DFARS vs. CMMC: Unraveling the Key Differences in Cybersecurity Compliance

In the defense industry, security and compliance are of utmost importance, even for unclassified information such as Controlled Unclassified Information (CUI). As digital infrastructure becomes more integrated into the defense supply chain, it is crucial for contractors and business operators to meet these requirements. The Department of Defense (DoD) has established two cybersecurity frameworks to address these needs: the Defense Acquisition Federal Regulation Supplement (DFARS) and the Cybersecurity Maturity Model Certification (CMMC) framework.

What is DFARS?

In 2015, the DoD released DFARS as a supplement to its Federal Acquisition Regulations (FAR). DFARS focuses on how defense agencies contract with digital service providers for services like cloud computing or application usage. It requires DoD contractors to adhere to two specific requirements:

Provide adequate security for IT systems containing, transmitting, or processing CUI to prevent unauthorized disclosures.
Report cyber incidents immediately to the DoD for mitigation, remediation, and governmental scrutiny.

DFARS relies on NIST Special Publication 800-171, which contains a catalog of security measures, practices, and procedures that organizations must implement. This document covers 14 categories of requirements, including:

Access Control
Awareness and Training
Audit and Accountability
Configuration Management
Identification and Authentication
Incident Response
Maintenance
Media Protection
Personnel Security
Physical Protection
Risk Assessment
Security Assessment
System and Communications Protection
System and Information Integrity

Contractors are expected to implement these controls, perform self-assessments, and report to the DoD. Many contractors work with managed security services providers (MSSPs) to streamline audits and costs. The process typically involves:

Gap Analysis: Analyzing existing security controls and practices against NIST 800-171 requirements.
Remediation: Addressing system issues and aligning the organization with NIST 800-171 for compliance.
Continuous Monitoring: Ongoing compliance monitoring to support reporting of cyber breaches and significant changes in IT infrastructure.
Documentation: Collecting reports and documents to demonstrate compliance annually.

What is CMMC?

Like DFARS, CMMC is designed to support defense contractors in protecting CUI and relies primarily on NIST 800-171 for its controls and requirements. However, CMMC has additional features:

Maturity Levels: CMMC organizes compliance into “Maturity Levels” based on the number of controls implemented from NIST 800-171.
Level 1 maturity requires implementing 17 total controls from NIST 800-171.
Level 2 maturity requires compliance with all 110 controls in NIST 800-171, the minimum level required to handle CUI.
Level 3 maturity requires all Level 2 controls alongside supplemental controls from NIST 800-172, primarily for systems that must account for proactive security against advanced persistent threats (APTs).
Third-Party Assessment Organizations (C3PAOs): Organizations must undergo auditing and assessment from a certified C3PAO recognized by the DoD.

The initial CMMC initiative (CMMC 1.0) was released in 2019 with five maturity levels and stringent requirements for audits, reporting, and maturity. CMMC 2.0, a revision released in November 2020, reduced the maturity levels to three and streamlined assessment based on contractor and agency feedback.

Key Differences Between DFARS and CMMC

DFARS and CMMC share the same goal: to enforce sufficient security on contractor systems handling CUI. The DoD intended to phase out DFARS in favor of CMMC for several reasons:

Clearer Expectations: CMMC’s maturity levels provide a clearer understanding of requirements for agencies and contractors.
Third-Party Assessments: CMMC introduces an additional level of assurance and rigor with third-party assessments, unlike DFARS, which relies on self-assessment.

While CMMC seems to replace DFARS, they still coexist. Most contractors working in the defense supply chain will reach Maturity Level 2 to handle CUI, making them DFARS compliant. However, DFARS compliance does not entirely equate to CMMC compliance. The plan is that CMMC will become the primary form of assessment for contractors handling CUI once fully implemented.