The Differences Between DFARS, FISMA, NIST, and CMMC

What are the differences between DFARS, FISMA, NIST, and CMMC? Do they have anything in common? All four acronyms refer to sets of regulations and standards that government contractors must follow, and these regulations and standards are crucial to the current and future success of those contractors.


What is DFARS? DFARS stands for the Defense Federal Acquisition Regulation Supplement. It defines a set of cybersecurity regulations and standards required by the Department of Defense. Cybersecurity has always been a concern for contractors, and the concern is much stronger for contractors that handle sensitive information known as Controlled Unclassified Information, or CUI. DFARS was created in December 2015 to keep this information safe. DFARS has a lot in common with NIST SP 800-171. Lack of DFARS compliance will result in the loss of current and future contracts, and it can also hurt the company's reputation.

Requirements: Audit and Accountability, Access Control, Awareness and Training, Configuration Management, Identification and Authentication, Incident Response, Media Protection, Maintenance, Physical Protection, Personnel Security, Risk Assessment, System and Information Integrity, Security Assessment, System and Communications Protection


What is FISMA? FISMA stands for the Federal Information Security Management Act. This law was enacted in 2002 and requires government agencies to have information security protection programs. FISMA is extremely important for data security. FISMA is also part of the E-Government Act of 2002. The main goal of FISMA is to protect CUI while spending less. FISMA is comparable to NIST SP 800-53.

Requirements: Maintain an Information Systems Inventory, Categorize Risk, Keep a Security Plan, Implement NIST SP 800-53 Controls, Complete Risk Assessments, Obtain Certification and Accreditation, Monitor


NIST SP 800-171 is a separate Special Publication from NIST SP 800-53, and many of its controls can be mapped back to an equivalent SP 800-53 control. While NIST SP 800-53 is a requirement for government-owned networks, NIST SP 800-171 is designed for non-government computer systems that store or process CUI. NIST SP 800-171 compliance became a mandatory requirement on December 31, 2017. It protects CUI with 110 controls in 14 groups, called families.

CMMC stands for the Cybersecurity Maturity Model Certification. CMMC combines the controls from SP 800-171, SP 800-171B (Enhanced Security Requirements for Critical Programs and High-Value Assets) and other sources. It is a new model that will replace NIST SP 800-171 and will be enforced by the DoD. What is the difference? CMMC contains 5 levels of certification, which give the contractor a score that determines its ability to bid on certain contracts. The biggest difference one will find is that CMMC requires a third-party audit, whereas under NIST SP 800-171 contractors could perform a self-assessment.

Compliance Overview

NIST SP 800-171 is a new version of NIST SP 800-53 designed specifically for non-federal information systems. FISMA is very similar to NIST SP 800-53, and DFARS is very similar to NIST SP 800-171. Therefore, if your company is NIST SP 800-171 compliant, then you are also DFARS and FISMA compliant! However, CMMC compliance is still needed.

