The United States Department of Defense (DoD) views securing the supply chain and the Defense Industrial Base (DIB) as one critical pillar in protecting national security. Dedicated security requirements, based on the NIST 800-53 standard, exist for the protection of federal information systems and classified information. However, several years ago, a gap was identified in the security requirements for the protection of non-federal systems and controlled unclassified information (CUI). The steps initially taken by the DoD to enhance supply chain security would end up having significant implications for nearly all organizations that work with the DoD.
To summarize, the DoD began requiring organizations that handle CUI to comply with the 110 security requirements outlined in NIST 800-171 via the Defense Federal Acquisition Regulation Supplement 252.204-7012. This contractual obligation required defense contractors to “self-attest” their compliance with this standard as well as to maintain a System Security Plan (SSP) and Plan of Action and Milestones (PoAM) to document security gaps.