What You Need to Know About DFARS and CMMC Compliance
The number of cyber-attacks on businesses, organizations, and governmental institutions has accelerated in just the last few years. Furthermore, the COVID-19 pandemic has weakened many organizations’ cybersecurity posture, which brought with it a new wave of successful attacks.
Frameworks like DFARS and CMMC are essential to ensuring that every contractor and subcontractor handling controlled unclassified information does so according to recognized cybersecurity standards. Still, the confusion created by unrealistic or inaccurate requirements, and the delays in rolling out new regulations, can only lead to chaos if left unchecked.
The Defense Federal Acquisition Regulation Supplement (DFARS) is a memorandum issued by the Department of Defense (DoD) for contractors and subcontractors. It was designed as a set of cybersecurity requirements for contractors and organizations working with the DoD, to safeguard controlled unclassified information (CUI) from cyberattacks and accidental leaks.
This memorandum aims to strengthen cybersecurity practices and secure the Defense Industrial Base (DIB) against cyber threats. Unfortunately, the requirements and standards specified in the DFARS are not clear enough for real-life implementation, which slowed down the entire process and left contractors and subcontractors in a state of confusion.
The DoD released the Cybersecurity Maturity Model Certification (CMMC) framework to replace the DFARS standard and provide clarity. Nevertheless, the CMMC has not been fully implemented, and the DoD still requires that all contractors and subcontractors that process, store, or transmit CUI comply with the DFARS minimum security standards. Otherwise, contractors risk losing their business with the DoD.
In addition, on September 29, the DoD released an Interim Rule (that became effective on November 30) that focuses on making sure all DoD contractors are currently in compliance with all 110 security controls in the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (NIST 800-171). Furthermore, the rule also adds CMMC as a requirement in a DoD contract.
Sadly, the rule does not answer many of the questions that contractors have regarding CMMC implementation. As a result, the situation is still uncertain, and many business owners are still in a state of confusion.
The Current CMMC Situation
As of now, the CMMC is not fully rolled out and DFARS is still in effect. In fact, the CMMC Accreditation Body (AB) has stated clearly that the DFARS standard is paramount for CMMC compliance for any DoD contractor that handles CUI, regardless of size.
In short, the CMMC framework is an improved version of the DFARS framework, with an added layer of control in the form of audits and assessments that validate your company’s cybersecurity practices against the standard. These assessments will be performed by independent, certified third-party organizations, and each contractor will be assigned a maturity level ranging from “Basic Cybersecurity Hygiene” to “Advanced/Progressive” (there are 5 levels in total).
For instance, a company working under DFARS that wants to reach level 3 (“Good Cybersecurity Hygiene”) should already have about 85% of the work laid out; this is because, out of the 130 controls, 110 come straight from NIST 800-171, which has been the standard for several years.
Since there were no specialized controls before the CMMC framework, many companies will have gaps. Based on our experience, some of the most common issues are:
- No system security plan
- Incomplete cybersecurity policies
- Missing multi-factor authentication (MFA) and/or encryption
- Incomplete incident response plans
Before applying for a CMMC evaluation, run a complete analysis to assess your current compliance level.
The New DFARS Interim Rule
DoD contractors and subcontractors handling controlled unclassified information have had to self-assess their cybersecurity against the NIST SP 800-171 requirements. This has proven inefficient because contractors lack a well-structured system to support their self-assessment efforts. As a result, there are plenty of gaps and inconsistencies in planning from one business to another.
The Interim Rule is trying to improve this situation by helping contractors grade themselves using a standardized score. This way, each contractor can learn about the NIST SP 800-171 security requirements they still need to work on.
This means that all contractors that work with CUI will have to take the NIST 800-171 Self-Assessment (even if they have already completed one in the past) and then post their result in the Supplier Performance Risk System (SPRS). The DoD cannot award contracts without this new assessment, which follows the scoring methodology specified by the Interim Rule.
Contractors should expect random audits by the Defense Contract Management Agency (DCMA), which will check their self-assessments and final scores.
If you want to stay in the game, your business needs to be in compliance. This means keeping up with the new standards, as challenging as they may be. Our specialists have the necessary knowledge and experience to get you there. We evaluate your business, identify goals, and provide a framework and action plan while protecting your core job functions.
We provide advice and guidance on CMMC compliance rules, ensuring you stay updated with all new developments.
We are ready to become your cybersecurity team or fill the gaps in your cybersecurity program. If you have questions about these topics, don’t hesitate to reach out to our specialists.