Compliance with Cybersecurity and Privacy Laws and Regulations

Most manufacturers are required to follow some Cybersecurity and Privacy standards, laws, regulations, or requirements. These may come from Federal, State, Local, or Tribal Governments, be industry-mandated, or voluntary. Here is a partial list of some of the more common laws and requirements related to cybersecurity and privacy:

• Defense Federal Acquisition Regulation Supplement (DFARS): manufacturers in the defense supply chain may see one or more DFARS cybersecurity requirements in their contracts.
• The International Traffic in Arms Regulations ("ITAR," 22 CFR 120-130): Governs the export and temporary import of defense articles and services.
• Payment Card Industry Data Security Standard (PCI DSS): A security standard used to ensure the safe and secure transfer of credit card data.
• Sarbanes-Oxley (Pub L. 107-204): Requires any publicly traded company to have formal data security policies and to communicate and enforce those policies.
• State privacy laws: Many states have enacted privacy laws covering how businesses can collect and use information about consumers.
• The Children's Online Privacy Protection Act (15 USC §6501 et seq.): Governs the collection of information about minors.
• The Federal Trade Commission Act (15 USC § 41 et seq.): Gives the FTC broad authority to protect consumers against organizations that fail to follow basic cybersecurity and privacy best practices.
• The General Data Protection Regulation (GDPR): Governs the collection, use, transmission, and security of data collected from residents of the European Union.

Suppliers to the US Government

If your company sells products to the U.S. government, you are required to comply with the minimum cybersecurity standards set by 52.204-21 Basic Safeguarding of Covered Contractor Information Systems. If your company produces products used by the Department of Defense (DoD), you may be required to comply with the minimum cybersecurity standards set by DFARS if those products aren’t commercially available off-the-shelf (COTS).

• DFARS 252.204-7012: Requires contractors with CUI to follow NIST SP 800-171, report cyber incidents, report cybersecurity gaps
• DFARS 252.204-7019: Requires primes and subcontractors to submit self-assessment of NIST 800-171 controls through the Supplier Performance Risk System (SPRS)
• DFARS 252.204-7020: Requires primes and subcontractors give the DoD access to their infrastructure to verify the self-assessment (via DMCA); requires contractors roll requirements down to subcontractors
• DFARS 252.204-7021: Rolling out of the Cybersecurity Maturity Model Certification program over 5 years

Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) program is a multi-level process to verify that DoD cybersecurity requirements have been implemented. All entities within the defense supply chain will be required to have at least a Level 1 certification, issued by the Cyber-AB, by 2026. Any entity that handles DoD controlled unclassified information (CUI) will need to have at least a Level 3 certification.

Self-Assessment Handbook

The Self-Assessment Handbook has been withdrawn but remains here as a reference.

NIST Handbook 162 "NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements” provides a step-by-step guide to assessing a manufacturer’s information systems against the security requirements in NIST SP 800-171 rev 1. This handbook can be used by manufacturers to help comply with DFARS 252.204-7012 and DFARS 252.204-7019 requirements.

In addition, the Handbook may also be useful for other manufacturers interested in applying the NIST SP 800-171 security requirements, including those seeking to comply with CMMC Level 3 requirements.  Additionally, manufacturers operating in commercial supply chains may consider implementing the NIST security requirements as an integral aspect of managing their organizational risks.