Cybersecurity Regulations
Cybersecurity refers to the body of technologies, processes, and practices designed to protect networks, devices, programs, and data from attack, damage, or unauthorized access.
The theft of intellectual property and sensitive information from all industrial sectors due to malicious cyber activity threatens economic security and national security. The Center for Strategic and International Studies estimates that the total global cost of cybercrime was as high as $600 billion in 2017. Malicious cyber actors continue to target the Defense Industrial Base sector and the supply chain of the Department of Defense. The aggregate loss of intellectual property and certain unclassified information from the DoD supply chain can undercut U.S. technical advantages and innovation as well as significantly increase risk to national security. Our adversaries are not only interested in acquiring our intellectual property; they are also intent upon disrupting the DoD supply chain.
Because much of the Department of Defense’s data resides on contractors’ networks, the DoD has implemented several regulations to help safeguard the data and protect the systems that store and transmit the data.
• Federal Acquisition Regulation (FAR) 52.204-21 - Basic Safeguarding of Covered Contractor Information Systems requires that Federal Contract Information (FCI) – information that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government and that is not intended for public release – be protected. FCI does not include simple transactional information, such as information necessary to process payments. For more information about FCI, go to the “FCI/CUI” tab.
• Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 – Safeguarding Covered Defense Information and Cyber Incident Reporting requires that controlled unclassified information (CUI) be protected. CUI is information that is provided by or generated for the DoD under a contract to develop or deliver a product or service to the DoD that requires safeguarding or dissemination controls but is not classified. In layman’s terms, it is information that could threaten national security if it were disseminated or used inappropriately by our adversaries. The clause requires contractors to implement the NIST SP 800-171 security requirements, and the DFARS Interim Rule that supplements it requires contractors to perform a self-assessment against the NIST SP 800-171 controls and upload the resulting score and other information to the Supplier Performance Risk System (SPRS). For information about the DFARS clause and the new DFARS Interim Rule, click on the DFARS tab.
• Cybersecurity Maturity Model Certification (CMMC) - To enhance the protection of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), the Under Secretary of Defense for Acquisition and Sustainment has developed the CMMC framework. The model consists of maturity processes and cybersecurity best practices from multiple cybersecurity standards, frameworks and other references, as well as inputs from the broader community. The model encompasses the basic safeguarding requirement for FCI specified in FAR Clause 52.204-21 and the security requirements for CUI specified in NIST SP 800-171 per DFARS Clause 252.204-7012. The CMMC framework adds a certification element to verify the implementation of processes and practices associated with the achievement of a cybersecurity maturity level, and measures cybersecurity maturity with five levels. For more information about CMMC click on the “CMMC” tab.
Click Here for the Cybersecurity Overview presentation.
NOTE: DoD cybersecurity regulations do NOT apply to contractors that supply strictly commercial-off-the-shelf (COTS) products or sell products to the DoD under the micro-purchase threshold.
The NCMBC and the I3C are not representatives of the DoD or the CMMC Accreditation body. This website is meant to be a community resource for cybersecurity compliance information.
CONTACT US
Main Point of Contact:
Laura Rodgers
North Carolina Military Business Center
rodgersl@ncmbc.us
919-335-1207
How to best utilize CyberNC.us: The CyberNC.us website was created to provide North Carolina companies with one location to find all the information they need to build a cybersecurity compliance program that meets Department of Defense regulations.
The most effective way to utilize the website is to follow the steps below:
- Understand the regulations. Click on the Cybersecurity Regulations tab and review the information about each of the regulations.
- Understand the data. Click on the FCI/CUI tab for detailed information about Federal Contract Information and Controlled Unclassified Information, then review the Cybersecurity Overview presentation.
- The information on the Where to Start tab will help businesses determine which regulation they must comply with, as well as the level of compliance that is required.
- The DFARS tab contains information about compliance with DFARS 252.204-7012 and the new DFARS Interim Rule.
- The CMMC tab contains information about compliance with each of the 5 CMMC levels and also contains “CMMC Level 1 in a Box.”
- The Training tab provides information about resources businesses can use to train their employees.
- The Blog will be used to answer questions and provide clarification as needed. Please email Laura Rodgers at rodgersl@ncmbc.us for questions and/or clarification about compliance with the cybersecurity regulations.
- The Partners tab contains links to the websites of the I3C partner agencies.
Copyright 2020, North Carolina Military Business Center. All Rights Reserved.