Organizations that contract with the U.S. military deliver essential goods and services that support national defense. To qualify for and maintain these contracts, companies must meet strict cybersecurity and compliance requirements, especially when handling sensitive government data.
Three frameworks form the foundation of these requirements: CMMC, NIST, and DFARS. Understanding how they overlap and work together is key to staying compliant, avoiding penalties, and securing future contracts.
Is your organization ready for full DoD compliance? Schedule a consultation to find out.
CMMC, NIST, DFARS, and Defense Industrial Base Security
Organizations that contract with the Department of Defense (DoD) make up the Defense Industrial Base (DIB). Every single entity in this community comes into contact with large amounts of sensitive information that needs to be protected. The DoD has worked with other governmental and private agencies to develop and maintain security standards to that effect.
In a nutshell, DoD compliance comprises three unique but interconnected frameworks:
- The Cybersecurity Maturity Model Certification (CMMC) program
- National Institute of Standards and Technology (NIST) regulations
- Defense Federal Acquisition Regulation Supplement (DFARS) rules
CMMC is the most comprehensive suite for the purposes of all potential and current DoD contractors; working with a CMMC compliance partner will help you prepare for the future.
The Cybersecurity Maturity Model Certification Program
CMMC is a regulatory framework developed by the DoD and other governmental stakeholders to optimize cybersecurity across the DIB. Its primary goals are related to two forms of data that are present in DIB ecosystems: Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). A contractor’s Level and requisite controls depend on which of these kinds of data they process, to what extent, and the amount and severity of threats to the sensitive data.
Currently, the DoD Chief Information Officer (CIO) oversees the CMMC program as the primary compliance authority. Recent updates aim to streamline accessibility for both current and prospective DoD contractors.
Given the newness and dynamism of the program, many organizations may be accustomed to language that has only recently been updated. For example, many organizations were preparing for compliance with one of five “Maturity Levels” in an earlier form of CMMC.
Governing bodies have changed as well, as the program used to be run by the Office of the Undersecretary of Defense for Acquisition & Sustainment (OUSD (A&S))—now, as noted above, it’s the DoD CIO.
These changes extend to the assessment ecosystem, which we’ll cover in detail below.
How CMMC 2.0 Compares to Earlier Versions of the Program
The biggest changes to CMMC in recent years have been to the framework itself and to the assessment ecosystem (see below). On both fronts, the changes have been in service of making compliance more streamlined and straightforward for every party involved.
The CMMC 2.0 framework comprises 134 total possible controls that contractors need to implement and maintain, depending on which Level they fall into. Unlike prior editions, these controls are direct adaptations of NIST controls (rather than similar and loosely based on them).
As of CMMC 2.0, there are three levels that DoD contractors can be categorized into:
- CMMC 2.0 Level 1 – Tailored for organizations handling only Federal Contract Information (FCI), with minimal cybersecurity risks and requirements. There are 15 requirements aligned with NIST SP 800-171 (see below), and organizations are able to perform annual self-assessments to comply.
- CMMC 2.0 Level 2 – Focuses on organizations managing Controlled Unclassified Information (CUI) alongside FCI. It encompasses 110 requirements aligned with NIST SP 800-171 and typically requires triennial third-party assessments with annual affirmations.
-
-
- This level of maturity is roughly equivalent to Level 3 in earlier versions of CMMC. The intermediate Level 2 was phased out in service of simplification.
-
- CMMC 2.0 Level 3 – Designed for organizations that process CUI and FCI in high-risk environments with advanced persistent threats (APTs). There are 134 requirements from SP 800-171 and 800-172 (see below) with government-led assessments for compliance.
-
- Similarly, this final level is equivalent to Level 5 in earlier versions of CMMC. An intermediate Level 4 was phased out in favor of full APT protection at this stage.
As these breakdowns illustrate, understanding the NIST frameworks from which CMMC derives its requirements is essential to their implementation, assessment, and long-term maintenance.
The Impact of NIST Special Publications on the DIB
NIST’s Special Publications influence most if not all frameworks that apply to governmental offices and the private organizations they work with. In the case of CMMC, NIST SP 800-171 and 172 form the basis of the controls and sensibilities that DoD contractors implement to comply. When you implement the CMMC, you are essentially implementing NIST’s controls.
NIST SP 800-171 and NIST SP 800-172 both comprise controls meant to protect CUI. The former defines Basic and Derived Security Requirements, which loosely correspond to CMMC 2.0 Levels 1 and 2, respectively (see below). NIST SP 800-172 expands on these by introducing Enhanced Security Requirements specifically designed to address and mitigate APTs.
Here is an overview of all Requirements across both documents by Requirement Family:
- Access Control – Restriction, monitoring, and control over access to sensitive systems
-
-
- Two Basic Security Requirements
- 19 Derived Security Requirements
- Three Enhanced Security Requirements
-
- Awareness and Training – Baselines for training and assessing staff for awareness
-
-
- Two Basic Security Requirements
- One Derived Security Requirement
- Two Enhanced Security Requirements
-
- Audit and Accountability – Schedules and minimum requirements for regular auditing
-
-
- Two Basic Security Requirements
- Seven Derived Security Requirements
-
- Configuration Management – Baseline settings required on all organizational assets
-
-
- Two Basic Security Requirements
- Seven Derived Security Requirements
- Three Enhanced Security Requirements
-
- Identification and Authentication – User identity, account, and credential management
-
-
- Two Basic Security Requirements
- Nine Derived Security Requirements
- Three Enhanced Security Requirements
-
- Incident Response – Protocols for mitigation and recovery in the event of an incident
-
-
- Two Basic Security Requirements
- One Derived Security Requirement
- Two Enhanced Security Requirements
-
- Maintenance – Scheduling for regular and special event updates and repair work
-
-
- Two Basic Security Requirements
- Four Derived Security Requirements
-
- Media Protection – Safeguards for onboarding, managing, and terminating devices
-
-
- Three Basic Security Requirements
- Six Derived Security Requirements
-
- Personnel Security – Protections during recruitment, hiring, and personnel moves
-
-
- Two Basic Security Requirements
- Two Enhanced Security Requirements
-
- Physical Protection – Restrictions on physical and proximal access to sensitive data
-
-
- Two Basic Security Requirements
- Four Derived Security Requirements
-
- Risk Assessment – Mandates for risk monitoring, analysis, and overall mitigation
-
-
- One Basic Security Requirements
- Two Derived Security Requirements
- Seven Enhanced Security Requirements
-
- Security Assessment – Regular system-wide assessments to ensure efficacy
-
-
- Four Basic Security Requirements
- One Enhanced Security Requirement
-
- System and Communications Protection – Controls across communications
-
-
- Two Basic Security Requirements
- 14 Derived Security Requirements
- Five Enhanced Security Requirements
-
- System and Information Integrity – Protections for confidentiality and privacy
-
- Three Basic Security Requirements,
- Four Derived Security Requirements
- Seven Enhanced Security Requirements
Note that while NIST’s Basic and Derived Requirements inform CMMC 2.0 Levels 1 and 2, they do not directly correspond in a one-to-one manner. For example, Access Control has two Basic Security Requirements in NIST, but there are four AC requirements for CMMC 2.0 Level 1.
However, there is a direct correspondence between Enhanced Requirements and CMMC 2.0 Level 3—only organizations at that level are expected to implement these advanced controls.
How DFARS Shapes DoD and DIB Cybersecurity
DFARS serves as the foundational regulation driving the need for CMMC and NIST compliance across the Defense Industrial Base (DIB). The Federal Acquisition Regulation (FAR) applies to all executive agencies and sets up parameters for their dealings with entities across the public and private sectors.
DFARS is a supplement to these rules that applies specifically to the branches of the US Military. Given the scope and sensitivity of the DoD’s relationship-building, DFARS places special emphasis on security and privacy.
In essence, several SFARS clauses within DFARS 252.204 stipulate that contractors working with the US Military need to conduct assessments to ensure compliance with NIST. The CMMC program was born out of an effort to simplify and streamline these requirements.
In a nutshell, NIST’s standards have always been what US Military contractors have needed to achieve, per DFARS. CMMC streamlined these requirements into a more accessible implementation and assessment scheme, and DFARS is the baseline document that requires CMMC and NIST.
What this all means in practice is that CMMC is the regulation to focus on for contractors.
Assessments for CMMC and DoD Compliance
As noted above, recent changes to CMMC have impacted the assessment ecosystem. In particular, more organizations are now eligible to self-assess, and the processes and oversight over high-level assessments have changed. While the DoD CIO is in charge of overall CMMC governance, it’s not the only entity overseeing assessments.
Other players are the Cyber-AB (formerly the CMMC Accreditation Body) and DIB Cybersecurity Assessment Center (DIBCAC).
Organizations at CMMC 2.0 Level 1 are generally eligible to self-assess their implementation. A Level 1 Self-Assessment Guide is available from the DoD CIO. However, it is still recommended for these organizations to work closely with an advisor to ensure their assessments go smoothly.
The vast majority of organizations seeking CMMC compliance should be targeting Level 2. This involves full coverage of NIST SP 800-171 and, maybe more critically, a third-party assessment.
These assessments need to be conducted by Certified Third Party Assessment Organizations (C3PAOs), who themselves go through rigorous vetting via the Cyber AB. Working with an advisor in the run-up to formal assessment helps, and the best C3PAO partners can also provide comprehensive support in scoping, preparation, and implementation processes.
Organizations at CMMC 2.0 Level 3 also have their work cut out for them, as they need to undergo a government-led assessment through DIBCAC. As with Levels 1 and 2, organizations should work with an advisor to prepare for these formal triennial assessments.
Prepare for Full DoD Compliance, Efficiently
Together, DFARS, NIST, and CMMC create a cohesive framework to secure sensitive data within the Defense Industrial Base, safeguarding national security and operational integrity.
By extension, they ensure the security of the armed forces and of Americans across the country and the world. Understanding the interplay between these frameworks and rulesets is essential to establishing a relationship with the DoD.
RSI Security is a fully accredited C3PAO vetted and listed by the Cyber-AB. Our experience working with military and other government contractors is extensive, and we’ve been helping organizations prepare for full DoD compliance since long before the current version of CMMC was released. We know that discipline upfront unlocks the freedom to grow in the long run.
Get a clear roadmap to CMMC compliance, download our checklist and prepare for certification with confidence.