0790-AJ14 201410 The Regulatory Plan and the Unified Agenda of Federal Regulatory and Deregulatory Actions 0790 Office of the Secretary OS 0700 Department of Defense DOD Defense Industrial Base (DIB) Cyber Security/Information Assurance (CS/IA) Activities: Amendment Other Significant Previously Published in The Unified Agenda Proposed Rule Stage No No 32 CFR 236 EO 12829 Yes

The Department of Defense (DoD) will amend the DoD-DIB CS/IA Voluntary Activities (32 CFR part 236) regulation to incorporate changes as required by section 941 NDAA for FY 2013 to include mandated cyber intrusion incident reporting by all cleared defense contractors (CDCs).

]]>

This regulation is proposed under the authorities of section 941 NDAA for FY 2013.

]]>

DoD analyzed the requirements in section 941 NDAA for FY 2013 and determined that implementation must be accomplished through the rulemaking process. This will allow the public to comment on the implementation strategy.

]]>

Implementing the amended rule to meet the requirements of section 941 NDAA for FY 2013 affects approximately 8,700 CDCs. Each company will require DoD approved, medium assured certificates to submit the mandatory cyber incident reporting to the DoD-access controlled website. The cost per certificate is $175. In addition, it is estimated that the average burden per reported incident is 7 hours, which includes identifying the cyber incident details, gathering and maintaining the data needed, reviewing the collection of information to be reported, and completing the report. Note, these costs are the same as those associated with 32 CFR part 236 (DoD-DIB CS/IA Voluntary Activities), but are now applicable across a larger population of defense contractors. The benefit of this amended rule is satisfying the legal mandate from section 941 NDAA for FY 2013 as well as informing the Department of incidents that impact DoD programs and information. DoD needs to have the ability to assess the strategic and operational impacts of cyber incidents and determine appropriate mitigation activities.

]]>

There will likely be significant public interest in DoD's implementation of section 941 NDAA for FY 2013. DoD will need to assure the public that DoD will provide for the reasonable protection of trade secrets, commercial or financial information, and information that can be used to identify a specific person that may be evident through the cyber incident reporting and media analysis.

]]> NPRM 03/00/2015 No None No No No Vicki Michetti D. Director Policy and Partnerships, DoD CIO 0790 Office of the Secretary OS 703 695-0906 vicki.d.michetti.civ@mail.mil 6000 Defense Pentagon, Room 3D1048, Washington DC 20301-6000