC are not interchangeable standards. Qualifying for one does not automatically mean qualification for, or compliance with, the other.
THE IMPACT OF NIST SP 800-171 REVISION 3
NIST released NIST SP 800-171 Revision 3 (Rev 3) on May 14, 2024, making changes to the security requirements and supporting information for the protection of CUI. However, prior to the release of Rev 3, the DoD issued an indefinite class deviation for DFARS 7012, making NIST SP 800-171 Revision 2 (Rev 2) the DFARS standard for the time being. Previously, DFARS 7012 required contractors to follow the NIST revision in effect at the time the solicitation was issued. Both DFARS and CMMC will continue to follow NIST SP 800-171 Rev 2 as the baseline until the DoD requires Rev 3 to be rolled out.
IMPORTANCE OF DFARS AND CMMC COMPLIANCE
Implementing DFARS Clause 252.204-7012 and CMMC guidelines has larger ramifications than just meeting the DoD requirements for contracting. The guidelines also strive to protect national security and the economy, as well as develop a solid foundation for data and cyber health for participating organizations, which establishes their credibility and furthers their reputation in the field.
These standards have a large impact on the DoD contracting industry with the integration of DFARS Clause 7012 and CMMC affecting an estimated 100,000 companies.[9] In FY2020, the DoD spent over $665 billion on contracts.[10] According to the US Council of Economic Advisors, the national economy could lose over $1 trillion by 2026 because of cyber-attacks. By following regulations such as DFARS Clause 7012 and CMMC, contractors can do their part to fortify their data security and strengthen national security.[3]
Instituting adequate cyber hygiene, such as server health checks, multi-factor authentication, and zero trust user profiles, not only enables companies to meet DoD mandates, but also safeguards organizations from increased hacking.
While CMMC 2.0 is expected to have a five-year phase-in process and is not an immediate requirement across the board, it is imperative that contractors begin investigating their compliance status and initiate the precursory work to meet the requirements of their desired maturity level. By planning in advance and starting the process now, organizations can adequately budget for compliance and have a proactive advantage by being ready before all contracts officially shift to requiring CMMC compliance.
Failure to comply can result in major consequences for companies, including fines, a halt on current contracts and a future ban on working with the DoD. An organization’s disqualification from contracts would also cause revenue loss and harm its reputation in the field.[3] A lack of cybersecurity information management standards could also expose companies to serious data breaches and repair costs.
DFARS AND CMMC: UNIVERSAL PROTECTIVE MEASURES
Executing a strong, proactive cybersecurity approach is crucial. DFARS and CMMC standards offer guidance in implementing a flexible operational strategy and threat response sufficient to withstand attacks. Together these programs provide safeguards for sensitive information, increase DIB cybersecurity to address advancing threats, institute accountability measures while maintaining a streamlined process, and encourage public trust through good ethics. While DFARS and CMMC are different, they complement each other in protecting national interests and ultimately promoting contractors’ best interests.
Learn how archTIS can help you meet DFARS, CMMC and NIST 800-171 CUI and FCI labeling, marking, access and data protection guidelines in your Microsoft 365, SharePoint On-premises and File Share environments.
[1] “Implementation of DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting,” Office of the Under Secretary of Defense, https://www.acq.osd.mil/dpap/policy/policyvault/USA002829-17-DPAP.pdf
[2] “Understanding the Relationship Between DFARS and CMMC,” SCA Security, https://scasecurity.com/blog/the-role-of-dfars-in-cmmc/
[3] “What Is DFARS? (+ Your Compliance Checklist),” SCA Security, https://scasecurity.com/blog/what-is-dfars/
[4] “Fundamentals of Cybersecurity Maturity Model Certification (CMMC) 2.0,” Apptega, https://www.apptega.com/frameworks/cmmc-certification/
[5] “CMMC 2.0: What You Need to Know About the Latest Version,” SCA Security, https://scasecurity.com/blog/cmmc-2-0/
[6] “Your Guide to the New CMMC 2.0 Levels,” SCA Security, https://scasecurity.com/blog/your-guide-to-the-new-cmmc-2-0-levels/
[7] “What Is CMMC?” Cisco, https://www.cisco.com/c/en/us/products/security/what-is-cmmc.html#~the-basics-of-cmmc
[8] “What is the Difference Between CMMC and DFARS?” FTP Today, https://www.ftptoday.com/blog/difference-between-cmmc-dfars#:~:text=The%20biggest%20difference%20between%20the,government%20agencies%20they%20partner%20with
[9] “DFARS Interim Rule Compliance 101: What You Need to Know,” SCA Security, https://scasecurity.com/blog/defense-federal-acquisition-regulation/
[10] “The Importance of CMMC And Its Impact,” SeaGlass Technology, https://www.seaglasstechnology.com/the-importance-of-cmmc-and-its-impact/
Guest Author: Alex Whitworth
CMMC Program Executive, Carahsoft
Alex Whitworth is an IT executive with more than 12 years of experience in all aspects of public sector sales, marketing and channel development. As Director at Carahsoft Technology Corp., he manages several sales teams, providing leadership and insight into the Public Sector IT marketplace. His teams play a major role in supporting the government’s evolving cybersecurity demands, with a deep focus towards supporting agencies with successful zero trust adoption. In addition, he leads Carahsoft Technology Corp.’s corporate strategic efforts in helping organizations meet compliance with the DoD’s CMMC initiative.