Cybercriminals have aimed and continue to attack the DIB industry and the Department of Defense’s network in the desperate hope of pilfering vital intellectual assets and confidential material. Over 300,000 businesses make up the DIB sector, which conducts research, engineering, development, acquisition, production, delivery, maintenance, and operation of military services, facilities, and networks. An assault on the Department of Defense supply chain might jeopardize the US’ technological advancements and benefits and affect the country’s national security.
The CMMC framework was developed by the OUSD(A&S). This methodology is an accreditation process meant to ensure that DIB vendors can secure sensitive data such as CUI and FCI for the Department of Defense.
Here are something you should know about DFARS vs CMMC.
1. CMMC compliance is mandatory for all DoD vendors.
All DoD vendors must get a certification from the CMMC before bidding on a federal project, according to CMMC standards. According to the Department of Defense, contractors’ certification levels are determined by the type of CUI they handle. In June 2020, the Department of Defense will begin adopting minimum certification criteria in requests for information (RFIs) and select proposals (RFPs).
2. Self-assessment is mandatory.
When seeking and organizing a CMMC government contracting evaluation, contractors must work with an autonomous and certified third-party accreditation organization. It is not permitted to self-certify. Vendors determine the certification level they want depending on their company needs. Those who demonstrate the required administrative maturity and capability maturity will be certified at the necessary CMMC stages.
3. To deal with CUI, you’ll require level three certification.
Contractors must have at minimum a level-three accreditation to administer or create CUI. Contractors that get level-three accreditation under the CMMC model are recognized to have implemented the entire NIST SP 800-171 security criteria and have strong cyber security hygiene to tackle cyber threats and can maintain CUI safe. Sophisticated persistent attacks may pose a concern to vendors with level three accreditation (APTs).
4. DFARS is not terminated by CMMC.
There was significant uncertainty when the Department of Defense (DoD) introduced the Defense Federal Acquisition Regulation Supplement (DFARS) for contractors, which contributed to its sluggish implementation. As a result, the Department of Defense developed the CMMC model to assist vendors in developing efficient and robust cybersecurity requirements.
CMMC’s announcement does not imply that DFARS would be phased out. In fact, every DoD contractor who maintains, analyzes, or distributes CUI stands to lose their agreements if they do not meet the DFARS minimal security criteria. A vendor must meet the standards of NIST SP 800-171, which includes 110 controls, to be declared DFARS-compliant. At the pinnacle of the current DFARS standards, the CMMC stage three accreditation only demands 20 new controls. As a result, contractors who comply with the DFARS are around 85 percent qualified for CMMC level three certification.
The CMMC model, in conjunction with NIST 800-171, incorporate cybersecurity standard practices from NIST SP, ISO, AIA NAS, and other sources to build an efficient protection standard. There are now 17 categories in the CMMC framework.