CMMC 2.0 vs. DFARS: Understanding the Relationship

DoD Security Compliance, CUI, POAMS


The Department of Defense has introduced new cybersecurity standards, known as Cybersecurity Maturity Model Certification 2.0. These standards apply to all contractors, including “primes” and their subcontractors, working under DoD contracts. It is important to understand the relationship between CMMC 2.0 and the cybersecurity-related provisions of DFARS to ensure compliance with these regulations.

The goal today is to provide an in-depth comparison of CMMC 2.0 and DFARS, explain their relationship, and offer guidance on successful implementation.

Overview of DFARS

The Defense Federal Acquisition Regulation Supplement is a set of supplementary acquisition regulations that apply specifically to the DoD and its contractors. These regulations provide additional guidance and requirements beyond the Federal Acquisition Regulation (FAR) for all acquisitions within the DoD.

DFARS requirements for government contractors cover a wide range of topics, including procurement, contract management, and cybersecurity. One of the main focuses of DFARS is the protection of controlled unclassified information held by government contractors and their subcontractors. Contractors must implement cybersecurity measures as outlined in NIST 800-171, report incidents, and ensure that their subcontractors also adhere to these requirements.

DFARS is subject to ongoing revisions and updates, reflecting the evolving needs of the DoD and its contractors. 

For example, a recent update took effect on March 1, 2023, implementing a recommendation from the Government Accountability Office regarding quick-closeout procedures. These updates ensure that DFARS remains relevant and effective in addressing the challenges faced by the DoD and its contractors.

Overview of CMMC 2.0

The Cybersecurity Maturity Model Certification 2.0 is an updated version of the original CMMC framework, designed to assess the cybersecurity maturity of Department of Defense contractors and subcontractors. It incorporates processes and best practices from multiple cybersecurity standards, frameworks, and references, as well as inputs from the Defense Industrial Base (DIB) and DoD stakeholders.

CMMC 2.0 simplifies the certification process compared to its predecessor, CMMC 1.0. The new model consolidates the original five compliance levels into three levels, each with a focus on well-established NIST cybersecurity standards.

What Are the CMMC Levels?

Level 1: Foundational in CMMC 2.0 focuses on basic cybersecurity practices that form the foundation of any organization's security posture. These practices are essential for protecting sensitive information and maintaining the integrity of the systems used by DoD contractors and subcontractors.

The goal of the Foundational level of CMMC 2.0 is to ensure that organizations have implemented fundamental cybersecurity measures, such as:

  • Regularly updating software and applying patches to address vulnerabilities.
  • Implementing strong password policies and requiring multi-factor authentication (MFA) for user accounts.
  • Ensuring secure configurations of networks, devices, and systems.
  • Establishing a solid backup and recovery plan to safeguard critical data.
  • Providing cybersecurity awareness and training for employees.

By adhering to these basic cybersecurity practices, organizations can reduce the likelihood of data breaches and cyberattacks, protecting both their own interests and sensitive information related to DoD contracts. Achieving Level 1 demonstrates an organization's commitment to maintaining a basic level of cybersecurity and serves as the starting point for more advanced security practices in the higher CMMC 2.0 levels.

Level 2: Advanced in CMMC 2.0 is aligned with NIST SP 800-171 and is designed for organizations that handle Controlled Unclassified Information as part of their work with the Department of Defense (DoD) [2]. This level focuses on more advanced cybersecurity practices that go beyond the foundational measures, ensuring that organizations have a robust security posture to protect sensitive information.

Under CMMC 2.0, Level 2 incorporates all 110 practices from NIST SP 800-171 Rev2, which is a significant change from the previous CMMC 1.0 model, where 20 additional controls were required. These practices cover a range of security domains, including:

  1. Access control: Limiting access to systems and data based on the principle of least privilege and role-based access controls.
  2. Awareness and training: Providing regular, comprehensive cybersecurity training to employees.
  3. Audit and accountability: Implementing auditing processes to track and log user activities, detect anomalies, and hold individuals accountable for their actions.
  4. Configuration management: Establishing and maintaining secure configurations for hardware and software components.
  5. Identification and authentication: Enforcing strong user authentication mechanisms, such as multi-factor authentication (MFA).
  6. Incident response: Developing and implementing a comprehensive incident response plan to effectively address and mitigate cybersecurity incidents.
  7. Maintenance: Regularly updating and patching systems, applications, and infrastructure components.
  8. Media protection: Safeguarding physical and digital media containing sensitive information through secure handling, storage, and disposal processes.
  9. Physical protection: Ensuring the physical security of facilities, systems, and equipment.
  10. Personnel security: Implementing security measures during the hiring process, as well as during employment termination or reassignment.
  11. Risk assessment: Conducting regular risk assessments to identify and address potential vulnerabilities and threats.
  12. Security assessment: Evaluating the effectiveness of security controls and implementing corrective actions where needed.
  13. System and communications protection: Protecting information transmitted or stored on networks and systems through encryption and secure communication protocols.
  14. System and information integrity: Monitoring systems and information for potential anomalies, breaches, or other security incidents.

Advanced certification in CMMC 2.0 demonstrates that an organization has implemented a comprehensive set of cybersecurity practices that meet the NIST SP 800-171 requirements, thereby ensuring a high level of protection for CUI and other sensitive data.

Level 3: Expert in CMMC 2.0 builds on the practices established in Levels 1 (Foundational) and 2 (Advanced) and further augments these with additional advanced practices. These advanced practices are based on NIST SP 800-172, which supplements NIST SP 800-171 to help organizations mitigate attacks from advanced cyber threats.

It is important to note that organizations achieving this level would demonstrate a higher level of cybersecurity maturity and an enhanced ability to protect sensitive data from sophisticated adversaries.

Organizations achieving Level 3 would be able to demonstrate a strong commitment to cybersecurity, ensuring the protection of their systems, networks, and data against advanced threats, as well as promoting continuous improvement in their cybersecurity posture.

These three levels represent a more streamlined approach to evaluating the cybersecurity maturity of Department of Defense contractors and subcontractors.

The purpose of CMMC 2.0 is to ensure that DoD contractors have adequate cybersecurity measures in place to protect sensitive information. CMMC 2.0 will become part of the Defense Federal Acquisition Regulation Supplement (DFARS), further integrating cybersecurity requirements into the contracting process. To achieve certification, contractors must demonstrate compliance with the required controls and practices at their respective CMMC 2.0 level.

Relationship between DFARS and CMMC 2.0

DFARS and CMMC 2.0 are both frameworks designed to protect Controlled Unclassified Information and ensure that Department of Defense (DoD) contractors have robust cybersecurity practices in place. The Defense Federal Acquisition Regulation Supplement (DFARS) outlines cybersecurity-related provisions, such as safeguarding sensitive information and setting requirements for incident reporting. On the other hand, CMMC 2.0 is a certification framework that measures a contractor's cybersecurity maturity by evaluating the implementation of cybersecurity practices and the institutionalization of processes. To continue working on DoD contracts and qualify for new contracted work, both prime defense contractors and their subcontractors must comply with CMMC 2.0 requirements.

NIST 800-171 is a crucial component of the CMMC 2.0 framework, as it provides guidelines on how Controlled Unclassified Information should be securely accessed, transmitted, and stored in nonfederal information systems and organizations. Its requirements are divided into four main categories, and many of these requirements are incorporated within the CMMC 2.0 framework.

CMMC 2.0, in its revised form, has reduced the compliance levels from five to three, with Level 2 – Advanced, directly aligning with NIST SP 800-171. This improved alignment with NIST 800-171 ensures a more streamlined and effective approach to cybersecurity for organizations working with the Department of Defense.

By incorporating NIST 800-171 requirements into the CMMC 2.0 framework, the Department of Defense aims to create a more unified and consistent set of cybersecurity guidelines for contractors, thereby enhancing overall security within the defense supply chain.

Contractors who are already in compliance with DFARS will find it easier to achieve CMMC 2.0 compliance because many of the requirements overlap and build upon the existing DFARS regulations. DFARS clauses were implemented to apply to all DoD contractors who process, store, or transmit ‘covered defense information’ through their information systems.

CMMC 2.0 is a framework that measures a contractor's cybersecurity maturity, including the implementation of cybersecurity practices and institutionalization of processes. Since DFARS-compliant contractors have already established a strong foundation in cybersecurity by adhering to the necessary safeguards and regulations, they will be better prepared to meet the CMMC 2.0 requirements.

The overlapping requirements between DFARS and CMMC 2.0 mean that contractors with a history of DFARS compliance will have an advantage in achieving CMMC 2.0 certification. This is because they will have already implemented many of the cybersecurity practices and processes required under the CMMC 2.0 framework, making it easier for them to meet the additional requirements and demonstrate their cybersecurity maturity.

Implementation of CMMC 2.0 and DFARS

The timeline for implementing CMMC 2.0 will depend on the specific contract and requirements set forth by the DoD. The CMMC 2.0 rulemaking process is expected to take anywhere from 9-24 months, and companies have been uncertain about when that time period would begin and what the timeline might look like. The requirements for CMMC 2.0 are anticipated to be published as a “proposed rule,” which includes a 12-month review and comment period. This provides manufacturers with at least another year to provide feedback to the DoD and put the proposed rules in place for their businesses.

Ultimately, the timeline for CMMC 2.0 implementation will vary depending on the specific circumstances of each contract and the DoD's requirements. Contractors should closely monitor the ongoing rulemaking process and be prepared to adapt their cybersecurity practices and processes to meet the evolving requirements of CMMC 2.0.

CMMC 2.0 is a framework that measures a contractor's cybersecurity maturity, including the implementation of cybersecurity practices and the institutionalization of processes. It consists of three levels that rely on well-established NIST cybersecurity standards.

To implement CMMC 2.0 and DFARS, contractors would need to:

  1. Conduct a gap analysis: Identify areas where the contractor's current cybersecurity practices and processes fall short of CMMC 2.0 and DFARS requirements.
  2. Develop an action plan: Based on the findings of the gap analysis, create a plan to address the identified shortcomings and improve the contractor's cybersecurity posture.
  3. Implement required controls: Carry out the action plan, which may involve implementing new cybersecurity practices or improving existing ones to meet the CMMC 2.0 and DFARS requirements.
  4. Prepare for certification assessments: As CMMC 2.0 involves a certification process, contractors should be prepared to undergo assessments to ensure they meet the necessary requirements. This may involve internal audits, documentation of processes, and engaging with CMMC assessors.

The rulemaking process for CMMC 2.0 is expected to take 9-24 months, during which contractors should monitor updates and prepare to adapt their cybersecurity practices and processes accordingly.

Tips for successful implementation include fostering a culture of cybersecurity awareness, engaging with a qualified consultant, and conducting regular audits to ensure ongoing compliance.

CMMC 2.0 and DFARS are closely related frameworks that aim to protect CUI and ensure adequate cybersecurity practices among Department of Defense contractors.

Compliance with both DFARS and CMMC 2.0 is crucial for securing and maintaining government contracts, as they measure a contractor's cybersecurity maturity and involve the implementation of cybersecurity practices and institutionalization of processes.

As the cybersecurity landscape continues to evolve, government contractors must remain vigilant and proactive in their efforts to meet both DFARS and CMMC 2.0 requirements, ensuring they maintain robust cybersecurity practices and stay compliant with relevant standards.

Don't miss out on securing your organization's future!

Get started today with a FREE consultation from On Call Compliance Solutions, where our experts are ready to help you navigate the complex world of compliance. Connect now and unlock your business's full potential!

Schedule a consultation today and take the first step towards CMMC compliance.

At On Call Compliance Solutions, we want to help defense contractors meet CMMC requirements and grow their businesses.

Backed by an award-winning cyber security and IT management team, On Call Compliance Solutions is the #1 source for CMMC, NIST SP 800-171 Compliance, DFARS and ITAR consulting. Give us a call now to schedule a free phone call with one of our compliance experts to see how we can help.
