Alex Whitworth, director of sales at Carahsoft Technology, said that although the Defense Federal Acquisition Regulation Supplement and the Cybersecurity Maturity Model Certification program differ in how compliance is assessed, the two standards complement each other in safeguarding data and national security and advancing the interests of defense contractors.
In a blog post published Thursday, he wrote about the differences between the second version of the Department of Defense’s CMMC program and DFARS.
According to Whitworth, under DFARS Clause 252.204-7012 organizations track their information technology systems without the need for external inspection. With CMMC 2.0, contractors should undergo self-assessments and evaluation by third-party assessment organizations.
CMMC 2.0 comes with three maturity levels for cyber protective measures, while DFARS Clause 7012 has only one tier that outlines rules for protecting controlled unclassified information and strengthening security in the defense industrial base.
Whitworth discussed updates to CMMC 2.0 and the importance of DFARS and CMMC programs, which he said play a role in helping organizations develop a foundation for their data and cyber health.
“Together these programs provide safeguards for sensitive information, increase DIB cybersecurity to address advancing threats, institute accountability measures while maintaining a streamlined process, and encourage public trust through good ethics,” Whitworth said.