DFARS Cybersecurity Requirements and CMMC
DFARS Cybersecurity Requirements
Clause 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting
If your company sells products to the Department of Defense (DoD), you are required to comply with the minimum cybersecurity standards set by DFARS.
All DoD contractors that process, store or transmit Controlled Unclassified Information (CUI) must meet DFARS minimum security standards. Contractors who do not meet these minimum standards risk losing their DoD contracts and losing out on future contract bids.
This DFARS subpart applies to contracts and subcontracts requiring contractors and subcontractors to safeguard covered defense information that resides in, or transits through, covered contractor information systems by applying specified network security requirements. It also requires reporting of cyber incidents.
DFARS provides a set of adequate security controls to safeguard information systems where contractor data resides. Based on NIST Special Publication 800-171 “Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations”, manufacturers must implement these security controls through all levels of their supply chain.
DFARS requirements also include developing a plan of action and milestones (POA&M) and a system security plan (SSP).
DFARS: Additional Resources:
- DIBNet Portal: the official gateway for reporting cyber incidents for DoD contractors and subcontractors
- The DoD Frequently Asked Questions web page addresses common questions on the implementation of DFARS cybersecurity requirements.
- NIST documents for protecting controlled unclassified information in nonfederal systems and organizations:
CMMC: The Cybersecurity Maturity Model Certification
The Cybersecurity Maturity Model Certification (CMMC) 2.0 aims to protect Federal Contract Information [FCI], unclassified information that is to be protected from public disclosure, and Controlled Unclassified Information [CUI], information that requires safeguarding or dissemination controls.
While DFARS 252.204-7012 allowed businesses to “self-attest” to compliance with NIST SP 800-171, CMMC 2.0 will require businesses to demonstrate compliance according to a three-tiered maturity system which will require “triennial third-party assessments for critical national security information; annual self-assessment for select programs.” Any organization in the DoD supply chain that processes, stores and/or transmits CUI as well as any organization that provides protection for CUI/FCI are required to demonstrate their compliance with CMMC.
There are three levels within the CMMC. The most common expectation will be for businesses to demonstrate compliance with level 2, demonstrating cybersecurity practices in line with the 110 controls within NIST 800-171 prior to being awarded a contract. The required level for a contract will be determined by the type and amount of CUI a contractor will handle during the contract and will be stated in the contract.
CMMC: Additional Resources:
Cybersecurity Toolkit for Small Businesses and Manufacturers
Discover and learn about the cybersecurity concepts that can be incorporated into your implementation plan to help secure your business and enable you to enter or continue DoD contracts by meeting the NIST 800-171 requirements. Concepts can be applied across all industries and sectors and are not limited to DoD contractors. Included with this education and awareness toolkit is a complete gap assessment, planning and documentation tool for NIST 800-171 compliance.
Ready to Start Your DFARS and CMMC Compliance Journey?
Contact us today to get started on your journey to DFARS and CMMC compliance!