The market for -171 and CMMC compliance just got much bigger in Connecticut.

On 2021-07-06 Governor Lamont signed Public Act No. 21-119 into law.

The act is meant to incentivize the adoption of cybersecurity standards by allowing businesses that adopt certain cybersecurity frameworks to plead an affirmative defense to any cause of action that alleges that a failure to implement reasonable cybersecurity controls resulted in a data breach concerning personal or restricted information.
You can utilize an affirmative defense to get out of lawsuits, like a get-out-of-jail card, if you have good cybersecurity. Affirmative defenses are a means of making it impossible for you to be found liable during a lawsuit over a data breach. As the defense, you have to explain the burden of proof in your answer, and in Connecticut you now have a list of cybersecurity frameworks to choose from.

You receive an affirmative defense if you can prove to an insurance adjuster, or more likely through a third-party attestation required prior to insuring, that your systems are in compliance with one of these frameworks.

Companies can choose from the following frameworks:

  • Framework for Improving Critical Infrastructure
  • NIST SP-800-171
  • NIST SP-800-53
  • FedRAMP
  • Center for Internet Security Critical Security Controls for Effective Cyber Defense
  • ISO/IEC 27000-series

We tried to get CMMC Level Three included, but the bill did not receive any markup. Our friends in the Capitol let us know CMMC Level 3 would count for NIST-SP-800-171 since it subsumes all 110 controls.

The demand for CMMC and -171 or -53 compliance just skyrocketed in Connecticut.