On February 2, 2018 the National Institute of Standards and Technology (NIST) issued the first version of NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”. This standard, which is based on NIST SP 800-37 (the Risk Management Framework), essentially states that companies must take the same care in safeguarding Government data on contractor networks as the Government does on Government networks.
On November 18, 2013, the DoD published DFARS 252.204-7012, “Safeguarding of Unclassified Controlled Technical Information.” The clause requires NIST 800-171 compliance in addition to several other items (e.g. reporting of information system breaches). This DFARS clause allows companies to self-certify their compliance.
As of 2020, enhanced security standards for defense contractors, including many in the aerospace and defense industry, take effect. The DoD’s Cybersecurity Maturity Model Certification (CMMC) will subject contractors to a certification process designed to bolster security and enhance visibility into the supply chain. A company’s cyber behavior (its controls and practices) will receive a Level rating from 1 to 5, which will determine its eligibility to bid on certain contracts. The CMMC replaces the existing self-certification model under DFARS 252.204-7012; the CMMC model requires varying levels of NIST 800-171 compliance depending on the Level.