What is the Difference Between CMMC, DFARS, and NIST 800-171?
Without Cybersecurity Maturity Model Certification (CMMC) compliance, a contractor will be barred from all future Department of Defense (DoD) contracts. The CMMC officially launched in January 2020, building upon the DFARS and NIST 800-171 standards with additional requirements for vendors working with the DoD. Understanding CMMC and how it differs from DFARS and NIST 800-171 is crucial to the current and future success of government contractors.
DFARS stands for “Defense Federal Acquisition Regulation Supplement”. It is a set of cybersecurity regulations that any vendor bidding for contracts with the DoD must follow. In addition to requiring compliance with the controls in NIST 800-171, DFARS includes a clause, 252.204-1012, on Safeguarding Covered Defense Information and Cyber Incident Reporting. Through this clause, DFARS protects the government’s supply chain from cyberattacks by defending “Controlled Unclassified Information” (CUI): it requires that CUI be safeguarded from cyber incidents that can affect the organizations, people, activities, information, and resources involved in supplying a product or service to the DoD. DFARS also requires vendors to report incidents that affect CUI or that impact a contractor’s ability to perform critical support for the government.
To be DFARS compliant, organizations must pass an assessment that follows NIST 800-171. NIST 800-171 supplies clear guidelines on best practices for information security. Its primary goal is to protect the confidentiality of unclassified information and reduce the risk of data breaches. NIST 800-171 underpins standards like DFARS and the CMMC.
CMMC is the DoD’s next step in protecting national security data and networks from cyberattacks. CMMC shares the same goals as DFARS but reevaluates how the government categorizes vendors’ cybersecurity posture. CMMC builds on DFARS by clarifying security controls and adding further requirements for compliance. The model ranks the maturity of a vendor’s cybersecurity program from “Basic Cybersecurity Hygiene” to “Advanced” based on its data protection efforts. Achieving higher CMMC levels enhances the contractor’s ability to protect CUI and guard against adversary attacks. Unlike DFARS, CMMC requires assessments to be conducted by Third-Party Assessment Organizations.
The CMMC model is continually being updated. You can find the latest version here:
At Alpine Security, we include a baseline and a bi-annual CMMC audit in our CISO-as-a-Service program. We evaluate a vendor’s practices and processes against the cybersecurity controls required in NIST 800-171. Following the initial assessment, we prepare a “Cybersecurity Roadmap” outlining the steps to achieve the desired level of CMMC compliance.
Our annual CISO-as-a-Service program has three main goals:
- Reduce your risk of a successful cyberattack
- Align cybersecurity with your business and compliance objectives
- Mature your cybersecurity posture
For more information on our CMMC assessment or program:
- Email: [email protected]
- Phone: 618-207-4636 ext. 704
Resources from NIST:
Roisin Coleman is a Cybersecurity Sales Associate with Alpine Security. She graduated from St. Bonaventure University with a dual degree in cybersecurity and journalism. While attending St. Bonaventure, she helped develop her university’s security operations center and cybersecurity graduate program. She was also the executive producer for her university’s news station, where she produced breaking news stories by developing trusted relationships and sources throughout her community. When she’s not connecting with clients, she produces cybersecurity videos for her YouTube channel, watches documentaries, and drinks lots of coffee. She’s also currently studying for her CompTIA Security+ certification.