0790-AJ29 201510 The Regulatory Plan and the Unified Agenda of Federal Regulatory and Deregulatory Actions 0790 Office of the Secretary OS 0700 Department of Defense DOD Department of Defense (DoD)-Defense Industrial Base (DIB) Cybersecurity (CS) Activities

DoD is revising its DoD-DIB Cybersecurity (CS) Activities regulation to mandate reporting of cyber incidents that result in an actual or potentially adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor’s ability to provide operationally critical support, and modify eligibility criteria to permit greater participation in the voluntary DoD-Defense Industrial Base (DIB) Cybersecurity (CS) information sharing program.

]]> Other Significant Previously Published in The Unified Agenda Final Rule Stage No No 32 CFR 236 10 U.S.C. 391 10 U.S.C. 2224 44 U.S.C. 3506 44 U.S.C. 3544 and sec 941 Pub. L. 112-239, 126 Stat. 1632 Yes

This rule complies with statutory guidance under section 941 of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2013, and section 391 of Title 10, United States Code (U.S.C.), requiring defense contractors to rapidly report cyber incidents on their unclassified networks or information systems that may affect unclassified defense information, or that affect their ability to provide operationally critical support to the Department.   This rule underscores the importance of better protecting unclassified defense information against the immediate cyber threat, while preserving the intellectual property and competitive capabilities of our national defense industrial base. The rule enables DoD to better assess, in the near term, when mission critical capabilities and services are affected by cyber incidents and reinforces DoD’s overall efforts to defend DoD information, protect U.S. national interests against cyber-attacks, and support military operations and contingency plans worldwide. Cybersecurity is a Congressional priority and this rule supports the Administration’s national cybersecurity strategy emphasizing public-private information sharing.

]]>

The activities in this rule implement DoD statutory authorities to establish programs and activities to protect sensitive DoD information, including when such information resides on or transits information systems operated by contractors or others in support of DoD activities (e.g., 10 U.S.C. sections 391 and 2224, the Federal Information Security Modernization Act (FISMA), codified at 44 U.S.C. sections 3551 et seq., section 941 of the NDAA for FY 2013 (Pub. L. 112-239)). Activities under this rule also fulfill important elements of DoD’s critical infrastructure protection responsibilities, as the sector specific agency for the DIB sector (see Presidential Policy Directive 21 (PPD-21), Critical Infrastructure Security and Resilience, available at https://www.whitehouse.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil).

]]>

None. This is revision to an existing regulation (32 CFR part 236).

]]>

Under this rule, contractors will incur costs associated with requirements for reporting cyber incidents of covered defense information on their covered contractor information system(s) or those affecting the contractor’s ability to provide operationally critical support. Costs for contractors include identifying and analyzing cyber incidents and their impact on covered defense information, or a contractor’s ability to provide operationally critical support, as well as obtaining DoD-approved medium assurance certificates to ensure authentication and identification when reporting cyber incidents to DoD. Government costs include onboarding new companies under the voluntary DoD-DIB CS information sharing program, and collecting and analyzing cyber incident reports, malicious software, and media.

]]>

Cyber threats to DIB unclassified information systems represent an unacceptable risk of compromise of DoD information and mission and pose an imminent threat to U.S. national security and economic security interests. The combination of the mandatory DoD contractor cyber incident reporting, combined with the voluntary participation in the DIB CS program, will enhance and supplement DoD contractor capabilities to safeguard DoD information that resides on, or transits, DoD contractor unclassified network or information systems.

]]> Interim Final Rule 10/02/2015 80 FR 59581 Interim Final Rule Effective 10/02/2015 Interim Final Rule Comment Period End 12/01/2015 Final Action 08/00/2016 No No None No No No No Vicki Michetti D. Director Policy and Partnerships, DoD CIO 0790 Office of the Secretary OS 703 695-0906 vicki.d.michetti.civ@mail.mil 6000 Defense Pentagon, Room 3D1048, Washington DC 20301-6000