DFARS and CMMC are two concepts you need to understand if you are part of the Defense Industrial Base in any capacity. But if you have difficulties making sense of the differences between them, don’t worry: in this post, you will find everything you need to know.
CMMC: The Basics
CMMC stands for Cybersecurity Maturity Model Certification, a framework created by the Department of Defense to bolster cybersecurity standards throughout the Defense Industrial Base, or DIB.
As we’ll see below in more detail, if you are a defense contractor or subcontractor, you will be required to achieve the CMMC level specified in your DoD contracts.
CMMC has three levels. The level you need depends on the type of information you handle and the contracts you want to be eligible for: Level 1 covers contractors that handle only Federal Contract Information (FCI), while Levels 2 and 3 apply to contractors that handle Controlled Unclassified Information (CUI).
To learn more about this topic, read our previous post: “What CMMC Level Do I Need?“
What Is DFARS?
The term DFARS stands for Defense Federal Acquisition Regulation Supplement.
In order to understand DFARS, first we need to take a quick look at the Federal Acquisition Regulation, or FAR.
The FAR is the primary set of rules regarding government procurement in the United States. This means that all executive agencies must follow the FAR when it comes to their acquisition of supplies and services.
DFARS is the Department of Defense’s (DoD) supplement to the FAR: it is not a subset of the FAR but an additional set of rules that applies only to DoD procurement. As such, the DFARS both implements and supplements the FAR.
Note the difference in who issues each document. The FAR is jointly issued by the DoD, the General Services Administration (GSA), and the National Aeronautics and Space Administration (NASA), whereas the DFARS is issued by the DoD alone. The official DFARS text is published by the DoD.
DFARS and CMMC
So far so good. But what is the relationship (and the difference) between DFARS and CMMC?
As you might expect, DFARS is a complex document that addresses different types of requirements for government acquisitions.
For example, DFARS Clause 252.204-7012 requires contractors to protect covered defense information, including controlled unclassified information (CUI), by implementing NIST SP 800-171, which is one of the root documents for CMMC. The same clause also requires contractors to report cyber incidents affecting that information to the DoD within 72 hours of discovery.
For its part, DFARS Clause 252.204-7021 is even more specific: once the CMMC rulemaking process has been completed, it requires defense contractors to hold a current CMMC certification at the level stipulated in their DoD contract in order to be eligible for award.
Plus, 7021 also makes contractors responsible for flowing down the CMMC requirements to their subcontractors, at the level appropriate to the information each subcontractor will handle.
So, to sum it up, the difference between CMMC and DFARS is that CMMC is a cybersecurity model while DFARS is a set of acquisition rules.
CMMC defines a set of cybersecurity practices divided into levels. DFARS, on the other hand, states who must implement those practices, to what level, and how compliance is verified.
But despite their differences, there is a crucial relationship between CMMC and DFARS, since DFARS is the document that makes CMMC mandatory for defense contractors and subcontractors.
Need To Achieve CMMC Compliance? We Are Here To Help
Whether it’s CMMC, NIST SP 800-171, DFARS, or ITAR, we help organizations achieve compliance with all applicable cybersecurity regulations at any level so that they can win and maintain Department of Defense (DoD) contracts.
Brea Networks, LLC is a fully Registered Provider Organization (RPO) and is a Microsoft partner with full Microsoft GCC High licensing and migration solutions.
Contact our CMMC Registered Practitioners today by clicking here.
Brea Networks, LLC / CMMCCompliance.us
451 W. Lambert Rd Suite 214
Brea, CA 92821
Tel: (714) 592-0063