A Guide to CMMC 2.0 & DFARS Compliance Requirements


A Guide to CMMC 2.0 & DFARS Compliance Requirements

The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of cybersecurity rules, guidelines, and regulation codes used by the Department of Defense (DoD) to safeguard controlled unclassified information (CUI) obtained and transmitted by contractors and subcontractors. If your business provides products and services to the DoD, it must first comply with DFARS regulations.

 

What Are the Minimum DFARS Requirements?

If you need your business to be compliant to DFARS regulations, it should meet the minimum requirements set by the DoD, which are:

  1. Providing sufficient security measures to protect covered defense information moving through or residing in your infrastructure from disclosure and unauthorized access.
  2. Reporting cybersecurity incidents and working with the DoD to quickly address such incidents. This includes submitting compromised media and malicious software.

In addition, before your company can be DFARS compliant, it needs to pass an assessment that follows NIST SP 800-171 guidelines, which cover these points:

  • Access control
  • Awareness and training
  • Audit and accountability
  • Configuration management
  • Identification and authentication
  • Incident response
  • Maintenance
  • Media protection
  • Personal security
  • Physical protection
  • Risk assessment
  • Security assessment
  • System and communications protection
  • System and information integrity

What Is CMMC 2.0 Compliance and Why Is it Necessary?

In 2015, the DoD published DFARS compliance, which requires DoD contractors to adopt the cybersecurity standards set by NIST SP 800-171. This is to protect the DoD's supply chain from foreign and domestic cyberattacks. After DFARS was published, more than 300,000 DoD contractors rushed to understand it and implement NIST SP 800-171 standards to be considered compliant. 

However, some contractors chose not to comply with DFARS, while others lied about being compliant. Because of this, the DoD published the Cybersecurity Maturity Model Certification (CMMC) to ensure contractors have the appropriate levels of cybersecurity protocols. In late January 2020, the first version of CMMC was released, and was updated to CMMC 2.0 in November 2021. 

CMMC 2.0 and DFARS: What's the Difference?

DFARS and CMMC are almost identical in many ways, since the latter draws heavily from the former. However, there are still some differences between the two. 

For instance, the CMMC 2.0 model categorizes contractors into three different levels of maturity depending on the complexity of their cybersecurity policies and practices. By doing this, the DoD can ensure that contractors have the proper cybersecurity protocols to protect federal contract information (FCI) and CUI.

CMMC 2.0 regulations state that the cybersecurity posture of DoD contractors must be evaluated by an external auditor before the appropriate CMMC 2.0 level can be assigned. All external auditors are required to receive training from the CMMC 2.0 accreditation body before a license can be issued.

DFARS, on the other hand, requires contractors to comply with all 14 security guidelines found in the NIST SP 800-171. And unlike CMMC 2.0, DFARS regulations allow contractors to self-assess their cybersecurity posture. 

Who Needs to Be CMMC 2.0 Compliant?

All prime contractors and subcontractors working for the DoD should be DFARS and CMMC 2.0 certified. A prime contractor is a company that works directly with the DoD and needs a high-level certification. A sub-tier supplier is a company that is subcontracted by a prime contractor to work on projects relevant to the supply chain. 

A contractor's access to CUI will determine the level of certification it needs. If a contractor does not handle or manage CUI but works with federal contract information (FCI), the contractor should comply with Federal Acquisition Regulation (FAR) Clause 52.204-21.

The CMMC 2.0 Compliance Levels Explained

If your company is planning to be a contractor for the DoD, there are three CMMC 2.0 certification levels you have to know about. 

CMMC 2.0 Level 1: Foundational Cyber Maturity

Guided by the Federal Acquisition Regulation (FAR), this is the minimum level of cyber hygiene required to hold Federal Contract Information (FCI), beyond the DoD. A level 1 certification indicates that cybersecurity best practices concerning the identified controls are “performed” and included in the business’s processes.

This is the easiest of the three levels to achieve, and contractors may self-certify.

 CMMC 2.0 Level 2: Advanced Cyber Maturity

Any company working with CUI should aim for this level. It is comparable to the former CMMC Level 3. These requirements are in complete alignment with NIST SP 800-171 practices. All practices and maturity processes that were unique to CMMC 1.0 have been eliminated, which means that the 20 requirements in the old CMMC Level 3 that the DoD had imposed were dropped. Now, Level 2 directly correlates with the 14 levels and 110 security controls developed by the National Institute of Technology and Standards (NIST) to protect CUI.

 CMMC 2.0 Level 3: Expert Cyber Maturity

Contractors at this level are required to focus on reducing the risk from Advanced Persistent Threats (APTs). This level is exclusively for companies working with CUI on DoD’s highest priority programs. It is comparable to the old CMMC Level 5. The DoD has indicated that its requirements will be based on NIST SP 800-171’s 110 controls plus a subset of NIST SP 800-172 controls. These should be met before undergoing a triennial government-led assessment. The DoD, however, is in the process of developing the requirements for this level, which is still undergoing change.

As a DoD contractor, you should identify your organization’s cyber security level based on the classification of the data you store, transmit, and process. Your IT team must be familiar with NIST SP 800-171 and the appropriate target levels so that they can determine the right CMMC 2.0 controls to adopt for your organization.

Why the Tiered Approach?

Before the CMMC was created, contractors who wanted to work for the DoD were expected to comply with the NIST 800-171 framework. However, small and medium-sized businesses (SMBs) found it difficult to achieve compliance with the full control set because they had neither an in-house IT staff nor a dedicated information security expert. This made reaching even basic cybersecurity hygiene difficult. 

Larger companies, on the other hand, found it easier to achieve full NIST 800-171 compliance because they were held to more rigorous standards such as the Federal Risk and Authorization Management Program (FedRAMP) standard and NIST's Cybersecurity Framework (CSF). However, for these larger contractors, NIST 800-171 presented a financial disadvantage when it came to implementing continuous improvements. Once they achieved the minimum baseline, larger contractors found no reason to invest more resources in their information security posture.

The CMMC 2.0 model addressed these concerns by using a tiered approach. Each control stated in NIST 800-171 is assigned to a specific maturity level, with Level 1 being the most basic and Level 3 being the most stringent.

CMMC 2.0 Compliance: Certification Process

What's a C3PAO?

C3PAO or certified third-party assessment organizations are auditors who have undergone training with the CMMC accreditation body (AB). Once accredited, these auditors can perform CMMC 2.0 assessments and grant eligible contractors CMMC 2.0 certifications.

How Can My Company Be Certified?

The CMMC 2.0 AB will create a CMMC 2.0 marketplace that will come with a list of accredited C3PAOs. After the creation of the CMMC 2.0 marketplace, contractors can select any of the approved C3PAOs and schedule an assessment.

What Is the Cost of a CMMC 2.0 Certification?

The cost for a CMMC certification largely depends on several factors, including the complexity of your company's network, the CMMC 2.0 certification level, and other market forces.

Is Self-Certification Allowed?

No. Your company can perform a self-assessment before a CMMC 2.0 assessment, but only accredited C3PAOs can grant CMMC 2.0 certification.

Who Will Conduct the CMMC 2.0 Assessment?

Only CMMC 2.0 C3PAOs and auditors accredited by the CMMC 2.0 AB can conduct CMMC 2.0 assessments. 

What Noncompliance Means

If your company was audited by the DoD and found to be noncompliant, you will be given a stop-work order until your company can implement efficient security measures to keep CUI protected. The DoD can also impose fines on contractors for breach of contract and false claims.

In some cases, noncompliant contractors can have their contracts terminated. In addition, they can also be suspended and barred from working with the DoD again.

Preparing for a CMMC 2.0 Compliance Audit

All DoD contractors should prepare for a CMMC 2.0 audit, even for a Level 1 certification. A self-assessment is an excellent way of pinpointing issues in a contractor's cybersecurity program that should be addressed before an audit. Contractors should focus on the controls found in NIST SP 800-171 Rev. 1. Once these controls are in place, a contractor can easily obtain a Level 3 certification.

There are two ways a contractor can prepare for a CMMC 2.0 audit:

   1. In-house

If your company has the available resources and IT staff, it can meet the CMMC 2.0 requirements without the help of a third-party consultant. 

   2. CMMC 2.0 consultant

A CMMC 2.0 consultant will help your company meet the controls stated in NIST SP 800-171 Rev. 2. In addition, many contractors prefer to have a consultant help them meet CMMC 2.0 requirements. Other benefits of having a CMMC 2.0 consultant are:

  • It will save your company time and money when getting and maintaining compliance standards.
  • A CMMC 2.0 consultant possesses the tools and documentation needed to conduct a gap analysis and create a system security plan.
  • A consultant can perform remediation steps required for compliance.
  • A consultant will have documents to prove that compliance is reached and maintained during a CMMC 2.0 audit.

Once your company is ready for a CMMC 2.0 audit, the first step is to get a gap assessment. This assessment will determine how close or far away your company is from meeting CMMC level standards. Other issues that gap assessments look for are:

  • How access to sensitive information is controlled and limited
  • How managers and systems administrators are trained
  • How data records are stored and protected from breaches
  • How security controls and policies are implemented
  • How cybersecurity incident response plans are created and implemented


Without a gap assessment, you wouldn't know what changes to make to your company's existing cybersecurity protocols to achieve CMMC 2.0 and DFARS compliance. A gap assessment from Charles IT will pinpoint all weak spots in your company's IT systems. Our IT experts will then come up with a remediation plan to address any issues, so that your company won't experience any problems getting a CMMC 2.0 certification. Get your gap assessment now!

Editor's Note: This blog was originally published on July 25, 2020. It was edited for accuracy on August 1, 2023.  

Download Our CMMC Compliance Checklist: This checklist will help you determine the right CMMC controls, policies, and procedures to adopt for your organization to achieve CMMC 2.0 Certification.

Most tech consulting starts with “Press 1”

We just like to start with “Hello.”