What is the difference between DFARS, FISMA, NIST, and CMMC? Do they have anything in common? The four acronyms all contain regulations and standards that all government contractors must be in compliance with. These sets of regulations and standards are crucial to the current and future success of contractors. Ensure your organization is secure and compliant by understanding the requirements for each.
What is DFARS? DFARS stands for (the) Defense Federal Acquisition Regulation Supplement. This defines a set of cybersecurity regulations and standards required by the Department of Defense. Undoubtedly, cybersecurity has always been a concern for contractors. Particularly, the concern is much stronger for contractors with sensitive information known as “Controlled Unclassified Information”, or CUI. To keep this information safe, DFARS was created in December 2015. DFARS has a lot in common with NIST 800 – 171. Lack of DFARS compliance will result in loss of current and future contracts. As a result, this can hurt the organization’s reputation.
- Audit and Accountability
- Access Control, Awareness and Training
- Configuration Management
- Identification + Authentication
- Incident Response
- Media Protection
- Physical Protection
- Personnel Security
- Risk Assessment
- System and Information Integrity
- Security Assessment
- System and Communications Protection
What is FISMA? FISMA stands for (the) Federal Information Security Management Act. It was enacted in 2002 and it required governmental agencies to have information and security protection programs. Obtaining FISMA compliance is extremely important for data security. This compliance mandate is also part of the E-Government Act of 2002. The main goal of FISMA is to protect CUI while spending less. FISMA is comparable to NIST 800-53.
- Must Maintain Information Systems Inventory
- Categorize Risk
- Keep a Security Plan
- NIST 800 – 53 Controls
- Complete Risk Assessments
- Obtain Certification + Accreditation
NIST 800-171 is a separate, special publication from NIST (National Institute of Standards and Technology) 800- 53. Many of the controls from NIST 800-171 can be mapped back to an equivalent SP 800-53 control. While NIST 800-53 is a requirement for Government-owned networks, NIST 800-171 is designed for non-government computer systems to protect CUI data. Compliance for NIST 800-171 became a mandatory requirement on December 31, 2017. This protects CUI with 110 controls in 14 groups, called families.
CMMC stands for Cybersecurity Maturity Model Certification. It combines the controls from NIST SP 800-171 and from other sources, depending on the level of certification. This is a new model that will replace NIST 800-171 and will be enforced by the DoD. What is the difference? The new CMMC 2.0 contains 3 levels of certification, which will give the contractor a score that will determine your ability to bid on certain contracts. CMMC Level 1 follows Federal Acquisition Regulation (FAR) 52.204-21. Level 2 directly aligns with NIST SP 800-171. Lastly, CMMC Level 3 derives from NIST SP 800-171 and includes some controls from NIST SP 800-172. Certainly, the biggest difference that one will find is that with CMMC, a third-party audit is needed for Levels 2 and 3. Whereas in NIST 800-171, the contractors could perform a self-assessment.
NIST 800-171 is a new version of NIST 800-53 designed specifically for non-federal information systems. FISMA is very similar to NIST 800-53. DFARS is very similar to NIST 800-171. Therefore, if your company is NIST 800-171 compliant, then you are also DFARS and FISMA compliant as well! However, CMMC compliance is still needed. If you’re interested in learning more about these different forms of compliance or how Bravo can help you become compliant, visit our website.
Interested in more ways to secure your business? Fill out the form below to get in contact with one of our compliance experts!