The Defense Federal Acquisition Regulation Supplement (DFARS) is a set of cybersecurity rules, guidelines, and regulation codes used by the Department of Defense (DoD) to safeguard controlled unclassified information (CUI) obtained and transmitted by contractors and subcontractors. If your business provides products and services to the DoD, it must first comply with DFARS regulations.
What Are the Minimum DFARS Requirements?
If you need your business to be compliant to DFARS regulations, it should meet the minimum requirements set by the DoD, which are:
In addition, before your company can be DFARS compliant, it needs to pass an assessment that follows NIST SP 800-171 guidelines, which cover these points:
What Is CMMC 2.0 Compliance and Why Is it Necessary?
In 2015, the DoD published DFARS compliance, which requires DoD contractors to adopt the cybersecurity standards set by NIST SP 800-171. This is to protect the DoD's supply chain from foreign and domestic cyberattacks. After DFARS was published, more than 300,000 DoD contractors rushed to understand it and implement NIST SP 800-171 standards to be considered compliant.
However, some contractors chose not to comply with DFARS, while others lied about being compliant. Because of this, the DoD published the Cybersecurity Maturity Model Certification (CMMC) to ensure contractors have the appropriate levels of cybersecurity protocols. In late January 2020, the first version of CMMC was released, and was updated to CMMC 2.0 in November 2021.
CMMC 2.0 and DFARS: What's the Difference?
DFARS and CMMC are almost identical in many ways, since the latter draws heavily from the former. However, there are still some differences between the two.
For instance, the CMMC 2.0 model categorizes contractors into three different levels of maturity depending on the complexity of their cybersecurity policies and practices. By doing this, the DoD can ensure that contractors have the proper cybersecurity protocols to protect federal contract information (FCI) and CUI.
CMMC 2.0 regulations state that the cybersecurity posture of DoD contractors must be evaluated by an external auditor before the appropriate CMMC 2.0 level can be assigned. All external auditors are required to receive training from the CMMC 2.0 accreditation body before a license can be issued.
DFARS, on the other hand, requires contractors to comply with all 14 security guidelines found in the NIST SP 800-171. And unlike CMMC 2.0, DFARS regulations allow contractors to self-assess their cybersecurity posture.
Who Needs to Be CMMC 2.0 Compliant?
All prime contractors and subcontractors working for the DoD should be DFARS and CMMC 2.0 certified. A prime contractor is a company that works directly with the DoD and needs a high-level certification. A sub-tier supplier is a company that is subcontracted by a prime contractor to work on projects relevant to the supply chain.
A contractor's access to CUI will determine the level of certification it needs. If a contractor does not handle or manage CUI but works with federal contract information (FCI), the contractor should comply with Federal Acquisition Regulation (FAR) Clause 52.204-21.
The CMMC 2.0 Compliance Levels Explained
If your company is planning to be a contractor for the DoD, there are three CMMC 2.0 certification levels you have to know about.
Guided by the Federal Acquisition Regulation (FAR), this is the minimum level of cyber hygiene required to hold Federal Contract Information (FCI), beyond the DoD. A level 1 certification indicates that cybersecurity best practices concerning the identified controls are “performed” and included in the business’s processes.
This is the easiest of the three levels to achieve, and contractors may self-certify.
Any company working with CUI should aim for this level. It is comparable to the former CMMC Level 3. These requirements are in complete alignment with NIST SP 800-171 practices. All practices and maturity processes that were unique to CMMC 1.0 have been eliminated, which means that the 20 requirements in the old CMMC Level 3 that the DoD had imposed were dropped. Now, Level 2 directly correlates with the 14 levels and 110 security controls developed by the National Institute of Technology and Standards (NIST) to protect CUI.
Contractors at this level are required to focus on reducing the risk from Advanced Persistent Threats (APTs). This level is exclusively for companies working with CUI on DoD’s highest priority programs. It is comparable to the old CMMC Level 5. The DoD has indicated that its requirements will be based on NIST SP 800-171’s 110 controls plus a subset of NIST SP 800-172 controls. These should be met before undergoing a triennial government-led assessment. The DoD, however, is in the process of developing the requirements for this level, which is still undergoing change.
As a DoD contractor, you should identify your organization’s cyber security level based on the classification of the data you store, transmit, and process. Your IT team must be familiar with NIST SP 800-171 and the appropriate target levels so that they can determine the right CMMC 2.0 controls to adopt for your organization.
Why the Tiered Approach?
Before the CMMC was created, contractors who wanted to work for the DoD were expected to comply with the NIST 800-171 framework. However, small and medium-sized businesses (SMBs) found it difficult to achieve compliance with the full control set because they had neither an in-house IT staff nor a dedicated information security expert. This made reaching even basic cybersecurity hygiene difficult.
Larger companies, on the other hand, found it easier to achieve full NIST 800-171 compliance because they were held to more rigorous standards such as the Federal Risk and Authorization Management Program (FedRAMP) standard and NIST's Cybersecurity Framework (CSF). However, for these larger contractors, NIST 800-171 presented a financial disadvantage when it came to implementing continuous improvements. Once they achieved the minimum baseline, larger contractors found no reason to invest more resources in their information security posture.
The CMMC 2.0 model addressed these concerns by using a tiered approach. Each control stated in NIST 800-171 is assigned to a specific maturity level, with Level 1 being the most basic and Level 3 being the most stringent.
CMMC 2.0 Compliance: Certification Process
What's a C3PAO?
C3PAO or certified third-party assessment organizations are auditors who have undergone training with the CMMC accreditation body (AB). Once accredited, these auditors can perform CMMC 2.0 assessments and grant eligible contractors CMMC 2.0 certifications.
How Can My Company Be Certified?
The CMMC 2.0 AB will create a CMMC 2.0 marketplace that will come with a list of accredited C3PAOs. After the creation of the CMMC 2.0 marketplace, contractors can select any of the approved C3PAOs and schedule an assessment.
What Is the Cost of a CMMC 2.0 Certification?
The cost for a CMMC certification largely depends on several factors, including the complexity of your company's network, the CMMC 2.0 certification level, and other market forces.
Is Self-Certification Allowed?
No. Your company can perform a self-assessment before a CMMC 2.0 assessment, but only accredited C3PAOs can grant CMMC 2.0 certification.
Who Will Conduct the CMMC 2.0 Assessment?
Only CMMC 2.0 C3PAOs and auditors accredited by the CMMC 2.0 AB can conduct CMMC 2.0 assessments.
What Noncompliance Means
If your company was audited by the DoD and found to be noncompliant, you will be given a stop-work order until your company can implement efficient security measures to keep CUI protected. The DoD can also impose fines on contractors for breach of contract and false claims.
In some cases, noncompliant contractors can have their contracts terminated. In addition, they can also be suspended and barred from working with the DoD again.
Preparing for a CMMC 2.0 Compliance Audit
All DoD contractors should prepare for a CMMC 2.0 audit, even for a Level 1 certification. A self-assessment is an excellent way of pinpointing issues in a contractor's cybersecurity program that should be addressed before an audit. Contractors should focus on the controls found in NIST SP 800-171 Rev. 1. Once these controls are in place, a contractor can easily obtain a Level 3 certification.
There are two ways a contractor can prepare for a CMMC 2.0 audit:
1. In-houseIf your company has the available resources and IT staff, it can meet the CMMC 2.0 requirements without the help of a third-party consultant.
2. CMMC 2.0 consultantA CMMC 2.0 consultant will help your company meet the controls stated in NIST SP 800-171 Rev. 2. In addition, many contractors prefer to have a consultant help them meet CMMC 2.0 requirements. Other benefits of having a CMMC 2.0 consultant are:
Once your company is ready for a CMMC 2.0 audit, the first step is to get a gap assessment. This assessment will determine how close or far away your company is from meeting CMMC level standards. Other issues that gap assessments look for are:
Without a gap assessment, you wouldn't know what changes to make to your company's existing cybersecurity protocols to achieve CMMC 2.0 and DFARS compliance. A gap assessment from Charles IT will pinpoint all weak spots in your company's IT systems. Our IT experts will then come up with a remediation plan to address any issues, so that your company won't experience any problems getting a CMMC 2.0 certification. Get your gap assessment now!
Editor's Note: This blog was originally published on July 25, 2020. It was edited for accuracy on August 1, 2023.