March 25, 2020

    What is the Difference Between CMMC and DFARS?

    DFARS, or the Defense Federal Acquisition Regulation Supplement, was launched back in 2016 as a government effort to protect against cybersecurity attacks. For DoD contractors, this meant increased regulations and assessments for those working with controlled information.

    Now, in 2020, the Cybersecurity Maturity Model Certification (CMMC) framework has been launched to enhance the cybersecurity defense effort. At Sharetru, we constantly work with customers to navigate government compliance regulations, so we know how challenging it can be for defense contractors to keep up with these regularly evolving compliance requirements.

    In this article, we break down the differences between DFARS and CMMC and how they will work together. With this information, you’ll be prepared to earn your CMMC maturity level this summer.


    What Makes DFARS and CMMC Different?

    DFARS addresses how to keep data protected, specifically CUI (Controlled Unclassified Information). DFARS was put into effect in 2016 as a way to help government contractors better protect sensitive data flowing in and out of their organizations. The Department of Defense mandates that all government contractors and subcontractors align with DFARS regulations.

    DFARS compliance is essentially straightforward. You must have the appropriate security controls in place to protect CUI, and you must also have the processes established to make reporting any cybersecurity events simple. Implementing both safeguards and reporting processes allows contractors to meet the objectives of DFARS: protect against cybersecurity threats and respond to breaches as quickly and efficiently as possible.

    The Cybersecurity Maturity Model Certification (CMMC) has many of the same goals as DFARS. It is targeted at government contractors and subcontractors. CMMC is bringing together a number of different security controls to create a hierarchy of maturity levels. These five maturity levels represent the different levels of data security government contractors provide. The DoD and government agencies partner with contractors that have the appropriate CMMC maturity level for their needs.

    In many ways, CMMC and DFARS are similar. Both are targeted at how contractors use security controls to protect CUI. In fact, CMMC draws heavily from DFARS. The biggest difference between the two is CMMC’s maturity levels: the structure of compliance under CMMC differs from that of DFARS.

    However, CMMC and DFARS regulations can be used in conjunction with each other to create a more secure environment for contractors and the government agencies they partner with. By following DFARS regulations and earning your CMMC maturity level, you can withstand advancing cybersecurity threats.

    One major difference between DFARS and the CMMC model is the way compliance is assessed. DFARS establishes guidelines for self-assessment. This means government contractors are constantly monitoring their security controls and assessing them for effectiveness. Then, if a breach occurs, they must detect, contain, and report it as soon as possible. With DFARS, contractors must continuously self-assess to keep data protected.

    CMMC, on the other hand, requires assessments to be conducted by 3PAOs (Third Party Assessment Organizations). These 3PAOs are the entities that assess contractors to determine whether or not they are appropriately aligned with a specific maturity level. These assessments will be conducted each time a contractor moves up a CMMC level. (As a note, existing FedRAMP assessors will likely be viable options for CMMC assessment.)

    Though DFARS and CMMC compliance do overlap, the assessment process will be a significant difference moving forward.

    Why Do Contractors Need Both CMMC and DFARS?

    Why should you pay attention to DFARS compliance requirements if the CMMC model is going into effect this summer? Because CMMC draws from the security controls and processes outlined by DFARS, contractors need to comply with both the maturity level requirements and DFARS to maintain data security.

    CMMC builds on an existing DFARS regulation, DFARS 252.204-7012, by adding a verification component to how CUI is protected. In fact, DFARS is cited as a source for how the CMMC model defines the data that needs protection, namely data that is:

    • “Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of, DoD in support of the performance of the contract; OR
    • Collected, developed, received, transmitted, used, or stored by, or on behalf of, the contractor in support of the performance of the contract.”

    This use of DFARS to help define the types of data that should be protected shows how essential DFARS compliance is to maintaining security. CMMC is simply the next step in the mission to keep data secure. Ultimately, CMMC reframes how contractors are categorized based on their data protection efforts.

    The self-assessment aspect of DFARS is still beneficial to integrate into your security policies, though. If you are consistently monitoring your controls for their effectiveness and establishing processes by which you contain a cybersecurity breach as quickly as possible, you are better able to protect CUI. You will also protect your business from the serious consequences that come with a data breach.

    If I Am Compliant with CMMC, Am I Compliant with DFARS?

    Very likely, but not necessarily. You could be compliant with DFARS but not yet have earned your CMMC maturity level. You could also have your CMMC level but not be compliant with all aspects of DFARS.

    It’s in your best interest to work toward compliance with DFARS and to earn your CMMC level. Earning your CMMC maturity level is mandatory for DoD contractors to win RFPs and be awarded future contracts.

    One way to become compliant with DFARS is to have the right tools in place, like a secure file sharing solution. If you choose a solution that already has government-level security controls in place, compliance with DFARS will be easier, as will earning your CMMC maturity level.

    Now that you understand the difference, or rather the partnership, between DFARS and CMMC, it is time to get your compliance needs lined up. To help get you aligned and ensure you are DFARS compliant, reference our free compliance checklist.

    Download the DFARS checklist now.

    Martin Horan

    Founder of Sharetru (Formerly FTP Today) and a respected voice in secure file transfer and Internet protocols. A software and IT geek since a young age, Martin has successfully led his companies through the digital age by spotting market niches and filling them with quality IT services.