Whether you’re a family owned machine shop or a Tier 1 supplier, the U.S. Department of Defense (DoD) expects you to protect federal contract information (FCI) and controlled unclassified information (CUI). Prior to 2020, DFARS and NIST 800-171 were the two commonly known cybersecurity requirements to DoD contractors. More recently, the Cybersecurity Maturity Model Certification (CMMC) has entered the picture. If your company doesn’t meet these specific cybersecurity requirements, you could lose your ability to bid on, win, or work on defense related projects. Understanding the goals and differences between CMMC, DFARS, and NIST 800-171 is critical for you to retain your government contracts.


The Cybersecurity Maturity Model Certification (CMMC) is the newest unified cybersecurity standard that was created to enhance the protection of FCI and CUI within the supply chain. For this exact reason, organizations of all sizes will need to receive the CMMC. CMMC builds upon clause 252.204-7012 titled “Safeguarding Covered Defense Information and Cyber Incident Reporting” within the Defense Federal Acquisition Regulation Supplement (DFARS). Within this clause, DoD contractors (including SMBs) are required to:

1. Provide adequate security to safeguard covered defense information that resides in or transits through their internal unclassified information systems from unauthorized access and disclosure.
2. Rapidly report cyber incidents to DoD.
3. When contractors or subcontractors discover and isolate malicious software in connection with a reported cyber incident, submit the malicious software to DoD Cyber Crime Center.
4. Preserve and protect images of all known affected information systems identified and all relevant monitoring/packet capture data for at least 90 days from the submission of the cyber incident report to allow DoD to request the media or decline interest.

CMMC adds a verification component to these above requirements. Additionally, CMMC establishes a model framework with 17 different domains. Each domain consists of a set of processes and capabilities across five different levels.

CMMC and NIST 800-171

NIST 800-171 is a special publication from the National Institute of Standards and Technology (NIST) titled “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”. If your organization meets all of the requirements in NIST 800-171, you should have no trouble passing a CMMC audit successfully up to level 3. NIST is a non-regulatory agency so NIST 800-171 recommends requirements but does not establish them. It’s an important distinction since NIST 800-171 is commonly understood to be a minimum requirement for good cybersecurity practice. In addition, DFARS 252.204-7012 references NIST 800-171.

It is important to embrace DFARS, CMMC, and NIST 800-171 to avoid losing your business. However, it is even more important to understand that the end goal is to protect and secure your organization and your supply chain. Because without doing so, you’re leaving your organization as an open cyber target and inevitably still risking losing your business.
Today’s small businesses deal with pressures and demands from all sides, including the critical need for top-notch security. As cyber criminals morph their methods in more clever and complex ways and more cyber related requirements are released, small organizations must figure out ways to protect their network in such a way that makes sense for their needs. We’ve created an assessment that help you determine what steps to take. Learn more at https://kybersecure.com/nist-csf-gap-analysis/.