Information that has been provided to a company directly by a U.S. Government (USG) agency, including DOD, or through another company must be controlled in accordance with USG-stipulated controls and safeguards to protect this information from unauthorized access.
The National Industrial Security Program Operations Manual (NISPOM) provides specific requirements, restrictions, and other safeguards to protect classified information. Companies need to ensure that they have internal controls that meet the requirements of the NISPOM.
Unclassified information, including technical data with DOD-identified controls (DOD Distribution Statement A – X authorization and restrictions), that is under the control of DOD must be controlled in compliance with DOD Directive 5230.25. A company in possession of DOD technical data with an assigned Distribution Statement, or in receipt of technical data from other companies that have identified the applicability of DOD Distribution Statement controls, must ensure that its internal controls comply with DOD control requirements.
USG Controlled Unclassified Information (CUI) under the control of a company must be safeguarded in compliance with DOD (DFARS) 252.204-7012 and the standards detailed in National Institute of Standards and Technology (NIST) publication 800-171.
In addition to required internal controls safeguarding technical data, these regulations also contain standards and requirements for identifying and reporting Cyber Security Incidents.