To understand the difference between DFARS and CMMC, it is helpful to know why the Department of Defense (DoD) created the Cybersecurity Maturity Model Certification (CMMC) in the first place.
The DoD created CMMC as a “verification component” of the Defense Federal Acquisition Regulation Supplement (DFARS) law. What does “verification component” mean? When DFARS 7012 was originally passed, DoD contractors only needed to state that they had implemented the cybersecurity controls required by DFARS. Basically, implementation was based on trust. This resulted in a poor adoption rate within the Defense Industrial Base, which pushed the DoD to clamp down and create a verification mechanism to ensure that DoD suppliers were in fact compliant with DFARS. CMMC is still being rolled out, and this verification mechanism will come in the form of third-party audits performed by CMMC Third-Party Assessor Organizations (C3PAOs).
In short, DFARS is the legal text for the cybersecurity requirements that all DoD suppliers must follow, and CMMC will be the verification mechanism for ensuring that it’s actually being implemented.
With the new CMMC 2.0 model, not all DoD contractors will be subject to a third-party assessment; only those working on what the DoD calls “prioritized acquisitions” will be. The rest will only be required to perform a self-assessment and affirm their compliance annually. The DoD has not yet announced how it will prioritize acquisitions.
Still, with the Department of Justice (DOJ) announcement that it will start pursuing government contractors who falsify cybersecurity affirmations, it is imperative that contractors have the documentation and evidence to back up their affirmation of compliance, even if they will not be assessed by a C3PAO.
If you are a DoD contractor and want to learn more about how to prepare your organization for DFARS and CMMC, read our CMMC Compliance Guide or contact us for more information about how SysArc can help you meet DFARS requirements and prepare for CMMC.