

What are DFARS, ITAR, AND CMMC Regulations?

In the landscape of defense contracting and cybersecurity, compliance with regulatory frameworks is more than a best practice; it is a matter of national security. Three regulations stand out in this realm: the Defense Federal Acquisition Regulation Supplement (DFARS), the International Traffic in Arms Regulations (ITAR), and the Cybersecurity Maturity Model Certification (CMMC). Although these frameworks are enforced by different government agencies, together they shape how defense contractors and the companies in their supply chains handle sensitive information and technology.


Understanding DFARS

Enforced by the Department of Defense (DoD), the Defense Federal Acquisition Regulation Supplement (DFARS) is a supplement to the Federal Acquisition Regulation (FAR). DFARS ensures that DoD contractors adhere to cybersecurity requirements specifically tailored to protecting controlled unclassified information (CUI).

CUI is information that is not classified but is nonetheless regarded as sensitive and requires safeguarding. It is a broad term that encompasses several different types of unclassified information subject to protection requirements. A registry of CUI categories, with examples of the information that may fall under the umbrella of CUI, can be found here: https://www.dodcui.mil/CUI-Registry-New/.

Understanding ITAR

The International Traffic in Arms Regulations (ITAR) are administered by the Directorate of Defense Trade Controls (DDTC). This regulation governs the import and export of defense-related items and services defined on the United States Munitions List (USML). Organizations subject to ITAR are required to register with the DDTC and obtain a license to export their controlled items and services. For businesses involved in the import or export of defense-related items, non-compliance with ITAR can result in severe penalties, including legal consequences.

Understanding CMMC

Developed and enforced by the DoD, the Cybersecurity Maturity Model Certification (CMMC) aims to enhance the cybersecurity posture of DoD contractors and subcontractors. The CMMC framework consists of levels that represent how mature an organization's cybersecurity infrastructure and practices are in areas such as access control, incident response, system protection, and more.

CMMC 1.0 versus CMMC 2.0

Image via: https://dodcio.defense.gov/CMMC/About/

In 2020, the DoD published CMMC 1.0, which outlines the basic features of the framework. This version defines five progressive levels representing an organization's cybersecurity maturity, ranging from Basic to Advanced. With each rise in level, an organization must have implemented an increasing number of cybersecurity practices and processes. CMMC 1.0 also requires annual assessments conducted by third parties for organizations at Level 1, Level 3, and Level 5.

CMMC 2.0, announced in November 2021, aims to streamline the original model by condensing the five levels of CMMC 1.0 into three: Foundational, Advanced, and Expert. Each rise in level brings increased requirements and assessment obligations.

CMMC 2.0 also aims to offer greater implementation flexibility by allowing organizations, under certain circumstances, to create Plans of Action & Milestones (POA&Ms) in order to achieve compliance. Furthermore, CMMC 2.0 gives organizations at Level 1, and some organizations at Level 2, the option to perform self-assessments rather than requiring every organization seeking CMMC certification to be assessed by a third party. A brief overview of CMMC 2.0 requirements by level is given in the table below.

Level   | Assessment                                                                                                                              | Requirements
Level 1 | Annual self-assessment.                                                                                                                 | 15 requirements
Level 2 | Third-party assessment every three years and annual affirmation; self-assessment every three years and annual affirmation for select circumstances. | 110 requirements aligned with NIST SP 800-171
Level 3 | Government-led assessment every three years and annual affirmation.                                                                     | 110+ requirements based on NIST SP 800-171 and 800-171

Preparing for CMMC 2.0 with Egis

Egis IT Security serves organizations within the Indianapolis metropolitan area and across the United States, helping them stay current on regulatory compliance. Whether you have questions or concerns about DFARS, ITAR, or CMMC, Egis is dedicated to helping you understand and implement the security controls your business needs. With extensive expertise and years of experience, Egis can offer tailored solutions that align your organization with industry standards, allowing you to focus on your business. Regardless of your compliance needs, Egis can:

  • Improve upon current IT policies and procedures
  • Meet with your auditors
  • Perform vulnerability assessments
  • Continuously monitor your websites, networks, and servers
  • Recommend, sell, and deploy a variety of products as needed
  • Perform security awareness training
  • Provide consultations