The Department of Defense (DoD) has introduced a cybersecurity certification program for its contractors known as the Cybersecurity Maturity Model Certification (CMMC). The CMMC does not replace the Defense Federal Acquisition Regulation Supplement (DFARS); it builds on the DFARS cybersecurity clause 252.204-7012, first issued in 2013, which requires defense contractors that handle Controlled Unclassified Information (CUI) to implement the security requirements of NIST SP 800-171. What changes under the CMMC is verification: contractors must have their compliance assessed rather than simply attesting to it.
While both DFARS 252.204-7012 and the CMMC are concerned with protecting sensitive DoD data, there are key differences between the two in how compliance is defined and verified. In this article, we explore those differences and explain why companies should be aware of them.
Has DFARS Been Replaced?
DFARS is the DoD's supplement to the Federal Acquisition Regulation and governs DoD contracting generally; it is not itself a cybersecurity standard. Its cybersecurity provisions come from the clause DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), first issued in 2013 and revised in 2015 and 2016, which gave contractors until December 31, 2017 to implement NIST SP 800-171.
The clause sets out specific obligations for contractors that handle covered defense information: implement the 110 security requirements of NIST SP 800-171 (not the NIST Cybersecurity Framework, which is a voluntary risk-management guide), report cyber incidents affecting that information to the DoD within 72 hours, and flow the clause down to subcontractors. DFARS 252.204-7012 remains in force. What the CMMC adds is a layer on top of it, itself imposed through a further DFARS clause (252.204-7021), that requires compliance to be assessed and certified rather than self-declared.
The CMMC is a certification framework intended to protect Federal Contract Information (FCI) and CUI held by defense contractors from cyberattacks. It is built on NIST SP 800-171 and, at its highest level, on a subset of the enhanced requirements in NIST SP 800-172. It defines three levels of required practices that scale with the sensitivity of the information a contractor handles. It does not cover classified information, which is governed by separate rules; every CMMC level concerns unclassified data.
So why did the DoD add the CMMC on top of the existing DFARS requirements? There are several reasons:
- DFARS 252.204-7012 relied on self-attestation. A contractor could claim NIST SP 800-171 compliance without anyone checking, and DoD assessments found that many contractors had not actually implemented the requirements. The CMMC requires independent assessment for most contracts involving CUI: by a certified third-party assessment organization (C3PAO) at Level 2 and by the government at Level 3.
- The CMMC scales requirements to the data. Contractors that handle only FCI are held to the basic safeguarding requirements of FAR 52.204-21, those that handle CUI must implement all of NIST SP 800-171, and those supporting the most sensitive programs must add NIST SP 800-172 requirements aimed at advanced persistent threats.
- The CMMC is easier to enforce. Because each level is tied to a defined set of requirements and a defined assessment type, contracting officers can require a specific level in a solicitation and confirm it through the assessment record before award.
The CMMC 2.0 Updates
The DoD released the first version of the CMMC (CMMC 1.0) in January 2020 with five maturity levels. In November 2021, after an internal review, it announced a streamlined version, CMMC 2.0, intended to reduce the cost and complexity of the original framework, particularly for small businesses.
The CMMC 2.0 makes several significant changes to the original framework, including:
- Collapsing the five maturity levels into three,
- Removing the CMMC-unique practices and maturity processes of version 1.0, so that Level 2 aligns exactly with the 110 requirements of NIST SP 800-171, and
- Allowing limited, time-bound Plans of Action and Milestones (POA&Ms) for unmet requirements, and limited waivers in select mission-critical cases.
The most visible change in the CMMC 2.0 is the new three-level structure, in which the level a contractor needs depends on the type of information it handles rather than on a separate risk rating:
- Level 1 (Foundational): the basic safeguarding requirements of FAR 52.204-21, for contractors that handle only FCI; verified by an annual self-assessment.
- Level 2 (Advanced): the 110 security requirements of NIST SP 800-171, for contractors that handle CUI; verified by a triennial third-party (C3PAO) assessment for most contracts, with annual self-assessment permitted for a subset of programs.
- Level 3 (Expert): Level 2 plus a subset of the enhanced requirements in NIST SP 800-172, for contractors supporting the most sensitive programs; verified by a government-led assessment.
Contractors at Level 2 and above must therefore implement every NIST SP 800-171 requirement, which includes multi-factor authentication for privileged access and for all network access, least-privilege access control over CUI, malicious code protection, audit logging, and FIPS-validated cryptography wherever encryption is used to protect CUI. Level 1 contractors must still meet the basic forms of several of these, such as limiting system access to authorized users and keeping anti-malware protection current.
Incident response requirements come from two directions. NIST SP 800-171, and so CMMC Level 2, requires an operational incident-handling capability covering preparation, detection, analysis, containment, recovery and user response, with incidents tracked, documented and reported to designated officials. Independently of the CMMC level, DFARS 252.204-7012 requires contractors to report cyber incidents that affect covered defense information to the DoD within 72 hours of discovery and to preserve images of affected systems and relevant monitoring data for at least 90 days. Under CMMC 2.0, even Level 1 contractors must demonstrate basic cyber hygiene, not only those at the higher levels.
The CMMC 2.0 updates are an important step toward strengthening the cybersecurity posture of the defense industrial base. They help ensure that contractors handling sensitive DoD data are taking verifiable precautions to protect that data from cyber threats.
Why Adhering To The CMMC 2.0 Framework Is Important
Adherence to the CMMC 2.0 framework matters first because it is becoming a condition of doing business with the DoD, and second because the underlying requirements are sound. The CMMC is based on NIST SP 800-171, which is itself derived from the moderate baseline of NIST SP 800-53, the control catalog used across the federal government. Implementing those requirements forces an organization to inventory where CUI lives, assess its risk posture, and put concrete access-control, monitoring and incident-handling measures in place.
The CMMC's tiered structure also gives organizations a way to measure and demonstrate their cybersecurity maturity. The level required is determined by the information an organization will handle under a given contract, not by the organization's own risk appetite. A Level 2 third-party certification is valid for three years, after which an organization must be reassessed to maintain it; self-assessments at Level 1 and Level 2 must be repeated, and affirmed by a senior company official, annually.
The CMMC provides a comprehensive, risk-based approach to cybersecurity that is tailored to the needs of the DoD. As the CMMC requirement is phased into DoD contracts, organizations that conduct business with the DoD will need the appropriate level of assessment or certification to remain eligible for award.
Obtain Complete CMMC Compliance With The Help Of Experts
Cybersecurity consultants are experts in helping organizations achieve compliance with government regulations including the CMMC 2.0. They can help your company develop and implement a comprehensive security program that meets all of the requirements of the standard, and they will stay up-to-date on the latest changes so you can maintain compliance.
If your company is preparing to achieve CMMC 2.0 compliance, it is important to partner with a qualified cybersecurity consultant to guide you through the process. Contact SeaGlass Technology today at 212-886-0790 to learn more about our services and how we can help you prepare for CMMC 2.0 compliance.