Compliance with Cybersecurity and Privacy Laws and Regulations

Most manufacturers are required to follow some Cybersecurity and Privacy standards, laws, regulations, or requirements. These may come from Federal, State, Local, or Tribal Governments, be industry-mandated, or voluntary. Here is a partial list of some of the more common laws and requirements related to cybersecurity and privacy:

• Defense Federal Acquisition Regulation Supplement (DFARS): manufacturers in the defense supply chain may see one or more DFARS cybersecurity requirements in their contracts.
• The International Traffic in Arms Regulations ("ITAR," 22 CFR 120-130): Governs the export and temporary import of defense articles and services.
• Payment Card Industry Data Security Standard (PCI DSS): A security standard used to ensure the safe and secure transfer of credit card data.
• Sarbanes-Oxley (Pub L. 107-204): Requires any publicly traded company to have formal data security policies and to communicate and enforce those policies.
• State privacy laws: Many states have enacted privacy laws covering how businesses can collect and use information about consumers.
• The Children's Online Privacy Protection Act (15 USC §6501 et seq.): Governs the collection of information about minors.
• The Federal Trade Commission Act (15 USC § 41 et seq.): Gives the FTC broad authority to protect consumers against organizations that fail to follow basic cybersecurity and privacy best practices.
• The General Data Protection Regulation (GDPR): Governs the collection, use, transmission, and security of data collected from residents of the European Union.
• Digital Identities – Mobile Driver's License (mDL): The National Cybersecurity Center of Excellence (NCCoE) is helping to accelerate the adoption of standards and best practices for mobile driver’s licenses.

Suppliers to the US Government

If your company sells products to the U.S. government, you are required to comply with the minimum cybersecurity standards set by 52.204-21 Basic Safeguarding of Covered Contractor Information Systems. If your company produces products used by the Department of Defense (DoD), you may be required to comply with the minimum cybersecurity standards set by DFARS if those products aren’t commercially available off-the-shelf (COTS).

Cybersecurity Maturity Model Certification (CMMC)

Credit: U.S. Department of War

The Cybersecurity Maturity Model Certification (CMMC) program is a multi-level process to verify that U.S. Department of War (DoW) cybersecurity requirements have been implemented. All entities within the defense supply chain will be required to have at least a Level 1 certification, issued by the Cyber-AB, by 2026. Any entity that handles DoD controlled unclassified information (CUI) will need to have at least a Level 3 certification.

The Cyber AB is the official accreditation body of the CMMC ecosystem and the sole authorized non-governmental partner of the DoW in implementing and overseeing the CMMC conformance regime. Founded in January 2020 as The CMMC Accreditation Body, Inc., The Cyber AB is a Maryland-based, nonprofit, 501(c)(3) tax-exempt organization with a mission is to ensure the successful implementation of CMMC within the Defense Industrial Base in order to reduce digital risk to DoD's supply chains and contractor support infrastructure.

You can become a DoW CMMC Level 2 Assessor to contribute to the defense of our nation, as well as a personal opportunity to expand your skills in cybersecurity and assessing.

NIST Resources

The protection of Controlled Unclassified Information (CUI) is of paramount importance to federal agencies and can directly impact the federal government's ability to successfully conduct its essential missions and functions. NIST SP 800-171 Rev. 3 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations provides federal agencies with recommended security requirements for protecting the confidentiality of CUI when the information is resident in nonfederal systems and organizations. 

NIST SP 800-171A Rev. 3 Assessing Security Requirements for Controlled Unclassified Information provides organizations with assessment procedures and a methodology that can be used to conduct assessments of the security requirements in NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The assessment procedures are flexible and can be customized to the needs of organizations and assessors.

NIST Cybersecurity Framework (CSF) 2.0

The NIST Cybersecurity Framework (CSF) 2.0 can help organizations manage and mitigate their cybersecurity risks as they establish or enhance their cybersecurity programs. The CSF outlines specific outcomes that organizations can achieve to address risk. Other NIST resources help explain specific actions that can be taken to achieve each outcome. This guide is a supplement to the NIST CSF and is not intended to replace it. View the PDF.

Self-Assessment Handbook

The Self-Assessment Handbook has been withdrawn but remains here as a reference.

NIST Handbook 162 "NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements” provides a step-by-step guide to assessing a manufacturer’s information systems against the security requirements in NIST SP 800-171 rev 1. This handbook can be used by manufacturers to help comply with DFARS 252.204-7012 and DFARS 252.204-7019 requirements. 

In addition, the Handbook may also be useful for other manufacturers interested in applying the NIST SP 800-171 security requirements, including those seeking to comply with CMMC Level 3 requirements.  Additionally, manufacturers operating in commercial supply chains may consider implementing the NIST security requirements as an integral aspect of managing their organizational risks. An update is forthcoming.