U.S. flag

An official website of the United States government

Dot gov

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Https

Secure .gov websites use HTTPS
A lock ( ) or https:// means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.

Manufacturing Extension Partnership (MEP)

How Do I Know If I Need to Be DFARS Compliant?

Share

Do you know who your company supplies to? Who the end users of your product(s) are? If your company provides products being sold to the Department of Defense (DoD) you are required to comply with the minimum cybersecurity standards set by DFARS.

All DoD contractors that process, store or transmit Controlled Unclassified Information (CUI) must meet DFARS minimum security standards or risk losing their DoD contracts.

DFARS provides a set of adequate security controls to safeguard information systems where contractor data resides. Based on NIST Special Publication 800-171 “Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations”, manufacturers must implement these security controls through all levels of their supply chain.

DoD Frequently Asked Questions regarding the implementation of DFARS Subpart 204.73 and PGI Subpart 201.73 and DFRAS Subpart 239.76 and PGI Subpart 239.76.

Self-Assessment Handbook - NIST Handbook 162

NIST Handbook 162 "NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements.” The Handbook provides a step-by-step guide to assessing a manufacturer’s information systems against the security requirements in NIST SP 800-171 rev 1.

In addition to helping defense contractors comply with DFARS, the Handbook may also be useful for other manufacturers interested in applying the NIST SP 800-171 security requirements, including those seeking to comply with the Controlled Unclassified Information Federal Acquisition Regulation (FAR) clause.  Additionally, manufacturers operating in commercial supply chains may consider implementing the NIST security requirements as an integral aspect of managing their organizational risks.

The MEP National NetworkTM has been active in providing awareness and assistance to help U.S. manufacturers protect their information assets from the risks of cyberattacks. MEP Centers can provide valuable assistance to small manufacturers seeking reduction of their cyber risks and DFARS compliance.

 

For additional information on cybersecurity, please contact your local MEP Center or email Pat Toth at NIST MEP.
Cybersecurity and Manufacturing

Contacts

For General Information

  • MEP Headquarters
    (301) 975-5020
    100 Bureau Drive, M/S 4800
    Gaithersburg, MD 20899-4800
Created December 1, 2017, Updated May 21, 2020