DoD is issuing an interim rule to amend the Defense Federal Acquisition Regulation Supplement (DFARS) to implement a DoD Assessment Methodology and Cybersecurity Maturity Model Certification framework in order to assess contractor implementation of cybersecurity requirements and enhance the protection of unclassified information within the DoD supply chain.

DFARS Clause 252.204-7012 is required in all contracts except for contracts solely for the acquisition of COTS items. In addition the Contractor shall include the clause in subcontracts for which performance will involve covered defense information or operationally critical support.

This resources provides a listing of policy, regulations, and FAQs for DoD Cybersecurity requirements.

Effective June 15, 2016, all contracts awarded by any U.S. federal agency, including DoD, must include Federal Acquisition Regulation (FAR) Clause 52.204-21, which requires immediate implementation of 15 controls, which equate to 17 NIST SP 800-171 controls for basic safeguarding of any internal systems with non-public “federal contract information” or FCI.

To safeguard sensitive national security information, the Department of Defense (DoD) launched CMMC 2.0, a comprehensive framework to protect the defense industrial base’s (DIB) sensitive unclassified information from frequent and increasingly complex cyberattacks. With its streamlined requirements, CMMC 2.0: Simplifies compliance by allowing self-assessment for some requirements, Applies priorities for protecting DoD information, and Reinforces cooperation between the DoD and industry in addressing evolving cyber threats.

The Export Administration Regulations are a set of regulations found at 15 C.F.R. § 730 et seq. They are administered by the Bureau of Industry and Security, which is part of the US Commerce Department.

FISMA was put in place to strengthen information security within federal agencies, NIST, and the OMB (Office of Management and Budget). It requires each agency to implement “policies and procedures to cost-effectively reduce information technology security risks to an acceptable level”, recognizing the importance of information security to the economy and national security.

This clause is applicable to all NASA contractors and sub-contractors that process, manage, access, or store unclassified electronic information, to include Sensitive But Unclassified (SBU) information, for NASA in support of NASA's missions, programs, projects and/or institutional requirements.

The Navy Marine Corps Acquisition Regulation Supplement (NMCARS) establishes uniform Department of the Navy (DON) policies and procedures implementing and supplementing the Federal Acquisition Regulation (FAR) and the Defense FAR Supplement (DFARS).

The deviation clause requires contractors, who are subject to 252.204-7012, to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer.

NIST SP 800-171 DoD Assessment Methodology rev 1.2.1, dated June 24, 2020, documents a standard methodology that enables a strategic assessment of a contractor’s implementation of NIST SP 800-171, a requirement for compliance with DFARS clause 252.204-7012. - Updates made to rev 1.2 dated June 10, 2020: Section 4) updated to address changes made due to COVID-19 and Annex B updated to address changes made in the Supplier Performance Risk System (SPRS).

The NIST SP 800-171 provides federal agencies with a set of recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) when such information is resident in nonfederal systems and organizations.

The purpose of this publication is to provide procedures for assessing the CUI requirements in NIST Special Publication 800-171. 

NIST SP 800-172 provides federal agencies with a set of enhanced security requirements for protecting the confidentiality, integrity, and availability of CUI: (1) when the CUI is resident in a nonfederal system and organization, (2) when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency, and (3) where there are no specific safeguarding requirements for protecting the CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category listed in the CUI Registry.

This publication provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors (both intentional and unintentional).

This publication provides a set of procedures for conducting assessments of security controls and privacy controls employed within federal information systems and organizations. The assessment procedures, executed at various phases of the system development life cycle, are consistent with the security and privacy controls in NIST Special Publication 800-53, Revision 4. The procedures are customizable and can be easily tailored to provide organizations with the needed flexibility to conduct security control assessments and privacy control assessments that support organizational risk management processes and that are aligned with the stated risk tolerance of the organization. Information on building effective security assessment plans and privacy assessment plans is also provided along with guidance on analyzing assessment results.

Created through collaboration between industry and government, the voluntary Framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk.

The NIST Risk Management Framework provides a process that integrates security and risk management activities into the system development life cycle.

Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (Text with EEA relevance)

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation

This defence Standard (DEFSTAN 05-138, Issue 3) is applicable to all Ministry of Defence (MOD) procurements, MOD suppliers and their subcontract suppliers which have a relationship to one or more MOD contracts.

Cyber Essentials is a simple but effective, Government backed scheme that will help you to protect your organisation, whatever its size, against a whole range of the most common cyber attacks.

DEFCON 658 cyber applies to all suppliers down the supply chain (edition December 2022).

The Australian Signals Directorate’s Australian Cyber Security Centre (ACSC) has developed prioritised mitigation strategies, in the form of the Strategies to Mitigate Cyber Security Incidents, to help organisations mitigate cyber security incidents caused by various cyber threats. The most effective of these mitigation strategies are known as the Essential Eight

This document specifies requirements to implement, maintain and improve a management system to protect against, reduce the likelihood of the occurrence of, prepare for, respond to and recover from disruptions when they arise

ISO/IEC 27001:2022 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization. The requirements set out in ISO/IEC 27001:2022 are generic and are intended to be applicable to all organizations, regardless of type, size or nature.

ISO/IEC 27031:2011 describes the concepts and principles of information and comunication technology (ICT) readiness for business continuity, and provides a framework of methods and processes to identify and specify all aspects (such as performance criteria, design, and implementation) for improving an organization's ICT readiness to ensure business continuity

ISO/IEC 27032:2012 provides guidance for improving the state of Cybersecurity, drawing out the unique aspects of that activity and its dependencies on other security domains.

ISO/IEC 27035-1:2016 is the foundation of this multipart International Standard. It presents basic concepts and phases of information security incident management and combines these concepts with principles in a structured approach to detecting, reporting, assessing, and responding to incidents, and applying lessons learnt.

ISO/IEC 27035-2:2016 provides the guidelines to plan and prepare for incident response. The guidelines are based on the "Plan and Prepare" phase and the "Lessons Learned" phase of the "Information security incident management phases" model presented in ISO/IEC 27035‑1

The EU Cybersecurity Act establishes an EU certification framework for ICT digital products, services and processes. The European cybersecurity certification framework enables the creation of tailored and risk-based EU certification schemes.