The DOD launched DFARS — the Defense Federal Acquisition Regulations System — in 2015 to help ensure that its contractors took the measures needed to protect sensitive data from cybersecurity attacks.
Even with CMMC 2.0 looming in the near future, DFARS is still relevant.
What is DFARS?
The U.S. Department of Defense (DOD) released DFARS Clause 252.204-7012 in 2015, establishing for the first time new cybersecurity requirements for supply chain contractors and organizations in the Defense Industrial Base (DIB).
The new DFARS clause:
- Aligns with NIST SP 800-171’s 110 cybersecurity controls
- Was first introduced as a voluntary requirement; today it is mandatory
- Was still not met by many contractors as of 2019, leading to the development and release of CMMC 2.0
- Can be found in over one million prime and subcontracts today
What’s the difference between DFARS and CMMC?
Between 2019 and 2021, the DOD released and subsequently revised CMMC to augment and eventually replace DFARS. There are similarities and differences.
- Both were created to protect CUI and other sensitive data
- Both align with NIST 800-171 controls
- DFARS allows self-assessment; CMMC 2.0 requires third-party assessment
- DFARS is not tiered; CMMC defines 3 compliance levels
Do you need both DFARS and CMMC?
Both DFARS and CMMC are relevant. DFARS Clause 252.204-7012 currently is included as mandatory in many if not most DOD RFIs, RFQs and RFPs, and CMMC 2.0 is expected to become mandatory by mid-2023.
Focusing on NIST 800-171 compliance will cover both DFARS 252.204-7012 and CMMC 2.0.
Every solution begins with a conversation.
Contact us today for a no-obligation discussion of CMMC 2.0 compliance, what's required, what you may need and what we can do to provide it. We've helped hundreds of DOD contractors. We can help you.