How Do I Know If I Need to Be DFARS Compliant?

Do you know who your company supplies to? Who the end users of your product(s) are? If your company provides products being sold to the Department of Defense (DoD), you are required to comply with the minimum cybersecurity standards set by DFARS.

All DoD contractors that process, store or transmit Controlled Unclassified Information (CUI) must meet DFARS minimum security standards or risk losing their DoD contracts.

DFARS provides a set of adequate security controls to safeguard information systems where contractor data resides. These controls are based on NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations”, and manufacturers must implement them through all levels of their supply chain.

DoD Frequently Asked Questions regarding the implementation of DFARS Subpart 204.73 and PGI Subpart 201.73, and DFARS Subpart 239.76 and PGI Subpart 239.76.

NIST MEP has developed a set of Frequently Asked Questions (FAQs) for small manufacturers to better understand the DoD Cybersecurity Requirements. View and Download the PDF.

Self-Assessment Handbook - NIST Handbook 162

NIST Handbook 162, “NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements,” provides a step-by-step guide to assessing a manufacturer’s information systems against the security requirements in NIST SP 800-171 rev 1.

In addition to helping defense contractors comply with DFARS, the Handbook may also be useful for other manufacturers interested in applying the NIST SP 800-171 security requirements, including those seeking to comply with the Controlled Unclassified Information Federal Acquisition Regulation (FAR) clause.  Additionally, manufacturers operating in commercial supply chains may consider implementing the NIST security requirements as an integral aspect of managing their organizational risks.

The MEP National Network™ has been active in providing awareness and assistance to help U.S. manufacturers protect their information assets from the risks of cyberattacks. MEP Centers can provide valuable assistance to small manufacturers seeking reduction of their cyber risks and DFARS compliance.

For additional information on cybersecurity, please contact your local MEP Center or email Pat Toth (patricia.toth [at] nist.gov) at NIST MEP.

Contacts

For General Information

  • MEP Headquarters
    (301) 975-5020
    100 Bureau Drive, M/S 4800
    Gaithersburg, MD 20899-4800
Created December 1, 2017, Updated December 9, 2019