Although the federal government tasks companies with meeting cybersecurity mandates and other forms of regulatory compliance, few seem to cry foul. That’s largely because Washington, D.C., is expected to spend nearly $7 trillion in contracts by the end of the 2024 fiscal year. Those monetary rewards have nearly doubled over the last 10 years and are on track to exceed $8 trillion in 2029.
For defense contractors and other businesses to remain in the government’s good graces, industry leaders must meet and maintain some of the most stringent data security standards. The U.S. Department of Defense (DoD) is currently rolling out the Cybersecurity Maturity Model Certification (CMMC), which overlaps with and differs from the Defense Federal Acquisition Regulation Supplement (DFARS) and the National Institute of Standards and Technology (NIST) framework, particularly NIST SP 800-171. Understanding the differences between CMMC, DFARS, and NIST is essential if the more than 100,000 contractors, as well as subcontractors, that generate revenue from DoD contracts are to remain in compliance.
What is NIST?
Part of the U.S. Department of Commerce, the National Institute of Standards and Technology helps advance American scientific innovation, business competitiveness, and technologies by creating security standards. While its original purpose was to further the country’s economic prosperity, NIST SP 800-171 has been adopted as foundational data security thought leadership. This guidance outlines many of the best practices needed to safeguard data related to our national security.
The NIST SP 800-171 standard has been integrated into DFARS and is also the bedrock of the Pentagon’s CMMC 2.0 mandate. Direct defense contractors and those working in the private sector supply chain must adhere to one of three CMMC cyber hygiene levels or risk being sidelined.
What is CMMC 2.0?
The CMMC model has undergone some modifications since the Pentagon published its 2020 interim rule in the Federal Register. A change in governance resulted in scrapping a five-tiered cybersecurity model in favor of three tiers. Based on NIST SP 800-171 and other data security protocols, CMMC 2.0 brings many of the most determined cybersecurity measures under one umbrella. Every organization that stores or transmits DoD-related Controlled Unclassified Information (CUI) and Federal Contract Information (FCI) must meet CMMC compliance.
What is DFARS?
The Defense Federal Acquisition Regulation Supplement involves an additional layer of rules that pertain to the Federal Acquisition Regulation, also known as FAR. Rolled out during the 1980s, these supplemental DoD directives came into play when the Pentagon purchased goods, materials, and services. What began as a set of quality-related standards evolved into a set of guidelines designed to also protect national security. Along with wide-reaching product and services regulations, DFARS also has rules for CUI.
For example, the DFARS 7012 clause mandates that defense contractors and subcontractors adequately secure critical DoD data and promptly report any cyberattacks. Private-sector companies operating in the military defense niche must adopt roughly 79 security protocols, disclose cyber incidents, and ensure ongoing systems monitoring of OpSec Information, Export-Controlled Information, and Controlled Technical Information. While there was not necessarily a problem with the evolving DFARS mandate in terms of technical elements, the DoD decided to pull the best of the best measures into one policy.
How Do CMMC, DFARS & NIST Overlap and Differ?
It’s important to keep in mind that both CMMC and DFARS base much of their cybersecurity measures on NIST SP 800-171. If one were to conduct a side-by-side comparison of the 79 DFARS and more than 100 CMMC controls, they would fit into categories such as the following.
- Configuration Management
- Critical Incident Response Protocols
- Cybersecurity Awareness Training
- Data Storage and Transfer Protections
- Data and Network Monitoring
- Network Access Control
- Risk Assessments
- Security Audits and Accountability
- System Login Authentication
- User Identification and Approval
These NIST security priorities may apply in different fashions to DFARS and CMMC, but they share a common theme. The digital security measures are all designed to deter, detect, and expel threat actors. Beyond the technical NIST differences between DFARS and CMMC, the latter does not allow organizations that possess or transfer highly sensitive information to self-assess without oversight. They must enlist the support of a CMMC Third-Party Assessor Organization (C3PAO) to perform rigorous testing and report the findings to the DoD. In CMMC Level I and some Level II instances, an outfit may follow the self-testing procedures and report that score. Many reach out to a C3PAO to determine which CMMC cyber hygiene applies, refine the network, and integrate mandated protections.
By contrast, DFARS allowed, perhaps, too many military supply-chain companies to self-assess and trust them to maintain a robust cybersecurity posture. That issue resulted in an unacceptable number of data breaches and stolen national security secrets. Federal officials developed CMMC to effectively override much of the DFARS mandate and ensure ongoing cybersecurity compliance.
How to Comply with CMMC or DFARS
If your organization is currently NIST SP 800-171, in all likelihood, it also meets the DFARS standards. However, your enterprise will still need to demonstrate CMMC 2.0 compliance because the newly minted security measure integrates NIST SP 800-171 plus wide-reaching others.
The best way to accomplish compliance is to onboard a C3PAO that can perform an assessment in light of these regulations and meet the applicable cybersecurity standard.
Author Bio
John Funk is a Creative Consultant at SevenAtoms. A lifelong writer and storyteller, he has a passion for tech and cybersecurity. When he’s not found enjoying craft beer or playing Dungeons & Dragons, John can be often found spending time with his cats.