Most manufacturers are required to follow some Cybersecurity and Privacy standards, laws, regulations, or requirements. These may come from Federal, State, Local, or Tribal Governments, be industry-mandated, or voluntary. Here is a partial list of some of the more common laws and requirements related to cybersecurity and privacy:
If your company sells products to the U.S. government, you are required to comply with the minimum cybersecurity standards set by FAR 52.202.21. If your company produces products used by the Department of Defense (DoD), you may be required to comply with the minimum cybersecurity standards set by DFARS if those products aren’t commercially available off-the-shelf (COTS).
The Cybersecurity Maturity Model Certification (CMMC) program is a multi-level process to verify that DoD cybersecurity requirements have been implemented. All entities within the defense supply chain will be required to have at least a Level 1 certification, issued by the CMMC-Assessment Body (CMMC-AB), by 2026. Any entity that handles DoD controlled unclassified information (CUI) will need to have at least a Level 3 certification.
The Self-Assessment Handbook is currently under revision.
NIST Handbook 162 "NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements” provides a step-by-step guide to assessing a manufacturer’s information systems against the security requirements in NIST SP 800-171 rev 1. This handbook can be used by manufacturers to help comply with DFARS 252.204-7012 and DFARS 252.204-7019 requirements.
In addition, the Handbook may also be useful for other manufacturers interested in applying the NIST SP 800-171 security requirements, including those seeking to comply with CMMC Level 3 requirements. Additionally, manufacturers operating in commercial supply chains may consider implementing the NIST security requirements as an integral aspect of managing their organizational risks.
For additional information on cybersecurity, please contact your local MEP Center or email celia.paulsen [at] nist.gov (subject: Cybersecurity%20Inquiry) (Celia Paulsen) at NIST MEP.