“Compliance does not equal security”
– Robert Carey, Former Navy CIO
What is DFARS?
The Defense Federal Acquisition Regulation Supplement, or DFARS, was launched by the Department of Defense (DoD) in 2016 to help protect Controlled Unclassified Information (CUI). These standards were created to help secure the Defense Industrial Base (DIB) and are based on NIST 800-171. Organizations are required to be compliant with NIST 800-171 and are able to self-assess their compliance. Additionally, organizations are allowed to not be fully compliant with NIST 800-171 at the time of contract award if they have a System Security Plan (SSP) in place to address the gaps. There are four main DFARS standards to know:
- DFARS 7012 – requires contractors to provide "adequate security" for covered defense information that is processed, stored, or transmitted on the contractor's internal information system or network, and requires organizations to comply with NIST 800-171.
- DFARS 7019 – requires organizations to report their score in SPRS (the Supplier Performance Risk System), and defines what contracting officers are required to do when awarding or denying contracts based on those results.
- DFARS 7020 – requires organizations to provide access to the facilities, systems, and personnel necessary for the Government to conduct a Medium or High NIST SP 800-171 DoD Assessment.
- DFARS 7021 – requires organizations to be CMMC certified.
How does it compare to CMMC?
DFARS requires all companies to be NIST 800-171 compliant, while CMMC exempts some companies that do not come in contact with CUI: they need only follow 17 basic practices rather than all 110 controls. CMMC also has a Level 3, called Expert, that requires companies handling critical CUI to follow a subset of additional controls from NIST 800-53 in addition to all 110 controls from 800-171 in order to reach compliance. More details will come out at a later date, once the DoD finishes the rulemaking process. DFARS not only requires companies to be 800-171 compliant, but also adds requirements on how companies must report their score and provide access to their facilities.
The biggest difference is in how organizations are audited on their compliance. Under DFARS, organizations have been able to self-attest their compliance. Under CMMC, the majority of organizations will be required to have third-party auditors test their compliance.