A Guide to CMMC & DFARS Compliance Requirements
The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of cybersecurity rules, guidelines, and regulation codes used by the Department of Defense (DoD) to safeguard controlled unclassified information (CUI) obtained and transmitted by contractors and subcontractors. If your business provides products and services to the DoD, it must first comply with DFARS regulations.
What Are the Minimum DFARS Requirements?
If you need your business to be compliant to DFARS regulations, it should meet the minimum requirements set by the DoD, which are:
- Providing sufficient security measures to protect covered defense information moving through or residing in your infrastructure from disclosure and unauthorized access.
- Reporting cybersecurity incidents and working with the DoD to quickly address such incidents. This includes submitting compromised media and malicious software.
In addition, before your company can be DFARS compliant, it needs to pass an assessment that follows NIST SP 800-171 guidelines, which cover these points:
- Access control
- Awareness and training
- Audit and accountability
- Configuration management
- Identification and authentication
- Incident response
- Media protection
- Personal security
- Physical protection
- Risk assessment
- Security assessment
- System and communications protection
- System and information integrity
What Is CMMC Compliance and Why Is it Necessary?
In 2015, the DoD published DFARS compliance, which requires DoD contractors to adopt the cybersecurity standards set by NIST SP 800-171. This is to protect the DoD's supply chain from foreign and domestic cyberattacks. After DFARS was published, more than 300,000 DoD contractors rushed to understand it and implement NIST SP 800-171 standards to be considered compliant.
However, some contractors chose not to comply with DFARS, while others lied about being compliant. Because of this, the DoD published the Cybersecurity Maturity Model Certification (CMMC) to ensure contractors have the appropriate levels of cybersecurity protocols. In late January 2020, the official version of CMMC was released, and it has been updated twice since that time.
CMMC and DFARS: What's the Difference?
DFARS and CMMC are almost identical in many ways, since the latter draws heavily from the former. However, there are still some differences between the two.
For instance, the CMMC model categorizes contractors into five different levels of maturity depending on the complexity of their cybersecurity policies and practices. By doing this, the DoD can ensure that contractors have the proper cybersecurity protocols to protect federal contract information (FCI) and CUI.
CMMC regulations state that the cybersecurity posture of DoD contractors must be evaluated by an external auditor before the appropriate CMMC level can be assigned. All external auditors are required to receive training from the CMMC accreditation body before a license can be issued.
DFARS, on the other hand, requires contractors to comply with all 14 security guidelines found in the NIST SP 800-171. And unlike CMMC, DFARS regulations allow contractors to self-assess their cybersecurity posture.
Who Needs to Be CMMC Compliant?
All prime contractors and subcontractors working for the DoD should be DFARS and CMMC certified. A prime contractor is a company that works directly with the DoD and needs a high-level certification. A sub-tier supplier is a company that is subcontracted by a prime contractor to work on projects relevant to the supply chain.
A contractor's access to CUI will determine the level of certification it needs. If a contractor does not handle or manage CUI but works with federal contract information (FCI), the contractor should comply with Federal Acquisition Regulation (FAR) Clause 52.204-21 and should be at least CMMC Level 1.
The CMMC Compliance Levels Explained
If your company is planning to be a contractor for the DoD, there are five CMMC certification levels you have to know about.
Level 1: Basic Cybersecurity Hygiene
Level 1 contractors must meet the requirements found in 48 CFR 52.204-21 before being certified. A Level 1 certification lays the foundations for the entire CMMC model and should be met by all contractors.
Level 2: Intermediate Cybersecurity Hygiene
Level 2 contractors are required to use advanced cybersecurity measures to secure sensitive data from cyberthreats. They are expected to stop more advanced threats compared to Level 1 contractors. In addition, documenting what security protocols are implemented and maintained is introduced at Level 2, which includes all the plans and policies used to implement the security program.
Level 3: Good Cybersecurity Hygiene
A contractor needs to implement cybersecurity controls stated under NIST SP 800-171 to be certified at Level 3. At this level, contractors are able to mitigate most cyberthreats and keep private information secure. It is also at this level where contractors are allowed to handle or generate CUI. In addition, Level 3 contractors who comply with DFARS clause 252.204-7012 are required to report and document all cybersecurity incidents. However, Level 3 contractors may have a hard time fending off advanced persistent threats (APTs).
Level 4: Proactive Cybersecurity Hygiene
A Level 4 certification requires contractors to have an efficient and proactive cybersecurity program. Contractors should regularly upgrade their tactics, techniques, and procedures (TTP) used against APTs and should also review and document their security protocols. Upper management must be notified immediately if any issues are found.
Level 5: Advanced and Progressive Cybersecurity Hygiene
This is the topmost level of the CMMC model and shows that a contractor can not only protect CUI but also have the capability to mitigate advanced threats as well. To receive a Level 5 certification, a contractor should show that its cybersecurity policies and processes are standardized across all networks, including third-party associates.
In addition to the five levels, the CMMC model also consists of 17 domains. The majority of these domains were taken from the Federal Information Processing Standards (FIPS) 200 security-related areas, as well as the 14 NIST SP 800-171 guidelines listed above. Other domains include asset management, recovery, and situational awareness.
Why the Tiered Approach?
Before the CMMC was created, contractors who wanted to work for the DoD were expected to comply with the NIST 800-171 framework. However, small and medium-sized businesses (SMBs) found it difficult to achieve compliance with the full control set because they had neither an in-house IT staff nor a dedicated information security expert. This made reaching even basic cybersecurity hygiene difficult.
Larger companies, on the other hand, found it easier to achieve full NIST 800-171 compliance because they were held to more rigorous standards such as the Federal Risk and Authorization Management Program (FedRAMP) standard and NIST's Cybersecurity Framework (CSF). However, for these larger contractors, NIST 800-171 presented a financial disadvantage when it came to implementing continuous improvements. Once they achieved the minimum baseline, larger contractors found no reason to invest more resources in their information security posture.
The CMMC model addressed these concerns by using a tiered approach. Each control stated in NIST 800-171 is assigned to a specific maturity level, with Level 1 being the most basic and Level 5 being the most stringent. For a contractor to be certified at a certain level, it must comply with that level's controls as well as the controls of any lower levels.
CMMC Compliance: Certification Process
What's a C3PAO?
C3PAO or certified third-party assessment organizations are auditors who have undergone training with the CMMC accreditation body (AB). Once accredited, these auditors can perform CMMC assessments and grant eligible contractors CMMC certifications.
How Can My Company Be Certified?
The CMMC AB will create a CMMC marketplace that will come with a list of accredited C3PAOs. After the creation of the CMMC marketplace, contractors can select any of the approved C3PAOs and schedule an assessment.
What Is the Cost of a CMMC Certification?
The cost for a CMMC certification largely depends on several factors, including the complexity of your company's network, the CMMC certification level, and other market forces.
Is Self-Certification Allowed?
No. Your company can perform a self-assessment before a CMMC assessment, but only accredited C3PAOs can grant CMMC certification.
Who Will Conduct the CMMC Assessment?
Only CMMC C3PAOs and auditors accredited by the CMMC AB can conduct CMMC assessments.
What Noncompliance Means
If your company was audited by the DoD and found to be noncompliant, you will be given a stop-work order until your company can implement efficient security measures to keep CUI protected. The DoD can also impose fines on contractors for breach of contract and false claims.
In some cases, noncompliant contractors can have their contracts terminated. In addition, they can also be suspended and barred from working with the DoD again.
Preparing for a CMMC Compliance Audit
All DoD contractors should prepare for a CMMC audit, even for a Level 1 certification. A self-assessment is an excellent way of pinpointing issues in a contractor's cybersecurity program that should be addressed before an audit. Contractors should focus on the controls found in NIST SP 800-171 Rev. 1. Once these controls are in place, a contractor can easily obtain a Level 3 certification.
There are two ways a contractor can prepare for a CMMC audit:1. In-house
If your company has the available resources and IT staff, it can meet the CMMC requirements without the help of a third-party consultant. A Self-Assessment Handbook - NIST Handbook 162 is available to guide your IT team, however, it only covers NIST SP 800-171 Rev. 1. Unfortunately, this only lets you obtain a level three CMMC certification. For the time being, a self-assessment handbook Rev. 2 is not yet available.2. CMMC consultant
A CMMC consultant will help your company meet the controls stated in NIST SP 800-171 Rev. 2. In addition, many contractors prefer to have a consultant help them meet CMMC requirements. Other benefits of having a CMMC consultant are:
- It will save your company time and money when getting and maintaining compliance standards.
- A CMMC consultant possesses the tools and documentation needed to conduct a gap analysis and create a system security plan.
- A consultant can perform remediation steps required for compliance.
- A consultant will have documents to prove that compliance is reached and maintained during a CMMC audit.
Once your company is ready for a CMMC audit, the first step is to get a gap assessment. This assessment will determine how close or far away your company is from meeting CMMC level standards. Other issues that gap assessments look for are:
- How access to sensitive information is controlled and limited
- How managers and systems administrators are trained
- How data records are stored and protected from breaches
- How security controls and policies are implemented
- How cybersecurity incident response plans are created and implemented
Without a gap assessment, you wouldn't know what changes to make to your company's existing cybersecurity protocols to achieve CMMC and DFARS compliance. A gap assessment from Charles IT will pinpoint all weak spots in your company's IT systems. Our IT experts will then come up with a remediation plan to address any issues, so that your company won't experience any problems getting a CMMC certification. Get your gap assessment now: