All Department of Defense (DoD) contractors that process, store or transmit Controlled Unclassified Information (CUI) must meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards by December 31, 2017 or risk losing their DoD contracts.
DFARS Safeguarding rules and clauses, for the basic safeguarding of contractor information systems that process, store or transmit Federal contract information. DFARS provides a set of “basic” security controls for contractor information systems upon which this information resides. These security controls must be implemented at both the contractor and subcontractor levels based on the information security guidance in NIST Special Publication 800-171 “Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations.” The DFARS cybersecurity rule and clauses can be found at http://www.acq.osd.mil/dpap/dars/dfars/html/current/204_73.htm.
DoD Cybersecurity Requirements: What do Small Manufacturers Need to Know?
NIST MEP has developed a set of Frequently Asked Questions (FAQs) for small manufacturers to better understand the DoD Cybersecurity Requirements. View and Download the PDF.
Self-Assessment Handbook - NIST Handbook 162
NIST Handbook 162 "NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements.” The Handbook provides a step-by-step guide to assessing a manufacturer’s information systems against the security requirements in NIST SP 800-171 rev 1.
In addition to helping defense contractors comply with DFARS, the Handbook may also be useful for other manufacturers interested in applying the NIST SP 800-171 security requirements, including those seeking to comply with the Controlled Unclassified Information Federal Acquisition Regulation (FAR) clause. Additionally, manufacturers operating in commercial supply chains may consider implementing the NIST security requirements as an integral aspect of managing their organizational risks.
The MEP National NetworkTM has been active in providing awareness and assistance to help U.S. manufacturers protect their information assets from the risks of cyberattacks. MEP Centers can provide valuable assistance to small manufacturers seeking reduction of their cyber risks and DFARS compliance.
NIST SP 800-171
NIST Special Publication SP 800-171 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” provides requirements for protecting the confidentiality of Controlled Unclassified Information (CUI). The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components. The CUI requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.
How NIST Cybersecurity Resources Works Together
Defense Acquisition University
Guidance on Cybersecurity Audits
DOD CIO Resources