NIST Compliance Grants: Maryland Defense Cybersecurity Assistance Program

If you’re a Maryland-based Department of Defense contractor, a new state program can provide some financial assistance when it comes to compliance work necessary to remain eligible for DoD business.

The new initiative, called the Defense Cybersecurity Assistance Program (DCAP), is designed to strengthen the defense supply chain businesses in the state, especially when it comes to specific DoD requirements. Defense contractors in Maryland generate more than $57 billion in economic impact.

What is the Maryland Defense Cybersecurity Assistance Program?

The DCAP provides financial compensation and resources to Maryland companies. Specifically, the program targets the challenges in complying with the Defense Federal Acquisition Regulation Supplement (DFARS) issued several years ago and went into effect in December 2017. Specifically, the guidelines require contractors to be compliant with a National Institute of Standards and Technology rule — NIST SP 800-171.

Those standards spell out 14 requirements that must be documented to remain eligible for DoD contracts. The requirements all touch on aspects of cybersecurity, covering everything from access control, identification and authentication to risk assessment, physical security and system and communication protection.

NIST SP 800-171 is meant to accomplish two goals. Contractors need to:

• Demonstrate adequate security of defense information stored or transmitted by the contractors’ unsecured information management systems
• Immediately inform and cooperate with the DoD regarding any breaches or cybersecurity incidents

The program is funded by the Department of Defense through the Maryland Department of Commerce and is administered by the Maryland Manufacturing Extension Partnership (MD MEP).

Who Is Eligible for the Maryland DCAPS?

To be eligible, companies must be defense contractors with a physical location in Maryland. Companies must have at least 10 percent DoD-related business or have been asked to demonstrate compliance via a contract or procurement.

There are multiple business entities that may be required to comply with the NIST guidelines and may be eligible for the state financial assistance program. Among those businesses are contractors and subcontractors in the following industries:

• Government staffing firms
• Procurement services companies
• Manufacturers that sell to the government
• Manufacturers that sell to government suppliers
• Colleges and universities
• Research institutions
• Consulting companies
• Service providers

What Grants Are Available?

There are four main components to the program, including a program application, an NIST SP 800-171 gap analysis, outcomes and recommendations and technical assistance. If you’ve already begun the process to ensure NIST SP 800-171 compliance, you can join the program at any point.

Funding is available for two aspects of the program:

• Completing a gap analysis for what’s missing for compliance with the NIST SP 800-171 guidelines
• Supporting technical assistance necessary for remediation efforts necessary to become compliant

The MD MEP can work with you and your cybersecurity service provider to prepare the necessary documents.

Grants for the gap analysis are based on the number of staff the defense contractor employs:

• Less than 20: $6,500
• 20-100: $7,500
• 100-250: $8,500
• More than 250: To be determined

The scope of technical assistance is based on the gap analysis and includes $5,000 or 10 percent of the cost for consulting services and $3,000 or 75 percent of the cost for tools, hardware and software.

Who Can Help Us with NIST Compliance?

The sheer scope and complexity of the 14 NIST categories for compliance make it important to use a NIST consultant that has experience with the technologies and systems under scrutiny. Your consultant should also be able to purchase, install, configure and provide the continuous monitoring necessary to maintain compliance.

Establishing a relationship with a proven consultant and managed service provider lets you monitor your IT solution to ensure your business maintains compliance, avoiding potentially hefty fines and lost business.

What should your managed service provider include in its compliance services? Here are the five core components:

• Assessment. Includes a full evaluation of hardware, software, environments and information transfer tools and a comparison of those components to the NIST mandates
• Data Location and Classification. You need a full inventory of where sensitive defense data is stored, including local drives, cloud solutions, endpoints, portable hard drives and thumb drives. The data then need to be classified as to which fall under the DoD requirements
• Encryption. Your data needs to be encrypted while it’s in transit and at rest
• Training. Staff are your first line of defense against cyberattack and prime targets for hackers
• Access Management. Users should only have access to information they critically need to do their work

Intelice Solutions is the managed service provider with the track record and experience helping area companies with regulatory compliance and security. To schedule your initial, no-obligation with one of our IT security experts, contact us today.