DFARS, NIST SP 800-171, and CMMC are all cybersecurity frameworks that are relevant to US Department of Defense (DoD) contractors.
DFARS stands for Defense Federal Acquisition Regulation Supplement. It is a regulation that requires DoD contractors to comply with certain cybersecurity standards, including the NIST SP 800-171 standard.
NIST SP 800-171 is a set of cybersecurity requirements that must be followed by all nonfederal organizations that process, store, or transmit Controlled Unclassified Information (CUI) on behalf of the federal government. It provides a standardized set of security controls to protect CUI.
CMMC stands for Cybersecurity Maturity Model Certification. It is a framework developed by the DoD that requires DoD contractors to undergo a third-party assessment of their cybersecurity practices to ensure compliance with the level of cybersecurity controls appropriate for protecting CUI. It builds upon the NIST SP 800-171 standard and adds further controls and assessments.
In summary, DFARS requires compliance with NIST SP 800-171, and CMMC builds upon both DFARS and NIST SP 800-171 by requiring third-party assessments of a contractor's cybersecurity practices to achieve certification at different levels of cybersecurity maturity.