Securing Controlled Unclassified Information (CUI) is critical. It’s valuable information that needs to be handled appropriately by defense contractors. Both the Defense Federal Acquisition Regulation Supplement (DFARS) and the Cybersecurity Maturity Model Certification (CMMC) address keeping CUI secure. Let’s take a closer look at DFARS and CMMC, what they have in common, and how they’re different.
DFARS was implemented in 2017. Department of Defense (DoD) contractors and downstream suppliers to defense contractors must be compliant with DFARS. To be compliant with DFARS, businesses must produce:
- A System Security Plan (SSP).
- A Plan of Action and Milestones (POAM).
- A CUI Environment Management Team (CEMT).
With DFARS, organizations complete and submit self-assessments to the DoD. The DoD reserves the right to audit and conducts several hundred each year.
CMMC is a relatively new framework for ensuring CUI is protected. Any contractor or organization doing business with the DoD – spanning the entire supply chain of prime contractors and their subcontractors – must meet CMMC requirements and achieve certification. Although CMMC compliance officially began in 2020, the DoD will add CMMC standards into new contracts until all entities are covered by the year 2025. It assesses organizations based on five maturity levels:
- Level 1—Basic Cyber Hygiene
- This level has 17 security practices that must be implemented.
- Level 2—Intermediate Cyber Hygiene
- This level requires documented procedures and policies and an additional 55 security practices.
- Level 3—Good Cyber Hygiene
- Organizations at this level can demonstrate good cyber hygiene and have implemented CUI controls. This includes an additional 58 practices. Organizations that access or generate CUI must achieve this level.
- Level 4—Proactive
- Organizations at this level have implemented advanced cybersecurity practices. This level includes an additional 26 practices.
- Level 5—Advanced/Progressive
- At this level, organizations can repel advanced persistent threats (APTs). Security practices are standardized across the organization. This level has an additional 15 practices.
CMMC compliance is assessed by third-party assessment organizations (3PAOs).
DFARS vs. CMMC
Both DFARs and CMMC have the same goals: protecting CUI. Becoming DFARS compliant will help you move up maturity levels in the CMMC framework. CMMC builds on what was started with DFARs, and the documentation developed while becoming DFARS compliant is essential to advancing through CMMC levels.
The biggest difference between the two is how they’re assessed (self-assessment vs. third-party assessment). While there’s some overlap between the two, it’s possible to be DFARS compliant without being CMMC compliant and vice versa. We’ve helped organizations in pursuit of both DFARS and CMMC authorizations. Ultimately, we’ll help you evaluate contractual / market needs that will drive your organization’s decision.
DFARs Interim Rule
Before adopting CMMC, companies simply had to affirm that they followed NIST 800-171 controls without providing any evidence or undergoing an assessment. After this allowed for many compliance gaps and data breaches, the DFARS Interim Rule was put in place, requiring companies to officially assess and score their compliance based on a scoring rubric developed by the U.S. Department of Defense.
Trying to be compliant with two frameworks might seem like an overwhelming task. Peters & Associates can help. We’ve helped organizations in pursuit of both DFARS and CMMC compliance. Peters & Associates meets and exceeds CMMC Level 1 requirements, having achieved the CompTIA Security Trustmark+ designation, based on the NIST Cybersecurity Framework.
We can help companies comply with DFARS, including the DFARS Interim Rule, CMMC, NIST and ISO standards (including NIST 800-171 and NIST 800-53), and other compliance regulations. Whether you are looking to address specific compliance challenges or seeking guidance to identify compliance gaps and security concerns, we can help. Contact us today.