FAR vs DFARS vs CMMC vs NIST

Who protects what and how they fit together

Acronyms Aplenty

How do you keep track of what all of the acronyms mean and how they relate to each other? Hopefully, this little cheat sheet will help!

How they Relate

Let's dig into some of the most important acronyms that relate to the protection of sensitive unclassified information within the federal contracting environment, particularly in the Department of Defense (DoD) supply chain.

Roles in the Ecosystem

Let's get into the details of each of these roles.

FCI

Federal Contract Information

Information not intended for public release & provided or generated under a contract.

Type: Data Category
Governs/References: FAR 52.204-21
Applies to: All Federal Contractors

CUI

Controlled Unclassified Information

Sensitive but unclassified information requiring safeguarding.

Type: Data Category
Governs/References: DFARS 252.204-7012, NIST SP 800-171
Applies to: All Federal Contractors

FAR

Federal Acquisition Regulation

Government-wide rules for acquisition, including safeguarding FCI.

Type: Regulation
Governs/References: Includes 52.204-21
Applies to: All Federal Contractors

DFARS

Defense FAR Supplement

DoD-specific rules. Includes requirements to protect CUI.

Type: Regulation
Governs/References: 252.204-7012, 7019, 7020
Applies to: DoD Contractors

NIST SP 800-171

National Institute of Standards & Technology

A NIST standard that defines 110 security controls for protecting CUI in non-federal systems.

Type: Security Standard
Governs/References: DFARS 7012
Applies to: Any contractor handling CUI

CMMC

Cybersecurity Maturity Model Certification

DoD framework requiring certification of compliance with NIST 800-171 (and more at higher levels).

Type: Certification Program
Governs/References: NIST 800-171 + added controls
Applies to: DoD contractors (2025)

Relationship Summary

FAR governs the protection of FCI - basic security (15 requirements).

DFARS governs the protection of CUI - requires compliance with NIST SP 800-171 (110 controls).

CMMC is the DoD program that keeps you accountable by requiring validation (self-assessment or third-party assessment).

CUI must be protected according to DFARS 252.204-7012 (which points to NIST SP 800-171)

CMMC Level 1 = Protecting FCI (Matches FAR 52.204-21)

CMMC Level 2 = Protecting CUI (Matches NIST SP 800-171)

Scenario #1

Process payment information or scheduling data for a federal contract (FCI)

Applicable Rules

  • FAR 52.204-21
  • CMMC Level 1

Scenario #2

Develop software containing DoD mission data (CUI)

Applicable Rules

  • DFARS 7012
  • NIST 800-171
  • CMMC Level 2

Scenario #3

Bidding on a DoD contract requiring CMMC certification

Applicable Rules

  • CMMC
  • Level needed is based on data sensitivity