What’s the Difference between DFARS and CMMC?

Defense Federal Acquisition Regulation Supplement (DFARS) is a set of policies that pertain to Defense Department procurement and acquisition of supplies or services, as well as the Defense Acquisition System. Cybersecurity Maturity Model Certification (CMMC) is a framework used by businesses to assess their cybersecurity risks and deficiencies by identifying possible areas for improvement.

DFARS contains clauses related to Defense-unique acquisition policies and procedures. CMMC identifies weaknesses in an organization’s security profile and gives recommendations on how to address them, with the goal of achieving a higher level of maturity in terms of business resilience, risk management, decision-making capabilities, and accountability.

Differences between DFARS and CMMC include the following:

1. DFARS is a subset of the Defense Acquisition Regulations (DAR), whereas CMMC is an adaptation of the National Institute of Standards and Technology Cybersecurity Framework.
2. DFARS applies to Defense Department procurement, while CMMC pertains to all cybersecurity-related activities of the business.
3. DFARS focuses on Defense Department acquisition processes, procedures, policies, etc., whereas CMMC provides steps for developing a plan to resolve risks identified during assessment.
4. Once Defense contractors have implemented DFARS clauses, compliance with Defense standards can be audited through Defense audits or inspections conducted by the Defense Contract Audit Agency (DCAA). Compliance with CMMC is assessed when third-party assessors are engaged to conduct an independent review process that is managed by Defense contractors.
5. DFARS includes various clauses covering Defense-unique aspects of Defense Department acquisition, such as requiring Defense contractors to obtain price and availability estimates from the Defense Contract Pricing and Analysis Center (DCPAAC) for commercial items estimated at over $5 million. CMMC is not limited to Defense Department procurement policies; rather, it helps develop a business’s cybersecurity risk management maturity model with the goal of improving its security profile in all activities related to cybersecurity.
6. DFARS requires Defense contractors to verify that each supplier has acceptable cybersecurity practices before granting them access to Defense information systems or networks, whereas CMMC provides recommendations on how Defense contractors can improve their cybersecurity practices when dealing with suppliers.
7. Defense contractors may use DFARS to meet Defense Acquisition Requirements Document (ARD) requirements. Defense contractors can also choose to use CMMC without having any Defense Department contracts, as long as their cybersecurity practices are improved, which leads to better security for all their operations and activities.
8. DFARS requires Defense departments and contractors to have a plan in place for responding to cyber incidents, including mitigating the adverse effects of cyber incidents on Defense missions, whereas CMMC provides specific recommendations on how a business’s cybersecurity risks and deficiencies should be addressed through a plan tailored to each organization.
9. Defense contracting officers determine which DFARS clauses apply based on the nature of the contract being made with Defense contractors. They likewise determine which cybersecurity practices to verify with Defense contractors during the assessment process, before granting those contractors access to Defense information systems or networks, based on the nature of the contract being made with the Defense Department or its contractors. Even though the Defense Department has included CMMC in DFARS, Defense contractors can still use CMMC outside Defense Department contracts to improve their cybersecurity risk management maturity model.
10. DFARS is a subset of DAR, while CMMC is an adaptation of the NIST Cybersecurity Framework. Defense contractors are expected to adhere strictly to all DFARS clauses, while assessing compliance with existing cybersecurity-related policies should be done separately from DFARS requirements when using CMMC for an improved security posture that covers all other activities not related to Defense Department contracts.

If Defense contractors use both DFARS and CMMC: Defense contractors must satisfy all Defense-unique DFARS requirements under their Defense Department contracts, while assessing compliance with cybersecurity-related policies using CMMC should be done separately from those Defense Department contracts.