Title : CMMC and DFARS

Posted by : Tariq Azmi | 2020-01-14


We have seen an increasing number of cyberattacks and ransomware incidents in the private and public sectors, and we have all noticed the municipalities and city offices that were attacked in the last few years. The Department of Defense and the US government are paying increasing attention to cybersecurity to ensure that the public and private sectors secure their systems and networks against adversaries with malicious intent. The supply chain and contracting with the US government are no different, and they deserve the same attention.

Any organization that does business with federal government contractors uses systems to store sensitive information. These systems must be secured with the required compliance controls. A federal government contractor could be a business in the private sector, a research and development facility, or a university performing research.

In 2007, the federal government established the Defense Industrial Base (DIB) Cybersecurity Task Force. The U.S. Government is asking you to protect Controlled Unclassified Information (CUI). As of 2015, DoD contracts require Safeguarding Covered Defense Information (CDI), a type of CUI, and Cyber Incident Reporting under DFARS clause 252.204.7012. CDI is typically stored in Covered Contractor Information Systems: systems that store, process, generate, transmit, or access DoD-related Controlled Unclassified Information (CUI).

DFARS was put into effect in 2016 as a way to help government contractors better protect sensitive data flowing in and out of their organizations. Since then, the United States has continued to put stronger security regulations in place to promote cybersecurity, such as the standards from the National Institute of Standards and Technology (NIST). It is under the DFARS clause that contractors must apply the cybersecurity requirements of NIST SP 800-171. Contractors and subcontractors with access to covered defense information have been self-certifying their compliance with DFARS clause 252.204.7012 since 2017.

Through the CMMC framework, DoD is telling defense contractors that security is paramount and that they must meet certain cybersecurity standards to work for DoD in the future. The CMMC is the next step in an iterative process that began several years ago. To address the need for improved cybersecurity amid increasingly insidious threats, the DoD directed the Defense Industrial Base of government contractors to adopt stronger cybersecurity practices in the form of the NIST 800-171 standard, giving them a target date of Dec. 31, 2017, to come into full compliance with the standard. Compliance was to be based on a self-assessment by each contractor. The standard lacked any mechanism for third-party validation of the contractor's self-assessment, as well as any way to track how a contractor was responding to areas of concern identified in its System Security Plan. The December 2017 deadline passed with only partial adoption among the Defense Industrial Base and a very uncertain compliance status.

The limited success of the NIST 800-171 cyber initiative prompted the DoD to seek another way to ensure an appropriate level of cybersecurity and document contractor status in a manner readily visible to contracting officers. The resulting Cybersecurity Maturity Model Certification unveiled by DoD in 2019 provided a new compliance framework for cybersecurity for DoD acquisitions.

The interim rule for implementing the Cybersecurity Maturity Model Certification (CMMC) program will eventually lead all DoD contractors to obtain CMMC certification. Serving as the basis for the interim rule, DFARS 252.204.7012 triggers your compliance with NIST SP 800-171.

The new CMMC framework also requires third-party certification. Contractors and suppliers will need an independent third-party assessment organization (C3PAO) to conduct the assessment and certification.

WHO MUST FOLLOW CMMC? All DoD contractors and suppliers in the supply chain. Any organization that wants to do work for the DoD and bid on a project must be CMMC certified.