Department of Defense Cybersecurity Standards for the Small and Medium-Sized Manufacturer 

DFARS Cybersecurity Requirements

252.204-7012     SAFEGUARDING COVERED DEFENSE INFORMATION AND CYBER INCIDENT REPORTING (OCT 2016)

All Department of Defense (DoD) contractors that process, store or transmit Controlled Unclassified Information (CUI) must meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards by December 31, 2017 or risk losing their DoD contracts.

This DFARS subpart applies to contracts and subcontracts requiring contractors and subcontractors to safeguard covered defense information that resides in or transits through covered contractor information systems by applying specified network security requirements. It also requires reporting of cyber incidents.

The covered contractor information system shall be subject to the security requirements in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 rev1, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations” 

What do Small Manufacturers Need to Know?

NIST MEP has developed a set of Frequently Asked Questions (FAQs) for small manufacturers to better understand the DoD Cybersecurity Requirements. 

Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

NIST SP 800-171 rev 1: “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” provides requirements for protecting the confidentiality of Controlled Unclassified Information (CUI).

Self-Assessment Handbook - NIST Handbook 162

NIST Handbook 162:  The Handbook provides a step-by-step guide to assessing a manufacturer’s information systems against the security requirements in NIST SP 800-171 rev 1.

Cyber Security Evaluation Tool (CSET)

CSET: Improves situational awareness and provides insight, data, and identification of control systems threats and vulnerabilities.