Cybersecurity regulation for the Defense industry

DFARS and CMMC

Enforcing cybersecurity compliance through the defence procurement process.

An overview of DFARS and CMMC

CMMC is being discussed by the U.S. DoD, U.S. regulators and the global defense industry, and is likely to become enforceable on DoD contracts in 2024 or 2025. However, DoD contractors and subcontractors have to be clear that CMMC is a DFARS regulation; it is not a separate regulation called CMMC. CMMC is defined under DFARS 252.204-7021 (“DFARS 7021”) and simply extends the existing, already enforced clauses DFARS 252.204-7012 (“DFARS 7012”), DFARS 252.204-7019 (“DFARS 7019”) and DFARS 252.204-7020 (“DFARS 7020”) for ‘Safeguarding Covered Defense Information and Cyber Incident Reporting’. DFARS 7012 is an important clause for the safeguarding of Controlled Unclassified Information (CUI): it requires covered contractors to implement, as a minimum, the 110 cybersecurity practices defined in NIST SP 800-171 across the contractor's covered information systems that create, store, process or transmit CUI.

DFARS 7012 is a solicitation provision and contract clause defined in 48 CFR § 204.7304 (Title 48, Code of Federal Regulations, Chapter 2 ‘Defense Acquisition Regulations System, Department of Defense’, Part 204 ‘Administrative and Information Matters’, Sub-Part 204.7303 ‘Solicitation provisions and contract clauses’). This means that DoD includes DFARS 7012 in contracts, and should have done so since December 31st 2017. It is a clause that covered defense contractors are required to ‘flow down’ to their subcontractors where the performance of a subcontract involves covered defense information. DoD contractors were required to self-attest compliance with DFARS 7012 prior to November 30th 2020. However, as part of the process for the DoD to implement the CMMC program, the DoD released an interim final rule creating DFARS 7019 and DFARS 7020. These require DoD contractors and subcontractors to assess their compliance against NIST SP 800-171A, to submit their scores directly to the DoD Supplier Performance Risk System (SPRS) in order to be considered for a DoD contract or subcontract, and to provide the U.S. government with access to their facilities, systems and personnel so that the DoD can conduct follow-up assessments of compliance. These are DFARS regulations that are being applied today.

The CMMC clause: DFARS 7021, the ‘CMMC clause’, has not yet been applied, as it is currently being added to Title 48 CFR. It extends DFARS 7019 and 7020 and requires covered defense contractors and subcontractors to submit to SPRS a certificate of compliance with NIST SP 800-171. That certificate requires an independent audit by a certified third-party organisation that is accepted by the DoD. There is as yet no confirmed date for CMMC compliance. Irrespective of this, DFARS 7012, 7019 and 7020 are contractual requirements that are enforceable by the DoD as of late 2017 and 2020.

CMMC-EU are founding members of the DoD CMMC Accreditation Body (CMMC AB) Standards working group. We designed the CMMC 1.0 assessment methodology for the oversight and assurance of NIST SP 800-171 and CMMC. We have created this platform to help users understand the requirements for NIST SP 800-171 and CMMC compliance and the underlying history of the compliance requirements. We are not a third party assessor organisation (C3PAO) or third party assessors. There are no CMMC accreditation organisations or assessors in the EU at present. The Cyber AB and DoD only allow U.S. citizens to run C3PAO organisations and to be third party assessors.

We provide the appropriate guidance and support for organisations to comply with the cybersecurity requirements outlined by both NIST SP 800-171 and CMMC, and with the broader deployment of cyber risk management solutions for compliance with regulations that include the Securities and Exchange Commission's (SEC) cybersecurity risk management proposal, EU NIS2, the Digital Operational Resilience Act (DORA) and the Cyber Resilience Act (CRA).