CISO Global (formerly Alpine Security)

What is the Difference Between CMMC, DFARS, and NIST 800-171?

Without Cybersecurity Maturity Model Certification (CMMC) compliance, a contractor will be barred from future Department of Defense (DoD) contracts that require it. CMMC version 1.0 was released in January 2020, building on DFARS and NIST SP 800-171 with additional requirements for vendors working with the DoD. Understanding CMMC and how it differs from DFARS and NIST SP 800-171 is crucial to the current and future success of government contractors.

DFARS stands for “Defense Federal Acquisition Regulation Supplement”. It is the DoD’s supplement to the Federal Acquisition Regulation, and its cybersecurity requirements apply to vendors contracting with the DoD. Beyond requiring implementation of the controls in NIST SP 800-171, DFARS includes clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting”, which protects the government’s supply chain from cyberattacks by requiring contractors to safeguard “Controlled Unclassified Information” (CUI), specifically the subset known as Covered Defense Information, and to flow the same clause down to subcontractors that handle it. The clause ensures that CUI is safeguarded against cyber incidents affecting the organizations, people, activities, information, and resources involved in supplying a product or service to the DoD. DFARS also requires contractors to rapidly report (within 72 hours of discovery) cyber incidents that affect CUI or the contractor’s ability to perform operationally critical support for the government, and to preserve images of affected systems and relevant monitoring data for at least 90 days after reporting so the DoD can assess the incident.

To comply with DFARS 252.204-7012, organizations must implement the security requirements of NIST SP 800-171, document that implementation in a System Security Plan, and track any unmet requirements in Plans of Action and Milestones. Under 7012 alone this has been a self-attestation by the contractor rather than a certified third-party assessment. NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”, defines 110 security requirements across 14 families (among them Access Control, Audit and Accountability, Configuration Management, Identification and Authentication, Incident Response, and System and Communications Protection). Its primary goal is to protect the confidentiality of CUI on contractor systems and reduce the risk of data breaches, and it is the foundation for both the DFARS requirements and the CMMC.

CMMC is the DoD’s next step in protecting national security data and networks from cyberattacks. CMMC shares the same goals as DFARS but changes how the government evaluates vendors’ cybersecurity posture. It builds on DFARS and NIST SP 800-171 by clarifying security controls and adding further practices and process-maturity requirements for compliance. The model ranks the maturity of a vendor’s cybersecurity program on five levels, from Level 1, “Basic Cyber Hygiene”, to Level 5, “Advanced/Progressive”, based on the practices and processes in place to protect Federal Contract Information and CUI; the level a contractor needs is specified in the solicitation. Achieving a higher CMMC level improves the contractor’s ability to protect CUI and defend against adversary attacks. Unlike DFARS, which relies on self-attestation, CMMC requires assessments to be conducted by accredited CMMC Third Party Assessment Organizations (C3PAOs).

The CMMC model is still being revised. You can find the latest version here:

https://www.acq.osd.mil/cmmc/draft.html

At Alpine Security, we include a baseline and bi-annual CMMC audit in our CISO-as-a-Service program. We evaluate a vendor’s practices and processes against the NIST SP 800-171 controls that underpin CMMC. Following the initial assessment, we prepare a “Cybersecurity Roadmap” outlining the steps to achieve the desired CMMC level.

Our annual CISO-as-a-Service program has three main goals:

  1. Reduce your risk of a successful cyberattack
  2. Align cybersecurity with your business and compliance objectives
  3. Mature your cybersecurity posture

For more information on our CMMC assessment or CISO-as-a-Service program:

  • Email: [email protected]
  • Phone: 618-207-4636 ext. 704


Resources from NIST:

https://www.nist.gov/blogs/manufacturing-innovation-blog/what-nist-sp-800-171-and-who-needs-follow-it-0

Author Bio

Roisin Coleman is a Cybersecurity Sales Associate with Alpine Security. She graduated from St. Bonaventure University with a dual degree in cybersecurity and journalism. While attending St. Bonaventure, she helped develop her university’s security operations center and cybersecurity graduate program. She was also the executive producer for her university’s news station, where she produced breaking news stories by developing trusted relationships and sources throughout her community. When she’s not connecting with clients, she produces cybersecurity videos for her YouTube channel, watches documentaries, and drinks lots of coffee. She’s also currently studying for her CompTIA Security+ certification.

Tags: Audit, CISO, CMMC, DFARS, NIST 800-171

Alpine Security is a member of the CISO Global family of companies.
© 2021 · Alpine Security, a Cerberus Sentinel Company
