As companies provide more services online, store data digitally, and rely on suppliers for a variety of information technology services, the cybersecurity threats we face have dramatically increased. Recent high-profile incidents involving DIB supplier systems holding Controlled Unclassified Information reinforce the need to ensure that security requirements are clearly, effectively, and consistently communicated.
First, you will find here materials focused on DoD’s current and ongoing efforts – executed in partnership with industry – to improve the DIB’s cybersecurity. Specifically, they focus on DoD’s effort to ensure that controlled unclassified DoD information residing on or transiting through contractor information systems is safeguarded from cyber incidents. Protecting this DoD information will save warfighter lives. The cyber threat is not going away – we must defend our networks and systems, and the information that resides on them. Cybersecurity is a shared challenge, and we must work together to address it and reduce risk.
Second, you will find cybersecurity-related content on other efforts by the U.S. Government, other governments, and the private sector aimed at defining and maturing the cyber protections that will best protect information systems from the evolving cyber threats that we all face.
Department of Defense Regulations
- Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041) DoD is issuing an interim rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement a DoD Assessment Methodology and Cybersecurity Maturity Model Certification framework in order to assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain.
- DFARS Clause 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting DFARS Clause 252.204-7012 is required in all contracts except for contracts solely for the acquisition of COTS items. In addition, the Contractor shall include the clause in subcontracts for which performance will involve covered defense information or operationally critical support.
- DoD Procurement Toolbox – Cybersecurity Policy and Regulations This resource provides a listing of policy, regulations, and FAQs for DoD cybersecurity requirements.
- FAR Clause 52.204-21 Basic Safeguarding of Covered Contractor Information Systems. Effective June 15, 2016, all contracts awarded by any U.S. federal agency, including DoD, must include Federal Acquisition Regulation (FAR) Clause 52.204-21, which requires immediate implementation of 15 controls, which equate to 17 NIST SP 800-171 controls for basic safeguarding of any internal systems with non-public “federal contract information” or FCI.
- The Office of the Under Secretary of Defense for Acquisition and Sustainment CMMC Website The Office of the Under Secretary of Defense for Acquisition and Sustainment (OUSD(A&S)) vision for CMMC is a unified cybersecurity standard for DoD acquisitions that reduces exfiltration of Controlled Unclassified Information (CUI) from the Defense Industrial Base (DIB).
Other Regulations
- Export Administration Regulations (EAR) The Export Administration Regulations are a set of regulations found at 15 C.F.R. § 730 et seq. They are administered by the Bureau of Industry and Security, which is part of the US Commerce Department.
- Federal Information Security Management Act (FISMA) FISMA was enacted to strengthen information security within federal agencies, NIST, and the Office of Management and Budget (OMB). It requires each agency to implement “policies and procedures to cost-effectively reduce information technology security risks to an acceptable level”, recognizing the importance of information security to the economy and national security.
- NASA Security Requirements for Unclassified Information Technology Resources (1852.204-76) This clause is applicable to all NASA contractors and subcontractors that process, manage, access, or store unclassified electronic information, including Sensitive But Unclassified (SBU) information, for NASA in support of NASA’s missions, programs, projects, and/or institutional requirements.
- Navy Marine Corps Acquisition Regulation Supplement (NMCARS) The Navy Marine Corps Acquisition Regulation Supplement (NMCARS) establishes uniform Department of the Navy (DON) policies and procedures implementing and supplementing the Federal Acquisition Regulation (FAR) and the Defense FAR Supplement (DFARS).
Cybersecurity Standards
NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
- NIST Handbook 162 NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements This Handbook provides a step-by-step guide to assessing a small manufacturer’s information systems against the security requirements in NIST SP 800-171 rev 1.
- NIST SP 800-171 DoD Assessment Methodology Version 1.2.1 NIST SP 800-171 DoD Assessment Methodology rev 1.2.1, dated June 24, 2020, documents a standard methodology that enables a strategic assessment of a contractor’s implementation of NIST SP 800-171, a requirement for compliance with DFARS clause 252.204-7012. Updates made to rev 1.2, dated June 10, 2020: Section 4 was updated to address changes made due to COVID-19, and Annex B was updated to address changes made in the Supplier Performance Risk System (SPRS).
- NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations NIST SP 800-171 provides federal agencies with a set of recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) when such information is resident in nonfederal systems and organizations.
- NIST SP 800-171A Assessing Security Requirements for Controlled Unclassified Information The purpose of this publication is to provide procedures for assessing the CUI requirements in NIST Special Publication 800-171.
NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations
- NIST SP 800-53 Security and Privacy Controls for Federal Information Systems and Organizations This publication provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors (both intentional and unintentional).
- NIST SP 800-53A Assessing Security and Privacy Controls in Federal Information Systems and Organizations This publication provides a set of procedures for conducting assessments of security controls and privacy controls employed within federal information systems and organizations. The assessment procedures, executed at various phases of the system development life cycle, are consistent with the security and privacy controls in NIST Special Publication 800-53, Revision 4. The procedures are customizable and can be easily tailored to provide organizations with the needed flexibility to conduct security control assessments and privacy control assessments that support organizational risk management processes and that are aligned with the stated risk tolerance of the organization. Information on building effective security assessment plans and privacy assessment plans is also provided along with guidance on analyzing assessment results.
NIST Risk Management Framework
- NIST Risk Management Framework The NIST Risk Management Framework provides a process that integrates security and risk management activities into the system development life cycle.
NIST Cybersecurity Framework
- NIST Cybersecurity Framework Created through collaboration between industry and government, the voluntary Framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk.
National Aerospace Standard (NAS9933)
- National Aerospace Standard (NAS9933) The Aerospace Industries Association (AIA) has developed a national aerospace standard (NAS9933) that supplements DOD requirements to achieve a ‘state of security’ beyond minimum compliance.