What It Is

Cybersecurity Maturity Model Certification (CMMC) 2.0 is a U.S. Department of Defense (DoD) certification framework verifying cybersecurity practices for the Defense Industrial Base (DIB). It operationalizes FAR 52.204-21 and NIST SP 800-171/172 requirements through a tiered model with three levels: Foundational (Level 1 for FCI), Advanced (Level 2 for CUI), and Expert (Level 3 for APT defense). The risk-based approach ensures protections match data sensitivity.

Key Components

• 14 domains mirroring NIST families (e.g., Access Control, Incident Response).
• **Level 117 FAR practices; Level 2: 110 NIST 800-171 controls; Level 3: +24 NIST 800-172 selections.
• Built on NIST standards with assessment guides using interview/examine/test methods.
• Certification via self-assessment (Level 1/2 select), C3PAO (Level 2), or DIBCAC (Level 3), valid 3 years with annual affirmations in SPRS/eMASS.

Why Organizations Use It

Mandated for DoD contractors handling FCI/CUI, ensuring contract eligibility. Reduces supply-chain risks, enhances resilience, lowers breach costs, and provides competitive edge via verified maturity. Builds prime-sub trust and supports M&A diligence.

Implementation Overview

Phased: governance, scoping/gap analysis, remediation, assessment prep, certification, sustainment. Applies to all DIB primes/subs; small/mid/large firms use enclaves for scoping. Requires SSP, POA&Ms (180-day close), evidence automation. (178 words)

What It Is

23 NYCRR Part 500 is the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, a state-level mandate effective March 2017 with amendments in 2023. It establishes minimum, risk-based cybersecurity requirements for financial services entities to protect nonpublic information (NPI) and information systems. Its approach emphasizes governance, evidence-based outcomes, and prescriptive controls like MFA and incident reporting.

Key Components

• 14 core requirements including cybersecurity program, CISO appointment, risk assessments, MFA, encryption, TPSP oversight, penetration testing, and 72-hour incident notification.
• Built on risk assessment architecture; annual dual CISO/CEO certification with five-year record retention.
• Class A companies face enhanced audits and controls; no formal certification but NYDFS examinations enforce compliance.

Why Organizations Use It

• Mandatory for NY-licensed financial entities (banks, insurers, etc.) to avoid multimillion-dollar fines (e.g., Robinhood $30M).
• Enhances resilience, reduces incident risk, builds stakeholder trust, and aligns with NIST CSF.
• Provides competitive edge in vendor selection and insurance premiums.

Implementation Overview

• Phased roadmap: gap analysis, asset inventory, MFA rollout, TPSP contracts, testing; up to 24 months.
• Applies to Covered Entities in NY financial sector; small exemptions available.
• Involves governance setup, evidence repositories, and annual filings by April 15. (178 words)