Compliance with Cybersecurity and Privacy Laws and Regulations

Most manufacturers are required to follow some cybersecurity and privacy standards, laws, regulations, or requirements. These may be imposed by Federal, State, Local, or Tribal governments, mandated by an industry, or adopted voluntarily. Here is a partial list of some of the more common laws and requirements related to cybersecurity and privacy:

Suppliers to the US Government

If your company sells products to the U.S. government, you are required to comply with the minimum cybersecurity standards set by FAR 52.202.21. If your company produces products used by the Department of Defense (DoD), and those products are not commercially available off-the-shelf (COTS), you may also be required to comply with the minimum cybersecurity standards set by DFARS.

  • FAR 52.202.21: Requires government contractors to follow 15 basic safeguarding requirements and procedures to protect systems used to collect, process, maintain, use, share, disseminate, or dispose of Federal Contract Information (FCI). These requirements are sometimes called the “FAR 15”.
  • DFARS 252.204-7012: Requires contractors that handle CUI to implement NIST SP 800-171, report cyber incidents, and report cybersecurity gaps.
  • DFARS 252.204-7019 (interim): Requires primes and subcontractors to submit a self-assessment of their NIST SP 800-171 controls through the Supplier Performance Risk System (SPRS).
  • DFARS 252.204-7020 (interim): Requires primes and subcontractors to give the DoD access to their infrastructure to verify the self-assessment (via DCMA); also requires contractors to flow the requirements down to their subcontractors.
  • DFARS 252.204-7021 (interim): Phases in the Cybersecurity Maturity Model Certification (CMMC) program over 5 years.

Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) program is a multi-level process to verify that DoD cybersecurity requirements have been implemented. All entities within the defense supply chain will be required to have at least a Level 1 certification, issued by the CMMC-Assessment Body (CMMC-AB), by 2026. Any entity that handles DoD controlled unclassified information (CUI) will need to have at least a Level 3 certification.

Self-Assessment Handbook

The Self-Assessment Handbook is currently under revision.

NIST Handbook 162, “NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements”, provides a step-by-step guide to assessing a manufacturer’s information systems against the security requirements in NIST SP 800-171 Rev. 1. Manufacturers can use this handbook to help comply with the DFARS 252.204-7012 and DFARS 252.204-7019 requirements.

The Handbook may also be useful to other manufacturers interested in applying the NIST SP 800-171 security requirements, including those seeking to comply with CMMC Level 3 requirements. Manufacturers operating in commercial supply chains may likewise consider implementing the NIST security requirements as an integral part of managing their organizational risks.

For additional information on cybersecurity, please contact your local MEP Center or email Celia Paulsen at NIST MEP (celia.paulsen [at] nist.gov).

Contacts

For General Information

  • MEP Headquarters
    (301) 975-5020
    100 Bureau Drive, M/S 4800
    Gaithersburg, MD 20899-4800
Created December 1, 2017, Updated August 4, 2021