he Hollings Manufacturing Extension Partnership (MEP) is based at the National Institute of Standards and Technology (NIST). The national Program Office (NIST MEP) which provides the federal government funding for the MEP National Network™ is located in Gaithersburg, MD. The MEP National Network comprises the National Institute of Standards and Technology’s Manufacturing Extension Partnership (NIST MEP), the 51 MEP Centers located in all 50 states and Puerto Rico, the MEP Advisory Board, MEP Center boards, and the Foundation for Manufacturing Excellence, as well as over 1,400 trusted advisors and experts at approximately 450 MEP service locations, providing any U.S. manufacturer with access to resources they need to succeed.

• National Network of Centers located in all 50 states and Puerto Rico
• Public-private partnership with local flexibility
• Federal funds, state investments, and private sector fees cover services
• Market driven program that creates high value for all manufacturers
• Leverage partners to maximize service offerings
• Transfer technology and expertise to small and medium-sized manufacturers

Our Funding Model

MEP is a public-private partnership, designed from inception as a cost-share program. Federal appropriations pay one-half, with the balance for each Center funded by state / local governments and/or private entities, plus client fees. This cost-share model contributes to MEP’s success. A GAO study found that because client fees give manufacturers a higher stake in the outcome of services, the positive impact on their businesses is greater. Meanwhile, public funding allows smaller manufacturers to afford services. NIST MEP uses 2 CFR 200 to monitor and govern the recipients’ use of federal funds.

Strength in Partnerships

The MEP National Network’s strength is in its partnerships. Through its collaborations at the federal, state and local level, MEP Centers work with manufacturers to develop new products and customers, expand and diversify markets, adopt new technology, and enhance value within supply chains. The MEP Program serves as a bridge to other organizations and federal research labs that share a passion for enhancing the manufacturing community. 

Delivering Value

As a public-private partnership, the Program delivers a high return on investment to taxpayers. For every one dollar of federal investment in FY 2021, the MEP National Network generated $26.20 in new sales growth and $34.50 in new client investment. This translates into $3.9 billion in new sales. During this same time, for every $1,193 of federal investment, the Network created or retained one manufacturing job. To learn more, view our Annual Report.

Why the MEP Program was Created

The Program was initially authorized in 1988. Our founding legislation provides the guidance for the Program’s purpose, objectives, eligibility to apply for funding, activities of Centers funded under the Program, and the cost share, performance, and evaluation requirements. It also establishes a MEP Advisory Board.

Most manufacturers are required to follow some Cybersecurity and Privacy standards, laws, regulations, or requirements. These may come from Federal, State, Local, or Tribal Governments, be industry-mandated, or voluntary. Here is a partial list of some of the more common laws and requirements related to cybersecurity and privacy:

• Defense Federal Acquisition Regulation Supplement (DFARS): manufacturers in the defense supply chain may see one or more DFARS cybersecurity requirements in their contracts.
• The International Traffic in Arms Regulations (“ITAR,” 22 CFR 120-130): Governs the export and temporary import of defense articles and services.
• Payment Card Industry Data Security Standard (PCI DSS): A security standard used to ensure the safe and secure transfer of credit card data.
• Sarbanes-Oxley (Pub L. 107-204): Requires any publicly traded company to have formal data security policies and to communicate and enforce those policies.
• State privacy laws: Many states have enacted privacy laws covering how businesses can collect and use information about consumers.
• The Children’s Online Privacy Protection Act (15 USC §6501 et seq.): Governs the collection of information about minors.
• The Federal Trade Commission Act (15 USC § 41 et seq.): Gives the FTC broad authority to protect consumers against organizations that fail to follow basic cybersecurity and privacy best practices.
• The General Data Protection Regulation (GDPR): Governs the collection, use, transmission, and security of data collected from residents of the European Union.

Suppliers to the US Government

If your company sells products to the U.S. government, you are required to comply with the minimum cybersecurity standards set by FAR 52.202.21. If your company produces products used by the Department of Defense (DoD), you may be required to comply with the minimum cybersecurity standards set by DFARS if those products aren’t commercially available off-the-shelf (COTS).

• FAR 52.202.21: Requires government contractors to follow 15 basic safeguarding requirements and procedures to protect systems used to collect, process, maintain, use, share, disseminate, or dispose of Federal Contract Information (FCI). These requirements are sometimes called the “FAR 15”.
• DFARS 252.204-7012: Requires contractors with CUI to follow NIST SP 800-171, report cyber incidents, report cybersecurity gaps
• DFARS 252.204-7019 (interim): Requires primes and subcontractors to submit self-assessment of NIST 800-171 controls through the Supplier Performance Risk System (SPRS)
• DFARS 252.204-7020 (interim): Requires primes and subcontractors give the DoD access to their infrastructure to verify the self-assessment (via DMCA); requires contractors roll requirements down to subcontractors
• DFARS 252.204-7021 (interim): Rolling out of the Cybersecurity Maturity Model Certification program over 5 years

Cybersecurity Maturity Model Certification (CMMC)

The Cybersecurity Maturity Model Certification (CMMC) program is a multi-level process to verify that DoD cybersecurity requirements have been implemented. All entities within the defense supply chain will be required to have at least a Level 1 certification, issued by the CMMC-Assessment Body (CMMC-AB), by 2026. Any entity that handles DoD controlled unclassified information (CUI) will need to have at least a Level 3 certification.

Self-Assessment Handbook

The Self-Assessment Handbook is currently under revision.

NIST Handbook 162 “NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements” provides a step-by-step guide to assessing a manufacturer’s information systems against the security requirements in NIST SP 800-171 rev 1. This handbook can be used by manufacturers to help comply with DFARS 252.204-7012 and DFARS 252.204-7019 requirements.

In addition, the Handbook may also be useful for other manufacturers interested in applying the NIST SP 800-171 security requirements, including those seeking to comply with CMMC Level 3 requirements.  Additionally, manufacturers operating in commercial supply chains may consider implementing the NIST security requirements as an integral aspect of managing their organizational risks.