Connect It, Protect It with NIST + CMMC


October is National Cybersecurity Awareness Month. The November deadline to comply with the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171, Revised) creates a sense of urgency to move forward with evolving Cybersecurity Maturity Model Certification (CMMC) guidance. The September interim rule changes are poised to have an impact here in Georgia, where the tech and cybersecurity industries are thriving. Georgia ranks in the top 10 of the national technology markets and is home to a diverse ecosystem of talent. With approximately 4,000 contractors making up a $7.3 billion defense contracting sector, 75 cybersecurity companies generating an estimated $2.6 billion annually, and educational collaboratives such as the Technology Association of Georgia (TAG), the state is quickly becoming an elite cybersecurity hub. With so much information to protect, and an increasing number of cyber threats impacting small businesses, cybersecurity continues to be crucial. As National Cybersecurity Awareness Month reminds us, “If You Connect It, Protect It.”

The Defense Industrial Base (DIB) in Georgia must take significant steps now to be in compliance with the interim rule change. The interim rule will go into effect on November 30 to enhance cybersecurity throughout the DIB. Though the interim rule is based on NIST 800-171, which has been required by law since December 2017, it implements both a new DoD assessment methodology and the Cybersecurity Maturity Model Certification (CMMC) framework.

There are fewer than 30 business days until the interim rule is finalized. According to the Federal Register, the interim rule requires contractors and subcontractors with access to covered defense information to comply with NIST 800-171 requirements and complete an assessment that is basic, medium, or high. Basic is a self-assessment, while medium and high are completed by the government. The interim rule also offers further information on the forthcoming Cybersecurity Maturity Model Certification (CMMC) framework. If you do business with the DoD, you will soon be required to demonstrate your compliance with CMMC to a third-party assessor. This process is separate from the NIST assessment methodology associated with the interim rule.

At this time, the public is able to comment on the interim rule. Any comments should be submitted in writing on or before November 30, 2020, to be considered in the formation of the final rule. Comments on the interim rule can be emailed to: [email protected]. Include: “DFARS Case 2019-D041” in the subject line.

Achieving CMMC compliance will be a multi-step process that takes time. Start now by reviewing your compliance with NIST 800-171 and identifying potential areas to develop. While the process of achieving CMMC certification has presented challenges for implementation, it is clear that cybersecurity must be a priority for all businesses in the DIB.

A recent article from EIN Press Wire quotes an 80% failure rate on recent audits of NIST compliance by the Defense Contract Management Agency (DCMA), implying a long road ahead to a cyber-secure DIB. The Georgia Department of Economic Development (GDEcD) has partnered with the Technology Association of Georgia (TAG) to form the Georgia Defense Industrial Base Task Force. The task force brings together expertise from the Georgia Cyber Center, University of Georgia Small Business Development Center, Georgia Tech Procurement Assistance Center, and Georgia Manufacturing Extension Partnership. The task force is focused on developing resources and educational webinars to support contractors on their journey toward achieving cybersecurity best practices and CMMC.

To learn more about how your business can boost cybersecurity, please visit: www.georgia.org/cybersecurityedge and TAG at: www.tagonline.org/ga-dibt. You may also contact our CMMC Project Manager, Cassia Baker, at: [email protected].