What is DFARS compliance and what does it mean for your business? There are many ways to answer that question, but in simple terms, the Defense Federal Acquisition Regulation Supplement is the legal text that dictates your cybersecurity obligations as a contractor with the Department of Defense. It can be helpful to imagine your compliance with DFARS in three parts:
- DFARS
- NIST 800-171
- CMMC and CMMC 2.0
Think of DFARS as the mandate. This is the written text that establishes your responsibility to follow the DoD’s cybersecurity guidelines. NIST 800-171 is a document drafted by the National Institute of Standards and Technology. It lays out the DoD’s expectations for how your networks are to be configured and secured. Finally, there is CMMC. In short, CMMC is the DoD’s accountability measure: the framework that verifies contractors are abiding by DFARS according to NIST 800-171. CMMC is the most recent piece of DFARS compliance, and many find it difficult to understand. Luckily, many contractors find the program’s revisions under CMMC 2.0 easier to navigate.
The original CMMC framework fortified NIST 800-171 by organizing its tenets into five levels of maturity and establishing an accreditation body to assess the compliance of contractors via a third party. Prior to CMMC, contractors were able to self-certify the integrity of their systems. CMMC initially made all contractors across the DIB subject to third-party assessments. If a contractor was found to be non-compliant with CMMC, they would be ineligible to bid for contracts. This is changing under CMMC 2.0.
Some firms felt that the third-party assessment requirements were too stringent given the nature of their business. In response, the Department of Defense revised these requirements to make them more contextual. CMMC 2.0 makes three critical changes:
- Revises the original five maturity levels down to three
- Significantly decreases the number of firms subject to audit
- Allows non-compliant firms to bid for contracts, provided they submit a compliance timeline.
CMMC 2.0 is designed to make the DIB more secure without unnecessarily burdening the businesses that make it run. When it comes to your firm’s relationship with CMMC 2.0, the information you handle is the most important factor.
There are two forms of information that are pertinent to the CMMC 2.0 discussion:
- Controlled Unclassified Information (CUI)
- High-Value Assets
If your firm does not handle either of these, then you will be classified under CMMC Level 1 and will have no obligation to submit to an accreditation service. You will be allowed to self-certify the integrity of your systems. Firms that handle CUI only will need to determine if their CUI is considered Critical National Security Information. If a firm handles CUI that is not considered CNSI, then it will also be allowed to self-certify. Firms that do handle CNSI will be subject to an audit every three years.
Firms that handle any form of High-Value Asset have the strictest requirements. While information is still emerging, firms with a duty to handle HVA are expected to be assessed directly by the government rather than a third-party service.