DFARS and CMMC Compliance

DFARS and CMMC Compliance for Defense Contractors

The Department of Defense (DoD) has implemented regulations to protect sensitive information processed, stored, or transmitted by defense contractors.

These regulations, outlined in the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012, require compliance with the National Institute of Standards and Technology SP 800-171 to protect controlled unclassified information and stipulate incident reporting obligations and various considerations for cloud providers.

Complying with DFARS requirements is mandatory for organizations that contract with the Department of Defense in order to guarantee adequate security.

In September 2020, the Department of Defense released an updated set of regulations, referred to as the Interim Rule, which introduced several DFARS requirements that expanded on the initial DFARS Clause 252.204-7012.


The rule includes some of the following:

DFARS 252.204-7019 Notice of NIST SP 800-171 DoD Assessment Requirements – which requires that the defense industrial base (DIB) contractor undergo self-evaluations that meet the NIST SP 800-171 DoD Assessment Methodology at least every three years and that the summary level scores of these evaluations are posted in the DoD Supplier Performance Risk System (SPRS).

DFARS 252.204-7020 NIST SP 800-171 DoD Assessment Requirements – which requires that DIB contractors provide access to their facilities, systems, and personnel when the DoD is conducting a Medium or High NIST SP 800-171 assessment.

DFARS 252.204-7021 Cybersecurity Maturity Model Certification (CMMC) Requirements – which requires that defense industrial base (DIB) contractors possess a valid CMMC certificate at the necessary level for the contract, which must be no older than 3 years, and maintain that certification throughout the duration of the contract.

These changes mean that a standalone self-attestation of compliance with DFARS 252.204-7012 by DIB contractors will no longer be enough to meet DoD contractual requirements.

Instead, the DoD has mandated that DIB contractors furnish evidence of the DFARS 252.204-7012 self-attestation and an independent third-party Cybersecurity Maturity Model Certification (CMMC) to qualify for DoD contracts.

This means that defense contractors must not only comply with the regulations outlined in DFARS 252.204-7012, but also undergo independent assessments and obtain certification at the appropriate level to be eligible for DoD contracts.

The CMMC framework helps ensure that all DIB contractors have the necessary cybersecurity controls and practices to protect sensitive information.

This safeguards sensitive information and protects United States national security. By mandating the use of the CMMC, the DoD is taking a proactive approach to addressing potential cyber threats and vulnerabilities in the defense industrial base and ensuring that contractors are equipped with the cybersecurity capabilities needed to protect sensitive information.


Resources:

Cybersecurity Maturity Model Certification (CMMC)

Cyber AB

Defense Federal Acquisition Regulation Supplement (DFARS)

Computer Security Resource Center

Office of the Under Secretary of Defense for Acquisition and Sustainment, Department of Defense (DoD)

Navigating CMMC and DFARS Cyber Security

Compliance Standards and Regulations

Why CMMC Compliance Matters for Government Contractors?

SP 800-171 Guidelines for Sensitive Information

Why is CMMC Compliance Essential for Defense Contractors?