What is the Difference Between CMMC, DFARS, and NIST 800-171?

Posted by IMEC on Sep 15, 2020 11:47:13 AM

This is an original post by Roisin Coleman of Alpine Security.

Without Cybersecurity Maturity Model Certification (CMMC) compliance, a contractor will be barred from all future Department of Defense (DoD) contracts. The CMMC officially launched in January 2020, building upon the DFARS and NIST 800-171 standards with additional requirements for vendors working with the DoD. Understanding CMMC and how it differs from DFARS and NIST 800-171 is crucial to the current and future success of government contractors.

DFARS stands for “Defense Federal Acquisition Regulation Supplement”. It is a set of cybersecurity regulations that any vendor bidding for contracts with the DoD must meet. In addition to requiring compliance with the controls in NIST 800-171, DFARS includes a clause for Safeguarding Covered Defense Information and Cyber Incident Reporting, 252.204-1012, through which DFARS protects the government’s supply chain from cyberattacks by defending “Controlled Unclassified Information” (CUI). This clause ensures that CUI is safeguarded from cyber incidents that can affect the organizations, people, activities, information, and resources involved in supplying a product or service to the DoD. DFARS also requires vendors to report incidents that affect CUI or impair a contractor’s ability to perform critical support for the government.

To be DFARS compliant, organizations must pass an assessment that follows NIST 800-171. NIST 800-171 supplies clear guidelines on best practices for information security. Its primary goal is to protect the confidentiality of unclassified information and reduce the risk of data breaches. NIST 800-171 underpins standards like DFARS and the CMMC.

CMMC is the DoD’s next step in protecting national security data and networks from cyberattacks. CMMC shares the same goals as DFARS but reevaluates how the government categorizes vendors’ cybersecurity posture. CMMC builds on DFARS by clarifying security controls and adding further requirements for compliance. This model ranks the maturity of a vendor’s cybersecurity program from “Basic Cybersecurity Hygiene” to “Advanced” based on its data protection efforts. Achieving higher CMMC levels enhances the contractor’s ability to protect CUI and guard against adversary attacks. Unlike DFARS, CMMC requires assessments to be conducted by Third Party Assessment Organizations.

The CMMC model is continually being updated. You can find the latest version here.


Defense contractors: are you prepared to meet the new DoD cybersecurity requirements?

With current and future DoD contracts at stake, compliance is a strategic necessity that contractors cannot ignore. And with third-party certification audits to be conducted in 2020, time is running out for manufacturers to reach compliance.

IMEC and Alpine Security are offering a 6-part Cybersecurity Resiliency for Defense Contractors Webinar Series to help you understand the complete requirements for DoD contractors. Register for the DFARS & CMMC overview session, and check out the rest of the series below!

Session 2: DFARS & CMMC Overview
October 15 | 10:00 am - 11:30 pm
This session will discuss why DFARS exists, current requirements for companies with Controlled Unclassified Information (CUI) or DoD Covered Defense Information (CDI), and what CMMC is.

Written by IMEC

Topics: manufacturers, cybersecurity, DoD Contractors, cybersecurity maturity model certification, defense manufacturing
