View Rule
| DOD/OS | RIN: 0790-AJ14 | Publication ID: Fall 2014 |
| Title: Defense Industrial Base (DIB) Cyber Security/Information Assurance (CS/IA) Activities: Amendment | |
| Abstract: This rule amends the DoD-DIB CS/IA Voluntary Activities regulation in response to section 941 National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2013 which requires the Secretary of Defense to establish procedures that require each cleared defense contractor (CDC) to report when a network or information system that meets the criteria reports cyber intrusions. | |
| Agency: Department of Defense (DOD) | Priority: Other Significant |
| RIN Status: Previously published in the Unified Agenda | Agenda Stage of Rulemaking: Proposed Rule Stage |
| Major: No | Unfunded Mandates: No |
| CFR Citation: 32 CFR 236 | |
| Legal Authority: EO 12829 | |
| Legal Deadline: None | |
|
Statement of Need: The Department of Defense (DoD) will amend the DoD-DIB CS/IA Voluntary Activities (32 CFR part 236) regulation to incorporate changes as required by section 941 NDAA for FY 2013 to include mandated cyber intrusion incident reporting by all cleared defense contractors (CDCs). |
|
Summary of the Legal Basis: This regulation is proposed under the authorities of section 941 NDAA for FY 2013. |
|
Alternatives: DoD analyzed the requirements in section 941 NDAA for FY 2013 and determined that implementation must be accomplished through the rulemaking process. This will allow the public to comment on the implementation strategy. |
|
Anticipated Costs and Benefits: Implementing the amended rule to meet the requirements of section 941 NDAA for FY 2013 affects approximately 8,700 CDCs. Each company will require DoD approved, medium assured certificates to submit the mandatory cyber incident reporting to the DoD-access controlled website. The cost per certificate is $175. In addition, it is estimated that the average burden per reported incident is 7 hours, which includes identifying the cyber incident details, gathering and maintaining the data needed, reviewing the collection of information to be reported, and completing the report. Note, these costs are the same as those associated with 32 CFR part 236 (DoD-DIB CS/IA Voluntary Activities), but are now applicable across a larger population of defense contractors. The benefit of this amended rule is satisfying the legal mandate from section 941 NDAA for FY 2013 as well as informing the Department of incidents that impact DoD programs and information. DoD needs to have the ability to assess the strategic and operational impacts of cyber incidents and determine appropriate mitigation activities. |
|
Risks: There will likely be significant public interest in DoD's implementation of section 941 NDAA for FY 2013. DoD will need to assure the public that DoD will provide for the reasonable protection of trade secrets, commercial or financial information, and information that can be used to identify a specific person that may be evident through the cyber incident reporting and media analysis. |
Timetable:
|
| Regulatory Flexibility Analysis Required: No | Government Levels Affected: None |
| Federalism: No | |
| Included in the Regulatory Plan: Yes | |
| RIN Data Printed in the FR: No | |
| Agency Contact: Vicki D. Michetti, Director, Policy and Partnerships, DoD CIO, Department of Defense, Office of the Secretary, 6000 Defense Pentagon, Room 3D1048, Washington, DC 20301-6000. Phone: 703 695-0906. Email: vicki.d.michetti.civ@mail.mil |