Get Your Cybersecurity Act In Order with NIST, CMMC, CCPA, and SHIELD 

NIST, CMMC, CCPA, SHIELD—you’ve likely heard the acronyms, but how much do you know about the laws behind them?

The cybersecurity regulation landscape can be confusing, and it’s not getting any simpler: thirty-one states enacted cybersecurity-related legislation in 2019 alone, and that’s not counting federal or industry standards. Even if you’re committed to getting your cybersecurity act in order, the number of cybersecurity acts out there can make it a complex business.

As effective dates approach and pass, it’s important to stay aware of standards and regulations that may impact your business, your partners, and your customers. And it doesn’t have to be complicated—let’s start with the basics around some of the key acronyms you might be hearing about:

NIST CSF – The National Institute of Standards and Technology Cybersecurity Framework

  • What you need to know: NIST’s Cybersecurity Framework isn’t a regulation, but rather a voluntary resource to help with cybersecurity. The NIST CSF helps businesses of all sizes better understand, manage, and reduce their cybersecurity risk and protect their networks and data.
  • Who does this apply to: Flexible enough to be adopted by all kinds of businesses.
  • Effective Date: N/A
  • Full details on NIST CSF here…

Cybersecurity Maturity Model Certification (CMMC)

  • What you need to know: The CMMC is a new cybersecurity-related certification designed by the U.S. Department of Defense (DoD) to protect Controlled Unclassified Information (CUI). Released in January of 2020, it builds on the Defense Federal Acquisition Regulation Supplement (DFARS) and other cybersecurity standards to implement multiple levels of cybersecurity. While some details for implementation are still being ironed out, the CMMC will use a similar format as the DFARS mandate of 2018.
  • Who does this apply to: All companies doing business with the DoD, including manufacturers, subcontractors, and vendors.
  • Effective Date: June 2020
  • Full details on CMMC here…

CCPA – The California Consumer Privacy Act

  • What you need to know: The CCPA expands Californians’ right to privacy to include the ability to access, opt-out, and delete personal information collected by corporations, and can levy fines of as much as $7,500 per violation. To help create “privacy by default,” companies should adopt cybersecurity best practices and evaluate vendors with security in mind. Because California plays such a large role in the U.S. economy, this is part of getting your cybersecurity act in order even if you aren’t based in the state.
  • Who does this apply to: Any for-profit entity that does business in California, collects personal data about California residents, and meets one or more of the following thresholds:
      ◦ Gross revenues greater than or equal to $25 million
      ◦ Collects personal information from more than 50,000 California residents, households, or devices per year
      ◦ Generates over 50% of ARR by selling personal information about California residents
  • Effective Date: January 1, 2020
  • Full details on CCPA here…

NY SHIELD Act – The Stop Hacks and Improve Electronic Data Security Act

  • What you need to know: Everyone loves a good backronym! The New York SHIELD Act requires companies to adopt specific security programs to reduce the risk of a data breach. Companies should review their cybersecurity program to see how it fits with the SHIELD Act, appoint a Chief Information Security Officer (CISO), and provide cybersecurity training for all employees. Businesses must also conduct due diligence on all third-party vendors.
  • Who does this apply to: All New York businesses, and businesses in other states that access data of New York residents. Some small businesses have less stringent requirements under the NY SHIELD Act, but must still adopt “reasonable” safeguards.
  • Effective Date: March 21, 2020
  • Full details on SHIELD here…

Current and future regulations and compliance requirements impact many businesses, and the first step towards preparation is simply understanding the requirements. From there, you can begin to assess your business’s cybersecurity posture to see where you already check the boxes and where you have an opportunity to improve. Here’s to being a class cybersecurity act!

Stay Safe,

Your Friends @ Defendify
