For the past several years, all companies that manage Controlled Unclassified Information (CUI) have been subject to DFARS and NIST 800-171 cybersecurity rules.
Many companies, especially smaller companies, have struggled to meet the requirements. The NIST document lays out controls that need to be met by establishing a System Security Plan and a Plan of Actions and Milestones (POAM). Contrary to popular belief, compliance activities do not end there. Supporting documents need to be produced and followed to ensure that each company can maintain its compliance.